Most defense machine shops understand ITAR at the part level.
You’re machining components on the United States Munitions List. You know those parts can’t be exported without authorization. You probably have export control procedures in place.
What fewer shops think about is the technical data used to make those parts — specifically, the G-code programs running on your CNC machines.
What ITAR Says About Technical Data
ITAR does not just control hardware. It controls technical data — information required for the design, development, production, manufacture, or modification of defense articles.
A G-code program for a USML part encodes geometry, tolerances, feeds, speeds, toolpaths, and process sequencing. That is not just a set of machine instructions. It is practical manufacturing knowledge — how the part is actually produced to specification. Someone with that file and the right equipment can reproduce the part.
That is exactly the kind of information ITAR is designed to protect.
Whether a specific program qualifies depends on context. But if you are machining USML parts, the G-code that produces them should be treated as potentially controlled technical data. The geometry and process knowledge embedded in those files is the reason ITAR exists.
The USB Drive Problem Gets Bigger
In a CMMC discussion, an uncontrolled USB drive is a compliance gap.
In an ITAR context, it is something more serious: loss of control over export-controlled technical data.
ITAR does not require intent for a violation. It focuses on whether adequate controls were in place to prevent unauthorized access — including access by foreign persons. A USB drive containing ITAR-controlled G-code that is accessible to unauthorized personnel, leaves the facility, or gets shared without verifying recipient authorization creates risk that controlled technical data moved outside approved channels.
If you’re running DNC software instead of USB drives, the exposure is less visible but the question is the same. Most DNC systems don’t encrypt files in transit or at rest, don’t tie transfers to an authenticated identity, and don’t produce the kind of access records ITAR expects. An unencrypted G-code file sitting on a DNC server accessible to anyone on the shop network is the same loss of control — it’s just harder to see.
That is the exposure ITAR is designed to prevent. Enforcement is handled by the U.S. Department of State, and penalties include civil fines, debarment, and criminal liability.
It is about whether you can demonstrate control over where technical data goes and who can access it.
CMMC and ITAR Are Not the Same Thing
They overlap in defense manufacturing, but they are not interchangeable.
CMMC is a DoD contractual requirement tied to the protection of CUI. Non-compliance affects contract eligibility. ITAR is a federal export control regime governing defense articles and technical data. It applies regardless of contract status and is enforced independently.
Many shops are subject to both.
The important connection: controls that improve traceability, access control, and data handling discipline for CMMC also strengthen your ability to demonstrate control under ITAR. They are not the same framework — but they tend to fail in the same place: uncontrolled movement of technical data on the shop floor.
What Proper Control Looks Like
ITAR does not prescribe specific technologies. It expects you to maintain control over technical data.
For G-code on the shop floor, that means only authorized personnel can access controlled programs and that authorization is verified. It means you can reconstruct how a file moved — who accessed it, when, and where it went. It means technical data does not travel through unmanaged channels like USB drives, personal email, or open network shares. And it means you maintain records sufficient to demonstrate those controls are working.
If you can consistently show those elements, you are in a far more defensible position — under ITAR and under CMMC.
Where the Secure Manufacturing Cell (SMC) Fits
SMC is not an ITAR compliance program. ITAR compliance requires policies, training, classification decisions, and ongoing oversight.
What SMC addresses is a specific and common gap: uncontrolled movement of G-code from engineering to the shop floor. Every transfer is authenticated to a specific person and machine, encrypted in transit and at rest, logged with a timestamp and identity, and verified for integrity on delivery. That produces a record of exactly how technical data moved through your facility — the kind of record both CMMC assessors and ITAR auditors want to see.
It does not replace your compliance program. It strengthens the part most shops struggle to enforce.
The Question Worth Asking
If you were asked to demonstrate how ITAR-controlled technical data moved through your shop over the past 12 months — could you do it?
Not in general terms. With records.
If the answer is yes, you are operating from a position of control.
If the answer is “we’d have to reconstruct it” — that’s the gap. And under ITAR, that’s the gap that matters.
If you want to see how your current workflow maps to CMMC and ITAR expectations, see how CNC shops are reducing scope at /cnc-scope-reduction/.