Why Your ITAR Compliance Program Needs a Structured Control Framework
Most defense contractors do not fail DDTC audits because they ignored ITAR. They fail because their programs were built reactively — a policy added here, a training session scheduled there — without a disciplined framework tying everything together. The result is a compliance posture full of invisible gaps that an examiner will find in the first hour of an audit.
This checklist is built for compliance managers and executives who need to know, with confidence, whether their program covers the controls DDTC actually expects. Use it as a gap assessment tool, a program development roadmap, or an internal audit instrument. If your program cannot satisfy every item below, you have work to do before your next contract performance period begins.
For a deeper orientation before working through this list, our foundational ITAR guide for prime and sub-tier contractors covers the regulatory framework in plain language.
The 30 Controls Every ITAR Compliance Program Must Have
Registration and Jurisdictional Determination
- Active DDTC Registration. Your organization is registered with the Directorate of Defense Trade Controls and registration is current. Lapses in registration can halt export activities and trigger enforcement scrutiny.
- Commodity Jurisdiction Determinations on File. You have documented commodity jurisdiction (CJ) determinations or export control classification records for every product, component, and technology you manufacture or handle.
- USML Category Mapping. Each ITAR-controlled item is mapped to the correct United States Munitions List (USML) category, with that mapping reviewed any time a product changes or a new program begins.
Written Policies and Procedures
- Export Compliance Manual. A written, approved, and dated export compliance manual exists, is version-controlled, and is accessible to all relevant personnel.
- Technology Control Plan (TCP). A TCP is in place for any program involving foreign national access, research activities, or international collaboration. For guidance on what this document must contain, see our post on what a Technology Control Plan is and who needs one.
- Procedures for Identifying ITAR-Controlled Technical Data. Written procedures define how engineers, program managers, and contracts staff identify, mark, and handle technical data subject to ITAR controls.
- License Application and Management Procedures. You have documented procedures for determining when a license is required, applying for licenses, and managing approved licenses throughout their validity period.
Access Control and Physical Security
- Physical Access Controls for ITAR Areas. Restricted areas where ITAR-controlled hardware, data, or technical documents are stored or used are physically secured and access is limited to authorized personnel.
- Visitor Control System. A documented visitor management process requires all visitors to check in, sign a visitor log, and wear a visible badge that distinguishes their access level. Our overview of visitor badge requirements under ITAR and EAR explains what auditors look for in these programs. Facilities should use a dedicated ITAR-compliant visitor log book to document every entry consistently.
- ITAR-Designated Visitor Badges. Color-coded visitor badges are used to visually communicate access authorization at a glance. Red ITAR visitor badges are commonly used for restricted access, while green and blue variants signal different authorization tiers.
- Facility Signage. Lobbies, entrances, and restricted areas display signage informing visitors and employees of ITAR-controlled facility status and check-in requirements.
- Access Revocation Process. A documented process exists to immediately revoke physical and logical access for employees who depart, are reassigned, or lose authorization.
Foreign National Management
- Foreign National Screening Procedure. Before any foreign national employee, contractor, or visitor accesses ITAR-controlled items or technical data, a documented screening process is completed and recorded.
- Deemed Export Controls. Your program includes controls specifically addressing deemed exports — the release of ITAR-controlled technical data to foreign nationals on U.S. soil — not just physical export activities.
- Foreign National Access Log. Records of foreign national access to ITAR-controlled areas, hardware, and data are maintained and available for audit review.
Training and Awareness
- Initial ITAR Training for All Personnel. Every employee with any potential exposure to ITAR-controlled items or data completes documented ITAR awareness training at onboarding.
- Role-Specific ITAR Training. Engineers, contracts personnel, shipping staff, and managers who handle export functions receive role-specific training beyond general awareness.
- Annual ITAR Refresher Training. Training is repeated at least annually, with completion documented by employee name, date, and content covered.
- Training Records Retention. Training records are retained for a minimum of five years and are retrievable on short notice for audit purposes.
Technical Data and Cybersecurity Controls
- ITAR Data Identification and Labeling. All ITAR-controlled technical data — whether in digital or physical form — is clearly labeled in accordance with DDTC expectations. Our detailed post on proper labeling of ITAR documents and records outlines exactly what that marking must include.
- ITAR-Compliant Cloud Environment. Any cloud system used to store, process, or transmit ITAR-controlled technical data is hosted in a U.S.-jurisdiction environment that prevents unauthorized foreign national access. Microsoft Office 365 GCC High is the most widely used platform for this purpose.
- Data Loss Prevention (DLP) Controls. Technical controls are in place to detect and prevent unauthorized transmission of ITAR-controlled data via email, file sharing, or removable media.
- Access Control Matrix for Digital Systems. Role-based access controls limit who can view, modify, or export ITAR-controlled files within your document management and engineering systems.
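The access control matrix, the deemed export rule and the foreign national access log work as one decision: a role decides which actions are possible, an ITAR label decides whether the deemed export rule applies, and any release to a foreign national is permitted only under documented authorization and is logged. The following routine, added here as an example and not code from the original post, models that decision; the roles, labels, field names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-action matrix for ITAR-labelled files.
ROLE_ACTIONS = {
    "engineer": {"view", "modify"},
    "contracts": {"view"},
    "export_admin": {"view", "export"},
}

@dataclass
class Person:
    name: str
    role: str
    us_person: bool               # U.S. person under ITAR definitions
    tcp_authorized: bool = False  # covered by an approved TCP or license
    active: bool = True           # False once access has been revoked

@dataclass
class Document:
    doc_id: str
    label: str                    # e.g. "ITAR-CONTROLLED" or "UNCONTROLLED"

# Foreign national access log, kept for audit review (constructed in-memory store).
ACCESS_LOG: list = []

def decide_access(person: Person, doc: Document, action: str) -> tuple:
    """Return (allowed, reason); every foreign national request on
    ITAR-controlled data is logged whether it is allowed or denied."""
    if not person.active:
        return False, "access revoked"
    if action not in ROLE_ACTIONS.get(person.role, set()):
        return False, f"role '{person.role}' may not '{action}'"
    if doc.label != "ITAR-CONTROLLED":
        return True, "not ITAR-controlled"
    if not person.us_person:
        # Release to a foreign national on U.S. soil is a deemed export:
        # allowed only under a documented authorization, always logged.
        allowed = person.tcp_authorized
        ACCESS_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "person": person.name, "doc": doc.doc_id,
            "action": action, "allowed": allowed,
        })
        if allowed:
            return True, "foreign national authorized under TCP"
        return False, "deemed export blocked: no documented authorization"
    return True, "U.S. person with authorized role"
```
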
Recordkeeping and Document Retention
- Five-Year Export Transaction Records. All export transactions — including licenses, exemption justifications, shipping documents, and end-user statements — are retained for a minimum of five years.
- License Tracking Log. Active and expired licenses are tracked in a centralized log with expiration dates, authorized quantities, and transaction history.
- Exemption Usage Records. When ITAR exemptions are used in lieu of licenses, the basis for each exemption is documented at the time of the transaction — not reconstructed after the fact.
Subcontractor and Supply Chain Controls
- ITAR Flowdown in Subcontracts. Every subcontract and purchase order involving ITAR-controlled items or data includes explicit ITAR compliance obligations and flowdown provisions.
- Subcontractor Screening and Verification. Before sharing ITAR-controlled technical data with a subcontractor or supplier, you have verified their DDTC registration status and documented that verification.
Audit Readiness and Continuous Improvement
- Internal ITAR Audit Program. Your organization conducts periodic internal audits of ITAR compliance controls — at minimum annually — with findings documented and corrective actions tracked to closure.
- Voluntary Disclosure Process. A written procedure exists for identifying potential ITAR violations, escalating them internally, and determining whether a voluntary disclosure to DDTC is required.
- Designated Empowered Official (EO). A qualified Empowered Official is designated in writing, understands the legal obligations of the role, and has the authority to sign license applications and related compliance documents.
- Annual Program Review. The entire compliance program — policies, training, controls, and records — is reviewed at least annually against current regulatory requirements and any changes to your product portfolio or business activities.
Closing the Gaps Before DDTC Does
A checklist is only useful if you act on what it reveals. In our experience working with defense contractors across the aerospace and defense sector, the controls that most often come up short are visitor management, technical data labeling, deemed export procedures, and subcontractor flowdown. These are also the areas DDTC examiners go to first.
If your program has gaps in any of the 30 controls above, the time to close them is before an audit notice arrives — not after. Our ITAR and Export Controls Compliance services are specifically designed to help contractors build, assess, and mature their programs against current DDTC expectations. You can also accelerate your documentation readiness with our ITAR Compliance Documentation Toolkit, which gives compliance teams a structured starting point for the policies and records DDTC expects to see.
Build a Program That Holds Up Under Scrutiny
ITAR compliance for defense contractors is not a one-time project. It is an ongoing operational discipline that requires leadership commitment, trained personnel, enforced procedures, and documented evidence. Whether you are building your program from scratch or stress-testing one that has been in place for years, Cleared Systems has the expertise to help you close the gap between where you are and where DDTC expects you to be.
Ready to assess your current ITAR program or build one that can withstand regulatory scrutiny? Request a quote and let us show you exactly where your program stands.
