February 3, 2026

Export-Controlled Data Handling for Suppliers: Practical Website and Process Tips

A practical, shop-floor-ready guide to identifying export-controlled technical data and implementing access controls, secure transfers, visitor rules, and documented workflows that stand up to defense and aerospace audits.

Handling Export-Controlled Technical Data

Defense and aerospace suppliers routinely exchange drawings, 3D models, build files, inspection results, and certification packs that can be regulated under U.S. export controls. For many small and mid-sized manufacturers, the highest risk is not the machining cell or the powder bed fusion (PBF) machine—it’s the “normal” places data flows: a public website upload form, an engineer forwarding a CAD file to a personal email, a shared drive with loose permissions, or a visitor walking through a facility while a controlled traveler is sitting on a workbench.

This article provides practical, engineering- and procurement-ready guidance for handling export-controlled technical data across your website and internal processes. The goal is not to turn suppliers into lawyers; it is to help you build a repeatable workflow that reduces accidental disclosure, supports ITAR/DFARS expectations, and holds up during customer audits and source inspections.

Important note: This is operational guidance, not legal advice. When in doubt, involve your Empowered Official, compliance lead, and the customer’s export compliance team.

What counts as controlled data

Suppliers get into trouble when they treat “controlled” as only a stamp on a drawing. In practice, controlled technical data can appear in many formats throughout additive manufacturing (AM), PM-HIP densification, CNC machining, and inspection workflows.

Common controlled technical data examples (often controlled under ITAR or EAR depending on the program and jurisdiction):

Engineering definition: 2D drawings (including GD&T), 3D CAD models (native and neutral formats), model-based definition (MBD), and the “as-designed” product specification.

AM build definition: STL/3MF and, more importantly, the complete PBF job package—build orientation, support strategy, scan strategy, parameter sets, layer thickness, hatch patterns, recoater strategy, and post-build heat treat/HIP requirements. These often reveal design intent and manufacturing know-how that customers consider sensitive even when not explicitly ITAR-marked.

Process and inspection data: process travelers, work instructions, First Article Inspection (FAI) packages (AS9102-style), CMM programs, CT scanning slice data, NDE procedures and reports, and any acceptance criteria tied to defense/aerospace parts. A CT dataset for a flight-critical PBF manifold, for example, may disclose internal geometry, wall thickness targets, or defect disposition rules.

Material and lot information: material heat/lot traceability, powder batch records for DMLS/SLM, chemical and mechanical test reports, and certificates of conformance (CoC). These are not always export-controlled by themselves, but they can become controlled when linked to a controlled part number, drawing, or end-use.

Program context: contract identifiers, end-user information, and controlled part numbers. Even a “simple” RFQ email thread can become sensitive if it contains controlled drawings and identifies the defense end item.

From a practical standpoint, treat technical data as controlled if any of the following are true:

1) The customer marks it (ITAR legend, distribution statements, “export controlled,” etc.).

2) It enables production (a capable party could manufacture, inspect, or reverse engineer using the data).

3) It reveals performance or design intent for a defense/aerospace system (including internal geometries common in AM).

4) Your contract requires it (flow-downs referencing ITAR, DFARS, program security clauses, or restricted distribution).

In AM-heavy programs, remember that “technical data” is not just geometry. PBF parameter sets, HIP cycles, and post-processing recipes can be as sensitive as the drawing. A secure workflow must cover all of it.

Access control basics

Access control is where most suppliers can make the biggest improvement quickly. The objective is simple: only authorized people can see controlled data, and their access is limited to what they need to do their job. That sounds obvious, but it requires specific, enforced choices.

Start with classification at intake. When a customer sends an RFQ or purchase order (PO) package, route it through a defined intake step before it is distributed internally. Successful suppliers often use a “gate” function (program management, contracts, or quality) to confirm:

1) Is the data controlled? (markings, contract language, end-use indicators)

2) Who is authorized? (U.S. persons only if ITAR applies; approved supplier personnel; need-to-know)

3) Where will it live? (approved storage location and project folder with restricted permissions)

Implement role-based access and least privilege. Many shops still rely on shared network drives where “Engineering” or “Quality” folders are broadly accessible. A better approach is project-based access: create a controlled project workspace where only named users (and backups) can access the folder. When someone changes roles or leaves, permissions should change immediately.
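A project-based access review can be automated against an export of the folder permissions. The sketch below is an added example, not part of the original article or any specific product: the roster, authorization record, ACL export and finding names are all constructed for illustration, and a real review would read them from your directory service and file server.

```python
from dataclasses import dataclass


@dataclass
class Person:
    active: bool              # still employed in a role that needs access
    us_person_verified: bool  # status confirmed by the compliance lead


# Constructed sample data: HR/compliance roster keyed by account name.
ROSTER = {
    "a.rivera": Person(active=True, us_person_verified=True),
    "j.chen": Person(active=True, us_person_verified=False),
    "m.okafor": Person(active=False, us_person_verified=True),  # has left
}

# Constructed access authorization records, one per controlled project.
AUTHORIZED = {
    "PRJ-1001": {"us_persons_only": True, "users": {"a.rivera", "m.okafor"}},
}

# Constructed ACL export from the project share: (principal, kind) pairs.
ACL = {
    "PRJ-1001": [("a.rivera", "user"), ("j.chen", "user"),
                 ("m.okafor", "user"), ("Engineering", "group")],
}


def review_project(project, acl=ACL, authorized=AUTHORIZED, roster=ROSTER):
    """Return sorted (principal, finding) pairs for grants that need action."""
    record = authorized[project]
    findings = []
    for principal, kind in acl[project]:
        if kind == "group":
            # Broad group grants defeat named, need-to-know access.
            findings.append((principal, "group-grant"))
            continue
        person = roster.get(principal)
        if person is None:
            findings.append((principal, "unknown-account"))
            continue
        if not person.active:
            findings.append((principal, "offboarded"))
        if principal not in record["users"]:
            findings.append((principal, "not-authorized"))
        if record["us_persons_only"] and not person.us_person_verified:
            findings.append((principal, "us-person-unverified"))
    return sorted(findings)


if __name__ == "__main__":
    for principal, finding in review_project("PRJ-1001"):
        print(f"PRJ-1001: {principal}: {finding}")
```

Each finding maps to an action: remove the grant, or update the authorization record with the approval that justifies it.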

Control access on the shop floor. In regulated manufacturing, travelers and drawings are often printed for convenience. If you must print, control where controlled prints are allowed, how they are stored, and how they are disposed of. Consider:

Controlled print stations that require badge authentication

“Clean desk / clean bench” rules in AM build prep, CNC programming, and inspection areas

Shred bins for controlled paper, with documented destruction

Segregated work cells for export-controlled jobs (particularly if you host visitors or have mixed programs in the same area)

Separate “process know-how” from “program data” where practical. For example, your generic HIP work instruction can be a controlled internal document without being tied to a specific defense program, while program-specific HIP cycles, part numbers, and acceptance criteria remain in the restricted project folder.

Verify controlled data handling extends to subcontractors. If you outsource NDE, CT scanning, coating, or special processes, ensure the sub-tier is qualified and contractually bound to the same export-control expectations. For NADCAP-accredited processes, don’t assume accreditation equals export-control readiness—confirm they can restrict access, store data securely, and limit foreign national access if required.

Secure file transfer

Secure transfer is not just “use a password.” The goal is to preserve confidentiality, prevent accidental forwarding, and maintain traceability of what was sent, to whom, and when.

Prefer controlled portals over email attachments. Email is convenient but hard to control once data leaves your environment. Mature suppliers use one of these patterns:

Customer portal: the customer provides a secure portal; you enforce internal controls on download and storage.

Supplier portal: you provide a secure portal with named accounts, multi-factor authentication (MFA), and access logging.

Encrypted file exchange: time-limited, access-controlled links with download auditing.

Practical transfer rules that work in real shops:

1) Use MFA for any account that can access controlled data. This includes engineering, quality, program management, and IT administrators.

2) Use expiring links and revoke access after award or after the job closes. RFQs often end with “no bid” or “bid not selected,” but the data can remain in inboxes and shared folders for years unless you deliberately retire it.

3) Encrypt at rest and in transit. Encrypt the storage volume where controlled data resides and require secure protocols for transfer. If you are subject to DFARS cyber requirements, align the implementation with your organization’s cybersecurity plan and any applicable NIST 800-171 controls.

4) Control the “secondary artifacts.” AM programs generate many derived files: slicer outputs, build reports, recoater logs, machine event logs, powder handling records, CMM programs, CT scan reconstructions, and screenshots embedded in nonconformance reports. Treat those artifacts as controlled if they are tied to the controlled part.

5) Avoid personal devices and unmanaged apps. Prohibit forwarding controlled files to personal email, personal cloud storage, and consumer messaging tools. If you allow remote work, define a compliant remote access method (managed device, VPN, MFA, no local saving unless encrypted and approved).

6) Put guardrails around CAM and build prep work. For 5-axis machining and PBF build preparation, programmers often need to move large files and toolpaths. Standardize where NC programs, post-processor outputs, and build job files are stored, and ensure machine controllers don’t become uncontrolled repositories. If a CNC controller or AM machine PC stores controlled programs, include it in your access control and backup strategy.
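The expiring-link, revocation and download-auditing rules above can be combined in one token check. The following is an added example, not code from the original article or from any particular portal product: the signing key, project ID, file name, recipient address and result strings are constructed, and the caller is assumed to have already authenticated the user with MFA.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: placeholder key; a real portal loads this from a secrets manager.
SIGNING_KEY = b"constructed-demo-key"
revoked_projects = set()  # projects closed out (no bid, bid lost, job complete)
audit_log = []            # one record per redemption attempt, allowed or denied


def _sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_link(project, file_id, recipient, ttl_seconds, now=None):
    """Create a token bound to one file, one named recipient and an expiry."""
    now = time.time() if now is None else now
    claims = {"project": project, "file": file_id,
              "rcpt": recipient, "exp": int(now + ttl_seconds)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()


def close_project(project):
    """Revoke every outstanding link for a project at close-out."""
    revoked_projects.add(project)


def redeem_link(token, authenticated_user, now=None):
    """Check a token for the authenticated user; log and return the result."""
    now = time.time() if now is None else now
    claims, result = None, "ok"
    try:
        payload, sig = token.encode().rsplit(b".", 1)
        # Verify the signature before trusting anything inside the payload.
        if hmac.compare_digest(_sign(payload), sig):
            claims = json.loads(base64.urlsafe_b64decode(payload))
        else:
            result = "bad-signature"
    except ValueError:
        result = "malformed"
    if claims is not None:
        if claims["project"] in revoked_projects:
            result = "revoked"
        elif now >= claims["exp"]:
            result = "expired"
        elif authenticated_user != claims["rcpt"]:
            result = "wrong-recipient"  # a forwarded link does not work
    # Denied attempts are logged too; they are the early warning signal.
    audit_log.append({
        "ts": int(now), "user": authenticated_user, "result": result,
        "project": claims["project"] if claims else None,
        "file": claims["file"] if claims else None,
    })
    return result
```

Only a result of "ok" should release the file; the audit records double as the data transfer log of what was sent, to whom, and when.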

Step-by-step example: controlled AM + HIP + machining workflow (where data handling must be designed in):

Step 1: RFQ intake → controlled project folder created; access assigned; data classification recorded.

Step 2: DfAM review → engineering notes stored in the same controlled space; no screenshots pasted into uncontrolled chat tools.

Step 3: Build preparation (PBF/DMLS/SLM) → build file, parameter set references, and machine setup sheets stored and access-controlled; job file transferred to the machine via approved secure method.

Step 4: Post-processing → stress relief and support removal work instructions reference the controlled traveler; images captured for quality records are stored in the controlled workspace.

Step 5: HIP / PM-HIP densification → cycle parameters recorded; linkage to part serials maintained; HIP charts stored with restricted access.

Step 6: CNC machining (often 5-axis) → NC programs and setup sheets remain controlled; shop floor print control applied; revisions managed.

Step 7: Inspection and NDE → CMM results, CT scanning datasets, and NDE reports stored as controlled; only released results shared externally according to contract.

Step 8: Certification pack → CoC, material traceability, inspection reports, and process certs compiled; package transmitted via secure portal; record retention follows contract and quality system rules.

Visitor controls

Facility tours and on-site supplier audits are routine in aerospace and defense—and they are also a common pathway for uncontrolled data exposure. Visitor controls should be treated as part of your export-controlled data handling system, not as “front desk etiquette.”

Build a visitor flow that is compatible with real operations:

1) Pre-visit screening and purpose definition. For customer visits, confirm the agenda, areas to be visited, and whether controlled programs will be discussed. For non-customer visitors (vendors, students, media), default to a non-controlled route and prohibit technical discussions.

2) Badging, escorting, and zone control. Maintain designated controlled areas where visitors are not permitted unless authorized. Use escorts trained to intervene if a visitor deviates from the route. In mixed-use facilities, a simple visual zone system helps (e.g., “green” general, “yellow” restricted, “red” export-controlled), implemented through signage and access controls.

3) No-photography and device policy. Establish and enforce a policy for cameras, phones, and smart devices. If photography is allowed for a specific reason, define the scope and require review before images leave the facility. Remember that photos of a CMM screen, traveler, or AM build report can disclose controlled details.

4) Work area readiness. Before tours, remove or cover controlled drawings, travelers, whiteboards with part numbers, and screens displaying controlled CAD. This is especially important in AM build prep rooms and inspection areas where geometry and acceptance criteria are visible.

5) Conversations are data too. Train technical staff not to casually disclose controlled performance requirements, program names, or design intent in hallway conversations. A visitor hearing “this bracket is for a specific missile program” can be a reportable event even if no file changed hands.

6) Mixed workforce considerations. If a program requires U.S. person-only access (common under ITAR), plan staffing and visitor routing accordingly. Do not “solve it in the moment” by hoping people won’t see something.

Visitor control is also relevant for remote visits. Screen sharing during virtual meetings can expose controlled CAD, CT scans, or travelers. Use meeting settings that restrict recording, control attendance, and confirm that shared screens display only what is authorized.

Documentation

Good controls that are not documented are hard to sustain and harder to defend during audits. For defense and aerospace suppliers operating under AS9100 or similar quality systems, documentation is the bridge between compliance intent and repeatable execution.

Core documents and records to maintain:

Export-controlled data handling procedure. Define what data is considered controlled in your environment, how it is labeled, where it is stored, who can access it, how it is transferred, and how incidents are handled. Keep the procedure aligned with contract flow-downs and your cybersecurity plan.

Training and acknowledgment records. Provide role-based training for engineering, quality, IT, program management, and shop leadership. Include practical examples: controlled CAD, PBF job files, HIP cycle charts, CT scan data, and certification packs. Document that employees understand the rules and where to ask questions.

Access authorization records. Maintain a list of authorized users for each controlled project and review it periodically. Include onboarding/offboarding steps and emergency access rules.

Data transfer logs. Record what was sent, to whom, method used, and approvals (especially for subcontractor transfers). If you’re exchanging large datasets like CT scans or CMM point clouds, logging is invaluable for traceability.

Revision and configuration management. Controlled technical data is often revised. Ensure your workflow prevents building or machining to an obsolete revision. In AM, revision control must include build files, parameter references, and any post-processing plans tied to the revision.

Incident response and corrective action. Define what constitutes an incident (mis-sent email, unauthorized access, lost laptop, uncontrolled print, visitor exposure) and how you respond. Integrate this with your corrective action system so issues lead to containment and systemic fixes.

Supplier/sub-tier controls. Keep evidence that sub-tiers receiving controlled data are approved, trained as required, and contractually bound. Store NDAs, flow-down clauses, and verification of their secure transfer method.

Documentation should be usable. If your engineers and quality inspectors cannot follow it during an urgent RFQ or a late-night machine down event, it will be bypassed. Write procedures that fit actual manufacturing tempo.

Procurement checklist

Procurement teams often act as the first “receiver” and “distributor” of customer data. The following checklist can be embedded into your RFQ/PO intake process and used to qualify sub-tiers that will touch controlled technical data.

1. Contract and data classification confirmed: RFQ/PO package reviewed for ITAR/EAR markings, DFARS cyber clauses, distribution statements, and any U.S. person-only requirements.

2. Controlled project workspace created: Data stored only in the approved system; permissions granted by name (not broad groups); MFA enforced.

3. Website intake is not a backdoor: Public website forms do not accept uncontrolled uploads of drawings/models; if uploads are necessary, they route into a secure portal with user verification and clear export-control warnings.

4. Approved transfer method defined: No controlled files sent via unapproved email attachments; use portal/encrypted exchange with expiring links and access logs.

5. Sub-tier readiness verified: For NDE, CMM, CT scanning, heat treat/HIP, coating, or machining partners, confirm they can restrict access, store data securely, and meet program requirements (AS9100 alignment, NADCAP where applicable, and export-control handling).

6. Manufacturing workflow mapped: Identify every point where data is generated or copied: PBF build prep outputs, machine logs, HIP charts, CNC programs, inspection datasets, nonconformance reports, and final certification packs.

7. Print control and shop floor rules in place: Controlled prints limited, tracked, and destroyed; travelers and drawings not left exposed; controlled areas defined.

8. Visitor policy enforced: Badging, escorts, no-photo rules, and tour routes that avoid controlled programs; screen sharing rules for virtual visits.

9. Record retention defined: Retention period and disposal method match contract and quality system requirements; access removed when no longer needed.

10. Incident response ready: Clear internal reporting path, containment steps, and corrective action process for mis-handling events.

When a customer evaluates a supplier for AM, HIP, and precision machining, they are not only buying capacity—they are buying trust. A disciplined approach to export-controlled technical data handling protects programs, reduces sourcing friction, and accelerates award decisions because your team can confidently say, “Yes, we can receive, process, and return controlled data and parts under a controlled workflow.”

Frequently Asked Questions

How should controlled technical data be handled in PLM/ERP/MES systems to maintain configuration control and auditability?

Define a controlled-data object in PLM/ERP/MES with mandatory metadata (program, export classification/markings, distribution statement, revision, owner, and retention). Enforce role-based access at the record level (project-based permissions, U.S.-person-only where required), MFA for privileged roles, and immutable audit logs for view/download/export events. Use formal change control so build files, NC programs, inspection plans, and certification pack contents are linked to the released revision and cannot be used from uncontrolled local copies. Periodically review access lists and close out projects by revoking access and archiving records per contract/AS9100 retention rules.

What is the recommended approach for remote work and supplier/customer collaboration when engineers need to access large AM build packages, CAM toolpaths, or CT/NDE datasets?

Allow remote access only through managed devices and an approved secure method (VPN/zero-trust gateway) with MFA and no split tunneling where applicable. Prohibit local storage of controlled files unless the endpoint is centrally managed and full-disk encrypted; prefer virtual desktops or remote application access that keeps data in the controlled environment. Use access-controlled portals or expiring links for sharing large datasets, with download logging and time-bounded permissions. Establish rules for screen sharing (authorized attendees only, recording disabled unless approved) and ensure derived artifacts created remotely are saved back into the controlled project workspace.

How should a supplier respond if controlled technical data is accidentally exposed (e.g., mis-sent email, unauthorized access, uncontrolled print, or visitor exposure)?

Treat it as an incident with immediate containment: stop further distribution, revoke link access, recover or destroy uncontrolled prints, and preserve logs/evidence. Notify internal compliance (Empowered Official/export compliance lead), IT/security, and program leadership per the documented escalation path; coordinate customer notification as required by contract. Perform a root-cause and corrective action through the quality system (e.g., AS9100 corrective action), addressing process gaps such as intake classification, permissioning, training, or transfer method. Document the event, impacted data, individuals involved, containment actions, and preventive measures, and update procedures and training to prevent recurrence.
