ITAR Foreign National Requirements Checklist: From Hiring Through Ongoing Access Management

Why ITAR Foreign National Requirements Demand a Structured Approach

Foreign national employees, contractors, and visitors represent one of the most frequently cited sources of ITAR violations. The reason is not malicious intent—it is process failure. Companies that lack a written, repeatable workflow for managing foreign national access to ITAR-controlled technical data and defense articles routinely find themselves on the wrong side of a Directorate of Defense Trade Controls (DDTC) examination. The penalties are severe: civil fines up to $1 million per violation, criminal liability, and debarment from future government contracting.

This checklist is designed for compliance managers and executives at defense contractors who need a practical, end-to-end reference for managing ITAR foreign national requirements from the moment a candidate enters your pipeline through ongoing access management. For a deeper foundation, review our existing guidance on ITAR compliance and hiring foreign nationals before applying the steps below.

Understanding the Deemed Export Rule

Before walking through the checklist, every compliance manager must understand the deemed export concept. Under the International Traffic in Arms Regulations (ITAR), a "deemed export" occurs when ITAR-controlled technical data or defense services are released to a foreign national inside the United States. That release is treated as an export to the individual's country of nationality, regardless of where the disclosure physically occurs.

This means that allowing a foreign national employee to access drawings, source code, specifications, or manufacturing processes for items on the U.S. Munitions List (USML) without a license or applicable exemption is an ITAR violation. The nationality that matters is citizenship or permanent residency status—not where the person currently lives or how long they have worked for your company.

For a broader overview of what ITAR covers and who must comply, see our guide on what ITAR compliance is and who needs to comply.

Phase 1: Pre-Hire Screening Checklist

The compliance process begins before an offer letter is signed. HR, legal, and your empowered official must coordinate on every candidate who may have access to ITAR-controlled items or data.

• Determine nationality and citizenship status. Collect passport information and visa documentation. Identify all current citizenships and any pending immigration petitions. Note that dual nationals are treated as nationals of both countries under ITAR.
• Assess the role's ITAR exposure. Identify whether the position will involve access to USML items, technical data, or defense services. Roles in engineering, manufacturing, R&D, IT systems hosting ITAR data, and program management typically create exposure.
• Determine if a license or exemption applies. If the candidate is a foreign national who will require access, evaluate whether the ITAR §126.18 exemption for employees of companies in a Bilateral or Multilateral Agreement country is available, or whether a license such as a DSP-5 or a Technical Assistance Agreement (TAA) is required.
• Consult your empowered official or legal counsel. Do not make access determinations at the HR level alone. The empowered official must be involved in any licensing determination.
• Document the screening decision. Record the nationality check, the exposure assessment, the license or exemption determination, and who made the decision. This documentation is essential during a DDTC audit.

Phase 2: Technology Control Plan (TCP) Obligations

If your organization employs foreign nationals with potential ITAR exposure, you are very likely required to have a Technology Control Plan. A TCP documents how your organization will prevent unauthorized access to ITAR-controlled technical data and defense articles by foreign nationals who have not been covered under a license or approved exemption.

• Establish or update your TCP. The TCP must identify the USML categories involved, the foreign nationals subject to access restrictions, the physical and logical controls in place, and the procedures for monitoring and enforcement.
• Identify restricted areas and systems. Map locations and IT systems that contain ITAR-controlled technical data. These become restricted zones for unlicensed foreign nationals.
• Define access tiers by nationality and license status. Not all foreign nationals have the same level of restriction. Canadian nationals covered under ITAR §126.5, for example, have different treatment than nationals of countries in Country Group D:5. Your TCP must reflect these distinctions.
• Designate a TCP administrator. Assign a named individual responsible for enforcing the plan, updating it as personnel or programs change, and maintaining records.

Our ITAR and Export Controls Compliance service includes TCP development and review as a core deliverable for clients navigating these requirements.

Phase 3: Onboarding and Access Provisioning Checklist

Once a foreign national is hired and the license or exemption status is confirmed, access provisioning must follow a documented process.

1. Brief the employee on ITAR obligations. Provide role-specific ITAR training that explains what they can and cannot access, what constitutes a deemed export, and the consequences of unauthorized disclosure. Document completion.
2. Implement access controls consistent with license or exemption scope. If a TAA or other license governs access, the scope of that license defines the boundary of what the employee may access. Do not provision access beyond license scope.
3. Issue appropriate facility credentials. Foreign nationals whose access is restricted should receive badging that clearly distinguishes their access level. Color-coded ITAR visitor and access badges provide a visible, physical layer of access management. For facilities that host both cleared and uncleared personnel, consider red ITAR visitor badges for restricted access and green ITAR visitor badges for cleared or approved personnel.
4. Configure IT system access in alignment with TCP restrictions. Role-based access controls in your network, document management systems, and collaboration platforms must reflect the same restrictions documented in the TCP. Foreign nationals without a license or approved exemption must not have access to systems containing ITAR-controlled technical data.
5. Establish a signed acknowledgment of ITAR obligations. Require the employee to sign a written acknowledgment that they understand their ITAR obligations, the access restrictions that apply to their role, and the reporting requirements if they believe a violation has occurred.

Phase 4: Ongoing Access Management and Monitoring

ITAR foreign national requirements do not end at onboarding. Continuous monitoring and periodic reviews are required to maintain a defensible compliance posture.

• Conduct annual access reviews. At minimum annually, review the access rights of all foreign national employees against current license or exemption status, changes in nationality or immigration status, and changes in program scope.
• Monitor for nationality or status changes. Foreign nationals who naturalize as U.S. citizens no longer require ITAR controls for deemed exports. Conversely, employees who obtain a second citizenship from a restricted country may trigger new compliance obligations. Establish a self-reporting requirement and periodic verification process.
• Track license expirations and renewals. ITAR licenses have defined terms. Build license expiration dates into your compliance calendar. Access must be suspended if a license lapses and no renewal or replacement is in place.
• Audit physical access logs and IT access logs. Periodically audit whether foreign national employees are accessing areas or systems beyond their authorized scope. Anomalies require immediate investigation and documentation.
• Maintain records for five years minimum. ITAR requires that export-related records be retained for at least five years. This includes records related to deemed exports, TCP reviews, license applications, and access decisions.
• Update the TCP when programs, personnel, or controls change. A TCP that was accurate at the time of hire can become non-compliant if programs change, new USML items are added to scope, or personnel move into different roles. Assign accountability for keeping the TCP current.

For organizations seeking support structuring these ongoing obligations within a broader compliance framework, our Compliance Program Development service provides the architecture to make these processes sustainable and audit-ready.

Special Considerations: Subcontractors and Vendors

ITAR foreign national requirements extend to your supply chain. If you share ITAR-controlled technical data with a subcontractor who employs foreign nationals, you are responsible for ensuring that the disclosure is authorized. This means your subcontract agreements must include ITAR flow-down clauses, and you must verify that your subcontractors have adequate controls in place before sharing data.

Do not assume that a subcontractor's general ITAR registration with DDTC means they have a compliant foreign national access program. Ask for evidence of their TCP, their screening procedures, and their training documentation before transmitting any ITAR-controlled technical data.

Common Failure Points to Audit Now

Based on enforcement trends and our experience supporting defense contractors, these are the areas where ITAR foreign national programs most frequently break down:

• Failure to update the TCP when foreign national employees change roles or programs change scope
• IT system access that was provisioned at onboarding and never reviewed against license scope
• License expirations that went unnoticed because no one owned the compliance calendar
• Dual nationals whose second citizenship was never identified during screening
• Foreign national visitors escorted through ITAR-restricted areas without a visitor log entry or badge
• Training completed but not documented—leaving the organization without evidence of the briefing

For a broader look at your overall program posture, our ITAR compliance checklist covers the full regulatory landscape beyond foreign national requirements alone. You may also find value in reviewing ITAR access control requirements to ensure your physical, digital, and administrative controls are properly aligned.

Building a Defensible Program

DDTC examiners and DoD auditors look for written procedures, documented decisions, training records, and evidence of consistent enforcement when they evaluate ITAR foreign national compliance programs. The difference between a company that receives a warning letter and one that faces a consent agreement is almost always the quality of documentation and the consistency of process execution.

If your organization handles ITAR-controlled items and employs or engages foreign nationals in any capacity, the program described in this checklist is not optional—it is required. The question is whether you have implemented it in a way that is defensible under scrutiny.

For organizations that want expert support designing or strengthening their ITAR foreign national compliance program, Cleared Systems provides hands-on consulting through our ITAR and Export Controls Compliance service. Whether you need a TCP drafted from scratch, an access control audit, or a full program assessment, our team of compliance professionals is ready to help you build a program that protects your company and your contracts.

Ready to assess where your ITAR foreign national program stands today? Request a quote and speak directly with our compliance team about the fastest path to a defensible, audit-ready program.