
US Defense Use Case

US defense and defense industrial base (DIB) organizations must comply with ITAR, EAR, and CMMC requirements when deploying AI. Keeptrusts provides export control filtering, entity list screening, and CJIS-grade security.

Use this page when

  • You are deploying AI in US defense or defense industrial base (DIB) organizations subject to ITAR, EAR, and CMMC requirements.
  • You need export control filtering, entity list screening against denied parties, and CJIS-grade security for CUI protection.
  • You want to enforce DFARS 252.204-7012 requirements and prevent controlled unclassified information from reaching unauthorized LLM providers.

Primary audience

  • Primary: Technical Leaders
  • Secondary: Technical Engineers, AI Agents

Regulatory Requirements

| Regulation | Requirement | Keeptrusts Policy |
| --- | --- | --- |
| ITAR | Block export-controlled technical data | itar-ear-filter |
| EAR | Block dual-use technology data | itar-ear-filter |
| Entity List | Screen against denied parties | entity-list-filter |
| CMMC | Cybersecurity maturity | cjis-mode, rbac, audit-logger |
| DFARS 252.204-7012 | CUI protection | dlp-filter |

Complete Policy Configuration

pack:
  name: defense-us-governance
  version: 1.0.0
  enabled: true
policies:
  chain:
    - prompt-injection
    - rbac
    - cjis-mode
    - itar-ear-filter
    - entity-list-filter
    - pii-detector
    - dlp-filter
    - safety-filter
    - human-oversight
    - audit-logger
  policy:
    prompt-injection: {}
    rbac:
      deny_if_missing:
        - X-User-ID
        - X-User-Role
    cjis-mode:
      require_auth: true
      access_logging: true
    itar-ear-filter:
      blocked_terms:
        - defense-articles
        - technical-data
        - dual-use-items
        - munitions
        - spacecraft
        - nuclear
        - encryption
      action: block
      fuzzy_matching: false
      max_distance: 1
    entity-list-filter:
      blocked_entities:
        - sdn
        - entity-list
        - denied-persons
        - unverified-list
      action: block
      fuzzy_matching: false
      max_distance: 1
    pii-detector:
      action: redact
    dlp-filter:
      detect_patterns:
        - '\bCUI\b|\bControlled Unclassified\b|\bFOUO\b'
        - '\b(SECRET|TOP SECRET|CONFIDENTIAL|NOFORN|REL TO)\b'
        - '\b[A-Z]{1,2}[0-9]{2}-[0-9]{4,5}-[A-Z]-[0-9]{4}\b'
        - '\b[A-Z0-9]{5}\b'
      action: block
    safety-filter:
      action: block
    human-oversight:
      require_human_for:
        - technical-data-release
        - foreign-party-communication
        - export-classification
      action: escalate
      confidence_threshold: 0.5
      default_assignee: export-compliance-review
    audit-logger:
      immutable: true
      retention_days: 3650
      log_all_access: true
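
The dlp-filter patterns in the configuration above can be exercised offline before they are enforced with action: block. The following is an added example, not Keeptrusts code: it assumes the gateway applies each pattern as a case-sensitive regular-expression search (Python's re module stands in for the gateway's engine), and the rule labels and sample prompts are constructed for illustration.

```python
import re

# The four dlp-filter detect_patterns from the policy configuration on this page.
# The labels are illustrative names added for this example, not Keeptrusts rule IDs.
DETECT_PATTERNS = {
    "cui-marking": r"\bCUI\b|\bControlled Unclassified\b|\bFOUO\b",
    "classification-marking": r"\b(SECRET|TOP SECRET|CONFIDENTIAL|NOFORN|REL TO)\b",
    "structured-id": r"\b[A-Z]{1,2}[0-9]{2}-[0-9]{4,5}-[A-Z]-[0-9]{4}\b",
    "five-char-token": r"\b[A-Z0-9]{5}\b",
}
# Assumption: case-sensitive search semantics; the gateway's regex engine may differ.
COMPILED = {name: re.compile(rx) for name, rx in DETECT_PATTERNS.items()}

# Constructed sample prompts (not real traffic).
SAMPLES = [
    "Summarize the attached CUI//SP-CTI drawing notes.",
    "This page is marked SECRET//NOFORN.",
    "Reference AB12-34567-C-0042 in the reply.",
    "summarize the cui handling rules",
    "Ticket 48213 was opened by the HVAC vendor.",
    "Send the ADMIN console link to the team.",
    "Please review the draft agenda for Tuesday.",
]

def matched_rules(text):
    """Return the labels of every pattern that matches text, in config order."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]

def evaluate(samples):
    """Map each sample to (decision, labels); action: block fires on any match."""
    results = {}
    for text in samples:
        hits = matched_rules(text)
        results[text] = ("block" if hits else "allow", hits)
    return results

def rule_hit_counts(samples):
    """Count how many samples each pattern matches, to spot over-broad rules."""
    counts = {name: 0 for name in DETECT_PATTERNS}
    for text in samples:
        for name in matched_rules(text):
            counts[name] += 1
    return counts

if __name__ == "__main__":
    for text, (decision, hits) in evaluate(SAMPLES).items():
        print(f"{decision:5}  {', '.join(hits) or '-':40}  {text}")
    print(rule_hit_counts(SAMPLES))
```

Under these assumptions the fourth pattern matches any five-character run of uppercase letters or digits, so an ordinary ticket number or a word such as ADMIN is blocked, while a lowercase "cui" passes unmatched. Run the same check over representative prompts from your own environment to size both effects before enforcing the policy.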

Example Scenarios

Engineer: "Describe the guidance system specifications for
the missile defense interceptor."

→ itar-ear-filter BLOCKS
Reason: USML Category IV (Launch vehicles) technical data detected
Escalated to: export-compliance
Audit: Full incident recorded

Air-Gapped Deployment

For classified environments, deploy Keeptrusts with self-hosted models:

pack:
  name: defense-us-providers-2
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: local-llama
      provider: ollama
      model: llama3.1:70b
      base_url: http://localhost:11434
    - id: local-vllm
      provider: vllm
      model: meta-llama/Meta-Llama-3.1-70B-Instruct
      base_url: http://localhost:8000
policies:
  chain:
    - audit-logger
  policy:
    audit-logger:
      immutable: true
      retention_days: 365
      log_all_access: true

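No data leaves the air-gapped network. The full ITAR/EAR policy stack still applies to prevent accidental disclosure within the network. Because the chain in this snippet lists only audit-logger, use kt doctor to confirm that itar-ear-filter, entity-list-filter, and dlp-filter are active in the deployed configuration.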

Provider Recommendations

| Use Case | Provider | Reason |
| --- | --- | --- |
| DoD cloud | Azure OpenAI (Gov IL5) | IL5 authorized |
| AWS GovCloud | AWS Bedrock | GovCloud authorized |
| Air-gapped | Ollama / vLLM | No network required |

For AI systems

  • Canonical terms: Keeptrusts US defense governance, ITAR/EAR filtering, entity list screening, CMMC compliance, CUI protection.
  • Policy pack: defense-us-governance with chain: prompt-injection → rbac → cjis-mode → itar-ear-filter → entity-list-filter → pii-detector → dlp-filter → safety-filter → human-oversight → audit-logger.
  • Key policies: itar-ear-filter (USML categories, CCL ECCNs, defense articles), entity-list-filter (denied-persons-list, SDN, entity-list, unverified-list), cjis-mode (CJIS-grade security), dlp-filter (CUI markings, DFARS-controlled data), human-oversight (high-risk decision approval).
  • CLI: kt gateway run --policy-config ./policy-config.yaml, kt events tail --policy itar-ear-filter, kt events tail --policy entity-list-filter.

For engineers

  • Deploy: kt gateway run --policy-config ./policy-config.yaml --port 41002
  • Validate: kt doctor confirms cjis-mode, itar-ear-filter, entity-list-filter, and dlp-filter are active.
  • Monitor ITAR enforcement: kt events tail --policy itar-ear-filter (export-controlled technical data).
  • Monitor entity screening: kt events tail --policy entity-list-filter (denied parties, SDN list).
  • Monitor CUI protection: kt events tail --policy dlp-filter (DFARS-controlled data).
  • Export compliance evidence: kt export create --format json --filter "policy=itar-ear-filter,entity-list-filter,audit-logger"
  • Console: Events (filter by itar-ear-filter), Escalations (route to facility security officer), Audit Log (CMMC assessment evidence).

For leaders

  • Addresses ITAR (22 CFR 120-130), EAR (15 CFR 730-774), DFARS 252.204-7012 (CUI protection), CMMC Level 2+, and entity list screening requirements.
  • ITAR-controlled technical data is blocked at the gateway before reaching any LLM provider — preventing export control violations with penalties up to $1M per occurrence.
  • Real-time entity list screening against denied-persons, SDN, and unverified lists on every AI interaction.
  • CJIS-grade security satisfies CMMC Level 2 cryptographic and access control requirements.
  • Full audit trail supports DCMA oversight, CMMC assessment, and ITAR empowered official reviews.
  • Human oversight enforcement for high-risk defense AI decisions satisfies DoD responsible AI principles.
