bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213)
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,174 +1,174 @@
1
- # ITAR Compliance Programme — Penalties, VSD, and TCP
2
-
3
- ## ITAR Compliance Programme Elements
4
-
5
- An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
6
-
7
- ### 1. Governance and Leadership
8
- - Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
9
- - Written **ITAR Compliance Policy** signed by senior management
10
- - Clear escalation path for export control questions
11
- - Annual management review of compliance programme effectiveness
12
-
13
- ### 2. Training
14
- - **Initial training** for all employees with ITAR access within 30 days of hire
15
- - **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
16
- - **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
17
- - Training records retained 5 years
18
-
19
- ### 3. Technology Control Plan (TCP)
20
-
21
- A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
22
-
23
- **TCP Sections:**
24
- ```
25
- 1. Purpose and Scope
26
- 2. ITAR-controlled items and data inventory
27
- 3. Physical access controls (secure areas, visitor escorts, badging)
28
- 4. IT access controls (network segregation, access lists, encryption)
29
- 5. Foreign national screening procedure
30
- - Collect citizenship information at hire/engagement
31
- - Screen against denied parties lists
32
- - Determine if TAA/licence required before granting access
33
- 6. Visitor and contractor procedures
34
- 7. Annual ITAR training programme
35
- 8. Incident identification, reporting, and response
36
- 9. Records management (5-year retention)
37
- 10. TCP review and update cycle (annual minimum)
38
- ```
39
-
40
- ### 4. Screening and Due Diligence
41
- Screen all parties (customers, suppliers, employees, visitors) against:
42
- - **DDTC Debarred Parties List** (22 CFR § 127.7)
43
- - **OFAC Specially Designated Nationals (SDN) List**
44
- - **BIS Denied Persons List, Entity List, Unverified List**
45
- - **US State Department Watch Lists**
46
-
47
- Screening must be documented and re-run at each transaction.
48
-
49
- ### 5. Jurisdiction and Classification Review
50
- - Formal **product classification process** for every new item, component, and software
51
- - Document classification decisions (USML citation or EAR ECCN) with rationale
52
- - Review classifications when product is modified, use-case changes, or regulations change
53
- - Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
54
-
55
- ### 6. Licence Management
56
- - Centralised tracking of all active licences, TAAs, MLAs
57
- - Pre-shipment licence review checklist
58
- - Licence condition compliance (quantities, end-users, re-export restrictions)
59
- - Timely licence renewals (track expiry dates with 90-day advance reminders)
60
- - Post-shipment filing (Automated Export System / Electronic Export Information)
61
-
62
- ### 7. Audits
63
- - Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
64
- - Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
65
- - Findings documented with corrective action plans and owners
66
-
67
- ---
68
-
69
- ## Penalties — 22 CFR Part 127 and 22 USC § 2778
70
-
71
- ### Civil Penalties
72
- - Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
73
- - Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
74
- - DDTC may impose civil penalties via Consent Agreement without criminal referral
75
-
76
- ### Criminal Penalties
77
- - Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
78
- - Up to **20 years imprisonment** per violation
79
- - Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
80
-
81
- ### Debarment
82
- - DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
83
- - Duration: typically 3 years; can be permanent for egregious violations
84
- - Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
85
- - Published on the DDTC Debarred Parties List
86
-
87
- ### Other Consequences
88
- - **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
89
- - **Suspension of export privileges** pending investigation
90
- - **Congressional notification** requirements for significant violations involving foreign governments
91
- - **Reputational harm** — consent agreements are publicly disclosed
92
-
93
- ---
94
-
95
- ## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
96
-
97
- ### Why Disclose
98
- VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
99
-
100
- ### VSD Process
101
-
102
- **Step 1 — Initial Notification** (~30 days from discovery)
103
- - Submit brief written notification to DDTC Director of Compliance
104
- - Include: company name, registration number, general description of the potential violation, estimated number of occurrences
105
- - Request a tolling agreement to preserve statute of limitations while investigation proceeds
106
-
107
- **Step 2 — Internal Investigation** (30–90 days)
108
- - Investigate all facts: who knew what, when, what was exported/disclosed, to whom
109
- - Pull all records (licences, shipping docs, emails, TAA files)
110
- - Identify root cause (process failure, training gap, deliberate act)
111
- - Preserve all evidence; place litigation hold if appropriate
112
-
113
- **Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
114
- Submit comprehensive written report including:
115
- - Detailed factual narrative of all violations
116
- - CFR sections violated for each occurrence
117
- - Identification of all parties involved
118
- - Timeline of events
119
- - Root cause analysis
120
- - Corrective actions already implemented
121
- - Proposed additional remediation
122
-
123
- **Step 4 — DDTC Review and Resolution**
124
- - DDTC reviews report; may request additional information
125
- - Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
126
- - Most cooperative VSDs resolved within 6–18 months
127
-
128
- ### Mitigating Factors
129
- - Voluntary self-disclosure
130
- - Cooperation with DDTC investigation
131
- - Effective pre-existing compliance programme
132
- - Prompt remediation
133
- - No prior ITAR violations
134
- - Low national security harm
135
- - Relatively low transaction value
136
-
137
- ### Aggravating Factors
138
- - Wilful/deliberate violation
139
- - Senior management involvement or awareness
140
- - Harm to national security
141
- - Pattern of violations
142
- - Obstruction or lack of cooperation
143
- - High-risk end-users (state sponsors of terrorism, arms embargoes)
144
- - Prior violations
145
-
146
- ---
147
-
148
- ## DDTC Blue Lantern End-Use Monitoring
149
-
150
- The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
151
-
152
- **Implications for exporters:**
153
- - Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
154
- - Maintain accurate shipping records to facilitate verification
155
- - Include cooperation obligations in contracts with foreign distributors
156
- - Report if you discover items have been diverted or misused
157
-
158
- ---
159
-
160
- ## Checklist — ITAR Compliance Programme Readiness
161
-
162
- | Area | ✅ | Key Questions |
163
- |------|----|--------------|
164
- | Registration | | Is registration current? Renewal filed on time? |
165
- | Empowered Official | | Named EO with written authority? |
166
- | Policy | | IS Policy signed by senior management? |
167
- | TCP | | Written TCP? Reviewed in last 12 months? |
168
- | Training | | All ITAR-access employees trained in last 12 months? Records retained? |
169
- | Classification | | All products/components formally classified? CJ obtained where needed? |
170
- | Screening | | SDN/debarment screening at every transaction? Documented? |
171
- | Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
172
- | Record retention | | 5-year retention in place? Accessible for audit? |
173
- | Internal audit | | Annual ITAR audit completed? Findings tracked? |
174
- | Incident response | | VSD procedure documented and communicated? |
1
+ # ITAR Compliance Programme — Penalties, VSD, and TCP
2
+
3
+ ## ITAR Compliance Programme Elements
4
+
5
+ An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:
6
+
7
+ ### 1. Governance and Leadership
8
+ - Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
9
+ - Written **ITAR Compliance Policy** signed by senior management
10
+ - Clear escalation path for export control questions
11
+ - Annual management review of compliance programme effectiveness
12
+
13
+ ### 2. Training
14
+ - **Initial training** for all employees with ITAR access within 30 days of hire
15
+ - **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
16
+ - **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
17
+ - Training records retained 5 years
18
+
19
+ ### 3. Technology Control Plan (TCP)
20
+
21
+ A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.
22
+
23
+ **TCP Sections:**
24
+ ```
25
+ 1. Purpose and Scope
26
+ 2. ITAR-controlled items and data inventory
27
+ 3. Physical access controls (secure areas, visitor escorts, badging)
28
+ 4. IT access controls (network segregation, access lists, encryption)
29
+ 5. Foreign national screening procedure
30
+ - Collect citizenship information at hire/engagement
31
+ - Screen against denied parties lists
32
+ - Determine if TAA/licence required before granting access
33
+ 6. Visitor and contractor procedures
34
+ 7. Annual ITAR training programme
35
+ 8. Incident identification, reporting, and response
36
+ 9. Records management (5-year retention)
37
+ 10. TCP review and update cycle (annual minimum)
38
+ ```
39
+
40
+ ### 4. Screening and Due Diligence
41
+ Screen all parties (customers, suppliers, employees, visitors) against:
42
+ - **DDTC Debarred Parties List** (22 CFR § 127.7)
43
+ - **OFAC Specially Designated Nationals (SDN) List**
44
+ - **BIS Denied Persons List, Entity List, Unverified List**
45
+ - **US State Department Watch Lists**
46
+
47
+ Screening must be documented and re-run at each transaction.
48
+
49
+ ### 5. Jurisdiction and Classification Review
50
+ - Formal **product classification process** for every new item, component, and software
51
+ - Document classification decisions (USML citation or EAR ECCN) with rationale
52
+ - Review classifications when product is modified, use-case changes, or regulations change
53
+ - Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items
54
+
55
+ ### 6. Licence Management
56
+ - Centralised tracking of all active licences, TAAs, MLAs
57
+ - Pre-shipment licence review checklist
58
+ - Licence condition compliance (quantities, end-users, re-export restrictions)
59
+ - Timely licence renewals (track expiry dates with 90-day advance reminders)
60
+ - Post-shipment filing (Automated Export System / Electronic Export Information)
61
+
62
+ ### 7. Audits
63
+ - Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
64
+ - Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
65
+ - Findings documented with corrective action plans and owners
66
+
67
+ ---
68
+
69
+ ## Penalties — 22 CFR Part 127 and 22 USC § 2778
70
+
71
+ ### Civil Penalties
72
+ - Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
73
+ - Each unlicensed export, each unlicensed disclosure of technical data, each brokering violation = separate violation
74
+ - DDTC may impose civil penalties via Consent Agreement without criminal referral
75
+
76
+ ### Criminal Penalties
77
+ - Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
78
+ - Up to **20 years imprisonment** per violation
79
+ - Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division
80
+
81
+ ### Debarment
82
+ - DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
83
+ - Duration: typically 3 years; can be permanent for egregious violations
84
+ - Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
85
+ - Published on the DDTC Debarred Parties List
86
+
87
+ ### Other Consequences
88
+ - **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
89
+ - **Suspension of export privileges** pending investigation
90
+ - **Congressional notification** requirements for significant violations involving foreign governments
91
+ - **Reputational harm** — consent agreements are publicly disclosed
92
+
93
+ ---
94
+
95
+ ## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12
96
+
97
+ ### Why Disclose
98
+ VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.
99
+
100
+ ### VSD Process
101
+
102
+ **Step 1 — Initial Notification** (~30 days from discovery)
103
+ - Submit brief written notification to DDTC Director of Compliance
104
+ - Include: company name, registration number, general description of the potential violation, estimated number of occurrences
105
+ - Request a tolling agreement to preserve statute of limitations while investigation proceeds
106
+
107
+ **Step 2 — Internal Investigation** (30–90 days)
108
+ - Investigate all facts: who knew what, when, what was exported/disclosed, to whom
109
+ - Pull all records (licences, shipping docs, emails, TAA files)
110
+ - Identify root cause (process failure, training gap, deliberate act)
111
+ - Preserve all evidence; place litigation hold if appropriate
112
+
113
+ **Step 3 — Final VSD Report** (within ~60–90 days of initial notification)
114
+ Submit comprehensive written report including:
115
+ - Detailed factual narrative of all violations
116
+ - CFR sections violated for each occurrence
117
+ - Identification of all parties involved
118
+ - Timeline of events
119
+ - Root cause analysis
120
+ - Corrective actions already implemented
121
+ - Proposed additional remediation
122
+
123
+ **Step 4 — DDTC Review and Resolution**
124
+ - DDTC reviews report; may request additional information
125
+ - Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
126
+ - Most cooperative VSDs resolved within 6–18 months
127
+
128
+ ### Mitigating Factors
129
+ - Voluntary self-disclosure
130
+ - Cooperation with DDTC investigation
131
+ - Effective pre-existing compliance programme
132
+ - Prompt remediation
133
+ - No prior ITAR violations
134
+ - Low national security harm
135
+ - Relatively low transaction value
136
+
137
+ ### Aggravating Factors
138
+ - Wilful/deliberate violation
139
+ - Senior management involvement or awareness
140
+ - Harm to national security
141
+ - Pattern of violations
142
+ - Obstruction or lack of cooperation
143
+ - High-risk end-users (state sponsors of terrorism, arms embargoes)
144
+ - Prior violations
145
+
146
+ ---
147
+
148
+ ## DDTC Blue Lantern End-Use Monitoring
149
+
150
+ The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.
151
+
152
+ **Implications for exporters:**
153
+ - Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
154
+ - Maintain accurate shipping records to facilitate verification
155
+ - Include cooperation obligations in contracts with foreign distributors
156
+ - Report if you discover items have been diverted or misused
157
+
158
+ ---
159
+
160
+ ## Checklist — ITAR Compliance Programme Readiness
161
+
162
+ | Area | ✅ | Key Questions |
163
+ |------|----|--------------|
164
+ | Registration | | Is registration current? Renewal filed on time? |
165
+ | Empowered Official | | Named EO with written authority? |
166
+ | Policy | | IS Policy signed by senior management? |
167
+ | TCP | | Written TCP? Reviewed in last 12 months? |
168
+ | Training | | All ITAR-access employees trained in last 12 months? Records retained? |
169
+ | Classification | | All products/components formally classified? CJ obtained where needed? |
170
+ | Screening | | SDN/debarment screening at every transaction? Documented? |
171
+ | Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
172
+ | Record retention | | 5-year retention in place? Accessible for audit? |
173
+ | Internal audit | | Annual ITAR audit completed? Findings tracked? |
174
+ | Incident response | | VSD procedure documented and communicated? |
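Review bot: The "Civil Penalties" bullet hard-codes "$1,369,000 per violation" while the same line says the amount is adjusted annually, so the figure will go stale with nothing to tell a reader which year it reflects. Add an as-of date next to the amount, or replace the number with a pointer to the current adjusted figure. The same applies to the fixed timings in the VSD steps ("~30 days from discovery", "within ~60–90 days of initial notification"), which are given as approximations without a source. They should either cite the provision they come from or be labelled as typical practice. In the readiness checklist, the "Policy" row asks "IS Policy signed by senior management?", but "IS Policy" is not defined anywhere in the lines shown here. Spell it out or use the term the rest of the document uses.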
@@ -1,146 +1,146 @@
1
- # ITAR Licensing Guide — 22 CFR Parts 123–125
2
-
3
- ## License Types at a Glance
4
-
5
- | License / Agreement | CFR Reference | Purpose | Typical Use |
6
- |--------------------|---------------|---------|-------------|
7
- | DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
8
- | DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
9
- | DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
10
- | DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
11
- | Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
12
- | Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
13
- | Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
14
-
15
- ---
16
-
17
- ## DSP-5 (Permanent Export License)
18
-
19
- ### When Required
20
- Any export of USML hardware not covered by an exemption.
21
-
22
- ### Application Requirements
23
- Submit via DDTC's D-Trade portal:
24
- - **Block 1**: Applicant (DDTC registration number)
25
- - **Block 2**: Country of ultimate destination
26
- - **Block 3**: Foreign end-user name and address
27
- - **Block 4**: Description of articles (USML category, quantity, value)
28
- - **Block 5**: End-use statement (intended use, no re-export without US government approval)
29
- - **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
30
-
31
- ### Processing Times
32
- - Standard: 30–60 days
33
- - Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
34
-
35
- ### License Conditions (common)
36
- - Items may not be re-exported without prior DDTC authorisation
37
- - End-user restrictions apply
38
- - US government access rights for audits
39
- - 4-year validity; extendable
40
-
41
- ---
42
-
43
- ## DSP-73 (Temporary Export)
44
-
45
- ### When Required
46
- Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
47
-
48
- ### Key Requirements
49
- - Describe items precisely; document serial numbers
50
- - State duration and purpose (e.g., "air show display," "field test," "repair and return")
51
- - Items must return to the US by the license expiry date
52
- - License conditions prohibit use in combat, operational deployment
53
-
54
- ---
55
-
56
- ## Technical Assistance Agreement (TAA)
57
-
58
- ### Purpose
59
- Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
60
-
61
- ### Required TAA Clauses (22 CFR § 124.9)
62
- 1. **Scope of agreement**: Precise description of technical data / defense services
63
- 2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
64
- 3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
65
- 4. **US government rights**: US government may review all records; terminate agreement
66
- 5. **Record-keeping**: 5-year retention
67
- 6. **Audit rights**: US licensor right to audit foreign licensee compliance
68
- 7. **Term**: Normally 5 years; must renew before expiry
69
- 8. **Security classification handling** (if applicable)
70
-
71
- ### Amendment Requirements
72
- Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
73
-
74
- ### Common TAA Uses
75
- - Sharing engineering drawings with foreign manufacturer
76
- - Providing maintenance training to foreign military
77
- - Technical support under FMS (Foreign Military Sales) cases
78
- - Joint development programmes with foreign partners
79
-
80
- ---
81
-
82
- ## Manufacturing License Agreement (MLA)
83
-
84
- ### Purpose
85
- Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
86
-
87
- ### Key Differences from TAA
88
- | Feature | TAA | MLA |
89
- |---------|-----|-----|
90
- | What is transferred | Technical data / services | Manufacturing rights + technical data |
91
- | Foreign party produces? | No | Yes |
92
- | Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
93
- | Offset programs | Not typical | Common |
94
-
95
- ### Required MLA Clauses
96
- - Licence to manufacture (specific quantities, articles, versions)
97
- - Quality assurance provisions
98
- - US government rights (inspection, audit, terminate)
99
- - Retransfer and re-export controls
100
- - Royalty / fee structure
101
- - End-of-programme disposition of tooling and data
102
-
103
- ---
104
-
105
- ## ITAR Exemptions (Selected)
106
-
107
- Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
108
-
109
- ### Key Exemptions (22 CFR Part 123–126)
110
-
111
- | Exemption | CFR Reference | Conditions |
112
- |-----------|--------------|-----------|
113
- | US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
114
- | Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
115
- | Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
116
- | Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
117
- | Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
118
- | Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
119
-
120
- **Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
121
-
122
- ---
123
-
124
- ## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
125
-
126
- | Aspect | FMS | DCS |
127
- |--------|-----|-----|
128
- | Contract party | US Government (DSCA) | US company directly |
129
- | ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
130
- | End-use assurance | US Government provides | US company responsible |
131
- | Price | Government + administrative fees | Market rate |
132
- | Delivery risk | US Government manages | US company manages |
133
-
134
- ---
135
-
136
- ## Record-Keeping Requirements (22 CFR § 122.5)
137
-
138
- All ITAR registrants must maintain for **5 years**:
139
- - All export/import licences and shipping documents
140
- - All TAA/MLA agreements and associated records
141
- - End-user certificates and purchase orders
142
- - Records of all disclosures of technical data
143
- - Commodity Jurisdiction requests and determinations
144
- - Voluntary disclosure records
145
-
146
- Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.
1
+ # ITAR Licensing Guide — 22 CFR Parts 123–125
2
+
3
+ ## License Types at a Glance
4
+
5
+ | License / Agreement | CFR Reference | Purpose | Typical Use |
6
+ |--------------------|---------------|---------|-------------|
7
+ | DSP-5 | 22 CFR § 123.1 | Permanent export of defense articles | Hardware sale/transfer to foreign end-user |
8
+ | DSP-73 | 22 CFR § 123.5 | Temporary export | Trade shows, testing, repair abroad |
9
+ | DSP-94 | 22 CFR § 123.6 | Temporary import | Foreign defense article entering US temporarily |
10
+ | DSP-61 | 22 CFR § 123.9 | Import license | Permanent import from certain countries |
11
+ | Technical Assistance Agreement (TAA) | 22 CFR § 124.1 | Export of technical data / defense services | Engineering support, training, design assistance |
12
+ | Manufacturing License Agreement (MLA) | 22 CFR § 124.2 | Licensed foreign manufacture | Overseas production of US defense articles |
13
+ | Warehouse/Distribution Agreement | 22 CFR § 124.14 | Stocking items abroad for resale | Distributor model |
14
+
15
+ ---
16
+
17
+ ## DSP-5 (Permanent Export License)
18
+
19
+ ### When Required
20
+ Any export of USML hardware not covered by an exemption.
21
+
22
+ ### Application Requirements
23
+ Submit via DDTC's D-Trade portal:
24
+ - **Block 1**: Applicant (DDTC registration number)
25
+ - **Block 2**: Country of ultimate destination
26
+ - **Block 3**: Foreign end-user name and address
27
+ - **Block 4**: Description of articles (USML category, quantity, value)
28
+ - **Block 5**: End-use statement (intended use, no re-export without US government approval)
29
+ - **Supporting docs**: Purchase order, end-user certificate, import certificate if required by destination country
30
+
31
+ ### Processing Times
32
+ - Standard: 30–60 days
33
+ - Significant Military Equipment (SME): may require Congressional notification (22 USC § 2776) for sales ≥$14M
34
+
35
+ ### License Conditions (common)
36
+ - Items may not be re-exported without prior DDTC authorisation
37
+ - End-user restrictions apply
38
+ - US government access rights for audits
39
+ - 4-year validity; extendable
40
+
41
+ ---
42
+
43
+ ## DSP-73 (Temporary Export)
44
+
45
+ ### When Required
46
+ Hardware leaving the US temporarily (not for resale/transfer to foreign ownership).
47
+
48
+ ### Key Requirements
49
+ - Describe items precisely; document serial numbers
50
+ - State duration and purpose (e.g., "air show display," "field test," "repair and return")
51
+ - Items must return to the US by the license expiry date
52
+ - License conditions prohibit use in combat, operational deployment
53
+
54
+ ---
55
+
56
+ ## Technical Assistance Agreement (TAA)
57
+
58
+ ### Purpose
59
+ Authorises the export of **technical data** and/or **defense services** to specific foreign persons/entities. Required even for oral disclosure of ITAR-controlled technical data to a foreign national.
60
+
61
+ ### Required TAA Clauses (22 CFR § 124.9)
62
+ 1. **Scope of agreement**: Precise description of technical data / defense services
63
+ 2. **Parties**: US licensor + all foreign licensees, authorised sub-licensees
64
+ 3. **Retransfer prohibition**: No further disclosure/transfer without prior written DDTC approval
65
+ 4. **US government rights**: US government may review all records; terminate agreement
66
+ 5. **Record-keeping**: 5-year retention
67
+ 6. **Audit rights**: US licensor right to audit foreign licensee compliance
68
+ 7. **Term**: Normally 5 years; must renew before expiry
69
+ 8. **Security classification handling** (if applicable)
70
+
71
+ ### Amendment Requirements
72
+ Any change to scope, parties, or authorised countries requires a formal amendment approved by DDTC.
73
+
74
+ ### Common TAA Uses
75
+ - Sharing engineering drawings with foreign manufacturer
76
+ - Providing maintenance training to foreign military
77
+ - Technical support under FMS (Foreign Military Sales) cases
78
+ - Joint development programmes with foreign partners
79
+
80
+ ---
81
+
82
+ ## Manufacturing License Agreement (MLA)
83
+
84
+ ### Purpose
85
+ Allows a foreign person to manufacture a defense article under US licence — typically for local production under an FMS programme or commercial arrangement.
86
+
87
+ ### Key Differences from TAA
88
+ | Feature | TAA | MLA |
89
+ |---------|-----|-----|
90
+ | What is transferred | Technical data / services | Manufacturing rights + technical data |
91
+ | Foreign party produces? | No | Yes |
92
+ | Sub-licensing allowed? | Conditional | Usually yes, with restrictions |
93
+ | Offset programs | Not typical | Common |
94
+
95
+ ### Required MLA Clauses
96
+ - Licence to manufacture (specific quantities, articles, versions)
97
+ - Quality assurance provisions
98
+ - US government rights (inspection, audit, terminate)
99
+ - Retransfer and re-export controls
100
+ - Royalty / fee structure
101
+ - End-of-programme disposition of tooling and data
102
+
103
+ ---
104
+
105
+ ## ITAR Exemptions (Selected)
106
+
107
+ Certain transfers do not require a licence if all conditions are met. **Exemptions are NOT blanket authorisations — verify conditions every time.**
108
+
109
+ ### Key Exemptions (22 CFR Part 123–126)
110
+
111
+ | Exemption | CFR Reference | Conditions |
112
+ |-----------|--------------|-----------|
113
+ | US government | § 126.4 | Export by/for US Dept of Defense, State, etc. with government orders |
114
+ | Canada exemption | § 126.5 | Certain unclassified hardware to Canada only; does not apply to all categories |
115
+ | Australian/UK exemption | § 126.7 | Limited scope for certain Gov-to-Gov and industry-to-industry transfers; requires eligibility verification |
116
+ | Intra-company | § 125.4(b)(9) | Technical data to wholly owned US subsidiary abroad; limited scope |
117
+ | Beta test software | § 125.4(b)(10) | Unclassified software for beta testing by foreign person; narrow conditions |
118
+ | Beta hardware | § 123.16 | Temporary export of unclassified hardware for demonstration; strict limits |
119
+
120
+ **Australia, UK, Canada Defence Trade Cooperation Treaties**: Provide streamlined licensing for covered defence articles between treaty partners; not a blanket exemption.
121
+
122
+ ---
123
+
124
+ ## Foreign Military Sales (FMS) vs Direct Commercial Sales (DCS)
125
+
126
+ | Aspect | FMS | DCS |
127
+ |--------|-----|-----|
128
+ | Contract party | US Government (DSCA) | US company directly |
129
+ | ITAR licence | Not required (US Gov exemption) | DSP-5 / TAA required |
130
+ | End-use assurance | US Government provides | US company responsible |
131
+ | Price | Government + administrative fees | Market rate |
132
+ | Delivery risk | US Government manages | US company manages |
133
+
134
+ ---
135
+
136
+ ## Record-Keeping Requirements (22 CFR § 122.5)
137
+
138
+ All ITAR registrants must maintain for **5 years**:
139
+ - All export/import licences and shipping documents
140
+ - All TAA/MLA agreements and associated records
141
+ - End-user certificates and purchase orders
142
+ - Records of all disclosures of technical data
143
+ - Commodity Jurisdiction requests and determinations
144
+ - Voluntary disclosure records
145
+
146
+ Records must be available for inspection by DDTC, US Customs, DoD, or other US government agencies.
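Review bot: Whole-file churn with no visible content change: under `@@ -1,146 +1,146 @@` all 146 lines of the ITAR Licensing Guide are removed and re-added with text that reads identically on both sides, which points to a line-ending or whitespace conversion rather than an edit. In a published package diff this kind of noise makes it hard to confirm that nothing substantive changed between versions. If the conversion is intentional, note it in the changelog and pin the line-ending policy (for example in `.gitattributes`, assuming the project is built from a git repository) so later releases do not repeat it. If it is not intentional, fix the packaging step that rewrites the files. Separately, the title scopes the guide to "22 CFR Parts 123–125", but the "Key Exemptions" heading cites "Part 123–126" and its table rows reference § 126.4, § 126.5 and § 126.7. The title and heading should agree. Spelling also alternates between "License" and "Licence" within the same file.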