ITAR Compliance Guide for Space Companies

The International Traffic in Arms Regulations (ITAR) represent one of the most significant regulatory challenges facing space companies, particularly those engaged in international business or employing non-U.S. persons. ITAR controls the export of defense articles, defense services, and related technical data listed on the United States Munitions List (USML), which includes a wide range of spacecraft, launch vehicles, and related technologies.

For space companies, ITAR compliance is not optional. Violations carry severe penalties -- including criminal fines of up to $1 million per violation, imprisonment of up to 20 years, and debarment from future export activities. Even inadvertent violations, such as sharing controlled technical data with a foreign national at a conference or via an unsecured email, can trigger enforcement actions.

This guide provides a comprehensive overview of the ITAR framework as it applies to space companies: what is controlled, who must comply, how the licensing process works, the distinction between ITAR and EAR (Export Administration Regulations), common compliance pitfalls, and best practices for building a robust internal compliance program. It is designed for compliance officers, engineering managers, business development professionals, and executives at space companies who need to understand the regulatory landscape.

The International Traffic in Arms Regulations (ITAR), codified at 22 CFR Parts 120-130, implement the Arms Export Control Act (AECA) of 1976. ITAR is administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State's Bureau of Political-Military Affairs.

ITAR controls three categories of items and activities:

A critical concept in ITAR is the "deemed export" rule. Disclosing ITAR-controlled technical data to a foreign national -- even if both parties are physically within the United States -- is considered an "export" to that person's home country. This has profound implications for hiring, conference participation, facility access, and IT security at space companies. A foreign national engineer working at a U.S. space company cannot access ITAR-controlled data without proper authorization, regardless of their employment status, security clearance level, or physical location.

The USML is organized into 21 categories. Space-related items appear primarily in categories IV (Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines), XI (Military Electronics), and XV (Spacecraft and Related Articles).

Category IV: Launch Vehicles & Missiles

Category IV covers launch vehicles, space launch vehicles (SLVs), and their major components, including rocket engines, guidance systems, and re-entry vehicles. Due to the inherent dual-use nature of launch vehicle technology (the same technology that puts satellites in orbit can deliver warheads), this category has historically been one of the most strictly controlled. Virtually all launch vehicle technology remains on the USML.

Key controlled items include complete launch vehicles and SLVs, liquid and solid rocket engines with certain performance thresholds, guidance and navigation systems, thrust vector control systems, staging mechanisms, and associated software and technical data.

Category XV: Spacecraft & Related Articles

Category XV was created as part of the 2014 export control reform process to provide a more nuanced treatment of spacecraft. It distinguishes between items that remain on the USML (due to military or intelligence applications) and those that have been moved to the Commerce Control List (CCL) under EAR jurisdiction.

Items that remain on the USML under Category XV include:

• Spacecraft specifically designed or modified for military or intelligence purposes
• Remote sensing spacecraft with certain resolution or capability thresholds
• Spacecraft with certain radiation-hardened components
• Space-qualified components specifically designed for defense or intelligence spacecraft
• Ground control systems specifically designed for USML spacecraft

Items moved to the CCL include many commercial communication satellites, commercial remote sensing satellites (below certain resolution thresholds), and commercial spacecraft components. This was a significant reform that reduced the ITAR burden on much of the commercial satellite industry, though companies must still carefully determine the jurisdiction and classification of their specific items.

Category XI: Military Electronics

Category XI controls certain electronic equipment and components with military applications, including some space-qualified electronics, radiation-hardened components, and certain types of sensors. Space companies should review this category carefully, particularly those developing payloads, sensors, or electronic subsystems.

Track USML and regulatory changes on SpaceNexus Compliance Hub

ITAR compliance requirements extend broadly across the space industry supply chain. The following types of entities are typically subject to ITAR:

Importantly, ITAR obligations apply regardless of company size. A two-person startup designing a novel propulsion system is subject to the same regulatory framework as Lockheed Martin. Many space startups discover ITAR compliance requirements for the first time when they attempt to hire foreign national employees, attend international conferences, or engage with non-U.S. customers or partners.

The fundamental research exclusion (22 CFR 120.34) provides important relief for universities and research institutions. Information arising from fundamental research -- defined as basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the research community -- is not subject to ITAR controls. However, this exclusion has important limitations: it does not apply if the research is subject to access or dissemination restrictions, or if it is conducted under a contract or grant that restricts publication.

Any U.S. person who engages in the business of manufacturing or exporting defense articles, or furnishing defense services, must register with the DDTC (22 CFR 122.1). Registration is a prerequisite for applying for export licenses and is required even if a company does not intend to export -- the act of manufacturing defense articles triggers the registration requirement.

The registration process involves submitting Form DS-2032 (Statement of Registration) along with supporting documentation and a registration fee. As of 2026, the annual registration fee is tiered based on the nature and volume of activities, starting at $2,250 per year. Registration must be renewed annually.

Registration does not, by itself, authorize any exports. It simply establishes the registrant's relationship with the DDTC and enables the company to submit license applications and agreement requests. Failure to register when required is itself a violation of ITAR.

The registration process is now managed through the DDTC's DECCS (Defense Export Control and Compliance System), an online portal that also handles license applications, agreement submissions, and compliance reporting.

ITAR provides several authorization mechanisms for the export of defense articles, services, and technical data:

Direct Commercial Sales (DCS) Licenses

A DCS license authorizes the export of specific defense articles to a specific end user for a defined purpose. License applications are submitted through DECCS and are reviewed by the DDTC, typically with input from the Department of Defense and other agencies. Processing times vary but typically range from 30 to 90 days for routine cases, though complex applications can take significantly longer.

Technical Assistance Agreements (TAAs)

A TAA authorizes the provision of defense services or the disclosure of technical data to foreign persons. TAAs are commonly required for international collaborations, joint ventures, and customer support activities. For example, a U.S. satellite manufacturer providing technical support to a foreign satellite operator would typically need a TAA. TAAs specify the scope of authorized activities, the foreign parties involved, and any limitations or conditions.

Manufacturing License Agreements (MLAs)

An MLA authorizes the manufacture of defense articles abroad. This is relevant for space companies that establish international manufacturing facilities or license their technology to foreign companies for production.

Exemptions

ITAR provides certain exemptions from licensing requirements for specific situations. Notable exemptions include those for transfers to U.S. government end users (22 CFR 126.4), certain NATO and major non-NATO ally transfers, and the Canadian exemption (22 CFR 126.5) which provides limited exemptions for exports to Canada. However, exemptions have specific conditions and limitations, and their improper use can result in violations. Companies should carefully review exemption applicability with legal counsel before relying on them.

Technical data controls are often the most challenging aspect of ITAR compliance for space companies. ITAR-controlled technical data includes any information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This encompasses engineering drawings, specifications, test reports, operational manuals, process documentation, and software source code.

The digital age has made technical data controls particularly complex. Cloud computing, remote work, and global collaboration tools create numerous opportunities for inadvertent exports. Companies must ensure that IT systems are configured to prevent unauthorized access to controlled data, that cloud storage complies with ITAR requirements (including restrictions on data location and access controls), and that employees understand their obligations regarding controlled information.

ITAR does provide certain exclusions from the definition of "technical data" (22 CFR 120.34), including information in the public domain (such as published papers and publicly available patent applications), general scientific, mathematical, or engineering principles taught in schools and universities, and basic marketing information on function or purpose.

One of the most significant developments in space export control over the past decade has been the migration of certain commercial space items from the USML (ITAR jurisdiction) to the Commerce Control List (CCL, under EAR jurisdiction). This was part of the broader Export Control Reform (ECR) initiative that began in 2009.

The first step in any export control analysis is commodity jurisdiction determination -- determining whether an item is controlled under ITAR (USML) or EAR (CCL). Companies can submit a formal Commodity Jurisdiction (CJ) request to the DDTC (27 CFR 120.4) if the classification is unclear. In practice, many space companies maintain internal classification processes, often with the support of specialized export control counsel.

The migration of commercial satellites and components to EAR has been broadly positive for the commercial space industry, as EAR generally provides more flexible licensing mechanisms, more available license exceptions, and somewhat lower penalties. However, items on the CCL are still export-controlled and require careful compliance attention.

ITAR enforcement is taken seriously by the U.S. government. Criminal prosecutions are handled by the Department of Justice, while civil enforcement actions are brought by the DDTC. Notable enforcement actions in the space industry include:

• Boeing (2006): $75 million settlement for 47 charges related to unauthorized exports of commercial satellite and launch vehicle data to China, Russia, and other countries.
• Hughes Electronics / Boeing Satellite (2003): $32 million settlement related to unauthorized technical assistance to China during Long March launch failure investigations.
• L3 Technologies (2016): $13 million consent agreement for unauthorized exports of controlled night vision and thermal imaging technology.
• Honeywell (2022): $13 million penalty for unauthorized exports of engineering drawings related to defense articles, including aerospace components.

In addition to financial penalties, violators may face debarment -- the loss of the ability to participate in U.S. defense trade. For a space company dependent on government contracts or international sales, debarment can be an existential threat.

The DDTC encourages voluntary self-disclosure of violations. Companies that discover and promptly report violations, implement corrective actions, and cooperate with the government typically receive more favorable treatment than those where violations are discovered through investigation.

An effective ITAR compliance program should include the following elements:

1. Senior Management Commitment

Compliance must be supported from the top. The CEO and board should understand ITAR obligations, allocate adequate resources, and establish a culture where compliance is prioritized alongside business objectives. A designated Empowered Official (EO) -- a U.S. person with authority to sign export license applications and verify compliance -- must be appointed.

2. Written Policies and Procedures

Document all compliance policies, including procedures for commodity classification, license application, record keeping, technology control plans, visitor screening, employee screening, and voluntary self-disclosure. These documents should be reviewed and updated annually.

3. Training

All employees who may encounter controlled articles, data, or services should receive initial and periodic ITAR training. Training should cover the basics of export controls, company-specific policies, how to identify potentially controlled items, and how to escalate compliance questions. Engineering, business development, HR, IT, and operations staff all need appropriate training.

4. Technology Control Plan (TCP)

A TCP defines how controlled technical data is identified, marked, stored, transmitted, and accessed within the organization. It should address physical security (locked areas, visitor controls), IT security (access controls, encryption, cloud storage policies), and personnel controls (screening, need-to-know restrictions). The TCP is particularly important for companies employing foreign nationals.

5. Screening and Due Diligence

Screen all parties involved in transactions against the Consolidated Screening List maintained by the U.S. government, which includes denied parties, sanctioned entities, and other restricted persons. Screen employees, customers, suppliers, partners, and conference attendees as appropriate.

6. Record Keeping

ITAR requires retention of all records relating to defense trade activities for a minimum of five years. This includes license applications, agreements, shipping records, classification determinations, and training records. Good record keeping is essential for demonstrating compliance and supporting any future audits or investigations.

Manage regulatory compliance on SpaceNexus · Track government contracts and procurement

The export control landscape for space companies continues to evolve in response to industry changes and geopolitical dynamics. Several developments are worth tracking:

Commercial Space Decontrol Efforts

Industry groups including the Satellite Industry Association (SIA) and the Aerospace Industries Association (AIA) continue to advocate for further migration of commercial space items from the USML to the CCL. The argument is that overly broad ITAR controls on commercially available technology harm U.S. competitiveness without meaningfully improving national security. Progress has been incremental, with periodic adjustments to USML categories and CCL classifications.

Emerging Technology Controls

Conversely, new controls are being developed for emerging technologies with national security implications, including certain AI/ML applications, advanced semiconductor manufacturing technology, and quantum computing and sensing. Space companies developing or integrating these technologies should monitor regulatory developments closely.

Allied Country Collaboration

The U.S. government has been working to streamline export processes with close allies, particularly the Five Eyes nations (UK, Canada, Australia, New Zealand) and other NATO partners. The AUKUS agreement between Australia, the UK, and the U.S. includes provisions for enhanced defense trade cooperation, which may benefit space companies engaged in collaborative programs with these nations.

Cloud Computing and Data Localization

The DDTC has issued guidance clarifying that ITAR-controlled technical data may be stored on certified cloud platforms that meet specific security requirements, provided access is appropriately controlled. AWS GovCloud, Microsoft Azure Government, and other FedRAMP-authorized environments can be used for ITAR-controlled data. However, the specific requirements and configurations needed are complex and should be reviewed with counsel.

Monitor defense and security space developments on SpaceNexus

SpaceNexus provides regulatory and compliance tracking tools designed for space industry professionals. Our Regulatory & Compliance Hub tracks space law developments, regulatory filings, and licensing updates across major jurisdictions, helping you stay informed about the evolving compliance landscape.