What ITAR Registration Obligates — and What It Doesn't
ITAR registration means a company has registered with DDTC and pays the annual registration fee, establishing it as eligible to manufacture or export defense articles. Crucially, registration is not the same as authorization to export — a registered shop still needs licenses or exemptions for actual exports, and it still must operate a compliance program that controls who touches controlled hardware and data.
The core obligation that drives sourcing decisions is the U.S.-person rule. ITAR technical data and defense articles may only be accessed by U.S. persons (citizens, lawful permanent residents, and certain protected individuals) absent specific authorization. That means a compliant shop restricts access to your drawings, models, and hardware to U.S.-person employees and controls its facility, network, and even cloud and email systems accordingly.
What ITAR registration does not give you is any assurance of manufacturing quality. It says nothing about tolerances, process control, or inspection. A shop can be ITAR-registered and produce poor parts. That's why ITAR is almost always paired with a quality credential — AS9100 for flight and defense hardware, or at least ISO 9001 — and you verify the two independently.
Verifying a Las Vegas Shop's ITAR Status and Data Controls
Unlike AS9100 (OASIS) or ISO certificates (registrar directories), ITAR registration isn't publicly searchable — DDTC's registrant list isn't an open database. So verification runs through the supplier directly: request evidence of current DDTC registration (the registration letter and code), confirm the registration is active and the fee is current, and get it in writing in your supplier agreement.
Go beyond the registration to the compliance program, because that's where real protection lives. Ask how the shop segregates ITAR work, how it enforces U.S.-person-only access on the floor and on its network, where your technical data resides (on-prem versus cloud, and whether any cloud is ITAR-compliant), and how it handles email, file transfer, and backups of controlled data. A shop with a mature program answers these crisply and may have a designated Empowered Official and a written Technology Control Plan.
Red flags: a shop that conflates 'ITAR registered' with 'ITAR certified' (there's no ITAR certification — it's registration plus compliance), can't describe its U.S.-person access controls, or routes controlled data through ordinary consumer cloud and email. In a fast-grown market, also confirm the registered legal entity matches your PO entity, since shops that rebrand can leave registration under an old name.
Handling Controlled Data Across a Local Supply Chain
Defense parts rarely come from a single shop. Machining routes to plating, heat treat, NDT, and finishing, and every sub-tier that touches controlled technical data or hardware must itself be ITAR-compliant and staffed by U.S. persons for that work. A local prime shop's ITAR registration does not extend to its sub-tiers — the flowdown of export-control obligations has to be real and contractual.
This matters acutely in Las Vegas because some special-process capacity routes to Southern California. When your drawing or hardware moves to an out-of-state processor, that transfer and that processor are inside your ITAR boundary. Confirm the prime shop flows ITAR requirements to every sub-tier on the routing, and that the data transfer mechanisms between them are controlled rather than emailed in the clear.
The practical safeguard is to require, up front, a map of where your controlled data and hardware will travel — which shops, in which states, under what data-transfer controls. A mature ITAR supplier produces this without hesitation. A shop that hasn't thought through its sub-tier compliance is an export-control liability regardless of its own registration, because a single non-U.S.-person at a careless plating vendor is still a violation that lands on the program.