ITAR stands for International Traffic in Arms Regulations. ITAR governs information and material pertaining to defense and military-related technologies. These governed technologies are on a specific list called the U.S. Munitions List. The intent is that these governed items of information are only shared with U.S. persons unless authorized by the U.S. Department of State. ITAR does not apply to information that is in the public domain, such as items commonly taught in school, general science, marketing and math. ITAR is administered by the U.S. Department of State.
Why are we discussing this on a security blog? In the work I do, which relies heavily upon both security and compliance, customers often ask if the company I work for is “ITAR Certified” or “ITAR Compliant.” Much of what is contained here is a response that I provide them, but I also felt that it was worthwhile to post a little bit about a requirement that few Information Security professionals come across.
Let's answer the customer question first: are we “ITAR Certified” or “ITAR Compliant”? Those are two different things and, frankly, only one is close to accurate. There is no such thing as “ITAR certification,” though the term is thrown around.