What Qualifies as ITAR Controlled Technical Data? A Decision Framework for Engineers

Why the Definition of ITAR Controlled Technical Data Matters More Than You Think

Of all the questions I field from engineers and program managers at defense contractors, one comes up more consistently than any other: Is this technical data ITAR controlled? It sounds straightforward. In practice, it is one of the most consequential judgment calls your team will make on any given workday.

Getting the answer wrong in either direction carries real consequences. Over-controlling data creates friction, slows collaboration, and strains relationships with foreign partners. Under-controlling it can result in unauthorized exports, criminal penalties, and debarment from federal contracting. The International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls (DDTC) under 22 CFR Parts 120–130, do not grade on a curve.

This post gives engineers, program managers, and compliance professionals a working decision framework for evaluating whether information qualifies as ITAR controlled technical data. If you want a deeper foundation before applying the framework, our ITAR compliance overview is a good starting point.

What ITAR Says About Technical Data

Under 22 CFR § 120.33, technical data is defined as information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes:

• Information in the form of blueprints, drawings, photographs, plans, instructions, and documentation
• Software directly related to defense articles
• Classified information relating to defense articles and defense services
• Information covered by an inventions secrecy order

Critically, the definition explicitly excludes information in the public domain and basic marketing information about function and purpose. The operative concept is defense articles, which are items enumerated in the United States Munitions List (USML) at 22 CFR Part 121. If your technical data provides meaningful assistance in designing, producing, operating, or maintaining something on the USML, it is almost certainly controlled.

For a detailed breakdown of how ITAR and the Export Administration Regulations interact with your information systems, see our post on the impact of EAR and ITAR on information systems.

A Practical Decision Framework: Five Questions to Ask

Rather than attempting to memorize every USML category, engineers can apply a structured five-question test to any piece of information they create, receive, or transmit.

Question 1: Does This Information Relate to a Defense Article?

Start with the USML. The list covers 21 categories, ranging from firearms and ammunition (Category I) to military electronics (Category XI) to spacecraft and satellites (Category XV). If the system, subsystem, component, or material your information describes appears on that list—or is specifically designed, modified, or configured for a defense article—you have strong reason to treat the data as controlled.

This is where engineers often stumble. A commercial gyroscope may be EAR-controlled rather than ITAR-controlled. The same gyroscope, modified for use in a missile guidance system, becomes a defense article under USML Category IV or XV, and any technical data describing that modification becomes ITAR controlled technical data.

Question 2: Does the Information Provide Meaningful Technical Assistance?

The ITAR definition of technical data focuses on information required for design, development, production, and related activities. Ask whether the information you hold would provide a recipient with a meaningful capability advantage in producing or operating a defense article. General descriptions, capability summaries, or publicly available performance specifications typically do not clear this bar. Detailed schematics, manufacturing tolerances, source code for weapons systems, and test procedures almost always do.

Question 3: Is the Information Already in the Public Domain?

ITAR does not control information that is genuinely in the public domain—meaning it has been made available to the public through unrestricted sales, public libraries, published patents, or through fundamental research exclusions under 22 CFR § 120.34. However, this exclusion is narrow. The mere fact that some related information is public does not render your specific, consolidated, or proprietary technical dataset uncontrolled. If your organization produced it and it has not been formally released into the public domain through an authorized channel, treat it as controlled until you confirm otherwise.

Question 4: Is There an Applicable Exemption?

Several ITAR exemptions can authorize exchanges of technical data without a license. The most commonly used include:

• 22 CFR § 125.4(b)(2) — Technical data in the public domain
• 22 CFR § 125.4(b)(9) — Intra-company transfers to foreign subsidiaries under certain conditions
• 22 CFR § 126.18 — Exemptions for foreign persons employed by U.S. persons, subject to nationality screening and access controls
• 22 CFR § 126.5 — Canadian exemptions for specific categories

Exemptions require documented compliance procedures. Using them carelessly is one of the most common root causes of ITAR violations. Our post on ITAR violations and how to manage them covers this risk in depth.

Question 5: Who Will Have Access to This Information?

Under ITAR, transmitting or otherwise making controlled technical data available to a foreign person—regardless of where that exchange occurs—constitutes an export. This is the deemed export rule. A foreign national engineer working in your facility, reviewing your CAD files or test documentation on-site in the United States, triggers the same export control obligations as physically shipping a document overseas.

This makes access control a core compliance function, not just an IT concern. For organizations with foreign national employees, visitors, or offshore collaboration, the deemed export analysis must happen before access is granted. Our resource on ITAR compliance and hiring foreign nationals addresses this in detail.

Categories of Information That Frequently Require Analysis

Not every piece of information at a defense contractor is ITAR controlled. But certain categories warrant extra scrutiny because they sit near the line:

• CAD models and engineering drawings for defense components
• Software source code and object code embedded in or used to operate defense articles
• Test and evaluation data characterizing performance of defense systems
• Manufacturing process specifications describing how defense articles are produced
• Failure mode analyses and maintenance manuals for weapons systems
• Interface control documents linking defense and non-defense components
• Simulation models used in development of defense articles

If your organization operates in the aerospace and defense sector, virtually every one of these categories will appear in your daily workflow. Our aerospace and defense industry page outlines how we help companies in that space build and sustain ITAR compliance programs.

Common Mistakes Engineers Make When Evaluating ITAR Status

In my experience conducting compliance reviews and training programs at defense contractors, the same misunderstandings appear repeatedly:

1. Assuming dual-use items are automatically EAR, not ITAR. The line between the EAR and ITAR is not always intuitive. When in doubt, analyze both regulatory regimes before sharing data.
2. Treating aggregation as harmless. Individual pieces of information may each appear benign, but combined into a comprehensive technical package, they may collectively qualify as ITAR controlled technical data.
3. Conflating classification with ITAR control. Information does not need to be classified to be ITAR controlled. Unclassified technical data can be fully subject to ITAR restrictions.
4. Assuming a commercial off-the-shelf label eliminates ITAR risk. If a commercial item is used in a defense application, related technical data may still be controlled depending on how the item is modified or integrated.
5. Failing to label documents properly. Controlled technical data should be marked to alert recipients of its status. Proper labeling is both a regulatory requirement and a practical safeguard. See our guidance on proper labeling of ITAR documents and records.

How Technical Data Intersects With CUI and CMMC Requirements

It is worth noting that ITAR controlled technical data and Controlled Unclassified Information (CUI) are not the same category, though they frequently coexist in the same information environment. Some ITAR technical data will also carry CUI designations under the DoD CUI Program. Others may be ITAR controlled but not CUI. Your compliance program needs to account for both frameworks simultaneously.

Defense contractors subject to DFARS 252.204-7012 and CMMC must also apply appropriate cybersecurity controls to systems processing CUI. If you are still sorting out how those frameworks interact, our post on effective compliance with ITAR, CMMC 2.0, and CUI provides a practical overview.

Building a Defensible Technical Data Review Process

The five-question framework above is a starting point, not a substitute for a formal technical data review process embedded in your compliance program. A defensible program includes:

• A written technical data identification and classification procedure
• Designated technical data custodians or a compliance officer with export control authority
• Regular training for engineering, program management, and IT staff
• Document marking and handling procedures aligned with 22 CFR Part 125
• An access control policy that addresses foreign nationals and the deemed export rule
• Periodic internal audits and a voluntary disclosure posture

Our ITAR and export controls compliance service is specifically designed to help defense contractors build and operationalize this kind of program, from initial gap assessment through ongoing program management.

Practical Resources to Support Your Program

If your team is building out ITAR compliance documentation, our ITAR Compliance Documentation Toolkit provides ready-to-use templates and procedures. For foundational training, the ITAR and Export Controls Fundamentals guide is written specifically for compliance managers who need to translate regulatory requirements into practical policies.

Take the Next Step

Determining what qualifies as ITAR controlled technical data is not a one-time exercise. It requires ongoing vigilance, trained personnel, and a compliance infrastructure that keeps pace with evolving DDTC guidance. If your organization needs an independent review of your technical data identification process, your access control policies, or your overall ITAR compliance posture, Cleared Systems is ready to help. Request a quote to connect with our team, or review our ITAR and export controls compliance services to learn how we structure our engagements for defense contractors at every stage of program maturity.