What is ITAR Compliance?
What is ITAR?
The International Traffic in Arms Regulations (ITAR) is a regulation that restricts and controls the export of defense and space-related articles, technologies and services to safeguard United States national security and foreign policy objectives. The Directorate of Defense Trade Controls (DDTC), U.S. Department of State, administers the ITAR, which is outlined in the Electronic Code of Federal Regulations (e-CFR) – 22 CFR parts 120 through 130.
Who Does ITAR Apply To?
ITAR requires that access to technical data and physical materials related to defense and military technologies be restricted to only U.S. citizens on a secure, compliant network.
U.S.-based companies with overseas operations are prohibited from sharing ITAR technical data with employees local to those countries, unless State Department authorization is secured. U.S. companies that work with non-U.S. subcontractors are also subject to this rule. A few countries have secured exemptions, based on specific purposes, including Canada, the United Kingdom and Australia.
Government Contractors Need An ITAR Compliance Plan
Because ITAR exists to track sensitive military and defense materials in order to keep them from foreign players, government contractors are required to put a documented ITAR compliance plan in place. The program includes the tracking, monitoring and auditing of technical data. Every company in the supply chain of a contract or project – subcontractors, computer software/hardware vendors, third-party suppliers, wholesalers and distributors – also needs to be ITAR compliant and must be factored into the plan.
What are ITAR Articles, Services and Technical Data?
Articles (the current list outlines 21 categories) and services are defined in the United States Munitions List (USML). Technical data outlined by ITAR includes plans, blueprints, photos, diagrams, drawings, instructions, and other documentation.
Categories on the United States Munitions List
- Guns and armament
- Firearms, close assault weapons and combat shotguns
- Ordnance and ammunition
- Nuclear weapons and related articles
- Directed energy weapons
- Surface vessels of war and special naval equipment
- Ground vehicles
- Aircraft and related articles
- Spacecraft and related articles
- Submersible vessels and related articles
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives and energetic materials, propellants, incendiary agents, and their constituents
- Military training equipment and training
- Personal protective equipment
- Military electronics
- Classified articles, technical data and defense services not otherwise enumerated
- Articles, technical data and defense services not otherwise enumerated
- Fire control, range finder, optical and guidance and control equipment, including night-vision goggles
- Materials and miscellaneous articles
- Toxicological agents, including chemical agents, biological agents, and associated equipment
- Gas turbine engines and related articles
Understanding ITAR Technical Data Compliance
Any company that manufactures, exports or brokers defense articles or services, or is involved with related technical data, must comply with ITAR requirements. This technical data is necessary for the development, design, production, manufacturing, operation, assembly, testing, maintenance, repair, or altering of an article.
To protect technical data, security strategies should be multi-layered and follow the standards and guidelines within the National Institute of Standards and Technology (NIST) Special Publication 800-53.
Principles to consider to ensure ITAR technical data compliance:
- Locate, classify and secure data as defined by business policies
- Identify and map administrators, users, groups, folders and file permissions
- Manage access controls
- Monitor and audit data, file activity and user behavior to detect security vulnerabilities and threats for remediation
ITAR Penalties for Non-Compliance
Penalties for ITAR non-compliance include civil and criminal fines.
- Civil fines: Up to $500,000 per violation
- Criminal fines: Up to $1 million per violation OR 10 years imprisonment per violation
The U.S. government also has the authority to take the additional measure of banning a company from any related future exports and imports.
In a massive global foreign bribery resolution, the United States Department of Justice issued details on an agreement with Airbus SE to pay over $3.9 billion in penalties involving ITAR non-compliance. Airbus is a global provider of civilian and military aircraft based in France, and its penalties included bribery charges with authorities in the U.S., France and the United Kingdom. Airbus planned to “use third-party business partners to bribe government officials, as well as non-governmental airline executives, around the world and to resolve the Company’s violation of the Arms Export Control Act (“AECA”) and its implementing regulations, the International Traffic in Arms Regulations (“ITAR”), in the United States,” according to a statement from the U.S. Department of Justice.
Steps for Achieving ITAR Compliance
Currently, no formal certification process exists to become ITAR compliant. Certain standards exist within the defense industry, however, that are important for building an ITAR compliance plan.
- Register with the State Department – Specifically, the Directorate of Defense Trade Controls (DDTC).
- Formalize ITAR Compliance Programs within your Business – Having formal programs and defined processes demonstrates a commitment to compliance and provides a framework for addressing issues.
- Use Compliant Cloud Storage – To ensure technical data is not accessible to foreign persons or nations, government contractors seeking ITAR compliance should consider having data centers managed solely by U.S. persons in U.S. locations.
How Deltek Supports Government Contractors with ITAR
In an effort to support government contractors’ increasing cybersecurity and compliance demands, Deltek offers industry-leading solutions and cloud environments, providing enhanced cybersecurity controls to help protect data and meet strict federal compliance requirements.
Deltek has gone to great lengths to ensure our cloud environments meet the security and oversight demands of government agencies like the U.S. Department of State and Department of Defense. Costpoint GovCon Cloud (GCC) Moderate supports government contractors with meeting compliance requirements for the protection of Controlled Unclassified Information (CUI) and ITAR data in the Deltek Cloud, eliminating the burden of on-premises equipment. Deltek has implemented controls to align with government contracting requirements, such as NIST SP 800-53 and CNSSI 1253. Costpoint GCCM has also achieved FedRAMP Moderate Ready status and is listed on the FedRAMP Marketplace.
As a software-as-a-service provider, Deltek covers approximately 75% of the required controls and shares in the responsibility of most of the remaining controls. Costpoint GCC Moderate customers share in the responsibility of meeting the FedRAMP Moderate control requirements beyond Deltek in terms of how they internally define process and procedures to secure technical data.