ITAR & Dual-Use Controls: 25 Questions for Manufacturers

DDTC maintains roughly 14,500 active registrants and processes about 38,000 BIS-authorization-fits-shipment" class="text-[#635BFF] no-underline hover:underline" style="white-space: nowrap">export license applications annually (Federal Register, 2025). Most, particularly mid-market manufacturers pulling $5M–$100M in export revenue, keep asking us the same 25 questions about ITAR, EAR, and the murky zone between them. Our team compiled the answers below from years of handling jurisdictional determinations, classification disputes, and the kind of Friday afternoon licensing emergencies nobody plans for.

Key Takeaways:

• ITAR civil penalties reach $1,271,078 per violation; EAR caps at $374,474 — both carry up to $1M criminal fines and 20 years imprisonment per willful violation (22 CFR 127.10, BIS.gov, January 2025)
• DDTC registration costs $3,000–$4,000/year as of January 2025, with Tier 3 registrants paying $1,100 per favorable determination above five (Federal Register, 2025)
• Commodity Jurisdiction determinations officially target 65 business days but stretch to 6+ months for items requiring interagency review between State, Commerce and Defense
• The September 2025 USML revisions reclassified multiple items, manufacturers who haven't reviewed their product catalogs post-ECR risk operating under the wrong jurisdiction (Federal Register, August 2025)
• Deemed exports to foreign national employees at U.S. facilities require the same ITAR authorization as physical exports overseas (22 CFR 120.17)

1. What's the practical difference between ITAR and EAR for an SMB?

ITAR (22 CFR 120–130) controls defense articles on the United States Munitions List, administered by DDTC. EAR (15 CFR 730–774) covers dual-use and commercial items on the Commerce Control List, administered by BIS. For a 100-person manufacturer, the difference boils down to licensing flexibility, penalty exposure, as well as overhead. ITAR has no license exceptions, every defense article export requires specific authorization. EAR offers dozens of license exceptions, and many dual-use items ship "NLR." On penalties: ITAR civil fines hit $1,271,078 per violation; EAR caps at $374,474 (both adjusted January 2025). And ITAR registration runs $3K–$4K/year before you file a single license.

2. When do I need to register with DDTC?

If your company manufactures, exports, or temporarily imports defense articles, services, or technical data on the USML, you register. No threshold, no minimum revenue, no "we only make a small component" excuse. Tier 1: $3,000/year. Tier 2: $4,000. Tier 3: $4,000 plus $1,100 per favorable determination above five (Federal Register, 2025). Small businesses can petition for a $500 discount if that fee exceeds 1% of total revenue. We've had clients delay registration by months thinking they'd "figure out jurisdiction first." Don't do that.

3. How do I determine if my product falls under USML or CCL?

Start with ITAR §120.11's order of review, USML first, CCL second. If your item matches a USML category description, it's ITAR-controlled regardless of civilian applications. No match? Evaluate against the CCL. Post-ECR, the USML uses positive enumeration: items described by specific performance parameters rather than broad catch-all language. Don't assume your component is "just commercial" because you sell to non-military customers. A thermal imaging module meeting USML Category XII specs stays ITAR even if 90% of sales go to firefighters.

4. What is a commodity jurisdiction (cj) request and when should I file one?

A CJ request (Form DS-4076) asks DDTC to officially determine whether your item falls under USML or CCL jurisdiction. File one when internal classification analysis leaves ambiguity, particularly near the boundary between a USML category and a 600-series ECCN. You don't need DDTC registration to submit (22 CFR 120.12(f). One catch: the CJ process handles one article at a time. No product catalog submissions.

5. How long does a cj determination take?

DDTC provides a preliminary response within 10 working days of a complete request (22 CFR 120.12(d). Official guidance targets 65 business days. Our experience tells a different story. Straightforward items come back in 30 days. Anything requiring interagency consultation? Six months, sometimes longer. If DDTC hasn't responded after 45 days, request expedited processing. Don't wait on a CJ to ship, get registered and obtain authorization while the determination sits in queue.

6. What triggers an ITAR licensing requirement vs. An EAR license?

ITAR requires a license (or applicable exemption under 22 CFR 123–126) for any export of a defense article, defense service, or technical data to a foreign person. No license exceptions, only narrow exemptions. EAR licensing depends on four factors: ECCN, destination, end-user, end-use. Many EAR items ship under license exceptions to allied countries. For a manufacturer with products on both lists, the trigger follows the specific item's classification, not what your company "mainly" does.

7. How does ITAR apply to subcontractors and lower-tier suppliers on defense contracts?

Every company in the supply chain touching USML items needs to comply. If you're a Tier 2 or Tier 3 supplier manufacturing a USML-described part, you need DDTC registration and authorizations for any export. The prime's license doesn't cover your operations. This bites smaller shops hard. A machine shop heat-treating USML-controlled components may need to register even though they don't see themselves as a "defense company."

8. What's a technical assistance agreement (TAA) and when do I need one?

A TAA authorizes disclosure of technical data or defense services to foreign persons. You need one whenever your engineers share USML-controlled data with a foreign partner, design specs, manufacturing processes, test procedures. TAAs go through DECCS; expect 60–90 days minimum. The mistake we run into constantly: companies treating email exchanges with foreign engineering teams as "just conversation" when those emails contain controlled technical data. Your VP of Engineering answering a "quick question" from a German customer about thermal specs? That potentially requires TAA coverage.

9. How does a manufacturing license agreement (mla) work?

An MLA authorizes a foreign manufacturer to produce USML-controlled defense articles using U.S.-provided technical data. MLAs require DDTC approval and take far longer than standard licenses, 120+ days minimum, complex agreements past a year. Our advice: confirm you actually need manufacturing abroad. If you're providing data only for repair or maintenance, a TAA might cover it without the MLA overhead.

10. Can a single product be subject to both ITAR and EAR simultaneously?

No. Jurisdiction is binary, an item falls under ITAR or EAR, not both (22 CFR 120.11). But here's the wrinkle we deal with regularly: a finished EAR system might incorporate ITAR-controlled components, which stay ITAR while the system stays EAR. If your product integrates parts from different jurisdictions, you need parallel compliance programs. And unlike EAR, ITAR has no de minimis threshold, one ITAR component can pull the whole item into ITAR territory.

11. What are the penalties for ITAR violations vs. EAR violations?

ITAR civil penalties reach $1,271,078 per violation or twice the transaction value (22 CFR 127.10, January 2025). Criminal: up to $1M and 20 years. The RTX $950M settlement remains the largest ITAR-related penalty on record (Department of Justice, 2025). EAR caps at $374,474 per violation (BIS.gov, January 2025). Both regimes can strip export privileges entirely, and for a mid-market manufacturer, that's not just losing defense contracts, it blocks EAR-controlled transactions too.

12. How does ITAR treat "defense services" beyond physical goods?

Defense services under ITAR (22 CFR 120.32) include furnishing assistance (training, technical advice, maintenance, repair, design work) to foreign persons involving defense articles or USML technical data. Your engineers troubleshooting a defense system on-site at a foreign facility? Defense service. A phone call walking a foreign customer through repair procedures? Same thing. The definition catches far more activity than most executives expect.

13. What ITAR obligations apply to foreign national employees?

Disclosing ITAR-controlled technical data to a foreign national, even one sitting in your U.S. office, constitutes a "deemed export" (22 CFR 120.17). Authorization required before that person touches USML data. Obtain a TAA covering specific individuals, or build a Technology Control Plan restricting access. For more context, see our guide on Transshipment &. Re-Export Controls: 25 Questions Answered. We cannot overstate how often this catches engineering-heavy companies off guard. Screen employee nationalities against ITAR's country prohibitions (22 CFR 126.1) at onboarding. Not after the fact.

14. How do I handle ITAR-controlled technical data in shared engineering environments?

Segregate it. ITAR-controlled technical data needs access controls preventing unauthorized foreign person access, shared drives, cloud tools, collaboration platforms all present exposure. The ITAR encryption safe harbor (22 CFR 120.54) clarified that end-to-end encrypted transfers aren't automatically "exports," but that only helps if unauthorized persons can't reach decrypted data on the other end. We've watched companies celebrate cloud migration and then realize their AWS region sits in Frankfurt with European engineers holding admin access to USML repos.

15. What changed with ITAR export control reform (ecr) and does it affect my products?

ECR moved thousands of less-sensitive military items from the USML to CCL 600-series ECCNs. If your components don't meet the revised USML's positive enumeration criteria, they likely migrated to EAR. The September 2025 USML revisions removed items like lead-free birdshot and added the F-47 fighter to Category VIII (Federal Register, August 2025). If you haven't reclassified since ECR began, you may be spending money on ITAR licenses you don't need, or exporting under EAR when ITAR still applies.

16. How does ITAR apply to 3d printing files and additive manufacturing data?

ITAR treats digital design files as technical data. A CAD file for a USML-controlled defense article falls under 22 CFR 120.33 controls. Sending that STL file to a foreign 3D printing facility is an export requiring authorization Unlike a blueprint needing specialized tooling, a 3D printing file plus the right printer produces a functional part. Companies have been caught sending "prototype" files overseas without authorization, assuming exceptions applied when they didn't.

17. What's a DDTC voluntary disclosure and how does it compare to BIS self-disclosure?

DDTC voluntary disclosure (22 CFR 127.12) and BIS voluntary self-disclosure (15 CFR 764.5) both serve as mitigating factors. DDTC's process requires submission before the government independently discovers the violation, timing matters more than people realize. Key difference: ITAR has mandatory disclosure requirements (violations involving embargoed countries under 22 CFR 126.1 trigger a duty to inform DDTC). EAR voluntary self-disclosure is genuinely optional. In our experience, both processes chew through 12–18 months before resolution.

18. How do I manage ITAR compliance in a joint venture with a foreign partner?

Structure matters enormously. A JV with a foreign partner involving defense articles almost certainly requires DDTC-approved agreements (TAA, MLA, or both) before any technical data transfer. The foreign partner's country matters: ITAR §126.1 prohibits exports to certain destinations regardless of commercial arrangements. The biggest mistake we see, at least twice a quarter, is companies negotiating JV terms first and consulting export counsel only after signing, then discovering data sharing needs 9+ months of DDTC processing.

19. What record-keeping requirements exist specifically for ITAR-controlled exports?

Five-year retention minimum for all defense trade records (22 CFR 122.5), license applications, export docs, DDTC correspondence, contracts, shipping records. Here's what trips companies up during audits: "records" includes emails, Slack threads, plus Teams messages discussing defense articles with foreign persons If your compliance officer has to dig through someone's inbox for two days, your recordkeeping has a hole.

20. How does the ITAR exemption for nato and allied countries work in practice?

On paper, ITAR §126.17 provides an exemption for exports to NATO members and certain allied countries (Australia, Japan, South Korea, Israel, New Zealand). In reality, the exemption only covers unclassified defense articles that aren't SME and aren't on the MTCR Annex. Most manufacturers we work with can't use it, their products either qualify as SME or fall within excluded USML categories. Verify the limitations before building your export plan around these.

21. Can I ship ITAR-controlled items to my own foreign subsidiary without a license?

No, and this one surprises people. ITAR does not provide a blanket intra-company exemption. Transferring a defense article to your wholly-owned foreign subsidiary counts as an export, same as shipping to any other foreign entity. You need either a specific license or an applicable exemption. If technical data is involved, add a TAA covering the subsidiary's foreign national employees to the list.

22. How does ITAR treat repairs, returns and warranty service for defense articles?

Temporary imports and returns have specific provisions under 22 CFR 123.4 and 123.9. Foreign customer sending an ITAR-controlled item back for repair? Temporary import authorization required. Shipping the repaired article back? Another export, another authorization For warranty service involving technical data exchange, you need TAA or license coverage. The common trap: logistics teams treat warranty returns as "just shipping" when each border crossing triggers ITAR.

23. What's the difference between ITAR significant military equipment (SME) and other defense articles?

SME items (marked with an asterisk on the USML) are the most sensitive defense articles. Getting that asterisk next to your product changes everything: higher licensing scrutiny, exclusion from most exemptions including §126.17, Congressional notification for sales above certain thresholds, as well as enhanced end-use monitoring. If your product lands in an SME entry, plan for longer processing and tighter end-user restrictions.

24. How do I handle ITAR when my product incorporates both controlled and uncontrolled components?

Classify each component individually. Controlled components remain ITAR-controlled even inside a larger uncontrolled system. If your product contains even one ITAR-controlled part, the overall system may get pulled into ITAR jurisdiction depending on integration depth. Maintain a bill of materials with jurisdiction flags for each component, and check whether ECR reclassifications moved anything to the CCL since your last review.

25. What does a realistic ITAR compliance program look like for a mid-market manufacturer?

A program that DDTC will respect in enforcement needs: a designated empowered official, written procedures for classification, licensing, screening, plus training, regular employee training (annual minimum, quarterly for hands-on staff), a Technology Control Plan if foreign nationals access controlled data, documented screening of foreign parties and annual transaction audits.

For a manufacturer with 50–200 employees doing $10M–$50M in defense-related exports, budget for one full-time compliance person, external counsel on retainer, as well as compliance tool. Platforms like Lenzo consolidate screening across OFAC, BIS, plus DDTC restricted party lists, reducing the manual cross-referencing that eats 15–25 hours per week in a typical mid-market operation.

ITAR compliance for SMB manufacturers isn't about perfection, nobody expects that. DDTC looks at whether you built a system, trained your people on it and caught problems when they surfaced. The companies that get hammered are the ones that treated registration as the finish line instead of mile one.