On June 3, 2015, the Department of Commerce’s Bureau of Industry and Security (BIS) and Department of State’s Directorate of Defense Trade Controls (DDTC) published much-anticipated proposed rules, updating key terms in the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR). The proposed rules address a host of important definitions and attempt to provide for technological advances in data storage and transmission, including cloud computing. You can find the full text of the BIS proposed rule here and the DDTC proposed rule here.
These particular revisions have been promised by BIS and DDTC for some time, as critical components of the President’s larger Export Control Reform (ECR) Initiative. A major goal of the ECR Initiative is the harmonization of definitions and terms used across both regulatory schemes.
One of the more significant proposed changes is the identification of activities that would not be considered “exports,” “reexports,” or “transfers” under U.S. export controls regulations. The proposed rules recognize some of the nuances involved with modern data storage, cloud services, and email. Acknowledging that email may transit through a foreign country’s infrastructure en route to its final destination and that information stored on the cloud may be stored on servers located in a foreign country without the sender’s knowledge, DDTC’s proposed rule would create an exclusion from the definition of export that covers the transmission and storage of encrypted, unclassified technical data and software.
The technical data or software must be secured using end-to-end encryption and cryptographic modules that are compliant with the U.S. National Institute for Standards and Technology’s (NIST) Federal Information Processing Standards (FIPS) Publication 140-2 and supplemented with controls in accordance with current NIST publication guidance. Encrypted data also cannot be stored in a 22 C.F.R. § 126.1 (i.e., ITAR-prohibited) country or Russia. BIS’s proposed rule includes a similar carve-out from the definition of “export” but would allow for the transmission of technology protected using cryptographic means that are similarly effective to NIST FIPS Publication 140-2 compliant methods without requiring certification of those means.
This is just one aspect of the new proposed rules, which cover a range of other issues. A longer summary of the changes can be found here.
BIS and DDTC are encouraging industry members to submit comments on issues including the proposed rules’ treatment of methods and manners of data transmission, storage, and access; and the alignment of and/or any contradictions created by the proposed revisions. Comments should be submitted by August 3, 2015, and can be filed either by direct submission to the relevant agency or via the Federal eRulemaking Portal at http://www.regulations.gov.