🛡️ ITAR
ITAR-Registered Milling Shops for Defense-Controlled Machined Parts
ITAR registration is not a quality credential and it does not promise a single tenth of accuracy; it is a federal export-control status that determines whether a milling shop may lawfully receive your defense-related drawings and cut your parts. Buyers who treat it like AS9100 or ISO 9001 get the relationship exactly wrong. This page explains what registration with the State Department actually controls, where the EAR boundary sits, and how to confirm a machining supplier is compliant rather than merely claiming to be.
ITARAS9100ISO 9001
What ITAR registration actually means for a machine shop
The International Traffic in Arms Regulations (22 CFR 120-130) are administered by the Directorate of Defense Trade Controls (DDTC) within the State Department. Any US person who manufactures defense articles, even if they never export, must register with DDTC under 22 CFR Part 122. So when a milling shop says it is ITAR registered, the precise meaning is that it has filed a Statement of Registration (Form DS-2032), paid the annual fee, and holds a current registration code. That is the floor, not the whole picture.
Registration is mandatory for manufacturers of items on the United States Munitions List (USML), the 21 categories at 22 CFR Part 121 that include military aircraft and parts (Category VIII), launch vehicles and missiles (IV), firearms (I), and ground vehicles (VII), among others. A milling shop cutting a part defined on the USML is a manufacturer of a defense article and must be registered regardless of whether it ever ships overseas. Critically, registration by itself confers no export authorization; any actual export of hardware or technical data requires a separate license (DSP-5, DSP-73) or a recognized exemption.
What registration does not do is certify quality, validate processes, or guarantee tolerances. A shop can be ITAR registered and a poor machinist. That is why defense milling almost always pairs ITAR registration with a real quality system, typically AS9100 for flight hardware, so the buyer gets both lawful data handling and engineering competence. Treat ITAR as the gate that lets the supplier touch the work, and a quality cert as the proof it can do the work.
Controlled technical data: the real day-to-day obligation
For a milling shop, the heaviest ITAR burden is rarely the parts themselves; it is the technical data. Drawings, models, specifications, tooling data, and process instructions for a USML item are ITAR-controlled technical data under 22 CFR 120.10. Disclosing that data to a foreign person, even one standing on the shop floor in the United States, is a deemed export and requires authorization. This drives concrete controls: US-person-only access to controlled drawings, segregated or access-controlled servers, restricted areas around machines running controlled jobs, visitor controls, and personnel screening to establish US-person status.
Cloud and IT handling is a frequent failure point. Technical data stored or transmitted through systems accessible to foreign persons can constitute an unauthorized export. Compliant shops use access-controlled, often US-based and sometimes ITAR-aware cloud environments, and many defense primes now also require CMMC and NIST SP 800-171 controls on top of ITAR for protecting controlled unclassified information. ITAR and CMMC overlap but are distinct; a shop can be ITAR registered and still fail a CMMC assessment.
Flow-down is the other obligation buyers should verify. If the milling shop sends your controlled part out for plating, heat treat, or NDT, the controlled technical data and the article travel to that subcontractor, who must also be a compliant US person or registered manufacturer. A clean ITAR posture at the prime machine shop means nothing if the anodize vendor downstream is uncontrolled. Confirm the supplier has a documented technology control plan and controls its supply chain, not just a registration code.
USML versus EAR: getting the jurisdiction right
The single most common and costly mistake in defense milling is jurisdictional miscategorization, assuming a part is ITAR-controlled when it is actually EAR-controlled, or the reverse. Export Control Reform moved many military-derived but less sensitive items off the USML and onto the Commerce Control List under the Export Administration Regulations, administered by the Bureau of Industry and Security. The USML now uses a positive-list, often specially-designed standard, and many brackets, fasteners, and generic machined components that feed military programs are actually EAR 9A610 or similar, not USML.
Getting this wrong cuts both ways. Treating an EAR part as ITAR wastes money on unnecessary controls and can needlessly restrict your supplier pool. Treating an ITAR part as EAR, or worse as uncontrolled, exposes both buyer and shop to serious civil and criminal penalties, with ITAR violations historically reaching into the millions per violation. The jurisdiction is determined by the technical characteristics of the item and the governing specification, and when in doubt a Commodity Jurisdiction request to DDTC settles it authoritatively.
For the milling buyer, the practical discipline is to know your part's jurisdiction and classification before sourcing, communicate it on the PO, and confirm the supplier's registration and controls match. An ITAR-registered shop is the right home for a confirmed USML part. For an EAR part, you want a shop competent in EAR compliance and the relevant ECCN, which may or may not also be ITAR registered. Do not let a supplier's marketing claim of being ITAR registered substitute for your own determination of what the part actually is.
Frequently Asked Questions
No, and conflating the two is a meaningful error. ITAR registration is an export-control status with the State Department's Directorate of Defense Trade Controls, established by filing Form DS-2032 and maintaining a current registration under 22 CFR Part 122. It signals that a milling shop is a lawful manufacturer of defense articles and is permitted to receive controlled technical data, nothing more. It says nothing about whether the shop holds tolerances, controls its processes, calibrates its gauges, or inspects its parts. Those are quality-system attributes governed by standards like ISO 9001 and, for flight hardware, AS9100, which is why defense milling suppliers almost always carry both: ITAR registration as the legal gate and a quality certification as proof of competence. When you source a defense machined part, verify ITAR registration to confirm the shop can lawfully handle your data and article, and separately verify a quality cert to confirm it can actually make the part to print. One does not substitute for the other, and a vendor that offers ITAR registration as if it were a quality stamp does not understand its own obligations.
Registration itself is verified by the shop's current DDTC registration code, which it can provide; DDTC does not run a public lookup, so verification leans on the supplier furnishing its registration confirmation and you assessing the surrounding compliance posture. Ask for the registration code and confirm it is current, since registration must be renewed annually with a fee. Then probe the controls that actually matter: a documented technology control plan, US-person-only access to controlled technical data, access-controlled IT systems for storing and transmitting drawings, restricted areas for controlled jobs, visitor and personnel screening, and supply-chain flow-down so subcontractors handling your controlled part are themselves compliant. Increasingly, defense buyers also require CMMC and NIST SP 800-171 evidence for protecting controlled unclassified information, which is distinct from ITAR but often demanded alongside it. A shop with a registration code but no technology control plan, or one that stores controlled drawings on systems accessible to foreign-person IT contractors, is registered but not compliant. Verify the program, not just the paperwork.
Jurisdiction depends on what the part is. ITAR, administered by the State Department's DDTC, controls items on the United States Munitions List at 22 CFR Part 121, the most sensitive defense articles across 21 categories. EAR, administered by Commerce's Bureau of Industry and Security, controls items on the Commerce Control List, including many military-related but less sensitive items, often under 600-series ECCNs like 9A610. Export Control Reform moved a large volume of brackets, fasteners, and generic machined components from the USML to the CCL, so a part feeding a military program is frequently EAR-controlled, not ITAR. Getting this right matters because the wrong call is expensive: treating an EAR part as ITAR over-restricts your supplier pool and adds cost, while treating an ITAR part as EAR or uncontrolled exposes you to severe penalties. Jurisdiction follows the item's technical characteristics and governing specification, and a Commodity Jurisdiction request to DDTC resolves genuine ambiguity. Determine and document your part's jurisdiction and classification before sourcing, and put it on the PO so the supplier applies the correct controls.
Yes, though differently from a quality certification. The cost shows up as compliance overhead rather than per-part machining: maintaining DDTC registration and its annual fee, running a technology control plan, access-controlling IT systems and physical areas, screening personnel for US-person status, and managing a compliant supply chain all carry expense that ITAR-registered shops build into their rates. Lead time can extend because controlled technical data cannot be freely shared, subcontractors for plating, heat treat, or NDT must themselves be compliant which narrows options and can add routing time, and any actual export of hardware or data requires a separate DDTC license that can take weeks to months to obtain. For purely domestic production to a US-person buyer with a registered shop, the schedule impact is modest. The expensive scenarios are export, foreign-person involvement, or discovering mid-program that a subcontractor is not compliant and the work must be re-sourced. Manage it by confirming the full supply chain's compliance up front and resolving any export-authorization needs early rather than at the point of shipment.
This is where buyers get into the most trouble. ITAR registration is for US persons, and a foreign person, including a foreign national employee, generally may not access controlled technical data or defense articles without specific authorization, because doing so is a deemed export under 22 CFR 120.10. A US-incorporated shop with foreign-national employees can still run ITAR work, but only if it controls access so those employees are walled off from controlled data, or holds the appropriate authorization. A shop physically located outside the United States cannot be the home for unlicensed ITAR manufacturing of USML hardware. Foreign ownership does not automatically disqualify a US shop, but it raises scrutiny and may trigger additional controls or even foreign-ownership-control-influence mitigation in classified contexts. The practical rule for buyers: confirm the milling happens at a US facility by US persons under a documented technology control plan, and confirm that any subcontractors handling your controlled part meet the same bar. If foreign persons or foreign locations are anywhere in the chain for a USML part, treat it as a licensing question and get export-control counsel before proceeding, not after.
Last updated: July 2026
Find ITAR-Certified Milling Suppliers
Search verified milling shops that hold ITAR.
No logins. No email gates. Just results.