On May 26, 2022, the Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Rule regarding export controls on certain cybersecurity items for national security and anti-terrorism reasons. Originally issued as an interim Final Rule in October 2021 (see Update of October 25, 2021), BIS implemented these export controls due to concern that certain cybersecurity items could be used for malicious cyber activities, such as surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it. While the controls went into effect on January 19, 2022, BIS did also request public comment.

As a result of limited public comment, in the Final Rule, BIS has made several changes and clarified the scope of this rule, including:

  • Under license exception Encryption Commodities, Software and Technology (ENC), the Final Rule adds a new end-use restriction so this license exception “is not authorized if the exporter, reexporter, or transferor ‘knows’ or has ‘reason to know’ at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that certain specified items will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems)”;
  • Under the new license exception Authorized Cybersecurity Exports (ACE), the Final Rule revises the definition of the term “Government end user” by adding a detailed illustrative list of end users that meet this definition;
  • Amends the terms ‘‘Less sensitive government end users’’ and ‘‘More sensitive government end users’’ to indicate that the terms apply to cybersecurity items;
  • Corrects an error made to ECCN 5D001 in the 2021 interim Final Rule. That rule inadvertently removed 5D001.e and this Final Rule restores 5D001.e.

This Final Rule is effective on May 26, 2022.