Skip to main content
07.07.2020 Legal News

What Does It Mean to Be “ITAR Compliant” - Three Steps to Take Now

Many small and mid-sized companies in the defense industry are being asked by their prime contractors if they are “ITAR Compliant” or “ITAR Certified” and what steps they have taken to meet this requirement.1 In addition, many firms in the defense supply chain are concerned about the legal liability they face for failure to comply with ITAR on an ongoing basis.  These issues apply both to companies with direct contracts on defense projects as well as independent upstream suppliers of parts, components, services and software that are ultimately used in defense products.

There is no formal certification process to become “ITAR Compliant” or “ITAR Certified” - companies are expected to understand the regulations and comply with these requirements on their own.  However, there are three important steps that small/mid-sized government contractors and suppliers can take to come into compliance with the law and demonstrate their ITAR readiness to their prime contractors:

  1. ITAR Registration: Many companies in the defense supply chain are required to register with the State Department under ITAR Part 122.  Companies should assess if they are required to register and if so do so as quickly as possible.  For additional information regarding the requirement to register see our article: “Is My Company Required To Register Under ITAR?”
  2. ITAR Compliance Program: Another important step is to learn about the general requirements under ITAR and the EAR and adopt internal written policies and procedures to comply with these – this is called an ITAR Compliance Program.  The State Department recommends that companies involved in ITAR-controlled activities adopt ITAR Compliance Programs - and if a company has an ITAR violation the State Department frequently reduces penalties or assesses no penalties for companies that have compliance programs.  Compliance Programs demonstrate to prime contractors (and government agencies if there is an ITAR violation) that your company has a formal process for ITAR compliance and project a sophisticated approach to managing these issues.
  3. Risk Assessment - Unique Requirements That Apply To Your Company: A third important step is identifying the specific ITAR requirements that apply to your company based upon your business activity, customer base and countries of operation and adopting focused strategies for dealing with these.  For example, a company providing electronic components for the F-35 to a customer in Chicago will most likely have different ITAR requirements than a company providing program services to support the U.S. Navy in Japan.  This is sometimes called a “Risk Assessment” - this can help you identify the greatest legal risks/exposures for your company and strategically concentrate efforts to eliminate these.

If a company is subject to ITAR a number of requirements may apply, including: (i) the prohibition against disclosing ITAR-controlled technical data to foreign nationals overseas and in the U.S. (including employees of your company) without a license; (ii) the requirement to register with the State Department; (iii) the requirement to obtain State Department authorization (called a Technical Assistance Agreement) to perform “defense services;” (iv) the requirement to obtain export and import licenses for certain transactions; (v) restrictions on “brokering” or assisting others in the sale/transfer of defense articles and defense services; (vi) restrictions on entering transactions with parties from countries subject to U.S. arms embargoes set forth in ITAR §126.1 (called the “§126.1 Proscribed Countries”); and (vii) reporting and recordkeeping requirements.

A more detailed discussion of ITAR requirements applicable to government contracts firms and component suppliers is available in our Whitepaper: “ITAR For Government Contractors.”

ITAR compliance is important - failure can result in civil and criminal penalties of up to $1,000,000 in fines and twenty years imprisonment.  ITAR requirements can apply even if your company does not engage in any international activities and even if your only customer is the U.S. Department of Defense.

For additional resources for small and mid-sized government contractors and suppliers on ITAR compliance please see:   

1The International Traffic In Arms Regulations (ITAR) are the State Department regulations that apply to the manufacture and transfer of defense products, defense services and technical data.  See 22 CFR Chapter I, Subchapter M, Parts 120 – 130.  The Commerce Department administers a companion set of regulations entitled the Export Administration Regulations which apply to commercial products and certain limited defense products which must be read in conjunction with ITAR.  See 15 CFR Chapter VII, Subchapter C.