7 Steps to Meeting ITAR Requirements With Polarion

By behrenst

Lately, we’ve had an increasing number of inquiries about whether or not Polarion’s solutions are ITAR certified. The good news is that Polarion Software® doesn’t need ITAR certification to help regulated companies automate and accelerate their certification process.

What is ITAR?

For the record, the ITAR acronym stands for the International Traffic in Arms Regulations, which implements the Arms Export Control Act (ACEA), legislation to provide “the authority to control the export (and also import) of defense articles and services.”1 There’s a long list of products (and services) that are covered in this regulation listed on the United States Munitions List (USML), and not just with things like ammunition and guns, but just about anything that contributes to the delivery or discharge of munitions.

The goal of this act and regulation is to safeguard national security and further foreign policy objectives.  The penalties for violation of the ACEA range from substantial fines (as high as $100 million), to the requirement to spend funds on implementing and maintaining compliance measures, and submission to external audits.  In serious situations, it is also possible that the company could be forbidden from exporting their products for a time.

ITAR Part 121 lists 21 categories of articles from firearms to aircraft to nuclear weapons, but also some items that may not be directly associated with munitions, like submersible vessels.  But because Polarion’s “pertinent business activity is confined to the production of unclassified technical data only,”2 we are not compelled to register with the Department of State as manufacturer, broker, or exporter of defense articles or services under the ACEA to comply with ITAR.

Where does Polarion fit in?

What Polarion CAN do is to take processes that satisfy ITAR regulations, port them into a customized project template that can be reused over and over, providing accurate and timely reporting, and safeguarding your Verification and Validation (V&V) process with forensic-level accountability.Our technical services team has the skills and track record to deliver process automation and reporting so that compliance of affected products with the spirit of the ITAR regulation (as well as most any other regulatory requirements and standards) can be achieved much faster, consistently, and without fail.

In fact, Polarion is used by thousands of companies to establish processes which comply with a wide range of regulations and industry mandates.Our customers benefit from the fact that Polarion is certified by TÜV Nord as a “Trusted Tool” for use in compliance with ISO 26262/IEC 61508 relating to functional safety. What this means is that the tool can be used to produce systems up to ASIL-D or TCL2, the most stringent levels of safety function as defined by the standards. Beyond that, the certification demonstrates the trustworthiness of the tool in general, with the neutral certificate providing a respected proof of quality that minimizes customer certification efforts.

At the core of it, Polarion is a powerful tool that enables the automation of the V&V process for products and systems over their full lifecycle via comprehensive traceability, forensic level accountability, enforcement of electronic signatures, and real-time reporting.  This is directly applicable to ITAR efforts.

7 Steps to managing ITAR compliance

Graphic: ITAR audit passedAs an example, one of our large defense contract customers is using Polarion to meet ITAR (and FAA) compliance by judicious assignment of user rights for access to ITAR data, along with specific project configurations within the template.Preparation for compliance audits, which used to be a massive effort, has been minimized to running established reports at the end of each project with the push of a button..

With Polarion, it’s easy to make it an integral part of your solution to satisfy ITAR requirements.  The process is logical and simple:

  1. Identify the components of your ITAR internal process, validate them with all your stakeholders, and verify with the requirements you must meet.

  2. Identify those users who are authorized to interact with ITAR-sensitive documents and processes, and assign user rights and restrictions as applicable.  In Polarion’s administrative area, assign those rights by project, user groups, user roles, or by individual user.

  3. In Polarion, build out a project template (which is re-usable) and import the components of your ITAR process.

  4. Validate this process with your team and stakeholders in a non production environment.

  5. Create secure links to each ITAR artifact with proper accessibility.

  6. Create V&V reports and dashboards for quick review on project progress and security.

  7. Enjoy the benefits of ITAR compliance with Polarion when auditors come knocking at your door!


1 Wikipedia.  “Arms Export Control Act.”  Ref:
2 ITAR Part 122.1(b)(2).  Registration Requirements.

Polarion Customer Success Story:

Polarion Customer Success Story: Global Defense Industry Giant



Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at