Two Frameworks, One Compliance Obligation: Why the Distinction Matters
Every defense contractor, aerospace manufacturer, and technology company operating in the federal supply chain eventually confronts the same question: are my products and data controlled under ITAR, EAR, or both? Getting that answer wrong is not a paperwork problem. It is a federal enforcement problem that can result in criminal penalties, debarment from government contracting, and reputational damage that takes years to recover from.
ITAR export control compliance and Export Administration Regulations (EAR) compliance are related but distinct legal frameworks. They share a common purpose — preventing sensitive U.S. technology from reaching adversarial nations or unauthorized foreign persons — but they differ significantly in scope, controlling agencies, licensing structures, and the severity of consequences for noncompliance. Compliance managers and executives at defense contractors need to understand both, know where they overlap, and build programs that address each appropriately.
This post breaks down the core differences, identifies where contractors most commonly go wrong, and outlines what a defensible compliance posture looks like under each framework.
ITAR: The Strictest Export Control Regime in the U.S.
The International Traffic in Arms Regulations, administered by the Directorate of Defense Trade Controls (DDTC) within the Department of State, governs the export, temporary import, re-export, and transfer of defense articles, defense services, and related technical data. These are items specifically designed, developed, or modified for military applications.
ITAR is predicated on the United States Munitions List (USML), a categorical list that covers everything from firearms and ammunition to military aircraft, spacecraft, explosives, and classified technology. If a product, component, or piece of technical data appears on the USML, it is ITAR-controlled — full stop. There is very little discretion or ambiguity in that determination.
Key characteristics of ITAR include:
- Registration requirement: Any company that manufactures, exports, or brokers defense articles or services must register with DDTC, regardless of whether they have actually exported anything.
- Deemed exports: Sharing ITAR-controlled technical data with a foreign national inside the United States — even a lawful permanent resident in some contexts — constitutes an export and may require a license or exemption.
- No de minimis rule: Unlike EAR, ITAR does not have a de minimis threshold. If an item contains a USML-controlled component, the entire item may be subject to ITAR jurisdiction.
- Strict liability: ITAR violations can occur even without intent. The regulatory obligation attaches to the item, not to the actor's knowledge or awareness.
For a deeper operational breakdown of what ITAR requires day to day, our post on what ITAR compliance is and who needs to comply is a practical starting point. Our team also provides dedicated ITAR and export controls compliance services for organizations building or strengthening their programs.
EAR: A Broader but More Flexible Control Framework
The Export Administration Regulations, administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, govern the export of commercial and dual-use items — goods, software, and technology that have both civilian and potential military applications. EAR jurisdiction is defined by the Commerce Control List (CCL), which uses Export Control Classification Numbers (ECCNs) to categorize controlled items.
EAR applies to a significantly broader universe of items than ITAR. It covers consumer electronics, encryption software, industrial equipment, chemical precursors, and advanced manufacturing technology, among many other categories. The vast majority of commercial exports fall under EAR rather than ITAR.
Key characteristics of EAR include:
- No mandatory registration: Unlike ITAR, EAR does not require companies to register with BIS simply because they manufacture or handle EAR-controlled items. Licensing requirements are triggered by the specific item, destination country, end user, and end use.
- De minimis rule: Foreign-made products that contain U.S.-origin controlled content below a specified percentage threshold may fall outside EAR jurisdiction, depending on the ECCN and destination.
- License exceptions: EAR offers a broad range of license exceptions — including License Exception STA (Strategic Trade Authorization) and License Exception ENC for encryption — that can authorize exports without a formal license application in many circumstances.
- End-user and end-use controls: Even EAR99 items (those not specifically listed on the CCL) can become controlled if BIS has issued a specific denial order or if the exporter has reason to know the item will be used in a prohibited manner.
Understanding Export Control Classification Numbers (ECCNs) is essential for any compliance manager working within the EAR framework.
The Critical Distinction: Jurisdiction Determines Everything
The single most consequential determination in export control compliance is jurisdiction: is a given item subject to ITAR or EAR? This analysis drives registration requirements, licensing strategy, employee training obligations, and recordkeeping practices.
The correct sequence for this analysis is:
- Determine whether the item is on the USML. If yes, it is ITAR-controlled and DDTC has jurisdiction.
- If the item is not on the USML, determine whether it has an ECCN on the CCL. If yes, EAR applies and BIS has jurisdiction.
- If the item has no ECCN and is not on the USML, it is classified as EAR99 — subject to EAR but generally not requiring a license for most destinations and end users.
Where contractors frequently go wrong is in assuming that a product with a commercial off-the-shelf version is automatically EAR-controlled. If that product was designed with a defense application in mind — or if it incorporates USML-listed components — ITAR jurisdiction may attach regardless of how the product is marketed or sold commercially.
DDTC's commodity jurisdiction (CJ) process exists specifically to resolve ambiguous cases. Submitting a CJ request is not an admission of a violation; it is a formal, legally defensible way to get an authoritative determination. If your organization manufactures items in a gray area between military and commercial use, pursuing a CJ determination is often the most prudent course of action.
For additional context on how EAR and ITAR intersect with your information systems and operational environment, see our post on the impact of EAR and ITAR requirements on your information systems.
Licensing: Where the Frameworks Diverge Most Sharply
Both ITAR and EAR require licenses or authorized exemptions/exceptions for most controlled exports. However, the licensing architectures are fundamentally different.
Under ITAR, the primary export authorization vehicles are DSP-5 (permanent export), DSP-73 (temporary export), DSP-61 (temporary import), and Technical Assistance Agreements (TAAs) or Manufacturing License Agreements (MLAs) for defense services and manufacturing rights. These agreements are negotiated with DDTC and can take months to obtain. Our post on DSP-61 and DSP-73 licenses explains these instruments in detail.
Under EAR, the licensing process is administered by BIS and is generally faster, with more available license exceptions that can substitute for a formal license application in many cases. BIS also maintains an Entity List, Denied Parties List, and Military End-User List that exporters must screen against before any transaction, regardless of whether a license is required.
Both frameworks impose strict recordkeeping requirements. ITAR requires retention of export records for five years. EAR requires retention for five years from the date of export or from the date of any license application.
Enforcement: The Consequences Are Not Symmetric
Both ITAR and EAR violations carry serious civil and criminal penalties, but the enforcement culture and penalty structures differ in important ways.
ITAR violations are prosecuted by the Department of Justice and the Department of State. Civil penalties can reach $1 million per violation. Criminal penalties can include up to 20 years' imprisonment. DDTC's consent agreements — negotiated settlements for serious violations — frequently include mandatory compliance program enhancements, external auditors, and multi-year monitoring requirements.
EAR violations are enforced by BIS and can carry civil penalties up to $350,000 per violation or twice the value of the transaction, whichever is greater. Criminal penalties under the Export Control Reform Act of 2018 can reach $1 million per violation and 20 years' imprisonment. BIS's administrative enforcement process is active and has increased in priority in recent years, particularly for violations involving controlled technology transfers to China, Russia, and Iran.
For an overview of how violations occur and what remediation looks like, see our post on ITAR violations and guidance for compliance managers.
Building a Program That Covers Both Frameworks
For most defense contractors, the practical answer is not to choose between ITAR compliance and EAR compliance — it is to build an integrated export compliance program that addresses both. The foundational elements are largely the same: written policies and procedures, a designated empowered compliance officer, jurisdiction and classification analysis for all products and technical data, license determination and management processes, employee training, screening against denied and restricted party lists, and internal audit mechanisms.
Where the programs diverge is in the specific licensing workflows, registration maintenance (mandatory under ITAR, not required under EAR), deemed export protocols, and the nature of technical data controls. ITAR technical data controls are more extensive and more strictly enforced than EAR technology controls for most organizations.
Our post on how to manage an ITAR and EAR export compliance program provides a structured approach to building and maintaining this integrated capability. Physical facility controls — including visitor management, badging, and access restrictions — are also a meaningful component of ITAR compliance that many organizations underinvest in. Proper visitor controls, including color-coded ITAR visitor badges and a compliant ITAR visitor log, are practical, low-cost measures that support compliance and demonstrate due diligence during audits.
For organizations that need structured compliance program support, our compliance program development services can help you build a framework that satisfies both DDTC and BIS expectations from the ground up.
The Bottom Line for Defense Contractors
ITAR export control compliance and EAR compliance are not interchangeable. They operate under different agencies, cover different categories of controlled items, impose different registration and licensing obligations, and carry distinct enforcement consequences. Treating them as a single undifferentiated regulatory obligation is one of the most common and costly mistakes in the defense contractor community.
Compliance managers and executives need to invest in proper classification analysis, maintain current registrations and licenses, train employees on both frameworks, and conduct regular internal audits to identify gaps before regulators do. The investment in a well-structured export compliance program is modest compared to the cost of a consent agreement or a criminal referral.
Ready to Strengthen Your Export Control Compliance Program?
At Cleared Systems, we work with defense contractors, aerospace companies, and federal suppliers to build defensible, audit-ready ITAR and EAR compliance programs. Whether you are starting from scratch, responding to an identified gap, or preparing for a DDTC review, our team is ready to help. Request a quote today or explore our ITAR and export controls compliance services to learn how we can support your organization's specific compliance needs.
