SecurePoint USA
ITAR Compliance
Whitepaper · 2026

ITAR Visitor Screening & Access Control

Meeting 22 CFR 120-130 foreign national requirements through systematic visitor screening — because every unscreened visitor in a controlled area is a potential deemed export violation.

12 min read · April 2026 · ITAR · EAR · DDTC
01 · Executive Summary

Every Unscreened Visitor Is a Potential Violation

The International Traffic in Arms Regulations (ITAR), codified in 22 CFR Parts 120-130, impose strict controls on who can access defense articles, technical data, and defense services. Under the “deemed export” rule, disclosing controlled technical data to a foreign person — even on US soil — is legally equivalent to exporting it to that person's home country.

For defense contractors, this means every visitor who enters a facility where ITAR-controlled data exists represents a potential export control event. A foreign national who glimpses a controlled schematic on a whiteboard, walks through a manufacturing floor with USML-classified equipment, or overhears a technical discussion about a defense article has triggered a deemed export — regardless of intent.

Civil penalties reach $1,000,000 per violation. Criminal penalties include up to 20 years imprisonment. The Directorate of Defense Trade Controls (DDTC) applies strict liability — meaning accidental or negligent exposure carries the same enforcement consequences as deliberate violations.

  • $1M per violation: civil penalty
  • 20 yr: criminal penalty, per violation
  • Strict liability: intent not required
  • 4 restricted lists screened per visitor

The Deemed Export Problem

Under 22 CFR § 120.54, a “deemed export” occurs when controlled technical data is released to a foreign person within the United States. Your visitor management system is the first — and often only — line of defense against uncontrolled deemed exports at the facility level.

02 · The ITAR Framework

ITAR Requirements for Physical Access Control

The ITAR framework imposes specific requirements on defense contractors that directly affect how visitors are screened, admitted, escorted, and documented at facilities handling controlled articles.

US Person vs. Foreign Person (22 CFR § 120.62 / § 120.16)

ITAR defines a “US Person” as a US citizen, lawful permanent resident, protected individual under 8 U.S.C. § 1324b(a)(3), or any entity incorporated in the US. Everyone else is a “foreign person.” This determination is the threshold question for every visitor — and it must be made before access is granted.

Dual nationals present additional complexity. A visitor who holds both US and foreign citizenship is generally treated as a US Person, but specific country combinations may trigger additional screening requirements under sanctions programs.

Deemed Exports (22 CFR § 120.54)

The release of controlled technical data to a foreign person in the United States is “deemed” to be an export to the country of the foreign person's nationality. This includes visual access (seeing a controlled document), verbal disclosure (discussing controlled specifications), and physical access (entering a space where controlled articles are present).

A foreign visitor walking through a manufacturing floor where USML items are being assembled has received a deemed export — even if they weren't shown anything specific. The physical presence in the controlled area is sufficient.

Technology Control Plans (TCP)

A Technology Control Plan defines how a facility physically and procedurally separates controlled from uncontrolled areas. TCPs specify which zones require ITAR clearance, which require escort, and which are accessible to all visitors. Your visitor management system must enforce the TCP — not just document it.

This means zone-based access control tied directly to each visitor's export classification, with badge issuance reflecting the approved access posture and mandatory escort assignment for foreign nationals in controlled zones.

Record-Keeping Requirements (22 CFR § 122.5)

ITAR-registered manufacturers and exporters must maintain records of all exports and deemed exports for a minimum of five years. For visitor management, this means retaining visitor identity, nationality, screening results, zone access logs, escort assignments, and any technical data access documentation for every foreign visitor — with records that cannot be altered after the fact.

03 · Failure Points

The 5 Critical ITAR Failure Points in Visitor Management

DDTC enforcement actions consistently reveal the same five gaps in how defense contractors manage visitor access. Each one independently creates deemed export exposure — and most organizations have multiple gaps simultaneously.

1. No Citizenship Verification at Registration

Most visitor management systems collect a name and a company. They do not ask for citizenship, dual nationality status, or country of origin. Without this data, you cannot determine whether a visitor is a US Person under ITAR — and you cannot determine whether their access to controlled areas constitutes a deemed export.

22 CFR § 120.62 — US Person Definition

2. No Pre-Arrival Screening Against Restricted Lists

Foreign nationals must be screened against the OFAC SDN list, BIS Entity List, BIS Denied Persons List, and the DDTC Debarred Parties List before they arrive on site. Screening after arrival — or not screening at all — means a restricted person may have already accessed controlled technical data before anyone knew.

22 CFR § 127.1 — Prohibited Activities

3. No Zone-Based Access Enforcement

ITAR-controlled areas must be physically and logically separated from uncontrolled areas. A visitor badge that grants access to the entire facility — including labs, manufacturing floors, or engineering spaces with controlled technical data — creates an uncontrolled deemed export exposure for every foreign visitor.

22 CFR § 125.4 — Technical Data Exports

4. No Mandatory Escort Workflow

Foreign nationals in ITAR-controlled areas must be escorted at all times. An optional escort field on a check-in form does not constitute escort enforcement. If a foreign visitor can physically enter a controlled space without a confirmed, acknowledged escort, your TCP is not being enforced.

22 CFR § 126.18 — Exemption Conditions

5. No Defensible Audit Trail

DDTC expects you to demonstrate who accessed what, when, and under what authorization. If your visitor logs can be edited or deleted — or if they only show check-in time without escort assignment, zone access, or screening results — they do not constitute defensible compliance evidence.

22 CFR § 122.5 — Maintenance of Records

Compounding Exposure

Each failure point is an independent violation. A foreign visitor who arrives unscreened, enters a controlled zone without escort, and has no audit trail represents at minimum three separate ITAR violations — each carrying up to $1,000,000 in civil penalties. Multiply by the number of visitors and the number of days to see how quickly the total exposure grows.

04 · Compliant Workflow

Building an ITAR-Compliant Visitor Screening Workflow

A defensible ITAR visitor management workflow has five distinct phases — each generating compliance evidence that auditors and DDTC investigators expect to see.

Phase 1: Pre-Registration

Visitor Identity & Nationality Capture

  • Citizenship and dual nationality collected at invitation
  • Country of origin evaluated against embargoed nations (Cuba, Iran, North Korea, Syria, Russia, Belarus)
  • Company/entity affiliation captured and screened against BIS Entity List
  • Purpose of visit documented with technical data access scope
  • Government-issued photo ID uploaded for verification
Phase 2: Pre-Arrival Screening

Multi-List Sanctions & Restricted Party Screening

  • Automated screening against OFAC SDN, BIS Entity List, BIS Denied Persons, DDTC Debarred Parties
  • Fuzzy matching with configurable threshold to catch name variations and transliterations
  • Foreign person status determination: US Person vs. Foreign Person under 22 CFR § 120.62
  • License exception eligibility evaluation (NLR, STA, TSU, TMP)
  • Compliance officer notification for matches — no badge issued until resolved
Phase 3: Arrival & Check-In

Gate Screening & Zone Assignment

  • Re-screening at check-in catches list updates between pre-registration and arrival
  • Government ID verified against pre-registration data
  • Zone access determined by visitor export classification and TCP requirements
  • Escort assigned from authorized personnel roster — mandatory confirmation required
  • Badge issued reflecting access posture: ITAR-cleared, escorted-only, or uncontrolled-areas-only
Phase 4: During Visit

Escort Enforcement & Access Monitoring

  • Escort acknowledgment tracked with timestamp and digital signature
  • Zone transition logging for visitors in controlled areas
  • Automatic alerts for overstay, unescorted movement, or restricted area access attempts
  • NDA and non-disclosure capture for visitors accessing controlled technical data
  • Real-time compliance dashboard for security operators and export control officers
Phase 5: Post-Visit

Documentation & Evidence Generation

  • Automated after-visit report (AVR) with escort compliance data
  • Technical data access documentation linked to export classifications
  • Badge return confirmation and deactivation logged
  • Complete visit evidence pack exportable in CSV, PDF, JSON formats
  • Immutable audit trail — records cannot be edited, deleted, or backdated by anyone
05 · Enforcement Actions

DDTC Enforcement: The Penalties Are Not Theoretical

Recent DDTC consent agreements demonstrate that export control violations — including inadequate access controls for foreign persons — result in significant financial penalties, mandatory compliance programs, and reputational damage.

FLIR Systems · 2023 · $30 million

Consent agreement with DDTC for unauthorized exports of ITAR-controlled technical data, including dual-use thermal imaging technology. Violations included inadequate screening of foreign national employees and visitors with access to controlled data.

Honeywell International · 2023 · $13 million

Charged with unauthorized exports of ITAR-controlled technical drawings and documents related to aircraft engines, guidance systems, and other defense articles. Export control failures included inadequate access controls for foreign persons.

L3Harris Technologies · 2023 · $13 million

Settlement for ITAR violations involving unauthorized exports of night vision and electro-optical technology. Included failures in Technology Control Plan implementation and monitoring of foreign national access.

Curtiss-Wright · 2023 · $2.85 million

DDTC consent agreement for unauthorized exports of technical data related to defense electronics. Violations stemmed from inadequate internal controls over foreign person access to controlled technical data.

Voluntary Disclosures Are Not a Safe Harbor

DDTC encourages voluntary self-disclosure (VSD) of ITAR violations under 22 CFR § 127.12. While VSDs are treated as mitigating factors, they do not eliminate penalties. Organizations that voluntarily disclose still face consent agreements, mandatory compliance upgrades, and external monitoring.

The best protection is prevention — not disclosure after the fact. A systematic visitor screening program that prevents foreign person access violations eliminates the need for voluntary disclosures entirely.

06 · TCP Integration

Technology Control Plan Integration

Your Technology Control Plan defines the rules. Your visitor management system enforces them. The two must be tightly integrated — a TCP that exists only on paper provides no protection.

Zone-Based Access Classification

Map your facility into export control zones: ITAR-controlled, EAR-controlled, restricted, and unclassified. Each zone carries its own access requirements, escort rules, and badge-level permissions. Visitors are assigned to zones based on their export classification — not based on who they're visiting.

  • ITAR-Controlled
  • EAR-Controlled
  • Restricted
  • Unclassified

Export Classification Management

Visitors, their companies, and specific visits can each carry export classifications — USML categories (I-XXI), ECCN codes, or program-specific tags. These classifications determine zone eligibility and trigger appropriate screening workflows. Classifications can expire, requiring re-evaluation for repeat visitors whose access scope changes over time.

License Exception & Authorization Tracking

Not all foreign person access requires a full export license. License exceptions (NLR, STA, TSU, TMP) may apply depending on the nature of the visit, the visitor's nationality, and the specific technical data involved. Your visitor management system must track which exception applies, document the basis for the determination, and retain this as part of the 5-year record-keeping requirement.

07 · SecurePoint USA

Purpose-Built for ITAR Compliance

Foreign Person Status Determination

Citizenship and nationality are captured at pre-registration — not as optional fields, but as required data that gates the entire screening workflow. The system evaluates US Person status under 22 CFR § 120.62, flags dual nationals for additional review, and screens country of origin against embargoed nations.

The determination is made before the visitor arrives. If status cannot be confirmed, badge issuance is blocked until an export control officer reviews and approves.

Multi-List Sanctions Screening

Every visitor is screened against OFAC SDN, BIS Entity List, BIS Denied Persons List, DDTC Debarred Parties, EU FSF, and UK Sanctions lists. Screening occurs at pre-registration and again at check-in to catch list updates between booking and arrival.

Fuzzy matching with configurable thresholds catches name variations, transliterations, and aliases. Matches trigger an automatic hold — no badge is issued until a compliance officer adjudicates.
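
The threshold-based fuzzy match and automatic hold described here and in Phase 2 can be sketched as follows. This is an added example, not SecurePoint USA's code: the list entries are constructed, the function names are hypothetical, and Python's `difflib` stands in for whatever matching engine a real product uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries; real data comes from the published
# OFAC, BIS and DDTC lists.
RESTRICTED_LISTS = {
    "OFAC SDN": ["Aleksandr Petrovich Example"],
    "BIS Entity List": ["Example Precision Optics Co"],
    "BIS Denied Persons": ["Jon Q Sample"],
    "DDTC Debarred Parties": ["Maria Ejemplo Garcia"],
}

def normalize(name):
    # Strip diacritics, case and punctuation, then sort the tokens so that
    # "García, María Ejemplo" and "Maria Ejemplo Garcia" compare as equal.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(sorted(text.split()))

def screen(name, threshold=0.85):
    """Return (list_name, entry, score) for each entry scoring >= threshold."""
    probe = normalize(name)
    hits = []
    for list_name, entries in RESTRICTED_LISTS.items():
        for entry in entries:
            score = SequenceMatcher(None, probe, normalize(entry)).ratio()
            if score >= threshold:
                hits.append((list_name, entry, round(score, 2)))
    return hits

def badge_decision(name, threshold=0.85):
    # Any hit places the visit on hold for a compliance officer;
    # the badge is released only when there are no hits.
    hits = screen(name, threshold)
    return ("HOLD", hits) if hits else ("CLEAR", [])
```

Raising the threshold reduces false positives but lets transliterated spellings through: the variant "Alexander Petrovich Example" is held at 0.85 and cleared at 0.95.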

Zone-Based Access & TCP Enforcement

Site export zones map directly to your Technology Control Plan. Each zone defines its access requirements — ITAR-controlled, EAR-controlled, restricted, or unclassified. Visitor badges reflect the approved access posture, and zone transitions are logged in the audit trail.

Foreign nationals are automatically routed to approved zones only. Attempts to access restricted zones trigger alerts to security operators and export control officers.

Mandatory Escort Enforcement

Foreign nationals in controlled zones require confirmed escorts. The system blocks badge issuance until an escort from the authorized roster accepts the assignment. Escort notification, acknowledgment, and escalation are automated. At no point can a foreign visitor enter a controlled area without a confirmed, active escort.

Immutable, 5-Year Compliant Audit Trail

Every screening result, access decision, escort assignment, zone transition, and badge event is recorded in an append-only, cryptographically hashed audit log. Records cannot be edited, deleted, or backdated — by anyone, including system administrators. Data is retained for the full ITAR 5-year requirement and exportable in CSV, PDF, and JSON formats for DDTC and assessor review.
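
An append-only, hashed audit log of the kind described here and in Phase 5 is commonly built as a hash chain, where each record commits to the one before it. The sketch below is an added example, not SecurePoint USA's implementation; the event fields, identifiers and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only log: there is no method to edit or delete a record."""
    def __init__(self):
        self._records = []

    def append(self, event):
        prev = self._records[-1]["hash"] if self._records else GENESIS
        record = {"seq": len(self._records), "prev": prev,
                  "event": dict(event), "hash": digest(prev, event)}
        self._records.append(record)
        return record["hash"]

    def export(self):
        # Round-trip through JSON so callers get a copy, not the stored records.
        return json.loads(json.dumps(self._records))

def verify(records):
    """Return the index of the first record that breaks the chain, or -1."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return i  # record removed, reordered or inserted
        if rec["hash"] != digest(prev, rec["event"]):
            return i  # record content edited or backdated
        prev = rec["hash"]
    return -1

def sample_log():
    # Constructed events for one escorted foreign-national visit.
    log = AuditLog()
    log.append({"ts": "2026-04-01T14:02:11Z", "type": "screening",
                "visitor": "V-1001", "result": "clear"})
    log.append({"ts": "2026-04-01T14:05:40Z", "type": "escort_confirmed",
                "visitor": "V-1001", "escort": "E-207"})
    log.append({"ts": "2026-04-01T14:06:02Z", "type": "badge_issued",
                "visitor": "V-1001", "posture": "escorted-only"})
    log.append({"ts": "2026-04-01T14:19:30Z", "type": "zone_transition",
                "visitor": "V-1001", "zone": "ITAR-Controlled"})
    return log
```

A chain like this makes edits, deletions and backdating detectable, but dropping records from the tail still verifies. The latest hash therefore has to be stored or countersigned somewhere the log's administrators cannot rewrite.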

Separation of Duties

Security operators run the kiosk and front desk. Export control officers define policy and adjudicate edge cases. SecurePoint USA enforces this separation — front desk staff cannot override export classification decisions, and export control officers can audit every access event independently.

08 · Implementation

60-Day Implementation Roadmap

A phased approach that gets your ITAR visitor screening operational without disrupting daily facility operations.

Week 1-2

Discovery & TCP Mapping

  • Audit current visitor management processes and document gaps against 22 CFR requirements
  • Map facility zones to export control classifications (ITAR, EAR, restricted, unclassified)
  • Identify all USML categories and ECCN codes handled at each facility
  • Define escort policies per zone and visitor type
  • Establish export control officer roles and adjudication workflows
Week 3-4

Platform Configuration & Integration

  • Configure SecurePoint USA site zones matching your TCP
  • Set up multi-list screening rules and fuzzy match thresholds
  • Define badge templates reflecting access postures (ITAR-cleared, escorted, uncontrolled)
  • Configure escort notification and escalation chains
  • Integrate with existing access control systems if applicable
Week 5-6

Testing & Staff Training

  • Run screening workflow tests with mock visitors across all nationality/zone combinations
  • Train front desk staff on kiosk operations and badge issuance
  • Train export control officers on adjudication dashboard and evidence exports
  • Validate audit trail completeness — every event must generate a defensible record
  • Test escort enforcement end-to-end: assignment, notification, acknowledgment, escalation
Week 7-8

Go-Live & Compliance Validation

  • Deploy to production with parallel operation alongside existing processes
  • Monitor screening results and adjudication workflows in real-time
  • Generate first compliance evidence export and validate against DDTC record-keeping requirements
  • Decommission legacy visitor management processes
  • Schedule 30-day post-launch compliance review

Stop Treating ITAR Compliance as a Paper Exercise

Every foreign visitor who enters your facility without proper screening is a potential deemed export violation. The penalties are real. The enforcement is active. The solution is systematic.

SecurePoint USA delivers ITAR-compliant visitor screening with foreign person determination, multi-list sanctions checks, TCP zone enforcement, escort workflows, and immutable audit trails — deployed in 60 days.

SAM.gov Registered · Active CAGE Code · Built for Defense Contractors

This whitepaper is provided for informational purposes. It does not constitute legal advice. Organizations should consult with qualified export control counsel and ITAR compliance professionals for guidance specific to their operations. © 2026 SecurePoint USA. All rights reserved.