What Is ITAR?

ITAR governs the manufacture, sale, distribution, and export of defense and space-related articles, services, and technical data as defined on the United States Munitions List (USML). The regulations are codified in 22 CFR Parts 120-130 and administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State. ITAR’s central purpose is to prevent sensitive defense technology from reaching foreign nations or foreign persons without explicit government authorization.

ITAR vs. EAR: Understanding Export Controls

The U.S. has two primary export control regimes. ITAR covers defense articles and services on the USML, while the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, govern dual-use items on the Commerce Control List (CCL). The key distinction is that ITAR controls are generally more restrictive — ITAR technical data cannot be shared with any foreign person (regardless of nationality or location) without a license or exemption, whereas EAR controls vary by country and end-use.

ITAR Registration and Compliance

Any U.S. person or entity engaged in manufacturing, exporting, or brokering defense articles or services must register with DDTC. ITAR compliance requires maintaining registration, implementing Technology Control Plans (TCPs) to prevent unauthorized access to ITAR data, screening employees and visitors for foreign person status, securing ITAR technical data in both physical and digital environments, and obtaining export licenses or applying valid exemptions before sharing ITAR-controlled items with foreign persons.

ITAR and Cloud Computing: The GCC High Connection

ITAR’s restriction on foreign person access creates specific requirements for cloud computing environments. ITAR data must be stored and processed in facilities where access is limited to U.S. persons. This is why defense contractors handling ITAR data typically require Microsoft GCC High or equivalent government cloud environments — these platforms guarantee U.S.-only data residency and U.S.-person-only access to infrastructure and support operations.

ITAR Penalties and Enforcement

ITAR violations carry severe penalties. Civil penalties can reach over $1 million per violation, while criminal penalties include fines up to $1 million and imprisonment up to 20 years. The State Department can also impose debarment, which bars an organization from participating in defense trade. Recent enforcement trends show increased scrutiny of digital transfers, including emails, cloud storage, and remote access that may constitute unauthorized exports of ITAR technical data.

ITAR and CMMC Compliance

While ITAR and CMMC are administered by different agencies (State Department and DoD, respectively), they often apply to the same organizations. Defense contractors handling ITAR data that is also CUI must comply with both frameworks. The NIST SP 800-171 controls required by CMMC Level 2 provide a strong foundation for protecting ITAR technical data, though ITAR adds specific requirements around foreign person access controls, deemed exports, and Technology Control Plans that go beyond CMMC’s scope.