Why an ITAR Risk Assessment Is Not Optional
If your organization touches defense articles, technical data, or defense services controlled under the International Traffic in Arms Regulations, you are already carrying ITAR risk. The question is whether you have measured it. A structured ITAR risk assessment is the mechanism that separates organizations that know their exposure from those that discover it during a Directorate of Defense Trade Controls (DDTC) examination or, worse, while preparing a voluntary disclosure after a violation has already occurred.
Risk does not distribute itself evenly across an organization. It concentrates in the gaps between what your policies say, what your employees actually do, and what your technology is capable of enforcing. This checklist is designed to help compliance managers and executives pressure-test all three dimensions before those gaps become enforcement actions.
For a broader foundation, our ITAR & Export Controls Compliance service provides structured support for organizations at every stage of program maturity.
Domain 1: People and Personnel Controls
More ITAR violations originate from personnel failures than from any other source. Unauthorized disclosure of technical data to a foreign national, an untrained employee forwarding controlled files to a personal email account, or a hiring manager who never screened a new engineer for U.S. person status (citizenship, lawful permanent residence, or protected-individual status) before granting access to controlled data: these are representative, not hypothetical. Work through each item below honestly.
Foreign National Access and Deemed Export Controls
- Have you identified every foreign national employee, contractor, intern, or visitor who has or could have access to ITAR-controlled technical data or hardware?
- Do you have a written deemed export policy that is enforced, not just documented?
- Are required export licenses obtained before any foreign national accesses controlled items or information?
- Does HR have a documented screening protocol that runs before an offer letter is extended?
For a detailed treatment of this topic, see our post on ITAR Compliance: A Guide to Hiring Foreign Nationals.
Training and Awareness
- Can every employee who handles ITAR-controlled items or data demonstrate they have completed role-appropriate training within the last 12 months?
- Do managers receive separate, more detailed training covering their supervisory obligations?
- Are training records maintained in a format that would satisfy a DDTC examiner on day one of an audit?
- Is there a mechanism to push updated training when regulations change or when your commodity jurisdiction determinations are revised?
Visitor Management
- Is there a written visitor control procedure that distinguishes between U.S. persons and foreign nationals?
- Are all visitors logged with sufficient detail — name, nationality, purpose, areas accessed, escort identity?
- Does your facility use visual badging that immediately identifies visitor status and access tier?
Color-coded visitor credentialing — such as our Red ITAR Visitor Badges for controlled-access visitors — provides an immediate, auditable signal that reinforces procedural controls on the floor. Pair them with an ITAR Compliant Visitor Log Book to maintain the records DDTC examiners expect.
Domain 2: Processes and Operational Controls
Even organizations with strong awareness programs can carry significant process risk. The checklist items in this domain target the operational procedures that govern how controlled items and data move through your organization, to partners, and across borders.
Classification and Commodity Jurisdiction
- Have you determined whether each of your products, components, and technical data sets is subject to ITAR, EAR, or neither?
- Are classification determinations documented and periodically reviewed, particularly when products are modified or new contracts are awarded?
- Is there a defined owner for commodity jurisdiction requests and export license applications?
Export License Management
- Do you maintain a complete, current log of all active and expired export licenses?
- Are license conditions — including authorized end-users, quantities, and authorized uses — tracked and enforced operationally, not just filed administratively?
- Is there a process to flag shipments or data transfers that approach or exceed license thresholds?
- Are licenses re-evaluated when business relationships or end-use conditions change?
Subcontractor and Supply Chain Controls
- Do your subcontractor agreements include explicit ITAR flow-down clauses?
- Have you verified that key subcontractors are registered with DDTC if their scope requires it?
- Is there a process to screen new suppliers against the DDTC debarred parties list and other restricted party lists before contract award?
- Do subcontractors who receive technical data from you have demonstrable controls over how that data is stored and who can access it?
Our ITAR Compliance for Manufacturers guide provides additional guidance on managing these supply chain obligations in production environments.
Recordkeeping
- Are all export transactions — including licenses, shipping documents, and technical assistance agreements — retained for the required five-year period?
- Can records be retrieved quickly and completely in response to a DDTC inquiry?
- Are electronic records protected against unauthorized modification?
Domain 3: Technology and Information Systems
ITAR risk has a significant information security dimension. The unauthorized electronic transmission of technical data to a foreign national — regardless of whether it crosses a physical border — constitutes a deemed export. Your IT environment must be capable of preventing and detecting that.
Data Classification and Labeling
- Are ITAR-controlled files and datasets labeled consistently and visibly?
- Is there an automated or semi-automated system for applying and enforcing labels, or does labeling depend entirely on individual employee judgment?
- Do your technical data controls extend to engineering files, CAD drawings, specifications, and test reports — not just formal correspondence?
For cloud-specific labeling strategies, see our post on Microsoft AIP: Overcoming Data Labeling and Classification Challenges.
Access Controls and Authentication
- Is access to ITAR-controlled systems and data limited to authorized U.S. persons or properly licensed foreign nationals?
- Do you enforce role-based access controls that are reviewed and updated when personnel change roles or leave?
- Are privileged accounts — system administrators, IT staff — subject to enhanced screening and monitoring?
- Is multi-factor authentication enforced for all systems that store or transmit ITAR-controlled technical data?
Cloud Services and Collaboration Tools
- Have you verified that your cloud environment meets ITAR requirements, either by keeping controlled data stored and processed in the U.S. with access limited to U.S. persons, or by meeting every condition of the ITAR end-to-end encryption carve-out (22 CFR 120.54) for any data that leaves that boundary?
- Are collaboration platforms — email, file sharing, video conferencing — configured to prevent ITAR-controlled data from being accessible to foreign nationals?
- Do you have a written acceptable use policy for cloud services that explicitly addresses ITAR obligations?
Our post on The Importance of ITAR Compliant Cloud Services explains why standard commercial cloud configurations frequently create undetected violations.
Incident Detection and Response
- Is there a documented process for identifying and responding to potential ITAR violations — including unauthorized disclosures and suspected deemed exports?
- Do you have a voluntary disclosure protocol that includes legal counsel and compliance leadership, and is that protocol understood by the people who would first detect an incident?
- Are security logs retained in a manner that would support a post-incident investigation?
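As an added illustration of the detection capability the Access Controls and Incident Detection items above call for (this is example code written for this page, not code from the original article or from Cleared Systems), the Python below replays a constructed file-access log against a personnel register and a path-label registry and flags the events a compliance reviewer would want to see: a foreign person reading data outside any license, a license that has expired, an account that is not in the register at all, controlled data mailed to an external domain, and an access to a path that was never classified. The user names, share paths, program names, log format, and internal mail domain are all assumptions.

```python
"""Added example, not from the original article: replay a constructed file-access
log against a personnel register and a path-label registry and flag events that
indicate a possible unauthorized release of ITAR-controlled technical data.
All users, paths, programs and the log format are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed personnel register. A foreign person is authorized only for the
# programs named in a current license (value = license expiry date).
PERSONNEL = {
    "jsmith": {"us_person": True, "licenses": {}},
    "lchen": {"us_person": False, "licenses": {"PROG-A": date(2026, 12, 31)}},
    "rkumar": {"us_person": False, "licenses": {"PROG-A": date(2024, 1, 31)}},
}

# Constructed label registry: path prefix -> (classification, program).
LABELS = {
    "/shares/eng/prog-a/": ("ITAR", "PROG-A"),
    "/shares/eng/prog-b/": ("ITAR", "PROG-B"),
    "/shares/hr/": ("INTERNAL", None),
}

# Mail domains treated as inside the organization (assumption).
INTERNAL_DOMAINS = {"example.com"}

# Constructed log: timestamp|user|action|path|destination ("-" if none).
SAMPLE_LOG = """\
2025-03-01T09:00:00|jsmith|read|/shares/eng/prog-a/wing-spar.step|-
2025-03-01T09:05:00|lchen|read|/shares/eng/prog-a/wing-spar.step|-
2025-03-01T09:07:00|lchen|read|/shares/eng/prog-b/actuator-test.pdf|-
2025-03-01T09:10:00|rkumar|read|/shares/eng/prog-a/wing-spar.step|-
2025-03-01T09:15:00|jsmith|email|/shares/eng/prog-a/wing-spar.step|jsmith@gmail.com
2025-03-01T09:20:00|jsmith|email|/shares/eng/prog-a/wing-spar.step|lead@example.com
2025-03-01T09:25:00|contractor7|read|/shares/eng/prog-b/actuator-test.pdf|-
2025-03-01T09:30:00|jsmith|read|/shares/eng/misc/notes.txt|-
2025-03-01T09:35:00|jsmith|read|/shares/hr/handbook.pdf|-
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    path: str
    reason: str


def classify(path):
    """Return (label, program) for a path; an unlabeled path is itself a finding."""
    for prefix, (label, program) in LABELS.items():
        if path.startswith(prefix):
            return label, program
    return "UNLABELED", None


def authorized(user, program, as_of):
    """Decide whether `user` may access `program` data on `as_of`; returns (ok, reason)."""
    rec = PERSONNEL.get(user)
    if rec is None:
        return False, "account not in personnel register"
    if rec["us_person"]:
        return True, ""
    expiry = rec["licenses"].get(program)
    if expiry is None:
        return False, f"foreign person with no license covering {program}"
    if expiry < as_of:
        return False, f"foreign person whose {program} license expired {expiry}"
    return True, ""


def analyze(log_text, as_of=date(2025, 3, 1)):
    """Return the events in the log that need compliance review, in log order."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, path, dest = line.split("|")
        label, program = classify(path)
        if label == "UNLABELED":
            findings.append(Finding(ts, user, path, "unlabeled path; classify before allowing access"))
            continue
        if label != "ITAR":
            continue
        ok, why = authorized(user, program, as_of)
        if not ok:
            findings.append(Finding(ts, user, path, why))
        # Sending controlled data outside the organization is reviewed even when
        # the sender is an authorized U.S. person.
        if action == "email" and dest.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
            findings.append(Finding(ts, user, path, f"controlled data sent to external address {dest}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<12} {f.path:<42} {f.reason}")
```

Run against the constructed log it reports five events and stays silent on the four that are in order: the U.S. person's reads, the licensed foreign person's read of the program the license covers, the internal email, and the INTERNAL-labeled HR file. The point of the structure is that the decision depends on two registers that compliance owns (who is a U.S. person or licensed for what, and which paths carry which label), not on an engineer's judgment at the moment of access; keeping those registers current is the operational control the checklist items above are asking about.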
Scoring Your Assessment and Prioritizing Remediation
Not every gap carries equal risk. When you score the results of this assessment, weight items by two factors: the likelihood that the gap will produce a violation, and the magnitude of the potential consequence. Gaps in foreign national access controls, cloud data sovereignty, and export license compliance tend to carry the highest combined scores and should drive your remediation roadmap.
Once you have completed the assessment, document your findings in a formal risk register and assign owners, target dates, and interim mitigating controls to each open item. A program with documented gaps and active remediation is in a materially better position with DDTC than one with undocumented gaps and no record of awareness.
Our Federal & SLED Risk Assessments service provides a structured, externally validated methodology for organizations that need an independent assessment rather than a self-evaluation.
For organizations earlier in the compliance journey, the ITAR Compliance Documentation Toolkit provides ready-to-deploy templates that support both the assessment process and ongoing program management.
Take the Next Step
A checklist identifies risk. Eliminating it requires a program. If you have completed this assessment and identified gaps you are not equipped to close internally, Cleared Systems is ready to help. Contact us to request a quote for a structured ITAR risk assessment engagement, or review our engagement models to find the right structure for your organization's size and complexity. The cost of a thorough assessment is a fraction of the cost of a DDTC enforcement action — and the benefit of knowing where you stand is immediate.
