ITAR certification is not a formal credential issued by a government agency — it is an informal term manufacturers use to describe the combination of DDTC registration, compliance program implementation, and documented controls required under the International Traffic in Arms Regulations. If your shop manufactures, exports, or handles technical data related to items on the United States Munitions List, ITAR compliance is a legal requirement, not an optional designation.
A customer sends over a new supplier questionnaire. One section asks whether your facility is ITAR compliant.
You have heard the term before. You know it has something to do with defense exports. But no one has ever walked you through exactly what compliance means for a precision machining shop in the middle of the country that has never shipped anything overseas.
Here is what most small manufacturers in the defense supply chain need to understand: ITAR does not only apply to companies that export hardware to foreign governments. It applies to any company that manufactures, handles, or stores items — or the technical data describing those items — that appear on the USML. That includes a significant number of domestic-only subcontractors who have never thought of themselves as exporters.
The International Traffic in Arms Regulations are administered by the State Department’s Directorate of Defense Trade Controls. ITAR controls the export and import of defense articles, defense services, and related technical data as defined by the United States Munitions List.
The USML is a list of categories covering military and defense items — from firearms and ammunition to aircraft, vessels, spacecraft, electronics, and the technical data associated with each. If a component your shop machines is specifically designed or modified for a military application and appears on the USML, ITAR likely applies to your work.
What catches small manufacturers off guard is the technical data piece. ITAR does not just govern physical items. It governs the drawings, specifications, software, and other technical information that describe how to produce those items. Sending a CAD file or engineering drawing related to a USML item to a foreign national — including a foreign national employee working inside your facility in the United States — can constitute an ITAR-controlled export.
This distinction matters and is worth stating plainly.
There is no ITAR certification issued by the government. The term “ITAR certified” is used widely in the defense supply chain, but what it typically refers to is one of two things: either DDTC registration, which is a formal legal requirement for manufacturers and exporters of defense articles, or an internal compliance posture — the policies, training, access controls, and documentation a company has in place to meet ITAR requirements.
DDTC registration is required by 22 CFR Part 122 for any person who manufactures or exports defense articles. Registration is done through the DDTC Public Portal. It is not a one-time event — registrations must be renewed annually and require an authorized official at the company to certify compliance.
When a prime contractor or customer asks if your shop is “ITAR certified,” they are typically asking whether you are DDTC-registered and whether you have a functioning compliance program. Both matter. Registration without compliance controls is a legal liability. Compliance controls without registration are incomplete.
ITAR compliance for a small manufacturer is not a single document or a checkbox. It is an ongoing set of controls that govern how your facility handles defense articles and technical data.
At minimum, a functional ITAR compliance program covers:
Any manufacturer of USML items must register with DDTC before manufacturing begins. Registration requires identifying an Empowered Official — a U.S. person with authority to bind the company on export matters and sign license applications.
You need to know which of your parts and products are subject to ITAR. This requires reviewing your product line against the USML categories (22 CFR Parts 120–129) and making a documented jurisdiction determination. Items that are not specifically designed or modified for defense application may fall under the Export Administration Regulations instead.
ITAR requires that technical data and defense articles be accessible only to U.S. persons unless an export license or other DDTC authorization covers foreign person access. This applies to your employees, contractors, and vendors. Giving a foreign national working in your facility access to ITAR-controlled drawings is an export under the regulations.
Any actual export of defense articles or technical data — including electronic transmission of files, temporary exports for repair, or physical shipments — requires either a DDTC export license or an applicable exemption. License applications are submitted through the DDTC Public Portal.
ITAR requires that employees who handle controlled items or data understand their obligations. Documented training records and written policies are standard compliance requirements. ITAR also requires that records of export transactions be maintained for five years.
This comes up regularly with defense subcontractors, and the confusion is understandable.
ITAR and CMMC are both defense compliance frameworks, but they govern different things. ITAR — administered by the State Department — controls the export of defense articles and technical data on the USML. CMMC compliance — administered by the Department of Defense — governs cybersecurity controls for contractors who handle controlled unclassified information under DoD contracts.
A shop can be subject to both, either, or neither, depending on what it makes and what data it handles. A manufacturer that machines USML-controlled components and also handles CUI under a DoD contract is subject to both regimes. Understanding which framework applies — and which parts of your operations each governs — is a threshold question that should be answered before building either compliance program.
ITAR violations are not administrative oversights. They are federal violations that can carry significant consequences.
Civil penalties under ITAR can reach $1,271,078 per violation under 22 CFR § 127.10. Criminal penalties for willful violations can reach $1 million per violation and up to ten years' imprisonment. Beyond the financial exposure, a violation can result in loss of export privileges, which for a manufacturer in the defense supply chain effectively means loss of the ability to do business.
Enforcement is real. The State Department has pursued major consent agreements against companies of all sizes. In 2024, RTX Corporation settled 750 ITAR violations for $200 million. A 2023 settlement with 3D Systems Corporation reached $20 million. These are large-company cases, but the regulatory framework that produces them applies equally to small manufacturers — the penalties simply scale with the violation.
The more common risk for a small manufacturer is not a willful export to a proscribed country. It is a miscategorized part, a foreign national employee with unmanaged access to controlled technical data, or a file sent electronically without recognizing it was an export. These are compliance failures, not criminal intent — but ITAR does not require intent for civil liability.
For most small manufacturers, the process of becoming ITAR compliant follows a practical sequence.
Start with jurisdiction and classification. Determine which of your products and technical data are subject to ITAR. This requires a review of the USML categories and, for ambiguous items, potentially a commodity jurisdiction request to DDTC. Do not assume — a wrong classification in either direction creates problems.
Register with DDTC if required. Registration is done through the DDTC Public Portal. Identify your Empowered Official before registering.
Build the program around your actual operations. A compliance program that exists in a binder on a shelf is not a compliance program. Access controls need to match how your facility actually works. Training needs to reach the people who actually handle controlled data. Recordkeeping needs to be maintained consistently, not reconstructed after the fact.
Get outside help for complex questions. Export control law is a specialized legal discipline. Jurisdiction determinations on borderline items, license applications for complicated transactions, and questions about foreign person access all benefit from a qualified export compliance professional. For a small shop, this does not mean retaining a full-time compliance officer — it means having a resource to call when classification or licensing questions arise.
Right Hand Technology Group works with manufacturers in the defense industrial base to address the IT and cybersecurity requirements that run alongside ITAR and CMMC compliance — including access controls, network segmentation, and data protection for ITAR-controlled technical information. If you want to understand where your current setup stands, schedule a free consultation with our team — and walk away with a clear picture of what needs attention.
No. The DDTC requires registration and compliance — not certification. No government agency issues an official ITAR certificate to manufacturers.
Any U.S. manufacturer or exporter of USML-listed defense articles must register with DDTC before manufacturing or exporting begins.
The USML is a 21-category list of defense articles, services, and technical data controlled under ITAR regulations.
Civil penalties reach $1.27M per violation. Criminal penalties include $1M fines and up to 10 years imprisonment.
ITAR controls defense data exports. CMMC governs cybersecurity for DoD contractors. Both can apply simultaneously to the same manufacturer.