Compliance with U.S. export control regulations will get a little easier, thanks to new amendments that ease licensing requirements for companies that store or transmit technical data or software in the cloud—although, naturally, compliance with the regulations comes with a catch.
The Commerce Department’s Bureau of Industry and Security (BIS) last month published a final rule amending a number of definitions in the Export Administration Regulations (EAR), while the State Department’s Directorate of Defense Trade Controls (DDTC) concurrently published an interim final rule revising several definitions in the International Traffic in Arms Regulations (ITAR).
“Using common terms and common definitions to regulate the same types of items or actions will facilitate enhanced compliance and reduce unnecessary regulatory burdens,” the BIS rule stated. Both the BIS and DDTC rules take effect Sept. 1.
In response to numerous questions raised about how BIS would apply criteria in particular situations, BIS posted a list of Frequently Asked Questions relating to the newly revised definitions in the EAR. “Companies need to carefully read the new definitions and adapt their procedures accordingly,” says Melvin Schwechter, a partner at law firm BakerHostetler. “They should also carefully review the FAQs that the Commerce Department put out on its website for clarity on some of the finer points in the new export controls regime.”
U.S. export control laws traditionally have applied not only to the shipment of physical products out of the United States, but also to the technology and software necessary for the development, production, or use of those products. Thus, prior to these rules, every transmission of controlled technology or software through the cloud to a server outside the United States was deemed by the government to be an export or re-export that could potentially trigger a licensing requirement.
The BIS final rule and DDTC interim rule go a long way toward simplifying compliance with export controls, primarily affecting any company that exports items controlled by the Commerce Control List or the United States Munitions List. Fundamental differences between the two rules, however, mean that companies will need to carefully differentiate between their treatment of ITAR- and EAR-controlled technology and software for purposes of cloud storage.
The BIS final rule, for example, establishes a four-part test under which the “sending, taking, or storing” of technology or software outside the United States is not an export, reexport, or transfer, provided that the technology or software is:
Unclassified;
Secured using “end-to-end encryption”;
Secured using cryptographic means that meet or exceed Federal Information Processing Standards (FIPS) Publication 140-2, a common encryption standard used for federal government procurement, supplemented by key-management and other controls consistent with National Institute of Standards and Technology (NIST) guidance, or by equally or more effective cryptographic means; and
Not “intentionally” stored in a country subject to a U.S. arms embargo or in the Russian Federation.
BIS made numerous revisions in the final rule addressing the carve-out for encrypted data, the most substantial of which was relaxing the definition of “end-to-end encryption.” The proposed rule, for example, would have prohibited data from being decrypted at any point between origination of the transmission and its receipt, but commenters said this wasn’t feasible, because data is often encrypted and decrypted numerous times in the course of being transmitted.
In response to these comments, the BIS final rule establishes that the originator and recipient may decrypt and re-encrypt technology or software within their “in-country security boundaries,” provided that the controlled technology or software is encrypted while outside the originator’s and recipient’s security boundaries and while crossing borders, and provided that no third parties have the ability to access the data in a decrypted form.
“Companies must be aware of their encryption protocols to ensure that the data doesn’t cross national boundaries unencrypted,” says Michael Gershberg, a partner with law firm Fried Frank. This means ensuring that the company’s cloud service provider or in-house IT team is aware of, and in compliance with, these end-to-end encryption requirements, he says.
BIS further specified that the security boundary must be contained within a single country and cannot include infrastructure in more than one country. Any release of controlled data to non-U.S. nationals within a security boundary—for example, a corporate intranet—will be treated as a deemed export requiring authorization, BIS stated.
Furthermore, BIS noted that FIPS 140-2 is not the only cryptographic standard or approach companies may use to be eligible for the carve-out. In some cases, companies may have developed cryptography for internal use that is just as effective but that has never been subject to the NIST certification process. “However, exporters must be sure that whatever standard and procedures are used are effective within the context in which the firm operates,” BIS warned. In practice this puts the burden on the exporter: an unvalidated algorithm or implementation needs documented justification that it is equally or more effective, because the carve-out offers no safe harbor for a weak choice.
Regarding the storing of data in certain restricted countries, BIS amended the rule to clarify that this restriction doesn’t apply to “data in-transit via the Internet,” in response to comments that data in transit may be “stored” temporarily on servers located in these restricted countries without the knowledge of the sender.
“Presumably, the knowledge of a company’s IT staff or contractors would be attributed to the company,” stated a client alert from law firm Steptoe. “Therefore, compliance personnel should be in close communication with IT staff (whether internal or outsourced) about the network’s structure before relying on this rule.”
One important difference between the BIS and DDTC rules is that DDTC has not yet issued a final rule applying a comparable carve-out to ITAR-controlled technical data. DDTC said it will address that issue in a separate rulemaking.
Until that time, companies will need to continue to differentiate between how they treat ITAR-controlled technical data on the one hand and EAR-controlled technology and software on the other for purposes of cloud storage. “Companies that are ITAR registrants and may have ITAR-controlled technical data cannot at this point rely upon the decontrol to transfer or store encrypted data on servers outside the United States,” Gershberg says.
FREQUENTLY ASKED QUESTIONS
Below is a list of frequently asked questions regarding “activities that are not exports, reexports, or transfers.”
Q.1: What does “unclassified” mean in § 734.18?
A: “Unclassified information” refers to information not classified in accordance with Executive Order 13526, 75 FR 707; 3 CFR 2010 Comp., p. 298, or a comparable predecessor or successor order.
Q.2: What is the “encryption carve-out?”
A: The export control “carve-out for encrypted data” results from a number of changes in technology and software controls implemented as part of Export Control Reform. The changes affect export controls on cross-national transmission of technical data in the Export Administration Regulations, and also release of such data to foreign persons. While not referencing cloud applications directly, these changes will have a major positive effect on the management and use of many cloud services. Most applicable provisions may be found in § 734.18 of the EAR, “Activities that are not exports, reexports or transfers.”
Q.3: Why is FIPS 140-2 specified for the carve-out?
A: The Federal Information Processing Standards Publication 140-2 (“FIPS 140-2”) is a well-known set of cryptographic standards used for government procurement in the U.S. and Canada. It is intended to set a baseline for the quality of encryption eligible for the carve-out. Specifically, hardware and software modules (and by extension, algorithms) certified as compliant by the National Institute of Standards and Technology (NIST) would qualify. FIPS 140-2 can be found at the NIST website: http://csrc.nist.gov/groups/STM/cmvp/standards.html
Q.4: What level of security would qualify?
A: While FIPS 140-2 features four levels of security, § 734.18 does not specify what level is appropriate for a particular business environment. Moreover, the section references NIST publications as guidance for dimensions of cryptographic execution, such as key management, that are not referenced in FIPS 140-2 itself. The exporter is responsible for ensuring that modules and procedures implemented are sufficient to ensure protection of data within the context in which he or she operates.
Q.5: Is FIPS 140-2 the only cryptographic standard or approach that can be used for the carve-out?
A: No, and in fact the EAR specifically state that equally or more effective cryptographic means can be used. BIS recognizes that there are circumstances, such as cryptography developed for internal company use, that may be effective but that have never been subject to the NIST certification process. However, exporters must be sure that whatever standard and procedures are used are effective within the context in which the firm operates.
Source: Bureau of Industry and Security FAQs
Another way that companies can violate U.S. export regulations under the final rules is by releasing “access information” (cryptographic keys, passwords, network access codes, and the like) to a foreign national, including within the United States.
The BIS final rule codifies its long-standing policy that such an export is deemed to occur only to that person’s most recent country of citizenship or permanent residency, whereas the DDTC interim rule states that such an export is deemed to be an export to all countries in which the foreign national holds or has held citizenship or holds permanent residency.
Providing access information may require authorization, but the final rule clarifies that access information itself will not be controlled as a separate stand-alone item, distinct from the underlying data. Rather, the BIS final rule states that, “to the extent an authorization would be required to transfer technology or software, a comparable authorization is required to transfer access information if with the ‘knowledge’ that such transfer would result in the release of such technology or software without a required authorization.”
“Still, companies will need to be thoughtful about how to do this without linking the keys to the data in a way that could lead to unauthorized access,” the Steptoe client alert stated. “Great care will have to be taken in securing, or at least segregating, access information.”
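What the encryption carve-out and the access-information provision above mean in engineering terms is that the only thing the cloud provider, or anyone who compromises it, ever holds is ciphertext, while the key (the “access information”) is generated, stored and used inside the in-country security boundary and never travels with the data. The following Go program is an added illustration written for this page, not code from BIS, DDTC or any of the firms quoted. It encrypts a controlled file with AES-256-GCM before it leaves the boundary, hands only the resulting blob to a stand-in for the provider, and shows that the blob cannot be opened with the wrong key, after tampering, or under a different label. The `Blob`, `Seal`, `Open` and `ProviderStore` names, the sample label and the sample plaintext are all invented for the example. AES-GCM is a FIPS-approved algorithm, but Go’s standard library is not by itself a FIPS 140-2 validated module; whether a given implementation satisfies that prong, or the “equally or more effective” alternative, is the separate determination the rule leaves to the exporter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything that leaves the originator's in-country security
// boundary and is handed to the cloud provider: a storage label, the GCM
// nonce and the ciphertext. The key is deliberately not part of it.
// (Type and field names are assumptions made for this example.)
type Blob struct {
	Label      string // authenticated as associated data, not encrypted
	Nonce      []byte
	Ciphertext []byte // includes the 16-byte GCM authentication tag
}

// newAEAD builds an AES-256-GCM AEAD and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs inside the originator's boundary. It encrypts the controlled
// technology or software and binds the storage label to the ciphertext, so a
// blob that is moved or renamed by a third party will no longer decrypt.
func Seal(key []byte, label string, plaintext []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return Blob{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs inside the recipient's boundary. A wrong key, a modified
// ciphertext or a modified label all fail GCM authentication.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != aead.NonceSize() {
		return nil, errors.New("unexpected nonce length")
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Label))
}

// ProviderStore stands in for the cloud provider's object store. It only
// ever sees Blobs, so it has no way to produce plaintext.
type ProviderStore map[string]Blob

func (s ProviderStore) Put(b Blob) { s[b.Label] = b }

func (s ProviderStore) Get(label string) (Blob, bool) {
	b, ok := s[label]
	return b, ok
}

func main() {
	// The key is generated and held inside the originator's boundary
	// (in practice in a KMS or HSM) and is never sent with the data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample data; not real controlled technology.
	blob, err := Seal(key, "project-x/drawing-001", []byte("controlled design data"))
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}
	store.Put(blob)

	// Everything the provider holds: label, nonce, ciphertext. No key.
	stored, _ := store.Get("project-x/drawing-001")
	fmt.Printf("provider holds %d ciphertext bytes and no key\n", len(stored.Ciphertext))
	if _, err := Open(make([]byte, 32), stored); err != nil {
		fmt.Println("provider-side decryption attempt:", err)
	}

	// Only the holder of the access information recovers the data.
	pt, err := Open(key, stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovered: %q\n", pt)
}
```

Releasing `key` to a foreign person is the deemed export the rule describes, so in a real deployment the key lives in a separate key-management system with its own access control and audit log, and the object store holds nothing that references the key beyond an opaque identifier.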
The rule also clarifies that the victim of a database breach is not the one responsible for the resulting theft of the technology. The person who originally placed the technology in the database would be liable only if he or she knowingly allowed, or otherwise permitted, access to the encrypted data.
Both the BIS and DDTC rules also allow for the transfer of certain information between or among U.S. persons located outside the United States without the transfer being subject to licensing requirements under the EAR or ITAR. The scope of authorization under each rule differs, however, so companies must pay careful attention to what the BIS final rule or DDTC interim rule allows for a given transfer.
The EAR, for example, authorizes the transfer of technology or software between or among U.S. persons who are located in the same foreign country, so long as that technology or software isn’t released to a foreign person. Under the DDTC interim rule, foreign persons employed by the U.S. government or directly employed by a U.S. person authorized under an ITAR license or other approval to receive technical data in the United States may receive this same data while on temporary assignment abroad on behalf of their employer.
The DDTC interim rule clarifies that U.S. persons or authorized foreign persons located outside of the United States may rely on this exemption when accessing technical data stored on U.S. servers. To be eligible for this exemption, the technical data must be secured while abroad to prevent an unauthorized release.
With the issuance of the final rules, companies will want to ensure they have appropriate encryption and access control safeguards in place, paying particular attention to the specific restrictions laid out in the final rules. That includes knowing where your data is stored and where it will transit. Companies are also advised to ask cloud providers those questions and include provisions in contracts prohibiting the company’s data from being exported to or stored in specific countries subject to U.S. export controls.