ITAR Explained: What Every Procurement Leader Needs to Know

ITAR doesn't just affect engineering -- it constrains your supply base, restricts who can see your RFQ drawings, and carries penalties up to $1.27 million per violation. Raytheon paid $950 million in 2024. Here's the practical guide.

Spencer Penn

If you've recently moved from commercial manufacturing into aerospace or defense -- or if your company just won its first DoD contract -- you're about to encounter a regulatory framework that will change how you think about every procurement decision you make.

ITAR -- the International Traffic in Arms Regulations -- governs how defense-related articles, services, and technical data move into, out of, and within the United States. It affects who you can source from, what data you can share with suppliers, which team members can view a drawing, and how you store procurement records. Getting it wrong isn't an abstract compliance risk. Raytheon paid $950 million in October 2024 for violations that included ITAR. BAE Systems paid $78 million. 3D Systems paid $20 million. The penalties are real, and they apply to procurement teams as directly as they apply to engineering.

This post covers what ITAR is, where it came from, how it affects procurement specifically, and how to build compliance into your sourcing operations.

A Brief History

ITAR was enacted in 1976 under the Arms Export Control Act (AECA), during the Cold War. The original intent was straightforward: prevent US defense technology from reaching adversaries, particularly the Soviet Union and its allies.

The regulations are administered by the Directorate of Defense Trade Controls (DDTC), a division of the US Department of State. The DDTC maintains the United States Munitions List (USML), which defines the specific articles, services, and technical data subject to ITAR control. The USML is organized into 21 categories -- everything from firearms and ammunition (Category I) to spacecraft and satellites (Category XV) to submersible vessels (Category XX).

ITAR has evolved significantly since 1976. The most consequential recent reform was the Export Control Reform (ECR) initiative that began in 2013 under President Obama, which moved thousands of items from the USML to the less restrictive Commerce Control List (CCL) administered by the Bureau of Industry and Security (BIS). The intent was to focus ITAR on the most sensitive items and reduce the compliance burden on items that didn't warrant it.

In August 2025, the DDTC published targeted revisions to the USML, removing items like lead-free birdshot and certain GNSS anti-spoofing systems, and adding new license exemptions for unmanned underwater vehicles. The list continues to evolve as technology changes and geopolitical priorities shift.

What ITAR Actually Controls

ITAR governs three categories of controlled items:

Defense articles. Physical items on the USML -- weapons, vehicles, aircraft, electronics, propulsion systems, and their components. If a bracket you're sourcing goes into a missile guidance system, that bracket is an ITAR-controlled defense article.

Defense services. Assistance to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, or modification of defense articles. If you bring a foreign supplier to your facility and walk them through how to manufacture an ITAR-controlled component, that's a defense service -- and it requires a license.

Technical data. This is the one that catches procurement teams. Technical data includes engineering drawings, specifications, process instructions, BOM structures, test data, and manufacturing know-how related to defense articles. If a drawing has ITAR-controlled content and you email it to a supplier in Germany, you've just made an unauthorized export -- even though the part never left the country.

The critical concept: under ITAR, an "export" isn't just shipping a physical item overseas. Sharing technical data with a non-US person -- even a colleague sitting next to you in your own office -- constitutes a "deemed export" if that person is not a US citizen or permanent resident.

How ITAR Affects Procurement

For procurement teams, ITAR creates constraints at every stage of the sourcing lifecycle.

Supplier Selection

Not every supplier can work on ITAR programs. Suppliers handling ITAR-controlled articles or technical data must be registered with the DDTC. Your supplier qualification process needs to verify:

  • Is the supplier DDTC-registered?

  • Does the supplier have appropriate access controls for ITAR data?

  • Are the supplier's employees who will handle your program US persons?

  • Does the supplier have ITAR-compliant IT systems (encrypted storage, access logging)?

  • If the supplier uses sub-tier vendors, are those sub-tiers also compliant?

This narrows your supply base significantly. A component you could source from 20 suppliers globally might have only 5 qualified domestic suppliers when ITAR applies. Less competition typically means higher prices and longer lead times.

Data Sharing and RFQs

In commercial procurement, you send an RFQ with drawings and specs to any qualified supplier. Under ITAR, you can't share controlled technical data with a supplier unless:

  1. The supplier is a US person (US citizen, permanent resident, or US company with only US persons on the program)

  2. You have an approved export license or agreement (Technical Assistance Agreement, Manufacturing License Agreement) authorizing the transfer

  3. An exemption applies

This means your standard sourcing process needs a compliance gate before any technical data goes to a supplier. In practice: before issuing an RFQ for an ITAR-controlled part, verify the supplier's ITAR status, mark the data appropriately, and document the authorization basis for the transfer.

Internal Access Controls

ITAR compliance isn't just about external suppliers. Within your own organization, only authorized US persons should have access to ITAR-controlled technical data. This affects:

  • Who on your procurement team can view drawings and specs for ITAR programs

  • How your procurement platform manages permissions

  • Whether your file storage, email, and collaboration tools adequately restrict access

  • How you handle the transition when team members join, leave, or change roles

If your company has international employees on the procurement team, they cannot access ITAR-controlled program data unless a license permits it. This creates real operational challenges in diverse, global organizations.

Record-Keeping and Audit Trails

ITAR requires records of all exports, including deemed exports of technical data. Procurement teams need to maintain logs of:

  • What technical data was shared with which suppliers, when, and under what authorization

  • Which team members accessed ITAR-controlled procurement data

  • Supplier DDTC registration status and compliance documentation

  • All license applications, approvals, and amendments

The DDTC and the Department of Justice can audit these records. If you can't demonstrate that your data sharing was authorized, the assumption is that it wasn't.

The Penalty Landscape

ITAR violations carry severe consequences. The current penalty structure:

| Violation Type | Maximum Penalty |
|---|---|
| Civil (per violation) | $1,271,078 or 2x transaction value (whichever is greater) |
| Criminal (per violation) | $1,000,000 fine + up to 20 years imprisonment |
| Debarment | Prohibition from all ITAR-regulated activity |

Recent enforcement actions:

| Company | Year | Settlement | Context |
|---|---|---|---|
| Raytheon (RTX) | 2024 | $950,000,000 | ITAR + FCPA + FAR violations, required independent monitor for 3 years |
| BAE Systems | 2011 | $78,000,000 | 2,591 violations |
| 3D Systems | 2023 | $20,000,000 | Unauthorized export of technical data related to satellite, launch, and defense programs |

These aren't theoretical. The DDTC actively investigates and prosecutes violations. Voluntary self-disclosure of violations is strongly encouraged -- and typically results in significantly reduced penalties compared to violations discovered through investigation.

Building ITAR Compliance into Procurement

A Practical Checklist

Before you source:

  • Determine if the program involves ITAR-controlled articles or technical data

  • Classify the USML category and identify the specific controlled items

  • Verify your company's DDTC registration is current

  • Identify which team members are authorized US persons for this program

Before you issue an RFQ:

  • Verify the supplier is DDTC-registered

  • Confirm the supplier has ITAR-compliant access controls and IT systems

  • Determine the authorization basis for sharing technical data (license, agreement, or exemption)

  • Mark all controlled documents with appropriate ITAR distribution restrictions

  • Document the authorization in your procurement records

During the sourcing process:

  • Restrict access to ITAR program data within your procurement platform to authorized users only

  • Log all technical data transmissions to suppliers with date, recipient, content, and authorization basis

  • Verify sub-tier supplier compliance if your Tier 1 supplier subcontracts any work

  • Ensure supplier performance reviews include ITAR compliance status

Ongoing:

  • Conduct annual ITAR compliance reviews of your procurement processes

  • Update supplier ITAR status records when registrations renew or expire

  • Train new procurement team members on ITAR requirements before granting program access

  • Voluntarily disclose any identified violations to the DDTC promptly

How LightSource Supports ITAR Compliance

For procurement teams managing both ITAR and non-ITAR programs, the operational challenge is keeping the walls in place without slowing down the work. LightSource supports this through several capabilities:

ITAR-approved supplier labeling. Within LightSource's supplier relationship management, suppliers can be tagged with their ITAR compliance status -- DDTC-registered, ITAR-approved for specific categories, or not ITAR-qualified. When a buyer starts a sourcing event for an ITAR program, the platform surfaces only qualified suppliers, preventing accidental engagement with non-compliant sources.

Permissions and access controls. LightSource's workspace controls can restrict access to ITAR program data to authorized US persons only. Program-level permissions ensure that team members who aren't cleared for a specific ITAR program can't view its drawings, BOMs, supplier quotes, or sourcing decisions -- even if they have access to non-ITAR programs in the same account.

Audit trails. Every action in LightSource is logged -- who accessed what data, when, and what they did with it. This creates the record-keeping foundation that ITAR requires without manual documentation.

Separate workspace controls. Teams can maintain distinct workspaces for ITAR vs. non-ITAR programs, with different access rules, supplier pools, and data handling policies. This architectural separation is the digital equivalent of the physical separation that defense contractors maintain between classified and unclassified work areas.

Frequently Asked Questions

What is ITAR?

ITAR (International Traffic in Arms Regulations) is a set of US government regulations that control the export and import of defense-related articles, services, and technical data. Administered by the State Department's DDTC, ITAR requires that companies handling items on the US Munitions List register with the government and obtain licenses before sharing controlled items or data with non-US persons. Violations carry civil penalties up to $1.27 million per violation and criminal penalties up to $1 million plus 20 years imprisonment.

Does ITAR affect procurement teams?

Yes, directly. ITAR constrains which suppliers you can engage (must be DDTC-registered for controlled items), what technical data you can share in RFQs (controlled drawings and specs require authorization before sharing), who on your team can access program data (only authorized US persons), and how you maintain records of all data transmissions. Procurement teams need compliance gates built into their sourcing workflow.

What counts as an "export" under ITAR?

An export isn't just shipping a physical item. Sharing ITAR-controlled technical data with a non-US person -- including a foreign national colleague in your own office -- constitutes a "deemed export" that requires authorization. This means emailing a controlled drawing to a supplier in another country, showing controlled specs to a non-US-person employee, or storing controlled data on a server accessible to non-US persons can all be ITAR violations.

What is the US Munitions List (USML)?

The USML is the list of defense articles, services, and technical data controlled under ITAR. It contains 21 categories covering everything from firearms (Category I) to spacecraft (Category XV) to directed energy weapons (Category XIX). The list is maintained by the DDTC and periodically updated. In August 2025, the DDTC published targeted revisions removing some items and adding new exemptions.

How can procurement software help with ITAR compliance?

Procurement platforms can support ITAR compliance through supplier ITAR-status tagging (filtering sourcing events to only DDTC-registered suppliers), role-based access controls (restricting ITAR program data to authorized US persons), audit logging (tracking who accessed what data and when), and workspace separation (maintaining distinct environments for ITAR vs. non-ITAR programs). These features create the operational infrastructure for compliance without requiring manual tracking.

What should I do if I discover an ITAR violation?

Voluntarily self-disclose to the DDTC as soon as possible. The DDTC strongly encourages voluntary disclosure, and companies that self-report typically receive significantly reduced penalties compared to violations discovered through investigation or audit. Engage legal counsel experienced in export controls before making the disclosure.

If you've recently moved from commercial manufacturing into aerospace or defense -- or if your company just won its first DoD contract -- you're about to encounter a regulatory framework that will change how you think about every procurement decision you make.

ITAR -- the International Traffic in Arms Regulations -- governs how defense-related articles, services, and technical data move into, out of, and within the United States. It affects who you can source from, what data you can share with suppliers, which team members can view a drawing, and how you store procurement records. Getting it wrong isn't an abstract compliance risk. Raytheon paid $950 million in October 2024 for violations that included ITAR. BAE Systems paid $78 million. 3D Systems paid $20 million. The penalties are real, and they apply to procurement teams as directly as they apply to engineering.

This post covers what ITAR is, where it came from, how it affects procurement specifically, and how to build compliance into your sourcing operations.

A Brief History

ITAR was enacted in 1976 under the Arms Export Control Act (AECA), during the Cold War. The original intent was straightforward: prevent US defense technology from reaching adversaries, particularly the Soviet Union and its allies.

The regulations are administered by the Directorate of Defense Trade Controls (DDTC), a division of the US Department of State. The DDTC maintains the United States Munitions List (USML), which defines the specific articles, services, and technical data subject to ITAR control. The USML is organized into 21 categories -- everything from firearms and ammunition (Category I) to spacecraft and satellites (Category XV) to submersible vessels (Category XX).

ITAR has evolved significantly since 1976. The most consequential recent reform was the Export Control Reform (ECR) initiative that began in 2013 under President Obama, which moved thousands of items from the USML to the less restrictive Commerce Control List (CCL) administered by the Bureau of Industry and Security (BIS). The intent was to focus ITAR on the most sensitive items and reduce the compliance burden on items that didn't warrant it.

In August 2025, the DDTC published targeted revisions to the USML, removing items like lead-free birdshot and certain GNSS anti-spoofing systems, and adding new license exemptions for unmanned underwater vehicles. The list continues to evolve as technology changes and geopolitical priorities shift.

What ITAR Actually Controls

ITAR governs three categories of controlled items:

Defense articles. Physical items on the USML -- weapons, vehicles, aircraft, electronics, propulsion systems, and their components. If a bracket you're sourcing goes into a missile guidance system, that bracket is an ITAR-controlled defense article.

Defense services. Assistance to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, or modification of defense articles. If you bring a foreign supplier to your facility and walk them through how to manufacture an ITAR-controlled component, that's a defense service -- and it requires a license.

Technical data. This is the one that catches procurement teams. Technical data includes engineering drawings, specifications, process instructions, BOM structures, test data, and manufacturing know-how related to defense articles. If a drawing has ITAR-controlled content and you email it to a supplier in Germany, you've just made an unauthorized export -- even though the part never left the country.

The critical concept: under ITAR, an "export" isn't just shipping a physical item overseas. Sharing technical data with a non-US person -- even a colleague sitting next to you in your own office -- constitutes a "deemed export" if that person is not a US citizen or permanent resident.

How ITAR Affects Procurement

For procurement teams, ITAR creates constraints at every stage of the sourcing lifecycle.

Supplier Selection

Not every supplier can work on ITAR programs. Suppliers handling ITAR-controlled articles or technical data must be registered with the DDTC. Your supplier qualification process needs to verify:

  • Is the supplier DDTC-registered?

  • Does the supplier have appropriate access controls for ITAR data?

  • Are the supplier's employees who will handle your program US persons?

  • Does the supplier have ITAR-compliant IT systems (encrypted storage, access logging)?

  • If the supplier uses sub-tier vendors, are those sub-tiers also compliant?

This narrows your supply base significantly. A component you could source from 20 suppliers globally might have only 5 qualified domestic suppliers when ITAR applies. Less competition typically means higher prices and longer lead times.

Data Sharing and RFQs

In commercial procurement, you send an RFQ with drawings and specs to any qualified supplier. Under ITAR, you can't share controlled technical data with a supplier unless:

  1. The supplier is a US person (US citizen, permanent resident, or US company with only US persons on the program)

  2. You have an approved export license or agreement (Technical Assistance Agreement, Manufacturing License Agreement) authorizing the transfer

  3. An exemption applies

This means your standard sourcing process needs a compliance gate before any technical data goes to a supplier. In practice: before issuing an RFQ for an ITAR-controlled part, verify the supplier's ITAR status, mark the data appropriately, and document the authorization basis for the transfer.

Internal Access Controls

ITAR compliance isn't just about external suppliers. Within your own organization, only authorized US persons should have access to ITAR-controlled technical data. This affects:

  • Who on your procurement team can view drawings and specs for ITAR programs

  • How your procurement platform manages permissions

  • Whether your file storage, email, and collaboration tools adequately restrict access

  • How you handle the transition when team members join, leave, or change roles

If your company has international employees on the procurement team, they cannot access ITAR-controlled program data unless a license permits it. This creates real operational challenges in diverse, global organizations.

Record-Keeping and Audit Trails

ITAR requires records of all exports, including deemed exports of technical data. Procurement teams need to maintain logs of:

  • What technical data was shared with which suppliers, when, and under what authorization

  • Which team members accessed ITAR-controlled procurement data

  • Supplier DDTC registration status and compliance documentation

  • All license applications, approvals, and amendments

The DDTC and the Department of Justice can audit these records. If you can't demonstrate that your data sharing was authorized, the assumption is that it wasn't.

The Penalty Landscape

ITAR violations carry severe consequences. The current penalty structure:

Violation Type

Maximum Penalty

Civil (per violation)

$1,271,078 or 2x transaction value (whichever is greater)

Criminal (per violation)

$1,000,000 fine + up to 20 years imprisonment

Debarment

Prohibition from all ITAR-regulated activity

Recent enforcement actions:

Company

Year

Settlement

Context

Raytheon (RTX)

2024

$950,000,000

ITAR + FCPA + FAR violations, required independent monitor for 3 years

BAE Systems

2011

$78,000,000

2,591 violations

3D Systems

2023

$20,000,000

Unauthorized export of technical data related to satellite, launch, and defense programs

These aren't theoretical. The DDTC actively investigates and prosecutes violations. Voluntary self-disclosure of violations is strongly encouraged -- and typically results in significantly reduced penalties compared to violations discovered through investigation.

Building ITAR Compliance into Procurement

A Practical Checklist

Before you source:

  • Determine if the program involves ITAR-controlled articles or technical data

  • Classify the USML category and identify the specific controlled items

  • Verify your company's DDTC registration is current

  • Identify which team members are authorized US persons for this program

Before you issue an RFQ:

  • Verify the supplier is DDTC-registered

  • Confirm the supplier has ITAR-compliant access controls and IT systems

  • Determine the authorization basis for sharing technical data (license, agreement, or exemption)

  • Mark all controlled documents with appropriate ITAR distribution restrictions

  • Document the authorization in your procurement records

During the sourcing process:

  • Restrict access to ITAR program data within your procurement platform to authorized users only

  • Log all technical data transmissions to suppliers with date, recipient, content, and authorization basis

  • Verify sub-tier supplier compliance if your Tier 1 supplier subcontracts any work

  • Ensure supplier performance reviews include ITAR compliance status

Ongoing:

  • Conduct annual ITAR compliance reviews of your procurement processes

  • Update supplier ITAR status records when registrations renew or expire

  • Train new procurement team members on ITAR requirements before granting program access

  • Voluntarily disclose any identified violations to the DDTC promptly

How LightSource Supports ITAR Compliance

For procurement teams managing both ITAR and non-ITAR programs, the operational challenge is keeping the walls in place without slowing down the work. LightSource supports this through several capabilities:

ITAR-approved supplier labeling. Within LightSource's supplier relationship management, suppliers can be tagged with their ITAR compliance status -- DDTC-registered, ITAR-approved for specific categories, or not ITAR-qualified. When a buyer starts a sourcing event for an ITAR program, the platform surfaces only qualified suppliers, preventing accidental engagement with non-compliant sources.

Permissions and access controls. LightSource's workspace controls can restrict access to ITAR program data to authorized US persons only. Program-level permissions ensure that team members who aren't cleared for a specific ITAR program can't view its drawings, BOMs, supplier quotes, or sourcing decisions -- even if they have access to non-ITAR programs in the same account.

Audit trails. Every action in LightSource is logged -- who accessed what data, when, and what they did with it. This creates the record-keeping foundation that ITAR requires without manual documentation.

Separate workspace controls. Teams can maintain distinct workspaces for ITAR vs. non-ITAR programs, with different access rules, supplier pools, and data handling policies. This architectural separation is the digital equivalent of the physical separation that defense contractors maintain between classified and unclassified work areas.

Sources

Frequently Asked Questions

What is ITAR?

ITAR (International Traffic in Arms Regulations) is a set of US government regulations that control the export and import of defense-related articles, services, and technical data. Administered by the State Department's DDTC, ITAR requires that companies handling items on the US Munitions List register with the government and obtain licenses before sharing controlled items or data with non-US persons. Violations carry civil penalties up to $1.27 million per violation and criminal penalties up to $1 million plus 20 years imprisonment.

Does ITAR affect procurement teams?

Yes, directly. ITAR constrains which suppliers you can engage (must be DDTC-registered for controlled items), what technical data you can share in RFQs (controlled drawings and specs require authorization before sharing), who on your team can access program data (only authorized US persons), and how you maintain records of all data transmissions. Procurement teams need compliance gates built into their sourcing workflow.

What counts as an "export" under ITAR?

An export isn't just shipping a physical item. Sharing ITAR-controlled technical data with a non-US person -- including a foreign national colleague in your own office -- constitutes a "deemed export" that requires authorization. This means emailing a controlled drawing to a supplier in another country, showing controlled specs to a non-US-person employee, or storing controlled data on a server accessible to non-US persons can all be ITAR violations.

What is the US Munitions List (USML)?

The USML is the list of defense articles, services, and technical data controlled under ITAR. It contains 21 categories covering everything from firearms (Category I) to spacecraft (Category XV) to directed energy weapons (Category XIX). The list is maintained by the DDTC and periodically updated. In August 2025, the DDTC published targeted revisions removing some items and adding new exemptions.

How can procurement software help with ITAR compliance?

Procurement platforms can support ITAR compliance through supplier ITAR-status tagging (filtering sourcing events to only DDTC-registered suppliers), role-based access controls (restricting ITAR program data to authorized US persons), audit logging (tracking who accessed what data and when), and workspace separation (maintaining distinct environments for ITAR vs. non-ITAR programs). These features create the operational infrastructure for compliance without requiring manual tracking.

What should I do if I discover an ITAR violation?

Voluntarily self-disclose to the DDTC as soon as possible. The DDTC strongly encourages voluntary disclosure, and companies that self-report typically receive significantly reduced penalties compared to violations discovered through investigation or audit. Engage legal counsel experienced in export controls before making the disclosure.

If you've recently moved from commercial manufacturing into aerospace or defense -- or if your company just won its first DoD contract -- you're about to encounter a regulatory framework that will change how you think about every procurement decision you make.

ITAR -- the International Traffic in Arms Regulations -- governs how defense-related articles, services, and technical data move into, out of, and within the United States. It affects who you can source from, what data you can share with suppliers, which team members can view a drawing, and how you store procurement records. Getting it wrong isn't an abstract compliance risk. Raytheon paid $950 million in October 2024 for violations that included ITAR. BAE Systems paid $78 million. 3D Systems paid $20 million. The penalties are real, and they apply to procurement teams as directly as they apply to engineering.

This post covers what ITAR is, where it came from, how it affects procurement specifically, and how to build compliance into your sourcing operations.

A Brief History

ITAR was enacted in 1976 under the Arms Export Control Act (AECA), during the Cold War. The original intent was straightforward: prevent US defense technology from reaching adversaries, particularly the Soviet Union and its allies.

The regulations are administered by the Directorate of Defense Trade Controls (DDTC), a division of the US Department of State. The DDTC maintains the United States Munitions List (USML), which defines the specific articles, services, and technical data subject to ITAR control. The USML is organized into 21 categories -- everything from firearms and ammunition (Category I) to spacecraft and satellites (Category XV) to submersible vessels (Category XX).

ITAR has evolved significantly since 1976. The most consequential recent reform was the Export Control Reform (ECR) initiative that began in 2013 under President Obama, which moved thousands of items from the USML to the less restrictive Commerce Control List (CCL) administered by the Bureau of Industry and Security (BIS). The intent was to focus ITAR on the most sensitive items and reduce the compliance burden on items that didn't warrant it.

In August 2025, the DDTC published targeted revisions to the USML, removing items like lead-free birdshot and certain GNSS anti-spoofing systems, and adding new license exemptions for unmanned underwater vehicles. The list continues to evolve as technology changes and geopolitical priorities shift.

What ITAR Actually Controls

ITAR governs three categories of controlled items:

Defense articles. Physical items on the USML -- weapons, vehicles, aircraft, electronics, propulsion systems, and their components. If a bracket you're sourcing goes into a missile guidance system, that bracket is an ITAR-controlled defense article.

Defense services. Assistance to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, or modification of defense articles. If you bring a foreign supplier to your facility and walk them through how to manufacture an ITAR-controlled component, that's a defense service -- and it requires a license.

Technical data. This is the one that catches procurement teams. Technical data includes engineering drawings, specifications, process instructions, BOM structures, test data, and manufacturing know-how related to defense articles. If a drawing has ITAR-controlled content and you email it to a supplier in Germany, you've just made an unauthorized export -- even though the part never left the country.

The critical concept: under ITAR, an "export" isn't just shipping a physical item overseas. Sharing technical data with a non-US person -- even a colleague sitting next to you in your own office -- constitutes a "deemed export" if that person is not a US citizen or permanent resident.

How ITAR Affects Procurement

For procurement teams, ITAR creates constraints at every stage of the sourcing lifecycle.

Supplier Selection

Not every supplier can work on ITAR programs. Suppliers handling ITAR-controlled articles or technical data must be registered with the DDTC. Your supplier qualification process needs to verify:

  • Is the supplier DDTC-registered?

  • Does the supplier have appropriate access controls for ITAR data?

  • Are the supplier's employees who will handle your program US persons?

  • Does the supplier have ITAR-compliant IT systems (encrypted storage, access logging)?

  • If the supplier uses sub-tier vendors, are those sub-tiers also compliant?

This narrows your supply base significantly. A component you could source from 20 suppliers globally might have only 5 qualified domestic suppliers when ITAR applies. Less competition typically means higher prices and longer lead times.

Data Sharing and RFQs

In commercial procurement, you send an RFQ with drawings and specs to any qualified supplier. Under ITAR, you can't share controlled technical data with a supplier unless at least one of the following is true:

  1. The supplier is a US person (US citizen, permanent resident, or US company with only US persons on the program)

  2. You have an approved export license or agreement (Technical Assistance Agreement, Manufacturing License Agreement) authorizing the transfer

  3. An exemption applies

This means your standard sourcing process needs a compliance gate before any technical data goes to a supplier. In practice: before issuing an RFQ for an ITAR-controlled part, verify the supplier's ITAR status, mark the data appropriately, and document the authorization basis for the transfer.

Internal Access Controls

ITAR compliance isn't just about external suppliers. Within your own organization, only authorized US persons should have access to ITAR-controlled technical data. This affects:

  • Who on your procurement team can view drawings and specs for ITAR programs

  • How your procurement platform manages permissions

  • Whether your file storage, email, and collaboration tools adequately restrict access

  • How you handle the transition when team members join, leave, or change roles

If your company has international employees on the procurement team, they cannot access ITAR-controlled program data unless a license permits it. This creates real operational challenges in diverse, global organizations.

Record-Keeping and Audit Trails

ITAR requires records of all exports, including deemed exports of technical data. Procurement teams need to maintain logs of:

  • What technical data was shared with which suppliers, when, and under what authorization

  • Which team members accessed ITAR-controlled procurement data

  • Supplier DDTC registration status and compliance documentation

  • All license applications, approvals, and amendments

The DDTC and the Department of Justice can audit these records. If you can't demonstrate that your data sharing was authorized, the assumption is that it wasn't.
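The compliance gate from "Data Sharing and RFQs" and the transmission log from this section can be combined into one deny-by-default check. The sketch below is an added example, not part of the original article and not LightSource's code; the `Supplier` and `Document` fields, the basis labels and `release_gate` are hypothetical names, and the checks mirror only the conditions listed above.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

BASES = {"US_PERSON", "LICENSE_OR_AGREEMENT", "EXEMPTION"}  # hypothetical labels

@dataclass
class Supplier:  # hypothetical record shape
    name: str
    ddtc_registered_until: Optional[date]  # None = no registration on file
    us_person: bool

@dataclass
class Document:
    filename: str
    content: bytes
    itar_controlled: bool
    marked: bool  # carries an ITAR distribution-restriction marking

def release_gate(doc, supplier, basis, reference, sender, audit_log, today):
    """Deny by default; append one audit record per decision and return it."""
    reasons = []
    if doc.itar_controlled:
        if not doc.marked:
            reasons.append("document not marked")
        reg = supplier.ddtc_registered_until
        if reg is None or reg < today:
            reasons.append("supplier DDTC registration missing or expired")
        if basis not in BASES:
            reasons.append("no authorization basis recorded")
        elif basis == "US_PERSON" and not supplier.us_person:
            reasons.append("supplier is not a US person")
        elif basis != "US_PERSON" and not reference:
            reasons.append("license, agreement or exemption reference missing")
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sender": sender, "recipient": supplier.name, "document": doc.filename,
        "sha256": hashlib.sha256(doc.content).hexdigest(),
        "basis": basis, "reference": reference,
        "allowed": not reasons, "reasons": reasons,
    }
    audit_log.append(record)
    return record

# Constructed sample: registration lapsed before the send date, so the gate denies.
SAMPLE = release_gate(
    Document("bracket.pdf", b"sample bytes", True, True),
    Supplier("Example Machining", date(2024, 1, 31), True),
    "US_PERSON", None, "buyer1", [], date(2025, 6, 1))
```

Denied attempts are logged alongside approved ones, so the record shows both what was sent and what was stopped, each with the document hash and the authorization basis claimed at the time.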

The Penalty Landscape

ITAR violations carry severe consequences. The current penalty structure:

| Violation Type | Maximum Penalty |
| --- | --- |
| Civil (per violation) | $1,271,078 or 2x transaction value (whichever is greater) |
| Criminal (per violation) | $1,000,000 fine + up to 20 years imprisonment |
| Debarment | Prohibition from all ITAR-regulated activity |

Recent enforcement actions:

| Company | Year | Settlement | Context |
| --- | --- | --- | --- |
| Raytheon (RTX) | 2024 | $950,000,000 | ITAR + FCPA + FAR violations, required independent monitor for 3 years |
| BAE Systems | 2011 | $78,000,000 | 2,591 violations |
| 3D Systems | 2023 | $20,000,000 | Unauthorized export of technical data related to satellite, launch, and defense programs |

These aren't theoretical. The DDTC actively investigates and prosecutes violations. Voluntary self-disclosure of violations is strongly encouraged -- and typically results in significantly reduced penalties compared to violations discovered through investigation.

Building ITAR Compliance into Procurement

A Practical Checklist

Before you source:

  • Determine if the program involves ITAR-controlled articles or technical data

  • Classify the USML category and identify the specific controlled items

  • Verify your company's DDTC registration is current

  • Identify which team members are authorized US persons for this program

Before you issue an RFQ:

  • Verify the supplier is DDTC-registered

  • Confirm the supplier has ITAR-compliant access controls and IT systems

  • Determine the authorization basis for sharing technical data (license, agreement, or exemption)

  • Mark all controlled documents with appropriate ITAR distribution restrictions

  • Document the authorization in your procurement records

During the sourcing process:

  • Restrict access to ITAR program data within your procurement platform to authorized users only

  • Log all technical data transmissions to suppliers with date, recipient, content, and authorization basis

  • Verify sub-tier supplier compliance if your Tier 1 supplier subcontracts any work

  • Ensure supplier performance reviews include ITAR compliance status

Ongoing:

  • Conduct annual ITAR compliance reviews of your procurement processes

  • Update supplier ITAR status records when registrations renew or expire

  • Train new procurement team members on ITAR requirements before granting program access

  • Voluntarily disclose any identified violations to the DDTC promptly

How LightSource Supports ITAR Compliance

For procurement teams managing both ITAR and non-ITAR programs, the operational challenge is keeping the walls in place without slowing down the work. LightSource supports this through several capabilities:

ITAR-approved supplier labeling. Within LightSource's supplier relationship management, suppliers can be tagged with their ITAR compliance status -- DDTC-registered, ITAR-approved for specific categories, or not ITAR-qualified. When a buyer starts a sourcing event for an ITAR program, the platform surfaces only qualified suppliers, preventing accidental engagement with non-compliant sources.

Permissions and access controls. LightSource's workspace controls can restrict access to ITAR program data to authorized US persons only. Program-level permissions ensure that team members who aren't cleared for a specific ITAR program can't view its drawings, BOMs, supplier quotes, or sourcing decisions -- even if they have access to non-ITAR programs in the same account.

Audit trails. Every action in LightSource is logged -- who accessed what data, when, and what they did with it. This creates the record-keeping foundation that ITAR requires without manual documentation.

Separate workspace controls. Teams can maintain distinct workspaces for ITAR vs. non-ITAR programs, with different access rules, supplier pools, and data handling policies. This architectural separation is the digital equivalent of the physical separation that defense contractors maintain between classified and unclassified work areas.

Frequently Asked Questions

What is ITAR?

ITAR (International Traffic in Arms Regulations) is a set of US government regulations that control the export and import of defense-related articles, services, and technical data. Administered by the State Department's DDTC, ITAR requires that companies handling items on the US Munitions List register with the government and obtain licenses before sharing controlled items or data with non-US persons. Violations carry civil penalties up to $1.27 million per violation and criminal penalties up to $1 million plus 20 years imprisonment.

Does ITAR affect procurement teams?

Yes, directly. ITAR constrains which suppliers you can engage (must be DDTC-registered for controlled items), what technical data you can share in RFQs (controlled drawings and specs require authorization before sharing), who on your team can access program data (only authorized US persons), and how you maintain records of all data transmissions. Procurement teams need compliance gates built into their sourcing workflow.

What counts as an "export" under ITAR?

An export isn't just shipping a physical item. Sharing ITAR-controlled technical data with a non-US person -- including a foreign national colleague in your own office -- constitutes a "deemed export" that requires authorization. This means emailing a controlled drawing to a supplier in another country, showing controlled specs to a non-US-person employee, or storing controlled data on a server accessible to non-US persons can all be ITAR violations.

What is the US Munitions List (USML)?

The USML is the list of defense articles, services, and technical data controlled under ITAR. It contains 21 categories covering everything from firearms (Category I) to spacecraft (Category XV) to directed energy weapons (Category XIX). The list is maintained by the DDTC and periodically updated. In August 2025, the DDTC published targeted revisions removing some items and adding new exemptions.

How can procurement software help with ITAR compliance?

Procurement platforms can support ITAR compliance through supplier ITAR-status tagging (filtering sourcing events to only DDTC-registered suppliers), role-based access controls (restricting ITAR program data to authorized US persons), audit logging (tracking who accessed what data and when), and workspace separation (maintaining distinct environments for ITAR vs. non-ITAR programs). These features create the operational infrastructure for compliance without requiring manual tracking.

What should I do if I discover an ITAR violation?

Voluntarily self-disclose to the DDTC as soon as possible. The DDTC strongly encourages voluntary disclosure, and companies that self-report typically receive significantly reduced penalties compared to violations discovered through investigation or audit. Engage legal counsel experienced in export controls before making the disclosure.

Ready to change the way you source?

Try out LightSource and you’ll never go back to Excel and email.
