In today’s regulatory environment, there’s no such thing as “set it and forget it.” For businesses navigating ITAR—the International Traffic in Arms Regulations—staying compliant means staying alert and proactive. Since 1981, the U.S. has averaged one new manufacturing-related regulation every week. From cloud data rules to updates to the United States Munitions List (USML), even small changes can have a big impact.
Here’s what’s new in 2025—and how to make sure your workplace is ready.
What is ITAR compliance?
ITAR is a set of U.S. government regulations that control the export and import of defense-related technology and services. To comply, your company needs to register with the Directorate of Defense Trade Controls (DDTC), make sure ITAR-controlled data stored in the cloud isn’t accessed by foreign entities, and lock down who can access sensitive systems and spaces.
The State Department’s DDTC manages the list of businesses that can deal in USML services and goods. But it’s up to you to put the right policies in place and keep your company compliant.
Recently, the U.S. Department of State has made multiple amendments to ITAR. On top of other things, these updates provide better governance and clearer definitions of current laws. Staying updated on these changes is essential to maintaining strong compliance practices.
Recent changes to ITAR compliance
Over the past few years, the State Department has been working to make it easier to comply with ITAR. They’ve introduced new amendments that have accomplished just that. Here are some of the most important ITAR updates.
Defining which activities aren’t exports
On March 25, 2020, the State Department added amendments that clarified the “activities that are not exports.” For example, unclassified technical data that’s transferred outside the U.S. (using end-to-end encryption) is no longer defined as an “export.”
With the rise of cloud storage, adhering to ITAR posed challenges for businesses. Before these changes, storing or transferring data overseas required a specific license from the DDTC. Cloud storage added new concerns. Companies worried about protecting sensitive data from foreign access. The March 2020 update lets companies under ITAR export rules migrate data to the cloud as long as the data is fully encrypted from start to finish.
Breaking down the multi-year ITAR overhaul project
On March 23, 2022, the State Department launched a “multi-year multi-rule project” to revise the ITAR. The plan restructures and consolidates ITAR to improve organization and clarity. The goal? Cut the clutter, simplify the language, and make the rules easier to follow.
Updates to Part 120
On September 6, 2022, the first update came into effect. The new rule restructures part 120 of the ITAR to “better organize the purposes and definitions of the regulations.”
Responses and minor amendments
The State Department reviewed feedback and, on February 27, 2023, finalized the latest changes with minor changes designed to clear up confusion and align the rules with how information is collected and defined.
Expanding trade: new defense articles you can now export
The State Department has expanded the types of defense articles and services that can be transferred under certain treaties and Canadian exemptions. Effective May 12, 2023, the amendments include specific changes to defense articles related to torpedoes, submarine combat control systems, and other categories. These updates aim to improve trade relations with allies, including the U.K. and Australia.
USML revisions: what’s in and what’s out
On May 21, 2023, the State Department made some key updates to the USML. They removed certain high-energy storage capacitors from Category XI, clarified which ones still need to be controlled, and added a 125-volt cutoff for these items. These changes still matter in 2025 and are a part of an ongoing push to keep ITAR aligned with modern tech—focusing on items that actually matter for military or intelligence use.
More recently, in early 2025, the State Department made additional changes to the USML. These included the removal or reclassification of certain items that no longer meet the threshold for control under ITAR. Manufacturers should carefully review the updated list to determine whether their products still fall under ITAR jurisdiction.
Stricter penalties: debarment for AECA violators
Starting June 15, 2023, the State Department began barring anyone convicted of violating the Arms Export Control Act (AECA) from ITAR-related activities for three years—unless they’re officially reinstated. This makes it clear: staying compliant isn’t optional, and violations have real consequences.
Staying up to date on the latest ITAR developments
Staying on top of ITAR compliance matters—especially since the State Department is still updating the rules over the next few years. More changes are expected this year, and recent updates, like how technical data is managed, can really affect your business.
But ITAR compliance isn’t just about knowing the rules. It’s about operational readiness. That starts at your front door. From checking visitor citizenship status to logging who came onsite and when, your physical access controls play a critical role. If you’re not tracking who enters your facility, you’re not truly audit-ready.
—
Learn how top exporters secure facility access and stay audit-ready in our new eBook, “Enhancing compliance and security with Envoy.”
Read more
Workplace security is critical to the future of your business. Learn why it matters, what threats to watch for, and how to strengthen your workplace security plan.
In this post, we’ll explore what workplace compliance is and how to build a compliance culture for your organization.
Learn how to choose a visitor management solution that’s right for you, including the best features to look out for.
A quality workplace has the power to make your organization thrive, if it's managed well. In this post, explore why workplace management is so important and how to get it right for you.
Managing your space well doesn’t have to be difficult. But to be successful you need the right processes and tools.
With more folks sending personal packages to the workplace, having a sound mailroom management system in place is key.