-
Start Preamble
AGENCY:
Bureau of Industry and Security, Commerce.
ACTION:
Interim final rule, with request for comments.
SUMMARY:
This interim final rule outlines the progress the United States has made in export controls pertaining to cybersecurity items, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community. Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.
Start Printed Page 58206DATES:
Effective date: This rule is effective January 19, 2022. Comments must be received by BIS no later than December 6, 2021.
ADDRESSES:
Comments on this rule may be submitted to the Federal rulemaking portal ( www.regulations.gov ). The regulations.gov ID for this rule is: BIS-2020-0038. Please refer to RIN 0694-AH56 in all comments.
All filers using the portal should use the name of the person or entity submitting the comments as the name of their files, in accordance with the instructions below. Anyone submitting business confidential information should clearly identify the business confidential portion at the time of submission, file a statement justifying nondisclosure and referring to the specific legal authority claimed, and also provide a non-confidential version of the submission.
For comments submitted electronically containing business confidential information, the file name of the business confidential version should begin with the characters “BC.” Any page containing business confidential information must be clearly marked “BUSINESS CONFIDENTIAL” on the top of that page. The corresponding non-confidential version of those comments must be clearly marked “PUBLIC.” The file name of the non-confidential version should begin with the character “P.” Any submissions with file names that do not begin with either a “BC” or a “P” will be assumed to be public and will be made publicly available through http://www.regulations.gov.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
For questions regarding the Export Control Classification Numbers (ECCNs) included in this rule or License Exception ACE, contact Aaron Amundson at 202-482-0707 or email Aaron.Amundson@bis.doc.gov.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
Background
In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for “intrusion software.” The controls included hardware and software controls on the command and delivery platforms for “intrusion software,” the technology for the “development,” “production” or “use” of the command and delivery platforms, and the technology for the “development” of “intrusion software.” On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls.
In response to the proposed rule, BIS received almost 300 comments that raised substantial concerns about the proposed rule's scope and the impact the proposed rule would have on legitimate cybersecurity research and incident response activities. BIS also conducted extensive outreach with the security industry, financial institutions, and government agencies that manage cybersecurity.
Comments on the previously published proposed rule focused on three main issues. First, many commenters asserted that the entries were overly broad, captured more than was intended, and, as a technical matter, failed to accurately describe the items intended for control. Second, many commenters asserted that the rule as written imposed a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity. Third, many commenters suggested that the proposed rule's control on technology for the “development” of “intrusion software” could cripple legitimate cybersecurity research.
Based on these comments, the United States decided against amending the proposed rule and instead returned to the WA in 2016 and 2017 to negotiate changes to the text. In December 2017, the WA published the changes that resulted from those negotiations. There were three significant changes: First, using “command and control” in the control language for both hardware and software addressed concerns from cybersecurity companies to more specifically control tools that can be used maliciously. Second, adding a note to the control entry for technology for the “development” of “intrusion software” that excludes from the entry “technology” that is exchanged for `vulnerability disclosure' or `cyber incident response'. Third, adding a note to the “software” generation, command and control, or delivery entry that excludes from this entry products designed and limited to providing basic software updates and upgrades.
BIS publishes this interim final rule to implement the WA 2017 decisions related to cybersecurity. The rule creates a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports, reexports and transfers (in-country) of cybersecurity items, as described in more detail below, which are not also controlled in Category 5—Part 2 of the CCL or for Surreptitious Listening (SL) reasons.
In addition, BIS authorizes certain IP network surveillance products under the same License Exception ACE. These items were also part of the May 20, 2015 proposed rule but received far fewer comments than the other items in that proposed rule. BIS believes that making these products eligible for License Exception ACE addresses concerns raised in the comments on the previously published proposed rule.
BIS believes this rule implements the WA decision of 2013, as amended in 2017, with regard to cybersecurity items and addresses the concerns expressed by industry and others about the previously published proposed rule. Further, because of the limited scope of this rule, BIS believes the impact would be minimal. However, to ensure full consideration of the potential impact of this rule, BIS seeks public comment on this interim final rule, including comments on the potential cost of complying with this rule, and any impacts this rule has on legitimate cybersecurity activities.
No items subject to the International Traffic in Arms Regulations (ITAR) are being transferred to the EAR by this rule. Items and services described on the U.S. Munitions List (USML) at ITAR § 121.1, including military training, technical data directly related to a defense article, and certain hardware and software specially designed for intelligence purposes, remain subject to the ITAR. For software directly related to a defense article, see ITAR § 120.10(a)(4) and the applicable technical data entry in each USML category. See EAR § 734.3(b) and ITAR § 120.5(a) for more on the relationship between the ITAR and EAR.
Specific Revisions
ECCNs 4A005 (new), 4D004 (new), 4E001.a and 4E001.c (new)
ECCNs 4A005 and 4D004 are added, as well as a new paragraph 4E001.c, as set forth in the amendments described below. In addition, the existing definition for “intrusion software” found in § 772.1 of the EAR applies to the new ECCNs. The entries include the 2017 WA notes: An exclusion Note in 4D004 for software specially designed Start Printed Page 58207 and limited to providing basic updates and upgrades and an exclusion Note for 4E001.c (as well as existing 4E001.a) for “vulnerability disclosure” or “cyber incident response.” These terms are added to part 772 and are further explained elsewhere in this preamble. This rule also adds a Note 2 to 4E001.a and .c to clarify that BIS can request information on items decontrolled by Note 1 to ensure compliance with the controls. BIS does not intend this note to require any additional compliance measures beyond what is otherwise required by the EAR. “Software” and “technology” “published” in the public domain and meeting the requirements of § 734.7 of the EAR are not subject to the EAR.
ECCN 5A001.j “IP network communications surveillance systems or equipment . . .”
Paragraph 5A001.j “IP network communications surveillance systems or equipment . . .” is added to ECCN 5A001. License Exception ACE eligibility is added for 5A001.j in part 740 “License Exception.” License Exception STA conditions are revised to remove eligibility for 5A001.j to destinations listed in Country Groups A:5 and A:6 (see Supplement No. 1 to part 740 of the EAR for Country Groups). License Exceptions GBS and LVS are also revised to remove eligibility for those license exceptions.
Overlap With Category 5—Part 2 (“Information Security”)
When a cybersecurity item also incorporates particular “information security” functionality specified in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3 Category 5—Part 2 of the CCL in Supplement No. 1 to part 774 of the EAR, these Category 5—Part 2 ECCNs prevail, provided the controlled “information security” functionality remains present and usable within the cybersecurity end item or executable “software.” Category 5—Part 2 does not apply to elements of source code or “technology” that implement functionality controlled in another Category, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent.
Surreptitious Listening (SL) Controls
All items subject to the EAR that are controlled for Surreptitious Listening (SL) reasons under another ECCN not added by this rule will continue to be classified under the SL ECCN. The WA control list changes related to “intrusion software” and IP network communications surveillance systems do not affect or change any EAR provision regarding communications intercepting devices, “software” or “technology”, or any SL control (see § 742.13 of the EAR). If a circumstance arises where the item meets the control for national security (NS) because it meets the cybersecurity parameters, encryption item (EI) parameters, and SL parameters, then the control with the most restrictive licensing requirements applies, which would be SL control, because SL has worldwide control.
§ 740.22 License Exception Authorized Cybersecurity Exports (ACE)
BIS is also establishing a new License Exception Authorized Cybersecurity Exports (ACE). This license exception, will appear in new § 740.22 of the EAR, is necessary to avoid impeding legitimate cybersecurity research and incident response activities. Cybersecurity items in the wrong hands raise both national security and foreign policy concerns. This license exception starts with a definition section that defines cybersecurity items, digital artifacts, favorable treatment cybersecurity end user, and government end user (for the purpose of § 740.22 only). `Cybersecurity Items' are defined in § 740.22 as ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)).
License Exception ACE allows the export, reexport and transfer (in-country) of `cybersecurity items' to most destinations, except to destinations listed in Country Groups E:1 and E:2 of supplement no. 1 to part 740.
There are two types of end-user restrictions. Restricted end users include a `government end user,' as defined in § 740.22, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740, or a non-government end user located in a country listed in Country Group D:1 or D:5. For deemed exports, the `government end user' restriction applies, but not the `non-government end user' restriction.
There are exclusions to the end-user restrictions. The restriction on `government end users' does not apply to exports, reexports, and transfers (in-country) to Country Group D countries that are also listed in Country Group A:6, which includes Cyprus (A:6 and D:5), Israel (A:6 and D:2-4), and Taiwan (A:6 and D:3), of `digital artifacts' that are related to a cybersecurity incident involving information systems owned or operated by a `favorable treatment cybersecurity end user,' or to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents. In addition, the restriction does not apply to exports, reexports, and transfers (in-country) to national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 of `cybersecurity items' for purposes of responding to cybersecurity incidents, for purposes of `vulnerability disclosure', or for purposes of criminal investigations or prosecutions of such cybersecurity incidents. For exports, reexports, or transfers (in-country) to `government end-users' under License Exception ACE, there is no exclusion for activities related to “vulnerability disclosure” and “cyber incident response.” However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excludes “vulnerability disclosure” and “cyber incident response” from control under 4E001.a or .c. The 4E001 exclusion note applies regardless of the type of end user and is unaffected by the restrictions in License Exception ACE.
The restriction on non-government end users in Country Group D:1 or D:5 does not apply to exports, reexports or transfers (in-country) of cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c to any `favorable treatment cybersecurity end user.' In addition, this restriction does not apply to “vulnerability disclosure” or “cyber incident response.”
Lastly, License Exception ACE has an end-use restriction. License Exception ACE is not authorized if the exporter, reexporter, or transferor knows or has reason to know at the time of export, reexport, or transfer (in-country), including a deemed export or reexport, that the `cybersecurity item' will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems).
Part 772—Definitions of Terms
BIS adds to § 772.1 the WA definitions for “cyber incident response,” and “vulnerability disclosure”, which are used in Category 4, new paragraph 4E001.c. Start Printed Page 58208
Conforming Changes
Because of the addition of the cybersecurity items to the CCL, some conforming changes need to occur. Notes are added to Category 4 and Category 5—Part 1 to address the overlap between these entries and other entries on the CCL, as further explained below.
Notes 3 and 4 to Category 4
To clarify the scope of existing entries in Category 5, Notes 3 and 4 are added to Category 4 stating that cybersecurity items that are specified by certain ECCNs in Category 5—Part 2 or in an ECCN controlled for SL reasons in Category 5—Part 1 would continue to be classified in those ECCNs instead of the new cybersecurity ECCN. In addition, these cybersecurity items are eligible for the license exceptions and are subject to the licensing policies applicable to those entries in Category 5—Part 2 or in the SL-controlled ECCNs.
ECCN 4D001 “Software”
Paragraph 4D001.a is revised to include 4A005. License Exception ACE eligibility is added for 4D001.a and License Exception STA special conditions are revised to include the ineligibility of software specified in 4D001.a “specially designed” for the “development” or “production” of equipment specified by ECCN 4A005 to Country Groups A:5 and A:6.
ECCN 4E001 “Technology”
In addition to the revision that adds 4E001.c, License Exception ACE eligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c. License Exception STA ineligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c to destinations listed in Country Groups A:5 and A:6.
Notes 3 and 4 to Category 5—Part 1
To clarify the scope of these entries and existing entries in Category 5 Parts 1 and 2, Notes 3 and 4 are added to Category 5—Part 1 identifying that cybersecurity items controlled in certain Category 5—Part 2 ECCNs will remain controlled in Category 5—Part 2 and are eligible for the license exceptions and are subject to the licensing policies applicable to those ECCNs. In addition, cybersecurity items specified in an ECCN controlled for SL reasons in Category 5—Part 1 continue to be classified in those ECCNs instead of the new cybersecurity ECCN.
ECCN 5B001 Telecommunication Test, Inspection and Production Equipment, “Components” and “Accessories”
License Exception ACE eligibility is added for 5B001.a (for equipment and “specially designed” “components” or “accessories” therefor, “specially designed” for the “development” or “production” of equipment, functions or features, controlled by 5A001.j). License Exception STA conditions are revised to remove eligibility for 5B001.a (for equipment and “specially designed” “components” or “accessories” therefor, “specially designed” for the “development” or “production” of equipment, functions or features, controlled by 5A001.j) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exceptions LVS and GBS are revised to remove eligibility for 5B001.a (for 5A001.j).
ECCN 5D001 “Software”
License Exception ACE eligibility is added for 5D001.a (for equipment, functions or features specified by 5A001.j) and 5D001.c (for equipment specified by 5A001.j or 5B001.a). License Exception STA conditions are revised to remove eligibility for 5D001.a (for equipment, functions or features specified by 5A001.j) and 5D001.c (for equipment specified by 5A001.j or 5B001.a) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exception TSR is revised to remove eligibility for “software” classified under ECCN 5D001.a (for 5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ECCN 5E001 “Technology”
License Exception ACE eligibility is added for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). License Exception STA conditions is revised to remove eligibility for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exception TSR is revised to remove eligibility for “technology” classified under ECCN 5E001.a for 5A001.j, 5B001.a (for 5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ECCN 5A004 “Systems,” “Equipment” and “Components” for Defeating, Weakening or Bypassing “Information Security”
This rule also amends ECCN 5A004 to add 4A005 to 5A004.b. This is done to harmonize with the WA Dual-Use List now that ECCN 4A005 has been added to the CCL.
§ 740.11 Governments, International Organizations, International Inspections Under the Chemical Weapons Convention, and the International Space Station (GOV)
License Exception GOV is amended to exclude cybersecurity items, as defined in § 740.22 License Exception ACE, from paragraph (c) of License Exception GOV. As such, this rule revises paragraph (c)(3)(vi) to remove “or” and to revise paragraph (c)(3)(vii) to replace the period with a semi-colon and “or.” Lastly, paragraph (c)(3)(viii) is added to exclude “cybersecurity items as defined in § 740.22(b)(1) of the EAR.”
Export Control Reform Act of 2018
On August 13, 2018, the President signed into law the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. Sections 4801-4852. ECRA provides the legal basis for BIS's principal authorities and serves as the authority under which BIS issues this proposed rule.
Executive Order Requirements
Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This interim final rule has been designated a “significant regulatory action” under Executive Order 12866.
This rule does not contain policies with Federalism implications as that term is defined under Executive Order 13132.
Paperwork Reduction Act Requirements
This rule involves collections of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq. ) under the following information collection approved by the Office of Start Printed Page 58209 Management and Budget (OMB): 0694-0088, “Multi-Purpose Application,” and carries a burden hour estimate of 29.6 minutes for a manual or electronic submission. BIS will be updating this information collection to account for the increase in burden hours.
For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 5A004, 5D001, 5E001), the 2020 data from the Automated Export System (AES) shows 980 shipments valued at $39,146,164. Of those shipments, 120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 countries, which would make them ineligible for License Exception ACE. There were no shipments to Country Group E:1 or E:2. Under the provisions of this rule, the 120 shipments require a license application submission to BIS.
As there is no specific ECCN data in AES for the new export controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS uses other data to estimate the number of shipments of these new ECCNs that will require a license. Bureau of Economic Analysis (BEA) data from 2019 show a total dollar value of $55,657 million for Telecom, Computer, and Information Technology Services exports. Multiplying this value by 12.1% (the percentage of all exports that are subject to an EAR license requirement as determined by using AES data) suggests that $6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR license requirements. Based on AES data on the existing ECCNs affected by this rule, BIS estimates the average value of each shipment for the new ECCNs at about $40,000, and further estimates that 0.6% of all new ECCN shipments (1,010 shipments) are now eligible for License Exception ACE and 0.03% of all new ECCN shipments (50 shipments) require a license application submission.
Therefore, the annual total estimated cost associated with the paperwork burden imposed by this rule (that is, the projected increase of license application submissions based on the additional shipments requiring a license) is estimated to be 170 new applications × 29.6 minutes = 5,032/60 min = 84 hours × $30 = $2,520.
There is no paperwork submission to BIS associated with using License Exception ACE, and therefore there is no increase to any paperwork burden or information collection cost associated with License Exception ACE requirements in this rule.
Any comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, may be submitted online at https://www.reginfo.gov/public/do/PRAMain. Find the particular information collection by using the search function and entering either the title of the collection, “Multi-Purpose Application,” or the OMB Control Number, 0694-0088.
Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB Control Number.
Administrative Procedure Act and Regulatory Flexibility Act Requirements
Pursuant to Section 4821 of ECRA, this action is exempt from the Administrative Procedure Act (5 U.S.C. 553) requirements for notice of proposed rulemaking and opportunity for public participation.
Further, no other law requires notice of proposed rulemaking or opportunity for public comment for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required under the Administrative Procedure Act or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq. ) are not applicable. Notwithstanding, BIS believes this interim final rule would benefit from public comment on the impact of the control text and the usefulness of the new License Exception ACE.
Start List of SubjectsList of Subjects
15 CFR Part 740
- Administrative practice and procedure
- Exports
- Reporting and recordkeeping requirements
15 CFR Part 772
- Exports
15 CFR Part 774
- Exports
- Reporting and recordkeeping requirements
Accordingly, parts 740, 772, and 774 of the Export Administration Regulations (15 CFR parts 730 through 774) are amended as follows:
Start PartPART 740—[AMENDED]
End Part Start Amendment Part1. The authority citation for part 740 continues to read as follows:
End Amendment Part Start Amendment Part2. Section 740.11 is amended by revising paragraphs (c)(3)(vi) and (vii) and adding paragraph (c)(3)(viii) to read as follows:
End Amendment PartGovernments, international organizations, international inspections under the Chemical Weapons Convention, and the International Space Station (GOV).* * * * *(c) * * *
(3) * * *
(vi) Items controlled for nuclear nonproliferation (NP) reasons;
(vii) Items listed as not eligible for License Exception STA in § 740.20(b)(2)(ii) of the EAR; or
(viii) Cybersecurity items as defined in § 740.22(b)(1) of the EAR.
* * * * *3. Section 740.22 is added to read as follows:
End Amendment PartAuthorized Cybersecurity Exports (ACE).(a) Scope. License Exception ACE authorizes export, reexport, and transfer (in-country), including deemed exports and reexports, of `cybersecurity items,' as set forth in paragraph (b) of this section, subject to the restrictions set forth in paragraph (c) of this section. Deemed exports and reexports are authorized under this license exception, except for deemed exports or reexports to E:1 and E:2 nationals as described in paragraph (c)(1)(i) of this section, to certain `government end-users' as described in paragraph (c)(1)(ii) of this section, and subject to the end-use restrictions described in paragraph (c)(2) of this section. Even if License Exception ACE is not available for a particular transaction, other license exceptions may be available. For example, License Exception GOV (§ 740.11 of the EAR) authorizes certain exports to U.S. government agencies and personnel. License Exception TMP (§ 740.9(a)(1) of the EAR) authorizes the export, reexport, and transfer (in country) of tools of the trade in certain situations.
(b) Definitions. The following terms and definitions are for the purpose of License Exception ACE only.
(1) Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)).
(2) Digital artifacts are items ( e.g., “software” or “technology”) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, Start Printed Page 58210 or other effects on, that information system.
(3) Favorable treatment cybersecurity end user is any of the following:
(i) A “U.S. subsidiary”;
(ii) Providers of banking and other financial services;
(iii) Insurance companies; or
(iv) Civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research.
(4) Government end user, for the purpose of § 740.22, is a national, regional or local department, agency or entity that provides any governmental function or service, including international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity. This term includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services, controlled on the Wassenaar Arrangement Munitions List.
(c) Restrictions. License Exception ACE exports, reexports, or transfers (in-country) of `cybersecurity items' are subject to the restrictions of this paragraph (c).
(1) Destination or end-user restrictions. License Exception ACE does not authorize deemed exports under paragraph (c)(1)(i) or (ii) of this section.The restrictions in paragraphs (c)(1)(i) and (ii) apply to activities, including exports, reexports, and transfers (in-country), related to “vulnerability disclosure” and “cyber incident response.” However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excludes “vulnerability disclosure” and ”cyber incident response” from control under 4E001.a or .c.
(i) A destination that is listed in Country Group E:1 or E:2 in supplement no.1 to part 740 of the EAR.
(ii) A government end user, as defined in this section, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740. This restriction does not apply to:
(A) Exports, reexports, and transfers (in-country) to Country Group D countries that are also listed in Country Group A:6 of `digital artifacts' that are related to a cybersecurity incident involving information systems owned or operated by a `favorable treatment cybersecurity end user', or to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or
(B) Exports, reexports, and transfers (in-country) to national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 of `cybersecurity items' for purposes of responding to cybersecurity incidents, for purposes of `vulnerability disclosure', or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
(iii) A non-government end user located in any country listed in Country Group D:1 or D:5 of Supplement No. 1 to part 740 of the EAR. This restriction does not apply to:
(A) Exports, reexports or transfers (in-country) of cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c, to any `favorable treatment cybersecurity end user;'
(B) “Vulnerability disclosure” or “cyber incident response;”or
(C) Deemed exports.
(2) End-use restrictions. License Exception ACE is not authorized if the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that the `cybersecurity item' will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems).
PART 772—[AMENDED]
End Part Start Amendment Part4. The authority citation for part 772 is revised to read as follows:
End Amendment Part Start Amendment Part5. Section 772.1 is amended by adding the definitions for “cyber incident response”, and “vulnerability disclosure” to read as follows:
End Amendment PartDefinitions of terms as used in the Export Administration Regulations (EAR).* * * * *Cyber incident response. (§ 740.22, Cat 4) means the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.
* * * * *Vulnerability disclosure. (§ 740.22, Cat 4) means the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.
* * * * *PART 774—[AMENDED]
End Part Start Amendment Part6. The authority citation for part 774 continues to read as follows:
End Amendment PartSupplement No. 1 to Part 774—[Amended]
Start Amendment Part7. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding Notes 3 and 4 to the beginning of the category to read as follows:
End Amendment PartCategory 4—Computers
* * * * *Note 3: Commodities and “software” in ECCNs 4A005 and 4D004 that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain controlled in Category 5—Part 2 by those entries. Category 5—Part 2 does not apply to elements of source code that implement functionality controlled by these Category 4 ECCNs, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent.
Note 4: Items in ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, and “technology” specified in ECCN 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c that are also controlled for Surreptitious Listening (SL) reasons under another ECCN, will continue to be classified under the SL ECCN.
Start Amendment Part8. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding ECCN 4A005 after ECCN 4A004 to read as follows:
End Amendment PartSupplement No. 1 to Part 774—The Commerce Control List
* * * * *4A005 “Systems,” “equipment,” and “components” therefor, “specially designed” or modified for the generation, command and control, or delivery of “intrusion software”.
License Requirements
Reason for Control: NS, AT
Start Printed Page 58211Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
LVS: N/A
GBS: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship items specified by ECCN 4A005.
List of Items Controlled
Related Controls: Defense articles described in USML Category XI(b), and software directly related to a defense article, are “subject to the ITAR”; see § 120.10(a)(4).
Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN heading.
Start Amendment Part9. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4D001 is revised to read as follows:
End Amendment Part4D001 “Software” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, CC, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. CC applies to “software” for computerized finger-print equipment controlled by 4A003 for CC reasons CC Column 1. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
TSR: Yes, except for “software” for the “development” or “production” of the following:
(1) Commodities with an “Adjusted Peak Performance” (“APP”) exceeding 29 WT; or
(2) Commodities controlled by 4A005 or “software” controlled by 4D004.
APP: Yes to specific countries (see § 740.7 of the EAR for eligibility criteria).
ACE: Yes for 4D001.a (for the “development”, “production” or “use” of equipment or “software” specified in ECCN 4A005 or 4D004), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit “software” “specially designed” or modified for the “development” or “production” of equipment specified by ECCN 4A001.a.2 or for the “development” or “production” of “digital computers” having an `Adjusted Peak Performance' (`APP') exceeding 29 Weighted TeraFLOPS (WT) to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); and may not be used to ship or transmit “software” specified in 4D001.a “specially designed” for the “development” or “production” of equipment specified by ECCN 4A005 to any of the destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: Software described in USML Category XI(b), and software directly related to a defense article, is “subject to the ITAR”; see § 120.10(a)(4).
Related Definitions: N/A
Items:
a. “Software” “specially designed” or modified for the “development” or “production”, of equipment or “software” controlled by 4A001, 4A003, 4A004, 4A005 or 4D (except 4D980, 4D993 or 4D994).
b. “Software”, other than that controlled by 4D001.a, “specially designed” or modified for the “development” or “production” of equipment as follows:
b.1. “Digital computers” having an “Adjusted Peak Performance” (“APP”) exceeding 15 Weighted TeraFLOPS (WT);
b.2. “Electronic assemblies” “specially designed” or modified for enhancing performance by aggregation of processors so that the “APP” of the aggregation exceeds the limit in 4D001.b.1.
Start Amendment Part10. In Supplement No. 1 to Part 774, Category 4 is amended by adding ECCN 4D004 after ECCN 4D001 to read as follows:
End Amendment Part4D004 “Software” “specially designed” or modified for the generation, command and control, or delivery of “intrusion software.”
License Requirements
Reason for Control: NS, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. AT applies to entire entry AT Column 1. List Based License Exceptions (See Part 740 for a description of all license exceptions)
TSR: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit “software” specified by ECCN 4D004.
List of Items Controlled
Related Controls: Software described in USML Category XI(b), and software directly related to a defense article, is “subject to the ITAR”; see § 120.10(a)(4).
Related Definitions: N/A
Items:
The list of items controlled is contained in the ECCN heading.
Note: 4D004 does not apply to “software” specially designed and limited to provide “software” updates or upgrades meeting all the following:
a. The update or upgrade operates only with the authorization of the owner or administrator of the system receiving it; and
b. After the update or upgrade, the “software” updated or upgraded is not any of the following:
1. “Software” specified by 4D004; or
2. “Intrusion software.”
Start Amendment Part11. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4E001 is revised to read as follows:
End Amendment Part4E001 “Technology” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, MT, CC, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. MT applies to “technology” for items controlled by 4A001.a and 4A101 for MT reasons MT Column 1. CC applies to “software” for computerized finger-print equipment controlled by 4A003 for CC reasons CC Column 1. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
TSR: Yes, except for the following:
(1) “Technology” for the “development” or “production” of commodities with an “Adjusted Peak Performance” (“APP”) exceeding 29 WT or for the “development” or “production” of commodities controlled by 4A005 or “software” controlled by 4D004; or
(2) “Technology” for the “development” of “intrusion software”. Start Printed Page 58212
APP: Yes to specific countries. See § 740.7 of the EAR for eligibility criteria.
ACE: Yes for 4E001.a (for the “development”, “production” or “use” of equipment or “software” specified in ECCN 4A005 or 4D004) and for 4E001.c, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit “technology” according to the General Technology Note for the “development” or “production” of any of the following equipment or “software”: a. Equipment specified by ECCN 4A001.a.2; b. “Digital computers” having an `Adjusted Peak Performance' (`APP') exceeding 29 Weighted TeraFLOPS (WT); or c. “software” specified in the License Exception STA paragraph found in the License Exception section of ECCN 4D001 to any of the destinations listed in Country Group A:6 (See Supplement No. 1 to part 740 of the EAR); and may not be used to ship or transmit “software” specified in 4E001.a (for the “development”, “production” or “use” of equipment or “software” specified in ECCN 4A005 or 4D004) and 4E001.c to any of the destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: Military training of foreign units and forces (see ITAR § 120.9(a)(3)), and technical data (see ITAR § 120.10) directly related to a defense article, are “subject to the ITAR.”
Related Definitions: N/A
Items:
a. “Technology” according to the General Technology Note, for the “development”, “production”, or “use” of equipment or “software” controlled by 4A (except 4A980 or 4A994) or 4D (except 4D980, 4D993, 4D994).
b. “Technology” according to the General Technology Note, other than that controlled by 4E001.a, for the “development” or “production” of equipment as follows:
b.1. “Digital computers” having an “Adjusted Peak Performance” (“APP”) exceeding 15 Weighted TeraFLOPS (WT);
b.2. “Electronic assemblies” “specially designed” or modified for enhancing performance by aggregation of processors so that the “APP” of the aggregation exceeds the limit in 4E001.b.1.
c. “Technology” for the “development” of “intrusion software.”
Note 1: 4E001.a and 4E001.c do not apply to “vulnerability disclosure” or “cyber incident response”.
Note 2: Note 1 does not diminish national authorities' rights to ascertain compliance with 4E001.a and 4E001.c.
Start Amendment Part12. In Supplement No. 1 to Part 774, Category 5—Part 1 is amended by adding Notes 3 and 4 to the beginning of the Category after Note 2 to read as follows:
End Amendment PartCategory 5—Telecommunications and “Information Security”
Part 1—Telecommunications
Notes: * * *
3. Commodities in ECCN 5A001.j, and related “software” specified in 5D001.c (for 5A001.j) that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain controlled in Category 5—Part 2 by those entries. Category 5—Part 2 does not apply to elements of source code that implement functionality controlled by these Category 5 Part 1 ECCNs, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent.
4. Items in ECCN 5A001.j, 5B001.a (for 5A001.j), related “software” specified in 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) and related “technology” specified in ECCN 5E001.a (for 5A001.j and 5D001.a (for 5A001.j)) that are also controlled for Surreptitious Listening (SL) reasons under another ECCN, will continue to be classified under the SL ECCN.
* * * * *Start Amendment Part13. In Supplement No. 1 to Part 774, Category 5—Part 1, ECCN 5A001 is revised to read as follows:
End Amendment Part5A001 Telecommunications systems, equipment, “components” and “accessories,” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to 5A001.a, b.5, .e, .f.3, .h NS Column 1. NS applies to 5A001.b (except .b.5), .c, .d, .f (except f.3), .g, and .j NS Column 2. SL applies to 5A001.f.1 A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
LVS: N/A for 5A001.a, b.5, .e, f.3, .h and .j; $5000 for 5A001.b.1, .b.2, .b.3, .b.6, .d, f.2, f.4, and .g; $3000 for 5A001.c.
GBS: Yes, except 5A001.a, .b.5, .e, .h and .j.
ACE: Yes for 5A001.j, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria
Special Conditions for STA
STA: License Exception STA may not be used to ship any commodity in 5A001.j to any of the destinations listed in Country Group A:5 or A:6 (See Supplement No. 1 to part 740 of the EAR), or any commodity in 5A001.b.3, .b.5 or .h to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR).
List of Items Controlled
Related Controls: (1) See USML Category XI for controls on direction-finding “equipment” including types of “equipment” in ECCN 5A001.e and any other military or intelligence electronic “equipment” that is “subject to the ITAR.” (2) See USML Category XI(a)(4)(iii) for controls on electronic attack and jamming “equipment” defined in 5A001.f and .h that are subject to the ITAR. (3) See also ECCNs 5A101, 5A980, and 5A991.
Related Definitions: N/A
Items:
a. Any type of telecommunications equipment having any of the following characteristics, functions or features:
a.1. “Specially designed” to withstand transitory electronic effects or electromagnetic pulse effects, both arising from a nuclear explosion;
a.2. Specially hardened to withstand gamma, neutron or ion radiation;
a.3. “Specially designed” to operate below 218 K (−55 °C); or
a.4. “Specially designed” to operate above 397 K (124 °C);
Note: 5A001.a.3 and 5A001.a.4 apply only to electronic equipment.
b. Telecommunication systems and equipment, and “specially designed” “components” and “accessories” therefor, having any of the following characteristics, functions or features:
b.1 Being underwater untethered communications systems having any of the following:
b.1.a. An acoustic carrier frequency outside the range from 20 kHz to 60 kHz;
b.1.b. Using an electromagnetic carrier frequency below 30 kHz; or
b.1.c. Using electronic beam steering techniques; or Start Printed Page 58213
b.1.d. Using “lasers” or light-emitting diodes (LEDs), with an output wavelength greater than 400 nm and less than 700 nm, in a “local area network”;
b.2. Being radio equipment operating in the 1.5 MHz to 87.5 MHz band and having all of the following:
b.2.a. Automatically predicting and selecting frequencies and “total digital transfer rates” per channel to optimize the transmission; and
b.2.b. Incorporating a linear power amplifier configuration having a capability to support multiple signals simultaneously at an output power of 1 kW or more in the frequency range of 1.5 MHz or more but less than 30 MHz, or 250 W or more in the frequency range of 30 MHz or more but not exceeding 87.5 MHz, over an “instantaneous bandwidth” of one octave or more and with an output harmonic and distortion content of better than −80 dB;
b.3. Being radio equipment employing “spread spectrum” techniques, including “frequency hopping” techniques, not controlled in 5A001.b.4 and having any of the following:
b.3.a. User programmable spreading codes; or
b.3.b. A total transmitted bandwidth which is 100 or more times the bandwidth of any one information channel and in excess of 50 kHz;
Note: 5A001.b.3.b does not control radio equipment “specially designed” for use with any of the following:
a. Civil cellular radio-communications systems; or
b. Fixed or mobile satellite Earth stations for commercial civil telecommunications.
Note: 5A001.b.3 does not control equipment operating at an output power of 1 W or less.
b.4. Being radio equipment employing ultra-wideband modulation techniques, having user programmable channelizing codes, scrambling codes, or network identification codes and having any of the following:
b.4.a. A bandwidth exceeding 500 MHz; or
b.4.b. A “fractional bandwidth” of 20% or more;
b.5. Being digitally controlled radio receivers having all of the following:
b.5.a. More than 1,000 channels;
b.5.b. A `channel switching time' of less than 1 ms;
b.5.c. Automatic searching or scanning of a part of the electromagnetic spectrum; and
b.5.d. Identification of the received signals or the type of transmitter; or
Note: 5A001.b.5 does not control radio equipment “specially designed” for use with civil cellular radio-communications systems.
Technical Note: `Channel switching time': the time (i.e., delay) to change from one receiving frequency to another, to arrive at or within ±0.05% of the final specified receiving frequency. Items having a specified frequency range of less than ±0.05% around their center frequency are defined to be incapable of channel frequency switching.
b.6. Employing functions of digital “signal processing” to provide 'voice coding' output at rates of less than 700 bit/s.
Technical Notes:
1. For variable rate 'voice coding', 5A001.b.6 applies to the 'voice coding' output of continuous speech.
2. For the purpose of 5A001.b.6, `voice coding' is defined as the technique to take samples of human voice and then convert these samples of human voice into a digital signal taking into account specific characteristics of human speech.
c. Optical fibers of more than 500 m in length and specified by the manufacturer as being capable of withstanding a `proof test' tensile stress of 2 × 109 N/m2 or more;
N.B.: For underwater umbilical cables, see 8A002.a.3.
Technical Note: `Proof Test': on-line or off-line production screen testing that dynamically applies a prescribed tensile stress over a 0.5 to 3 m length of fiber at a running rate of 2 to 5 m/s while passing between capstans approximately 150 mm in diameter. The ambient temperature is a nominal 293 K (20 °C) and relative humidity 40%. Equivalent national standards may be used for executing the proof test.
d. “Electronically steerable phased array antennae” as follows:
d.1. Rated for operation above 31.8 GHz, but not exceeding 57 GHz, and having an Effective Radiated Power (ERP) equal to or greater than +20 dBm (22.15 dBm Effective Isotropic Radiated Power (EIRP));
d.2. Rated for operation above 57 GHz, but not exceeding 66 GHz, and having an ERP equal to or greater than +24 dBm (26.15 dBm EIRP);
d.3. Rated for operation above 66 GHz, but not exceeding 90 GHz, and having an ERP equal to or greater than +20 dBm (22.15 dBm EIRP);
d.4. Rated for operation above 90 GHz;
Note 1: 5A001.d does not control `electronically steerable phased array antennae' for landing systems with instruments meeting ICAO standards covering Microwave Landing Systems (MLS).
Note 2: 5A001.d does not apply to antennae specially designed for any of the following:
a. Civil cellular or WLAN radio-communications systems;
b. IEEE 802.15 or wireless HDMI; or
c. Fixed or mobile satellite earth stations for commercial civil telecommunications.
Technical Note: For the purposes of 5A001.d `electronically steerable phased array antenna' is an antenna which forms a beam by means of phase coupling, (i.e., the beam direction is controlled by the complex excitation coefficients of the radiating elements) and the direction of that beam can be varied (both in transmission and reception) in azimuth or in elevation, or both, by application of an electrical signal.
e. Radio direction finding equipment operating at frequencies above 30 MHz and having all of the following, and “specially designed” “components” therefor:
e.1. “Instantaneous bandwidth” of 10 MHz or more; and
e.2. Capable of finding a Line Of Bearing (LOB) to non-cooperating radio transmitters with a signal duration of less than 1 ms;
f. Mobile telecommunications interception or jamming equipment, and monitoring equipment therefor, as follows, and “specially designed” “components” therefor:
f.1. Interception equipment designed for the extraction of voice or data, transmitted over the air interface;
f.2. Interception equipment not specified in 5A001.f.1, designed for the extraction of client device or subscriber identifiers ( e.g., IMSI, TIMSI or IMEI), signaling, or other metadata transmitted over the air interface;
f.3. Jamming equipment “specially designed” or modified to intentionally and selectively interfere with, deny, inhibit, degrade or seduce mobile telecommunication services and performing any of the following:
f.3.a. Simulate the functions of Radio Access Network (RAN) equipment;
f.3.b. Detect and exploit specific characteristics of the mobile telecommunications protocol employed ( e.g., GSM); or
f.3.c. Exploit specific characteristics of the mobile telecommunications protocol employed ( e.g., GSM);
f.4. Radio Frequency (RF) monitoring equipment designed or modified to identify the operation of items specified in 5A001.f.1, 5A001.f.2 or 5A001.f.3.
Note: 5A001.f.1 and 5A001.f.2 do not apply to any of the following:
a. Equipment “specially designed” for the interception of analog Private Mobile Radio (PMR), IEEE 802.11 WLAN;
b. Equipment designed for mobile telecommunications network operators; or
c. Equipment designed for the “development” or “production” of mobile telecommunications equipment or systems.
N.B. 1: See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120-130). For items specified by 5A001.f.1 (including as previously specified by 5A001.i), see also5A980 and the U.S. Munitions List (22 CFR part 121).
N.B. 2: For radio receivers see 5A001.b.5.
g. Passive Coherent Location (PCL) systems or equipment, “specially designed” for detecting and tracking moving objects by measuring reflections of ambient radio frequency emissions, supplied by non-radar transmitters.
Technical Note: Non-radar transmitters may include commercial radio, television or cellular telecommunications base stations.
Note: 5A001.g. does not control:
a. Radio-astronomical equipment; or
b. Systems or equipment, that require any radio transmission from the target.
h. Counter Improvised Explosive Device (IED) equipment and related equipment, as follows:
h.1. Radio Frequency (RF) transmitting equipment, not specified by 5A001.f, designed or modified for prematurely activating or preventing the initiation of Improvised Explosive Devices (IEDs);
h.2. Equipment using techniques designed to enable radio communications in the same frequency channels on which co-located equipment specified by 5A001.h.1 is transmitting.
N.B.: S ee also Category XI of the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120-130).
i. [Reserved]
N.B.: See 5A001.f.1 for items previously specified by 5A001.i.
j. IP network communications surveillance systems or equipment, and “specially Start Printed Page 58214 designed” components therefor, having all of the following:
j.1. Performing all of the following on a carrier class IP network ( e.g., national grade IP backbone):
j.1.a. Analysis at the application layer ( e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
j.1.b. Extraction of selected metadata and application content ( e.g., voice, video, messages, attachments); and
j.1.c. Indexing of extracted data; and
j.2. Being “specially designed” to carry out all of the following:
j.2.a. Execution of searches on the basis of “hard selectors”; and
j.2.b. Mapping of the relational network of an individual or of a group of people.
Note: 5A001.j does not apply to “systems” or “equipment”, “specially designed” for any of the following:
a. Marketing purpose;
b. Network Quality of Service (QoS); or
c. Quality of Experience (QoE).
N.B.: See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120-130). Defense articles described in USML Category XI(b) are “subject to the ITAR.”
Start Amendment Part14. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5B001 is revised to read as follows:
End Amendment Part5B001 Telecommunication test, inspection and production equipment, “components” and “accessories,” as follows (See List of Items Controlled).
License Requirements
Reason for Control: NS, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 2. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
LVS: $5000, except N/A for 5B001.a (for 5A001.j)
GBS: Yes, except N/A for 5B001.a (for 5A001.j)
ACE: Yes for 5B001.a (for equipment and “specially designed” “components” or “accessories” therefor, “specially designed” for the “development” or “production” of equipment, functions or features, controlled by 5A001.j), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship 5B001.a equipment and “specially designed” components or “accessories” therefor, “specially designed” for the “development” or “production” of equipment, functions or features specified by in ECCN 5A001.b.3, .b.5 or .h to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR) and 5A001.j to any of the destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: See also 5B991.
Related Definition: N/A
Items:
a. Equipment and “specially designed” “components” or “accessories” therefor, “specially designed” for the “development” or “production” of equipment, functions or features, controlled by 5A001;
Note: 5B001.a does not apply to optical fiber characterization equipment.
b. Equipment and “specially designed” “components” or “accessories” therefor, “specially designed” for the “development” of any of the following telecommunication transmission or switching equipment:
b.1. [Reserved]
b.2. Equipment employing a “laser” and having any of the following:
b.2.a. A transmission wavelength exceeding 1750 nm; or
b.2.b. [Reserved]
b.2.c. [Reserved]
b.2.d. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; or
Note: 5B001.b.2.d. does not include equipment “specially designed” for the “development” of commercial TV systems.
b.3. [Reserved]
b.4. Radio equipment employing Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024.
Start Amendment Part15. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5D001 is revised to read as follows:
End Amendment Part5D001 “Software” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. SL applies to the entire entry as applicable for equipment, functions, features, or characteristics controlled by 5A001.f.1 A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
TSR: Yes, except for exports and reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of “software” controlled by 5D001.a and “specially designed” for items controlled by 5A001.b.5 and 5A001.h, and N/A for “software” classified under ECCN 5D001.a (for 5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit 5D001.a “software” “specially designed” for the “development” or “production” of equipment, functions or features, specified by ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to any of the destinations listed in Country Group A:5 or A:6 (See Supplement No.1 to part 740 of the EAR); 5A001.b.3, .b.5 or .h; and for 5D001.b. for “software” “specially designed” or modified to support “technology” specified by the STA paragraph in the License Exception section of ECCN 5E001 to any of the destinations listed in Country Group A:6.
List of Items Controlled
Related Controls: See also 5D980 and 5D991.
Related Definitions: N/A
Items:
a. “Software” “specially designed” or modified for the “development”, “production” or “use” of equipment, functions or features controlled by 5A001;
b. [Reserved]
c. Specific “software” “specially designed” or modified to provide characteristics, functions or features of equipment, controlled by 5A001 or 5B001; Start Printed Page 58215
d. “Software” “specially designed” or modified for the “development” of any of the following telecommunication transmission or switching equipment:
d.1.[Reserved]
d.2. Equipment employing a “laser” and having any of the following:
d.2.a. A transmission wavelength exceeding 1,750 nm; or
d.2.b. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; or
Note: 5D001.d.2.b does not control “software” “specially designed” or modified for the “development” of commercial TV systems.
d.3. [Reserved]
d.4. Radio equipment employing Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024.
Start Amendment Part16. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5E001 is revised to read as follows:
End Amendment Part5E001 “Technology” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. SL applies to “technology” for the “development” or “production” of equipment, functions or features controlled by 5A001.f.1, or for the “development” or “production” of “software” controlled by ECCN 5D001.a (for 5A001.f.1) A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. AT applies to entire entry AT Column 1. Reporting Requirements
See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.
List Based License Exceptions (See Part 740 for a description of all license exceptions)
TSR: Yes, except for exports or reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of “technology” controlled by 5E001.a for the “development” or “production” of the following:
(1) Items controlled by 5A001.b.5, .h or .j;
(2) “Software” controlled by 5D001.a that is “specially designed” for the “development” or “production” of equipment, functions or features controlled by 5A001.b.5, 5A001.h, 5A001.j, or 5B001.a (for 5A001.j); or
(3) “Software” controlled by 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ACE: Yes for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j))) except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit “technology” according to the General Technology Note for the “development” or “production” of equipment, functions or features specified by 5A001.b.3, .b.5 or .h; or for “software” in 5D001.a or .c, that is specified in the STA paragraph in the License Exception section of ECCN 5D001 to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or “technology” specified in 5E001.a according to the General Technology Note for the “development” or “production” of equipment, functions or features specified by 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a) to any destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: (1) See also 5E101, 5E980 and 5E991. (2) “Technology” for “development” or “production” of “Monolithic Microwave Integrated Circuit” (“MMIC”) amplifiers that meet the control criteria given at 3A001.b.2 is controlled in 3E001; 5E001.d refers only to that additional “technology” “required” for telecommunications.
Related Definitions: N/A
Items:
a. “Technology” according to the General Technology Note for the “development”, “production” or “use” (excluding operation) of equipment, functions or features, controlled by 5A001 or “software” controlled by 5D001.a.
b. Specific “technology”, as follows:
b.1. “Technology” “required” for the “development” or “production” of telecommunications equipment “specially designed” to be used on board satellites;
b.2. “Technology” for the “development” or “use” of “laser” communication techniques with the capability of automatically acquiring and tracking signals and maintaining communications through exoatmosphere or sub-surface (water) media;
b.3. “Technology” for the “development” of digital cellular radio base station receiving equipment whose reception capabilities that allow multi-band, multi-channel, multi-mode, multi-coding algorithm or multi-protocol operation can be modified by changes in “software”;
b.4. “Technology” for the “development” of “spread spectrum” techniques, including “frequency hopping” techniques.
Note: 5E001.b.4 does not apply to “technology” for the “development” of any of the following:
a. Civil cellular radio-communications systems; or
b. Fixed or mobile satellite Earth stations for commercial civil telecommunications.
c. “Technology” according the General Technology Note for the “development” or “production” of any of the following:
c.1. [Reserved]
c.2. Equipment employing a “laser” and having any of the following:
c.2.a. A transmission wavelength exceeding 1,750 nm;
c.2.b. [Reserved]
c.2.c. [Reserved]
c.2.d. Employing wavelength division multiplexing techniques of optical carriers at less than 100 GHz spacing; or
c.2.e. Employing analog techniques and having a bandwidth exceeding 2.5 GHz;
Note: 5E001.c.2.e does not control “technology” for commercial TV systems.
N.B.: For “technology” for the “development” or “production” of non-telecommunications equipment employing a “laser”, see Product Group E of Category 6, e.g., 6E00x
c.3. Equipment employing “optical switching” and having a switching time less than 1 ms; or
c.4. Radio equipment having any of the following:
c.4.a. Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024; or
c.4.b. Operating at input or output frequencies exceeding 31.8 GHz; or
Note: 5E001.c.4.b does not control “technology” for equipment designed or modified for operation in any frequency band which is “allocated by the ITU” for radio-communications services, but not for radio-determination.
c.4.c. Operating in the 1.5 MHz to 87.5 MHz band and incorporating adaptive techniques providing more than 15 dB suppression of an interfering signal; or
c.5. [Reserved]
c.6. Mobile equipment having all of the following:
c.6.a. Operating at an optical wavelength greater than or equal to 200nm and less than or equal to 400nm; and
c.6.b. Operating as a “local area network”;
d. “Technology” according to the General Technology Note for the “development” or “production” of “Monolithic Microwave Integrated Circuit” (“MMIC”) amplifiers “specially designed” for telecommunications and that are any of the following:
Technical Note: For purposes of 5E001.d, the parameter peak saturated power output may also be referred to on product data sheets as output power, saturated power output, maximum power output, peak power output, or peak envelope power output.
d.1. Rated for operation at frequencies exceeding 2.7 GHz up to and including 6.8 GHz with a “fractional bandwidth” greater than 15%, and having any of the following:
d.1.a. A peak saturated power output greater than 75 W (48.75 dBm) at any Start Printed Page 58216 frequency exceeding 2.7 GHz up to and including 2.9 GHz;
d.1.b. A peak saturated power output greater than 55 W (47.4 dBm) at any frequency exceeding 2.9 GHz up to and including 3.2 GHz;
d.1.c. A peak saturated power output greater than 40 W (46 dBm) at any frequency exceeding 3.2 GHz up to and including 3.7 GHz; or
d.1.d. A peak saturated power output greater than 20 W (43 dBm) at any frequency exceeding 3.7 GHz up to and including 6.8 GHz;
d.2. Rated for operation at frequencies exceeding 6.8 GHz up to and including 16 GHz with a “fractional bandwidth” greater than 10%, and having any of the following:
d.2.a. A peak saturated power output greater than 10W (40 dBm) at any frequency exceeding 6.8 GHz up to and including 8.5 GHz; or
d.2.b. A peak saturated power output greater than 5W (37 dBm) at any frequency exceeding 8.5 GHz up to and including 16 GHz;
d.3. Rated for operation with a peak saturated power output greater than 3 W (34.77 dBm) at any frequency exceeding 16 GHz up to and including 31.8 GHz, and with a “fractional bandwidth” of greater than 10%;
d.4. Rated for operation with a peak saturated power output greater than 0.1n W (-70 dBm) at any frequency exceeding 31.8 GHz up to and including 37 GHz;
d.5. Rated for operation with a peak saturated power output greater than 1 W (30 dBm) at any frequency exceeding 37 GHz up to and including 43.5 GHz, and with a “fractional bandwidth” of greater than 10%;
d.6. Rated for operation with a peak saturated power output greater than 31.62 mW (15 dBm) at any frequency exceeding 43.5 GHz up to and including 75 GHz, and with a “fractional bandwidth” of greater than 10%;
d.7. Rated for operation with a peak saturated power output greater than 10 mW (10 dBm) at any frequency exceeding 75 GHz up to and including 90 GHz, and with a “fractional bandwidth” of greater than 5%; or
d.8. Rated for operation with a peak saturated power output greater than 0.1 nW (−70 dBm) at any frequency exceeding 90 GHz;
e. “Technology” according to the General Technology Note for the “development” or “production” of electronic devices and circuits, “specially designed” for telecommunications and containing “components” manufactured from “superconductive” materials, “specially designed” for operation at temperatures below the “critical temperature” of at least one of the “superconductive” constituents and having any of the following:
e.1. Current switching for digital circuits using “superconductive” gates with a product of delay time per gate (in seconds) and power dissipation per gate (in watts) of less than 10−14 J; or
e.2. Frequency selection at all frequencies using resonant circuits with Q-values exceeding 10,000.
Start Amendment Part17. In supplement no. 1 to part 774, Category 5—Part 2, ECCN 5A004 is revised to read as follows:
End Amendment Part5A004 “Systems,” “equipment” and “components” for defeating, weakening or bypassing “information security,” as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country chart (See Supp. No. 1 to part 738) NS applies to entire entry NS Column 1. AT applies to entire entry AT Column 1. EI applies to entire entry Refer to § 742.15 of the EAR. License Requirements Note: See § 744.17 of the EAR for additional license requirements for microprocessors having a processing speed of 5 GFLOPS or more and an arithmetic logic unit with an access width of 32 bit or more, including those incorporating “information security” functionality, and associated “software” and “technology” for the “production” or “development” of such microprocessors.
List Based License Exceptions (See Part 740 for a Description of All License Exceptions)
LVS: Yes: $500 for “components.”
N/A for systems and equipment.
GBS: N/A
ENC: Yes for certain EI controlled commodities. See § 740.17 of the EAR for eligibility.
List of Items Controlled
Related Controls: ECCN 5A004.a controls “components” providing the means or functions necessary for “information security.” All such “components” are presumptively “specially designed” and controlled by 5A004.a. Defense articles described in USML Category XI(b), and software directly related to a defense article, are “subject to the ITAR”; see § 120.10(a)(4).
Related Definitions: N/A
Items:
a. Designed or modified to perform `cryptanalytic functions.'
Note: 5A004.a includes systems or equipment, designed or modified to perform `cryptanalytic functions' by means of reverse engineering.
Technical Note: `Cryptanalytic functions' are functions designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords or cryptographic keys.
b. Items, not specified by ECCNs 4A005 or 5A004.a, designed to perform all of the following:
b.1. `Extract raw data' from a computing or communications device; and
b.2. Circumvent “authentication” or authorisation controls of the device, in order to perform the function described in 5A004.b.1.
Technical Note: `Extract raw data' from a computing or communications device means to retrieve binary data from a storage medium, e.g., RAM, flash or hard disk, of the device without interpretation by the device's operating system or filesystem.
Note 1: 5A004.b does not apply to systems or equipment specially designed for the “development” or “production” of a computing or communications device.
Note 2: 5A004.b does not include:
a. Debuggers, hypervisors;
b. Items limited to logical data extraction;
c. Data extraction items using chip-off or JTAG; or
d. Items specially designed and limited to jail-breaking or rooting.
* * * * *Start SignatureMatthew S. Borman,
Deputy Assistant Secretary for Export Administration.
[FR Doc. 2021-22774 Filed 10-20-21; 8:45 am]
BILLING CODE 3510-33-P
Document Information
- Effective Date:
- 1/19/2022
- Published:
- 10/21/2021
- Department:
- Industry and Security Bureau
- Entry Type:
- Rule
- Action:
- Interim final rule, with request for comments.
- Document Number:
- 2021-22774
- Dates:
- Effective date: This rule is effective January 19, 2022. Comments must be received by BIS no later than December 6, 2021.
- Pages:
- 58205-58216 (12 pages)
- Docket Numbers:
- Docket No. 211013-0209
- RINs:
- 0694-AH56: Information Security Controls: Cybersecurity Items
- RIN Links:
- https://www.federalregister.gov/regulations/0694-AH56/information-security-controls-cybersecurity-items
- Topics:
- Administrative practice and procedure, Exports, Reporting and recordkeeping requirements
- PDF File:
- 2021-22774.pdf
- Supporting Documents:
- » Information Security Controls: Cybersecurity Items
- » Information Security Controls: Cybersecurity Items; Delay of Effective Date
- » Information Security Controls: Cybersecurity Items
- CFR: (3)
- 15 CFR 740.11
- 15 CFR 740.22
- 15 CFR 772.1