ITAR, EAR, and Wassenaar Export Controls

by Nick Clark | Published April 25, 2026

The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120-130), the Export Administration Regulations (EAR, 15 CFR Parts 730-774), and the Wassenaar Arrangement together govern the cross-border movement of defense articles, dual-use technologies, and emerging strategic capabilities. The compliance burden is not principally about deciding whether to license a transaction; it is about producing, on demand and years after the fact, a defensible record of who saw what, under what authority, with what end-use representation, and against which control list classification. A governance-chain substrate replaces procedural attestation with structural evidence that is admissible to BIS, DDTC, and foreign partner authorities.


Regulatory Framework

ITAR, administered by the Directorate of Defense Trade Controls (DDTC) at the U.S. Department of State, governs defense articles and defense services enumerated on the United States Munitions List (USML) at 22 CFR 121.1. The USML organizes controlled items into twenty-one categories spanning firearms, launch vehicles, military electronics, directed energy weapons, and submersible vessels, with technical data and defense services treated as exports in their own right under 22 CFR 120.10 and 120.9. Registration with DDTC under 22 CFR 122 is a precondition to engaging in any manufacture, export, or brokering activity, and licenses are required for nearly every cross-border movement, including transmission of technical data to foreign persons inside the United States.

EAR, administered by the Bureau of Industry and Security (BIS) at the U.S. Department of Commerce, governs dual-use items and certain less-sensitive military items through the Commerce Control List (CCL) at 15 CFR 774 Supplement No. 1. Items not enumerated on the CCL fall into the residual EAR99 category, but EAR99 is not a free pass; end-use and end-user controls under 15 CFR 744 prohibit transactions with denied parties, military end-users in arms-embargoed destinations, and specified weapons-of-mass-destruction programs regardless of classification. The Entity List, the Military End-User List, and the Unverified List each carry distinct license requirements and presumptions of denial.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies coordinates export control among forty-two participating states and forms the multilateral basis for many CCL entries, including cybersecurity and intrusion-software controls in Categories 4 and 5. The deemed export rule at 15 CFR 734.13(a)(2) and the deemed reexport rule at 15 CFR 734.14 treat the release of controlled technology to a foreign person as an export to that person's country of nationality, which extends control jurisdiction deep into domestic engineering, cloud, and contractor environments. Facility Clearance (FCL) and Personnel Clearance (PCL) programs administered under the National Industrial Security Program Operating Manual (NISPOM, 32 CFR Part 117) layer additional access controls on classified defense work.

Architectural Requirement

Export control compliance is structurally a problem of access provenance, not of policy adoption. A defense contractor running a CAD review, a semiconductor firm performing process simulation, or a quantum-computing startup hosting a Jupyter notebook must be able to demonstrate, for every byte of controlled technical data, that the requester held a credentialed authority adequate to the classification, that the request was evaluated against current end-user and end-use restrictions, that any release was logged with attributes sufficient to reconstruct the deemed-export analysis, and that the chain of custody is preserved across cloud regions, contractor handoffs, and version revisions. None of those properties are produced by document-level marking, perimeter firewalling, or policy training.

The architectural requirement intensifies as control lists migrate toward emerging technologies. The October 2022 BIS interim final rule on advanced computing and semiconductor manufacturing items (87 FR 62186) introduced presumption-of-denial licensing for advanced node fabrication equipment, AI accelerators above specified TOPS thresholds, and the U.S.-person services rule that reaches engineering labor regardless of employer nationality. The 2023 and 2024 amendments tightened thresholds and added countries of concern. Compliance under these rules requires per-query evaluation of who is asking, what they are asking for, where they sit, and whether a U.S. person is providing support, on a timescale that no human reviewer can sustain.

Why Procedural Compliance Fails

The procedural compliance posture treats export control as a workflow attached to a knowledge-management system: documents are tagged with USML or ECCN classifications, access lists are maintained, and quarterly audits confirm that controls are in place. This posture fails on three structural axes. First, classification is brittle: a single CAD file may aggregate components classified across multiple USML categories and ECCN entries, and the controlling classification of a derived work is not the union of inputs but the most-restrictive applicable classification. Second, access lists drift: contractor rotations, mergers, foreign-national hires, and cloud-region migrations all create deemed-export exposures that propagate faster than list maintenance. Third, the audit record is reconstructive rather than contemporaneous, and DDTC and BIS investigators routinely find that firms cannot answer basic questions about who accessed which technical data on which date without weeks of forensic effort.

Enforcement actions reflect these failures. The 2018 FLIR Systems consent agreement (DDTC) imposed thirty million dollars in penalties for unauthorized exports of thermal imaging technology to dual-national employees, a textbook deemed-export failure. The 2023 Seagate settlement (BIS) imposed three hundred million dollars for shipments to Huawei after the Entity List designation, a failure of end-user evaluation at scale. In each case the underlying defect was not absence of policy but absence of structural evidence at the moment of release. A procedural framework can produce a corrective-action plan; it cannot produce admissible per-transaction provenance after the fact.

What the Governance-Chain Primitive Provides

The governance-chain primitive treats every release of controlled information as a five-property event. Authority-credentialed observation binds the requester's clearance, citizenship, employer, and role to the access at the moment it occurs, with credentials evaluated against current Entity List, Denied Persons List, and Unverified List snapshots. Evidential weighting attaches confidence values to each credential according to its issuing authority and verification path, so that a DD Form 254 sponsorship carries different weight from a self-attested employer affiliation. Composite admissibility combines those weighted credentials into a single decision that maps to the USML category or ECCN classification of the requested artifact.

Governed actuation gates the actual release behind that composite decision, so that the artifact is not merely policy-protected but cryptographically inaccessible until the chain resolves. Lineage-recorded provenance writes the full decision record, including credential snapshots, classification determination, end-use representation, and release artifact hash, into an append-only log whose entries are independently verifiable by DDTC, BIS, or a foreign partner authority. The five properties together replace the document-tag-plus-access-list pattern with a per-event evidentiary record that survives personnel turnover, cloud migration, and corporate restructuring.
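A sketch of the release event described above, as an added example that is not code from the author or any product: weighted credentials are combined into one decision, the decision gates the artifact, and the record goes into a hash-chained log that a third party can re-verify. The combination rule, field names, integer weights, thresholds and sample credentials are assumptions, and gating is modelled as returning the bytes or `None` rather than by encryption.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def _digest(body):
    # Canonical JSON so an independent verifier recomputes the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def composite_decision(credentials, threshold):
    # Assumed rule: any revoked credential denies; otherwise the summed
    # integer weights must reach the threshold set for the classification.
    if any(c["revoked"] for c in credentials):
        return False
    return sum(c["weight"] for c in credentials) >= threshold

def release(log, requester, credentials, classification, threshold,
            end_use, artifact):
    """Log the decision (grants and denials alike), then gate the artifact."""
    released = composite_decision(credentials, threshold)
    body = {
        "seq": len(log),
        "prev": log[-1]["hash"] if log else GENESIS,
        "requester": requester,
        "credentials": credentials,  # snapshot as evaluated
        "classification": classification,
        "end_use": end_use,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "released": released,
    }
    log.append(dict(body, hash=_digest(body)))
    return artifact if released else None

def verify(log):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

# Constructed sample data (placeholder names, weights and classification).
SPONSORED = {"issuer": "dd254-sponsorship", "weight": 80, "revoked": False}
SELF_ATTESTED = {"issuer": "self-attested-employer", "weight": 20, "revoked": False}
```

The chain detects edits, reordering and removal of earlier entries, but not truncation of the tail; the most recent hash has to be anchored somewhere outside the log for that.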

Compliance Mapping

The mapping to ITAR is direct. The 22 CFR 120.10 definition of technical data and the 22 CFR 120.17 definition of export both attach to the moment of release, which is exactly the event that authority-credentialed observation captures. The 22 CFR 122.5 recordkeeping requirement, which obligates registrants to maintain export records for five years, is satisfied by the lineage log without supplementary archiving. The 22 CFR 126.18 dual-national and third-country-national exemption requires effective procedures to prevent diversion, and composite admissibility produces the per-access evidence that DDTC compliance reviews demand.

The mapping to EAR is similarly direct. The 15 CFR 762 recordkeeping rule, the 15 CFR 744 end-use and end-user screening obligation, and the 15 CFR 734.13 deemed-export rule all attach to the release event and to the requester's nationality, both of which the chain captures. The CCL classification is recorded as part of composite admissibility, which means that subsequent reclassifications, including BIS commodity classification rulings under 15 CFR 748.3, can be applied retrospectively against the lineage record without replaying the underlying access events. For Wassenaar-derived controls on intrusion software (ECCN 4D004) and cybersecurity items (ECCN 5A001.j), the per-query evidentiary record supports the technical-note exclusions that govern legitimate vulnerability research.

For NISPOM-governed classified work, the chain composes with FCL and PCL records to produce a unified access-provenance log that satisfies DCSA self-inspection requirements under 32 CFR 117.7 and supports the contract-level reporting obligations of DD Form 254. The lineage record is the artifact that auditors, investigators, and partner authorities want; the chain is the mechanism that produces it as a byproduct of normal operation rather than as a separate compliance overhead.

Adoption Pathway

Adoption begins at the highest-exposure boundary, typically the engineering data management system or the cloud-hosted simulation environment where deemed-export risk is concentrated. The chain is inserted as the access mediator for controlled artifacts, with credential sources federated from existing identity providers, DDTC registration records, and Entity List feeds. Initial deployments operate in a shadow mode that records the chain decision alongside the existing access mechanism, which allows compliance teams to compare the structural record against procedural assumptions before cutover.

The second phase extends the chain to contractor and joint-venture boundaries, where deemed-reexport exposure under 15 CFR 734.14 is most acute. The federated credential model allows partner authorities to issue and revoke clearances without requiring a unified identity infrastructure, and the lineage log produced at each boundary is mutually verifiable. The third phase brings the chain into the development lifecycle itself, so that source control, build artifacts, and simulation outputs all carry the same provenance properties, eliminating the gap between engineering operations and export-control records that current procedural frameworks cannot close.
