The Department of Commerce’s Bureau of Industry and Security (BIS) today issued an interim rule on revised export controls pertaining to certain cybersecurity items and implementation of those controls. BIS requested comments addressing the impact of these controls on industry and the cybersecurity community. Those comments are to be received by December 6, 2021, and can be submitted through the Federal Rulemaking Portal. The new rule is to become effective on Monday, January 19, 2022*.
The rule will establish a new export control over certain items along with a new exception for Authorized Cybersecurity Exports (ACE). The ACE allows exports of the controlled items except in circumstances described in the rule.
Everything covered by this new interim rule, and the final rule in January, require a conscientious review of the proposed controls. It began with earlier attempts to define and control “intrusion software”, the technology of “development”, “production” or “use”, and “command and control” software. It led to a May 20, 2015, interim rule that was not finalized in favor of further negotiations of controls and outreach to industry. This interim rule is the result of further negotiation and is described by BIS as “limited scope” and, it believes, minimal impact. Given the nature of the changes, it’s important to look over the changes and submit comments to ensure that belief applies to your organization.
*Of course, these changes do not affect items subject to the ITAR. As the BIS interim rule notes, “[i]tems and services described on the U.S. Munitions List (USML) at ITAR § 121.1, including military training, technical data directly related to a defense article, and certain hardware and software specially designed for intelligence purposes, remain subject to the ITAR.”