Reality check · ITAR-EAR
ITAR is not a registration. It is a program that operates every day.
A program-build engagement for US manufacturers handling export-controlled defense articles or dual-use items. We stand up the documented program the State Department, BIS, and your Empowered Official need in place.
The most common misunderstanding in this category is that ITAR registration completes the work. Registration is the door. The program is the building. DDTC and BIS expect a documented Technology Control Plan, a working Restricted Party Screening process, an Empowered Official with documented authority, recordkeeping that survives a Directorate of Defense Trade Controls Compliance audit, and a licensing workflow that operates fast enough to not blow your contract delivery dates. The Program Build engagement is the structured first build of that program.
Quick answer
The ITAR / EAR Program Build engagement stands up the documented and operating export-control program required by the State Department Directorate of Defense Trade Controls (DDTC) for ITAR-registered manufacturers and the Commerce Department Bureau of Industry and Security (BIS) for EAR-controlled exports. Brass & Bench partners come onsite for one to two weeks across multiple visits, build the program documentation set, deploy the licensing workflow tool, train the Empowered Official and supporting staff, and deliver a bound program binder. Pricing is $55,000 to $95,000 all-inclusive depending on USML / CCL classification scope and foreign-customer footprint. Most clients use this engagement when starting their first export-controlled sales, when transitioning from a CJ (commodity jurisdiction) ruling, or after a self-disclosed violation triggered a remediation requirement.
By Jason Santiago · Founding Partner. Executive Strategy, AI Architecture & Custom Software · Updated May 14, 2026The gap
What the registrar finds that your internal audit missed.
The most common gaps in shops that are ITAR-registered but operating without a built program.
Technology Control Plan (TCP) missing or boilerplate (22 CFR 124, 122). ITAR requires a TCP that addresses physical access controls, IT system access controls, visitor management for foreign nationals, employee training, marking and handling of technical data, and the procedures for re-export or re-transfer authorization. Common gap: the TCP exists as a generic template downloaded from an industry source, with no operational specificity to the shop's actual physical layout, IT systems, or foreign-person workforce.
Restricted Party Screening (RPS) workflow absent or single-source. Customers, suppliers, freight forwarders, and any party involved in a transaction must be screened against the consolidated screening list (BIS Entity List, OFAC SDN, DDTC Debarred Parties, plus several others). Common gap: the screen is performed at quote time against one or two lists, but not at every transaction stage and not against the full consolidated list. Or the screening records do not retain the lookup-time evidence required for audit.
Empowered Official designation and authority (22 CFR 120.25). The Empowered Official must be a US person, knowledgeable in ITAR, with corporate authority to bind the company and to halt a transaction. Common gap: the named Empowered Official is the compliance officer but lacks signature authority on commercial contracts. Or the designation is a holdover from a prior organizational chart and no longer matches actual reporting lines.
Recordkeeping (22 CFR 122.5, 15 CFR 762). Five years for ITAR (and longer for some record types), five years for EAR. Records must be retrievable on request by DDTC or BIS. Common gap: the records exist in operator email archives, paper folders, and various drive shares with no consolidated retrieval procedure. An audit-time request takes weeks to fulfill.
Foreign Person identification and access controls (22 CFR 120.16, 120.17). Any foreign person with access to technical data requires a license unless the data is in the public domain. Common gap: the IT system permits broad access to engineering drawings without a Foreign Person access check. Visitor procedures do not enforce escort or technology-segregation requirements.
Licensing workflow that bottlenecks delivery. DSP-5 (export of unclassified defense articles), DSP-61 (temporary import), DSP-73 (temporary export), DSP-85 (classified defense articles), and the matching EAR licenses for CCL items. Common gap: the license-request flow has no internal SLA. Sales commits to delivery dates without checking license status. The license arrives after the contract delivery date and the contract is breached.
Marking and handling of technical data. ITAR-controlled technical data must be marked and segregated. Common gap: drawings are marked at the title block but the underlying CAD file metadata is not classified, allowing the file to flow through file-sharing systems without the marking traveling with it.
Voluntary self-disclosure preparation. When a violation is discovered, DDTC and BIS treat voluntary self-disclosure substantially differently from involuntary discovery. Common gap: no procedure exists for evaluating, scoping, and submitting a VSD. Discovery of a potential violation triggers panic rather than process.
The path
How we close the gap before the audit.
The Program Build engagement is structured to deliver the complete operating program, not just the documentation.
Week one onsite. Build the documented program.
Day one. Jason Santiago and Lorrie Lynn arrive onsite. Day opens with a full operational walk-through to understand the actual physical layout, the IT system topology, the foreign-person workforce mix, the customer base in scope, and the supplier base. The TCP is authored against the actual operation, not a template.
Day two. RPS workflow built. The screening tool is deployed (either an off-the-shelf product like Visual Compliance or Descartes, or a custom workflow if the volume warrants). The screening procedure is documented with the consolidated list scope, the screening frequency, the recordkeeping format, and the escalation procedure for a positive hit.
Day three. Empowered Official designation finalized. The EO's authority is documented, with a back-up EO designated and trained. Internal training plan authored for the EO, the sales team, the engineering team, and the operations team.
Day four. Licensing workflow built. The internal license-request form is deployed. The license-tracking dashboard goes live with statuses, SLAs, and customer-delivery-date integration. The licensing decision matrix is authored, identifying which products and which destinations require which license types.
Day five. Recordkeeping infrastructure stood up. The five-year retention system is built on the company's existing IT stack where possible. The retrieval procedure is documented and tested with a dry-run pull of records by control number.
Between visits. Two to four weeks of remote work. Foreign Person access controls implemented in the IT system. Technical-data marking standards rolled out in the engineering team. Training delivered (live or LMS-based) to all in-scope employees.
Week two onsite. Program operating verification.
Day six. Operational dry-run of the licensing workflow. A real-or-realistic foreign customer scenario is walked through end-to-end. Every step in the workflow is timed and refined.
Day seven. Audit-readiness dry-run. The team simulates a DDTC compliance audit, requesting records and validating retrieval times. Gaps surfaced get closed.
Day eight. Voluntary Self-Disclosure procedure authored. The team walks through three hypothetical violation scenarios and tests the VSD evaluation procedure.
Day nine. Program binder finalized. The full program documented, version-controlled, audit-ready.
Day ten. Handover with ownership and the EO. The complete program is transferred. The team is trained. The twelve-month watchpost is scheduled.
The bound binder ships at engagement close. The twelve-month watchpost includes quarterly compliance check-ins, regulatory-update bulletins for DDTC and BIS rule changes, and ad-hoc consultation on any new licensing scenario. The recommended-path appendix identifies any product or technical-data category that warrants a Commodity Jurisdiction request to formally determine USML versus CCL classification.
ITAR-EAR audit coming up? Let's find the gap first.
The first call is a thirty-minute conversation. We tell you whether the Conformance Reality Check is the right product, or whether you need something different.