State Department Adds ITAR Definitions in Interim Final Rule for Activities that Are Not Exports, Reexports, Retransfers or Temporary Imports -…

On December 30, 2019, the U.S. Department of States Directorate of Defense Trade Controls (DDTC) issued an interim final rule seeking to amend the International Traffic in Arms Regulations (ITAR) with definitions more clearly explaining activities that are not considered to be exports, reexports, retransfers or temporary imports of secured and unclassified technical data. This interim final rule is part of DDTCs ongoing effort to update the ITAR and will become effective on March 25, 2020. Before that date, DDTC is accepting public comments on the rule until January 27, 2020.

While the interim final rule addresses a number of definitions, a new definition has been proposed under a new section of the ITAR, 22 C.F.R. 120.54, covering activities that are not exports and thus not controlled and subject to the ITAR, including:

The proposal regarding the sending, storing or taking of unclassified technical data is intended to help address questions and concerns as to email transmissions as well as cloud computing and storage. DDTC makes clear that electronic transmissions and storage of secured unclassified technical data is not an export as long as the technical data is encrypted prior to leaving the senders facilities and remains encrypted until decrypted by the intended authorized recipient or retrieved by the sender, as in the case of remote storage. This provision contains important requirements that must be met in order to remain compliant with U.S. export control laws and to prevent an unauthorized or inadvertent export violation.

The transmission must employ end-to-end encryption, which is defined as: (i) the provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originators in-country security boundary) and an intended recipient (or the recipients in-country security boundary); and (ii) the means of decryption are not provided to any third party. Further, the transmission and/or storage must be secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128). Also, the sending, storing or taking of secured unclassified technical data may not involve, be stored in or be sent from the Russian Federation or a DDTC-restricted country, including Belarus, Burma, China, Cuba, Iran, North Korea, Syria, Venezuela, Afghanistan, Central African Republic, Cyprus, Democratic Republic of Congo, Eritrea, Haiti, Iraq, Lebanon, Libya, Somalia, South Sudan, Sudan and Zimbabwe.

Those interested in addressing the interim final rule before the January 27, 2020 deadline may submit comments by (i) email to DDTCPublicComments@state.gov with the subject line, Revisions to Definitions; Data Transmission and Storage or (ii) using the federal rulemaking portal at http://www.regulations.gov and filing comments under Docket DOS20190040.

See the article here:
State Department Adds ITAR Definitions in Interim Final Rule for Activities that Are Not Exports, Reexports, Retransfers or Temporary Imports -...