ITAR/EAR Compliance Guide for Manufacturers

1. Introduction

This guide delivers a step-by-step path to ITAR and EAR compliance—built for manufacturers, engineers, and sales teams without a fancy expert on speed dial.

It’s your playbook to stay legal, no bank-breaking required.

What This Guide Offers

  • Best practices, official citations, and practical steps to tackle export controls.
  • A clear roadmap to dodge costly mistakes—whether you’re starting fresh or tightening up.
  • Tools to keep ITAR and EAR rules in check, for teams juggling multiple hats.

Who This Guide Is For

  • Manufacturers making stuff that might be export-controlled—like aerospace parts or firearms.
  • Engineers designing products or tech data under ITAR or EAR.
  • Sales teams pitching to foreign buyers—first to spot sketchy orders.
  • Shipping clerks double-tasked with compliance—praying they don’t mess up.
  • Small businesses without a compliance officer—figuring it out between runs.

ITAR vs. EAR Basics: ITAR (22 CFR § 121.1) covers military stuff on the USML—like a missile system. EAR (15 CFR § 774 Supp. 1) handles dual-use items on the CCL—like a high-tech drone.

2. Determining if ITAR/EAR Applies to Your Business

Start here—this is Commodity Jurisdiction. It’s figuring out if your products are controlled under ITAR or EAR.

We’re not classifying yet—that’s Section 3. This is just picking your rulebook—ITAR or EAR—so you’re not lost. Let’s do it.

Use the Chart as a Visual Aid

Your mission: decide if your stuff falls under:

What is the USML? The USML (22 CFR § 121.1) covers military items ITAR controls—like Category I (firearms), XV (spacecraft).

What is the CCL? The CCL (15 CFR § 774 Supp. 1) lists dual-use items under EAR—like ECCN 0A501 (firearms), 9A610 (drones).

3. ITAR/EAR Product Classification

You’ve picked ITAR or EAR from Section 2—nice work. Now classify your product on the USML or CCL.

This is pinning down where your stuff fits—let’s roll.

What Is Product Classification?

It’s sorting where your product lands—USML Category VIII for aircraft parts, or CCL ECCN 9A610 for drones.

Your engineer from Section 2 leads this—they know the tech. Start with one item and build a matrix later.

Why Classification Matters

Get this wrong, and it’s fines or delays. A fully automatic .50 barrel misclassified as ECCN 0A501? That’s a violation.

Why? ECCN 0A501 (15 CFR § 774 Supp. 1) covers semi-automatic firearms—like a hunting rifle barrel—but a fully automatic .50 barrel is USML (Category I(f), 22 CFR § 121.1) for military machine guns, not civilian gear. Mixing those up means ITAR controls kick in—EAR won’t save you. It’s on you to nail it.

What’s a Product Matrix? A table listing products, specs, uses, and USML/ECCN calls—like “Widget X, fully automatic .50 cal barrel, USML I(f).”

4. ITAR Registration & Legal Requirements

If Sections 2-3 flagged your stuff as ITAR-controlled (USML), registration’s next—non-negotiable. EAR folks, jump to Section 11.

Here’s what manufacturers need to get ITAR right.

Who Needs to Register?

Anyone making, exporting, or brokering USML items (22 CFR § 122.1)—even if stateside.

Examples: Building military circuit boards (Category XI)? You’re in.

How to Register with DDTC

Submit Form DS-2032 via DECCS on the DDTC website—can take up to 45-60 days. Key bits:

  • Company details: Name, address, phone.
  • Ownership: List who owns you.
  • USML Categories: E.g., I(f) for Widget X.
  • Fee: $3,000-$4,000+ (2025 tiers).

DDTC Registration Costs: Tier 1: $3,000 (no licenses). Tier 2: $4,000 (1-5 licenses). Tier 3: $4,000 + $1,100 per extra license.

5. Building an Export Compliance Program

If you’re locked into ITAR from Section 4—or you’ll hit EAR later in Section 11—a compliance program’s your shield against violations. This isn’t just a nice-to-have; it’s how you prove you’re following the regs like 22 CFR § 122 for ITAR or 15 CFR § 762 for EAR. Without it, you’re a sitting duck for fines, audits, or worse.

For small fries, this is your lifeline—here’s how to build one that holds up without drowning in consultant fees or turning into a corporate robot.

Why You Need an Export Compliance Program

This ain’t optional—it’s your path to staying legal with ITAR and EAR. A compliance program puts on paper how you follow the regs tied to your business, your products, and your technical data—think of it as your “we’ve got our stuff together” binder. It’s a living document—senior leadership signs off, everyone gets a copy (digital’s fine, encrypted—Section 6), and training builds on it so Judy in shipping doesn’t accidentally send Widget X to Russia.

This isn’t a step-by-step manual—that’s Section 15 for ongoing tweaks and best practices. This is your big-picture commitment to not messing up with the Directorate of Defense Trade Controls (DDTC) or Bureau of Industry and Security (BIS). It shows auditors (Section 9) you’re serious—and it might just save your ass if you slip (Section 14).

Creating Written Policies

You need a plan anyone can follow—not a legal word salad only a $500/hour lawyer gets. Outline how you handle classification (Section 3), training (this section), customer screening (Section 7), record-keeping (Section 10), and violation reporting (Section 14). Keep it tight—in real talk for Judy in shipping or Bob in sales, not a PhD thesis.

Assign roles—someone’s gotta own this, even in a small shop:

  • Compliance Officer: Oversees the program—could be you, a manager, or whoever’s got the grit to wrangle it.
  • Sales Team: Screens buyers—first line against sketchy orders that could trip regs (Section 7).
  • Engineering: Sorts controlled items—knows Widget X from Widget Y, handles classification (Section 3).
  • Shipping: Logs exports—keeps Shipping from mailing ITAR technical data blind (Section 10).

Here’s a sample outline—steal this and tweak it:

  1. Purpose: Stay legal with ITAR and EAR—no fines, no jail.
  2. Scope: Anyone touching exports—sales, engineering, shipping, even the receptionist if she emails tech data.
  3. Procedures: Classify products (Section 3), screen customers (Section 7), secure data (Section 6), log everything (Section 10), report mistakes (Section 14).

Keep it digital—PDF on a shared drive, U.S.-based server, encrypted with AES-256 (Section 6). Print if you must, but don’t let it gather dust—update it yearly or when regs shift (Section 15). Senior leadership signs—CEO, owner, whoever’s got the title—to show DDTC/BIS you’re not screwing around.

Note: “Program PDF—3/29/25, signed by the company CEO, emailed to employees—you have your copy.”

Employee Training & Responsibilities

Train everyone yearly—reception to production—ITAR and EAR touch most departments, and ignorance ain’t a defense. New hires? Train within 30 days—no excuses. Use free webinars—BIS at bis.doc.gov/seminars and DDTC at state.gov/training—or lean on industry groups like SIA (siaed.org) for inexpensive but great sessions.

Topics to hit: Basics of ITAR and EAR—what’s controlled, what’s not. Red flags—sketchy buyers or weird orders (Section 7). Data security—encrypting Widget X blueprints (Section 6). Keep it 10th-grade level—Judy doesn’t need a law degree, just the “don’t mess this up” highlights.

Log it—names, dates, topics—for audits (Section 9). Example: “3/29/25—Judy, Bob, 5 others trained—red flags, data basics—1 hour, BIS webinar.” Digital log, encrypted—keeps DDTC/BIS off your back.

Pro Tip: Role-play a violation—Judy emails tech data to a random Gmail. Walk it back—shows the team what not to do without real blood.

Who Needs Training? Everyone from reception to production—ITAR or EAR touches most departments and job functions in your company. Reception might email, production might pack—train ‘em all.

6. Handling Controlled Technical Data Securely

Your compliance program from Section 5 commits to protecting technical data under ITAR or EAR—and this step is critical. Technical data includes blueprints, specifications, and designs, such as plans for Widget X or software code for Widget Y. Mishandling it risks not just penalties but national security issues, as outlined in 22 CFR § 120.54 for ITAR and 15 CFR § 734.13 for EAR. For smaller operations, this doesn’t require complex systems—just practical steps to keep it secure and compliant without a big budget.

Encryption Requirements

Both ITAR and EAR require strong protection—technical data must use FIPS 140-3 compliant encryption, like AES-256 (see 22 CFR § 120.54 for ITAR, and 15 CFR § 734.13 for EAR). This applies to items like Widget X blueprints or software code—encrypt them before they move. Avoid insecure tools; opt for reliable options like VeraCrypt (free) or professional software if you have the resources.

Store data on U.S.-based servers only—options include AWS, Azure, or a local drive—encrypted first if it’s in the cloud. Unencrypted cloud services or email attachments are off-limits, as foreign access, even unintended, violates regulations. When sending, use secure email tools like ProtonMail with AES-256 encryption, and document it—e.g., “Sent 3/30/25, AES-256, U.S. server.”

Technology Control Plan (TCP) Basics

If you’re registered under ITAR from Section 4, a Technology Control Plan (TCP) is required—it’s your documented approach to securing technical data (22 CFR § 120.54). For EAR, it’s optional but highly recommended to avoid trouble with BIS over dual-use data. This plan should be clear and practical for your team.

Include three key elements:

  • Access: Limit to U.S. persons only—verify identities, no exceptions (22 CFR § 120.15). Authorized staff get access; outside contractors don’t.
  • Encryption: Use FIPS 140-3 compliant tools—like AES-256—for files and transmissions. No cutting corners with unverified software.
  • Training: Conduct annual training for all staff—cover essentials, warning signs, and proper data handling (Section 5).

A senior leader—CEO, owner, or equivalent—signs it to show DDTC or BIS your commitment. Keep it basic but effective: “Widget X data—U.S.-only access, AES-256 encryption, staff trained 3/30/25.” Store it digitally—PDF, encrypted, U.S. server—and have a printed copy ready if regulators visit. Document it for audits (Section 9).

Note: “Widget X data—U.S.-only, AES-256, trained 3/30/25—signed by the CEO.”

Tip: Test your process—simulate sending data. If it’s not encrypted or restricted to U.S. persons, adjust before it becomes an issue.

TCP Outline:

  1. Access: U.S. persons only—verify identities, no exceptions (22 CFR § 120.15).
  2. Encryption: FIPS 140-3 compliant tools—e.g., AES-256, VeraCrypt, or professional options if available.
  3. Training: Annual, all staff—cover essentials, warning signs, and data handling (Section 5).

7. Customer Screening & Due Diligence Best Practices

Your compliance program from Section 5 includes screening customers—and it’s not just smart, it’s required under ITAR (22 U.S.C. § 2778) and EAR (15 CFR § 744). Sending products like Widget X or Widget Y to the wrong buyer—someone on a denied list or a questionable entity—can lead to serious penalties, including fines or loss of export privileges. Smaller businesses can handle this effectively without complex tools or a dedicated team.

Why Customer Screening Matters

Dealing with denied parties, blocked entities, or debarred individuals is illegal—ITAR carries penalties up to $1 million and 20 years in prison (22 U.S.C. § 2778), while EAR fines can reach $353,534 per violation (15 CFR § 764.3). A single shipment to an unauthorized buyer could cost you your business. Screening should start at first contact—before quoting—and continue before licensing and shipping. It’s about protecting your ability to export, not just avoiding fines.

Key Steps in Customer Screening

Here’s a straightforward process—thorough but manageable, no advanced degree needed:

  • Check the Lists: Use free government resources—BIS Consolidated Screening List (bis.doc.gov/complianceandenforcement), OFAC Sanctions List (treasury.gov), DDTC Debarred List (state.gov). Enter the buyer’s name, company, and address—takes a few minutes online.
  • Verify Identity: Confirm their business registration, address, and ownership—who’s really behind the order? A quick search or call can clarify if something seems off—e.g., “Customer Z, 123 Fake St—legitimate?”
  • End-Use Check: Request a statement on how they’ll use it—e.g., “For commercial drones, not military.” If the response is unclear, like “It’s not your concern,” follow up with questions and document it.

Record every step—e.g., “Customer Z, screened 3/30/25—BIS clear, end-use ‘commercial drones’—J. Doe.” If there’s no match or concerns arise, hold off on shipping until it’s resolved. Suspicious signs are covered below.

Note: “Customer Z, 3/30/25—checked BIS, OFAC, DDTC—clear. End-use: ‘commercial drones’—email retained.”

Tip: Leverage free tools like Export Solutions (export.gov) or SIA’s KYC guides (siaed.org)—no need to start from scratch. A simple spreadsheet—name, date, result—works if you’re keeping costs low.

Red Flags:

  • Reluctance to share end-use details: Responses like “It’s just parts, don’t worry”—a major warning sign.
  • Payments from odd third parties: Funds from an unrelated source, not the buyer’s bank—questionable.
  • IP address mismatches: Claims a U.S. location, but online activity traces to Russia—check email headers or use an IP lookup.
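The email-header check from the last red flag can be scripted. The following is an added example, not part of the original guide: it pulls the sending hops out of a message's Received headers and compares the earliest public one with the country the buyer claims. The sample message, the hostnames, and the prefix-to-country table are constructed for illustration (documentation IP ranges); a real check would use a GeoIP database or lookup service.

```python
"""Compare a buyer's claimed country with the origin hop in an email's Received headers."""
import ipaddress
import re
from email import message_from_string

# Internal ranges carry no geographic meaning (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# CONSTRUCTED table: documentation prefixes mapped to countries for this demo only.
# Replace with a real GeoIP source in practice.
SAMPLE_GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}

# CONSTRUCTED message: a buyer claiming a U.S. location.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
    by mail.yourco.example with ESMTPS; Mon, 31 Mar 2025 10:02:11 -0400
Received: from [192.168.1.44] (unknown [203.0.113.77])
    by mx.example.net with ESMTPSA; Mon, 31 Mar 2025 17:02:05 +0300
From: "Customer Z" <buyer@example.net>
To: sales@yourco.example
Subject: Quote request

We are a U.S. company and would like a quote.
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def public_hops(raw_message):
    """Return public sender IPs from Received headers, oldest hop first."""
    msg = message_from_string(raw_message)
    found = []
    # Each relay prepends its header, so the last Received header is the oldest hop.
    for hop in reversed(msg.get_all("Received") or []):
        hop = " ".join(str(hop).split())          # unfold continuation lines
        if not hop.lower().startswith("from "):
            continue
        sender_part = hop.split(" by ", 1)[0]     # ignore the receiving server's side
        for text in BRACKETED_IP.findall(sender_part):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue                          # bracketed text that is not an IP
            if not any(ip in net for net in INTERNAL_NETS):
                found.append(ip)
    return found


def lookup_country(ip, geo=SAMPLE_GEO):
    """Map an IP to a country code using the supplied prefix table, or None."""
    for net, country in geo.items():
        if ip in net:
            return country
    return None


def screen_inquiry(raw_message, claimed_country, geo=SAMPLE_GEO):
    """Flag a mismatch between the claimed country and the earliest public hop."""
    hops = public_hops(raw_message)
    origin = hops[0] if hops else None
    country = lookup_country(origin, geo) if origin else None
    mismatch = country is not None and country != claimed_country.upper()
    return {
        "origin_ip": str(origin) if origin else None,
        "origin_country": country,
        "mismatch": mismatch,
        # Unknown origin is not a pass: it goes to manual lookup.
        "needs_review": mismatch or country is None,
    }


if __name__ == "__main__":
    print(screen_inquiry(SAMPLE_MESSAGE, "US"))
```

Received headers below your own mail server can be forged, and webmail or VPN use hides the real client address, so treat the result as a prompt for follow-up questions and a screening-log entry, not as proof either way.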

8. Compliance When Working with Vendors & Suppliers

Your compliance program from Section 5 keeps your internal processes in line, but vendors and suppliers can create risks under ITAR and EAR (15 CFR § 744). If they provide controlled parts, data, or services—like components for Widget X or technical specifications—it’s your responsibility to ensure compliance. Smaller businesses can manage this without assuming everyone else has it covered.

Understand Your Vendors’ Items

When vendors supply items or data controlled under ITAR or EAR—such as parts, subassemblies, or technical details—it affects your classification (Section 3), licensing (Section 11), and record-keeping (Section 10). Their oversight becomes your liability, so don’t rely on their word alone.

Ask them directly for the classification—ECCN or USML category—via email or a call: “Vendor X, is Part Y classified as ECCN 5A992 or under USML Category XI?” If they’re unsure, press for a clear answer in writing. Verify it yourself using 22 CFR § 121.1 for USML or 15 CFR § 774 Supplement 1 for CCL—and document it, like “Vendor X claims Part Y is ECCN 5A992—confirmed with CCL, 3/31/25—J. Doe.”

Note: “Vendor Y stated Part Z is EAR99—verified as ECCN 3A611, military electronics—flagged, 3/31/25.”

Vendor Contracts

Ensure your contracts are clear—state that vendors cannot re-export ITAR or EAR items without your written approval. Include a clause holding them accountable for violations—e.g., “Vendor is liable for penalties from unauthorized re-exports.” Screen them as you would customers (Section 7)—check name, address, and ownership against BIS, OFAC, and DDTC lists. Get it signed and documented.

For foreign suppliers, like a Canadian machining firm, screen twice as carefully. BIS closely monitors re-export violations (15 CFR § 764)—if they send your ITAR part elsewhere without permission, you’re still responsible.

Note: “Vendor X, 3/31/25—no re-exports without approval, screened clear—contract signed and filed.”

Tip: Add a clause like “Vendor certifies Part X classification”—it shifts some responsibility and provides evidence if issues arise (Section 14).

What If My Supplier’s Foreign? Foreign suppliers must understand ITAR and EAR—include a contract term prohibiting re-exports without your approval. Screen them thoroughly—BIS Consolidated List, OFAC, DDTC—and don’t accept vague assurances (15 CFR § 744). Document it—e.g., “Foreign Vendor Z, 3/31/25—clear, contract signed.”

9. Preparing for an ITAR/EAR Audit

Your compliance program from Section 5 sets the standard—audits from the Directorate of Defense Trade Controls (DDTC) for ITAR (22 CFR § 123.22) or the Bureau of Industry and Security (BIS) for EAR (15 CFR § 762) test if you’re following through. These can come as desk audits (remote requests for records) or on-site visits, often with little warning. For smaller operations, preparation is about being ready, not flawless.

What Auditors Look For

Auditors focus on evidence—records, training logs, and data security practices (Sections 6, 10). Without documentation, penalties can follow quickly, regardless of who’s unavailable or overlooked it. They’ll ask specific questions, such as:

  • “Where are your last five export licenses—physical or digital copies?”
  • “Show us your training records—names, dates, topics covered.”
  • “How is technical data secured—can you provide encryption logs?”

For ITAR-registered businesses (Section 4), they’ll also verify your registration status (22 CFR § 122). Gaps in any area can lead to immediate consequences.

How to Prepare in Advance

Being proactive saves stress when an audit hits. Here’s a practical approach:

  • Internal Audits: Review high-risk areas quarterly—like Widget X exports or technical data access—and everything else annually. Check records (Section 10), training logs (Section 5), and security measures (Section 6)—address issues promptly. Document it—e.g., “3/31/25, reviewed logs, corrected a missing entry—J. Doe.”
  • Compliance Binder: Keep all key documents—licenses, logs, memos, TCP (Section 6)—in one place, ideally digital. Encrypt it with AES-256 on a U.S. server (Section 6), or use a locked drawer if you prefer physical copies. Have it ready to avoid last-minute scrambles.

Note: “Licenses, training logs, TCP—3/31/25, stored digitally with AES-256—prepared for BIS or DDTC review.”

Tip: Run a mock audit with your team—pretend DDTC or BIS is asking for Widget X records. Identify weak spots in an hour and fix them before it counts.

Fuller Audit Checklist:

  1. Records: Maintain five years of licenses, emails, contracts, and screening logs (Section 10).
  2. Training Logs: Document dates, names, and topics—proof of annual training (Section 5).
  3. TCP: Show access lists and encryption evidence—restricted to U.S. persons (Section 6).

10. ITAR/EAR Record-Keeping Requirements

Your compliance program from Section 5 mandates record-keeping, and it’s a core requirement under ITAR (22 CFR § 123.22) and EAR (15 CFR § 762). Auditors rely on these records, and missing them can lead to penalties quickly. For smaller businesses, this is about staying organized and audit-ready without overwhelming storage needs.

Retention and Storage

Keep records for five years from the last related action—such as a shipment, license expiration, or transaction close (22 CFR § 123.22(a) for ITAR, 15 CFR § 762.6 for EAR). This includes all documents tied to ITAR or EAR activities—emails, contracts, licenses, and more.

Use digital storage—PDFs on a secure U.S.-based server (Section 6). Encrypt with FIPS 140-3, like AES-256, to meet regulations (22 CFR § 120.54)—unencrypted cloud services or physical piles risk violations. A local hard drive works too, as long as it’s encrypted and backed up, kept in the U.S.

Note: “Widget X shipment, 3/31/25—license, email, stored as PDF with AES-256 on U.S. server—retained until 3/31/30.”

What Records to Keep

Capture everything related to exports—here’s the essentials, no exceptions:

  • Emails: Correspondence like “To Vendor X, 3/31/25: ‘What’s Part Y’s ECCN?’”—any export-related communication.
  • Contracts: Signed agreements with vendors, customers, or shipping firms—proof of terms.
  • Licenses: DSP-5 or SNAP-R approvals—every export and amendment (Section 11).
  • Screening Logs: “Customer Z, 3/31/25—clear, BIS/OFAC checked—J. Doe” (Section 7).
  • Memos: “Widget X, USML I(f), 3/31/25—J. Doe”—classification decisions (Section 3).

Full details are in 22 CFR § 123.22 and 15 CFR § 762.2—these are the critical ones. Maintain a clear trail for audits (Section 9); incomplete records invite trouble.

Note: “Emails, licenses, screening logs—3/31/25, compiled as PDFs, encrypted—retained for five years.”

Tip: Use a basic CRM or spreadsheet to track dates and set reminders at four years for archiving—keeps it manageable.

What to Keep: Emails, contracts, licenses, screening logs, memos—detailed in 15 CFR § 762.2—five years minimum, no shortcuts. Encrypt and store on a U.S. server (Section 6).

11. Understanding and Obtaining ITAR/EAR Export Licenses

After classifying your items (Section 3) and screening buyers (Section 7), you’ll need export licenses for anything controlled under ITAR (22 CFR § 123) or EAR (15 CFR § 738). Without a license, shipping isn’t an option—whether it’s Widget X on the USML or Widget Y on the CCL. Smaller businesses can navigate this without legal teams or excessive costs.

EAR Licensing Process

For items on the Commerce Control List (CCL)—like ECCNs 9A610 (military drones) or 5D992 (mass-market software)—use the Simplified Network Application Process-Redesign (SNAP-R) at bis.doc.gov. Register your company first—it’s free and takes a day—then submit your license application online.

BIS requires concise details:

  • Applicant: Your company—e.g., “Your Co., 456 Elm St, USA—Shipping Lead.”
  • Item: ECCN and description—e.g., “5D992 software, mass-market encryption, for commercial use.”
  • End-User: Buyer’s name and address, screened clear (Section 7)—e.g., “Customer Z, 123 Main St, Canada.”
  • End-Use: Purpose—e.g., “Commercial drones, not military.” Be specific or expect delays.

Processing takes 2-6 weeks—approvals come faster with clear submissions. Log it—e.g., “SNAP-R #456, Widget Y, 3/31/25—approved 4/15/25” (Section 10). Note: EAR99 items or exceptions like NLR (No License Required) may not need this—confirm via SNAP-R or bis.doc.gov.

ITAR Licensing Process

For United States Munitions List (USML) items—like Widget X, Category I(f)—use the Defense Export Control and Compliance System (DECCS) at state.gov. You must be registered (Section 4) before applying. Submit a DSP-5 form online for standard exports.

DDTC expects precision:

  • Applicant: Your company—e.g., “Your Co., 789 Pine St, USA—Compliance Lead.”
  • Item: USML category and description—e.g., “Category I(f), fully automatic .50 cal barrel, military use.”
  • End-User: Buyer, screened clear (Section 7)—e.g., “Customer Y, 456 Oak St, UK.”
  • End-Use: Exact use—e.g., “Military rifles, UK MOD contract.” Vague entries get rejected.

Approval takes 30-60 days—log it, e.g., “DSP-5 #123, Widget X, 3/31/25—approved 5/15/25” (Section 10). No exceptions apply—ITAR is stricter than EAR.

Note: “DSP-5 #123, Widget X, 3/31/25—submitted, awaiting approval.”

Tip: Apply early—delays can disrupt plans. For urgent cases, call DDTC (202-663-1282) to catch errors, though they won’t rush it.

License Maintenance: Track shipments—log each use—e.g., “DSP-5 #123, Widget X, 10 barrels shipped 3/31/25—10 remaining.” Stay accurate—auditors review this (Section 10).

12. ITAR Amendments and Provisos

Your ITAR license from Section 11 isn’t fixed—changes happen, and DDTC expects you to update it accordingly (22 CFR § 123.25). This applies only to ITAR—for EAR, adjustments go through SNAP-R (Section 11). Smaller operations need to stay on top of this to remain compliant.

Common Amendments

Update your DSP-5 on DECCS when details shift—new buyers, addresses, or quantities. An outdated license used for a new transaction is a violation—DDTC doesn’t accept near-matches. For example: “DSP-5 #123, Widget X—Customer Y relocated to 789 Elm St, UK—amended 3/31/25.”

Amendments take 30-60 days, similar to a new license—document it, e.g., “DSP-5 #123, amended 3/31/25—approved 5/15/25” (Section 10). Don’t ship until it’s approved; premature action risks penalties.

Provisos

Licenses often include provisos—conditions like “No technical data to Country X” or “U.S. use only.” These are mandatory—violating them triggers a breach (22 CFR § 127). Example: “DSP-5 #123—proviso: no Widget X data to China.”

Note: “DSP-5 #123 amended—new buyer, 3/31/25—proviso: no technical data to China—verified and logged.”

Tip: Review provisos carefully—email DDTC (ddtc.gov) if they’re unclear. A single oversight can lead to audit scrutiny (Section 9).

Provisos: Conditions like “No technical data to X” or “U.S.-only”—violations are breaches—monitor them closely (Section 10).

13. ITAR/EAR Violations and Enforcement

Your compliance program from Section 5 is your defense—mistakes under ITAR (22 CFR § 127) or EAR (15 CFR § 764) carry heavy consequences. DDTC and BIS enforce these rules strictly, and claiming ignorance won’t help. For smaller businesses, understanding the risks is key to staying out of trouble.

Penalties

ITAR violations can result in civil fines up to $1,197,728 per incident (2025 limit, 22 CFR § 127.10), or criminal penalties of $1 million and 20 years in prison (22 U.S.C. § 2778). EAR violations carry civil fines up to $353,534 per breach (15 CFR § 764.3), with criminal penalties reaching $1 million and 20 years.

Common issues include shipping without a license—like Widget X leaving unchecked—or missing records (Section 10), or dealing with denied parties (Section 7). Each error compounds, potentially escalating costs rapidly.

Enforcement

DDTC and BIS enforce through audits (Section 9), reports from others, or export data reviews—Customs often flags discrepancies. Civil penalties accumulate with multiple violations, while criminal cases involve the DOJ for intentional acts, such as exports to restricted countries like Russia or Iran.

Note: “Widget X shipped without license, 3/31/25—detected by BIS, resolution pending.”

Tip: Document any errors—e.g., “Caught questionable order, 3/31/25—stopped and reported” (Section 14)—it shows diligence and may reduce penalties.

Real Cases: 2020: Company X fined $500,000 for sharing ITAR data with China—caught during a DDTC audit.

14. Voluntary Disclosures & Self-Disclosures for Compliance

Errors happen—like shipping Widget X without a license or sending technical data to an unverified email. Voluntary disclosures to DDTC for ITAR (22 CFR § 127.12) or BIS for EAR (15 CFR § 764.5) can help manage the fallout if you catch it first. For smaller businesses, this is a practical way to address issues proactively.

Why Disclose?

Disclosing isn’t mandatory, but it’s a strategic choice. It demonstrates you’re not hiding issues, potentially reducing fines or avoiding criminal charges if the violation wasn’t intentional. DDTC and BIS consider your effort—prompt reporting and corrections might lighten the penalty, though it’s not guaranteed. Civil fines could drop significantly—e.g., from $500,000 to $50,000—or criminal risks may decrease.

Submit within 60 days—use DECCS for ITAR or the BIS portal for EAR. Waiting too long increases the chance they’ll find it first.

How to Self-Disclose

Keep your disclosure clear and concise—include the narrative, supporting documents, and corrective actions:

    • What Happened: “3/31/25—Widget X shipped without a license—identified 4/1/25.”


This flow chart is a visual map of the EAR Classification process. It requires careful steps and support—use it with the Product Classification Guide for detailed instructions.

Start: Product Subject to EAR
Jurisdiction confirmed as EAR. See Step 1 in guide.

Step 1: Confirm Jurisdiction (EAR)
Not ITAR? Then it’s likely EAR. See Step 1 in guide for details.

Step 2: Understand What an ECCN Is
ECCN determines controls and licenses. See Step 2 in guide.

Step 3: Use the CCL Index to Search for Matches 🔍👥
Look up your product in 15 CFR §774 Supp. 1. Work with Engineering. See Step 3 in guide.

Step 4: Break Down the ECCN Entry 💡
Check thresholds, exceptions, control reasons. See Step 4 in guide.

Step 5: Classify the Technology Too ⚠️
Tech data may have a different ECCN. Avoid export violations (e.g., sharing tech data). See Step 5 in guide.

Step 6: Write It Down – The Right Way ✅
Document in Product Matrix. Protect yourself in audits. See Step 6 in guide.

Done: EAR Classification Complete!
Double-check with a supervisor. See guide for next steps.
