Last updated: April 19, 2026

ITAR Non-US Persons, Green Cards, and Deemed Export Rules

A defense contractor in San Diego hired a mechanical engineer in January 2025. Green card, nine years in the US, master's degree in progress at UC San Diego. The hiring manager assumed the green card resolved any ITAR questions and moved on. Three weeks into onboarding, legal flagged that she had been given access to USML Category IV technical data before anyone confirmed whether that access required authorization. It had not. One oversight. Four months of internal review. Potential civil penalties under 22 CFR Part 127 on the table.

We see this exact pattern more than we should. The company understood ITAR in the abstract. What they got wrong was the gap between immigration status and ITAR authorization status. The two are related but not equivalent, and the distinction matters more than most HR workflows acknowledge.

Key Takeaways

  • A lawful permanent resident (green card holder) qualifies as a US person under ITAR per 22 CFR § 120.62 and can access ITAR-controlled technical data without an export license.
  • Foreign nationals on temporary visas (H-1B, L-1, O-1, TN, F-1) are non-US persons regardless of how long they have lived in the United States.
  • A deemed export under 22 CFR § 120.50 occurs when ITAR-controlled technical data is released to a foreign national inside the United States — no physical shipment required.
  • The I-485 pending status does not create US person status. Only USCIS approval of the I-551 converts an individual to lawful permanent resident.
  • DDTC civil penalties can include denial of export license privileges, not just monetary fines, which can effectively end a company's ability to operate in defense markets.
  • ITAR applies to non-US companies that re-export ITAR-controlled items or incorporate ITAR-controlled components into their own products.
  • The most penalized ITAR violation categories all involve process failures, not intentional smuggling.

The "US Person" Definition Under ITAR Has One Firm Answer

Four categories qualify as "US persons" under ITAR, and the list is shorter than most people assume. 22 CFR § 120.62 covers US citizens, lawful permanent residents, protected individuals under 8 U.S.C. § 1324b(a)(3) (a narrow category of refugees and asylees), and entities incorporated under US law. Nothing else. No other status, no other visa category, regardless of how long someone has lived in the United States or what employment documents they hold.

The protected individual category covers certain refugees and asylees, not most temporary visa categories. An L-1 holder seven years into a US-based role is still a non-US person. A TN visa holder from Canada doing aerospace engineering is still a non-US person. HR departments consistently discover this at the worst possible time: after access has already been granted.

One edge case that trips up companies with international workforces: dual citizenship. A US-Germany dual citizen is a US person. A German national with a current H-1B is not. No middle ground exists under the regulation.

Green Card Holders Qualify, But the Edge Cases Create Real Exposure

The green card question has a clean answer: yes. A lawful permanent resident is a US person under 22 CFR § 120.62 and can access ITAR-controlled technical data without a separately issued license for that access.

The trouble is what happens before the card is approved. An H-1B employee with a pending I-485 is still a non-US person until USCIS issues the I-551. The I-485 receipt notice changes nothing. The employment authorization document issued during adjustment of status proceedings changes nothing. Lawful permanent residency begins at approval, not at application.

We have talked to compliance officers who discovered their engineering teams were using pending I-485 status as a proxy for green card status. It made operational sense to those teams (the person was clearly on track), but DDTC does not grade on trajectory. The question at the time of any access is binary: US person or not? If not, was a license in place?

Green card holders who later abandon residency or have status revoked revert to non-US person status. Rare, but it happens. The employer receives no automatic notification from USCIS when this occurs.

Deemed Export Rules Treat Technology Transfer as a Physical Export

The biggest source of ITAR exposure for most engineering companies has nothing to do with shipping hardware overseas. Under 22 CFR § 120.50, showing ITAR-controlled technical data to a foreign national inside the United States is an export. No border crossing. No shipping manifest. Nationality controls the analysis, not geography. A verbal briefing at the whiteboard counts. Access to a shared folder counts. A foreign national sitting in a code review for avionics software counts.

This is where most ITAR exposure actually sits. A company that carefully manages hardware exports but lets foreign nationals reach CAD files, manufacturing tolerances, test reports, or avionics source code on an internal server has been exporting. DDTC's own guidance under 22 CFR § 120.50 makes clear the location of the transfer is irrelevant. The absence of a shipping manifest changes nothing.

The practical implication: companies with foreign national employees or contractors on USML-covered projects need either a Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA) authorizing that access, or a qualifying exemption. A verbal discussion at a whiteboard about USML Category VIII aircraft performance counts. A foreign national in a code review for avionics software counts.

One approach that consistently fails: treating internal systems access as categorically different from document exports. We see this constantly. The outbound export process gets built carefully. The internal access question gets waved through on the assumption that internal means internal. It does not. When a foreign national can reach ITAR-controlled data through any channel, the deemed export analysis applies.

Common ITAR Violations Follow Predictable Patterns

The companies that get hit by DDTC civil penalties are mostly not the ones trying to evade controls. They are companies with real compliance programs that failed at the execution level. Four patterns show up repeatedly in DDTC's enforcement record, and recognizing them is more useful than any general compliance checklist.

Unauthorized deemed exports account for the largest category in published DDTC consent agreements and charging letters. In the Raytheon ITAR consent agreement (a $13 million penalty covering violations across multiple program areas), the core finding included engineers giving foreign nationals access to controlled technical data through normal project workflows. Nobody was trying to export anything. The data just moved through internal channels with no screening for recipient nationality.

Recordkeeping failures are the second most penalized category. 22 CFR § 127.12 requires companies to maintain records for five years: what was authorized, who it was authorized for, and when. Companies that cannot reconstruct what they authorized, when, and for whom face penalties regardless of whether any actual unauthorized transfer occurred. The recordkeeping requirement does not depend on whether a violation happened.

Re-transfers are the quiet enforcement risk. A US person receives ITAR-controlled data under a valid TAA, then shares it with a subcontractor or vendor without checking whether that downstream party has authorization. The original transfer is clean. The re-transfer violates 22 CFR § 123.9. We've seen this pattern particularly in defense subcontractor chains where the prime contractor has the authorization and the subs assume coverage flows down. It does not.

Licensing gaps during corporate transactions are less frequent but tend to be large when they occur. Mergers and acquisitions can shift ITAR authorizations to entities that were not the originally authorized party, creating violations the acquiring company discovers only when DDTC investigates. Export controls due diligence in M&A has become standard practice specifically because of this pattern.

The Elbit Systems of America consent agreement, formalized in 2025, included civil penalties and corrective action requirements spanning multiple program areas. DDTC also has the authority to deny, revoke, or suspend export license privileges, an outcome that can effectively close a company out of defense markets entirely, separate from any financial penalty.

ITAR Exemptions Are Narrower Than Most Teams Assume

There are exemptions from ITAR licensing requirements, and companies rely on them constantly. The problem is that every exemption in 22 CFR Part 123 and 22 CFR § 125.4 is narrower than its label implies. The gap between how companies read them and how DDTC reads them is where enforcement actions happen.

The most commonly misapplied is § 125.4(b)(3), the public domain exemption. Public domain under ITAR is defined at 22 CFR § 120.72, and that definition is stricter than most legal teams expect. Information is not public domain because it appears in a patent, a published paper, or a conference proceeding. ITAR requires release without authorization restrictions. A company's own detailed engineering data does not become public domain because someone else published a general overview of the same technology.

The intracompany transfer exemption at § 125.4(b)(4) gets misread regularly. It covers transfers to affiliates and subsidiaries wholly owned by the same US parent, where the foreign national recipient holds appropriate citizenship or is a lawful permanent resident. Foreign nationals at a foreign subsidiary do not benefit from this exemption simply because the US parent holds the authorization.

Exemptions still require recordkeeping. A company relying on § 125.4(b)(9) for patent filing purposes needs to document that determination and retain the records. Exemption reliance that cannot be reconstructed in an audit is not a defense.

ITAR and EAR compliance intersect here in ways that catch companies off guard. Items moved from the USML to the Commerce Control List under Export Control Reform are now governed by EAR rather than ITAR. The export administration regulations include their own deemed export provisions with materially similar standards. Companies that completed the USML-to-CCL transition and assumed their ITAR-era procedures transferred intact often find that EAR uses a different framework for license exception eligibility. The two sets of procedures need to coexist without creating gaps between them.

Frequently Asked Questions

Can non-US citizens work on ITAR projects?

Yes, but the mechanism depends entirely on immigration status. Non-US citizens who are lawful permanent residents are US persons under 22 CFR § 120.62 and can access ITAR-controlled technical data without a license. All others need either a DDTC export license (typically through a Technical Assistance Agreement) or a qualifying exemption. Job title, years of experience, security clearance level: none of that changes the nationality question.

Is a green card holder a US person under ITAR?

Yes. A lawful permanent resident qualifies under 22 CFR § 120.62. Timing is the critical variable: the card must be approved, not pending. An I-485 in process does not create US person status. An Employment Authorization Document issued during adjustment of status proceedings does not create US person status. The I-551 approval date is what matters.

Is a green card enough for ITAR?

For the deemed export question, yes. A green card holder can access ITAR-controlled technical data without an individual export license. The employer still needs to verify and document that the green card was current at the time access was granted, maintain records, and ensure the access fits within any applicable program or license conditions. The green card resolves the nationality question. It does not automatically satisfy DoD or program-specific security requirements, which are separate frameworks.

Can green card holders see ITAR data?

Yes. As US persons, lawful permanent residents can be given access to ITAR-controlled technical data. Document the verification: confirm the I-551 was current when access was granted and keep that record for the required five-year retention period.

Who is considered a US person for ITAR?

22 CFR § 120.62 gives the full list: US citizens, lawful permanent residents, refugees and asylees under 8 U.S.C. § 1324b(a)(3), and entities incorporated under US law. Visa holders (H-1B, L-1, O-1, TN, F-1) are non-US persons regardless of time in the country.

Is ITAR only for the USA?

ITAR is a US regime under 22 CFR Parts 120-130, administered by the State Department's Directorate of Defense Trade Controls. But it reaches non-US companies: any company anywhere that re-exports ITAR-controlled items or incorporates ITAR-controlled components into its own products is subject to the regulations. The industry shorthand is "ITAR contamination," which is why European and Asian manufacturers actively engineer ITAR-free product lines when they can. Being outside the US does not create a safe harbor if ITAR-controlled content is present in a product.

Can undocumented immigrants work as independent contractors on ITAR projects?

No. Without lawful immigration status, a person is not a US person under ITAR and cannot access ITAR-controlled technical data. A TAA cannot authorize this in the normal course, and there's separate exposure under immigration law.

What are the most common ITAR violations?

By DDTC enforcement pattern: unauthorized deemed exports (foreign nationals accessing controlled data without authorization), recordkeeping failures under 22 CFR § 127.12, unauthorized downstream re-transfers, and licensing gaps that surface during M&A activity.

What are ITAR exemptions?

The main exemptions are in 22 CFR § 125.4. Transfers to authorized US government contractors fall under § 125.4(b)(1). Public domain data as defined at 22 CFR § 120.72 falls under § 125.4(b)(3). Intracompany transfers to wholly-owned affiliates meeting citizenship conditions fall under § 125.4(b)(4). Patent filing purposes fall under § 125.4(b)(9). Every exemption is narrower than it sounds, and every exemption requires documentation to survive an audit.


Keeping current with DDTC guidance changes, USML category updates, and Export Control Reform reclassifications is the part that most teams underinvest in. Lenzo tracks those changes automatically, so compliance teams know when something affecting their workforce or product classification has shifted without having to monitor primary sources manually.

Here is a detail that almost no ITAR guidance covers: the deemed export analysis does not end when an employee's access is revoked. Under 22 CFR § 120.50, "release" includes oral disclosure. When a foreign national who worked on USML-covered technical data for two years departs, what they carry in memory does not neatly exit the ITAR framework. DDTC guidance does not provide a clean answer on this, and that ambiguity is precisely why some defense contractors require foreign national employees on controlled programs to sign affirmations at exit that they understand their continuing obligations. It is not a perfect solution, but it creates a documented record that the company took the re-transfer question seriously. Whether that matters in an investigation depends on the specifics, but the companies that have nothing are always in a worse position than the ones that have something.
