In 2023, DDTC updated its ITAR Compliance Program (ICP) Guidelines with clearer expectations for companies of all sizes. Whether you're setting up your first compliance program or refining an existing one, here are the seven core elements every exporter needs to understand.
The first element of an effective ITAR compliance program is management commitment. While DDTC’s compliance program guidelines suggest that company leadership publish a written Export Compliance Management Commitment Statement signed by the CEO or president, real leadership is more than just signing a policy.
DDTC wants to see management actively involved, which means:
Managers need to emphasize that compliance isn't negotiable and provide clear channels for employees to raise concerns without retaliation.
Before you can export anything under ITAR, you need to register with DDTC—and this requirement catches many companies off guard. Even if you manufacture defense articles but never ship them overseas, registration is required.
As of January 2025, the annual registration fee starts at $3,000, and registration must be renewed 30–60 days before expiration.
But registration is just the beginning. The harder question is: Are your products actually ITAR-controlled?
Most items exported from the United States fall under the jurisdiction of the U.S. Commerce Department’s Bureau of Industry and Security (BIS) and the Export Administration Regulations (EAR). It is typically easier to export items controlled by the EAR than ITAR, but you must first be sure your products don’t appear on the U.S. Munitions List.
For more details on making that determination, see our blog post, Determining Export Controls Jurisdiction and Classification: ITAR and EAR Order of Review.
If you’re unsure, DDTC allows you to request a Commodity Jurisdiction (CJ) determination for an official ruling. Our blog post, The ITAR-Controlled Item You Never Knew You Had, explores common classification surprises.
Example: A machine shop that made specialty fasteners had always assumed their commercial products fell under EAR. When a defense contractor requested their parts for a military helicopter, they realized certain specifications pushed those same fasteners into ITAR territory under USML Category VIII. A CJ request confirmed it—and they had to register with DDTC before fulfilling the order.
According to ITAR, exporters must keep detailed records for at least five years after a license expires or a transaction occurs—whichever is later. Records include:
Because recordkeeping requirements are so strict, many exporters use export documentation and compliance software to maintain audit-ready records rather than relying on spreadsheets or filing cabinets that could be stored across the company in various locations.
For companies employing or working with foreign persons, DDTC encourages creating a Technology Control Plan (TCP) outlining how technical data is secured and who has access. The plan should log every foreign visitor, what they saw and why they were there.
Example: During a DDTC audit, one company couldn't produce visitor logs from three years earlier. They'd kept the logs but hadn't linked them to specific technical data disclosures. DDTC cited this as a recordkeeping deficiency even though no unauthorized export occurred. The lesson: Document not just WHO visited, but WHAT they accessed.
No compliance program is perfect. What matters is how your company responds when something goes wrong.
DDTC strongly encourages voluntary self-disclosure of suspected ITAR violations. Doing so can significantly reduce potential penalties—sometimes even avoiding them entirely.
A strong compliance policy should:
The stakes are high:
This is why internal reporting channels matter. Employees need to feel safe raising compliance concerns.
I sometimes get asked how long ITAR training should last. My answer: It depends. It depends on the employee’s role, experience and exposure to ITAR-controlled activities.
DDTC emphasizes role-based training:
DDTC doesn't specify a set amount of time for training. They care about the effective of the training. A 30-minute slideshow for engineers isn’t enough if they handle technical data daily.
Companies should provide annual training and update it whenever the DDTC or the ITAR rules change. They should test their employees on key concepts and provide documentation when it's done.
Example: One defense contractor brings in outside counsel annually to train their export team, while factory floor workers watch a 20-minute video on recognizing ITAR red flags. Both groups are then tested on scenarios relevant to their roles. All participants receive a Certificate of Completion for their records.
Risk assessments should happen at least annually and whenever your business changes—new products, new customers, new foreign employees or new facilities all create new risks.
Regular risk assessments help identify where ITAR violations could happen—from international travel with laptops to facility visits or poorly documented license exemptions. Once risks are identified, organizations should prioritize them and adjust their ICP accordingly.
DDTC also recommends routine audits to test the effectiveness of your compliance program. These can be internal or external and should include interviews, document reviews and process checks.
Example: A defense contractor discovered during an internal audit that old technical drawings were still stored on a shared drive accessible to foreign subsidiaries. They corrected access controls before any unauthorized export occurred. If DDTC had discovered this first during an audit, the company likely would have faced penalties even without proof of actual disclosure.
All these elements should be captured in a formal ITAR Compliance Manual (sometimes called an Export Compliance Manual or ECM. This isn't just a nice-to-have—DDTC expects to see it during audits and considers it evidence of a functioning program.
Your manual should include:
Many first-time exporters hire consultants or trade attorneys to help draft their initial manual, then maintain it internally. The key is keeping it current—a dusty binder from 2018 is worse than no manual at all because it shows neglect.
Getting ITAR compliance right takes commitment, but it's worth it. Companies with strong compliance programs experience fewer shipment delays, avoid costly violations and build stronger relationships with both customers and regulators.
For new exporters, DDTC's guidelines can feel overwhelming. Start with the basics: register if required, classify your products accurately, train your team and document everything. Seek help from outside experts if needed. Compliance is too important—and penalties are too significant—to rely on a hope and a prayer.
While no software replaces a complete ITAR compliance program, technology can support critical activities like documentation, restricted party screening and recordkeeping.
Shipping Solutions export documentation and compliance software helps ITAR exporters:
Strong compliance starts with solid policies and training. Technology helps you execute them consistently.
Request a free demo to see how Shipping Solutions can help you streamline your compliance processes and keep your business export ready.
Like what you read? Join thousands of exporters and importers who subscribe to Passages: The International Trade Blog. You'll get the latest news and tips for exporters and importers delivered right to your inbox.