DDTC Compliance Enforcement Has Shifted — And Most Contractors Haven't Caught Up
If your organization has been managing its ITAR and export controls compliance program the same way it did three or four years ago, there is a reasonable chance you are already behind. The Directorate of Defense Trade Controls has undergone a measurable shift in its enforcement posture, investigative priorities, and expectations for registered companies. What changed in 2025 and into 2026 is not cosmetic. It reflects a more proactive, data-informed approach to identifying violations and a lower tolerance for programs that exist on paper but fail in practice.
This post breaks down the most significant enforcement trends I am tracking, what they mean operationally for your compliance program, and what steps you should take now to reduce exposure.
What Has Actually Changed in DDTC Enforcement
Increased Coordination with Other Federal Agencies
One of the most significant structural changes in 2025 and 2026 is the deepening coordination between DDTC, the Department of Justice, the FBI's Counterintelligence Division, and the Commerce Department's Bureau of Industry and Security. Investigations that once might have been handled by a single agency now frequently involve joint task forces. This means that a company flagged for a potential ITAR violation may simultaneously find itself under scrutiny for Export Administration Regulations issues, sanctions violations, or even foreign influence concerns.
Contractors who treat ITAR, EAR, and OFAC as separate silos — with separate compliance owners and no unified oversight — are particularly exposed. A finding in one area can quickly open doors for investigators in others.
Scrutiny of Technical Data Controls Is at an All-Time High
DDTC examiners are paying closer attention to how companies control and account for ITAR-controlled technical data, particularly in digital environments. Cloud platforms, collaboration tools, remote access systems, and third-party integrations have expanded the technical data perimeter considerably. Regulators know this, and they are asking harder questions about it.
Companies that cannot demonstrate clear access controls, data classification practices, and documented handling procedures for ITAR technical data are generating findings at a higher rate than in previous enforcement cycles. If your program does not have a formal technical data inventory and cannot show how that data is protected across physical and digital environments, that gap is a liability.
Voluntary Disclosures Are Being Scrutinized More Closely
DDTC has historically treated voluntary disclosures favorably, and that remains true. However, the quality of disclosures is now under greater scrutiny. Disclosures that are incomplete, that minimize the scope of a violation, or that are submitted without a credible remediation plan are receiving less credit than they once did. In some cases, a poorly prepared disclosure has elevated rather than reduced a company's enforcement exposure.
This is an area where many compliance managers underestimate the stakes. If your organization encounters a potential violation, the disclosure process needs to be handled with the same rigor as the underlying compliance program. That typically means involving experienced export controls counsel and a compliance consultant who understands DDTC's current expectations — not simply drafting a memo and hoping for the best.
Registration Accuracy and Renewal Compliance Are Enforcement Triggers
DDTC has become more aggressive about registration accuracy. Companies that have allowed registrations to lapse, that have failed to update their registration following an acquisition or organizational change, or that have registered in categories that do not accurately reflect their activities are increasingly finding themselves in enforcement conversations.
For companies that have gone through mergers, acquisitions, or significant personnel changes in the past 18 months, reviewing the accuracy of your current DDTC registration should be a near-term priority. Our post on DDTC registration requirements in 2026 covers what has specifically changed and what you need to prepare.
The Enforcement Patterns Worth Watching in 2026
Supply Chain and Subcontractor Violations Are Generating Prime Contractor Liability
DDTC is holding prime contractors accountable for export control failures that originate in their supply chains. If a subcontractor improperly handles ITAR-controlled data, hardware, or services, and that activity flows through a prime contractor's program, the prime is not insulated. We are seeing enforcement actions and compliance reviews that trace violations upstream to the prime even when the prime had no direct knowledge of the subcontractor's failure.
This means that supply chain due diligence is no longer a best practice — it is an enforcement expectation. Your compliance program needs to include supplier screening, contractual flow-down requirements, and some form of periodic verification that key subcontractors are meeting ITAR obligations.
Foreign National Access Controls Remain a Flashpoint
Deemed export violations — the unauthorized release of ITAR-controlled technical data to foreign nationals on U.S. soil — continue to be among the most common triggers for enforcement action. Despite years of guidance on this issue, companies are still mismanaging foreign national access to controlled areas, controlled data, and controlled technology.
If your facility regularly hosts foreign national employees, contractors, or visitors, your visitor control protocols and physical access procedures need to be airtight. Our discussion of ITAR visitor requirements outlines exactly what DDTC expects before a foreign national enters a controlled facility. Physical controls like properly implemented ITAR visitor badging and documented visitor logs are not optional — they are evidence of a functioning access control program.
Program Maturity Is Now an Explicit Evaluation Criterion
When DDTC examines a company's compliance posture, examiners are increasingly looking beyond whether individual procedures exist. They are evaluating whether those procedures are integrated, tested, and genuinely operational. A compliance program that consists of a policy document and an annual training reminder does not reflect the level of maturity DDTC now expects from a registered company.
Our post on ITAR compliance program maturity in 2026 goes deeper on what DDTC examiners are evaluating. The short version: your program needs documented procedures, measurable controls, evidence of training, and a mechanism for identifying and addressing gaps on a recurring basis.
What This Means for Your Organization Operationally
Compliance Program Development Is Not a One-Time Exercise
The companies that are weathering DDTC scrutiny most successfully share a common characteristic: they treat compliance as an ongoing operational function rather than a project that was completed at some point in the past. They have a designated compliance officer or program lead with real authority, a documented program that is updated as regulations and business activities change, and a regular cadence of internal review.
For organizations that have not formalized this structure, compliance program development services provide a structured path to building a program that will hold up under examination.
Training Programs Need to Reflect Current Risks
Annual ITAR awareness training that covers the same content every year no longer meets current expectations. DDTC expects training that is role-specific, documented, and updated to address emerging risks. Engineers, program managers, HR teams responsible for hiring foreign nationals, and facilities personnel all face different ITAR risk profiles. Your training program needs to reflect those differences.
If you are building or rebuilding your training approach, our resource on ITAR compliance training frequency, format, and documentation is a practical starting point.
The ITAR Compliance Checklist Has Gotten Longer
Between technical data controls in digital environments, supply chain flow-down requirements, updated registration expectations, and heightened scrutiny of foreign national access, the operational footprint of a compliant ITAR program has expanded meaningfully. Organizations that have not reviewed their program against current requirements — not what was current three years ago — should treat that review as urgent. Our ITAR export control compliance audit checklist is a useful tool for identifying where your program may have gaps relative to what DDTC examiners are actually looking for today.
The Bottom Line for Compliance Managers and Executives
DDTC compliance enforcement in 2026 is more sophisticated, more coordinated, and less forgiving of programs that are structurally sound but operationally hollow. The organizations that face the greatest risk are not necessarily those with the most complex export activities — they are the ones that have not kept pace with how enforcement expectations have evolved.
The enforcement environment rewards organizations that can demonstrate genuine program maturity: documented procedures, operational controls, trained personnel, accurate registrations, and a clear record of ongoing compliance activity. It penalizes organizations that cannot produce that evidence when it is asked for.
If you are unsure where your program stands against current DDTC expectations, a structured review is the right starting point. Understanding what examiners are looking for — and where your program may fall short — is far less costly than discovering those gaps during an enforcement action.
Take the Next Step
Cleared Systems works with defense contractors, manufacturers, and federal suppliers to build and strengthen ITAR and export controls compliance programs that reflect current DDTC enforcement expectations. Whether you need a program assessment, help preparing for a DDTC examination, or support building out specific program elements, we are ready to help. Request a quote to speak with our team, or review our engagement models to understand how we structure our work with clients at different stages of compliance maturity.
