A Comprehensive Guide to ITAR for Metal Fabricators

For manufacturers working with defense-related products or operating within the defense supply chain, understanding ITAR—International Traffic in Arms Regulations—isn’t just important. It’s mandatory. These regulations control the export and import of defense articles, technical data, and services listed on the United States Munitions List (USML), and compliance requirements continue to evolve with changing geopolitical realities and technological advances.

Whether you’re a defense contractor evaluating fabrication partners or a manufacturer trying to understand ITAR requirements for the first time, navigating these regulations requires both vigilance and expertise. With regulatory enforcement intensifying in 2025 and the U.S. Department of State implementing the most substantial regulatory revisions in nearly a decade, staying current with ITAR compliance has never been more critical.

What Exactly is ITAR?

ITAR is a set of U.S. government regulations administered by the Directorate of Defense Trade Controls (DDTC), a division of the U.S. Department of State. The primary goal is straightforward but serious: safeguard U.S. national security by ensuring sensitive defense-related materials, technical data, and services don’t fall into unauthorized hands.

Items regulated by ITAR fall under the United States Munitions List (USML), which includes 21 categories of defense articles:

• Firearms and ammunition
• Military vehicles and equipment
• Aircraft, spacecraft, and associated equipment
• Protective personnel equipment
• Military electronics and communication systems
• Technical data including blueprints, design instructions, and software
• Defense services including manufacturing assistance, training, and technical support

The scope extends beyond physical items. Even sharing regulated technical data with unauthorized individuals—whether domestically or internationally—can result in serious violations. This broad reach makes ITAR compliance essential for every company in the defense manufacturing ecosystem, regardless of their specific role in the supply chain.

The Evolving ITAR Landscape: 2024-2025 Regulatory Changes

ITAR regulations don’t stand still. The Department of State’s Directorate of Defense Trade Controls has unveiled an ambitious regulatory agenda for 2025, with 14 planned actions that will significantly revise ITAR and the USML. This represents the most substantial number of regulatory changes in nearly a decade, reflecting both technological advances and evolving international security partnerships.

Recent Major Updates

USML Revisions (September 2025)
The State Department implemented targeted revisions to the USML, removing or reclassifying items that no longer meet the threshold for control under ITAR. Items removed include lead-free birdshot, certain GPS anti-spoofing systems, and specific anti-jam antennas. The changes also added new exemptions for underwater vessels that warrant USML description but are highly suitable for scientific research and commercial operations.

Manufacturers should carefully review the updated USML to determine whether their products still fall under ITAR jurisdiction or may have shifted to Commerce Department jurisdiction under the Export Administration Regulations (EAR).

International Partnership Expansions
New licensing exemptions and expedited review policies for Australia, the United Kingdom, and Canada took effect in September 2024 as part of the AUKUS security partnership implementation. While these regulatory changes further AUKUS objectives, the exemptions and expedited reviews aren’t limited exclusively to AUKUS-related activities, potentially streamlining certain international defense cooperation projects.

Country Policy Updates (July 2025)
The DDTC updated country designations affecting defense trade policies. Finland and Sweden were formally added to NATO definitions in ITAR regulations, while Colombia, Kenya, and Qatar received major non-NATO ally designations. Policies toward several countries including Nicaragua, the Democratic Republic of the Congo, Central African Republic, and others were also updated to reflect recent United Nations Security Council resolutions.

Space-Related Controls Modernization
Significant updates to USML Categories IV and XV aim to streamline exports for nonmilitary space initiatives and ease regulatory burdens for civil and allied space activities while maintaining robust national security standards. These changes reflect the growing commercial space industry and the need to balance security concerns with technological advancement.

What’s Coming Next

Several significant regulatory changes are expected throughout 2025 and beyond:

“Deemed Export” Rule Changes
Proposed rules will revise how ITAR handles “deemed exports” of technical data to foreign persons, limiting deemed exports to countries where the foreign person currently holds citizenship or permanent residency, rather than all countries where they have ever held citizenship. This change could significantly simplify compliance for companies employing naturalized U.S. citizens.

Remote Work Clarifications
Updated definitions of “regular employee” will explicitly allow subject persons to work remotely and clarify which contractual relationships meet the definition of regular employee. These changes acknowledge the post-pandemic shift in work arrangements while maintaining security requirements.

Emerging Technologies Focus
Ongoing USML revisions will continue adding entries for critical and emerging technologies that warrant inclusion while removing items that no longer require ITAR-level control. Manufacturers working with cutting-edge technologies should monitor these updates closely.

Who is Subject to ITAR?

ITAR applies to all manufacturers, exporters, and brokers of items listed on the USML. But compliance obligations extend far beyond direct manufacturers—the entire supply chain must meet ITAR requirements. If your company provides components, materials, fabrication services, or technical assistance that contribute to a defense product, you’re likely subject to these regulations.

This supply chain requirement creates a compliance ecosystem where a single non-compliant vendor can jeopardize an entire defense program. Defense contractors evaluating fabrication partners must verify ITAR registration and compliance capabilities before awarding contracts. For precision metal fabrication and machining services, ITAR compliance isn’t optional—it’s a fundamental requirement for participating in defense work.

U.S. Persons vs. Foreign Nationals

One of ITAR’s most challenging aspects involves controlling access to defense articles and technical data based on citizenship and residency status. ITAR restricts this access to “U.S. persons,” defined as:

• U.S. citizens
• Lawful permanent residents (green card holders)
• Certain protected individuals under U.S. law

Foreign nationals—even if employed by a U.S. company—may not access ITAR-regulated items or technical data without specific export licenses. This creates significant operational challenges for companies operating internationally or employing diverse workforces. Organizations must carefully balance compliance requirements with employment laws prohibiting discrimination based on national origin, creating complex HR and operational considerations.

For manufacturers, this means implementing strict access controls not just at facility entry points but throughout the production environment. Manufacturing facilities handling ITAR work must establish segregated areas, controlled access systems, and rigorous documentation of who accesses what information and when.

The Role of the USML in ITAR Compliance

The United States Munitions List serves as the definitive catalog of defense articles, technical data, and services subject to ITAR control. Updated regularly to reflect technological advances and geopolitical shifts, the USML organizes controlled items into 21 categories ranging from firearms (Category I) to miscellaneous articles (Category XXI).

Understanding USML categorization is critical for compliance. Items are described in detailed paragraphs that specify not just physical articles but also associated technical data, software, and services. For example, Category VIII covers aircraft and related articles, but it also controls:

• Technical data related to aircraft design and manufacture
• Software for flight control or weapons systems
• Defense services including assembly, testing, or maintenance training

The USML’s definition of technical data deserves special attention. It encompasses design plans, engineering drawings, manufacturing instructions, software, and even verbal or visual instructions related to defense articles. For fabrication and engineering services, this means process documentation, CAD files, inspection procedures, and quality control systems may all require protection as ITAR-controlled technical data.

Recent USML updates reflect a more targeted approach, removing items that no longer provide critical military advantages while adding descriptions for emerging technologies. Manufacturers should review their product classifications regularly and, when uncertain, request a Commodity Jurisdiction (CJ) determination from the DDTC to confirm proper classification.

ITAR Compliance Challenges for Manufacturers

Complying with ITAR presents multifaceted challenges that extend beyond simple regulatory checkbox exercises. Manufacturers face operational, technological, and organizational hurdles that require systematic approaches and ongoing vigilance.

Complex Supply Chain Management

Modern defense products often incorporate components from multiple suppliers across extended supply chains. Each supplier must maintain ITAR compliance, meaning a single non-compliant vendor can compromise the entire production program. For a company providing precision sheet metal fabrication for defense applications, this requires:

• Verifying all subcontractors maintain current DDTC registration
• Ensuring material suppliers understand ITAR requirements for defense-related metals
• Confirming finishing and coating services providers implement proper access controls
• Maintaining documentation of the entire supply chain’s compliance status

Supply chain verification isn’t a one-time activity. Manufacturers must conduct regular audits, monitor registration renewals, and immediately address any compliance gaps that emerge among suppliers or subcontractors.

Employee Access Restrictions and HR Challenges

ITAR’s limitations on foreign nationals create significant operational and human resources challenges. Companies must implement strict access controls while navigating employment discrimination laws. This requires:

• Screening applicants for citizenship status without violating equal employment opportunity regulations
• Creating physical and digital barriers separating ITAR-controlled areas from general operations
• Implementing badge systems, access logs, and controlled entry procedures
• Training HR personnel on legally permissible screening questions and processes
• Establishing procedures for when employees’ citizenship status changes

Technical Data Security in the Digital Age

Protecting ITAR-controlled technical data has become increasingly complex in the era of cloud computing, remote work, and global digital networks. Manufacturers must address:

Cloud Storage Considerations
ITAR-controlled data stored in cloud environments must be protected from foreign access. Recent regulatory amendments clarified that data in transit via the internet isn’t deemed to be stored in countries it passes through, but companies must ensure cloud service providers don’t allow foreign persons access to stored technical data.

Cybersecurity Requirements
Robust cybersecurity measures protect ITAR-controlled information from unauthorized access, theft, or loss. This includes securing networks and systems, implementing end-to-end encryption for data transfers, and conducting regular security assessments. For companies also subject to Defense Federal Acquisition Regulation Supplement (DFARS) requirements, cybersecurity obligations extend to implementing NIST 800-171 controls.

Remote Work Challenges
The post-pandemic shift to remote and hybrid work arrangements creates additional ITAR compliance complications. Companies must ensure home offices meet security requirements, implement VPN and access controls for remote connections, and verify that employees’ household members cannot access ITAR-controlled data.

Navigating International Laws and Conflicting Regulations

Companies operating globally face potential conflicts between ITAR and foreign regulations. Some countries’ labor laws may prevent restricting access based on nationality, creating direct conflicts with ITAR’s U.S. person requirements. Manufacturers must carefully navigate these legal tensions, often requiring specialized legal counsel to develop compliant approaches that satisfy both U.S. and foreign legal obligations.

Severe Penalties for Non-Compliance

The consequences of ITAR violations underscore why compliance must be taken seriously. Since 1981, the U.S. has averaged one new manufacturing-related regulation every week, and enforcement has intensified significantly. Penalties for ITAR violations can include:

• Fines up to $1 million per violation
• Criminal charges resulting in imprisonment
• Debarment from government contracts
• Loss of export privileges
• Mandatory compliance programs with external oversight
• Substantial legal fees and settlement costs

Recent enforcement actions demonstrate these aren’t theoretical risks. A U.S. manufacturer settled allegations in March 2023 for approximately $27 million across three government entities. The most notable historical enforcement was the $100 million penalty applied to ITT for unauthorized retransfer of night vision technology. Major defense contractors including Lockheed Martin, Boeing, and Northrop Grumman have all faced penalties for alleged ITAR breaches in recent years.

Best Practices for ITAR Compliance

Staying compliant requires a proactive, systematic approach embedded throughout the organization’s culture and operations. Manufacturers should implement these fundamental best practices:

1. Register with the DDTC

All manufacturers, exporters, and brokers of USML items must register with the Directorate of Defense Trade Controls. Registration follows a three-tier fee structure:

• Tier 1: $3,000 per year for most manufacturers
• Tier 2: $2,750 per year for certain small businesses
• Tier 3: Lower fees for specific limited operations

Registration isn’t merely an administrative formality—it’s the foundation demonstrating your company’s commitment to ITAR compliance and prerequisite for legally manufacturing or handling defense articles.

2. Develop a Comprehensive Compliance Program

Create documented ITAR compliance programs outlining policies, procedures, training requirements, and responsibilities. Effective programs should address:

• Clear classification procedures for determining which items and data fall under ITAR
• Export licensing processes and approval workflows
• Technical data management and access control protocols
• Employee screening and access authorization procedures
• Supplier and subcontractor verification systems
• Incident reporting and corrective action processes
• Regular compliance audits and program updates

Appoint a designated ITAR Compliance Officer with authority and resources to implement and enforce the compliance program across the organization.

3. Implement Robust Technical Data Security

Protecting ITAR-controlled technical data requires multi-layered security approaches:

• Physical Security: Establish controlled access areas for ITAR work with badge systems, visitor logs, and restricted entry procedures
• Digital Security: Use secure servers, implement end-to-end encryption for data transfers, establish VPN requirements for remote access, and maintain network segregation between ITAR and non-ITAR systems
• Data Classification: Clearly mark all ITAR-controlled documents, drawings, and files with appropriate classification and handling instructions
• Disposal Procedures: Implement secure destruction processes for ITAR-controlled materials, including shredding documents and sanitizing digital storage media

For manufacturing operations handling both commercial and defense work, physical and digital segregation between ITAR-controlled and non-controlled areas becomes essential for preventing inadvertent violations.

4. Train Employees Regularly and Comprehensively

Compliance depends on employees understanding their responsibilities and recognizing ITAR-controlled materials. Implement training programs that include:

• Initial ITAR awareness training for all employees with potential exposure to defense work
• Role-specific advanced training for employees directly handling ITAR-controlled items or data
• Annual refresher training to reinforce requirements and update on regulatory changes
• Documented training records demonstrating each employee’s completion and understanding
• Testing or certification requirements to verify comprehension

Focus training particularly on roles directly interacting with regulated items: engineering teams, production personnel, quality control, procurement, and logistics staff all require thorough ITAR education tailored to their specific responsibilities.

5. Audit Your Supply Chain Systematically

Supply chain compliance verification protects your organization from violations introduced by suppliers or subcontractors. Establish systematic processes for:

• Pre-qualification screening verifying suppliers’ DDTC registration before awarding contracts
• Contractual compliance clauses requiring suppliers to maintain ITAR compliance throughout the business relationship
• Periodic audits confirming ongoing compliance and addressing any gaps
• Monitoring suppliers’ registration renewals and compliance status changes
• Documented procedures for responding to supplier compliance failures

For companies providing fabrication and cnc machining services to defense contractors, demonstrating robust supply chain oversight becomes a competitive differentiator when bidding on contracts.

6. Maintain Meticulous Records

Comprehensive documentation proves compliance during audits and investigations. Maintain detailed records including:

• DDTC registration certificates and renewal documentation
• Export licenses, Technical Assistance Agreements (TAAs), and Manufacturing License Agreements (MLAs)
• Access logs showing who accessed what ITAR-controlled items or data and when
• Training records for all employees
• Supply chain verification and audit documentation
• Incident reports and corrective actions
• Correspondence with DDTC regarding classifications, license applications, or compliance questions

Establish record retention policies ensuring documentation remains available for the periods required by ITAR regulations and potential government audits.

7. Engage Legal and Compliance Expertise

ITAR’s complexity makes specialized expertise valuable. Consider:

• Retaining legal counsel specializing in export controls for complex classification questions or licensing applications
• Engaging compliance consultants to audit your program and identify gaps
• Participating in industry associations and Defense Trade Advisory Group (DTAG) activities to stay informed of regulatory developments
• Consulting with the DDTC directly when facing classification uncertainty or unique compliance situations

Many companies find that investing in expert guidance costs far less than addressing violations or losing defense contracts due to compliance deficiencies.

How ITAR Benefits National Security

While compliance challenges are real, ITAR serves vital national security functions that benefit the defense industrial base and the nation. By controlling access to sensitive technologies, ITAR helps:

• Prevent adversaries from gaining strategic advantages through access to U.S. defense technology
• Ensure allied nations receiving defense articles meet security and end-use requirements
• Maintain U.S. technological superiority in critical defense systems
• Support foreign policy objectives by controlling defense exports to specific countries or entities
• Create accountability throughout the defense supply chain

Companies maintaining strong ITAR compliance contribute directly to these national security objectives while positioning themselves as trustworthy partners for defense work.

EVS Metal’s ITAR Compliance Capabilities

EVS Metal operates an ITAR-registered metal fabrication and manufacturing facility in Pflugerville (Austin), Texas. As an ITAR-registered manufacturer, EVS has received federal clearance to submit bids and supply finished defense articles for the United States Government and its authorized subcontractors.

Our Texas facility combines ITAR compliance with advanced precision sheet metal fabrication and manufacturing capabilities:

• Comprehensive Fabrication Services: Precision sheet metal fabrication, CNC machining, robotic welding, and powder coat finishing
• Quality Certifications: ISO 9001:2015 certified operations ensuring quality management systems meet international standards for defense manufacturing
• Technical Expertise: Engineering support services including design for manufacturability, value engineering, and technical problem-solving
• Supply Chain Integration: Logistics and assembly capabilities supporting just-in-time delivery and complex project coordination

ITAR compliance isn’t an isolated function at EVS—it’s integrated into our quality management systems, employee training programs, facility access controls, and supplier management processes. Our compliance framework ensures defense contractors can confidently source precision metal fabrication knowing their ITAR requirements will be met throughout the manufacturing process.

For defense contractors requiring ITAR-compliant fabrication partners, our Texas facility provides domestic manufacturing capacity with the quality systems, technical capabilities, and compliance infrastructure that defense programs demand. Whether you need prototype development, production manufacturing, or ongoing capacity support, our ITAR registration enables us to support your defense manufacturing requirements.

The Bottom Line

For manufacturers involved in defense-related products, ITAR compliance isn’t optional—it’s essential for legal operation, national security, and business sustainability. From securing technical data to managing complex supply chains, every aspect of operations must align with these evolving regulations.

With the Department of State implementing the most substantial regulatory revisions in nearly a decade and enforcement agencies intensifying compliance scrutiny in 2025, staying current requires ongoing attention and systematic approaches. Understanding ITAR’s requirements, implementing comprehensive compliance programs, maintaining robust technical data security, training employees thoroughly, and verifying supply chain compliance create the foundation for successful defense manufacturing operations.

Companies that invest in strong compliance programs not only avoid penalties—they position themselves as trusted partners in the defense industrial base, capable of delivering the quality, security, and accountability that defense programs require.

If you’d like to learn more about EVS Metal’s ITAR-compliant fabrication and manufacturing capabilities, contact us today. We’re here to help guide you through the complexities of defense manufacturing while delivering the precision metal fabrication your projects demand.