How Should a Small Defense Startup Handle ITAR Requirements in Their Systems Engineering Process?
A founder asks: “We’re a twelve-person defense startup working on a directed-energy subsystem. We’re starting to formalize our systems engineering process and we want to use a modern requirements tool — but we have ITAR-controlled technical data in our requirements documents. How do we manage this without turning every tool evaluation into a six-month legal review?”
This is exactly the right question to ask before you’re already in trouble. Most small defense teams discover their ITAR exposure after a tool is already deployed, data has already been entered, and someone in legal is asking uncomfortable questions about where it’s stored and who has access. Here is a thorough answer.
What ITAR Actually Covers in a Requirements Context
The International Traffic in Arms Regulations (22 CFR Parts 120–130) control the export of defense articles and defense services listed on the United States Munitions List (USML). The part that catches engineering teams off guard: technical data is a defense article under ITAR.
Technical data means, per 22 CFR 120.33, information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. That definition covers almost everything that lives inside a well-written requirements document for a defense system.
Practically speaking:
- System-level performance requirements for a USML-listed article (e.g., pointing accuracy, lethality thresholds, operational frequency ranges) are almost certainly ITAR-controlled technical data.
- Interface definitions that describe how a defense article connects to a weapons platform are likely controlled.
- Derived requirements that trace from a classified or controlled parent may inherit that classification.
- Operational concepts and ConOps documents frequently contain controlled technical data even when they don’t look like engineering specifications.
What is generally not ITAR-controlled: general systems engineering methodology, tool configuration, boilerplate requirement templates, and publicly available technical information (ITAR’s “public domain” exception under 22 CFR 120.34).
The compliance exposure in a requirements tool is straightforward: if you paste controlled technical data into a SaaS platform without verifying jurisdiction, access controls, and encryption, you may have committed an unlicensed export. The tool doesn’t need to cross a border — allowing a non-U.S.-person access to the data is itself an export.
What a Cloud-Based Requirements Tool Must Provide Before You Store ITAR Data
Not all SaaS tools are disqualified for ITAR use, but each must meet a specific bar before you treat it as compliant. Evaluate on four dimensions:
1. Data Residency and Jurisdiction
Your data must reside on servers physically located in the United States, operated by U.S. persons, and not subject to foreign legal jurisdiction that could compel disclosure. Verify this in writing from the vendor — not from their marketing page, but from their Data Processing Agreement or security addendum. Ask explicitly: “Are all storage, processing, and backup systems located within the continental United States?”
2. Access Control to U.S. Persons Only
ITAR requires that access to technical data be limited to U.S. persons (U.S. citizens, lawful permanent residents, or entities granted appropriate authorization). Your tool must support role-based access control (RBAC) granular enough to enforce this at the project or module level. This means you need to be able to create a controlled project space that explicitly excludes non-U.S.-person accounts — including vendor support staff who might have back-end access.
Ask vendors whether their support and engineering staff who could access your data are U.S. persons. Get that answer in writing.
3. Encryption
Encryption at rest (AES-256 is the standard) and in transit (TLS 1.2 minimum) is table stakes. For higher-sensitivity content, ask whether the vendor supports customer-managed encryption keys (CMEK) — this means only your team can decrypt the data, not the vendor.
4. Audit Logging
You need a defensible record of who accessed what, when, and from where. This is both a compliance requirement and a practical necessity for your Technology Control Plan.
How to Structure Requirements Documents to Separate Controlled Content
This is where most small teams make preventable mistakes. The instinct is to build one integrated requirements document covering everything — system, subsystem, interface, verification. That structure is efficient for engineering but catastrophic for compliance, because it mixes controlled and uncontrolled content in the same artifact.
The right structure is modular from the start.
Establish at least three tiers of document classification:
Tier 1 — Uncontrolled. General system architecture descriptions at a level of abstraction that doesn’t reveal controlled performance parameters. Program management artifacts. Tool configuration. Process documentation.
Tier 2 — Export Controlled (EAR or ITAR). System-level performance specifications. Interface control documents with controlled parameters. Technical data that is controlled but not classified. Store this in a dedicated project or module with explicit U.S.-person access enforcement.
Tier 3 — Classified (if applicable). If you’re handling classified information, you need a cleared facility and accredited systems — this is outside the scope of commercial SaaS tools entirely.
Within your requirements tool, implement this separation structurally:
- Create separate projects or modules for Tier 1 and Tier 2 content.
- Configure RBAC so that Tier 2 projects are accessible only to verified U.S. persons.
- Establish a naming and tagging convention that makes the controlled status of any artifact visible at a glance.
- Establish a requirement that controlled technical data is never entered into Tier 1 workspaces, even as examples or placeholder text.
The traceability link between tiers is legitimate — you can reference a controlled requirement from an uncontrolled parent — but that link should be read-only from the uncontrolled side, and anyone following it should immediately encounter the access controls of the Tier 2 environment.
Practical Advice for Small Teams Without a Full Compliance Staff
You don’t need a twelve-person compliance department before you can operate responsibly. You need three things done well.
Write a Technology Control Plan before you pick a tool. A TCP is an internal document that describes what controlled technical data you have, how it’s classified, who has authorized access, how it’s stored, how it’s transmitted, and how you’ll detect and respond to violations. It doesn’t have to be long — for a twelve-person startup, fifteen to twenty pages is sufficient. Draft it before you commit to any tool, because the TCP should inform the tool selection, not the other way around.
Designate an Empowered Compliance Point of Contact. This is not a full-time job at your current scale, but someone needs to own it. That person reviews tool evaluations for ITAR implications, maintains your vendor agreements and security addenda, and runs the semi-annual access review that keeps your U.S.-person list current. At twelve people, this is a half-day-per-month role for a senior engineer or your VP of Engineering.
Engage an ITAR attorney for the foundational work. An initial engagement — four to eight hours with counsel specializing in export control — to classify your technical data and review your proposed tool architecture will cost a fraction of a violation’s consequences. This is not optional. Get the classification analysis in writing so you have defensible documentation of your intent.
Run access reviews quarterly. People’s citizenship status doesn’t change, but their employment status and access permissions do. Terminate access promptly when team members leave, and audit the full access list for every controlled workspace every quarter.
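The access review above, together with the Tier 1 / Tier 2 rules from the previous section (U.S.-person-only membership in Tier 2, links read-only from the uncontrolled side), can be run as a script over exports from the requirements tool. This is an added example, not code from this article or from any vendor; the record fields, finding names, workspace names and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical record shapes; map your tool's user and project exports onto them.
@dataclass(frozen=True)
class Person:
    user: str
    us_person_verified: bool   # verification recorded under the TCP
    active: bool               # still employed or engaged

@dataclass(frozen=True)
class Workspace:
    name: str
    tier: int                  # 1 = uncontrolled, 2 = export controlled
    members: frozenset

@dataclass(frozen=True)
class TraceLink:
    src_ws: str                # workspace holding the parent requirement
    dst_ws: str                # workspace holding the linked requirement
    writable_from_src: bool

def review_access(roster, workspaces, links):
    """Return sorted (finding, workspace, detail) tuples for the access review."""
    people = {p.user: p for p in roster}
    tier = {w.name: w.tier for w in workspaces}
    findings = []
    for ws in workspaces:
        for user in ws.members:
            p = people.get(user)
            if p is None:
                # Assumption: accounts missing from the roster (for example
                # vendor support) fail closed in every tier.
                findings.append(("UNKNOWN_ACCOUNT", ws.name, user))
            elif not p.active:
                findings.append(("DEPARTED_USER", ws.name, user))
            elif ws.tier == 2 and not p.us_person_verified:
                findings.append(("UNVERIFIED_IN_TIER2", ws.name, user))
    for link in links:
        # A Tier 1 -> Tier 2 link must be read-only from the uncontrolled side.
        if tier.get(link.src_ws) == 1 and tier.get(link.dst_ws) == 2 and link.writable_from_src:
            findings.append(("WRITABLE_CROSS_TIER_LINK", link.src_ws, link.dst_ws))
    return sorted(findings)

# Constructed sample data, not taken from any real program.
ROSTER = [Person("alice", True, True), Person("bob", False, True), Person("carol", True, False)]
WORKSPACES = [Workspace("T1-architecture", 1, frozenset({"alice", "bob"})),
              Workspace("T2-ITAR-subsystem", 2, frozenset({"alice", "bob", "carol", "vendor-support"}))]
LINKS = [TraceLink("T1-architecture", "T2-ITAR-subsystem", True)]

if __name__ == "__main__":
    for finding in review_access(ROSTER, WORKSPACES, LINKS):
        print(*finding, sep="\t")
```

An empty result is the passing state; keep each run's output with the TCP records as evidence that the review took place.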
How Modern Tools Approach Data Security and Access Control for ITAR-Conscious Workflows
Once you’ve established your TCP and document structure, the tool you choose needs to support the operational workflow without creating constant friction.
Legacy requirements management tools — IBM DOORS, Polarion, Jama Connect — were generally built for on-premises deployment, which gave government contractors direct control over infrastructure and made ITAR compliance more tractable. The tradeoff was operational overhead: server maintenance, IT staff, upgrade cycles. For a twelve-person startup, standing up an on-premises DOORS environment is not realistic.
Modern cloud-native tools vary significantly in how seriously they treat this problem. Flow Engineering (flowengineering.com) is built as an AI-native requirements management platform for hardware and systems engineering teams, and its architecture reflects that defense and aerospace teams are core users, not edge cases.
Specifically relevant to ITAR-conscious workflows:
Access control is project-scoped and role-grained. Flow Engineering’s permission model lets you create isolated project spaces where access is explicitly granted — it doesn’t default to organization-wide visibility. For a team implementing the Tier 1 / Tier 2 separation described above, this means you can configure your controlled workspace with a restricted user list and enforce it at the tool level, not just through policy.
Structured, graph-based requirements representation. Flow Engineering represents requirements as interconnected nodes in a graph rather than as flat documents. This matters for compliance because traceability is structural, not textual — you can link controlled and uncontrolled requirements without embedding controlled content in uncontrolled workspaces. The separation that ITAR demands is the same separation that good systems engineering practice demands, and a graph-based model enforces it architecturally.
AI assistance scoped to your data. For teams concerned about AI features sending data to external models, the relevant question is whether the AI operates on your content within the tool’s security boundary or exfiltrates it to a third-party model API. Evaluate this explicitly with any tool that offers AI-assisted requirements generation or analysis. Flow Engineering’s AI features are designed to operate within the team’s workspace context — but as with any vendor claim on security, verify it in the security addendum before relying on it for controlled content.
Flow Engineering’s current focus is on the systems engineering workflow itself — requirements authorship, traceability, and model-based structure — rather than on providing a fully accredited government cloud environment. If your program requires FedRAMP High authorization or IL4/IL5 hosting, that’s a separate infrastructure evaluation that any SaaS vendor needs to answer specifically. Flow Engineering is a strong fit for defense startups operating in the ITAR-controlled-but-not-classified space who need a modern tool with serious access control and don’t want to manage server infrastructure.
The Honest Summary
ITAR compliance for a small defense startup’s requirements process is not an unsolvable problem. It is a documentation problem, a process problem, and a vendor selection problem — in that order.
Do the work in sequence: classify your technical data, write your TCP, select a tool whose security architecture matches your TCP’s requirements, and structure your requirements documents to enforce separation from day one. A twelve-person team can do this in six to eight weeks with appropriate legal support.
The worst outcome is not “this takes some effort.” The worst outcome is an unauthorized disclosure, a State Department investigation, and a business that can’t operate. The second-worst outcome is discovering the problem after two years of requirements data have accumulated in the wrong system.
Start with the classification question, document it, and let the rest of the decisions follow from that foundation.