ITAR Audit Readiness Checklist: 25 Documents and Controls Examiners Will Request

What to Expect When DDTC Comes Knocking

A Directorate of Defense Trade Controls (DDTC) examination is not a surprise inspection in the traditional sense, but it can feel that way if your program is held together with good intentions and outdated spreadsheets. Whether you are responding to a directed audit, a voluntary disclosure follow-up, or a scheduled compliance review, examiners arrive with a structured request list. Organizations that have done the preparation work hand over documents in hours. Those that have not spend days searching for records that may not exist.

This checklist covers the 25 documents and controls most commonly requested during an ITAR audit. Use it to benchmark your current state, identify gaps, and drive remediation before an examiner ever sets foot in your facility. For a broader foundation, our ITAR and Export Controls Compliance services can help you build or strengthen the underlying program that makes these documents defensible.

Program Foundation Documents

Examiners first establish whether a formal compliance program exists and whether it is governed at an appropriate organizational level. Expect requests for the following.

1. Written ITAR Compliance Program Manual or Policy

Your program manual should describe the scope of your ITAR obligations, assign ownership, define processes for classification, licensing, and recordkeeping, and reference the relevant sections of the International Traffic in Arms Regulations. A policy document that was written five years ago and never updated is a red flag.

2. Empowered Official Designation Letter

ITAR requires a designated Empowered Official (EO) who has authority to sign export license applications and is legally accountable for compliance. The designation must be documented, current, and signed by senior leadership.

3. DDTC Registration Certificate and Renewal History

Examiners will verify your active registration and review whether renewal filings were submitted on time. Lapsed registrations are a serious finding. Keep a copy of every registration certificate dating back at least five years.

4. Organizational Chart Showing Compliance Roles

Who reports to whom, and where does the compliance function sit within the organization? Examiners want to see that compliance has visibility and authority, not that it is buried under a finance or IT department with no direct line to leadership.

Classification and Commodity Jurisdiction Records

One of the most common sources of ITAR violations is misclassification. Examiners look closely at how your organization determines what is and is not subject to the USML.

5. USML Classification Determinations

For each product, technology, or service your company handles, there should be a documented classification determination. These determinations should reference the specific USML category, include the rationale, identify who made the determination, and be dated. Undocumented verbal determinations will not survive scrutiny.

6. Commodity Jurisdiction (CJ) Request Records

If your organization has submitted Commodity Jurisdiction requests to DDTC, maintain the original submissions, correspondence, and final determinations. These are primary evidence that you sought authoritative guidance.

7. Export Control Classification Number (ECCN) Cross-Reference Log

For dual-use items that may straddle the line between ITAR and EAR jurisdiction, a documented analysis showing how you distinguished between the two regimes is essential. Examiners look for this especially in technology companies and manufacturers with both commercial and defense product lines.

License and Authorization Records

Every export, re-export, or transfer of ITAR-controlled defense articles, technical data, or defense services must be authorized. Examiners will pull your license files and cross-reference them against actual transactions.

8. Active and Expired Export License Files (DSP-5, DSP-73, etc.)

Maintain complete license files including the original application, supporting documents, the issued license, all amendments, and shipment records tied to each license. ITAR requires records to be kept for five years from the date of export or the expiration of the license, whichever is later.

9. Technical Assistance Agreement (TAA) and Manufacturing License Agreement (MLA) Files

TAAs and MLAs must be approved before controlled technical data or defense services are shared with foreign persons. Keep the signed agreement, all DDTC correspondence, implementation records, and any amendments in a centralized, retrievable file.

10. License Exemption Justification Records

When you rely on a license exemption rather than an approved license, document the specific exemption claimed, the regulatory citation, and the basis for eligibility. Unsupported exemption claims are among the most common audit findings.

11. Transaction Screening and Denied Party Screening Logs

Demonstrate that every transaction involving a foreign party was screened against denied party lists before the export occurred. Screening logs should capture the date, the parties screened, the lists checked, the result, and the name of the individual who performed the check.

Technical Data Controls

Technical data is where many ITAR violations originate, particularly in the age of cloud collaboration, remote work, and global engineering teams. Examiners focus heavily on how your organization identifies, marks, and controls technical data.

12. Technical Data Inventory and Classification Register

Maintain a current inventory of ITAR-controlled technical data, where it resides, who has access, and the applicable USML category. This inventory is the backbone of your access control and data handling program.

13. Data Labeling and Marking Procedures

ITAR requires that controlled technical data be appropriately marked. Show examiners your documented marking procedures and evidence of consistent application across electronic files, drawings, specifications, and physical media. Our post on ITAR compliance and proper labeling of documents and records offers practical guidance on this requirement.

14. IT System Security Controls Documentation

If technical data is stored or transmitted electronically, examiners will ask how those systems are protected. This includes access control configurations, encryption in transit and at rest, cloud environment accreditation, and any FedRAMP or GCC High documentation relevant to ITAR-compliant cloud storage.

Visitor and Access Controls

Physical access to ITAR-controlled areas and the presence of foreign national visitors are consistent audit focus areas. Examiners will walk your facility and review your physical security documentation.

15. Foreign National Visit Requests and Approvals

Every visit by a foreign national to an area where ITAR-controlled items or technical data may be accessed must be pre-approved and documented. Maintain visit request forms, approval records, escort assignments, and post-visit documentation.

16. Visitor Logs for ITAR-Controlled Areas

A complete, legible visitor log showing the name, nationality, affiliation, purpose, escort, and time in and out of controlled areas is a basic physical security requirement. An ITAR-compliant visitor log book designed specifically for defense industrial base facilities ensures you capture the right data in the right format.

17. Visitor Badge Control Procedures and Issuance Records

Color-coded badging systems that visually distinguish between U.S. persons, cleared visitors, and uncleared foreign nationals help facility staff enforce access controls consistently. Documented badge issuance and return procedures demonstrate programmatic control, not ad hoc enforcement.

18. Physical Security Plan for ITAR-Controlled Areas

Describe how controlled areas are designated, secured, and monitored. This includes lock controls, alarm systems, camera coverage, and the process for revoking access. Examiners want to see a plan, evidence of implementation, and records of periodic review.

Personnel, Training, and Human Resources Records

Your workforce is your largest exposure vector. Examiners review how employees are screened, trained, and held accountable.

19. ITAR Training Records

Document every training session: date, attendees, content covered, delivery method, and trainer credentials. Training must be role-appropriate. An engineer handling USML technical data needs more than the general awareness session delivered to administrative staff. Our ITAR and Export Controls Fundamentals guide is a practical resource for building role-based curriculum.

20. Foreign National Employment Records and Technology Control Plans

Employing foreign nationals in roles with access to ITAR-controlled technology requires either an approved export license or a documented basis for a license exemption. Technology Control Plans (TCPs) define how foreign national employees are managed, what they can access, and what controls are in place to prevent unauthorized transfers.

21. Personnel Nondisclosure Agreements and ITAR Acknowledgment Forms

Employees and contractors with access to ITAR-controlled items or data should sign acknowledgment forms confirming they understand their obligations. These records demonstrate that your compliance program has teeth beyond posted policies.

Audit, Incident, and Corrective Action Records

Examiners look favorably on organizations that conduct self-assessments and correct deficiencies proactively. A compliance program with no internal audit history is a program that does not take itself seriously.

22. Internal ITAR Audit Reports

Maintain records of internal compliance audits or reviews, including scope, methodology, findings, and corrective actions taken. Annual internal audits are a best practice; more frequent reviews are appropriate for high-volume exporters.

23. Voluntary Disclosure and Incident Records

If your organization has ever filed a voluntary disclosure with DDTC, maintain the complete file: the initial notification, the final report, all supporting documentation, and DDTC correspondence. If you have identified potential violations that were ultimately determined not to require disclosure, document that analysis as well.

24. Corrective Action Plans and Closure Records

When audits or incidents identify deficiencies, corrective action plans must be documented, tracked to completion, and verified effective. Open corrective actions that have not been addressed are a significant audit liability.

25. Transaction Records and Shipping Documentation

Maintain export transaction records including Electronic Export Information (EEI) filings, shipping documents, packing lists, commercial invoices, and destination control statements. These records must correlate to your license or exemption documentation. Gaps between transaction records and authorization records are a primary trigger for deeper examination.

How to Use This Checklist Before an Audit

Treat this list as a gap analysis tool, not just a document inventory. For each item, ask whether the document exists, whether it is current, whether it is retrievable within 24 hours, and whether it accurately reflects actual practice. A policy that says one thing while operations do another creates more legal exposure than no policy at all.

Organizations preparing for their first ITAR examination or refreshing a program that has drifted should consider a structured readiness assessment. Our post on how to prepare for an ITAR audit with a 90-day readiness plan walks through a phased approach to closing gaps systematically. For manufacturers with specific operational challenges, ITAR compliance for manufacturers addresses the production-floor considerations that office-centric checklists often miss.

If your organization operates across both ITAR and CMMC requirements, the documentation demands overlap in meaningful ways. Understanding how these frameworks interact helps you build a unified compliance posture rather than two parallel programs competing for the same resources. Our CMMC, CUI, and DFARS Compliance services are designed with that integration in mind.

Finally, consider whether your compliance program development is keeping pace with your business growth. Acquisitions, new contracts, and expanded foreign relationships all create new ITAR obligations. Our Compliance Program Development services help organizations build scalable programs that grow with the business rather than lag behind it.

Get Audit-Ready Before the Examiner Calls

ITAR audit readiness is not a one-time project. It is a discipline built on documented processes, trained personnel, and records that tell a coherent story about how your organization manages its export control obligations. If your current program cannot produce the 25 items on this list on short notice, that gap is your risk to manage. Cleared Systems works with defense contractors, aerospace firms, and regulated manufacturers to build and validate ITAR compliance programs that hold up under examination. Request a quote today to discuss your readiness posture, or explore our engagement models to find the right level of support for your organization.
