ITAR Recordkeeping Requirements Explained: What to Keep, How Long, and in What Format

Why ITAR Recordkeeping Is Not Optional

If your organization manufactures, exports, or brokers defense articles or services covered by the United States Munitions List (USML), you are required to maintain detailed records of those activities. This is not a best practice—it is a legal obligation enforced by the Directorate of Defense Trade Controls (DDTC) under the International Traffic in Arms Regulations (ITAR), specifically 22 CFR Part 122 through Part 130.

The consequences of inadequate recordkeeping are severe. DDTC has levied civil penalties exceeding $100 million against companies whose records were incomplete, inaccessible, or destroyed prematurely. In an enforcement action, your records are your defense. Without them, you have no proof of compliance—and regulators will not assume you were compliant.

This article explains the core ITAR recordkeeping requirements: what you must retain, how long you must keep it, and in what format. If you are a compliance manager or executive at a defense contractor, this is foundational knowledge your program cannot operate without.

The Regulatory Foundation: Where ITAR Recordkeeping Requirements Come From

The primary regulatory basis for ITAR recordkeeping is found in 22 CFR § 122.5, which requires all persons registered with DDTC to maintain records of ITAR-related transactions. Additional recordkeeping obligations are embedded throughout the ITAR, including sections governing licenses, exemptions, and brokering activities.

These requirements apply to:

• DDTC-registered manufacturers and exporters of defense articles
• Companies providing defense services
• ITAR-registered brokers
• Any party using an ITAR license or exemption to transfer technical data or hardware

If your organization falls into any of these categories, your recordkeeping program must be systematic, auditable, and retained for the required period. For a broader overview of how these obligations fit into a complete program, see our ITAR and Export Controls Compliance services.

What Records Must You Keep Under ITAR?

The ITAR does not provide a single consolidated list of required records. Instead, the obligation to retain records is woven through several sections of 22 CFR. Based on the regulatory text and DDTC enforcement guidance, the following categories of records are required:

Export Licenses and Authorizations

• All DSP-5, DSP-61, DSP-73, and other license applications and approvals
• License amendments and notifications
• Denials and returned-without-action decisions
• Supporting documentation submitted with license applications

Export and Import Transaction Records

• Shipping documents, including Electronic Export Information (EEI) filings in AES
• Commercial invoices and packing lists related to USML shipments
• Bills of lading and air waybills
• Import documentation for defense articles returned to the United States

Technical Data Transfers

• Records of disclosures of ITAR-controlled technical data to foreign persons, whether domestic or abroad
• Non-disclosure agreements with foreign nationals or foreign entities
• Correspondence authorizing or describing technical data transfers
• Records of exemptions used (e.g., ITAR § 125.4 exemptions for technical data)

For more on how to properly identify and control technical data, see our related discussion on ITAR compliance and proper labeling of documents and records.

Brokering Records

• All agreements, contracts, and correspondence related to brokering activities
• Records of DDTC brokering registrations and approvals

Exemption Usage Records

• Documentation demonstrating eligibility for each exemption claimed
• Written records of the specific exemption cited at the time of transfer

Visitor and Access Control Records

• Visitor logs documenting foreign national access to ITAR-restricted areas or information
• Authorization records for any Technology Control Plan (TCP) visitors

Maintaining accurate physical visitor logs is a frequently overlooked component. Our ITAR Compliant Visitor Log Book is designed specifically to support this documentation requirement for defense industrial base facilities.

How Long Must ITAR Records Be Retained?

Under 22 CFR § 122.5(a), ITAR records must be retained for a minimum of five years from the date of the export, reexport, retransfer, or other transaction. This five-year clock typically begins on the date the transaction is completed—not the date the license was issued.

There are important nuances to this baseline:

• License validity periods: If a license covers multiple shipments over several years, the five-year retention clock starts from the date of the last transaction under that license.
• Ongoing agreements: Technical assistance agreements (TAAs) and manufacturing license agreements (MLAs) may extend the retention obligation beyond five years if the agreement itself remains active.
• Litigation holds: If your organization is under investigation or involved in litigation related to an ITAR transaction, you must suspend any normal destruction schedule and retain all relevant records indefinitely until the matter is resolved.
• Government contract requirements: If your ITAR activities are tied to a DoD or federal contract, FAR and DFARS recordkeeping requirements may impose longer retention periods. These can run up to ten years in certain circumstances.

My advice: do not treat five years as a target. Treat it as a floor. Many of our clients maintain ITAR records for seven to ten years to provide a buffer against late-emerging enforcement actions and overlapping contract obligations.

Acceptable Formats for ITAR Recordkeeping

The ITAR does not prescribe a specific format for records. Under 22 CFR § 122.5(b), records may be maintained in original or electronically reproduced form, provided the reproduction is accurate, complete, and accessible for DDTC inspection upon request.

Practically speaking, this means:

• Paper records are acceptable but create serious operational risk—they are susceptible to physical loss, degradation, and are difficult to search during an audit response.
• Electronic records are the standard in modern compliance programs. Scanned copies of original documents are generally sufficient, provided the scanning process does not alter the document's content.
• Cloud storage is permissible, but only in ITAR-compliant environments. Storing ITAR technical data or controlled records in a standard commercial cloud environment may itself constitute an unauthorized export. ITAR-controlled data must reside in cloud infrastructure that restricts access to U.S. persons. This is a significant operational consideration that our team addresses regularly through IT compliance services.
• Metadata and audit trails should be preserved alongside documents. If a record is modified, the system should log when, by whom, and what changed.

Regardless of format, records must be organized so that they can be produced promptly during a DDTC compliance review or enforcement inquiry. Disorganized records—even if technically retained—can undermine your defense in an enforcement action.

Common ITAR Recordkeeping Failures and How to Avoid Them

In my experience working with defense contractors across the aerospace, manufacturing, and technology sectors, the following recordkeeping failures appear most frequently:

1. Failure to document exemption eligibility at the time of use. Companies often claim an exemption without creating a contemporaneous record proving they qualified. If DDTC later questions the export, the burden falls on the exporter to demonstrate eligibility—and a retroactive explanation rarely satisfies auditors.
2. Gaps in technical data transfer records. Email exchanges, shared drive access, and virtual meetings involving foreign persons can constitute controlled transfers. Many organizations lack systems to systematically capture and retain these records.
3. Premature destruction of records. Automated document retention systems that apply a uniform destruction schedule can inadvertently purge ITAR records before the five-year minimum expires.
4. Inconsistent visitor logs. Visitor access records are routinely incomplete—missing nationality information, escort details, or the specific areas accessed.
5. Non-compliant cloud storage. Storing ITAR records in standard commercial environments creates both a recordkeeping deficiency and a potential unauthorized export violation simultaneously.

A structured compliance program with documented procedures addresses each of these vulnerabilities. If your program has not been formally assessed, our Compliance Program Development service provides the framework to identify and close these gaps systematically.

Building a Defensible ITAR Records Program

A defensible ITAR recordkeeping program has four characteristics:

• Completeness: All required record categories are captured across every relevant business function—shipping, engineering, legal, HR, and IT.
• Accessibility: Records can be located and produced within a reasonable timeframe during an audit or enforcement inquiry.
• Integrity: Records are stored in a manner that prevents unauthorized alteration, with audit trails where applicable.
• Retention discipline: Records are held for at least five years from the transaction date, with litigation hold procedures in place.

For organizations seeking practical implementation tools, our ITAR Compliance Documentation Toolkit provides ready-to-use templates designed to support these program elements. Our ITAR and Export Controls Fundamentals guide is also a valuable reference for compliance managers building or strengthening their programs.

For manufacturers specifically, the intersection of ITAR recordkeeping with shop floor operations and subcontractor management adds complexity that deserves focused attention. Our post on ITAR compliance for manufacturers addresses those specific challenges.

Take the Next Step Toward a Compliant Records Program

ITAR recordkeeping requirements are non-negotiable, and the cost of getting them wrong—measured in penalties, debarment risk, and reputational damage—far exceeds the cost of building a proper program. If your organization needs a gap assessment, program development support, or ongoing compliance oversight, Cleared Systems is ready to help. Request a quote today to speak with our team about your specific ITAR recordkeeping obligations and how to meet them with confidence.