ITAR Registration: Standard Definition, Audit Requirements
The ITAR Registration is a regulatory standard governing the export and import of defense-related articles, services, data, and technologies that appear on the United States Munitions List (USML).
ITAR (International Traffic in Arms Regulations) is the regulatory standard governing the export and import of defense-related articles, services, data, and technologies that appear on the United States Munitions List (USML). The USML is a list of technologies, systems, and materials that are considered to give the US a strategic or tactical advantage in an armed conflict. ITAR registration often carries an implicit requirement for Export Administration Regulations (EAR) registration in addition. US companies that engage as suppliers of any type seeking to export items on the USML are required to register with the US State Department's Directorate of Defense Trade Controls (DDTC) and comply with ITAR regulations. Non-US companies have various levels of local registration and compliance requirements that differ widely from the US impositions.
The audit requirements of ITAR allow for periodic no-notice compliance audits by the DDTC. These audits ensure that the business is in compliance with all applicable ITAR requirements. Failure at an ITAR audit results in significant penalties, graded according to the nature of the non-compliance. These range from fines to significant prison sentences (for deliberate breaches by evasion or sanctions busting). It is critically important for ITAR-compliant companies to thoroughly comply with all requirements and maintain quality records of all regulated actions and engagements.
The ITAR registration process involves submitting registration documentation, the DDTC registration form, and a registration fee of $2,250 to the DDTC. The registration form requires the company to provide detailed information about its business operations (USML and non-USML activities), all products or services it offers, and the countries in which it does or expects to do business.
Once registered with the DDTC, the company is required to comply with various well-documented ITAR regulations. This includes implementing an export compliance program (often referred to as a Compliance Manual) to get the license for the export of defense technology and equipment. Maintaining clear and transparent records of all exports and other ITAR-related activities is central to successfully navigating the audit process.
ITAR registration is relevant for companies that are involved in the manufacture, distribution, or export of defense-related articles, services, and technical data. If your products and services are not included in the USML, then ITAR registration is not technically required. The need for ITAR registration concerns companies that are involved in the production, development, and export of items that are specifically designed for military or defense purposes and included in the USML. Examples of technology areas that are liable to be subjected to ITAR processes are:
- Aerospace and defense companies that manufacture and export military aircraft, helicopters, drones, and related components and technologies.
- Engine and propulsion-systems developers and manufacturers.
- Military vehicle manufacturers that produce armored vehicles, tanks, and general military ground transport systems.
- Small-arms manufacturers that produce weapons designed for military or law enforcement use.
- Companies that produce analytical, targeting, strategic analysis, navigation/guidance, software security, and cryptosystems or technologies used in military equipment and support applications.
- Companies that produce or export satellite systems, radar, sensors, and other related technologies for military situation analysis or intelligence applications.
- Developers and exporters of wearables such as body armor, vision systems, comms systems, physical enhancements, and biometrics reporting devices/systems/software.
There are two types of ITAR registrations:
- Manufacturing Registration: Required for any person or company involved in the manufacture or planning to manufacture defense articles covered by USML. This includes a wide range of activities such as: production, development, and assembly of defense articles, design, engineering, testing, quality control of relevant products, software development, and integrating from other (non-USML) products, resulting in such systems. Importantly, a manufacturing registration is required, even if the company does not itself export or plan to export any defense-related products.
- Export Registration: Necessary for any person or company involved in the export of USML-covered defense products or services. This includes brokering, freight forwarding, or arranging for the transportation of USML materials.
Certain exceptions may apply, such as for temporary imports/exports for repair or servicing. However, compliance is the duty of the company, and failure to comply through not correctly interpreting the ITAR regulations, USML definitions, or the duty of care of manufacturers is considered no defense, and prosecutions do happen.
Applicable criteria for ITAR audits of defense-related developers, manufacturers, and exporters can vary widely, depending on the specifics of the situation. These are some common criteria cited during ITAR audits:
- Export compliance program.
- Licensing and recordkeeping practices. This includes all historical records for exports, agreements, and licenses related to USML articles and information/data.
- Employee training programs and regulatory awareness. This ensures internal adherence to ITAR is systemic rather than casual or when evaluated.
- Physical building/facilities security measures. This validates that all materials, products, and technical data are secured from unauthorized access.
- IT systems protection from cyberattacks and internal theft. To ensure that all unauthorized access and acquisition of data is secured from attack by foreign and unregulated commercial interests.
- If the company uses subcontractors, the audit is likely to evaluate the management of subcontractors’ handling of sensitive and regulated materials and data. This ensures that ITAR compliance is thoroughly managed at all stages.
- Company's overall business operations to ensure compliance with ITAR and that applicable licenses and agreements are in place. This can include detailed analysis down to the level of software licenses, use of unsecured servers for email and off-site backups, and a range of other aspects.
The ITAR registration audit and accreditation process ensures that companies that manufacture, distribute, or export defense items are in regulatory compliance. These are the basic steps in the ITAR registration audit and accreditation process:
- Registration: Submit a registration form and fee to the US State Department’s Directorate of Defense Trade Controls (DDTC) to register for ITAR compliance.
- Pre-assessment: The DDTC may conduct a pre-assessment review of export compliance programs and other aspects, to determine if an audit is necessary.
- Audit Notification: If an audit is deemed necessary (as is usually the case), the DDTC will notify the company and provide a time frame for the evaluation.
- Onsite Audit: The DDTC will conduct an on-site audit of operations and conformance to the export compliance program. The audit is likely to include interviews with employees to evaluate their understanding and adherence, review of records and documentation, and inspection of facilities.
- Audit Report: The DDTC will deliver an audit report that outlines any findings of non-compliance and areas for improvement. These can be small areas that don’t immediately halt company processes, but if the issues are serious, then stronger actions may ensue—up to and including suspending authorizations.
- Corrective Action Plan: The company must develop a corrective action plan to address any areas of non-compliance identified in the audit report. This is evaluated and needs to be agreed upon by the DDTC as sufficient.
- Accreditation: Once the corrective action plan is implemented and verified by the DDTC, the company may be accredited for ITAR compliance without further issues, or a fresh audit may be required if the non-compliance issues were more far-reaching.
Accreditations are issued for three years. A new audit and accreditation process is required after that. Maintaining thorough export compliance processes, undertaking internal audits, and addressing any discovered areas of non-compliance are the way to be ready for real ITAR audits when they arise.
The benefits of obtaining ITAR registration are:
- It allows a company to work on highly profitable defense-related projects with confidence in its legal position. This allows access to work with government agencies and non-government defense contractors.
- Registration/accreditation signals that a company is compliant with ITAR, offsetting the risks and potential penalties in dealing with non-compliant suppliers.
- It can enhance a company's standing among existing and potential customers, as a reliable and trustworthy supplier, accredited as such by the State Department.
- Registration provides access to DDTC-regulated training and resources supporting ITAR compliance. This can help companies stay current with regulatory changes and best practices.
- It is generally a prerequisite for companies seeking to export defense-related items and technical data outside the US. It can open up significant opportunities for international business and partnerships, including non-ITAR-regulated work.
- Government agencies and defense contractors generally prefer to work with ITAR-registered suppliers. It minimizes potential compliance risks and obviates the need to upskill their subcontract partners.
ITAR registration is required for companies that either already (or plan to) manufacture, distribute, or export defense articles or technical data covered by the USML. The list includes numerous technology areas and is considered in 21 categories, as follows:
- Firearms, close assault weapons, and combat shotguns.
- Guns and armament.
- Surface vessels of war and special naval equipment.
- Explosives and energetic materials, propellants, incendiary agents, and their constituents.
- Ballistic missiles, bombs, launch vehicles, guided missiles, rockets, torpedoes,, and mines.
- Ground vehicles.
- Aircraft and related articles.
- Military training equipment and training.
- Personal protective equipment.
- Military electronics.
- Fire control, range finder, optical and guidance and control equipment, and night vision goggles.
- Materials and miscellaneous articles.
- Toxicological agents, including chemical agents, biological agents, and associated equipment.
- Spacecraft and related articles.
- Nuclear-weapons-related articles.
- Classified articles, technical data, and defense services not otherwise enumerated.
- Directed energy weapons.
- Gas turbine engines and associated equipment.
- Submersible vessels and related articles.
- Articles, technical data, and defense services not otherwise enumerated.
ITAR registration controls areas of activity related to the above categories of product/technology, in addition to the articles themselves. It is required if a company engages in any of the following USML-related activities:
- Manufacturing defense articles or technical data.
- Exporting or temporarily importing (for re-export) defense articles or technical data.
- Brokering activities related to the sale or transfer of defense articles or technical data.
- Providing defense services related to the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, or demilitarization of defense articles.
- Additionally, companies that have been prosecuted over ITAR violations in the past may be required to register as part of a settlement agreement with the US government, irrespective of their current business model.
The Directorate of Defense Trade Controls (DDTC), part of the US State Department, is the authority that issues ITAR registrations. They perform audits on applicants and existing registrants to test compliance and correct shortfalls in processes or records. The DDTC is responsible for overseeing the export and temporary import of defense articles and technical data, under the ITAR authorizations.
There are several US registrations and accreditations, parallel and interrelated with ITAR. These are typically relevant for companies in the defense development/manufacturing sector or those who handle export-controlled items. These are listed below:
- Export Administration Regulations (EAR): Governs the export and re-export of dual-use items, software, and technology. Dual-use can have surprising interpretations, as defense and military applications for technologies are not always evident. Companies involved in activities that might involve dual-use technology exports are recommended to register with the US Commerce Department Bureau of Industry and Security (BIS).
- Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF): Controls the manufacturing, distribution, and importation of firearms and ammunition in the US. Companies that engage in these activities are recommended to register with the ATF.
- Cybersecurity Maturity Model Certification (CMMC): A standard that contractors must comply with, to be granted Department of Defense (DoD) contracts. The CMMC accreditation process verifies that companies have implemented effective cybersecurity processes.
- National Institute of Standards and Technology (NIST) 800-171: A set of cybersecurity processes that must be met to receive DoD contracts. This relates to security within companies that have access to controlled unclassified information.
- ISO 9001: The most widely used quality standard; it is considered necessary to be considered for defense-related contracts.
Other Certifications That Related to the Industries/Companies and/or Processes/Systems That It Relates To
There are several other certifications and standards that can have a bearing in the defense and weapons development and export sector, including:
- ISO 27001: Information Security Management System (ISMS) standard that guides the management of sensitive information, particularly relevant to sensitive defense-related data.
- AS9100: This is the Aerospace Quality Management System that encompasses all areas of aerospace products, including defense/military products.
- ISO 14001: Environmental Management System (EMS) standard that provides a framework for managing environmental impacts associated with all manufacturing.
- ISO 45001: Occupational Health and Safety Management System (OHSMS) standard that addresses health and safety risks associated with manufacturing.
- Nadcap: The National Aerospace and Defense Contractors Accreditation Program (Nadcap) provides accreditation for manufacturing processes related to the aerospace and defense industries.
- DFARS: The Defense Federal Acquisition Regulation Supplement (DFARS) includes further and overlapping cybersecurity requirements that contractors must meet to work on DoD contracts.
It should be noted that few companies need all of these registrations, but most of those who are looking to develop business in the defense and military sectors should consider carefully which are beneficial to their plans.
This article presented ITAR registration, explained it, and discussed its various audit requirements. To learn more about certifcations, contact a Xometry representative.
Xometry provides a wide range of manufacturing capabilities and other value-added services for all of your prototyping and production needs. Visit our website to learn more or to request a free, no-obligation quote.
The content appearing on this webpage is for informational purposes only. Xometry makes no representation or warranty of any kind, be it expressed or implied, as to the accuracy, completeness, or validity of the information. Any performance parameters, geometric tolerances, specific design features, quality and types of materials, or processes should not be inferred to represent what will be delivered by third-party suppliers or manufacturers through Xometry’s network. Buyers seeking quotes for parts are responsible for defining the specific requirements for those parts. Please refer to our terms and conditions for more information.