Trade, Export Controls & Sanctions
USML categories controlling defense articles and services
Maximum civil penalty per violation (2025, adjusted for inflation)
Minimum recordkeeping requirement for all ITAR transactions
Regulation Overview
https://www.pmddtc.state.gov
ITAR is the US regulatory framework controlling the export and import of defense articles, defense services, and related technical data listed on the United States Munitions List. For supply chain and compliance teams, the primary obligation is ensuring that every item, document, and interaction involving USML-controlled technology is properly classified, licensed, and documented. The USML contains 21 categories spanning firearms, ammunition, military vehicles, aircraft, naval vessels, satellites, electronics, and related technical data. DDTC's September 2025 final rule amended 15 of 21 categories—adding newer technologies and removing outdated entries. Companies must register with DDTC, obtain export licenses before transferring controlled items, and prevent unauthorized access by foreign persons—including employees and visitors. ITAR compliance requires classification-level data from every supplier in the defense supply chain. When USML categories are revised, your entire product portfolio requires reclassification assessment.
Key Components / Sub-Frameworks
US manufacturers of defense articles listed on the USML\nExporters and importers of USML-controlled items, technical data, or defense services\nBrokers of defense articles between foreign persons or governments\nSubcontractors and suppliers in the defense supply chain handling ITAR-controlled items\nCompanies employing foreign nationals with access to ITAR technical data (deemed exports)\nUniversities and research institutions working on USML-related technologies
Key Thresholds
DDTC revised 15 of 21 USML categories in September 2025. Your product line includes 300 components from 80 suppliers. Some items moved from ITAR to EAR jurisdiction. Others moved in. Your classification records are 18 months old. Without a systematic reclassification review, you may be exporting under the wrong authority—and every shipment is a potential violation.
A foreign national engineer on your team accesses a shared drive containing ITAR technical data. No export license was obtained. Under ITAR, this "deemed export" carries the same penalties as shipping a missile component overseas. Your IT systems don't distinguish between ITAR-controlled files and general engineering data. Your access controls are based on job title, not citizenship verification.
Your prime contractor requires ITAR compliance across all sub-tier suppliers. Supplier 1 has DDTC registration but no documented compliance program. Supplier 2 manufactures a component that was recently reclassified onto the USML. Supplier 3 uses a foreign-owned subcontractor you didn't know about. Without multi-tier supply chain transparency, one non-compliant link can trigger debarment for your entire program.
DDTC requests records for a license issued three years ago. You need the original application, all amendments, end-use certificates, delivery verification, and correspondence. Records are scattered across email, file shares, and a retired licensing system. Assembling a complete audit trail takes weeks—and incomplete records are themselves a violation.
Certivo In Action
Certivo in Action — ITAR Workflow
From Manual Classification Tracking to Automated Compliance Intelligence
CORA collects, parses, and validates supplier ITAR evidence automatically. Your team focuses on classification decisions and license strategy—not chasing DDTC registrations and compiling spreadsheets.
Flow-Down Documentation Acceleration
Generate complete, audit-ready ITAR compliance packages for prime contractor flow-down requirements in hours—not the weeks of manual compilation across suppliers and programs.
Proactive ITAR Compliance Assurance
When DDTC amends the USML, Certivo reassesses your product portfolio and supplier classifications instantly. Know which items shifted jurisdiction before your next export.
Key Statistics
Frequently Asked Questions
Who must comply with ITAR?
Any US person or entity that manufactures, exports, imports, or brokers defense articles, defense services, or related technical data listed on the USML must register with DDTC and comply with ITAR. This extends to subcontractors and suppliers in the defense supply chain—including companies that never export but manufacture USML-controlled items domestically. Certivo helps organizations map their ITAR obligations across the full supplier network.
What are the penalties for ITAR violations?
Civil penalties reach $1,271,078 per violation (2025, inflation-adjusted) or twice the transaction value. Criminal penalties include up to $1 million in fines and 20 years imprisonment per willful violation. DDTC can also impose debarment—permanently excluding violators from ITAR-regulated activities. Consent agreements typically include monetary penalties, multi-year compliance monitoring, and mandatory remedial measures.
How does the September 2025 USML revision affect existing classifications?
The September 2025 final rule amended 15 of 21 USML categories, adding newer technologies such as advanced sensors, propulsion systems, and unmanned underwater vehicles while removing outdated entries. Items removed from the USML transition to EAR jurisdiction under the Commerce Department. CORA monitors all USML amendments and alerts you when product classifications in your portfolio may have shifted.
How does Certivo manage ITAR flow-down compliance across the supply chain?
Certivo collects DDTC registration status, USML classification data, and export control certifications from every supplier in your chain. CORA validates registration currency, flags classification inconsistencies, and generates flow-down compliance packages for prime contractor requirements. One supplier submission satisfies multiple program flow-down obligations simultaneously.
How does ITAR relate to EAR and other export control frameworks?
ITAR controls defense articles on the USML; EAR controls dual-use and commercial items on the Commerce Control List. Jurisdiction determination—deciding whether an item falls under ITAR or EAR—is a critical first step. Many items sit near the boundary, especially after USML revisions. Certivo validates supplier evidence against both ITAR and EAR frameworks simultaneously, supporting commodity jurisdiction determinations and multi-jurisdiction export control compliance from a single supplier campaign.