ITAR-compliant PCB assembly isn't a checkbox a contract manufacturer ticks once — it's an active compliance posture, audited at any time by the State Department's Directorate of Defense Trade Controls (DDTC), with criminal-liability exposure for the CM, the OEM, and individual employees when something goes wrong. For defense OEMs sourcing PCB assembly under any program that touches the U.S. Munitions List (USML), the question isn't whether a contract manufacturer is "ITAR-registered" — that's the floor. The question is whether their day-to-day operations actually enforce ITAR jurisdiction, foreign-person access controls, recordkeeping, and the cascading agreements (TAA, MLA, exemptions) that govern who can touch your technical data. This 10-point vetting guide walks defense OEMs through what to verify before placing a PO.
It's the screening script our customer-quality team uses when defense primes pre-qualify suppliers — every question maps to a specific clause in 22 CFR Parts 120–130 or a DDTC enforcement pattern.
Why ITAR is the highest-stakes compliance posture in U.S. manufacturing
ITAR — the International Traffic in Arms Regulations — governs the export, import, and brokering of defense articles and services on the USML. Unlike violations of commercial-export regulations under EAR (Export Administration Regulations), ITAR violations carry criminal penalties: up to $1 million per violation in civil penalties, and $1 million plus 20 years imprisonment in criminal penalties, per occurrence. DDTC has prosecuted multiple cases where engineers, contractors, and corporate officers were personally indicted for ITAR violations involving offshore manufacturing transfers, foreign-national engineer access, and inadequate technical-data controls. For a defense OEM, choosing a CM whose ITAR posture is weak isn't just a procurement risk — it's a personal-liability risk for whoever signs the purchase order.
The flip side: the universe of CMs that can credibly perform ITAR-controlled work is small, and competitive RFQs in this market are won on demonstrated compliance posture as much as on price or lead time. A CM that walks an OEM's quality team through this 10-point list confidently has done the work. One that hand-waves at any of these questions is a liability waiting to surface during a DDTC inspection.
The 10-point ITAR vetting checklist
1. What does "ITAR-registered" actually mean for a contract manufacturer?
ITAR registration is a State Department filing under 22 CFR Part 122 — any U.S. person who manufactures, exports, or temporarily imports defense articles must register with DDTC and pay an annual fee. Registration itself is administrative; it does not authorize specific transactions. A CM's DDTC registration number (M-prefix code) confirms they're on the list, but says nothing about whether their actual operations enforce ITAR controls. Verify the registration number on the CM's quote or capabilities document, then ask: "What does your compliance program look like beyond the registration filing?" An ITAR-credible CM has a documented compliance manual, a designated empowered official, a recurring internal-audit cadence, and annual employee training records. A CM whose answer stops at "we're ITAR-registered" is at the floor.
2. How does ITAR jurisdiction actually work for PCBA — when does a board fall under the USML?
The 2014 USML reform moved most generic electronic components to EAR jurisdiction, but specific finished defense articles and their direct-replacement components remain on the USML — Category XI(c) covers most defense electronics components, Category XII covers fire-control and sensors, Category VIII covers aircraft components. A PCBA falls under ITAR when it's specifically designed, modified, or configured for a USML end-item, or when its technical data is explicitly USML-listed. A CM building your board needs to receive a written jurisdiction determination from you (the OEM, as legal manufacturer) — they can't unilaterally classify your product. Ask the CM: "How do you intake jurisdiction determinations from your OEM customers, and where do you record them in your QMS?" Expect a specific procedure and document examples.
3. Is ITAR registration sufficient, or do I also need ITAR-compliant procedures?
Registration is necessary but radically insufficient. ITAR compliance requires documented procedures covering: technical-data access controls (who can see drawings, BOMs, firmware), physical-security controls (visitor management, badging, controlled-area boundaries), foreign-person identification and screening (who works on what, citizenship documentation), recordkeeping (5 years minimum per 22 CFR 122.5), and an employee compliance-training program. Ask to see the CM's compliance manual table of contents and the date of the most recent revision. A CM that produces a manual revised in the last 12-18 months is actively maintaining the program; one whose manual was last touched in 2019 is going through the motions.
4. What's the actual difference between ITAR and EAR, and why does it matter for my program?
ITAR (22 CFR 120-130, administered by DDTC) covers defense articles on the USML and generally requires specific licensing or exemptions for export, foreign-person access, or any cross-border transfer. EAR (15 CFR 730-774, administered by the Commerce Department's BIS) covers dual-use commercial technology — broader scope but generally lower compliance burden. Many electronics components live in a gray zone where reclassification under the 2014 USML reform moved them from ITAR to EAR with caveats. For your specific PCBA program, the determination matters because ITAR-controlled components require U.S.-person-only access during manufacture; EAR-controlled components typically don't. Ask the CM: "How do you handle mixed-jurisdiction programs where some components are ITAR and others are EAR?" Expect a segregation protocol, not a single bucket.
5. Can a U.S. CM legally use foreign-national engineers on my ITAR-controlled PCBA program?
Generally no, absent specific authorization. Under ITAR, transfer of controlled technical data to a foreign person is itself an export — even if the foreign national is physically in the United States. A CM employing foreign-national engineers, technicians, or even janitorial staff in areas where ITAR technical data is accessible needs either: (a) specific DDTC licensing covering those persons, (b) an applicable license exemption (rare for ongoing access), or (c) physical and electronic controls that prevent foreign-person access entirely. Ask the CM: "How do you verify the citizenship status of every employee who has access to ITAR-controlled programs, and how is that documented?" Expect an I-9-plus process with documented citizenship verification and a controlled-area access matrix that maps roles to authorized programs.
6. How does ITAR interact with DFARS 252.225-7012 (Buy American) flow-down?
DFARS 252.225-7012 ("Preference for Certain Domestic Commodities") and DFARS 252.225-7008 govern the Buy American Act flow-down for defense contracts — generally requiring U.S. manufacture and U.S.-mined or -produced specialty metals for most defense programs. ITAR and DFARS Buy American operate in parallel: a CM building ITAR-controlled defense electronics must satisfy both ITAR jurisdiction and Buy American domestic-content requirements. Ask the CM: "Walk me through your specialty-metals tracking for defense programs — how do you document that the steel, copper, and titanium in your supply chain comes from qualifying countries?" An ITAR-credible CM serving defense primes has a documented specialty-metals certification process and will produce sample certifications under NDA.
7. What records does an ITAR-registered CM need to keep for my program?
Per 22 CFR 122.5, an ITAR-registered manufacturer must maintain records of all defense-article manufacturing activities for at least 5 years from the date of the activity. This includes: technical-data receipt logs (what you sent them, when, in what format, who received it), access logs (who internally accessed the data and when), build records linking the manufacture to the specific USML jurisdiction determination, disposal records when controlled data leaves their custody, and training records for employees with access. Ask the CM: "If DDTC inspects you tomorrow and asks for the records associated with program XYZ from 18 months ago, what's your response process?" An ITAR-credible CM produces a sample record set in 24-48 hours; a CM whose recordkeeping is reactive will scramble and produce gaps.
8. What's the DDTC voluntary disclosure process if something goes wrong?
DDTC's voluntary disclosure program (described in DDTC's guidelines) materially reduces penalties when a CM self-reports a violation before DDTC discovers it. The reduction can be the difference between a written warning and seven-figure penalties. Ask the CM: "Has your compliance officer ever filed a voluntary disclosure? Walk me through how that process worked." A CM that has run a voluntary disclosure has tested their compliance posture under real conditions and has institutional knowledge of how to respond when a near-miss happens. A CM that has never filed one isn't necessarily worse — but their answer to this question reveals how seriously they treat enforcement risk.
9. Do I need a Technical Assistance Agreement (TAA) or Manufacturing License Agreement (MLA) for the CM relationship?
Generally no for a U.S. OEM to U.S. CM relationship — TAAs and MLAs are required for transfers to foreign persons or foreign entities, not for domestic CM relationships. However, if the U.S. CM is a subsidiary of a foreign parent, or if the U.S. CM employs foreign nationals, or if any technical data crosses a U.S. border during the work (cloud-based PLM systems hosted overseas are a common gotcha), TAA/MLA exposure can arise. Ask the CM: "Is your parent entity U.S.-owned? Where is your engineering PLM system physically hosted? Do any subcontractors in your supply chain receive technical data?" An ITAR-credible CM has clean answers on all three; a CM with foreign ownership or offshore-hosted IT systems may create additional licensing exposure on your end.
10. How do I actually verify a CM's ITAR registration is current?
The DDTC registration database is not publicly searchable — you cannot Google-verify ITAR registration the way you can verify AS9100D through OASIS. Instead, ask the CM to provide a copy of their current DDTC registration acknowledgment letter (refreshed annually) and their registration code (M-prefix). Cross-reference the registration code on any defense-contract documentation they provide. Additionally, defense primes who use the CM can confirm registration as part of their own supplier-qualification programs — referrals from other defense OEMs are the practical verification path. A CM unwilling to share their registration acknowledgment letter, or one whose registration code doesn't match their stated entity name, is a hard stop.
Red flags during defense-OEM CM vetting
These patterns consistently signal ITAR-posture gaps when running the checklist:
- "We're ITAR-compliant" without a registration code. Compliance is a posture; registration is the prerequisite. No code = no registration = no ITAR-controlled work.
- Foreign-national engineers visible during a facility tour. Not disqualifying by itself, but requires a clear answer to "how is technical-data access controlled in mixed-staffing environments."
- No documented jurisdiction-determination intake process. If they can't tell you how they record which programs are USML-controlled, they're treating ITAR as a blanket policy rather than a per-program discipline.
- PLM or design-data systems hosted on offshore cloud infrastructure. Major TAA exposure even for a U.S. CM working a U.S. program; ask explicitly where every system that touches your data is physically hosted.
- Records older than 5 years on the production floor. Either they're over-retaining (low risk) or they're applying record retention inconsistently (which signals broader compliance-program drift).
- No history of DDTC interactions of any kind. A CM that has done substantial defense work over years has typically interacted with DDTC at least once (a licensing question, a registration renewal, a voluntary disclosure). Total absence of any interaction is unusual and worth probing.
How i-TECH e-Services approaches ITAR-controlled work
i-TECH e-Services operates as an ITAR-registered contract manufacturer at our AS9100D-certified facility in Norcross, Georgia. The ITAR registration is one piece of a broader defense-electronics compliance posture that combines AS9100D quality discipline, AS6081-aligned counterfeit-mitigation procedures, and a documented foreign-person access program. Practical implications for defense OEMs:
- Active DDTC registration with documented annual compliance training, designated empowered official, and current compliance manual. Registration acknowledgment letter available under NDA during supplier qualification.
- U.S.-person-only access controls on defense programs, with documented citizenship verification at hire and program-specific access matrices that map employees to authorized work.
- Domestic IT and PLM infrastructure — engineering data systems hosted within the U.S., with no offshore cloud touch-points for ITAR-controlled programs.
- DFARS 252.225-7012 specialty-metals tracking across the supply chain, with sample certifications available for review during qualification.
- Configuration management and recordkeeping aligned to AS9100D Clause 8.1.2, with technical-data receipt and access logs maintained per 22 CFR 122.5 retention requirements.
- Multi-vertical certification posture — see our aerospace and defense capabilities page for AS9100D + ITAR + IPC J-STD-001 Class 3 details, and our quality and testing overview for the inspection stack.
If you're vetting a U.S. CM for an ITAR-controlled defense electronics program, our compliance team is happy to walk through the 10-point list above with your supplier-quality team and ship sample documentation under NDA. Request a quote with your program's DFARS / ITAR flow-down details and we'll structure the qualification accordingly.
Bottom line
ITAR compliance is the highest-stakes posture in U.S. contract manufacturing. The OEMs who do this right treat the CM-selection decision as a personal-liability decision — they verify registration, audit the compliance program, walk the foreign-person access controls, and confirm recordkeeping discipline before signing. The 10 questions above will surface a CM's actual posture in 60 minutes of conversation. The CMs who pass become long-term defense-electronics partners; the ones who don't will eventually show up in a DDTC enforcement action you don't want to be downstream of.



