ITAR Compliance Program: 7 Core Requirements from DDTC Guidelines

If your company deals with defense articles or services, ITAR compliance isn't optional—it's legally required. The International Traffic in Arms Regulations (ITAR), enforced by the State Department's Directorate of Defense Trade Controls (DDTC), protect U.S. national security by controlling what defense items can be exported and to whom.

In 2023, DDTC updated its ITAR Compliance Program (ICP) Guidelines with clearer expectations for companies of all sizes. Whether you're setting up your first compliance program or refining an existing one, here are the seven core elements every exporter needs to understand.

1. Management Commitment: Why Leadership Must Lead

The first element of an effective ITAR compliance program is management commitment. While DDTC’s compliance program guidelines suggest that company leadership publish a written Export Compliance Management Commitment Statement signed by the CEO or president, real leadership is more than just signing a policy.

DDTC wants to see management actively involved, which means:

• Providing resources (staff, training and technology) for compliance
• Making compliance part of employee evaluations and performance goals
• Regular review and updates to the ICP

Managers need to emphasize that compliance isn't negotiable and provide clear channels for employees to raise concerns without retaliation.

2. DDTC Registration and Classification: Knowing Who You Are and What You Handle

Before you can export anything under ITAR, you need to register with DDTC—and this requirement catches many companies off guard. Even if you manufacture defense articles but never ship them overseas, registration is required.

As of January 2025, the annual registration fee starts at $3,000, and registration must be renewed 30–60 days before expiration.

But registration is just the beginning. The harder question is: Are your products actually ITAR-controlled?

Most items exported from the United States fall under the jurisdiction of the U.S. Commerce Department’s Bureau of Industry and Security (BIS) and the Export Administration Regulations (EAR). It is typically easier to export items controlled by the EAR than ITAR, but you must first be sure your products don’t appear on the U.S. Munitions List.

For more details on making that determination, see our blog post, Determining Export Controls Jurisdiction and Classification: ITAR and EAR Order of Review.

If you’re unsure, DDTC allows you to request a Commodity Jurisdiction (CJ) determination for an official ruling. Our blog post, The ITAR-Controlled Item You Never Knew You Had, explores common classification surprises.

Example: A machine shop that made specialty fasteners had always assumed their commercial products fell under EAR. When a defense contractor requested their parts for a military helicopter, they realized certain specifications pushed those same fasteners into ITAR territory under USML Category VIII. A CJ request confirmed it—and they had to register with DDTC before fulfilling the order.

3. Recordkeeping: The 5-Year Rule and What It Covers

According to ITAR, exporters must keep detailed records for at least five years after a license expires or a transaction occurs—whichever is later. Records include:

• Licenses and authorizations
• Technical data exports (including oral and visual disclosures)
• Brokering records
• Documentation of political contributions, fees and commissions

Because recordkeeping requirements are so strict, many exporters use export documentation and compliance software to maintain audit-ready records rather than relying on spreadsheets or filing cabinets that could be stored across the company in various locations.

For companies employing or working with foreign persons, DDTC encourages creating a Technology Control Plan (TCP) outlining how technical data is secured and who has access. The plan should log every foreign visitor, what they saw and why they were there.

Example: During a DDTC audit, one company couldn't produce visitor logs from three years earlier. They'd kept the logs but hadn't linked them to specific technical data disclosures. DDTC cited this as a recordkeeping deficiency even though no unauthorized export occurred. The lesson: Document not just WHO visited, but WHAT they accessed.

4. Detecting and Reporting Violations

No compliance program is perfect. What matters is how your company responds when something goes wrong.

DDTC strongly encourages voluntary self-disclosure of suspected ITAR violations. Doing so can significantly reduce potential penalties—sometimes even avoiding them entirely.

Key Requirements

Your ITAR Compliance Program should include: 

✓ Management commitment with written policy
✓ DDTC registration ($3,000 annual fee)
✓ 5-year recordkeeping for all exports
✓ Voluntary disclosure of violations reduces penalties
✓ Tiered training based on employee roles
✓ Annual risk assessments and audits
✓ Formal written compliance manual

A strong compliance policy should:

• Provide clear internal reporting channels
• Allow anonymous reporting without retaliation
• Include step-by-step procedures for investigating, documenting and disclosing violations

The stakes are high:

• Civil penalties exceeding $1,271,078 per violation (as of 2025, adjusted annually)
• Criminal penalties of up to $1 million and/or 20 years imprisonment
• Debarment from defense exporting

This is why internal reporting channels matter. Employees need to feel safe raising compliance concerns.

5. Training: One Size Does Not Fit All

I sometimes get asked how long ITAR training should last. My answer: It depends. It depends on the employee’s role, experience and exposure to ITAR-controlled activities.

DDTC emphasizes role-based training:

• All employees: General awareness training on what ITAR is and why it matters.
• Senior management: Understanding how leadership decisions impact compliance.
• Export and technical staff: Practical guidance on classification, licensing and recordkeeping.
• Export Compliance team: Advanced, detailed training including updates to ITAR and audit procedures.

DDTC doesn't specify a set amount of time for training. They care about the effective of the training. A 30-minute slideshow for engineers isn’t enough if they handle technical data daily.

Companies should provide annual training and update it whenever the DDTC or the ITAR rules change. They should test their employees on key concepts and provide documentation when it's done.

Example: One defense contractor brings in outside counsel annually to train their export team, while factory floor workers watch a 20-minute video on recognizing ITAR red flags. Both groups are then tested on scenarios relevant to their roles. All participants receive a Certificate of Completion for their records.

6. Risk Assessments and Audits: Stay Ahead of Problems

Risk assessments should happen at least annually and whenever your business changes—new products, new customers, new foreign employees or new facilities all create new risks.

Regular risk assessments help identify where ITAR violations could happen—from international travel with laptops to facility visits or poorly documented license exemptions. Once risks are identified, organizations should prioritize them and adjust their ICP accordingly.

DDTC also recommends routine audits to test the effectiveness of your compliance program. These can be internal or external and should include interviews, document reviews and process checks.

Example: A defense contractor discovered during an internal audit that old technical drawings were still stored on a shared drive accessible to foreign subsidiaries. They corrected access controls before any unauthorized export occurred. If DDTC had discovered this first during an audit, the company likely would have faced penalties even without proof of actual disclosure.

7. Documenting Your Compliance Program

All these elements should be captured in a formal ITAR Compliance Manual (sometimes called an Export Compliance Manual or ECM. This isn't just a nice-to-have—DDTC expects to see it during audits and considers it evidence of a functioning program.

Your manual should include:

• Roles and responsibilities (including your Empowered Official)
• Step-by-step procedures for export authorization requests
• Classification guidance and resources
• Recordkeeping requirements and systems
• Violation reporting procedures
• Training schedules

Many first-time exporters hire consultants or trade attorneys to help draft their initial manual, then maintain it internally. The key is keeping it current—a dusty binder from 2018 is worse than no manual at all because it shows neglect.

Final Thoughts

Getting ITAR compliance right takes commitment, but it's worth it. Companies with strong compliance programs experience fewer shipment delays, avoid costly violations and build stronger relationships with both customers and regulators.

For new exporters, DDTC's guidelines can feel overwhelming. Start with the basics: register if required, classify your products accurately, train your team and document everything. Seek help from outside experts if needed. Compliance is too important—and penalties are too significant—to rely on a hope and a prayer.

Technology Can Support Your ITAR Compliance Program

While no software replaces a complete ITAR compliance program, technology can support critical activities like documentation, restricted party screening and recordkeeping.

Shipping Solutions export documentation and compliance software helps ITAR exporters:

• Create accurate export documentation faster, reducing shipment delays
• Screen customers, consignees and freight forwarders against government denied and restricted party lists
• Maintain organized, audit-ready export records
• Ensure license information is properly referenced on required forms

Strong compliance starts with solid policies and training. Technology helps you execute them consistently.

Request a free demo to see how Shipping Solutions can help you streamline your compliance processes and keep your business export ready.

Like what you read? Join thousands of exporters and importers who subscribe to Passages: The International Trade Blog. You'll get the latest news and tips for exporters and importers delivered right to your inbox.