The New Face Of ITAR Compliance For Your Business
On December 26, 2019, DDTC issued an Interim Final Ruling which outlined changes to the ITAR and significantly, to ITAR Encryption Rules.
My blog post, “When is an Export not an Export” (published 12/30/2019), discussed the Interim Final Ruling in general terms, along with the changes that would become effective on March 25, 2020.
Now that the Final Rule is in place and the changes are implemented, it is time to be more specific.
Additional Language to Existing Definitions and New Definitions Added
The Final Rule adds language to the definition of “Release” (§ 120.50). In addition, two new definitions are added to the ITAR: “activities that are not exports, reexports, retransfers, or temporary imports” (new § 120.54) and “access information” (new § 120.55). Lastly, two new sections (§ 120.52 and § 120.53) have been added but are reserved.
120.50 – “Release”
The following sections have been added:
- (a) (3) The use of access information to cause or enable a foreign person, including yourself, to access, view, or possess unencrypted technical data; or
- (a) (4) The use of access information to cause technical data outside of the United States to be in unencrypted form.
- (b) Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing, or possession of the unencrypted technical data.
- Section (a) is revised to state: “Retransfer, except as set forth in § 120.54, § 126.16, or § 126.17, means…”
120.54 (new) – “activities that are not exports, reexports, retransfers, or temporary imports”:
- 120.17(a)(6) is being moved to § 120.54(a)(1) (new) to consolidate further transactions that are not an export.
- 120.54(a)(2) (new) emphasizes that a transmission or other transfer between U.S. persons who are in the United States is unequivocally not a controlled event. However, any release to a foreign person remains a controlled event (defined as an export, reexport, retransfer, or temporary import, all of which require a DDTC license or other approval).
- 120.54(a)(3) (new) advises that transmissions or other transfers of technical data between and among only U.S. persons in the same foreign country are similarly not reexports or retransfers so long as they do not result in a release to a foreign person or an entity from a § 126.1 country.
- 120.54(a)(1) (new) instructs that it is not a controlled event to move a defense article between the states, possessions, and territories of the United States as defined in § 120.13.
- 120.54 (a)(5) (new) specifies that it is not a controlled event to send, take, or store unclassified technical data when it is effectively encrypted using end-to-end encryption. The qualifiers for § 120.54 (a)(5) are that the data is:
  - (i) Unclassified;
  - (ii) Secured using end-to-end encryption. End-to-end encryption is basically defined as:
    - The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and
    - The means of decryption are not provided to any third party.
    - Further clarification is provided in § 120.54 (a)(5):
      - The cryptographic protection must be applied before the data is sent outside of the originator’s security boundary and must remain undisturbed until it arrives within the security boundary of the intended recipient.
      - For communications between individuals, this can be accomplished by encrypting the data on the sender’s computer before emailing or otherwise sending it to the intended recipient.
      - For large entities, the security boundary may be managed by IT staff, who encrypt the data before it leaves the entity’s secure network and decrypt it on the way into the network.
  - (iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128); and
  - (iv) Not intentionally (as opposed to simply transiting en route to another country) sent to a person in, or stored in, a “proscribed” country identified in ITAR § 126.1 or the Russian Federation, and not sent from a § 126.1 “proscribed” country or the Russian Federation.
120.55 (new) – “access information”
- Information that allows access to encrypted technical data in an unencrypted form, such as decryption keys, network access codes, and passwords. Providing access information that releases technical data requires an export authorization to the same extent that one is required to export the technical data itself when it is not secured by encryption.
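The pattern behind § 120.54 (a)(5)(ii) and § 120.55, as an added Go example that is not part of the original post or of any DDTC material: the data is sealed with AES-256-GCM inside the originator’s boundary, only the ciphertext leaves, and a party holding the blob but not the key (the access information) cannot read it. The function names and the sample plaintext are constructed; whether the underlying module is FIPS 140-2 validated is a deployment question the code cannot settle.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmFor builds an AES-GCM AEAD; a 32-byte key is AES-256, above the AES-128 floor of (iii).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForTransit runs inside the originator's boundary: only nonce||ciphertext leaves, never the key.
func SealForTransit(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAtRecipient runs inside the recipient's boundary; without the key the GCM tag check fails.
func OpenAtRecipient(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice generate it with rand.Read in-boundary
	blob, _ := SealForTransit(key, []byte("unclassified technical data (constructed)"))
	_, err := OpenAtRecipient(make([]byte, 16), blob) // a cloud host with the blob but a wrong key
	fmt.Println("open without the key:", err)
}
```

Handing the key to a foreign person is the release the rule regulates; the ciphertext sitting on a provider’s storage is not.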
Changes and Differences from EAR § 734.18
The most significant and long-awaited change is new § 120.54 (a)(5). It more closely aligns or harmonizes the ITAR with the EAR provisions published in December 2017 (§ 734.18 – Activities that are not exports, reexports, or transfers). It is the differences between the two that need to be understood and observed.
The EAR prohibits intentionally storing export-controlled “technology” or “software” in a country listed in Country Group D:5 (see supplement no. 1 to part 740 of the EAR) or in the Russian Federation.
The ITAR prohibits intentionally sending technical data to a person in, or intentionally allowing technical data to be stored in, a “proscribed” country identified in ITAR § 126.1 or the Russian Federation, and further requires that the data not be sent from a § 126.1 “proscribed” country or the Russian Federation.
On February 11, 2020, DDTC published a handout entitled “Summary of Changes to International Traffic in Arms Regulations – Encryption Rule”. The handout contained some questions and answers. Synopsizing the answers:
Q. “Does this mean I can put all my ITAR stuff ‘on the cloud’ as of March 25, 2020?”
- Not all – unclassified technical data only. Classified technical data is not covered by new ITAR § 120.54, no matter the type of encryption. Additionally, even unclassified technical data cannot be intentionally stored in countries subject to restrictions under ITAR § 126.1 or the Russian Federation. So know your cloud provider and where they operate.
Q. “I’ve got properly encrypted unclassified ITAR tech data and I want to let a foreign person access that technical data. Do I need a license to send the access information to the foreign person so they can access it?”
- No, an approved export authorization is not required to send access information to a foreign person. However, the actual access of that technical data in an unencrypted form is an export, and there needs to be an authorization for the export of that technical data to that foreign person.
Q. “How do I know if my technical data is ‘properly secured’ using ‘end-to-end encryption’?”
- Technical data needs to be secured using a FIPS 140-2 compliant cryptographic module in accordance with National Institute for Standards and Technology (NIST) guidance, or by other methods that provide security strength at least comparable to the minimum 128 bits of AES-128.
Understand ITAR Rules For Your Company
The ITAR is now amended and the elements described in the Final Rule are in effect; it is now up to companies to review their compliance programs and implement policies and procedures that ensure compliance.
For assistance in how these new rules apply to you, please contact Export Solutions for a free consultation.
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.