DDTC and BIS Revise Definitions in ITAR and EAR – Effective September 1

Client Alert | 3 min read | 06.03.16

Today, the Directorate of Defense Trade Controls (DDTC) and the Bureau of Industry and Security (BIS) issued their long-awaited revisions to definitions contained in the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), as part of Export Control Reform’s (ECR) continuing effort to harmonize, where appropriate, the two export regimes.

Although both rules are effective on September 1 and represent a milestone in standardizing the ITAR and EAR, additional rules will be required to complete this process. The DDTC revision, for example, is an interim final rule allowing stakeholders the opportunity to provide comments until July 5th. BIS less formally leaves the door open for comments on the revision, stating it welcomes public comments on its rule on a continuing basis, and in places suggests certain comments received in response to the proposed rule will require further rulemaking.

Below are some of the key “takeaways” from both rules.

Revisions Impacting Cloud-Based IT Solutions

To align treatment under the ITAR and EAR of electronic transmissions and storage of technical data, controlled technology, and software, BIS added the following definition of “end-to-end encryption,” which serves as a condition to the EAR’s export control carve-out for technology and software:

(i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary); and, (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.

Under this definition, the transmission of encrypted data or software from one country to another is not an export or reexport under the EAR, so long as the data or software has been encrypted (to certain specified standards) before crossing any national boundary and remains encrypted at all times while in transmission. Similarly, transmissions within a cloud service infrastructure, from one node or cloud infrastructure element to another, also qualify for the carve-out, provided that the data or software was appropriately encrypted before it crossed a national border.

DDTC issued a more limited change to the ITAR that exempts certain exports, reexports, and retransfers of unclassified technical data from DDTC licensing requirements when sufficient security precautions, such as encryption or the use of secure networks, are taken to prevent unauthorized access. Although DDTC addressed cloud solutions in the 2015 proposed rule, it did not include the proposed changes in this interim final rule, and stated that it intends to do so in a separate rulemaking.

Additional Consolidation and Harmonization of Defined Terms and Concepts

In an effort to enhance clarity and consistency with the ITAR, BIS also revised the definitions of “access information,” “technology,” “required,” “foreign person,” “proscribed person,” “published,” results of “fundamental research,” “export,” “reexport,” “release,” “transfer,” and “transfer (in-country).”

DDTC likewise updated the definitions of “export” and “reexport or retransfer” in the ITAR and added new definitions of “release” and “retransfer” to clarify and support the interpretation of the revised definition.

Significantly, in response to comments on the 2015 proposed rule, DDTC removed from the interim definition of “export” the provision to foreign persons of “physical access” to controlled technical data, regardless of whether such data has been or will be transferred, although DDTC cautions that any actual release of technical data will continue to require authorization.

DDTC also consolidated the regulatory provisions on the treatment of foreign dual and third country national employees into one exemption by incorporating much of the language from §124.16 into §126.18.
