Export Administration Regulations. Dual-Use Technology Controls Mapped to Security Posture.

EAR Overlay

Export Administration Regulations (EAR) overlay for dual-use technology export control compliance. Commerce Control List classification, deemed export prevention, license management, and access controls mapped to NIST 800-53. Future overlay with readiness built from existing DFARS and ITAR security posture.

Dual-use technology controls require the same infrastructure rigor as defense articles. Build once, comply across both regimes.

Organizations that export commercial technologies with potential military or intelligence applications operate under the Export Administration Regulations. EAR compliance requires item classification, party screening, license management, deemed export controls, and comprehensive record-keeping. Redoubt Forge maps these regulatory obligations to NIST 800-53 security controls, building on the access control and monitoring infrastructure already established for DFARS and ITAR compliance.

01
What Is EAR
Export Administration Regulations. Dual-Use Technology Controls Administered by the Bureau of Industry and Security.

The Export Administration Regulations (EAR) govern the export, re-export, and transfer of dual-use items: commercial goods, software, and technology that have both civilian applications and potential military, intelligence, or weapons proliferation uses. Administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, EAR applies to a broader range of technologies than ITAR. Where ITAR controls defense articles specifically designed for military application, EAR covers the vast middle ground of commercially available items that could contribute to activities contrary to US national security or foreign policy interests. This includes encryption technology, high-performance computing hardware, telecommunications equipment, sensors and lasers, navigation and avionics systems, marine technology, propulsion systems, and categories of software and technology that enable or enhance controlled capabilities. The regulatory scope extends beyond physical exports. Any release of EAR-controlled technology to a foreign person, whether through physical shipment, electronic transmission, visual inspection, or oral exchange, constitutes an export subject to EAR requirements.

BIS organizes controlled items on the Commerce Control List (CCL), which assigns each controlled item an Export Control Classification Number (ECCN). The ECCN encodes the item's category, product group, and control reason, and determines the licensing requirements based on the intersection of item classification, destination country, end user, and end use. Items not specifically listed on the CCL fall under the designation EAR99, which generally permits export to most destinations without a license, though end-use and end-user restrictions still apply. The classification process is the foundation of EAR compliance: an incorrect classification can result in unlicensed exports that carry criminal penalties up to $1 million per violation and 20 years imprisonment, or civil penalties up to $300,000 per violation. Organizations must establish and maintain classification determinations for every item they export or re-export, update those determinations when items are modified or combined with other controlled technology, and document the classification rationale with sufficient detail to withstand regulatory scrutiny.

EAR operates under different statutory authority than ITAR, with different enforcement mechanisms, different licensing procedures, and different penalty structures. The Export Control Reform Act of 2018 provides the statutory basis for EAR, while ITAR derives from the Arms Export Control Act. This distinction matters because items may shift between ITAR and EAR jurisdiction based on classification decisions, commodity jurisdiction determinations, and regulatory updates. Organizations that handle both defense articles and dual-use technologies must maintain parallel compliance programs that account for the differences in classification methodology, licensing authority, exemption structures, and record-keeping requirements between the two regimes. The EAR overlay in Redoubt Forge will address these requirements as structured compliance obligations mapped to the organization's existing NIST 800-53 security controls, ensuring that export control compliance builds on the same infrastructure that supports the broader security posture.

02
How Overlays Work
EAR Requirements as ADD Operations on NIST 800-53 Access and Data Controls. Future Overlay with Existing Foundation.

The EAR overlay operates through ADD operations on the NIST 800-53 base framework. The base framework defines technical security controls for access management, audit logging, system protection, and data handling. The EAR overlay adds export-control-specific requirements that the base framework does not address: ECCN classification tracking, denied party screening, license application and management, deemed export prevention procedures, re-export controls, and Commerce Department record-keeping obligations. These added requirements are regulatory obligations that must be operationalized through a combination of technical controls, organizational procedures, and documented processes. A denied party screening requirement, for example, requires a technical integration with BIS screening lists (the control), an organizational process for evaluating screening results and escalating matches (the procedure), a documented workflow for handling potential matches including false positives (the process), and evidence that screening was performed for every applicable transaction (the proof). Each component must be tracked and evidenced independently within the compliance workspace.

The EAR overlay is currently in development and planned for a future release. However, organizations that have implemented DFARS and ITAR controls through Redoubt Forge have already built substantial infrastructure that the EAR overlay will reference. Access control mechanisms that enforce citizenship-based restrictions for ITAR-controlled technical data apply directly to EAR deemed export prevention. Network segmentation that isolates controlled data environments serves both regulatory regimes. Audit logging that captures access patterns and demonstrates enforcement satisfies evidence requirements for EAR access controls just as it does for ITAR. The monitoring infrastructure that Sentinel maintains for ITAR access pattern detection will extend to EAR-controlled technology with additional classification-aware filtering. Organizations do not need to wait for the EAR overlay to begin building readiness. Every control implemented for DFARS adequate security, every access restriction enforced for ITAR deemed export prevention, and every monitoring capability deployed for NIST 800-53 compliance contributes directly to the foundation that EAR compliance requires.

When released, the EAR overlay will follow the same structural model used for all regulatory overlays in Rampart. EAR requirements will map to specific NIST 800-53 control families: AC (Access Control) for deemed export prevention and technology access restrictions, AU (Audit and Accountability) for transaction logging and screening documentation, and PT (Personally Identifiable Information Processing and Transparency) for end-user and end-use documentation requirements. Where an EAR requirement shares underlying controls with an existing ITAR or DFARS requirement, the assessment status and evidence will propagate through the shared control. Where an EAR requirement is unique to export administration (ECCN classification, license management, re-export tracking), it will carry its own evidence chain and assessment criteria. The overlay will be versioned against specific EAR regulatory updates, and Rampart will recalculate compliance status when regulatory changes affect the overlay mapping. This ensures that organizations maintain current compliance posture against the regulations as they evolve, not against a static snapshot that becomes outdated with each Federal Register update.

03
Commerce Control List
Ten Categories. ECCN Classification. License Determination from Item Technical Parameters.

The Commerce Control List (CCL) is the regulatory instrument that defines which items are subject to EAR export controls and under what conditions. The CCL organizes controlled items into ten categories: Category 0 (Nuclear Materials, Facilities, and Equipment), Category 1 (Special Materials and Related Equipment), Category 2 (Materials Processing), Category 3 (Electronics), Category 4 (Computers), Category 5 (Telecommunications and Information Security), Category 6 (Sensors and Lasers), Category 7 (Navigation and Avionics), Category 8 (Marine), and Category 9 (Aerospace and Propulsion). Within each category, items are further classified by product group: equipment, assemblies, and components; test, inspection, and production equipment; materials; software; and technology. The intersection of category and product group produces the five-character ECCN that uniquely identifies the item's control parameters. Category 5, Part 2 (Information Security) is particularly relevant to technology organizations because it controls encryption items, information security software, and related technology that many commercial products incorporate.

ECCN classification determines the licensing requirements for a specific export transaction through the Commerce Country Chart. Each ECCN carries one or more Reasons for Control: National Security (NS), Missile Technology (MT), Nuclear Nonproliferation (NP), Chemical and Biological Weapons (CB), Regional Stability (RS), Crime Control (CC), Anti-Terrorism (AT), Firearms Convention (FC), Surreptitious Listening (SL), Short Supply (SS), and Significant Items (SI). The Commerce Country Chart maps each reason for control against every destination country to indicate whether a license is required. An item classified under ECCN 5A002 (information security systems and equipment) with NS and AT reasons for control requires a license to some destinations but not others, depending on the country chart entries. Organizations must perform this classification and country chart analysis for every controlled item and every destination, document the determination, and maintain records for five years. Incorrect classification that results in an unlicensed export is a violation regardless of intent, though willful violations carry substantially higher penalties. The classification process must account for technology that incorporates controlled components, software that enables controlled capabilities, and items that have been modified from their original classification parameters.

The EAR overlay will track ECCN classifications as structured data within the compliance workspace, linking each controlled item to its classification determination, supporting documentation, and export history. Rampart will maintain the relationship between item classifications and applicable license requirements, surfacing changes when BIS updates the CCL or Commerce Country Chart through Federal Register notices. Garrison will maintain the inventory of systems and technology assets subject to EAR controls, ensuring that every item with an ECCN classification is tracked within the export control boundary. When items are modified, combined, or repurposed, the overlay will flag the affected classifications for review, because technical changes can alter an item's ECCN and therefore its licensing requirements. This classification management capability does not exist in isolation. It integrates with the access control and monitoring infrastructure that organizations have already built for ITAR and DFARS compliance, adding export-administration-specific tracking on top of the shared security control foundation.

04
Deemed Exports
Release of Controlled Technology to Foreign Nationals. Access Control Implications for Every Environment.

A deemed export occurs when EAR-controlled technology or source code is released to a foreign national within the United States. Under EAR, this release is treated as an export to the foreign national's most recent country of citizenship or permanent residency. The deemed export rule means that export control obligations apply not only to international shipments but to every instance where a foreign national gains access to controlled technical data, source code, or technology within domestic facilities, laboratories, data centers, and collaboration environments. Visual inspection of controlled equipment, participation in technical discussions involving controlled technology, access to repositories containing controlled source code, and receipt of technical documentation all constitute potential deemed exports. Organizations that employ foreign nationals or collaborate with international partners must evaluate every access grant against EAR deemed export requirements, determine whether the access constitutes a release of controlled technology, identify the applicable ECCN and licensing requirements based on the foreign national's citizenship, and either obtain the required license or confirm that a license exception applies before granting access.

The access control implications of the deemed export rule extend across every system that stores, processes, or transmits EAR-controlled technology. Identity and access management systems must incorporate citizenship verification as a factor in access decisions for controlled resources. Repository access controls must distinguish between EAR-controlled and unrestricted content and enforce access restrictions based on verified citizenship status. Collaboration platforms must prevent inadvertent disclosure of controlled technology during meetings, document sharing, and code reviews that include foreign national participants. Physical access controls must restrict entry to areas where controlled technology is visible or accessible. These requirements parallel ITAR deemed export controls, and organizations that have implemented ITAR access restrictions have already built the infrastructure foundation. The key difference is the classification basis: ITAR restricts access based on USML categories and requires US Person verification, while EAR restricts access based on ECCN classifications and evaluates licensing requirements against the specific foreign national's country of citizenship through the Commerce Country Chart.

Sentinel will extend its access pattern monitoring to EAR deemed export detection when the overlay is released. Access attempts to resources classified under specific ECCNs will be evaluated against the authenticated user's verified citizenship status and the applicable Commerce Country Chart entries. Access events that constitute potential unlicensed deemed exports will trigger immediate alerts through the configured notification chain. The monitoring infrastructure that Sentinel already maintains for ITAR access pattern detection provides the foundation: identity correlation, citizenship verification integration, resource classification tagging, and real-time access event evaluation. The EAR extension adds ECCN-aware classification filtering and country-chart-based license determination to the existing monitoring pipeline. Organizations that have deployed Sentinel for ITAR compliance will find that the incremental configuration for EAR deemed export monitoring builds directly on their existing access control and monitoring infrastructure, adding EAR-specific classification logic without duplicating the underlying detection and alerting capabilities.

05
License Requirements
License Exceptions. Application Management. Compliance Screening and Record-Keeping.

EAR licensing determines whether a specific export transaction requires prior authorization from BIS. The licensing analysis begins with item classification (ECCN or EAR99 designation), proceeds through the Commerce Country Chart to determine whether a license is required for the specific destination, and then evaluates whether any License Exception applies that would permit the export without an individual license. BIS provides numerous license exceptions for specific categories of transactions: License Exception TMP for temporary exports, License Exception TSR for technology and software under restriction, License Exception ENC for encryption items, License Exception GOV for government end users, and others. Each license exception carries its own eligibility criteria, conditions, and record-keeping requirements. Using a license exception without meeting all applicable conditions is treated as an unlicensed export, carrying the same penalties as exporting without a license. Organizations must document not only that a license exception applies but that every condition of the exception has been satisfied for every transaction that relies on it.

When no license exception applies, organizations must submit a license application to BIS through the Simplified Network Application Process Redesign (SNAP-R) system. License applications require detailed information about the item being exported (classification, technical parameters, quantity, value), the parties to the transaction (exporter, consignee, intermediate consignee, end user), the end use, and supporting documentation such as end-user statements and import certificates. BIS reviews license applications against multiple policy criteria and may approve, deny, return without action, or approve with conditions (provisos). License processing times vary from weeks to months depending on the item, destination, and policy review requirements. Organizations must maintain records of all license applications, determinations, and approved licenses, and must comply with any provisos attached to approved licenses. The record-keeping requirement under EAR mandates retention of all export-related records for five years from the date of export, re-export, or transfer, or five years from the date of any known last re-export or transfer, whichever is later.

Compliance screening is a prerequisite for every export transaction, regardless of whether a license is required. Organizations must screen all parties to the transaction against BIS consolidated screening lists: the Entity List (entities subject to specific license requirements), the Denied Persons List (individuals and entities denied export privileges), the Unverified List (entities where BIS has been unable to verify end use), and the Military End User List. Matches against any screening list require additional due diligence and may prohibit the transaction entirely. Rampart will track license management as a structured compliance workflow: license applications, approvals, provisos, expiration dates, and utilization records linked to the specific controlled items and transactions they authorize. Alliance will integrate party screening into the supply chain verification process, ensuring that every partner, customer, and intermediary in the export chain is screened against current BIS lists before controlled technology is shared. The five-year record retention requirement will be enforced through immutable evidence storage, ensuring that export transaction records, screening results, license determinations, and classification documentation remain accessible and unaltered throughout the mandatory retention period.

06
Scanning and Evidence
Access Pattern Monitoring. Compliance Documentation. Supply Chain Verification.

EAR compliance evidence centers on demonstrating that deemed export controls are actively enforced across every system containing controlled technology. For deemed export prevention, access events against resources tagged with ECCN classifications must be tracked and correlated with each authenticated user's verified citizenship status. Access by foreign nationals to ECCN-controlled resources must be evaluated against the Commerce Country Chart to determine whether the access constitutes a licensed or unlicensed deemed export. The monitoring pipeline requires identity provider integration, citizenship verification correlation, resource classification tagging, and real-time access event evaluation. Every access event to a controlled resource must generate an evidence artifact that includes the authenticated identity, the citizenship verification status, the ECCN classification of the resource accessed, the licensing determination for that access, and the timestamp. This continuous evidence stream demonstrates that deemed export controls are actively enforced, not merely documented in a policy that may or may not reflect actual access patterns. Organizations sharing infrastructure with ITAR programs can extend the same access monitoring architecture to EAR requirements with different policy logic.
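The evaluation described above, sketched as an added example (not Redoubt Forge or Sentinel code). The chart entries, the placeholder country codes `XA`/`XB`, the users, resource names and license reference are all constructed, and the SHA-256 hash chain is one assumed way to make the evidence artifacts tamper-evident.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. These are NOT real Commerce Country Chart entries;
# "XA" and "XB" are placeholder country codes.
RESOURCE_ECCN = {"repo/crypto-core": "5A002", "repo/website": "EAR99"}
REASONS_FOR_CONTROL = {"5A002": {"NS", "AT"}, "EAR99": set()}
COUNTRY_CHART = {"XA": set(), "XB": {"NS"}}  # reasons that require a license
# (user, ECCN) pairs with a license or license exception on file (placeholder id)
AUTHORIZATIONS = {("dana", "5A002"): "LICENSE-PLACEHOLDER-001"}

@dataclass(frozen=True)
class Identity:
    user: str
    citizenship_verified: bool
    foreign_national: bool
    country: Optional[str]  # most recent citizenship or permanent residency

IDENTITIES = {
    "alice": Identity("alice", True, False, None),
    "bo": Identity("bo", True, True, "XA"),
    "chen": Identity("chen", True, True, "XB"),
    "dana": Identity("dana", True, True, "XB"),
    "eve": Identity("eve", False, True, None),
}
EVENTS = [  # constructed access events
    {"timestamp": "2025-01-15T09:00:00Z", "user": "alice", "resource": "repo/crypto-core"},
    {"timestamp": "2025-01-15T09:01:00Z", "user": "bo", "resource": "repo/crypto-core"},
    {"timestamp": "2025-01-15T09:02:00Z", "user": "chen", "resource": "repo/crypto-core"},
    {"timestamp": "2025-01-15T09:03:00Z", "user": "dana", "resource": "repo/crypto-core"},
    {"timestamp": "2025-01-15T09:04:00Z", "user": "eve", "resource": "repo/crypto-core"},
    {"timestamp": "2025-01-15T09:05:00Z", "user": "chen", "resource": "repo/website"},
]

def determine(identity, eccn):
    """Return (licensing determination, alert flag) for one access event."""
    if eccn is None:
        return "BLOCK_UNCLASSIFIED_RESOURCE", True      # no ECCN tag: fail closed
    if not identity.citizenship_verified:
        return "BLOCK_UNVERIFIED_CITIZENSHIP", True     # cannot evaluate: fail closed
    if not identity.foreign_national:
        return "NOT_A_DEEMED_EXPORT", False
    chart = COUNTRY_CHART.get(identity.country)
    if chart is None:
        return "BLOCK_COUNTRY_NOT_IN_CHART", True
    # End-use and end-user screening is out of scope for this sketch.
    triggered = REASONS_FOR_CONTROL.get(eccn, set()) & chart
    if not triggered:
        return "NO_LICENSE_REQUIRED", False
    auth = AUTHORIZATIONS.get((identity.user, eccn))
    if auth:
        return "AUTHORIZED:" + auth, False
    return "POTENTIAL_UNLICENSED_DEEMED_EXPORT:" + ",".join(sorted(triggered)), True

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def run_pipeline(events):
    """Emit one evidence artifact per event, each chained to the previous hash."""
    artifacts, prev = [], "0" * 64
    for ev in events:
        # Unknown users are treated as unverified foreign nationals.
        ident = IDENTITIES.get(ev["user"]) or Identity(ev["user"], False, True, None)
        eccn = RESOURCE_ECCN.get(ev["resource"])
        determination, alert = determine(ident, eccn)
        body = {
            "timestamp": ev["timestamp"],
            "identity": ident.user,
            "citizenship_verified": ident.citizenship_verified,
            "resource": ev["resource"],
            "eccn": eccn,
            "determination": determination,
            "alert": alert,
            "prev_hash": prev,
        }
        prev = _digest(body)
        artifacts.append({**body, "hash": prev})
    return artifacts

def verify_chain(artifacts):
    """Recompute every hash; any edited or reordered artifact breaks the chain."""
    prev = "0" * 64
    for a in artifacts:
        body = {k: v for k, v in a.items() if k != "hash"}
        if a["prev_hash"] != prev or _digest(body) != a["hash"]:
            return False
        prev = a["hash"]
    return True
```
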

The challenge with EAR compliance documentation is that it spans multiple evidence chains that must remain synchronized with evolving regulatory data. Classification determinations must link to supporting technical analysis and regulatory references. License applications must connect to approval records, provisos, and transaction histories. Screening results must be timestamped and linked to the specific transaction and parties they evaluate. Record-keeping compliance requires retention policies that ensure all export-related evidence remains accessible for the mandatory five-year period. When BIS updates the CCL, Commerce Country Chart, or screening lists, affected classifications and transactions must be reviewed, ensuring that compliance status reflects current regulatory requirements rather than outdated determinations. Organizations that manage these evidence chains in disconnected systems (spreadsheets for classifications, email folders for license approvals, separate databases for screening results) struggle to demonstrate the end-to-end traceability that auditors require. Each EAR obligation needs its own evidence chain: classification evidence, screening evidence, licensing evidence, access control evidence, and record-keeping evidence. Each chain must be independently auditable from the regulatory requirement to the specific technical control and evidence artifact that satisfies it.

Alliance will extend supply chain verification to EAR compliance. Organizations that export controlled items through intermediaries, distributors, or partners must verify that downstream parties comply with the terms of any applicable licenses and do not re-export controlled items to prohibited destinations or end users. Alliance will track the compliance posture of supply chain partners with respect to EAR obligations: do they maintain their own export compliance programs, have they been screened against BIS denied party lists, do they acknowledge and comply with re-export restrictions on controlled items they receive? For organizations that handle both ITAR and EAR-controlled items, Alliance will maintain separate compliance tracking for each regulatory regime while surfacing the areas of overlap where a single partner relationship implicates both sets of requirements. The supply chain evidence collected through Alliance will be versioned, timestamped, and linked to the specific regulatory requirements it satisfies, providing auditable proof that export control obligations extend beyond the organization's own boundaries to encompass the full chain of custody for controlled technology.

07
Relationship to Base Framework
EAR Maps to NIST 800-53 AC, AU, and PT Controls. Shared Infrastructure with ITAR and DFARS.

The EAR overlay maps to NIST 800-53 control families that address the technical requirements underlying export control compliance. The AC (Access Control) family provides the control foundation for deemed export prevention: AC-2 (Account Management) for managing accounts with access to controlled technology, AC-3 (Access Enforcement) for restricting access based on citizenship and licensing status, AC-6 (Least Privilege) for limiting access to controlled resources to authorized personnel only, and AC-17 (Remote Access) for controlling access to controlled technology through remote connections. The AU (Audit and Accountability) family supports the evidence and record-keeping requirements: AU-2 (Event Logging) for capturing access events on controlled resources, AU-3 (Content of Audit Records) for ensuring logs contain sufficient detail for compliance demonstration, AU-6 (Audit Record Review) for monitoring access patterns, and AU-11 (Audit Record Retention) for meeting the five-year record-keeping mandate. The PT (Personally Identifiable Information Processing and Transparency) family addresses end-user documentation and transaction transparency requirements that EAR imposes on organizations handling controlled technology.

These control families are shared with ITAR and DFARS compliance. An organization that has implemented AC-2 and AC-3 to enforce ITAR US Person access restrictions has already deployed the technical infrastructure that EAR deemed export controls require. The access enforcement mechanism is the same: identity verification, citizenship correlation, resource classification, and policy-based access decisions. The difference is the policy logic: ITAR evaluates access against US Person status and USML categories, while EAR evaluates access against citizenship, ECCN classification, and Commerce Country Chart licensing requirements. The audit controls deployed for DFARS 252.204-7012 adequate security (which references NIST 800-171, derived from 800-53) produce the same types of evidence that EAR record-keeping requires: timestamped access logs, configuration records, and enforcement documentation. Organizations do not rebuild this infrastructure for each regulatory regime. They extend the existing controls with regime-specific policy logic and classification data. The marginal effort to add EAR compliance on top of existing ITAR and DFARS implementations reflects this substantial control overlap.

When the EAR overlay is released in Rampart, organizations with existing ITAR and DFARS implementations will see their EAR readiness score reflect the controls already in place. Access control mechanisms, audit logging infrastructure, monitoring capabilities, and supply chain verification processes will carry forward from existing assessments. EAR-specific requirements that have no parallel in ITAR or DFARS (ECCN classification management, Commerce Country Chart analysis, BIS license tracking, and re-export controls) will appear as new compliance obligations requiring dedicated implementation. The derivation chain engine in Rampart will compute the cross-regulatory impact: when a shared 800-53 control is assessed for DFARS compliance, the assessment propagates to the ITAR overlay and to the EAR overlay through their common control references. One security posture serves all three regulatory regimes. The export control work that organizations perform today for ITAR and DFARS builds direct, measurable readiness for EAR compliance. Every access control deployed, every audit mechanism configured, and every monitoring capability established contributes to the infrastructure foundation that the EAR overlay will reference when it arrives.
