ITAR Technical Data: Who You Can Share It With
If your company designs, manufactures, or supports anything on the U.S. Munitions List, every blueprint, CAD file, test result, and engineering email you produce is potentially ITAR technical data. And the rules for who can see it are stricter than most operators realize.
A misconfigured SharePoint permission, an engineer forwarding a drawing to a foreign-national colleague, or a supplier portal that lets a non-U.S. employee log in — any of these can trigger an unauthorized export. The State Department doesn't distinguish between a shipping container crossing a border and a PDF opened by a foreign person sitting two desks away.
This post breaks down what counts as ITAR technical data, who you can legally share it with, and how restricted party screening fits into the workflow.
What Counts as ITAR Technical Data
ITAR technical data is information directly tied to a defense article on the U.S. Munitions List (USML). That includes drawings, specifications, software source code, manufacturing instructions, and even emails describing how a controlled item works.
The regulation is explicit: for information to be ITAR-controlled, it must be directly related to a defense article or specifically enumerated on the USML, and not satisfy one of the exclusions in § 120.10(b).
What does not count:
- Basic marketing information on function, purpose, or general system descriptions
- Information already in the public domain
- Results of fundamental research at accredited U.S. universities, where the resulting information is ordinarily published and shared broadly
Everything else — the engineering substance — is controlled. And the 2025 USML revisions shifted the boundary. The September 2025 USML revisions shifted which technologies fall under ITAR's scope. Some items moved to Commerce Department jurisdiction while others were added or clarified. Organizations should reassess their classification, licensing, and compliance processes accordingly.
The Deemed Export Rule: The Trap Most Companies Miss
Here's where compliance breaks down for most defense manufacturers. Under ITAR, an "export" isn't just shipping hardware overseas. Export means an actual shipment or transmission out of the United States, releasing or otherwise transferring technical data to a foreign person in the United States (a deemed export), or performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
That second category — the deemed export — is the one that catches small and mid-size shops off guard. The "deemed export" regulation states that a transfer of "technology" (EAR term) or "technical data" (ITAR term) to the foreign person is "deemed" to be an export to the home country of the foreign person. Accordingly, for all controlled commodities, a license or license exception is required prior to the transfer of "technology" or "technical data" about the controlled commodity to foreign persons inside the U.S.
In plain English: showing an ITAR drawing to a foreign-national employee sitting in your Ohio office is legally equivalent to exporting that drawing to their home country. And any release in the United States of technical data to a foreign person is deemed to be an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency — meaning a dual national triggers multiple deemed exports from a single disclosure.
Who You Can Share ITAR Technical Data With
Without a license or approved exemption, ITAR technical data may only be shared with U.S. persons. The category is narrower than most people think:
- U.S. citizens
- Lawful permanent residents (green card holders)
- Protected individuals under 8 U.S.C. § 1324b(a)(3) (e.g., asylees, refugees)
A work visa holder — including H-1B engineers — is not a U.S. person for ITAR purposes. Articles that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens.
The practical implications:
| Recipient | Can receive ITAR technical data? |
|---|---|
| U.S. citizen employee | Yes |
| Green card holder employee | Yes |
| Foreign national employee (H-1B, L-1, etc.) | No — requires DDTC license |
| U.S.-based subcontractor (cleared) | Yes, with proper agreements |
| Foreign subsidiary or distributor | No — requires DSP-5 or other authorization |
| Cloud provider transmitting encrypted data | Yes, if end-to-end encryption requirements are met |
The End-to-End Encryption Carve-Out
One of the most important developments for modern defense manufacturers is the encryption carve-out at 22 CFR § 120.54(a)(5). Properly encrypted transmission and storage of ITAR technical data is not treated as an export.
The 2020 ITAR update made clear that a cloud platform does not become a DDTC-registered ITAR entity simply because customer ITAR technical data passes through it. When unclassified technical data is kept properly end-to-end encrypted and access is limited to authorized recipients, its transmission or storage is not treated as an export under 22 CFR § 120.54.
To qualify, the encryption must meet specific standards. In order to qualify for the carve-out, the encryption must meet certain standards as follows: cryptographic protection must be applied prior to the data being sent outside of the originator's security boundary and remain encrypted until it arrives within the security boundary of the intended recipient, the means of decryption must not be provided to any third party, and the data must not have the cryptographic protection removed at any point in transit.
The rule also forbids intentional storage in proscribed countries. Data must not be intentionally sent to a person in or stored in a country proscribed in §126.1 of this subchapter or the Russian Federation, and data in-transit via the internet is not deemed to be stored in a transit country.
This is what makes solutions like AWS GovCloud (US), Microsoft GCC High, and ITAR-aware file sharing platforms viable for defense work. The data itself can pass through commercial infrastructure as long as no foreign person can ever access the unencrypted content.
Where Restricted Party Screening Fits In
Knowing the rule isn't enough. Before you share technical data with any person, company, subcontractor, or foreign customer, you need to confirm two things:
- Are they a U.S. person (or otherwise authorized under a license)?
- Are they on any restricted party list — OFAC SDN, BIS Entity List, DDTC Debarred List, or the Consolidated Screening List?
The second question is non-negotiable. A U.S. citizen who happens to be on the OFAC SDN list is still a prohibited recipient. A domestic supplier whose parent company sits on the BIS Entity List is now a deemed extension of that listed party under the 50% Affiliates Rule. The BIS 50% Affiliates Rule will automatically extend restrictions to any company that is 50% or more owned by any organization on the Bureau of Industry and Security (BIS) Entity List, regardless of whether the subsidiary, joint venture, or related company is explicitly named.
Manual screening doesn't scale. Defense supply chains routinely involve dozens of Tier 2 and Tier 3 suppliers, and in 2026, even Tier 3 suppliers are under greater scrutiny. Each one needs to be screened — and re-screened — before technical data crosses the boundary.
What Happens When You Get It Wrong
The penalties are severe and have ratcheted up. Civil penalties can reach fines up to $1,271,078 per violation or twice the value of the transaction, whichever is greater. Criminal penalties include fines up to $1,000,000 per violation, imprisonment for up to 20 years, or both. Debarment from participating in future U.S. government contracts or export activities is also possible.
And enforcement is rising. The enforcement posture has intensified dramatically. CMMC enforcement is now a contractual reality. Penalties for noncompliance have climbed to historic levels.
The historical record shows the government has gone after edge cases. College professors have been prosecuted for breaches of the AECA as a result of access to USML items by foreign graduate students and companies have been penalized for alleged breaches of the AECA for failing to properly remove USML items from material used to market defense articles. The U.S. government has also taken action for the export of technical data that was allegedly already publicly available on the Internet.
A Practical Compliance Workflow
For a small defense manufacturer or ITAR-registered job shop, the minimum viable workflow looks like this:
- Classify the data. Tag every drawing, file, and email tied to a USML article as ITAR-controlled.
- Restrict access by citizenship. Identity management must enforce U.S.-persons-only access on any system holding ITAR technical data.
- Screen every external recipient. Before sharing with a supplier, sub-contractor, or customer, run the entity and key personnel against the Consolidated Screening List, OFAC SDN, and the DDTC Debarred List.
- Use compliant transmission. End-to-end encrypted channels (FIPS 140-3 or AES-256) that satisfy § 120.54(a)(5).
- Maintain an audit trail. Log who accessed what, when, and why. Exemption certifications must be made in written form and retained in the exporter's files for a period of 5 years. For exports that are oral, visual, or electronic the exporter must also complete a written certification and retain it for a period of 5 years.
Step 3 is where ScreenShield fits. Before any technical data leaves your boundary — internally to a new hire, externally to a supplier, or digitally through a portal — the recipient should be screened against the full set of U.S. denied and restricted party lists.
Screen your first name free — takes 10 seconds
Related: ITAR Fabrication Compliance Guide · ITAR Subcontractor Screening Guide · EAR vs ITAR