ITAR Compliance Consultants: Who to Hire, What It Costs, and What to Verify First

Many defense contractors who search “ITAR compliance consultants” don’t actually need an ITAR consultant first. “ITAR consultant” is one label for at least five different jobs — classification, DDTC registration, licensing, data-security controls, and violation response — and the right first hire depends on what triggered your search. Hire the wrong one, and you’ll pay to solve the wrong problem.
That’s the whole game on this page: matching your situation to the right kind of help before you request quotes, so you don’t buy a $45,000 compliance program when your real issue is a foreign-national engineer with access to a drawing — or buy a cybersecurity platform when what you needed was a one-page jurisdiction call.
A warning that is not boilerplate on an ITAR page: do not type CUI, drawings, technical data, or contract details into any web form. We’ll explain why below.
Which kind of “ITAR consultant” do you actually need?
| Your situation | Start here | Don’t start here |
|---|---|---|
| Not sure if your part, drawing, software, or service is even ITAR-controlled | Export-control consultant or export attorney (classification) | A generic MSP or a CMMC assessor |
| A prime says you need DDTC registration | ITAR consultant or export attorney | A C3PAO |
| You need an export license, TAA, or MLA | Export-control consultant (+ attorney for higher-risk matters) | A cloud vendor |
| Foreign nationals (employees, vendors, visitors, overseas admins) can access technical data | Export-control consultant + attorney + IT/security controls | An HR-only process |
| Your drawings/CAD/technical data live in email, file shares, or the cloud | ITAR-aware MSP/MSSP or CUI enclave provider, plus an export-control consultant | A “GovCloud fixes everything” pitch |
| Your ITAR data is also CUI under a DoD contract | CMMC-capable MSP/MSSP/RPO or CUI enclave, plus export-control help | An ITAR-only consultant who ignores CMMC |
| You think a violation may have already happened | Export-control attorney first | A sales-led “free consultation” intake form |
| You’re ready for a formal CMMC assessment | A C3PAO (the contract sets the level) | The same firm that remediated you |
Not sure which row is yours? Run the quick triage further down — it sorts you into one category using non-sensitive questions only. And a warning: do not type CUI, drawings, technical data, or contract details into any web form.
Which ITAR compliance consultants should you hire first — and when do you need someone else?
The right first hire depends on your trigger, not on a generic “ITAR consultant” label. Classification questions and DDTC registration point to an export-control consultant or attorney; a possible violation points to an attorney first; technical data in email or the cloud points to an IT/security provider; and a CUI/CMMC contract clause points to a CMMC provider category — usually with export-control help alongside it.
We built the table below because nobody else publishes it. Every page ranking for this term is a firm selling one of these categories and quietly implying it’s the answer to all of them. It isn’t. We read the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120–130, which implement the Arms Export Control Act (AECA, 22 U.S.C. § 2778), plus DDTC’s own published guidance.
The DCR ITAR Consultant Fit Matrix
| Your trigger | First category to consider | What the engagement should produce | What that category can’t do | Primary-source checkpoint |
|---|---|---|---|---|
| “We don’t know if our item, drawing, software, or service is ITAR-controlled.” | Export-control consultant or export attorney | A documented USML/EAR classification with written jurisdiction rationale; a Commodity Jurisdiction (CJ) strategy where the answer is genuinely unclear | Guarantee a government outcome; bless a vague “ITAR compliant” claim without doing the classification work | The U.S. Munitions List (USML) is at 22 CFR Part 121 |
| “A prime says we need DDTC registration.” | ITAR consultant or export attorney | Statement of Registration (DS-2032) support in DECCS, an Empowered Official designation, and a renewal calendar | Make registration equal “permission to export” — it doesn’t | 22 CFR § 122.1: registration is required for certain manufacturers, exporters, temporary importers, brokers, and furnishers of defense services |
| “We need to export defense articles or technical data.” | Export-control consultant (+ attorney for higher-risk matters) | License/agreement strategy and package support (DSP-5, TAA, MLA), plus party/end-use/end-user screening | Sign your eligibility certification — only your Empowered Official can | The Empowered Official is defined at 22 CFR § 120.67; your EO signs, not a third party |
| “Foreign nationals can access our technical data.” | Export-control consultant + attorney + IT/security controls | A foreign-person access analysis, a license/exemption strategy, and a Technology Control Plan (TCP) with an access-control matrix | Treat access as a pure HR or citizenship issue — a release of technical data to a foreign person inside the U.S. can itself be an export | 22 CFR § 120.50: releasing technical data to a foreign person inside the U.S. is an export to all countries of that person’s citizenship/permanent residence |
| “Our drawings/CAD/technical data live in email or the cloud.” | ITAR-aware MSP/MSSP or CUI enclave provider (+ export-control consultant) | A data-flow map, a defined access boundary, U.S.-person access controls, and compliant storage/collaboration | Decide your ITAR jurisdiction or whether you need an export authorization | The encryption “carve-out” at 22 CFR § 120.54 sets the conditions for storing unclassified ITAR data in the cloud without an export authorization |
| “Our ITAR data is also CUI under a DoD contract.” | CMMC-capable MSP/MSSP/RPO/GRC/enclave (+ export-control consultant) | A CUI scope map, SSP/POA&M support, NIST SP 800-171 Rev. 2 readiness, and an export-control overlay | Treat CMMC as a substitute for ITAR — or treat ITAR as if it were CMMC certification | NARA’s CUI Registry lists “Export Controlled” as a CUI category; CMMC is governed by 32 CFR Part 170 |
| “We may already have a violation.” | Export-control attorney first | A preservation plan, a voluntary-disclosure strategy, and a corrective-action roadmap under privilege | Replace counsel where privilege, investigation, or enforcement exposure is in play | Civil and criminal ITAR enforcement runs through 22 CFR Part 127; talk to counsel before sharing detailed facts |
| “We’re ready for a formal CMMC assessment.” | A C3PAO for Level 2; DIBCAC for Level 3 after Final Level 2 | A formal assessment and a CMMC status posted in SPRS | Also be the firm that remediated you, without a conflict-of-interest review | Level 3 only applies to systems that already hold Final Level 2 (C3PAO) status (32 CFR § 170.18) |
Here’s the part most consultant pages bury, and we’d rather say it than sell you the wrong thing: an ITAR compliance consultant is often not your first hire. We’re a CMMC and DIB-compliance publication, not an ITAR law firm — which means we have no consulting hours to protect and no reason to steer you. If you’re facing possible enforcement, start with export-control counsel. If your real problem is CUI scope, GCC High, AWS GovCloud, or a CMMC Level 2 environment, you likely need a CMMC provider category — not someone who will spend your first dollars on an ITAR compliance program you already have.
What we can do well is hand you the map — and where your ITAR problem is really a data-security and CMMC problem, that’s squarely our lane.
Map the category before you spend
If your ITAR data also lives under a DoD cybersecurity clause — and for many DIB suppliers it does — the IT side of your problem is a CMMC and NIST SP 800-171 problem. Find My CMMC Path maps your level, CUI scope, environment, and timeline to the right provider category — C3PAO, RPO, MSSP, GRC platform, or CUI enclave. For the export-control side, use the vetting checklist below. Do not submit CUI, drawings, or sensitive contract details.
Quick triage: which provider category should you compare first?
Use this to sort yourself into one category before you start calling firms. Answer for your most pressing trigger — if more than one applies, the violation question always wins. Do not enter CUI, drawings, technical data, screenshots, license applications, or contract details anywhere; this is a routing exercise, not an intake.
- Do you think a violation may have already happened? → Stop and talk to export-control counsel first. Everything else can wait a day; this can’t.
- Is your core question “is this even ITAR / what’s our jurisdiction”? → Export-control consultant or export attorney (classification and a documented jurisdiction call).
- Did a prime tell you to register, and that’s the whole ask? → Export-control consultant (registration support) — then ask what program you’ll still need.
- Do you need to file a license, TAA, or MLA? → Export-control consultant, with an attorney for higher-risk or complex matters.
- Can a foreign national touch the data? → Export-control consultant + attorney + an IT/security provider to build access controls (this is the deemed-export trap we cover below).
- Is the data sitting in email, file shares, or the cloud — but no DoD CUI clause yet? → ITAR-aware MSP/MSSP or CUI enclave provider, plus export-control help.
- Is there a CUI or CMMC clause in your contract? → A CMMC provider category (RPO/MSP/MSSP/GRC/enclave), plus export-control help. Start with Find My CMMC Path.
- Are you remediated and ready for a formal assessment? → A C3PAO (Level 2) — and only the firm that didn’t remediate you.
If you landed on a CMMC/IT category, the fastest next step is to compare provider categories with Find My CMMC Path →. If you landed on classification, registration, licensing, or counsel, the cost ranges and vetting questions below will save you a bad hire.
What does an ITAR compliance consultant actually do?
An ITAR compliance consultant helps you operationalize export-control obligations: classifying your products and technical data against the USML, supporting DDTC registration, building an export-compliance program, writing a Technology Control Plan, running training and audits, and preparing license and agreement packages. They prepare, organize, analyze, and implement — but your company still owns the statements, the decisions, and the signatures.
DDTC publishes Compliance Program Guidelines that describe what an effective ITAR compliance program contains. They are guidance, not a substitute for the AECA and the ITAR themselves, and DDTC is explicit that a program should be tailored to your organization’s controlled activities, risk, and size — not copied from a template.
Here are the deliverables a credible engagement produces, and the one thing to verify on each.
| Deliverable | What it should include | What to verify |
|---|---|---|
| Classification / applicability | An inventory of products, data, and services with a documented USML/EAR analysis and rationale | Do they document assumptions and uncertainty, or just assert “it’s ITAR”? |
| DDTC registration support | DS-2032 / DECCS preparation and an Empowered Official checklist | Do they tell you plainly that registration is not export permission? |
| Export compliance program | Policies, procedures, management commitment, roles, and a written manual | Does it map to DDTC’s program elements? |
| Technology Control Plan (TCP) | Foreign-person access controls, visitor and vendor controls, and data-access rules | Does it cover technical data, not just physical inventory? |
| Training | Role-based training for engineering, sales, shipping, HR, and IT | Does it cover deemed-export and foreign-person risk? |
| Recordkeeping | License/exemption records, export records, and classification records | Does it align with ITAR recordkeeping requirements? |
| Audit / risk assessment | Risk scoring, findings, and a corrective-action plan | Does it use real DDTC risk categories, not a generic checklist? |
| Licensing support | DSP-5, DSP-61, DSP-73, TAA, and MLA package preparation | Who signs? Who certifies? Who owns the statements? (Answer: you do.) |
The eight areas DDTC expects an effective program to cover: management commitment; DDTC registration, jurisdiction and classification, and authorizations; recordkeeping; detecting, reporting, and addressing violations; training; risk assessment; audits and compliance monitoring; and a written export-compliance manual. Ask any consultant to show how their work maps to all eight — it’s the fastest way to tell a real program from a binder of templates.
What an ITAR consultant can’t do for you
A consultant can prepare, analyze, train, document, and implement — but the regulated company still owns its export decisions, its statements, and its signatures. The clearest example: your eligibility certifications must be signed by your own Empowered Official, on your letterhead. A consultant or law firm can’t make that certification on your behalf.
This is where money gets wasted, so let’s be specific.
They can’t make you “ITAR certified.” There is no such thing. No U.S. agency certifies a company as “ITAR certified.” What the regulations require is registration with DDTC when § 122.1 applies. Any consultant who promises to make you “ITAR certified” has just told you they don’t understand the regime. Walk away.
They can’t turn registration into export permission. Registration under § 122.1 is primarily a way for the government to know who’s in the business. It does not, on its own, grant the right to export anything. “We’re registered” is not “we can ship that.”
They can’t sign your Empowered Official certification. Your Empowered Official — a U.S. person with the authority to bind the company, defined at § 120.67 — signs your certifications. A consultant who says “we’ll sign it for you” is offering you a problem, not a service.
They can’t guarantee an outcome. No consultant can promise a license approval, a favorable classification, a clean audit, or an enforcement result. Anyone who guarantees DDTC approval is selling certainty that doesn’t exist.
They can’t fix your cloud by writing a policy. If ITAR-controlled technical data is sitting in uncontrolled email, file shares, or CAD systems, the work is technical — data-flow mapping, access controls, and sometimes a secure enclave or government cloud. A policy document doesn’t change who can actually open the file.
They can’t replace counsel when there’s legal exposure. A possible violation, a DDTC inquiry, a subpoena, a voluntary-disclosure decision — those belong with an export-control attorney first, for privilege and strategy. A good consultant will tell you that, not paper over it.
How do you know if ITAR even applies — before you hire anyone?
ITAR may apply if you manufacture, export, temporarily import, broker, or furnish defense articles, defense services, or technical data covered by the U.S. Munitions List. The safe way to find out is not to upload your drawings — it’s to write a short, non-sensitive description of your activity and let a classification specialist or attorney make the call.
Most contractors land here after a prime’s flow-down language, a new contract, or a quiet realization that the files they email around might be export-controlled. Before you spend a dollar, run the four-question pre-check.
The four-question pre-check
- Do you design, build, modify, test, integrate, repair, or support anything that might appear on the USML (22 CFR Part 121)?
- Do you handle technical data tied to a defense article — drawings, specs, source code, process data?
- Can foreign persons — employees, vendors, visitors, or overseas IT admins — access that data?
- Does a contract, prime, or customer reference ITAR, EAR, DDTC registration, CUI, or CMMC?
If you answered yes to any of these, ITAR is at least in play, and a documented classification is the responsible first step.
The registration trigger. A person engaged in the U.S. business of manufacturing, exporting, or temporarily importing defense articles, furnishing defense services, or engaging in brokering activities under ITAR Part 129 is required to register with DDTC under § 122.1 unless an exemption applies. Registration is annual and runs through DECCS, the Defense Export Control and Compliance System.
The deemed-export trap. This is the one small contractors miss most. Under § 120.50, releasing technical data to a foreign person inside the United States is treated as an export — to all countries in which that person has held or holds citizenship, or holds permanent residence. So an engineer who is not yet a lawful permanent resident or protected individual, an overseas help-desk contractor, or a foreign vendor with network access can create a deemed-export issue — even if the file never physically leaves your building. This is why “we only operate in the U.S.” is not a reason to skip the analysis.
How much do ITAR compliance consultants cost in 2026?
There is no official ITAR consultant price list. The private-service ranges below are market-observed sanity checks — drawn from published vendor pricing and 2025–2026 practitioner cost write-ups, not regulatory figures or quotes — so use them to pressure-test written proposals, not as a substitute for one. As a rough map: registration help runs about $1,000–$3,000 plus the DDTC fee; a real gap assessment runs roughly $5,000–$20,000+; a full compliance-program build runs about $20,000–$75,000+; a standard TAA runs about $5,000–$8,000; and a complex MLA runs about $15,000–$20,000+.
ITAR consulting cost reality (market-observed, 2025–2026)
| Engagement | Typically includes | Observed range | Red flag / note |
|---|---|---|---|
| DDTC registration assist | DS-2032 filing support + DECCS setup | ~$1,000–$3,000 (+ DDTC fee below) | “We’ll make you ITAR certified” = walk away |
| Gap / risk assessment | Interviews, document review, a written findings report | ~$5,000–$20,000+ | Under ~$2,000 is a red flag — that work can’t be done responsibly |
| Full compliance-program build | Program + TCP + procedures + training | ~$20,000–$75,000+ | A template “program” sold as complete is compliance theater |
| USML classification / CJ support | Order-of-review analysis; CJ filing support | ~$2,500–$10,000+ per determination | Undocumented “EAR99” self-classification is a problem |
| Single license (DSP-5) prep | Drafting and submission support | ~$1,500–$5,000 | Ask their Return Without Action (RWA) rate |
| Technical Assistance Agreement (TAA) | Drafting a standard single-category TAA | ~$5,000–$8,000 | DDTC follow-up questions add unpredictable cost |
| Complex Manufacturing License Agreement (MLA) | Multi-party/multi-category, provisos | ~$15,000–$20,000+ | Confirm what “complex” means in writing |
| Voluntary-disclosure support | Fact-gathering, drafting, corrective actions | Highly variable; can escalate | Usually involves an attorney — don’t go solo |
| Retainer / outsourced Empowered Official support | Part-time export-compliance function | ~$1,500–$10,000+/month | Match the monthly hours to your real activity level |
| ITAR-data IT environment | Encrypted collaboration / CUI enclave (per user) + setup | ~$20–$40/user/month + implementation | If the vendor can read your files, that’s a problem |
DDTC annual registration fees (set by rule — primary-sourced)
DDTC raised registration fees for the first time since 2008. The increase took effect January 9, 2025 (Federal Register, “ITAR: Registration Fees,” 89 FR 99081; current amounts on the DDTC fee page).
| Tier | Who it covers | Annual fee |
|---|---|---|
| Tier 1 | First-time registrants; renewals with no favorable determinations in the lookback period; all brokers; certain tax-exempt orgs | $3,000 — a $500 discount (to $2,500) is available through DECCS if $3,000 is at least 1% of your prior-year total revenue and you apply at least 30 days before expiration (a roughly one-year pilot) |
| Tier 2 | Renewals with 5 or fewer favorable determinations in the lookback period | $4,000 |
| Tier 3 | Renewals with more than 5 favorable determinations | $4,000 + $1,100 × (determinations over 5); a Total License Value discount may cap the fee at the greater of 3% of total approval value or $4,000 |
One more cost reality that most pages get wrong: the civil penalty for an AECA/ITAR violation. The maximum civil penalty is the greater of $1,271,078 or twice the value of the transaction, per violation, under 22 CFR § 127.10. For 2026, that figure stayed at the 2025 level because the government shutdown blocked the inflation calculation — but the exposure is the same. The criminal exposure is unchanged: up to $1,000,000 and up to 20 years in prison under the AECA (22 CFR § 127.3). Which is exactly why the cheap-and-vague quote is the expensive one.
Pressure-test the quote, not just the price
Before you accept any proposal, run the prospective firm through the vetting questions below, or use the quick triage to confirm you’re even shopping the right category. If the IT/CMMC side is in scope, compare provider categories with Find My CMMC Path → so you’re not paying a cybersecurity firm to answer an export-control question, or vice versa.
ITAR, CMMC, and CUI: where they overlap — and where buyers overbuy
ITAR and CMMC are not the same thing. ITAR is an export-control regime run by the State Department; CMMC is a DoD cybersecurity verification framework for FCI and CUI. They overlap when ITAR-controlled technical data is also CUI in a covered DoD contract environment — common, but not automatic. When that data is CUI under a contract carrying DFARS 252.204-7012, that clause requires NIST SP 800-171 protection on the systems that handle it, and CMMC verifies the level your contract requires.
This is the single biggest source of overspending we see, in both directions: ITAR-only consultants who ignore the cybersecurity clause in your contract, and IT vendors who imply a government cloud “covers” your ITAR obligations. Neither is true.
| What the rule says | What it means for you | What it does not mean |
|---|---|---|
| ITAR (22 CFR 120–130) controls defense articles, services, and technical data on the USML | If your data is ITAR technical data, export-control rules govern who can access it and where it can go | That ITAR automatically equals CMMC, or that registration equals permission to export |
| NARA’s CUI Registry lists “Export Controlled” as a CUI category | ITAR/EAR information can be CUI when a law, regulation, or government-wide policy requires safeguarding — common on DoD contracts | That every ITAR item is CUI in every business context; CUI status depends on the contract and how the data is handled and marked |
| DFARS 252.204-7012 requires NIST SP 800-171 protection for covered defense information on covered contractor systems | When your ITAR technical data is covered defense information / CUI under a 7012 contract, the systems that store, process, or transmit it must meet NIST SP 800-171 Rev. 2 | That a policy document or a cloud logo alone makes you compliant |
| CMMC (32 CFR Part 170; DFARS 252.204-7021) verifies the required level | The contract clause sets whether you need Level 1, Level 2 (self or C3PAO), or Level 3 — not a checklist | That CMMC replaces ITAR, or ITAR replaces CMMC; they are separate obligations with separate regulators |
Where CMMC enters. NIST SP 800-171 Rev. 2 protects the confidentiality of CUI in nonfederal systems, and CMMC Level 2 currently maps to its 110 requirements across 14 control families. The clause that turns CMMC into a contract requirement, DFARS 252.204-7021, became effective November 10, 2025, and CMMC’s enforcement phases run on a published schedule: Phase 1 from November 10, 2025 to November 9, 2026, with Phase 2 enforcement beginning November 10, 2026. That timeline is real urgency — not a manufactured deadline. For where you sit, see our CMMC levels and provider categories explainers.
The cloud and encryption piece — the rule the IT vendors are selling against. In March 2020, DDTC added the encryption “carve-out” at 22 CFR § 120.54 (effective March 25, 2020). Sending, taking, or storing unclassified technical data is not an export if it’s protected by end-to-end encryption meeting FIPS 140-2 (or a comparable 128-bit standard), the means of decryption is never handed to a third party — including the cloud provider — the data is never decrypted in transit, and it isn’t intentionally sent to or stored in a proscribed country (22 CFR § 126.1) or Russia. That’s what lets ITAR data live in commercial cloud at all. But here’s the trap: giving an unauthorized foreign person access to the unencrypted data — or the keys, passwords, or access codes — is still a controlled release under § 120.50. So when an IT provider says GovCloud or GCC High “solves ITAR,” the honest answer is: the environment can satisfy the carve-out if you hold the keys and control access — it does not make your classification, registration, or licensing obligations disappear.
If the cloud and CUI side is where you’re stuck, these go deeper: GCC High cost and licensing, AWS GovCloud for CMMC, Azure Government for CMMC, CMMC secure enclave, and CUI email encryption for CMMC.
This is where buyers overbuy fastest
Don’t buy IT help blind, and don’t let an ITAR consultant quietly skip your cybersecurity clause. Find My CMMC Path maps your level, CUI scope, assessment type, environment, and timeline to the right provider category before you request quotes. Do not submit CUI, drawings, or sensitive contract details.
How do you vet an ITAR consultant before you take a sales call?
Vet an ITAR consultant by asking what they’ll decide, what they’ll only support, what they won’t sign, how they handle your sensitive data, how they stay current, and when they refer you to counsel. The market has no licensing requirement — anyone can use the title “ITAR consultant” — so a credible one proves it through specifics, sources, and clear limits, not credentials alone.
Print this, and ask it on the first call. It doubles as your proposal-review checklist.
| Ask this | Strong answer | Red flag |
|---|---|---|
| What ITAR work do you actually perform? | Classification, DDTC registration support, program build, TCP, training, audits, licensing support | “We make you ITAR certified” |
| Do you handle EAR too? | A clear ITAR/EAR split and when BIS analysis is needed | Treats ITAR and EAR as interchangeable |
| Who signs the eligibility certifications? | “Your Empowered Official signs.” | “We sign it for you.” |
| How do you handle our technical data during intake? | A secure process after engagement; never a public-form upload | Asks you to send drawings right away |
| When do you refer to counsel? | Possible violation, disclosure, enforcement, privilege, complex jurisdiction | “You never need an attorney.” |
| Do you support the CMMC/CUI overlap? | A clear handoff to the right CMMC provider category | “ITAR automatically means CMMC Level 2.” |
| What deliverables are included? | A written scope with outputs, assumptions, and exclusions | Vague “consulting hours” |
| What sources do you use? | ITAR/eCFR, DDTC guidance, NARA CUI, NIST, DFARS where relevant | No source mapping |
| How current is your guidance? | A version- and date-based update process | “We’ve done this for years” — and nothing more |
One credential worth asking about: the ECoP® (Export Compliance Professional), a voluntary certification for individuals offered by the Export Compliance Training Institute. It certifies a person’s export-control knowledge — it is not a company “ITAR certification,” and you should be skeptical of anyone who blurs the two.
Red flags that should make you walk away
- “We’ll get you ITAR certified.”
- “DDTC registration means you can export.”
- “GovCloud supersedes ITAR and CMMC.”
- “If ITAR is mentioned, you always need GCC High.”
- “You never need a lawyer.”
- “We can sign the DDTC certification for you.”
- “Just upload the drawings here.”
- “CMMC compliance equals ITAR compliance.”
- “ITAR automatically means a Level 2 C3PAO assessment.”
- “We guarantee approval / certification.”
- “We don’t provide written deliverables.”
- “We can remediate you and formally assess you for CMMC with no conflict-of-interest review.” (CMMC assessor-independence rules exist for a reason — the firm that fixes you generally shouldn’t be the firm that certifies you.)
Use the checklist before the sales call
Run a prospective firm through the questions above, or run the quick triage to confirm the category to compare first — export consultant, attorney, MSP/MSSP, enclave, GRC, RPO, or C3PAO. If the CMMC/IT side is in scope, get matched with source-checked provider categories →
What the RTX $200 million ITAR settlement teaches a small contractor
On August 29, 2024, RTX Corporation entered a consent agreement with the U.S. Department of State to resolve alleged civil AECA and ITAR violations — a $200 million civil penalty, with $100 million suspended on the condition it funds approved remedial compliance measures. The lesson for a small contractor isn’t the dollar figure. It’s the root cause: the violations stemmed largely from jurisdiction and classification errors. The boring, foundational work is the work.
We pulled the details from RTX’s own SEC Form 8-K and the State Department’s announcement. The consent agreement covers roughly 750 alleged AECA/ITAR violations (reported as occurring between August 2017 and September 2023), runs for three years, and requires an external Special Compliance Officer and an external audit of RTX’s compliance program. Notably, the violations arose from RTX’s own voluntary disclosures, and — in RTX’s words — the majority resulted from “historical jurisdiction and classification errors in acquired and merged companies’ ITAR compliance programs.”
Read that last part again, because it’s the whole point. A $200 million ITAR settlement traces back to companies getting classification and jurisdiction wrong — the exact first step an export-control consultant exists to get right.
To be clear: RTX is a major defense prime, and its settlement is not a typical small-business outcome. We won’t pretend it is. But it proves that classification, authorizations, foreign-person access control, training, and compliance-program evidence are not paperwork theater. They’re the difference between a clean record and a consent agreement. And if you’re weighing whether a violation needs disclosing, that decision belongs with counsel first — voluntary disclosure can be the right move and is often treated as a mitigating factor, but the strategy and privilege call is a legal one.
The right first hire, by contractor profile
A 10-person machine shop, a software firm with foreign developers, and a mid-sized aerospace exporter don’t need the same first engagement. Find yourself below — you’ll see the likely first hire, the first deliverable to ask for, the thing not to buy yet, and why.
Small machine shop with new defense drawings
Likely first hire: an export-control consultant, plus an ITAR-aware MSP if those drawings live in email, CAD, or file shares.
First deliverable: a non-sensitive scoping call, a USML/technical-data classification, a DDTC registration determination, and a data-flow map.
Don’t buy first: a formal C3PAO assessment, unless a contract requires it and you’re actually ready.
Why: classification comes before everything (22 CFR Part 121), and registration may be required even for domestic-only manufacturing (§ 122.1).
Aerospace manufacturer that exports
Likely first hire: an export-control consultant, plus an attorney for license/TAA/MLA work.
First deliverable: a jurisdiction/classification memo, an authorization inventory, and a licensing roadmap.
Don’t buy first: a generic cybersecurity platform as a stand-in for export-control work.
Why: exporting defense articles or technical data requires authorization, and registration alone doesn’t grant it (§ 122.1).
Engineering or software firm with foreign developers
Likely first hire: an export attorney plus a consultant, plus an IT/security provider.
First deliverable: a foreign-person access analysis, a technical-data flow map, and access controls.
Don’t buy first: “ITAR training only.” Training without access controls leaves the actual risk in place.
Why: releasing technical data to a foreign person inside the U.S. can itself be an export (§ 120.50).
DIB subcontractor with ITAR-controlled CUI and a CMMC Level 2 clause
Likely first hire: an export-control consultant plus a CMMC RPO/MSP/MSSP/GRC/enclave.
First deliverable: a CUI scope map, an ITAR technical-data map, and a CMMC provider-category plan.
Don’t buy first: a C3PAO assessment before you’re remediated and ready.
Why: export-controlled information can be CUI (NARA Export Controlled), which pulls in DFARS 252.204-7012 and CMMC. Start with Find My CMMC Path.
Company that may have shared something it shouldn’t have
Likely first hire: export-control counsel, first.
First deliverable: a privileged facts review and a disclosure strategy.
Don’t buy first: a public-form “free consultation” where you casually type in controlled details.
Why: civil and criminal enforcement runs through 22 CFR Part 127; privilege matters from the first conversation.
What to prepare before you reach out (and what never to send)
Prepare a short, non-sensitive intake summary — not the controlled files themselves. The goal is to help a provider identify the likely category of issue without you submitting CUI, drawings, technical data, or contract details through a web form. For ITAR specifically, that warning is not boilerplate: putting technical data where an unauthorized person could see it can itself be a violation.
A safe intake summary covers the shape of your situation, not the controlled content:
- Company type: manufacturer, engineering, software, aerospace, machine shop, reseller, broker, research, other
- A general description of what you make or do — no technical specifics
- Whether a prime or customer mentioned ITAR, EAR, CUI, CMMC, DFARS, or DDTC registration
- Whether you manufacture and/or export
- Whether foreign persons may access data or facilities
- Where technical data lives: email, CAD, file share, ERP, Microsoft 365, AWS, Azure, or vendor tools
- Whether you already hold DDTC registration
- Whether you have export licenses, TAAs, MLAs, or DSP history
- Whether you have a possible-violation concern
- Whether CMMC Level 1, 2, or 3 appears in a solicitation or contract
What’s changed in ITAR recently — and what’s coming
The 2024–2026 stretch brought several material ITAR changes in close succession. The AUKUS license-free exemption (§ 126.7) took effect September 1, 2024 and was finalized December 30, 2025; DDTC raised registration fees for the first time since 2008, effective January 9, 2025; and the 2026 civil-penalty figure stayed at the 2025 level after a government shutdown blocked the inflation calculation.
The AUKUS exemption (§ 126.7). Authorized by the FY2024 National Defense Authorization Act, this interim final rule took effect September 1, 2024 and allows license-free defense trade among “authorized users” within the U.S., the UK, and Australia, subject to an Excluded Technology List. A final rule published December 30, 2025 refined it and added a § 126.7(c) exemption for certain reexports, retransfers, and temporary imports supporting U.S., UK, or Australian armed forces. According to State Department figures reported around the final rule, more than 700 Australian and UK entities had registered as authorized users, and roughly 18% of proposed transfers remained ineligible under the Excluded Technology List. If you trade with UK or Australian partners, verify your transfer’s eligibility against the current § 126.7 and the Excluded Technology List.
The 2026 penalty position — the detail most pages miss. The maximum civil penalty for an AECA/ITAR violation is the greater of $1,271,078 or twice the value of the transaction, per violation, under 22 CFR § 127.10. That figure is normally adjusted for inflation every January. For 2026, it wasn’t: the government shutdown meant the Bureau of Labor Statistics didn’t publish the October 2025 CPI data the adjustment formula needs, so OMB directed agencies — DDTC included — to continue at 2025 levels. The criminal exposure is unchanged: up to $1,000,000 and up to 20 years in prison under the AECA (22 CFR § 127.3).
Active rulemaking to watch. DDTC has a proposed rule revising the definition of “defense services,” along with periodic amendments across Parts 120 and 126. If you’re standing up a program now, build it to be updated, not frozen — which is also a question to ask any consultant.
Frequently asked questions about ITAR compliance consultants
What is an ITAR compliance consultant?
An ITAR compliance consultant helps a company understand and operationalize obligations under the International Traffic in Arms Regulations — usually through classification support, DDTC registration support, compliance-program development, training, risk assessments, audits, Technology Control Plans, and licensing support. The regulated company still owns its export decisions, statements, and signatures.
Do I need an ITAR consultant or an export attorney?
Use a consultant for implementation, documentation, training, registration support, and day-to-day operational compliance. Start with an export attorney when there may be a violation, a voluntary-disclosure decision, enforcement exposure, a privilege concern, a complex jurisdiction dispute, or a high-stakes legal interpretation.
Can an ITAR consultant register my company with DDTC?
A consultant can help prepare your Statement of Registration (DS-2032) and guide you through the DECCS portal, but your company owns the statements and responsibilities. Under 22 CFR § 122.1, registration does not, by itself, grant the right to export.
Can an ITAR consultant sign DDTC certifications for us?
No. Your eligibility certifications must be signed by your own Empowered Official — a U.S. person with authority to bind the company, defined at 22 CFR § 120.67. A consultant or law firm cannot make that certification on your behalf.
Is there an official ITAR certification?
No. There is no government “ITAR certification.” The law requires DDTC registration (when applicable) plus an active, documented compliance program. Treat any vendor selling “ITAR certified” status as a red flag.
How much do ITAR compliance consultants cost?
Market-observed 2025–2026 ranges run from about $1,000–$3,000 for registration help (plus the $3,000–$4,000+ DDTC fee) to about $20,000–$75,000+ for a full compliance-program build, with TAAs around $5,000–$8,000 and complex MLAs around $15,000–$20,000+. A “gap assessment” priced under about $2,000 is a warning sign. Confirm any number with written quotes.
Is ITAR the same as CMMC?
No. ITAR is an export-control regime administered by the State Department (DDTC). CMMC is a DoD cybersecurity framework that verifies protection of FCI and CUI, governed by 32 CFR Part 170 and DFARS 252.204-7021. They overlap, but they are different obligations with different regulators.
Is ITAR-controlled technical data always CUI?
Not in every business context, but often yes on a DoD contract. NARA’s CUI Registry lists “Export Controlled” as a CUI category that includes ITAR and EAR information, so ITAR technical data on a DoD program is frequently also CUI — which can pull in DFARS 252.204-7012 and NIST SP 800-171. Whether it does depends on your contract and how the data is marked and handled.
Do I need GCC High if I have ITAR data?
Not automatically. The answer depends on your data, your access model, your contract requirements, your CUI scope, and whether your current environment can enforce U.S.-person access and the § 120.54 encryption conditions. A government cloud can support compliance; it does not replace classification, registration, or licensing.
Can an MSP be my ITAR consultant?
Usually not by itself. An MSP or MSSP can implement the technical controls for ITAR-controlled data, but classification, DDTC registration, licensing, and legal exposure require export-control expertise. Most contractors who need both end up with an export-control consultant and an IT/security provider.
What is a Technology Control Plan?
A Technology Control Plan (TCP) is an operational plan for controlling access to export-controlled technical data — covering foreign-person access, visitor and vendor access, data storage, training, and procedures. It’s a core deliverable for any company with foreign-person access risk.
What should I never send through a website form?
Never send CUI, drawings, CAD files, technical data, license applications, screenshots of controlled systems, or sensitive contract details. For ITAR data, exposing it to an unauthorized person can itself be a violation. Use forms for routing only.
What if a prime tells us to “get ITAR registered”?
Confirm whether registration is legally required under 22 CFR § 122.1 or whether it’s a contractual flow-down requirement from the prime — they’re not always the same. A classification step usually answers it.
Can an ITAR consultant help with a voluntary disclosure?
A consultant can help organize facts and corrective actions, but if a violation may have occurred, start with export-control counsel before sharing detailed facts broadly. Privilege and disclosure strategy are legal decisions.
What’s the difference between ITAR and EAR consulting?
ITAR (State Department / DDTC) covers defense articles, defense services, and related technical data on the USML. EAR (Commerce Department / BIS) covers dual-use and commercial items on the Commerce Control List. Many companies need both analyzed before they can even define the right provider scope.
Make the next move with less risk
You came here to figure out who to hire. The honest answer is that it depends on what triggered your search — and now you have the map to tell which kind of help your situation actually calls for, what it should cost, and how to spot the firms to avoid.
If your ITAR data also lives under a DoD cybersecurity clause — and for many DIB suppliers, it does — the IT and CMMC side of your problem is where we can route you with confidence.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Need to sort the ITAR side first? Use the quick triage and the vetting questions to identify the category — without submitting CUI, drawings, technical data, or contract details. For CMMC and IT categories, Find My CMMC Path can route you to source-checked provider options. For classification, registration, licensing, or a possible violation, take the vetting checklist to qualified export-control counsel or an experienced export-control consultant.
Disclosure
What we verified
- ITAR is codified at 22 CFR Parts 120–130 and implements the Arms Export Control Act (22 U.S.C. § 2778); the U.S. Munitions List is at 22 CFR Part 121.
- DDTC registration is required under 22 CFR § 122.1 and does not confer export rights. Your Empowered Official (§ 120.67) signs eligibility certifications.
- DDTC registration fees ($3,000 / $4,000 / $4,000 + $1,100), effective January 9, 2025 (89 FR 99081).
- The § 120.54 encryption carve-out (effective March 25, 2020) and the release / deemed-export rule at § 120.50.
- The AUKUS § 126.7 exemption (interim final rule effective September 1, 2024; final rule published December 30, 2025).
- ITAR penalties — civil maximum of $1,271,078 or twice the transaction (22 CFR § 127.10), held at the 2025 level for 2026; criminal up to $1,000,000 and 20 years (22 CFR § 127.3).
- The RTX consent agreement ($200 million; $100 million suspended; ~750 alleged AECA/ITAR violations; three-year term; external Special Compliance Officer and audit; root cause in jurisdiction/classification errors), per RTX’s SEC Form 8-K.
- “Export Controlled” is a CUI category. DFARS 252.204-7012 governs safeguarding covered defense information; 252.204-7021 adds CMMC status and affirmation requirements.
- CMMC is governed by 32 CFR Part 170, mapping Level 2 to NIST SP 800-171 Rev. 2 (110 requirements, 14 families).
Related reading
- Find My CMMC Path — map your level, scope, and timeline to the right CMMC provider category
- CMMC Levels Explained — Level 1, 2, and 3 side-by-side
- CMMC Cost — DoD estimates, market ranges, and what drives your number
- CMMC Provider Categories — RPO/RP, MSP/MSSP, GRC, enclave, or C3PAO compared
- Best CMMC Consultants for Defense Contractors
- CMMC RPO Consultants
- GCC High Cost and Licensing
- AWS GovCloud for CMMC
- Azure Government for CMMC
- CMMC Secure Enclave
- CUI Email Encryption for CMMC
- CMMC Readiness Checklist
- CMMC Compliance for ITAR Companies