A sales engineer from a European firm shows up at your lobby for a product demo. Your receptionist issues a visitor badge. Your IT team provisions demo environment access. Your operations manager walks him through the manufacturing floor to see the integration point. Three months later, during an ITAR audit, you discover that sales engineer had access to technical data controlled under ITAR—and he was a French national. You've just committed a deemed export violation.

This scenario plays out more often than most defense contractors want to admit. Managing foreign nationals under ITAR isn't just a policy problem or an HR issue—it's a physical and logical access control challenge that lives at the intersection of facilities, IT, and compliance. Most companies I've worked with have solid perimeter security but porous internal controls when it comes to segregating what foreign persons can see, touch, or access once they're inside the building.

The problem is that ITAR compliance demands more than badge readers and escort policies. It requires a systematic approach to screening visitors before they arrive, controlling what they can access while they're on-site, and maintaining audit trails that prove you knew who had access to what. This isn't about being unwelcoming to international colleagues or customers. It's about understanding that under ITAR, merely showing technical data to a foreign national—even inside your own facility—constitutes an export.

Understanding Deemed Exports in Your Own Facility

The concept of a deemed export catches people off guard because it defies common sense. Most people think of exports as physical shipments leaving the country: cargo containers, freight manifests, customs forms. But under ITAR, an export occurs whenever you release technical data or defense articles to a foreign person, regardless of location. That foreign person doesn't need to leave your building with a thumb drive or a blueprint. Simply viewing controlled technical data on a screen, participating in a design review, or walking through a secured production area can constitute a deemed export if proper authorization isn't in place.

The International Traffic in Arms Regulations define a foreign person as anyone who is not a U.S. citizen or a lawful permanent resident. This includes foreign nationals working for you as employees, contractors visiting for short-term projects, customers evaluating your products, and vendors providing services. It also includes that sales engineer I mentioned earlier, along with auditors from international certification bodies, visiting executives from allied countries, and university researchers collaborating on defense projects.

What constitutes technical data under ITAR is broader than most people assume. It's not just classified information or export-controlled documents marked "ITAR." It includes blueprints, engineering drawings, specifications, process documentation, test data, software source code, manufacturing know-how, and even verbal discussions about the design, development, production, or use of defense articles. If a foreign national overhears a detailed technical conversation in your engineering pod, that can trigger deemed export requirements.

The defense is straightforward in concept: either obtain a Technical Assistance Agreement (TAA) or other export authorization before the disclosure occurs, or prevent the disclosure entirely through access controls. In practice, this means you need to know who is a foreign person, what they can access, and how you're preventing unauthorized access—before they walk through your front door.

Visitor Screening Before They Arrive

The pattern I see most often is reactive screening: someone shows up, and only then does anyone think to ask about citizenship. By that point, you've already lost control of the situation. Effective management of foreign nationals under ITAR starts when the meeting is being scheduled, not when the visitor signs in at the lobby.

Your visitor registration process should capture citizenship status and country of citizenship as mandatory fields. This isn't optional information you collect if you remember to ask. It should be impossible to complete a visitor request without providing it. The form should also capture the purpose of the visit, what facilities or systems the visitor will access, and which employees will be meeting with them. This creates a record that proves you asked the right questions up front.

Once you have citizenship information, someone needs to make a determination: does this visit require an export license or TAA? That determination shouldn't be left to the admin scheduling the meeting. It needs to go to your trade compliance function, export control officer, or ITAR coordinator—someone who understands what technical data the visitor might be exposed to and whether existing authorizations cover that exposure. For many companies, this means integrating your visitor management system with your compliance workflow so that foreign national visits trigger an automatic review.

If the visit isn't authorized, you have three options: obtain authorization before the visit (which typically takes months, so it's not practical for short-notice meetings), redesign the visit to eliminate exposure to controlled data, or decline the visit. The second option is usually the most practical: move the meeting to a non-controlled conference room, limit the agenda to uncontrolled topics, and ensure no one brings controlled materials into the meeting space.

Document the screening decision. If you approved the visit based on an existing TAA, note the TAA number and scope. If you redesigned the visit to avoid controlled data, document what controls you put in place. If you declined the visit, record why. These records prove that you have a functioning deemed export control process, which is exactly what auditors and DDTC investigators look for. For more background on how ITAR registration and oversight work, see ITAR Registration: Who Needs It and How to Get It Right.

Badge Regimes That Actually Segregate Access

Badges are the most visible part of your access control system, but in most facilities, they're theater. Everyone gets a badge, the badge opens the front door, and after that it's a free-for-all. If you're subject to ITAR, that approach doesn't work. Your badge system needs to enforce segregation between controlled and uncontrolled areas, and it needs to make a foreign national's status immediately visible to anyone who encounters them.

Start with badge color or design. Foreign nationals should have a visually distinct badge that makes their status obvious from across a room. This isn't about stigma; it's about enabling everyone in your facility to recognize when someone who shouldn't be in a controlled area has wandered into one. If your engineers can't tell at a glance whether the person standing behind them can see their screen, your badge system has failed its primary function.

Badge access permissions need to match the visitor's authorization. If a foreign national has no export authorization, their badge should not open doors to any area where controlled technical data is present. This typically means access is limited to the lobby, designated conference rooms, restrooms, and break areas. If the visitor has a TAA or license that authorizes access to specific data, their badge permissions should be scoped to the areas where that data is used—and nowhere else.

Most electronic access control systems allow you to define zones and assign badges to specific zones with time limits. Use this functionality. Create a "public" zone for uncontrolled areas, and one or more "controlled" zones for areas where ITAR data is present. Foreign national badges default to public zone access only. If a specific visit is authorized, you can grant temporary access to a controlled zone for the duration of the visit, and the system automatically revokes it afterward.

The weak point in most badge systems is tailgating—someone with access holds the door open for someone without it. This is a training and culture problem, not a technology problem. Your workforce needs to understand that allowing a foreign national to follow them into a controlled area is not a courtesy; it's a potential export violation. Reinforce this during onboarding, in periodic refresher training, and through visible signage at controlled area entry points.

Temporary Badges and Expiration

Visitor badges should have a built-in expiration mechanism. The simplest approach is time-expiring badges that change color or display an expiration date. If someone is still wearing a badge from last week, it's immediately obvious. For higher-security environments, consider badges that must be returned to the lobby to exit the building, which forces a check-out process and ensures badges don't walk out the door.

Temporary access permissions in your electronic system should also expire automatically. I've seen too many situations where a vendor was granted access for a one-week project, and their badge still worked six months later because no one remembered to revoke it. Build expiration into the access grant workflow: if someone needs access beyond the initial period, they should have to request an extension that triggers another review.
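
The zone model and automatic expiry described in the last two sections can be sketched as a door decision plus a check for permissions that outlived their approval. This is an added example, not code from the article or from any access control product; the zone names, badge IDs, the `Grant` record and the `TAA-PLACEHOLDER` reference are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

PUBLIC_ZONE = "public"  # assumed name for the uncontrolled zone


@dataclass(frozen=True)
class Badge:
    badge_id: str
    foreign_person: bool
    expires: datetime


@dataclass(frozen=True)
class Grant:
    """A reviewed, time-boxed exception for one badge and one controlled zone."""
    badge_id: str
    zone: str
    starts: datetime
    ends: datetime
    authorization_ref: str  # reference recorded by trade compliance at screening


def covering_grant(badge_id, zone, now, grants):
    """Return the grant that covers this badge, zone and instant, or None."""
    for g in grants:
        if (g.badge_id == badge_id and g.zone == zone
                and g.authorization_ref and g.starts <= now < g.ends):
            return g
    return None


def door_decision(badge, zone, now, grants):
    """Decide a reader event. Returns (allowed, reason) so the reason is logged."""
    if now >= badge.expires:
        return False, "badge expired"
    if zone == PUBLIC_ZONE:
        return True, "public zone"
    if not badge.foreign_person:
        # Simplification: U.S.-person badges follow a role policy not modelled here.
        return True, "u.s. person"
    grant = covering_grant(badge.badge_id, zone, now, grants)
    if grant is None:
        return False, "foreign person badge without active grant"
    return True, "grant " + grant.authorization_ref


def overdue_permissions(enabled, foreign_badge_ids, now, grants):
    """Audit an export of what the access control system has enabled right now.

    `enabled` is a list of (badge_id, zone) pairs. Any controlled-zone permission
    on a foreign-person badge that no current grant covers should already have
    been revoked.
    """
    return sorted(
        (badge_id, zone) for badge_id, zone in enabled
        if badge_id in foreign_badge_ids and zone != PUBLIC_ZONE
        and covering_grant(badge_id, zone, now, grants) is None
    )


# Constructed sample data: one visitor with a one-week grant for a test cell.
VISITOR = Badge("V-1001", foreign_person=True, expires=datetime(2025, 3, 31, 18, 0))
GRANTS = [Grant("V-1001", "test-cell", datetime(2025, 3, 3, 8, 0),
                datetime(2025, 3, 7, 18, 0), "TAA-PLACEHOLDER")]
ENABLED = [("V-1001", "public"), ("V-1001", "test-cell"), ("E-0007", "test-cell")]

if __name__ == "__main__":
    for when in (datetime(2025, 3, 5, 10, 0), datetime(2025, 3, 10, 10, 0)):
        print(when, door_decision(VISITOR, "test-cell", when, GRANTS))
    print(overdue_permissions(ENABLED, {"V-1001"}, datetime(2025, 3, 10, 10, 0), GRANTS))
```

Running `overdue_permissions` against a nightly export catches the case where the reader configuration and the approved visit window have drifted apart.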

Escort Policies That Hold Up Under Scrutiny

Escorting is the fallback control when you can't fully segregate access through badges and facility design. If a foreign national needs to be in a controlled area—for example, a customer witnessing a factory acceptance test—an authorized escort can provide continuous line-of-sight supervision to prevent access to data outside the scope of authorization. But escort policies only work if they're specific, enforced, and auditable.

Define who can serve as an escort. It should be someone who understands what information is controlled, what the visitor is authorized to access, and how to intervene if the visitor is about to see or hear something out of scope. This usually means the escort must be a U.S. person, must have completed ITAR training, and must be familiar with the specific authorization covering the visit. Your receptionist can't be an escort unless they meet these criteria. Neither can a junior employee who happens to be walking in the same direction.

Line-of-sight supervision means exactly that: the escort must be able to see the visitor at all times. If the visitor goes to the restroom, the escort waits outside. If the visitor steps into a side conversation, the escort stays within earshot. If the escort is pulled into a separate meeting, the visit stops until another qualified escort is available. This level of supervision is labor-intensive, which is why facility design and badge-based segregation are preferable where possible.

Escort logs should capture the date, visitor name, citizenship, escort name, areas accessed, and duration of the visit. These logs are critical evidence that your escort policy is more than words in a manual. During an audit, investigators will compare escort logs against badge swipe records and visitor sign-in sheets to verify that escorts were actually present when they were supposed to be.
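
The comparison auditors make between escort logs, badge swipes and sign-in sheets can be run as a self-check before they arrive. This is an added example, not from the original article; the record layouts, the `V-` prefix for visitor badges, the zone names and the two-minute tolerance are assumptions, and every record below is constructed.

```python
from datetime import datetime, timedelta

CONTROLLED_ZONES = {"test-cell", "engineering"}  # assumed zone names
ESCORT_WINDOW = timedelta(minutes=2)             # assumed swipe tolerance


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def reconcile(swipes, sign_ins, escort_logs):
    """Return (time, badge, zone, reason) for each controlled-zone swipe by a
    visitor badge that the sign-in sheet and escort log cannot account for."""
    findings = []
    for s in swipes:
        if s["zone"] not in CONTROLLED_ZONES or not s["badge"].startswith("V-"):
            continue
        visitor = sign_ins.get(s["badge"])
        if visitor is None:
            # Citizenship unknown: report it rather than assume a U.S. person.
            findings.append((s["time"], s["badge"], s["zone"], "no sign-in record"))
            continue
        if not visitor["foreign_person"]:
            continue
        entry = next((e for e in escort_logs
                      if e["visitor_badge"] == s["badge"] and e["zone"] == s["zone"]
                      and e["start"] <= s["time"] <= e["end"]), None)
        if entry is None:
            findings.append((s["time"], s["badge"], s["zone"], "no escort log entry"))
            continue
        # The log names an escort; check that the escort's badge was at the door too.
        escort_seen = any(o["badge"] == entry["escort_badge"] and o["zone"] == s["zone"]
                          and abs(o["time"] - s["time"]) <= ESCORT_WINDOW
                          for o in swipes)
        if not escort_seen:
            findings.append((s["time"], s["badge"], s["zone"],
                             "escort badge not seen at door"))
    return findings


# Constructed sample records for one day.
DAY = "2025-03-04 "
SIGN_INS = {
    "V-1001": {"name": "Visitor A", "citizenship": "FR", "foreign_person": True},
    "V-1002": {"name": "Visitor B", "citizenship": "DE", "foreign_person": True},
    "V-1004": {"name": "Visitor D", "citizenship": "US", "foreign_person": False},
}
ESCORT_LOGS = [
    {"visitor_badge": "V-1001", "escort_badge": "E-0042", "zone": "test-cell",
     "start": ts(DAY + "09:30"), "end": ts(DAY + "11:00")},
    {"visitor_badge": "V-1002", "escort_badge": "E-0042", "zone": "test-cell",
     "start": ts(DAY + "14:00"), "end": ts(DAY + "15:00")},
]
SWIPES = [
    {"time": ts(DAY + "09:00"), "badge": "V-1001", "zone": "lobby"},
    {"time": ts(DAY + "09:30"), "badge": "V-1001", "zone": "test-cell"},
    {"time": ts(DAY + "09:31"), "badge": "E-0042", "zone": "test-cell"},
    {"time": ts(DAY + "13:15"), "badge": "V-1001", "zone": "engineering"},
    {"time": ts(DAY + "14:00"), "badge": "V-1002", "zone": "test-cell"},
    {"time": ts(DAY + "15:10"), "badge": "V-1003", "zone": "test-cell"},
    {"time": ts(DAY + "15:20"), "badge": "V-1004", "zone": "engineering"},
]

if __name__ == "__main__":
    for finding in reconcile(SWIPES, SIGN_INS, ESCORT_LOGS):
        print(*finding, sep="  ")
```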

One practical challenge: what happens when a foreign national employee needs to move through a controlled area to get to an uncontrolled workspace? Continuous escorting isn't sustainable if it's a daily occurrence. The better answer is facility redesign—relocate the workspace, reroute the path, or consolidate controlled functions into a single area that can be bypassed. If that's not possible, you're left with either obtaining broader authorization for that individual or accepting the labor cost of escorting.

IT Systems and Logical Access Segregation

Physical access controls get most of the attention, but logical access controls are just as important. If a foreign national can log into your network and access file shares, databases, or applications that contain ITAR-controlled technical data, you've got a deemed export problem—even if they never set foot in a controlled area of your facility.

The challenge with IT systems is that data is fluid. A document might start out in a controlled repository, then get emailed to a broader distribution list, then get uploaded to a shared drive that's accessible to contractors. Unless your data classification and access control are tightly linked, you can't reliably prevent foreign nationals from accessing controlled data through IT channels.

Start with data classification. Every document, drawing, dataset, and application that contains ITAR-controlled technical data should be marked as such. This isn't just a label for compliance purposes—it's the attribute your access control systems will use to enforce segregation. If your data isn't classified, your access controls can't work. For organizations also managing CUI, the principles overlap significantly; see What Is Controlled Unclassified Information (CUI)? for more context.

User accounts for foreign nationals should be flagged in your directory system—Active Directory, Entra ID, or whatever identity provider you're using. This flag drives conditional access policies: if user.citizenship != "US" and user.LPR != true, then deny access to resources tagged as ITAR-controlled. Most identity and access management platforms support attribute-based access control (ABAC) that makes this kind of policy enforceable.

File shares and collaboration platforms are particularly high-risk. If you're using SharePoint, Teams, Google Workspace, or similar tools, you need to ensure that ITAR-controlled sites, channels, and folders have access control lists that exclude foreign nationals. This means someone has to actively manage permissions, not just rely on default settings. It also means regular audits to catch permission drift—that file share that was locked down six months ago but has gradually accumulated broader access as people were added for convenience.
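
The directory-flag policy and the permission-drift audit from the two paragraphs above can be expressed as one decision function applied to every account an ACL reaches, including through nested groups. This is an added example, not code from the article or from any identity platform; the attribute names (`citizenship`, `lpr`, `authorized_resources`, `classification`), the tag values and all accounts and shares are assumptions constructed for illustration.

```python
ITAR = "ITAR"                  # assumed classification tag values
UNCONTROLLED = "UNCONTROLLED"


def is_us_person(user):
    """The article's rule: U.S. citizen or lawful permanent resident.
    A missing or empty attribute never counts as U.S. person (fail closed)."""
    return user.get("citizenship") == "US" or user.get("lpr") is True


def decide(user, resource):
    """Deemed-export overlay on top of the normal ACL. Returns (verdict, reason)."""
    if is_us_person(user):
        return "allow", "u.s. person"
    classification = resource.get("classification")
    if classification == UNCONTROLLED:
        return "allow", "uncontrolled resource"
    if classification is None:
        return "deny", "resource not classified"
    # Hypothetical attribute: resources covered by an export authorization on file.
    if resource.get("id") in user.get("authorized_resources", ()):
        return "allow", "export authorization on file"
    return "deny", "controlled resource, no authorization"


def members(principal, groups, path=()):
    """Yield (user_id, path) for users reachable through nested groups."""
    if principal in path:       # cycle guard for groups that contain each other
        return
    if principal not in groups:
        yield principal, path
        return
    for child in groups[principal]:
        yield from members(child, groups, path + (principal,))


def audit_acl_drift(acls, groups, directory, resources):
    """List every ACL entry that gives a denied account a path to a resource."""
    findings = []
    for res_id, principals in acls.items():
        resource = dict(resources.get(res_id, {}), id=res_id)
        for principal in principals:
            for user_id, path in members(principal, groups):
                verdict, reason = decide(directory.get(user_id, {}), resource)
                if verdict == "deny":
                    findings.append((res_id, user_id, "/".join(path) or "direct", reason))
    return sorted(findings)


# Constructed sample directory, groups, resources and ACLs.
DIRECTORY = {
    "alice": {"citizenship": "US"},
    "bruno": {"citizenship": "FR", "lpr": False},
    "chen": {"citizenship": "CA", "lpr": True},
    "dana": {},  # citizenship attribute never populated
    "emil": {"citizenship": "DE", "lpr": False,
             "authorized_resources": {"share/radar-drawings"}},
}
GROUPS = {"eng-all": ["alice", "proj-x"], "proj-x": ["bruno", "chen", "eng-all"]}
RESOURCES = {
    "share/radar-drawings": {"classification": ITAR},
    "share/cafeteria-menu": {"classification": UNCONTROLLED},
    "share/legacy-dump": {},  # never classified
}
ACLS = {
    "share/radar-drawings": ["eng-all", "emil", "dana"],
    "share/cafeteria-menu": ["bruno"],
    "share/legacy-dump": ["bruno"],
}

if __name__ == "__main__":
    for finding in audit_acl_drift(ACLS, GROUPS, DIRECTORY, RESOURCES):
        print(*finding, sep="  ")
```

The path column shows which group membership introduced the exposure, which is usually what has to be fixed rather than the individual account.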

Email is harder to control because it's inherently a push mechanism. You can block foreign nationals from sending or receiving certain message types, but that's clumsy and often breaks legitimate workflows. A better approach is to use email encryption or data loss prevention (DLP) tools that detect when someone is about to email ITAR-controlled content and either block the message or require additional authorization before it goes out. If your organization handles ITAR data in the cloud, ITAR and the Cloud: What Defense Contractors Need to Know in 2026 covers additional safeguards you should consider.

Remote Access and VPN Policies

Remote access adds another layer of complexity. If a foreign national employee or contractor has VPN access, what can they reach from outside your facility? Even if you've segregated on-premises access, a poorly configured VPN can bypass all of those controls and grant access to everything on your internal network.

The safest approach is to deny VPN access to foreign nationals entirely unless there's a specific, documented business need supported by export authorization. If access is required, segment your VPN so that foreign nationals connect to a restricted zone that doesn't include ITAR-controlled systems. Use network access control (NAC) to enforce this at the network layer, not just through policy.

Facility Design and Controlled Area Segregation

Technology and policy can only do so much. Facility design is the foundation of effective access control for ITAR and foreign nationals. If your controlled areas are scattered throughout your building with no clear physical boundaries, you're fighting an uphill battle. If controlled data is visible from common areas or accessible through shared workspaces, even the best badge system won't save you.

Controlled areas should have clear, defensible perimeters. This usually means dedicated rooms or zones with walls, doors, and access control readers. Open floor plans are popular for collaboration, but they're incompatible with deemed export control unless you're willing to restrict the entire floor to U.S. persons. I've worked with companies that tried to create "virtual" controlled areas within open workspaces using policy and signage—it never works. People move around, conversations carry, and screens are visible from uncontrolled areas.

Signage at controlled area entry points should state that the area contains ITAR-controlled technical data and that access is limited to authorized U.S. persons or foreign nationals with specific export authorization. This serves two purposes: it reminds your workforce of the access restrictions, and it provides evidence that you've taken steps to notify people of the controlled nature of the area.

Visual controls matter. If your engineering team works on ITAR-controlled designs on large monitors that are visible from hallways or through glass walls, you've got a problem. Use privacy screens, position monitors away from windows and doors, or use frosted glass in areas where controlled work is performed. The goal is to make it difficult for someone who isn't authorized to casually view controlled data, even if they're in an adjacent area.

Conference rooms present a special challenge. If a conference room is sometimes used for controlled meetings and sometimes for uncontrolled meetings, how do you prevent a foreign national from being scheduled into that room right after a meeting where controlled materials are still on the whiteboard? The best practice is to designate certain conference rooms as controlled and others as uncontrolled, and enforce that designation through room booking systems and physical signage. If a room is controlled, it's always controlled—you don't toggle it back and forth based on who's scheduled.

Manufacturing Floor Controls

Manufacturing and production areas are often the hardest to control because they're large, dynamic, and involve a mix of employees, contractors, and visitors. If you're manufacturing ITAR-controlled articles or using ITAR-controlled technical data in your production processes, the entire manufacturing floor is typically a controlled area. That means foreign nationals should not have access unless specifically authorized.

The practical challenge is that manufacturing often requires vendor support—maintenance on production equipment, installation of new tooling, quality audits by customer representatives. If those vendors or customers include foreign nationals, you need to either obtain export authorization in advance or redesign the work so that controlled articles and data aren't visible during the visit. This might mean covering or removing controlled items, restricting the visit to specific work cells, or scheduling the work during off-hours when production is paused.

Escort intensity on a manufacturing floor is higher than in an office environment because there are more ways to inadvertently access controlled data: picking up a work order, glancing at a screen showing production data, overhearing a conversation about process parameters, or simply observing the configuration of a controlled article. Escorts need to be vigilant and empowered to stop the visit if the situation is getting out of control.

The Audit Trail: Proving You Knew Who Was Where

All of the controls I've described are only as good as your ability to prove they were in place and followed. When DDTC or an independent auditor shows up, they will ask for records that demonstrate you knew who was a foreign national, what they accessed, and how you prevented unauthorized access. If you can't produce those records, the auditors will assume the controls didn't exist.

Your audit trail should include visitor logs with citizenship information, badge issuance records, escort logs, export authorization documentation (TAAs, licenses, exemptions), access control system logs showing badge swipes and door access, IT access logs showing login activity and resource access, and training records proving that employees understand deemed export requirements. These records should be retained for at least five years, which is the statute of limitations for ITAR violations.

Periodic self-audits are valuable. Pull a random sample of foreign national visits from the past quarter and verify that the proper screening occurred, escorts were logged, and badge access was limited appropriately. Pull a sample of IT accounts for foreign nationals and verify that they don't have access to controlled resources. If you find gaps, document them, fix them, and adjust your processes to prevent recurrence. Self-identified issues are far better than auditor-identified issues. For related compliance readiness concepts, see Audit Readiness: How to Stop Scrambling Before Every Assessment.

Incident response is part of your audit trail. If someone reports that a foreign national was observed in a controlled area without an escort, or that a foreign national accessed a controlled file share, you need to investigate immediately. Document what happened, who was involved, what data was exposed, whether it was authorized, and what corrective actions you took. If the exposure wasn't authorized, you may have a voluntary disclosure obligation to DDTC. Ignoring the incident or handling it informally is not an option—it will come back to haunt you during an audit.

Training and Culture: The Hardest Part

The technical controls I've described in this article will fail if your workforce doesn't understand why they matter or doesn't believe leadership is serious about enforcement. Deemed export controls are counterintuitive—they require people to treat conversations, screen views, and facility access as if they were cargo shipments. That mindset doesn't come naturally.

ITAR training should cover deemed exports explicitly, with examples relevant to your facility and operations. Abstract regulatory language doesn't stick. Concrete scenarios do: "If you're troubleshooting a design issue at your desk and a foreign national contractor walks up to ask a question, what do you do?" The answer is you stop the conversation, move to a non-controlled area, or verify that the contractor has authorization to access that specific technical data.

Training should also clarify who is responsible for what. Engineers need to know they can't share controlled data with foreign nationals, even if the foreign national is a colleague or customer. Receptionists need to know they can't issue a badge or allow access until citizenship is verified. IT staff need to know they can't grant system access without verifying authorization. Managers need to know they can't approve a foreign national visit without involving trade compliance. When everyone thinks someone else is handling it, no one handles it.

Culture comes from leadership. If executives talk about ITAR compliance as a checkbox exercise or a burden, the workforce will treat it that way. If leaders reinforce that deemed export controls protect the company, the workforce, and national security, and if violations result in real consequences, people take it seriously. I've watched the same workforce go from ignoring escort policies to rigorously enforcing them after a single leadership message that made the stakes clear.

Consequences for non-compliance need to be consistent and visible. If someone lets a foreign national into a controlled area without proper authorization and nothing happens, the message is that the policy doesn't really matter. If the same violation results in retraining, documentation, and escalation for repeat offenses, people get the message. This isn't about being punitive—it's about making it clear that deemed export violations are serious business.

Where Leadership Comes In

The controls I've outlined in this article require investment: facility modifications, badge system upgrades, IT access management tools, training development, and staff time for visitor screening and escort duties. These investments don't happen without leadership buy-in, and leadership buy-in doesn't happen unless someone frames the issue in business terms.

The business case isn't complicated. ITAR violations carry civil penalties up to $1.3 million per violation, and criminal penalties including imprisonment for willful violations. Beyond fines, violations can result in debarment, which means losing the ability to bid on or perform defense contracts. For many companies, that's an existential threat. Even short of formal enforcement, poor deemed export controls create risk during M&A diligence, contract renewals, and facility security clearance reviews. A single high-profile violation can damage customer relationships that took years to build. For more on what violations look like in practice, see ITAR Violation Consequences: What Happens When Defense Contractors Get It Wrong.

The flip side is that strong controls around ITAR and foreign nationals are a competitive differentiator. Primes want to work with subcontractors who have their act together on export compliance because it reduces the prime's liability and program risk. Government customers evaluate contractor compliance as part of source selection. Demonstrating mature deemed export controls signals operational maturity and reduces the likelihood of costly program disruptions.

This isn't a problem you can delegate entirely to a trade compliance officer and forget about. CISOs own physical and logical access controls, which means we own a large part of the deemed export control challenge. Facility managers own building design and visitor management. HR owns employee screening and training. IT owns systems access. If these functions aren't coordinated and accountable to a single leader who understands the regulatory requirement and the operational reality, you'll end up with gaps. That leader is often the CISO or a compliance executive with cross-functional authority, supported by a steering committee that includes all the stakeholders.

The question isn't whether your organization will invest in these controls. If you're doing ITAR-controlled work, the regulation requires them. The question is whether you'll build them proactively, based on a clear understanding of the risk and a commitment to getting it right, or whether you'll bolt them on reactively after an auditor or investigator points out the deficiencies. I know which approach costs less and causes fewer sleepless nights.
