To protect U.S. national security interests and promote foreign policy objectives, various U.S. agencies collectively administer and enforce U.S. export control laws and participate in multilateral export control regimes to prevent the proliferation of weapons of mass destruction and destabilizing accumulations of conventional weapons and related materials. To that end, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) governs the export and reexport of commodities, software, and technology falling under the jurisdiction of the Export Administration Regulations (EAR). BIS promotes continued U.S. strategic technology leadership and is responsible for enforcing the regulation of the export, reexport, and transfer of dual-use items, meaning items with commercial uses that can also be used in conventional arms, weapons of mass destruction, terrorist activities, or human rights abuses, as well as less sensitive military items. That remit extends to cybersecurity as well.
Cybersecurity has recently become an essential aspect of export controls. On October 21, 2021, BIS published its Interim Final Rule (effective January 19, 2022), whose summary states:
SUMMARY: This interim final rule outlines the progress the United States has made in export controls pertaining to cybersecurity items, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community. Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.
Cybersecurity Items are defined by this Interim Rule as including:
- Systems, equipment, software, and other technology specially designed or modified to develop, generate, command and control, or deliver “intrusion software”;
- “IP [Internet Protocol] network communications surveillance systems or equipment” that meet specified criteria, including the ability to capture and analyze application data (e.g., email messages, attachments, video files, and the contents of web traffic, rather than simply metadata); and
- Other related items, software, and technology, as specified in new and revised Export Control Classification Numbers (ECCNs).
Revised Commerce Control List (CCL) Implementation
The Interim Rule adds multiple new export control classification numbers (ECCNs) to the Commerce Control List (CCL) that incorporate national security (NS) and antiterrorism (AT) controls for “cybersecurity items.” An EAR license or license exception would be required for exports and reexports of such items to most jurisdictions. In particular, this rule adds ECCNs 4A005 and 4D004, along with a new paragraph to 4E001.c, to cover commodities, software, and technology relating to the generation, command and control, or delivery of “intrusion software.” In addition, the Interim Rule adds “IP network communications surveillance systems or equipment” to the CCL under ECCN 5A001.j.
New License Exception: Authorized Cybersecurity Exports (ACE)
The Interim Rule creates a new License Exception Authorized Cybersecurity Exports (ACE), authorizing certain exports, reexports, and transfers of cybersecurity items. This would generally authorize the export, reexport, and transfer of cybersecurity items to most destinations, excluding antiterrorism destinations listed in Country Groups E:1 and E:2 such as Cuba, Iran, Syria, and North Korea. It also excludes Group D Government End Users in Country Groups D:1, D:2, D:3, D:4, or D:5, along with Group D1 and D5 Non-Government End Users, with exclusions for “favorable treatment cybersecurity end users,” vulnerability disclosures, cyber incident responses, or deemed exports to nationals of Country Groups D:1 or D:5.
License Exception ACE could authorize exports to government end users in Cyprus, Israel and Taiwan only for limited purposes such as those previously discussed but will not authorize exports to government end users in other Group D countries such as China, Russia, Saudi Arabia and the UAE. In addition, non-government end users in China and Russia will not generally be eligible for License Exception ACE. License Exception ACE may be used for deemed exports to non-governmental nationals of any country other than antiterrorism destinations.
Identifying and Managing Non-Tangible Exports: Software, Technology, and More
All U.S. origin items, items located in the U.S., certain non-U.S. origin products with U.S. origin parts, and certain products of U.S. origin technology wherever located are subject to EAR. Hardware and tangible items, software, and technology such as information necessary for the development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing of an item are all under the scope of EAR.
Software and technology exports pose several challenges. Software is usually not exported in tangible form, and there is no export filing requirement. Encryption controls are complex, and much software is considered “mass market” and NLR but is still subject to annual filing requirements or a CCATS. Software and technology are often shared during the R&D phase rather than as a product, as engineers collaborate with other companies to produce an end product from an OEM and purchasing and supply chain managers send specifications to potential suppliers. Identifying what counts as technology can also be difficult, and the addition of prominent global companies to the Entity List means that technology reviews have to include EAR99 technology in addition to technology on the CCL or USML.
Tips for Export Compliance with Software and Technology
Identify and classify software products. Many items may be eligible for mass market treatment as 5D992 items and most other items that involve encryption are eligible for License Exception ENC, both generally requiring filing self-classification reports or a CCATS. It is important to maintain an export classification list and check what information you have about recipient/consignee and end user, which should be screened for restricted parties.
Technology is the most likely to be inadvertently exported, so it is critical to train personnel, especially development, engineering, and R&D teams, with an emphasis on controlled technology and on screening counterparties prior to sharing information. In the case of suppliers, be sure to obtain the classification of the final product to assist in the proper classification of components and related technology. When producing a technology control plan, make sure to include receipts and transmission security, physical security, IT security, conversation security, marking, and disposal.
Intersection of Cyber Security and Export Controls: Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that has had access or distribution limitations applied in accordance with the national laws, policies, and regulations of the U.S. Government. This includes U.S. information that is subject to export controls in accordance with the International Traffic in Arms Regulations (ITAR).
The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI. It identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
What Should You Do
If you are exporting goods subject to filing requirements under the Foreign Trade Regulations, we propose you should:
- Develop an effective export compliance plan
- A key foundation of proactive and effective export compliance is the development of an export compliance plan. An export compliance plan establishes a set of procedures for your organization to ensure that everyone is on the same page about how standard processes work, who is responsible for what, how to identify violations, what to do when violations occur, etc. An export compliance plan helps build consciousness in your organization that compliance is critical, both to avoid costly penalties and to protect national security. Diaz Trade Law helps exporters create export compliance manuals that help prove you have a process in place to classify your merchandise correctly and vet your customers, and that you take compliance seriously and implement all the important “great weight” mitigating factors. Diaz Trade Law has significant experience in developing and enhancing export compliance plans for organizations. Additionally, Diaz Trade Law can assist your business in auditing and improving your current plan so that it is in its best shape.
- Engage in regular export compliance training
- A foundation of a strong export compliance program is export compliance training. Training is important because it (1) ensures that all employees understand the export regulations and reinforces internal policies and procedures, (2) demonstrates to federal government agencies that your business is proactive about export compliance, and (3) keeps your business from being subject to costly penalties and even criminal liability. Fortunately, export compliance training can be highly tailored to meet your company’s needs. All your training events include assessments for comprehension, certificates for successful participation, and ample opportunities for Q&A. For your next export compliance training event, trust Diaz Trade Law to provide highly effective, engaging training.
- Thoroughly vet your proposed export transaction
- Unsure whether a proposed export transaction violates the Foreign Trade Regulations or other export control laws? Diaz Trade Law has significant experience vetting your potential transaction against U.S. export control laws and in assisting clients to properly file their EEI. Through research and due diligence, Diaz Trade Law ensures that your transaction won’t get you in trouble later down the road.
- Request authorization when necessary
- BIS or DDTC export authorization is required for many export transactions of controlled goods. Diaz Trade Law has significant experience in vetting proposed transactions to determine whether BIS or DDTC authorization is required. Furthermore, Diaz Trade Law assists clients by filing export license applications on their behalf.
- Engage in mitigation and corrective actions
- If your business has violated U.S. export control laws, there is a lot you can do to mitigate penalties and prevent future violations. Diaz Trade Law has significant experience representing businesses in dealing with the U.S. Commerce Department’s Bureau of Industry & Security and the Census Bureau. Specifically, Diaz Trade Law has successfully assisted clients in (1) submitting voluntary self-disclosures to mitigate penalties, (2) negotiating agreements with BIS and Census, and (3) building corrective action systems to help ensure that your business does not make the same violation again.
Check out our Bloomberg Law article on Submitting a Voluntary Self-Disclosure to the U.S. Census Bureau.
Diaz Trade Law has significant experience in a broad range of export compliance matters. To learn more about the services we offer, contact us at firstname.lastname@example.org or call us at 305-456-3830.