I hear some version of this statement in nearly every initial consultation with a small manufacturer: "We're just a machine shop. We make parts. We're not a defense contractor."
It's an understandable assumption — and it's almost always wrong.
The International Traffic in Arms Regulations (ITAR), administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC), does not care how you think of your business. What matters is what you make, what technical data you handle, and who you work with. If any of those touch the U.S. Munitions List (USML), you are in the ITAR ecosystem whether you registered for it or not.
Over my 8+ years advising manufacturers on export control compliance, I've watched small shops face six-figure civil penalties, lost contracts, and in the worst cases, criminal referrals — not because they were bad actors, but because no one ever told them the rules applied to them. This guide exists to change that.
What Is ITAR, and Why Does It Reach So Far?
ITAR implements the Arms Export Control Act (AECA), 22 U.S.C. § 2778, and establishes controls over the export and temporary import of defense articles, defense services, and related technical data. The regulations are codified at 22 C.F.R. §§ 120–130.
The critical phrase most small manufacturers miss is in 22 C.F.R. § 120.6: ITAR defines "defense articles" as any item or technical data designated on the USML. The USML covers 21 categories, from firearms and ammunition to military aircraft, naval vessels, spacecraft, and directed-energy weapons. But here's what catches shops off guard: the USML also covers parts, components, accessories, and attachments specifically designed or modified for a defense article.
You don't have to build the weapon system. You just have to make a part for it.
The Three Scenarios Where Small Shops Get Exposed
Scenario 1: The Subcontractor Assumption
Your shop gets a purchase order from a Tier 1 or Tier 2 defense prime to machine aluminum housings for a fire control system. The print says "ITAR controlled." You sign the quality agreement without reading it carefully, machine the parts, and ship them. You never export anything. You never deal with a foreign national.
Except that new hire you brought on last month — the one with the green card — just ran the CNC program for that job.
Under 22 C.F.R. § 120.17, a "deemed export" occurs when you disclose or transfer technical data to a foreign national inside the United States. ITAR does not require you to physically ship something overseas for an export violation to occur. Sharing a drawing, a CNC program, or even a process specification with a non-U.S. person can constitute an unlicensed export of controlled technical data.
Scenario 2: The "We Don't Know What We Don't Know" Problem
Many small manufacturers have never conducted a formal commodity jurisdiction review or an Export Control Classification Number (ECCN) analysis. They take on work because a customer asks them to, they're good at it, and it pays. Over time, they accumulate a library of ITAR-controlled drawings and technical data without any formal tracking, access controls, or registration with DDTC.
According to DDTC enforcement data, a significant portion of voluntary disclosures come from companies that discovered historical ITAR violations years after the fact — often during a merger, acquisition due diligence, or audit by a new prime contractor.
Scenario 3: The International Customer
A manufacturer in Germany or Canada reaches out. They found you through a trade directory. They need precision-machined components that you produce regularly for domestic customers. The part looks the same. The material is the same. You quote it, they order it, and you ship it.
If that part is a USML item — even a commercial-looking one — shipping it to a foreign customer without a DDTC-issued export license is a federal crime. Civil penalties under 22 U.S.C. § 2778(c) can reach $1,308,333 per violation (adjusted for inflation). Criminal penalties can reach $1 million per violation and 20 years imprisonment.
ITAR Registration: The Obligation Most Small Shops Don't Know Exists
Any U.S. person who manufactures, exports, or temporarily imports a defense article is required to register with DDTC under 22 C.F.R. § 122.1. Registration is not a license. It does not authorize you to export anything. It is simply the baseline legal obligation for being in the defense manufacturing supply chain.
Registration fees as of 2024 range from $2,250 to $2,750 per year depending on whether you are engaged in exporting. Failure to register when required is itself a violation — independent of whether any actual export occurred.
I routinely encounter machine shops that have been making ITAR parts for 5–10 years without ever registering. In every case, they had no idea the requirement existed.
What Parts and Data Are Actually Controlled? Understanding the USML
The USML categories most relevant to precision manufacturers include:
| USML Category | Description | Example Parts a Machine Shop Might Make |
|---|---|---|
| Category I | Firearms and close assault weapons | Barrel blanks, bolt carriers, fire control components |
| Category II | Guns and armament | Breech mechanisms, recoil systems, mount components |
| Category IV | Launch vehicles, guided missiles | Structural airframe components, nozzle assemblies |
| Category VI | Vessels of war | Propulsion system components, hull fittings |
| Category VIII | Military aircraft | Engine mounts, actuator housings, landing gear parts |
| Category XI | Military electronics | Electronic enclosures, waveguide components |
| Category XV | Spacecraft | Satellite bus components, propulsion brackets |
| Category XVI | Nuclear weapons | Classified — significant controls apply |
| Category XIX | Gas turbine engines | Turbine blade blanks, combustor components |
The 2013 Export Control Reform (ECR) initiative moved many items from the USML to the Commerce Control List (CCL), which is governed by the Export Administration Regulations (EAR) rather than ITAR. However, items remaining on the USML are generally those with predominant military utility — and that still covers a substantial portion of what precision machine shops produce for defense customers.
The Deemed Export Problem for Small Manufacturers
Of all the ITAR concepts that catch small manufacturers off guard, the deemed export rule is the one most likely to create a real violation in a typical shop environment.
Under 22 C.F.R. § 120.17(a)(2), releasing technical data to a foreign national — regardless of that person's location — is treated as an export to the person's country of citizenship or permanent residency. This means:
- A foreign national machinist who reads a controlled print = potential deemed export
- A foreign national engineer who reviews a process specification = potential deemed export
- A foreign national owner or manager who has access to controlled drawings in your ERP system = potential deemed export
The deemed export rule applies to lawful permanent residents (green card holders) of specific countries of concern. It does not apply to U.S. citizens or U.S. nationals, regardless of national origin.
In a manufacturing environment where workforce diversity is common and skilled machinists are recruited internationally, this is one of the highest-risk areas for unintentional violations.
Five Signs Your Shop Has an Unaddressed ITAR Exposure
-
You've signed a quality agreement or purchase order that mentions ITAR, but you've never registered with DDTC. The customer contractually told you the parts are controlled — that's constructive notice.
-
You have foreign national employees with access to all drawings in your shared drive or ERP system, without any review of which data is ITAR-controlled.
-
You've quoted or sold parts to Canadian customers without a license, assuming Canada is exempt. (Export to Canada for certain ITAR items requires a license or license exemption — the exemptions are specific and have conditions.)
-
You've never conducted a commodity jurisdiction or export classification review on your product lines, even though you serve defense customers.
-
Your quality manual mentions AS9100 or Nadcap but says nothing about export control. If you're serving the aerospace and defense supply chain, export control should be integrated into your QMS.
What ITAR Compliance Actually Requires for a Small Manufacturer
Compliance doesn't have to be overwhelming, but it does have to be intentional. Here's what a baseline ITAR compliance program looks like for a small manufacturer:
Step 1: DDTC Registration
If you manufacture, export, or temporarily import defense articles, register with DDTC at pm-ddtc.state.gov. This is your legal baseline.
Step 2: Product Classification Review
Review your part families against the USML and CCL. Determine which items are ITAR-controlled, EAR-controlled, or EAR99. This is often done with the help of a qualified export control consultant and may involve filing a formal Commodity Jurisdiction (CJ) request with DDTC.
Step 3: Technical Data Controls
Establish procedures to identify, mark, and restrict access to ITAR-controlled technical data. This includes physical drawings, electronic files, CNC programs, inspection records, and process specifications.
Step 4: Deemed Export Screening
Review your workforce for foreign nationals. Determine which positions involve access to ITAR-controlled data. Implement access controls or obtain appropriate licenses or exemptions.
Step 5: Technology Control Plan (TCP)
Develop a written Technology Control Plan that documents your export control policies, procedures, responsible personnel, training requirements, and recordkeeping practices. Many prime contractors now require a TCP as a supplier qualification prerequisite.
Step 6: Employee Training
Train all employees who handle controlled data or parts on ITAR basics: what is controlled, what constitutes a violation, and how to report concerns.
Step 7: Recordkeeping
ITAR requires records of exports and related transactions to be maintained for five years under 22 C.F.R. § 122.5. Establish a compliant recordkeeping system.
The Cost of Non-Compliance vs. the Cost of Compliance
One of the most common objections I hear from small manufacturers is cost. "We're a 15-person shop. We can't afford a compliance program."
Here's the business case:
| Cost Category | Compliance Investment | Non-Compliance Consequence |
|---|---|---|
| DDTC Registration | $2,250–$2,750/year | $1.3M+ per violation (civil) |
| Initial compliance assessment | $3,000–$8,000 (one-time) | Criminal referral risk |
| Technology Control Plan development | $2,500–$6,000 (one-time) | Contract termination by prime |
| Annual compliance maintenance | $1,500–$4,000/year | Debarment from defense contracting |
| Employee training | $500–$2,000/year | Reputational damage, lost business |
| Total Year 1 investment | ~$10,000–$20,000 | Potentially company-ending exposure |
These figures are general ranges based on my consulting experience with small manufacturers. Actual costs vary based on complexity, number of controlled product lines, and workforce composition. Every shop I've worked with has found that the cost of compliance is a fraction of what a single enforcement action would cost — even a minor one.
Voluntary Disclosure: Your Best Option If You've Already Violated ITAR
If you read this article and realize your shop has been operating in violation of ITAR — don't panic, but do act.
DDTC has a voluntary disclosure process outlined in 22 C.F.R. § 127.12. Companies that proactively disclose violations, cooperate with the investigation, and implement corrective actions consistently receive more favorable treatment than those caught through external reporting or investigation. Penalty mitigation of 50% or more is common for good-faith disclosures.
The worst thing you can do is nothing. Continuing to operate with known violations compounds liability and eliminates the goodwill that voluntary disclosure creates.
Citation Hook Statements
"Any U.S. manufacturer that produces parts specifically designed or modified for a defense article listed on the USML is subject to ITAR, regardless of company size, revenue, or primary market focus."
"Sharing ITAR-controlled technical data — including CNC programs, engineering drawings, or process specifications — with a foreign national inside the United States constitutes a 'deemed export' under 22 C.F.R. § 120.17 and may require prior DDTC authorization."
"DDTC civil penalties for unauthorized exports of defense articles can reach $1,308,333 per violation, and criminal penalties under 22 U.S.C. § 2778(c) can reach $1 million per violation and 20 years imprisonment."
How Certify Consulting Helps Small Manufacturers Get Compliant
At Certify Consulting, I've built a practice specifically around helping small and mid-sized manufacturers navigate ITAR and export control compliance without the overhead of a large consulting firm. With 200+ clients served and a 100% first-time audit pass rate, my team knows how to right-size a compliance program for a 10-person machine shop as efficiently as for a 200-person contract manufacturer.
Services I provide to small manufacturers include:
- DDTC registration support
- ITAR gap assessments and compliance audits
- Export classification reviews (USML/CCL analysis)
- Technology Control Plan (TCP) development
- Deemed export workforce screening support
- Voluntary disclosure preparation and submission
- Ongoing compliance retainer programs
If you're uncertain whether ITAR applies to your operation, the right answer is to find out before your prime contractor, DDTC, or a disgruntled employee makes the determination for you.
Schedule an ITAR compliance assessment or explore our ITAR compliance resources for manufacturers to get started.
Frequently Asked Questions
Does ITAR apply to my shop if I only make parts domestically and never export anything?
Yes, potentially. ITAR applies to the manufacture of defense articles and the handling of controlled technical data — not just physical exports. If your employees access ITAR-controlled drawings or CNC programs, and any of those employees are foreign nationals, a "deemed export" may occur even if nothing leaves the country. Additionally, DDTC registration is required for manufacturers of defense articles regardless of whether they export.
How do I know if the parts I make are on the USML?
Start by reviewing the USML categories at 22 C.F.R. Part 121. If your parts are specifically designed or modified for a military system, there's a reasonable probability they're USML-controlled. If you're uncertain, you can request a formal Commodity Jurisdiction (CJ) determination from DDTC, or work with an export control consultant to analyze your product lines against the USML and CCL.
My customer said the parts are ITAR. Does that mean I have to register with DDTC?
If your customer has designated the parts as ITAR-controlled, and you are manufacturing those parts, then yes — registration with DDTC is almost certainly required under 22 C.F.R. § 122.1. A customer's designation is strong evidence that the item meets the USML threshold. Registration is the legal baseline; it does not authorize exports but does establish your compliance standing.
Can I hire a foreign national machinist if I do ITAR work?
Yes, but with important conditions. Foreign nationals (including green card holders) who will access ITAR-controlled technical data must be screened under the deemed export rules. Depending on the individual's country of citizenship and the nature of the controlled data, you may need a DDTC export license or may be able to rely on a specific exemption. Access controls must be in place for all ITAR data, regardless of employee citizenship.
What is the difference between ITAR and EAR, and does it matter for my shop?
ITAR (22 C.F.R. §§ 120–130, administered by State/DDTC) controls defense articles and services on the U.S. Munitions List. EAR (15 C.F.R. §§ 730–774, administered by Commerce/BIS) controls dual-use items on the Commerce Control List. ITAR is generally more restrictive. For a machine shop, the distinction matters because the licensing requirements, exemptions, and penalty structures differ between the two regimes. Many shops that believed they were EAR-only have discovered, upon proper classification review, that some product lines are actually ITAR-controlled.
Last updated: 2026-03-05
Jared Clark is the principal consultant at Certify Consulting and founder of itarconsultant.us. He holds a JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC, and has advised 200+ clients on ITAR, EAR, and quality management compliance. This article is for informational purposes only and does not constitute legal advice.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.