The International Traffic in Arms Regulations (ITAR) govern the export and import of defense-related articles, services, and technical data. For SDVOSB firms working on defense contracts, ITAR compliance is not optional, not a documentation exercise, and not something that can be delegated to an attorney and forgotten. It is an ongoing operational discipline, and violations carry criminal penalties that can reach 20 years in federal prison and fines of up to $1 million per violation.

The firms that get into trouble with ITAR are rarely the ones that knowingly circumvent the law. They are the ones that did not know what they were handling, did not know who they were sharing it with, or did not know that a foreign national on their team triggered disclosure requirements. This guide covers what triggers ITAR, what a compliant program looks like, and where small contractors most frequently go wrong.

What ITAR actually covers

ITAR is administered by the State Department's Directorate of Defense Trade Controls (DDTC). The regulation is built around the United States Munitions List (USML), a catalog of defense articles, services, and technical data that are subject to export control. The USML covers 21 categories ranging from firearms and military aircraft to spacecraft, toxicological agents, and classified technical data.

If your contract involves anything on the USML, or if you provide defense services or technical assistance related to USML items, you are likely dealing with ITAR-controlled content. This includes not just hardware but also technical data, which ITAR defines broadly as any information required for the design, development, production, manufacture, assembly, operation, repair, or modification of defense articles.

The critical point for SDVOSB firms: you do not need to export anything for ITAR to apply. The "deemed export" rule means that sharing technical data with a foreign national inside the United States is treated as an export to that person's country of citizenship. If you have foreign nationals on your team, as employees, consultants, or even visitors to your facility, and they have access to ITAR-controlled technical data, you may have an export control obligation.

ITAR vs. EAR: understanding the boundary

ITAR covers defense articles and services on the USML. The Export Administration Regulations (EAR), administered by the Commerce Department, cover dual-use items on the Commerce Control List. The distinction matters because the two regimes have different licensing requirements, different penalty structures, and different compliance frameworks.

Many SDVOSB firms deal with both. A firm that develops cybersecurity software may have ITAR obligations for work related to classified military systems and EAR obligations for the same software sold commercially. Mapping your products and services to the correct regulatory framework is the starting point of any ITAR and EAR compliance program.

When in doubt about classification, consult the USML and the Commerce Control List directly, or request a commodity jurisdiction determination from the State Department. A formal determination tells you definitively whether your item is ITAR-controlled, EAR-controlled, or neither.

Registration requirements

Any person who manufactures, exports, or temporarily imports defense articles, or who furnishes defense services, must register with the DDTC. Registration is annual and costs $2,250 for the first registration tier. This is a registration requirement, not a licensing requirement. Registration does not authorize any exports. It is a threshold requirement to operate in the defense trade space.

If your SDVOSB firm is manufacturing, modifying, or servicing anything on the USML, or if you are providing technical assistance, training, or other defense services related to USML items, you need to be registered. Check with legal counsel before concluding that registration does not apply to your activities.

When you need a license

Exports of ITAR-controlled technical data or defense articles generally require a license from the DDTC unless an exemption applies. The most commonly used exemptions for small contractors include the following.

The government purpose exemption. Technical data may be disclosed to U.S. government agencies and their contractors without a license when the disclosure is in furtherance of a government contract. This exemption has specific conditions and does not apply to subcontractors automatically. Read the full text of ITAR at 22 CFR 125.4(b)(1) and confirm with your program manager that the exemption applies to your specific situation.

The allied nation exemption. Certain disclosures to Canada and other treaty allies may be covered by bilateral agreements that reduce or eliminate licensing requirements. Do not assume an exemption applies. Verify it with your export control counsel.

The licensing process involves submitting an application to the DDTC with a detailed description of what is being exported, who is receiving it, the end use, and the end user. Review and approval can take weeks to months. Build that timeline into your contract performance planning.

Building an ITAR compliance program

A compliance program is not a binder on a shelf. It is a set of active procedures that govern how your firm identifies, handles, stores, and transmits ITAR-controlled information. The core components of an effective program follow.

Commodity classification. Every product, service, and category of technical data your firm handles needs to be classified against the USML and CCL. This is not a one-time exercise. It must be repeated whenever you take on new work, new products, or new client relationships.

Technology control plan. A TCP is a written document that describes how you will control access to ITAR-controlled technical data. It covers who has access, how access is granted and revoked, how data is stored and transmitted, and what physical controls are in place. Many defense prime contractors require their subcontractors to have a TCP in place before granting access to controlled programs.

Employee screening and training. Know the citizenship status and work authorization of every person who will have access to ITAR-controlled data. Foreign nationals may require licensing before they can access controlled technical data, regardless of their immigration status. Train all relevant employees on ITAR requirements at hiring and annually thereafter.

Visit controls. Implement procedures for controlling visitor access to areas where ITAR-controlled technical data is in use or displayed. If a visitor from a foreign country views controlled technical data, even briefly, that may trigger an export.

IT security and data handling. Control where ITAR-controlled data is stored and who can access it. Cloud storage, email, and collaboration platforms used for ITAR-controlled data must be configured to prevent unauthorized access, including access by foreign nationals who may have administrative access to the underlying infrastructure. Many SDVOSB firms underestimate the IT security requirements that accompany ITAR compliance.

Subcontractor obligations

If you are a prime contractor, your ITAR obligations flow down to your subcontractors. You are responsible for ensuring that any subcontractor you use for ITAR-controlled work has an appropriate compliance program in place. This means due diligence before engaging subcontractors, contractual flow-down of ITAR requirements, and ongoing monitoring.

If you are a subcontractor, your ITAR obligations exist independently of whatever your prime is doing. You cannot rely on the prime's compliance program to cover your firm's activities.

Voluntary disclosure

ITAR violations happen, even at firms with mature compliance programs. When they do, the DDTC strongly encourages voluntary disclosure. A voluntary disclosure, submitted promptly and accompanied by a thorough internal investigation and corrective action plan, typically results in significantly reduced penalties compared to violations that are discovered through government investigation.

The decision to file a voluntary disclosure is serious and should be made with legal counsel. But the decision not to disclose a known violation is almost always worse. The DDTC's track record on self-reported violations is considerably more favorable than its track record on violations it discovers independently.

ITAR compliance and SDVOSB contracting

ITAR compliance is increasingly a threshold requirement for defense subcontracting, not just prime contracting. Large prime contractors routinely conduct ITAR compliance audits of their supply chains, and firms without demonstrable compliance programs are losing subcontracting opportunities as a result.

For SDVOSB firms pursuing defense work, a documented ITAR compliance program is a competitive differentiator. It demonstrates operational maturity, reduces prime contractor risk, and opens doors to programs that require rigorous export control compliance as a condition of participation.

If your firm does not currently have an ITAR compliance program and you are pursuing defense work, prioritize building one. The investment in legal counsel, training, and technology control infrastructure is modest compared to the cost of a violation or the opportunity cost of being excluded from defense subcontracting relationships.