🛡️ ITAR
ITAR-Registered 3D Printing: Sourcing Additive Suppliers for Defense-Controlled Parts
When a 3D printed part falls on the U.S. Munitions List, the controlling factor is not the machine in the shop but who can legally see the build file. ITAR governs defense articles and the technical data behind them, and additive manufacturing concentrates that data into a single transmissible CAD file, which is precisely the thing the regulation cares about. This page explains what ITAR registration actually means for an additive supplier, where the common confusion lies, and how to source without creating a violation.
ITARAS9100ISO 9001
What ITAR Registration Is, and What It Is Not
ITAR, the International Traffic in Arms Regulations, is administered by the U.S. State Department's Directorate of Defense Trade Controls (DDTC) under 22 CFR Parts 120 to 130. A manufacturer or exporter of defense articles or defense services must register with DDTC, and that registration is what people mean when they say a shop is 'ITAR registered.' It is important to be precise: ITAR registration is not a certification, not a quality credential, and not an audit-based accreditation like NADCAP or AS9100. There is no DDTC inspector who grades the shop's processes. Registration is essentially a notification and a fee that establishes the company is known to DDTC and accepts the obligations of handling controlled articles and data.
What ITAR actually demands is compliance behavior: controlling access to ITAR-controlled technical data so that no unauthorized foreign person sees it, whether in the U.S. or abroad; obtaining the proper authorizations (licenses or exemptions) before any export, which includes a 'deemed export' to a foreign national employee or contractor; and maintaining records. For additive manufacturing the technical data is the live concern because the build file, the parameter set, drawings, and process specs can themselves be controlled technical data even before a single part is printed.
So when a buyer needs an 'ITAR shop' for a printed defense part, the real requirement is a U.S.-based, DDTC-registered manufacturer that can lawfully receive and protect the controlled technical data, employ U.S.-person operators on the controlled work, and ship within authorization. The additive capability is necessary but it is the controlled-data handling that ITAR is policing.
Why USML Classification Decides Everything
Nothing about ITAR applies until you know whether your part and its technical data are actually ITAR-controlled. That turns on the U.S. Munitions List in 22 CFR 121.1. Many parts that defense buyers assume are ITAR are in fact controlled under the EAR (Export Administration Regulations) and the Commerce Control List instead, or are not controlled at all, following the export control reform that moved large numbers of military-derived commercial items from the USML to the EAR. A printed bracket for a commercial-derivative aircraft may be EAR99; a component specifically designed for a USML-listed defense article is ITAR.
This classification is the buyer's responsibility to determine and flow down, and it is not something the additive shop can guess. Get the jurisdiction and classification right before you release any technical data, because the act of sending a controlled build file to the wrong recipient is itself the violation. If your part is genuinely ITAR-controlled, then the supplier must be DDTC-registered and the data must stay within U.S.-person access. If it is EAR-controlled, a different and often less restrictive set of rules applies and a DDTC registration may be irrelevant. Suppliers and buyers who treat 'ITAR' as a generic stamp for 'defense work' routinely over- or under-control parts, and both errors carry risk.
Protecting the Build File: Technical Data Controls in Additive
Additive manufacturing makes technical data unusually mobile. A single STEP or build file fully specifies the part, and parameter sets, support strategies, and post-process specs are the manufacturing know-how that ITAR treats as technical data. A compliant ITAR additive supplier therefore controls the entire digital thread: access-controlled file storage, U.S.-person-only access to controlled data, restricted networks, and screening so no foreign-person employee, contractor, or cloud administrator can access the file without authorization. The deemed-export rule means simply giving a foreign-national engineer visibility into the controlled file inside the U.S. is an export requiring authorization.
Cloud and outsourcing are the recurring traps. If the shop's CAD, MES, or backup runs through a service where foreign-national administrators could access the data, or where the data leaves the U.S., that can be an unauthorized export even though no part shipped. The same applies to outsourced steps: sending the build file to a foreign or unscreened heat-treat, machining, or inspection subtier exposes controlled data. A serious ITAR additive operation keeps controlled work on U.S. soil with U.S.-person handling end to end, uses ITAR-aware IT (often segregated networks and U.S.-based, access-controlled cloud arrangements structured for ITAR), and documents who touched the data. When you vet a supplier, the sharpest questions are about their data handling and IT, not their printers.
Vetting an ITAR Additive Supplier and the Honest Caveats
Because registration is self-declared rather than audited, verification looks different from a quality certificate. You cannot look ITAR registration up in a public registry the way you can an AS9100 certificate in OASIS; the DDTC registrant list is not openly public. Instead, ask the supplier for their DDTC registration code (the 'M' or 'K' code DDTC issues) and confirm it through your own DDTC interactions or via the prime's supply-chain security process. Pair that with evidence of a real compliance program: a written technology control plan, U.S.-person screening, controlled IT, employee training, and a designated empowered official. A shop that says 'we're ITAR registered' but cannot describe its technology control plan is waving a flag, not running a program.
The honest caveats matter. First, ITAR registration alone says nothing about whether the shop can build your part well, so for flight or critical hardware you still want AS9100 and likely NADCAP on top of ITAR. Second, registration does not authorize any specific export; each export still needs its own license or exemption, which is the buyer's and supplier's joint responsibility. Third, do not over-apply ITAR: if your part is EAR-controlled, demanding ITAR registration is the wrong control and may exclude capable suppliers for no compliance benefit. The clean approach is to classify the part first, then source a U.S.-based DDTC-registered additive shop with a demonstrable technology control plan only when the part and data are genuinely USML-controlled.
Frequently Asked Questions
No, and this trips up many buyers. ITAR registration with the State Department's DDTC is a self-declaration plus fee, not an audited certification like AS9100 or NADCAP, and there is no public registry where you can look up a supplier the way you would check OASIS or eAuditNet. DDTC issues each registrant a code, but the registrant list is not openly published. So you verify a different way: ask the supplier for their DDTC registration code and confirm it through your own DDTC channels or through the prime contractor's supply-chain security process, and require evidence of an actual compliance program rather than just a claim. That program should include a written technology control plan, U.S.-person screening, access-controlled and U.S.-based IT, employee training, and a designated empowered official responsible for export compliance. A supplier that asserts ITAR registration but cannot describe its technology control plan or produce its registration code is a serious red flag, because the registration is meaningless without the controls behind it.
Not necessarily, and assuming so is a common and costly error. ITAR control turns on whether the part or its technical data appears on the U.S. Munitions List in 22 CFR 121.1. After the export control reform of the last decade, large numbers of military-derived and dual-use items were moved off the USML and onto the Commerce Control List under the EAR, so many defense-adjacent parts are actually EAR-controlled or even uncontrolled rather than ITAR. A printed component specifically designed for a USML-listed defense article is ITAR; a bracket for a commercial-derivative platform may be EAR99. Determining jurisdiction and classification is the buyer's responsibility and must happen before any technical data is released, because sending a controlled build file to the wrong recipient is itself the violation. If you are unsure, get a commodity jurisdiction determination from DDTC or a qualified export-control review. Over-applying ITAR excludes capable suppliers and adds cost for no benefit; under-applying it risks a violation. Classify first, then source to the actual control level.
Because additive manufacturing concentrates the entire manufacturing definition into transmissible digital files, and ITAR controls technical data, not just physical parts. A STEP or build file, the parameter set, support strategy, and process specifications collectively define how to make the article, which is exactly what ITAR treats as controlled technical data when the part is USML-listed. That means a violation can occur before anything is ever printed: emailing the file to a foreign supplier, storing it on a cloud service whose administrators are foreign nationals or whose servers sit outside the U.S., or simply letting a foreign-national engineer view it inside the U.S. (a 'deemed export') all constitute unauthorized exports without proper authorization. This is why a compliant ITAR additive shop controls the full digital thread with access-controlled, U.S.-based storage, U.S.-person-only access, segregated networks, and screened subtiers. When you vet such a supplier, the decisive questions are about their IT, cloud arrangements, and data-access controls, because in additive the file is the defense article's most portable and most exposed form.
Almost certainly yes for any flight or critical defense hardware, because ITAR and quality accreditation answer completely different questions. ITAR registration confirms a supplier is registered with DDTC and accepts the obligation to control defense articles and technical data; it says nothing about whether the shop can actually build a sound part. It is not audited for process capability, has no quality requirements, and grants no assurance about porosity, material properties, or inspection. For a structural or flight-critical printed defense part you still need AS9100 for the aerospace quality system and configuration control, and typically NADCAP accreditation for the special processes like heat treatment, hot isostatic pressing, and non-destructive testing that finish a metal additive part. So the credential stack for a serious defense additive part is usually ITAR registration plus AS9100 plus the relevant NADCAP accreditations, with the part classified to confirm ITAR even applies. Treating ITAR registration as a substitute for quality accreditation is a category error that can put an unqualified part into a defense system.
Only to subtiers that can lawfully receive the controlled technical data and article, which usually means U.S.-based, U.S.-person-staffed, and ideally themselves DDTC-registered or operating under appropriate authorization. The moment your ITAR-controlled build file or part moves to a subtier for heat treat, HIP, machining, or inspection, that transfer is an export-control event. Sending it to a foreign subtier, or to a domestic one where foreign nationals could access the data without authorization, is an unauthorized export even if the prime shop is fully compliant. A serious ITAR additive operation keeps controlled work on U.S. soil end to end, screens and controls its subtiers, and documents the chain of custody for both the data and the article. When you source, ask for the subtier list for any outsourced special processes and confirm each link can lawfully handle the controlled work; if your part also requires NADCAP special processes, verify the subtier holds the accreditation as well. The compliance chain is only as strong as its most exposed subtier, so map it before you release a single file.
Related Pages
ITAR CNC MachiningITAR Swiss MachiningITAR EDM / Wire EDMITAR Laser CuttingITAR StampingITAR Welding & FabricationISO 9001 3D Printing / Additive ManufacturingAS9100 3D Printing / Additive ManufacturingISO 13485 3D Printing / Additive ManufacturingNADCAP 3D Printing / Additive ManufacturingISO 14001 3D Printing / Additive Manufacturing
Last updated: July 2026
Find ITAR-Certified 3D Printing / Additive Manufacturing Suppliers
Search verified 3d printing / additive manufacturing shops that hold ITAR.
No logins. No email gates. Just results.