Why DDTC Investigations Often Begin With Preventable Errors
In my years working with defense contractors across the aerospace, manufacturing, and federal sectors, I have seen the same pattern repeat itself. A company believes it is ITAR-compliant. Leadership has signed off on a policy document. Someone completed an online training course two years ago. And then a DDTC inquiry arrives, and the organization realizes its program existed largely on paper.
The Directorate of Defense Trade Controls does not announce its investigations in advance. Enforcement actions can originate from a voluntary disclosure, a tip, a routine audit, a customs flag, or an allegation buried in a competitor's legal dispute. The penalties are severe: civil fines reaching millions of dollars per violation, criminal prosecution, debarment from federal contracting, and reputational damage that is nearly impossible to reverse.
What follows are eight of the most costly and most common ITAR compliance mistakes we see at defense contractors. If any of these describe your organization, consider this a warning you cannot afford to ignore.
Mistake 1: Treating ITAR Registration as a One-Time Event
DDTC registration is not a checkbox you complete and forget. It must be renewed annually, and any significant change to your business — new ownership, merger, acquisition, name change, or change in the scope of defense articles manufactured — requires an amendment. We have worked with contractors who allowed their registration to lapse mid-contract or failed to update their registration after an acquisition, exposing themselves to serious enforcement risk.
If you are unsure whether your registration is current or accurate, review our guidance on how to register with DDTC, and verify today that your DECCS account matches your current business reality.
Mistake 2: Misclassifying Technical Data and Defense Articles
One of the most common — and most expensive — errors in ITAR compliance for defense contractors is misclassifying items under the United States Munitions List. Companies routinely assume that a component or software tool falls under the Export Administration Regulations rather than ITAR, and they proceed accordingly. When DDTC disagrees, the downstream consequences can be severe.
Engineers and program managers must understand what qualifies as ITAR-controlled technical data. Classification decisions should be documented, defensible, and reviewed by a qualified compliance officer or outside counsel. Our post on 5 common misclassifications of ITAR controlled technical data walks through the specific scenarios we see most frequently.
Mistake 3: Inadequate Foreign National Access Controls
The deemed export rule is one of the most misunderstood provisions in ITAR. Sharing technical data with a foreign national — even on U.S. soil, even in your own facility, even with a green card holder — constitutes an export under ITAR. Without a valid license or applicable exemption, that disclosure is a violation.
This affects hiring decisions, lab access, email distribution lists, shared drives, and engineering meetings. Many contractors have robust physical security at their front door but zero controls over who receives ITAR-controlled presentations in a conference room or who has access to a shared cloud drive. Our comprehensive guide on ITAR foreign national requirements provides the framework your HR, security, and compliance teams need.
Mistake 4: No Formal Technology Control Plan
A Technology Control Plan is a written document that describes how your organization identifies, controls, and protects ITAR-controlled items and technical data from unauthorized access or disclosure. DDTC expects to see a TCP that reflects actual operational conditions — not a generic template downloaded from the internet.
Contractors operating in university research environments, shared facilities, or joint ventures with foreign partners face particularly high risk here. If your organization does not have a current, facility-specific TCP, you have a significant gap. Learn more about what a Technology Control Plan is and who is required to have one.
Mistake 5: Weak or Absent Visitor Control Procedures
Visitor management is a physical security issue and an ITAR compliance issue simultaneously. Foreign national visitors must be identified in advance, screened, escorted, and logged. Access to areas where ITAR-controlled items or technical data are present must be controlled and documented. Visual indicators — such as color-coded visitor badges — are a practical, auditor-recognized method for communicating access permissions at a glance.
We see facilities where visitors sign a paper log at the front desk and then walk unescorted through engineering areas. That is not a compliant visitor control program. It is an enforcement action waiting to happen. Proper badging, signage, and a maintained visitor log are foundational controls. Our ITAR visitor requirements guide explains exactly what DDTC expects before a foreign national enters your facility.
Mistake 6: Inadequate Employee Training Documentation
ITAR requires that employees who handle defense articles, technical data, or defense services receive regular training. The operative word is regular — not once at onboarding and never again. More importantly, that training must be documented in a way that satisfies an auditor.
We consistently find that contractors can describe their training program verbally but cannot produce attendance records, training content, version histories, or signed acknowledgments. When DDTC asks for evidence of your training program, verbal assurances do not count. Our analysis of ITAR compliance training frequency, format, and documentation requirements outlines precisely what auditors look for.
Mistake 7: No Voluntary Disclosure Program or Internal Audit Function
DDTC looks significantly more favorably on organizations that identify their own violations and self-report through the voluntary disclosure process than on those where violations are discovered externally. A proactive internal audit function — one that periodically reviews license compliance, technical data access logs, and export records — is not just good hygiene. It is a critical component of a defensible compliance program.
Equally important is having a clear, documented process for what happens when a potential violation is discovered internally. Who is notified? What investigation steps are taken? When and how is DDTC contacted? Without a voluntary disclosure protocol, panic drives decisions — and panic-driven decisions in an enforcement context almost always make things worse. Our step-by-step guide to filing an ITAR voluntary disclosure is required reading for every compliance manager.
Mistake 8: Failing to Extend ITAR Controls to Subcontractors
Prime contractors are responsible for ensuring that the ITAR obligations flowing through their contracts are passed down appropriately to subcontractors and suppliers. This is not optional, and it is not limited to written contract clauses. It requires active oversight — verifying that subcontractors understand their ITAR obligations, maintain their own compliance programs, and do not create exposure for the prime.
This is a persistent gap in the defense industrial base. A subcontractor's ITAR violation can implicate the prime contractor's compliance posture, particularly where the prime had reason to know about the deficiency and failed to act. If you are a prime contractor with a layered supply chain, your ITAR program must extend beyond your own four walls. Our ITAR and export controls compliance service includes supply chain risk assessment as a core component.
What a Defensible ITAR Compliance Program Actually Looks Like
Across all eight of these mistakes, the common thread is the gap between compliance on paper and compliance in practice. DDTC examiners are experienced professionals. They know what a real program looks like, and they know what a paper program looks like. The difference between the two is not the quality of your policy documents — it is whether your people know what to do, your controls are functioning, and your records can prove it.
A defensible program includes a current DDTC registration, accurate USML classifications, a facility-specific Technology Control Plan, documented employee training, enforceable visitor control procedures, active internal audits, a voluntary disclosure protocol, and supply chain oversight. It is also regularly reviewed and updated to reflect changes in your business and in DDTC's enforcement priorities.
For a structured framework, review the 10 essential elements of a defensible ITAR compliance program and use our ITAR compliance checklist to benchmark your current posture. Organizations that serve the aerospace and defense market can also benefit from our dedicated federal and defense industry resources.
Take Action Before DDTC Does
If this post identified gaps in your ITAR compliance program, the right time to address them is now — not after a disclosure request arrives. At Cleared Systems, we work directly with compliance managers and executives at defense contractors to assess, build, and mature ITAR compliance programs that hold up under real scrutiny. Whether you need a gap assessment, a full program build, or ongoing compliance support, we can help. Request a quote today to speak with our team, or review our compliance program development service to understand how we structure engagements for organizations at every stage of the compliance journey.
