By Michelle Kurosawa, Founder & CEO, Additiveio —
One of the more uncomfortable realities of operating a small aerospace manufacturing shop is that the ITAR question comes up early, comes up often, and does not always have a clean answer. A program manager calls to discuss a bracket for a satellite bus. Is that ITAR? It depends on whether the satellite is commercial or defense, whether the subsystem it mounts is controlled, and what technical data would need to be exchanged to execute the program. A procurement manager at a defense tier-1 sends a drawing with a CAGE code on it. Does that make the part ITAR? Not automatically — but it raises the probability that some element of the data package might be controlled.
This article is not legal advice, and it is not a substitute for consulting a licensed attorney familiar with export control law. It is a practical overview of what ITAR and EAR mean for small metal AM shops, where the exposure points are, and what "ITAR-aware" means in practice at Additiveio.
ITAR and EAR: the two regulatory frameworks
Export control in the United States is governed primarily by two frameworks that are frequently conflated:
ITAR (International Traffic in Arms Regulations), administered by the State Department's Directorate of Defense Trade Controls (DDTC), controls the export of defense articles, defense services, and related technical data enumerated on the United States Munitions List (USML). ITAR coverage is determined by whether an item or service is designed, developed, configured, adapted, or modified for a military application. ITAR is jurisdiction-based: once an item is on the USML, ITAR applies regardless of where in the supply chain you are or whether any individual transaction looks commercial.
EAR (Export Administration Regulations), administered by the Commerce Department's Bureau of Industry and Security (BIS), controls dual-use goods, software, and technology on the Commerce Control List (CCL). EAR covers items that have primarily commercial applications but may have military or proliferation-related implications. Ti-6Al-4V and LPBF manufacturing technology itself are generally EAR-controlled as dual-use technology, not ITAR-controlled, unless the specific item being produced is a USML-listed defense article.
The practical distinction for a Ti-6Al-4V LPBF shop: your material and process are likely under EAR as dual-use technology. A customer's drawing for a defense component — a missile fin bracket, an ejector seat fitting, a fire control system mounting structure — is likely ITAR-controlled technical data. When you receive that drawing, you have received controlled technical data, and how you handle it matters under ITAR.
What triggers ITAR exposure in AM manufacturing
For a metal AM shop, ITAR exposure can arise from several distinct points in the customer interaction:
Receiving controlled technical data
A drawing, specification, or 3D model for a defense article is technical data under ITAR. Receiving that data without a Technology Control Plan (TCP) and appropriate access controls is an exposure point. The data must be stored on controlled systems (not personal email or shared commercial cloud services), access must be limited to personnel with a need to know, and the data must not be disclosed to foreign nationals without appropriate authorization (a DSP-5 export license, or an applicable exemption under ITAR Part 125).
This is a particular risk at small shops where IT infrastructure is less formalized. A drawing emailed to a personal account, forwarded to an outside supplier to get a machining quote, or stored on an uncontrolled network share has been "exported" to every person with access to that system — including non-US persons, if any exist in that access path.
Foreign national access to controlled data or articles
ITAR's broad definition of "export" includes disclosing controlled technical data to a foreign national in the United States — not just physical export across a border. This is the "deemed export" rule. If any employee, contractor, or visitor at your facility is a foreign national, their access to ITAR-controlled data, drawings, or defense articles must be managed under a DSP-5 export license or a qualifying ITAR exemption. Most small shops do not have active export licenses, which means their workforce access controls must ensure that no foreign national has access to controlled data.
The manufactured article itself
If the part you produce is a defense article — a component of a listed USML item — then the finished part is ITAR-controlled. Shipping it requires either a DSP-5 export license (if shipping internationally) or compliance with applicable USML exemptions for domestic intra-US transfers. Domestic transfers of ITAR articles between US persons are generally not regulated as exports, but the articles and their associated technical data remain subject to ITAR controls on storage and access.
What ITAR-aware means in practice
"ITAR-aware" is not a certification or a registration status. ITAR registration with the DDTC is required for exporters and manufacturers of ITAR-controlled defense articles — it is not a general compliance standard for all members of the defense supply chain. A machining shop that only receives drawings and produces parts for domestic US customers may not need ITAR registration, depending on whether the articles meet the definition of a defense article under the USML and whether any export transactions are involved.
At Additiveio, "ITAR-aware" means:
- We recognize that drawings and specifications received for some aerospace and defense programs may contain controlled technical data under ITAR or EAR.
- We do not accept controlled technical data via personal email, uncontrolled cloud storage, or any other system accessible to unauthorized parties.
- Inquiries that involve potentially controlled data are routed to designated personnel — currently Michelle Kurosawa and Rajan Mehta — who handle the data access and storage under our internal data control procedures.
- We do not transfer drawings, models, or specifications for potentially controlled articles to outside suppliers, subcontractors, or other third parties without first confirming with the customer whether ITAR controls apply.
- We maintain awareness of our workforce composition relative to foreign national access to any controlled data we receive.
We are transparent that we are an early-stage company that has not pursued full ITAR registration. If your program requires a fully ITAR-registered manufacturer, we will tell you that directly, and we can discuss whether our current procedures satisfy your program's flow-down requirements or whether registration is required before we can accept the engagement.
How to evaluate a small AM shop's ITAR posture
If you are a procurement engineer or program manager evaluating a small metal AM shop for a defense-adjacent program, the questions that distinguish a genuinely ITAR-aware operation from one that is simply unfamiliar with the exposure are:
How do you receive and store customer drawings? A shop with no controlled data storage — where drawings arrive by email and sit in an uncontrolled shared folder — has not thought carefully about ITAR. A shop that has a designated controlled data system and access controls, even a simple one, has.
Who has access to customer drawings? If the answer is "everyone in the shop," and the shop has foreign national employees or contractors, that is an exposure. A compliant operation should be able to identify which personnel have access to controlled data and confirm their US person status.
Do you have a Technology Control Plan? A TCP is the formal document that describes how an organization controls ITAR-regulated technical data. It is required for ITAR-registered exporters but also a strong signal of seriousness in non-registered suppliers handling sensitive programs. A shop that has never heard of a TCP is probably not the right home for your ITAR-sensitive program.
Have you worked on programs with ITAR flow-down clauses before? Experience matters. A shop that has received and executed DDTC-compliant programs knows what questions to ask and what records to keep. A shop that encounters ITAR requirements for the first time on your program will learn on your schedule.
What a minimal TCP looks like for a small shop
A Technology Control Plan does not need to be a 200-page document to be meaningful. For a small metal AM shop that receives occasional defense-adjacent work, a functional TCP addresses four core areas:
- Controlled data storage: Where ITAR-controlled drawings and specifications are stored, access credentials required, and explicit prohibition on personal email or uncontrolled cloud services. A dedicated on-premises network folder with access logging, or a purpose-built controlled vault like Kiteworks or equivalent, is the minimum viable solution.
- Access control roster: Named list of US persons authorized to access controlled data, with documentation of their citizenship or immigration status. This list is reviewed when personnel change. Foreign nationals on the roster require a DSP-5 export license or a qualifying ITAR exemption before access is granted — not after.
- Subcontractor disclosure procedure: Written procedure for how controlled data is handled if any machining, inspection, or processing step is subcontracted. The procedure must establish that the customer is notified before controlled data is passed to any subcontractor, and that the subcontractor is confirmed as a US person under ITAR before data is transferred.
- Incident response: What happens if controlled data is inadvertently disclosed — who is notified, what records are preserved, and when an attorney should be consulted for voluntary disclosure to DDTC under 22 CFR 127.12.
This is not a complete TCP and is not legal advice. It is the structural skeleton that a small shop should have documented before accepting programs with ITAR flow-down clauses. The difference between a shop that has this written down and one that does not is the difference between a manageable compliance posture and an undefined one.
Our honest position
Additiveio can accept programs involving defense components where the customer's flow-down requirements are consistent with our current ITAR-awareness posture. For programs that require full ITAR registration, DDTC-registered manufacturing operations, or a formal Technology Control Plan audit, we will tell you honestly if we are not yet at that level and discuss whether the program is appropriate for our current capabilities.
The worst outcome in defense supply chain compliance is a supplier who says yes to everything and manages the exposure reactively. Aerospace procurement managers who work in the defense tier know that the honest "we're not there yet on X, but here's what we do have" is more valuable than a confident misrepresentation. We operate on that basis.
If your program involves potentially controlled technical data, contact us at [email protected] before submitting any data through the RFQ form. We will discuss your program requirements and confirm whether we can support it appropriately.
Note: Nothing in this article constitutes legal advice on ITAR or EAR compliance. Consult a licensed export control attorney for program-specific legal guidance.
