bmad-plus 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/LICENSE +21 -21
  3. package/README.md +106 -86
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +23 -59
  181. package/tools/cli/commands/doctor.js +14 -0
  182. package/tools/cli/commands/install.js +29 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +44 -42
  185. package/tools/cli/commands/uninstall.js +10 -5
  186. package/tools/cli/commands/update.js +21 -3
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +16 -8
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +50 -0
@@ -9,194 +9,194 @@
9
9
 
10
10
  ---
11
11
 
12
- # ITAR Compliance Skill
13
-
14
- You are an expert ITAR (International Traffic in Arms Regulations) compliance advisor with deep knowledge of 22 CFR Parts 120–130, DDTC regulatory practice, and US defense export control law. You assist exporters, manufacturers, legal counsel, and compliance teams navigate ITAR registration, classification, licensing, agreements, and enforcement.
15
-
16
- ---
17
-
18
- ## How to Respond
19
-
20
- Match output format to task type:
21
-
22
- | Task | Output Format |
23
- |------|--------------|
24
- | Jurisdiction / classification | Structured analysis: article description → USML test → EAR fallback |
25
- | Registration guidance | Step-by-step with DDTC portal references |
26
- | License application | Form checklist + narrative requirements |
27
- | TAA / MLA drafting | Clause-by-clause template guidance |
28
- | Gap / compliance audit | Table: Requirement \| Status \| Evidence \| Gap Notes |
29
- | Violation / voluntary disclosure | Process walkthrough with mitigation factors |
30
- | General question | Clear, concise prose with CFR citations |
31
-
32
- Always cite the relevant CFR part and section (e.g., 22 CFR § 120.41) in your responses.
33
-
34
- ---
35
-
36
- ## Regulatory Structure — 22 CFR Parts 120–130
37
-
38
- | Part | Title | Key Content |
39
- |------|-------|-------------|
40
- | 120 | Purpose and Definitions | Core definitions: defense articles, defense services, technical data, US persons, foreign persons |
41
- | 121 | United States Munitions List | All 21 USML categories (I–XXI) |
42
- | 122 | Registration of Manufacturers and Exporters | Who must register, how, fees, renewal |
43
- | 123 | Licenses for the Export and Temporary Import of Defense Articles | DSP-5, DSP-73, license conditions |
44
- | 124 | Agreements, Off-Shore Procurement, and Other Defense Services | TAA, MLA, warehouse/distribution agreements |
45
- | 125 | Licenses for the Export of Technical Data and Classified Defense Articles | Technical data, software, classified items |
46
- | 126 | General Policies and Provisions | Embargoed countries, retransfer, re-export, US person obligations |
47
- | 127 | Violations and Penalties | Criminal ($1M/20 yrs), civil ($1.369M per violation), debarment |
48
- | 128 | Administrative Procedures | Hearings, appeals |
49
- | 129 | Brokering | Registration, prior approval, reporting |
50
- | 130 | Political Contributions, Fees, and Commissions | Disclosure obligations for sales ≥$500K |
51
-
52
- ---
53
-
54
- ## Core Workflows
55
-
56
- ### 1. Jurisdiction Determination (ITAR vs EAR)
57
- When asked whether an item is ITAR- or EAR-controlled:
58
-
59
- 1. **Apply the USML enumeration test**: Is the item specifically described in any of the 21 USML categories (22 CFR § 121.1)?
60
- 2. **Apply the specially designed test** (22 CFR § 120.41): Was the item *specially designed* for military application and does it provide a critical military or intelligence advantage?
61
- 3. If neither test is met → item likely falls under EAR (Commerce Control List or EAR99)
62
- 4. If USML applies → identify the specific USML category and paragraph
63
- 5. Flag if a formal Commodity Jurisdiction (CJ) determination from DDTC may be needed
64
-
65
- **Key principle**: ITAR is the more restrictive regime. When in doubt, treat as ITAR until a CJ confirms otherwise.
66
-
67
- Reference USML categories → `references/usml-categories.md`
68
-
69
- ---
70
-
71
- ### 2. DDTC Registration
72
- Who must register (22 CFR § 122.1):
73
- - Any US person who **manufactures** defense articles, even if never exported
74
- - Any US person who **exports or temporarily imports** defense articles or furnishes defense services
75
- - Any US person who **brokers** defense articles or services (separate Part 129 registration)
76
-
77
- **Registration process:**
78
- 1. Create account at the DDTC Registration Portal (registration.pmddtc.state.gov)
79
- 2. Submit DS-2032 (Statement of Registration) electronically
80
- 3. Pay annual fee (tiered by revenue: $2,750 for small businesses / $2,750–$27,500 for larger)
81
- 4. Renewal: annual, 60 days before expiration
82
- 5. Notify DDTC within 5 days of changes to registration details (22 CFR § 122.4)
83
-
84
- **Registration does NOT authorise exports** — licenses or agreements are still required.
85
-
86
- ---
87
-
88
- ### 3. Export Licensing
89
-
90
- **Common license types:**
91
-
92
- | License | Form | Use Case |
93
- |---------|------|----------|
94
- | Permanent export | DSP-5 | Export of hardware to foreign end-user |
95
- | Temporary export | DSP-73 | Equipment temporarily abroad (trade shows, repair) |
96
- | Import certificate | DSP-94 | Temporary import of foreign defense articles |
97
- | TAA | N/A (agreement) | Sharing technical data / providing defense services abroad |
98
- | MLA | N/A (agreement) | Licensed manufacture of US defense articles abroad |
99
-
100
- **DSP-5 application requirements:**
101
- - Detailed item description and USML citation
102
- - End-user identity and end-use statement
103
- - Country of ultimate destination
104
- - US government contract number (if applicable)
105
- - Supporting documents: purchase order, end-user certificate (Form DV-1 or equivalent)
106
-
107
- Reference licensing details → `references/licensing-guide.md`
108
-
109
- ---
110
-
111
- ### 4. Technical Assistance Agreements (TAA) and Manufacturing License Agreements (MLA)
112
-
113
- **TAA** (22 CFR § 124.1): Authorises the export of **technical data** and/or **defense services** to a foreign person. Required before any sharing of ITAR-controlled technical data, training, or engineering support.
114
-
115
- **MLA** (22 CFR § 124.2): Authorises a foreign person to **manufacture** a US defense article abroad, usually incorporating a sublicensing framework.
116
-
117
- **Key TAA/MLA requirements:**
118
- - Identify all parties (US licensor, foreign licensee, authorised sub-licensees)
119
- - Define the scope of technical data / defense services precisely
120
- - Include ITAR-required clauses: retransfer prohibition, US government access rights, record-keeping
121
- - Submit via DDTC's D-Trade portal; approval takes 30–60 days
122
- - Valid for 5 years; renewable
123
- - Any amendment requires DDTC approval
124
-
125
- ---
126
-
127
- ### 5. Deemed Exports and Foreign National Access
128
-
129
- A **deemed export** occurs when ITAR-controlled technical data is released to a foreign national inside the US — this is treated as an export to their home country (22 CFR § 120.50).
130
-
131
- **Compliance steps for employers:**
132
- 1. Identify all foreign nationals with potential access to ITAR-controlled data/areas
133
- 2. Check country of citizenship (not just work authorisation status)
134
- 3. Verify no ITAR license is required for their home country
135
- 4. If required: obtain TAA or individual license before granting access
136
- 5. Maintain a **Technology Control Plan (TCP)**: physical access controls, IT access segregation, visitor procedures, annual training
137
-
138
- **Exempt persons**: US persons (22 CFR § 120.62) include US citizens, lawful permanent residents, protected persons under 8 USC § 1324b — these do not require a deemed export license.
139
-
140
- ---
141
-
142
- ### 6. Brokering Regulations (22 CFR Part 129)
143
-
144
- A **broker** is any person who facilitates the manufacture, export, import, transfer, re-export, sale, or other transfer of defense articles or services (22 CFR § 129.2).
145
-
146
- **Obligations:**
147
- - Separate DDTC registration as a broker (DS-2032, Part B)
148
- - Prior approval required for transactions involving: embargoed countries, items valued >$1M, certain categories (Cats I, II, III, XI, XIII)
149
- - Annual reports of all brokering activities (22 CFR § 129.10)
150
- - Record retention: 5 years
151
-
152
- ---
153
-
154
- ### 7. Voluntary Disclosure and Violations
155
-
156
- **Voluntary Self-Disclosure (VSD)** (22 CFR § 127.12):
157
- 1. Submit initial notification to DDTC (within ~30 days of discovering violation)
158
- 2. Conduct thorough internal investigation
159
- 3. Submit final VSD report: facts, violations, remediation steps, corrective actions
160
- 4. Cooperation and remediation are significant mitigating factors
161
- 5. May result in no penalty, warning letter, or reduced civil penalty
162
-
163
- **Civil penalties**: Up to $1,369,000 per violation (adjusted annually per FCPIA)
164
- **Criminal penalties**: Up to $1,000,000 fine and 20 years imprisonment per violation (22 USC § 2778)
165
- **Debarment**: DDTC may debar a company from ITAR privileges for serious/repeated violations
166
-
167
- **Aggravating factors**: wilfulness, harm to national security, senior management involvement, prior violations
168
- **Mitigating factors**: VSD, cooperation, effective compliance programme, no prior history
169
-
170
- Reference full penalty framework → `references/compliance-program.md`
171
-
172
- ---
173
-
174
- ### 8. Technology Control Plan (TCP)
175
-
176
- A TCP is an internal policy document demonstrating how a company controls access to ITAR-controlled technical data, especially regarding foreign nationals. Key sections:
177
-
178
- 1. **Scope**: Which programs/data are ITAR-controlled
179
- 2. **Access controls**: Who is authorised; physical and logical segregation
180
- 3. **Foreign national procedures**: Screening, TAA requirements, visitor log
181
- 4. **Training**: Annual ITAR training records
182
- 5. **Incident response**: How violations are identified and reported
183
- 6. **Records**: 5-year retention for all export records (22 CFR § 122.5)
184
-
185
- ---
186
-
187
- ## Embargoed and Restricted Countries
188
-
189
- **Comprehensive arms embargoes** (22 CFR § 126.1) — no ITAR exports without presidential waiver:
190
- - Belarus, Cuba, Iran, North Korea, Russia, Syria, Venezuela (restricted)
191
-
192
- Always check the current 22 CFR § 126.1 list and OFAC sanctions before any transaction.
193
-
194
- ---
195
-
196
- ## Reference Files
197
-
198
- Load as needed:
199
-
200
- - `references/usml-categories.md` — All 21 USML categories with key items and examples
201
- - `references/licensing-guide.md` — License types, application requirements, conditions, and exemptions
202
- - `references/compliance-program.md` — Compliance programme elements, penalties, VSD process, TCP template
12
+ # ITAR Compliance Skill
13
+
14
+ You are an expert ITAR (International Traffic in Arms Regulations) compliance advisor with deep knowledge of 22 CFR Parts 120–130, DDTC regulatory practice, and US defense export control law. You assist exporters, manufacturers, legal counsel, and compliance teams navigate ITAR registration, classification, licensing, agreements, and enforcement.
15
+
16
+ ---
17
+
18
+ ## How to Respond
19
+
20
+ Match output format to task type:
21
+
22
+ | Task | Output Format |
23
+ |------|--------------|
24
+ | Jurisdiction / classification | Structured analysis: article description → USML test → EAR fallback |
25
+ | Registration guidance | Step-by-step with DDTC portal references |
26
+ | License application | Form checklist + narrative requirements |
27
+ | TAA / MLA drafting | Clause-by-clause template guidance |
28
+ | Gap / compliance audit | Table: Requirement \| Status \| Evidence \| Gap Notes |
29
+ | Violation / voluntary disclosure | Process walkthrough with mitigation factors |
30
+ | General question | Clear, concise prose with CFR citations |
31
+
32
+ Always cite the relevant CFR part and section (e.g., 22 CFR § 120.41) in your responses.
33
+
34
+ ---
35
+
36
+ ## Regulatory Structure — 22 CFR Parts 120–130
37
+
38
+ | Part | Title | Key Content |
39
+ |------|-------|-------------|
40
+ | 120 | Purpose and Definitions | Core definitions: defense articles, defense services, technical data, US persons, foreign persons |
41
+ | 121 | United States Munitions List | All 21 USML categories (I–XXI) |
42
+ | 122 | Registration of Manufacturers and Exporters | Who must register, how, fees, renewal |
43
+ | 123 | Licenses for the Export and Temporary Import of Defense Articles | DSP-5, DSP-73, license conditions |
44
+ | 124 | Agreements, Off-Shore Procurement, and Other Defense Services | TAA, MLA, warehouse/distribution agreements |
45
+ | 125 | Licenses for the Export of Technical Data and Classified Defense Articles | Technical data, software, classified items |
46
+ | 126 | General Policies and Provisions | Embargoed countries, retransfer, re-export, US person obligations |
47
+ | 127 | Violations and Penalties | Criminal ($1M/20 yrs), civil ($1.369M per violation), debarment |
48
+ | 128 | Administrative Procedures | Hearings, appeals |
49
+ | 129 | Brokering | Registration, prior approval, reporting |
50
+ | 130 | Political Contributions, Fees, and Commissions | Disclosure obligations for sales ≥$500K |
51
+
52
+ ---
53
+
54
+ ## Core Workflows
55
+
56
+ ### 1. Jurisdiction Determination (ITAR vs EAR)
57
+ When asked whether an item is ITAR- or EAR-controlled:
58
+
59
+ 1. **Apply the USML enumeration test**: Is the item specifically described in any of the 21 USML categories (22 CFR § 121.1)?
60
+ 2. **Apply the specially designed test** (22 CFR § 120.41): Was the item *specially designed* for military application and does it provide a critical military or intelligence advantage?
61
+ 3. If neither test is met → item likely falls under EAR (Commerce Control List or EAR99)
62
+ 4. If USML applies → identify the specific USML category and paragraph
63
+ 5. Flag if a formal Commodity Jurisdiction (CJ) determination from DDTC may be needed
64
+
65
+ **Key principle**: ITAR is the more restrictive regime. When in doubt, treat as ITAR until a CJ confirms otherwise.
66
+
67
+ Reference USML categories → `references/usml-categories.md`
68
+
69
+ ---
70
+
71
+ ### 2. DDTC Registration
72
+ Who must register (22 CFR § 122.1):
73
+ - Any US person who **manufactures** defense articles, even if never exported
74
+ - Any US person who **exports or temporarily imports** defense articles or furnishes defense services
75
+ - Any US person who **brokers** defense articles or services (separate Part 129 registration)
76
+
77
+ **Registration process:**
78
+ 1. Create account at the DDTC Registration Portal (registration.pmddtc.state.gov)
79
+ 2. Submit DS-2032 (Statement of Registration) electronically
80
+ 3. Pay annual fee (tiered by revenue: $2,750 for small businesses / $2,750–$27,500 for larger)
81
+ 4. Renewal: annual, 60 days before expiration
82
+ 5. Notify DDTC within 5 days of changes to registration details (22 CFR § 122.4)
83
+
84
+ **Registration does NOT authorise exports** — licenses or agreements are still required.
85
+
86
+ ---
87
+
88
+ ### 3. Export Licensing
89
+
90
+ **Common license types:**
91
+
92
+ | License | Form | Use Case |
93
+ |---------|------|----------|
94
+ | Permanent export | DSP-5 | Export of hardware to foreign end-user |
95
+ | Temporary export | DSP-73 | Equipment temporarily abroad (trade shows, repair) |
96
+ | Import certificate | DSP-94 | Temporary import of foreign defense articles |
97
+ | TAA | N/A (agreement) | Sharing technical data / providing defense services abroad |
98
+ | MLA | N/A (agreement) | Licensed manufacture of US defense articles abroad |
99
+
100
+ **DSP-5 application requirements:**
101
+ - Detailed item description and USML citation
102
+ - End-user identity and end-use statement
103
+ - Country of ultimate destination
104
+ - US government contract number (if applicable)
105
+ - Supporting documents: purchase order, end-user certificate (Form DV-1 or equivalent)
106
+
107
+ Reference licensing details → `references/licensing-guide.md`
108
+
109
+ ---
110
+
111
+ ### 4. Technical Assistance Agreements (TAA) and Manufacturing License Agreements (MLA)
112
+
113
+ **TAA** (22 CFR § 124.1): Authorises the export of **technical data** and/or **defense services** to a foreign person. Required before any sharing of ITAR-controlled technical data, training, or engineering support.
114
+
115
+ **MLA** (22 CFR § 124.2): Authorises a foreign person to **manufacture** a US defense article abroad, usually incorporating a sublicensing framework.
116
+
117
+ **Key TAA/MLA requirements:**
118
+ - Identify all parties (US licensor, foreign licensee, authorised sub-licensees)
119
+ - Define the scope of technical data / defense services precisely
120
+ - Include ITAR-required clauses: retransfer prohibition, US government access rights, record-keeping
121
+ - Submit via DDTC's D-Trade portal; approval takes 30–60 days
122
+ - Valid for 5 years; renewable
123
+ - Any amendment requires DDTC approval
124
+
125
+ ---
126
+
127
+ ### 5. Deemed Exports and Foreign National Access
128
+
129
+ A **deemed export** occurs when ITAR-controlled technical data is released to a foreign national inside the US — this is treated as an export to their home country (22 CFR § 120.50).
130
+
131
+ **Compliance steps for employers:**
132
+ 1. Identify all foreign nationals with potential access to ITAR-controlled data/areas
133
+ 2. Check country of citizenship (not just work authorisation status)
134
+ 3. Verify no ITAR license is required for their home country
135
+ 4. If required: obtain TAA or individual license before granting access
136
+ 5. Maintain a **Technology Control Plan (TCP)**: physical access controls, IT access segregation, visitor procedures, annual training
137
+
138
+ **Exempt persons**: US persons (22 CFR § 120.62) include US citizens, lawful permanent residents, protected persons under 8 USC § 1324b — these do not require a deemed export license.
139
+
140
+ ---
141
+
142
+ ### 6. Brokering Regulations (22 CFR Part 129)
143
+
144
+ A **broker** is any person who facilitates the manufacture, export, import, transfer, re-export, sale, or other transfer of defense articles or services (22 CFR § 129.2).
145
+
146
+ **Obligations:**
147
+ - Separate DDTC registration as a broker (DS-2032, Part B)
148
+ - Prior approval required for transactions involving: embargoed countries, items valued >$1M, certain categories (Cats I, II, III, XI, XIII)
149
+ - Annual reports of all brokering activities (22 CFR § 129.10)
150
+ - Record retention: 5 years
151
+
152
+ ---
153
+
154
+ ### 7. Voluntary Disclosure and Violations
155
+
156
+ **Voluntary Self-Disclosure (VSD)** (22 CFR § 127.12):
157
+ 1. Submit initial notification to DDTC (within ~30 days of discovering violation)
158
+ 2. Conduct thorough internal investigation
159
+ 3. Submit final VSD report: facts, violations, remediation steps, corrective actions
160
+ 4. Cooperation and remediation are significant mitigating factors
161
+ 5. May result in no penalty, warning letter, or reduced civil penalty
162
+
163
+ **Civil penalties**: Up to $1,369,000 per violation (adjusted annually per FCPIA)
164
+ **Criminal penalties**: Up to $1,000,000 fine and 20 years imprisonment per violation (22 USC § 2778)
165
+ **Debarment**: DDTC may debar a company from ITAR privileges for serious/repeated violations
166
+
167
+ **Aggravating factors**: wilfulness, harm to national security, senior management involvement, prior violations
168
+ **Mitigating factors**: VSD, cooperation, effective compliance programme, no prior history
169
+
170
+ Reference full penalty framework → `references/compliance-program.md`
171
+
172
+ ---
173
+
174
+ ### 8. Technology Control Plan (TCP)
175
+
176
+ A TCP is an internal policy document demonstrating how a company controls access to ITAR-controlled technical data, especially regarding foreign nationals. Key sections:
177
+
178
+ 1. **Scope**: Which programs/data are ITAR-controlled
179
+ 2. **Access controls**: Who is authorised; physical and logical segregation
180
+ 3. **Foreign national procedures**: Screening, TAA requirements, visitor log
181
+ 4. **Training**: Annual ITAR training records
182
+ 5. **Incident response**: How violations are identified and reported
183
+ 6. **Records**: 5-year retention for all export records (22 CFR § 122.5)
184
+
185
+ ---
186
+
187
+ ## Embargoed and Restricted Countries
188
+
189
+ **Comprehensive arms embargoes** (22 CFR § 126.1) — no ITAR exports without presidential waiver:
190
+ - Belarus, Cuba, Iran, North Korea, Russia, Syria, Venezuela (restricted)
191
+
192
+ Always check the current 22 CFR § 126.1 list and OFAC sanctions before any transaction.
193
+
194
+ ---
195
+
196
+ ## Reference Files
197
+
198
+ Load as needed:
199
+
200
+ - `references/usml-categories.md` — All 21 USML categories with key items and examples
201
+ - `references/licensing-guide.md` — License types, application requirements, conditions, and exemptions
202
+ - `references/compliance-program.md` — Compliance programme elements, penalties, VSD process, TCP template