The Physical Security Gap Most ITAR Programs Miss
When companies focus on ITAR and export controls compliance, they typically spend most of their energy on technology controls, license determinations, and employee training. Physical security often gets treated as an afterthought—something covered by a generic security policy rather than a deliberate, ITAR-specific control framework.
That is a mistake DDTC examiners are increasingly inclined to surface. The Directorate of Defense Trade Controls does not publish a line-item physical security checklist, but the International Traffic in Arms Regulations, enforcement patterns, and consent agreement precedents make clear what a defensible facility program looks like. If your physical controls cannot survive scrutiny during a voluntary disclosure review or a DDTC compliance examination, your program has a gap—regardless of how strong your technical data controls are on paper.
This post walks through the physical security controls that ITAR facility requirements practically demand, and what compliance managers and executives at defense contractors need to have documented and operational.
What the ITAR Actually Says About Physical Security
The ITAR does not contain a dedicated physical security section the way a NIST framework does. Instead, physical security obligations are embedded throughout the regulations. Part 120 establishes that defense articles and technical data must be protected from unauthorized disclosure or access. Part 122 registration requirements obligate registrants to maintain the internal controls necessary to comply. Part 126.1 and the broader compliance program expectations established through enforcement actions confirm that physical access controls are a foundational element of any defensible program.
The practical standard comes from two sources: DDTC consent agreements, which describe in detail what adequate controls look like when companies have failed, and general industry guidance on what a reasonable compliance program must include. Taken together, they describe a clear set of physical security expectations that go well beyond locking a file cabinet.
Core ITAR Facility Requirements: What Must Be in Place
1. Defined and Enforced Access Control Zones
Your facility must have clearly defined areas where ITAR-controlled technical data, hardware, and defense articles are handled, stored, or accessible. These areas need to be physically separated from general workspace to the extent practicable, and access must be restricted to U.S. persons who are authorized to access the specific controlled items involved.
This means badge-controlled entry points, locked storage areas, and documented access lists. It is not sufficient to have a general policy stating that only authorized personnel may access controlled areas. You need a functioning access control system, records of who has access, and a process for revoking access promptly when employment or role changes.
For companies operating in shared or multi-tenant facilities, the requirement to demonstrate physical separation is especially important. A foreign national working in a co-located space who can observe, overhear, or access ITAR-controlled items creates a deemed export exposure that DDTC treats as a violation regardless of intent.
2. Visitor Control and Foreign National Management
This is where many defense contractors are most vulnerable. ITAR visitor requirements demand that before any foreign national enters an area where controlled technical data or defense articles may be accessible, the company must either have an applicable license or other authorization in place, or must ensure that no controlled items are accessible during the visit.
Operationally, this requires a visitor management process that includes pre-screening visitors to determine citizenship and need-to-know status, escorting visitors through sensitive areas at all times, and maintaining a visitor log with sufficient detail to demonstrate compliance. The log should capture visitor identity, citizenship, date and time of entry and exit, areas accessed, and the name of the escort.
Visual identification is part of this system. ITAR badge requirements are not merely administrative. Color-coded badging systems that visually distinguish U.S. person employees from visitors, and that differentiate cleared from uncleared personnel, give your workforce a practical tool to enforce access controls in real time. Without visible badging, your staff cannot reliably identify who belongs in a controlled area and who does not.
Color-coded visitor badges—available in red, green, and blue configurations for different access levels—provide a low-cost, high-visibility control that makes your access tiers immediately apparent to any employee or security officer on the floor. Pairing them with a purpose-designed ITAR-compliant visitor log book creates the paper trail examiners expect to see.
3. Signage and Notice Controls
Facility signage serves both a legal-notice function and a deterrence function. Controlled areas should be clearly marked so that no one—employee or visitor—can credibly claim they were unaware they were entering a restricted space. Entry points to ITAR-controlled areas should display conspicuous signage indicating that access is restricted and that the area is subject to ITAR controls.
Lobby and reception areas should prominently direct all visitors to check in before proceeding, establishing the first line of your visitor control process from the moment someone enters the building. Physical signs designed specifically for ITAR-compliant facilities—such as lobby restricted access signs and authorized personnel only signs—are inexpensive controls that directly support your documented compliance posture.
4. Storage Controls for Technical Data and Hardware
ITAR-controlled technical data in physical form—drawings, specifications, test results, manuals—must be stored in a manner that prevents unauthorized access. Locked file cabinets, secure rooms, or safes with access restricted to authorized U.S. persons are the standard expectation. Blanket storage in shared areas, open shelving in common spaces, or printed materials left on desks in accessible areas are compliance failures waiting to be documented by an examiner.
The same logic applies to defense articles and components. Hardware subject to ITAR controls must be stored in secured areas with inventory controls and access logs. Manufacturers and defense contractors operating on shop floors face particular complexity here, as the line between production areas and controlled item storage can blur quickly without deliberate design.
5. Physical Security Documentation and Recordkeeping
Controls that exist only in practice and not on paper do not satisfy DDTC expectations. Your physical security program must be documented. That documentation should include a written physical security policy that specifically addresses ITAR requirements, access control procedures, visitor management procedures, and the roles responsible for maintaining each control.
DDTC expects records to be retained for five years under 22 CFR Part 122 and related provisions. Your visitor logs, access control records, and any incident reports related to unauthorized access or potential exposures fall within the scope of records that must be available for review. An ITAR compliance documentation toolkit can help compliance teams structure and maintain these records in a format that holds up under examination.
How Physical Security Connects to Your Broader ITAR Program
Physical security controls do not exist in isolation. They are one component of an integrated ITAR compliance program that also encompasses technology controls, employee training, license management, and an ongoing auditing function. Physical gaps can undermine otherwise strong technical controls—a robust cloud security posture means little if unauthorized individuals can access printed technical data or observe controlled workstations.
For companies in the aerospace and defense sector, manufacturing, or other defense industrial base segments, physical security is often where DDTC examiners start. It is observable, documentable, and directly connected to some of the most serious violations on record—including unauthorized exports to foreign nationals through uncontrolled facility access.
If your current program lacks a dedicated physical security component, or if your controls have not been formally assessed against current ITAR facility requirements, that gap should be a near-term priority. Our team at Cleared Systems regularly identifies physical security deficiencies during risk assessments that clients had not recognized as ITAR exposure.
Common Deficiencies Found During ITAR Facility Reviews
- No visitor log, or incomplete visitor records that fail to capture citizenship, areas accessed, or escort identity
- Absence of color-coded badging, or visitor badges that do not visually distinguish access levels
- Controlled areas without signage, or with generic signage that does not reference ITAR restrictions
- Technical data stored in unsecured or shared areas accessible to unauthorized personnel or foreign nationals
- No documented access revocation process for terminated employees or personnel whose roles have changed
- Physical security policy absent from the compliance program, or written at a level too general to provide actual guidance
- No escort procedures for foreign national visitors, or ad hoc escorting without documentation
Building a Defensible Physical Security Posture
The standard for ITAR facility requirements is not perfection—it is demonstrable, documented, and consistently applied control. DDTC examiners and enforcement attorneys look for evidence that your organization has made deliberate decisions about physical security, trained employees to support those decisions, and maintained the records to prove it.
If you are assessing your current posture, start with a physical walkthrough against the control categories described above. Document what exists, identify the gaps, and build a remediation plan with clear ownership and timelines. That process, properly documented, is itself evidence of a functioning compliance program.
For a more structured approach to evaluating your overall ITAR readiness, our ITAR compliance checklist provides a useful starting framework. For companies looking to build or rebuild a comprehensive program, our compliance program development services include physical security as an integrated element of a full ITAR compliance architecture.
Take the Next Step
If your facility's physical security controls have not been formally reviewed against current ITAR requirements, now is the time to close that gap before an examiner or a disclosure situation forces the issue. Cleared Systems works with defense contractors, manufacturers, and federal contractors to design and document physical security programs that satisfy DDTC expectations and stand up under scrutiny. Request a quote today to speak with our team about where your program stands and what it takes to get it where it needs to be.
