If your company manufactures, exports, or provides services related to defense articles, ITAR registration is not optional, and it is not a one-time event. It is an ongoing legal obligation that governs your ability to do business in the defense space. Yet registration is one of the most misunderstood steps in the compliance process and lapsed registration is one of the fastest ways to create an ITAR violation without ever shipping anything.
What ITAR Is and Why It Applies to You
The International Traffic in Arms Regulations (ITAR) are found at Title 22 of the Code of Federal Regulations, Parts 120 through 130. They implement the Arms Export Control Act (AECA) and are administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC).
Defense article means any item or technical data designated in the United States Munitions List (USML) and includes technical data recorded or stored in any physical form, models, mockups, or other items that reveal technical data directly relating to items designated in the USML. eCFR
If your company makes parts, components, software, technical data, or provides services that touch anything on the USML, ITAR likely applies even if you never ship anything overseas.
Official source: eCFR — 22 CFR Part 120, Definitions
Who Must Register
This is the question most companies get wrong. Registration is not limited to exporters.
Any person who engages in the United States in the business of manufacturing or exporting or temporarily importing defense articles, or furnishing defense services, is required to register with the Directorate of Defense Trade Controls. For this subchapter, engaging in such a business requires only one occasion of manufacturing or exporting or temporarily importing a defense article or furnishing a defense service. eCFR
That last sentence is critical. It takes only a single transaction one part manufactured, one drawing shared, one service performed to trigger the registration requirement. Manufacturers who never export a single item are still required to register.
Registration provides the U.S. Government with necessary information on who is involved in certain manufacturing and exporting activities and does not grant any export or temporary import rights or privileges. DDTC Public Portal
Registration is the starting point, not the finish line.
Official source: eCFR — 22 CFR 122.1, Registration Requirements
ITAR controls those who can access controlled technical data, not just who can export physical goods. Understanding the definition of a U.S. person is foundational.
U.S. person means a person who is a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization, or group that is incorporated to do business in the United States. It also includes any governmental (Federal, state, or local) entity. It does not include any foreign person as defined in § 120.63. eCFR
The flip side of this is the deemed export rule. An export includes releasing or otherwise transferring technical data to a foreign person in the United States. eCFR Showing a drawing, sharing a file, or even allowing a foreign national to visually inspect an ITAR-controlled article inside your U.S. facility can constitute an export requiring authorization.
Official source: eCFR — 22 CFR 120.62, U.S. Person | eCFR — 22 CFR 120.50, Export
How to Register: The DS-2032 and DECCS
An intended registrant must submit a Statement of Registration (Department of State form DS-2032) to the Office of Defense Trade Controls Compliance by following the electronic filing instructions available on the Directorate of Defense Trade Controls website at www.pmddtc.state.gov. eCFR
The DS-2032 must be signed by a senior U.S. person officer — such as a CEO, president, secretary, partner, treasurer, or general counsel who has been empowered to certify compliance on behalf of the organization. The submission is made through DDTC’s online system, called DECCS (Defense Export Control and Compliance System).
The registration form requires disclosure of whether any senior officers have been convicted of violating U.S. criminal statutes, and whether the registrant is foreign owned or foreign-controlled. If the registrant is foreign owned, that must be explained in detail, including the identities of the foreign people who ultimately own or control the entity.
Official source: DDTC — Registration | DS-2032 Form
Not sure where your organization stands with CMMC, ITAR, or federal cybersecurity requirements? The fastest way to get clarity is to talk with an expert. Book a call with our team to review your current environment, identify compliance risks, and understand what steps are required to move forward. A short conversation can help you avoid costly mistakes and focus on what matters for contract eligibility and security.
SCHEDULE YOUR FREE CONSULTATION!
Registration Fees: The Three-Tier System
Registration is not free, and the fees scale based on activity level.
The fee to be paid is one of the following: Tier 1 is a set fee of $3,000 per year and applies to new registrants, as well as to those renewing whose Department did not issue a favorable determination on a license application or other request for authorization during the 12-month period ending 90 days prior to the expiration of their current registration. Tier 2 is a set fee of $4,000 for registrants renewing who have submitted license applications or other requests for authorization and received five or fewer favorable determinations during that same 12-month period. Tier 3 is a calculated fee for registrants who received more than five favorable determinations. eCFR
In practice, most smaller defense manufacturers and subcontractors who do not regularly apply for export licenses will pay the Tier 1 rate of $3,000 per year.
Official source: eCFR — 22 CFR 122.3, Registration Fees
The Annual Renewal Requirement and Its Hard Deadlines
Registration does not last forever. It must be renewed every year, and the window to do so is narrow.
A registrant must submit its request for renewal for registration at least 30 days but no earlier than 60 days prior to the expiration date. Notice of the fee due for the next year’s registration will be sent to the registrant of record at least 60 days prior to its expiration date. eCFR
That is a 30-day window no earlier than 60 days out, and no later than 30 days before expiration. Organizations that miss this window risk a lapse in registration, which has serious consequences.
What Happens When Registration Lapses
This is where many companies learn expensive lessons. A lapse in registration does not pause your legal obligations, it creates a violation.
A registrant who fails to renew a registration and, after an intervening period, seeks to register again must pay registration fees for any part of such intervening period during which the registrant engaged in the business of manufacturing or exporting defense articles or defense services. eCFR
In other words, if you continue doing ITAR-controlled work during the lapse — manufacturing a part, working on a contract, sharing a drawing you owe back registration fees for the entire period. More importantly, any ITAR-controlled activity conducted while unregistered may itself constitute a violation subject to penalties.
Official source: eCFR — 22 CFR 122.2, Registration Submission and Renewal
The Penalties for Getting This Wrong
ITAR violations carry some of the most severe civil and criminal penalties in U.S. export control law.
The Assistant Secretary of State for Political-Military Affairs is authorized to impose a civil penalty of an amount not to exceed the greater of $1,271,078 or the amount that is twice the value of the transaction that is the basis of the violation. eCFR
The Department strongly encourages the disclosure of information to the Directorate of Defense Trade Controls by persons that believe they may have violated any export control provision of the Arms Export Control Act. The Department may consider a voluntary disclosure as a mitigating factor in determining the administrative penalties, if they should be imposed. eCFR
If you discover a violation, self-reporting quickly and completely to DDTC is the single best step you can take to reduce exposure. A voluntary disclosure does not guarantee leniency, but failing to disclose forfeits the only real mitigating factor available.
Official source: eCFR — 22 CFR Part 127, Violations and Penalties | eCFR — 22 CFR 127.12, Voluntary Disclosures
The One Thing Registration Does Not Do
This point trips up more companies than almost any other aspect of ITAR.
Registration is primarily a means to provide the U.S. Government with necessary information on who is involved in certain manufacturing and exporting activities. Registration does not confer any export rights or privileges. It is generally a precondition to the issuance of any license or other approval under this subchapter. eCFR
Being registered with DDTC means you are allowed to apply for licenses and approvals. It does not mean you are cleared to export anything. Every controlled transaction still requires its own authorization either a license, an approved agreement, or a specific exemption under the ITAR.
Official source: eCFR — 22 CFR 122.1
If your organization is unsure whether your technologies will fall under ITAR or EAR, it is important to identify risks early.
Download the ITAR Compliance Checklist to better understand how to protect controlled data and reduce export control exposure.
About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework — from Level 1 self-assessments to Level 2 and Level 3 readiness. Our team works alongside contractors to strengthen system security, define assessment scope, prepare documentation such as System Security Plans (SSPs) and POA&Ms, and build sustainable cybersecurity programs that protect FCI and CUI. Whether you are preparing for a self-assessment, a C3PAO certification, or simply improving your security posture, Brea Networks provides practical guidance and technical expertise to help you move forward with confidence.
Brea Networks, LLC
451 W Lambert Rd Ste 214
Brea, CA 92821
https://www.cmmccompliance.us
https://www.breanetworks.com
Telephone: 714-592-0063
