May 26, 2026

ITAR Fabrication Compliance: A 2026 Guide for Shops


If your machine shop cuts metal for a defense prime, you are inside the ITAR perimeter — whether or not your name is on the contract. The International Traffic in Arms Regulations flow down through every tier of the defense supply chain, and the penalties for getting it wrong now exceed $1.27 million per violation.

This guide breaks down what ITAR fabrication compliance actually requires in 2026: registration, technical data controls, U.S. persons rules, and the screening obligations that catch most small shops off guard.

What ITAR Covers — and Why Fabricators Are In Scope

ITAR compliance refers to adhering to the International Traffic in Arms Regulations, a set of U.S. government rules that control the export and handling of defense-related articles, services, and technical data. These rules are administered by the State Department's Directorate of Defense Trade Controls (DDTC) and are built around the U.S. Munitions List (USML) — a catalog of military items and related technical data that require strict protection.

Fabricators are squarely in scope. Any company that designs, develops, produces, or tests items listed on the USML must comply with ITAR. This includes everything from weapons systems to specialized components. CNC machining, sheet metal work, welding, and finishing all qualify as "manufacturing" under the regulation when the end item — or even an intermediate component — lives on the USML.

A common misconception: ITAR only applies if you ship overseas. It doesn't. Compliance extends well beyond physical shipments. Shared files, cloud storage access, collaboration tools, and AI prompts can all trigger unauthorized exports of controlled technical data. Emailing a CAD file to a foreign-national engineer sitting in your U.S. office is a "deemed export" — and it is the single most common ITAR violation in fabrication shops.

The Flow-Down Problem

ITAR obligations do not stop at the prime contractor. ITAR requirements "flow down" through the supply chain. This means subcontractors, vendors, and service providers that receive, process, or store ITAR-controlled data must also maintain compliance.

In practice, that means:

To qualify as an ITAR-registered defense and aircraft parts supplier, vendor and subcontractor selection must also be taken into account. These parties are just as subject to ITAR regulations. In the case of material sourcing, for example, ITAR manufacturers will rely on a network of vetted, domestic suppliers that can meet strict security, documentation, and traceability requirements. This satisfies the demand that all raw materials, components, and secondary processes also comply with ITAR requirements.

Step 1: DDTC Registration

Registration is the entry ticket. There is no such thing as an ITAR certification. Organizations are simply registered with the DDTC and must comply with ITAR regulations (CFR 22 190-200). ITAR DDTC registration currently costs $2,250 for manufacturers, with a similar annual renewal fee.

A few practical notes:

Step 2: U.S. Persons Access Controls

This is where most shops trip. ITAR access is restricted to U.S. persons as defined in §120.15, which primarily includes citizens, lawful permanent residents and qualifying U.S. organizations. Foreign nationals, including those on work visas, cannot access ITAR-controlled technical data or defense articles without specific authorization. This restriction applies to manufacturing activities such as CNC programming, machining operations and quality control procedures.

That means an H-1B engineer cannot open a controlled CAD file. A machinist on a green-card-pending status can — but a temporary visa holder cannot run the program on the floor. The shop needs a documented process to verify status before granting access to any USML-related job folder, network share, or physical work area.

Step 3: Technical Control Plan and Data Security

ITAR compliance requirements include DDTC registration for manufacturers of defense articles, implementation of Technical Control Plans documenting security procedures, restriction of access to U.S. persons only, encrypted storage and transmission of technical data, comprehensive record keeping for five years minimum and regular training for personnel handling controlled items. These requirements apply across defense manufacturing, including CNC machining, fabrication and assembly operations.

A Technical Control Plan (TCP) is a written document describing how your shop physically and digitally segregates ITAR work. At minimum it covers:

The 2026 enforcement environment has raised the bar, emphasizing cybersecurity compliance under DFARS 252.204-7012 alongside traditional ITAR requirements. Defense suppliers face increased scrutiny for technical data protection and foreign person access controls throughout their supply chains.

Step 4: Screen Every Party You Touch

This is the step most fab shops skip — and it's the one that triggers the largest penalties.

Before you ship a USML part, share a drawing, or quote a job, you must verify that the other party is not on a U.S. restricted party list. That includes the State Department's Debarred List, the Treasury Department's Specially Designated Nationals (SDN) list, and the Commerce Department's Entity List and Denied Persons List.

One of the explicit ITAR violations recognized by DDTC is Failure to Vet Other Parties: ITAR data must not be sent to parties that are barred from handling it.

Screening is not optional, and it is not a one-time event. SDN designations are added almost daily. OFAC applies a strict liability standard — if a prohibited transaction occurred, a civil penalty can be assessed even if the violator had no idea they were dealing with a sanctioned party.

A practical screening process for a fab shop looks like this:

  1. Screen every new customer at quote time.
  2. Screen every supplier and subcontractor before placing a PO.
  3. Screen every individual receiving controlled technical data (employees, contractors, visitors).
  4. Re-screen the entire database on a regular cadence — at minimum monthly.
  5. Keep a dated screening record for every party, every time.

Without an audit trail, you cannot prove you did the work — and DDTC and OFAC both treat the absence of records as evidence of negligence.
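An added example (not part of the original article, and not ScreenShield's code) of the five steps above: each party name is normalized, fuzzy-matched against list names and aliases, and given a dated record whether or not it hits. The list entries, list labels, party names, the 0.85 threshold and all function names are constructed for illustration; a real run would load the current government lists.

```python
import json
import re
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample entries (not real list data); load the current lists in practice.
RESTRICTED = [
    {"list": "SAMPLE-SDN", "name": "Orion Precision Trading LLC",
     "aliases": ["Orion Precision Trade Co"]},
    {"list": "SAMPLE-DEBARRED", "name": "Ivan Petrov Example",
     "aliases": ["I. Petrov Example"]},
]
SUFFIXES = {"llc", "inc", "ltd", "co", "corp", "company", "limited"}

def normalize(name):
    """Lowercase, drop punctuation and corporate suffixes, sort the tokens."""
    text = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace(".", ""))
    return " ".join(sorted(t for t in text.split() if t not in SUFFIXES))

def screen(party, role, threshold=0.85):
    """Return a dated record with every name or alias scoring >= threshold."""
    target, hits = normalize(party), []
    for entry in RESTRICTED:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, target, normalize(candidate)).ratio()
            if score >= threshold:
                hits.append({"list": entry["list"], "matched": candidate,
                             "score": round(score, 2)})
    return {"screened_at": datetime.now(timezone.utc).isoformat(),
            "party": party, "role": role, "hits": hits,
            "status": "HOLD_FOR_REVIEW" if hits else "CLEAR"}

def rescreen_all(parties, log_path=None):
    """Screen each (name, role); append one JSON line per party, hit or not."""
    records = [screen(name, role) for name, role in parties]
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.writelines(json.dumps(r) + "\n" for r in records)
    return records

if __name__ == "__main__":
    # Constructed party database: a customer, a supplier and a visitor.
    db = [("ORION PRECISION TRADNG, L.L.C.", "customer"),
          ("Midwest Plate & Weld Inc", "supplier"),
          ("Petrov, Ivan Example", "visitor")]
    for rec in rescreen_all(db):
        print(rec["status"], rec["party"], [h["matched"] for h in rec["hits"]])
```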

The Cost of Getting It Wrong

Penalties are not theoretical. ITAR violations carry severe consequences for manufacturers and individuals. Civil penalties can reach $1,271,078 per violation or twice the transaction value, whichever is greater. Criminal penalties include fines up to $1 million and imprisonment for up to 20 years. Companies may also face debarment from defense exporting.

The real risk for a small shop isn't the headline fine — it's debarment. Losing your ability to bid on defense work ends the business.

Voluntary Self-Disclosure

If you find a violation, disclose it. DDTC encourages voluntary self-disclosure of suspected violations, which can significantly reduce potential penalties or avoid them entirely. Recent OFAC enforcement actions reinforce the value of early disclosure: companies that disclosed before an investigation began consistently received steeper penalty reductions than those that disclosed after an inquiry was already open.

A Practical Compliance Stack for a Fab Shop

For a 20–200 person fabrication business, a workable ITAR program looks like:

Element | Tool / Process
Registration | Active DDTC registration, renewed annually
Technical Control Plan | Written TCP reviewed yearly
U.S. persons verification | I-9 review + documented citizenship check before USML access
Data security | Encrypted file shares, U.S.-only cloud, MFA, segregated networks
Restricted party screening | Automated screening of every customer, supplier, and employee against the Consolidated Screening List + SDN
Training | Annual ITAR training with attendance records
Records | Five-year retention on every export document and screening result

The screening piece is where most small shops are weakest — and where a tool that automates the work pays for itself the first time a sanctioned name appears in your quote queue.

Where ScreenShield Fits

ScreenShield handles the restricted party screening leg of ITAR fabrication compliance. Every customer, supplier, and employee gets checked against the Consolidated Screening List — including the State Department Debarred List, BIS Entity List, and OFAC SDN list — with fuzzy name matching, alias coverage, and a dated audit trail you can hand to a DDTC auditor.
