What to Expect from a DDTC Compliance Examination
The Directorate of Defense Trade Controls (DDTC) has significantly increased its enforcement activity in recent years. Whether your organization receives a directed audit, a compliance review triggered by a voluntary disclosure, or a routine examination, the experience is the same: DDTC examiners arrive with specific expectations, and gaps in your program will surface quickly.
The organizations that fare best are those that treat audit preparation as an ongoing discipline rather than a last-minute scramble. This checklist is designed to help compliance managers and executives conduct a realistic internal review before an examiner ever sets foot in your facility. It covers ITAR and export controls compliance fundamentals that DDTC consistently evaluates, organized into four functional areas.
Registration and Organizational Governance
1. Confirm Your DDTC Registration Is Current and Accurate
Your DDTC registration must be renewed annually. Verify the registration reflects your current legal name, address, ownership structure, and business activities. Outdated registrations are a low-effort finding for examiners and signal weak program oversight. If your organization has undergone a merger, acquisition, or name change, confirm those events have been properly disclosed.
2. Verify Your Empowered Official Designation Is Documented
ITAR requires a designated Empowered Official (EO) who has authority to sign export license applications and certify compliance. Confirm the EO designation is formalized in writing, that the individual is actively engaged in compliance oversight, and that a backup EO has been identified. DDTC examiners will ask to speak with this person directly.
3. Review Your Written ITAR Compliance Program
A written compliance program is the foundation of any defensible ITAR posture. Confirm the document is current, reflects your actual operations, and has been reviewed within the last twelve months. Examiners expect to see policies that go beyond boilerplate — your program should address jurisdiction determinations, technical data controls, license management, and training requirements specific to your business.
4. Assess Compliance Program Maturity Against Current DDTC Expectations
DDTC expects more than a binder on a shelf. Your ITAR compliance program maturity should reflect a functioning governance structure, documented risk assessments, regular internal audits, and corrective action processes. If your program has not evolved since it was first written, it will not hold up under scrutiny.
Technical Data and Commodity Controls
5. Audit Your Commodity Jurisdiction and Classification Determinations
Every defense article and technical data item your organization handles should have a documented jurisdiction and classification determination. Confirm that these determinations are on file, reflect current USML categories, and have been reviewed after any product changes. Misclassification is one of the most common findings in DDTC examinations.
6. Evaluate Technical Data Identification, Marking, and Access Controls
ITAR-controlled technical data must be properly identified, marked, and protected from unauthorized access — including access by foreign nationals. Review your technical data compliance controls to confirm that digital files are labeled, storage systems enforce access restrictions, and physical documents are handled according to written procedures.
7. Review Cloud and IT Systems Handling ITAR Data
If your organization stores or transmits ITAR-controlled technical data through cloud platforms, confirm that those environments meet ITAR requirements. This includes verifying that data residency is restricted to the United States, that foreign nationals cannot access the environment, and that your cloud provider's compliance posture is documented. Platforms that are not ITAR-configured represent a serious exposure.
8. Confirm Procedures for Identifying and Preventing Deemed Exports
A deemed export occurs when ITAR-controlled technical data is disclosed to a foreign national in the United States. Review your hiring and access procedures to confirm that foreign nationals are screened before receiving access to controlled technical data, that required licenses or exemptions are in place, and that this process is documented. This is a high-priority area for DDTC examiners.
Licensing, Agreements, and Transaction Records
9. Conduct a License Inventory and Status Review
Pull a complete inventory of your active and recently expired export licenses, including DSP-5, DSP-73, and TAA/MLA agreements. Confirm that each license reflects current end users and authorized items, that shipments have not exceeded license value or quantity limits, and that licenses approaching expiration have been flagged for renewal. DDTC examiners will cross-reference your transaction records against your license holdings.
10. Verify Agreement Compliance for TAAs and MLAs
Technical Assistance Agreements and Manufacturing License Agreements carry specific performance obligations including training requirements, sublicense controls, and reporting provisions. Review each active agreement to confirm your organization is meeting all terms, that required reports have been submitted, and that all sublicensees have been properly authorized and notified of their obligations.
11. Audit Your Export Transaction Records
ITAR requires that export transaction records be maintained for five years. Confirm that your records are complete, organized, and retrievable. This includes Electronic Export Information filings, shipper's export declarations, license determinations, and correspondence with DDTC. Gaps in transaction records are a red flag that can expand the scope of an examination significantly.
12. Review Your Voluntary Disclosure History and Corrective Actions
If your organization has filed voluntary disclosures with DDTC, confirm that the underlying violations have been fully remediated and that corrective action documentation is on file. Examiners will evaluate whether your program has actually improved following a disclosure or whether the same weaknesses persist. A pattern of recurring violations without sustained corrective action is treated as an aggravating factor.
Training, Visitor Controls, and Physical Security
13. Verify Employee ITAR Training Records Are Current
DDTC expects that all employees with access to ITAR-controlled items or data receive role-appropriate training. Review your training records to confirm that initial training has been completed for all covered employees, that annual refresher training is documented, and that training materials reflect current ITAR requirements. Undocumented training is treated as no training at all during an examination. Our ITAR and Export Controls Fundamentals guide is a practical resource for structuring role-based training content.
14. Assess Training Coverage for Managers and Functional Leaders
Supervisors and department heads carry specific ITAR responsibilities and must understand them. Confirm that manager-level training covers deemed export rules, technology transfer risks, license requirements, and escalation procedures. ITAR training for managers is distinct from general employee awareness and should be documented separately.
15. Review Foreign National Visitor Procedures and Documentation
Your visitor control program is one of the first physical compliance areas DDTC examiners inspect. Confirm that pre-visit screening procedures are in place, that required licenses or exemptions are obtained before foreign national visitors access controlled areas, and that visitor logs are complete. ITAR visitor requirements include both pre-visit and post-visit documentation obligations that many organizations underestimate.
16. Inspect Visitor Badging and Physical Access Controls
Badge color-coding and physical access controls are a visible indicator of program rigor. Confirm that your badging system distinguishes between U.S. persons and foreign nationals, that controlled areas are clearly marked, and that escort procedures are enforced consistently. Using ITAR-specific visitor badges and posting compliant restricted access signage throughout your facility reinforces physical controls and demonstrates program intentionality to examiners.
17. Confirm Your Visitor Log Meets ITAR Requirements
Visitor logs must capture sufficient information to reconstruct each visit, including the visitor's nationality, the areas accessed, the escort assigned, and the purpose of the visit. An ITAR-compliant visitor log that is consistently maintained provides contemporaneous documentation that can be produced quickly during an examination.
18. Evaluate Subcontractor and Supplier ITAR Compliance Flow-Down
Your ITAR obligations extend to your supply chain. Review your agreements with subcontractors and suppliers to confirm that ITAR compliance obligations have been flowed down in writing, that subcontractors handling controlled items or data have been assessed, and that your oversight process is documented. DDTC holds prime contractors accountable for their suppliers' access to controlled technical data.
19. Assess Your Incident Response and Reporting Procedures
Confirm that your organization has documented procedures for identifying and responding to potential ITAR violations, including a clear escalation path to the Empowered Official and legal counsel. Your voluntary disclosure procedures should be documented and tested. Organizations that self-identify and promptly disclose violations receive more favorable treatment from DDTC than those whose violations are discovered during an examination.
20. Conduct a Pre-Audit Internal Mock Examination
Before a DDTC examiner arrives, conduct an internal mock examination that mirrors the actual examination process. This means requesting documents on short notice, interviewing employees who handle controlled items, walking the facility to assess physical controls, and reviewing transaction records against license holdings. Findings from an internal review can be remediated before they become examination findings. If your team lacks the bandwidth or objectivity to conduct this internally, an outside resource with deep DDTC compliance requirements expertise can provide significant value.
Using This Checklist Effectively
This checklist is a starting point, not a substitute for a comprehensive program review. Each item above represents a category of compliance that can have significant depth depending on your organization's size, transaction volume, and the nature of the defense articles you handle. Organizations operating in aerospace and defense or manufacturing environments with complex supply chains will need to apply additional rigor to several of these areas.
If your internal review surfaces gaps, the time to address them is before the examination, not after. DDTC examiners are experienced at distinguishing between organizations that are actively managing their compliance obligations and those that are reacting to enforcement pressure. The difference in how those examinations conclude is significant.
Cleared Systems helps defense contractors, manufacturers, and federal suppliers build and maintain defensible ITAR compliance programs. Whether you need a comprehensive program assessment, training development, or hands-on preparation for a DDTC examination, we bring the operational experience to get your program where it needs to be. Request a quote to discuss your situation, or review our ITAR and export controls compliance services to learn how we structure engagements for organizations at every stage of program maturity.