ITAR Subcontractor Screening: A 2026 Compliance Guide
If you supply parts, software, or services to a U.S. defense prime contractor, you are now expected to screen your own subcontractors and suppliers against U.S. restricted party lists — and document it. This is no longer a nice-to-have. It is a contractual obligation that flows down from the prime, and it is increasingly a focus of DDTC enforcement against small and mid-sized firms.
This guide explains what ITAR subcontractor screening actually means in practice, who has to do it, what lists to check, and how to keep an audit trail that will survive a prime contractor audit or a DDTC consent agreement.
Why subcontractor screening became a flow-down requirement
For decades, ITAR enforcement focused on the primes — Lockheed Martin, Raytheon, Boeing, Northrop Grumman. Since 1999, the U.S. Government has substantially increased action against organizations and individuals responsible for ITAR breaches, with the most notable being the $100M penalty against ITT for unauthorized retransfer of night vision technology to the PRC in 2007. Other major defense contractors penalized in recent years include Lockheed Martin, Motorola, Boeing, L-3 Communications, and Northrop Grumman.
Those cases changed how primes manage their supply chains. There is a major concern within the U.S. Government that, while large prime contractors have strong ITAR compliance, many mid-sized and small companies in the defense supply chain do not, and that this gap creates significant national security risks. The government's response was to push compliance obligations downward through contracts.
DOD now uses specialized clauses mandating that contractors comply with ITAR requirements and flow this requirement down to their subcontractors (see DFARS §225.79 and 252.225-7048), and has initiated ITAR enforcement cases targeted specifically at small and mid-sized companies. The result: prime contractors are worried that if their subcontractors commit ITAR violations, the prime can have liability. As a result, primes are establishing requirements that their subcontractors become ITAR-compliant, and requiring those subcontractors to impose similar requirements on their own suppliers. The prime will often ask for documentation from the subcontractors providing evidence that they have done this.
If you cannot produce that documentation on demand, you risk losing the contract.
Who has to screen
The short answer: every tier of the defense supply chain.
ITAR requirements "flow down" through the supply chain. This means subcontractors, vendors, and service providers that receive, process, or store ITAR-controlled data must also maintain compliance. ITAR's reach extends across the full defense and aerospace supply chain — from prime contractors to fifth-tier subcontractors.
You are almost certainly in scope if your company:
- Manufactures, modifies, or repairs any item on the U.S. Munitions List (USML)
- Provides defense services under ITAR Part 120
- Receives ITAR-controlled technical data from a customer — drawings, specs, source code, build instructions
- Holds a DoD contract or a subcontract with a defense prime
- Operates as a software, hosting, or managed services provider for any of the above
ITAR likely applies to you, even if you are not a prime contractor. Enforcement is no longer reactive. It is proactive.
What "screening" actually means under ITAR
ITAR subcontractor screening is the process of verifying that every party in your defense supply chain — and every foreign person who might gain access to controlled technical data — is not on a U.S. restricted, denied, or sanctioned party list before you ship, transmit, or grant access.
It has two halves:
1. Restricted party list screening
Before onboarding a subcontractor, supplier, or downstream customer, you must check them against the Consolidated Screening List (CSL) maintained by the U.S. government, plus DDTC's own debarred parties list. Conduct thorough screening of foreign customers, partners, and subcontractors to avoid unauthorized access to ITAR-controlled items or data.
At a minimum, screen against:
| List | Agency | What it covers |
|---|---|---|
| DDTC Debarred Parties | State Dept. | Parties barred from ITAR transactions |
| Entity List | BIS | Foreign parties presenting export risk |
| Denied Persons List | BIS | Parties stripped of export privileges |
| SDN List | OFAC | Sanctioned individuals and entities |
| Unverified List | BIS | Parties BIS could not verify in end-use checks |
| Nonproliferation Sanctions | State Dept. | WMD/missile proliferators |
2. Foreign person screening (deemed exports)
Sharing ITAR-controlled technical data with a foreign person inside the United States is considered an export. This includes employees, contractors, or visitors who are not U.S. persons. Compliance controls must account for physical access, digital access, and personnel screening.
This means your subcontractor screening must include verification of the nationality of the people at the subcontractor who will touch your data — not just the corporate entity itself. A subcontractor with non-U.S. person employees working on your drawings is a deemed export risk, and you cannot rely on the subcontractor's word alone.
The September 2025 USML revisions changed who is in scope
If you last reviewed your supply chain mapping before late 2025, you need to do it again. The September 2025 final rule amended 15 of 21 USML categories — marking the first time in years that DDTC has expanded the USML's coverage more than it reduced it. The revisions added newer technologies like advanced sensors, propulsion systems, and unmanned underwater vehicles while also removing outdated entries. Organizations need to carefully review whether their products have shifted into or out of ITAR jurisdiction as a result.
Products that were EAR-controlled last year may now sit on the USML. Subcontractors who never thought they touched ITAR data may now be receiving it. Existing DDTC licenses for transitioning items will remain valid for up to three years to allow industry time to adjust to the new regulatory environment — but the underlying compliance obligations apply immediately.
What primes are asking subcontractors to produce
In 2026, a defense prime onboarding a new supplier will typically ask for:
- DDTC registration confirmation — proof you are registered under ITAR Part 122 if you manufacture USML items. As of January 2025, annual DDTC registration starts at $3,000 and must be renewed 30–60 days before expiration.
- Written compliance program — a documented Internal Compliance Program (ICP) with an Empowered Official.
- Technology Control Plan (TCP) — written procedures for protecting controlled data.
- Screening records — evidence that you screen your own suppliers and that you re-screen on a defined cadence.
- Annual self-assessment — many prime contractors require subcontractor self-assessment documentation as a contract condition.
- Foreign person access logs — who at your facility has been authorized to access ITAR technical data and on what basis.
The screening records piece is where many sub-tier firms fall short. Spreadsheets and one-time checks at onboarding are not enough. Restricted party lists update weekly, and a supplier who was clean six months ago may be on the Entity List today.
How to build a defensible screening process
A workable subcontractor screening program for an ITAR-registered fabricator or service provider looks like this:
- Screen at onboarding. Every new supplier, sub-tier vendor, freight forwarder, and end customer gets checked against the CSL and the DDTC debarred list before the first PO is issued.
- Re-screen on a cadence. At minimum monthly for active suppliers; weekly is better. Save the timestamped result for each screen.
- Screen on every transaction. Before releasing controlled technical data or shipping a USML item, screen the receiving party again.
- Use fuzzy name matching. Sanctioned parties commonly use aliases, transliterations, and slight spelling variations. Exact-match searches miss real hits.
- Keep the audit trail. According to ITAR, exporters must keep detailed records for at least five years after a license expires or a transaction occurs — whichever is later. Your screening records are part of that.
- Document negative results too. A clean screen is evidence of due diligence. Without the record, you cannot prove the check happened.
The penalty picture
ITAR penalties are not theoretical, and they reach individuals as well as companies. Since June 2023, the State Department has been barring individuals convicted of violating the Arms Export Control Act from ITAR-related activities for a minimum of three years, adding personal liability to organizational risk.
For corporate violators, penalties typically involve a mandatory compliance component requiring the entity to spend funds on compliance measures, including the appointment of "Internal Special Compliance Officers." Penalties may also require the party to submit to external audit. In serious cases, a party may be debarred from future exporting for a period of time.
Debarment is the worst outcome for a defense subcontractor — it ends your ability to participate in the defense industrial base.
Bottom line
If you sit anywhere in a defense supply chain in 2026, you need a documented restricted party screening process that covers your subcontractors, your suppliers, and the foreign persons at those organizations. The flow-down clauses in your prime contracts already require it. The 2025 USML expansion has pulled in more companies than ever. And both DDTC and the primes are checking.
Don't wait for a contract audit or a consent agreement to find the gap.
Screen your first subcontractor free — takes 10 seconds
Related: ITAR Compliance for Small Manufacturers · EAR vs ITAR: Which Applies to You? · How to Screen Your Vendor List for Export Compliance