ITAR Access Control Checklist: What Auditors Look for in Your Authorization Records

Why ITAR Access Control Records Are Auditor Priority One

When the Directorate of Defense Trade Controls (DDTC) or an internal auditor walks into your facility, the first thing they want to see is not your policy binder. They want evidence. Specifically, they want to see who had access to ITAR-controlled technical data and defense articles, when that access was granted, who authorized it, and whether it was ever reviewed or revoked. Authorization records are the documentary spine of your entire ITAR and export controls compliance program. If those records are incomplete, inconsistent, or missing entirely, everything else you present is called into question.

This checklist is designed for compliance managers and executives at defense contractors, manufacturers, and federal agencies who need to understand exactly what auditors are looking for—and close gaps before an examination begins.

The Core Framework: What ITAR Requires on Access Control

The International Traffic in Arms Regulations (22 CFR Parts 120–130) do not publish a single "access control checklist," but the requirements are distributed across several provisions. The regulations obligate registrants to prevent unauthorized access to defense articles and ITAR-controlled technical data, including by foreign nationals. That obligation requires deliberate, documented controls—not informal practice.

Auditors reconcile your authorization records against these regulatory anchors:

  • 22 CFR § 120.10 — Definition of technical data and what must be protected
  • 22 CFR § 122.5 — Records retention requirements (five years minimum)
  • 22 CFR § 125 — Licensing requirements for exports, including deemed exports to foreign nationals
  • Technology Control Plan (TCP) — Your organization's internal governing document for managing access

If you have not yet built or updated your TCP, that gap will surface immediately. You can learn more about structuring that document in our post on what a Technology Control Plan is and who needs one.

ITAR Access Control Checklist: What Auditors Examine

1. Authorization Records for All Personnel with Access

Auditors will request a current roster of every employee, contractor, and visitor who has been granted access to ITAR-controlled areas or technical data. For each person, your records should document:

  • Full legal name and role or title
  • U.S. person status verification (citizenship or lawful permanent resident documentation)
  • Date access was granted and the specific systems, areas, or data categories covered
  • Name and title of the authorizing official
  • Date of most recent access review
  • Date access was terminated, if applicable

A missing termination date or an undocumented authorization decision is a finding. Auditors treat incomplete records the same as absent controls.

2. Foreign National Access Controls and Deemed Export Records

This is where many defense contractors have their most significant exposure. If a foreign national—regardless of where they are physically located—views, touches, or receives ITAR-controlled technical data, that constitutes a deemed export requiring a license unless an exemption applies. Your authorization records must show:

  • Identification of all foreign nationals with any level of facility or system access
  • Copy of the applicable export license (e.g., DSP-5) or documented exemption justification
  • Access restrictions mapped to license conditions or scope limitations
  • Visitor screening documentation prior to facility entry

Physical badging is part of this control. If your facility uses color-coded visitor badges to distinguish U.S. persons from foreign nationals or to indicate access levels, auditors want to see your badging policy and verify it is being consistently applied. Our overview of visitor badges and ITAR compliance covers how badge systems support your broader access control posture.

3. Physical Access Controls and Visitor Log Documentation

Facility access records must demonstrate that only authorized personnel enter spaces where ITAR-controlled articles or data are present. Auditors specifically examine:

  • Visitor logs showing name, affiliation, purpose, escort, and entry/exit times
  • Signage indicating ITAR-restricted areas (required at entry points)
  • Badge issuance and return logs for all visitors
  • Evidence that escorts accompanied all non-badged visitors throughout the visit
  • Documentation that visitors acknowledged access restrictions before entry

Gaps in visitor logs—unsigned entries, missing escort names, or blank fields—are commonly cited findings. A structured ITAR-compliant visitor log book designed specifically for DIB facilities helps standardize what gets captured at the point of entry.

4. Digital and System Access Authorization Records

Physical access records alone are not sufficient. ITAR-controlled technical data increasingly lives in digital systems—CAD files, engineering drawings, specifications, and test data stored on servers, cloud platforms, and endpoints. Auditors will look for:

  • System access control lists (ACLs) or role-based access control (RBAC) configurations showing who can access ITAR-controlled data repositories
  • Evidence of least-privilege enforcement—users should access only what their role requires
  • Audit logs showing login activity, file access, and data transfers for ITAR-controlled systems
  • Documentation of account provisioning and deprovisioning tied to HR records
  • Multi-factor authentication (MFA) enforcement for systems housing technical data

Cloud environments require particular attention. If your organization stores ITAR technical data in Microsoft 365 or other cloud infrastructure, that environment must meet ITAR-compliant standards. Our post on ITAR controlled technical data in cloud environments outlines current 2026 requirements.

5. Periodic Access Reviews and Recertification Records

A one-time authorization is not sufficient. Auditors expect to see documented evidence that access rights are periodically reviewed—typically at least annually—and that access is promptly revoked when employment status, role, or project assignment changes. Your records should include:

  • Scheduled access review logs signed by the responsible manager or compliance officer
  • Evidence that terminated employees had access revoked within a defined, documented timeframe
  • Records of access modifications tied to role changes
  • Acknowledgment forms showing that personnel reviewed and understood access responsibilities

6. ITAR Training Completion Records Tied to Access

Access authorization and training documentation are linked. Auditors commonly check whether employees received ITAR training before access was granted—not after. You should be able to demonstrate:

  • Training completion records for every individual with ITAR access
  • Training date compared against access grant date (training must precede access)
  • Annual refresher training records for all active authorized personnel
  • Role-specific training for individuals with elevated access privileges
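Items 1, 2, 4, 5 and 6 above all reduce to the same reconciliation an auditor performs by hand: line up the authorization roster against HR separations, training completion dates, license review dates and the repository ACL, and flag every mismatch. The script below is an added example written for this page, not tooling from the original post or from Cleared Systems. All names, dates, the one-day revocation window and the placeholder license reference are constructed; the 365-day review interval is the "at least annually" expectation stated in item 5.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL_DAYS = 365   # item 5: access reviews at least annually
REVOCATION_WINDOW_DAYS = 1   # assumed TCP timeframe; set this to your own documented window


@dataclass
class Authorization:
    name: str
    us_person: bool
    granted: Optional[date]
    authorized_by: Optional[str]
    last_review: Optional[date]
    terminated: Optional[date] = None
    license_ref: Optional[str] = None     # DSP-5 number or exemption citation
    license_date: Optional[date] = None   # date the license/exemption was reviewed


@dataclass
class HRRecord:
    name: str
    active: bool
    separation_date: Optional[date] = None


def reconcile(auths, hr_records, training, acl_members, today):
    """Return (name, code, detail) findings for the checklist items an auditor tests."""
    hr = {h.name: h for h in hr_records}
    roster = {a.name for a in auths}
    findings = []

    for a in auths:
        # Item 1: no grant date or no authorizing official is itself a finding
        if a.granted is None or not a.authorized_by:
            findings.append((a.name, "UNDOCUMENTED_AUTHORIZATION",
                             "missing grant date or authorizing official"))
            continue

        # Item 6: training completion must precede the access grant
        done = training.get(a.name)
        if done is None or done > a.granted:
            findings.append((a.name, "TRAINING_AFTER_ACCESS",
                             f"training {done} does not precede grant {a.granted}"))

        # Item 2: foreign national access needs a license/exemption reviewed before access
        if not a.us_person:
            if a.license_ref is None or a.license_date is None:
                findings.append((a.name, "NO_LICENSE_RECORD", "no license or exemption on file"))
            elif a.license_date > a.granted:
                findings.append((a.name, "ACCESS_PREDATES_LICENSE",
                                 f"licensed {a.license_date}, access granted {a.granted}"))

        # Item 5: every live authorization needs a review inside the interval
        if a.terminated is None:
            if a.last_review is None or (today - a.last_review).days > REVIEW_INTERVAL_DAYS:
                findings.append((a.name, "STALE_REVIEW", f"last review {a.last_review}"))

        # Items 4/5: separated in HR but access not revoked within the window
        rec = hr.get(a.name)
        if rec is not None and not rec.active and rec.separation_date is not None:
            deadline = rec.separation_date + timedelta(days=REVOCATION_WINDOW_DAYS)
            if a.terminated is None or a.terminated > deadline:
                findings.append((a.name, "ACCESS_NOT_REVOKED",
                                 f"separated {rec.separation_date}, terminated {a.terminated}"))

    # Item 4: ACL entries on the data repository with no authorization record behind them
    for member in sorted(acl_members - roster):
        findings.append((member, "ACL_NOT_IN_ROSTER", "account on ACL without an authorization record"))
    return findings


def sample_findings():
    """Run the reconciliation over constructed records (not real personnel data)."""
    today = date(2026, 3, 1)
    auths = [
        Authorization("Alice Example", True, date(2025, 3, 1), "Director of Engineering", date(2025, 9, 15)),
        Authorization("Bob Example", True, date(2024, 1, 10), "Program Manager", date(2024, 1, 10)),
        Authorization("Carol Example", True, date(2025, 5, 1), "Program Manager", date(2025, 5, 1)),
        Authorization("Dana Example", False, date(2025, 6, 1), "Empowered Official", date(2025, 11, 1),
                      license_ref="DSP-5 <placeholder>", license_date=date(2025, 7, 1)),
        Authorization("Eve Example", True, None, None, None),
    ]
    hr = [HRRecord("Alice Example", True), HRRecord("Bob Example", True),
          HRRecord("Carol Example", False, date(2025, 12, 1)),
          HRRecord("Dana Example", True), HRRecord("Eve Example", True)]
    training = {"Alice Example": date(2025, 2, 20), "Bob Example": date(2024, 1, 15),
                "Carol Example": date(2025, 4, 20), "Dana Example": date(2025, 5, 15)}
    acl = {"Alice Example", "Bob Example", "Carol Example", "Dana Example", "Eve Example", "svc-legacy-cad"}
    return reconcile(auths, hr, training, acl, today)


if __name__ == "__main__":
    for name, code, detail in sample_findings():
        print(f"{code:26} {name:16} {detail}")
```

Each finding code maps back to one checklist item, so the output doubles as a pre-audit worksheet: a clean run is the evidence that item 5's review cycle is actually operating, and any `ACL_NOT_IN_ROSTER` line is precisely the "never reconciled against HR" deficiency that auditors cite most often.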

7. Subcontractor and Third-Party Access Documentation

If subcontractors or vendors access your ITAR-controlled data or facilities, your authorization records must cover them as well. Auditors look for:

  • Executed ITAR compliance agreements or non-disclosure agreements with ITAR provisions
  • Verification that subcontractors are themselves DDTC-registered, if required
  • Documented access scope limitations for third parties
  • Audit or review provisions in subcontractor agreements

Common Recordkeeping Failures That Create Audit Exposure

Based on our work with defense contractors across the aerospace and defense supply chain, the most frequently cited access control deficiencies include:

  • Authorization records that exist in email chains rather than a structured system
  • Visitor logs with incomplete or inconsistent fields
  • Digital access control lists that have never been reconciled against current HR records
  • No documented process for revoking access when employees depart
  • Training records that cannot be matched to specific access grants
  • Foreign national access that predates any license review

If any of these sound familiar, the time to remediate is now—before an examination, not after a violation notice. Our post on ITAR audit readiness and the 25 documents examiners request provides a broader pre-audit inventory to work through alongside this checklist.

Connecting Access Control to Your Broader Compliance Program

Access control does not operate in isolation. It is one pillar of a defensible ITAR compliance program that also includes technical data labeling, recordkeeping, training, licensing, and incident response. If your organization is building or maturing this program, our guide to the ten essential elements of a defensible ITAR compliance program lays out how these components integrate.

Organizations that have implemented structured compliance program development consistently perform better in audits because their authorization records are generated by a process—not assembled after the fact. A process-driven approach means your records are audit-ready every day, not just when an examiner calls.

Take the Next Step Before an Auditor Does

If your access control records could not survive a DDTC examination today, you have a window to fix that. Cleared Systems works with defense contractors, manufacturers, and federal agencies to assess, remediate, and document ITAR access control programs that hold up under scrutiny. Request a quote to speak with our team about where your authorization records stand and what it takes to close the gaps.
