🛡️ ITAR
ITAR Registered Assembly Suppliers for Defense Hardware
ITAR is not a quality certification at all, and treating it like one is the fastest way for a defense program to slip into a violation. ITAR registration with the State Department's Directorate of Defense Trade Controls signals that an assembler is set up to handle defense articles and the technical data behind them under US export-control law. For assembly specifically, where drawings, fixtures, and the physical hardware all sit under one roof, getting the controls right is a compliance problem as much as a manufacturing one. Here is what ITAR actually means for an assembly supplier and how to confirm it.
What ITAR registration is, and what it is not
Technical data and the US-person rule on the assembly floor
The heart of ITAR on an assembly floor is control of technical data. Under 22 CFR 120.10, technical data includes the drawings, specifications, build instructions, and any information required for the assembly of a defense article. Releasing that data to a foreign person, including a foreign-national employee working on the line in the United States, is a deemed export under 22 CFR 120.17 and generally requires authorization. This is why ITAR-aware assemblers control who can see the print and touch the hardware. In practice the controls show up as access-restricted work cells, badge and document controls that limit USML drawings to authorized US persons, segregated network drives, and screening of personnel against the US-person definition. An assembler building a USML component must ensure that every individual with access to the technical data or the article itself is either a US person or covered by a specific license or exemption. Foreign-national contractors, visiting reps, and even cloud storage with foreign administrators can all create deemed-export exposure. Buyers should ask how the supplier segregates ITAR work, who has access, and how they handle technical data transmission. A supplier that emails USML drawings without encryption or stores them on a server administered offshore is creating risk that flows to your program.
Verifying ITAR status and program-level fit
Unlike AS9100 or ISO 9001, there is no public registry where you can look up a company's ITAR registration; DDTC registration information is not published. Verification therefore relies on documentation the supplier provides and on contractual representations. Ask for the supplier's DDTC registration code (an M-prefixed number) and the registration expiration date, since registration must be renewed annually. Many primes require the supplier to attest to current registration in the contract and to flow down ITAR obligations to their own sub-tiers. Because the registration itself is not externally auditable, the meaningful verification is the supplier's compliance program. Request their ITAR compliance manual or a summary, confirm they have an empowered official responsible for export compliance, and ask how they screen personnel and control technical data. For assembly specifically, confirm they can segregate your USML work and that any special processes feeding the assembly are also performed under ITAR-compliant control. Red flags include a supplier that conflates ITAR with a quality certification, cannot produce a registration code, has foreign ownership or foreign-national staff without addressing the access controls, or treats technical-data handling casually. Because ITAR violations carry civil penalties and potential criminal liability, and because obligations flow down contractually, a verification gap here is a direct risk to your company, not just the supplier.
Where ITAR-controlled assembly applies and how it interacts with quality
ITAR-controlled assembly shows up wherever the finished article or its components are on the USML: guided missile and ordnance assembly, military aircraft and ground-vehicle subsystem integration, military electronics and avionics builds, night-vision and targeting assemblies, and space hardware that falls under USML Category XV rather than the Commerce-controlled EAR. Note that some space and dual-use items have moved to the EAR over the years, so the controlling regime depends on the specific item and its classification. For build quality, ITAR sits alongside, not instead of, the quality system. A defense assembly contract typically requires both ITAR registration and AS9100 (for aerospace) or ISO 9001 plus the program's quality flow-downs. The ITAR controls govern who can handle the work and the data; the quality system governs configuration control, first article inspection, and traceability. Buyers should treat them as two separate boxes that both must be checked. Be honest about scope: not every defense-adjacent part is ITAR-controlled. The determinant is whether the item is on the USML or whether the assembly involves controlled technical data. Misclassifying a commercial item as ITAR creates unnecessary cost and restricts your supplier pool; misclassifying a controlled item as commercial creates legal exposure. When in doubt, the item's export classification should be determined before sourcing, not after.
Frequently Asked Questions
Last updated: July 2026
Find ITAR-Certified Assembly Suppliers
Search verified assembly shops that hold ITAR.
No logins. No email gates. Just results.