ITAR (International Traffic in Arms Regulations)
The US export control regime governing defense articles, services, and technical data on the US Munitions List.
ITAR, codified at 22 CFR Parts 120–130 and administered by the State Department's Directorate of Defense Trade Controls (DDTC), controls the export, temporary import, re-export, and retransfer of defense articles, defense services, and related technical data enumerated on the US Munitions List (USML). Any person or organization that manufactures, exports, temporarily imports, or brokers USML items must register with DDTC under 22 CFR Part 122, whether or not it ever actually exports anything. Criminal penalties run up to 20 years' imprisonment and $1 million per violation; civil penalties, adjusted annually for inflation, are currently up to roughly $1.3 million per violation. Unlike the EAR, ITAR has no de minimis threshold: under its "see-through" rule a single ITAR-controlled component, however small its share of the finished article, makes the whole article ITAR-controlled.
From an engineering standpoint, ITAR compliance demands a rigorous access control architecture. "Technical data" includes CAD files, schematics, software source code, and system specifications required to design, develop, produce, operate, or maintain a USML item. Releasing it to a foreign person (anyone who is not a US person, i.e., not a citizen, lawful permanent resident, or protected individual) is an export even when that person sits in a US office. This is the "deemed export" problem: granting a foreign person read access to a Git repository containing ITAR-controlled firmware is an unlicensed export whether or not a byte ever leaves the country, and the attribute that matters is US-person status, not nationality or physical location. Engineering teams must implement identity and access management keyed on an IdP-asserted US-person attribute that fails closed when the attribute is missing, hardware-isolated build pipelines, encrypted-at-rest storage with US-person-only key management, and audit trails that satisfy DDTC's five-year record-retention requirement under 22 CFR 122.5.
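The two rules above, the see-through classification of a finished article and the US-person gate on deemed exports, as an added worked example. This is not code from the original page or from any product; every name, the IdP attribute, the sample dependency graph and the labels are hypothetical. It propagates the ITAR label through a build dependency graph with no de minimis exception, treats an unlabeled component as unclassified so the check fails closed, decides access on US-person status rather than location, and writes every decision to a hash-chained audit log stamped with its five-year retention date.

```python
"""Added example (hypothetical names/data, not from the original page): ITAR
see-through classification, US-person access gating, hash-chained audit log."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Jurisdiction labels, most to least restrictive; UNKNOWN = not yet classified.
ITAR, UNKNOWN, EAR99, PUBLIC = "ITAR", "UNKNOWN", "EAR99", "PUBLIC"
RANK = {ITAR: 3, UNKNOWN: 2, EAR99: 1, PUBLIC: 0}
# ITAR "U.S. person": citizen, lawful permanent resident or protected individual.
# Anyone else is a foreign person, wherever they sit.
US_PERSON_BASES = {"citizen", "lawful_permanent_resident", "protected_individual"}


@dataclass(frozen=True)
class Subject:
    user: str
    us_person_basis: Optional[str]  # hypothetical IdP attribute from HR/vetting records
    location: str                   # informational only; a deemed export ignores it


def classify(artifact, deps, labels):
    """Most restrictive label over the transitive dependencies of `artifact`.
    No de minimis: one ITAR component, however small, makes the whole thing ITAR.
    Unlabeled components yield UNKNOWN so nothing passes unclassified."""
    worst, seen, stack = PUBLIC, set(), [artifact]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        label = labels.get(node, UNKNOWN)
        worst = label if RANK[label] > RANK[worst] else worst
        if worst == ITAR:
            return ITAR  # cannot get more restrictive, stop early
        stack.extend(deps.get(node, ()))
    return worst


def is_us_person(subject):
    return subject.us_person_basis in US_PERSON_BASES


def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()


class AuditLog:
    """Append-only entries; each digest covers the previous one (tamper-evident)."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        self.entries.append({"record": record, "prev": prev, "digest": _digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def retention_deadline(ts):
    """22 CFR 122.5: keep records five years (29 Feb falls back to 28 Feb)."""
    try:
        return ts.replace(year=ts.year + 5)
    except ValueError:
        return ts.replace(year=ts.year + 5, day=28)


def authorize(subject, repo, deps, labels, log, now=None):
    """Return (allowed, jurisdiction); fails closed on UNKNOWN data or a missing
    US-person attribute, and logs every decision."""
    now = now or datetime.now(timezone.utc)
    juris = classify(repo, deps, labels)
    allowed = juris in (EAR99, PUBLIC) or is_us_person(subject)
    log.append({
        "ts": now.isoformat(), "user": subject.user, "location": subject.location,
        "repo": repo, "jurisdiction": juris, "allowed": allowed,
        "retain_until": retention_deadline(now).isoformat(),
    })
    return allowed, juris


# Constructed sample graph: the firmware is self-labeled EAR99 but pulls an ITAR
# guidance library in through an EAR99 telemetry module; the dashboard depends on
# a plugin nobody has classified yet.
DEPS = {"fcs-firmware": ["rtos", "telemetry"], "telemetry": ["guidance-lib"],
        "ground-dashboard": ["charting", "new-plugin"]}
LABELS = {"fcs-firmware": EAR99, "rtos": EAR99, "telemetry": EAR99,
          "guidance-lib": ITAR, "ground-dashboard": PUBLIC, "charting": PUBLIC}

if __name__ == "__main__":  # stand-alone demo
    log = AuditLog()
    for subj, repo in [(Subject("alice", "citizen", "Berlin"), "fcs-firmware"),  # US person abroad
                       (Subject("bob", None, "Denver"), "fcs-firmware")]:        # foreign person in US
        print(subj.user, repo, authorize(subj, repo, DEPS, LABELS, log))
    print("audit chain intact:", log.verify())
```

Two design points carry over to a real deployment: the self-label on the firmware is deliberately wrong and gets overridden by propagation, which is the only safe way to handle the see-through rule in a build system, and the dashboard's unclassified plugin denies a foreign person even though everything labeled around it is public. In production the US-person attribute would come from the IdP as a signed claim, and the audit entries would be shipped to write-once storage rather than kept in memory.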
Edge cases proliferate in cloud and DevOps environments. ITAR itself names no cloud certification or region; what it requires is that no foreign person, including the provider's own administrators and support staff, can access unencrypted technical data. In practice that means a provider environment built for ITAR workloads (e.g., AWS GovCloud (US)), typically FedRAMP High authorized and operated only by US persons, with the provider's ITAR commitment written into its service terms. Since the 2020 encryption carve-out (22 CFR 120.54(a)(5)), technical data that is end-to-end encrypted with FIPS 140-2 (or successor) compliant cryptography may be stored or transit outside the US without constituting an export, provided the decryption keys are never given to a foreign person and the data is not stored in Russia or a country embargoed under 22 CFR 126.1; this is what makes US-person-only key management the load-bearing control. Multi-tenant SaaS tools (Jira, Slack, GitHub Enterprise Cloud) cannot hold ITAR technical data in an ordinary tenant, because the vendor's non-US-person staff can reach it; they are usable only in an isolated, US-person-administered tenant the vendor offers for that purpose. Publicly releasing (including open-sourcing) any component derived from an ITAR-controlled design requires prior DDTC authorization, preceded by a commodity jurisdiction determination where it is unclear whether the item is on the USML at all. The Export Control Reform (ECR) initiative, whose category-by-category USML revisions ran from 2013 through the 2020 transfer of Categories I–III, moved many less sensitive and dual-use items to the EAR's Commerce Control List, but the ITAR perimeter remains strict for Category VIII (aircraft), XI (military electronics), XIII (materials and miscellaneous articles), and XV (spacecraft).
We architect ITAR-compliant infrastructure using US-person-only tenancy controls, US-person-gated IAM policies enforced at the IdP layer (the gate is US-person status, not nationality: a lawful permanent resident of any nationality is a US person), and air-gapped or GovCloud-isolated CI/CD pipelines. We conduct deemed-export risk assessments against every repository and collaboration tool in scope, and we implement automated data classification, propagated through build dependencies, to prevent ITAR technical data from touching non-compliant systems.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.