State Department Publishes Long Awaited Cloud Computing Rule

On December 26, 2019, the State Department issued an interim final rule that nearly mirrors the changes adopted by the Commerce Department in 2016. The new ITAR rule will allow for cloud based storage and handling in the U.S. and abroad of appropriately encrypted ITAR controlled software and technical data. It will take effect on March 25, 2020, but allows 30 days for public comment (until January 27, 2020) and perhaps further revision by DDTC, if warranted, prior to the effective date.

Similar to the approach adopted by BIS, DDTC’s interim final rule creates a new definition for “activities that are not exports, reexports, retransfers, or temporary imports,” including sending, taking, or storing unclassified technical data that is end-to-end encrypted in one of two ways: (1) using encryption modules that are FIPS 140-2 compliant; or (2) using other cryptographic means that provide security strength comparable to AES-128. DDTC expressly declined to adopt the EAR language that permitted encryption by “other equally or more effective cryptographic means” because DDTC felt that phrase lacked sufficient definition to ensure technical data was adequately protected. To qualify for the ITAR exclusion, the technical data or software may not be intentionally stored in a § 126.1 country or Russia, and the means of decryption may not be provided to unauthorized third parties. The provision of information to a foreign person that would cause or enable access to the decrypted technical data would require prior export authorization from DDTC.

Other events that no longer require prior DDTC authorization as a result of the rule include:

• Launching items into space.
• Transmitting or otherwise transferring technical data between U.S. persons within the United States (for example, U.S. persons can email controlled technical data to another US person located in the US, and even if that data temporarily transits outside the U.S. boundary, no DDTC export authorization is required).
• Transmissions or other transfers of technical data between and among only U.S. persons in the same foreign country so long as they do not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data (for example, U.S. persons located in foreign affiliate facilities can exchange technical data with each other without prior export authorization, provided no “release” to a foreign person occurs).
• Movements of defense articles between states, possessions, and territories of the United States.

Responding to public comments on the proposed cloud rules, the State Department also clarified: 

• The shipment or carriage of defense technology via a physical medium, such as a USB drive, in a properly encrypted state is not an export, reexport, or transfer.  
• State declined to provide a safe harbor to exporters who obtain contractual assurances from cloud services providers that data would not be stored in a § 126.1 country or the Russian Federation. Instead, State recognized the difficulty of controlling the actions of third parties and will “review potential violations on a case-by-case basis, subject to the totality of the facts and circumstances comprising the issue at hand.”
• Data converted into clear text during transmission, for example by anti-virus software or spell-check, will not meet State’s end-to-end encryption standard.