Expert guidance on ITAR registration, EAR jurisdiction, technical data handling, deemed-export controls, and the operating practices that keep export compliance violations from becoming criminal liability.
ITAR violations aren't regulatory — they're criminal. Individual employees can face prosecution. Companies can face debarment from federal contracting, civil penalties exceeding $1 million per violation, and reputational damage that doesn't recover. Export controls under EAR are administered separately and carry their own escalating penalty structure. Both regimes are actively enforced.
Cleared Systems works with defense manufacturers, aerospace contractors, technology companies, research institutions, and any organization handling defense articles, technical data, or services that fall under U.S. export controls. We help you determine jurisdiction, register where required, build the operating practices that keep you compliant, and respond to the inevitable hard questions: foreign nationals on staff, cloud storage of technical data, foreign customer inquiries, and international travel with controlled information.
What is ITAR & Export Controls Compliance?
The International Traffic in Arms Regulations (ITAR), administered by the State Department's Directorate of Defense Trade Controls (DDTC), govern the export, temporary import, and brokering of defense articles, defense services, and related technical data on the United States Munitions List (USML). The Export Administration Regulations (EAR), administered by the Commerce Department's Bureau of Industry and Security (BIS), govern dual-use items on the Commerce Control List (CCL).
The two regimes overlap, conflict in places, and require ongoing classification work to determine what falls where. They also reach further than most organizations expect — covering technical drawings, simulation outputs, software, training materials, and conversations between cleared engineers and foreign national colleagues. The phrase "deemed export" — sharing controlled technical data with a foreign national, even inside the United States — is where many otherwise-careful organizations get into trouble.
Cleared Systems' export controls practice covers the full lifecycle: jurisdictional analysis, registration and licensing, internal program design, technology control plans, deemed-export management, training, audit response, and voluntary disclosure when something has gone wrong.
Why You Need This Service
Several realities are pushing more organizations into formal export controls work:
The rules reach further than they used to. CAD files, simulation outputs, AI training data, cloud-stored design documents, and routine engineering email all qualify as technical data the moment they describe a controlled item. Organizations that thought they had no export exposure routinely discover they do.
Enforcement is active. DOJ, DDTC, and BIS have all increased prosecutions and civil enforcement over the past several years. Deferred Prosecution Agreements with seven- and eight-figure penalties are no longer rare. Voluntary disclosure is meaningfully better than involuntary discovery — but it requires a program that recognizes a violation in the first place.
Foreign national workforce is the rule, not the exception. American engineering teams routinely include foreign national contributors, often through TAA arrangements. Each one represents a deemed-export exposure that needs an active management plan, not a one-time form check.
CMMC and DFARS interact with export controls. Technical data that's both CUI and ITAR-controlled is now common, and the controls protecting it have to satisfy both regimes simultaneously. Organizations that treat them as separate programs end up with gaps in both.
Cloud storage decisions get expensive fast. Putting ITAR-controlled data in a cloud that hasn't been authorized for it is a violation regardless of intent. Organizations need to make GCC High vs. AWS GovCloud vs. on-premises decisions with the export controls implications fully understood — not as an afterthought.
If your organization handles anything with potential military application, has foreign national engineers, ships internationally, or stores controlled data in the cloud — you have export exposure that benefits from formal program support.
What We Deliver
A typical ITAR & Export Controls engagement covers the operational and documentation foundations of an export compliance program:
- Jurisdictional classification of your products, technical data, and services — USML, CCL, or EAR99 — with documented rationale
- ITAR registration support with DDTC where required, including initial registration and annual renewals
- Export license applications (DSP-5, DSP-73, DSP-83, MLA, TAA) and post-license tracking
- A documented Technology Control Plan (TCP) defining how controlled data is identified, marked, stored, transmitted, and destroyed
- Deemed-export controls covering foreign national access — including segregation requirements, badging, system access, and meeting protocols
- Visitor controls and facility access procedures for foreign national visitors
- An export compliance manual tailored to your operations, with procedures owned by named roles
- Training tailored to the workforce — engineering staff, shipping and receiving, sales and BD, executives
- Recordkeeping practices that produce the audit trail required under both ITAR and EAR
- Voluntary disclosure support when violations are identified internally
- Audit response when DDTC, BIS, or Customs initiates a review
We work with both ITAR-only and EAR-only organizations, and with the much larger group that's subject to both — including the DDTC-CMMC-DFARS triad common in the defense supply chain.
Frameworks and Regulations We Cover
ITAR (22 CFR Parts 120–130) including USML categories I–XXI, EAR (15 CFR Parts 730–774) including the CCL and EAR99 classifications, OFAC sanctions programs (SDN list, country sanctions, sectoral sanctions), DDTC Part 122 registration and Part 123/124/125 licensing, deemed-export rules under 15 CFR 734.2(b)(2)(ii) and 22 CFR 120.17, NISPOM (32 CFR Part 117) for cleared facilities, DFARS 252.204-7012 where ITAR-controlled data overlaps CUI, CMMC 2.0 requirements where export-controlled data is in scope, and CBP export filing requirements (AES, EEI).
Who This Is For
ITAR & Export Controls Compliance is the right service if you're an aerospace or defense manufacturer, a precision manufacturer with export-controlled output, a federal contractor handling defense technical data, a research institution working on defense-funded programs, a technology company with potential dual-use applications, or any organization that's been told — by a customer, a prime, a foreign partner, or a regulator — to demonstrate an export compliance program. Browse all industries Cleared Systems supports for additional context.
You especially need this service if any of the following apply: you have foreign national employees, contractors, or interns; you ship products internationally; you store technical data in the cloud; you participate in international research collaborations; or you've never had a formal jurisdictional classification done on your products and technical data.
How We Engage
Export controls work is well-suited to retainer engagement, because the questions don't stop. Every new hire raises a deemed-export question. Every new product raises a classification question. Every new customer relationship raises a license question. Cleared Systems engages on retainer by default — read more about how we engage — and project-based work is available where scope is well-defined.
We frequently combine export controls work with CMMC, CUI & DFARS Compliance when controlled technical data also qualifies as CUI, with Compliance Program Development when the export program is part of a larger compliance build, and with Regulatory vCISO Services when the organization needs senior leadership ownership of the export function. Request a quote for an export controls engagement and we'll scope what's appropriate for your environment.
Common Questions
How do we know if our products are ITAR-controlled?
The threshold question is whether your product, technical data, or service appears on the USML. If it does, ITAR applies. If it doesn't, EAR likely does — and you need to determine the ECCN classification. We perform formal jurisdictional analyses with documented rationale, which is what's expected in audit response.
Do export controls apply if we don't ship anything overseas?
Yes. Deemed exports — sharing technical data with a foreign national, even inside the U.S. — are regulated. Cloud storage that crosses national boundaries is regulated. International phone calls describing controlled technical data are regulated. Many ITAR violations occur entirely within the United States.
We use a foreign cloud provider — is that a violation?
Possibly. The cloud's physical location, the provider's nationality, and the provider's access controls all matter. ITAR requires that controlled data not be exported to a foreign person or place — and storage in a non-cleared cloud can constitute an export. We help organizations evaluate cloud architecture against export requirements, including GCC High and AWS GovCloud authorizations.
What happens if we discover a violation?
You have a decision to make: voluntary disclosure or wait for it to be discovered. Voluntary disclosure typically results in significantly reduced penalties and demonstrates a functioning compliance program. We help clients evaluate whether disclosure is warranted, prepare the submission, and respond to follow-up inquiries from DDTC or BIS.
Are penalties really criminal?
Yes. Willful ITAR violations carry up to $1 million per occurrence in criminal fines and up to 20 years in prison for individuals. EAR willful violations carry similar criminal exposure. Civil penalties are added on top. The criminal exposure attaches to individuals — including engineers, executives, and shipping personnel — not just the corporate entity.
Don't Get Compliance Wrong on Export Controls
ITAR and EAR are the highest-stakes compliance regimes most organizations will ever operate under. The cost of getting it wrong starts at career-ending and goes from there. Request a quote for an export controls engagement and we'll scope a program that fits your jurisdictional exposure, your workforce, and your operational reality.