ITAR Foreign National Visitor Access: How a Visit Becomes an Export (and How to Screen for It)
Under ITAR, releasing controlled technical data to a foreign person is an export — even when that person is standing inside your U.S. facility. That single rule is why foreign-national visitor access is the regulated event, and why a sign-in sheet can't carry the weight.
Most “ITAR visitor management” content starts with badges and escorts. It is worth starting one step earlier — with the rule that makes any of it necessary. ITAR doesn't regulate visitors because they walk through a door. It regulates them because of what they might be released while they're inside.
The short version
Under 22 CFR 120.17, releasing ITAR-controlled technical data to a foreign person is an export — and that includes releasing it to a foreign person inside the United States. (EAR calls its version a “deemed export”; ITAR just calls it an export.) So a foreign-national visitor's access to controlled areas or data is the regulated event. You have to know each visitor's person status, control what they can reach, and be able to prove it.
How a visit becomes an export
The International Traffic in Arms Regulations (22 CFR Parts 120–130) control defense articles and technical data on the U.S. Munitions List. The definition of export in 22 CFR 120.17 is deliberately broad: it includes releasing or transferring technical data to a foreign person — whether that person is abroad or in the United States. A “release” (22 CFR 120.50) can be as ordinary as a foreign visitor seeing a controlled drawing on a monitor or hearing a controlled technical discussion on the floor.
That is why person status is the hinge. A U.S. person (22 CFR 120.62 — a citizen, lawful permanent resident, or protected individual) can generally receive technical data without ITAR authorization. A foreign person (22 CFR 120.63 — everyone else) generally cannot, unless you hold the right authorization: a license, a Technical Assistance or Manufacturing License Agreement, or a valid exemption. The visitor's nationality, combined with what they can reach inside your facility, is the entire risk.
“Deemed export” vs. ITAR “export”
“Deemed export” is an EAR (Commerce/BIS) term for releasing controlled technology to a foreign person in the U.S. ITAR doesn't use the phrase — its “export” definition already reaches the same conduct. If your technical data is ITAR-controlled, think in terms of an ITAR export; the practical control on the floor is identical.
What actually controls the risk
If the regulated event is a foreign person's access to controlled data, the controls follow directly. None of them are exotic — but they're hard to run off a clipboard:
Know who is a foreign person
Capture person-status indicators (citizenship / nationality) at registration. You cannot apply the rule to a visitor whose status you never recorded.
Screen the visitor and who sent them
Check visitors and their companies against OFAC SDN, BIS, UN, EU, and UK lists, and route possible matches to a reviewer before access is granted.
Control where they go and what they see
Zone and escort rules keep foreign persons out of controlled areas and away from controlled data unless they are specifically authorized.
Make status visible and authorize access
Badge by person status so floor staff can see it, operate under a Technology Control Plan, and obtain DDTC authorization (license, agreement, or exemption) when a foreign person needs access.
The thread running through all four is evidence. ITAR enforcement (22 CFR Part 127) and a Directorate of Defense Trade Controls review both turn on whether you can show what you did — who entered, their status, where they went, who escorted them, and the decision — not on whether you can assert it after the fact.
A practical access-side checklist
- Capture person-status / citizenship indicators at registration — before access, not after an incident.
- Screen visitors and the companies sending them against OFAC SDN, BIS, UN, EU, and UK lists, and review possible matches before granting access.
- Enforce zone and escort rules so foreign persons cannot reach controlled areas or data unless authorized.
- Badge by person status so floor staff can see at a glance who can be where.
- Run it under a Technology Control Plan, and obtain DDTC authorization (license, agreement, or exemption) when a foreign person needs access to controlled data.
- Keep an immutable, timestamped record of every entry, status, escort, screening result, and decision — the evidence an Empowered Official or DDTC can read.
- Re-screen recurring foreign visitors and vendors; status, sponsorship, and list membership change over time.
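To make the checklist concrete, the sketch below is an added example, not SecurePoint's code or any vendor's API. It gates an access request on recorded person status, screening result, zone, authorization and escort, then writes each decision to a hash-chained log so later alteration is detectable. The field names, zone names and the policy in `decide` are assumptions for illustration, not a legal determination.

```python
import hashlib
import json
from datetime import datetime, timezone

CONTROLLED_ZONES = {"engineering-lab", "machining-bay"}  # hypothetical zone names
GENESIS = "0" * 64

def decide(visit):
    """Illustrative gate, not a legal determination: returns (decision, reason)."""
    if visit.get("person_status") not in ("us_person", "foreign_person"):
        return "deny", "person status not recorded at registration"
    if visit.get("screening") == "possible_match":
        return "hold", "possible list match awaiting reviewer"
    if visit.get("screening") != "clear":
        return "deny", "screening not completed"
    if visit["person_status"] == "foreign_person" and visit.get("zone") in CONTROLLED_ZONES:
        if not visit.get("authorization"):
            return "deny", "no authorization on file for controlled zone"
        if not visit.get("escort"):
            return "deny", "escort required in controlled zone"
    return "allow", "checks passed"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only list in which each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, visit):
        decision, reason = decide(visit)
        body = {"ts": datetime.now(timezone.utc).isoformat(), "visit": dict(visit),
                "decision": decision, "reason": reason,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        body["hash"] = _digest(body)  # digest taken before the "hash" key exists
        self.entries.append(body)
        return decision

    def verify(self):
        """Return the index of the first altered entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None
```

A hash chain makes edits evident rather than impossible: the latest hash still has to be stored somewhere the log's administrators cannot rewrite, or the whole chain can be recomputed.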
Where SecurePoint fits
SecurePoint Visitor handles the access and evidence layer of this problem. It captures visitor identity and person-status indicators at check-in, screens visitors and related parties against OFAC SDN, BIS, UN, EU, and UK lists, routes possible matches to a reviewer, supports escort and zone workflows and badging, and writes every check-in, screening result, and access decision to an append-only audit log that exports as an audit-ready evidence pack.
Scope, honestly: SecurePoint supports access control and recordkeeping. It does not make export-jurisdiction or classification calls, issue DDTC authorizations, or replace your Empowered Official, Technology Control Plan, or counsel. It is one defensible input to an ITAR program, not the program — and this article is educational, not legal advice.
Primary sources
- 22 CFR Part 120 — ITAR General Information & Definitions (eCFR)
- 22 CFR Part 125 — Licenses for the Export of Technical Data (eCFR)
- 22 CFR Part 127 — Violations and Penalties (eCFR)
- Directorate of Defense Trade Controls (DDTC)
ITAR definitions and section numbering have changed (notably the 2020 Part 120 reorganization) and continue to evolve. Verify the current text against the eCFR and DDTC before relying on it. This article is educational and is not legal advice.


