United States: Changes To BIS's Information Security Controls Bring Relaxed Controls, Removal Of Registration Requirement

As part of a raft of revisions to the Export Administration Regulations ("EAR") implementing December 2015 changes to the Wassenaar Arrangement, on September 20, 2016, the Bureau of Industry and Security ("BIS") issued a final rule affecting the Commerce Control List ("CCL") and parts of the EAR relating to Information Security.¹ While the changes represent perhaps the most substantial update to the EAR's encryption and information security controls since those rules were simplified in 2010, they do not fundamentally alter the existing framework of those controls. Rather, they reduce certain compliance burdens and relax controls for a number of items, while increasing controls on a limited subset of encryption items. Businesses potentially affected by these changes should review the rule carefully in order to be able to benefit from these changes while remaining compliant with the rule.

Removal of Encryption Registration Requirement

Previously, 15 C.F.R. Sections 740.17(b) and 742.15(b) required that an encryption registration be submitted to BIS as a prerequisite for certain uses of License Exception ENC or mass market treatment, and for submission of Encryption Classification Requests. The final rule eliminates this encryption registration requirement.² Nevertheless, exporters who self-classify encryption products under § 740.17(b)(1) will continue to be required to submit a self-classification report on an annual basis.³

Changes Affecting Items Eligible for License Exception ENC

Information security items that fall under Section 740.17(b)(2) of License Exception ENC ("ENC (b)(2)") continue to require submission of a classification request and are subject to restrictions on the types and locations of end users for whom the exception may be used. However, the rule has been revised so that only more sensitive, technologically current information security items, will be subject to these additional restrictions. At the same time, exporters should be able to use ENC to export older, less sensitive information security items to a wider range of end users. The change should also reduce the need for encryption classification requests.

Specifically, revised ENC (b)(2) increases the performance parameter for aggregate encrypted WAN, MAN, VPN, backhaul or long-haul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) from greater than 90 Mbps to 250 Mbps and greater.⁴ For media gateways and other unified communications infrastructure, including Voice-over-Internet Protocol services, the endpoint threshold for media and signaling encryption was raised from 1,000 to greater than 2,500.

In addition, while ENC (b)(2) continues to capture satellite infrastructure items generally, the rule now contains a carve-out for certain satellite terminals and modems that provide end-to-end encryption and otherwise meet the criteria for mass market treatment. In contrast, the final rule also subjects certain items used in the encryption of certain ultra-wideband and spread spectrum communications systems (now classified as 5A002.d and 5A002.e) that had previously been eligible for exception ENC under the less-restrictive provisions of (b)(1) or (b)(3), to the provisions of ENC (b)(2). While BIS determined that these items, which have previously been categorized under ECCN 5A002.a.5 and .a.6, warrant a higher level of control under (b)(2), BIS noted that it does not anticipate this change to generate a increase in license applications. In addition to making items in ECCNs 5A002.d and 5A002.e ineligible for ENC under (b)(1) or (b)(3), a note was added to 5A002 directing exporters to the USML for related controls that may capture items described in these ECCNs.

Narrowing the "Government End-User" Exclusion from License Exception ENC (b)(2)

The final rule amends Section 740.17(b)(2) to authorize exports, reexports, and transfers (in-country) of "network infrastructure" items to "less sensitive government end users" in all countries except Country Group E:1 and E:2 countries. Not all items subject to 740.17(b)(2) are "network infrastructure" – this category of items includes WAN, MAN, VPN, backhaul or long-haul equipment, certain satellite infrastructure, media gateways, and terrestrial wireless infrastructure. "Less sensitive government end-users" is defined in Part 772 to generally include sub-federal government subdivisions (e.g., local, municipal and provincial), and certain categories of federal-level government end users involved in purely civilian or civil society activities. Examples of such less-sensitive federal-level government functions include civil public works; civil service human resources administration; public health; energy regulation and administration, including oil, gas and mining sectors; and economic and business development functions.

The definition also contains certain important exclusions. Notably, national telecommunications agencies, science and technology agencies, and research and development and national laboratories are carved out from the definition of "less sensitive government end users." In addition, BIS has added a definition of "more sensitive government end-users" to Part 772 listing the types of federal-level government entities within that category. While Exception ENC does not user the term "more sensitive government end-users," such entities would, by definition, not be "less sensitive government end users."

This revision represents an important relaxation of the prior rule, which prohibited the use of ENC (b)(2) to export cryptographic items to any government end user outside of the Supplement 3 Favorable Treatment Countries. Nonetheless, important restrictions remain in place regarding items subject to 740.17(b)(2). Such items that are not "network infrastructure" continue to require a license to any government end-user in a country not listed on Supplement 3. In addition, network infrastructure items under 740.17(b)(2) continue to require a license to non-Supplement 3 government end users that have not been designated "less sensitive" or that have been excluded from that definition (such as national telecommunications agencies).

Changes to Category 5, Part 2 of the Commerce Control List

Changes were made to ECCNs in Category 5 Part 2 of the CCL that represent both decontrols and important realignments of existing ECCNs. Paragraphs 5A992.a and .b, 5D992.a and .b, and 5E992.a have been deleted. These provisions previously controlled telecommunications and other information security containing encryption, as well as a catch-all category for information security equipment not specified in former 5A002. The impact of this change will be that information security equipment and software, whether or not containing encryption, and components therefor will now either be controlled under 5X002, 5A003, or 5A004, will qualify for mass market treatment and therefore fall within 5A992.c or 5D992.c, or will not be controlled under Category 5, Part 2. This change has the potential to decontrol numerous items previously within 5X992. As a result, such items may be designated EAR99 or, depending on their functionality, may move to another ECCN (such as 5X991).

In addition, Category 5, Part 2 was realigned to create two new ECCNs: 5A003 and 5A004. 5A003 now contains non-cryptographic intrusion detection items formerly within 5A002.a.4 and a.8, and 5A004 contains cryptanalytic items for weakening or bypassing information security formerly classified as 5A002.a.2. Because items classified under 5A003 are not controlled for EI reasons, they are eligible for use of License Exception GOV. Items classified under 5A004 are controlled for EI reasons, and may not use GOV.

Miscellaneous Other Revisions

The final rule also makes a number of additional changes affecting license exception ENC.

• Section 740.17(b)(4) has been deleted, because items it formerly described have been decontrolled (in the case of short-range wireless products) or moved to 740.17(a) (in the case of certain foreign-developed items containing US-origin encryption).
• Supplement No. 3 to Part 740 was amended to add Croatia, because it is now a member of the European Union. This revised list harmonizes with the European Union's list of countries that do not require a license for encryption items.

BIS is in the process of updating its web materials and guidance relating to encryption. In the meantime, it has posted a new webpage, available at http://www.bis.doc.gov/InformationSecurity2016-updates, that provides an overview of these and other changes under the September 20, 2016 rule. One of the changes listed is that "5E002 encryption technology" has been made eligible for the "tools of trade" provisions under license exception TMP (§ 740.9). Interestingly, § 740.9 was not amended by the September 20 rule, and the "tools of trade" provision thereof still is available only for "commodities and software," which does not include "technology."

Most of the changes to the EAR's Information Security controls should have the effect of easing certain export restrictions on encryption and other information security items. Nonetheless, those restrictions remain complicated and highly fact-dependent. While exporters may stand to benefit from the revised rules, they must continue to be mindful of applicable restrictions and regulatory requirements.

Footnotes

1. "Wassenaar Arrangement 2015 Plenary Agreements Implementation, Removal of Foreign National Review Requirements, and Information Security Updates," 81 FR 64656 (September 20, 2016). The Final Rule ontains a number of changes to the EAR; however, this update focuses on those changes affecting information security items.

2. This revision reverberates throughout the EAR and references to the former encryption registration requirement are also removed (e.g., parts 738 and 748) and Supplement No. 5 to part 742 is deleted.

3. The requirements for the self-classification report are moved to § 740.17(e)(3) from § 742.15(c).

4. Further, Section (b)(2)(i)(A)(2), which set forth a performance parameter for wire (line), cable or fiber optic WAN, MAN or VPN single channel input data rate exceeding 154 Mbps, was deleted as redundant of the new aggregate encrypted throughput parameter in paragraph (b)(2)(A)(1).

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.