Docs

CUI and Classified Information

If you or your organization handle Controlled Unclassified Information (CUI) or classified information, follow the guidance below when using ExChek for export control classification.

Do not use cloud or API LLMs for CUI/classified data

You must not use cloud-hosted services or API-based LLM models to process CUI or classified information. Sending item descriptions, technical specifications, or other CUI/classified content to third-party cloud APIs (e.g., commercial Claude, ChatGPT, or other cloud LLM endpoints) may violate your agency or contractor security requirements and can result in unauthorized disclosure.

For any classification work that involves CUI or classified information, use only an on-premises (on-prem) deployment with a local LLM and the ExChek skill installed locally, as described below.

Using the ExChek skill for CUI or classified information

To use the ExChek skill in an environment that handles CUI or classified information:

  1. Download the skill from the public GitHub repo β€” Do not rely on cloud-based clones or live sync. Download the repository as a ZIP from the ExChek skill repo and transfer it to your on-prem environment via your organization’s approved method (e.g., air-gapped media, secure transfer).
  2. Install the skill on your on-prem agency environment β€” Unzip the skill and place it in your local agent’s skills directory (e.g. ~/.claude/skills/exchek-classify or the equivalent for your on-prem agent platform).
  3. Use a local LLM only β€” Run the agent that executes the ExChek skill against a local LLM hosted within your secure boundary. Do not configure the agent to use any cloud or external API LLM when processing CUI or classified items.

Skill repo (download ZIP from): https://github.com/mrdulasolutions/exchekskills. On GitHub, use the green Code button β†’ Download ZIP, then extract and copy the contents to your on-prem skills folder.

Getting the latest Part 774 and Part 121 on-prem

The ExChek skill uses regulatory data from 15 CFR Part 774 (Commerce Control List, CCL) and 22 CFR Part 121 (United States Munitions List, USML). For on-prem use, you need to obtain the latest 774 and 121 data inside your environment so the local agent can use it without calling external cloud APIs.

Option 1: Run the ExChek refresh script on-prem

If you have the ExChek API codebase in your on-prem environment (e.g., from the full ExChek repo or a released package), you can run the eCFR snapshot refresh script. It fetches the current title structures from eCFR (ecfr.gov), extracts Part 774 and Part 121, and writes them to local JSON files. No Supabase or cloud storage is required for local-only use.

  1. From the apps/api directory of the ExChek repo, ensure dependencies are installed (npm install).
  2. Run the refresh script:
node scripts/refresh-ecfr-snapshot.js

By default, the script writes ecfr-part-774.json and ecfr-part-121.json to apps/api/.data (or the directory set in ECFR_SNAPSHOT_DIR). Configure your on-prem API or agent to read 774/121 from this directory so the skill can use the latest CCL and USML data without calling the public ExChek API.

Option 2: Fetch from eCFR and extract the parts

If you cannot run the ExChek script on-prem, you can fetch the latest structure from eCFR and extract the parts manually:

  1. From a system that is allowed to reach eCFR (e.g., a boundary host), download the current title structures:
curl -o title-15.json "https://www.ecfr.gov/api/versioner/v1/structure/current/title-15.json"
curl -o title-22.json "https://www.ecfr.gov/api/versioner/v1/structure/current/title-22.json"
  1. Transfer title-15.json and title-22.json to your on-prem environment using your approved process.
  2. Extract the Part 774 subtree from title-15.json (the node whose identifier or label is Part 774) and save it as ecfr-part-774.json. Extract the Part 121 subtree from title-22.json and save it as ecfr-part-121.json.
  3. Place both JSON files in a directory your on-prem agent or API can read, and point the skill or local API to that directory so classification uses this data instead of any cloud endpoint.

Run this process periodically (e.g., weekly) to refresh 774 and 121 when eCFR is updated.

Related