If your company already holds ISO 9001 or AS9100 certification, you've done the hard work of building a disciplined quality management system. The natural next question — especially for defense contractors, aerospace suppliers, and manufacturers touching military-grade components — is whether that certification gives you a running start on ITAR compliance.
The short answer: yes, but with significant caveats. Your QMS infrastructure is genuinely valuable. Your documented processes, management review cadence, internal audit program, and corrective action system all translate. But ITAR (the International Traffic in Arms Regulations, 22 C.F.R. Parts 120–130) is a regulatory framework, not a quality standard. The gap between where your ISO 9001 or AS9100 program ends and where ITAR compliance begins is real — and the penalties for underestimating it are severe.
This guide breaks down exactly what carries over, what doesn't, and what you'll need to build from scratch.
What Is ITAR and Why Does It Matter for Manufacturers?
ITAR is administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC) and controls the export, import, and transfer of defense articles and services listed on the United States Munitions List (USML). Any company that manufactures, exports, imports, or brokers USML items must register with DDTC — there is no exemption threshold based on company size.
ITAR violations can result in civil penalties of up to $1,308,326 per violation (adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act) and criminal penalties of up to $1 million per violation and 20 years imprisonment under 22 U.S.C. § 2778.
The DDTC has pursued enforcement actions against companies of all sizes. Between 2020 and 2024, the DDTC imposed consent agreements and penalties totaling hundreds of millions of dollars against aerospace and defense manufacturers, including cases where internal compliance programs were deemed inadequate despite robust quality certifications.
ITAR registration with the DDTC is mandatory for any U.S. person or company engaged in the manufacture of defense articles, regardless of whether they intend to export — a requirement frequently misunderstood by domestic-only suppliers.
What Your ISO 9001 or AS9100 Certification Already Gives You
Let's be specific about where your existing QMS provides genuine leverage.
Document Control (ISO 9001 Clause 7.5 / AS9100 Clause 7.5)
ITAR requires strict control over technical data — blueprints, specifications, software, manufacturing instructions related to USML items. Your document control system built under ISO 9001 clause 7.5 is directly applicable. You already have version control, access restrictions, and retention policies. What you'll need to add is ITAR-specific access controls (U.S. person verification), export-controlled document marking, and a system for tracking where controlled technical data has been sent.
Supplier Control (AS9100 Clause 8.4)
AS9100-certified companies are particularly well-positioned here. Your existing supplier qualification process, approved supplier list, and flow-down requirements give you a strong foundation for ITAR's requirement to ensure defense articles and technical data are not transferred to unauthorized foreign persons. You'll need to add nationality verification for any person (employee or contractor) with access to ITAR-controlled data.
Internal Audit Program (ISO 9001 Clause 9.2)
ITAR compliance programs require periodic self-assessments and audits. Your internal audit infrastructure — trained auditors, audit schedules, findings tracking, and corrective action integration — maps directly onto the ITAR compliance audit requirement. The scope simply needs to expand to include ITAR-specific checkpoints.
Corrective Action and Nonconformance (ISO 9001 Clause 10.2)
When an ITAR violation or potential violation is discovered, you need a documented process for investigation, containment, root cause analysis, and reporting to DDTC (voluntary disclosure is strongly encouraged and can significantly reduce penalties). Your existing corrective action process is the right vehicle — it just needs ITAR-specific triggers and escalation paths.
Management Review and Leadership Commitment (ISO 9001 Clause 5.1 / AS9100 Clause 5.1)
DDTC expects demonstrable leadership commitment to ITAR compliance, including documented policies, designated responsible personnel, and resource allocation. Your management review process and quality policy infrastructure directly supports this.
What ISO 9001 and AS9100 Do NOT Cover
This is where companies get into trouble — assuming their certification covers more ITAR ground than it actually does.
DDTC Registration
Registration with the DDTC (22 C.F.R. § 122) is a prerequisite — it is not a certification you earn through a QMS process. Your ISO or AS9100 certificate is irrelevant to DDTC registration. You must register, renew annually, and pay the applicable fee regardless of your quality certifications.
U.S. Person Verification and Foreign National Screening
This is one of the most operationally complex ITAR requirements. Before any employee, contractor, intern, or visitor accesses ITAR-controlled technical data, you must verify their status as a "U.S. person" under 22 C.F.R. § 120.62 (U.S. citizen, lawful permanent resident, protected individual, or person granted asylum or refugee status). ISO 9001 has no analogous requirement. You'll need to build an entirely new HR and visitor screening process.
Under ITAR, transferring controlled technical data to a foreign national — even within the United States — constitutes a deemed export requiring prior State Department authorization, a requirement with no equivalent in ISO 9001 or AS9100.
Export Licensing and USML Classification
Determining whether your products or technical data are USML-controlled, identifying the correct USML category, and obtaining the appropriate license or using the correct exemption under 22 C.F.R. Part 123 requires specialized legal and regulatory knowledge. This entire domain is outside the scope of any quality standard.
Technology Control Plan (TCP)
A TCP is a documented program specifically designed to prevent unauthorized access to ITAR-controlled technical data, hardware, and software. While it has structural similarities to an ISO 9001 QMS, the TCP is a distinct document with distinct requirements: facility access controls, IT security measures, foreign visitor protocols, employee training on ITAR specifically, and an empowered ITAR compliance officer. Most AS9100 companies need to build this from scratch.
Voluntary Disclosure Program
If you discover a potential ITAR violation, the DDTC voluntary disclosure program (22 C.F.R. § 127.12) can significantly mitigate penalties — but only if handled correctly and promptly. Your corrective action process doesn't include this regulatory reporting pathway. You need a documented escalation procedure that connects internal findings to the DDTC voluntary disclosure process.
Brokering Regulations
If your company brokers defense articles or services, 22 C.F.R. Part 129 imposes additional registration and approval requirements with no ISO equivalent.
Side-by-Side Comparison: ISO 9001 / AS9100 vs. ITAR Requirements
| Compliance Area | ISO 9001 | AS9100 | ITAR | Leverageable? |
|---|---|---|---|---|
| Document control system | ✅ Clause 7.5 | ✅ Clause 7.5 | Required | ✅ Yes, with ITAR markings added |
| Supplier qualification | ✅ Clause 8.4 | ✅ Clause 8.4 (detailed) | Required | ✅ Yes, add nationality checks |
| Internal audit program | ✅ Clause 9.2 | ✅ Clause 9.2 | Required | ✅ Yes, expand scope |
| Corrective action process | ✅ Clause 10.2 | ✅ Clause 10.2 | Required | ✅ Yes, add DDTC reporting path |
| Management commitment | ✅ Clause 5.1 | ✅ Clause 5.1 | Required | ✅ Yes, formalize ITAR policy |
| DDTC registration | ❌ | ❌ | Required | ❌ Must build |
| U.S. person / foreign national screening | ❌ | ❌ | Required | ❌ Must build |
| USML classification & licensing | ❌ | ❌ | Required | ❌ Must build |
| Technology Control Plan (TCP) | ❌ | ❌ | Required | ❌ Must build |
| Deemed export controls | ❌ | ❌ | Required | ❌ Must build |
| Voluntary disclosure process | ❌ | ❌ | Required | ⚠️ Partial (CAR infrastructure) |
| Facility physical security standards | ❌ | ⚠️ Partial | Required | ⚠️ Partial |
| IT/cybersecurity for controlled data | ❌ | ❌ | Required | ❌ Must build |
| Employee ITAR training program | ❌ | ⚠️ Partial | Required | ⚠️ Partial |
✅ = Directly leverageable | ⚠️ = Partial overlap | ❌ = No overlap
The AS9100 Advantage Over ISO 9001 Alone
If you hold AS9100 certification specifically (the aerospace and defense extension of ISO 9001), your starting position for ITAR compliance is meaningfully better than ISO 9001 alone. AS9100 Rev D incorporates requirements around:
- Configuration management (clause 8.1.2) — directly supports controlling ITAR-controlled hardware and documentation versions
- First article inspection and product realization controls — support USML article identification
- Customer-specific requirements flow-down — provides a documented pathway for ITAR clause flow-down to suppliers
- Risk management (clause 6.1) — can be extended to incorporate ITAR violation risk assessment
- Foreign Object Debris/Damage (FOD) controls and counterfeit parts prevention — reflect the defense industry orientation that aligns culturally with ITAR's rigor
In my experience at Certify Consulting, AS9100-certified companies typically reduce their ITAR compliance buildout time by 30–40% compared to ISO 9001-only companies, primarily because AS9100 organizations already operate with the defense-industry mindset around controlled access, traceability, and regulatory awareness.
What You Need to Build: The ITAR Compliance Gap Checklist
For an ISO 9001 or AS9100 certified company, here's the practical buildout required:
Phase 1: Foundation (Weeks 1–4)
- [ ] Complete DDTC registration (Form DS-2032)
- [ ] Designate an ITAR Empowered Official (a U.S. person with authority to sign export license applications)
- [ ] Conduct USML product and technical data classification review
- [ ] Integrate ITAR policy into your quality policy and management system

Phase 2: Program Infrastructure (Weeks 5–10)
- [ ] Develop Technology Control Plan (TCP)
- [ ] Implement U.S. person verification process for all personnel with ITAR data access
- [ ] Establish foreign visitor/vendor protocol
- [ ] Add ITAR-controlled markings to all relevant technical documents
- [ ] Implement physical and IT security controls for controlled data

Phase 3: Operational Integration (Weeks 11–16)
- [ ] Train all relevant employees on ITAR requirements (document attendance)
- [ ] Expand internal audit scope to include ITAR compliance checkpoints
- [ ] Add ITAR violation reporting pathway to corrective action process
- [ ] Add ITAR flow-down requirements to supplier qualification and purchase order templates
- [ ] Establish export license management process (application, tracking, expiration, recordkeeping per 22 C.F.R. § 122.5)

Phase 4: Ongoing Compliance (Recurring)
- [ ] Annual DDTC registration renewal
- [ ] Periodic ITAR compliance self-assessments
- [ ] Annual employee ITAR training refreshers
- [ ] License expiration monitoring
- [ ] Monitoring for USML and EAR regulatory changes
How Long Does the Gap-Fill Take?
Based on my work with 200+ clients at Certify Consulting, a company with a mature, well-documented ISO 9001 or AS9100 system can typically achieve a functional ITAR compliance program in 3–6 months, compared to 6–12 months for a company starting from zero. That's a significant time-to-compliance advantage — but it's not a shortcut. The regulatory elements (DDTC registration, classification, TCP, foreign national screening) must be built properly regardless of your quality certification status.
For companies pursuing Department of Defense contracts, note that DFARS 252.204-7012 (Safeguarding Covered Defense Information) and CMMC (Cybersecurity Maturity Model Certification) requirements layer on top of ITAR obligations — so your compliance roadmap may need to account for multiple simultaneous regulatory frameworks.
Common Mistakes ISO/AS9100 Companies Make When Adding ITAR
- Assuming QMS auditors will catch ITAR issues. Your ISO/AS9100 registrar has no authority or obligation to evaluate ITAR compliance. These are entirely separate domains.
- Treating the TCP as just another quality procedure. A TCP is a living compliance document that must reflect actual facility conditions, actual IT systems, and actual personnel access. Copy-paste TCPs that don't reflect reality are a significant enforcement liability.
- Overlooking the deemed export rule. Many companies focus entirely on physical shipments and miss that sharing a technical drawing with a foreign national in a U.S. facility requires State Department authorization.
- Underpowering the Empowered Official role. The Empowered Official must be a U.S. person with actual authority to sign license applications and legal certifications. This is not an administrative role — it requires regulatory knowledge and legal accountability.
- Failing to flow ITAR down to suppliers. Your ITAR obligations don't end at your facility boundary. Subcontractors who receive USML technical data or defense articles must also comply, and you are responsible for ensuring that flow-down occurs.
Working With a Consultant: What to Expect
The intersection of quality management, export control law, and defense contracting regulations is genuinely complex. When evaluating consultants, look for a combination of quality management expertise (ISO 9001/AS9100 implementation experience), regulatory knowledge (ITAR, EAR, OFAC), and practical defense industry experience. An attorney who understands export control law but has never implemented a QMS, or a quality consultant without export control depth, will leave gaps.
At Certify Consulting, I bring credentials across quality (CMQ-OE, CFSQA), project management (PMP), and regulatory affairs (RAC) to ITAR compliance engagements — specifically because the companies I work with need integrated guidance, not siloed advice.
Frequently Asked Questions
Q: Does ISO 9001 or AS9100 certification satisfy any ITAR requirements?
A: Not directly. ITAR does not recognize ISO 9001 or AS9100 certification as satisfying any specific regulatory obligation. However, the documented processes, document control, supplier management, and internal audit infrastructure built for ISO 9001/AS9100 can be extended and adapted to meet several ITAR program requirements, reducing the time and cost of building an ITAR compliance program.
Q: Do I need to register with DDTC even if I only sell domestically?
A: Yes. Under 22 C.F.R. § 122.1, any U.S. person engaged in the United States in the business of manufacturing defense articles is required to register with the DDTC, regardless of whether they export. Manufacturing USML items domestically for U.S. government customers triggers the registration requirement.
Q: What is a Technology Control Plan (TCP) and is it the same as a quality manual?
A: A TCP is a document specifically designed to prevent unauthorized access to ITAR-controlled technical data and hardware. While it shares structural features with a quality manual — scope, policies, procedures, responsibilities — it addresses ITAR-specific requirements including U.S. person access controls, foreign visitor protocols, IT security for controlled data, and employee ITAR training. It is a distinct document from your quality manual, though the two should be integrated and cross-referenced.
Q: Can I use my AS9100 internal audit team to conduct ITAR compliance audits?
A: Yes, with additional training. Your internal auditors already understand your QMS infrastructure, which is an advantage. However, they must receive ITAR-specific training to audit the regulatory elements of your compliance program — DDTC registration status, license management, foreign national screening, TCP implementation, and deemed export controls. ITAR compliance checkpoints should be formally added to your audit program scope.
Q: How long does ITAR compliance typically take for an AS9100-certified company?
A: In my experience, AS9100-certified companies with mature, well-documented QMS programs typically achieve a functional ITAR compliance program in 3–6 months, compared to 6–12 months for companies starting from zero. The time savings come primarily from leveraging existing document control, supplier management, internal audit, and corrective action infrastructure. The regulatory buildout — DDTC registration, USML classification, TCP development, foreign national screening — takes roughly the same time regardless of certification status.
The Bottom Line
Your ISO 9001 or AS9100 certification is a genuine asset when building an ITAR compliance program — not just in terms of operational infrastructure, but in terms of organizational culture. Companies with mature QMS programs already understand documented processes, management accountability, and continuous improvement. That foundation matters.
But ITAR is a federal regulatory regime with criminal enforcement teeth. The quality standard and the export control regulation are not substitutes for each other, and the gaps between them are specific and significant. Understanding exactly where those gaps are — and closing them systematically — is the difference between a robust compliance program and a costly enforcement action.
If you'd like an expert assessment of your current QMS posture against ITAR requirements, Certify Consulting offers gap assessments specifically designed for ISO 9001 and AS9100 certified companies entering the defense supply chain.
For more on building quality systems that support regulatory compliance, see our guides on AS9100 certification requirements and ISO 9001 clause-by-clause implementation on ISO9001Expert.com.
Last updated: 2026-03-04
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the principal consultant at Certify Consulting, with 8+ years of experience and a 100% first-time audit pass rate across 200+ clients. This article is for informational purposes only and does not constitute legal advice. ITAR compliance questions involving specific products, transactions, or enforcement matters should be reviewed by qualified export control counsel.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.