Getting Certified-International Traffic in Arms Regulations ITAR- ISO PROS #21

Getting Certified & Implementing International Traffic in Arms Regulations ITAR

The United States government demands conformity with ITAR for all suppliers, exporters, and distributors of military products, security supplies, or relevant technological details. If your organization falls into these groups, the details below will help address some of your queries.

Many and more businesses need representatives of their supply chains to be ITAR certified or ITAR compliant. Language for this function is also found in contracts, procurement agreements, and application demands. It is written out nowhere in the International Trade in Arms Regulations (ITAR) what “ITAR approved” entails. When you talk to various staff members of the Directorate of Defense Trade Controls (DDTC), you can get somewhat different responses, but the appropriate, usually secure meaning of “not for attribution” is as follows:

To a corporation engaging in the production, selling or delivery of products and services covered by the U.S. Munitions List (USML) or even a product manufacturer of products covered by the U.S.M.L., the stipulation and obligation to be ‘ITAR approved (compliant)’ implies that the business must be licensed with the DDTC of the State Department, if applicable as specified on the website of the DDTC and the item. The business also certifies that as it acknowledges as a supplier to the USML prime exporter, it works in compliance with the ITAR.

In other simplistic terms, in order to be fully ITAR compliant, an organization has to file with DDTC to recognize all they need to do in accordance with ITAR, and to be self-certified that they have this information. This clarification is not a legal opinion and is not meant for attribution. When you have a question regarding whether this definition relates to your business, you can receive legal advice or call us at ISO Pros for more clarity.

ITAR compliance for technology companies

The ITAR governs the production, selling, and delivery of technologies as a significant U.S. export protection regulation. The purpose of the law is to control access to different application forms and their related data. And overall, the government’s seeking to discourage all foreign nationals from releasing or transmitting classified details. Because of this, ITAR can also pose challenges for all global corporations, as data relating to specific technologies which may also need transferring over the internet and/or stored locally when outside of the US to allow business processes to flow smoothly. All of the responsibility does lie with the specific manufacturer and/or exporter especially when taking all necessary precautions with steps certifying that they actually comply with the requirements of ITAR compliance.

ITAR, in particular:

  • Covers all military items and/or articles on defense
  • Regulates materials and technologies in a strategic environment intended to destroy or protect against death
  • Requires spatial technologies owing to the transition of missile systems
  • Includes analytical reports on information and resources relevant to the defence
  • Implies tight governmental approval which does not fulfill market or study objectives

ITAR information security recommendations

Along with the importance of ITAR enforcement and the consequences of non-compliance, it is necessary to also understand especially how to protect your data under ITAR supervision. Although data management for each organization may have specific criteria, below are some of the best practices used to consider when protecting ITAR data:

  • Be sure to maintain a Safe information policy
  • Create and manage a stable network by deploying and managing data protection firewall configuration and preventing the usage of vendor-provided passwords as well as other security defaults
  • Assign a specific ID to any user accessing a device
  • Check the protection infrastructure and procedures periodically
  • Encryption to protect confidential data
  • Track and check the networks on a regular basis
  • Implement strong measures to check access
  • Monitor and track every access to your network resources as well as sensitive data
  • Keep a risk detection system
  • Implement steps to avoid the destruction of data subject to ITAR control

The list isn’t comprehensive but it’s meant to include a starting point when protecting confidential data and compliance with ITAR. Through implementing and enforcing these steps to match the requirements of your business, you will guarantee that ITAR data’s available where it is required to be, whilst being shielded from failure or unwanted access.

A couple of important FAQs to help with getting compliant with ITAR

What’s an Export?

With the export laws, exports are all real imports of a product from the country including those called ‘deemed exports.’ With a deemed export, it is the sale, release or transmission to all foreign persons living in the US of ‘scientific details’ (the term used by the International Trade in Arms Regulations (ITAR)) or ‘information’ (the term that is used by Export Administration Regulations (EAR)) pertaining to co-operation. A declared export is called an export into the international person’s home country. Accordingly, a certificate or authorization waiver is required for all regulated commodities before transmitting “information” or “scientific details” regarding the regulated commodity to all foreign persons within the United States.

For more specific details and ties to the legislation see the government’s Export Management Policies.

The FAQs further specify that, with the degree that exporters and/or foreign entities are in proper faith adopting the frameworks proposed which have been revised by the law of 2015 on the procurement by defense services by U.S. persons overseas, which, amongst other items, included an exception for a U.S. contractor of any foreign person under certain circumstances, DDTC would generally consider the delivery for defense services by the U.S.

For more clarity on, inter alia, the specific information needed for the authorization request and the conditions to be fulfilled before the authorization request is sent, please see the full text of the FAQs.


Are you legally liable/responsible? What can be the penalties incurred for violating these export regulations?

The regulations regulating export control specify that both institutions and individuals can be found liable. Do note that in all circumstances, these regulations will apply to yourself, regardless of the activities carried out as part of your responsibilities at the business.

The Arms Export Controls Act (AECA) as well as the  International Trade in Arms Regulations (ITAR) specify that deliberate breaches of the security controls may be punished by up to 1 million dollars per breach, or 10 years’ incarceration, or both. The US Secretary of State can also impose criminal fines but will not surpass 500 hundred thousand dollars per infringement. The criminal fines can be levied in relation to some other duty or fine, or in place of it.

Similar to ITAR, infringements of the very important Export Management Regulations (EAR) makes you also subject to criminal as well as administrative penalties. Fines due for export breaches, including anti-boycott infringement, in criminal cases, will go up to 1 million dollars per offense, and in most administrative situations, 500 hundred thousand dollars per breach. Additionally, convicted criminals could be sentenced for up to twenty years in jail, and administrative punishments can require revocation of export rights.

Potential fines differ depending on the nation and content concerned for those violations made under the US Office of Foreign Assets Management. Under the rules, any exporter could be liable to a cumulative criminal penalty of 250 thousand dollars for each violation.

In any of the aforementioned situations, if performed properly, voluntary self-disclosures will minimize the seriousness for the fine. Penalties refer to each particular offense, which implies that whether an offense requires at least two regulated substances or objects, which happens more than once, whose event may result in a fine. If you fear you may have made such a mistake and maybe violated export controls, contact ISO Pros today; we can help you to assess the best way forward, as we are the experts you need to call.