ITAR compliance: what it is, who it applies to, and what IT teams must do

According to the 2026 Kaseya State of the MSP Report, regulatory compliance and reporting ranks among the top ten service needs for MSP clients in 2026, and for those in the defense sector, ITAR compliance is non-negotiable.

ITAR, the International Traffic in Arms Regulations, is the US export control framework governing defense articles, defense services, and related technical data listed on the United States Munitions List (USML). For IT teams and MSPs, ITAR compliance is relevant whenever they are handling technical data or providing services that fall within its scope, and the consequences of getting it wrong are severe.

Unlike most compliance frameworks where penalties are financial, ITAR violations can result in criminal prosecution, debarment from government contracting, and personal liability for individual employees. Understanding whether ITAR applies and what it requires is essential before accepting any engagement in the defense sector. Kaseya’s compliance tools support multi-framework compliance management for MSPs serving defense contractors and federal-adjacent clients.

What is ITAR?

ITAR is administered by the US Department of State’s Directorate of Defense Trade Controls (DDTC). It implements the Arms Export Control Act, regulating the export and import of defense-related materials and services to prevent sensitive military technology from reaching adversaries.

The regulation controls items on the United States Munitions List (USML), which includes weapons systems, military electronics, spacecraft, nuclear materials, and the technical data and defense services related to those items. The USML has 21 categories, and many items that are not obviously “weapons” fall within its scope, including training simulators, certain software with military applications, and technical data about controlled items.

The USML was revised in September 2025, removing items no longer considered sensitive enough to warrant control and adding others. Organizations that previously determined ITAR did not apply to their work should revisit that assessment if they operate in aerospace, space technology, or emerging tech categories that were in scope for the revision.

ITAR is distinct from but related to EAR (Export Administration Regulations), administered by the Commerce Department, which covers dual-use items: commercial products with potential military applications. Items not on the USML but with export control significance may fall under EAR instead.

Who ITAR applies to

ITAR applies to US persons (citizens, permanent residents, and US-incorporated entities) who manufacture, export, temporarily import, or broker defense articles or services.

“Export” under ITAR has a broader technical meaning than most people expect:

  • Providing technical data to a foreign national inside the United States is a “deemed export,” treated as an export to their home country
  • Allowing access to ITAR-controlled technical data from outside the United States, including through cloud storage accessible from abroad, is an export
  • Transferring ITAR-controlled technical data to a foreign entity, or allowing foreign nationals to access it, requires authorization

ITAR requirements also flow down through the supply chain. Subcontractors, tool vendors, and service providers that receive, process, or store ITAR-controlled data must maintain compliance themselves. An MSP that takes on a defense contractor engagement does not inherit only the client’s compliance obligation: it takes on its own.

For IT teams and MSPs, this means any engagement involving ITAR-controlled technical data requires understanding the nationality of all staff with access, the location of every system where the data is stored or accessible, and the export authorizations that apply.

What counts as ITAR-controlled technical data

Technical data under ITAR means information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes:

  • Technical drawings, specifications, and design documents
  • Software directly related to USML-controlled hardware
  • Manufacturing processes for USML items
  • Performance specifications and test data for defense articles

Not all technical data from defense contractors is ITAR-controlled. The critical question is whether the information is required for the development, production, or operation of a USML-listed item. Companies subject to ITAR should have a formal technology control program (TCP) that classifies what data is ITAR-controlled within their environment.

An IT team or MSP that cannot get clarity on this from a defense contractor client is not in a position to safely take on the engagement. Before accepting any work that touches defense sector systems, get written confirmation of what data is classified as ITAR-controlled and what the client’s TCP covers.

The export concept, and why IT systems are in scope

The deemed export concept creates the most significant IT compliance challenge. A system that stores ITAR-controlled technical data could constitute an export if:

  • The system is accessible from outside the United States, including cloud storage without geographic restrictions
  • A foreign national has access to the system or its data, including IT administrators
  • The system is managed or accessed remotely from a foreign location

For cloud storage specifically, the DDTC has made clear that storing ITAR-controlled data on cloud infrastructure accessible from or operated in foreign locations requires export authorization, or the use of cloud infrastructure specifically designed for ITAR compliance. That means US-only data residency, US-person access restrictions, and appropriate contractual and technical controls. Standard commercial cloud tiers at AWS, Microsoft 365, and Google Workspace typically do not meet these requirements without specific configuration. Purpose-built environments such as AWS GovCloud and Microsoft Azure Government are designed for ITAR-eligible workloads.

There is also an emerging concern specific to AI and collaboration tools. When ITAR-controlled content is processed by AI platforms, drafted in collaboration tools, or transmitted through shared workspaces, each of those flows is a potential export event if a foreign person can access the tool or if data is routed through foreign infrastructure.

For MSPs, the implication is direct. If an MSP provides IT services to a defense contractor handling ITAR data, and the MSP’s technicians include foreign nationals, or the MSP uses tools with offshore support or remote access, the MSP may be creating export violations on behalf of its client and for itself.

What ITAR requires of IT systems and MSPs

There is no single ITAR technical control checklist comparable to PCI DSS or HIPAA. ITAR compliance for IT is primarily about controlling access to technical data so that it does not reach foreign persons or foreign locations without appropriate authorization.

Data localization. ITAR-controlled technical data must be stored on systems physically located in the United States and not accessible from outside the US without export authorization.

Access control by nationality. Access to ITAR-controlled data must be limited to US persons. Foreign nationals, including IT staff, contractors, and any system administrators, must not have access to systems or data covered by ITAR without a specific export license or applicable exemption.

US-only cloud infrastructure. Cloud storage of ITAR-controlled data requires US-only data residency and US-person access controls. Major cloud providers offer ITAR-eligible configurations through government cloud tiers. Standard commercial tiers typically do not meet ITAR requirements.

Remote access controls. Remote access to ITAR-scope systems must be restricted to US persons accessing from within the United States. VPN or remote access solutions that allow connections from any geographic location are not suitable for ITAR-scope systems without additional controls.

Subcontractor and supply chain controls. MSPs that access ITAR data must ensure their own subcontractors and tool vendors also control access appropriately. An MSP that uses a foreign-owned or foreign-staffed service for any function touching ITAR-scope clients may be creating violations regardless of intent.

Technology control program (TCP). DDTC guidance and industry practice call for a documented TCP: policies and procedures covering how ITAR-controlled data is identified, stored, accessed, and protected. For IT teams and MSPs in this space, the TCP is the governance equivalent of a HIPAA security program or a CMMC System Security Plan.

Relationship to CMMC. Most organizations that handle ITAR data are also in scope for Department of Defense work, which means ITAR obligations overlap with Cybersecurity Maturity Model Certification (CMMC) requirements. ITAR-controlled technical data typically qualifies as Controlled Unclassified Information (CUI), bringing CMMC Level 2 requirements into play. MSPs supporting defense contractors should treat ITAR and CMMC as a combined compliance program, not separate workstreams.
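The three deemed-export conditions listed earlier and the data localization, nationality and remote access requirements above reduce to a small set of checks that an IT team can run over its own access records. The Python below is an added illustration, not code from the article or from Kaseya; the systems, users, country codes and access events in it are constructed for the example.

```python
# Added example (not from the article): flag access events that would breach the
# ITAR access rules described above. All systems, people and events are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    holds_itar_data: bool
    hosting_country: str          # ISO code for where the system physically runs
@dataclass(frozen=True)
class Person:
    user: str
    us_person: bool               # US citizen, permanent resident or otherwise qualifying
    export_license: bool = False  # specific DDTC license or exemption on file for this user
@dataclass(frozen=True)
class AccessEvent:
    user: str
    system: str
    source_country: str           # ISO code for where the session originated

def evaluate(event, systems, people):
    """Return the list of ITAR findings for one event; an empty list means no concern."""
    target = systems[event.system]
    if not target.holds_itar_data:
        return []                 # out of scope: no controlled technical data involved
    person = people.get(event.user)
    if person is None:
        return ["unknown user on ITAR-scope system"]
    findings = []
    if target.hosting_country != "US":          # data localization
        findings.append(f"ITAR data hosted outside the US ({target.hosting_country})")
    if not person.us_person and not person.export_license:   # access control by nationality
        findings.append("non-US person without license or exemption (deemed export)")
    if event.source_country != "US":            # remote access control
        findings.append(f"access from outside the US ({event.source_country})")
    return findings

SYSTEMS = {s.name: s for s in (System("drawings-share", True, "US"),
                               System("eu-backup", True, "DE"),      # mis-located backup
                               System("helpdesk-wiki", False, "US"))}  # out of scope
PEOPLE = {p.user: p for p in (Person("alice", True), Person("bob", False),
                              Person("carol", False, export_license=True))}
EVENTS = [AccessEvent("alice", "drawings-share", "US"),  # clean
          AccessEvent("bob", "drawings-share", "US"),    # deemed export inside the US
          AccessEvent("alice", "drawings-share", "CA"),  # US person, but connecting from abroad
          AccessEvent("carol", "eu-backup", "US"),       # licensed user, but data hosted in DE
          AccessEvent("bob", "helpdesk-wiki", "IN")]     # no ITAR data, so no finding

def audit(events=EVENTS, systems=SYSTEMS, people=PEOPLE):
    return [(e.user, e.system, f) for e in events if (f := evaluate(e, systems, people))]
```

Each finding maps back to one of the requirements above, so a non-empty result is a prompt to check the export authorization, not proof of a violation.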

Consequences of non-compliance

ITAR violations are treated as serious federal offenses. The enforcement environment has tightened in recent years.

Civil penalties. The current maximum civil penalty is $1,271,078 per violation, or twice the value of the transaction, whichever is greater, effective January 2025. Each unauthorized disclosure or export is a separate violation, and total exposure can multiply quickly across a pattern of non-compliance.

Criminal penalties. Up to $1 million per violation and up to 20 years imprisonment for willful violations. Criminal prosecution requires proof of knowing or willful intent, a higher threshold than civil enforcement.

Debarment. Organizations found to have violated ITAR may be debarred from US government contracting, effectively ending eligibility for federal work. Reinstatement of export privileges is not automatic and requires a formal request to the Department of State.

Enforcement is rising. In October 2024, RTX (formerly Raytheon) agreed to pay over $950 million to resolve investigations that included ITAR and Arms Export Control Act violations, the largest ITAR-related settlement on record. The case reinforced that enforcement is active, penalties are severe, and the consequences extend well beyond the immediate fine to include mandatory compliance oversight and reputational damage.

Voluntary disclosure. DDTC operates a voluntary disclosure program that typically results in reduced penalties for organizations that self-report violations. Voluntary disclosure is generally preferable to waiting for enforcement action, and should be the first step when a potential violation is identified.

ITAR compliance practical checklist

For IT teams and MSPs evaluating or managing ITAR-scope engagements:

  • Confirm with the client what data is ITAR-controlled and review their technology control program
  • Verify that all staff and contractors with access to ITAR-scope systems are US persons
  • Confirm that cloud storage used for ITAR data has US-only residency and US-person access controls
  • Restrict remote access to ITAR-scope systems to US persons accessing from within the US
  • Review all tool vendors and subcontractors for foreign person access risks
  • Evaluate AI and collaboration tools for ITAR data exposure risk
  • Execute appropriate contractual protections addressing ITAR obligations
  • Document all compliance measures for audit purposes
  • Determine whether CMMC obligations overlap with ITAR scope and manage them as a combined program

Compliance Manager GRC from Kaseya supports multi-framework compliance management, including CMMC and federal-adjacent frameworks that intersect with ITAR obligations.

Key Takeaways

  • ITAR regulates the export of defense articles and technical data. The deemed export concept means a foreign national accessing ITAR data inside the US is treated as an export to their home country.
  • Cloud storage of ITAR-controlled data requires US-only data residency and US-person access controls. Standard commercial cloud tiers typically do not qualify.
  • MSPs providing IT services to defense contractors take on their own ITAR obligations if their staff includes foreign nationals with access to ITAR-scope systems, or if their tools have offshore access.
  • The current civil penalty is $1,271,078 per violation (effective January 2025). Criminal penalties reach $1 million per violation and 20 years imprisonment. Debarment from government contracting is a separate consequence.
  • ITAR and CMMC obligations overlap for most defense contractors. Treat them as a combined compliance program.
