
The Precision Castparts ITAR Case Shows Why Export Compliance Cannot Live in Spreadsheets
DDTC’s Precision Castparts enforcement action shows why aerospace and defense companies need stronger export compliance controls, technical data access review, and audit-ready evidence.
For aerospace, defense, and advanced manufacturing companies, export compliance is often treated as a shipping dock concern. We focus on license checks for shipping boxes containing military hardware. But a recent State Department enforcement action serves as a stark reminder that the biggest compliance liability is not what leaves the shipping dock—it is who accesses technical data inside your facility.
Under the International Traffic in Arms Regulations (ITAR), sharing technical data with a foreign person—even an employee physically located in the United States—constitutes a deemed export. And if you cannot prove exactly who accessed what data, when they accessed it, and under what authorization, you are exposed to significant enforcement risk.
Case Summary: The DDTC Precision Castparts Action
The Directorate of Defense Trade Controls (DDTC) recently charged Precision Castparts Corp. (PCC) with 24 violations of the Arms Export Control Act (AECA) and the ITAR. The violations centered on unauthorized exports of USML Category XIX technical data to foreign-person employees at a subsidiary, Mold Masters.
Deemed Exports and the Internal Control Failure
The official charging letter issued by the DDTC outlines a recurring pattern of compliance failure. PCC’s subsidiary, Mold Masters, employed foreign-person workers who were given access to technical data related to United States Munitions List (USML) Category XIX (gas turbine engines).
Because these employees were foreign persons, disclosing this technical data to them required prior DDTC authorization. The charging letter alleges that the company did not obtain these authorizations, resulting in 24 distinct violations.
Crucially, the DDTC did not just look at the unauthorized access itself. They focused heavily on the failure of the company’s internal compliance system. The charging letter specifically highlighted that Mold Masters' recordkeeping failed to capture critical details:
- The specific dates technical data was accessed.
- The work assignments given to foreign-person employees.
- The exact technical data details shared.
Why Spreadsheets and Shared Folders Fail
When compliance teams rely on manual tracking, spreadsheets, and decentralized shared folders to manage foreign-person access, they introduce systemic gaps. The PCC case demonstrates that voluntary disclosures—often initiated after a post-acquisition review—frequently uncover years of unprovable, unmonitored data access.
Spreadsheets and manual approvals fail because:
- No Verifiable Decision Chain: An email chain approving a visitor or employee access is easily lost, altered, or forgotten, providing no centralized log of approvals.
- Weak Version History: Spreadsheets lack immutable edit histories. They cannot cryptographically prove to an auditor who approved an entry or when it was updated.
- Poor Subsidiary Control: Corporate headquarters rarely have real-time visibility into whether newly acquired subsidiaries are actually implementing local technology control plans.
- No Tie-in to Authorization Limits: Static files do not prevent a user from sharing data beyond the bounds of a specific license or exemption.
An Enforcement Reality Check
This is exactly the kind of breakdown SecurePoint Trade is designed to help prevent, detect, and document before it becomes an enforcement problem.
How SecurePoint Trade Helps Manage Technical Data Access
SecurePoint Trade acts as a dedicated compliance operating layer, providing the repeatable controls that manual methods miss. Rather than trying to rebuild compliance from scratch at every subsidiary, companies use SecurePoint Trade to implement systematic checkpoints for:
- Controlled Technical Data Release Review: Document and authorize every release of USML-controlled technical data. Ensure each access is tied to a specific U.S. sponsor and policy control.
- Foreign-Person Employee Access Review: Screen and track work assignments, citizenship verifications, and individual license conditions in a single, structured system.
- Audit-Ready Evidence Packs: Automatically package screening results, nationality verification, technology control plans, and approval timestamps into immutable, audit-ready PDF records.
SecurePoint Trade cannot guarantee that a company avoids enforcement, but it is built to help compliance teams catch risk earlier, document decisions, and preserve the evidence auditors expect.
Five Questions Export Compliance Teams Should Ask This Week
1. Do we know exactly which roles and personnel can access controlled technical data across all facilities?
2. Can we prove U.S.-person / foreign-person review was completed and documented where needed?
3. Can we tie every instance of foreign-person data access directly to a license, exemption, authorization, or policy decision?
4. Can we export our screening history and access authorizations for a specific timeline in minutes?
5. Do newly acquired subsidiaries and multi-site locations follow the exact same compliance controls?
Frequently Asked Questions
Can sharing technical data with a foreign-person employee count as an export?
Yes. Under the ITAR, disclosure of controlled technical data to a foreign person is considered a deemed export to their country of origin. This requires authorization, even if the individual is physically located in the United States.
What was the issue in the Precision Castparts case?
The DDTC alleged that PCC’s subsidiary, Mold Masters, engaged in the unauthorized export of USML-controlled technical data to foreign-person employees. The failure was compounded by insufficient internal controls and a lack of specific recordkeeping, including missing dates and details of what data was shared.
What should aerospace and defense companies learn from this case?
Companies must implement repeatable, auditable controls for technical data access, employee authorization review, and human-reviewed approvals. Relying on passive, ad-hoc, or spreadsheet-based tracking is a major vulnerability, especially during post-acquisition compliance audits.
Can software guarantee ITAR compliance?
No. Software does not replace legal judgment or compliance leadership. However, the right system is crucial for enforcing workflows, preserving records, preventing unauthorized sharing, and reducing preventable compliance gaps.
If your team still relies on spreadsheets, email chains, or shared folders to manage export compliance decisions, it may be time to review the workflow before an auditor does.


