What does ITAR compliance work include?

ITAR-controlled environment architecture (US-Person-only access, technical-data segregation, US-Persons-only system administration), GCC High or AWS GovCloud-based system design, registration with DDTC (where applicable), DECCS empowered-official setup, technical-data classification and handling procedures, supply-chain ITAR controls, employee training on ITAR (technical-data identification, deemed-export awareness), and incident-response procedures for suspected unauthorized disclosure.

Do I need GCC High or AWS GovCloud?

If you handle ITAR-controlled technical data in a Microsoft 365 environment, GCC High is the standard architecture (commercial and GCC do not meet the export-controlled requirements). For AWS workloads handling ITAR data, AWS GovCloud (US) is the standard. We architect new ITAR-controlled environments and migrate existing commercial-cloud-resident ITAR data into compliant tenancy where that work is needed.

How does ITAR overlap with EAR?

ITAR governs defense-related items on the United States Munitions List (USML); EAR governs commercial and dual-use items on the Commerce Control List (CCL). Many organizations handle both. for example, a defense contractor with both ITAR-controlled weapons-system data and EAR-controlled dual-use technology. The control architectures are compatible but distinct; we assess and architect for both where applicable.

How long does ITAR readiness take?

Architecture and tenancy migration: 3-6 months. Policy framework and procedural rollout: 2-4 months concurrent. Employee training and operational rollout: 1-3 months concurrent. Total: 4-9 months for an organization with no current ITAR posture. Faster where the organization already has reasonable export-control discipline; slower where ITAR-controlled data is currently scattered across commercial-cloud and personal devices.

What if I have ITAR-controlled data on commercial cloud already?

Self-disclosure to DDTC may be required. that is a legal-counsel decision, not a consulting decision. We do not advise on the disclosure question, but we coordinate with export-control counsel and execute the technical remediation: data inventory and classification, migration to compliant tenancy, sanitization of commercial-cloud copies, and forensic verification of disposition. The remediation is structured to support whatever disclosure decision counsel reaches.

ITAR Compliance Services | Defense Contractor Cybersecurity

ITAR-aligned cybersecurity for defense contractors and dual-use exporters

We build the cybersecurity program that backs an ITAR-registered manufacturer or service provider. technical-data segregation, citizenship-controlled access, file-sharing and cloud-storage controls that meet 22 CFR §120-130, and the audit posture that survives a DDTC inquiry. We work alongside your export-control counsel, not in their place.

What ITAR actually requires of your IT

ITAR (International Traffic in Arms Regulations) does not prescribe a cybersecurity framework the way NIST 800-171 does. It prescribes outcomes: technical data defined as defense articles must be controlled so it is not transferred to foreign persons without authorization. including your own employees, contractors, cloud providers, and email recipients who are not US persons. The cybersecurity work is in proving you can enforce that.

The four hard problems most contractors get wrong

Cloud storage and SaaS. The default Microsoft 365, Google Workspace, Dropbox, Slack, and Notion environments allow any tenant administrator to access any tenant data. ITAR requires that foreign-national personnel at the cloud provider not be able to access your technical data without authorization. Solution: use the GCC High, AWS GovCloud, or Azure Government variants. NOT the commercial tier. for any environment touching ITAR-controlled technical data.
Citizenship-controlled access. "Need-to-know" plus "US persons only" (or licensed-foreign-person only) for every system holding technical data. Active Directory groups, conditional access, audit logging that proves who accessed what.
Email and file transfer. Standard SMTP routes mail through servers in multiple countries. ITAR-grade email requires US-only routing, encrypted channels, and recipient verification. Most "encrypted email" products do not satisfy ITAR if the encryption keys are held outside the US.
Endpoint and device controls. Mobile device management with jurisdictional control on cross-border travel, full-disk encryption, USB controls, and documented procedures for foreign travel involving devices that may hold technical data.

What we deliver

Technical data inventory. What ITAR-controlled data you hold, where it lives, who touches it, and what systems it transits. the ground truth your DDTC registration commits to.
Network and tenant architecture. Segmentation between ITAR and non-ITAR data, GCC High / GovCloud migration where required, citizenship-controlled identity model.
Compliant file sharing. Vendor selection and configuration for ITAR-aligned file sharing. including the "no, not Dropbox" conversation when a project lead has been moving data through their personal Dropbox for a year.
Compliant cloud storage. Architecture review and configuration of Azure Government, AWS GovCloud, or GCC High. including the BAA-equivalent agreements (DPA + ITAR addendum) with the provider.
Endpoint program. MDM, full-disk encryption, USB controls, foreign-travel device procedures, hardware inventory.
Audit posture. Logging, evidence retention, and access-review cadence to support a DDTC compliance review or self-disclosure if you discover a violation.
Cross-border travel procedures. Burner-device protocols for sales, engineering, or executive travel to controlled destinations.
Empty-handed program. Coordinated with export-control counsel. we own the technical execution; they own the legal interpretation and DDTC filings.

Pairs with

CMMC 2.0. Most ITAR-registered companies also have CMMC obligations. The control sets overlap heavily; we run them together for ~30% efficiency gain. See CMMC compliance.
NIST 800-171. Foundation control set for handling CUI; substantial overlap with ITAR technical-data controls. See NIST 800-171.
DFARS 7012/7019/7020/7021. Cybersecurity flowdown clauses in DoD contracts. the regulatory mechanism for CMMC enforcement. We map all four against your existing controls.

Engagement structures

ITAR readiness assessment. 4-6 weeks. Technical data inventory, architecture review, gap analysis against 22 CFR §120-130, remediation roadmap. Fee: $25K-$60K.
Full ITAR program build-out. 12-24 weeks. Architecture, tenant migration to GCC High / GovCloud, identity model, MDM, file sharing, audit posture. Fee: $90K-$350K depending on existing maturity and tenant migration scope.
DDTC self-disclosure support. When you've discovered a potential violation and need the cybersecurity narrative for the disclosure. Hourly with milestone caps; coordinated with export-control counsel.
Combined ITAR + CMMC program. Most efficient path for defense contractors. Fee: $120K-$450K.

What we will not do

Practice export-control law. we coordinate with your counsel; we do not give legal opinions on whether a specific item is ITAR-controlled
Sign off on architecture that uses commercial-tier cloud for technical data covered by ITAR
Build a program that requires US-citizenship verification for roles where you have not actually verified citizenship
Take an engagement where DDTC registration itself is the gating issue. that's a counsel problem first

Available as referral or white-label

We deliver ITAR cybersecurity directly to manufacturers and service providers, sub- contract for IT firms and MSPs whose defense-contractor clients need an ITAR specialist, and partner with export-control counsel on combined legal-plus-technical engagements. Compensation negotiable per relationship.