Key Takeaways
- ITAR applies to any US company that manufactures, exports, or provides defense services related to items on the United States Munitions List, and registration with DDTC is required even if the company never exports anything overseas.
- Engineering consulting firms that support defense programs, including design, testing, or modification of military technologies, are explicitly covered under ITAR's definition of a defense service, not just companies that manufacture physical hardware.
- Sharing ITAR controlled technical data with a foreign person while both are physically located inside the United States still counts as a regulated export under ITAR, a scenario known as a deemed export.
- ITAR violations carry civil fines up to 500,000 dollars and criminal fines up to 1 million dollars per violation, along with up to ten years in prison, making misclassification a serious risk rather than a paperwork inconvenience.
Hampton Roads sits inside one of the densest defense and shipbuilding regions in the country, which means a lot of local engineering firms are doing work adjacent to the Department of Defense without ever asking themselves the one question that determines whether ITAR applies to them.
What is ITAR, and who actually has to comply?
ITAR, the International Traffic in Arms Regulations, is a set of federal rules administered by the State Department's Directorate of Defense Trade Controls that governs the export, temporary import, and handling of defense articles, technical data, and defense services listed on the United States Munitions List. According to the DDTC's own public guidance, any US person or company engaged in manufacturing, exporting, or furnishing defense services related to USML items must register with DDTC and comply with the regulation, even if that company never physically ships anything outside US borders.
That last part is where most engineering firms miss their own exposure. ITAR isn't only about exporting hardware. It also covers what the regulation calls defense services, which includes providing assistance, training, or technical support related to the design, development, engineering, testing, or modification of defense articles.
Who this actually includes
- Manufacturers producing components or subassemblies used in military systems, even if the parts seem generic on their own
- Engineering consulting firms supporting defense programs with design, testing, or modification work
- Companies providing technical assistance or support for defense system integration, even without manufacturing anything themselves
- Subcontractors anywhere in a defense supply chain, since ITAR requirements flow down from prime contractors through every tier
A machine shop or engineering consultancy that has never thought of itself as a defense contractor can still fall under ITAR the moment its work touches a part or a technical drawing tied to a military system. Firms have discovered this the hard way when a defense contractor requests a part they'd always treated as purely commercial, only to learn a spec change pushed that same part into a controlled category.
Does ITAR apply even if we don't manufacture anything ourselves?
Yes, if your firm provides engineering, design, or technical support services related to a defense article, that alone can trigger ITAR obligations regardless of whether you manufacture or export a physical product. This is the scenario that catches the most Hampton Roads engineering firms off guard, because it's easy to assume ITAR is only a concern for the shipyards and prime contractors, not the smaller firms supporting them with drawings, analysis, or design consulting.
There's also a scenario worth knowing about even if your firm has no international clients at all. Sharing ITAR controlled technical data with a foreign person, meaning anyone who isn't a US citizen or lawful permanent resident, counts as a regulated export under ITAR even if that exchange happens entirely inside the United States. This is known as a deemed export, and it applies to conversations, emails, shared drives, and system access just as much as it applies to shipping a physical product overseas. A foreign national employee, intern, or subcontractor with access to controlled drawings or specifications can trigger this without a single item ever crossing a border.
What does DDTC registration actually involve?
Registration is the first of several steps, not the whole compliance picture. Under 22 CFR Part 122, the process starts with completing DDTC's Statement of Registration, disclosing business activities, ownership, and any history of export control violations. Registration must be renewed annually, and fees are assessed on a tiered schedule depending on the size and scope of the company's defense trade activity.
Registration itself does not grant export rights. It's a precondition that tells the government who is involved in defense related manufacturing, engineering, or brokering, and it's required before a company can apply for any export license or rely on a licensing exemption.
After registration, the real work starts
- Classify your work correctly. If you're unsure whether a project or component falls under ITAR, DDTC allows companies to request a Commodity Jurisdiction determination for an official ruling rather than guessing.
- Control access to technical data. This includes drawings, specifications, and any digital file related to a controlled item, not just physical products.
- Vet who can see controlled information. This means confirming the citizenship status of anyone with system or file access to ITAR controlled technical data, including your own IT vendor if they have administrative access to those systems.
- Maintain records for at least five years after a license expires or a transaction occurs, whichever comes later.
- Train your team annually, and document that training, since a one time slideshow for engineers who handle controlled data daily generally isn't considered sufficient by DDTC.
Why this is a bigger deal than a compliance checkbox
The penalties for getting this wrong are not abstract. ITAR violations, including failing to register when required, can carry civil fines as high as 500,000 dollars and criminal fines as high as 1 million dollars per violation, along with up to ten years in prison. For a small or mid sized engineering firm, a single misclassified project can turn into an existential problem, not just a fine.
The upside is that ITAR compliance, done properly, is also a competitive advantage. Prime contractors increasingly require their entire supply chain, down to smaller subcontractors and consulting firms, to maintain DDTC registration and demonstrate a real compliance program before bringing them onto a defense program. Firms that can show this clearly tend to win more of that adjacent work, not less.
If your firm does any design, testing, consulting, or technical work that touches a defense program, even indirectly, it's worth getting a clear answer on where you actually stand rather than assuming the question doesn't apply to you. That's the kind of assessment we help Hampton Roads engineering firms work through, particularly where ITAR obligations overlap with CMMC and the broader defense industrial base cybersecurity requirements already on your radar.