Consulting Agreement for Manufacturing
Last updated: May 2026
Quick Answer
A manufacturing consultant who walks a shop floor or touches a CAD file pulls in OSHA 29 CFR Part 1910 (with the multi-employer worksite doctrine under CPL 02-00-124 making "controlling" employers citable for subcontractor violations), ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) for any "deemed export" of technical data to a non-US person, customer-specific quality flow-downs (IATF 16949 for auto, AS9100 for aerospace, NADCAP for special processes), Defend Trade Secrets Act (18 USC 1836) economic-espionage exposure on bid data and process parameters, and where applicable FDA cGMP (21 CFR 210/211 drugs, 117 food, 820/QMSR devices). EU/UK overlay: CE/UKCA marking; REACH and RoHS for substances; CSDDD and CBAM for supply chain due diligence; CSRD ESG reporting in scope through 2028. Typical 2025–2026 fees: lean / operational consultant $200–$450/hour or 5–15% of validated cost savings (gainsharing); quality / ISO consultant $150–$350/hour, full ISO 9001/IATF 16949 readiness $40k–$200k; industrial engineering / process design $200–$400/hour; supply chain / S&OP consultant $250–$500/hour; OT/ICS cybersecurity consultant $250–$500/hour. Every clause below should be in the engagement letter before the consultant gets a badge or a CAD file.
The unique risks of manufacturing consulting
Four things define manufacturing consulting risk. First, technical data and export control. If the consultant is a non-US person (any non-US-citizen, non-LPR, non-protected-individual under EAR 734.13) and views ITAR-controlled technical data (defense articles or services on the USML) or EAR-controlled technology (CCL items requiring a license to certain destinations), that view is a "deemed export" requiring a license. Even US-person consultants face EAR/ITAR record-keeping and recipient-tracking obligations. The 2018 China-related EAR rule additions, the 2022 advanced computing controls, and the 2023-2024 expansions of FDPR (foreign direct product rule) on semiconductor and AI tooling have all sharpened this exposure.
Second, trade secret protection. Manufacturing IP (process parameters, tooling drawings, BOMs, supplier costs, test methods, recipes) is the company's most valuable asset and is protected as a trade secret only if reasonable measures protect its secrecy (DTSA 18 USC 1839(3); state UTSA). A consultant who later emails an unprotected drawing to a competitor can be sued under DTSA, with attorneys' fees, exemplary damages, and ex parte civil seizure remedies available. Economic espionage under 18 USC 1831 adds criminal exposure when foreign-government benefit is involved.
Third, customer flow-downs. Auto OEMs require IATF 16949 (the auto-industry-specific overlay on ISO 9001, updated 2016 with 2025 amendment). Aerospace primes require AS9100D and often NADCAP for special processes (heat treating, NDT, chemical processing, etc.). Medical device customers require ISO 13485 and FDA 21 CFR Part 820 / 2024 QMSR final rule (effective February 2, 2026) which aligned QSR to ISO 13485:2016. A consultant who advises on a process change that breaks the prime's PPAP, APQP, or DHF documentation puts the supplier in default of the customer contract.
Fourth, OT/ICS cybersecurity. The 2021 Colonial Pipeline ransomware attack and the 2024 critical infrastructure ransomware wave changed how manufacturing companies (especially in defense, energy, water, food) view OT security. CISA Cross-Sector Cybersecurity Performance Goals (CPGs, updated 2024), TSA Security Directives for pipelines, and CMMC 2.0 (for defense suppliers) all require vendor flow-downs.
Industry-specific clauses to include
- Export Control Compliance (ITAR / EAR / OFAC): Consultant warrants all personnel are US persons (or properly licensed for the technology in scope under ITAR 22 CFR 120-130 or EAR 15 CFR 730-774); maintains a list of authorized recipients; pre-clears any non-US person before access to controlled technical data; complies with deemed-export rules and the foreign direct product rule (FDPR) as expanded in 2022-2024 for advanced computing and semiconductor tooling.
- Trade Secret Protection (DTSA 18 USC 1836 / State UTSA): Definition of confidential information expressly includes process parameters, tooling drawings, BOMs, recipes, test methods, supplier costs, customer-specific manufacturing requirements; consultant takes reasonable measures to protect secrecy (no personal email, no consumer cloud, no unattended printouts); immediate DTSA-style notice obligation on suspected misappropriation.
- OSHA Multi-Employer Disclaimer (CPL 02-00-124): Consultant has no "controlling employer" authority over plant safety, will not direct workers on safety matters, and will report observed hazards in writing to the plant safety officer rather than directly to workers.
- Customer Flow-Down Compliance: Consultant complies with applicable customer-imposed quality standards: ISO 9001:2015, IATF 16949:2016 (with 2025 amendment) for automotive, AS9100D for aerospace, ISO 13485:2016 / 21 CFR Part 820 / QMSR 2024 final rule (effective February 2, 2026) for medical devices, NADCAP for special processes; supports the company's PPAP, APQP, FAI, and DHF/DMR documentation obligations.
- Process Change Control: No process change implemented without written change-management approval following customer's PPAP/APQP/CN approval process (auto), FAI (aerospace), or design control change procedure (medical devices); consultant supports change documentation but does not unilaterally implement changes.
- Validation / Requalification: Where consultant recommendations affect validated processes (FDA cGMP, ISO 13485, aerospace), the contract requires revalidation per the company's IQ/OQ/PQ protocol and customer approval before deployment.
- OT/ICS Cybersecurity: Where consultant accesses OT/ICS systems (PLCs, SCADA, MES, HMI), access is aligned to CISA Cross-Sector CPGs (2024): no production network connections from consultant-owned devices; air-gapped or controlled-DMZ access only; no remote access via personal VPN; immediate incident notification within 24 hours.
- CMMC 2.0 Compliance (defense suppliers): Where the consultant handles CUI for defense manufacturing, consultant maintains the required CMMC level (Level 1 self-attest or Level 2 C3PAO assessment) per DFARS 252.204-7012/7019/7020/7021, effective in phases through 2028.
- Environmental Compliance (REACH / RoHS / TSCA / CSDDD): If consultant supports material selection or supply chain, consultant complies with EU REACH (1907/2006), RoHS (2011/65/EU), TSCA (15 USC 2601 et seq., with 2023 TSCA section 6 risk evaluations on chrysotile asbestos, methylene chloride, TCE), the EU Corporate Sustainability Due Diligence Directive (CSDDD, 2024/1760, phased compliance 2027-2029), Carbon Border Adjustment Mechanism (CBAM, EU 2023/956, transitional through 2025, definitive from 2026), and Conflict Minerals Rule (Dodd-Frank Section 1502 / SEC Rule 13p-1).
- IP Assignment + Background IP License: Manufacturer gets ownership (work-for-hire under 17 USC 201(b) + present assignment) of process improvements, fixture designs, custom software, SOPs, and validation protocols; consultant retains pre-existing methodology and templates with license-back for incorporated background IP.
- Insurance Schedule: Professional Liability / E&O $2M/$5M; General Liability $1M/$2M with completed-operations coverage; Workers' Comp per state; Cyber Liability $5M+ if OT/ICS access; if working with high-risk equipment, Environmental Impairment Liability rider.
Common mistakes in manufacturing consulting agreements
- Letting a non-US person consultant see ITAR/EAR-controlled technical data. Even one CAD file or process parameter shared with a non-US person is a deemed export. The contract should screen personnel before access, document US-person status, and maintain a record.
- Generic NDA instead of trade-secret-protective measures. A trade secret is only protected if reasonable measures protect it. A boilerplate NDA without controlled-access, no-personal-device, and DTSA notice language may not meet the "reasonable measures" element under DTSA 18 USC 1839(3).
- Process change without customer-flow-down review. Implementing a lean improvement on Line 3 without notifying the auto OEM customer breaks IATF 16949 process change requirements and PPAP. The contract should require change-management approval matching the customer's flow-downs.
- No CMMC flow-down for defense suppliers. Defense manufacturers (Tier 1, 2, 3) face the DFARS 252.204-7012 cyber clause and the rolling CMMC implementation. A consultant who handles CUI without the required CMMC level puts the prime in default.
- Allowing OT/ICS access from consultant laptops. Connecting a consultant laptop to a production network risks lateral movement to PLCs and historian systems. The contract should require air-gapped or DMZ-only access and prohibit consultant-owned devices on the OT network.
- Forgetting REACH/RoHS/TSCA when advising on material substitution. A consultant who recommends substituting a phthalate or a chrysotile-containing brake compound may push the manufacturer into REACH SVHC restriction or TSCA Section 6 noncompliance. The contract should require material substitutions to pass regulatory screening.
- Gainsharing structures that turn the consultant into a partner. A consultant paid 30% of validated cost savings has aligned incentives, but may also become a de facto joint employer or partner; the contract should disclaim partnership and joint employer status and limit the gainsharing measurement period.
Regulatory landscape
Workplace safety: OSHA 29 CFR Part 1910 (general industry) including Subpart D walking-working surfaces, Subpart I PPE, Subpart J general environmental controls (LOTO 1910.147, confined spaces 1910.146), Subpart O machinery and machine guarding, Subpart Q welding cutting and brazing, Subpart S electrical, Subpart Z toxic and hazardous substances (hazard communication 1910.1200, lead 1910.1025, silica 1910.1053); OSHA Process Safety Management (1910.119) for HHC processes; OSHA's multi-employer worksite policy (CPL 02-00-124).
Export controls: ITAR (22 CFR 120-130) administered by State Department DDTC for defense articles on the USML; EAR (15 CFR 730-774) administered by Commerce BIS for dual-use items on the CCL with destination, end-user, and end-use controls; the foreign direct product rule (FDPR) expansions in 2022 (semiconductor) and 2023-2024 (advanced computing, AI training compute); OFAC sanctions at 31 CFR Chapter V. Anti-boycott rules under EAR Part 760. AECA / IEEPA underlying authority.
Quality standards: ISO 9001:2015 (general); IATF 16949:2016 (automotive, with 2025 amendment); AS9100D (aerospace), AS9110 (MRO), AS9120 (distributors); NADCAP for aerospace special processes (heat treating, NDT, chemical processing, welding, conventional machining); ISO 13485:2016 (medical device QMS); FDA 21 CFR Part 820 Quality System Regulation through January 31, 2026, then 21 CFR Part 4 / 820 Quality Management System Regulation (QMSR, FDA final rule effective February 2, 2026) aligning to ISO 13485:2016; ISO 14001 environmental management; ISO 45001 occupational health and safety.
Cybersecurity: NIST CSF 2.0 (Feb 2024); NIST SP 800-171 Rev. 2 for CUI (Rev. 3 finalized May 2024, DFARS clauses still keyed to Rev. 2 as of mid-2026); CMMC 2.0 final rule at 32 CFR Part 170 effective December 16, 2024 with phased contract requirements through 2028; CISA Cross-Sector Cybersecurity Performance Goals (CPGs, updated 2024); ISA/IEC 62443 for industrial automation and control systems; TSA Security Directives for pipelines (continuing through 2026).
Environmental and product compliance: Clean Air Act (42 USC 7401 et seq., including NESHAP for HAPs and NSPS for new sources); Clean Water Act (33 USC 1251 et seq.) including NPDES industrial stormwater (40 CFR Part 122); RCRA (42 USC 6901 et seq.) hazardous waste with the 2024 final hazardous waste pharmaceuticals rule expansion; CERCLA (42 USC 9601 et seq.); EPCRA Tier II / Form R reporting; TSCA (15 USC 2601 et seq.) with EPA's 2023-2025 risk evaluation actions on chrysotile asbestos (banned 2024), methylene chloride, TCE, perchloroethylene, and asbestos. EU: REACH (1907/2006) with SVHC candidate list updated semi-annually; RoHS (2011/65/EU); CSRD (Directive 2022/2464) ESG reporting; CSDDD (Directive 2024/1760) supply chain due diligence phased compliance 2027-2029; CBAM (Regulation 2023/956) carbon border adjustment definitive phase from January 1, 2026.
Sample fee structure
US manufacturing consulting fee benchmarks for 2025–2026:
- Lean / operational excellence consultant: $200–$450/hour; or 5–15% of validated annualized cost savings (gainsharing, with documented measurement protocol).
- Industrial engineer / process design: $200–$400/hour; or $50,000–$300,000 fixed-fee per cell/line redesign.
- Quality / ISO consultant: $150–$350/hour; full ISO 9001:2015 readiness $25,000–$80,000; IATF 16949:2016 readiness $40,000–$200,000; AS9100D readiness $40,000–$150,000.
- FDA QSR / QMSR (21 CFR Part 820) readiness consultant: $250–$500/hour; full QMS build $200,000–$1.5M for medical device manufacturer.
- Validation / IQ/OQ/PQ consultant: $200–$400/hour; full validation package per piece of equipment $30,000–$120,000.
- Supply chain / S&OP consultant: $250–$500/hour; full S&OP implementation $200,000–$1.5M over 6–12 months.
- Big Four / strategy consultancy: day rates $3,500–$8,000 for senior managers; transformation programs $500,000–$10M+.
- OT/ICS cybersecurity consultant: $250–$500/hour; full OT security assessment $80,000–$400,000.
- CMMC Level 2 readiness (defense suppliers): $25,000–$75,000 gap assessment; full prep $80,000–$400,000 over 6–12 months including C3PAO assessment fees.
- Industrial automation / robotics integration consultant: $200–$500/hour; or 10–20% of system cost as integration fee.
- Environmental health & safety consultant: $150–$350/hour; full EHS program build $80,000–$300,000.
Gainsharing structures (% of cost savings) require careful drafting: define the baseline, the measurement protocol, the verification process, the carve-outs (raw material price changes, demand variability, FX), the duration of the savings measurement, and the cap. Otherwise the gainsharing dispute can dwarf the consulting fee.
How to draft this in Word with LexDraft
Open the LexDraft add-in inside Word and start from the consulting agreement template, then insert the ITAR/EAR export control screening, DTSA trade-secret protection, customer flow-down compliance, process change control, OT/ICS cybersecurity, and OSHA multi-employer disclaimer clauses from the clause library. For pre-engagement teaming with a tier-1 supplier or technology partner, the NDA template covers process-confidential information with DTSA-aligned language. The broader templates library covers structuring across lean, quality, and supply-chain workstreams.
Frequently asked questions
Under EAR 15 CFR 734.13 and ITAR 22 CFR 120.50, a "deemed export" occurs when controlled technology or technical data is released to a foreign person inside the United States. A non-US-person consultant who views ITAR-controlled technical data, or EAR-controlled technology that is license-required for the destination in question, triggers export-license analysis. The consulting agreement should require US-person personnel for in-scope projects, pre-screening for any non-US person, and recipient tracking.
DTSA 18 USC 1839(3) defines a trade secret as information that derives independent economic value from not being generally known, and is the subject of reasonable measures to keep it secret. "Reasonable measures" includes physical access controls, NDAs with specific confidentiality language, no-personal-email and no-personal-device rules, marking of confidential documents, and DTSA-compliant immunity notice under 18 USC 1833(b). A boilerplate NDA without operational controls may not satisfy the reasonable-measures element.
If the consultant's work affects deliverables that are subject to customer-imposed standards (automotive IATF 16949, aerospace AS9100D, medical device ISO 13485 / FDA QMSR, NADCAP for special processes), the customer typically requires flow-down of the relevant standard to suppliers and their consultants. The consulting agreement should require compliance with the named standard, support of PPAP/APQP/FAI/DHF documentation, and the customer-required change control process. Failure to flow down can put the supplier in default of the customer contract.
Potentially. OSHA's multi-employer worksite policy (CPL 02-00-124) makes any "controlling," "creating," "exposing," or "correcting" employer citable. A consultant who directs operators on safety matters or tells the foreman "fix that guard" may become a controlling employer. The contract should make clear the consultant has no safety direction authority, observed hazards are reported through the plant safety officer, and the consultant complies with PPE and site rules but does not exercise safety supervision over workers.
Yes, but it requires careful drafting. Define the baseline measurement period, the validated savings calculation methodology, the exclusions (raw material price changes, demand variability, FX, customer-driven design changes), the duration of the savings measurement (typically 6–24 months), and the cap on consultant compensation. Otherwise the gainsharing dispute can become larger than the original engagement. Gainsharing also raises classification questions (joint employer, partner) that should be expressly disclaimed.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Laws change frequently and may vary by jurisdiction. Consult a licensed attorney for advice specific to your situation.