ITAR Certification: What It Really Means in 2026 — The Honest Guide for US Defense Suppliers

Every week, a small or mid-sized US manufacturer receives a supplier questionnaire from a prime defense contractor with a box that says "ITAR Certified" — and the panic begins. The honest answer no one tells you upfront is that ITAR certification, as a formal credential, does not exist. The US government does not issue ITAR certificates. What prime contractors are really asking about is something much more substantive: are you registered with the State Department's Directorate of Defense Trade Controls, and do you have a real Trade Compliance Program in place? This guide walks through exactly what that means in 2026, what the current registration costs, what your compliance program needs to cover, and how to answer "ITAR Certified" questionnaires with confidence rather than guesswork.

The ITAR certification myth — and what's real

Let's clear this up at the start. There is no ITAR certification. The State Department does not issue ITAR certificates. The Directorate of Defense Trade Controls (DDTC) does not run a certification program. Unlike ISO 9001 or CMMC, there is no formal credential you can earn that says your company is ITAR certified.

Yet the phrase persists everywhere. Prime contractors put it on supplier questionnaires. Defense buyers use it in RFP language. Recruiters list "ITAR Certified" as a qualification on engineering job postings. So what's actually happening? When a knowledgeable industry person says "ITAR Certified," they usually mean three things at once:

• The company is registered with DDTC under 22 CFR Part 122
• The company has a documented Trade Compliance Program addressing the core ITAR elements
• The company actively follows that program in its day-to-day operations

When a less-informed person says it, they often mean only the first item — registration. Treating DDTC registration as the whole picture is exactly how companies get themselves into expensive trouble. Registration alone does not prove compliance. It is the entry ticket, not the destination.

The reason the term spread is practical. Prime defense contractors need a fast way to ask their suppliers whether they understand and follow defense trade rules. "Are you ITAR Certified?" became industry shorthand. Smart suppliers learned to read it as the longer question it really is: "Are you registered, do you have a program, and will you not get my technical data into the wrong hands?"

Who actually needs to register with DDTC

Under 22 CFR Part 122, US persons who engage in the business of any one of the following activities involving defense articles, defense services, or related technical data must register with DDTC. This is not optional. Registration is required even if the company never actually exports anything.

The four registration triggers

• Manufacturing defense articles. If your company physically produces any item listed on the United States Munitions List (USML), you must register. This applies even to subcontractors making controlled components that never leave the US.
• Exporting defense articles or technical data. Any company that exports USML-controlled items, drawings, technical specifications, or related software must register.
• Furnishing defense services. Companies providing technical training, assistance, or consulting that touches USML items must register — including services delivered to foreign persons inside the US.
• Brokering defense articles. Companies that facilitate transactions involving defense articles between buyers and sellers, even without taking physical possession, must register as brokers under 22 CFR Part 129.

The misconceptions that get companies in trouble

The most common mistakes around registration are not technical — they are mental. Companies routinely assume one of the following and find themselves out of compliance:

• "We do not export, so ITAR does not apply to us." Wrong. Manufacturing alone triggers registration.
• "We are too small to matter." Wrong. There is no size threshold for ITAR registration. A 10-person shop making rifle scopes faces the same registration requirement as a Fortune 500 prime.
• "We only make commercial-grade products that happen to ship to defense customers." Possibly wrong. Whether an item is ITAR-controlled depends on the USML classification, not on the customer. If your product is listed on the USML, it is controlled regardless of who buys it.
• "Our foreign workers are domestic — they have US visas." Wrong. Releasing technical data to a foreign person inside the US is considered a deemed export and may require an export license even though nothing physically left the country.

If your company sits anywhere near defense work — even as a third-tier subcontractor making fasteners for a part that ends up on a fighter jet — register with DDTC. The cost of getting this wrong dwarfs the cost of getting it right.

The DDTC registration process step by step

Registration with DDTC happens through the Defense Export Control and Compliance System (DECCS), the State Department's online portal. The actual mechanics are not the hard part. Knowing what you are signing up for is.

The Statement of Registration (Form DS-2032) is the central document. It captures legal entity details, ownership structure (including any foreign ownership, control, or influence), the USML categories your company operates in, key personnel, and your Empowered Official designation. Inaccuracies on the DS-2032 are not paperwork errors — they are potential false statements to a federal agency.

Foreign ownership, control, or influence (FOCI) deserves special attention. Companies with foreign investors, foreign parent entities, or foreign board members must disclose these relationships. Material FOCI may trigger additional review, mitigation requirements, or restrictions on what work the company can perform.

DDTC registration fees in 2026

For 15 years, DDTC registration fees stayed frozen at their 2008 levels. In January 2024, that changed. DDTC implemented a tiered fee structure with significantly higher costs across the board. The 2026 rates are the second year under this updated schedule, and registrants should plan accordingly.

The registration fee is only one cost line. The bigger investment is the compliance program itself — and that is what prime contractors are really paying for when they vet "ITAR Certified" suppliers. Skipping the compliance program to save money is exactly the kind of false economy that costs companies their major customers later.

For a deeper look at how export compliance budgets fit into broader trade operations, our companion piece on export customs clearance covers the wider US export framework and how ITAR work sits alongside standard commercial export operations.

The Trade Compliance Program 14 elements

This is the part that actually matters. DDTC registration is the entry ticket. The Trade Compliance Program is what makes you genuinely compliant — and what answers the real question prime contractors are asking when they put "ITAR Certified" on a supplier form.

DDTC publishes compliance program guidelines and expects every registrant to maintain a documented program that addresses each of the elements below. Some apply to almost every registrant. Others may not be relevant depending on your business activities. But all of them should be considered, documented, and dispositioned in your written program.

• Export jurisdiction determination. Document how you classify your products, data, and services as ITAR-controlled, EAR-controlled, or not subject to either.
• End-user and end-use verification. Procedures for understanding who is ultimately receiving and using your defense articles, including in domestic transactions.
• Intermediate party identification. Procedures for mapping the supply chain and title chain on each transaction.
• Prohibited destination screening. Procedures for identifying countries subject to ITAR restrictions and OFAC sanctions.
• Restricted party screening. Screening of all parties — buyers, end users, banks, freight forwarders, US supply chain, foreign parties — against the consolidated screening list.
• Party name and address verification. Confirmation that party data is accurate before licensing or shipment.
• Licensing and exemption procedures. Process for determining when an export license is required and when ITAR exemptions apply.
• Reporting fees and commissions. Investigation of payment and commission obligations and inclusion in license filings as required.
• International travel and foreign visitor controls. Procedures for employee travel with controlled data and for visits by foreign nationals.
• Export marking. Marking of export-controlled materials for internal use and external shipment.
• Recordkeeping. Policies on which records are kept, by whom, where, and for how long (ITAR requires 5-year retention minimum).
• Administrative reporting. Tracking and timely submission of reports DDTC requires under various ITAR sections (Technical Assistance Agreements, Manufacturing License Agreements, Section 126.5 Canadian exemption reporting, and others).
• Training. Initial and ongoing training of employees on how ITAR applies to their roles and on red-flag recognition.
• Auditing and voluntary disclosure. Internal audits of compliance program effectiveness, plus procedures for investigating potential violations and filing voluntary disclosures with DDTC.

A compliance program is not a binder you create once and forget. It is a living system that adapts as your business changes, as the ITAR is amended, and as enforcement priorities shift. The most effective programs are tailored specifically to the company's products and operations — generic off-the-shelf templates rarely survive scrutiny when DDTC actually visits.

The Empowered Official role

Every DDTC-registered company must designate at least one Empowered Official. This is not a job title — it is a regulatory designation under 22 CFR §120.67. The Empowered Official carries personal responsibility for compliance certifications and is the company's binding signatory on ITAR licenses and registrations.

Who can be an Empowered Official

Per the regulations, an Empowered Official must be a US person who:

• Is directly employed by the registered company (not a contractor)
• Has authority within the company to commit it to legally binding actions
• Has authority to inquire into and audit applications for compliance
• Has authority to refuse to sign any submission they believe to be inaccurate
• Has actual knowledge of the company's operations relevant to the submissions

This is a meaningful responsibility. The Empowered Official's signature on a DDTC license application certifies, under federal law, that the company will comply with applicable ITAR rules. Signing inaccurately exposes the individual to personal civil and criminal liability. This is why mid-level managers, sales staff, and external consultants are not appropriate Empowered Officials — they typically lack the authority to bind the company and the knowledge to verify accuracy.

Most companies designate a senior compliance executive, a general counsel, or a senior operations leader as Empowered Official. Larger companies designate multiple Empowered Officials with defined scopes of authority. The names are filed with DDTC and updated when personnel changes.

ITAR vs EAR vs OFAC: which one applies to you

US export controls are spread across three different regulatory regimes administered by three different federal agencies. Knowing which one applies to which products and transactions is foundational to running any export compliance program.

For most US defense suppliers, ITAR is the primary regime — but EAR and OFAC always apply alongside it. A single product line can have ITAR-controlled components, EAR-controlled components, and need OFAC clearance for the end destination. Treating these as separate silos creates gaps. The most effective compliance programs cover all three under one umbrella.

For broader context on how export controls fit into standard commercial export operations, our piece on exporting goods walks through the full US export framework including AES filing, EAR commercial classifications, and how compliance disciplines transfer across product categories.

How to answer "ITAR Certified" questionnaires honestly

You are going to see this question on supplier registration forms, prime contractor questionnaires, and bid documents for years to come, regardless of whether the term is technically accurate. The trick is to answer in a way that is honest, defensible, and useful to the requester.

What honest answers actually look like

The better answer accomplishes three things. It tells the prime exactly what they want to know, it does not overstate your status, and it leaves you defensible if anyone later asks whether your statements were accurate. Most experienced compliance officers strongly prefer the second style of answer — it tells them they are dealing with a supplier who actually understands the rules.

Penalties for ITAR violations

The penalty regime under ITAR is among the most severe in US regulatory law. The numbers below should make clear why compliance is not just a checkbox exercise.

• Civil penalties up to approximately $1.3 million per violation, adjusted annually for inflation. A single shipment of an unlicensed item can constitute multiple violations.
• Criminal penalties up to $1 million per violation and up to 20 years imprisonment per count for willful violations.
• Debarment. Companies and individuals can be debarred from future participation in defense exports, effectively ending the business line.
• Statutory denial. Loss of US government contracting privileges, federal contract terminations.
• Suspension of registration. DDTC can suspend a company's registration, immediately blocking any new licensing activity.
• Loss of access to controlled data. Prime contractors will revoke access to controlled technical data, ending current contracts.
• Reputational damage. Enforcement actions are public. They affect customer relationships, supplier relationships, and recruiting for years.

Voluntary disclosure: the penalty reduction lever

If you discover a potential ITAR violation in your own operations, the smart move is almost always to file a voluntary disclosure with DDTC before the government discovers it independently. Voluntary disclosures, when filed promptly and accompanied by genuine remediation, lead to substantially reduced penalties — and in some cases, no penalty at all. Concealing a known violation is a fast path to maximum penalties when DDTC eventually finds out, which it usually does.

This is why effective compliance programs include a clear voluntary disclosure procedure — who investigates, who reports to management, who prepares the disclosure submission, and what timeline applies. Most companies that handle disclosure well do so because they had the procedure in place before they needed it.

Real 2026 cost to get compliance-ready

Numbers make the abstract concrete. Here is a realistic 2026 budget for a small-to-mid-sized US defense supplier going from "we just got a contract" to "we have an audit-ready ITAR compliance program."

Year-two costs typically drop to around $15,000 to $20,000 once the program is in place, since the documentation, training framework, and infrastructure are already built. The investment looks substantial in absolute terms but is small relative to the value of defense contracts it unlocks — and trivial compared to the cost of a single ITAR violation.

Common mistakes that put suppliers at risk

Most ITAR violations are not deliberate. They trace back to the same handful of preventable mistakes by companies that meant well but did not have the systems in place.

• Treating registration as the end goal. The registration letter is the start of compliance, not the finish line. Without a real program, registration alone provides almost no protection.
• Missing the deemed export issue. Releasing controlled technical data to foreign-national employees inside the US is an export. Without a deemed export license, this is one of the most common violations.
• Generic compliance program templates. A program copied from another company rarely fits your specific operations. DDTC sees through generic documentation quickly.
• Inadequate restricted party screening. Screening only the immediate buyer misses end users, intermediaries, banks, and freight forwarders. Effective screening covers the entire transaction chain.
• Skipping training. Employees who do not understand the basics make mistakes. Annual, role-appropriate training is non-negotiable.
• No voluntary disclosure procedure. Discovering a violation without a clear internal process for handling it leads to delays, concealment, and maximum penalties when DDTC finds out.
• Outdated USML classifications. Products change. Specifications evolve. Classifications can shift. Reviewing classifications periodically is essential.
• Letting the Empowered Official designation lapse. If your Empowered Official leaves the company without prompt designation of a replacement, your compliance posture has a serious gap.
• Not handling FOCI disclosures. New foreign investors, board changes, or ownership changes must be reported to DDTC. Missing these notifications can invalidate registration.
• Confusing ITAR with CMMC. Both apply to defense suppliers, but they are different regimes. Cybersecurity (CMMC) compliance does not satisfy ITAR, and vice versa.

"ITAR Certified is the question the industry uses. Real compliance is the answer your defense customers actually need. Knowing the difference is what separates suppliers who win long-term contracts from suppliers who lose them at the first audit."

Frequently asked questions

Read more on export compliance and global trade

If this guide was useful, here are related resources from our blog that go deeper on adjacent topics.