> **Engineering guidance only. Not legal advice.** Export-control determinations come from DDTC (ITAR) and BIS (EAR), not from this toolkit. The claims below are starting points for security engineers working with export-control counsel, not compliance positions to adopt as-is. Citations to read alongside this material: 22 CFR 120.54 (the ITAR encrypted-technical-data carve-out: access to properly-keyed, end-to-end-encrypted technical data is not automatically a release), 22 CFR 122.5 (ITAR recordkeeping, scoped to specific record categories), 15 CFR 734.6 (BIS is the licensing authority on EAR), 15 CFR 746.8 (Russia and Belarus sanctions). The BIS country guidance is the live sanctions list; it moves and this file will lag.
Deep expertise in both ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) for US export control compliance.
ITAR (International Traffic in Arms Regulations):
EAR (Export Administration Regulations):
Requirement: Only "US persons" may access ITAR-controlled technical data. 22 CFR 120.62 defines that term more broadly than "citizens or green-card holders." It covers:
- US citizens and US nationals
- lawful permanent residents (8 U.S.C. 1101(a)(20))
- "protected individuals" under 8 U.S.C. 1324b(a)(3), which includes refugees and asylees
- any corporation, business association, partnership, society, trust or other entity incorporated to do business in the United States, and any federal, state or local governmental entity
Access policies that say "citizens or LPRs only" over-restrict and can create avoidable HR and employment-law exposure. Use the full 120.62 definition; work with HR and counsel on how you verify each category, and record which category each person was verified under, not just a yes/no flag.
Implementation:
Cloud Verification:
# AWS: Tag users with the 22 CFR 120.62 category they were verified under
# (key and value are examples; agree the allowed values with HR and counsel)
aws iam tag-user --user-name john.smith --tags Key=USPersonStatus,Value=Citizen
# Read the tags back for one user
aws iam list-user-tags --user-name john.smith
# List all users for verification
aws iam list-users --query 'Users[*].UserName'
Common Gaps:
Posture summary: ITAR technical data is stored in US-located systems by default. 22 CFR 120.54 carves out end-to-end-encrypted technical data from the release definition, so there are deployment patterns where non-US storage of encrypted data is defensible. Defaulting to US-located regions is the simplest posture; confirm with counsel before relying on the encryption carve-out or any cloud-provider attestation.
Approved Regions:
Prohibited:
Verification:
# AWS: Check S3 bucket locations. get-bucket-location returns a null
# LocationConstraint for us-east-1, which --output text prints as "None".
# GovCloud buckets live in a separate partition and need their own profile.
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  location=$(aws s3api get-bucket-location --bucket "$bucket" --query 'LocationConstraint' --output text)
  [ "$location" = "None" ] && location="us-east-1"
  echo "$bucket: $location"
done
Requirement: FIPS 140-2 (or its successor, FIPS 140-3) validated encryption for all ITAR technical data. This is the standard 22 CFR 120.54 names for its end-to-end-encryption carve-out; relying on that carve-out also requires that the means of decryption is never given to a third party and that the data is not intentionally sent to or stored in Russia or a country listed in 22 CFR 126.1.
Standards:
Cloud Solutions:
Encryption Coverage:
Requirement summary: 22 CFR 122.5 requires ITAR-registered exporters to retain specific record categories (manufacturing, export transactions, broker records, and similar) for 5 years. This is not a blanket "retain every cloud log for 5 years" mandate. Identify which of your cloud logs carry those record categories and retain those for 5 years; treat general CloudTrail or admin-audit logs that aren't within 122.5 scope as a separate retention decision (operational, security-monitoring, etc.) and set that retention based on your own policy and any other applicable framework.
Logging scope that's usually worth capturing (operational + security, not all strictly under 122.5):
Implementation:
Log Protection:
Requirement: ITAR systems should be isolated from non-ITAR systems
Implementation:
Best Practice:
Requirement: Mark all ITAR data with appropriate export control notices
Tagging Strategy:
AWS Resource Tags:
ExportControl: "ITAR"
Classification: "CUI" | "SECRET"
Handling: "NOFORN" (No Foreign Nationals)
Owner: "john.smith@company.com"
Document Marking:
WARNING: This document contains technical data whose export is
restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751,
et seq.) or the Export Administration Act of 1979 (Title 50, U.S.C.,
App 2401 et seq.), as amended. Violations of these export laws are
subject to severe criminal penalties. Disseminate in accordance with
provisions of DoD Directive 5230.25.
Note: this is the legacy DoD export-control warning. The Export Administration Act of 1979 citation is obsolete (it was replaced by the Export Control Reform Act of 2018, 50 U.S.C. 4801 et seq.), so check the current DoDI 5230.24 wording with counsel before stamping it on new documents.
Requirement: Control access by cloud service providers and third parties
Implementation:
Commercial Cloud:
Requirement: Classify all items with proper ECCN or EAR99
Classification Process:
Common ECCNs:
| ECCN | Description | License Required |
|---|---|---|
| 5D002 | Encryption software | Often License Exception ENC |
| 5A002 | Encryption hardware | Varies by specification |
| 5E002 | Encryption technology | Varies by specification |
| 3A001 | Electronic equipment | Varies by destination |
| 4A003 | Digital computers | Varies by performance |
| EAR99 | Items not on CCL | No license for most destinations, but licenses can still be required based on destination (15 CFR 746), end-user (Entity List / DPL / SDN), or end-use (15 CFR 744 proliferation and military end-use rules) |
Self-Classification:
Requirement: Screen all customers against BIS denied parties lists
Screening Lists:
| List | Authority | Purpose | Entries (approximate; lists change) |
|---|---|---|---|
| Entity List | BIS | National security/foreign policy restrictions; a match imposes a license requirement (15 CFR 744.11, Supp. No. 4 to Part 744) | 1,400+ |
| Denied Persons List (DPL) | BIS | Export privileges denied by BIS order; no participation in any EAR transaction | 200+ |
| Unverified List (UVL) | BIS | End-use check could not be completed; license exceptions suspended, UVL statement required | 100+ |
| Specially Designated Nationals (SDN) | Treasury OFAC | Sanctions program; blocked persons | 10,000+ |
| Military End User (MEU) | BIS | Entities in China, Russia, Venezuela and Burma (Supp. No. 7 to Part 744) | N/A |
| Foreign Sanctions Evaders (FSE) | Treasury | Sanctions evasion | 70+ |
Screening Process:
Frequency:
Implementation:
# Minimal runnable screening check. Exact match only: real screening needs
# name normalization, alias handling and fuzzy matching, and the list
# contents must be loaded from current BIS/OFAC data (casefolded on load).
ENTITY_LIST: set[str] = set()   # BIS Entity List (Supp. No. 4 to Part 744)
DPL: set[str] = set()           # BIS Denied Persons List
SDN: set[str] = set()           # OFAC SDN list
EMBARGOED_COUNTRIES = {"CU", "IR", "KP", "SY"}  # 15 CFR 746; keep current

def screen_customer(customer_name: str, country: str) -> str:
    """Return a decision string; anything other than APPROVED must stop the transaction."""
    name = customer_name.casefold().strip()
    if name in ENTITY_LIST:
        # Entity List imposes a license requirement; blocking pending counsel is the safe default.
        return "DENIED - Entity List match"
    if name in DPL:
        return "DENIED - Denied Persons List"
    if name in SDN:
        return "DENIED - OFAC SDN List"
    if country.upper() in EMBARGOED_COUNTRIES:
        return "DENIED - Embargoed country"
    return "APPROVED"
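Exact-string matching misses "Example Microelectronics Inc" when the list says "Example Microelectronics Co., Ltd.", and misses "PRIMER, Ivan" when the list says "Ivan Primer". The following is an added example, not code from the skill itself, showing the normalization, alias and fuzzy-matching steps a screening function needs. The list records (`SAMPLE_LIST`), the `ACTION` table, the `normalize`/`similarity`/`screen` names and the 0.85 threshold are all assumptions for illustration; the entries are constructed and are not real list data.

```python
"""Denied-party screening with normalization and fuzzy matching (added example)."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate suffixes that cause false negatives (and positives) if left in the name.
_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "gmbh", "sa", "plc", "ag",
             "limited", "corporation", "company"}


def normalize(name: str) -> str:
    """Casefold, strip accents, punctuation and corporate suffixes, collapse spaces."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.casefold())
    return " ".join(t for t in s.split() if t not in _SUFFIXES)


@dataclass
class ListEntry:
    name: str
    source: str                      # "Entity List", "SDN", "DPL", "UVL"
    alt_names: list = field(default_factory=list)


# Constructed sample records for the example; NOT real list entries.
SAMPLE_LIST = [
    ListEntry("Example Microelectronics Co., Ltd.", "Entity List", ["EXAMPLE MICRO-ELECTRONICS"]),
    ListEntry("Ivan Primer", "SDN", ["PRIMER, Ivan"]),
    ListEntry("Northwind Avionics LLC", "DPL"),
]

# Hits on SDN/DPL are hard stops; an Entity List hit means a license
# requirement under 15 CFR 744 and escalation to counsel, not a silent deny.
ACTION = {"SDN": "BLOCK", "DPL": "BLOCK",
          "Entity List": "HOLD - license review", "UVL": "HOLD - end-use check"}
_RANK = ["BLOCK", "HOLD - license review", "HOLD - end-use check"]  # most restrictive first


def similarity(a: str, b: str) -> float:
    """Blend character similarity with token-set overlap so reordered names still score."""
    na, nb = normalize(a), normalize(b)
    seq = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    jac = len(ta & tb) / len(ta | tb) if ta | tb else 0.0
    return max(seq, jac)


def screen(party: str, entries=SAMPLE_LIST, threshold: float = 0.85):
    """Return (decision, hits); hits is [(score, entry)] above threshold, best first."""
    hits = []
    for e in entries:
        best = max(similarity(party, cand) for cand in [e.name, *e.alt_names])
        if best >= threshold:
            hits.append((round(best, 3), e))
    hits.sort(key=lambda h: h[0], reverse=True)
    if not hits:
        return "CLEAR", hits
    # Take the most restrictive action across all hits, not just the top-scoring one.
    decision = min((ACTION[e.source] for _, e in hits), key=_RANK.index)
    return decision, hits


if __name__ == "__main__":
    for party in ["Example Microelectronics Inc", "PRIMER, Ivan", "Acme Widgets"]:
        decision, hits = screen(party)
        print(party, "->", decision, [(s, e.name, e.source) for s, e in hits])
```

Tune the threshold against your own false-positive rate, log every hit with the score and the list source (that log is evidence), and remember that address and country fields on the list records narrow matches further than the name alone.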
Requirement: Classify encryption items (Category 5 Part 2 of the CCL) by the cryptography they implement and ship them under the correct ECCN, License Exception ENC or license. FIPS 140-2/140-3 validation is not what triggers or satisfies EAR control; it is what 22 CFR 120.54 and federal customers expect, so treat it as a separate engineering requirement rather than as evidence that an encryption export is compliant.
FIPS Validation:
License Exception ENC:
Encryption Registration:
Requirement: Block access from comprehensively embargoed countries
Embargoed Countries (no exports):
Partially Sanctioned (check specific restrictions):
Implementation:
AWS WAF Geo-Blocking (WAFv2 rule JSON in the shape `aws wafv2 create-web-acl --rules` accepts):
{
  "Name": "EAR-Embargo-Block",
  "Priority": 0,
  "Statement": {
    "GeoMatchStatement": {
      "CountryCodes": ["CU", "IR", "KP", "SY"]
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "EAREmbargoBlock"
  }
}
CloudFront Geo-Restrictions (the `Restrictions` element of a DistributionConfig; `Quantity` must equal the number of `Items`):
{
  "Restrictions": {
    "GeoRestriction": {
      "RestrictionType": "blacklist",
      "Quantity": 4,
      "Items": ["CU", "IR", "KP", "SY"]
    }
  }
}
Caveat: adding "UA" blocks all of Ukraine, but the embargo covers the Crimea region and the so-called DNR and LNR (15 CFR 746.6), which country-level geo-matching cannot isolate. Decide with counsel whether to over-block Ukraine or to handle those regions through address and party screening. Russia and Belarus (15 CFR 746.8) are heavily restricted but not comprehensively embargoed, so they need a deliberate decision rather than a silent omission from the list. Geo-IP is a coarse control that VPNs defeat; it complements party screening, it does not replace it.
Requirement: Control export of technical data and source code
Technology Definition (EAR 772.1; the EAR term is "technology", ITAR's is "technical data"):
Deemed Exports (EAR 734.13):
Source Code Controls:
Requirement: Verify CSP provides EAR-compliant features
CSP Compliance Features:
| Provider | FIPS 140-2 | CMEK | Data Residency | Geo-Blocking |
|---|---|---|---|---|
| AWS | ✅ Level 2+ | ✅ KMS | ✅ Regional | ✅ WAF, CloudFront |
| Azure | ✅ Level 2 | ✅ Key Vault | ✅ Regional | ✅ Front Door, WAF |
| GCP | ✅ Level 3 | ✅ Cloud KMS | ✅ Regional | ✅ Cloud Armor |
Required Attestations:
BIS Cloud Computing FAQ:
Requirement: Determine if License Exception applies (avoiding license requirement)
License Exception ENC (Encryption):
Eligibility:
Requirements:
License Exception TSU (Technology and Software - Unrestricted):
Categories:
Note: Publicly available software is generally not subject to the EAR at all (15 CFR 734.3(b)(3), 734.7), which is a different route from TSU. The exception is publicly available encryption source code classified under 5D002, which leaves the EAR only once the notification in 15 CFR 742.15(b) has been made. Don't assume "open source" automatically means TSU; check which route actually applies.
License Exception BAG (Baggage):
Eligibility:
Limits: Reasonable quantities for personal/professional use
License Exception TMP (Temporary):
Eligibility:
Duration: items must be returned or consumed within 1 year of export (15 CFR 740.9); TMP is not a renewable license
Decision Tree:
Step 1: Is the item on the US Munitions List (USML)?
├─ YES → ITAR applies (State Department DDTC jurisdiction)
│ └─ End analysis - use ITAR framework
└─ NO → Continue to Step 2
Step 2: Is the item on the Commerce Control List (CCL)?
├─ YES → EAR applies with specific ECCN
│ ├─ High-level ECCN (e.g., 5D002) → May require license
│ ├─ Check License Exceptions (ENC, TSU, BAG, TMP)
│ └─ Prohibited: embargoed countries, denied parties
└─ NO → Continue to Step 3
Step 3: Item not on USML or CCL
└─ Likely EAR99
├─ No license required for most destinations to most end-users
├─ License still required for exports to comprehensively embargoed destinations (15 CFR 746)
├─ License still required when end-user is on the Entity List, DPL, or SDN
├─ License still required for prohibited end-uses under 15 CFR 744 (proliferation, military end-use, military-intelligence end-use)
└─ The "knowledge" standard applies: if you know or have reason to know the item is destined for a prohibited use or user, a license is required even for EAR99
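The ordering in this tree matters: the destination, end-user and end-use checks have to run before an item is waved through as EAR99/NLR, and a region-level embargo cannot be decided from a country code alone. The following is an added example, not the skill's own code, that encodes that ordering as a routing function for a compliance workflow. The `Transaction` record, the `triage` function, its route names and the embargo sets are assumptions for illustration; the sets must be kept current from 15 CFR 746 and the output is a routing decision for counsel, not a license determination.

```python
"""Jurisdiction and licensing triage implementing the decision tree (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Comprehensively embargoed destinations under 15 CFR 746 (assumed snapshot; verify).
COMPREHENSIVE_EMBARGO = {"CU", "IR", "KP", "SY"}
# Countries containing embargoed regions (Crimea, DNR, LNR under 15 CFR 746.6):
# a country code cannot tell you whether the consignee is inside the region.
REGION_EMBARGO_COUNTRIES = {"UA"}


@dataclass
class Transaction:
    on_usml: bool                      # item is on the US Munitions List
    eccn: Optional[str]                # None means "not on the CCL", i.e. EAR99 candidate
    destination: str                   # ISO 3166-1 alpha-2 code
    end_user_hits: List[str] = field(default_factory=list)   # e.g. ["Entity List"]
    prohibited_end_use: bool = False   # a 15 CFR 744 end-use trigger was identified
    knowledge_of_diversion: bool = False  # the "knowledge" standard: know or reason to know
    license_exception: Optional[str] = None  # e.g. "ENC", "TSU", "BAG", "TMP"


def triage(t: Transaction) -> Tuple[str, str]:
    """Return (route, reason). Checks run most-restrictive first so EAR99 never short-circuits them."""
    if t.on_usml:
        return "ITAR", "USML item: DDTC jurisdiction, stop the EAR analysis"
    if t.destination in COMPREHENSIVE_EMBARGO:
        return "EMBARGO", "comprehensively embargoed destination (15 CFR 746)"
    if t.end_user_hits:
        return "RESTRICTED_PARTY", "restricted end-user: " + ", ".join(t.end_user_hits)
    if t.prohibited_end_use or t.knowledge_of_diversion:
        return "RESTRICTED_END_USE", "prohibited end-use, or knowledge of one (15 CFR 744)"
    if t.destination in REGION_EMBARGO_COUNTRIES:
        return "REGION_REVIEW", "destination contains an embargoed region; confirm consignee location"
    if t.eccn is None:
        return "NLR", "EAR99 with no destination, end-user or end-use trigger"
    if t.license_exception:
        return "EXCEPTION_CLAIMED", f"ECCN {t.eccn} under License Exception {t.license_exception}; document eligibility"
    return "COUNTRY_CHART_REVIEW", f"ECCN {t.eccn}: check the Commerce Country Chart for {t.destination}"


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        Transaction(True, None, "DE"),
        Transaction(False, None, "DE"),
        Transaction(False, None, "DE", end_user_hits=["Entity List"]),
        Transaction(False, "5D002", "DE", license_exception="ENC"),
        Transaction(False, None, "UA"),
    ]
    for s in samples:
        print(s.destination, s.eccn, "->", triage(s))
```

Every route other than `NLR` should land in a human queue with the reason string attached; the `NLR` route still needs the screening hit list and the knowledge check recorded, because "no license required" is a conclusion you may have to evidence later.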
Commodity Jurisdiction (CJ) Request:
Overlapping Controls (implement once, satisfies both):
✅ FIPS 140-2 Encryption
✅ Access Logging
Framework-Specific Controls:
ITAR-Only:
EAR-Only:
Compliance Strategy:
ITAR Workloads:
AWS GovCloud (highly recommended)
Azure Government (highly recommended)
GCP Assured Workloads (recommended)
EAR Workloads:
AWS Commercial (with controls)
Azure Commercial (with controls)
GCP Commercial (with controls)
US Person Verification (ITAR)
Denied Party Screening (EAR)
Data Residency Compliance (ITAR)
ECCN Classification (EAR)
License Exception Determination (EAR)
ITAR Violations:
EAR Violations:
Voluntary Self-Disclosure:
ITAR Resources:
EAR Resources: