ITAR Just Got Harder Again for Defense Firms

A lot of contractors still talk about ITAR as if it sits off to the side of the business. Legal checks. Shipping forms. License questions. Maybe a compliance review before a foreign transaction.

That mindset is now dangerous.

The August 27, 2025 final rule, effective September 15, 2025, explicitly says the Department of State amended ITAR to remove items from the USML that no longer warranted inclusion, add items that do warrant inclusion, and clarify entries, while also updating the January 17, 2025 interim final rule. It also added a new license exemption for certain activities involving unmanned underwater vehicles. That is not a “streamlining only” move. It is a rescoping move.

The bigger message is simple. Washington is reasserting tighter control over defense sensitive technology after years in which many firms got used to living closer to the EAR line.

For years, many in industry got comfortable with the idea that export control reform mostly meant migration away from ITAR toward Commerce jurisdiction for less sensitive items.

The 2025 rule does not fit that lazy assumption.

State’s final rule says plainly that some items were removed, some were added, and some entries were clarified because they warrant USML treatment. DDTC’s own summary highlighted concrete examples. Some anti jam and anti spoofing related items were removed from Category XI, but new control language was retained for certain large uncrewed underwater vessels because of their significant military or intelligence advantage and weaponization potential.

That is the point many firms are missing. This was not a one way deregulation exercise. It was a recalibration. Some things came off. Some things went back on. Some things got defined more clearly. The practical result is more classification risk for companies that assumed older assumptions still hold.

Another major shift came through § 126.7.

The December 30, 2025 final rule made the Australia, UK, and U.S. exemption effective that same day. The rule states that no license or other approval is required for certain eligible exports, reexports, retransfers, temporary imports, defense services, or brokering activity among authorized users within the physical territories of Australia, the United Kingdom, and the United States, subject to requirements and limitations. It also retained expedited licensing mechanisms for exports to Australia, the UK, and Canada under § 126.15(c) and (d).

That matters for industry, but the distinction matters even more.

• Australia and the UK sit inside the new § 126.7 exemption framework.
• Canada does not sit inside that same exemption. Canada is tied to expedited licensing treatment under separate provisions discussed in the same rulemaking history.

A lot of companies will blur those lines in conversation. That is a mistake. When your teams start saying “Canada is in the AUKUS exemption,” you have already created the kind of compliance sloppiness that gets people hurt later.

One of the clearest clues about where control is tightening is the new UUV provision.

DDTC’s own summary explains that, effective September 15, 2025, Category XX(a)(10) covers certain uncrewed, untethered vessels over 3,000 pounds designed to operate without human interaction for more than 24 hours or more than 70 nautical miles. The agency kept control over those systems because of their military and intelligence significance, but added a narrow exemption to facilitate certain civil tasks for eligible UUVs at or below 8,000 pounds.

That is exactly how modern control policy now works.

The government is not relaxing because autonomy is becoming common. It is tightening because autonomy is becoming militarily useful.

If your company touches unmanned maritime systems, autonomous payload integration, subsea mission support, or dual use navigation and endurance systems, this is not theoretical. It is your operating environment.

The compliance risk here is not limited to crates crossing borders.

It touches design reviews, technical data sharing, engineering collaboration, digital twins, autonomous control logic, anti jam functionality, software embedded in defense systems, test support, and foreign national access inside programs that used to be treated too casually.

The Raytheon case is the warning shot nobody in defense should ignore. In October 2024, DOJ announced Raytheon would pay over $950 million to resolve investigations involving defective pricing, foreign bribery, and export control violations. DOJ said the AECA and ITAR part of the case involved willfully failing to disclose bribes in export licensing applications with the State Department as required under ITAR Part 130. It also required a three year compliance monitor and program enhancements.

That is the real lesson. Export control failures do not stay inside the trade compliance office. They become enterprise failures.

Most defense contractors still make the same bad assumptions.

• They assume their product is “probably EAR.”
• They assume a supplier already checked classification.
• They assume software is less sensitive than hardware.
• They assume allied country transactions are lower risk.
• They assume the program team can move first and let legal clean it up later.

That kind of thinking might survive in a slow moving commercial market.

It does not survive under ITAR when the rule set is expanding, the allied carve outs are conditional, and enforcement is already proving painful.

This is not only a prime contractor problem.

Smaller manufacturers, software firms, niche sensor builders, aerospace suppliers, autonomy startups, and subsystem integrators are all in the blast radius because they are the ones most likely to carry legacy assumptions about where their item sits.

The final rule itself makes clear that items can move in both directions depending on sensitivity and policy judgment. That means classification decisions that were made years ago may now be stale. For smaller firms, the risk is not only a missed license. It is bad quoting, bad teaming, bad data sharing, and bad website claims that promise work with allies before anyone has validated the actual control path.

There is another reason contractors need to stop repeating shaky summaries.

I could verify that the Army is actively pursuing the XM1208 155 mm advanced submunitions projectile through a November 2025 market survey and that the government described the system’s military purpose in public program materials. But I did not find an official source supporting the exact claim that a $210 million sole source September 2025 contract was awarded to an Israeli firm called “Toare.” What I did find in the official September 23, 2025 contract notices was a different large ammunition award for 155 mm high explosive rounds to Global Military Products.

That matters because bad sourcing around controlled weapons programs is not a harmless mistake. In this market, sloppy facts often sit next to sloppy compliance habits.

A company that wants to stay credible under this new environment should do five things immediately.

• First, recheck classifications on anything touching autonomy, anti jam capability, aerospace subsystems, underwater vehicles, and sensitive technical data.
• Second, separate the Australia and UK § 126.7 exemption conversation from the Canada expedited licensing conversation so your teams stop blending unlike rules.
• Third, review who inside your company is sharing technical data with foreign persons, affiliates, suppliers, or teammates and under what authority.
• Fourth, stop treating ITAR as a shipping problem. It is an engineering, program management, capture, contracting, and digital collaboration problem too.
• Fifth, make your website and capture language match your compliance reality. Do not advertise frictionless allied collaboration if your internal controls are weak, your classifications are stale, or your people cannot explain where an item sits.

The 2025 to 2026 ITAR changes tell a very clear story.

The government is making defense trade easier with close allies in targeted ways.

At the same time, it is tightening or clarifying control over sensitive items that matter more in modern warfare, especially around autonomy, survivability, and advanced defense functionality.

That combination is unforgiving.

If your company still treats export control like administrative overhead, you are behind. And if your business development, engineering, and compliance teams are not speaking the same language right now, you are exposed.