View Rule


DOC/BIS RIN: 0694-AH56 Publication ID: Fall 2021 
Title: Information Security Controls: Cybersecurity Items 
Abstract:

In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for "intrusion software." On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls. This interim final rule outlines the progress the United States has made in this area, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.

 
Agency: Department of Commerce (DOC)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda  Agenda Stage of Rulemaking: Final Rule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 15 CFR 740    15 CFR 742    15 CFR 772    15 CFR 774   
Legal Authority: 10 U.S.C. 7420    10 U.S.C. 7430(e)    15 U.S.C. 1824a    22 U.S.C. 287c    22 U.S.C. 3201 et seq.    22 U.S.C. 6004    22 U.S.C. 7201 et seq.    22 U.S.C. 7210    30 U.S.C. 185(s)    30 U.S.C. 185(u)    42 U.S.C. 2139a    43 U.S.C. 1354    50 U.S.C. 1701 et seq.    50 U.S.C. 4305    50 U.S.C. 4601 et seq.    E.O. 12058    E.O. 12851    E.O. 12938    E.O. 13026    E.O. 13222    Pub. L. 108-11   
Legal Deadline:  None

Statement of Need:

In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for intrusion software. On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls. This interim final rule outlines the progress the United States has made in this area, implements revised Commerce Control List (CCL) text, establishes a new License Exception Authorized Cybersecurity Exports (ACE), and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.

Summary of the Legal Basis:

On August 13, 2018, the President signed into law the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. sections 4801-4852. ECRA provides the legal basis for BIS’s principal authorities and serves as the authority under which BIS issues this rule.

Alternatives:

As noted above, BIS does not believe that the amendments in this rule will have a significant economic impact on a substantial number of small entities. Nevertheless, consistent with 5 U.S.C. 603(c), BIS considered significant alternatives to these amendments to assess whether the alternatives would: (1) accomplish the stated objectives of this rule (consistent with the requirements in ECRA); and (2) minimize any significant economic impact of this rule on small entities. BIS could have implemented a much broader control on software capable of cybersecurity controlled under ECCNs 4A005, 4D004, 4E001, 4E001, and 5A001 that would have captured a greater amount of such software and related technology. That in turn would have had a greater impact not only on small businesses, but also on research and development laboratories (both academic and corporate), which are involved in network security. BIS has determined that implementing focused controls on specific software and related technology (i.e., the software controlled under new ECCN 4A005, 4D004, 4E001.a, 4E001.c, and 5A001.j and corresponding development technology in ECCN 5E001) is the least disruptive alternative for implementing export controls in a manner consistent with controlling technology that has been determined, through the interagency process authorized under ECRA, to be essential to U.S. national security. BIS is not implementing different compliance or reporting requirements for small entities. If a small business is subject to a compliance requirement for the export, reexport or transfer (in-country) of this software and related technology, then it would submit a license application using the same process as any other business (i.e., electronically via SNAP-R). The license application process is free of charge to all entities, including small businesses.
In addition, as noted above, the resources and other compliance tools made available by BIS typically serve to lessen the impact of any EAR license requirements on small businesses.

Anticipated Costs and Benefits:

For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 5A004, 5D001, 5E001), the 2020 data from U.S. Customs and Border Protection’s Automated Export System (AES) shows 980 shipments valued at $39,146,164. Of those shipments, 120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 countries, which would make them ineligible for License Exception ACE. There were no shipments to Country Group E:1 or E:2. Under the provisions of this rule, the 120 shipments require a license application submission to BIS.

As there is no specific ECCN data in AES for the new export controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS uses other data to estimate the number of shipments of these new ECCNs that will require a license. Bureau of Economic Analysis (BEA) data from 2019 show a total dollar value of $55,657 million for Telecom, Computer, and Information Technology Services exports. Multiplying this value by 12.1% (the percentage of all exports that are subject to an EAR license requirement as determined by using AES data) suggests that $6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR license requirements. Based on AES data on the existing ECCNs affected by this rule, BIS estimates the average value of each shipment for the new ECCNs at about $40,000, and further estimates that 0.6% of all new ECCN shipments (1,010 shipments) are now eligible for License Exception ACE and 0.03% of all new ECCN shipments (50 shipments) require a license application submission.

Therefore, the annual total cost associated with the paperwork burden imposed by this rule (that is, the projected increase of license application submissions based on the additional shipments requiring a license) is estimated as follows: 170 new applications x 29.6 minutes = 5,032 minutes; 5,032 / 60 = 84 hours; 84 hours x $30 = $2,520.

There is no paperwork submission to BIS associated with using License Exception ACE, and therefore there is no increase to any paperwork burden or information collection cost associated with License Exception ACE requirements in this rule.

Benefit

Cybersecurity items in the wrong hands raise both national security and foreign policy concerns. The benefit of publishing these revisions and controlling cybersecurity items in the way contemplated by this rule is that national security and foreign policy concerns are addressed, in that these regulations assist in keeping such items out of the hands of those that would use them for nefarious end uses, while at the same time not disrupting legitimate cybersecurity exports.

Risks:

The risk of publishing this rule is that it has unexpected consequences, which is why there is a 90-day delayed effective date and a 45-day comment period that will allow the public to comment on the rule.

Timetable:
Action  Date  FR Cite
Interim Final Rule  10/21/2021  86 FR 58205   
Interim Final Rule Comment Period End  12/06/2021 
Interim Final Rule Effective  01/19/2022 
Next Action Undetermined  02/00/2022 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: None 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: No 
Related RINs: Related to 0694-AG49 
Agency Contact:
Sharron Cook
Policy Analyst
Department of Commerce
Bureau of Industry and Security
2096/MS 2705, 14th Street and Pennsylvania Avenue NW,
Washington, DC 20230
Phone: 202 482-2440
Fax: 202 482-3355
Email: sharron.cook@bis.doc.gov