As part of its years-long project to update and revise the International Traffic in Arms Regulations (ITAR) and better align them with the Export Control Regulations, the Department of State (DoS) recently amended the ITAR with an interim rule to address another group of amendments first proposed in June of 2015. The new rule defines a new term, ‘‘activities that are not exports, reexports, retransfers, or temporary imports,’’ by combining existing text from the regulations with new text regarding secured unclassified technical data. It also amends the ITAR to create a definition of ‘‘access information’’ and revise the definition of ‘‘release’’ to address the provision of access information to an unauthorized foreign person.
Activities that are not exports, reexports, retransfers, or temporary imports
The interim rule adds §120.54 to the ITAR to define “activities that are not exports, reexports, retransfers, or temporary imports” and do not require authorization from the DoS. The five types of activities that fall within this category—and are not controlled events requiring DoS authorization—include:
- Launching items into space. This activity is already excluded from the definition of an export in ITAR § 120.17(a)(6) and by statute, see 51 U.S.C. 50919(f), but in the interest of clarity the provision has been moved to § 120.54(a)(1), and the language has been simplified.
- Transferring or transmitting technical data to a U.S. person in the United States from a person in the United States. Again, while public comments suggested that it may not have been clear under the ITAR before, § 120.54(a)(2) makes clear that such an activity is unequivocally not a controlled event. (Any release to a foreign person in the United States remains a controlled event.)
- Transmitting or otherwise transferring within the same foreign country technical data between or among only U.S. persons, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data. Like those within the United States, transmissions or transfers of technical data between and among only U.S. persons in the same foreign country do not constitute controlled events, provided that they do not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data (e.g., a debarred person). § 120.54(a)(3).
- Shipping, moving, or transferring defense articles between or among the United States as defined in ITAR § 120.13. Under § 120.54(a)(4) it is not a controlled event to move a defense article between the states, possessions, and territories of the United States. Note that the ITAR definition of ‘‘United States’’ in § 120.13 applies and includes the states, the District of Columbia, and the territories and possessions of the United States.
- Sending, taking, or storing technical data that is: (i) Unclassified; (ii) Secured using end-to-end encryption; (iii) Secured using FIPS 140-2-compliant cryptographic modules (hardware or software) supplemented by NIST-compliant procedures and controls, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by AES– 128; (iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation (data in-transit via the internet is not deemed to be stored); and (v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation. DoS summarizes § 120.54(a)(5) as providing “that it is not a controlled event to send, take, or store unclassified technical data when it is effectively encrypted using end-to-end encryption.” In this regard, § 120.54(b)(1) defines “end-to-end encryption” as: (i) The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) The means of decryption are not provided to any third party. In other words, properly secured (by end-to-end encryption) electronic transmission or storage of unclassified technical data via foreign communications infrastructure does not constitute an export, reexport, retransfer, or temporary import requiring DoS authorization. Note, however, that even properly encrypted technical data cannot be intentionally sent to a person in or stored in a § 126.1 country or the Russian Federation.
As noted above, where these provisions are being moved from elsewhere in the ITAR, those other provisions have also been amended to reflect the change.
Defining “access information” and “release”
The new rule also adds a new § 120.55 to define ‘‘access information” as information that allows access to encrypted technical data in an unencrypted form. Examples include decryption keys, network access codes, and passwords. The release of technical data through access information requires DoS authorization to the same extent that such authorization is required to export unencrypted technical data.
Additionally, the DoS has amended ITAR § 120.50 in order to clarify what constitutes a “release” of technical data, a controlled event requiring authorization from the DoS, and the provision of access information that may result in the release of technical data. More particularly, the “release” of technical data includes: (i) using access information to cause or enable a foreign person to access, view, or possess technical data in unencrypted form § 120.50(a)(3); or (ii) using access information in a foreign country to cause technical data to be in unencrypted form, including when such actions are taken by U.S. persons abroad. In addition, the new § 120.50(b) clarifies that, while the provision of access information to a foreign person is not itself a controlled event for which the access information provider must get DoS authorization, an authorization for a release of technical data to a foreign person must be obtained before the access information may be provided to that foreign person, if that access information can cause or enable access, viewing, or possession of the unencrypted technical data.
The interim final rule takes effect on March 25, 2020, but, in light of the rule’s potential impact, DoS is providing another opportunity for the public to submit comments. Interested parties may submit comments by January 27, 2020.
While, generally speaking, updating the ITAR to address concerns about the release of unclassified technical data and ensure better consistency with the EAR is a laudable effort, the devil is, as always, in the details. It remains to be seen whether, even if this rule achieves better alignment between the ITAR and the EAR, the new ITAR provisions will aid or interfere with the current and evolving cybersecurity requirements that government contractors must meet.