101 Marietta Street NW, Centennial Tower, Suite 3325, Atlanta, GA 30303
Lowther | Walker Logo

ITAR Violations

For anyone subject to ITAR, it is crucial to understand the consequences of a violation and what steps to take with an ITAR attorney should a mistake occur.

The International Traffic in Arms Regulations, known as ITAR, is a federal law that controls the import and export of goods, services, technology, and data related to defense and space within the United States. The full list of relevant items is known as the United States Munition List (USML), and anyone involved in the supply chain for these items is required to comply with ITAR, from manufacturers to contractors.

The basic principle of ITAR sounds simple: items on the USML cannot be sold to or held by anyone who is not a United States citizen. But the processes, licenses, and documentation involved in proper ITAR compliance can be overwhelming for some companies, and registration with the State Department’s Directorate of Defense Trade Controls (DDTC) is required and may seem intimidating.

Not every ITAR violation is done intentionally, but they are all taken very seriously by federal courts.

Common ITAR Compliance Violations

The range of actions that could lead to non-compliance with ITAR is impossible to list out comprehensively, especially due to the changing nature of ITAR and export controls. However, a number of issues come up frequently in ITAR cases and are good to be aware of as a means of prevention.

Intentional Non-Compliance

In these cases, a company knows they are violating ITAR and chooses to proceed with an action anyway. They may even receive additional compensation or benefits for doing so. These cases are at the highest risk of both criminal and civil penalties, usually receiving the harshest possible consequences, including both fines and imprisonment. If any employee becomes aware of an ITAR violation and does not properly communicate through appropriate channels, they can be considered willfully violating ITAR and punished to the full extent of the law.


Any manufacturers of firearms, ammunition, or other defense services are required to register with the U.S. Department of State, Directorate of Defense Trade Controls ((DDTC) in order to produce these heavily controlled items. If a company fails to register with the appropriate agency, this can lead to export violations.


Within the defense industry, a number of compliance measures exist to prevent unauthorized exports in the interest of national security. Prior to exporting defense services and technical data to a foreign entity, a company must comply with strict ITAR programs and gain prior approval. If this is not done properly, it can lead to a violation.

It is important to note here that exporting does not always require the physical shipment of a defense item, service, or piece of data. Even discussing these items with someone in a foreign country can be considered a violation under these terms.

Accidents or Oversights

Oftentimes, ITAR is violated by someone within a company completely unknowingly. The breadth and complexity of the law make it easy for some items to fall through the cracks, especially in large organizations. Someone simply sending an email without realizing a recipient is not a citizen could cause issues.

However, ITAR provides for a process of voluntary disclosure that allows companies to drastically reduce their fines or eliminate them altogether. By being forthcoming and cooperative, as well as making an effort to prevent future occurrences, you can avoid severe penalties.

Omissions or Misrepresentations

Some companies or individuals simply get confused about specific aspects of ITAR and what it covers. When an exporter makes a factual omission of information, licensing, or reporting, this could lead to criminal and civil penalties. If this is done in error, it is critical to report that error as soon as possible. ITAR relies on honesty and accuracy, so full disclosure will go a long way.

Consequences for ITAR Violations

In addition to following ITAR regulations, companies must also keep updated on amendments and updates to the regulations as the environment changes. The U.S. government is serious about compliance with ITAR and rarely does a violation go unpunished.

Penalties for ITAR violations can be both civil and criminal in nature, depending on the severity, type, and scope of the violation. Some potential consequences include the following:

  • Business Fines: Violators may have to pay up to $1 million per individual ITAR violation. For many companies, this can impact their ability to function competitively in their market.
  • Personal Civil Penalties: Depending on the circumstances of a violation, the Secretary of State can opt to fine individuals up to $500,000 per violation in civil penalties.
  • Personal Criminal Penalties: Individuals can also be charged with criminal ITAR violations, resulting in up to 10 years of imprisonment per violation. This generally requires malicious intent.
  • Debarment or Loss of Export Licenses: In addition to direct fines, you may lose your ability to work and conduct business by losing a license. This could rule out working as a government contractor ever again, impacting your career.
  • Business Disruption: Any case regarding ITAR violations will take time, attention, and energy from the leaders of a business. Not only is there a risk of penalty, but the business may be disrupted or halted while a case is addressed.
  • Reputational Risk: ITAR penalties are often made public, which could brand a company as untrustworthy or unethical in the eyes of its clients.

Avoiding ITAR Violations

Because of the harsh consequences, no company wants to end up entangled in an ITAR-related court case. Most companies that are subject to ITAR have internal processes set up to ensure compliance. While these can be designed by the entity itself, the U.S. Federal regulations for federal agencies can offer guidance on how to build a strong preventative program.

Based on NIST SP 800-53, the standards for securing ITAR data include the following principles:

  • Any sensitive data should be located and identified as such and placed under appropriate security measures. Data may also be classified based on the business policy related to that specific category of good or service.
  • All data and permissions should be appropriately mapped. Each user, group, file, and folder should have a specific set of permissions, and each employee should be classified according to what they have the right to access.
  • Access control is critical, including the management of users and group memberships and the deactivation of any “stale” users. Because permissions are location-based, global access groups will be disabled on any ITAR related information. A “least privilege” model is recommended, in which employees are only given the minimum permissions needed for specific tasks.
  • Monitoring of data, file activity, and user behavior is critical in demonstrating compliance. All file and event activity should be audited regularly, with results recorded. This includes monitoring for insider threats, malware, misconfigurations, and security breaches and remediating any issues discovered.
Experienced. Aggressive. Successful. Nationwide.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram