How to Verify ITAR Compliance: 10-Step Supplier Checklist

How to Verify a Supplier Is Truly ITAR Compliant

Last updated: April 18, 2026

Key Takeaways

  • ITAR violations carry severe penalties up to $1,271,078 per incident or twice the transaction value, as seen in RTX’s $200M and Raytheon’s $950M settlements.
  • Procurement teams can verify suppliers using a 10-step checklist that begins with DDTC registration search, certificate validation, and U.S. persons screening through I-9 procedures.
  • Key red flags include expired registrations, inadequate security infrastructure, past violations on SAM.gov, and missing flow-down requirements to subcontractors.
  • Common violations involve unauthorized foreign access, poor record-keeping, and weak cybersecurity. On-site audits and mock tests provide practical assurance.
  • Choose Precision Advanced Manufacturing, an ITAR-registered, AS9100D-certified partner for compliant aerospace components, and request a quote today.

Core ITAR Concepts You Need Before Using the Checklist

This verification process targets procurement and supply chain professionals managing aerospace and defense programs. Before using the 10-step checklist, you need to understand four key terms that appear throughout the verification process: DDTC (Directorate of Defense Trade Controls), U.S. persons (citizens and green card holders verified through I-9 documentation), flow-down requirements, and Compliance Management Programs (CMP). ITAR restricts access to USML items to U.S. persons, prohibiting foreign persons from access unless otherwise authorized. These concepts form the foundation of every verification step you will perform, because unauthorized access by non-U.S. persons constitutes deemed exports that require DDTC authorization.

How to Verify a Supplier Is ITAR Compliant in 10 Steps

Step 1: Check DDTC Registration
Search the DDTC directory by company name or DUNS number. Verify active registration status and expiration dates. Treat expired registrations, mismatched company names, or absence from the official directory as immediate red flags.

Step 2: Request and Verify ITAR Certificate
Obtain the supplier’s DS-2032 registration certificate and cross-reference details with DDTC records. Check for watermarks, official formatting, and registration numbers that match the directory listing. Swiss Automation Inc. agreed to pay $421,234 to resolve alleged False Claims Act violations relating to its failure to provide adequate cybersecurity for certain drawings of parts that the company machined and supplied to Department of Defense prime contractors, which shows how missing or weak controls can escalate quickly.

Step 3: Confirm U.S. Persons Policy
Under ITAR, every person who may have access to ITAR-controlled technical data must be screened to determine their citizenship or immigration status at the point of hire. To verify that the supplier follows this rule, request sample I-9 documentation procedures and employee training records. Verification of lawful permanent resident status requires employers to confirm the I-551 green card was current at the time access was granted, since expired cards invalidate U.S. person status.

Step 4: Review the Compliance Management Program
Examine written policies that cover data security, incident reporting, and violation disclosure procedures. Confirm that responsibilities, escalation paths, and training requirements are clearly documented. An effective ITAR compliance program must include comprehensive written policies, procedures, responsibilities, and escalation paths, not just informal practices.

Step 5: Search Violation History
Conduct FOIA requests with DDTC and check SAM.gov for debarment records. Review public enforcement actions and settlement announcements that involve the supplier or its key principals. Department of Defense matters accounted for significant amounts in FCA settlements and judgments in fiscal year 2025, which underscores the enforcement pressure on defense contractors.

Step 6: Audit Security Infrastructure
Verify physical security measures, including perimeter fencing, access controls, and visitor management. These physical controls must align with equally robust cybersecurity protections, because ITAR-compliant systems rely on both layers of defense. Pay close attention to cloud storage restrictions and foreign access prevention measures, since these digital vulnerabilities frequently cause audit failures.

Step 7: Verify Employee Screening Procedures
As established in Step 3, ITAR requires citizenship screening at the point of hire for anyone with access to controlled technical data. Under 22 CFR 120.15, ITAR defines U.S. persons, and suppliers must align their screening criteria with this definition. Review citizenship verification processes and documentation retention practices to confirm that screening occurs consistently and records remain available for audits.

Step 8: Inspect Flow-Down Requirements
Confirm that ITAR compliance clauses appear in subcontractor agreements and purchase orders. Verify that these clauses clearly state registration, access control, and reporting obligations for every downstream supplier. AS9100 Rev D requires that quality, safety, and regulatory requirements, including ITAR compliance, are passed down the aerospace supply chain, so missing clauses indicate a serious gap.

Step 9: Conduct an On-Site Audit
Perform facility inspections using standardized checklists that cover marking procedures, access logs, and segregation controls. Confirm that controlled technical data is clearly labeled and stored in restricted areas. ITAR regulations require aerospace and defense facilities to maintain detailed records of all facility access for audit purposes, so verify that these logs are complete and accurate.

Step 10: Execute Mock Scenario Testing
Test supplier responses to dummy technical data handling scenarios to confirm that written procedures work in practice. Evaluate incident response protocols and documentation practices during these simulations, and record any gaps that require corrective action.

Use the following checklist to track your verification progress across the four most critical compliance dimensions, and confirm that each one passes before approving a supplier:

| Step | Evidence Needed | Red Flags | Pass/Fail |
|---|---|---|---|
| DDTC Registration | Active DS-2032 certificate | Expired/missing registration | |
| U.S. Persons Policy | I-9 procedures, training records | No screening documentation | |
| Security Infrastructure | Robust cybersecurity protocols | Foreign cloud storage | |
| Violation History | Clean DDTC/SAM records | Past enforcement actions | |

Patterns in Common ITAR Violations

The most common ITAR violations include unlicensed exports, manufacturing violations, security measure violations, and foreign national access violations. Common violations also include the unauthorized export of technical data through sharing it with foreign nationals, inadequate record-keeping, and lack of employee training. Recent enforcement examples include Precision Castparts Corp. settling for $3 million after foreign national employees accessed controlled technical data, which illustrates how access control failures quickly become export violations.

How to Check If a Company Is ITAR Registered

Verify ITAR registration through the official DDTC public database search function. Cross-reference company names, DUNS numbers, and registration details to confirm a precise match. Organizations manufacturing, exporting, brokering, or storing defense articles listed on the USML must register with the DDTC. Registration status must be current and match the supplier’s legal business name exactly, including punctuation and corporate suffixes.

ITAR Requirements for Employees

Under 22 CFR § 120.62, a lawful permanent resident qualifies as a U.S. person under ITAR and can access ITAR-controlled technical data without an export license. Temporary visa holders, including H-1B, L-1, F-1/OPT, J-1, TN, O-1, and all other non-immigrant visa holders, are foreign persons subject to full deemed export controls. Employers must maintain documentation that supports these determinations and store it in line with ITAR record-keeping requirements.

Who Audits ITAR Compliance?

ITAR compliance involves both self-auditing by registered organizations and government oversight by DDTC and the Defense Threat Reduction Agency (DTRA). Regular internal audits are essential to review export control processes, employee access permissions, document management, and security protocols. Government audits may be triggered by violations, complaints, or routine compliance reviews, so suppliers must treat internal audits as preparation for external scrutiny.

Common Challenges and ITAR Red Flags

Suppliers often struggle with three distinct compliance challenges, and each one requires a different verification approach. The first involves outdated regulations, where suppliers follow superseded guidance and miss newer requirements. The second involves non-U.S. cloud storage solutions, where multi-tenant public cloud platforms risk cross-contamination of ITAR-regulated technical data, and unmanaged Generative AI platforms can inadvertently process ITAR-sensitive content. The third involves counterfeit documentation, where suppliers present falsified certificates that appear legitimate at first glance.

Red flags across these areas include missing registration numbers, vague compliance statements, and reluctance to provide documentation. Effective mitigation strategies include using downloadable verification checklists, requiring annual compliance updates, and validating certificates directly against DDTC and certification body records.

Why Choose Precision Advanced Manufacturing

Precision Advanced Manufacturing operates as an ITAR-registered supplier with AS9100D and ISO 9001 certifications, providing multi-axis CNC machining and precision fabrication for aerospace, defense, and space applications. Our proven compliance framework reduces program delays and lowers supply chain risk through complete traceability and documentation. With certified quality management systems and established procedures for handling controlled technical data, we deliver mission-critical components that meet stringent regulatory requirements. Partner with us to eliminate compliance risks and get a custom quote for your program.

Frequently Asked Questions

The 10-step verification process explains how to verify a supplier, but procurement teams still face practical questions about timing, scope, and risk. The following questions address the most common gaps that appear when organizations apply this checklist in real programs.

How often should suppliers be re-verified for ITAR compliance?

Aerospace suppliers should be requalified every 1 to 3 years or immediately after triggers such as certification lapses, major process changes, extended inactivity periods, or significant quality issues. Annual verification works best for high-risk suppliers handling critical defense articles, while lower-risk suppliers may be verified every two to three years. Continuous monitoring should include quarterly compliance updates and immediate notification of any changes in registration status, ownership, or key personnel.

What are the actual costs of ITAR non-compliance for contractors?

ITAR non-compliance costs extend far beyond monetary penalties. Civil fines can reach $1,271,078 per violation, with potential doubling for high-value transactions, while criminal penalties include up to $1,000,000 in fines and 20 years' imprisonment for willful violations. Additional costs include contract termination, debarment from government programs, legal fees, remediation expenses, and reputational damage that can permanently affect business relationships. Program delays and rework expenses often exceed the initial penalty amounts.

Do ITAR requirements apply to all subcontractors in the supply chain?

ITAR compliance requirements apply to the entire supply chain when defense articles or technical data are involved. Prime contractors must ensure that all subcontractors, vendors, and suppliers handling ITAR-controlled items maintain proper registration, implement adequate security measures, and restrict access to authorized U.S. persons. This includes suppliers providing raw materials, components, manufacturing services, or any support activities that involve exposure to controlled technical data or defense articles.

What cybersecurity requirements apply to ITAR-controlled data in 2026?

Current cybersecurity requirements for ITAR-controlled data include FIPS 140-2 or 140-3 validated encryption, multi-factor authentication, U.S.-based data storage, and comprehensive audit logging. Organizations must implement DFARS 252.204-7012 cybersecurity controls when handling Controlled Unclassified Information, which includes export-controlled technical data. Cloud solutions must guarantee U.S. data sovereignty through FedRAMP-authorized government cloud regions or private clouds with proper personnel screening and encryption key control.

Can suppliers use foreign-manufactured components in ITAR-controlled products?

Suppliers may use foreign-manufactured components in ITAR-controlled products only with proper export authorization and licensing. They must verify that any foreign-sourced materials, components, or subassemblies comply with ITAR export licensing requirements and do not violate prohibited destination restrictions. This verification requires careful documentation of component origins, export licenses, and compliance with any applicable exemptions or authorizations. The use of foreign components must be disclosed and approved by the prime contractor and end customer.

Conclusion

Verifying supplier ITAR compliance requires systematic execution of these 10 verification steps, from DDTC registration confirmation through mock scenario testing. Incomplete verification exposes programs to million-dollar penalties, schedule slips, and potential contract termination. Procurement professionals need to verify rigorously and select suppliers with proven compliance track records. Precision Advanced Manufacturing’s ITAR-registered operations, combined with AS9100D and ISO 9001 certifications, provide the verified compliance foundation your critical programs demand. Start your supplier verification with a partner that already meets these standards and request your quote now.