ITAR and EAR Export Controls: What Software Teams Need to Know

Export control regulations affect software development more than most teams realize. Here's how ITAR and EAR intersect with software supply chains.

James
Cybersecurity Researcher
6 min read

Export control regulations—specifically the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)—are among the most consequential and least understood regulatory frameworks affecting software development. Violations carry severe penalties including criminal prosecution, and the regulations reach deep into software supply chains in ways that catch many organizations off guard.

If your software has defense applications, includes strong cryptography, or processes controlled technical data, export controls are your problem—even if you don't think of yourself as a defense contractor.

ITAR vs. EAR: The Basics

ITAR (22 CFR Parts 120-130) controls the export and temporary import of defense articles and defense services. It's administered by the State Department's Directorate of Defense Trade Controls (DDTC). Items controlled under ITAR are listed on the United States Munitions List (USML).

EAR (15 CFR Parts 730-774) controls the export of dual-use items—commercial items that could have military or intelligence applications. It's administered by the Commerce Department's Bureau of Industry and Security (BIS). Items controlled under EAR are listed on the Commerce Control List (CCL).

The key distinction: ITAR is strict. Defense articles and defense services can generally be exported only under a license or a narrow exemption. EAR is more graduated: whether a license is needed depends on the item's Export Control Classification Number (ECCN), the destination, the end user and the end use, and many items need no license at all (EAR99 items, or items covered by a license exception). Both regimes treat the release of controlled technical data or technology to a foreign person inside the United States as an export (a "deemed export"), so a conversation in a US office can be an export just as a shipment abroad is.

How Software Falls Under Export Controls

Software can be export-controlled in several ways:

Defense Software (ITAR)

Software specifically designed for military or intelligence applications is typically ITAR-controlled. This includes:

  • Weapons system software
  • Military command and control software
  • Intelligence analysis software
  • Satellite and space defense software
  • Software for military-specific cryptographic systems

Dual-Use Software (EAR)

Software with commercial applications that could also serve military or intelligence purposes may be EAR-controlled. Common categories include:

  • Encryption software: software that implements or calls strong cryptography (ECCN 5D002, or 5D992 for mass-market items)
  • Intrusion software: software for generating, commanding, controlling or delivering "intrusion software" as the EAR defines it (ECCN 4D004), a category that captures many surveillance and exploitation tools
  • High-performance computing software: software for advanced computational applications
  • Other cybersecurity tools: vulnerability scanners, fuzzers and penetration-testing frameworks, which may be caught by the intrusion-software entries, by the encryption entries, or by neither, depending on what they actually do

Technical Data

Beyond the software itself, technical data related to controlled items is also controlled. This includes:

  • Source code for controlled software
  • Design documents and specifications
  • Test data and results
  • Manufacturing instructions

Supply Chain Implications

Export controls create several supply chain challenges that software teams often underestimate:

Personnel Restrictions

Under ITAR, sharing controlled technical data with foreign persons constitutes an export. This means:

  • Development teams working on ITAR-controlled software must be restricted to US persons (citizens, permanent residents, and certain protected individuals)
  • Code reviews, pair programming, and technical discussions involving controlled data cannot include foreign nationals without a license
  • Offshore development and outsourcing for ITAR-controlled projects generally requires a license (a Technical Assistance Agreement or similar authorization) and is impractical for most programs

This has direct implications for software supply chains. Open-source contributions, third-party contractors, and even some cloud services may involve foreign person access to controlled technical data.

Component Controls

When building controlled software, the components matter:

  • Using a foreign-developed encryption library in ITAR-controlled software creates compliance questions
  • Open-source components developed by international contributors may have export control implications
  • Third-party services hosted outside the US may constitute exports of controlled data

Organizations need to track not just what components are in their software, but where those components come from and who contributed to them.

Cloud and Infrastructure

Storing controlled technical data on foreign-hosted servers is an export unless a carve-out applies. Both ITAR (22 CFR 120.54) and EAR (15 CFR 734.18) exclude data that is end-to-end encrypted with sufficiently strong cryptography before it leaves your control, provided the keys are not given to a foreign person and the data is not intentionally stored in Russia or a Country Group D:5 destination; data sitting decrypted on a foreign provider's disks gets no such relief. This reaches into:

  • Cloud infrastructure selection (data must stay within approved jurisdictions)
  • CI/CD pipelines (build artifacts containing controlled data must be properly handled)
  • Collaboration tools (sharing controlled information through foreign-hosted services)
  • Package registries (downloading dependencies from or publishing to foreign servers)

Encryption Controls

Encryption is particularly complex under export controls. Many commercial encryption implementations can ship under EAR License Exception ENC, but to rely on it organizations typically must:

  • Classify the encryption functionality in their software (5D002, 5D992, or not controlled)
  • Determine which license exception, if any, covers each product and destination
  • File the required notifications and reports with BIS (for example, the annual self-classification report for items shipped under ENC)
  • Maintain records of the encryption capabilities in their products

One caveat matters for open source: publicly available encryption source code that would otherwise be 5D002 is not subject to the EAR once the location of the code has been notified to BIS and the NSA (15 CFR 742.15(b)), which is why many open-source crypto projects post such a notification.

For software supply chains, this means tracking which dependencies, direct or transitive, include encryption functionality and ensuring that the aggregate encryption capability of the shipped software is properly classified and authorized for export. A product that contains no crypto of its own still contains whatever its dependencies pull in.
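The component-tracking that the Component Controls and Encryption Controls sections call for can be driven from the same SBOM you already produce. The following is an added example, not code from the original article or from Safeguard.sh: it reads a CycloneDX SBOM, flags components that appear on a crypto-library watch-list, and walks the SBOM dependency graph so that transitive crypto dependencies are attributed to the direct dependency that pulls them in. The SBOM, the application name and the watch-list are constructed for this example; the watch-list is an illustration, not an ECCN classification.

```python
"""Inventory cryptographic dependencies from a CycloneDX SBOM (added example).

Flags components whose package URL (purl) matches a constructed watch-list of
crypto libraries, then walks the SBOM's dependency graph so that a crypto
library reached only transitively is attributed to the direct dependency that
brings it in. The watch-list is an assumption for illustration, not an
official classification.
"""
import json
from urllib.parse import unquote

# Constructed watch-list keyed by purl type (assumption: deliberately short).
CRYPTO_WATCHLIST = {
    "pypi": {"cryptography", "pycryptodome", "pynacl"},
    "npm": {"node-forge", "tweetnacl", "elliptic"},
    "golang": {"golang.org/x/crypto"},
    "cargo": {"ring", "rustls"},
}

# Constructed CycloneDX 1.5 SBOM for a hypothetical service ("telemetry-svc").
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "telemetry-svc", "type": "application"}},
    "components": [
        {"bom-ref": "c1", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "c2", "name": "urllib3", "version": "2.1.0", "purl": "pkg:pypi/urllib3@2.1.0"},
        {"bom-ref": "c3", "name": "pyjwt", "version": "2.8.0", "purl": "pkg:pypi/pyjwt@2.8.0"},
        {"bom-ref": "c4", "name": "cryptography", "version": "41.0.7", "purl": "pkg:pypi/cryptography@41.0.7"},
        {"bom-ref": "c5", "name": "cffi", "version": "1.16.0", "purl": "pkg:pypi/cffi@1.16.0"},
        {"bom-ref": "c6", "name": "pynacl", "version": "1.5.0", "purl": "pkg:pypi/pynacl@1.5.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c3", "c6"]},
        {"ref": "c1", "dependsOn": ["c2"]},
        {"ref": "c3", "dependsOn": ["c4"]},
        {"ref": "c4", "dependsOn": ["c5"]},
    ],
}


def parse_purl(purl):
    """Return (type, name) from a purl, dropping version, qualifiers and subpath.
    pkg:golang/golang.org/x/crypto@v0.17.0 -> ("golang", "golang.org/x/crypto")
    """
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]   # strip qualifiers / subpath
    body = body.rsplit("@", 1)[0]                    # strip version
    ptype, _, rest = body.partition("/")
    return ptype.lower(), unquote(rest)              # rest keeps namespace/name


def is_crypto(component):
    """True if the component's purl is on the watch-list for its ecosystem."""
    purl = component.get("purl")
    if not purl:
        return False
    ptype, name = parse_purl(purl)
    return name in CRYPTO_WATCHLIST.get(ptype, set())


def crypto_inventory(sbom):
    """Map each crypto-bearing component name to the sorted names of the root
    application's direct dependencies that (transitively) pull it in."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    crypto_refs = {ref for ref, comp in by_ref.items() if is_crypto(comp)}

    def reachable(start):
        seen, stack = set(), [start]
        while stack:                      # iterative DFS; tolerates cycles
            ref = stack.pop()
            if ref in seen:
                continue
            seen.add(ref)
            stack.extend(graph.get(ref, []))
        return seen

    inventory = {}
    for direct in graph.get(root, []):
        for ref in reachable(direct) & crypto_refs:
            inventory.setdefault(by_ref[ref]["name"], set()).add(by_ref[direct]["name"])
    return {name: sorted(via) for name, via in sorted(inventory.items())}


if __name__ == "__main__":
    report = crypto_inventory(SAMPLE_SBOM)
    print(json.dumps(report, indent=2))
    # Expected: cryptography is pulled in via pyjwt, pynacl is a direct dependency.
```

The point of walking the graph rather than grepping the component list is the attribution: `cryptography` never appears in this application's own manifest, it arrives through `pyjwt`, and that is exactly the dependency a classification review would otherwise miss. To use it on a real SBOM, replace `SAMPLE_SBOM` with `json.load(open(path))` and grow the watch-list to match your ecosystems.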

Compliance Program Requirements

Organizations dealing with export-controlled software need robust compliance programs:

Classification. Every software product and component must be classified to determine which (if any) export controls apply. This requires technical and legal expertise.

Personnel screening. For ITAR programs, personnel must be screened for US person status. Access controls must prevent unauthorized access by foreign persons.

Supply chain vetting. Components and dependencies must be evaluated for export control implications. This includes understanding the origin of components and the nationality of contributors.

Technology control plans. Organizations must implement plans that describe how controlled technology is protected from unauthorized access and export.

Record keeping. Export control regulations require detailed records of exports, transfers, and access to controlled technology.

Training. Personnel must understand their export control obligations and the specific restrictions that apply to their work.

Penalties

Export control violations carry serious penalties:

  • ITAR violations: civil penalties of roughly $1 million per violation (the statutory amount is adjusted for inflation each year) and, for willful violations, criminal fines of up to $1 million and up to 20 years imprisonment per violation
  • EAR violations: civil penalties of roughly $300,000 per violation or twice the transaction value, whichever is greater (also inflation-adjusted), and criminal fines of up to $1 million and up to 20 years imprisonment for willful violations
  • Debarment: organizations can be prohibited from participating in export activities
  • Loss of contracts: defense and government contracts require export control compliance

Practical Steps

For software organizations that may be affected by export controls:

  1. Classify your software. Work with legal counsel to determine whether your products or components are ITAR or EAR controlled.

  2. Inventory your supply chain. Understand the origin and composition of your software dependencies. Track which components include encryption or other potentially controlled functionality.

  3. Implement access controls. Ensure that access to controlled technical data is restricted to authorized personnel.

  4. Evaluate cloud and tooling. Verify that your development infrastructure, CI/CD pipeline, and collaboration tools comply with export control requirements.

  5. Train your team. Ensure that developers and managers understand the export control implications of their work.

How Safeguard.sh Helps

Safeguard.sh supports export control compliance by providing comprehensive visibility into software composition. The platform's SBOM generation and dependency tracking help organizations understand what components are in their software, where they come from, and what functionality they include—critical information for export classification and supply chain vetting. With detailed component metadata and audit trails, Safeguard.sh helps organizations maintain the documentation and oversight that export control regulations demand.
