No. Consumer ChatGPT is not authorized for ITAR-controlled technical data, and pasting it in can be an unauthorized deemed export under U.S. law. Releasing that data through a general AI service that foreign persons can access counts as a "deemed export" that requires State Department authorization the tool cannot give you. And the liability for that paste can land on you personally, not just your employer.
The International Traffic in Arms Regulations (ITAR) are administered by the State Department's Directorate of Defense Trade Controls (DDTC) under the Arms Export Control Act, codified at 22 U.S.C. 2778. The regulations sit at 22 CFR Parts 120 through 130. If your work involves items on the United States Munitions List, including the technical data tied to those items, ITAR governs where that data can go and who can see it.
General information only. This post is not legal or compliance advice. Before you put any controlled data anywhere, consult your organization's export-control officer.
What counts as ITAR technical data
Technical data is the category most likely to end up in a chat window, and it is broader than a finished drawing. Under the ITAR, technical data means information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of a defense article. That reaches source code, engineering models, test results, tolerances, wiring diagrams, and the notes an engineer writes while debugging a controlled system. If the underlying item is on the United States Munitions List, the data that describes how to build or sustain it travels with the same controls.
This is why the AI use case is risky precisely where it feels convenient. Asking a model to reformat a test report, summarize a maintenance procedure, or debug a snippet of flight software all involve moving technical data into the tool. The task feels administrative. The regulation does not care that the goal was tidier formatting. It cares that you released controlled technical data.
Why pasting ITAR data into ChatGPT is an "export"
An "export" under ITAR is broader than shipping a physical part overseas. 22 CFR 120.50 defines export to include "releasing or otherwise transferring technical data to a foreign person in the United States," which the regulation labels a deemed export. You do not have to send anything across a border. Disclosing controlled technical data to a foreign person, even inside the United States, is treated as an export that needs authorization.
A general AI service is a poor fit for that rule. When you paste technical data into a consumer chatbot, the data leaves your controlled environment and enters infrastructure operated by the provider. The service, its staff, its subprocessors, and its model-improvement pipelines may include foreign persons. Under the deemed export rule, releasing controlled technical data where a foreign person can access it is treated as an export to every country in which that person holds citizenship or permanent residency.
"Release" is deliberately wide. DDTC's definitions capture visual inspection, oral exchanges, and written or electronic transfers of technical data to a foreign person. A chat window that displays your controlled data to systems and people outside your authorized access list can constitute a release. The activity, not your intent, is what the regulation measures.
Retention and training make the exposure worse. A consumer service may store your prompts, use them to improve models, or route them to human reviewers. Once controlled technical data enters that pipeline, you lose the ability to say who saw it, where copies live, or whether a foreign person accessed it. The deemed export may have already happened by the time you close the tab, and you cannot claw it back. The damage sticks. Enterprise or business tiers with contractual controls change the retention picture for ordinary corporate data, but they do not convert a general AI product into an ITAR-authorized environment.
What are the penalties?
The penalties are severe and personal. The Arms Export Control Act, at 22 U.S.C. 2778(c), states that any person who willfully violates the statute shall be fined for each violation not more than $1,000,000 or imprisoned not more than 20 years, or both. That criminal exposure attaches to individuals, not only to companies.
Civil penalties apply on top of the criminal ones and do not require willful intent. The ITAR sets substantial civil penalties per violation under 22 CFR 127.10, and DDTC adjusts the maximum figures for inflation each year. As of 2026 the inflation-adjusted per-violation ceiling for an Arms Export Control Act violation exceeds one million dollars. Each release can count as a separate violation, so a single careless paste of a multi-page document can multiply into many.
The penalties in 22 U.S.C. 2778(c) reach individuals. An engineer who pastes controlled technical data into a consumer AI tool can face personal criminal and civil liability, not just their employer.
Enforcement also runs beyond fines. DDTC can pursue debarment, which blocks a company or individual from future defense trade activity, and violations can trigger voluntary disclosure obligations, remediation, and reputational harm that outlasts any single penalty. For a contractor whose business depends on defense work, losing the ability to participate in that trade is often the more damaging outcome. The regulation gives DDTC wide latitude to combine criminal referral, civil penalty, and administrative action for the same underlying conduct.
Does a CMMC assessment give me ITAR shelter?
No. CMMC and ITAR are different regimes enforced by different regulators. The Cybersecurity Maturity Model Certification is a Department of Defense program that measures how well a contractor protects Controlled Unclassified Information under DoD acquisition rules. ITAR is a State Department export-control regime under the Arms Export Control Act. A clean CMMC assessment says your cybersecurity practices met a DoD standard. It does not authorize you to disclose ITAR technical data to a foreign person, and it does not make a consumer AI tool an approved destination for controlled data.
Treating a CMMC certificate as ITAR cover is a common and costly misread. Passing one does not satisfy the other, even though the two programs overlap in practice and a contractor may need both. The export authorization question is separate, and DDTC, not the DoD assessor, controls the answer.
What about the ITAR encryption carve-out?
The encryption carve-out exists, but a consumer chatbot session does not meet its conditions. In 2020, DDTC added 22 CFR 120.54, which lists activities that are not exports. Under paragraph (a)(5), the ability to access unclassified technical data secured by end-to-end encryption does not by itself count as a release or export, provided strict conditions are met.
Those conditions are demanding. The data must be secured using cryptographic modules compliant with FIPS 140-2, or by other cryptographic means that provide security strength at least comparable to AES-128. It must be end-to-end encrypted so it stays unintelligible while in transit and while stored on any intermediate infrastructure. The means of decryption cannot be given to any third party, and the data cannot be intentionally sent to or stored in a country proscribed under 22 CFR 126.1. In short, the provider handling your data must never be able to read it.
A consumer AI tool breaks that model by design. To answer your prompt, the model has to see your unencrypted words. The provider decrypts the request, processes it, and may log or retain it. That is the opposite of end-to-end encryption where no third party holds the keys. The 120.54 carve-out does not rescue a chatbot session, because the chatbot has to see the data to work.
Consumer ChatGPT versus an authorized environment
| Dimension | Consumer ChatGPT / general AI tools | ITAR-authorized environment |
|---|---|---|
| Access control | Provider staff, subprocessors, and pipelines may include foreign persons | Access restricted to authorized U.S. persons with documented controls |
| Deemed export risk | Pasting controlled technical data can be an unauthorized release under 22 CFR 120.50 | Designed so no unauthorized foreign-person access occurs |
| Data visibility | Provider must read your plaintext to generate a response | Controlled data stays inside an approved, access-limited boundary |
| Encryption carve-out (120.54) | Fails: not end-to-end, provider holds keys and reads content | Can be architected to meet or exceed 120.54 conditions where applicable |
| Regulatory authority | No DDTC authorization for ITAR technical data | Operated under the terms of your license, agreement, or exemption |
| Who bears liability | You and your employer, criminally and civilly | Managed under a documented compliance program |
How to tell if your data is controlled
When you are unsure, treat the data as controlled until your compliance function tells you otherwise. Classification under ITAR turns on whether the item sits on the United States Munitions List and whether the information qualifies as technical data for that item. That determination belongs to your export-control officer, not to an individual engineer under deadline pressure. The safe default costs you a short delay. The unsafe default can cost personal criminal liability.
A few practical signals should stop you before you paste. Each of these points toward controlled status:
- Documents marked with export-control legends.
- Data tied to a program with foreign-national access restrictions.
- Files pulled from a system that limits access to U.S. persons.
The presence of a CMMC or Controlled Unclassified Information label does not resolve the ITAR question by itself, since a file can be both CUI and ITAR technical data. When any of these signals appear, the destination is your authorized environment, not a public model.
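The stop-before-you-paste rule above can be enforced as a fail-closed gate in front of any general AI tool. The sketch below is an added example, not code from MemX or any export-control program; the legend patterns, the `gate` and `normalize` names, and the clearance list of SHA-256 digests issued by the export-control officer are all assumptions.

```python
import hashlib
import re

# Assumed legend wording (illustrative): replace with the markings your own
# export-control program applies. A match blocks; no match clears nothing.
LEGEND_RE = [re.compile(p, re.IGNORECASE) for p in (
    r"\bITAR\b",
    r"\b22\s*C\.?F\.?R\.?\s*(?:parts?\s*)?1[23]\d\b",
    r"\barms\s+export\s+control\s+act\b",
    r"\bexport[\s-]*controlled\b",
    r"\b(?:united\s+states|u\.?s\.?)\s+munitions\s+list\b",
)]


def normalize(text: str) -> str:
    """Rejoin words hyphenated across line breaks and collapse whitespace so a
    legend wrapped across lines in a header or footer still matches."""
    text = re.sub(r"-\s*\n\s*", "", text)
    return re.sub(r"\s+", " ", text)


def gate(text: str, cleared_sha256: set) -> tuple:
    """Return (decision, matched_legends) and fail closed.

    BLOCK: a legend matched, whatever the clearance list says.
    ALLOW: this exact content is on the officer-issued clearance list.
    HOLD:  anything else; unmarked data is still treated as controlled.
    """
    flat = normalize(text)
    hits = [m.group(0) for rx in LEGEND_RE if (m := rx.search(flat))]
    if hits:
        return "BLOCK", hits
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return ("ALLOW", []) if digest in cleared_sha256 else ("HOLD", [])


# Constructed sample inputs (not real documents).
MARKED = ("Actuator torque table rev C\nWARNING: contains technical data whose "
          "export is restricted by the Arms Export\nControl Act. Export-\n"
          "Controlled under 22 CFR 120-130 (ITAR).")
NOTES = "Meeting notes: migrate CI runners to the new base image."

if __name__ == "__main__":
    cleared = {hashlib.sha256(NOTES.encode("utf-8")).hexdigest()}
    print(gate(MARKED, cleared))   # legend present
    print(gate(NOTES, set()))      # no clearance on record
    print(gate(NOTES, cleared))    # cleared by the officer
```

A legend match is only a stop signal. Classification still belongs to the export-control officer, which is why unmarked text returns HOLD rather than ALLOW.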
What to do instead
Keep ITAR-controlled technical data out of every general consumer AI tool. Controlled data belongs only in an environment that your export-control program has authorized and that limits access to cleared U.S. persons. Reformatting, summarizing, or debugging controlled data is not a valid reason to move it outside that boundary. If you need AI assistance on controlled work, that requirement has to go through your compliance function, not a public chat window.
- Confirm with your export-control officer whether the data is ITAR-controlled technical data before it touches any AI tool.
- Never paste controlled technical data into consumer ChatGPT, Claude, Gemini, or similar general services.
- Do not rely on a CMMC certificate as authorization to disclose ITAR data.
- Do not assume the 22 CFR 120.54 encryption carve-out covers a chatbot session; it does not.
- Route any AI-on-controlled-data need through your compliance program and an authorized environment.
Before using any AI assistant on defense work, split the task. Non-controlled material, such as public documentation or your own unclassified notes, can go to general tools. Controlled technical data stays inside your authorized environment. When in doubt, ask your export-control officer first.
Where MemX fits, honestly
MemX is not an ITAR-authorized environment, and we do not claim it is. MemX is a private-by-architecture memory layer for your own non-controlled work, so your general context and notes stay in one place instead of scattered across chat sessions. It is not a substitute for an authorized, access-controlled system, and it should never hold ITAR-controlled technical data. For controlled defense data, the only correct home is the environment your export-control program has approved.
Written by Aditya Kumar Jha, Founding Engineer at MemX.
Frequently asked questions
01. Is ChatGPT ITAR compliant?
No. Consumer ChatGPT is not authorized for ITAR-controlled technical data. Pasting such data can be an unauthorized deemed export under 22 CFR 120.50, since foreign persons in the provider's operations could access it.
02. What is a deemed export under ITAR?
A deemed export is releasing or transferring controlled technical data to a foreign person in the United States. Under 22 CFR 120.50 it is treated as an export to every country where that person holds citizenship or residency.
03. What are the penalties for an ITAR violation?
Under 22 U.S.C. 2778(c), willful violations carry fines up to $1,000,000 and up to 20 years imprisonment per violation. Substantial civil penalties over one million dollars per violation apply separately under 22 CFR Part 127.
04. Does CMMC certification make me ITAR compliant?
No. CMMC is a DoD cybersecurity standard for Controlled Unclassified Information. ITAR is a separate State Department export-control regime. Passing CMMC does not authorize you to disclose ITAR technical data or use a consumer AI tool for it.
05. Does the ITAR encryption carve-out cover ChatGPT?
No. The 22 CFR 120.54 carve-out requires true end-to-end encryption where no third party holds the keys or reads the data. A chatbot must decrypt and read your prompt to answer it, so the session does not qualify.
The short answer stays the same across every phrasing of the question. Consumer ChatGPT is not an ITAR-authorized destination for export-controlled technical data, a CMMC assessment does not change that, and the encryption carve-out does not apply to a tool that has to read your data. Keep controlled defense data inside an authorized environment and route AI needs through your compliance officer.
