The ITAR Statutory Framework
The International Traffic in Arms Regulations, codified at 22 CFR 120 through 130, implement the Arms Export Control Act (AECA), 22 USC 2778. Congress enacted the AECA to ensure that the export of defense articles, defense services, and related technical data advances U.S. foreign policy and national security objectives. The State Department, through the Directorate of Defense Trade Controls, administers the ITAR. This regulatory structure is not primarily a trade law framework. It is a national security framework administered by a foreign policy agency, and that distinction shapes everything about how ITAR intersects with M&A transactions.
ITAR jurisdiction attaches to defense articles enumerated on the United States Munitions List, to defense services, and to technical data directly related to USML-listed items. Unlike the Export Administration Regulations administered by the Commerce Department's Bureau of Industry and Security, the ITAR does not employ a matrix-based licensing structure or a broad license exception framework. The ITAR generally requires a license or other DDTC authorization for any export, temporary import, or brokering of a covered item or service, with limited statutory and regulatory exceptions. The breadth of this requirement becomes acutely relevant in M&A transactions involving a change in ownership, a change in registration, or the transfer of technical data to a new party.
The AECA's legislative history makes clear that Congress intended DDTC to exercise independent judgment about the national security and foreign policy implications of defense trade transactions. DDTC is not a ministerial licensing body. The agency has authority to deny licenses, impose conditions, require audits, and debar companies from participating in future defense trade. In the M&A context, this means that a buyer cannot assume DDTC will automatically approve a change in ownership or that existing licenses will transfer without review. DDTC expects proactive engagement, accurate disclosure, and a demonstrated commitment to compliance from both seller and buyer throughout the transaction process.
The penalties for ITAR violations are severe. Civil penalties under 22 USC 2778(e) reach up to $1,302,326 per violation, adjusted for inflation. Criminal penalties can include fines of up to $1,000,000 per violation and imprisonment of up to 20 years. Debarment from export privileges is a sanction that can effectively end a defense contractor's ability to operate. Understanding the statutory framework is the foundation for understanding why ITAR compliance deserves dedicated attention in every defense M&A transaction, regardless of transaction size.
United States Munitions List Categorization
The United States Munitions List, found at 22 CFR 121, organizes defense articles into 21 categories. These categories span firearms and ammunition (Category I), artillery and projectiles (Category II), ammunition and ordnance (Category III), launch vehicles and missiles (Category IV), explosives (Category V), surface vessels of war (Category VI), ground vehicles (Category VII), aircraft and related articles (Category VIII), military training equipment (Category IX), personal protective equipment (Category X), military electronics (Category XI), fire control systems (Category XII), auxiliary military equipment (Category XIII), toxicological agents (Category XIV), spacecraft systems (Category XV), nuclear weapons related articles (Category XVI), classified articles (Category XVII), directed energy weapons (Category XVIII), gas turbine engines (Category XIX), submersible vessels (Category XX), and miscellaneous articles (Category XXI).
The Export Control Reform initiative, which began in 2010 and concluded its primary phase around 2018, moved a substantial number of items from the USML to the Commerce Control List through a series of final rules. The reform effort was designed to focus ITAR controls on the most sensitive defense articles while allowing commercial items with military applications to be regulated under the less restrictive EAR. Each reformed USML category now includes a positive list of items that remain ITAR-controlled and a note pointing items no longer listed to the corresponding 600 Series ECCNs under the EAR. Understanding where a target company's products and technical data fall within this reformed structure is essential to scoping the compliance obligations that will transfer with the acquisition.
USML categorization analysis in due diligence requires more than reviewing the target's existing export compliance records. Companies misclassify items as EAR-jurisdiction when they should be ITAR-jurisdiction, or maintain stale jurisdiction determinations that predate Export Control Reform. Acquirers should commission an independent technical analysis of the target's product lines, comparing each product's design characteristics against the current positive list language in the applicable USML category. Where jurisdiction is genuinely uncertain, the commodity jurisdiction process under 22 CFR 120.4 provides a formal resolution mechanism.
USML categorization also determines the scope of the technical data obligation. Technical data subject to ITAR controls is defined by reference to the USML category covering the related defense article. Understanding the USML category correctly therefore defines the perimeter of what the buyer is acquiring in terms of regulated information assets, which in turn shapes the Technology Control Plan, the license portfolio, and the post-closing compliance program architecture.
Technical Data: Definition and Scope
Under 22 CFR 120.10, technical data is defined as information, other than software as defined in 22 CFR 120.10(a)(4), that is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. The definition is broader than most practitioners initially assume. It encompasses blueprints, drawings, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices, and software directly related to defense articles. The definition also covers information, other than basic scientific research, that advances the state of the art of an article on the USML.
The ITAR carves out certain categories of information from the technical data definition. Information in the public domain, as defined in 22 CFR 120.11, is not ITAR technical data. General scientific, mathematical, or engineering principles commonly taught in schools and universities are excluded. Basic scientific research information not clearly related to defense articles is excluded. Information released by the U.S. government to the public domain through unlimited distribution, approved for public release, or available at public libraries or newsstands falls outside ITAR jurisdiction. The scope of the public domain exclusion is frequently misunderstood, and companies sometimes over-rely on it to justify sharing information that retains controlled status.
In the M&A context, the technical data inventory of the target is often the most complex ITAR compliance asset to assess. Unlike a physical defense article, technical data exists in distributed form across engineering servers, document management systems, email archives, employee workstations, cloud repositories, and test data systems. A comprehensive technical data inventory must map not just where the controlled data exists but who has access to it, including whether any foreign persons have current or historical access that may have constituted unauthorized deemed exports.
Technical data transfer between the seller and the buyer in an M&A transaction is itself a regulated event. Absent an applicable authorization, transferring ITAR technical data from the seller entity to the buyer entity is an export that requires a license or DDTC approval. Structured correctly, transactions can use the change of registration or new registration process to establish the buyer as the authorized holder of the technical data. Structured incorrectly, the same transfer constitutes an unauthorized export, even when both parties are U.S. companies. Export control counsel must be involved before any technical data is transferred in connection with the transaction.
The Deemed Export Doctrine
The deemed export doctrine, codified at 22 CFR 120.17, treats the release of ITAR-controlled technical data to a foreign person in the United States as an export to that person's country of nationality. The release does not require physical transmission outside U.S. borders. Any visual inspection by, oral briefing to, or electronic transmission to a foreign person in the United States triggers the deemed export rule if the information disclosed constitutes ITAR technical data. The practical consequence is that a defense contractor's internal operations, including its own workforce, are subject to ITAR controls whenever foreign nationals work with or have access to controlled technical data.
In M&A transactions, the deemed export doctrine creates risk at multiple points in the transaction timeline. During due diligence, foreign national employees or representatives of the prospective buyer may seek access to technical data in the virtual data room. At closing, if the buyer's workforce includes foreign nationals who will inherit access to the target's technical data systems, those access grants are deemed exports. Post-closing integration, including consolidation of engineering teams, consolidation of document management systems, and consolidation of IT infrastructure, creates additional deemed export exposure if foreign persons in the combined workforce gain access to controlled information.
Managing deemed export risk requires systematic tracking of foreign person access. The ITAR does not define "foreign person" narrowly. Under 22 CFR 120.16, a foreign person is any natural person who is not a lawful permanent resident or a protected individual under 8 USC 1324b(a)(3), and also includes foreign corporations, international organizations, and foreign governments. Employees on temporary work visas, even those who have worked for a U.S. company for years, are foreign persons for ITAR purposes unless they have obtained lawful permanent resident status. This distinction must inform workforce analysis during due diligence and during integration planning.
Addressing deemed export risk requires either obtaining appropriate DDTC authorization for each foreign national's access to specific categories of controlled technical data or implementing access controls that prevent foreign nationals from accessing controlled data without authorization. The Technology Control Plan is the primary mechanism for implementing and documenting these access controls on an ongoing basis.
DDTC Registration Transfer Mechanics
Any person who engages in the United States in the business of manufacturing or exporting defense articles or defense services must register with DDTC under 22 CFR 122.1. Registration is not a license. It does not authorize the export of any specific defense article or the performance of any specific defense service. Registration is a threshold requirement that establishes the registrant's eligibility to apply for licenses and to engage in ITAR-regulated activities. A company that manufactures USML-listed items without a current ITAR registration violates the AECA regardless of whether it has actually exported anything.
ITAR registrations are not transferable assets in the same sense as a contract or a license. They are issued to a specific legal entity. When an M&A transaction changes the legal entity that holds the registration, the proper course of action depends on the transaction structure. In a stock acquisition where the legal entity survives and continues as the operating entity under new ownership, DDTC generally expects the surviving entity to file a registration amendment using the DS-2032 form to update the ownership information. In an asset acquisition, the buyer must obtain its own ITAR registration before taking possession of any defense articles, technical data, or other ITAR-controlled assets transferred by the deal.
The five-day notification requirement under 22 CFR 122.4(a) for material changes applies to changes in the information submitted in the registration, including changes in ownership. Parties must plan their DDTC notification to coincide with closing. Pre-closing, counsel can prepare the amendment or new registration application so that it is ready to file at closing. DDTC reviews registration changes in the order received, and processing times vary. Buyers who rely on the seller's registration during a post-closing transition period without DDTC authorization create regulatory exposure.
DDTC's review of a change in ownership goes beyond verifying that the paperwork is complete. The agency evaluates whether the new owner or controlling party raises any foreign ownership, control, or influence concerns, and whether the new registration structure supports continued compliance with ITAR obligations. Buyers with significant foreign ownership may face additional scrutiny, and buyers who have prior ITAR enforcement history may need to address that history as part of the registration review. Engaging DDTC early, before the transaction closes, is consistently the approach that produces the most orderly and timely resolution.
Material Change Disclosure Requirements
The ITAR's material change disclosure obligation under 22 CFR 122.4 requires registered persons to notify DDTC whenever any of the information submitted as part of the registration changes. Changes in ownership or control are explicitly listed as material changes. The obligation runs to the registered entity, meaning that the seller has an independent obligation to notify DDTC of the change in ownership, separate from whatever registration steps the buyer must take. Both parties carry notification obligations, and both parties should ensure that their counsel has confirmed the notification is accurate and timely.
Beyond ownership changes, other facts that may trigger material change disclosure include: a change in the company's senior officers listed on the registration, a change in the company's address, a change in the scope of manufacturing or export activities that materially affects the registration, and a change in the company's empowered official. The empowered official is the individual designated under 22 CFR 120.25 to certify export license applications on behalf of the registrant. In post-closing integration, if the seller's empowered official departs or the buyer installs its own empowered official, DDTC must be notified of the change.
Buyers conducting due diligence should verify whether the target has maintained current and accurate registration information throughout its history as a registrant. Companies that have experienced officer turnover, office relocations, or ownership changes in prior transactions may have outdated registration records on file with DDTC. Discovering stale registration information during due diligence creates an opportunity to cure the deficiency before closing. Discovering it after closing means the buyer has acquired a legacy compliance gap that it must now disclose and remediate.
The representations and warranties section of the purchase agreement should specifically address the accuracy of DDTC registration information, the timeliness of prior material change disclosures, and the absence of any pending enforcement actions or voluntary disclosures with DDTC. These representations give the buyer contractual recourse if pre-closing registration failures come to light after closing, but they do not substitute for thorough pre-closing diligence that identifies issues before the transaction closes.
DSP-5 and DSP-85 License Transition
The DSP-5 is the standard application form for a permanent export license under the ITAR, used for the export of unclassified defense articles and related technical data. The DSP-85 is the application form for a temporary import or export of classified defense articles. Both license types are issued to the registered exporter and authorize specific export transactions within defined parameters, including authorized destinations, authorized end users, quantities, and authorized articles. Neither license type is automatically transferable when the registrant changes.
A defense contractor engaged in ongoing export transactions will typically hold a portfolio of active DSP-5 licenses at any given time. These licenses may be supporting active deliveries to foreign customers, ongoing technical assistance agreements, or long-term contracts with foreign governments. When the contractor is acquired, each active license must be individually analyzed to determine whether the change in ownership affects the license's validity and whether DDTC authorization is required to continue operating under the license. DDTC's position is that licenses are issued to a specific legal entity, and that a change in that entity's ownership or structure requires the new entity to obtain its own authorization before continuing the exports covered by the license.
The practical approach to license transition planning is to inventory all active licenses early in the due diligence process, categorize them by the status of shipments or services under each license, identify licenses with near-term deliverables that will be affected by any transition gap, and work with DDTC to develop a transition plan that minimizes disruption to ongoing export activities. In some transactions, DDTC has agreed to allow the successor entity to operate under existing licenses for a defined transition period while new applications are processed. This requires advance coordination with the agency and should not be assumed as a default outcome.
Technical assistance agreements and manufacturing license agreements, which may be approved under separate DDTC authorizations, require similar transition analysis. The buyer must confirm which agreements are currently active, what obligations run under each agreement, and how the change in ownership affects DDTC's authorization of those activities. Overlooking a technical assistance agreement during the license inventory creates post-closing exposure because continuing to provide the authorized services without valid DDTC authorization is an ITAR violation, even if the underlying commercial agreement is otherwise valid.
Technology Control Plan Implementation
A Technology Control Plan is the operational document that governs how a company controls access to ITAR-controlled technical data within its facilities and operations. The TCP is not specifically mandated by the text of the ITAR in every case, but it is a standard requirement imposed by DDTC as a license condition in many export authorizations, and it is required by the Defense Counterintelligence and Security Agency for facilities operating under DSS oversight. Beyond regulatory requirements, the TCP is the practical mechanism through which a defense contractor prevents unauthorized deemed exports by systematically controlling which employees can access which categories of controlled technical data.
A well-drafted TCP includes: an identification of all ITAR-controlled technical data categories the company maintains; a mapping of that data to specific storage locations, systems, and document management platforms; a description of the access control mechanisms that restrict foreign person access; a procedure for vetting employees before granting access to controlled data, including nationality verification; a badging or credentialing system that visually identifies personnel authorized for ITAR access; a visitor control procedure for managing access by third parties, including foreign nationals; an incident reporting procedure for suspected unauthorized disclosures; and a training program for all employees with potential access to controlled data.
In an M&A transaction, the buyer must review the target's existing TCP before closing and determine whether it is adequate for post-closing operations. A TCP written for a smaller company with a homogeneous U.S. workforce may not be sufficient for a combined entity with a larger or more diverse workforce. The TCP must also reflect the buyer's IT systems, access control infrastructure, and document management platforms as integration proceeds. Updating the TCP to reflect post-closing realities is part of the integration workplan, not an afterthought.
If the buyer employs foreign nationals who will be working with or near controlled technical data, the TCP must specifically address how those individuals are badged, what access controls apply to their workstations and systems, and what monitoring or logging procedures confirm that their access remains within authorized parameters. Where a DSP-5 license or DDTC authorization is required for a specific foreign national's access to specific technical data, the TCP must cross-reference that authorization and document the approval date and scope. The TCP is a living document that must be updated whenever the workforce composition, the technical data inventory, or the applicable regulatory requirements change.
Foreign Person Access Controls
Controlling foreign person access to ITAR technical data requires a combination of legal analysis, human resources processes, IT access controls, and physical security measures. The legal analysis begins with determining which employees are foreign persons under 22 CFR 120.16, which requires reviewing immigration status rather than citizenship alone. An employee who is a citizen of a foreign country but holds U.S. lawful permanent resident status is not a foreign person for ITAR purposes. An employee who is a naturalized U.S. citizen is not a foreign person. An employee who is a dual citizen of the United States and another country is generally not a foreign person because U.S. citizenship controls. But an employee on an H-1B, L-1, or any other temporary nonimmigrant visa is a foreign person regardless of how long they have worked for the company.
Human resources processes must be aligned with export control requirements. During onboarding, every employee who will have potential access to ITAR technical data must complete an immigration status disclosure, and HR must communicate that disclosure to the export compliance function before the employee is granted systems access. This requires coordination between HR, IT, and export compliance that many companies, particularly smaller defense contractors, have not systematically implemented. Due diligence should examine whether the target has a documented process for this coordination or whether access control has been informal and inconsistent.
IT access controls are the technical mechanism for enforcing the access policies established in the TCP. Role-based access controls in document management systems, engineering data systems, and file servers should be configured to align with export control authorizations. A foreign national whose access to specific technical data is authorized under a DDTC license should have access only to the data covered by that authorization, not to the full technical data library. Implementing this level of granularity requires IT system architecture that many smaller defense contractors do not maintain before they are acquired by a larger buyer.
Physical access controls at defense contractor facilities include badging systems that distinguish between cleared U.S. persons and foreign nationals, visitor escort procedures for any foreign national present in areas where controlled technical data is accessible, and clean desk or screen lock policies that prevent unauthorized visual access to controlled information. In the post-closing integration period, when two previously separate facilities may be combined or when employees from one entity begin visiting the other entity's facilities, physical access controls must be evaluated and updated before integration activities begin.
Subcontractor Flowdown Requirements
When a prime contractor receives ITAR technical data under a government contract or export license and flows that data down to a subcontractor, the subcontractor receives the data subject to the same ITAR obligations that govern the prime. The prime contractor is responsible for ensuring that its subcontractors handle controlled technical data in compliance with the ITAR, and the prime's export licenses typically include conditions requiring flowdown of export control obligations to all subcontractors who receive controlled data. This flowdown responsibility is a significant compliance obligation that acquirers must understand when buying a prime contractor with an extensive subcontract base.
Due diligence on the subcontract base should examine whether the target's subcontracts contain appropriate ITAR flowdown clauses, whether those clauses accurately reflect the controlled nature of the data being shared, and whether the target has any mechanism for monitoring subcontractor compliance with ITAR obligations. Many prime contractors include boilerplate export control clauses in their subcontracts but do not conduct regular audits or compliance reviews of their subcontractors. A prime contractor that discovers a subcontractor has been mishandling ITAR technical data bears potential liability for that mishandling if the prime failed to exercise reasonable oversight.
In transactions where the target is a major defense prime with hundreds or thousands of subcontractors, a full subcontract audit before closing is often impractical. The parties typically address this through representations and warranties about the adequacy of flowdown clauses in material subcontracts, combined with a post-closing audit commitment that the buyer will conduct a systematic review of the subcontract base within a defined period. Representations about subcontractor compliance should be negotiated carefully, because the seller may have limited visibility into whether subcontractors are actually following the flowdown requirements they agreed to.
The brokering regulations under 22 CFR 129 introduce an additional layer of analysis when the target's subcontract or teaming arrangements involve facilitating the transfer of defense articles or defense services between foreign parties. Activities that constitute brokering under Part 129 require separate DDTC registration as a broker and, in many cases, prior approval before brokering activities may be conducted. The brokering regulations are frequently overlooked in transactions focused on manufacturing or export activities, and the omission can create post-closing compliance exposure if the target has been engaged in arrangements that qualify as brokering without maintaining the required registration.
ITAR vs. EAR Jurisdiction: The 500 Series Boundary
Export Control Reform created a new set of Export Control Classification Numbers within the Commerce Control List specifically designed to capture items that moved from the USML during the reform process. These 600 Series ECCNs cover items that were formerly USML-listed but are now determined to be sufficiently commercial or widely available to warrant regulation under the EAR rather than the ITAR. A separate set of ECCNs, the 500 Series, covers spacecraft and related items that moved from USML Category XV. Understanding the 500 Series and 600 Series classifications is essential to properly scoping the regulatory obligations of a defense company whose product line spans both ITAR and EAR jurisdiction.
The EAR, codified at 15 CFR 730 through 774, is administered by BIS and governs the export, reexport, and in-country transfer of dual-use items, certain military items no longer on the USML, and other items not subject to the exclusive jurisdiction of another agency. Items subject to the EAR are classified according to the Commerce Control List, with each item assigned an ECCN based on its technical characteristics and the reasons for control. Unlike the ITAR's categorical approach, the EAR uses a country-based licensing matrix, and many EAR transactions qualify for license exceptions that allow exports without a BIS license.
For items subject to the EAR, the dual-use provisions of 15 CFR 734 are particularly relevant in M&A due diligence. Section 734 defines the scope of items subject to the EAR and establishes the framework for determining whether an item is subject to EAR jurisdiction. Items that are subject to the EAR but that have both commercial and military applications, so-called dual-use items, require classification analysis to determine the applicable ECCN, the reasons for control, and whether a BIS license or license exception applies to any particular export transaction. Dual-use items in a defense contractor's product portfolio may generate EAR compliance obligations that run alongside ITAR obligations for other items, and the compliance program must address both regimes.
A common post-Reform compliance gap occurs when a company exports 600 Series items under EAR license exceptions without recognizing that those same items incorporate ITAR-controlled components or are produced using ITAR technical data. The incorporation of an ITAR-controlled component into an otherwise EAR-jurisdiction item does not automatically make the end item ITAR-controlled, but the ITAR technical data used to produce the item remains ITAR-controlled regardless of how the end item is classified. This creates parallel compliance obligations: the item ships under EAR authority, but the technical data supporting its production remains subject to ITAR controls. Defense M&A due diligence must trace these intersecting jurisdictions at the item level rather than applying a single regulatory framework to the entire product portfolio.
Voluntary Disclosure and the ITAR Penalty Framework
When due diligence or post-closing integration reveals an ITAR violation, the company faces a fundamental decision: disclose voluntarily to DDTC or attempt to remediate without disclosure. The voluntary disclosure process under 22 CFR 127.12 provides a structured mechanism for companies to self-report violations to DDTC and receive credit for cooperation. DDTC's enforcement guidelines treat voluntary disclosure as a significant mitigating factor that can substantially reduce civil penalty exposure and, in some cases, result in resolution through a warning letter or administrative agreement rather than a formal consent agreement with penalties.
The decision to make a voluntary disclosure requires careful assessment of the nature and scope of the violation, the quality of the evidence establishing the violation, the availability of mitigating factors independent of voluntary disclosure, and the likely penalty range if the violation surfaces through other means. DDTC's enforcement history shows that violations discovered through third-party referrals, whistleblower complaints, or government contract audits are treated more severely than comparable violations that the company identified and reported proactively. The voluntary disclosure credit is real, but it is not unlimited, and a disclosure that understates or mischaracterizes the scope of the violation can be treated as an aggravating factor.
A voluntary disclosure submission under 22 CFR 127.12 must include: a description of the violation, including the specific ITAR provision violated; the defense articles, technical data, or defense services involved; the parties to the transaction; the relevant timeline; the root cause of the violation; and the corrective actions the company has taken or will take. DDTC expects the submission to be thorough and accurate. Companies often submit an initial disclosure within the 60-day window to preserve the disclosure credit, followed by a more complete submission once internal investigation is complete. This two-stage approach is accepted by DDTC when the initial disclosure is accurate and the supplemental submission follows within a reasonable time.
In the M&A context, the buyer faces a specific disclosure timing question: if due diligence reveals a pre-closing violation, should the disclosure be made before closing, or should the seller make the disclosure as the party that committed the violation? The answer depends on who has the legal obligation to disclose, which is the entity that committed the violation. The seller is the party that committed the pre-closing violation and therefore bears the primary disclosure obligation. The buyer's interest is in ensuring the disclosure is made, because inheriting an undisclosed ITAR violation creates both legal exposure and reputational risk. Purchase agreement provisions can address this by requiring the seller to make any required disclosures before closing and by giving the buyer approval rights over the content of any disclosure that relates to the target's business.
ITAR audits conducted by DDTC or by DSS provide another avenue through which pre-closing violations can surface. Defense contractors subject to DSS oversight are periodically audited on their export compliance programs, and a post-closing DSS audit that reveals pre-closing violations creates the same disclosure and remediation obligations as internal discovery. Buyers who acquire defense contractors without conducting thorough export control due diligence cannot assume that pre-closing violations will remain undetected. The audit environment for defense contractors has intensified over the past decade, and the sophistication of government enforcement has increased correspondingly.
Frequently Asked Questions
When must a seller notify DDTC of a change in ownership in a defense M&A transaction?
Under 22 CFR 122.4(a), a registered person must notify the Directorate of Defense Trade Controls of any material change to the information in its registration within five days of the change becoming effective. A change in ownership or control qualifies as a material change. Practically, this means the parties must coordinate DDTC notification to coincide with closing. Filing the DS-2032 amendment or new registration application before closing closes the exposure window, but the statutory obligation attaches at the moment the change becomes legally effective. Counsel should build this timeline into the transaction schedule so that DDTC receives notification contemporaneously with closing, not weeks after the fact.
Does a defense M&A transaction require a new DDTC registration or an amendment to the existing one?
The answer depends on the transaction structure. In an asset purchase, the buyer is acquiring specific assets from the seller, and the seller's existing ITAR registration does not transfer with those assets. The buyer must obtain its own DDTC registration before taking possession of any defense articles or technical data covered by the ITAR. In a stock purchase or merger where the registered legal entity survives, the existing registration may be amended to reflect the new ownership. DDTC evaluates these situations individually, and the agency has issued guidance making clear that it expects proactive communication from parties. Waiting for DDTC to discover the change is not an acceptable posture.
Can a buyer implement a Technology Control Plan after closing rather than before?
Implementing a TCP before closing is strongly advisable and, in many cases, contractually required. If a buyer intends to continue operating the target's ITAR-controlled programs on day one, the TCP must be in place to govern foreign person access from the moment the buyer takes operational control. Deferring TCP implementation creates a window during which foreign person access cannot be systematically controlled, which may constitute an unauthorized export or a deemed export under 22 CFR 120.17. Government contractors whose facilities hold facility clearances may also face DSS scrutiny if there is a period of uncontrolled foreign person access. The TCP should be drafted, reviewed by export control counsel, and approved by facility security officers before the transaction closes.
How should parties handle foreign person access to ITAR technical data during due diligence?
Due diligence access to ITAR technical data by foreign persons, including foreign national employees of a prospective buyer, constitutes a deemed export under 22 CFR 120.17 unless an applicable license or license exception applies. Before sharing any ITAR-controlled information with a foreign person during due diligence, the parties must determine whether a DSP-5 license or other DDTC authorization covers the disclosure. In most cases, the seller will restrict due diligence data rooms to U.S. persons only, or will segment ITAR-controlled technical data into a restricted tier accessible only to cleared U.S. persons on the buyer's team. Non-disclosure agreements do not substitute for export control authorization. This analysis must occur before the data room opens, not after a foreign national has already accessed controlled materials.
What happens to existing DSP-5 and DSP-85 licenses when a defense company is acquired?
Existing DSP-5 and DSP-85 licenses are issued to the registered exporter and are not automatically assignable to a successor in interest. Following a change in ownership, the new entity or the surviving entity with amended registration must either obtain new licenses or apply for license amendments reflecting the updated registrant information. DDTC has discretion to allow the parties to continue operating under existing licenses during a transition period, but this requires advance coordination with the agency. Parties should inventory all active export licenses early in the transaction timeline, identify licenses with open transactions or ongoing performance obligations, and develop a license transition plan that addresses each license individually. Failing to address license continuity before closing can halt deliveries and create contract performance issues with government customers.
How are USML and Commerce Control List classification disputes resolved when there is a question about jurisdiction?
When there is a genuine question about whether an item is subject to ITAR jurisdiction under the USML or EAR jurisdiction under the CCL, the parties can seek a formal commodity jurisdiction determination from DDTC under 22 CFR 120.4. The CJ process requires the applicant to submit a detailed technical description of the item along with supporting documentation. DDTC coordinates with the Department of Commerce and, in some cases, the Department of Defense before issuing a determination. The CJ determination is binding on the exporter and provides a formal legal basis for the jurisdiction claim. In the M&A context, unresolved CJ questions represent material legal uncertainty that should be disclosed in representations and warranties and, in some cases, resolved before closing to avoid post-closing indemnification exposure.
Does voluntary disclosure meaningfully reduce ITAR penalty exposure?
Voluntary self-disclosure under 22 CFR 127.12 is the single most effective tool for mitigating civil penalty exposure in ITAR enforcement cases. DDTC's penalty guidelines treat voluntary disclosure as a significant mitigating factor, and the agency has resolved disclosed violations through warning letters and administrative agreements rather than maximum civil penalties in cases where the disclosure was thorough, timely, and accompanied by meaningful remediation. The disclosure must describe the violation fully and accurately, explain the root cause, and outline the corrective actions the company has taken or will take. Incomplete or misleading disclosures can transform a mitigating disclosure into an aggravating factor. In the M&A context, discovering a pre-closing violation and disclosing it voluntarily before or shortly after closing, with full cooperation from both seller and buyer, is almost always preferable to allowing the violation to surface through a government investigation.
What are the maximum penalties for ITAR violations and what factors affect the outcome?
Civil penalties under 22 USC 2778(e) can reach up to $1,302,326 per violation, with the per-violation cap adjusted periodically for inflation. Criminal penalties under 22 USC 2778(c) can include fines of up to $1,000,000 per violation and imprisonment of up to 20 years per violation. Debarment from future export privileges is also available as a sanction. DDTC considers a range of factors when determining penalty amounts: the severity of the violation, the number of violations, whether classified information was involved, whether the violation provided a military advantage to a foreign adversary, the company's compliance history, and the quality and scope of any voluntary disclosure and remediation. Companies with robust export compliance programs that self-report promptly and cooperate fully consistently achieve substantially better outcomes than companies where violations surface through third-party reporting or government investigation.
Related Resources
Aerospace and Defense M&A: Legal Guide
Full overview of regulatory frameworks, clearance issues, and deal structure in defense M&A.
DSS, FOCI Mitigation, and Special Security Agreements in Defense M&A
Facility clearance implications, FOCI determinations, and SSA negotiation in transactions involving cleared contractors.
DFARS Cybersecurity and CMMC Certification in Defense Contractor M&A
CMMC certification continuity, DFARS 252.204-7012 obligations, and CUI handling in post-closing integration.
This analysis reflects the ITAR regulatory framework as of the publication date and is provided for informational purposes only. Export control law is complex and fact-specific. The application of ITAR requirements to any particular transaction depends on the specific articles, technical data, parties, and jurisdictions involved. Parties to a defense M&A transaction should retain qualified export control counsel to analyze their specific circumstances before taking any action.