🛡️ ITAR

ITAR-Registered Inspection & Quality Suppliers for Controlled Parts

ITAR registration is not a quality certification at all, and treating it like one is the fastest way to a compliance violation. It is a federal registration with the US State Department that authorizes a company to handle defense articles and technical data, and when your inspection involves controlled drawings, the supplier's registration status and access controls matter as much as their CMM. This page separates what ITAR actually governs in an inspection context from the quality standards that run alongside it.

ITARAS9100ISO 9001

ITAR is a federal registration, not a quality standard, and why that matters for inspection

The International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120 through 130) are administered by the Directorate of Defense Trade Controls (DDTC) within the US State Department. They control the export and handling of defense articles and defense services listed on the United States Munitions List (USML, 22 CFR 121). A company that manufactures, exports, or brokers USML items must register with DDTC under 22 CFR 122 and obtain an annual registration code. That registration is what people loosely call 'ITAR certified,' but there is no quality system, no measurement competence, and no inspection capability implied by it whatsoever. For inspection work, the controlled item is frequently the technical data, not just the physical part. A defense drawing, model, GD&T scheme, or inspection program for a USML item is itself ITAR-controlled technical data under 22 CFR 120.10. So when you hand an inspection supplier the drawing to write a CMM program and measure a part, you are transferring controlled technical data, and an unauthorized disclosure to a foreign person, even a foreign-national employee in the same building, is a deemed export and a potential violation. This is why the inspection supplier's ITAR posture matters beyond a logo. You need a DDTC-registered company with documented controls over who can access the drawing, where the data lives, and how the inspection records are stored and transmitted. The quality of the measurement and the legality of the data handling are two separate questions, and ITAR addresses only the second.

Verifying ITAR registration and the access controls behind it

Unlike ISO certificates, DDTC registration is not posted in a public registry you can search. Registration status is confidential, so verification is done through documentation and attestation rather than a database lookup. Ask the supplier for evidence of current DDTC registration: the registrant identification (the M-number or registration code), confirmation the registration is current (it renews annually), and a signed statement or representation in the contract that they are registered and will handle your technical data in compliance with ITAR. Many primes require a formal ITAR/EAR compliance representation clause in the PO. Beyond the registration itself, probe the operational controls, because registration without a real Technology Control Plan is hollow. Confirm the supplier restricts access to controlled drawings to US persons (US citizens, lawful permanent residents, and protected individuals under 8 USC 1324b), that they have a documented Technology Control Plan or equivalent, and that controlled data is stored on US-person-only systems. If they use cloud storage or email, ask whether it meets the carve-out requirements for end-to-end encrypted transmission and US-located data, and whether any IT administrators are foreign persons with potential access. The most common trap is the foreign-national-on-the-floor problem: an otherwise registered shop with a non-US-person inspector or IT admin who can see the controlled drawing has created a deemed-export exposure. Ask specifically how access is segregated and logged. A second trap is assuming ITAR covers your part when it is actually EAR-controlled or uncontrolled; confirm the part's USML category or commodity jurisdiction so you are flowing down the correct regime.

Pairing ITAR with a real quality standard for defense inspection

Because ITAR carries no quality content, defense inspection work almost always requires a separate quality credential layered on top. For flight and weapons hardware, that is typically AS9100 Rev D, often with NADCAP for any special-process testing such as NDT, plus customer-specific quality clauses and frequently DCMA government source inspection. The ITAR registration authorizes the supplier to legally touch the controlled data; the AS9100 system governs whether the measurement and acceptance record is actually trustworthy. You need both, and they should be evaluated independently. In practice, a well-run defense inspection supplier presents a stacked credential set: a current DDTC registration with a documented Technology Control Plan, an AS9100D certificate verifiable in OASIS with a scope covering inspection, and NAS 410-certified personnel for any NDT. For serialized flight-safety or fracture-critical parts, expect full traceability, AS9102 FAIR packages, and the ability to support government or customer source inspection at their facility, all while keeping the technical data inside US-person access controls. When you source, match the part's control regime first, then the quality requirement. A common failure mode is selecting a supplier on quality credentials alone and discovering after the drawing is sent that they routed the CMM programming to a foreign-national contractor or an offshore service bureau, which is a reportable violation regardless of how good the inspection was. Build the data-handling representation into the PO before any controlled drawing leaves your hands.

Frequently Asked Questions

No. There is no such thing as an ITAR certification or ITAR quality standard. ITAR (the International Traffic in Arms Regulations, 22 CFR 120 through 130) is administered by the State Department's Directorate of Defense Trade Controls, and what a compliant company holds is a DDTC registration under 22 CFR 122, renewed annually, that authorizes it to manufacture, export, or broker items on the United States Munitions List. People say 'ITAR certified' as shorthand, but it confers nothing about quality systems, measurement competence, calibration, or inspection capability. For inspection work, ITAR governs the legal handling of controlled technical data, such as defense drawings and CMM programs, and the prevention of unauthorized disclosure to foreign persons, including a deemed export to a foreign-national employee. You must evaluate quality separately. A defense inspection supplier should hold both a current DDTC registration with documented access controls and a genuine quality credential such as AS9100 Rev D, with NADCAP for special processes where required. Confirming one tells you nothing about the other, so verify both before sending a controlled drawing.
DDTC registration status is confidential and is not posted in a public, searchable registry like ISO or AS9100 certificates are. Verification is therefore documentary and contractual rather than a lookup. Ask the supplier to provide evidence of current registration, including their registrant code or M-number, confirmation that the annual registration is active, and a signed ITAR compliance representation in the purchase order stating they are registered and will handle your technical data in accordance with the regulations. Beyond the registration paper, verify the operational controls that make it meaningful: a documented Technology Control Plan, access to controlled drawings restricted to US persons (citizens, lawful permanent residents, and protected individuals), US-located and US-person-administered IT systems for storing controlled data, and compliant handling of any transmission. Probe specifically for foreign-national access on the shop floor or in IT administration, because an unregistered or uncontrolled disclosure to a foreign person is a deemed export and a violation regardless of registration status. If the supplier cannot describe these controls concretely, the registration alone does not protect your data.
Generally no, not without specific State Department authorization, and doing so is one of the most common and serious ITAR violations in the inspection chain. ITAR-controlled technical data, which includes defense drawings, models, GD&T schemes, and the CMM inspection programs derived from them for USML items, cannot be exported to a foreign person or a foreign location without a license or applicable exemption. Sending the drawing to an offshore service bureau to write an inspection program, or even allowing a foreign-national contractor in the US to access it, constitutes an unauthorized export or deemed export. This matters because some inspection suppliers quietly subcontract CMM programming or overflow inspection work to offshore or third-party resources to manage capacity, and the buyer never sees it. Protect yourself by writing an explicit prohibition on offshoring or foreign-person access into the purchase order, requiring the supplier to keep all programming and inspection of controlled parts inside US-person access controls at a US facility, and requiring notification of any subcontracting. Confirm the part's actual control jurisdiction first, because if it is genuinely USML-controlled, the data-handling rules are strict and the penalties for a violation are severe.
Because ITAR carries no quality content, the package combines compliance evidence with a separate quality deliverable. On the compliance side, expect the supplier's ITAR compliance representation, confirmation that controlled technical data was handled under US-person access controls and a Technology Control Plan, and that no unauthorized export or deemed export occurred. On the quality side, the deliverable matches the part's requirements: for defense flight or weapons hardware that typically means an AS9102 first article inspection report, a Certificate of Conformance with full lot or serial traceability, raw-material certifications, special-process certifications from NADCAP-accredited sources where applicable, and NAS 410 inspector certification evidence for any NDT. For serialized flight-safety or fracture-critical parts, expect serial-level traceability and support for DCMA government source inspection or customer source inspection. Keep both record sets together: the quality records prove the part is conforming, and the compliance records prove the controlled data was handled lawfully throughout inspection. Missing either one is a problem, but the data-handling representation is the piece buyers most often forget to require until an audit or investigation surfaces the gap.

Last updated: July 2026

Find ITAR-Certified Quality & Inspection Suppliers

Search verified quality & inspection shops that hold ITAR.

No logins. No email gates. Just results.