logo
Sign UpSign InTry for free
ITAR COMPLIANCE CHECKLIST

ITAR compliance checklist

A practical ITAR compliance checklist for entities that manufacture, broker, or export defense articles or technical data: USML determination, DDTC registration, Technology Control Plan, license / exemption strategy, and ongoing audit.

Official source:

Read the official DDTC (State Department) ITAR site
Download the checklist (PDF)Download DOCX
Who must comply with ITAR

Who ITAR applies to

US persons that manufacture defense articles, furnish defense services, broker defense articles, or engage in the export of USML-listed items or technical data. Also relevant to foreign persons who receive such items.

Jurisdiction: US defense industrial base and downstream defense exports. Full name: International Traffic in Arms Regulations.

ITAR Checklist

The ITAR compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

Download fillable PDFDownload DOCX

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. STEP 1

    Determine whether your article, software, or technical data is on the US Munitions List (USML).

  2. STEP 2

    For dual-use items, check the Commerce Control List (CCL) and EAR jurisdiction.

  3. STEP 3

    Register with the Directorate of Defense Trade Controls (DDTC) and pay the annual fee.

  4. STEP 4

    Designate an Empowered Official authorised to sign ITAR submissions.

  5. STEP 5

    Implement a Technology Control Plan (TCP) - physical, IT, personnel, visitor controls.

  6. STEP 6

    Run workforce training on ITAR scope, USML categorisation, and reporting obligations.

  7. STEP 7

    For each transaction: apply for a DSP-5 / DSP-73 / DSP-85 license or rely on a documented exemption.

  8. STEP 8

    Maintain DDTC-required records for 5 years after the transaction.

  9. STEP 9

    Run periodic internal audits and self-disclose violations to DDTC where appropriate.

  10. STEP 10

    Update USML categorisation when product capabilities change.

FILLABLE PDF PREVIEW

ITAR compliance checklist

International Traffic in Arms Regulations

Organisation

[Organisation name]

Owner

[Assigned to]

Target date

[Target completion date]

Reviewed by

[Reviewed by]

Determine whether your article, software, or technical data is on the US Munitions List (USML).

For dual-use items, check the Commerce Control List (CCL) and EAR jurisdiction.

Register with the Directorate of Defense Trade Controls (DDTC) and pay the annual fee.

Designate an Empowered Official authorised to sign ITAR submissions.

Implement a Technology Control Plan (TCP) - physical, IT, personnel, visitor controls.

+ 5 more checkboxes in the downloaded PDF
ITAR Process Map

ITAR as a process map

The ITAR programme lifecycle. USML determination at the top is where most teams either accidentally drift into scope or miss controlled items entirely - the gate that everything else depends on.

Open in editor

ITAR USML applicability and export authorization

An ITAR USML applicability and export authorization process rendered as a BPMN 2.0 process map. The flow takes an item, hardware, software, or technical data through the §120.10 USML applicability check, branches to EAR/non-USML on negative jurisdiction, otherwise determines whether to apply for a DSP-5 license or an ITAR exemption (e.g. §125.4, §126.4), screens the end-use and end-user against the §126.7 / Debarred Parties / OFAC lists, and records the authorization in the export audit log per §122.5.

  1. Identify the item, hardware, software, or technical data to be exported, re-exported, or transferred.
  2. Run the USML applicability check per §120.10 - is the item enumerated on the United States Munitions List (Categories I-XXI)?
  3. If the item is not USML and not specially designed for a defense article, route to the EAR / non-USML jurisdiction path and exit the ITAR process.
  4. If the item is USML, decide whether to apply for a DSP-5 license (or DSP-73 for temporary export) or to claim an ITAR exemption (e.g. §125.4 technical data, §126.4 USG transfers).
  5. For the license path, prepare and submit DSP-5 via DECCS; for the exemption path, document the exemption citation and required certifications.
  6. Screen the end-use, end-user, and intermediate consignees against §126.7 ineligibility, Debarred Parties, OFAC SDN, and proliferation lists; resolve red flags or deny.
  7. Record the authorization, screening evidence, and shipment details in the §122.5 export audit log and the brokering activity register where applicable.
ITAR FAQ

Frequently asked questions

ITAR vs EAR - which applies?

ITAR applies to defense articles, defense services, and related technical data on the US Munitions List (USML), administered by DDTC at State. EAR applies to dual-use items on the Commerce Control List (CCL), administered by BIS at Commerce. Many products fall under EAR; ITAR is more restrictive and covers explicitly military items.

Do I need to register with DDTC if I never export?

Yes if you manufacture or broker defense articles on the USML. ITAR registration is required for US persons engaged in manufacturing or exporting USML items, even where no actual export has yet occurred. Brokering requires a separate registration.

What counts as an ITAR-controlled "export"?

Physical export of items, electronic transmission of technical data abroad, and - critically - "deemed exports" to foreign persons inside the US (a foreign-national employee accessing technical data, for example). The deemed-export rule catches teams off guard the most.

What are the penalties?

Criminal penalties up to $1M per violation and 20 years imprisonment; civil penalties up to $1,271,078 per violation (or twice the transaction value, whichever is greater - 2025 inflation-adjusted per the State Department's January 2025 Federal Register notice). DDTC also imposes administrative penalties - debarment, suspension, denial of export privileges.

More Compliance Checklists

Other compliance checklists

DORA compliance checklist

A practical DORA (Digital Operational Resilience Act) compliance checklist for EU financial entities: ICT risk management framework, incident classification and reporting, resilience testing, third-party register, and annual reporting - the five pillars of Regulation 2022/2554.

CMMC 2.0 compliance checklist

A step-by-step CMMC 2.

HIPAA compliance checklist

The annual HIPAA compliance cycle as a step-by-step checklist: risk analysis, policy updates, workforce training, safeguards, documentation, and re-attestation.

SOC 2 compliance checklist

A practical SOC 2 compliance checklist covering Trust Service Criteria selection, control mapping, evidence gathering, auditor engagement, and report issuance - for both Type I and Type II engagements.

PCI DSS 4.0.1 compliance checklist

A practical PCI DSS 4.

SOX compliance checklist

A practical Sarbanes-Oxley compliance checklist focused on Section 404: scoping significant accounts and ITGCs, documenting control design, testing operating effectiveness, evaluating deficiencies, and supporting management's assertion.

All compliance checklists

The full compliance hub - every checklist (HIPAA, SOC 2, PCI DSS, CMMC, NIST, FedRAMP, ITAR, DORA, SOX, CCPA) plus the regulation deep-dives (CPS 230, OSFI E-21, EU AI Act Annex IV) in one place.

Cosmic background pattern
Decorative rectangle pattern

Turn the ITAR checklist into a working process

Open the ITAR process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.