February 3, 2026

Defense Supplier Onboarding Checklist (ITAR, DFARS, and Documentation)

A practical defense supplier onboarding checklist covering ITAR and DFARS flow-down, secure data handling, end-to-end traceability, inspection/FAI expectations, and the most common documentation and workflow pitfalls—especially for AM, HIP, and precision machining programs.

Onboarding a new defense supplier is less about “getting them in the system” and more about proving—quickly and repeatably—that they can meet regulatory requirements, flow-down clauses, and technical quality expectations without creating risk to schedule, security, or audit posture. This is especially true when the scope includes advanced manufacturing such as additive manufacturing (AM) (e.g., powder bed fusion / DMLS / SLM), Hot Isostatic Pressing (HIP) or PM-HIP, and precision 5-axis CNC machining, where process control, traceability, and inspection evidence are inseparable from the part itself.

This checklist is written for engineers, procurement teams, and program managers who need a practical onboarding framework that translates contract language into shop-floor controls and documentation packs. Use it as a pre-award qualification guide and as an onboarding plan for first-article builds.

ITAR signals

ITAR (International Traffic in Arms Regulations) impacts who can access technical data, where work can be performed, and how data and parts can be transferred. During onboarding, look for “signals” that the supplier understands ITAR as a daily operational constraint—not a checkbox.

Checklist: confirm ITAR posture early

1) Registration and scope. Determine whether the supplier is ITAR-registered (when required for their role) and whether their registration and internal controls match the work scope. A machine shop producing ITAR-controlled hardware may be fine operationally, but if they will receive or store controlled technical data (models, drawings, process specs), their data controls must be mature.

2) Controlled access to technical data. Require the supplier to define how they restrict access to ITAR-controlled data to authorized U.S. persons. Ask for a plain-language description of:

• User access control (role-based access, least privilege, timely deprovisioning)
• Visitor controls (badging, escorted access, no photography policies)
• Remote access (MFA, approved devices, logging)

3) ITAR-aware quoting and order review. The supplier’s contract review should explicitly flag ITAR-controlled lines and verify that routing, subcontracting, and data sharing will remain compliant. A strong signal is an internal process that prevents a planner or buyer from sending ITAR drawings to a non-authorized subcontractor “just to get a price.”

4) Sub-tier controls. If the supplier will outsource any steps (NDE, heat treat, plating, passivation, special processes, CT scanning), confirm that their sub-tier selection and flow-down procedure is aligned with your requirements. If you require NADCAP for certain processes, that constraint must be enforced during purchasing—not after the fact.

5) Marking, shipping, and returns. Ask how they label and ship ITAR-controlled parts and documentation, including RMA/returns. A common weak point is the return loop: parts sent back for rework without proper controls on packaging, paperwork, and chain-of-custody.

Practical tip: For AM suppliers, ITAR is often triggered by digital thread assets (build files, scan strategies, parameter sets, CT datasets) as much as by drawings. Ensure your onboarding questionnaire explicitly includes build job files, machine parameter exports, and inspection datasets under “technical data.”

DFARS flow-down

DFARS (Defense Federal Acquisition Regulation Supplement) requirements typically reach suppliers through contract flow-downs from primes and higher-tier suppliers. The onboarding goal is to confirm the supplier can identify DFARS clauses, execute required controls, and produce evidence during audits or customer reviews.

Checklist: translate DFARS into operating controls

1) Clause capture and contract review. Require the supplier to show their process for capturing flow-down clauses at quote and at order entry. You want to see how they prevent “scope drift” where a PO includes requirements (e.g., domestic sourcing, cybersecurity) that never reach production planning.

2) Cybersecurity readiness (controlled unclassified information). If the supplier will handle controlled technical data or CUI, verify they have an established cybersecurity program appropriate to the contractual requirement. The practical onboarding step is to align on:

• What data is considered CUI in your program
• Where it will be stored (on-prem, managed cloud, segregated systems)
• How access is logged and reviewed
• Incident reporting expectations

3) Specialty metals and domestic sourcing considerations. If specialty metals restrictions apply, confirm the supplier can trace material origins and maintain supporting documentation. This becomes critical in AM and PM-HIP workflows where feedstock (powder), HIP canisters, and any wrought bar used for fixtures or machining may come from different sources.

4) Counterfeit parts and material controls. Require their process for preventing counterfeit materials and ensuring approved sources. Defense buyers often focus on electronics, but for manufacturing suppliers the risk shows up as “mystery powder,” undocumented heat lots, or substituted fasteners/consumables that can invalidate compliance.

5) Flow-down to sub-tiers. The supplier must demonstrate how DFARS requirements are flowed to sub-tier purchase orders—especially for special processes and inspection services. Ask for an example PO template or redacted PO showing required clauses and quality notes.

Practical tip: In advanced manufacturing, DFARS compliance is frequently proven through a certification pack assembled at shipment. During onboarding, define what “done” looks like: which certs, which records, who signs, and what gets archived.

Data handling

Defense onboarding fails most often at the boundary between engineering intent and production execution: CAD files, drawings, specifications, deviations, and inspection datasets. Data handling requirements should be explicit, measurable, and tied to the supplier’s actual workflow.

Checklist: define and control the digital thread

1) Define the authoritative dataset. Establish what is controlled and what is reference-only: native CAD, STEP, drawing PDF, model-based definition (MBD), process specifications, and inspection characteristics. Clarify precedence (e.g., drawing over model or vice versa). This avoids nonconformances caused by machinists or programmers using the “wrong file” pulled from an old email.

2) Revision control and distribution. Require a process that ensures only current revisions are used in manufacturing and inspection. Minimum expectations include:

• Controlled receipt of customer files (designated inbox or portal, not personal email)
• Traceable distribution to CAM, AM programming, and inspection planning
• Obsolescence controls (withdraw superseded prints from shop floor)
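
One way to enforce the revision and obsolescence controls above is to compare working copies against a hashed manifest of the controlled dataset. This is an added example, not part of the original checklist; the manifest schema, file names, and contents are hypothetical and constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents standing in for customer files (hypothetical).
STEP_REV_A = b"bracket model, revision A"
STEP_REV_B = b"bracket model, revision B"
DRAWING_REV_C = b"bracket drawing, revision C"

# Constructed controlled-dataset manifest, as it might be issued with the RFQ.
MANIFEST = [
    {"file": "bracket.step", "rev": "A", "sha256": sha256_hex(STEP_REV_A), "status": "superseded"},
    {"file": "bracket.step", "rev": "B", "sha256": sha256_hex(STEP_REV_B), "status": "current"},
    {"file": "bracket.pdf", "rev": "C", "sha256": sha256_hex(DRAWING_REV_C), "status": "current"},
]

# Constructed working copies found in CAM and inspection folders.
WORKING_FILES = {
    "cam/bracket_from_email.step": STEP_REV_A,          # old revision, renamed
    "inspection/bracket.pdf": DRAWING_REV_C,            # current drawing
    "cam/bracket_tweaked.step": STEP_REV_B + b" edit",  # locally modified copy
}

def classify(working_files, manifest):
    """Label each working copy by content hash, so renaming cannot hide a stale file."""
    by_hash = {entry["sha256"]: entry for entry in manifest}
    labels = {}
    for path, content in working_files.items():
        entry = by_hash.get(sha256_hex(content))
        if entry is None:
            labels[path] = "uncontrolled"
        else:
            labels[path] = f"{entry['status']} rev {entry['rev']}"
    return labels

def missing_current(working_files, manifest):
    """Current-revision manifest entries that no working copy matches."""
    present = {sha256_hex(content) for content in working_files.values()}
    return [(e["file"], e["rev"]) for e in manifest
            if e["status"] == "current" and e["sha256"] not in present]

if __name__ == "__main__":
    for path, label in classify(WORKING_FILES, MANIFEST).items():
        print(f"{path}: {label}")
    print("current revisions not in use:", missing_current(WORKING_FILES, MANIFEST))
```

A copy labelled "uncontrolled" matches no released revision at all, which covers both unknown files and locally edited copies of a controlled file.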

3) Program-specific access segmentation. For ITAR/CUI programs, ensure data is segregated from commercial work. This is especially important for multi-tenant AM environments where build prep software, build queues, and machine logs may be shared across programs unless configured correctly.

4) Manufacturing data artifacts. For AM suppliers using PBF (DMLS / SLM), define what you expect to be retained and made available, such as:

• Build job package (orientation, support strategy, scan strategy summary as allowed, machine ID, build time/date)
• Machine logs (alarms, oxygen levels, recoater events, parameter set ID)
• Powder handling records (lot IDs, reuse ratios, sieve records, storage conditions)
• Post-processing routing (stress relief, HIP cycle IDs, heat treat lots)

5) Secure transfer of large datasets. CT scanning and high-density CMM reports can be large; define acceptable transfer methods and file formats. Also define retention: how long the supplier retains raw CT volumes vs. summary reports, and how data is protected while stored.

Step-by-step: a practical, defense-ready data flow from RFQ to first build

Step 1: RFQ issued with controlled dataset list, quality clauses, and packaging expectations.
Step 2: Supplier acknowledges ITAR/CUI handling and confirms sub-tiers (NADCAP/NDE as applicable).
Step 3: Supplier generates manufacturing plan (AM build plan and/or CNC route) tied to revision-controlled inputs.
Step 4: First-article execution with data capture (build logs, inspection plans, material cert mapping).
Step 5: Shipment with certification pack and archive of objective evidence for audits.

Traceability

Traceability is the backbone of regulated manufacturing. The goal is not just to produce a certificate of conformance (CoC), but to maintain an unbroken chain linking each delivered part to: material lots, process steps, equipment, operators, and inspection results. For AM and PM-HIP, traceability must extend upstream into powder and densification steps.

Checklist: build a complete traceability chain

1) Lot and serial strategy. Define whether parts are lot-traceable or serial-traceable and when identification is applied. For small AM parts, marking may be constrained; define acceptable methods (e.g., tag-and-bag with traveler linkage) and when direct part marking is required.

2) Material pedigree. Require material certs that include heat/lot identifiers and chemistry/physical properties as required by the specification. For AM powder, confirm the supplier can trace:

• Powder producer batch/lot
• Incoming inspection (as required—chemistry, PSD, flow, apparent density)
• Reuse history (blend ratios, number of reuses, contamination controls)

3) Traveler/router completeness. The traveler should show every process step with sign-offs and links to objective evidence. At a minimum, travelers should capture:

• Operation numbers (AM build, depowder, stress relief, HIP, rough/finish machining, deburr, cleaning)
• Equipment IDs (AM machine ID, HIP vessel ID, furnace ID, CNC machine ID)
• Process spec revision (e.g., internal AM procedure, HIP cycle spec, heat treat spec)

4) PM-HIP and HIP-specific traceability. If your supplier performs HIP or PM-HIP, confirm they can provide:

• HIP cycle records (temperature/pressure/time, ramp rates if controlled, run ID)
• Canister and encapsulation records (for PM-HIP: can material, weld procedure, leak check)
• Pre- and post-HIP inspection (density verification approach, plan for dimensional shifts)

5) Nonconformance control and deviations. The supplier must have a process for documenting, dispositioning, and communicating nonconformances. Confirm how they handle:

• Internal rework/repair approvals
• Customer MRB submission when needed
• Segregation and identification of suspect product

Practical tip: For AM + HIP + machining workflows, traceability breaks most often at hand-offs: build-to-HIP, HIP-to-machining, machining-to-NDE. During onboarding, request a sample traveler that spans the entire route, not separate departmental documents.
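
A sample traveler that spans the whole route can be checked mechanically for the hand-off breaks described above. The following is an added example, not part of the original checklist; the record schema (`lot_in`, `lot_out`, and the other field names) and all identifiers are hypothetical, and the traveler is constructed.

```python
# Fields every operation must carry: equipment ID and spec revision from the
# traveler minimums above, plus sign-off and a link to objective evidence.
REQUIRED = ("equipment_id", "spec_rev", "signed_by", "evidence")

def op(num, step, lot_in, lot_out, equipment_id, spec_rev, signed_by, evidence):
    """Build one traveler operation record (hypothetical schema)."""
    return {"op": num, "step": step, "lot_in": lot_in, "lot_out": lot_out,
            "equipment_id": equipment_id, "spec_rev": spec_rev,
            "signed_by": signed_by, "evidence": evidence}

# Constructed traveler for one part routed AM build -> HIP -> machining -> NDE.
TRAVELER = [
    op(10, "AM build", "PWD-17", "BLD-0042", "AM-2", "AM-PROC rev D", "op-114", "buildlog-0042"),
    op(20, "HIP", "BLD-0042", "HIP-R311", "HIP-V1", "HIP-CYC rev B", "op-207", "hiprun-R311"),
    # Wrong incoming HIP run ID and no process spec revision recorded.
    op(30, "Finish machining", "HIP-R310", "MCH-0931", "CNC-5", "", "op-318", "cmm-0931"),
    # Signed off, but no link to the NDE report.
    op(40, "NDE", "MCH-0931", "NDE-0931", "CT-1", "NDE-PROC rev A", "op-402", ""),
]

def check_traveler(ops):
    """Return (operation number, finding) pairs for gaps in the chain."""
    ordered = sorted(ops, key=lambda o: o["op"])
    findings = []
    # Completeness: every step needs its required fields filled in.
    for o in ordered:
        for field in REQUIRED:
            if not o[field].strip():
                findings.append((o["op"], f"missing {field}"))
    # Continuity: the ID a step receives must be the ID the previous step released.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lot_in"] != prev["lot_out"]:
            findings.append((cur["op"],
                             f"hand-off break {prev['step']} -> {cur['step']}: "
                             f"expected {prev['lot_out']}, got {cur['lot_in']}"))
    return findings

if __name__ == "__main__":
    for number, finding in check_traveler(TRAVELER):
        print(f"op {number}: {finding}")
```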

Inspection

Inspection onboarding is about aligning on acceptance criteria, measurement methods, and evidence. Defense and aerospace programs often require more than dimensional conformance: they require proof that the supplier can detect the failure modes that matter (porosity, lack of fusion, inclusions, distortion, machining-induced damage) and can control measurement uncertainty.

Checklist: qualify inspection capability and reporting

1) Inspection planning tied to key characteristics. Require an inspection plan that maps drawing requirements to inspection methods. For tight-tolerance machined features, confirm the plan identifies:

• Datum scheme and fixturing approach
• Measurement method (CMM, optical comparator, scanning, gaging)
• Sampling plan (100% vs. sampling; lot-based acceptance)

2) CMM capability and calibration. For precision machining and complex geometries, confirm the supplier’s CMM capability, software, calibration discipline, and reporting format. Ask how they manage fixture repeatability and thermal controls when chasing microns.

3) NDE alignment (when required). For AM and critical aerospace parts, NDE may include penetrant inspection, radiography, ultrasonic, or CT scanning. Onboarding should verify:

• Procedure availability and revision control
• Personnel qualification (as required by the contract/spec)
• Acceptance standards (what constitutes a reject vs. acceptable indication)

4) CT scanning for AM: use it deliberately. CT scanning can provide powerful insight into internal features and porosity, but it is not automatically “better” unless scanning parameters, resolution, and acceptance criteria are defined. During onboarding, align on:

• What the CT is intended to verify (internal channels, wall thickness, porosity trends)
• Minimum voxel resolution and region of interest
• Report content (pass/fail, defect maps, dimensional comparisons when applicable)

5) First Article Inspection (FAI) expectations. If AS9100-style FAI is expected, define the form and content up front and ensure the supplier can produce it without scrambling. A strong onboarding deliverable is an agreed FAI package outline that includes ballooned drawings, inspection results, material certs, special process certs, and objective evidence mapping.

Step-by-step: inspection pack for an AM + HIP + CNC part

Step 1: Incoming powder cert review (lot verification) and powder handling record initiation.
Step 2: AM build completion with build log capture and in-process checks (as defined).
Step 3: Post-build heat treatment / stress relief record capture; dimensional “before HIP” measurement if used to manage distortion risk.
Step 4: HIP cycle execution with run record; post-HIP density verification strategy (e.g., witness coupons, process qualification evidence).
Step 5: CNC machining with in-process inspection for critical datums/features; final CMM report linked to serial/lot.
Step 6: NDE/CT as required; compile results into the certification pack with CoC and traceability matrix.

Common pitfalls

Most onboarding issues are preventable if you treat onboarding as a risk-reduction project rather than an administrative step. Below are frequent failure modes seen in defense and aerospace supply chains, particularly where advanced manufacturing is involved.

1) “We’re AS9100” without evidence of process control. Certifications matter, but they don’t automatically mean the supplier can execute your specific workflow (AM parameter control, HIP routing discipline, special process management). During onboarding, ask for objective evidence: sample travelers, calibration logs, example FAIs, redacted internal audits.

2) Sub-tier creep. A supplier may quote the work assuming in-house capability but later outsource steps due to capacity. Without tight flow-down controls, this can violate ITAR, DFARS clauses, or NADCAP expectations. Require notification and approval triggers for any sub-tier changes.

3) Uncontrolled powder reuse and contamination risk. In PBF environments, powder reuse practices can make or break material properties and defect rates. Onboarding should explicitly define acceptable reuse ratios, sieving frequency, storage conditions, foreign material controls, and lot traceability.

4) HIP treated as a magic fix. HIP can reduce internal porosity, but it does not correct lack-of-fusion defects caused by poor AM parameters, nor does it guarantee dimensional stability. Ensure the supplier understands what HIP can and cannot do, and that they have a plan for distortion management and post-HIP machining stock.

5) Misaligned inspection intent. If engineering expects CT verification of internal channels but procurement only flowed down a generic “inspect per drawing,” the supplier will meet the PO but miss the program intent. Use onboarding to align on key characteristics, inspection method, and acceptance criteria—preferably with a written inspection plan.

6) Documentation packs assembled after the fact. Certification packs are often built at shipment, but the evidence must be collected during production. If records are retroactively created, the risk of missing data, wrong revisions, or mismatched lot IDs increases. Require a defined record capture plan and conduct an early build review (e.g., after AM build or after HIP) to verify documentation completeness.

7) Lack of clarity on “deliverables beyond parts.” Defense buyers often need more than hardware: CMM data, CT datasets, process certifications, FAI, deviation history, and objective evidence for audits. During onboarding, define the expected deliverables list and format so the supplier can price and plan correctly.

8) Undefined change control for manufacturing parameters. For AM especially, small changes in scan strategy, layer thickness, powder lot, or heat treatment can change outcomes. Ensure the supplier has a change control process that defines what requires customer notification/approval and how changes are documented.

How to use this checklist effectively: Treat it as a staged gate process. Start with ITAR/DFARS feasibility, then validate data handling and traceability, then qualify inspection and documentation outputs with a controlled first article build. The result is a supplier relationship that can withstand audits, support engineering changes, and deliver compliant parts on schedule.

Frequently Asked Questions

For AM + HIP parts, what process-qualification evidence should we require before awarding production work?

Require objective evidence that the supplier’s AM parameter set and downstream HIP/heat treatment route are qualified for the specific material, machine, and build envelope. Typical evidence includes: a documented process qualification plan, build coupons/witness specimens tied to the same build as parts, mechanical test results (tensile, fatigue if required, hardness), density/porosity verification method, microstructure review where applicable, and a controlled correlation between machine parameter set IDs and test reports. Ensure the qualification explicitly covers post-HIP and post-machining condition if those states define final properties.

How do we evaluate supplier capacity and schedule risk without relying on informal promises?

Ask for a capacity profile tied to your route: AM machine availability by platform, HIP vessel/furnace capacity (including cycle times and batching constraints), CNC spindle hours, and inspection/NDE throughput. Require documented lead times for each operation, a load vs. capacity snapshot (even if redacted), and their escalation plan for equipment downtime (qualified backup machines, approved sub-tiers, or spare-part strategy). Align on firm gates (e.g., build start, HIP run, machining start, FAI completion) and require timely notification thresholds for slips.

What should be defined up front for manufacturing change control on AM programs to avoid requalification surprises?

Define, in writing, which changes are ‘notify’ versus ‘customer approval required’ and what triggers partial or full requalification. Common approval-required changes include: machine model or serial change, parameter set/scan strategy change, layer thickness change, material specification or powder supplier change, powder reuse limits change, build orientation/support strategy changes that affect key characteristics, HIP cycle changes, and inspection method/acceptance criteria changes. Also define required documentation for each change (revisioned work instruction, updated risk assessment, and evidence package) and how changes are linked to serial/lot records.
