bmad-plus 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +15 -0
  2. package/LICENSE +21 -21
  3. package/README.md +105 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +5 -58
  181. package/tools/cli/commands/doctor.js +2 -0
  182. package/tools/cli/commands/install.js +9 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +26 -41
  185. package/tools/cli/commands/uninstall.js +7 -4
  186. package/tools/cli/commands/update.js +2 -1
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +114 -114
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +45 -0
@@ -1,280 +1,280 @@
1
- # EAR Export Compliance Programme, Enforcement, and Special Rules
2
-
3
- ## Export Compliance Programme (ECP) — BIS Seven Elements
4
-
5
- BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
-
7
- ### Element 1 — Management Commitment
8
-
9
- - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
- - Written, board-approved export compliance policy signed by senior officer
11
- - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
- - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
- - Annual certification to the board that the ECP is operating effectively
14
-
15
- **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
-
17
- ### Element 2 — Risk Assessment
18
-
19
- - Identify all products, software, and technology subject to EAR
20
- - Classify each item: ECCN or EAR99 (document the classification rationale)
21
- - Identify all business units, geographies, and transaction types
22
- - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
- - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
-
25
- **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
-
27
- ### Element 3 — Written Policies and Procedures
28
-
29
- - Written, procedure-level guidance for each process that touches exports:
30
- - Customer onboarding and restricted party screening
31
- - Order acceptance and fulfilment (sales, finance, logistics)
32
- - ECCN classification and update trigger
33
- - Licence application and management
34
- - Employee travel with controlled items/technology
35
- - Hiring of foreign nationals (deemed export screening)
36
- - Distributor/reseller programme requirements
37
- - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
-
39
- ### Element 4 — Training and Awareness
40
-
41
- - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
- - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
- - Annual refresher training with sign-off acknowledgement
44
- - Training records retained for 5 years
45
- - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
-
47
- **Topics for engineers and developers:**
48
- - Deemed exports: sharing controlled source code with foreign national colleagues
49
- - Cloud platforms and access controls for controlled technology
50
- - Open-source publication — fundamental research exemption vs. EAR controls on software
51
-
52
- ### Element 5 — Restricted Party Screening
53
-
54
- - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
- - Minimum lists to screen against:
56
- - BIS Denied Persons List
57
- - BIS Entity List
58
- - BIS Unverified List
59
- - BIS Military End-User (MEU) List
60
- - State Department Debarred List (DDTC)
61
- - OFAC SDN List
62
- - OFAC Consolidated Sanctions List
63
- - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
- - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
-
66
- **Screening cadence for ongoing relationships:**
67
- - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
- - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
-
70
- **Handling a match:**
71
- 1. Do not ship or service the order
72
- 2. Escalate to ECO/legal immediately
73
- 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
- 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
- 5. Document the match, review, and outcome
76
-
77
- ### Element 6 — Due Diligence (Know Your Customer)
78
-
79
- - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
- - For high-risk transactions, obtain:
81
- - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
- - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
- - **Distributor Management: assurances that downstream sales comply with EAR**
84
- - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
- - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
-
87
- ### Element 7 — Recordkeeping and Audits
88
-
89
- - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
- - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
- - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
- - Annual internal ECP audit or review
93
- - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
-
95
- ---
96
-
97
- ## Enforcement Regime
98
-
99
- ### Office of Export Enforcement (OEE)
100
-
101
- BIS's enforcement arm investigates violations through:
102
- - **Special Agents** conducting criminal investigations
103
- - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
- - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
-
106
- ### Civil Penalties (§ 764.3, Part 766)
107
-
108
- | Violation Type | Maximum Penalty |
109
- |---------------|----------------|
110
- | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
- | Egregious violations | Higher penalties; may approach statutory maximum |
112
- | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
-
114
- **Penalty determination factors (Part 766, Supplement 1):**
115
- - Willfulness (did the violator know it was a violation?)
116
- - Nature of the item (weapons-relevant, dual-use, EAR99)
117
- - Harm to US national security or foreign policy interests
118
- - Compliance programme quality (strong ECP = significant mitigation)
119
- - Remedial action taken
120
- - Cooperation with OEE
121
-
122
- **Base penalty matrix** (post-September 2024 rule change):
123
- - BIS removed caps that previously limited penalties below statutory maximums
124
- - Penalties now more directly reflect transaction value, particularly for egregious cases
125
- - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
-
127
- ### Criminal Penalties (§ 764.2)
128
-
129
- Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
- - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
- - **Corporations:** Fines up to $1 million per violation (per count)
132
- - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
-
134
- ### Export Denial Orders (EDOs)
135
-
136
- BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
- - EDOs are published in the Federal Register and placed on the Denied Persons List
138
- - Third parties are prohibited from participating in any transaction involving a denied person
139
- - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
-
141
- ---
142
-
143
- ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
-
145
- ### What is a VSD?
146
-
147
- A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
-
149
- ### When to File
150
-
151
- File a VSD when you discover:
152
- - Items shipped without a required licence
153
- - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
- - Incorrect ECCN used that resulted in an unlicensed shipment
155
- - SNAP-R licence conditions violated
156
- - Prohibited end-use found post-shipment
157
-
158
- ### VSD Process
159
-
160
- 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
- 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
- 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
- - Detailed narrative of the facts
164
- - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
- - Root cause analysis
166
- - Remedial actions already taken
167
- - Proposed corrective actions
168
- 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
- 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
-
171
- ### VSD Penalty Mitigation
172
-
173
- - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
- - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
- - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
-
177
- ---
178
-
179
- ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
-
181
- ### General FDPR (§ 736.2(b)(3))
182
-
183
- Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
-
185
- **Test:** Two-prong test:
186
- 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
- 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
-
189
- ### Entity List FDPR (2020 — Huawei Rule)
190
-
191
- Extended the FDPR to capture foreign-made items when:
192
- 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
- 2. AND the item is destined for a party on the Entity List
194
-
195
- Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
-
197
- ### Advanced Computing FDPR (October 2022 / October 2023)
198
-
199
- Captures items produced with US wafer fabrication equipment destined for:
200
- - China or Macau for use in advanced computing applications above threshold
201
- - Any Entity List party
202
-
203
- ### Russia/Belarus FDPR (March 2022)
204
-
205
- Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
-
207
- ---
208
-
209
- ## Deemed Export Rules — Compliance Programme Implications
210
-
211
- ### What Constitutes a Deemed Export
212
-
213
- Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
- - Visual inspection of controlled hardware
215
- - Providing access to controlled equipment
216
- - Oral, written, or electronic transmission of controlled technical data
217
- - Demonstration of controlled software
218
-
219
- ### Nationality Rule
220
-
221
- BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
- - Apply the nationality that requires the most restrictive licensing treatment
223
- - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
-
225
- ### Practical Compliance Steps
226
-
227
- 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
- 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
- 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
- 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
- 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
- 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
-
234
- ---
235
-
236
- ## SNAP-R — Licensing Portal Guidance
237
-
238
- **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
-
240
- **Forms filed through SNAP-R:**
241
- - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
- - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
- - BIS-748P-B: Supplement for end-user statement attachments
244
- - BIS-711: Statement by Ultimate Consignee and Purchaser
245
-
246
- **SNAP-R Best Practices:**
247
- - Submit complete applications — missing technical data is the #1 cause of delay
248
- - Include end-use statements and supporting technical documentation proactively
249
- - Track licence expiration dates and re-apply at least 60 days before expiry
250
- - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
- - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
-
253
- ---
254
-
255
- ## EAR Recordkeeping Quick Reference
256
-
257
- | Document Type | Retention Period | Format |
258
- |---------------|-----------------|--------|
259
- | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
- | Bills of lading, air waybills | 5 years | Any |
261
- | EEI/AES filings | 5 years | Any |
262
- | Licence applications and approvals | 5 years from expiry/completion | Any |
263
- | Licence exception documentation | 5 years from export | Any |
264
- | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
- | End-user statements and certifications | 5 years | Any |
266
- | ECCN classification records | 5 years from last export of item | Any |
267
- | VSD submissions and correspondence | Permanently | Any |
268
-
269
- ---
270
-
271
- ## Compliance Programme Maturity Assessment
272
-
273
- | Level | Characteristics |
274
- |-------|----------------|
275
- | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
- | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
- | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
- | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
-
280
- BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
1
+ # EAR Export Compliance Programme, Enforcement, and Special Rules
2
+
3
+ ## Export Compliance Programme (ECP) — BIS Seven Elements
4
+
5
+ BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
6
+
7
+ ### Element 1 — Management Commitment
8
+
9
+ - Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
10
+ - Written, board-approved export compliance policy signed by senior officer
11
+ - Compliance resources: dedicated ECP staff, compliance counsel, budget
12
+ - Export Control Officer (ECO) or Export Compliance Manager designated in writing
13
+ - Annual certification to the board that the ECP is operating effectively
14
+
15
+ **Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
16
+
17
+ ### Element 2 — Risk Assessment
18
+
19
+ - Identify all products, software, and technology subject to EAR
20
+ - Classify each item: ECCN or EAR99 (document the classification rationale)
21
+ - Identify all business units, geographies, and transaction types
22
+ - Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
23
+ - Maintain a classification database tied to product lifecycle (new products re-classified before launch)
24
+
25
+ **ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
26
+
27
+ ### Element 3 — Written Policies and Procedures
28
+
29
+ - Written, procedure-level guidance for each process that touches exports:
30
+ - Customer onboarding and restricted party screening
31
+ - Order acceptance and fulfilment (sales, finance, logistics)
32
+ - ECCN classification and update trigger
33
+ - Licence application and management
34
+ - Employee travel with controlled items/technology
35
+ - Hiring of foreign nationals (deemed export screening)
36
+ - Distributor/reseller programme requirements
37
+ - Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
38
+
39
+ ### Element 4 — Training and Awareness
40
+
41
+ - Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
42
+ - Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
43
+ - Annual refresher training with sign-off acknowledgement
44
+ - Training records retained for 5 years
45
+ - Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
46
+
47
+ **Topics for engineers and developers:**
48
+ - Deemed exports: sharing controlled source code with foreign national colleagues
49
+ - Cloud platforms and access controls for controlled technology
50
+ - Open-source publication — fundamental research exemption vs. EAR controls on software
51
+
52
+ ### Element 5 — Restricted Party Screening
53
+
54
+ - Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
55
+ - Minimum lists to screen against:
56
+ - BIS Denied Persons List
57
+ - BIS Entity List
58
+ - BIS Unverified List
59
+ - BIS Military End-User (MEU) List
60
+ - State Department Debarred List (DDTC)
61
+ - OFAC SDN List
62
+ - OFAC Consolidated Sanctions List
63
+ - **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
64
+ - Screen at time of: quote/order acceptance, before each shipment, and when parties change
65
+
66
+ **Screening cadence for ongoing relationships:**
67
+ - Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
68
+ - Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
69
+
70
+ **Handling a match:**
71
+ 1. Do not ship or service the order
72
+ 2. Escalate to ECO/legal immediately
73
+ 3. Determine if the match is a true hit or false positive (similar name, different entity)
74
+ 4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
75
+ 5. Document the match, review, and outcome
76
+
77
+ ### Element 6 — Due Diligence (Know Your Customer)
78
+
79
+ - Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
80
+ - For high-risk transactions, obtain:
81
+ - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
82
+ - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
83
+ - **Distributor Management: assurances that downstream sales comply with EAR**
84
+ - Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
85
+ - **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
86
+
87
+ ### Element 7 — Recordkeeping and Audits
88
+
89
+ - Retain all export-related records for **5 years** from the date of export (§ 762.6)
90
+ - Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
91
+ - Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
92
+ - Annual internal ECP audit or review
93
+ - Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
94
+
95
+ ---
96
+
97
+ ## Enforcement Regime
98
+
99
+ ### Office of Export Enforcement (OEE)
100
+
101
+ BIS's enforcement arm investigates violations through:
102
+ - **Special Agents** conducting criminal investigations
103
+ - **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
104
+ - **Administrative investigations** by the Office of Chief Counsel (OCC)
105
+
106
+ ### Civil Penalties (§ 764.3, Part 766)
107
+
108
+ | Violation Type | Maximum Penalty |
109
+ |---------------|----------------|
110
+ | Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
111
+ | Egregious violations | Higher penalties; may approach statutory maximum |
112
+ | Denial of export privileges | Temporary or permanent denial of all export privileges |
113
+
114
+ **Penalty determination factors (Part 766, Supplement 1):**
115
+ - Willfulness (did the violator know it was a violation?)
116
+ - Nature of the item (weapons-relevant, dual-use, EAR99)
117
+ - Harm to US national security or foreign policy interests
118
+ - Compliance programme quality (strong ECP = significant mitigation)
119
+ - Remedial action taken
120
+ - Cooperation with OEE
121
+
122
+ **Base penalty matrix** (post-September 2024 rule change):
123
+ - BIS removed caps that previously limited penalties below statutory maximums
124
+ - Penalties now more directly reflect transaction value, particularly for egregious cases
125
+ - Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
126
+
127
+ ### Criminal Penalties (§ 764.2)
128
+
129
+ Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
130
+ - **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
131
+ - **Corporations:** Fines up to $1 million per violation (per count)
132
+ - Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
133
+
134
+ ### Export Denial Orders (EDOs)
135
+
136
+ BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
137
+ - EDOs are published in the Federal Register and placed on the Denied Persons List
138
+ - Third parties are prohibited from participating in any transaction involving a denied person
139
+ - Scope: US persons everywhere in the world; any person regarding items subject to EAR
140
+
141
+ ---
142
+
143
+ ## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
144
+
145
+ ### What is a VSD?
146
+
147
+ A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
148
+
149
+ ### When to File
150
+
151
+ File a VSD when you discover:
152
+ - Items shipped without a required licence
153
+ - Items shipped to an Entity List, Denied Persons List, or Unverified List party
154
+ - Incorrect ECCN used that resulted in an unlicensed shipment
155
+ - SNAP-R licence conditions violated
156
+ - Prohibited end-use found post-shipment
157
+
158
+ ### VSD Process
159
+
160
+ 1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
161
+ 2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
162
+ 3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
163
+ - Detailed narrative of the facts
164
+ - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
165
+ - Root cause analysis
166
+ - Remedial actions already taken
167
+ - Proposed corrective actions
168
+ 4. **OEE Review:** May request additional information; may conduct End-Use Checks
169
+ 5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
170
+
171
+ ### VSD Penalty Mitigation
172
+
173
+ - VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
174
+ - Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
175
+ - Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
176
+
177
+ ---
178
+
179
+ ## Foreign Direct Product Rule (FDPR) — Deep Dive
180
+
181
+ ### General FDPR (§ 736.2(b)(3))
182
+
183
+ Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
184
+
185
+ **Test:** Two-prong test:
186
+ 1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
187
+ 2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
188
+
189
+ ### Entity List FDPR (2020 — Huawei Rule)
190
+
191
+ Extended the FDPR to capture foreign-made items when:
192
+ 1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
193
+ 2. AND the item is destined for a party on the Entity List
194
+
195
+ Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
196
+
197
+ ### Advanced Computing FDPR (October 2022 / October 2023)
198
+
199
+ Captures items produced with US wafer fabrication equipment destined for:
200
+ - China or Macau for use in advanced computing applications above threshold
201
+ - Any Entity List party
202
+
203
+ ### Russia/Belarus FDPR (March 2022)
204
+
205
+ Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
206
+
207
+ ---
208
+
209
+ ## Deemed Export Rules — Compliance Programme Implications
210
+
211
+ ### What Constitutes a Deemed Export
212
+
213
+ Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
214
+ - Visual inspection of controlled hardware
215
+ - Providing access to controlled equipment
216
+ - Oral, written, or electronic transmission of controlled technical data
217
+ - Demonstration of controlled software
218
+
219
+ ### Nationality Rule
220
+
221
+ BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
222
+ - Apply the nationality that requires the most restrictive licensing treatment
223
+ - Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
224
+
225
+ ### Practical Compliance Steps
226
+
227
+ 1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
228
+ 2. **Classification Review:** Determine which technologies the employee will access; classify each
229
+ 3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
230
+ 4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
231
+ 5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
232
+ 6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
233
+
234
+ ---
235
+
236
+ ## SNAP-R — Licensing Portal Guidance
237
+
238
+ **URL:** snap-r.bis.doc.gov (requires free BIS account)
239
+
240
+ **Forms filed through SNAP-R:**
241
+ - BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
242
+ - BIS-748P-A: Supplement for encryption review notifications (ENC exception)
243
+ - BIS-748P-B: Supplement for end-user statement attachments
244
+ - BIS-711: Statement by Ultimate Consignee and Purchaser
245
+
246
+ **SNAP-R Best Practices:**
247
+ - Submit complete applications — missing technical data is the #1 cause of delay
248
+ - Include end-use statements and supporting technical documentation proactively
249
+ - Track licence expiration dates and re-apply at least 60 days before expiry
250
+ - For time-sensitive transactions: contact the relevant BIS division directly after submission
251
+ - Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
252
+
253
+ ---
254
+
255
+ ## EAR Recordkeeping Quick Reference
256
+
257
+ | Document Type | Retention Period | Format |
258
+ |---------------|-----------------|--------|
259
+ | Commercial invoices, purchase orders | 5 years from export date | Any readable format |
260
+ | Bills of lading, air waybills | 5 years | Any |
261
+ | EEI/AES filings | 5 years | Any |
262
+ | Licence applications and approvals | 5 years from expiry/completion | Any |
263
+ | Licence exception documentation | 5 years from export | Any |
264
+ | Restricted party screening records | 5 years | Recommended: dated screenshots |
265
+ | End-user statements and certifications | 5 years | Any |
266
+ | ECCN classification records | 5 years from last export of item | Any |
267
+ | VSD submissions and correspondence | Permanently | Any |
268
+
269
+ ---
270
+
271
+ ## Compliance Programme Maturity Assessment
272
+
273
+ | Level | Characteristics |
274
+ |-------|----------------|
275
+ | **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
276
+ | **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
277
+ | **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
278
+ | **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
279
+
280
+ BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.