🛡️ ITAR

ITAR Registered Assembly Suppliers for Defense Hardware

ITAR is not a quality certification at all, and treating it like one is the fastest way for a defense program to slip into a violation. ITAR registration with the State Department's Directorate of Defense Trade Controls signals that an assembler is set up to handle defense articles and the technical data behind them under US export-control law. For assembly specifically, where drawings, fixtures, and the physical hardware all sit under one roof, getting the controls right is a compliance problem as much as a manufacturing one. Here is what ITAR actually means for an assembly supplier and how to confirm it.

ITARAS9100ISO 9001

What ITAR registration is, and what it is not

ITAR, the International Traffic in Arms Regulations at 22 CFR Parts 120 to 130, is administered by the Directorate of Defense Trade Controls (DDTC) within the US Department of State. It governs the export and the in-country handling of defense articles and defense services listed on the United States Munitions List (USML). Registration with DDTC under 22 CFR Part 122 is mandatory for any US person who manufactures or exports USML items, even if they never themselves export, because manufacturing a defense article triggers the registration requirement. The critical thing buyers misunderstand is that ITAR registration is not an audited quality standard. There is no ITAR auditor who inspects an assembly line for capability. Registration confirms the company has paid the registration fee, filed with DDTC, and represented that it is engaged in covered activities. The substantive obligation is the company's own compliance program: controlling access to technical data, restricting work to authorized persons, and obtaining licenses or using exemptions for any export. So for assembly, ITAR registration is necessary but not sufficient. You still need to confirm the supplier has a real compliance program and the quality certifications (typically AS9100 or ISO 9001) that actually govern build quality. ITAR answers can they lawfully handle this defense article; quality certifications answer can they build it right.
01

Technical data and the US-person rule on the assembly floor

The heart of ITAR on an assembly floor is control of technical data. Under 22 CFR 120.10, technical data includes the drawings, specifications, build instructions, and any information required for the assembly of a defense article. Releasing that data to a foreign person, including a foreign-national employee working on the line in the United States, is a deemed export under 22 CFR 120.17 and generally requires authorization. This is why ITAR-aware assemblers control who can see the print and touch the hardware. In practice the controls show up as access-restricted work cells, badge and document controls that limit USML drawings to authorized US persons, segregated network drives, and screening of personnel against the US-person definition. An assembler building a USML component must ensure that every individual with access to the technical data or the article itself is either a US person or covered by a specific license or exemption. Foreign-national contractors, visiting reps, and even cloud storage with foreign administrators can all create deemed-export exposure. Buyers should ask how the supplier segregates ITAR work, who has access, and how they handle technical data transmission. A supplier that emails USML drawings without encryption or stores them on a server administered offshore is creating risk that flows to your program.

02

Verifying ITAR status and program-level fit

Unlike AS9100 or ISO 9001, there is no public registry where you can look up a company's ITAR registration; DDTC registration information is not published. Verification therefore relies on documentation the supplier provides and on contractual representations. Ask for the supplier's DDTC registration code (an M-prefixed number) and the registration expiration date, since registration must be renewed annually. Many primes require the supplier to attest to current registration in the contract and to flow down ITAR obligations to their own sub-tiers. Because the registration itself is not externally auditable, the meaningful verification is the supplier's compliance program. Request their ITAR compliance manual or a summary, confirm they have an empowered official responsible for export compliance, and ask how they screen personnel and control technical data. For assembly specifically, confirm they can segregate your USML work and that any special processes feeding the assembly are also performed under ITAR-compliant control. Red flags include a supplier that conflates ITAR with a quality certification, cannot produce a registration code, has foreign ownership or foreign-national staff without addressing the access controls, or treats technical-data handling casually. Because ITAR violations carry civil penalties and potential criminal liability, and because obligations flow down contractually, a verification gap here is a direct risk to your company, not just the supplier.

03

Where ITAR-controlled assembly applies and how it interacts with quality

ITAR-controlled assembly shows up wherever the finished article or its components are on the USML: guided missile and ordnance assembly, military aircraft and ground-vehicle subsystem integration, military electronics and avionics builds, night-vision and targeting assemblies, and space hardware that falls under USML Category XV rather than the Commerce-controlled EAR. Note that some space and dual-use items have moved to the EAR over the years, so the controlling regime depends on the specific item and its classification. For build quality, ITAR sits alongside, not instead of, the quality system. A defense assembly contract typically requires both ITAR registration and AS9100 (for aerospace) or ISO 9001 plus the program's quality flow-downs. The ITAR controls govern who can handle the work and the data; the quality system governs configuration control, first article inspection, and traceability. Buyers should treat them as two separate boxes that both must be checked. Be honest about scope: not every defense-adjacent part is ITAR-controlled. The determinant is whether the item is on the USML or whether the assembly involves controlled technical data. Misclassifying a commercial item as ITAR creates unnecessary cost and restricts your supplier pool; misclassifying a controlled item as commercial creates legal exposure. When in doubt, the item's export classification should be determined before sourcing, not after.

Frequently Asked Questions

No. ITAR registration is fundamentally different from a quality certification like ISO 9001 or AS9100. ITAR, the International Traffic in Arms Regulations administered by the State Department's DDTC, is US export-control law governing defense articles on the United States Munitions List. Registration under 22 CFR Part 122 is mandatory for US manufacturers and exporters of USML items, but it is not an audited assessment of manufacturing capability. No ITAR auditor inspects an assembly line. Registration simply confirms the company filed with DDTC, paid the fee, and represented that it performs covered activities; the substantive obligation is the company's own compliance program controlling technical data and personnel access. For assembly, this means ITAR registration answers whether a supplier can lawfully handle a defense article and its technical data, while quality certifications answer whether they can build it correctly. A defense assembly contract typically requires both: ITAR registration for compliance and AS9100 or ISO 9001 for build quality. Treating ITAR as proof of quality, or vice versa, is a common and consequential mistake.
There is no public registry for ITAR registration; DDTC does not publish registration information, so verification relies on documentation and contractual representation rather than a lookup like OASIS or ANAB. Ask the supplier for their DDTC registration code, which is an M-prefixed number, and the registration expiration date, since ITAR registration must be renewed annually. Most defense contracts require the supplier to attest to current registration and to flow down ITAR obligations to sub-tiers. Because the registration itself cannot be externally audited, the meaningful verification is the supplier's compliance program: request their ITAR compliance manual or a summary, confirm they have an empowered official responsible for export compliance, and ask how they screen personnel for US-person status and control technical data. For assembly, confirm they can physically and electronically segregate your USML work. Red flags include a supplier that confuses ITAR with a quality certification, cannot produce a registration code, has unaddressed foreign-national access, or handles technical data casually. Given that violations carry civil and criminal liability that can flow to your company, this verification is essential.
Under ITAR, technical data and defense articles generally may only be accessed by US persons, defined at 22 CFR 120.62 as US citizens, lawful permanent residents, and certain protected individuals, unless a license or exemption authorizes broader access. On an assembly floor this matters because the drawings, build instructions, and the hardware itself are all technical data or defense articles, and releasing them to a foreign person, including a foreign-national employee working in the United States, is a deemed export under 22 CFR 120.17 that generally requires authorization. ITAR-aware assemblers therefore restrict USML work to authorized US persons through access-controlled work cells, document and badge controls, segregated networks, and personnel screening. Foreign-national contractors, visiting representatives, and even cloud storage administered offshore can all create deemed-export exposure. For buyers, the practical question to ask a supplier is how they segregate ITAR work, who has access to the technical data and the article, and how they transmit drawings, since an unencrypted email or an offshore-administered server can violate ITAR and create risk that flows back to your program.
Only if the item is controlled under ITAR, which is not automatic for everything defense-adjacent. The determinant is whether the finished article or its components appear on the United States Munitions List, or whether the assembly involves ITAR-controlled technical data. Many items have moved between ITAR and the Commerce-controlled Export Administration Regulations over the years, particularly some satellite and dual-use hardware, so the controlling regime depends on the specific item and its export classification. Misclassifying a commercial item as ITAR adds unnecessary cost and shrinks your supplier pool, while misclassifying a controlled item as commercial creates legal exposure including civil penalties and potential criminal liability. The right practice is to determine the item's export classification before sourcing, typically through your export-control function or a commodity jurisdiction request to DDTC if the classification is genuinely unclear. Once classified, you can scope the supplier requirement correctly: ITAR registration plus the appropriate quality certification for USML items, or a standard quality-certified assembler for items that fall under the EAR or are uncontrolled.
Because ITAR is a compliance regime rather than a quality standard, the build records you receive come from the supplier's quality system, typically AS9100 or ISO 9001, while ITAR governs how that work and its data were handled. Expect the standard quality deliverables: a certificate of conformance, first article inspection documentation where AS9100 applies, material and special-process certifications, and a traceable build record linking the finished serial number to component lots and personnel. On the compliance side, the supplier should be able to attest in writing to current DDTC registration with their registration code, confirm that all personnel with access to your technical data and hardware were authorized US persons or covered by a license or exemption, and document how the technical data was controlled and transmitted. If any export occurred, the relevant license or exemption citation should be on record. Your contract should also flow down ITAR obligations to the supplier and any sub-tiers, and the supplier should retain export-control records per DDTC requirements, which generally mandate retention for five years. Keep both the quality and compliance records, since both may be examined in an audit or program review.

Last updated: July 2026

Find ITAR-Certified Assembly Suppliers

Search verified assembly shops that hold ITAR.

No logins. No email gates. Just results.