🛡️ ITAR
ITAR Registered Manufacturers Serving Lexington, KY Defense Work
When a part falls under the US Munitions List, the supplier handling its drawings and machining it has to be ITAR registered, and getting that wrong carries criminal and financial exposure that dwarfs a quality slip. Lexington's defense-adjacent machining base, pulled up by Lockheed Martin's regional presence, includes shops registered with the State Department's DDTC and built to control technical data. This page explains what ITAR registration really means for buyers and how to confirm a central Kentucky supplier handles controlled work correctly.
ITARAS9100ISO 9001
What ITAR registration actually is, and isn't
ITAR, the International Traffic in Arms Regulations, governs the manufacture, export, and brokering of defense articles and defense services on the US Munitions List. A manufacturer that produces or even handles the technical data for USML items is generally required to register with the Directorate of Defense Trade Controls, or DDTC, part of the US State Department. That registration is the credential buyers reference when they say a shop is 'ITAR registered.'
It's important to understand that ITAR registration is not a quality certification like ISO 9001 or AS9100. It does not attest to a shop's machining capability or quality system. It establishes that the company is registered with DDTC and is therefore eligible and obligated to comply with the export-control framework, including controls on who can access controlled technical data. A shop can be ITAR registered and still be a poor manufacturer, which is why buyers almost always require ITAR registration alongside a real quality credential like AS9100.
Around Lexington, the shops carrying ITAR registration are typically the same precision machining operations that pursued aerospace and defense work as Lockheed Martin's regional activity created demand. They've built the compliance infrastructure, secure handling of drawings, US-person access controls, and the technology control plans, that controlled work requires.
Verifying registration and technical data controls
DDTC registration is not public the way an OASIS or registrar lookup is, so verification works differently. A registered supplier can provide their DDTC registration code, often on request under an NDA, and confirm their registration is current, since DDTC registration must be renewed annually. Ask for confirmation in writing as part of qualification, and many primes require a representation that the supplier is registered before any controlled data changes hands.
The deeper verification is around technical data handling. ITAR controls who can access controlled technical data, generally limiting it to US persons unless a license or exemption applies. A serious shop has a documented technology control plan describing how it segregates controlled drawings, restricts network and physical access, screens personnel for US-person status, and prevents inadvertent disclosure to foreign nationals, including foreign-national employees or IT vendors. Ask to walk through that plan.
Red flags include a shop that can't describe its US-person access controls, stores controlled drawings on uncontrolled cloud services, or is vague about whether foreign nationals touch the work. Because an ITAR violation can mean severe civil and criminal penalties for both supplier and buyer, the diligence here is non-negotiable. Confirm registration, confirm the technology control plan exists and is followed, and confirm the supplier understands the difference between physical export and the deemed export of releasing data to a foreign person.
How ITAR rides alongside AS9100 and quality flow-down
For most Lexington defense buyers, ITAR registration shows up bundled with AS9100 and sometimes NADCAP, because the same defense and aerospace customers that demand export-control compliance also demand aerospace quality. The two serve completely different purposes: AS9100 ensures the part is built right and traceable, ITAR ensures the controlled information and article are handled within US export law. You typically need both.
When you place ITAR-controlled work, the obligations flow down the supply chain just like quality requirements. Your prime flows ITAR clauses to you, you flow them to your machining supplier, and that supplier must flow them to any sub-tier that touches controlled data or the article, including NADCAP special-process houses doing heat treat or finishing. A break anywhere in that chain is a compliance failure, so a mature supplier manages its sub-tiers for ITAR compliance the same way it manages them for quality.
This is where the Lexington advantage and risk both live. The advantage is that a tight cluster of regionally proximate AS9100 and NADCAP shops can keep the controlled-data footprint smaller and easier to govern. The risk is assuming an AS9100 sub-tier is automatically ITAR-ready; it isn't. Confirm registration and controlled-data handling at every link before drawings move.
Frequently Asked Questions
No, and conflating the two is a common and costly mistake. ITAR registration is a compliance status with the US State Department's Directorate of Defense Trade Controls, indicating a company is registered to manufacture or handle defense articles and technical data on the US Munitions List. It says nothing about the supplier's machining quality, process control, or inspection capability. ISO 9001 and AS9100, by contrast, are quality management system certifications audited by accredited third parties and verifiable through registrar databases or OASIS. Because ITAR registration and quality are separate, buyers of defense parts almost always require both: ITAR registration to satisfy export-control law and AS9100 to ensure the parts are actually built right and traceable. Verification also works differently. You can't look ITAR registration up in a public database the way you check a quality certificate; instead the supplier provides their DDTC registration code, typically under an NDA, and confirms it is current, since DDTC registration must be renewed annually. Treat ITAR and quality as two independent gates a defense supplier must pass.
Controlled technical data under ITAR is information required for the design, development, production, manufacture, assembly, operation, or modification of a defense article on the US Munitions List, including drawings, models, specifications, and certain process information. When you send such data to a supplier, you are not just transferring a part file; you are transferring export-controlled information that ITAR restricts. The critical concept is the deemed export: releasing controlled technical data to a foreign person, even one standing inside a US facility, counts as an export and generally requires a license or exemption. That's why a properly run ITAR shop in Lexington controls exactly who can see your drawings, limiting access to US persons unless authorized, segregating the data on controlled systems, and screening employees and even IT contractors. Before you transmit any controlled drawing, confirm the supplier is ITAR registered, has a documented technology control plan, and uses secure transmission and storage. Sending controlled data to a non-compliant shop exposes both you and the supplier to serious civil and criminal liability.
Yes, if those sub-tiers handle the controlled article or its technical data, the ITAR obligations flow down to them just as quality requirements do. Most ITAR-controlled machined parts touch special processes like heat treatment, plating, coating, or nondestructive testing, which are typically performed by separate NADCAP-accredited houses. If those sub-tiers receive controlled drawings, process specifications, or the physical defense article, they fall within the ITAR compliance perimeter and must handle the work accordingly, which often means they too need to be registered and operate under appropriate controls. A mature ITAR-registered prime machining shop in the Lexington area manages this by flowing export-control requirements down its supply chain, controlling which sub-tiers receive controlled data, and verifying their compliance. The risk for buyers is assuming that because a special-process house is NADCAP accredited it is automatically ITAR ready; accreditation and export-control compliance are unrelated. Before controlled work moves, ask your supplier to map the sub-tier chain and confirm ITAR compliance at every link that touches the article or its data.
Releasing ITAR-controlled technical data or a defense article to a foreign person without proper authorization is treated as an unauthorized export, regardless of whether anything physically left the country. This is the deemed export rule, and it applies even to a foreign-national employee, contractor, or visitor inside a US facility who gains access to the controlled information. The consequences are severe: ITAR violations can carry substantial civil penalties per violation and criminal penalties including significant fines and imprisonment, and they expose both the supplier and the buyer who entrusted the work. This is precisely why a properly run ITAR-registered shop maintains a technology control plan that screens personnel for US-person status, restricts physical and network access to controlled data, and prevents inadvertent disclosure. When qualifying a Lexington-area defense supplier, you should specifically probe how they control foreign-national access, since many shops employ foreign nationals in non-controlled roles. The supplier must demonstrate that those individuals are walled off from your controlled drawings and parts. A vague or hand-waving answer here is a disqualifying red flag for any genuinely controlled work.
Last updated: July 2026
Find ITAR-Certified Manufacturers in Lexington, KY
Search verified Lexington shops that hold ITAR.
No logins. No email gates. Just results.