Field Notes  ·   ·  Compliance  ·  12 min read

ITAR and EAR: A Practical Primer for Defense Hardware Startups

Most defense startup founders encounter ITAR and EAR for the first time when they are already mid-product. Here is what we learned building with export control compliance in mind from day one.

By Priya Selvan

Stack of defense regulatory documents and binders on a desk

When we started Askarl Defense in 2024, we knew we were building a product that would be covered by export control regulations. What we underestimated was how early those regulations would start shaping decisions — not just at the point of selling internationally, but at the stage of hiring, choosing development tools, deciding how to structure version control access, and figuring out who can be in a design review meeting.

Most of what I'm going to write here we learned by reading primary sources, talking to an export control attorney relatively early, and making a few correctable mistakes. This is not legal advice. For your specific situation, you need actual counsel. But if you're building a defense hardware startup and haven't yet gotten into the ITAR/EAR weeds, this is the orientation we wish we'd had on day one.

ITAR vs. EAR: The Basic Distinction

ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) are separate regulatory regimes administered by different agencies, covering different categories of items.

ITAR is administered by the Directorate of Defense Trade Controls (DDTC) at the State Department. It covers items on the United States Munitions List (USML). The USML is a positive list — if your item falls in a USML category, it is ITAR-controlled. There's no sliding scale of sensitivity; ITAR is a hard line. The USML is organized into 21 categories. For counter-drone systems specifically, the primary relevant category is USML Category XII (Fire Control, Range Finder, Optical and Guidance and Control Equipment), which covers targeting systems, fire control computers, and associated sensors. Category IV (Launch Vehicles, Guided Missiles, Ballistic Missiles) and Category XI (Military Electronics) also have relevance for some component categories depending on your architecture.

EAR is administered by the Bureau of Industry and Security (BIS) at the Commerce Department. It covers items on the Commerce Control List (CCL), as well as items that are "subject to EAR" but not specifically listed. CCL items are organized under Export Control Classification Numbers (ECCNs). EAR coverage includes dual-use technology — items with both commercial and military applications — and commercial items with military relevance that don't rise to USML level.

The threshold question for any defense hardware startup is: is my product or its components ITAR-controlled (USML), EAR-controlled (CCL), or both? The answer matters because ITAR compliance is significantly more restrictive than EAR compliance — ITAR requires registration with DDTC, licenses for most exports (including some deemed exports), and creates obligations around technical data that apply even to US persons in the US.

Deemed Exports: The Hiring Implication

This is the export control concept that surprises most defense startup founders the first time they hear it: a "deemed export" is the release of controlled technology to a foreign national in the United States. Under ITAR, sharing ITAR-controlled technical data with a foreign national in the US is treated as an export — even if that foreign national is your full-time employee working in your US office.

The practical implication: if your product is ITAR-controlled, you need to think carefully about who has access to technical data about the system. An engineer on a visa from a country that is not a treaty ally for USML Category XII purposes will need an export license before they can access ITAR-controlled design information. That license takes time to obtain (plan for 60–120 days minimum for standard applications) and may be denied for nationals of certain countries regardless of their individual credentials.

This does not mean defense startups should avoid hiring foreign nationals. It means you need to know early what the regulatory status of your product is, so that you can assess hiring decisions with that knowledge. We made the mistake of being slightly fuzzy on this in our first few months — not creating any actual violations, but not having the clarity we needed. Once we had our ITAR registration in place and our classification review documented, hiring decisions became cleaner.

ITAR Registration: Earlier Than You Think

Any US company that manufactures, exports, or provides defense services related to USML items is required to register with DDTC. This is not the same as having a license — registration is the baseline administrative step that establishes your existence in the system. The annual registration fee is currently $2,250 for manufacturers, and the process involves submitting a DS-2032 form with details about the company, its principals, and the nature of the defense-related activity.

The question of when to register is one that we got slightly wrong by being too conservative. We waited until we were further along in development before registering, reasoning that we weren't exporting anything yet. But registration is required as soon as you're manufacturing (or intending to manufacture) USML items, not at the point of first export. If your product is ITAR-controlled and you're building hardware, you should be registered. We were about 4 months late on this.

There's a related question about technical data. ITAR-controlled technical data — design drawings, specifications, testing procedures, manufacturing instructions for USML items — is subject to ITAR from the moment it exists, not from the moment you try to export it. This has implications for cloud storage, version control systems, and collaboration tools. Data about your ITAR-controlled product should be stored on infrastructure with access controls that prevent access by unauthorized foreign nationals. Most major cloud providers have US-person-only or US-government-accessible configurations that are appropriate for this; consumer-grade tools are not.

EAR and the Dual-Use Dimension

Even if your product's core capability falls under ITAR, many of the components and subsystems you're buying from commercial suppliers will be EAR-controlled rather than ITAR. Phased-array radar modules, EO/IR cameras with certain specifications, embedded compute platforms, RF components — these are frequently classified under the CCL rather than the USML.

The CCL classification system uses a 5-character ECCN (Export Control Classification Number) structure. The first character is the product category (1–9), followed by a letter indicating the group (A through E: equipment, materials, software, technology), followed by a 3-digit country/reason code. For example, 6A003 covers certain optical equipment; 7A002 covers certain inertial navigation systems.

EAR license requirements depend on both the ECCN classification and the destination country, end user, and end use. Many EAR-controlled items can be exported to most countries under "no license required" (NLR) status — the item is controlled but doesn't require a specific license for non-embargoed destinations. Some items require licenses for specific destinations, specific end users, or specific end uses (notably, military or WMD-related end uses trigger stricter requirements even for otherwise liberal ECCNs).

The day-to-day implication for a defense startup: before you buy a component from a supplier for use in a controlled product, check its ECCN. Before you consider sending any technical data or samples to a foreign entity, check whether an export license is required. The EAR Part 734 "scope" provisions and Part 736 "general prohibitions" are the place to start for understanding what requires a license.

Building With Compliance in Mind: What That Actually Means

The phrase "compliance-ready" gets used loosely in the defense startup world. Here's what we mean by it as an operational practice, not a marketing claim:

Product classification documentation: We maintain a written classification determination for ARES-1 and its principal subsystems, identifying which elements are USML-controlled, which are CCL-controlled, and which are EAR99 (subject to EAR but not specifically listed on the CCL). This document is reviewed when we add new subsystems or significantly modify existing ones. It's not a one-time exercise.

Technical data access controls: ITAR-controlled technical data is stored in access-controlled repositories. Access is restricted to US persons (US citizens and lawful permanent residents, per 8 USC 1101(a)(20)) unless a license has been obtained. We use role-based access controls that require affirmative disclosure of citizenship/residency status before granting access to ITAR-controlled repositories.

Export policy for prototypes and test articles: Any shipment of hardware outside the United States — including for testing, demonstration, or repair — requires a pre-shipment review against export control requirements. We have a short internal checklist for this that takes about 30 minutes to complete and creates a written record. For items that require a license, we don't ship until the license is in hand.

Technology Control Plan: DDTC and some contracting authorities require a Technology Control Plan (TCP) that documents how you prevent unauthorized access to ITAR-controlled items and data. We drafted ours early, before we needed it, so we weren't in the position of building the document under time pressure when a contract required it.

What We Got Wrong and Would Do Differently

The biggest mistake was treating export control as a legal problem to solve once, rather than an operational discipline to build from the start. Export control compliance is not primarily about having the right paperwork. It's about having processes that are consistent enough that the right behavior happens automatically, without someone having to remember to check.

We also underestimated the time cost of ITAR registration and initial classification review. Between the attorney time for the classification analysis, the DDTC registration processing time, and the internal work to set up compliant data handling, the setup took about 8–10 weeks of part-time attention during a period when we were also trying to build hardware. Starting earlier would have been better.

The specific things we'd do from day one: get the initial classification review done by an export control attorney before you've written significant technical documentation (classification shapes what kind of documentation controls you need, and it's easier to set up controls before the data exists than after); register with DDTC as soon as you have a plan to build USML items; set up separate data repositories for ITAR-controlled vs. non-controlled materials before you have any ITAR-controlled materials (it's much harder to segregate after the fact); and brief every new hire on deemed export requirements in their first week.

A Note on the State-Commerce Jurisdictional Question

The ITAR/EAR jurisdictional boundary — whether a given item is on the USML (ITAR) or the CCL (EAR) — is not always obvious. The 2013–2018 Export Control Reform (ECR) process moved a substantial number of items from the USML to the CCL, creating what are called "600 series" CCL entries for military items with some USML carve-outs remaining. The intent was to make EAR control more common for items that are widely available internationally, reserving ITAR for the most sensitive military-unique systems.

For a system like a kinetic counter-UAS interceptor with integrated fire control, the jurisdictional question is genuinely complex. The fire control components (targeting optics, guidance computers, fire control algorithms) are likely to remain in USML Category XII. The radar subsystem may have CCL entries that apply. The launcher mechanics may be EAR-controlled rather than ITAR. Getting this right requires a qualified attorney with specific export control experience — it's not something you should determine by reading the USML/CCL text without expert guidance.

The cost of getting it wrong is substantial: ITAR violations carry civil penalties up to $1 million per violation and criminal penalties up to $1 million and 20 years imprisonment per violation. More practically, an ITAR violation can result in loss of export privileges, which would be an existential event for a defense hardware company. The cost of getting it right — attorney fees, registration fees, the internal overhead of running a compliance program — is real but manageable.

We're not in a position to tell you your product is or isn't ITAR-controlled. What we can say is that if you're building kinetic defense hardware and you haven't done the classification review yet, do it before you share any technical data outside your US-person team. The downside scenario of being wrong after the fact is materially worse than the cost of the review.

All Field Notes