ITAR Compliance: Software, Costs, and 5 Defense Exporter Mistakes

Every U.S. company that manufactures, exports, or brokers defense articles on the United States Munitions List (USML) needs ITAR compliance. Registration with DDTC, written procedures for technical data handling, screening every transaction party against restricted lists. Getting any of this wrong carries civil fines up to $1,200,000 per unauthorized transfer under 22 U.S.C. § 2778. And the scope keeps growing — on September 15, 2025, the State Department's final rule amended 15 of 21 USML categories, adding more controlled items than it removed for the first time since the Export Control Reform era ended.

ITAR and EAR compliance overlap creates classification gaps

Most ITAR enforcement problems we see start in the same place: the boundary between ITAR and EAR compliance. ITAR covers defense articles on the USML, administered by the State Department's DDTC. The Export Administration Regulations (EAR), run by BIS at the Department of Commerce, cover dual-use items with commercial and military applications. Two agencies, two lists, two sets of rules. And an item can move from one to the other overnight.

That's what catches people. An item removed from the USML does not become uncontrolled. It shifts to EAR jurisdiction under a specific Export Control Classification Number (ECCN). The September 2025 USML revisions pulled lead-free birdshot and certain GNSS anti-spoofing systems out of ITAR, but those same items may still need a BIS license depending on where they're headed.

We've talked to manufacturers who assumed a USML removal meant free export. Thirteen times, in one case. That was Torrey Pines, shipping while their commodity jurisdiction request sat pending at DDTC. The ITAR application for a CJ determination remains the only reliable way to confirm which agency has jurisdiction. DDTC processes roughly 38,000 license applications annually from around 14,000 registered entities. A lot of products live in that gray zone.

Existing licenses for transitioning items stay valid for up to three years. That grace period exists because reclassification under EAR takes real work: new ECCN determinations, different license exception analyses, different record-keeping obligations.

What ITAR compliance software actually does

ITAR compliance software replaces the spreadsheet-and-email approach that still runs at most mid-size defense exporters. Classification tracking, license lifecycle management through DECCS, denied party screening against restricted entity lists. That's the core.

Screening dominates the workload. We talk to export managers running 200+ manual screens per week against DDTC's debarred list, the BIS Entity List, OFAC's SDN list. Above 50 screens per day, the error rate climbs. Nobody talks about that threshold, but we've watched it happen at enough companies to trust the pattern.

One thing that consistently fails: keyword-only screening without fuzzy matching. A party listed as "Al-Rashid Trading" will not match "Al Rashid Trading Co." without phonetic and alias-matching algorithms. We've seen companies build screening in Excel and miss hits sitting right there in the data. The paperwork trail goes cold when your matching logic can't handle transliteration variants or name-order inversions.

Audit trail generation matters more than most companies realize. The Torrey Pines consent agreement specifically cited failure to maintain records under 22 C.F.R. § 122.5 as an aggravating factor. One missing export log entry, and what was a manageable disclosure becomes a consent agreement negotiation. Good export control software removes that category of exposure entirely.

License management handles DSP-5, DSP-61, Technical Assistance Agreements, and Manufacturing License Agreements through their lifecycle. With DDTC processing everything through DECCS now, ITAR software plugs directly into that portal for status alerts and renewal tracking.

Registration costs and hidden expenses of ITAR export controls

DDTC registration fees are the line item everyone knows about. After January 9, 2025, Tier 1 registrants pay $3,000 annually. Tier 2 (1 to 5 favorable determinations) costs $4,000. Tier 3 starts at $4,000 plus $1,100 for each determination over five. Small businesses can petition through DECCS for a $500 discount if that $3,000 exceeds 1% of annual revenue.

Registration barely registers compared to the operational cost. We've broken this down with enough mid-size defense exporters (50 employees, $15 million in revenue) to see the pattern: $150,000 to $400,000 per year in total ITAR-related spend.

Classification reviews eat the most staff time. Every new product or modification requires a jurisdiction determination, and a single CJ request to DDTC takes 45 to 90 days. Meanwhile, the product sits. Can't ship it, can't quote it to a foreign buyer, can't send drawings to an overseas subcontractor for tooling quotes.

Training runs $5,000 to $15,000 annually for a 50-person facility. DDTC expects every person with access to ITAR-controlled technical data to be trained. That includes the IT admin who maintains the server where CAD files live, which surprises more companies than you'd think.

Then there's cloud infrastructure. ITAR data cannot be accessed by foreign persons under any circumstances. Configuring role-based access controls and physical server separation for export compliance adds $20,000 to $60,000 upfront. Companies that already run multi-tenant cloud environments usually find out the hard way that their existing setup doesn't qualify.

Legal counsel is the cost nobody budgets for until they need it. A voluntary disclosure to DDTC runs $50,000 to $200,000 in outside legal fees. DDTC gives mitigating credit for self-disclosure, but the investigation alone takes months.

5 Mistakes that trigger DDTC enforcement actions

Mistake 1: Treating DDTC registration as a compliance program. Registration gives you a code in DECCS. We've seen companies ship defense articles without a license because "they were registered," as if the code itself cleared them to export. DDTC's own guidance says registration "does not confer any export rights or privileges." Worth reading that sentence twice.

Mistake 2: Exporting while a CJ determination is pending. Torrey Pines exported items 13 times while awaiting a commodity jurisdiction ruling. Some shipments went to China, a proscribed destination under ITAR § 126.1. Their invoices showed the exports, even though they told DDTC they were treating the product as controlled. That contradiction turned a potential disclosure into a consent agreement.

Mistake 3: Letting ITAR flow-down die at Tier 1. The ITAR application extends to every subcontractor touching USML technical data. Your Tier 2 supplier gets engineering drawings for a defense article? That supplier needs DDTC registration and proper handling procedures. Honeywell's consent agreement showed exactly where this breaks. Technical data for F-35, F-22, and B1-B aircraft components reached China through the supply chain, and the enforcement action landed on Honeywell.

Mistake 4: Thinking "technical data" means finished hardware. We've talked to machine shop owners who had no idea their fixture drawings qualified as defense articles under 22 C.F.R. § 120.33. Engineering drawings. CAD files. Test reports. Manufacturing process specs. Share any of these with a foreign national employee without authorization, and that's an ITAR export. Domestic manufacturers who never ship a physical product abroad still carry this exposure.

Mistake 5: Sitting on known infractions. Four of the last ten DDTC consent agreements involved small businesses. The enforcement framework rewards prompt voluntary disclosure with reduced penalties. Six months of silence turns a manageable situation into an aggravating factor.

How ITAR software fits into existing export control systems

The question we hear most from manufacturers: does ITAR software replace the ERP or sit next to it?

Neither. Export control software operates as a middle layer between your ERP and the regulatory decision point. It pulls order data from SAP, Oracle, or NetSuite, runs screening against consolidated watchlists, flags items needing license review, and sends approval or hold signals back into the order workflow.

For dual-jurisdiction companies handling both ITAR and EAR items, the software routes each transaction through the correct framework. An item under ECCN 3A001 follows EAR procedures. The same company's USML Category XI product follows ITAR procedures. No manual sorting required.

The December 30, 2025 final rule on § 126.7 created a new layer to track. The exemption for defense trade among Australia, the United Kingdom, and the United States introduced Authorized Users, with over 700 entities enrolled from those allied countries. Lenzo that tracks Authorized User status prevents your team from filing unnecessary license applications. Without it, we've seen companies waste 3 to 4 weeks per application on transactions that already qualified under the exemption.

Cloud deployment has one hard constraint that trips up a lot of teams. ITAR-controlled data cannot reside on servers accessible to foreign persons. Any cloud-based solution needs FedRAMP authorization or equivalent controls keeping data within United States territory. That single rule eliminates most general-purpose sanctions screening software from ITAR use cases.

FAQ

What does ITAR compliance require for a small manufacturer?

DDTC registration through DECCS at $3,000 per year for Tier 1 as of January 2025. A written export control program covering classification and screening procedures, plus record retention for five years. Annual training for every employee who handles controlled articles or technical data. Screening of all transaction parties against DDTC, BIS, and OFAC restricted lists before any transfer. DDTC does not issue a compliance certificate, so the entire burden falls on the registrant to build and maintain internal controls.

How do ITAR export controls differ from EAR requirements?

ITAR covers defense articles and services on the USML, administered by the State Department through DDTC. EAR covers dual-use items on the Commerce Control List, administered by BIS at the Department of Commerce. After the September 2025 USML amendments, items moved between these two jurisdictions. A product controlled under ITAR last year may now fall under EAR with different license requirements, different exceptions, and different record-keeping rules.

What happens if a company discovers an ITAR infraction?

File a voluntary disclosure with DDTC under 22 C.F.R. § 127.12. The disclosure needs authorization from your empowered official and a full account of what happened. DDTC treats voluntary disclosure as a mitigating factor when determining enforcement response. Delayed or incomplete disclosures have been treated as aggravating factors in multiple consent agreements, including Torrey Pines.

Can ITAR compliance software replace legal counsel?

No. ITAR software handles operational throughput: screening, classification tracking, audit trails. Jurisdiction determinations, voluntary disclosures, and consent agreement negotiations need attorneys with ITAR-specific experience. Trying to run one without the other leaves gaps on both sides.

---

DDTC has signaled multiple additional USML rulemakings over the next 12 months. The expansion trend that started with the January 2025 interim final rule shows no sign of reversing. Companies that built their classification databases around a shrinking USML are going to find entries missing.