0694-AH56 202110 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0694 Bureau of Industry and Security BIS 0600 Department of Commerce DOC Information Security Controls: Cybersecurity Items

In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for "intrusion software.” On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls. This interim final rule outlines the progress the United States has made in this area, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.

]]> Other Significant Previously Published in The Unified Agenda Final Rule Stage No No 15 CFR 740 15 CFR 742 15 CFR 772 15 CFR 774 10 U.S.C. 7420 10 U.S.C. 7430(e) 15 U.S.C. 1824a 22 U.S.C. 287c 22 U.S.C. 3201 et seq. 22 U.S.C. 6004 22 U.S.C. 7201 et seq. 22 U.S.C. 7210 30 U.S.C. 185(s) 30 U.S.C. 185(u) 42 U.S.C. 2139a 43 U.S.C. 1354 50 U.S.C. 1701 et seq. 50 U.S.C. 4305 50 U.S.C. 4601 et seq. E.O. 12058 E.O. 12851 E.O. 12938 E.O. 13026 E.O. 13222 Pub. L. 108-11 Yes

In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for intrusion software. On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls. This interim final rule outlines the progress the United States has made in this area, implements revised Commerce Control List (CCL) text, establishes a new License Exception Authorized Cybersecurity Exports (ACE) and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.

]]>

On August 13, 2018, the President signed into law the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. sections 4801-4852. ECRA provides the legal basis for BIS’s principal authorities and serves as the authority under which BIS issues this rule.

]]>

As noted above, BIS does not believe that the amendments in this rule, will have a significant economic impact on a substantial number of small entities. Nevertheless, consistent with 5 U.S.C. 603(c), BIS considered significant alternatives to these amendments to assess whether the alternatives would: (1) Accomplish the stated objectives of this rule (consistent with the requirements in ECRA); and (2) minimize any significant economic impact of this rule on small entities. BIS could have implemented a much broader control on software capable of cybersecurity controlled under ECCNs 4A005, 4D004, 4E001, 4E001, and 5A001 that would have captured a greater amount of such software and related technology. That in turn would have had a greater impact not only on small businesses, but also on research and development laboratories (both academic and corporate), which are involved in network security. BIS has determined that implementing focused controls on specific software and related technology (i.e., the software controlled under new ECCN 4A005, 4D004, 4E001.a, 4E001.c, and 5A001.j and corresponding development technology in ECCN 5E001) is the least disruptive alternative for implementing export controls in a manner consistent with controlling technology that has been determined, through the interagency process authorized under ECRA, to be essential to U.S. national security. BIS is not implementing different compliance or reporting requirements for small entities. If a small business is subject to a compliance requirement for the export, reexport or transfer (in- country) of this software and related technology, then it would submit a license application using the same process as any other business (i.e., electronically via SNAPR). The license application process is free of charge to all entities, including small businesses. In addition, as noted above, the resources and other compliance tools made available by BIS typically serve to lessen the impact of any EAR license requirements on small businesses.

]]>

For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 5A004, 5D001, 5E001), the 2020 data from U.S. Customs and Border Protection’s Automated Export System (AES) shows 980 shipments valued at $39,146,164. Of those shipments, 120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 countries, which would make them ineligible for License Exception ACE. There were no shipments to Country Group E:1 or E:2. Under the provisions of this rule, the 120 shipments require a license application submission to BIS.

As there is no specific ECCN data in AES for the new export controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS uses other data to estimate the number of shipments of these new ECCNs that will require a license. Bureau of Economic Analysis (BEA) data from 2019 show a total dollar value of $55,657 million for Telecom, Computer, and Information Technology Services exports. Multiplying this value by 12.1% (the percentage of all exports that are subject to an EAR license requirement as determined by using AES data) suggests that $6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR license requirements. Based on AES data on the existing ECCNs affected by this rule, BIS estimates the average value of each shipment for the new ECCNs at about $40,000, and further estimates that 0.6% of all new ECCN shipments (1,010 shipments) are now eligible for License Exception ACE and 0.03% of all new ECCN shipments (50 shipments) require a license application submission.

Therefore, the annual total estimated cost associated with the paperwork burden imposed by this rule (that is, the projected increase of license application submissions based on the additional shipments requiring a license) is estimated to be 170 new applications x 29.6 minutes = 5,032/60 min = 84 hours x $30 = $2,520.

There is no paperwork submission to BIS associated with using License Exception ACE, and therefore there is no increase to any paperwork burden or information collection cost associated with License Exception ACE requirements in this rule.

Benefit

Cybersecurity items in the wrong hands raise both national security and foreign policy concerns. The benefit of publishing these revisions and controlling cybersecurity items in the way contemplated by this rule is that national security and foreign policy concerns are addressed, in that these regulations assist in keeping such items out of the hands of those that would use them for nefarious end uses, while at the same time not disrupt legitimate cybersecurity exports.

]]>

The risks of publishing this rule is that it has unexpected consequences, which is why there is a 90 day delayed effective date and 45 day comment period that will allow the public to comment on the rule.

]]> Interim Final Rule 10/21/2021 86 FR 58205 Interim Final Rule Comment Period End 12/06/2021 Interim Final Rule Effective 01/19/2022 Next Action Undetermined 02/00/2022 No No None No No No No 0694-AG49 Related to Sharron Cook 0694 Bureau of Industry and Security BIS 202 482-2440 sharron.cook@bis.doc.gov 2096/MS 2705, 14th Street and Pennsylvania Avenue NW, Washington DC 20230