On December 26, 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) published an Interim Final Rule (84 FR 70887) describing when data controlled by the International Traffic in Arms Regulations (ITAR) may be transmitted electronically without triggering a requirement for an export authorization. The new rule is intended to clearly permit the use of cloud services and other electronic transmissions when technical requirements are met.
Rule Proposed in 2015 Effective March 2020
In an effort to modernize and harmonize export regulations, the Departments of Commerce and State originally published parallel proposed rules on June 3, 2015 (80 FR 31505 and 80 FR 31525). One year later, on June 3, 2016, the Department of Commerce published a final rule (81 FR 35586) establishing that secured, unclassified transmissions would not be considered exports, reexports, or transfers when specific conditions were met. The Department of State revised the ITAR at that time as well, but did not implement parallel definition until this notice. The revision will go into effect nearly five years after the original proposal.
As revised, the Department of Commerce’s Export Administration Regulations (EAR) now allows the use of cloud services with EAR-controlled technology by excluding the following from the definition of exports, reexports, or transfers (EAR §734.18(a)(5)):
Sending, taking, or storing “technology” or “software” that is:
(i) Unclassified;
(ii) Secured using ‘end-to-end encryption;’
(iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and
(iv) Not intentionally stored in a country listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR) or in the Russian Federation.
Note that the EAR’s Country Group D:5 incorporates ITAR §126.1 prohibited destinations.
The new ITAR rule is nearly identical, creating ITAR §120.54 “Activities that are not exports, reexports, retransfers, or temporary imports.” §120.54(a)(5) excludes:
Sending, taking, or storing technical data that is:
(i) Unclassified;
(ii) Secured using end-to-end encryption;
(iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES–128);
(iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and
(v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation.
(Substantial variations from EAR text are underlined.)
One noteworthy variation is that while the EAR allows for “other equally or more effective cryptographic means” the ITAR rule specifies AES-128 as a minimum standard. The ITAR rule also adds paragraph (v) regarding transmissions from §126.1 countries or Russia.
Both the EAR and ITAR rules note that “data in-transit via the internet is not deemed to be stored,” define end-to-end encryption, and state that the ability to access encrypted data is not considered a release or export.
The rule also makes minor changes to other ITAR definitions in order to reference the new section.
An Interim Final Rule?
The Interim Final Rule combines a request for comments like the original 2015 Proposed Rule with a rule that is scheduled to be effective March 25, 2020. The new definitions are subject to revision based on comments received. This is a valuable opportunity to submit substantive comments on how the ITAR revision will affect your business, particularly if you can suggest possible changes that could make the rules more workable.
Comments may be submitted through January 27, 2020. Refer to the Federal Register Notice for the full revision, responses to previous comments, and how to comment.