Aerospace and Defense Export Compliance for Suppliers

A machine shop in Wichita ships a bracket. Not a weapon, not a guidance unit, just a milled aluminum bracket that holds a wiring bundle inside a fighter jet's avionics bay. The shop has 80 employees. It is a tier-3 supplier, three contracts removed from the prime that actually sells the aircraft to a foreign government. The owner has never registered with the State Department, never screened a customer against a federal list, never heard the phrase deemed export. He thinks compliance is the prime's job.

He is wrong, and the gap between what he thinks and what the law assigns to him is where most aerospace and defense export compliance failures actually start. Primes screen heavily. Tier-1 suppliers usually screen something. By the time a part specification reaches a tier-2 or tier-3 shop, the screening obligations have thinned to almost nothing, even though the legal exposure has not moved an inch. The part is still ITAR-controlled. The technical drawing is still controlled technical data. The foreign-national machinist on the night shift can still trigger a license requirement just by reading the print.

This is the supplier's problem, written from the supplier's chair. Not the regime education that other pieces cover. The actual screening and jurisdiction workflow a parts shop runs across a catalog of components, against a stack of lists that primes almost never hand down.

Aerospace and defense suppliers screen against lists primes never see

The supplier screening problem is structural. A prime contractor selling a complete defense article runs a mature compliance function with dedicated empowered officials, automated screening, and a legal team that reads every list update. The supplier two or three tiers down sees a purchase order, a drawing, and a delivery date. The screening obligation traveled down the contract chain. The screening capability did not.

Here is what gets missed. Suppliers need to check the same parties against several distinct federal lists, and these lists live in different agencies with different rules. The OFAC SDN List comes from Treasury and covers sanctions targets. The Entity List comes from the Bureau of Industry and Security at Commerce and covers parties subject to specific license requirements. The AECA Debarred List comes from the State Department and covers parties barred from any participation in defense exports. A party can sit on one list and not the others. We have seen suppliers run a single sanctions check, get a clean result, and assume the customer was cleared across the board. The customer was on the Debarred List the whole time, which the sanctions check never touches.

Standard denied party screening tools bundle some of these lists. Many do not bundle all of them, and almost none explain to a parts shop which list governs which transaction type. The result is a screening pass that looks complete and is not.

The AECA debarred list sits outside standard SDN screening

The AECA Debarred List names parties that have been convicted of, or are otherwise barred under, the Arms Export Control Act from participating in defense trade. It is published by the State Department's Directorate of Defense Trade Controls. Critically, it is a separate list from the OFAC SDN List, governed by a separate statute, and a sanctions-only screen will not catch it.

This matters for a parts supplier because the Debarred List is the list most directly tied to the defense items a supplier actually makes. A party on the Debarred List cannot receive ITAR-controlled hardware or technical data, full stop, with no transaction-by-transaction analysis available. The bar is categorical. If a supplier ships an ITAR part to a debarred party, the violation is clean and the supplier owns it.

The trap is tooling. A shop that bought a general business screening service to check vendors and customers against fraud and sanctions databases often has no coverage of the Debarred List at all. The screen runs green every morning and silently omits the one list built specifically for the defense items moving through the shop. The fix is not more screening volume. It is confirming that the AECA Debarred List is one of the lists in the pass, alongside the SDN List and the Entity List, in a single reconciled check rather than three disconnected ones.

DDTC maintains the registration and debarment infrastructure under the International Traffic in Arms Regulations, codified at 22 CFR parts 120 through 130. A supplier that handles defense articles is expected to know that frame exists, even when no prime ever points to it.

ITAR vs EAR jurisdiction determines which parts need a license

Every part in a defense supplier's catalog falls under one of two export control regimes, or under neither, and the supplier rarely gets told which. ITAR governs defense articles on the United States Munitions List. The EAR governs dual-use and less-sensitive military items on the Commerce Control List. The jurisdictional split is the single most consequential determination a supplier makes about a part, because it sets the registration requirement, the licensing path, and the screening obligation.

The practical problem is that jurisdiction is a per-part question, and a single shop often runs parts across the full EAR vs ITAR boundary inside the same week. A bracket might be EAR99, the lowest tier, requiring almost nothing. The avionics housing next to it on the same machine might be a Significant Military Equipment item under ITAR Category XI, requiring State Department registration before the shop legally touches it. Treating the whole catalog as one regime, in either direction, produces failure. Treat everything as ITAR and the shop drowns in registration it does not need. Treat everything as EAR and the shop exports munitions without a license.

Get the jurisdiction wrong and the failure compounds quietly. In April 2026 the State Department concluded a $36 million settlement with GE Aerospace over 116 AECA and ITAR violations, and part of it traced back to exactly this: failure to establish proper jurisdiction and classification before the technical data moved. If a company that size, with a real compliance department, mislabels parts badly enough to draw 116 charges, a tier-2 shop guessing on a Tuesday afternoon is not going to get it right by luck.

Jurisdiction also drives whether a commodity jurisdiction request makes sense. When a part's classification is genuinely unclear, DDTC offers a formal process to determine which regime applies. Suppliers skip it because it takes time, then guess, and the guess is the exposure. ITAR compliance for a parts shop is less about heroic legal analysis and more about building a per-part jurisdiction record that survives an audit two years later, when nobody remembers why the bracket was called EAR99.

A clean jurisdiction record per part is also what makes the screening downstream coherent. You cannot run the right list check until you know which regime owns the part.

Tier-2 and tier-3 suppliers inherit prime-contract screening duties

The legal mechanism that pulls screening obligations down to a parts shop is the contract itself. Defense prime contracts carry DFARS clauses that flow down to subcontractors, and those clauses obligate suppliers at every tier to maintain export control compliance, including denied party screening and ITAR registration where applicable. The supplier signed up for this when it accepted the purchase order, usually without reading the flow-down terms.

This is the gap that catches tier-2 and tier-3 shops. A supplier thinks the prime handles compliance because the prime is the one selling to the foreign customer. The flow-down clause says otherwise. It assigns the supplier independent responsibility for screening the parties it deals with and for controlling the technical data it receives. When BIS or DDTC investigates an export violation, they trace the controlled item and the controlled data through the whole chain, and a supplier with no screening records is a supplier with no defense.

Effective supply chain screening at the supplier tier means screening your own vendors and customers, not relying on the prime's screen of theirs. The shop that mills a part buys raw stock from somewhere, ships finished parts somewhere, and employs people who touch the drawings. Each of those is a screening surface the prime never sees and the supplier owns. We talked to a tier-2 fabricator who assumed three layers of primes above them had it covered, then learned during a contract audit that their own raw-material vendor sat on the Entity List. The prime's screening never looked there, because from the prime's chair, that vendor did not exist.

A practical entity list check at the supplier tier has to cover the parties the supplier transacts with directly, which is a different population than the prime ever screens.

Deemed-export exposure on the shop floor

A deemed export happens when controlled technical data is released to a non-US person inside the United States, with no shipment and no border crossing. For a defense parts supplier, this is the exposure hiding in plain sight, because it lives on the shop floor rather than in the shipping department. A foreign-national engineer reading an ITAR-controlled drawing is a deemed export to that person's country of nationality. No part left the building. The license requirement triggered anyway.

The shop-floor reality makes this acute. Aerospace machining runs on skilled labor, and skilled machinists are often foreign nationals on visas. The moment one of them accesses a controlled technical drawing, a controlled CAD file, or controlled process specifications, the supplier has released technical data to a foreign person. If that release was not authorized by a license or an exemption, it is a violation, and it sits inside the company's own walls where no border control catches it.

Suppliers underestimate this because there is nothing to ship and nothing to screen at a port. The control surface is access, not movement. Who can open which file, who can stand at which machine while a controlled part runs, who can see which drawing on which monitor. We have seen shops with solid customer screening and zero access controls on technical data, which means their cleanest exports were the controlled prints sitting open on the floor. The first time you walk a shop floor and notice a controlled drawing taped to a machine where anyone on shift can read it, the problem stops being abstract. It is right there on the wall.

What does not work is the badge-and-fence approach borrowed from physical security. Locking the building does nothing when the foreign national you cleared to be inside is the one reading the print. We have watched suppliers spend on cameras and door access and leave the file server wide open, because they were defending against theft when the control they actually owed was about nationality and data access. The screening discipline that catches this is treating personnel access as a controlled transaction. Nationality of the person, jurisdiction of the data, and whether a license or exemption covers the release, checked the same way a customer gets checked against a list. The data does not move, but the access is the export.

FAQ

Does a small parts supplier really need to register with the State Department?

If the shop manufactures ITAR-controlled defense articles, yes, even when it never exports anything directly. Registration under the ITAR attaches to making USML parts, not to shipping them abroad, and the size of the shop changes nothing about the obligation.

How is the AECA debarred list different from the OFAC SDN list?

The AECA Debarred List comes from the State Department and bars parties from participating in defense trade under the Arms Export Control Act. The OFAC SDN List comes from Treasury and identifies sanctions targets across all sectors. A party can appear on one and not the other. A sanctions-only screen checks the SDN List and does not check the Debarred List, which is why a defense supplier needs both lists in the same screening pass rather than assuming one covers the other.

Can a part be controlled under both ITAR and the EAR?

A given part falls under one regime at a time, either ITAR or the EAR, but a supplier's catalog routinely contains parts under both. The determination is made per part based on the item's characteristics and where it appears on the USML or the Commerce Control List. When jurisdiction is genuinely unclear, DDTC offers a commodity jurisdiction process to resolve which regime applies before the supplier proceeds.

What counts as a deemed export in a machine shop?

A deemed export occurs when a non-US person accesses controlled technical data inside the United States. In a machine shop, that includes a foreign-national employee viewing controlled drawings, accessing controlled CAD files, or working with controlled process specifications. No physical part has to leave the country. The release of the controlled data to the foreign person is itself the export and may require a license.

Who is liable if a tier-3 supplier ships to a denied party?

The supplier that made the shipment carries direct liability, regardless of how many tiers separate it from the prime. Export control enforcement traces the controlled item and controlled data through the entire chain, and each party is responsible for its own screening. A flow-down clause in the prime contract typically makes this obligation explicit, but the statutory liability exists independent of the contract language.

The pattern worth watching through 2026 is consolidation pressure moving down the supply chain. Primes are tightening flow-down enforcement and asking tier-1 suppliers to attest to their subcontractors' screening, which pushes the documentation burden onto shops that have never produced a screening record. A tier-2 or tier-3 supplier that cannot show a per-part jurisdiction determination, a reconciled screen across the SDN List, the Entity List, and the AECA Debarred List, and an access log for controlled technical data is increasingly a supplier that loses the contract before any violation occurs. The enforcement risk was always there. What is new is that the commercial risk now arrives first, in the form of a prime that drops a supplier for failing an attestation. The shops that build the screening record now are not chasing penalties. They are protecting the contract, and the contract is the business. Platforms like Lenzo exist to centralize that reconciled screening surface for suppliers who never built a compliance department and now need the record anyway.