AGENCY:

Bureau of Industry and Security, Commerce.

ACTION:

Final rule.

SUMMARY:

BIS is finalizing changes to License Exception ACE and corresponding changes in the definition section of the Export Administration Regulations (EAR) in response to public comments to an October 21, 2021 interim rule. That rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, as well as adding a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in certain circumstances. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it. This rule also corrects Export Control Classification Number (ECCN) 5D001 in the Commerce Control List.

DATES:

This rule is effective May 26, 2022.

FOR FURTHER INFORMATION CONTACT:

For questions regarding the Export Control Classification Numbers (ECCNs) included in this rule or License Exception ACE, contact Aaron Amundson at 202-482-0707 or email Aaron.Amundson@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

In 2013, the Wassenaar Arrangement (WA) decided on new controls on cybersecurity items. The controls included hardware and software controls on the command and delivery platforms for “intrusion software”, the technology for the “development”, “production” or “use” of the command and delivery platforms, and the Start Printed Page 31949 technology for the “development” of “intrusion software”. On May 20, 2015, BIS published a proposed rule (80 FR 28853) entitled “Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items,” which proposed implementing these controls and sought comments on their impact.

In response to the proposed rule, BIS received almost 300 comments that raised substantial concerns about the proposed rule's scope and the effect the proposed rule would have on legitimate cybersecurity research and incident response activities. BIS also conducted extensive outreach with the security industry, financial institutions, and government agencies that manage cybersecurity.

Comments on the previously published proposed rule focused on three main issues. First, many commenters asserted that the entries were overly broad, captured more than was intended, and, as a technical matter, failed to accurately describe the items intended for control. Second, many commenters asserted that the rule as written imposed a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity. Third, many commenters suggested that the proposed rule's control on technology for the “development” of “intrusion software” could cripple legitimate cybersecurity research.

Based on these comments, the United States decided against amending the proposed rule and instead returned to the WA in 2016 and 2017 to negotiate changes to the text. In December 2017, the WA published the changes that resulted from those negotiations. There were three significant changes: First, using “command and control” in the control language for both hardware and software addressed concerns from cybersecurity companies to more specifically control tools that can be used maliciously; second, adding a note to the control entry for technology for the “development” of “intrusion software” that excludes from the entry “technology” that is exchanged for “vulnerability disclosure” or “cyber incident response”; and third, adding a note to the “software” generation, command and control, or delivery entry that excludes from this entry products designed and limited to providing basic software updates and upgrades.

On October 21, 2021 (86 FR 58205), the Bureau of Industry and Security (BIS) published an interim final rule (October 21 rule) that establishes new controls on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception, Authorized Cybersecurity Exports (ACE), that authorizes exports of these items to most destinations except in specified circumstances. That rule was published with a 45-day comment period, which ended on December 12, 2021, and a 90-day delayed effective date (January 19, 2022). A total of 12 comments were received. On January 12, 2022 (87 FR 1670), BIS published a rule that further delayed the effective date of the interim final rule by 45 days (March 7, 2022). That action did not extend or reopen the comment period for BIS's previous request for comments on the interim final rule. Consistent with the comments received, this action amends the October 21 rule that became effective March 7, 2022.

Public Comments on the October 21 Rule

Comments Requesting Additional Guidance

Several commenters stated that the new 5A001.j entry is complex and therefore presents compliance difficulties. One commenter asked whether 5A001.j would control cybersecurity incident detection and monitoring software. Another commenter stated that 5A001.j systems have numerous components, all of which will need to be examined under the new entry. In response, BIS is providing additional information and guidance through “Frequently Asked Questions” (FAQs) on 5A001.j to clarify these interpretation issues. BIS does not expect 5A001.j to control a large number of products, and therefore believes these issues can be addressed in the FAQs.

Several commenters recommended that BIS devote additional resources to conducting outreach to exporters about the interim final rule. One commenter recommended a decision tool for ACE like the one used for License Exception Strategic Trade Authorization (STA), as well as more FAQs. Another said BIS should put more resources towards outreach to the cybersecurity community. One commenter recommended developing additional guidelines to help exporters with the interim final rule. BIS agrees with these comments and is working on providing additional guidance along these lines.

Several commenters asked for clarification of BIS's “reason to know” standard. One commenter said that the end-use based control uses the phrase “knows or has reason to know” and asked if this was supposed to be different from the “knowledge” standard. Others recommended BIS provide guidelines on when an exporter would have “reason to know” something will be used for unauthorized surveillance. The terms “know” and “reason to know” use the same definition found in § 772.1 of the EAR as the term “knowledge,” which is the one that should be used for this rule. BIS has published extensive “Know Your Customer” guidance in supplement no. 3 to part 732 of the EAR and on its website. That information also applies to transactions under license exception ACE. BIS believes the current guidance is sufficient to address the questions raised by the commenters and declines to provide additional sector-specific guidance for this area beyond what is published on the website.

Comments Requiring Regulatory Changes

Several commenters stated that the definition of `government end user' in ACE is vague and will be difficult to apply. Two commenters stated that there is some potential overlap between `government end users' and `favorable treatment cybersecurity end users'. BIS agrees with this recommendation and makes changes to the definition of `government end user' to be more specific and to clarify the meaning of this term.

One commenter stated that the licensing requirement for people acting on behalf of a `government end user' will chill cross-border collaboration with cybersecurity researchers and bug bounty hunters because exporters will be required to check whether an individual has a government affiliation before communicating with them. The company recommends BIS either remove this requirement or modify it. BIS disagrees with this recommendation. The license requirement for people acting on behalf of a government is necessary to prevent people who are acting on behalf of a Country Group D government from obtaining `cybersecurity items' for activities contrary to U.S. national security and foreign policy interests. Removing this requirement would risk allowing Country Group D governments access to those items. BIS agrees that this means that exporters will in some cases have to check government affiliation of people and companies they work with. However, because of the limited scope and applicability of the license requirement, BIS believes the requirement will protect U.S. national security and foreign policy interests without unduly impacting legitimate cybersecurity activities. Start Printed Page 31950

A couple of commenters stated that the definitions of “vulnerability disclosure” and “cyber incident response” are too narrow. One commenter said that researchers share vulnerability information unrelated to remediation of a specific vulnerability or incident. Another said the definitions should include information that is not strictly “necessary” for vulnerability disclosure or cyber incident response activities, as well as information that is needed to prevent cyber incidents from happening. One commenter recommended expanding the exclusion to include preventative remediation and coordination activities. They recommend two possible solutions: (1) Amend FAQs to clarify that the carve-out covers routine sharing of exploits for cybersecurity purposes; or (2) amend the definition of fundamental research to include transferring exploit information for research purposes. BIS believes that many of the activities commenters mentioned as being subject to a license requirement, such as tactics and techniques of malicious actors, and identifying products that contain vulnerabilities, are not subject to this control and that therefore the scope of items that would require a license in this area is significantly smaller than the commenters asserted. Therefore, BIS is not amending the rule but will clarify the scope of license requirements in this area via guidance in FAQs.

Other Significant Comments

One commenter suggested extending the comment period to January 5, 2022. Another recommended delaying the effective date of the rule and conducting more extensive industry consultations and engagements. In response, BIS delayed the implementation date of the October 21 rule to March 7, 2022, and reached out to interested industry members of BIS's Technical Advisory Committees to prepare additional guidance and make clarifications that are in this final rule.

Several commenters said the rule is complicated and will be difficult for people to understand and implement. In response, BIS has made several changes in this final rule to clarify the scope of controls. In addition, BIS delayed the implementation date of the October 21 rule to March 7, 2022, which allowed for the preparation of additional guidance to assist with compliance.

One commenter said that the estimated yearly expense of compliance of $2,520 is a gross underestimation, because the complexity of the rule will increase the cost of compliance. However, none of the commenters provided data to substantiate this claim or provided another estimate. BIS consulted with its Technical Advisory Committees to develop the estimate yearly expense identified in this rule.

Specific Revisions

Section 740.17 License Exception Encryption Commodities, Software, and Technology (ENC)

BIS is revising § 740.17 by adding a new end-use restriction (§ 740.17(f)) equivalent to the end-use restriction in § 740.22(c)(4) of License Exception ACE, so that License Exception ENC is not authorized if the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that the following items will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems): “cryptanalytic items”, classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002; network penetration tools described in § 740.17(b)(2)(i)(F), and ECCN 5E002 “technology” therefor; or automated network vulnerability analysis and response tools described in § 740.17(b)(3)(iii)(A), and ECCN 5E002 “technology” therefor. This conforming change is necessary to avoid an unintended circumstance in which the § 740.22(c)(4) License Exception ACE end-use restriction could be evaded by adding cryptographic or cryptanalytic functionality to the `cybersecurity item' and exporting, reexporting or transferring (in-country) the resulting `encryption item' subject to the EAR under License Exception ENC.

Section 740.22 License Exception Authorized Cybersecurity Exports (ACE)

In response to public comments, BIS is revising § 740.22. BIS is revising the definition of the term `Government end user' as defined in § 740.22(b)(4) of License Exception ACE by adding a detailed illustrative list of end users that meet this definition. Included in the list are two types of government end users that are already defined in the EAR, “more-sensitive government end users” and “less-sensitive government end users”. BIS also added a note to define `partially operated or owned by a government or governmental authority' to guide the public in understanding this phrase, which is used in three of the listed `government end users' related to utilities; transportation hubs and services; and retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services specified in the Wassenaar Arrangement Munitions List.

BIS also revised the format of the restrictions in § 740.22(c) by collapsing the levels and moving most of the text that was in notes to subordinate paragraphs within paragraph (c). Several people commented that the double negative structure of the restrictions paragraph was confusing. BIS believes the more simplified paragraph organization will alleviate the confusion.

Finally, BIS is amending § 740.22(c)(2)(i) to correct the text, which inadvertently increased the scope of the exception. As currently written, that paragraph allows (a) exports of `digital artifacts' to anyone in a Country Group D country that is also listed in Country Group A:6; and (b) exports of any `cybersecurity item' to police or judicial bodies to Country Group D countries that are also listed in Country Group A:6. However, BIS intended to only allow exports of `digital artifacts' to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions. These changes correct the text to reflect the intended scope.

Part 772—Definitions of Terms

This rule amends the terms “Less sensitive government end users” and “More sensitive government end users” to indicate that the terms apply to cybersecurity items and are now referenced in License Exception ACE (§  740.22).

Part 774—Commerce Control List: ECCN 5D001

This rule corrects an error made to ECCN 5D001in the October 21, 2021 interim rule. That rule inadvertently removed 5D001.e and this rule restores 5D001.e.

Export Control Reform Act of 2018

On August 13, 2018, the President signed into law the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. Sections 4801-4852. ECRA provides the legal basis for BIS's principal authorities and serves as the authority under which BIS issues this rule.

Executive Order Requirements

This final rule has been designated a “significant regulatory action” under Executive Order 12866. Start Printed Page 31951

This rule does not contain policies with federalism implications as that term is defined under Executive Order 13132.

Paperwork Reduction Act Requirements

Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq. ) unless a valid Office of Management and Budget (OMB) Control Number is displayed. While there is no collection of information associated with using License Exception ACE, this rule does involve a collection of information currently approved under Control Number 0694-0088, Multi-Purpose Application. The current burden hour estimate for this collection is 29.6 minutes for a manual or electronic submission.

For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 5A004, 5D001, 5E001), the 2020 data from the Automated Export System (AES) shows 980 shipments valued at $39,146,164. Of those shipments, 120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 countries, which would make them ineligible for License Exception ACE. There were no shipments to Country Group E:1 or E:2. Under the provisions of this rule, the 120 shipments require a license application submission to BIS.

As there is no specific ECCN data in AES for the new export controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS has used other data to estimate the number of shipments of these new ECCNs that will require a license. Bureau of Economic Analysis (BEA) data from 2019 show a total dollar value of $55,657,000 for Telecom, Computer, and Information Technology Services exports. Multiplying this value by 12.1% (the percentage of all exports that are subject to an EAR license requirement as determined by using AES data) suggests that $6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR license requirements. Based on AES data on the existing ECCNs affected by this rule, BIS estimates the average value of each shipment for the new ECCNs at about $40,000, and further estimates that 0.6% of all new ECCN shipments (1,010 shipments) are now eligible for License Exception ACE and 0.03% of all new ECCN shipments (50 shipments) require a license application submission.

Therefore, the annual total estimated cost associated with the paperwork burden imposed by this rule (that is, the projected increase of license application submissions based on the additional shipments requiring a license) is estimated to be 170 new applications × 29.6 minutes = 5,032/60 min = 84 hours × $30 = $2,520.

BIS is in the process of updating this information collection to account for the increase in burden hours and costs posed by this rule. Comments on the methodology associated with calculating the cost or burden increases or any other aspect of this collection can be submitted via www.regulations.gov by searching for OMB Control Number 0694-0088.

Administrative Procedure Act and Regulatory Flexibility Act Requirements

Pursuant to Section 4821 of ECRA, this action is exempt from the Administrative Procedure Act (5 U.S.C. 553) requirements for notice of proposed rulemaking and opportunity for public participation. Further, no other law requires notice of proposed rulemaking or opportunity for public comment for this final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required under the Administrative Procedure Act or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq. ) are not applicable.

List of Subjects

15 CFR Part 740

• Administrative practice and procedure
• Exports
• Reporting and recordkeeping requirements

15 CFR Part 772

• Exports

15 CFR Part 774

• Exports
• Reporting and recordkeeping requirements

Accordingly, the interim rule amending 15 CFR parts 740, 772, and 774, which was published on October 21, 2021 (86 FR 58205), is adopted as final with the following changes:

PART 740 [AMENDED]

1. The authority citation for part 740 continues to read as follows:

Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783.

2. Section 740.17 is revised by adding paragraph (f) to read as follows:

3. Section 740.22 is revised to read as follows:

PART 772 [AMENDED]

4. The authority citation for part 772 continues to read as follows:

Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783.

5. Section 772.1 is amended by revising the definitions “Less sensitive government end users” and “More sensitive government end users” to read as follows:

PART 774 [AMENDED]

6. The authority citation for part 774 continues to read as follows:

Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 8720; 10 U.S.C. 8730(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 42 U.S.C. 2139a; 15 U.S.C. 1824; 50 U.S.C. 4305; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783.

7. In supplement no. 1 to part 774, Category 5—Part 1, ECCN 5D001 is revised to read as follows:

Supplement No. 1 to Part 774—The Commerce Control List

5D001 “Software” as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, SL, AT

Reporting Requirements

See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations.

List Based License Exceptions

(See Part 740 for a description of all license exceptions).

TSR: Yes, except for exports and reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of “software” controlled by 5D001.a and “specially designed” for items controlled by 5A001.b.5 and 5A001.h, and N/A for “software” classified under ECCN 5D001.a (for 5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).

ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 5D001.a “software” “specially designed” for the “development” or “production” of equipment, functions or features, specified by ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to any of the destinations listed in Country Group A:5 or A:6 (See Supplement No.1 to part 740 of the EAR); 5A001.b.3, .b.5 or .h; and for 5D001.b. for “software” “specially designed” or modified to support “technology” specified by the STA paragraph in the License Exception section of ECCN 5E001 to any of the destinations listed in Country Group A:6.

List of Items Controlled

Related Controls: See also 5D980 and 5D991.

Related Definitions: N/A

Items:

a. “Software” “specially designed” or modified for the “development”, “production” or “use” of equipment, functions or features controlled by 5A001;

b. [Reserved]

c. Specific “software” “specially designed” or modified to provide characteristics, functions or features of equipment, controlled by 5A001 or 5B001;

d. “Software” “specially designed” or modified for the “development” of any of the following telecommunication transmission or switching equipment:

d.1. [Reserved]

d.2. Equipment employing a “laser” and having any of the following:

d.2.a. A transmission wavelength exceeding 1,750 nm; or

d.2.b. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; or

Note: 5D001.d.2.b does not control “software” “specially designed” or modified for the “development” of commercial TV systems.

d.3. [Reserved]

d.4. Radio equipment employing Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024.

e. “Software”, other than that specified by 5D001.a or 5D001.c, “specially designed” or modified for monitoring or analysis by law enforcement, providing all of the following:

e.1. Execution of searches on the basis of “hard selectors” of either the content of communication or metadata acquired from a communications service provider using a `handover interface'; and

Technical Notes:

1. For the purposes of 5D001.e, a `handover interface' is a physical and logical interface, designed for use by an authorised law enforcement authority, across which targeted interception measures are requested from a communications service provider and the results of interception are delivered from a communications service provider to the requesting authority. The `handover interface' is implemented within systems or equipment ( e.g., mediation devices) that receive and validate the interception request, and deliver to the requesting authority only the results of interception that fulfil the validated request.

2. `Handover interfaces' may be specified by international standards (including but not limited to ETSI TS 101 331, ETSI TS 101 671, 3GPP TS 33.108) or national equivalents.

e.2. Mapping of the relational network or tracking the movement of targeted individuals based on the results of searches on content of communication or metadata or searches as described in 5D001.e.1.

Note: 5D001.e does not apply to “software” “specially designed” or modified for any of the following:

a. Billing purposes;

b. Network Quality of Service (QoS);

c. Quality of Experience (QoE);

d. Mediation devices; or

e. Mobile payment or banking use.