What is ITAR, the International Traffic in Arms Regulations?

The International Traffic in Arms Regulations (ITAR) is a U.S. government framework that controls how defense-related items and technical data can be exported or shared.

If you’re working on aerospace or military-grade circuit boards, adhering to the regulatory guidelines is crucial. It affects how you manage design data and communicate with fabricators. Following the ITAR guidelines helps you protect sensitive information and avoid penalties.

Highlights:

To ensure ITAR compliance of your PCBs:

1. Identify whether products or technical data fall under the U.S. Munitions List (USML) before design, manufacturing, or export.
2. Restrict access to ITAR-controlled files (e.g., Gerber data, BOMs, blueprints) to U.S. persons only, unless authorized by the DDTC.
3. Vet ITAR-compliant fabricators and suppliers to ensure supply chain security.

In this blog, you’ll get a clear overview of ITAR, how it applies to technical data and PCBs, and the key compliance requirements for manufacturers, designers, and suppliers. You’ll also learn about the risks and penalties of non-compliance.

What is ITAR?

The International Traffic in Arms Regulations is a United States regulatory regime governed by the Department of State.

Its primary function is to control:

1. The manufacture, sale, distribution, export, and temporary import of defense-related articles and services.
2. Technical data listed on the USML.

ITAR exists to prevent sensitive military and defense technology, including electronics, satellites, and technical data, from falling into the hands of foreign adversaries, safeguarding national security and geopolitical interests.

The USML primarily covers:

1. Defense articles like firearms, guns, explosives, and tanks (categories I–IV)
2. Electronics (category XI)
3. Satellites (category XV)
4. Chemical materials (category XIV) specifically designed or modified for military use

However, its scope extends beyond obvious military hardware.

Items with commercial applications may be subject to the Export Administration Regulations (EAR) unless explicitly listed on the USML. Entities can request a commodity jurisdiction determination from the Directorate of Defense Trade Controls (DDTC) to clarify whether an item is ITAR or EAR-controlled, as outlined in 22 CFR § 120.4.

Beyond military hardware, the USML also restricts technical data, which includes:

1. The blueprints, drawings, instructions, and other documentation required for manufacturing ITAR-controlled military gear.
2. Software directly related to defense articles, as defined in 22 CFR § 120.33(a)(4).

Even if the technical data is unclassified, it still requires export authorization, typically a DSP-5 license, before it can be shared with non-U.S. persons, unless a valid exemption applies under 22 CFR § 126.

Managing physical ITAR-compliant items requires strict adherence to access and export controls (22 CFR §§ 120.54, 126). The 2020 ITAR amendment clarified that end-to-end encrypted transfers of unclassified technical data are not considered exports, as long as the data isn’t shared with foreign persons or stored in the proscribed countries. Access remains restricted to U.S. persons unless authorized by a DDTC license or exemption.

Who must register under the International Traffic in Arms Regulations?

Any person/company that engages in manufacturing, exporting, or temporarily importing defense articles, or furnishing defense services covered under the USML, must register with the Directorate of Defense Trade Controls (DDTC) under ITAR Part 122.1.

The ITAR registration requirement does not apply to:

1. U.S. government officers and employees acting in an official capacity.
2. Persons whose business activity is limited to the production of unclassified publicly available technical data as defined in 22 CFR § 120.33(b) that is not intended for export.
3. Activities exclusively regulated under the Atomic Energy Act of 1954, as amended, or the Nuclear Regulatory Commission’s regulations.

Does ITAR mandate U.S. citizenship?

ITAR does not explicitly require U.S. citizenship. However, access to defense articles and technical data is limited to individuals legally classified as U.S. persons.

According to 22 CFR § 120.62, the following individuals are classified as U.S. persons:

• U.S. citizens
• Lawful permanent residents (green card holders)
• Certain protected individuals under U.S. law (8 U.S.C. § 1324b(a)(3))

Access by foreign persons, including temporary visa holders or foreign employees, generally requires specific authorization via a DDTC license or an ITAR exemption.

Registration fees and renewal process

Registration must be completed annually by submitting a Statement of Registration (form DS-2032) along with the appropriate registration fee, in accordance with the guidelines available on the DDTC website per 22 CFR § 122.3(a).

• Tier 1: $3,000 for new registrants or no favorable determinations
• Tier 2: $4,000 for 1-5 favorable determinations
• Tier 3: $4,000 plus $1,100 per additional authorization beyond 5 favorable determinations in the 12-month period ending 90 days before expiration

A notification for renewal is typically sent to current registrants approximately 60 days before the expiration date.

A request for registration renewal must be submitted at least 30 days before the expiration date, but no earlier than 60 days prior.

A registrant who fails to renew and later seeks to re-register must pay the applicable registration fee, including retroactive fees for any part of the lapse period during which they engaged in ITAR-regulated activities. The retroactive fees for the lapse period are based on the applicable tier.

If a company continues activities regulated under ITAR (e.g., manufacturing or exporting defense articles) during the lapse, it may result in violations and subject to enforcement actions.

Companies should consider filing a voluntary disclosure with DDTC if a lapse-related violation has occurred.

Download our eBook to learn how to design an efficient class 3 board.

IPC Class 3 Design Guide

8 Chapters - 23 Pages - 35 Minute Read

What's Inside:

• IPC guidelines for manufacturing defects
• IPC standards for assembly processes
• Common differences between the classes
• IPC documents to set the level of acceptance criteria

Download Now

4 key requirements to become ITAR-compliant

To become ITAR-compliant, an organization must comply with the regulations set forth by the International Traffic in Arms Regulations.

This includes:

1. Registering with the Directorate of Defense Trade Controls, if applicable.
2. Implementing internal compliance programs to safeguard controlled items and technical data.
3. Restricting access to U.S. persons only, unless proper export authorizations are obtained.
4. Obtaining export licenses when transferring controlled items or data to foreign persons or countries.

Benefits of being an ITAR-compliant entity

For every company involved in American defense-related activities, it is essential to have a properly documented ITAR compliance program. It helps prevent violations and resolve future discrepancies.

1. Secure handling of defense articles: Manufacturers of USML-listed defense articles (e.g., military electronics under Category XI) ensure compliance with the regulations by restricting access to U.S. persons and securing technical data. These measures protect national security and align with export control requirements.
2. Reliable export operations: Exporters of defense items who comply with the International Traffic in Arms Regulations gain greater visibility and control over their operations through accurate recordkeeping. Compliance also helps prevent unauthorized exports by ensuring proper licenses and approvals are obtained.
3. Reduced risk of violations: A single regulation violation can result in significant civil or criminal penalties. Maintaining compliance helps companies avoid these risks, saving both time and money.
4. Promotion of ethical practices: A robust compliance program fosters a culture of accountability and adherence to U.S. national security standards, potentially enhancing employee confidence in ethical business practices and supporting retention.
5. Enhanced reputation: ITAR-compliant businesses are better positioned to win U.S. government contracts and bids related to defense. Compliance builds trust with partners and customers and strengthens the company’s position in the supply chain.

Where do PCBs fit under the International Traffic in Arms Regulations?

Printed circuit boards may be subject to ITAR if they are specifically designed or modified for defense articles listed on the USML (22 CFR § 120.41). Both the PCB and its associated technical data are considered ITAR-controlled.

ITAR-controlled technical data may include files such as production files, fabrication drawings, and customer specifications, provided they relate to a USML-controlled defense article (22 CFR § 120.33(a)).

As stated earlier, the regulatory body restricts access to such technical data and defense articles to U.S. persons only, unless proper export licenses or agreements are in place (22 CFR § 120.54).

Foreign manufacturing of ITAR-controlled PCBs is permitted only under specific authorizations from the DDTC, such as a Manufacturing License Agreement (MLA) or Technical Assistance Agreement (TAA) (22 CFR § 124).

These agreements are approved on a case-by-case basis and come with strict conditions, including end-use monitoring, access controls, and retransfer restrictions. When authorized, they allow foreign entities to legally manufacture USML-listed items, which is a common practice in international defense supply chains.

It’s also important to note that even PCB manufacturers that operate solely within the United States face ITAR compliance risks if their products or technical data fall under the USML.

For example, providing access to USML-controlled design files or documentation to foreign nationals, even those employed domestically, is considered a deemed export and requires prior authorization from the DDTC. Similarly, when sourcing USML-related PCBs from domestic suppliers, prime contractors must verify that those suppliers are ITAR-compliant to prevent unauthorized access or transfer of controlled data and materials.

Types of printed board technical data regulated by ITAR

The table below lists the circuit board design data that comes under ITAR (22 CFR § 120.33):

PCB DESIGN TOOL

BOM Checker

TRY TOOL

PCB designer’s checklist to meet ITAR requirements

The table below highlights the critical actions engineers must take to ensure technical data and designs are handled securely and in full compliance with the regulations:

For tips on designing military-grade circuit boards, see military-grade PCB design rules and considerations.

What makes a board manufacturer ITAR-compliant?

1. Strong internal compliance framework

• DDTC registration: The manufacturer must be registered with the DDTC per 22 CFR § 122.1 if they manufacture, export, or broker USML items or technical data.
• Documented ITAR compliance program: A formal, documented compliance program with policies, procedures, and protocols for handling ITAR-controlled items and technical data (e.g., Gerbers, BOMs) must be in place.
• Dedicated compliance officer or team: A responsible individual or team must oversee compliance efforts and act as the liaison with the Directorate of Defense Trade Controls.
• Periodic internal audits: The manufacturer must conduct regular audits to detect gaps and implement corrective actions where needed.
• Training employees based on roles: Ongoing ITAR training must be provided, tailored to each employee’s responsibilities, ensuring a consistent understanding of requirements across the organization.
• Employees and contractor screening: Only U.S. persons may access controlled data, unless properly licensed. Records of citizenship/visa status must be maintained.

2. Protected technical data and cyber infrastructure

• Early identification of controlled technical data: All ITAR-controlled data (e.g., Gerbers/IPC-2581/ODB++, BOMs, schematics) should be clearly marked and tracked throughout the design and production lifecycle.
• Cybersecurity controls (aligned with NIST SP 800-171/DFARS, if applicable): Controlled data with encryption, endpoint protection, intrusion detection, and role-based access systems must be protected.
• Technical data access control and monitoring: Version control, access logs, and secure collaboration tools must be used to prevent unauthorized data movement or sharing.
• Digital rights management (DRM): Unlicensed downloading, printing, or sharing of sensitive design files must be prevented, particularly in cloud-based design environments.

3. Supply chain compliance

• Supplier and subcontractor vetting: All suppliers and subcontractors must be ITAR-compliant, especially those with access to technical data or involved in defense manufacturing.
• Contractual agreements integrated with ITAR clauses: Compliance obligations in the contracts must be incorporated to formally bind suppliers, subcontractors, and customers to the regulatory standards.
• Controlled technical data flow: Robust data security protocols must be implemented, such as encryption, access restrictions, and secure transmission channels, for sharing technical data across the supply chain.

4. Secure manufacturing operations

1. Controlled facility and equipment access protocols: Physical security controls (e.g., keycard access, surveillance, visitor logs) must be implemented to limit entry to ITAR-sensitive areas.
2. Secure material handling procedures: Clear workflows must be defined for handling, storing, and tracking ITAR-controlled materials using inventory systems and secure storage solutions.
3. Detailed process documentation: Thorough records of all procedures and quality control processes for ITAR items must be maintained. This documentation is vital during audits or investigations.

5. Licensed exports and recordkeeping

1. Accurate classification and shipment labeling: ITAR-controlled shipments must be clearly marked and classified per regulatory requirements.
2. Mandatory export licenses and approvals: All the necessary licenses or authorizations from the DDTC must be secured before any international transfer of controlled items or data.
3. ITAR-compliant freight partners: Logistics partners must be specialized in ITAR compliance to manage documentation, customs, and export controls efficiently.
4. Long-term record retention: All export documentation, licenses, audit records, and communications must be stored securely and in line with ITAR’s retention requirements.

6. Incident response and continuity measures

1. Incident response planning: A documented plan must exist for responding to ITAR violations (e.g., accidental exports or data leaks), including internal reporting and DDTC notification.
2. Data backup and disaster recovery: ITAR-controlled data must be securely backed up and recovered while preserving chain-of-custody and access controls.
3. Annual program review: The compliance program must be annually evaluated and updated based on changes in personnel, business operations, supply chain, or regulations.

Sierra Circuits manufactures and assembles ITAR-compliant PCBs rigorously tested and fully documented. To learn more, see our aerospace and defense PCB capabilities.

How to protect ITAR-controlled data?

Beyond understanding compliance and penalties, protecting ITAR-controlled technical data is critical to prevent unauthorized access or export. Here are key practices companies should follow:

1. Implement a formal information security policy aligned with ITAR and NIST SP 800-171 standards.
2. Use robust network policies, including firewalls and intrusion detection systems.
3. Avoid default credentials. Have strong, unique passwords for all systems.
4. Assign unique IDs to each user with access to systems handling ITAR data.
5. Encrypt ITAR-controlled data both in transit and at rest using FIPS 140-2 validated cryptography.
6. Limit access to U.S. persons only, unless a license or exemption is obtained.
7. Regularly audit system access and activity logs to detect unauthorized behavior.
8. Monitor and scan for vulnerabilities to maintain secure systems.
9. Back up data securely and ensure disaster recovery plans maintain ITAR compliance.

PCB DESIGN TOOL

Better DFM

TRY TOOL

3 types of ITAR violations and consequences

Failing to follow the regulatory rules can result in civil and criminal penalties and may also prohibit a company from future exports.

Violations may lead to:

1. Civil fines up to $1,272,251 per violation (adjusted annually under the Federal Civil Penalties Inflation Adjustment Act).
2. Criminal fines up to $1,000,000 per violation and/or up to 7 years of imprisonment for willful violations under the Arms Export Control Act (AECA).

Here are the types of ITAR violations that may occur.

1. Accidental infringements

While every organization subject to ITAR is responsible for understanding and following its requirements, unintentional violations do occur, such as:

• Inadequate security controls
• Lack of awareness of updated ITAR requirements
• Outdated or incomplete compliance programs

Such accidental violations typically result in civil penalties, although the U.S. state department may consider reducing penalties if the organization self-discloses the violation through a voluntary disclosure.

2. Known breaches

Unlike accidental ones, some organizations knowingly violate ITAR regulations by:

• Failing to implement compliance programs
• Assuming a low risk of enforcement
• Ignoring legal obligations

Regardless of the reason, intentional non-compliance can result in severe criminal or civil penalties.

3. Omission of facts

Another type of violation is the failure to disclose required information. Omitting, misrepresenting, or falsifying data in ITAR filings, or failing to report a known violation, can lead to serious legal consequences, including criminal prosecution.

There is no tolerance for non-compliance when it comes to ITAR. Before bringing a USML-controlled product to market or sharing technical data, any organization should ensure it fully complies with ITAR restrictions and maintains an active compliance program.

Download our handbook to learn how to design a manufacturable board without board respins.

Design for Manufacturing Handbook

10 Chapters - 40 Pages - 45 Minute Read

What's Inside:

• Annular rings: avoid drill breakouts
• Vias: optimize your design
• Trace width and space: follow the best practices
• Solder mask and silkscreen: get the must-knows

Download Now

Latest ITAR amendments

The International Traffic in Arms Regulations have evolved to address advancements in technology, U.S. national security priorities, and global defense dynamics.

On January 23, 2020, the U.S. Department of State published a final rule, effective March 9, 2020, revising USML categories I, II, and III.

This amendment transferred certain items, such as non-automatic and semi-automatic firearms, to the Commerce Control List (CCL) under the Export Administration Regulations. These items were deemed not to provide a critical military or intelligence advantage or perform an inherently military function requiring ITAR control.

A separate interim final rule, effective March 6, 2020, amended ITAR (§ 120.54) to clarify that unclassified technical data is not considered an export when:

1. Encrypted end-to-end using FIPS 140-2 or FIPS 140-3 validated cryptographic modules.
2. Not intentionally sent to or stored in proscribed countries (§ 126.1) or accessed by foreign persons.
3. Inaccessible to unauthorized third parties, including cloud service providers, regardless of nationality.

This rule enabled secure cloud storage and transmission of ITAR-controlled technical data, on the condition that stringent encryption and access controls are implemented.

Further amendments in 2024 and 2025 include:

1. On September 1, 2024, an interim final rule (§ 126.7) introduced a license exemption for transfers of most USML items among authorized users in the United States, Australia, and the United Kingdom under the AUKUS partnership. This exemption remains valid provided transfers occur within their territories and exclude items on the Excluded Technology List (ETL).
2. Effective July 7, 2025, amendments to § 126.1 updated proscribed country restrictions, aligning with UN Security Council resolutions. The rule also updated § 120.23 to include Finland and Sweden as NATO members and added Qatar, Colombia, and Kenya as Major Non-NATO Allies (MNNA), and removed Afghanistan.
3. Ongoing USML reviews, with proposed rules in 2024 (e.g., July 29 for defense services, October 23 for space systems), may lead to further updates in late 2025 or 2026, potentially refining USML categories and definitions.

Key takeaways:

1. ITAR regulates defense articles, services, and technical data listed on the U.S. Munitions List, covering more than just weapons.
2. Even unclassified technical data tied to USML items requires DDTC authorization before sharing with non-U.S. persons.
3. All manufacturers, exporters, and brokers handling ITAR items must register with DDTC and restrict access to U.S. persons only.
4. Prime contractors must ensure that suppliers and subcontractors handling controlled PCBs are also ITAR-compliant.
5. A strong compliance checklist includes file marking, secure storage, restricted access, supplier vetting, and detailed recordkeeping.
6. Penalties for violations are severe, with fines exceeding $1 million per violation and possible criminal prosecution.
7. Compliance builds credibility, strengthens eligibility for U.S. defense contracts, and protects against costly violations.
8. The regulations are updated regularly. Recent amendments include secure, encrypted transfers, AUKUS exemptions, and revised country restrictions.

By following ITAR rules, designers, manufacturers, and suppliers protect sensitive defense information, strengthen their supply chain credibility, and position themselves to win U.S. defense contracts. Compliance ensures peace of mind, knowing your business is aligned with U.S. national security laws and shielded from future violations.

Have questions about printed circuit boards? Post your queries on SierraConnect. Our PCB experts will answer them.