The Decision Every Compliance Manager Hopes They Never Face
You have discovered a potential ITAR violation inside your organization. Maybe it was an unauthorized export of technical data to a foreign national employee. Maybe a shipment cleared customs before a license was in place. Maybe a controlled defense article was transferred without the proper authorization. Whatever the specifics, you are now facing one of the most consequential decisions in export controls compliance: do you file a voluntary disclosure with the Directorate of Defense Trade Controls, or do you stay quiet and hope the agency never finds out?
This is not a theoretical question. It is a real fork in the road with dramatically different outcomes depending on which path you take. In my experience working with defense contractors and manufacturers navigating ITAR and export controls compliance, the organizations that try to bury violations almost always end up in a far worse position than those who self-report promptly and constructively.
Let me walk you through the actual risk calculus so you can make an informed decision — or better yet, so your leadership team understands why a strong voluntary disclosure posture needs to be built into your compliance program before an incident ever occurs.
How DDTC Enforcement Actually Works
The Directorate of Defense Trade Controls, operating under the State Department's Bureau of Political-Military Affairs, has broad authority to investigate and penalize violations of the International Traffic in Arms Regulations. Civil penalties can reach $1,394,010 per violation under current statutory authority, and criminal referrals to the Department of Justice can result in up to 20 years in federal prison and fines up to $1 million per violation.
What many compliance managers underestimate is how DDTC learns about violations in the first place. The agency receives information through multiple channels that have nothing to do with self-reporting:
- Customs and Border Protection transaction data and export filings
- Referrals from other federal agencies including the FBI, BIS, and DoD
- Foreign government notifications and intelligence sharing
- Whistleblower disclosures from current or former employees
- Routine compliance audits and registration reviews
- Disclosures surfaced during mergers, acquisitions, or contract due diligence
If DDTC is going to find out anyway — and in many cases they will — the question is not whether you get scrutinized. The question is whether you are the one who told them first.
What Voluntary Disclosure Actually Gets You
DDTC's voluntary disclosure program is codified in 22 CFR Part 127.12. The regulation explicitly states that voluntary disclosures are a "mitigating factor" in determining the penalty for a violation. But the practical impact goes well beyond regulatory language.
When an organization files a voluntary disclosure properly, several things happen in its favor:
- Penalty reduction: DDTC consistently imposes lower civil penalties on companies that self-report. In documented consent agreements, self-disclosing companies have received penalty reductions of 50 percent or more compared to what similarly situated non-disclosing organizations have faced.
- Avoided criminal referral: When a violation is discovered externally, DDTC has greater incentive to refer the matter for criminal prosecution. A well-structured voluntary disclosure signals that company leadership is not engaged in willful misconduct.
- Debarment risk reduction: Debarment from the U.S. Munitions List can effectively end a defense contractor's business. Voluntary disclosure significantly lowers the probability that DDTC will pursue this remedy.
- Narrative control: You get to frame what happened, what corrective actions you have taken, and what systemic improvements you have implemented. When DDTC discovers the violation independently, they write that narrative.
- Demonstrated compliance culture: A properly filed voluntary disclosure shows contracting officers and agency partners that your organization takes export controls seriously. That matters for future contract awards.
The Hidden Costs of Saying Nothing
The argument for staying quiet usually boils down to wishful thinking: maybe DDTC will never find out, and if you self-report you are definitely inviting scrutiny you might otherwise avoid. This reasoning fails on nearly every practical level.
First, violations rarely stay contained. The more people inside your organization who know about a compliance incident, the greater the exposure to a whistleblower report. Former employees, disgruntled contractors, or even well-intentioned staff who believe they have an obligation to report can trigger an investigation without any action on your part.
Second, when DDTC discovers a violation independently, they enter the interaction already suspicious of your organization's intent. Every document they review, every employee they interview, every system they examine gets filtered through the assumption that you had something to hide. That is an extraordinarily difficult position from which to negotiate a favorable outcome.
Third, if the violation involves a pattern of conduct rather than an isolated incident, the penalty calculation changes dramatically. Willful or repeated violations carry substantially higher penalties, and concealment of known violations can transform a civil matter into a criminal one.
For a deeper look at the full spectrum of consequences, our post on ITAR violations and guidance for compliance managers covers what organizations should expect at each stage of an enforcement action.
What a Strong Voluntary Disclosure Looks Like
Filing a voluntary disclosure is not simply sending DDTC an email saying something went wrong. A poorly constructed disclosure can actually worsen your position by admitting liability without adequately contextualizing the circumstances or demonstrating corrective action. The disclosure needs to accomplish several objectives simultaneously.
Initial Notification
As soon as you have a reasonable basis to believe a violation occurred, you should notify DDTC in writing. This initial notice does not need to include every detail of the incident, but it establishes your timeline of self-reporting. The clock matters: a disclosure filed before DDTC learns of the violation from another source carries far more weight than one filed after an investigation has already been opened.
Thorough Internal Investigation
Following the initial notice, you have a defined window to complete an internal investigation and submit a full disclosure. This investigation needs to be credible, documented, and genuinely comprehensive. DDTC will assess whether your investigation was designed to uncover the truth or to minimize disclosed facts. A risk assessment conducted by qualified outside professionals adds objectivity and credibility to your findings.
Corrective Action Plan
The full disclosure must include a concrete corrective action plan. This is where the quality of your compliance program development work becomes visible. DDTC wants to see that root causes have been identified, that systemic gaps have been addressed, and that recurrence is unlikely. A generic list of training commitments will not satisfy a sophisticated examiner.
Supporting Documentation
Every factual assertion in the disclosure should be supported by records. Export logs, license records, employee communications, shipping documentation, and internal investigation findings all contribute to a disclosure that DDTC can evaluate on its merits rather than one it must investigate independently.
Our detailed walkthrough of when and how to file an ITAR voluntary disclosure provides a step-by-step process for compliance teams managing this process for the first time.
The Role of Outside Expertise in Voluntary Disclosures
Many organizations attempt to manage voluntary disclosures entirely in-house, and some succeed. But the consequences of getting this wrong are severe enough that outside expertise almost always pays for itself. An experienced ITAR compliance consultant brings several things to the table that internal teams typically cannot provide.
First, objectivity. An internal compliance manager who participated in the activities that led to the violation, or who reports to executives whose decisions are under review, cannot credibly conduct a self-contained investigation. Outside consultants provide the independence that DDTC expects to see.
Second, familiarity with DDTC expectations. The agency has specific preferences for how disclosures are structured, what language is used, and what level of detail is provided. Getting that calibration wrong can turn a favorable disclosure into a frustrating back-and-forth with examiners. Our post on what an ITAR voluntary disclosure consultant actually does explains the specific ways outside support changes outcomes.
Third, simultaneous remediation. While the disclosure process unfolds, your organization still needs to operate and remain compliant. A consultant who understands both the disclosure process and the broader compliance program can help you fix underlying gaps without inadvertently creating new disclosure issues.
For organizations in the aerospace and defense sector or for manufacturers dealing with ITAR-controlled components, the stakes are simply too high to treat voluntary disclosure as a do-it-yourself exercise.
Building Disclosure Readiness Into Your Compliance Program
The best time to build your voluntary disclosure capability is before you need it. Organizations with mature compliance programs have internal procedures for identifying potential violations, escalating them to appropriate decision-makers, and initiating a disclosure process within a defined timeframe. They have already identified outside counsel and compliance consultants they can engage quickly. They have document preservation protocols that prevent records from being altered or destroyed once a potential violation is identified.
If your organization does not have those mechanisms in place, that gap itself represents a risk. DDTC's expectations for compliance program maturity continue to rise, and a program that lacks incident response and disclosure procedures will not hold up under scrutiny. Our ITAR compliance program maturity guide outlines what DDTC is looking for in 2026.
Consider also whether your team has the foundational ITAR knowledge needed to identify potential violations in the first place. Our ITAR and Export Controls Fundamentals guide for compliance managers is a practical resource for building that baseline awareness across your team.
The Bottom Line
When you lay the risk analysis side by side, voluntary disclosure is almost never the wrong choice when a genuine violation has occurred. The reduction in penalties, the avoided criminal exposure, the protection of your contracting relationships, and the ability to control the narrative together represent a compelling case for transparency. The alternative — hoping DDTC never finds out — is a bet against a well-resourced federal agency with multiple independent pathways to the same information you are sitting on.
The question is not really whether to disclose. The question is how to disclose in a way that positions your organization as a responsible, cooperative registrant working in good faith to maintain compliance. That requires preparation, expert support, and a compliance program capable of producing the documentation DDTC will expect to see.
Get Expert ITAR Voluntary Disclosure Support
If your organization is facing a potential ITAR violation and needs to evaluate its disclosure options, Cleared Systems is ready to help. We provide end-to-end ITAR and export controls compliance support, including voluntary disclosure guidance, internal investigation management, and corrective action planning. Contact us through our request a quote form to speak directly with our compliance team about your situation — confidentially and without obligation.