ITAR Compliance Crucial for Lower-Tier Suppliers

By Thomas B. McVey

iStock illustration

Companies that supply products and services that are used in the defense sector increasingly are being asked by their customers whether they are “ITAR compliant” and if they can document this. Many mid-sized, second- and third-tier contractors and suppliers do not know how to respond to these requests, which can have important consequences for a company.

By way of background, the International Traffic in Arms Regulations are the State Department rules that apply to the manufacture and transfer of defense products, services and related technical data. There is a major concern within the U.S. government that, while large prime contractors have strong ITAR compliance programs, many mid-sized and small companies in the defense supply chain do not, and that this gap creates significant national security risks.

These issues apply not only to companies with direct contracts on defense projects but also independent upstream suppliers of parts, components, services and software that ultimately flow into the defense sector. A similar problem exists for major companies whose principal customers are commercial but whose products are occasionally purchased by defense manufacturers, as such companies do not have ITAR-compliance processes as part of their day-to-day activities.

Federal agencies have taken a number of steps to address this risk. One of them is adopting specialized clauses in defense contracts mandating that contractors comply with ITAR requirements and flow this requirement down to their subcontractors. See for example Defense Federal Acquisition Regulation Supplement §225.79 and 252.225.7048.

Another step is to initiate ITAR enforcement cases targeted specifically at small and mid-sized companies.

Many prime contractors are now worried that if their subcontractors commit ITAR violations, the prime contractor can have liability. As a result, primes are establishing requirements that their subcontractors become ITAR-compliant, and asking the subcontractors to impose similar requirements on their suppliers and subcontractors. The primes will often ask for documentation from the subcontractors providing evidence that they have done this.

Companies under ITAR are subject to a number of potential requirements including obtaining export/import licenses and technical assistance agreements, which are restrictions on transfers of controlled technical data and software to foreign nationals in the United States or overseas — including potentially employees of the company — restrictions on entering transactions with certain “proscribed countries,” engaging in “brokering” activities without authorization, registration, reporting and record-keeping requirements.

Failure to be ITAR compliant can create significant problems for small and mid-sized contractors, including loss or termination of their contracts, potential civil and criminal liability for ITAR violations, and reputational damage, especially in the eyes of prime contractors and other downstream customers. Penalties for ITAR violations include fines of up to $1 million per violation and up to 20 years imprisonment.

The Commerce Department also administers a companion set of regulations called Export Administration Regulations that apply to commercial products and certain limited defense products, and which must be read in conjunction with ITAR. ITAR and EAR requirements can apply even if a company does not engage in any international activities and even if its only customer is the Defense Department.

What should mid-sized companies do to deal with these requirements? There is no formal process or certification for a company to become ITAR compliant or “ITAR certified.” However, there are a number of important steps that small and mid-sized contractors can take to come into compliance with the law and address these requests from prime contractors.

The first step is ITAR registration. Many companies in the defense supply chain are required to register with the State Department under ITAR Part 122. Companies should assess if they are required to register and, if so, do it as quickly as possible.

A second important step is identifying the specific ITAR/EAR requirements that apply to the company based upon its business activity, customer base and countries of operation, and adopting focused strategies for dealing with these. This is called a “risk assessment,” which can help you identify the greatest legal risks and exposures for a company and strategically concentrate efforts to eliminate these.

A third important step is to learn about the general requirements under ITAR and EAR and adopt internal written policies and procedures to comply. This is called a “compliance program.” Both the State and Commerce Departments recommend that companies involved in ITAR- or EAR-controlled activities adopt compliance programs. If a company has a violation, the agencies frequently reduce penalties or assesses no penalties for companies that have compliance programs. Such programs demonstrate to prime contractors that a company has a formal process for ITAR/EAR compliance and project a sophisticated approach to managing these issues.

Other steps to protect a company include: conducting due diligence reviews of your subcontractors and upstream suppliers to verify that they take steps to comply with ITAR requirements; marking products and documents to show that they are subject to ITAR controls; reviewing articles and documents received to see if they are marked as ITAR-controlled; and conducting compliance training for employees.

Once these steps are taken, a lower-tier vendor will be ready to respond to future inquiries from prime contractors regarding its ITAR readiness for new contracts. This will provide a competitive advantage over other subcontractors in competing for new business and help in reducing legal liability on an ongoing basis.

Thomas B. McVey ( is the chair of the international practice group at Williams Mullen.

Topics: Business Trends, Global Defense Market, International

Comments (0)

Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code
Please enter the text displayed in the image.