When a Routine Contract Review Uncovered a Compliance Crisis
Most companies don't discover they have a serious export control problem until it's too late. For one mid-size precision components manufacturer supplying parts to the defense supply chain, the wake-up call came during a routine contract review ahead of a new prime contractor award. What started as a standard due diligence exercise quickly revealed a web of unaddressed ITAR obligations that put the company at risk of penalties well exceeding one million dollars.
This is the story of how ITAR and export controls compliance consulting turned a near-disaster into a defensible, sustainable program — and what other manufacturers can learn from it.
The Company Profile and the Problem
The manufacturer in question — a roughly 200-person shop producing machined components and electromechanical assemblies — had been operating in the defense space for nearly a decade. Leadership assumed that because they were not directly exporting finished weapons systems, their exposure to the International Traffic in Arms Regulations (ITAR) was minimal. That assumption was wrong, and it was expensive.
When Cleared Systems conducted an initial assessment, we found the following conditions in place:
- No formal ITAR registration documentation was current with the Directorate of Defense Trade Controls (DDTC)
- Technical data — including CAD drawings and manufacturing specifications — had been shared via standard commercial email with a foreign-national subcontractor without a license or license exemption determination
- No written Technology Control Plan (TCP) existed
- Employees had received no formal ITAR training in over three years
- Visitor logs did not differentiate between U.S. persons and foreign nationals, and no ITAR-compliant access control procedures were in place for the shop floor
- The company had never conducted a commodity jurisdiction or export control classification review on its products
Any one of these findings would warrant corrective action. Together, they constituted a pattern of non-compliance that, if discovered during a DDTC audit or reported by a competitor or disgruntled employee, could have triggered a consent agreement with civil penalties in the seven-figure range — or worse, a referral for criminal prosecution.
For further context on what ITAR violations actually look like in practice, our post on ITAR violations and compliance manager guidance is essential reading.
Phase One: Scoping the Exposure
The first step in any credible export compliance consulting engagement is to understand the full scope of what a company makes, who it shares technical data with, and what regulatory frameworks actually apply. This is not a paperwork exercise — it is a legal and operational risk mapping process that requires hands-on access to product documentation, supplier agreements, employee workflows, and IT systems.
Our team reviewed the company's entire product portfolio against the United States Munitions List (USML) and the Commerce Control List (CCL). Several product lines that leadership believed were subject only to the Export Administration Regulations (EAR) were, in fact, ITAR-controlled under USML Categories VI and XIII. This single finding changed the entire risk picture.
Understanding the boundary between ITAR and EAR jurisdiction is one of the most common sources of confusion among defense manufacturers. If your team is unclear on where that line falls, our breakdown of ITAR export control compliance vs. EAR compliance provides a clear framework.
Phase Two: Building a Defensible Compliance Program
Once the risk exposure was fully scoped, we moved into program development. This phase focused on three interconnected workstreams: documentation, training, and operational controls.
Documentation and Policy Infrastructure
We developed a complete export compliance program from the ground up, including a written Technology Control Plan, an empowered official designation and delegation matrix, a commodity classification log, license and exemption determination procedures, and a visitor and foreign national access protocol. All policies were mapped to current DDTC expectations and reviewed against the company's specific product lines and customer base.
Our compliance program development service follows exactly this methodology — building the documentation infrastructure that regulators expect to see when they knock on your door.
Employee Training
Export compliance programs fail most frequently at the human layer. Engineers share files without thinking about export jurisdiction. Sales staff promise delivery timelines without considering license lead times. HR onboards foreign nationals without triggering the required deemed export analysis.
We delivered role-specific ITAR training for all relevant personnel, from shop floor supervisors to the executive team. Training covered fundamental concepts, specific scenarios tied to the company's actual workflows, and the personal liability exposure individual employees face under ITAR's criminal provisions. For organizations looking to get ahead of this, our ITAR and Export Controls Fundamentals guide is a practical starting resource for compliance managers.
Physical Access Controls
One of the most overlooked areas of ITAR compliance is physical access control — specifically, what happens when foreign nationals visit your facility. The company had no standardized process for pre-screening visitors, no visual access differentiation on the floor, and no documentation of what technical data or hardware visitors had been exposed to.
We implemented a tiered visitor badging system with color-coded credentials, a compliant visitor log process, and clear posted signage at facility entry points. These are not cosmetic measures — they are evidence of a functioning compliance culture that DDTC examiners look for during site reviews.
Phase Three: The Voluntary Self-Disclosure Decision
This is the part of the engagement that most manufacturers find uncomfortable, but it is often the most strategically important decision a company can make after discovering significant compliance gaps.
The unauthorized deemed export — sharing ITAR-controlled technical data with a foreign national without a license — was a clear violation. The question was not whether it had occurred, but how the company would handle it. After consultation with export counsel, the company elected to file a Voluntary Self-Disclosure (VSD) with DDTC, supported by a comprehensive remediation narrative that documented every corrective action taken.
DDTC's treatment of companies that self-disclose and demonstrate genuine remediation is materially more favorable than its treatment of companies caught through external investigation or audit. The final outcome for this manufacturer: a finding letter with a compliance requirement and a modest administrative penalty — a fraction of what an uninvestigated violation of this scope typically produces.
The difference between a seven-figure consent agreement and a manageable administrative resolution was, in large part, the quality and completeness of the remediation program we built alongside the company. That's what effective export compliance consulting actually delivers.
What This Case Teaches Every Defense Manufacturer
The lessons from this engagement are not unique to this company. They reflect patterns we see consistently across the manufacturing sector, particularly among companies that have grown into ITAR-covered work gradually rather than entering the defense space with a compliance infrastructure already in place.
Here are the critical takeaways:
- Classification assumptions are dangerous. If your company has never conducted a formal commodity jurisdiction or ECCN classification review, you do not know your actual regulatory exposure. For a plain-language breakdown of how export control classification numbers work, see our post on understanding ECCNs.
- Deemed exports are real enforcement priorities. Sharing technical data with foreign nationals — whether employees, contractors, or visitors — is a deemed export under ITAR. It requires the same analysis as a physical export.
- Training frequency matters. Annual check-the-box training is not sufficient. Role-specific, scenario-based training delivered at least annually — and updated when regulations or workflows change — is the standard DDTC expects.
- Voluntary disclosure is a strategic tool, not a white flag. Companies that self-disclose with strong remediation evidence consistently receive more favorable outcomes than those that don't. Burying a problem rarely makes it disappear.
- Program gaps compound over time. Every year a company operates without a written TCP, current training records, or a classification log, the remediation burden grows. Starting now is always better than waiting for an audit.
How Export Compliance Consulting Fits Into a Broader Compliance Strategy
Export compliance does not exist in isolation. For defense contractors, ITAR obligations overlap significantly with DFARS cybersecurity requirements, CUI handling protocols, and physical security standards. A mature compliance program addresses all of these layers in a coordinated way.
Companies that engage with export compliance consulting as part of a broader compliance strategy — rather than as a one-time fix — consistently outperform their peers in audits, contract awards, and enforcement outcomes. If you want to understand how export control requirements interact with your information systems specifically, our post on the impact of EAR and ITAR on your information systems is a strong next read.
For manufacturers operating across multiple compliance frameworks, our Regulatory vCISO services offer a cost-effective model for maintaining ongoing expert oversight without the overhead of a full-time hire.
Take Action Before the Auditors Do
The manufacturer in this case study was fortunate. The compliance gap surfaced internally during a contract review, not during a DDTC investigation or in response to a whistleblower complaint. That timing made all the difference. If your organization has never conducted a formal export control assessment, or if your ITAR program hasn't been reviewed in the past twelve months, you are carrying risk you may not be able to quantify. Cleared Systems works with defense manufacturers, aerospace suppliers, and regulated-industry contractors to assess, build, and maintain export compliance programs that hold up under real scrutiny. Request a quote today to speak with our team about where your program stands — before someone else finds out first.