Defense Manufacturing Compliance

ITAR Compliance Checklist for Machine Shops

The complete guide to ITAR compliance for precision manufacturers. Covers registration, security, training, record keeping, and export controls.

  • Annual Registration: $2,250+
  • Record Retention: 5 Years
  • Registration Time: 30-45 Days
  • Penalty Per Violation: $1.3M+

What is ITAR?

The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations controlling the export and import of defense-related articles and services on the United States Munitions List (USML).

ITAR applies to any company that manufactures, exports, or brokers defense articles, including machine shops producing parts for:

  • Military aircraft and spacecraft
  • Naval vessels and components
  • Military vehicles and ordnance
  • Firearms and related equipment
  • Night vision and targeting systems
  • Protective equipment

Complete ITAR Compliance Checklist

DDTC Registration

Register with the Directorate of Defense Trade Controls

Register with DDTC before manufacturing defense articles

Critical

All manufacturers of USML items must register with the State Department's DDTC prior to engaging in any manufacturing activities.

Pay annual registration fee ($2,250 base + tier fees)

Critical

Registration fees are based on your tier level and total USML activities. Fees are due annually for renewal.

Designate an Empowered Official

Critical

Must be a U.S. citizen with authority to sign export licenses and compliance documents on behalf of the company.

Maintain registration in good standing

Registration must be renewed 60 days before expiration. Late renewals may result in compliance gaps.

Update registration for significant changes

Changes in ownership, company name, address, or Empowered Official must be reported within 5 days.

Physical Security Requirements

Secure your facility against unauthorized access

Controlled access to manufacturing areas

Critical

ITAR-controlled areas must have restricted access with badge readers, keypads, or physical keys limited to authorized personnel.

Visitor sign-in and escort procedures

Critical

All visitors must sign in, show ID, and be escorted at all times in ITAR-controlled areas. Foreign visitors require additional documentation.

Secure storage for technical data

Critical

Drawings, specifications, and other technical data must be stored in locked cabinets or secure rooms when not in use.

Clear desk policy for ITAR materials

ITAR-controlled documents must not be left unattended. Implement a clear desk policy at the end of each day.

Proper destruction of ITAR materials

Critical

Use cross-cut shredders (minimum Level 4) for paper documents. Degauss or physically destroy electronic storage media.

Security cameras in controlled areas

Video surveillance with 30+ day retention recommended for manufacturing areas handling defense articles.

IT & Cybersecurity Requirements

Protect electronic technical data and systems

Encrypted storage for ITAR data

Critical

All ITAR technical data must be encrypted at rest using FIPS 140-2 validated encryption (AES-256 recommended).

Encrypted email and file transfer

Critical

ITAR data transmitted electronically must use encryption. Standard email is NOT compliant without additional encryption.

Access controls and user authentication

Critical

Implement role-based access controls. ITAR data access should require multi-factor authentication.

Cloud storage compliance

Critical

Cloud storage must be on U.S. servers and administered by U.S. persons. Major cloud providers offer ITAR-compliant solutions.

Network segmentation for ITAR systems

ITAR systems should be on isolated network segments with firewalls and intrusion detection.

Regular security audits and penetration testing

Annual security assessments recommended. Document all findings and remediation actions.

Incident response plan

Critical

Document procedures for security incidents. ITAR data breaches may require DDTC notification.

Employee Screening & Training

Ensure employees are authorized for ITAR access

Verify U.S. person status for ITAR access

Critical

Only U.S. citizens, lawful permanent residents, or protected persons may access ITAR data without an export license.

Document citizenship verification (I-9, passport)

Critical

Maintain copies of citizenship documentation for all employees with ITAR access. Review at hire and periodically.

Background checks for employees with ITAR access

Criminal background checks recommended. Some contracts may require specific clearance levels.

ITAR awareness training at hire

Critical

All employees must understand ITAR basics, their responsibilities, and consequences of violations.

Annual ITAR refresher training

Critical

Document completion of annual training. Include updates on regulations and company-specific procedures.

Signed acknowledgment of ITAR responsibilities

Employees should sign acknowledgment of ITAR policy understanding and agreement to comply.

Exit procedures for departing employees

Critical

Revoke access immediately upon separation. Remind departing employees of ongoing confidentiality obligations.

Record Keeping Requirements

Maintain required documentation for 5+ years

Maintain records for a minimum of 5 years

Critical

All ITAR-related records must be retained for at least 5 years after completion of the relevant activity.

Document all ITAR-controlled transactions

Critical

Keep records of all manufacturing, sales, and transfers of defense articles including quantities and recipients.

Technical data access logs

Critical

Log who accessed ITAR technical data, when, and for what purpose. Electronic access logs recommended.

Visitor logs for ITAR areas

Critical

Maintain visitor sign-in logs with names, dates, times, purpose, and escort information.

Training records

Critical

Document all ITAR training including attendees, dates, topics covered, and completion acknowledgments.

Citizenship verification records

Critical

Maintain documentation of U.S. person verification for all employees with ITAR access.

Subcontractor ITAR compliance documentation

Critical

Verify and document ITAR registration and compliance of all subcontractors handling ITAR work.

Export Control Procedures

Prevent unauthorized exports and deemed exports

Screen all customers against denied parties lists

Critical

Before any shipment, screen recipients against DDTC, BIS, OFAC, and UN denied parties lists.

Obtain export licenses before shipping ITAR items abroad

Critical

All exports of USML items require prior authorization. License applications may take 2-4 months.

Prevent deemed exports to foreign nationals

Critical

Releasing ITAR data to foreign nationals in the U.S. is a deemed export requiring authorization.

End-use and end-user verification

Critical

Know your customer. Verify the ultimate end-use and end-user of all defense articles.

Document all export license applications

Critical

Maintain records of all license applications, approvals, denials, and conditions.

Implement re-export controls in contracts

Include provisions prohibiting re-export without U.S. government authorization.

ITAR Violation Penalties

ITAR violations can result in severe penalties including:

  • Civil: Up to $1.3 million per violation
  • Criminal: Up to $1 million and 20 years imprisonment
  • Debarment: Prohibition from government contracting
  • Reputational: Loss of defense contracts and business relationships

Frequently Asked Questions

How much does ITAR registration cost?

ITAR registration starts at $2,250 annually for the base tier. Higher tiers based on total USML activities can cost $2,750 (Tier 2) or $3,750 (Tier 3). Most machine shops fall into Tier 1 or Tier 2.

Do I need ITAR registration to bid on defense contracts?

Yes, you must be ITAR registered before manufacturing, exporting, or brokering defense articles. Registration should be obtained before submitting proposals for ITAR work.

Can foreign nationals work on ITAR projects?

Foreign nationals cannot access ITAR technical data without an export license. This includes employees, contractors, and visitors. Only U.S. persons (citizens, permanent residents, and certain protected persons) may access ITAR data without authorization.

How long does ITAR registration take?

Initial registration typically takes 30-45 days for approval. Renewals should be submitted 60 days before expiration to ensure continuity.

What are the penalties for ITAR violations?

ITAR violations can result in civil penalties up to $1.3 million per violation, criminal penalties up to $1 million and 20 years imprisonment, and debarment from government contracting.

Is a CAGE code required for ITAR?

While not technically required for ITAR registration, a CAGE code is required to do business with the DoD. Most ITAR-registered machine shops will also have a CAGE code.
