Security Operations
Workforce and Operations Support for Aerospace and ITAR Programs
Aerospace and defense manufacturing sits at the intersection of extreme engineering and extreme regulation. On top of standard GovCon compliance, ITAR controls who you can hire, how you wire your networks, and how you design your facilities. Violations carry $1.2M civil fines per occurrence and up to 20 years in prison.
The Deemed Export Rule
Releasing USML technical data to a Foreign Person — even one standing inside your US facility — is an export to their country of citizenship.
Showing source code for a guidance system to a French national engineer is an illegal export to France, no shipping container required.
The US Person Mandate
US Person under ITAR: US citizens, lawful permanent residents (green card holders), and persons granted asylum or refugee status. Visa holders (H-1B, F-1) are Foreign Persons.
Job postings for ITAR-controlled roles must state the US Person requirement. HR must verify status before granting facility or network access. Screening language (for example, "Are you a US Person as defined by 22 CFR §120.15?") must be written by counsel to avoid INA discrimination claims.
Many aerospace firms run bifurcated workforces — a cleared population (US citizens only) for classified DoD work and an ITAR population (US Persons) for unclassified ITAR work — with rigorously segregated access.
Facility and Physical Security
Log every visitor with their declared citizenship. Foreign Persons must be continuously escorted by trained US Persons who control visual access.
Mature facilities physically segregate ITAR manufacturing and engineering bays from administrative space, with badge readers and biometric controls.
Enforce a clean-desk policy (screens locked and technical data cleared whenever an employee steps away) to prevent incidental disclosure to cleaning crews.
ITAR and CMMC: The Network Battleground
ITAR technical data is "Export Controlled" CUI under the DoD framework — DFARS 7012 and NIST 800-171 apply on top of ITAR.
Commercial M365 fails ITAR because Microsoft uses a global support model. Aerospace contractors must use Microsoft GCC High (US-only data centers and US Person support) or AWS GovCloud.
Logical access control via RBAC enforces that only verified US Persons can reach the ITAR enclaves; non-ITAR Foreign Person hires are explicitly denied at the directory level.
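One way to check that the directory matches this rule is a periodic access review that compares enclave group membership against HR's verified status records and treats anything unverified as a finding. This is an added example, not part of the original guide; the group name, field names, status labels and all records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Statuses the guide lists as US Person under ITAR (labels are hypothetical).
US_PERSON_STATUSES = {"us_citizen", "lawful_permanent_resident", "asylee", "refugee"}

@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str     # status declared to HR (hypothetical field)
    verified: bool  # True once HR has completed verification (hypothetical field)

def is_verified_us_person(rec: Optional[HrRecord]) -> bool:
    """Default deny: a missing record, an unverified record, or a
    non-qualifying status all fail."""
    return rec is not None and rec.verified and rec.status in US_PERSON_STATUSES

def review_enclave(members, hr_records):
    """Return {user: reason} for each member who should not be in the group."""
    by_user = {r.user: r for r in hr_records}
    findings = {}
    for user in members:
        rec = by_user.get(user)
        if is_verified_us_person(rec):
            continue
        if rec is None:
            # Covers service accounts and stale accounts with no HR owner.
            findings[user] = "no HR record"
        elif rec.status not in US_PERSON_STATUSES:
            findings[user] = f"foreign person ({rec.status})"
        else:
            findings[user] = "status not yet verified by HR"
    return findings

# Constructed sample data: HR records and an export of directory group members.
HR = [
    HrRecord("alice", "us_citizen", True),
    HrRecord("bob", "lawful_permanent_resident", True),
    HrRecord("chen", "h1b", True),
    HrRecord("dana", "us_citizen", False),
]
ENCLAVE_MEMBERS = {"ITAR-Engineering": ["alice", "bob", "chen", "dana", "svc-build"]}

def run_review():
    return {group: review_enclave(m, HR) for group, m in ENCLAVE_MEMBERS.items()}

if __name__ == "__main__":
    for group, findings in run_review().items():
        for user, reason in sorted(findings.items()):
            print(f"{group}: remove {user}: {reason}")
```

Accounts with no HR record, such as the constructed `svc-build` service account, are reported rather than silently allowed, so each one needs a named, verified owner before it stays in the group.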
Compliance Infrastructure
Designate an Empowered Official — the senior US Person with authority to sign DDTC submissions.
Maintain a Technology Control Plan describing physical, IT, and training measures that prevent Foreign Person access to controlled data.
Manage export licenses rigorously: license conditions are not blank checks. Keep records of every export under each license.
Training and Voluntary Disclosure
Train everyone who might touch ITAR data: engineers, PMs, HR, IT, front-desk reception. Cover USML basics, deemed export, internal procedures, and reporting channels.
When violations happen — and they do — the DDTC's Voluntary Disclosure process treats self-reporters dramatically more leniently than firms caught hiding incidents.
Desra Secure builds ITAR-aware workforce and operations programs for aerospace and defense manufacturing clients.
This guide is provided for general informational purposes only and does not constitute legal, accounting, or compliance advice. Specific obligations depend on your contracts and your environment.
