ITAR Recordkeeping Requirements Checklist for Compliance and Contracts Teams

Why ITAR Recordkeeping Is a Compliance Priority You Cannot Afford to Ignore

When the Directorate of Defense Trade Controls (DDTC) initiates an audit or investigation, the first thing examiners ask for is records. Not intentions. Not verbal explanations. Records. Defense contractors who cannot produce complete, accurate, and properly organized documentation face civil penalties that can reach into the tens of millions of dollars, along with potential debarment from federal contracting.

ITAR recordkeeping requirements are codified primarily in 22 CFR Part 122 (registration), Part 123 (licenses for exports), Part 124 (agreements), Part 125 (technical data), and Part 130 (political contributions and fees). Together, these regulations create a web of documentation obligations that compliance teams and contracts departments must manage systematically — not reactively.

This checklist is designed for compliance managers and contracts professionals who need a structured, operational reference. Whether you are building your program from scratch or auditing an existing one, use this as your baseline. For a broader program perspective, our post on ITAR recordkeeping requirements explained provides useful background context.

The Core ITAR Recordkeeping Rule: Five Years, No Exceptions

The governing retention period under ITAR is five years from the expiration of a license, the completion of a transaction, or the date of the activity in question. This applies broadly across export authorizations, technical data transfers, agreements, and visitor access records. The five-year rule is not a guideline — it is a regulatory floor. Some transactions may warrant longer retention based on your internal risk posture or related contractual obligations.

Records must be stored in a manner that ensures they are readily retrievable. DDTC examiners expect that when they ask for a specific license record or a technical data disclosure log, your team can produce it within a reasonable timeframe. Buried in file cabinets with no indexing system is not a defensible posture.

ITAR Recordkeeping Requirements Checklist

1. DDTC Registration Records

• Copy of current DDTC registration certificate and all prior registration certificates for five years following expiration
• Documentation of any amendments to registration, including changes to products, services, or business structure
• Records of annual registration fee payments
• Correspondence with DDTC related to registration, including acknowledgment letters and approval notices

2. Export License and Authorization Records

• Originals or certified copies of all licenses issued under Parts 123, 124, and 125
• License application packages, including supporting technical documentation submitted to DDTC
• Records of all shipments or transfers made under each license, including quantities, values, end users, and dates
• Commodity jurisdiction (CJ) determinations and formal classification opinions
• Records of any license exemptions claimed, with documentation establishing eligibility at the time of use
• Denial and return-without-action notices from DDTC

3. Technical Data and Defense Services Records

• Logs of all disclosures of ITAR-controlled technical data to foreign persons, whether in the U.S. or abroad (deemed exports)
• Written authorization or license under which each disclosure was made
• Records identifying the recipient, the nature of the technical data disclosed, the date, and the authorizing document
• Signed non-disclosure agreements (NDAs) with foreign nationals who receive technical data
• Training records documenting that employees who handle technical data received ITAR-specific instruction

For practical guidance on labeling obligations tied to these records, see our post on ITAR compliance and proper labeling of ITAR documents and records.

4. Manufacturing License Agreements and Technical Assistance Agreements

• Executed copies of all Manufacturing License Agreements (MLAs) and Technical Assistance Agreements (TAAs) approved by DDTC
• Records of all activities conducted under each agreement, including services rendered, data transferred, and personnel involved
• Amendments and DDTC approval correspondence for each agreement modification
• Termination notices and final activity reports upon agreement expiration

5. Shipper's Export Declarations and EEI Filings

• Electronic Export Information (EEI) filings via the Automated Export System (AES), with Internal Transaction Numbers (ITNs)
• Commercial invoices, packing lists, and airway bills or bills of lading for each controlled export shipment
• End-use certificates and destination control statements
• Records confirming the foreign consignee and end user for each shipment

6. Visitor Access and Foreign National Records

• Visitor logs documenting the identity, nationality, citizenship, date of visit, areas accessed, and escorting personnel for all foreign national visitors
• Pre-visit screening documentation, including nationality checks and determination of applicable export authorization
• Records of Technology Control Plans (TCPs) in effect at the time of each visit
• Signed visitor agreements or acknowledgment forms

Physical access control materials, including compliant visitor badges and facility signage, are a visible and auditable component of this requirement. Our ITAR compliant visitor log book is purpose-built for this documentation obligation.

7. Part 130 Political Contributions and Fees Records

• Records of fees, commissions, and political contributions associated with sales of defense articles or defense services valued at $500,000 or more
• Certifications submitted to DDTC under Part 130 requirements
• Supporting documentation for each reportable payment, including the identity of the recipient and the transaction to which it relates

8. Internal Compliance Program Records

• Current written ITAR compliance manual or policy, with version history and approval records
• Records of employee ITAR training, including dates, content, attendees, and assessment results
• Internal audit and self-assessment reports, with remediation plans and closure documentation
• Records of voluntary disclosures submitted to DDTC, including the disclosure itself, supporting documentation, and DDTC correspondence
• Records of empowered official designation, including the individual's title and scope of authority

Format, Storage, and Access Requirements

ITAR does not mandate a specific storage format — paper or electronic records are both acceptable — but electronic records must be capable of being produced in readable form upon request. Encrypted storage is appropriate, but your team must be able to decrypt and retrieve records without unreasonable delay. Cloud storage used for ITAR records must be ITAR-compliant, meaning data must remain within U.S. jurisdiction with appropriate access controls. For more on this topic, see our post on the importance of ITAR compliant cloud services.

Access to ITAR records should be restricted to personnel with a legitimate need and appropriate authorization. Your records management procedures should document who has access, how access is granted and revoked, and how access logs are maintained. This is not merely an IT function — it is a compliance function that sits squarely within the scope of your ITAR and export controls compliance program.

Common Recordkeeping Failures That Invite DDTC Scrutiny

After working with defense contractors across the aerospace, manufacturing, and federal sectors, I consistently see the same recordkeeping breakdowns that create enforcement exposure:

• Incomplete license utilization logs — Contractors maintain the license but fail to log individual shipments or disclosures made under it
• Missing deemed export documentation — Foreign national employees or visitors receive technical data with no written authorization on file
• Expired records destroyed prematurely — Teams purge files on a general retention schedule without accounting for ITAR's five-year minimum
• No version control on compliance policies — A current policy exists but prior versions and approval history are gone
• Visitor logs with incomplete entries — Nationality is missing, escort information is blank, or the applicable authorization column was never filled in
• TAA activity reports never filed — The agreement is on file, but required periodic reports to DDTC were never submitted

If any of these resemble your current state, they deserve immediate remediation before your next internal audit or external examination. Our team regularly helps contractors identify and close these gaps through structured compliance program development engagements.

Integrating ITAR Recordkeeping Into Your Contracts Workflow

Contracts teams play a critical but often underutilized role in ITAR recordkeeping. Every new contract that involves defense articles, technical data, or defense services should trigger a records management review. At minimum, your contracts team should:

1. Confirm whether the contract involves USML-controlled items or data and document the determination
2. Identify the applicable export authorization and associate it with the contract file
3. Coordinate with compliance to establish a transaction log for the life of the contract
4. Flag any subcontracting arrangements that involve ITAR-controlled items or data, and ensure flow-down documentation is on file
5. Trigger a post-performance records review at contract close-out to confirm all required documentation has been captured and retained

This integration becomes especially important for companies operating in the aerospace and defense sector, where the volume and complexity of ITAR-covered transactions makes ad hoc recordkeeping unsustainable.

Ready to Strengthen Your ITAR Recordkeeping Program?

ITAR recordkeeping requirements are not a back-office administrative burden — they are the evidentiary foundation of your entire compliance program. If DDTC comes knocking, your records either tell the story of a company that takes its obligations seriously, or they expose gaps that become penalties. The Cleared Systems team works with defense contractors, manufacturers, and federal agencies to build and audit records management programs that meet DDTC expectations. To discuss where your program stands today, request a quote or review our engagement models to find the right level of support for your organization.