bmad-plus 0.7.4 → 0.8.0
- package/CHANGELOG.md +450 -407
- package/LICENSE +21 -0
- package/README.md +555 -446
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -175
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,174 +1,174 @@
|
|
|
1
|
-
# ITAR Compliance Programme — Penalties, VSD, and TCP
|
|
2
|
-
|
|
3
|
-
## ITAR Compliance Programme Elements
|
|
4
|
-
|
|
5
|
-
An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
|
|
6
|
-
|
|
7
|
-
### 1. Governance and Leadership
|
|
8
|
-
- Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
|
|
9
|
-
- Written **ITAR Compliance Policy** signed by senior management
|
|
10
|
-
- Clear escalation path for export control questions
|
|
11
|
-
- Annual management review of compliance programme effectiveness
|
|
12
|
-
|
|
13
|
-
### 2. Training
|
|
14
|
-
- **Initial training** for all employees with ITAR access within 30 days of hire
|
|
15
|
-
- **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
|
|
16
|
-
- **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
|
|
17
|
-
- Training records retained 5 years
|
|
18
|
-
|
|
19
|
-
### 3. Technology Control Plan (TCP)
|
|
20
|
-
|
|
21
|
-
A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
|
|
22
|
-
|
|
23
|
-
**TCP Sections:**
|
|
24
|
-
```
|
|
25
|
-
1. Purpose and Scope
|
|
26
|
-
2. ITAR-controlled items and data inventory
|
|
27
|
-
3. Physical access controls (secure areas, visitor escorts, badging)
|
|
28
|
-
4. IT access controls (network segregation, access lists, encryption)
|
|
29
|
-
5. Foreign national screening procedure
|
|
30
|
-
- Collect citizenship information at hire/engagement
|
|
31
|
-
- Screen against denied parties lists
|
|
32
|
-
- Determine if TAA/licence required before granting access
|
|
33
|
-
6. Visitor and contractor procedures
|
|
34
|
-
7. Annual ITAR training programme
|
|
35
|
-
8. Incident identification, reporting, and response
|
|
36
|
-
9. Records management (5-year retention)
|
|
37
|
-
10. TCP review and update cycle (annual minimum)
|
|
38
|
-
```
|
|
39
|
-
|
|
40
|
-
### 4. Screening and Due Diligence
|
|
41
|
-
Screen all parties (customers, suppliers, employees, visitors) against:
|
|
42
|
-
- **DDTC Debarred Parties List** (22 CFR § 127.7)
|
|
43
|
-
- **OFAC Specially Designated Nationals (SDN) List**
|
|
44
|
-
- **BIS Denied Persons List, Entity List, Unverified List**
|
|
45
|
-
- **US State Department Watch Lists**
|
|
46
|
-
|
|
47
|
-
Screening must be documented and re-run at each transaction.
|
|
48
|
-
|
|
49
|
-
### 5. Jurisdiction and Classification Review
|
|
50
|
-
- Formal **product classification process** for every new item, component, and software
|
|
51
|
-
- Document classification decisions (USML citation or EAR ECCN) with rationale
|
|
52
|
-
- Review classifications when product is modified, use-case changes, or regulations change
|
|
53
|
-
- Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
|
|
54
|
-
|
|
55
|
-
### 6. Licence Management
|
|
56
|
-
- Centralised tracking of all active licences, TAAs, MLAs
|
|
57
|
-
- Pre-shipment licence review checklist
|
|
58
|
-
- Licence condition compliance (quantities, end-users, re-export restrictions)
|
|
59
|
-
- Timely licence renewals (track expiry dates with 90-day advance reminders)
|
|
60
|
-
- Post-shipment filing (Automated Export System / Electronic Export Information)
|
|
61
|
-
|
|
62
|
-
### 7. Audits
|
|
63
|
-
- Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
|
|
64
|
-
- Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
|
|
65
|
-
- Findings documented with corrective action plans and owners
|
|
66
|
-
|
|
67
|
-
---
|
|
68
|
-
|
|
69
|
-
## Penalties — 22 CFR Part 127 and 22 USC § 2778
|
|
70
|
-
|
|
71
|
-
### Civil Penalties
|
|
72
|
-
- Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
|
|
73
|
-
- Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
|
|
74
|
-
- DDTC may impose civil penalties via Consent Agreement without criminal referral
|
|
75
|
-
|
|
76
|
-
### Criminal Penalties
|
|
77
|
-
- Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
|
|
78
|
-
- Up to **20 years imprisonment** per violation
|
|
79
|
-
- Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
|
|
80
|
-
|
|
81
|
-
### Debarment
|
|
82
|
-
- DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
|
|
83
|
-
- Duration: typically 3 years; can be permanent for egregious violations
|
|
84
|
-
- Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
|
|
85
|
-
- Published on the DDTC Debarred Parties List
|
|
86
|
-
|
|
87
|
-
### Other Consequences
|
|
88
|
-
- **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
|
|
89
|
-
- **Suspension of export privileges** pending investigation
|
|
90
|
-
- **Congressional notification** requirements for significant violations involving foreign governments
|
|
91
|
-
- **Reputational harm** — consent agreements are publicly disclosed
|
|
92
|
-
|
|
93
|
-
---
|
|
94
|
-
|
|
95
|
-
## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
|
|
96
|
-
|
|
97
|
-
### Why Disclose
|
|
98
|
-
VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
|
|
99
|
-
|
|
100
|
-
### VSD Process
|
|
101
|
-
|
|
102
|
-
**Step 1 — Initial Notification** (~30 days from discovery)
|
|
103
|
-
- Submit brief written notification to DDTC Director of Compliance
|
|
104
|
-
- Include: company name, registration number, general description of the potential violation, estimated number of occurrences
|
|
105
|
-
- Request a tolling agreement to preserve statute of limitations while investigation proceeds
|
|
106
|
-
|
|
107
|
-
**Step 2 — Internal Investigation** (30–90 days)
|
|
108
|
-
- Investigate all facts: who knew what, when, what was exported/disclosed, to whom
|
|
109
|
-
- Pull all records (licences, shipping docs, emails, TAA files)
|
|
110
|
-
- Identify root cause (process failure, training gap, deliberate act)
|
|
111
|
-
- Preserve all evidence; place litigation hold if appropriate
|
|
112
|
-
|
|
113
|
-
**Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
|
|
114
|
-
Submit comprehensive written report including:
|
|
115
|
-
- Detailed factual narrative of all violations
|
|
116
|
-
- CFR sections violated for each occurrence
|
|
117
|
-
- Identification of all parties involved
|
|
118
|
-
- Timeline of events
|
|
119
|
-
- Root cause analysis
|
|
120
|
-
- Corrective actions already implemented
|
|
121
|
-
- Proposed additional remediation
|
|
122
|
-
|
|
123
|
-
**Step 4 — DDTC Review and Resolution**
|
|
124
|
-
- DDTC reviews report; may request additional information
|
|
125
|
-
- Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
|
|
126
|
-
- Most cooperative VSDs resolved within 6–18 months
|
|
127
|
-
|
|
128
|
-
### Mitigating Factors
|
|
129
|
-
- Voluntary self-disclosure
|
|
130
|
-
- Cooperation with DDTC investigation
|
|
131
|
-
- Effective pre-existing compliance programme
|
|
132
|
-
- Prompt remediation
|
|
133
|
-
- No prior ITAR violations
|
|
134
|
-
- Low national security harm
|
|
135
|
-
- Relatively low transaction value
|
|
136
|
-
|
|
137
|
-
### Aggravating Factors
|
|
138
|
-
- Wilful/deliberate violation
|
|
139
|
-
- Senior management involvement or awareness
|
|
140
|
-
- Harm to national security
|
|
141
|
-
- Pattern of violations
|
|
142
|
-
- Obstruction or lack of cooperation
|
|
143
|
-
- High-risk end-users (state sponsors of terrorism, arms embargoes)
|
|
144
|
-
- Prior violations
|
|
145
|
-
|
|
146
|
-
---
|
|
147
|
-
|
|
148
|
-
## DDTC Blue Lantern End-Use Monitoring
|
|
149
|
-
|
|
150
|
-
The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
|
|
151
|
-
|
|
152
|
-
**Implications for exporters:**
|
|
153
|
-
- Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
|
|
154
|
-
- Maintain accurate shipping records to facilitate verification
|
|
155
|
-
- Include cooperation obligations in contracts with foreign distributors
|
|
156
|
-
- Report if you discover items have been diverted or misused
|
|
157
|
-
|
|
158
|
-
---
|
|
159
|
-
|
|
160
|
-
## Checklist — ITAR Compliance Programme Readiness
|
|
161
|
-
|
|
162
|
-
| Area | ✅ | Key Questions |
|
|
163
|
-
|------|----|--------------|
|
|
164
|
-
| Registration | | Is registration current? Renewal filed on time? |
|
|
165
|
-
| Empowered Official | | Named EO with written authority? |
|
|
166
|
-
| Policy | | IS Policy signed by senior management? |
|
|
167
|
-
| TCP | | Written TCP? Reviewed in last 12 months? |
|
|
168
|
-
| Training | | All ITAR-access employees trained in last 12 months? Records retained? |
|
|
169
|
-
| Classification | | All products/components formally classified? CJ obtained where needed? |
|
|
170
|
-
| Screening | | SDN/debarment screening at every transaction? Documented? |
|
|
171
|
-
| Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
|
|
172
|
-
| Record retention | | 5-year retention in place? Accessible for audit? |
|
|
173
|
-
| Internal audit | | Annual ITAR audit completed? Findings tracked? |
|
|
174
|
-
| Incident response | | VSD procedure documented and communicated? |
|
|
1
|
+
# ITAR Compliance Programme — Penalties, VSD, and TCP
|
|
2
|
+
|
|
3
|
+
## ITAR Compliance Programme Elements
|
|
4
|
+
|
|
5
|
+
An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
|
|
6
|
+
|
|
7
|
+
### 1. Governance and Leadership
|
|
8
|
+
- Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
|
|
9
|
+
- Written **ITAR Compliance Policy** signed by senior management
|
|
10
|
+
- Clear escalation path for export control questions
|
|
11
|
+
- Annual management review of compliance programme effectiveness
|
|
12
|
+
|
|
13
|
+
### 2. Training
|
|
14
|
+
- **Initial training** for all employees with ITAR access within 30 days of hire
|
|
15
|
+
- **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
|
|
16
|
+
- **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
|
|
17
|
+
- Training records retained 5 years
|
|
18
|
+
|
|
19
|
+
### 3. Technology Control Plan (TCP)
|
|
20
|
+
|
|
21
|
+
A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
|
|
22
|
+
|
|
23
|
+
**TCP Sections:**
|
|
24
|
+
```
|
|
25
|
+
1. Purpose and Scope
|
|
26
|
+
2. ITAR-controlled items and data inventory
|
|
27
|
+
3. Physical access controls (secure areas, visitor escorts, badging)
|
|
28
|
+
4. IT access controls (network segregation, access lists, encryption)
|
|
29
|
+
5. Foreign national screening procedure
|
|
30
|
+
- Collect citizenship information at hire/engagement
|
|
31
|
+
- Screen against denied parties lists
|
|
32
|
+
- Determine if TAA/licence required before granting access
|
|
33
|
+
6. Visitor and contractor procedures
|
|
34
|
+
7. Annual ITAR training programme
|
|
35
|
+
8. Incident identification, reporting, and response
|
|
36
|
+
9. Records management (5-year retention)
|
|
37
|
+
10. TCP review and update cycle (annual minimum)
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
### 4. Screening and Due Diligence
|
|
41
|
+
Screen all parties (customers, suppliers, employees, visitors) against:
|
|
42
|
+
- **DDTC Debarred Parties List** (22 CFR § 127.7)
|
|
43
|
+
- **OFAC Specially Designated Nationals (SDN) List**
|
|
44
|
+
- **BIS Denied Persons List, Entity List, Unverified List**
|
|
45
|
+
- **US State Department Watch Lists**
|
|
46
|
+
|
|
47
|
+
Screening must be documented and re-run at each transaction.
|
|
48
|
+
|
|
49
|
+
### 5. Jurisdiction and Classification Review
|
|
50
|
+
- Formal **product classification process** for every new item, component, and software
|
|
51
|
+
- Document classification decisions (USML citation or EAR ECCN) with rationale
|
|
52
|
+
- Review classifications when product is modified, use-case changes, or regulations change
|
|
53
|
+
- Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
|
|
54
|
+
|
|
55
|
+
### 6. Licence Management
|
|
56
|
+
- Centralised tracking of all active licences, TAAs, MLAs
|
|
57
|
+
- Pre-shipment licence review checklist
|
|
58
|
+
- Licence condition compliance (quantities, end-users, re-export restrictions)
|
|
59
|
+
- Timely licence renewals (track expiry dates with 90-day advance reminders)
|
|
60
|
+
- Post-shipment filing (Automated Export System / Electronic Export Information)
|
|
61
|
+
|
|
62
|
+
### 7. Audits
|
|
63
|
+
- Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
|
|
64
|
+
- Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
|
|
65
|
+
- Findings documented with corrective action plans and owners
|
|
66
|
+
|
|
67
|
+
---
|
|
68
|
+
|
|
69
|
+
## Penalties — 22 CFR Part 127 and 22 USC § 2778
|
|
70
|
+
|
|
71
|
+
### Civil Penalties
|
|
72
|
+
- Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
|
|
73
|
+
- Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
|
|
74
|
+
- DDTC may impose civil penalties via Consent Agreement without criminal referral
|
|
75
|
+
|
|
76
|
+
### Criminal Penalties
|
|
77
|
+
- Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
|
|
78
|
+
- Up to **20 years imprisonment** per violation
|
|
79
|
+
- Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
|
|
80
|
+
|
|
81
|
+
### Debarment
|
|
82
|
+
- DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
|
|
83
|
+
- Duration: typically 3 years; can be permanent for egregious violations
|
|
84
|
+
- Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
|
|
85
|
+
- Published on the DDTC Debarred Parties List
|
|
86
|
+
|
|
87
|
+
### Other Consequences
|
|
88
|
+
- **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
|
|
89
|
+
- **Suspension of export privileges** pending investigation
|
|
90
|
+
- **Congressional notification** requirements for significant violations involving foreign governments
|
|
91
|
+
- **Reputational harm** — consent agreements are publicly disclosed
|
|
92
|
+
|
|
93
|
+
---
|
|
94
|
+
|
|
95
|
+
## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
|
|
96
|
+
|
|
97
|
+
### Why Disclose
|
|
98
|
+
VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
|
|
99
|
+
|
|
100
|
+
### VSD Process
|
|
101
|
+
|
|
102
|
+
**Step 1 — Initial Notification** (~30 days from discovery)
|
|
103
|
+
- Submit brief written notification to DDTC Director of Compliance
|
|
104
|
+
- Include: company name, registration number, general description of the potential violation, estimated number of occurrences
|
|
105
|
+
- Request a tolling agreement to preserve statute of limitations while investigation proceeds
|
|
106
|
+
|
|
107
|
+
**Step 2 — Internal Investigation** (30–90 days)
|
|
108
|
+
- Investigate all facts: who knew what, when, what was exported/disclosed, to whom
|
|
109
|
+
- Pull all records (licences, shipping docs, emails, TAA files)
|
|
110
|
+
- Identify root cause (process failure, training gap, deliberate act)
|
|
111
|
+
- Preserve all evidence; place litigation hold if appropriate
|
|
112
|
+
|
|
113
|
+
**Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
|
|
114
|
+
Submit comprehensive written report including:
|
|
115
|
+
- Detailed factual narrative of all violations
|
|
116
|
+
- CFR sections violated for each occurrence
|
|
117
|
+
- Identification of all parties involved
|
|
118
|
+
- Timeline of events
|
|
119
|
+
- Root cause analysis
|
|
120
|
+
- Corrective actions already implemented
|
|
121
|
+
- Proposed additional remediation
|
|
122
|
+
|
|
123
|
+
**Step 4 — DDTC Review and Resolution**
|
|
124
|
+
- DDTC reviews report; may request additional information
|
|
125
|
+
- Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
|
|
126
|
+
- Most cooperative VSDs resolved within 6–18 months
|
|
127
|
+
|
|
128
|
+
### Mitigating Factors
|
|
129
|
+
- Voluntary self-disclosure
|
|
130
|
+
- Cooperation with DDTC investigation
|
|
131
|
+
- Effective pre-existing compliance programme
|
|
132
|
+
- Prompt remediation
|
|
133
|
+
- No prior ITAR violations
|
|
134
|
+
- Low national security harm
|
|
135
|
+
- Relatively low transaction value
|
|
136
|
+
|
|
137
|
+
### Aggravating Factors
|
|
138
|
+
- Wilful/deliberate violation
|
|
139
|
+
- Senior management involvement or awareness
|
|
140
|
+
- Harm to national security
|
|
141
|
+
- Pattern of violations
|
|
142
|
+
- Obstruction or lack of cooperation
|
|
143
|
+
- High-risk end-users (state sponsors of terrorism, arms embargoes)
|
|
144
|
+
- Prior violations
|
|
145
|
+
|
|
146
|
+
---
|
|
147
|
+
|
|
148
|
+
## DDTC Blue Lantern End-Use Monitoring
|
|
149
|
+
|
|
150
|
+
The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
|
|
151
|
+
|
|
152
|
+
**Implications for exporters:**
|
|
153
|
+
- Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
|
|
154
|
+
- Maintain accurate shipping records to facilitate verification
|
|
155
|
+
- Include cooperation obligations in contracts with foreign distributors
|
|
156
|
+
- Report if you discover items have been diverted or misused
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## Checklist — ITAR Compliance Programme Readiness
|
|
161
|
+
|
|
162
|
+
| Area | ✅ | Key Questions |
|
|
163
|
+
|------|----|--------------|
|
|
164
|
+
| Registration | | Is registration current? Renewal filed on time? |
|
|
165
|
+
| Empowered Official | | Named EO with written authority? |
|
|
166
|
+
| Policy | | IS Policy signed by senior management? |
|
|
167
|
+
| TCP | | Written TCP? Reviewed in last 12 months? |
|
|
168
|
+
| Training | | All ITAR-access employees trained in last 12 months? Records retained? |
|
|
169
|
+
| Classification | | All products/components formally classified? CJ obtained where needed? |
|
|
170
|
+
| Screening | | SDN/debarment screening at every transaction? Documented? |
|
|
171
|
+
| Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
|
|
172
|
+
| Record retention | | 5-year retention in place? Accessible for audit? |
|
|
173
|
+
| Internal audit | | Annual ITAR audit completed? Findings tracked? |
|
|
174
|
+
| Incident response | | VSD procedure documented and communicated? |
|
|
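Review bot: the civil penalty bullet at added line 72 hard-codes "$1,369,000 per violation" and says the amount is adjusted annually, but gives no as-of date, so the figure will go stale without anyone noticing. State the year or effective date it applies to, or tell the reader to confirm the current amount. In the checklist at added line 166, "IS Policy signed by senior management?" does not match the "ITAR Compliance Policy" named in section 1 (added line 9); use the same name in both places. Separately, removed lines 82 to 174 read identically to added lines 82 to 174 as rendered here, so if this rewrite is only whitespace or line-ending normalisation, the changelog should say so.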
@@ -1,146 +1,146 @@
|
|
|
1
|
-
# ITAR Licensing Guide — 22 CFR Parts 123–125
|
|
2
|
-
|
|
3
|
-
## License Types at a Glance
|
|
4
|
-
|
|
5
|
-
| License / Agreement | CFR Reference | Purpose | Typical Use |
|
|
6
|
-
|--------------------|---------------|---------|-------------|
|
|
7
|
-
| DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
|
|
8
|
-
| DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
|
|
9
|
-
| DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
|
|
10
|
-
| DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
|
|
11
|
-
| Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
|
|
12
|
-
| Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
|
|
13
|
-
| Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
|
|
14
|
-
|
|
15
|
-
---
|
|
16
|
-
|
|
17
|
-
## DSP-5 (Permanent Export License)
|
|
18
|
-
|
|
19
|
-
### When Required
|
|
20
|
-
Any export of USML hardware not covered by an exemption.
|
|
21
|
-
|
|
22
|
-
### Application Requirements
|
|
23
|
-
Submit via DDTC's D-Trade portal:
|
|
24
|
-
- **Block 1**: Applicant (DDTC registration number)
|
|
25
|
-
- **Block 2**: Country of ultimate destination
|
|
26
|
-
- **Block 3**: Foreign end-user name and address
|
|
27
|
-
- **Block 4**: Description of articles (USML category, quantity, value)
|
|
28
|
-
- **Block 5**: End-use statement (intended use, no re-export without US government approval)
|
|
29
|
-
- **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
|
|
30
|
-
|
|
31
|
-
### Processing Times
|
|
32
|
-
- Standard: 30–60 days
|
|
33
|
-
- Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
|
|
34
|
-
|
|
35
|
-
### License Conditions (common)
|
|
36
|
-
- Items may not be re-exported without prior DDTC authorisation
|
|
37
|
-
- End-user restrictions apply
|
|
38
|
-
- US government access rights for audits
|
|
39
|
-
- 4-year validity; extendable
|
|
40
|
-
|
|
41
|
-
---
|
|
42
|
-
|
|
43
|
-
## DSP-73 (Temporary Export)
|
|
44
|
-
|
|
45
|
-
### When Required
|
|
46
|
-
Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
|
|
47
|
-
|
|
48
|
-
### Key Requirements
|
|
49
|
-
- Describe items precisely; document serial numbers
|
|
50
|
-
- State duration and purpose (e.g., "air show display," "field test," "repair and return")
|
|
51
|
-
- Items must return to the US by the license expiry date
|
|
52
|
-
- License conditions prohibit use in combat, operational deployment
|
|
53
|
-
|
|
54
|
-
---
|
|
55
|
-
|
|
56
|
-
## Technical Assistance Agreement (TAA)
|
|
57
|
-
|
|
58
|
-
### Purpose
|
|
59
|
-
Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
|
|
60
|
-
|
|
61
|
-
### Required TAA Clauses (22 CFR § 124.9)
|
|
62
|
-
1. **Scope of agreement**: Precise description of technical data / defense services
|
|
63
|
-
2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
|
|
64
|
-
3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
|
|
65
|
-
4. **US government rights**: US government may review all records; terminate agreement
|
|
66
|
-
5. **Record-keeping**: 5-year retention
|
|
67
|
-
6. **Audit rights**: US licensor right to audit foreign licensee compliance
|
|
68
|
-
7. **Term**: Normally 5 years; must renew before expiry
|
|
69
|
-
8. **Security classification handling** (if applicable)
|
|
70
|
-
|
|
71
|
-
### Amendment Requirements
|
|
72
|
-
Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
|
|
73
|
-
|
|
74
|
-
### Common TAA Uses
|
|
75
|
-
- Sharing engineering drawings with foreign manufacturer
|
|
76
|
-
- Providing maintenance training to foreign military
|
|
77
|
-
- Technical support under FMS (Foreign Military Sales) cases
|
|
78
|
-
- Joint development programmes with foreign partners
|
|
79
|
-
|
|
80
|
-
---
|
|
81
|
-
|
|
82
|
-
## Manufacturing License Agreement (MLA)
|
|
83
|
-
|
|
84
|
-
### Purpose
|
|
85
|
-
Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
|
|
86
|
-
|
|
87
|
-
### Key Differences from TAA
|
|
88
|
-
| Feature | TAA | MLA |
|
|
89
|
-
|---------|-----|-----|
|
|
90
|
-
| What is transferred | Technical data / services | Manufacturing rights + technical data |
|
|
91
|
-
| Foreign party produces? | No | Yes |
|
|
92
|
-
| Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
|
|
93
|
-
| Offset programs | Not typical | Common |
|
|
94
|
-
|
|
95
|
-
### Required MLA Clauses
|
|
96
|
-
- Licence to manufacture (specific quantities, articles, versions)
|
|
97
|
-
- Quality assurance provisions
|
|
98
|
-
- US government rights (inspection, audit, terminate)
|
|
99
|
-
- Retransfer and re-export controls
|
|
100
|
-
- Royalty / fee structure
|
|
101
|
-
- End-of-programme disposition of tooling and data
|
|
102
|
-
|
|
103
|
-
---
|
|
104
|
-
|
|
105
|
-
## ITAR Exemptions (Selected)
|
|
106
|
-
|
|
107
|
-
Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
|
|
108
|
-
|
|
109
|
-
### Key Exemptions (22 CFR Part 123–126)
|
|
110
|
-
|
|
111
|
-
| Exemption | CFR Reference | Conditions |
|
|
112
|
-
|-----------|--------------|-----------|
|
|
113
|
-
| US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
|
|
114
|
-
| Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
|
|
115
|
-
| Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
|
|
116
|
-
| Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
|
|
117
|
-
| Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
|
|
118
|
-
| Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
|
|
119
|
-
|
|
120
|
-
**Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
|
|
121
|
-
|
|
122
|
-
---
|
|
123
|
-
|
|
124
|
-
## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
|
|
125
|
-
|
|
126
|
-
| Aspect | FMS | DCS |
|
|
127
|
-
|--------|-----|-----|
|
|
128
|
-
| Contract party | US Government (DSCA) | US company directly |
|
|
129
|
-
| ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
|
|
130
|
-
| End-use assurance | US Government provides | US company responsible |
|
|
131
|
-
| Price | Government + administrative fees | Market rate |
|
|
132
|
-
| Delivery risk | US Government manages | US company manages |
|
|
133
|
-
|
|
134
|
-
---
|
|
135
|
-
|
|
136
|
-
## Record-Keeping Requirements (22 CFR § 122.5)
|
|
137
|
-
|
|
138
|
-
All ITAR registrants must maintain for **5 years**:
|
|
139
|
-
- All export/import licences and shipping documents
|
|
140
|
-
- All TAA/MLA agreements and associated records
|
|
141
|
-
- End-user certificates and purchase orders
|
|
142
|
-
- Records of all disclosures of technical data
|
|
143
|
-
- Commodity Jurisdiction requests and determinations
|
|
144
|
-
- Voluntary disclosure records
|
|
145
|
-
|
|
146
|
-
Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.
|
|
1
|
+
# ITAR Licensing Guide — 22 CFR Parts 123–125
|
|
2
|
+
|
|
3
|
+
## License Types at a Glance
|
|
4
|
+
|
|
5
|
+
| License / Agreement | CFR Reference | Purpose | Typical Use |
|
|
6
|
+
|--------------------|---------------|---------|-------------|
|
|
7
|
+
| DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
|
|
8
|
+
| DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
|
|
9
|
+
| DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
|
|
10
|
+
| DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
|
|
11
|
+
| Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
|
|
12
|
+
| Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
|
|
13
|
+
| Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## DSP-5 (Permanent Export License)
|
|
18
|
+
|
|
19
|
+
### When Required
|
|
20
|
+
Any export of USML hardware not covered by an exemption.
|
|
21
|
+
|
|
22
|
+
### Application Requirements
|
|
23
|
+
Submit via DDTC's D-Trade portal:
|
|
24
|
+
- **Block 1**: Applicant (DDTC registration number)
|
|
25
|
+
- **Block 2**: Country of ultimate destination
|
|
26
|
+
- **Block 3**: Foreign end-user name and address
|
|
27
|
+
- **Block 4**: Description of articles (USML category, quantity, value)
|
|
28
|
+
- **Block 5**: End-use statement (intended use, no re-export without US government approval)
|
|
29
|
+
- **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
|
|
30
|
+
|
|
31
|
+
### Processing Times
|
|
32
|
+
- Standard: 30–60 days
|
|
33
|
+
- Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
|
|
34
|
+
|
|
35
|
+
### License Conditions (common)
|
|
36
|
+
- Items may not be re-exported without prior DDTC authorisation
|
|
37
|
+
- End-user restrictions apply
|
|
38
|
+
- US government access rights for audits
|
|
39
|
+
- 4-year validity; extendable
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## DSP-73 (Temporary Export)
|
|
44
|
+
|
|
45
|
+
### When Required
|
|
46
|
+
Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
|
|
47
|
+
|
|
48
|
+
### Key Requirements
|
|
49
|
+
- Describe items precisely; document serial numbers
|
|
50
|
+
- State duration and purpose (e.g., "air show display," "field test," "repair and return")
|
|
51
|
+
- Items must return to the US by the license expiry date
|
|
52
|
+
- License conditions prohibit use in combat, operational deployment
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## Technical Assistance Agreement (TAA)
|
|
57
|
+
|
|
58
|
+
### Purpose
|
|
59
|
+
Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
|
|
60
|
+
|
|
61
|
+
### Required TAA Clauses (22 CFR § 124.9)
|
|
62
|
+
1. **Scope of agreement**: Precise description of technical data / defense services
|
|
63
|
+
2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
|
|
64
|
+
3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
|
|
65
|
+
4. **US government rights**: US government may review all records; terminate agreement
|
|
66
|
+
5. **Record-keeping**: 5-year retention
|
|
67
|
+
6. **Audit rights**: US licensor right to audit foreign licensee compliance
|
|
68
|
+
7. **Term**: Normally 5 years; must renew before expiry
|
|
69
|
+
8. **Security classification handling** (if applicable)
|
|
70
|
+
|
|
71
|
+
### Amendment Requirements
|
|
72
|
+
Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
|
|
73
|
+
|
|
74
|
+
### Common TAA Uses
|
|
75
|
+
- Sharing engineering drawings with foreign manufacturer
|
|
76
|
+
- Providing maintenance training to foreign military
|
|
77
|
+
- Technical support under FMS (Foreign Military Sales) cases
|
|
78
|
+
- Joint development programmes with foreign partners
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## Manufacturing License Agreement (MLA)
|
|
83
|
+
|
|
84
|
+
### Purpose
|
|
85
|
+
Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
|
|
86
|
+
|
|
87
|
+
### Key Differences from TAA
|
|
88
|
+
| Feature | TAA | MLA |
|
|
89
|
+
|---------|-----|-----|
|
|
90
|
+
| What is transferred | Technical data / services | Manufacturing rights + technical data |
|
|
91
|
+
| Foreign party produces? | No | Yes |
|
|
92
|
+
| Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
|
|
93
|
+
| Offset programs | Not typical | Common |
|
|
94
|
+
|
|
95
|
+
### Required MLA Clauses
|
|
96
|
+
- Licence to manufacture (specific quantities, articles, versions)
|
|
97
|
+
- Quality assurance provisions
|
|
98
|
+
- US government rights (inspection, audit, terminate)
|
|
99
|
+
- Retransfer and re-export controls
|
|
100
|
+
- Royalty / fee structure
|
|
101
|
+
- End-of-programme disposition of tooling and data
|
|
102
|
+
|
|
103
|
+
---
|
|
104
|
+
|
|
105
|
+
## ITAR Exemptions (Selected)
|
|
106
|
+
|
|
107
|
+
Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
|
|
108
|
+
|
|
109
|
+
### Key Exemptions (22 CFR Part 123–126)
|
|
110
|
+
|
|
111
|
+
| Exemption | CFR Reference | Conditions |
|
|
112
|
+
|-----------|--------------|-----------|
|
|
113
|
+
| US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
|
|
114
|
+
| Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
|
|
115
|
+
| Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
|
|
116
|
+
| Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
|
|
117
|
+
| Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
|
|
118
|
+
| Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
|
|
119
|
+
|
|
120
|
+
**Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
|
|
121
|
+
|
|
122
|
+
---
|
|
123
|
+
|
|
124
|
+
## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
|
|
125
|
+
|
|
126
|
+
| Aspect | FMS | DCS |
|
|
127
|
+
|--------|-----|-----|
|
|
128
|
+
| Contract party | US Government (DSCA) | US company directly |
|
|
129
|
+
| ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
|
|
130
|
+
| End-use assurance | US Government provides | US company responsible |
|
|
131
|
+
| Price | Government + administrative fees | Market rate |
|
|
132
|
+
| Delivery risk | US Government manages | US company manages |
|
|
133
|
+
|
|
134
|
+
---
|
|
135
|
+
|
|
136
|
+
## Record-Keeping Requirements (22 CFR § 122.5)
|
|
137
|
+
|
|
138
|
+
All ITAR registrants must maintain for **5 years**:
|
|
139
|
+
- All export/import licences and shipping documents
|
|
140
|
+
- All TAA/MLA agreements and associated records
|
|
141
|
+
- End-user certificates and purchase orders
|
|
142
|
+
- Records of all disclosures of technical data
|
|
143
|
+
- Commodity Jurisdiction requests and determinations
|
|
144
|
+
- Voluntary disclosure records
|
|
145
|
+
|
|
146
|
+
Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.
|
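Review bot: all 146 lines of this file are removed and re-added with text that reads identically in this rendering, so the hunk appears to carry only a whitespace or line-ending change. If that is the intent, say so in the release notes and pin line endings in the repository (for example with a `.gitattributes` rule) so that future content edits are not buried in whole-file rewrites. Since every line is touched anyway, two document points are worth fixing: the title scopes the guide to "22 CFR Parts 123–125", yet line 109 is headed "Key Exemptions (22 CFR Part 123–126)" and line 136 cites § 122.5; and the spelling alternates between "License" (lines 3, 17, 35) and "licence" (lines 85, 96, 129). Widen the title or trim the sections, and pick one spelling.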