🛡️ ITAR

ITAR-Registered Sheet Metal Fabricators for Defense Work

Sending a defense drawing to an offshore quoting portal can be a violation before a single part is ever cut. ITAR registration is less about how a shop forms metal and more about who is allowed to see the drawing, touch the part, and store the data, which is exactly why it governs defense sheet metal from the first email.

ITARAS9100ISO 9001

What ITAR registration actually is, and what it is not

ITAR is the International Traffic in Arms Regulations (22 CFR 120-130), administered by the State Department's Directorate of Defense Trade Controls (DDTC). A sheet metal shop that fabricates defense articles described on the U.S. Munitions List (USML) is, under 22 CFR 122, required to register with DDTC. That registration is the foundational compliance step; it is paid annually and renewed, and it is what people mean when they say a shop is 'ITAR registered.' A critical distinction: ITAR registration is not a certification or an audit in the way ISO 9001 or AS9100 are. No registrar inspects the shop and issues a scoped certificate. DDTC registration is essentially an enrollment that establishes the company as a known manufacturer or exporter of defense articles and makes it eligible to apply for export licenses. There is no third-party 'ITAR certificate' equivalent to a 9001 cert, which is why verification works differently. The substance of ITAR compliance is control of defense articles and technical data. The fabricated part can be a controlled defense article, but so can the drawing, the 3D model, the flat pattern, and the specification, all of which are ITAR 'technical data.' A shop's real ITAR posture is its compliance program: an empowered official, an export-control plan, access controls, and the discipline to keep technical data away from foreign persons absent authorization.

Technical data, U.S. persons, and the deemed-export trap

The most common ITAR mistake in sheet metal never involves a physical export. Under ITAR, releasing controlled technical data to a foreign person inside the United States is a 'deemed export' that requires authorization just as if it were shipped overseas. A shop that emails a USML drawing to a foreign-national engineer on staff, or uploads it to a quoting platform that routes work offshore, can violate ITAR without a part ever leaving the building. This is why a compliant defense fabricator controls access tightly: technical data is stored on U.S.-based servers with access restricted to U.S. persons (citizens, lawful permanent residents, and certain protected individuals), foreign-national employees are screened out of controlled programs or covered by a license or technical assistance agreement, and cloud and email systems are configured to keep data inside U.S. jurisdiction. Many defense shops use ITAR-compliant infrastructure that enforces these boundaries. For a buyer, the takeaway is that ITAR compliance starts at the RFQ, not at the loading dock. Before you transmit a controlled drawing, confirm the shop is registered, that their data systems keep your technical data with U.S. persons, and that they will not flow the work to an unregistered or foreign subcontractor for cutting, forming, plating, or finishing without proper authorization.

Verifying a shop's ITAR posture before you share a drawing

Because there is no public certificate and the DDTC registration list is not openly searchable, verification leans on documentation the shop provides. Ask for their DDTC registration code (the letter-and-number identifier issued on registration) and confirmation that the registration is current for the year. A registered shop can produce this readily; hesitation is a warning sign. Go beyond the registration to the compliance program. Ask who their Empowered Official is, whether they maintain a written export-compliance program, how they segregate technical data, and how they screen personnel for U.S.-person status. Ask specifically how subcontracted operations are handled: plating, anodize, NDT, and heat treat are routinely outsourced, and every one of those subcontractors who touches the controlled article or its technical data must also be ITAR compliant. A shop that cannot describe how it controls its own supply chain is a liability. Red flags: a shop that offers to take your defense drawing through a generic offshore-linked quoting portal, that cannot name an Empowered Official, that stores data on consumer cloud services without geographic controls, or that treats ITAR as interchangeable with EAR. EAR (the Export Administration Regulations under the Commerce Department) governs dual-use items and is a different regime; a shop conflating the two has not done the work.

Where ITAR overlaps with quality certifications on defense parts

ITAR registration says nothing about whether a shop can actually hold your tolerances or build flight-quality hardware. It is purely an export-control status. That is why defense sheet metal almost always pairs ITAR registration with a quality certification, most commonly AS9100 for airborne or aerospace defense hardware or ISO 9001 for ground systems and support equipment. The two answer entirely different questions: ITAR asks 'who may handle this,' and the quality cert asks 'can they make it right.' For the part itself, defense drawings frequently invoke military specifications: chemical conversion coating per MIL-DTL-5541 on aluminum, anodize per MIL-A-8625, painting and CARC systems, welding to AWS D17.1 for aerospace, and NDT requirements. Many of these special processes also require NADCAP accreditation at the processor, so a fully compliant defense supply chain layers ITAR registration, a quality system, and NADCAP-accredited special processes together. The buyer's job is to confirm all three dimensions independently. A shop can be ITAR registered and AS9100 certified yet outsource welding to a processor that is neither, breaking the chain. Verify that every operation touching the controlled article, in-house or subcontracted, stays inside both the export-control boundary and the quality framework your contract demands.

Frequently Asked Questions

No, and that is the most common misunderstanding. ITAR registration with the State Department's DDTC is an enrollment, not a third-party audit, so there is no scoped certificate equivalent to an ISO 9001 or AS9100 cert. What a registered shop can provide is its DDTC registration code, the letter-and-number identifier assigned at registration, and confirmation that the registration is current for the year. Some shops will state ITAR registration in a capability statement or a compliance letter on company letterhead, often signed by their Empowered Official. Treat that as a starting point, not proof of competence, because registration only establishes the company as a known manufacturer or exporter of defense articles. The real evidence of ITAR readiness is the compliance program: a named Empowered Official, a written export-compliance plan, U.S.-person access controls, U.S.-based data storage, and personnel screening. Ask about those directly. A shop serious about defense work will walk you through them; a shop that just says 'we're ITAR' and cannot describe how it controls technical data is exposing you to risk regardless of any letter it sends.
Only if you have confirmed the shop is ITAR registered and that their systems keep your technical data with U.S. persons inside U.S. jurisdiction. A USML drawing, flat pattern, 3D model, or specification is ITAR-controlled technical data, and releasing it to a foreign person, even one standing inside the United States, is a 'deemed export' requiring authorization. The classic violation is uploading a defense drawing to a generic online quoting portal that routes the file to offshore or foreign-national reviewers, or emailing it to a shop with foreign-national engineers who lack a license or technical assistance agreement. Before you transmit anything, verify the shop's registration, confirm their email and file-sharing systems store data on U.S.-based infrastructure with access restricted to U.S. persons, and confirm they will not flow the drawing to an unregistered or foreign subcontractor. When in doubt, use a controlled file-transfer method the shop designates rather than ordinary email or consumer cloud links. ITAR compliance begins at the RFQ, so the safest path is to vet the supplier before the first drawing ever leaves your system.
Yes. ITAR follows the controlled defense article and its technical data through the entire supply chain, not just the prime fabricator. When a sheet metal shop outsources anodize per MIL-A-8625, chemical conversion coating per MIL-DTL-5541, painting, heat treat, welding, or NDT, the controlled part and often its drawing move to that subcontractor, so each one that handles the article or its technical data must also maintain ITAR compliance. A shop can be properly registered yet break the chain by sending your defense parts to a coater that stores drawings on uncontrolled systems or employs foreign nationals without authorization. This is why you should ask the fabricator specifically how it controls its supply chain: whether its special-process sources are themselves registered and how it flows down export-control requirements in its purchase orders. Many of these same processes also require NADCAP accreditation for quality, so a fully compliant defense supply chain layers ITAR registration, a quality system like AS9100, and NADCAP-accredited processors together. Verify the whole chain, because the weakest uncontrolled link is where the violation happens.
They are two separate U.S. export-control regimes, and conflating them is a sign a shop has not done its compliance homework. ITAR (22 CFR 120-130), administered by the State Department's DDTC, controls defense articles and defense services described on the U.S. Munitions List, the clearly military items. EAR (the Export Administration Regulations, 15 CFR), administered by the Commerce Department's Bureau of Industry and Security, controls dual-use items, things with both commercial and military application, classified under the Commerce Control List by ECCN. A sheet metal part can fall under either regime depending on its design and end use: a bracket for a guided-missile system is likely ITAR, while a chassis for commercial communications gear with potential military use may be EAR. The jurisdiction determines who must register, what licenses apply, and how technical data is controlled. For a buyer, the practical step is to know your part's jurisdiction before you source it, and to confirm the fabricator understands which regime governs your hardware. A shop that treats ITAR and EAR as interchangeable, or assumes everything defense is automatically ITAR, may mishandle your data or misadvise you on licensing.

Last updated: July 2026

Find ITAR-Certified Sheet Metal Suppliers

Search verified sheet metal shops that hold ITAR.

No logins. No email gates. Just results.