🛡️ ITAR

ITAR Registered Manufacturers in Portland, ME

Defense procurement carries a layer most commercial buyers never deal with: the International Traffic in Arms Regulations. When a part, a drawing, or even a conversation falls under ITAR, the manufacturer must be registered with the U.S. State Department's DDTC and must control who can touch the work. Portland's defense-machining base means ITAR-registered shops are here, but registration is a compliance posture, not a quality mark, and buyers need to understand exactly what it does and does not cover.

ITARAS9100ISO 9001

What ITAR Registration Actually Means for a Portland Supplier

ITAR is administered by the Directorate of Defense Trade Controls within the U.S. Department of State, and it governs defense articles and defense services on the United States Munitions List. A Portland manufacturer that makes parts, or even just holds technical data, falling under the USML must be registered with DDTC. That registration is not a certification of quality or capability; it is a declaration to the State Department that the company is engaged in manufacturing or exporting defense articles and is subject to the regulations. For southern Maine, where defense machining is a real part of the economy, ITAR registration is common among shops that take prime and tier-one defense subcontracts. These shops handle controlled technical data, the drawings, specifications, and process details that themselves are export-controlled even before a physical part exists. The core compliance obligation is controlling access so that only authorized U.S. persons handle ITAR-controlled data and articles unless a license or exemption permits otherwise. The critical thing a buyer must internalize is that ITAR registration verifies a regulatory posture, not manufacturing competence. A shop can be perfectly ITAR registered and still be a poor machinist, or excellent at machining and sloppy at compliance. You evaluate the two things separately.

Verifying Registration and Probing Real Compliance Controls

DDTC registration is not publicly searchable the way an ISO certificate directory is, so verification works differently. Ask the supplier for their DDTC registration code and confirm their registration is current; a registered party can show you evidence of active registration. More importantly, probe how they actually implement compliance, because registration is the easy part and day-to-day control is where shops fail. Ask specific questions. How do they segregate ITAR-controlled technical data so that only authorized U.S. persons can access it? Do they have a technology control plan? How do they handle their IT systems, file servers, and email so controlled data is not exposed to foreign persons or stored on non-compliant cloud services? How do they vet employee citizenship or immigration status to confirm U.S.-person status? Do they have an empowered official and a documented compliance program with training? A shop that answers these crisply has a living program; one that waves at registration without describing controls is a risk. Watch for specific red flags. A supplier that wants to send your controlled drawings to an offshore or non-U.S.-person subcontractor without a license is a violation in the making. A supplier storing controlled data on consumer cloud services without appropriate controls is exposing you. Because ITAR violations carry serious civil and criminal penalties and the liability can reach back up the chain, your diligence here protects your own company.

Data Handling, U.S. Persons, and the Mixed-Shop Problem

The hardest part of ITAR for a small Portland shop is controlling technical data inside a building that also runs commercial work. Controlled drawings and CAD files must be access-restricted, and that means real IT controls: segregated network shares, encrypted storage where required, controlled email, and a clear rule that only authorized U.S. persons handle the data. In a small mixed-use shop, ask how they prevent a foreign-person employee or an outside IT contractor from incidentally accessing controlled files, because casual access is a violation even without intent to export. The U.S.-person requirement extends to the floor. Anyone who can read the controlled drawing, program the machine from controlled data, or inspect against controlled specs needs to be an authorized U.S. person unless a license covers them. For a Portland shop, ask how they document the U.S.-person status of the people who will actually touch your job, and how they handle visitors and outside service technicians who might walk past controlled work. Subcontracting is the other trap. If the shop outsources heat treat, plating, NDT, or any step, the controlled technical data and the controlled article travel with the part. Every link in that chain must be ITAR compliant, and exporting controlled data or articles to a non-U.S. person, even a domestic subcontractor employing foreign persons, without authorization is a violation. Confirm the supplier's entire routing stays inside compliant, U.S.-person-controlled facilities.

How ITAR Sits Alongside AS9100 and Quality Requirements

ITAR and AS9100 are completely different things that frequently appear on the same Portland defense job, and buyers should not conflate them. AS9100 governs whether the part is made correctly and documented to aerospace standards. ITAR governs whether the controlled data and article are handled legally. A defense part often requires both: AS9100 for quality assurance and ITAR registration for export control compliance. A shop holding one does not imply the other. Most ITAR-registered Portland defense machine shops also hold AS9100 or at least ISO 9001, because the same prime contracts that flow down ITAR requirements also flow down quality-system requirements. When you source defense work locally, confirm both independently: verify the AS9100 certificate in OASIS for the quality side, and confirm DDTC registration and a real compliance program for the export-control side. They are separate diligence tracks with separate failure modes. Keep in mind that some defense work falls under the Export Administration Regulations rather than ITAR, depending on whether the item is on the USML or the Commerce Control List. Part of qualifying a Portland supplier is confirming they correctly classify your work and apply the right regulatory regime, because misclassification is itself a compliance failure that can expose both parties.

Frequently Asked Questions

No. Unlike ISO 9001 or AS9100, which are certifications you can verify in public directories like ANAB's listings or the OASIS database, ITAR registration is a registration with the U.S. Department of State's Directorate of Defense Trade Controls and is not publicly searchable. Verification works by asking the supplier directly for their DDTC registration code and confirming their registration is active and current. A legitimately registered Portland supplier can provide evidence of their registration. More important than the registration itself is the supplier's actual compliance program, because registration is straightforward to obtain while day-to-day control of technical data is where compliance succeeds or fails. When qualifying a supplier, go beyond confirming registration and probe how they segregate controlled technical data, how they verify the U.S.-person status of people handling your work, whether they maintain a technology control plan and an empowered official, and how their IT systems prevent unauthorized access. Registration is necessary but far from sufficient; the operational controls are what actually protect both companies from a violation.
No, and conflating the two is a common and dangerous mistake. ITAR registration is purely a compliance and export-control posture; it declares to the State Department that the company manufactures or exports defense articles and is subject to the International Traffic in Arms Regulations. It says nothing about whether the shop can hold tolerances, control its processes, or document its work. Manufacturing quality is governed by entirely separate standards, principally AS9100 for aerospace and defense work and ISO 9001 as the general foundation. A Portland shop can be flawlessly ITAR registered and a mediocre machinist, or an excellent machinist with a weak compliance program. For a defense part, you almost always need both a strong quality system and ITAR compliance, and you must evaluate them as separate diligence tracks. Verify the AS9100 certificate in OASIS for the quality side, confirm DDTC registration and inspect the real compliance controls for the export-control side. Most established Portland defense shops hold both because their prime contracts flow down both requirements, but never assume one implies the other.
The controlled technical data and the controlled defense article travel with the part, and every facility that touches them must be ITAR compliant and must restrict access to authorized U.S. persons. This is one of the highest-risk areas in defense subcontracting. If a Portland machine shop sends your controlled part out for heat treat, plating, anodizing, or nondestructive testing, those processors receive controlled data such as drawings and specifications along with the physical article, and they too must control access appropriately. Sending controlled data or articles to a non-U.S. person, including a domestic subcontractor that employs foreign-person workers who could access the data, without proper authorization is an export under ITAR and a violation. When qualifying a Portland supplier, map the entire process routing and confirm every link, including out-of-state special-process houses, stays within ITAR-compliant, U.S.-person-controlled facilities. Ask specifically how the supplier flows down ITAR requirements to its subcontractors and how it controls the transfer of technical data to them. Because Maine has limited local special-process capacity, parts often route out of state, so the compliance chain is longer and deserves extra scrutiny.
They cover different risks on the same part and must both be satisfied independently. AS9100 Rev D governs manufacturing quality: configuration management, first-article inspection, traceability, foreign object debris control, and the documentation that proves the part was made correctly to the aerospace standard. ITAR governs export-control compliance: whether the controlled technical data and the controlled defense article are handled legally and kept away from unauthorized foreign persons. A typical Portland defense machining job requires both because the prime contract flows down both requirements. Holding one does not imply the other; they are entirely separate regimes administered by entirely different authorities, the IAQG scheme for AS9100 and the State Department's DDTC for ITAR. When you source defense work in Portland, run two parallel diligence tracks. Confirm the AS9100 certificate and its scope in OASIS and verify the quality system through audit history and FAI samples. Separately, confirm DDTC registration and inspect the supplier's technology control plan, U.S.-person controls, and data-handling practices. Also confirm the supplier correctly classifies your work, since some defense items fall under the Export Administration Regulations rather than ITAR, and applying the wrong regime is itself a compliance failure.

Last updated: July 2026

Find ITAR-Certified Manufacturers in Portland, ME

Search verified Portland shops that hold ITAR.

No logins. No email gates. Just results.