ITAR / CMMC · Defense & Aerospace · Case study

How a Fortune 500 Defense Prime Achieved ITAR-Grade Visitor Screening at 14 Sites

A Tier-1 U.S. defense manufacturer replaced legacy clipboards across 14 production sites, hit 100% ITAR-required screening coverage, and passed CMMC 2.0 audit on the first pass.

Customer profile
  • Profile: Public Fortune 500 manufacturer with classified production lines
  • Size: ~38,000 employees
  • Region: United States + UK / Australia satellite offices
  • Framework: ITAR, CMMC 2.0 Level 2, NIST SP 800-171, ISO 27001
Outcomes
  • 100% ITAR foreign-national screening coverage
  • 14 sites onboarded in 11 weeks
  • 1st-pass CMMC 2.0 Level 2 audit cleared
  • 92% reduction in front-desk processing time
Every visitor at every site is screened against the same DDTC denied-party list before clearance.

When a Tier-1 U.S. defense prime started prep for its CMMC 2.0 Level 2 audit in late 2025, the gap that surfaced first wasn't the IT side. The cyber controls had been hardened for two years. The gap was physical: 14 production sites, each running its own visitor sign-in process, none of them connected, and the export-controlled facilities still on paper clipboards.

Eleven weeks later, every site was on a single AI-powered visitor management platform, with ITAR-grade foreign-national screening at every front desk, and the auditors signed off in a single pass.

Background

The customer is a publicly traded U.S. defense manufacturer producing classified subsystems for U.S. and allied governments. Roughly 38,000 employees, 14 production facilities (4 of them on ITAR-controlled lines), and several thousand visits per month across the network: vendor technicians, auditors, foreign-national escorts, government inspectors, and corporate guests.

The trigger event was the CMMC 2.0 Level 2 readiness assessment, which made physical access control evidence (NIST SP 800-171 PE.3.136 and PE.3.137) audit-scope for the first time. The interim solution, a binder of sign-in sheets per site, was clearly not going to survive the assessment.

The compliance challenge

Three overlapping regulations had to be satisfied at the same time, with customer-specific rules layered on top:

  • ITAR foreign-national screening at every ITAR-controlled facility, with positive denial workflow for matched parties.
  • CMMC 2.0 Level 2 evidence: tamper-evident visitor logs, role-based access to visitor data, retention controls.
  • NIST SP 800-171 PE family controls: visitor authorization, escort tracking, log of physical access by visitors.
  • Customer-specific export-control rules layered on top, with denied parties from contract-specific blocklists.

The internal compliance team had built a clear control matrix. The issue was implementing it across 14 sites within one budget cycle.

Solution architecture

The customer evaluated four enterprise visitor management vendors and landed on LogBook360 for three reasons: real-time screening latency under 1 second, native multi-site management without per-site contracts, and a documented mapping from platform controls to NIST SP 800-171 evidence.

The deployed architecture across 14 sites:

  • Kiosk-based check-in at every staffed lobby with QR pre-registration for scheduled visits.
  • Government ID scan with AI liveness detection (DDTC requires positive ID at ITAR sites).
  • Real-time screening against DDTC denied-party, BIS Entity List, OFAC SDN, and a contract-specific custom blocklist.
  • Foreign-national workflow: nationality captured at check-in, automatic ITAR-relevant hold-for-review if not pre-cleared.
  • Tamper-evident audit log streamed to the customer's central SIEM with 7-year retention.
  • Multi-site dashboard for the corporate security operations center to monitor flags in real time.
The corporate SOC monitors flagged visitors at all 14 sites from a single dashboard.
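To make the screening and logging steps in the architecture above concrete, here is an added illustration written for this page; it is not LogBook360's code and does not reflect its API. It assumes constructed sample denied-party entries, a hypothetical per-site/per-program blocklist structure, and a pre-cleared list of foreign nationals. A visitor is flagged on any list match (the positive-denial path that escalates to the SOC), held for review if they are a non-pre-cleared foreign national at an ITAR site, and otherwise cleared; every decision is appended to a hash-chained log so that editing or deleting an entry breaks verification, which is the property a tamper-evident audit stream has to provide before it is worth shipping to a SIEM.

```python
# Added illustration only: a hypothetical screening flow, not LogBook360's code.
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GENESIS = "0" * 64

# Constructed sample entries; a real deployment loads current DDTC/BIS/OFAC data.
DENIED_PARTY_LISTS: Dict[str, Set[str]] = {
    "DDTC": {"acme exports ltd", "j. doe"},
    "BIS_ENTITY": {"northstar components gmbh"},
    "OFAC_SDN": {"j. doe"},
}
# Contract-specific blocklists keyed by site, then program (constructed, hypothetical layout).
SITE_BLOCKLISTS: Dict[str, Dict[str, Set[str]]] = {
    "site-07": {"program-x": {"r. roe"}},
}
ITAR_SITES = {"site-07"}
# Foreign nationals pre-cleared for a given site (constructed).
PRE_CLEARED: Set[Tuple[str, str]] = {("site-07", "m. nguyen")}


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so list lookups are not defeated by spacing."""
    return " ".join(name.lower().split())


@dataclass
class Visitor:
    name: str
    nationality: str  # ISO 3166-1 alpha-2, as captured at the kiosk
    site: str
    program: Optional[str] = None


@dataclass
class Decision:
    status: str  # "cleared" | "hold_for_review" | "flagged"
    reasons: List[str] = field(default_factory=list)


def screen(v: Visitor) -> Decision:
    """Any denied-party match -> flagged for the SOC; non-pre-cleared foreign national
    at an ITAR site -> hold for review; otherwise cleared. Matches take precedence."""
    n = normalize(v.name)
    reasons = [f"match:{lst}" for lst, entries in DENIED_PARTY_LISTS.items() if n in entries]
    custom = SITE_BLOCKLISTS.get(v.site, {}).get(v.program or "", set())
    if n in custom:
        reasons.append(f"match:custom:{v.site}/{v.program}")
    if reasons:
        return Decision("flagged", reasons)
    if v.site in ITAR_SITES and v.nationality != "US" and (v.site, n) not in PRE_CLEARED:
        return Decision("hold_for_review", ["foreign_national_not_precleared"])
    return Decision("cleared")


class AuditLog:
    """Hash-chained, append-only log: each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, v: Visitor, d: Decision) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, "site": v.site, "name": v.name,
                "nationality": v.nationality, "status": d.status, "reasons": d.reasons}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check each link; any edit or deletion breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: val for k, val in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_sample() -> Tuple[List[str], bool]:
    """Screen a constructed batch of visitors; return their statuses and chain validity."""
    log = AuditLog()
    batch = [
        Visitor("A. Smith", "US", "site-01"),
        Visitor("J.  Doe", "US", "site-01"),                    # on DDTC and OFAC lists
        Visitor("M. Nguyen", "VN", "site-07"),                  # pre-cleared foreign national
        Visitor("P. Okafor", "NG", "site-07"),                  # not pre-cleared at an ITAR site
        Visitor("R. Roe", "US", "site-07", program="program-x"),  # contract-specific blocklist
    ]
    statuses = [log.append(v, screen(v))["status"] for v in batch]
    return statuses, log.verify()


if __name__ == "__main__":
    print(run_sample())
```

Two design points carry over to any real deployment: name normalization before lookup is what keeps a list match from being trivially dodged by spacing or case, and the chain must start from a fixed genesis value and be re-verified by the consumer (the SIEM side), not only by the producer, for the tamper evidence to mean anything.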

11-week multi-site rollout

The rollout sequence the customer's program manager ran:

  1. Week 1-2: Discovery and contract-specific blocklist intake. Mapped every applicable list per site (some sites had additional country-specific denied parties).
  2. Week 3-4: Pilot at the corporate HQ lobby. Tuned screening confidence thresholds, host notification preferences, and the foreign-national hold workflow.
  3. Week 5-6: Parallel deployment at two ITAR-controlled production sites. Surfaced edge cases around foreign-national escort tracking that were rolled into the standard runbook.
  4. Week 7-10: Wave rollout across the remaining 11 sites in groups of 3, with a 1-week stabilization window per wave.
  5. Week 11: SOC integration. Multi-site dashboard live, SIEM stream tested, runbook signed off by the CISO and chief compliance officer.

Outcomes and audit results

After 90 days of live operation:

  • 100% screening coverage at every staffed lobby. Zero missed screenings across roughly 4,200 visits in the first quarter.
  • Average kiosk check-in time of 8 seconds for pre-registered visitors, 38 seconds for walk-ins (down from 4 to 6 minutes on paper).
  • 12 confirmed flags in the first 90 days: 10 false positives resolved at the kiosk in under 60 seconds, 2 confirmed denied-party matches escalated to SOC.
  • CMMC 2.0 Level 2 assessment cleared on the first pass. The auditor cited the visitor management platform's evidence export as 'best in class' for the PE control family.
  • ITAR audit evidence for the most recent shipment review was produced in 8 minutes from the visitor management platform alone, down from a 6-hour cross-team scramble.
"We went from a binder of sign-in sheets to audit-ready in under three months. The auditor's only comment on physical access was 'this is exactly what we want to see.'"
Chief Compliance Officer, defense prime contractor

Lessons learned

Three patterns from this engagement that other defense and aerospace customers should plan for:

  1. Contract-specific blocklists are non-negotiable. Off-the-shelf OFAC + DDTC screening is necessary but not sufficient. Make sure your platform supports per-site, per-program custom lists.
  2. Pilot one ITAR site, not just a corporate HQ. The HQ lobby is the easiest deployment; the ITAR-controlled site is where the edge cases live.
  3. SIEM integration on day one. The audit value of the platform multiplies when its logs land in the same security data lake as everything else.