ITAR registration

Does your machine shop need to register for ITAR?

A print lands on your floor stamped ITAR. The PO repeats it. You don't have a compliance department — you have a spindle running and a customer waiting. So what do you actually have to do?

Updated June 2026~6 min readDecision support, not legal advice

Here's the plain-English version, without the consultant markup.

The short answer

If you manufacture a defense article that appears on the U.S. Munitions List (USML), you're required to register with the Directorate of Defense Trade Controls (DDTC) — even if you never export anything.

That last part trips up almost everyone. The regulation is explicit. Under 22 CFR 122.1, "a manufacturer who does not engage in exporting must nevertheless register." Making the part is the trigger; shipping it overseas is a separate question. So "I just make the part and hand it to a U.S. prime" does not get you out of it.

What registration actually is (and isn't)

DDTC registration is mostly administrative:

A form and a fee. Tier 1 is $3,000/year as of January 2025 — the first increase since 2008, when it was $2,250. Small filers can apply for a $500 discount (paying $2,500) if $3,000 is 1% or more of annual revenue, which for a one- or two-person shop it often is.
Processing usually runs a couple of weeks.
It puts you on file with the State Department as a manufacturer. It confers no export rights — it's a precondition for licenses, not a license itself.

That part really is straightforward. The part that isn't is what comes next.

The catch most shops miss

Registering is not the same as being compliant. Cutting the check registers you. It does not make you compliant. Compliance is a separate, ongoing job — and it's where the real risk lives.

Compliance is three separate jobs

1. Knowing what's actually controlled

Primes routinely blanket-stamp everything "ITAR" to cover themselves. Some of those parts are genuinely USML; some are controlled under the EAR (a different rulebook, run by Commerce) with an ECCN; some aren't really controlled at all. The care you owe depends on which bucket the part is in. Don't take the stamp at face value — and don't assume it's nothing either. Get the classification confirmed in writing.

2. Controlling who can see the data

ITAR technical data — prints, models, specs — can't be accessed by a foreign person, and that's broad. This is the one that quietly bites small shops: it's not just who you hire, it's anyone who could see the data, and it includes your cloud. A controlled print in consumer Google Drive or Dropbox, or run through a general AI tool like ChatGPT, can count as an unauthorized export. (We go deep on this in the cloud & AI guide.) Keep controlled data off consumer cloud and general-purpose AI tools, and U.S. persons only.

3. Keeping records

A simple, honest log of who has copies of controlled data, plus a short written Technology Control Plan, is the backbone of being able to show you took it seriously.

"But I don't export — I'm just a sub"

Common, and usually wrong. If you manufacture a USML article — including forgings, castings, and machined bodies of a USML end item — the registration obligation can apply regardless of whether you export or who you sell to. Being a subcontractor doesn't automatically exempt you.

A short checklist

Get the part's classification (USML / EAR-with-ECCN / not controlled) in writing from the customer.
If you manufacture a USML article, register with DDTC (and check the small-filer discount).
Lock down access: U.S. persons only on controlled data; keep it off consumer cloud and general AI tools.
Keep a simple log of who holds controlled prints/files.
Write a one-page Technology Control Plan and keep it current.

Why it's worth getting right

Routine audits are rare, which is why "you'll never get caught" is a popular attitude. But the penalties are severe — the maximum ITAR civil penalty is $1,271,078 per violation (2025) — and enforcement is real, especially anything touching exports to restricted parties. The cheap insurance isn't a $50,000 consultant. It's knowing which parts are actually controlled, keeping foreign-person access and consumer cloud/AI away from them, and writing a one-page control plan.

Built for shops like yours

Know which parts are actually controlled — and prove it.

DepChain reads your drawings and BOMs, tells you which export rules apply to each part with the reasoning shown and the regulation cited, flags deemed-export and AI-tool risk, and generates your Technology Control Plan and audit trail. Join the waitlist for early access.

Bay Area shops get early access first. No spam, ever. Or email [email protected].

This guide is general information to help you ask the right questions — it is not legal advice and isn't a substitute for qualified export-control counsel. Fees and regulations change; verify specifics against primary sources (DDTC for ITAR, BIS for EAR) before you act.