🛡️ ITAR
ITAR-Registered Waterjet Cutting for Defense and USML-Controlled Parts
Sourcing waterjet cutting for a defense program is less about the machine and more about who is allowed to touch the drawing: ITAR turns a routine cutting job into a controlled transfer of technical data the moment a part falls under the U.S. Munitions List. The critical thing buyers misunderstand is that ITAR is a registration and compliance obligation enforced by the State Department, not a quality certificate you can audit like ISO. This page explains what that means on a waterjet floor.
ITARAS9100ISO 9001
ITAR Is a Registration, Not a Quality Certification
The most important correction up front: ITAR registration is not a certificate of quality and there is no ITAR audit body issuing a wall plaque. The International Traffic in Arms Regulations (22 CFR Parts 120-130) are administered by the Directorate of Defense Trade Controls (DDTC) within the U.S. Department of State. A manufacturer or exporter of defense articles or services must register with DDTC under Part 122, pay the annual registration fee, and receive a registration code. That registration is the baseline obligation; it does not by itself authorize exports, which require licenses or exemptions.
For a waterjet shop, ITAR applicability is triggered by what it cuts and the technical data it receives. If the part is a defense article on the U.S. Munitions List, or if cutting it constitutes a defense service, the shop must be DDTC-registered and must control the associated technical data. Crucially, ITAR attaches to the technical data and the part, not to the cutting process itself. A shop can be a flawless cutter and still be non-compliant if it lets a non-U.S. person view the controlled drawing.
USML Scope and When a Cut Part Becomes Controlled
Whether your waterjet job is ITAR-controlled depends on the U.S. Munitions List categories in 22 CFR 121.1. Parts and components specifically designed or modified for defense articles fall under their parent category, for example Category VIII (aircraft and associated equipment), Category IV (launch vehicles and missiles), or Category XII (fire control and related). A bracket cut from titanium is unremarkable until it is specifically designed for a controlled aircraft, at which point the drawing and the part are ITAR technical data and defense articles respectively.
Many dual-use items have migrated to the Commerce Control List under EAR (Export Administration Regulations) through export control reform, so part of a buyer's due diligence is confirming whether the item is genuinely ITAR (State/USML) or EAR (Commerce/CCL). This jurisdiction question is the buyer's or prime's responsibility, often resolved through a commodity jurisdiction determination. For the waterjet supplier, the practical line is simple: if the customer flows down that the drawing is ITAR-controlled, the shop must treat the data as controlled and restrict access to U.S. persons regardless of how mundane the cutting operation looks.
Technical Data, U.S. Persons, and the Deemed-Export Trap
ITAR's teeth, for a cutting shop, are in technical data control under 22 CFR 120.10 and the U.S.-person rule. Technical data includes the drawings, CAD models, cut programs, and specifications needed to manufacture a defense article. Disclosing that data to a foreign person, even one standing on the shop floor in the United States, is a deemed export and generally requires authorization. This is the trap that catches well-run shops: a non-U.S.-person machinist, a contract programmer, or an offshore IT vendor with server access can constitute an unauthorized export.
A compliant ITAR waterjet supplier therefore controls who programs the nests, who can open the files, and where the data lives. Expect access controls limiting controlled drawings to U.S. persons (citizens, permanent residents, and certain protected individuals), segregated or domestically hosted servers, and an internal compliance program with a designated empowered official. ITAR-aware cloud and ITAR-compliant data handling are now standard expectations. The cutting is trivial; the data perimeter is everything, and violations carry civil penalties into the millions per occurrence and potential criminal exposure.
How to Verify a Supplier's ITAR Standing
You cannot look up an ITAR 'certificate' because there isn't one, but you can verify the substance. Ask the supplier for its DDTC registration code and confirmation that its Part 122 registration is current; registration codes are issued by DDTC and a legitimate registrant can provide theirs. Many defense buyers require this in writing on a supplier survey along with attestation of an ITAR compliance program and a named empowered official.
Go further on the controls that actually prevent violations: ask how technical data is segregated, whether all personnel and IT vendors with access are U.S. persons, and whether they use ITAR-compliant data hosting. For programs touching controlled unclassified information, CMMC and NIST SP 800-171 cybersecurity posture is increasingly required alongside ITAR. Red flags include a shop that cannot produce a registration code, vague answers about who can access drawings, offshore programming or IT support, and conflating ISO 9001 with ITAR compliance. Pair ITAR registration with AS9100 when the part is also flight hardware, since ITAR says nothing about cut quality.
Frequently Asked Questions
No, and any supplier presenting an 'ITAR certificate' as if it were an ISO-style accreditation is misrepresenting how the regulation works. ITAR compliance rests on registration with the Directorate of Defense Trade Controls under 22 CFR Part 122, which produces a registration code, not a quality certificate, and there is no independent ITAR audit body issuing accreditations. What you can and should request is the supplier's DDTC registration code, written confirmation that its registration is current and the annual fee is paid, and attestation that it maintains an ITAR compliance program with a designated empowered official. Beyond registration, the meaningful evidence is in the controls: how technical data is segregated, confirmation that everyone with access to controlled drawings is a U.S. person, and how data is hosted. Defense buyers typically capture all of this on a supplier survey or in flow-down terms rather than relying on a certificate. Treat ITAR as a legal-compliance posture you verify through documentation and questioning, not a badge you can scan in a registry.
It comes down to the U.S. Munitions List in 22 CFR 121.1 and whether the item is specifically designed or modified for a defense article. A generic plate cut to a generic shape is almost never ITAR-controlled on its own. The same cut becomes controlled when the part is a component specifically designed for, say, a controlled military aircraft (Category VIII), a missile or launch vehicle (Category IV), or fire-control equipment (Category XII). The drawing and CAD that define that part become ITAR technical data. Because export control reform moved many formerly USML items to the Commerce Control List under the EAR, you also have to confirm jurisdiction: an item may be EAR-controlled (Commerce) rather than ITAR (State), which changes the rules. The determination is the responsibility of the prime or original manufacturer, often through a formal commodity jurisdiction request to DDTC when ambiguous. For the cutting supplier, the operative trigger is the customer's flow-down: if your purchase order or drawing marks the data as ITAR-controlled, the supplier must handle it as controlled regardless of how ordinary the cut looks.
A deemed export is the release of ITAR technical data to a foreign person inside the United States, and it is the most common way an otherwise compliant shop falls out of compliance. On a waterjet floor, technical data includes the drawings, CAD models, and the cut programs or nests required to manufacture a controlled defense article. If a non-U.S.-person employee programs the job, opens the controlled drawing, or even has casual visual access to it, that disclosure is treated as an export to that person's country of nationality and generally requires prior State Department authorization. The risk extends to IT: an offshore managed-service provider, an overseas software contractor, or a cloud environment accessible to foreign administrators can all constitute unauthorized access. Compliant shops mitigate this by restricting controlled data to verified U.S. persons, segregating it on domestically hosted and access-controlled systems, vetting IT vendors, and training floor staff. Penalties are severe, with civil fines reaching into the millions per violation and potential criminal liability, which is why the data perimeter, not the cutting itself, is where ITAR scrutiny concentrates.
Frequently yes, because the two address completely different things and a defense flight part usually needs both. ITAR registration is a legal export-control obligation; it says absolutely nothing about whether the shop can hold tolerance, control FOD, or produce a defensible first article. AS9100 Rev D is the aerospace quality system that governs configuration management, AS9102 first-article inspection, FOD prevention, and counterfeit-part control. A defense aircraft or missile component cut by waterjet typically falls under both regimes: ITAR because it is a USML-controlled defense article with controlled technical data, and AS9100 because the prime requires aerospace quality discipline. So the ideal supplier carries AS9100 (verifiable in OASIS) and is DDTC-registered with a documented ITAR compliance program. Some non-flight defense hardware, ground support equipment, or lower-criticality components may need ITAR without AS9100, and some commercial aerospace needs AS9100 without ITAR. Match the pair to your part: confirm the quality certification against the criticality and the export-control posture against the USML jurisdiction.
The cutting cost itself barely changes; the compliance overhead is what moves price and schedule. Suppliers maintaining ITAR programs carry real fixed costs: the DDTC annual registration fee, segregated and domestically hosted IT, U.S.-person staffing for controlled work, empowered-official oversight, and increasingly CMMC and NIST SP 800-171 cybersecurity infrastructure for controlled unclassified information. Those costs show up as a higher shop rate, commonly comparable to or stacked on top of an AS9100 premium, so defense waterjet routinely runs well above commercial job-shop pricing. On lead time, the cutting is fast, but onboarding can be slow the first time: executing nondisclosure and technical-assistance arrangements, confirming the data-handling path, and clearing the part through the supplier's compliance review before a non-U.S. jurisdiction question is resolved can add days to weeks before the first chip flies. Once a program is established and the data perimeter is set, repeat production tracks normal waterjet throughput of roughly a week for plate detail work. Budget the ITAR impact onto qualification and data onboarding, not per-part cutting time.
Last updated: July 2026
Find ITAR-Certified Waterjet Cutting Suppliers
Search verified waterjet cutting shops that hold ITAR.
No logins. No email gates. Just results.