[Federal Register Volume 87, Number 102 (Thursday, May 26, 2022)]
[Rules and Regulations]
[Pages 31948-31954]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-11282]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 740, 772, and 774
[Docket No. 220520-0118]
RIN 0694-AH56
Information Security Controls: Cybersecurity Items
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: BIS is finalizing changes to License Exception ACE and
corresponding changes in the definition section of the Export
Administration Regulations (EAR) in response to public comments to an
October 21, 2021 interim rule. That rule established a new control on
certain cybersecurity items for National Security (NS) and
Anti-terrorism (AT) reasons, as well as adding a new License Exception
Authorized Cybersecurity Exports (ACE) that authorizes exports of these
items to most destinations except in certain circumstances. These items
warrant controls because these tools could be used for surveillance,
espionage, or other actions that disrupt, deny or degrade the network
or devices on it. This rule also corrects Export Control Classification
Number (ECCN) 5D001 in the Commerce Control List.
DATES: This rule is effective May 26, 2022.
FOR FURTHER INFORMATION CONTACT: For questions regarding the Export
Control Classification Numbers (ECCNs) included in this rule or License
Exception ACE, contact Aaron Amundson at 202-482-0707 or email
[email protected].
SUPPLEMENTARY INFORMATION:
Background
In 2013, the Wassenaar Arrangement (WA) decided on new controls on
cybersecurity items. The controls included hardware and software
controls on the command and delivery platforms for ``intrusion
software'', the technology for the ``development'', ``production'' or
``use'' of the command and delivery platforms, and the
technology for the ``development'' of ``intrusion software''. On May
20, 2015, BIS published a proposed rule (80 FR 28853) entitled
``Wassenaar Arrangement 2013 Plenary Agreements Implementation:
Intrusion and Surveillance Items,'' which proposed implementing these
controls and sought comments on their impact.
In response to the proposed rule, BIS received almost 300 comments
that raised substantial concerns about the proposed rule's scope and
the effect the proposed rule would have on legitimate cybersecurity
research and incident response activities. BIS also conducted extensive
outreach with the security industry, financial institutions, and
government agencies that manage cybersecurity.
Comments on the previously published proposed rule focused on three
main issues. First, many commenters asserted that the entries were
overly broad, captured more than was intended, and, as a technical
matter, failed to accurately describe the items intended for control.
Second, many commenters asserted that the rule as written imposed a
heavy and unnecessary licensing burden on legitimate transactions that
contribute to cybersecurity. Third, many commenters suggested that the
proposed rule's control on technology for the ``development'' of
``intrusion software'' could cripple legitimate cybersecurity research.
Based on these comments, the United States decided against amending
the proposed rule and instead returned to the WA in 2016 and 2017 to
negotiate changes to the text. In December 2017, the WA published the
changes that resulted from those negotiations. There were three
significant changes: First, using ``command and control'' in the
control language for both hardware and software addressed concerns from
cybersecurity companies to more specifically control tools that can be
used maliciously; second, adding a note to the control entry for
technology for the ``development'' of ``intrusion software'' that
excludes from the entry ``technology'' that is exchanged for
``vulnerability disclosure'' or ``cyber incident response''; and third,
adding a note to the ``software'' generation, command and control, or
delivery entry that excludes from this entry products designed and
limited to providing basic software updates and upgrades.
On October 21, 2021 (86 FR 58205), the Bureau of Industry and
Security (BIS) published an interim final rule (October 21 rule) that
establishes new controls on certain cybersecurity items for National
Security (NS) and Anti-terrorism (AT) reasons, along with a new License
Exception, Authorized Cybersecurity Exports (ACE), that authorizes
exports of these items to most destinations except in specified
circumstances. That rule was published with a 45-day comment period,
which ended on December 12, 2021, and a 90-day delayed effective date
(January 19, 2022). A total of 12 comments were received. On January
12, 2022 (87 FR 1670), BIS published a rule that further delayed the
effective date of the interim final rule by 45 days (March 7, 2022).
That action did not extend or reopen the comment period for BIS's
previous request for comments on the interim final rule. Consistent
with the comments received, this action amends the October 21 rule that
became effective March 7, 2022.
Public Comments on the October 21 Rule
Comments Requesting Additional Guidance
Several commenters stated that the new 5A001.j entry is complex and
therefore presents compliance difficulties. One commenter asked whether
5A001.j would control cybersecurity incident detection and monitoring
software. Another commenter stated that 5A001.j systems have numerous
components, all of which will need to be examined under the new entry.
In response, BIS is providing additional information and guidance
through ``Frequently Asked Questions'' (FAQs) on 5A001.j to clarify
these interpretation issues. BIS does not expect 5A001.j to control a
large number of products, and therefore believes these issues can be
addressed in the FAQs.
Several commenters recommended that BIS devote additional resources
to conducting outreach to exporters about the interim final rule. One
commenter recommended a decision tool for ACE like the one used for
License Exception Strategic Trade Authorization (STA), as well as more
FAQs. Another said BIS should put more resources towards outreach to
the cybersecurity community. One commenter recommended developing
additional guidelines to help exporters with the interim final rule.
BIS agrees with these comments and is working on providing additional
guidance along these lines.
Several commenters asked for clarification of BIS's ``reason to
know'' standard. One commenter said that the end-use based control uses
the phrase ``knows or has reason to know'' and asked if this was
supposed to be different from the ``knowledge'' standard. Others
recommended BIS provide guidelines on when an exporter would have
``reason to know'' something will be used for unauthorized
surveillance. The terms ``know'' and ``reason to know'' use the same
definition found in Sec. 772.1 of the EAR as the term ``knowledge,''
which is the one that should be used for this rule. BIS has published
extensive ``Know Your Customer'' guidance in supplement no. 3 to part
732 of the EAR and on its website. That information also applies to
transactions under license exception ACE. BIS believes the current
guidance is sufficient to address the questions raised by the
commenters and declines to provide additional sector-specific guidance
for this area beyond what is published on the website.
Comments Requiring Regulatory Changes
Several commenters stated that the definition of `government end
user' in ACE is vague and will be difficult to apply. Two commenters
stated that there is some potential overlap between `government end
users' and `favorable treatment cybersecurity end users'. BIS agrees
with this recommendation and makes changes to the definition of
`government end user' to be more specific and to clarify the meaning of
this term.
One commenter stated that the licensing requirement for people
acting on behalf of a `government end user' will chill cross-border
collaboration with cybersecurity researchers and bug bounty hunters
because exporters will be required to check whether an individual has a
government affiliation before communicating with them. The company
recommends BIS either remove this requirement or modify it. BIS
disagrees with this recommendation. The license requirement for people
acting on behalf of a government is necessary to prevent people who are
acting on behalf of a Country Group D government from obtaining
`cybersecurity items' for activities contrary to U.S. national security
and foreign policy interests. Removing this requirement would risk
allowing Country Group D governments access to those items. BIS agrees
that this means that exporters will in some cases have to check
government affiliation of people and companies they work with. However,
because of the limited scope and applicability of the license
requirement, BIS believes the requirement will protect U.S. national
security and foreign policy interests without unduly impacting
legitimate cybersecurity activities.
A couple of commenters stated that the definitions of
``vulnerability disclosure'' and ``cyber incident response'' are too
narrow. One commenter said that researchers share vulnerability
information unrelated to remediation of a specific vulnerability or
incident. Another said the definitions should include information that
is not strictly ``necessary'' for vulnerability disclosure or cyber
incident response activities, as well as information that is needed to
prevent cyber incidents from happening. One commenter recommended
expanding the exclusion to include preventative remediation and
coordination activities. They recommend two possible solutions: (1)
Amend FAQs to clarify that the carve-out covers routine sharing of
exploits for cybersecurity purposes; or (2) amend the definition of
fundamental research to include transferring exploit information for
research purposes. BIS believes that many of the activities commenters
mentioned as being subject to a license requirement, such as tactics
and techniques of malicious actors, and identifying products that
contain vulnerabilities, are not subject to this control and that
therefore the scope of items that would require a license in this area
is significantly smaller than the commenters asserted. Therefore, BIS
is not amending the rule but will clarify the scope of license
requirements in this area via guidance in FAQs.
Other Significant Comments
One commenter suggested extending the comment period to January 5,
2022. Another recommended delaying the effective date of the rule and
conducting more extensive industry consultations and engagements. In
response, BIS delayed the implementation date of the October 21 rule to
March 7, 2022, and reached out to interested industry members of BIS's
Technical Advisory Committees to prepare additional guidance and make
clarifications that are in this final rule.
Several commenters said the rule is complicated and will be
difficult for people to understand and implement. In response, BIS has
made several changes in this final rule to clarify the scope of
controls. In addition, BIS delayed the implementation date of the
October 21 rule to March 7, 2022, which allowed for the preparation of
additional guidance to assist with compliance.
One commenter said that the estimated yearly expense of compliance
of $2,520 is a gross underestimation, because the complexity of the
rule will increase the cost of compliance. However, none of the
commenters provided data to substantiate this claim or provided another
estimate. BIS consulted with its Technical Advisory Committees to
develop the estimated yearly expense identified in this rule.
Specific Revisions
Section 740.17 License Exception Encryption Commodities, Software, and
Technology (ENC)
BIS is revising Sec. 740.17 by adding a new end-use restriction
(Sec. 740.17(f)) equivalent to the end-use restriction in Sec.
740.22(c)(4) of License Exception ACE, so that License Exception ENC is
not authorized if the exporter, reexporter, or transferor ``knows'' or
has ``reason to know'' at the time of export, reexport, or transfer
(in-country), including deemed exports and reexports, that the
following items will be used to affect the confidentiality, integrity
or availability of information or information systems, without
authorization by the owner, operator or administrator of the
information system (including the information and processes within such
systems): ``cryptanalytic items'', classified in ECCN 5A004.a,
5D002.a.3.a or c.3.a, or 5E002; network penetration tools described in
Sec. 740.17(b)(2)(i)(F), and ECCN 5E002 ``technology'' therefor; or
automated network vulnerability analysis and response tools described
in Sec. 740.17(b)(3)(iii)(A), and ECCN 5E002 ``technology'' therefor.
This conforming change is necessary to avoid an unintended circumstance
in which the Sec. 740.22(c)(4) License Exception ACE end-use
restriction could be evaded by adding cryptographic or cryptanalytic
functionality to the `cybersecurity item' and exporting, reexporting or
transferring (in-country) the resulting `encryption item' subject to
the EAR under License Exception ENC.
Section 740.22 License Exception Authorized Cybersecurity Exports (ACE)
In response to public comments, BIS is revising Sec. 740.22. BIS
is revising the definition of the term `Government end user' as defined
in Sec. 740.22(b)(4) of License Exception ACE by adding a detailed
illustrative list of end users that meet this definition. Included in
the list are two types of government end users that are already defined
in the EAR, ``more-sensitive government end users'' and
``less-sensitive government end users''. BIS also added a note to define
`partially operated or owned by a government or governmental authority'
to guide the public in understanding this phrase, which is used in
three of the listed `government end users' related to utilities;
transportation hubs and services; and retail or wholesale firms engaged
in the manufacture, distribution, or provision of items or services
specified in the Wassenaar Arrangement Munitions List.
BIS also revised the format of the restrictions in Sec. 740.22(c)
by collapsing the levels and moving most of the text that was in notes
to subordinate paragraphs within paragraph (c). Several people
commented that the double negative structure of the restrictions
paragraph was confusing. BIS believes the more simplified paragraph
organization will alleviate the confusion.
Finally, BIS is amending Sec. 740.22(c)(2)(i) to correct the text,
which inadvertently increased the scope of the exception. As currently
written, that paragraph allows (a) exports of `digital artifacts' to
anyone in a Country Group D country that is also listed in Country
Group A:6; and (b) exports of any `cybersecurity item' to police or
judicial bodies to Country Group D countries that are also listed in
Country Group A:6. However, BIS intended to only allow exports of
`digital artifacts' to police or judicial bodies in Country Group D
countries that are also listed in Country Group A:6 for purposes of
criminal or civil investigations or prosecutions. These changes correct
the text to reflect the intended scope.
Part 772--Definitions of Terms
This rule amends the terms ``Less sensitive government end users''
and ``More sensitive government end users'' to indicate that the terms
apply to cybersecurity items and are now referenced in License
Exception ACE (Sec. 740.22).
Part 774--Commerce Control List: ECCN 5D001
This rule corrects an error made to ECCN 5D001 in the October 21,
2021 interim rule. That rule inadvertently removed 5D001.e and this
rule restores 5D001.e.
Export Control Reform Act of 2018
On August 13, 2018, the President signed into law the John S.
McCain National Defense Authorization Act for Fiscal Year 2019, which
included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C.
Sections 4801-4852. ECRA provides the legal basis for BIS's principal
authorities and serves as the authority under which BIS issues this
rule.
Executive Order Requirements
This final rule has been designated a ``significant regulatory
action'' under Executive Order 12866.
This rule does not contain policies with federalism implications as
that term is defined under Executive Order 13132.
Paperwork Reduction Act Requirements
Notwithstanding any other provision of law, no person is required
to respond to, nor shall any person be subject to a penalty for failure
to comply with a collection of information subject to the requirements
of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.)
unless a valid Office of Management and Budget (OMB) Control Number is
displayed. While there is no collection of information associated with
using License Exception ACE, this rule does involve a collection of
information currently approved under Control Number 0694-0088,
Multi-Purpose Application. The current burden hour estimate for this
collection is 29.6 minutes for a manual or electronic submission.
For the existing ECCNs included in this rule (4D001, 4E001, 5A001,
5A004, 5D001, 5E001), the 2020 data from the Automated Export System
(AES) shows 980 shipments valued at $39,146,164. Of those shipments,
120 shipments valued at $1,864,699 went to Country Group D:1 or D:5
countries, which would make them ineligible for License Exception ACE.
There were no shipments to Country Group E:1 or E:2. Under the
provisions of this rule, the 120 shipments require a license
application submission to BIS.
As there is no specific ECCN data in AES for the new export
controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS has
used other data to estimate the number of shipments of these new ECCNs
that will require a license. Bureau of Economic Analysis (BEA) data
from 2019 show a total dollar value of $55,657,000 for Telecom,
Computer, and Information Technology Services exports. Multiplying this
value by 12.1% (the percentage of all exports that are subject to an
EAR license requirement as determined by using AES data) suggests that
$6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR
license requirements. Based on AES data on the existing ECCNs affected
by this rule, BIS estimates the average value of each shipment for the
new ECCNs at about $40,000, and further estimates that 0.6% of all new
ECCN shipments (1,010 shipments) are now eligible for License Exception
ACE and 0.03% of all new ECCN shipments (50 shipments) require a
license application submission.
Therefore, the annual total estimated cost associated with the
paperwork burden imposed by this rule (that is, the projected increase
of license application submissions based on the additional shipments
requiring a license) is estimated to be 170 new applications x 29.6
minutes = 5,032/60 min = 84 hours x $30 = $2,520.
BIS is in the process of updating this information collection to
account for the increase in burden hours and costs posed by this rule.
Comments on the methodology associated with calculating the cost or
burden increases or any other aspect of this collection can be
submitted via www.regulations.gov by searching for OMB Control Number
0694-0088.
Administrative Procedure Act and Regulatory Flexibility Act
Requirements
Pursuant to Section 4821 of ECRA, this action is exempt from the
Administrative Procedure Act (5 U.S.C. 553) requirements for notice of
proposed rulemaking and opportunity for public participation. Further,
no other law requires notice of proposed rulemaking or opportunity for
public comment for this final rule. Because a notice of proposed
rulemaking and an opportunity for public comment are not required under
the Administrative Procedure Act or by any other law, the analytical
requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.)
are not applicable.
List of Subjects
15 CFR Part 740
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 772
Exports.
15 CFR Part 774
Exports, Reporting and recordkeeping requirements.
Accordingly, the interim rule amending 15 CFR parts 740, 772, and
774, which was published on October 21, 2021 (86 FR 58205), is adopted
as final with the following changes:
PART 740 [AMENDED]
1. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR,
2001 Comp., p. 783.
2. Section 740.17 is revised by adding paragraph (f) to read as
follows:
Sec. 740.17 Encryption commodities, software, and technology (ENC).
* * * * *
(f) End-use restrictions. Notwithstanding the other provisions and
authorizations of this section, License Exception ENC is not authorized
for any of the following items if the exporter, reexporter, or
transferor ``knows'' or has ``reason to know'' at the time of export,
reexport, or transfer (in-country), including deemed exports and
reexports, that the item will be used to affect the confidentiality,
integrity, or availability of information or information systems,
without authorization by the owner, operator, or administrator of the
information system (including the information and processes within such
systems):
(1) ``Cryptanalytic items,'' classified in ECCN 5A004.a,
5D002.a.3.a or c.3.a, or 5E002;
(2) Network penetration tools described in paragraph (b)(2)(i)(F)
of this section, and ECCN 5E002 ``technology'' therefor; or
(3) Automated network vulnerability analysis and response tools
described in paragraph (b)(3)(iii)(A) of this section, and ECCN 5E002
``technology'' therefor.
Note to paragraph (f): See also Sec. 740.22(c)(4).
3. Section 740.22 is revised to read as follows:
Sec. 740.22 Authorized Cybersecurity Exports (ACE).
(a) Scope. License Exception ACE authorizes export, reexport, and
transfer (in-country), including deemed exports and reexports, of
`cybersecurity items,' as set forth in paragraph (b) of this section,
subject to the restrictions set forth in paragraph (c) of this section.
Deemed exports and reexports are authorized under this license
exception, except for deemed exports or reexports to E:1 and E:2
nationals as described in paragraph (c)(1) of this section, to certain
`government end users' as described in paragraph (c)(2) of this
section, and subject to the end use restrictions described in paragraph
(c)(4) of this section. Even if License Exception ACE is not available
for a particular transaction, other license exceptions may be
available. For example, License Exception GOV (Sec. 740.11) authorizes
certain exports to U.S. Government agencies and personnel. License
Exception TMP (Sec. 740.9(a)(1)) authorizes the export, reexport, and
transfer (in country) of tools of the trade in certain situations.
(b) Definitions. The following terms and definitions are for the
purpose of License Exception ACE only.
(1) `Cybersecurity Items' are ECCNs 4A005, 4D001.a (for 4A005 or
4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or
4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j),
5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for
5A001.j or 5D001.a (for 5A001.j)).
(2) `Digital artifacts' are items (e.g., ``software'' or
``technology'') found or discovered on an information system that show
past or present activity pertaining to the use or compromise of, or
other effects on, that information system.
(3) `Favorable treatment cybersecurity end user' is any of the
following:
(i) A ``U.S. subsidiary'';
(ii) Providers of banking and other financial services;
(iii) Insurance companies; or
(iv) Civil health and medical institutions providing medical
treatment or otherwise conducting the practice of medicine, including
medical research.
(4) `Government end user,' for the purpose of this section, is a
national, regional, or local department, agency, or entity that
provides any governmental function or service, including entities or
individuals who are acting on behalf of such an entity. This term does
not include any `favorable treatment cybersecurity end user' listed in
paragraph (b)(3) of this section. This term includes, but is not
limited to:
(i) International governmental organizations;
(ii) Government operated research institutions;
(iii) ``More-sensitive government end users'';
(iv) ``Less-sensitive government end users'';
(v) Utilities (including telecommunications service providers and
internet service providers) that are wholly operated or owned by a
government or governmental authority or `partially operated or owned by
a government or governmental authority';
(vi) Transportation hubs and services (e.g., airlines and airports;
ships and ports; railways and rail stations; buses, trucking and
highways) that are wholly operated or owned by a government or
governmental authority or `partially operated or owned by a government
or governmental authority'; and
(vii) Retail or wholesale firms that are wholly operated or owned
by a government or governmental authority or `partially operated or
owned by a government or by a governmental authority', engaged in the
manufacture, distribution, or provision of items or services specified
in the Wassenaar Arrangement Munitions List.
(5) For the purposes of this section, `partially operated or owned
by a government or governmental authority' means that a foreign
government or governmental authority beneficially owns or controls
(whether directly or indirectly) 25 percent or more of the voting
securities of the foreign entity, or a foreign government or
governmental authority has the authority to appoint a majority of the
members of the board of directors of the foreign entity.
(c) Restrictions. License Exception ACE does not authorize deemed
exports and reexports, exports, reexports, or transfers (in-country) of
`cybersecurity items' as follows:
(1) To a destination that is listed in Country Group E:1 or E:2 in
supplement no. 1 to this part.
(2) To a `government end user', as defined in this section, of any
country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement
no. 1 to this part, except:
(i) `Digital artifacts' (that are related to a cybersecurity
incident involving information systems owned or operated by a
`favorable treatment cybersecurity end user') to police or judicial
bodies in Country Group D countries that are also listed in Country
Group A:6 for purposes of criminal or civil investigations or
prosecutions of such cybersecurity incidents; or
(ii) To national computer security incident response teams in
Country Group D countries that are also listed in Country Group A:6 of
`cybersecurity items' for purposes of responding to cybersecurity
incidents, for purposes of ``vulnerability disclosure'', or for
purposes of criminal or civil investigations or prosecutions of such
cybersecurity incidents.
(3) The restrictions in paragraphs (c)(1) and (2) of this section
also apply to activities, including exports, reexports, and transfers
(in-country), related to ``vulnerability disclosure'' and ``cyber
incident response''.
Note 1 to paragraph (c)(3): For paragraphs (c)(1) and (2) of
this section, see Note 1 to ECCN 4E001 in the CCL (supplement no. 1
to part 774 of the EAR) excluding ``vulnerability disclosure'' and
``cyber incident response'' from control under 4E001.a or .c.
(4) To a non-`government end user' located in any country listed in
Country Group D:1 or D:5 of supplement no. 1 to this part, except:
(i) Cybersecurity items classified under ECCNs 4A005, 4D001.a (for
4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or
4D004) or 4D004) and 4E001.c, to any `favorable treatment cybersecurity
end user'.
(ii) ``Vulnerability disclosure'' or ``cyber incident response''.
(iii) Deemed exports.
(5) If the exporter, reexporter, or transferor ``knows'' or has
``reason to know'' at the time of export, reexport, or transfer
(in-country), including deemed exports and reexports, that the
`cybersecurity item' will be used to affect the confidentiality,
integrity, or availability of information or information systems,
without authorization by the owner, operator, or administrator of the
information system (including the information and processes within such
systems).
PART 772 [AMENDED]
4. The authority citation for part 772 continues to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783.
5. Section 772.1 is amended by revising the definitions ``Less
sensitive government end users'' and ``More sensitive government end
users'' to read as follows:
Sec. 772.1 Definitions of terms as used in the Export Administration
Regulations (EAR).
* * * * *
Less sensitive government end users (as applied to encryption items
and `cybersecurity items'). The following ``government end users'' (as
defined in this section) are considered ``less sensitive'' for the
purposes of License Exception ENC (Sec. 740.17 of the EAR) and License
Exception ACE (Sec. 740.22 of the EAR):
(1) Local/state/provincial ``government end users'' (departments,
agencies, and entities), including local/state/provincial executive,
legislative, judicial, police, fire, rescue, and public safety
agencies.
(2) National/federal/royal ``government end users'' (departments,
agencies, and entities) providing the following civil government
functions and services:
(i) Census and statistics services;
(ii) Civil public works infrastructure services (construction,
maintenance, repair, regulation, and administration) as follows:
Buildings, public transportation, roads and highways, trucking;
(iii) Civil service administration and regulation, including human
resources and personnel/labor management;
(iv) Clean water infrastructure services (treatment, supply and
testing);
(v) Economic (trade/commerce/investment), business and industrial
development, promotion, regulation and
administration, excluding the following end users/end uses:
(A) Agencies, departments, boards, and councils for science and
technology;
(B) Research, development, and national laboratories (other than as
specified in paragraphs (2)(xi) (measurements and standards services)
and (2)(xii) (meteorology/weather/atmospheric services) of this
definition); and
(C) National telecommunications and information technology
agencies, boards, councils, and development authorities (including
national information center, and Information Communications Technology
(ICT)/telecommunications infrastructure/spectrum planning, policy,
regulation, and testing);
(vi) Elections, balloting, and polling services;
(vii) Energy regulation and administration, including oil, gas, and
mining sectors;
(viii) Environmental/natural resources regulation, administration,
and protection, including wildlife, fisheries, and national parks;
(ix) Food/agriculture regulation and administration;
(x) Labor/community/social services planning, regulation, and
administration, including: Housing and urban development, municipality
and rural affairs;
(xi) Measurements and standards services;
(xii) Meteorology (weather, atmospheric) services;
(xiii) National archives/museums;
(xiv) Patents;
(xv) Pilgrimage and religious affairs;
(xvi) Postal services;
(xvii) Public and higher education (excluding government research
institutions and any agency, institution, or affiliate engaged in the
manufacture or distribution of items or services controlled on the
Wassenaar Munitions List);
(xviii) Public health and medicine/pharmaceutical regulation and
administration;
(xix) Public libraries;
(xx) Sports/culture (includes film, commercial broadcasting, and
the arts) promotion, regulation, and administration; and
(xxi) Travel/tourism promotion, regulation, and administration.
* * * * *
More sensitive government end users (as applied to encryption items
and `cybersecurity items'). The following national/federal/royal
(departments, agencies, and entities) ``government end users'' (as
defined in this section) providing the following government functions
and services, are considered ``more sensitive'' for the purposes of
License Exception ENC (Sec. 740.17 of the EAR) and License Exception
ACE (Sec. 740.22 of the EAR):
(1) Agencies, departments, boards, and councils for science and
technology (including research, development, and state/national
laboratories, but not including measurements and standards);
(2) Currency and monetary authorities (including departments and
offices of the national/federal/royal reserve);
(3) Executive agents of state (including offices of president/vice
president/prime minister, royal courts, national security councils,
cabinet/council of ministers/supreme councils/executive councils, crown
princes and other deputies of the rulers, departments and offices of
political/constitutional/mainland affairs);
(4) Legislative bodies responsible for the enactment of laws;
(5) Import/export control, customs and immigration agencies, and
entities;
(6) Intelligence agencies and entities;
(7) Judiciary (including supreme courts and other national/federal/
regional/royal high courts and tribunals);
(8) Maritime, port, railway, and airport authorities;
(9) Military and armed services (including national guard, coast
guard, security bureaus, and paramilitary);
(10) Ministries, departments, and garrisons of defense (including
defense technology agencies);
(11) Ministries and departments of finance and taxation (including
national/federal/royal budget and revenue authorities);
(12) Ministries and departments of foreign affairs/foreign
relations/consulates/embassies;
(13) Ministries of interior, internal/home/mainland affairs, and
homeland security;
(14) State/national telecommunications and information technology
agencies, boards, councils, and development authorities (including
national information/critical infrastructure data centers, and
Information and Communications Technology (ICT)/telecommunications
infrastructure/spectrum planning, policy, regulation, and testing);
(15) Police, investigation and other law enforcement agencies, and
entities (including digital crime/cybercrime/computer forensics,
counter narcotics/counter terrorism/counter proliferation agencies);
(16) Prisons; and
(17) Public safety agencies and entities (including national/
federal/royal agencies and departments of civil defense, emergency
management, and first responders).
* * * * *
PART 774 [AMENDED]
6. The authority citation for part 774 continues to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; 10 U.S.C. 8720; 10 U.S.C. 8730(e); 22 U.S.C.
287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 42 U.S.C. 2139a; 15
U.S.C. 1824; 50 U.S.C. 4305; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, 3 CFR, 2001 Comp., p. 783.
7. In supplement no. 1 to part 774, Category 5--Part 1, ECCN 5D001 is
revised to read as follows:
Supplement No. 1 to Part 774--The Commerce Control List
* * * * *
5D001 ``Software'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Control(s) | Country chart (see Supp. No. 1 to part 738)
------------------------------------------------------------------------
NS applies to entire entry | NS Column 1
SL applies to the entire entry as applicable for equipment, functions, features, or characteristics controlled by 5A001.f.1. | A license is required for all destinations, as specified in Sec. 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended.
AT applies to entire entry | AT Column 1
------------------------------------------------------------------------
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions
(See Part 740 for a description of all license exceptions).
[[Page 31954]]
TSR: Yes, except for exports and reexports to destinations outside
of those countries listed in Country Group A:5 (See Supplement No. 1
to part 740 of the EAR) of ``software'' controlled by 5D001.a and
``specially designed'' for items controlled by 5A001.b.5 and
5A001.h, and N/A for ``software'' classified under ECCN 5D001.a (for
5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or
5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See
Sec. 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
5D001.a ``software'' ``specially designed'' for the ``development''
or ``production'' of equipment, functions or features, specified by
ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for
5A001.j)) to any of the destinations listed in Country Group A:5 or
A:6 (See Supplement No. 1 to part 740 of the EAR); 5A001.b.3, .b.5 or
.h; and for 5D001.b. for ``software'' ``specially designed'' or
modified to support ``technology'' specified by the STA paragraph in
the License Exception section of ECCN 5E001 to any of the
destinations listed in Country Group A:6.
List of Items Controlled
Related Controls: See also 5D980 and 5D991.
Related Definitions: N/A
Items:
a. ``Software'' ``specially designed'' or modified for the
``development'', ``production'' or ``use'' of equipment, functions
or features controlled by 5A001;
b. [Reserved]
c. Specific ``software'' ``specially designed'' or modified to
provide characteristics, functions or features of equipment,
controlled by 5A001 or 5B001;
d. ``Software'' ``specially designed'' or modified for the
``development'' of any of the following telecommunication
transmission or switching equipment:
d.1. [Reserved]
d.2. Equipment employing a ``laser'' and having any of the
following:
d.2.a. A transmission wavelength exceeding 1,750 nm; or
d.2.b. Employing analog techniques and having a bandwidth
exceeding 2.5 GHz; or
Note: 5D001.d.2.b does not control ``software'' ``specially
designed'' or modified for the ``development'' of commercial TV
systems.
d.3. [Reserved]
d.4. Radio equipment employing Quadrature-Amplitude-Modulation
(QAM) techniques above level 1,024.
e. ``Software'', other than that specified by 5D001.a or
5D001.c, ``specially designed'' or modified for monitoring or
analysis by law enforcement, providing all of the following:
e.1. Execution of searches on the basis of ``hard selectors'' of
either the content of communication or metadata acquired from a
communications service provider using a `handover interface'; and
Technical Notes:
1. For the purposes of 5D001.e, a `handover interface' is a
physical and logical interface, designed for use by an authorised
law enforcement authority, across which targeted interception
measures are requested from a communications service provider and
the results of interception are delivered from a communications
service provider to the requesting authority. The `handover
interface' is implemented within systems or equipment (e.g.,
mediation devices) that receive and validate the interception
request, and deliver to the requesting authority only the results of
interception that fulfil the validated request.
2. `Handover interfaces' may be specified by international
standards (including but not limited to ETSI TS 101 331, ETSI TS 101
671, 3GPP TS 33.108) or national equivalents.
e.2. Mapping of the relational network or tracking the movement
of targeted individuals based on the results of searches on content
of communication or metadata or searches as described in 5D001.e.1.
Note: 5D001.e does not apply to ``software'' ``specially
designed'' or modified for any of the following:
a. Billing purposes;
b. Network Quality of Service (QoS);
c. Quality of Experience (QoE);
d. Mediation devices; or
e. Mobile payment or banking use.
* * * * *
Matthew S. Borman,
Deputy Assistant Secretary for Export Administration.
[FR Doc. 2022-11282 Filed 5-25-22; 8:45 am]