ITAR Compliance for Manufacturers Checklist: From Shop Floor to Shipping Dock

Why Manufacturers Face Unique ITAR Exposure

If your facility machines, assembles, tests, or ships defense articles, the International Traffic in Arms Regulations reach into every corner of your operation. ITAR compliance for manufacturers is not a documentation exercise confined to the compliance office. It lives on the shop floor, in the engineering bay, at the receiving dock, and in every email that carries a drawing or specification.

The consequences of getting it wrong are severe. The Directorate of Defense Trade Controls has levied penalties exceeding hundreds of millions of dollars against defense contractors for export violations that started with something as routine as a foreign national machinist viewing a controlled drawing or an unscreened vendor receiving a technical data package. What follows is a practical, role-oriented checklist designed to help compliance managers and operations executives close the most common gaps before DDTC finds them first.

For a broader foundation, review our existing resource on ITAR compliance for manufacturers before working through this checklist.

Section 1: Registration and Jurisdiction

Everything downstream depends on getting the basics right at the enterprise level.

• Active DDTC registration: Confirm your ITAR registration is current, accurate, and reflects any changes in ownership, corporate structure, or product lines. Registration must be renewed annually.
• USML classification confirmed: Each defense article you manufacture should have a documented classification determination tying it to a specific United States Munitions List category. Do not rely on informal assumptions.
• EAR vs. ITAR jurisdiction resolved: Items that fall under the Export Administration Regulations require a different compliance pathway. Misclassifying an EAR item as ITAR, or vice versa, creates exposure in both directions.
• Commodity Jurisdiction requests filed where uncertain: If jurisdiction is genuinely unclear, file a CJ request with DDTC rather than guessing.

Section 2: Facility Physical Security Controls

Your physical environment is among the first things a DDTC examiner will assess. Controlled manufacturing areas must be secured against unauthorized access, and the documentation supporting those controls must be readily available.

• Controlled areas clearly designated: Areas where ITAR-controlled items are manufactured, stored, or tested must be physically separated and marked. Posted signage matters. Consider ITAR-compliant facility signage for lobbies and access points to reinforce the boundary visually.
• Access control systems operational: Badge readers, keypad locks, or equivalent physical controls must restrict entry to authorized personnel only.
• Visitor management process in place: Every visitor entering a controlled area must be logged, escorted, and badged appropriately. Color-coded ITAR visitor badges provide an immediate visual indicator of access level and help floor supervisors identify who belongs where.
• Visitor log maintained: An ITAR-compliant visitor log book should capture arrival time, departure time, purpose of visit, escort identity, and citizenship status for every controlled-area entry.
• Foreign national access controls enforced: Foreign nationals require either an approved license or a license exemption determination before accessing controlled technical data or hardware. This must be documented, not assumed.

For a deeper look at facility-specific requirements, our post on what physical security controls DDTC actually expects provides detailed guidance.

Section 3: Technical Data Controls on the Shop Floor

Technical data is often where manufacturers accumulate the most invisible risk. Drawings, CAD files, process specifications, test procedures, and manufacturing instructions can all qualify as ITAR-controlled technical data the moment they describe the design, production, or operation of a USML item.

• Technical data inventory completed: You cannot control what you have not catalogued. Maintain a current inventory of all controlled technical data, both physical and digital.
• Labeling applied consistently: Every document, drawing, and digital file containing ITAR-controlled technical data must be marked with the appropriate ITAR legend. Unmarked data shared with the wrong person is still a violation.
• Print controls implemented: Shop floor printers that produce controlled drawings should be in secured areas, with print logging enabled where technically feasible.
• Digital access permissions aligned to authorization: Network folders, PLM systems, and ERP platforms that store controlled data must enforce role-based access. A machinist who does not need a full design specification should not have access to it.
• Email and file transfer controls active: Sending controlled technical data via personal email, commercial file-sharing platforms, or non-compliant cloud environments is an unauthorized export. Policy and technical controls must address this together.

Our team frequently encounters gaps in this area during assessments. The detailed guide on identifying, marking, and controlling ITAR technical data is a useful companion resource.

Section 4: Supply Chain and Subcontractor Controls

Your ITAR obligations do not stop at your four walls. When you transfer controlled technical data or hardware to a subcontractor or supplier, you are responsible for ensuring that transfer is authorized.

• Subcontractor ITAR status confirmed: Verify that any subcontractor receiving controlled data or hardware is DDTC-registered where required and has a functioning compliance program.
• Technical Assistance Agreements or Manufacturing License Agreements in place: Transfers of controlled technical data to foreign persons, including foreign subsidiaries of U.S. companies, generally require a license or agreement.
• Purchase orders and contracts include ITAR flow-down clauses: Your contracts with subcontractors should explicitly flow down applicable ITAR obligations.
• Incoming material inspections address ITAR markings: When receiving controlled components, verify that markings are intact and that custody documentation is complete.

Section 5: Personnel Training and Accountability

The most well-designed ITAR program fails when the people executing it do not understand what is expected of them. Training must be role-specific, documented, and recurring.

• New hire ITAR orientation completed before access: No employee should access controlled data or hardware before completing initial ITAR training.
• Annual refresher training documented: One-time training is not sufficient. Annual training must be documented with completion records retained.
• Role-specific training for engineers, production supervisors, and export staff: The machinist handling a USML component needs different training content than the contracts administrator processing a DSP-5 application.
• Foreign national hiring procedures coordinated with compliance: Human resources must notify the compliance function before extending offers to foreign nationals for positions that involve ITAR-controlled activities.

If your training program needs a structural overhaul, our ITAR and export controls compliance service includes program design, training delivery, and ongoing support for manufacturers at every stage of maturity.

Section 6: Export Licensing and Shipping Controls

The shipping dock is where latent compliance failures become actual export violations. Every outbound shipment of a defense article must be evaluated before it leaves your facility.

• Export license determination made for every shipment: Determine whether a license, license exemption, or license exception applies to each export before the item ships. Document the basis for the determination.
• Restricted party screening completed: Screen all end-users, consignees, and intermediaries against the DDTC debarred parties list and other applicable denied parties lists before shipment.
• Shipping documentation complete and accurate: Export Control Classification Numbers, USML categories, license numbers, and exemption citations must appear on the correct shipping documents.
• Records retained for five years: ITAR requires that export records be maintained for five years from the date of export. This includes licenses, shipping documents, and end-use documentation.
• Procedures for license condition compliance: When a license contains conditions, your operations team must have documented procedures to ensure those conditions are met on every applicable shipment.

Section 7: Compliance Program Infrastructure

A checklist is a diagnostic tool, not a compliance program. Sustained ITAR compliance for manufacturers requires organizational infrastructure that can absorb personnel changes, business growth, and evolving regulatory requirements.

• Empowered compliance officer designated: Someone with authority and resources must own the ITAR compliance function. This should not be a collateral duty assigned to someone without dedicated bandwidth.
• Technology Control Plan (TCP) in place where required: If your facility employs foreign nationals or hosts foreign visitors with access to controlled items, a TCP is a critical control document.
• Internal audit schedule maintained: Annual self-assessments against ITAR requirements help identify gaps before DDTC does.
• Voluntary disclosure procedures documented: When a potential violation is identified, your team must know the internal escalation path and understand when and how to file a voluntary disclosure with DDTC.
• Written ITAR compliance manual current: Policies and procedures should be living documents reviewed at least annually and updated to reflect regulatory changes. The ITAR Compliance Documentation Toolkit can accelerate the development of a foundational policy set.

If you are building or rebuilding your program from the ground up, our guide on building an ITAR compliance program from scratch walks through the process phase by phase.

Manufacturers serving the defense industrial base should also be aware that ITAR compliance frequently intersects with CUI and CMMC obligations. Our resource on protecting and managing CUI on shop floors addresses the overlap between these regulatory frameworks in a manufacturing environment.

Turn This Checklist Into a Living Compliance Program

Cleared Systems works with defense manufacturers, aerospace suppliers, and other regulated companies to build ITAR compliance programs that hold up under DDTC scrutiny. Whether you need a gap assessment, a full program build-out, or ongoing support through a Regulatory vCISO engagement, our team brings the operational experience to make compliance practical at every level of your organization. Request a quote today to discuss where your current program stands and what it will take to close the gaps.