GE Knows ITAR – Its Employees Need Reminders

June 11, 2026

By: Margaret M. Cassidy & Jelena Tasic

One of the simplest policies a company issues to its employees is control of their devices.

It is remarkable how often that edict is not followed: left in a car then stolen; unmanned at a trade show booth while logged in—trade secrets accessed; and as General Electric (GE) recently disclosed to the Directorate of Defense Trade Controls (“DDTC”), left at a university in China with classified information on it.

This was listed as one of 116 alleged violations of the Arms Export Control Act and ITAR that resulted in GE reaching a $36 million settlement with DDTC without admitting wrongdoing. (Click here for the proposed charging letter and the settlement)

If GE, a sophisticated, well-experienced defense contractor, can get into this situation—what are all the other defense contractors doing?

Reviewing some of the facts that led to the settlement offer insight on how this happened and what to consider to mitigate the risk of a similar situation.

The Allegations

According to the proposed charging letter, GE disclosed to DDTC conduct inconsistent with its obligations as a company with ITAR controlled items:

  1. GE voluntarily disclosed unauthorized exports to China:
  • A GE employee flew to China, laptop in tow, which contained ITAR-controlled technical data related to the F-35 fighter and F414 aircraft engines, gave a presentation at a Chinese university and left the laptop unattended at the university for ninety minutes. This same employee had made other trips to China with a GE work-issued laptop presumably with the same type of data.
  • Another GE employee emailed (that is, exported) F118 engine component drawings to a Chinese supplier even after GE’s system identified the drawings as ITAR controlled. Apparently, the employee did not understand the difference between ITAR (export controlled military items) and Export Administration Regulations (export controlled dual-use items) and improperly completed an internal export authorization certification to allow the transfer.
  • GE also disclosed that it had not notified its freight forwarders that Singapore-bound F110 engine maintenance manuals were ITAR controlled, and the freight forwarded then unwittingly routed the shipment through China.
  1. GE also voluntarily disclosed that it failed to comply with export licenses and technology sharing agreements, for example:
  • GE repaired military equipment and sent it to the UK Ministry of Defense when the UK MOD was not listed as an authorized recipient under the relevant sharing agreement.
  • GE Japanese business partners shared GE F110 engine technology with unauthorized sub-suppliers.
  • GE shipped parts to a Canadian business partner using an incorrect export exemption, and the Canadian business partner sent them to a GE subsidiary in Poland without authorization.
  • GE exported to Israel and Sweden without proper export licenses.
  1. GE also disclosed to DDTC that it had lapses in its reporting and internal controls because it had not:
  • Notified DDTC of certain exports;
  • Submitted certain purchase orders to DDTC;
  • Submitted amendments to certain technology sharing agreements to DDTC;
  • Had not been up to date with required congressional notifications;
  • Updated its export internal controls policies and procedures for over ten years.

In its proposed charging letter, DDTC:

  • Alleged that, taken together, the disclosures “demonstrate a failure to maintain effective ITAR compliance practices”;
  • Noted that the export to China “harmed U.S. national security” because they “could have provided [China] with insights into the design, manufacture, configuration, and testing of components of other military aircraft engines”.

 The $36 Million Consent Agreement

Without admitting wrongdoing GE settled with DDTC for 116 violations that occurred from 2018 through 2024:

  • GE will pay $18 million in cash in three installments over two years.
  • An additional $18 million of the penalty will be suspended, but only if GE can demonstrate it spent the money on compliance program improvements over the three-years of its agreement with DDTC.
  • GE must appoint a DDTC-approved compliance officer reporting directly to the CEO.
  • Implement a company-wide automated export compliance system.
  • Complete a full export classification review of all hardware and technical data across its ITAR-regulated units.
  • Undergo at least one independent external audit; and
  • Submit semiannual compliance reports to DTCC.

Voluntary Disclosure

Considering that DDTC could have disbarred GE from exporting for all of this, and that they settled for a three-year oversight period and a $36 million dollar penalty, of which $18 million could be used to improve its export compliance program, GE fared well in the end.

DDTC noted that GE merited consideration in settling the matter because it:

  • Discovered the situations on its own;
  • Voluntarily disclosed all 116 violations to DDTC;
  • Fully cooperated in the investigation;
  • Quickly embarked on remediation, even before the settlement was final; and
  • Waived any statute of limitations that could have applied.

It seems the self-disclosure process worked as designed—leniency for bringing forward wrongdoing voluntarily and remediating the lack of controls.

Takeaways for Defense Contractors

 GE’s situation should inform defense contractors with ITAR controlled items on actions to consider that may mitigate the risk of getting accused of export violations and that will also protect national security.

  • Implement and Keep Up to Date Compliance Controls. GE had procedures to comply with its ITAR obligations, but it seems it had not updated the controls for a long time. Businesses need to make sure controls exist to comply with export regulations and should audit those controls. One of the controls needs to be implementing procedures to stay current on export regulations in order to adapt controls to keep pace with changing regulations, global growth, and evolving geo-political risks.
  • Train Employees. Employees must understand the controls, especially if they have a job managing controls or are working with export-controlled items and information; and they need to be able to spot risks. So, emphasize that if they leave the country, they must take a clean device; they must keep their devices within their control, and failing to do so, results in discipline.
  • Work with Business Partners on Their Compliance. GE’s freight forwarders and other business partners engaged in some of the conduct listed in the DDTC documents. When export-controlled software, technology, or products are handed to a third party, it is not a hand-off of regulatory obligation. So, all third-party contracts should include requirements to not only comply with U.S. export regulations but also to comply with a business’s export control. If a business partner lacks its own controls, consider not working with them if there is a risk that they can violate export regulations for you, and/or train them to do it right and to spot issues. Give business partners a contact to report concerns and then be sure to resolve those concerns.

Distinguish ITAR & EAR Items Anyone who handles technical data should be able to clearly articulate the difference between the two regulatory regimes and what that means for their day-to-day decisions. The GE violations weren’t acts of bad intent—they were acts of ignorance. And that’s entirely preventable.

Previous Post

Sign Up for the Defense Salon Newsletter

Get the latest updates and insights delivered to your inbox.

 

My New Stories