bmad-plus 0.9.0 → 0.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/LICENSE +21 -21
- package/README.md +106 -86
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +23 -59
- package/tools/cli/commands/doctor.js +14 -0
- package/tools/cli/commands/install.js +29 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +44 -42
- package/tools/cli/commands/uninstall.js +10 -5
- package/tools/cli/commands/update.js +21 -3
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +16 -8
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +50 -0
|
@@ -1,280 +1,280 @@
|
|
|
1
|
-
# EAR Export Compliance Programme, Enforcement, and Special Rules
|
|
2
|
-
|
|
3
|
-
## Export Compliance Programme (ECP) — BIS Seven Elements
|
|
4
|
-
|
|
5
|
-
BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
|
|
6
|
-
|
|
7
|
-
### Element 1 — Management Commitment
|
|
8
|
-
|
|
9
|
-
- Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
|
|
10
|
-
- Written, board-approved export compliance policy signed by senior officer
|
|
11
|
-
- Compliance resources: dedicated ECP staff, compliance counsel, budget
|
|
12
|
-
- Export Control Officer (ECO) or Export Compliance Manager designated in writing
|
|
13
|
-
- Annual certification to the board that the ECP is operating effectively
|
|
14
|
-
|
|
15
|
-
**Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
|
|
16
|
-
|
|
17
|
-
### Element 2 — Risk Assessment
|
|
18
|
-
|
|
19
|
-
- Identify all products, software, and technology subject to EAR
|
|
20
|
-
- Classify each item: ECCN or EAR99 (document the classification rationale)
|
|
21
|
-
- Identify all business units, geographies, and transaction types
|
|
22
|
-
- Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
|
|
23
|
-
- Maintain a classification database tied to product lifecycle (new products re-classified before launch)
|
|
24
|
-
|
|
25
|
-
**ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
|
|
26
|
-
|
|
27
|
-
### Element 3 — Written Policies and Procedures
|
|
28
|
-
|
|
29
|
-
- Written, procedure-level guidance for each process that touches exports:
|
|
30
|
-
- Customer onboarding and restricted party screening
|
|
31
|
-
- Order acceptance and fulfilment (sales, finance, logistics)
|
|
32
|
-
- ECCN classification and update trigger
|
|
33
|
-
- Licence application and management
|
|
34
|
-
- Employee travel with controlled items/technology
|
|
35
|
-
- Hiring of foreign nationals (deemed export screening)
|
|
36
|
-
- Distributor/reseller programme requirements
|
|
37
|
-
- Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
|
|
38
|
-
|
|
39
|
-
### Element 4 — Training and Awareness
|
|
40
|
-
|
|
41
|
-
- Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
|
|
42
|
-
- Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
|
|
43
|
-
- Annual refresher training with sign-off acknowledgement
|
|
44
|
-
- Training records retained for 5 years
|
|
45
|
-
- Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
|
|
46
|
-
|
|
47
|
-
**Topics for engineers and developers:**
|
|
48
|
-
- Deemed exports: sharing controlled source code with foreign national colleagues
|
|
49
|
-
- Cloud platforms and access controls for controlled technology
|
|
50
|
-
- Open-source publication — fundamental research exemption vs. EAR controls on software
|
|
51
|
-
|
|
52
|
-
### Element 5 — Restricted Party Screening
|
|
53
|
-
|
|
54
|
-
- Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
|
|
55
|
-
- Minimum lists to screen against:
|
|
56
|
-
- BIS Denied Persons List
|
|
57
|
-
- BIS Entity List
|
|
58
|
-
- BIS Unverified List
|
|
59
|
-
- BIS Military End-User (MEU) List
|
|
60
|
-
- State Department Debarred List (DDTC)
|
|
61
|
-
- OFAC SDN List
|
|
62
|
-
- OFAC Consolidated Sanctions List
|
|
63
|
-
- **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
|
|
64
|
-
- Screen at time of: quote/order acceptance, before each shipment, and when parties change
|
|
65
|
-
|
|
66
|
-
**Screening cadence for ongoing relationships:**
|
|
67
|
-
- Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
|
|
68
|
-
- Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
|
|
69
|
-
|
|
70
|
-
**Handling a match:**
|
|
71
|
-
1. Do not ship or service the order
|
|
72
|
-
2. Escalate to ECO/legal immediately
|
|
73
|
-
3. Determine if the match is a true hit or false positive (similar name, different entity)
|
|
74
|
-
4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
|
|
75
|
-
5. Document the match, review, and outcome
|
|
76
|
-
|
|
77
|
-
### Element 6 — Due Diligence (Know Your Customer)
|
|
78
|
-
|
|
79
|
-
- Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
|
|
80
|
-
- For high-risk transactions, obtain:
|
|
81
|
-
- **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
|
|
82
|
-
- **Importer Safety Zone (ISZ) Statement** for certain dual-use items
|
|
83
|
-
- **Distributor Management: assurances that downstream sales comply with EAR**
|
|
84
|
-
- Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
|
|
85
|
-
- **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
|
|
86
|
-
|
|
87
|
-
### Element 7 — Recordkeeping and Audits
|
|
88
|
-
|
|
89
|
-
- Retain all export-related records for **5 years** from the date of export (§ 762.6)
|
|
90
|
-
- Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
|
|
91
|
-
- Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
|
|
92
|
-
- Annual internal ECP audit or review
|
|
93
|
-
- Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
|
|
94
|
-
|
|
95
|
-
---
|
|
96
|
-
|
|
97
|
-
## Enforcement Regime
|
|
98
|
-
|
|
99
|
-
### Office of Export Enforcement (OEE)
|
|
100
|
-
|
|
101
|
-
BIS's enforcement arm investigates violations through:
|
|
102
|
-
- **Special Agents** conducting criminal investigations
|
|
103
|
-
- **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
|
|
104
|
-
- **Administrative investigations** by the Office of Chief Counsel (OCC)
|
|
105
|
-
|
|
106
|
-
### Civil Penalties (§ 764.3, Part 766)
|
|
107
|
-
|
|
108
|
-
| Violation Type | Maximum Penalty |
|
|
109
|
-
|---------------|----------------|
|
|
110
|
-
| Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
|
|
111
|
-
| Egregious violations | Higher penalties; may approach statutory maximum |
|
|
112
|
-
| Denial of export privileges | Temporary or permanent denial of all export privileges |
|
|
113
|
-
|
|
114
|
-
**Penalty determination factors (Part 766, Supplement 1):**
|
|
115
|
-
- Willfulness (did the violator know it was a violation?)
|
|
116
|
-
- Nature of the item (weapons-relevant, dual-use, EAR99)
|
|
117
|
-
- Harm to US national security or foreign policy interests
|
|
118
|
-
- Compliance programme quality (strong ECP = significant mitigation)
|
|
119
|
-
- Remedial action taken
|
|
120
|
-
- Cooperation with OEE
|
|
121
|
-
|
|
122
|
-
**Base penalty matrix** (post-September 2024 rule change):
|
|
123
|
-
- BIS removed caps that previously limited penalties below statutory maximums
|
|
124
|
-
- Penalties now more directly reflect transaction value, particularly for egregious cases
|
|
125
|
-
- Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
|
|
126
|
-
|
|
127
|
-
### Criminal Penalties (§ 764.2)
|
|
128
|
-
|
|
129
|
-
Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
|
|
130
|
-
- **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
|
|
131
|
-
- **Corporations:** Fines up to $1 million per violation (per count)
|
|
132
|
-
- Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
|
|
133
|
-
|
|
134
|
-
### Export Denial Orders (EDOs)
|
|
135
|
-
|
|
136
|
-
BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
|
|
137
|
-
- EDOs are published in the Federal Register and placed on the Denied Persons List
|
|
138
|
-
- Third parties are prohibited from participating in any transaction involving a denied person
|
|
139
|
-
- Scope: US persons everywhere in the world; any person regarding items subject to EAR
|
|
140
|
-
|
|
141
|
-
---
|
|
142
|
-
|
|
143
|
-
## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
|
|
144
|
-
|
|
145
|
-
### What is a VSD?
|
|
146
|
-
|
|
147
|
-
A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
|
|
148
|
-
|
|
149
|
-
### When to File
|
|
150
|
-
|
|
151
|
-
File a VSD when you discover:
|
|
152
|
-
- Items shipped without a required licence
|
|
153
|
-
- Items shipped to an Entity List, Denied Persons List, or Unverified List party
|
|
154
|
-
- Incorrect ECCN used that resulted in an unlicensed shipment
|
|
155
|
-
- SNAP-R licence conditions violated
|
|
156
|
-
- Prohibited end-use found post-shipment
|
|
157
|
-
|
|
158
|
-
### VSD Process
|
|
159
|
-
|
|
160
|
-
1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
|
|
161
|
-
2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
|
|
162
|
-
3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
|
|
163
|
-
- Detailed narrative of the facts
|
|
164
|
-
- All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
|
|
165
|
-
- Root cause analysis
|
|
166
|
-
- Remedial actions already taken
|
|
167
|
-
- Proposed corrective actions
|
|
168
|
-
4. **OEE Review:** May request additional information; may conduct End-Use Checks
|
|
169
|
-
5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
|
|
170
|
-
|
|
171
|
-
### VSD Penalty Mitigation
|
|
172
|
-
|
|
173
|
-
- VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
|
|
174
|
-
- Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
|
|
175
|
-
- Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
|
|
176
|
-
|
|
177
|
-
---
|
|
178
|
-
|
|
179
|
-
## Foreign Direct Product Rule (FDPR) — Deep Dive
|
|
180
|
-
|
|
181
|
-
### General FDPR (§ 736.2(b)(3))
|
|
182
|
-
|
|
183
|
-
Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
|
|
184
|
-
|
|
185
|
-
**Test:** Two-prong test:
|
|
186
|
-
1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
|
|
187
|
-
2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
|
|
188
|
-
|
|
189
|
-
### Entity List FDPR (2020 — Huawei Rule)
|
|
190
|
-
|
|
191
|
-
Extended the FDPR to capture foreign-made items when:
|
|
192
|
-
1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
|
|
193
|
-
2. AND the item is destined for a party on the Entity List
|
|
194
|
-
|
|
195
|
-
Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
|
|
196
|
-
|
|
197
|
-
### Advanced Computing FDPR (October 2022 / October 2023)
|
|
198
|
-
|
|
199
|
-
Captures items produced with US wafer fabrication equipment destined for:
|
|
200
|
-
- China or Macau for use in advanced computing applications above threshold
|
|
201
|
-
- Any Entity List party
|
|
202
|
-
|
|
203
|
-
### Russia/Belarus FDPR (March 2022)
|
|
204
|
-
|
|
205
|
-
Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
|
|
206
|
-
|
|
207
|
-
---
|
|
208
|
-
|
|
209
|
-
## Deemed Export Rules — Compliance Programme Implications
|
|
210
|
-
|
|
211
|
-
### What Constitutes a Deemed Export
|
|
212
|
-
|
|
213
|
-
Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
|
|
214
|
-
- Visual inspection of controlled hardware
|
|
215
|
-
- Providing access to controlled equipment
|
|
216
|
-
- Oral, written, or electronic transmission of controlled technical data
|
|
217
|
-
- Demonstration of controlled software
|
|
218
|
-
|
|
219
|
-
### Nationality Rule
|
|
220
|
-
|
|
221
|
-
BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
|
|
222
|
-
- Apply the nationality that requires the most restrictive licensing treatment
|
|
223
|
-
- Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
|
|
224
|
-
|
|
225
|
-
### Practical Compliance Steps
|
|
226
|
-
|
|
227
|
-
1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
|
|
228
|
-
2. **Classification Review:** Determine which technologies the employee will access; classify each
|
|
229
|
-
3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
|
|
230
|
-
4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
|
|
231
|
-
5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
|
|
232
|
-
6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
|
|
233
|
-
|
|
234
|
-
---
|
|
235
|
-
|
|
236
|
-
## SNAP-R — Licensing Portal Guidance
|
|
237
|
-
|
|
238
|
-
**URL:** snap-r.bis.doc.gov (requires free BIS account)
|
|
239
|
-
|
|
240
|
-
**Forms filed through SNAP-R:**
|
|
241
|
-
- BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
|
|
242
|
-
- BIS-748P-A: Supplement for encryption review notifications (ENC exception)
|
|
243
|
-
- BIS-748P-B: Supplement for end-user statement attachments
|
|
244
|
-
- BIS-711: Statement by Ultimate Consignee and Purchaser
|
|
245
|
-
|
|
246
|
-
**SNAP-R Best Practices:**
|
|
247
|
-
- Submit complete applications — missing technical data is the #1 cause of delay
|
|
248
|
-
- Include end-use statements and supporting technical documentation proactively
|
|
249
|
-
- Track licence expiration dates and re-apply at least 60 days before expiry
|
|
250
|
-
- For time-sensitive transactions: contact the relevant BIS division directly after submission
|
|
251
|
-
- Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
|
|
252
|
-
|
|
253
|
-
---
|
|
254
|
-
|
|
255
|
-
## EAR Recordkeeping Quick Reference
|
|
256
|
-
|
|
257
|
-
| Document Type | Retention Period | Format |
|
|
258
|
-
|---------------|-----------------|--------|
|
|
259
|
-
| Commercial invoices, purchase orders | 5 years from export date | Any readable format |
|
|
260
|
-
| Bills of lading, air waybills | 5 years | Any |
|
|
261
|
-
| EEI/AES filings | 5 years | Any |
|
|
262
|
-
| Licence applications and approvals | 5 years from expiry/completion | Any |
|
|
263
|
-
| Licence exception documentation | 5 years from export | Any |
|
|
264
|
-
| Restricted party screening records | 5 years | Recommended: dated screenshots |
|
|
265
|
-
| End-user statements and certifications | 5 years | Any |
|
|
266
|
-
| ECCN classification records | 5 years from last export of item | Any |
|
|
267
|
-
| VSD submissions and correspondence | Permanently | Any |
|
|
268
|
-
|
|
269
|
-
---
|
|
270
|
-
|
|
271
|
-
## Compliance Programme Maturity Assessment
|
|
272
|
-
|
|
273
|
-
| Level | Characteristics |
|
|
274
|
-
|-------|----------------|
|
|
275
|
-
| **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
|
|
276
|
-
| **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
|
|
277
|
-
| **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
|
|
278
|
-
| **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
|
|
279
|
-
|
|
280
|
-
BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
|
|
1
|
+
# EAR Export Compliance Programme, Enforcement, and Special Rules
|
|
2
|
+
|
|
3
|
+
## Export Compliance Programme (ECP) — BIS Seven Elements
|
|
4
|
+
|
|
5
|
+
BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
|
|
6
|
+
|
|
7
|
+
### Element 1 — Management Commitment
|
|
8
|
+
|
|
9
|
+
- Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
|
|
10
|
+
- Written, board-approved export compliance policy signed by senior officer
|
|
11
|
+
- Compliance resources: dedicated ECP staff, compliance counsel, budget
|
|
12
|
+
- Export Control Officer (ECO) or Export Compliance Manager designated in writing
|
|
13
|
+
- Annual certification to the board that the ECP is operating effectively
|
|
14
|
+
|
|
15
|
+
**Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
|
|
16
|
+
|
|
17
|
+
### Element 2 — Risk Assessment
|
|
18
|
+
|
|
19
|
+
- Identify all products, software, and technology subject to EAR
|
|
20
|
+
- Classify each item: ECCN or EAR99 (document the classification rationale)
|
|
21
|
+
- Identify all business units, geographies, and transaction types
|
|
22
|
+
- Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
|
|
23
|
+
- Maintain a classification database tied to product lifecycle (new products re-classified before launch)
|
|
24
|
+
|
|
25
|
+
**ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
|
|
26
|
+
|
|
27
|
+
### Element 3 — Written Policies and Procedures
|
|
28
|
+
|
|
29
|
+
- Written, procedure-level guidance for each process that touches exports:
|
|
30
|
+
- Customer onboarding and restricted party screening
|
|
31
|
+
- Order acceptance and fulfilment (sales, finance, logistics)
|
|
32
|
+
- ECCN classification and update trigger
|
|
33
|
+
- Licence application and management
|
|
34
|
+
- Employee travel with controlled items/technology
|
|
35
|
+
- Hiring of foreign nationals (deemed export screening)
|
|
36
|
+
- Distributor/reseller programme requirements
|
|
37
|
+
- Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
|
|
38
|
+
|
|
39
|
+
### Element 4 — Training and Awareness
|
|
40
|
+
|
|
41
|
+
- Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
|
|
42
|
+
- Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
|
|
43
|
+
- Annual refresher training with sign-off acknowledgement
|
|
44
|
+
- Training records retained for 5 years
|
|
45
|
+
- Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
|
|
46
|
+
|
|
47
|
+
**Topics for engineers and developers:**
|
|
48
|
+
- Deemed exports: sharing controlled source code with foreign national colleagues
|
|
49
|
+
- Cloud platforms and access controls for controlled technology
|
|
50
|
+
- Open-source publication — fundamental research exemption vs. EAR controls on software
|
|
51
|
+
|
|
52
|
+
### Element 5 — Restricted Party Screening
|
|
53
|
+
|
|
54
|
+
- Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
|
|
55
|
+
- Minimum lists to screen against:
|
|
56
|
+
- BIS Denied Persons List
|
|
57
|
+
- BIS Entity List
|
|
58
|
+
- BIS Unverified List
|
|
59
|
+
- BIS Military End-User (MEU) List
|
|
60
|
+
- State Department Debarred List (DDTC)
|
|
61
|
+
- OFAC SDN List
|
|
62
|
+
- OFAC Consolidated Sanctions List
|
|
63
|
+
- **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
|
|
64
|
+
- Screen at time of: quote/order acceptance, before each shipment, and when parties change
|
|
65
|
+
|
|
66
|
+
**Screening cadence for ongoing relationships:**
|
|
67
|
+
- Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
|
|
68
|
+
- Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
|
|
69
|
+
|
|
70
|
+
**Handling a match:**
|
|
71
|
+
1. Do not ship or service the order
|
|
72
|
+
2. Escalate to ECO/legal immediately
|
|
73
|
+
3. Determine if the match is a true hit or false positive (similar name, different entity)
|
|
74
|
+
4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
|
|
75
|
+
5. Document the match, review, and outcome
|
|
76
|
+
|
|
77
|
+
### Element 6 — Due Diligence (Know Your Customer)
|
|
78
|
+
|
|
79
|
+
- Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
|
|
80
|
+
- For high-risk transactions, obtain:
|
|
81
|
+
- **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
|
|
82
|
+
- **Importer Safety Zone (ISZ) Statement** for certain dual-use items
|
|
83
|
+
- **Distributor Management: assurances that downstream sales comply with EAR**
|
|
84
|
+
- Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
|
|
85
|
+
- **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
|
|
86
|
+
|
|
87
|
+
### Element 7 — Recordkeeping and Audits
|
|
88
|
+
|
|
89
|
+
- Retain all export-related records for **5 years** from the date of export (§ 762.6)
|
|
90
|
+
- Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
|
|
91
|
+
- Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
|
|
92
|
+
- Annual internal ECP audit or review
|
|
93
|
+
- Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## Enforcement Regime
|
|
98
|
+
|
|
99
|
+
### Office of Export Enforcement (OEE)
|
|
100
|
+
|
|
101
|
+
BIS's enforcement arm investigates violations through:
|
|
102
|
+
- **Special Agents** conducting criminal investigations
|
|
103
|
+
- **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
|
|
104
|
+
- **Administrative investigations** by the Office of Chief Counsel (OCC)
|
|
105
|
+
|
|
106
|
+
### Civil Penalties (§ 764.3, Part 766)
|
|
107
|
+
|
|
108
|
+
| Violation Type | Maximum Penalty |
|
|
109
|
+
|---------------|----------------|
|
|
110
|
+
| Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
|
|
111
|
+
| Egregious violations | Higher penalties; may approach statutory maximum |
|
|
112
|
+
| Denial of export privileges | Temporary or permanent denial of all export privileges |
|
|
113
|
+
|
|
114
|
+
**Penalty determination factors (Part 766, Supplement 1):**
|
|
115
|
+
- Willfulness (did the violator know it was a violation?)
|
|
116
|
+
- Nature of the item (weapons-relevant, dual-use, EAR99)
|
|
117
|
+
- Harm to US national security or foreign policy interests
|
|
118
|
+
- Compliance programme quality (strong ECP = significant mitigation)
|
|
119
|
+
- Remedial action taken
|
|
120
|
+
- Cooperation with OEE
|
|
121
|
+
|
|
122
|
+
**Base penalty matrix** (post-September 2024 rule change):
|
|
123
|
+
- BIS removed caps that previously limited penalties below statutory maximums
|
|
124
|
+
- Penalties now more directly reflect transaction value, particularly for egregious cases
|
|
125
|
+
- Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
|
|
126
|
+
|
|
127
|
+
### Criminal Penalties (§ 764.2)
|
|
128
|
+
|
|
129
|
+
Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
|
|
130
|
+
- **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
|
|
131
|
+
- **Corporations:** Fines up to $1 million per violation (per count)
|
|
132
|
+
- Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
|
|
133
|
+
|
|
134
|
+
### Export Denial Orders (EDOs)
|
|
135
|
+
|
|
136
|
+
BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
|
|
137
|
+
- EDOs are published in the Federal Register and placed on the Denied Persons List
|
|
138
|
+
- Third parties are prohibited from participating in any transaction involving a denied person
|
|
139
|
+
- Scope: US persons everywhere in the world; any person regarding items subject to EAR
|
|
140
|
+
|
|
141
|
+
---
|
|
142
|
+
|
|
143
|
+
## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
|
|
144
|
+
|
|
145
|
+
### What is a VSD?
|
|
146
|
+
|
|
147
|
+
A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
|
|
148
|
+
|
|
149
|
+
### When to File
|
|
150
|
+
|
|
151
|
+
File a VSD when you discover:
|
|
152
|
+
- Items shipped without a required licence
|
|
153
|
+
- Items shipped to an Entity List, Denied Persons List, or Unverified List party
|
|
154
|
+
- Incorrect ECCN used that resulted in an unlicensed shipment
|
|
155
|
+
- SNAP-R licence conditions violated
|
|
156
|
+
- Prohibited end-use found post-shipment
|
|
157
|
+
|
|
158
|
+
### VSD Process
|
|
159
|
+
|
|
160
|
+
1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
|
|
161
|
+
2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
|
|
162
|
+
3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
|
|
163
|
+
- Detailed narrative of the facts
|
|
164
|
+
- All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
|
|
165
|
+
- Root cause analysis
|
|
166
|
+
- Remedial actions already taken
|
|
167
|
+
- Proposed corrective actions
|
|
168
|
+
4. **OEE Review:** May request additional information; may conduct End-Use Checks
|
|
169
|
+
5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
|
|
170
|
+
|
|
171
|
+
### VSD Penalty Mitigation
|
|
172
|
+
|
|
173
|
+
- VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
|
|
174
|
+
- Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
|
|
175
|
+
- Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
|
|
176
|
+
|
|
177
|
+
---
|
|
178
|
+
|
|
179
|
+
## Foreign Direct Product Rule (FDPR) — Deep Dive
|
|
180
|
+
|
|
181
|
+
### General FDPR (§ 736.2(b)(3))
|
|
182
|
+
|
|
183
|
+
Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
|
|
184
|
+
|
|
185
|
+
**Test:** Two-prong test:
|
|
186
|
+
1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
|
|
187
|
+
2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
|
|
188
|
+
|
|
189
|
+
### Entity List FDPR (2020 — Huawei Rule)
|
|
190
|
+
|
|
191
|
+
Extended the FDPR to capture foreign-made items when:
|
|
192
|
+
1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
|
|
193
|
+
2. AND the item is destined for a party on the Entity List
|
|
194
|
+
|
|
195
|
+
Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
|
|
196
|
+
|
|
197
|
+
### Advanced Computing FDPR (October 2022 / October 2023)
|
|
198
|
+
|
|
199
|
+
Captures items produced with US wafer fabrication equipment destined for:
|
|
200
|
+
- China or Macau for use in advanced computing applications above threshold
|
|
201
|
+
- Any Entity List party
|
|
202
|
+
|
|
203
|
+
### Russia/Belarus FDPR (March 2022)
|
|
204
|
+
|
|
205
|
+
Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
|
|
206
|
+
|
|
207
|
+
---
|
|
208
|
+
|
|
209
|
+
## Deemed Export Rules — Compliance Programme Implications
|
|
210
|
+
|
|
211
|
+
### What Constitutes a Deemed Export
|
|
212
|
+
|
|
213
|
+
Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
|
|
214
|
+
- Visual inspection of controlled hardware
|
|
215
|
+
- Providing access to controlled equipment
|
|
216
|
+
- Oral, written, or electronic transmission of controlled technical data
|
|
217
|
+
- Demonstration of controlled software
|
|
218
|
+
|
|
219
|
+
### Nationality Rule
|
|
220
|
+
|
|
221
|
+
BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
|
|
222
|
+
- Apply the nationality that requires the most restrictive licensing treatment
|
|
223
|
+
- Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
|
|
224
|
+
|
|
225
|
+
### Practical Compliance Steps
|
|
226
|
+
|
|
227
|
+
1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
|
|
228
|
+
2. **Classification Review:** Determine which technologies the employee will access; classify each
|
|
229
|
+
3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
|
|
230
|
+
4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
|
|
231
|
+
5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
|
|
232
|
+
6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
|
|
233
|
+
|
|
234
|
+
---
|
|
235
|
+
|
|
236
|
+
## SNAP-R — Licensing Portal Guidance
|
|
237
|
+
|
|
238
|
+
**URL:** snap-r.bis.doc.gov (requires free BIS account)
|
|
239
|
+
|
|
240
|
+
**Forms filed through SNAP-R:**
|
|
241
|
+
- BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
|
|
242
|
+
- BIS-748P-A: Supplement for encryption review notifications (ENC exception)
|
|
243
|
+
- BIS-748P-B: Supplement for end-user statement attachments
|
|
244
|
+
- BIS-711: Statement by Ultimate Consignee and Purchaser
|
|
245
|
+
|
|
246
|
+
**SNAP-R Best Practices:**
|
|
247
|
+
- Submit complete applications — missing technical data is the #1 cause of delay
|
|
248
|
+
- Include end-use statements and supporting technical documentation proactively
|
|
249
|
+
- Track licence expiration dates and re-apply at least 60 days before expiry
|
|
250
|
+
- For time-sensitive transactions: contact the relevant BIS division directly after submission
|
|
251
|
+
- Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
|
|
252
|
+
|
|
253
|
+
---
|
|
254
|
+
|
|
255
|
+
## EAR Recordkeeping Quick Reference
|
|
256
|
+
|
|
257
|
+
| Document Type | Retention Period | Format |
|
|
258
|
+
|---------------|-----------------|--------|
|
|
259
|
+
| Commercial invoices, purchase orders | 5 years from export date | Any readable format |
|
|
260
|
+
| Bills of lading, air waybills | 5 years | Any |
|
|
261
|
+
| EEI/AES filings | 5 years | Any |
|
|
262
|
+
| Licence applications and approvals | 5 years from expiry/completion | Any |
|
|
263
|
+
| Licence exception documentation | 5 years from export | Any |
|
|
264
|
+
| Restricted party screening records | 5 years | Recommended: dated screenshots |
|
|
265
|
+
| End-user statements and certifications | 5 years | Any |
|
|
266
|
+
| ECCN classification records | 5 years from last export of item | Any |
|
|
267
|
+
| VSD submissions and correspondence | Permanently | Any |
|
|
268
|
+
|
|
269
|
+
---
|
|
270
|
+
|
|
271
|
+
## Compliance Programme Maturity Assessment
|
|
272
|
+
|
|
273
|
+
| Level | Characteristics |
|
|
274
|
+
|-------|----------------|
|
|
275
|
+
| **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
|
|
276
|
+
| **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
|
|
277
|
+
| **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
|
|
278
|
+
| **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
|
|
279
|
+
|
|
280
|
+
BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.
|
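Review bot: removed lines 219-280 and the re-added lines 219-280 are textually identical as rendered here (Nationality Rule through the Compliance Programme Maturity Assessment), so this file appears to be deleted and re-added for a whitespace or line-ending difference only, which hides any real content change from review. Normalise line endings once, for example with a .gitattributes rule, and republish so that the diff shows only substantive edits. Since the text is being re-added wholesale, three items in the added lines are worth fixing in the same pass. The civil penalty row hard-codes "$374,474 per violation (adjusted annually for inflation)" with no as-of date, so it will go stale silently; state the year the figure applies to. The "Distributor Management: assurances that downstream sales comply with EAR" bullet under Element 6 is bold across the whole line, while its sibling bullets bold only the label. The VSD definition uses "license conditions" where the rest of the file spells it "licence".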