Why Foreign National Screening Is a Core ITAR Obligation
For defense contractors and federal agencies working with defense articles or technical data, the question of who can access controlled information is never a formality. Under the International Traffic in Arms Regulations, sharing ITAR-controlled technical data or technology with a foreign national — even inside the United States — constitutes a deemed export. That deemed export requires a license unless a specific exemption applies.
Failure to manage this correctly is one of the most common and costly ITAR violations the Directorate of Defense Trade Controls investigates. The penalties are severe: civil fines up to $1 million per violation, criminal prosecution, and debarment from future government contracting. If your organization employs, contracts with, or regularly hosts foreign nationals in any capacity near controlled programs, you need a structured, documented process. This post walks through exactly how to build one.
Understanding the Deemed Export Rule
The deemed export rule is the legal foundation for all foreign national ITAR screening requirements. Under 22 CFR Part 120, an export includes any release of technical data to a foreign person in the United States. The nationality of the individual — not their location — is what triggers the analysis.
This means a Canadian engineer sitting in your U.S. facility, reviewing a drawing for a controlled defense system, is receiving an export under ITAR. Unless a license or exemption applies, that disclosure is a violation. The same logic applies to verbal briefings, software demonstrations, and access to digital repositories containing ITAR-controlled data.
For a deeper grounding in how these rules apply across your organization, the ITAR Foreign National Requirements: A Complete Guide for HR, Security, and Compliance provides detailed guidance for every function involved in this process.
Step 1: Identify Applicable Employees and Contractors
Your screening obligation begins before the first day of work. During the hiring process, HR must identify every individual who is not a U.S. person as defined under ITAR. A U.S. person under 22 CFR § 120.62 includes:
- U.S. citizens
- Lawful permanent residents (green card holders)
- Individuals granted protected status under 8 U.S.C. 1324b(a)(3), which includes asylees and refugees
Everyone else is a foreign national for ITAR purposes, regardless of how long they have lived or worked in the United States. This includes H-1B visa holders, L-1 transferees, F-1 OPT employees, and TN visa holders from Canada or Mexico. Do not confuse work authorization with ITAR person status. They are entirely separate legal questions.
Your identification process should include a standard questionnaire at the point of hire and for each engagement of contractors or consultants. Document citizenship, dual citizenship, immigration status, and visa category for every person identified as a foreign national.
Step 2: Classify the Controlled Technology They Will Access
Not every role at a defense contractor involves ITAR-controlled technical data. Before you can determine whether a license is required, you must identify what technology the individual will access. This requires an accurate inventory of your ITAR-controlled items, technical data, and software.
Technical data subject to ITAR includes design documentation, engineering specifications, manufacturing processes, test procedures, and integration or operational data for items on the U.S. Munitions List. Conduct a task analysis for each position to determine exactly which controlled information the employee or contractor will encounter. This analysis becomes part of the documented record supporting your screening decision.
Understanding how to identify and control this information across your organization is covered in detail in our post on how to identify, mark, and control ITAR technical data.
Step 3: Determine Whether a License or Exemption Applies
Once you have confirmed an individual is a foreign national and identified the controlled technology they will access, the next determination is whether a license or exemption covers the disclosure. The two most commonly used options in the employment context are:
The Bona Fide Employee Exemption (22 CFR § 126.18)
This exemption allows ITAR-controlled technical data to be shared with foreign national employees without a license under specific conditions. To qualify, the employer must verify that the foreign national is not a national of a country subject to U.S. arms embargo (as listed in 22 CFR Part 126), and must implement a Technology Control Plan governing what controlled information the employee may access and what safeguards are in place. The exemption requires ongoing maintenance and documentation.
Individual or Dual-Use Export Licenses
If the employee is a national of an embargoed country, or if the bona fide employee exemption does not apply for another reason, your organization must obtain a license from DDTC before the foreign national accesses controlled technical data. Applications for DSP-5 licenses can take months. Plan ahead. For information on specific license types, see our post on what ITAR licenses are and how they work.
Step 4: Develop and Maintain a Technology Control Plan
A Technology Control Plan is a written document that describes the specific technical data or technology the foreign national may access, the physical and logical access controls in place, and the procedures your organization follows to ensure unauthorized disclosure does not occur. If you are relying on the bona fide employee exemption, a TCP is not just best practice — it is a compliance requirement.
A compliant TCP should address the following elements at minimum:
- Identification of the foreign national by name, nationality, and visa status
- Specific controlled technology or technical data covered by the plan
- Physical access restrictions: which facilities, labs, and areas are included or excluded
- IT access controls: network segmentation, user permissions, and system access lists
- Procedures for escorting the individual in controlled spaces
- Training requirements and acknowledgment records
- Reporting obligations if a potential violation occurs
- Review and update schedule
For a detailed checklist of every section a TCP must address, see our post on the 14 sections every Technology Control Plan must include.
Step 5: Document the Screening Decision
DDTC expects to see a documented, defensible screening record for every foreign national with access to controlled technology. This documentation should be maintained in a dedicated compliance file and must include:
- A copy of the citizenship and immigration status verification
- The task analysis identifying which ITAR-controlled data the individual accesses
- The exemption or license relied upon
- A signed Technology Control Plan, where applicable
- Training completion records for ITAR awareness
- Periodic review dates and any changes in status or access
- Records of any updates to the individual's visa or immigration status
ITAR requires organizations to retain export-related records, including those related to deemed exports, for five years. Inconsistent or missing documentation is one of the most common findings during DDTC audits and consent agreement negotiations. For a full breakdown of what to retain and in what format, review our guidance on ITAR recordkeeping requirements.
Step 6: Implement Ongoing Monitoring and Review
Screening is not a one-time event. Immigration status changes. Job responsibilities expand. Visa categories expire or convert. A foreign national who was a lawful permanent resident when hired may later become a naturalized citizen — eliminating the ITAR restriction. Conversely, an individual who was initially hired into a non-controlled role may move into a program requiring access to ITAR technical data.
Build a formal review cycle into your compliance program. At minimum, conduct an annual review of all foreign national files. Require employees to disclose any change in immigration status within 30 days. Tie access recertification to the annual review. These controls close the gaps that get organizations into trouble.
If your organization is still building the infrastructure to manage this process systematically, our ITAR and Export Controls Compliance services are designed to help defense contractors build and maintain compliant programs from the ground up.
Common Failure Points to Avoid
Organizations that have faced DDTC enforcement actions related to foreign national access share a recognizable set of failures. Avoid these common mistakes:
- Treating green card holders as requiring no screening: Lawful permanent residents are U.S. persons under ITAR. No additional license is required — but this should still be documented.
- Failing to screen contractors and subcontractors: The deemed export obligation applies to anyone you allow to access controlled data, regardless of employment type.
- Using outdated or incomplete Technology Control Plans: A TCP that was created years ago and never updated does not provide meaningful protection during an audit.
- Relying on verbal confirmations of citizenship: Every determination must be supported by documentation. Verbal representations are not sufficient.
- Not tracking visa renewals or changes in status: Immigration status is not static. Your compliance file must reflect current status.
Building a Sustainable Foreign National Compliance Process
The most effective organizations treat foreign national ITAR screening as a cross-functional process involving HR, legal, compliance, IT, and facility security. No single department can manage this in isolation. HR brings in the screening data at onboarding. Compliance interprets the regulatory requirement. IT implements the access controls. Facility security enforces physical restrictions. Program managers identify what controlled data each role touches.
This integration requires formal policies, assigned responsibilities, and trained personnel at every layer. If your current program lacks this structure, our team can help you design a compliance framework that connects these functions effectively. You can also review how a structured program comes together in our post on building an ITAR compliance program from scratch.
For organizations that need ready-made tools to support the documentation and access control side of this work, the ITAR Compliance Documentation Toolkit provides a practical starting point with templates built for defense contractor environments.
Take the Next Step Toward ITAR Compliance
Meeting ITAR foreign national requirements demands more than good intentions — it requires documented processes, trained personnel, and defensible records that hold up under DDTC scrutiny. Cleared Systems works with defense contractors, federal agencies, and regulated manufacturers to build and maintain compliant ITAR programs that address every dimension of this obligation. Whether you need a full program assessment, help developing Technology Control Plans, or support building your screening and documentation procedures, we are ready to help. Request a quote today to discuss your specific situation with our compliance team.