The knock at the door comes early. Federal agents with a warrant. Hard drives seized. Executives interviewed under caution. Export control violations don't announce themselves with a polite email—they arrive with consequences that reshape companies and end careers.
I've watched defense contractors discover they're under investigation. The pattern is consistent: shock, then a frantic scramble to understand what happened, then the slow realization that an ITAR violation they thought was minor—or didn't know about at all—has triggered a federal enforcement action. By that point, the question isn't whether there will be consequences. It's how severe they'll be.
The International Traffic in Arms Regulations exist for a reason. Defense articles and technical data can't leave the country or reach foreign nationals without authorization. When companies get this wrong, whether through negligence, ignorance, or intentional circumvention, the U.S. government responds with civil penalties, criminal prosecution, or both. Understanding what actually happens when violations occur isn't academic—it's essential for anyone operating in the defense industrial base.
Civil Penalties: The Financial Reckoning
Civil enforcement is the State Department's primary tool for addressing ITAR violations. The Directorate of Defense Trade Controls can impose fines up to $1,116,689 per violation. That's not a typo, and it's not a theoretical maximum. DDTC regularly assesses penalties in the millions for companies that export defense articles without authorization, provide technical data to foreign nationals, or fail to maintain proper registration and compliance programs.
The math gets ugly fast. Each individual export can constitute a separate violation. If you shipped a defense article to a foreign customer on ten occasions without the proper license, that's ten violations. If you shared technical drawings with unauthorized recipients in five separate emails, that's five more. The cumulative exposure can exceed a company's annual revenue.
In my experience, the violations that generate the largest civil penalties share common characteristics: they were repeated over time, they involved countries of concern or embargoed destinations, they demonstrated a disregard for known obligations, and they came to light through government investigation rather than voluntary disclosure. Companies that discover problems internally and report them promptly receive markedly different treatment than those caught by enforcement actions.
DDTC considers aggravating and mitigating factors when calculating penalties. Aggravating factors include prior violations, involvement of proscribed destinations (think China, Russia, Iran), economic harm to U.S. interests, and whether the violator attempted to conceal the conduct. Mitigating factors include voluntary disclosure, cooperation with the investigation, remedial compliance measures, and whether the violation resulted from circumstances beyond the company's control.
The consent agreements published by DDTC tell the story clearly. A defense contractor that self-disclosed unauthorized exports to allied nations, cooperated fully, and implemented comprehensive remediation might pay $200,000. A similar company that was caught, resisted the investigation, and showed no meaningful compliance program might pay $2 million for comparable conduct. The difference isn't the underlying violation—it's how the company responded.
Consent Agreements vs. Charging Letters
Most civil cases resolve through consent agreements: the company neither admits nor denies the violations but agrees to pay a fine and implement specific remedial measures. These agreements are public and searchable. Reading through a few dozen of them reveals patterns that compliance training slides never quite capture.
When DDTC issues a charging letter instead—a formal accusation of violations—the gloves are off. Charging letters typically precede either contested administrative proceedings or criminal referrals. They signal that the State Department believes the violations were serious enough to warrant formal adjudication rather than settlement. Smart companies settle before they receive a charging letter.
Criminal Prosecution: When DOJ Gets Involved
Civil penalties hurt the bottom line. Criminal prosecution destroys companies and incarcerates individuals. The Arms Export Control Act provides for criminal penalties up to $1 million per violation and up to 20 years imprisonment. The Justice Department pursues criminal cases when violations appear willful, involve intentional circumvention, compromise national security, or benefit adversaries.
The distinction between civil and criminal violations often comes down to intent and knowledge. An inadvertent export resulting from negligent compliance practices typically remains a civil matter. A deliberate scheme to export night vision technology to a Chinese company using shell intermediaries is a federal crime. The gray area in between—where employees knew or should have known their conduct violated ITAR—is where companies face the greatest uncertainty.
Federal prosecutors approach ITAR cases differently than corporate defense attorneys expect. They don't view violations as regulatory missteps or paperwork problems. They view them as potential threats to national security, and they prosecute accordingly. When the FBI and Homeland Security Investigations start interviewing employees, the company is already deep into a criminal investigation.
I've seen cases where mid-level engineers who shared technical data with foreign colleagues at academic conferences found themselves subjects of criminal investigation. The engineers thought they were engaging in normal technical exchange. The government viewed it as unauthorized transfer of defense technical data to foreign nationals. The engineers had no idea ITAR applied to their conference presentations because their companies never trained them properly. That ignorance didn't prevent prosecution—it just demonstrated the company's compliance failures.
Individual Liability
Corporate officers and employees face personal criminal liability for ITAR violations they commit or facilitate. This reality doesn't get enough emphasis in compliance programs. Engineers, program managers, export coordinators, and executives can all be charged individually if they participated in violations with the requisite criminal intent.
The Justice Department has increasingly pursued individual accountability in corporate crime cases, and ITAR violations are no exception. Deferred prosecution agreements and plea agreements often require companies to identify individuals responsible for misconduct. Executives who signed off on questionable exports, export coordinators who falsified license applications, and engineers who knowingly shared technical data without authorization all face potential prosecution.
Need an Expert on Export Controls and Defense Compliance?
Carl speaks to defense industry audiences about practical ITAR compliance, lessons from enforcement cases, and building programs that actually work. His sessions go beyond checkbox training to address real-world scenarios your teams face.
Book Carl to Speak
How Violations Come to Light
Companies don't wake up one day and decide to report their ITAR violations out of civic duty. Most violations surface through one of three paths: voluntary disclosure following internal discovery, government investigation triggered by external information, or third-party reporting by employees, competitors, or former business partners.
Voluntary disclosures happen when companies conduct internal audits, respond to employee concerns, or discover problems during M&A due diligence. A new compliance officer reviews historical shipments and finds exports that should have required licenses but didn't. An engineer raises concerns about technical data sharing practices. An acquiring company's legal team identifies potential violations during due diligence. In each case, the company faces a choice: disclose to DDTC or hope it never comes to light.
Government investigations often start with license application reviews. When a company submits a license application, DDTC scrutinizes the applicant's compliance history. If inconsistencies appear—prior shipments to the same customer without licenses, suspicious shipping patterns, gaps in record-keeping—those inconsistencies trigger deeper investigation. Customs and Border Protection also identifies potential violations during import/export inspections.
Third-party reporting is more common than most companies realize. Disgruntled employees report violations to DDTC or the FBI. Competitors file complaints when they suspect rivals are gaining unfair advantage through non-compliance. Foreign customers mention receiving items without proper licenses, not realizing they're implicating the exporter. Former business partners, particularly after disputes, become prolific sources of enforcement leads.
The pattern I see most often: companies discover violations through routine compliance activities—audits, training sessions, process reviews—but delay reporting while they "investigate further." That delay proves fatal. By the time they're ready to disclose, the government has already received information from another source. What could have been a voluntary disclosure with mitigated penalties becomes a contested enforcement action.
Voluntary Disclosure: The Math That Actually Matters
The State Department publishes detailed guidance on voluntary disclosures, but the practical reality is simpler: disclose early, disclose completely, and demonstrate genuine remediation. Companies that follow this approach receive substantially reduced penalties. Those that don't pay the full price.
DDTC's policy is explicit. Voluntary disclosures qualify for favorable consideration if they're made "as soon as possible after discovery" and before the government knows about the violation from other sources. The phrase "as soon as possible" doesn't mean "after we complete our internal investigation." It means promptly—within weeks, not months. Companies that spend six months investigating before disclosing forfeit much of the credit they'd have received for self-reporting.
A proper voluntary disclosure includes specific elements: description of the violation, identification of defense articles or technical data involved, countries and foreign nationals involved, how the violation occurred, what internal controls failed, and what remedial measures the company is implementing. Generic or incomplete disclosures receive less credit. DDTC wants to see that the company understands what went wrong and has fixed the underlying problems.
The remedial measures matter as much as the disclosure itself. Companies that report violations but continue business as usual demonstrate that they don't take compliance seriously. Companies that implement comprehensive improvements—enhanced training, better screening procedures, technical controls, personnel changes—show genuine commitment to preventing recurrence. DDTC notices the difference.
I tell clients to approach voluntary disclosures with the assumption that DDTC will verify everything. Because they will. The State Department doesn't accept disclosures at face value. They investigate. If your disclosure understates the scope of violations, omits aggravating facts, or mischaracterizes what happened, you're worse off than if you'd never disclosed. Incomplete honesty is worse than silence.
The Voluntary Disclosure Timeline
From initial discovery to disclosure submission shouldn't exceed 30 days unless the violations are genuinely complex. Most cases don't qualify as genuinely complex—they're just uncomfortable. A company discovers it made unauthorized exports, the facts are straightforward, the remediation is obvious. Disclose within two weeks.
For cases requiring forensic investigation—potential violations spanning years, multiple business units, complex supply chains—more time is justified. But even then, companies should notify DDTC that a disclosure is forthcoming and provide a preliminary summary. Silence while investigating makes it look like you're hoping the problem will disappear. It won't.
Real Enforcement Cases: What the Settlements Reveal
The consent agreements published by DDTC provide a window into what actually triggers enforcement and what penalties look like. Reading the clinical language of these settlements reveals patterns that compliance programs should address but often don't.
One common pattern: companies export defense articles to foreign subsidiaries or distributors without authorization, treating internal corporate transfers as exempt when they're not. The company views its overseas office as part of the same corporate family, so export controls don't apply, right? Wrong. An export to a foreign subsidiary is still an export under ITAR unless a specific exemption applies. These cases routinely result in six-figure penalties.
Another frequent scenario: companies provide technical data to foreign national employees in the United States without proper authorization. The engineering team hires talented individuals, some of whom are foreign nationals, and gives them access to technical drawings and specifications because that's their job. If those foreign nationals aren't U.S. persons and don't have the appropriate authorization, that access constitutes an export of technical data—a "deemed export." Companies that don't screen employees or limit access based on nationality face violations.
Manufacturing and production technology creates another category of common violations. When companies build defense articles, the technical data and know-how needed for production is itself controlled. Sharing that manufacturing data with foreign partners, even for legitimate co-production arrangements, requires authorization. Companies that enter into international manufacturing agreements without proper licenses discover their violations during DDTC audits.
The settlements also reveal what aggressive remediation looks like. Companies agree to retain outside compliance consultants for multi-year periods. They commit to specific training frequencies and audit schedules. They implement technology controls that prevent unauthorized access or transfer of technical data. They hire dedicated export compliance personnel. These commitments aren't optional—they're conditions of the settlement, and DDTC monitors compliance.
What the Numbers Tell Us
Over the past decade, civil penalties assessed by DDTC have ranged from tens of thousands to tens of millions of dollars. The median settlement for cases involving voluntary disclosure typically falls between $100,000 and $500,000. Cases discovered through government investigation or third-party reporting average significantly higher—often multiple millions.
Criminal cases are less frequent but more devastating. When DOJ prosecutes, individuals receive prison sentences ranging from probation to multiple years incarceration. Companies face criminal fines, compliance monitoring, and debarment from government contracting. The collateral consequences—lost business, reputation damage, difficulty attracting talent—often exceed the direct penalties.
Keynote Speaking Topics on Defense Industrial Base Compliance
Carl delivers practical, experience-based presentations on ITAR, CMMC, and the realities of operating in the defense industrial base. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventAdministrative Actions Beyond Fines
Civil penalties are only one enforcement tool. DDTC can also suspend or revoke export privileges, impose special compliance conditions, require outside audits and monitoring, and debar companies from participating in defense trade. These administrative sanctions often prove more damaging than monetary fines.
Debarment is the nuclear option. A debarred company cannot engage in any activities subject to ITAR—cannot manufacture, export, or broker defense articles; cannot obtain licenses or agreements; cannot participate in the defense trade at all. For companies whose business depends on defense contracts, debarment is a death sentence. DDTC reserves debarment for the most serious violations: willful conduct, repeated violations, failure to cooperate with investigations, or violations involving proscribed destinations.
Statutory debarment applies automatically to certain convictions. If a company or individual is convicted of violating the Arms Export Control Act or related criminal statutes, they're statutorily debarred from export privileges for three years following conviction or release from imprisonment. There's no discretion—the statute mandates it. This automatic debarment is one reason why criminal prosecution carries consequences beyond the immediate criminal penalties.
Consent agreements frequently include conditions that function as probationary monitoring. Companies must submit to regular audits by DDTC, retain outside compliance consultants who report directly to the State Department, implement specific compliance measures within defined timeframes, and provide periodic certifications of compliance. These conditions typically last three to five years and create ongoing compliance costs well beyond the initial financial penalty.
The compliance conditions imposed through consent agreements reveal what DDTC views as baseline requirements. If you read enough settlements, you see the same requirements repeatedly: comprehensive written procedures, regular training with attendance tracking, screening of all employees for foreign national status, IT controls preventing unauthorized access to technical data, audit procedures for all exports, and management-level oversight. These aren't innovative compliance measures—they're the basics. The fact that DDTC must impose them as settlement conditions tells you how many companies lack fundamental programs.
Collateral Consequences: The Hidden Costs
The published penalties—fines, settlements, criminal restitution—don't capture the full cost of ITAR violations. The collateral damage often exceeds the direct enforcement action.
Government contractors face suspension or debarment from federal contracting when they violate export controls. The Defense Department and other agencies can exclude companies from competing for contracts based on ITAR violations, even if those violations didn't directly involve government contracts. For companies in the defense industrial base, losing the ability to compete for federal contracts eliminates their business model. This isn't theoretical—it happens regularly.
Customer relationships suffer immediately. When a defense contractor settles an ITAR violation case, prime contractors and government customers see the published consent agreement. Those customers then reassess whether they want to do business with a company that demonstrated compliance failures. Existing contracts may continue, but new opportunities disappear. The reputational damage persists for years.
M&A transactions collapse when ITAR violations surface during due diligence. I've seen acquisition deals worth tens of millions evaporate because the target company disclosed pending ITAR violation investigations. Even if the violations ultimately settle for modest penalties, the uncertainty and compliance risk kill the transaction. Sellers who discover violations late in the sale process find themselves with worthless companies.
Insurance implications deserve more attention than they receive. Most professional liability and directors & officers policies exclude intentional regulatory violations. When ITAR violations involve knowing conduct—and many do—insurance won't cover the penalties, legal fees, or related costs. Companies assume their insurance will respond and discover too late that it won't. The entire financial burden falls directly on the company.
Personnel costs multiply quickly. Responding to an investigation or enforcement action requires substantial legal representation—specialized export control attorneys who bill accordingly. Internal investigations demand staff time from already stretched compliance and legal teams. Implementing remedial measures requires hiring additional compliance personnel, retaining consultants, and potentially restructuring operations. The all-in cost of a six-figure settlement often reaches seven figures when you include response costs.
What Leadership Should Take Away
Executives who treat ITAR as a compliance department problem rather than an enterprise risk are making a costly mistake. The consequences of violations—civil penalties, criminal prosecution, debarment, reputational damage, lost business—can end companies. These aren't remote possibilities. They're documented outcomes from published enforcement cases.
The strategic question isn't whether to invest in compliance programs. It's whether to invest proactively or pay reactively after violations occur. The math overwhelmingly favors prevention. A robust compliance program costs less than a single settlement, and dramatically less than the all-in cost of an enforcement action including collateral consequences.
Leadership needs to understand what actually constitutes an ITAR violation and where the common failure points occur. It's not just physical exports without licenses. It's technical data sharing with foreign nationals. It's deemed exports to foreign employees. It's manufacturing technology transfers. It's brokering arrangements. It's retransfers by foreign customers. The range of potential violations is broader than most executives realize, and the company's exposure exists anywhere these activities occur.
The decision to voluntarily disclose violations is fundamentally a leadership decision, not a legal decision. Lawyers can assess risks and analyze options, but executives must decide whether the company will self-report or gamble that violations remain undiscovered. That decision reveals the company's actual values more clearly than any compliance policy document. In my experience, companies that default to disclosure demonstrate stronger compliance cultures than those that default to concealment.
Building an effective compliance program requires three elements that only leadership can provide: adequate resources, genuine accountability, and consistent messaging. Resources means dedicated compliance personnel, training budgets, technology controls, and audit capabilities. Accountability means consequences for employees who violate policies and rewards for those who identify problems. Messaging means executives consistently communicate that compliance matters more than short-term business opportunities.
The defense industrial base operates under stricter regulatory scrutiny than most industries. Between ITAR registration requirements, CMMC compliance obligations, and standard government contracting regulations, the compliance burden is substantial. That burden is the price of admission. Companies that resent it or cut corners eventually pay enforcement penalties that dwarf what proper compliance would have cost. Regulatory compliance in this space isn't optional—it's existential.
When violations do occur—and they will, because no program is perfect—the company's response determines the outcome more than the underlying conduct. Rapid voluntary disclosure, complete cooperation, genuine remediation, and transparent accountability convert potential disasters into manageable problems. Delay, minimization, concealment, and resistance convert manageable problems into company-ending disasters. The choice is leadership's to make.
The knock at the door doesn't have to come. But if it does, the question federal agents ask will be simple: did you know about the violations and what did you do about them? The answer to that question—shaped by leadership decisions made long before any investigation—determines everything that follows.