[Federal Register Volume 86, Number 201 (Thursday, October 21, 2021)]
[Rules and Regulations]
[Pages 58205-58216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-22774]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 740, 772 and 774
[Docket No. 211013-0209]
RIN 0694-AH56
Information Security Controls: Cybersecurity Items
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Interim final rule, with request for comments.
-----------------------------------------------------------------------
SUMMARY: This interim final rule outlines the progress the United
States has made in export controls pertaining to cybersecurity items,
revised Commerce Control List (CCL) implementation, and requests from
the public information about the impact of these revised controls on
U.S. industry and the cybersecurity community. Specifically, this rule
establishes a new control on these items for National Security (NS) and
Anti-terrorism (AT) reasons, along with a new License Exception
Authorized Cybersecurity Exports (ACE) that authorizes exports of these
items to most destinations except in the circumstances described. These
items warrant controls because these tools could be used for
surveillance, espionage, or other actions that disrupt, deny or degrade
the network or devices on it.
[[Page 58206]]
DATES: Effective date: This rule is effective January 19, 2022.
Comments must be received by BIS no later than December 6, 2021.
ADDRESSES: Comments on this rule may be submitted to the Federal
rulemaking portal (www.regulations.gov). The regulations.gov ID for
this rule is: BIS-2020-0038. Please refer to RIN 0694-AH56 in all
comments.
All filers using the portal should use the name of the person or
entity submitting the comments as the name of their files, in
accordance with the instructions below. Anyone submitting business
confidential information should clearly identify the business
confidential portion at the time of submission, file a statement
justifying nondisclosure and referring to the specific legal authority
claimed, and also provide a non-confidential version of the submission.
For comments submitted electronically containing business
confidential information, the file name of the business confidential
version should begin with the characters ``BC.'' Any page containing
business confidential information must be clearly marked ``BUSINESS
CONFIDENTIAL'' on the top of that page. The corresponding non-
confidential version of those comments must be clearly marked
``PUBLIC.'' The file name of the non-confidential version should begin
with the character ``P.'' Any submissions with file names that do not
begin with either a ``BC'' or a ``P'' will be assumed to be public and
will be made publicly available through http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For questions regarding the Export
Control Classification Numbers (ECCNs) included in this rule or License
Exception ACE, contact Aaron Amundson at 202-482-0707 or email
[email protected].
SUPPLEMENTARY INFORMATION:
Background
In 2013, the Wassenaar Arrangement (WA) added cybersecurity items
to the WA List, including a definition for ``intrusion software.'' The
controls included hardware and software controls on the command and
delivery platforms for ``intrusion software,'' the technology for the
``development,'' ``production'' or ``use'' of the command and delivery
platforms, and the technology for the ``development'' of ``intrusion
software.'' On May 20, 2015, the Bureau of Industry and Security (BIS)
published a proposed rule describing how these new controls would fit
into the Export Administration Regulations (EAR) and requested
information from the public about the impact on U.S. industry. The
public comments on the proposed rule revealed serious issues concerning
scope and implementation regarding these controls. Based on these
comments, as well as substantial commentary from Congress, the private
sector, academia, civil society, and others on the potential unintended
consequences of the 2013 controls, the U.S. government returned to the
WA to renegotiate the controls.
In response to the proposed rule, BIS received almost 300 comments
that raised substantial concerns about the proposed rule's scope and
the impact the proposed rule would have on legitimate cybersecurity
research and incident response activities. BIS also conducted extensive
outreach with the security industry, financial institutions, and
government agencies that manage cybersecurity.
Comments on the previously published proposed rule focused on three
main issues. First, many commenters asserted that the entries were
overly broad, captured more than was intended, and, as a technical
matter, failed to accurately describe the items intended for control.
Second, many commenters asserted that the rule as written imposed a
heavy and unnecessary licensing burden on legitimate transactions that
contribute to cybersecurity. Third, many commenters suggested that the
proposed rule's control on technology for the ``development'' of
``intrusion software'' could cripple legitimate cybersecurity research.
Based on these comments, the United States decided against amending
the proposed rule and instead returned to the WA in 2016 and 2017 to
negotiate changes to the text. In December 2017, the WA published the
changes that resulted from those negotiations. There were three
significant changes: First, using ``command and control'' in the
control language for both hardware and software addressed concerns from
cybersecurity companies to more specifically control tools that can be
used maliciously. Second, adding a note to the control entry for
technology for the ``development'' of ``intrusion software'' that
excludes from the entry ``technology'' that is exchanged for
`vulnerability disclosure' or `cyber incident response'. Third, adding
a note to the ``software'' generation, command and control, or delivery
entry that excludes from this entry products designed and limited to
providing basic software updates and upgrades.
BIS publishes this interim final rule to implement the WA 2017
decisions related to cybersecurity. The rule creates a new License
Exception Authorized Cybersecurity Exports (ACE) that authorizes
exports, reexports and transfers (in-country) of cybersecurity items,
as described in more detail below, which are not also controlled in
Category 5--Part 2 of the CCL or for Surreptitious Listening (SL)
reasons.
In addition, BIS authorizes certain IP network surveillance
products under the same License Exception ACE. These items were also
part of the May 20, 2015 proposed rule but received far fewer comments
than the other items in that proposed rule. BIS believes that making
these products eligible for License Exception ACE addresses concerns
raised in the comments on the previously published proposed rule.
BIS believes this rule implements the WA decision of 2013, as
amended in 2017, with regard to cybersecurity items and addresses the
concerns expressed by industry and others about the previously
published proposed rule. Further, because of the limited scope of this
rule, BIS believes the impact would be minimal. However, to ensure full
consideration of the potential impact of this rule, BIS seeks public
comment on this interim final rule, including comments on the potential
cost of complying with this rule, and any impacts this rule has on
legitimate cybersecurity activities.
No items subject to the International Traffic in Arms Regulations
(ITAR) are being transferred to the EAR by this rule. Items and
services described on the U.S. Munitions List (USML) at ITAR Sec.
121.1, including military training, technical data directly related to
a defense article, and certain hardware and software specially designed
for intelligence purposes, remain subject to the ITAR. For software
directly related to a defense article, see ITAR Sec. 120.10(a)(4) and
the applicable technical data entry in each USML category. See EAR
Sec. 734.3(b) and ITAR Sec. 120.5(a) for more on the relationship
between the ITAR and EAR.
Specific Revisions
ECCNs 4A005 (new), 4D004 (new), 4E001.a and 4E001.c (new)
ECCNs 4A005 and 4D004 are added, as well as a new paragraph
4E001.c, as set forth in the amendments described below. In addition,
the existing definition for ``intrusion software'' found in Sec. 772.1
of the EAR applies to the new ECCNs. The entries include the 2017 WA
notes: An exclusion Note in 4D004 for software specially designed
[[Page 58207]]
and limited to providing basic updates and upgrades and an exclusion
Note for 4E001.c (as well as existing 4E001.a) for ``vulnerability
disclosure'' or ``cyber incident response.'' These terms are added to
part 772 and are further explained elsewhere in this preamble. This
rule also adds a Note 2 to 4E001.a and .c to clarify that BIS can
request information on items decontrolled by Note 1 to ensure
compliance with the controls. BIS does not intend this note to require
any additional compliance measures beyond what is otherwise required by
the EAR. ``Software'' and ``technology'' ``published'' in the public
domain and meeting the requirements of Sec. 734.7 of the EAR are not
subject to the EAR.
ECCN 5A001.j ``IP network communications surveillance systems or
equipment . . .''
Paragraph 5A001.j ``IP network communications surveillance systems
or equipment . . .'' is added to ECCN 5A001. License Exception ACE
eligibility is added for 5A001.j in part 740 ``License Exception.''
License Exception STA conditions are revised to remove eligibility for
5A001.j to destinations listed in Country Groups A:5 and A:6 (see
Supplement No. 1 to part 740 of the EAR for Country Groups). License
Exceptions GBS and LVS are also revised to remove eligibility for those
license exceptions.
Overlap With Category 5--Part 2 (``Information Security'')
When a cybersecurity item also incorporates particular
``information security'' functionality specified in ECCNs 5A002.a,
5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3 Category 5--Part 2 of the CCL
in Supplement No. 1 to part 774 of the EAR, these Category 5--Part 2
ECCNs prevail, provided the controlled ``information security''
functionality remains present and usable within the cybersecurity end
item or executable ``software.'' Category 5--Part 2 does not apply to
elements of source code or ``technology'' that implement functionality
controlled in another Category, or to any item subject to the EAR where
Encryption Item (EI) functionality is absent, removed or otherwise non-
existent.
Surreptitious Listening (SL) Controls
All items subject to the EAR that are controlled for Surreptitious
Listening (SL) reasons under another ECCN not added by this rule will
continue to be classified under the SL ECCN. The WA control list
changes related to ``intrusion software'' and IP network communications
surveillance systems do not affect or change any EAR provision
regarding communications intercepting devices, ``software'' or
``technology'', or any SL control (see Sec. 742.13 of the EAR). If a
circumstance arises where the item meets the control for national
security (NS) because it meets the cybersecurity parameters, encryption
item (EI) parameters, and SL parameters, then the control with the most
restrictive licensing requirements applies, which would be SL control,
because SL has worldwide control.
Sec. 740.22 License Exception Authorized Cybersecurity Exports (ACE)
BIS is also establishing a new License Exception Authorized
Cybersecurity Exports (ACE). This license exception, will appear in new
Sec. 740.22 of the EAR, is necessary to avoid impeding legitimate
cybersecurity research and incident response activities. Cybersecurity
items in the wrong hands raise both national security and foreign
policy concerns. This license exception starts with a definition
section that defines cybersecurity items, digital artifacts, favorable
treatment cybersecurity end user, and government end user (for the
purpose of Sec. 740.22 only). `Cybersecurity Items' are defined in
Sec. 740.22 as ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004,
4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c,
5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for
5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a
(for 5A001.j)).
License Exception ACE allows the export, reexport and transfer (in-
country) of `cybersecurity items' to most destinations, except to
destinations listed in Country Groups E:1 and E:2 of supplement no. 1
to part 740.
There are two types of end-user restrictions. Restricted end users
include a `government end user,' as defined in Sec. 740.22, of any
country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement
no. 1 to part 740, or a non-government end user located in a country
listed in Country Group D:1 or D:5. For deemed exports, the `government
end user' restriction applies, but not the `non-government end user'
restriction.
There are exclusions to the end-user restrictions. The restriction
on `government end users' does not apply to exports, reexports, and
transfers (in-country) to Country Group D countries that are also
listed in Country Group A:6, which includes Cyprus (A:6 and D:5),
Israel (A:6 and D:2-4), and Taiwan (A:6 and D:3), of `digital
artifacts' that are related to a cybersecurity incident involving
information systems owned or operated by a `favorable treatment
cybersecurity end user,' or to police or judicial bodies in Country
Group D countries that are also listed in Country Group A:6 for
purposes of criminal or civil investigations or prosecutions of such
cybersecurity incidents. In addition, the restriction does not apply to
exports, reexports, and transfers (in-country) to national computer
security incident response teams in Country Group D countries that are
also listed in Country Group A:6 of `cybersecurity items' for purposes
of responding to cybersecurity incidents, for purposes of
`vulnerability disclosure', or for purposes of criminal investigations
or prosecutions of such cybersecurity incidents. For exports,
reexports, or transfers (in-country) to `government end-users' under
License Exception ACE, there is no exclusion for activities related to
``vulnerability disclosure'' and ``cyber incident response.'' However,
Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the
EAR) excludes ``vulnerability disclosure'' and ``cyber incident
response'' from control under 4E001.a or .c. The 4E001 exclusion note
applies regardless of the type of end user and is unaffected by the
restrictions in License Exception ACE.
The restriction on non-government end users in Country Group D:1 or
D:5 does not apply to exports, reexports or transfers (in-country) of
cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or
4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or
4D004) and 4E001.c to any `favorable treatment cybersecurity end user.'
In addition, this restriction does not apply to ``vulnerability
disclosure'' or ``cyber incident response.''
Lastly, License Exception ACE has an end-use restriction. License
Exception ACE is not authorized if the exporter, reexporter, or
transferor knows or has reason to know at the time of export, reexport,
or transfer (in-country), including a deemed export or reexport, that
the `cybersecurity item' will be used to affect the confidentiality,
integrity or availability of information or information systems,
without authorization by the owner, operator, or administrator of the
information system (including the information and processes within such
systems).
Part 772--Definitions of Terms
BIS adds to Sec. 772.1 the WA definitions for ``cyber incident
response,'' and ``vulnerability disclosure'', which are used in
Category 4, new paragraph 4E001.c.
[[Page 58208]]
Conforming Changes
Because of the addition of the cybersecurity items to the CCL, some
conforming changes need to occur. Notes are added to Category 4 and
Category 5--Part 1 to address the overlap between these entries and
other entries on the CCL, as further explained below.
Notes 3 and 4 to Category 4
To clarify the scope of existing entries in Category 5, Notes 3 and
4 are added to Category 4 stating that cybersecurity items that are
specified by certain ECCNs in Category 5--Part 2 or in an ECCN
controlled for SL reasons in Category 5--Part 1 would continue to be
classified in those ECCNs instead of the new cybersecurity ECCN. In
addition, these cybersecurity items are eligible for the license
exceptions and are subject to the licensing policies applicable to
those entries in Category 5--Part 2 or in the SL-controlled ECCNs.
ECCN 4D001 ``Software''
Paragraph 4D001.a is revised to include 4A005. License Exception
ACE eligibility is added for 4D001.a and License Exception STA special
conditions are revised to include the ineligibility of software
specified in 4D001.a ``specially designed'' for the ``development'' or
``production'' of equipment specified by ECCN 4A005 to Country Groups
A:5 and A:6.
ECCN 4E001 ``Technology''
In addition to the revision that adds 4E001.c, License Exception
ACE eligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c.
License Exception STA ineligibility is added for 4E001.a (for 4A005 and
4D004) and 4E001.c to destinations listed in Country Groups A:5 and
A:6.
Notes 3 and 4 to Category 5--Part 1
To clarify the scope of these entries and existing entries in
Category 5 Parts 1 and 2, Notes 3 and 4 are added to Category 5--Part 1
identifying that cybersecurity items controlled in certain Category 5--
Part 2 ECCNs will remain controlled in Category 5--Part 2 and are
eligible for the license exceptions and are subject to the licensing
policies applicable to those ECCNs. In addition, cybersecurity items
specified in an ECCN controlled for SL reasons in Category 5--Part 1
continue to be classified in those ECCNs instead of the new
cybersecurity ECCN.
ECCN 5B001 Telecommunication Test, Inspection and Production Equipment,
``Components'' and ``Accessories''
License Exception ACE eligibility is added for 5B001.a (for
equipment and ``specially designed'' ``components'' or ``accessories''
therefor, ``specially designed'' for the ``development'' or
``production'' of equipment, functions or features, controlled by
5A001.j). License Exception STA conditions are revised to remove
eligibility for 5B001.a (for equipment and ``specially designed''
``components'' or ``accessories'' therefor, ``specially designed'' for
the ``development'' or ``production'' of equipment, functions or
features, controlled by 5A001.j) to destinations listed in Country
Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for
Country Groups). License Exceptions LVS and GBS are revised to remove
eligibility for 5B001.a (for 5A001.j).
ECCN 5D001 ``Software''
License Exception ACE eligibility is added for 5D001.a (for
equipment, functions or features specified by 5A001.j) and 5D001.c (for
equipment specified by 5A001.j or 5B001.a). License Exception STA
conditions are revised to remove eligibility for 5D001.a (for
equipment, functions or features specified by 5A001.j) and 5D001.c (for
equipment specified by 5A001.j or 5B001.a) to destinations listed in
Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR
for Country Groups). License Exception TSR is revised to remove
eligibility for ``software'' classified under ECCN 5D001.a (for
5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ECCN 5E001 ``Technology''
License Exception ACE eligibility is added for 5E001.a (for
5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for
5A001.j or 5B001.a (for 5A001.j)). License Exception STA conditions is
revised to remove eligibility for 5E001.a (for 5A001.j, 5B001.a (for
5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a
(for 5A001.j)) to destinations listed in Country Groups A:5 and A:6
(See Supplement No. 1 to part 740 of the EAR for Country Groups).
License Exception TSR is revised to remove eligibility for
``technology'' classified under ECCN 5E001.a for 5A001.j, 5B001.a (for
5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or
5B001.a (for 5A001.j)).
ECCN 5A004 ``Systems,'' ``Equipment'' and ``Components'' for Defeating,
Weakening or Bypassing ``Information Security''
This rule also amends ECCN 5A004 to add 4A005 to 5A004.b. This is
done to harmonize with the WA Dual-Use List now that ECCN 4A005 has
been added to the CCL.
Sec. 740.11 Governments, International Organizations, International
Inspections Under the Chemical Weapons Convention, and the
International Space Station (GOV)
License Exception GOV is amended to exclude cybersecurity items, as
defined in Sec. 740.22 License Exception ACE, from paragraph (c) of
License Exception GOV. As such, this rule revises paragraph (c)(3)(vi)
to remove ``or'' and to revise paragraph (c)(3)(vii) to replace the
period with a semi-colon and ``or.'' Lastly, paragraph (c)(3)(viii) is
added to exclude ``cybersecurity items as defined in Sec. 740.22(b)(1)
of the EAR.''
Export Control Reform Act of 2018
On August 13, 2018, the President signed into law the John S.
McCain National Defense Authorization Act for Fiscal Year 2019, which
included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C.
Sections 4801-4852. ECRA provides the legal basis for BIS's principal
authorities and serves as the authority under which BIS issues this
proposed rule.
Executive Order Requirements
Executive Orders 13563 and 12866 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distribute impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. This interim final rule has been designated a
``significant regulatory action'' under Executive Order 12866.
This rule does not contain policies with Federalism implications as
that term is defined under Executive Order 13132.
Paperwork Reduction Act Requirements
This rule involves collections of information subject to the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) under the
following information collection approved by the Office of
[[Page 58209]]
Management and Budget (OMB): 0694-0088, ``Multi-Purpose Application,''
and carries a burden hour estimate of 29.6 minutes for a manual or
electronic submission. BIS will be updating this information collection
to account for the increase in burden hours.
For the existing ECCNs included in this rule (4D001, 4E001, 5A001,
5A004, 5D001, 5E001), the 2020 data from the Automated Export System
(AES) shows 980 shipments valued at $39,146,164. Of those shipments,
120 shipments valued at $1,864,699 went to Country Group D:1 or D:5
countries, which would make them ineligible for License Exception ACE.
There were no shipments to Country Group E:1 or E:2. Under the
provisions of this rule, the 120 shipments require a license
application submission to BIS.
As there is no specific ECCN data in AES for the new export
controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS
uses other data to estimate the number of shipments of these new ECCNs
that will require a license. Bureau of Economic Analysis (BEA) data
from 2019 show a total dollar value of $55,657 million for Telecom,
Computer, and Information Technology Services exports. Multiplying this
value by 12.1% (the percentage of all exports that are subject to an
EAR license requirement as determined by using AES data) suggests that
$6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR
license requirements. Based on AES data on the existing ECCNs affected
by this rule, BIS estimates the average value of each shipment for the
new ECCNs at about $40,000, and further estimates that 0.6% of all new
ECCN shipments (1,010 shipments) are now eligible for License Exception
ACE and 0.03% of all new ECCN shipments (50 shipments) require a
license application submission.
Therefore, the annual total estimated cost associated with the
paperwork burden imposed by this rule (that is, the projected increase
of license application submissions based on the additional shipments
requiring a license) is estimated to be 170 new applications x 29.6
minutes = 5,032/60 min = 84 hours x $30 = $2,520.
There is no paperwork submission to BIS associated with using
License Exception ACE, and therefore there is no increase to any
paperwork burden or information collection cost associated with License
Exception ACE requirements in this rule.
Any comments regarding these burden estimates or any other aspect
of these collections of information, including suggestions for reducing
the burden, may be submitted online at https://www.reginfo.gov/public/do/PRAMain. Find the particular information collection by using the
search function and entering either the title of the collection,
``Multi-Purpose Application,'' or the OMB Control Number, 0694-0088.
Notwithstanding any other provision of law, no person is required
to respond to, nor shall any person be subject to a penalty for failure
to comply with a collection of information subject to the requirements
of the PRA, unless that collection of information displays a currently
valid OMB Control Number.
Administrative Procedure Act and Regulatory Flexibility Act
Requirements
Pursuant to Section 4821 of ECRA, this action is exempt from the
Administrative Procedure Act (5 U.S.C. 553) requirements for notice of
proposed rulemaking and opportunity for public participation.
Further, no other law requires notice of proposed rulemaking or
opportunity for public comment for this interim final rule. Because a
notice of proposed rulemaking and an opportunity for public comment are
not required under the Administrative Procedure Act or by any other
law, the analytical requirements of the Regulatory Flexibility Act (5
U.S.C. 601 et seq.) are not applicable. Notwithstanding, BIS believes
this interim final rule would benefit from public comment on the impact
of the control text and the usefulness of the new License Exception
ACE.
List of Subjects
15 CFR Part 740
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 772
Exports.
15 CFR Part 774
Exports, Reporting and recordkeeping requirements.
Accordingly, parts 740, 772, and 774 of the Export Administration
Regulations (15 CFR parts 730 through 774) are amended as follows:
PART 740--[AMENDED]
0
1. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR,
2001 Comp., p. 783.
0
2. Section 740.11 is amended by revising paragraphs (c)(3)(vi) and
(vii) and adding paragraph (c)(3)(viii) to read as follows:
Sec. 740.11 Governments, international organizations, international
inspections under the Chemical Weapons Convention, and the
International Space Station (GOV).
* * * * *
(c) * * *
(3) * * *
(vi) Items controlled for nuclear nonproliferation (NP) reasons;
(vii) Items listed as not eligible for License Exception STA in
Sec. 740.20(b)(2)(ii) of the EAR; or
(viii) Cybersecurity items as defined in Sec. 740.22(b)(1) of the
EAR.
* * * * *
0
3. Section 740.22 is added to read as follows:
Sec. 740.22 Authorized Cybersecurity Exports (ACE).
(a) Scope. License Exception ACE authorizes export, reexport, and
transfer (in-country), including deemed exports and reexports, of
`cybersecurity items,' as set forth in paragraph (b) of this section,
subject to the restrictions set forth in paragraph (c) of this section.
Deemed exports and reexports are authorized under this license
exception, except for deemed exports or reexports to E:1 and E:2
nationals as described in paragraph (c)(1)(i) of this section, to
certain `government end-users' as described in paragraph (c)(1)(ii) of
this section, and subject to the end-use restrictions described in
paragraph (c)(2) of this section. Even if License Exception ACE is not
available for a particular transaction, other license exceptions may be
available. For example, License Exception GOV (Sec. 740.11 of the EAR)
authorizes certain exports to U.S. government agencies and personnel.
License Exception TMP (Sec. 740.9(a)(1) of the EAR) authorizes the
export, reexport, and transfer (in country) of tools of the trade in
certain situations.
(b) Definitions. The following terms and definitions are for the
purpose of License Exception ACE only.
(1) Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or
4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or
4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j),
5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for
5A001.j or 5D001.a (for 5A001.j)).
(2) Digital artifacts are items (e.g., ``software'' or
``technology'') found or discovered on an information system that show
past or present activity pertaining to the use or compromise of,
[[Page 58210]]
or other effects on, that information system.
(3) Favorable treatment cybersecurity end user is any of the
following:
(i) A ``U.S. subsidiary'';
(ii) Providers of banking and other financial services;
(iii) Insurance companies; or
(iv) Civil health and medical institutions providing medical
treatment or otherwise conducting the practice of medicine, including
medical research.
(4) Government end user, for the purpose of Sec. 740.22, is a
national, regional or local department, agency or entity that provides
any governmental function or service, including international
governmental organizations, government operated research institutions,
and entities and individuals who are acting on behalf of such an
entity. This term includes retail or wholesale firms engaged in the
manufacture, distribution, or provision of items or services,
controlled on the Wassenaar Arrangement Munitions List.
(c) Restrictions. License Exception ACE exports, reexports, or
transfers (in-country) of `cybersecurity items' are subject to the
restrictions of this paragraph (c).
(1) Destination or end-user restrictions. License Exception ACE
does not authorize deemed exports under paragraph (c)(1)(i) or (ii) of
this section.The restrictions in paragraphs (c)(1)(i) and (ii) apply to
activities, including exports, reexports, and transfers (in-country),
related to ``vulnerability disclosure'' and ``cyber incident
response.'' However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1
to part 774 of the EAR) excludes ``vulnerability disclosure'' and
''cyber incident response'' from control under 4E001.a or .c.
(i) A destination that is listed in Country Group E:1 or E:2 in
supplement no.1 to part 740 of the EAR.
(ii) A government end user, as defined in this section, of any
country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement
no. 1 to part 740. This restriction does not apply to:
(A) Exports, reexports, and transfers (in-country) to Country Group
D countries that are also listed in Country Group A:6 of `digital
artifacts' that are related to a cybersecurity incident involving
information systems owned or operated by a `favorable treatment
cybersecurity end user', or to police or judicial bodies in Country
Group D countries that are also listed in Country Group A:6 for
purposes of criminal or civil investigations or prosecutions of such
cybersecurity incidents; or
(B) Exports, reexports, and transfers (in-country) to national
computer security incident response teams in Country Group D countries
that are also listed in Country Group A:6 of `cybersecurity items' for
purposes of responding to cybersecurity incidents, for purposes of
`vulnerability disclosure', or for purposes of criminal or civil
investigations or prosecutions of such cybersecurity incidents.
(iii) A non-government end user located in any country listed in
Country Group D:1 or D:5 of Supplement No. 1 to part 740 of the EAR.
This restriction does not apply to:
(A) Exports, reexports or transfers (in-country) of cybersecurity
items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004),
4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and
4E001.c, to any `favorable treatment cybersecurity end user;'
(B) ``Vulnerability disclosure'' or ``cyber incident response;''or
(C) Deemed exports.
(2) End-use restrictions. License Exception ACE is not authorized
if the exporter, reexporter, or transferor ``knows'' or has ``reason to
know'' at the time of export, reexport, or transfer (in-country),
including deemed exports and reexports, that the `cybersecurity item'
will be used to affect the confidentiality, integrity or availability
of information or information systems, without authorization by the
owner, operator or administrator of the information system (including
the information and processes within such systems).
PART 772--[AMENDED]
0
4. The authority citation for part 772 is revised to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783.
0
5. Section 772.1 is amended by adding the definitions for ``cyber
incident response'', and ``vulnerability disclosure'' to read as
follows:
Sec. 772.1 Definitions of terms as used in the Export Administration
Regulations (EAR).
* * * * *
Cyber incident response. (Sec. 740.22, Cat 4) means the process of
exchanging necessary information on a cybersecurity incident with
individuals or organizations responsible for conducting or coordinating
remediation to address the cybersecurity incident.
* * * * *
Vulnerability disclosure. (Sec. 740.22, Cat 4) means the process
of identifying, reporting, or communicating a vulnerability to, or
analyzing a vulnerability with, individuals or organizations
responsible for conducting or coordinating remediation for the purpose
of resolving the vulnerability.
* * * * *
PART 774--[AMENDED]
0
6. The authority citation for part 774 continues to read as follows:
Authority: 50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50
U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C.
287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 42 U.S.C. 2139a; 15
U.S.C. 1824a; 50 U.S.C. 4305; 22 U.S.C. 7201 et seq.; 22 U.S.C.
7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O.
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783.
Supplement No. 1 to Part 774--[Amended]
0
7. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 4 is amended by adding Notes 3 and 4 to the beginning of the
category to read as follows:
Category 4--Computers
* * * * *
Note 3: Commodities and ``software'' in ECCNs 4A005 and 4D004
that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b,
5D002.c.1, or 5D002.c.3, remain controlled in Category 5--Part 2 by
those entries. Category 5--Part 2 does not apply to elements of
source code that implement functionality controlled by these
Category 4 ECCNs, or to any item subject to the EAR where Encryption
Item (EI) functionality is absent, removed or otherwise non-
existent.
Note 4: Items in ECCNs 4A005, 4D001.a (for 4A005 or 4D004),
4D004, and ``technology'' specified in ECCN 4E001.a (for 4A005,
4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c that are also
controlled for Surreptitious Listening (SL) reasons under another
ECCN, will continue to be classified under the SL ECCN.
0
8. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 4 is amended by adding ECCN 4A005 after ECCN 4A004 to read as
follows:
Supplement No. 1 to Part 774--The Commerce Control List
* * * * *
4A005 ``Systems,'' ``equipment,'' and ``components'' therefor,
``specially designed'' or modified for the generation, command and
control, or delivery of ``intrusion software''.
License Requirements
Reason for Control: NS, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
AT applies to entire entry................ AT Column 1.
[[Page 58211]]
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
LVS: N/A
GBS: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See Sec. 740.22 of
the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship items specified
by ECCN 4A005.
List of Items Controlled
Related Controls: Defense articles described in USML Category XI(b),
and software directly related to a defense article, are ``subject to
the ITAR''; see Sec. 120.10(a)(4).
Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN
heading.
0
9. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 4, ECCN 4D001 is revised to read as follows:
4D001 ``Software'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, CC, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
CC applies to ``software'' for CC Column 1.
computerized finger-print equipment
controlled by 4A003 for CC reasons.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
TSR: Yes, except for ``software'' for the ``development'' or
``production'' of the following:
(1) Commodities with an ``Adjusted Peak Performance'' (``APP'')
exceeding 29 WT; or
(2) Commodities controlled by 4A005 or ``software'' controlled
by 4D004.
APP: Yes to specific countries (see Sec. 740.7 of the EAR for
eligibility criteria).
ACE: Yes for 4D001.a (for the ``development'', ``production'' or
``use'' of equipment or ``software'' specified in ECCN 4A005 or
4D004), except to Country Group E:1 or E:2. See Sec. 740.22 of the
EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
``software'' ``specially designed'' or modified for the
``development'' or ``production'' of equipment specified by ECCN
4A001.a.2 or for the ``development'' or ``production'' of ``digital
computers'' having an `Adjusted Peak Performance' (`APP') exceeding
29 Weighted TeraFLOPS (WT) to any of the destinations listed in
Country Group A:6 (See Supplement No.1 to part 740 of the EAR); and
may not be used to ship or transmit ``software'' specified in
4D001.a ``specially designed'' for the ``development'' or
``production'' of equipment specified by ECCN 4A005 to any of the
destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: Software described in USML Category XI(b), and
software directly related to a defense article, is ``subject to the
ITAR''; see Sec. 120.10(a)(4).
Related Definitions: N/A
Items:
a. ``Software'' ``specially designed'' or modified for the
``development'' or ``production'', of equipment or ``software''
controlled by 4A001, 4A003, 4A004, 4A005 or 4D (except 4D980, 4D993
or 4D994).
b. ``Software'', other than that controlled by 4D001.a,
``specially designed'' or modified for the ``development'' or
``production'' of equipment as follows:
b.1. ``Digital computers'' having an ``Adjusted Peak
Performance'' (``APP'') exceeding 15 Weighted TeraFLOPS (WT);
b.2. ``Electronic assemblies'' ``specially designed'' or
modified for enhancing performance by aggregation of processors so
that the ``APP'' of the aggregation exceeds the limit in 4D001.b.1.
0
10. In Supplement No. 1 to Part 774, Category 4 is amended by adding
ECCN 4D004 after ECCN 4D001 to read as follows:
4D004 ``Software'' ``specially designed'' or modified for the
generation, command and control, or delivery of ``intrusion
software.''
License Requirements
Reason for Control: NS, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
AT applies to entire entry................ AT Column 1.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
TSR: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See Sec. 740.22 of
the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
``software'' specified by ECCN 4D004.
List of Items Controlled
Related Controls: Software described in USML Category XI(b), and
software directly related to a defense article, is ``subject to the
ITAR''; see Sec. 120.10(a)(4).
Related Definitions: N/A
Items:
The list of items controlled is contained in the ECCN heading.
Note: 4D004 does not apply to ``software'' specially designed
and limited to provide ``software'' updates or upgrades meeting all
the following:
a. The update or upgrade operates only with the authorization of
the owner or administrator of the system receiving it; and
b. After the update or upgrade, the ``software'' updated or
upgraded is not any of the following:
1. ``Software'' specified by 4D004; or
2. ``Intrusion software.''
0
11. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 4, ECCN 4E001 is revised to read as follows:
4E001 ``Technology'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, MT, CC, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
MT applies to ``technology'' for items MT Column 1.
controlled by 4A001.a and 4A101 for MT
reasons.
CC applies to ``software'' for CC Column 1.
computerized finger-print equipment
controlled by 4A003 for CC reasons.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
TSR: Yes, except for the following:
(1) ``Technology'' for the ``development'' or ``production'' of
commodities with an ``Adjusted Peak Performance'' (``APP'')
exceeding 29 WT or for the ``development'' or ``production'' of
commodities controlled by 4A005 or ``software'' controlled by 4D004;
or
(2) ``Technology'' for the ``development'' of ``intrusion
software''.
[[Page 58212]]
APP: Yes to specific countries. See Sec. 740.7 of the EAR for
eligibility criteria.
ACE: Yes for 4E001.a (for the ``development'', ``production'' or
``use'' of equipment or ``software'' specified in ECCN 4A005 or
4D004) and for 4E001.c, except to Country Group E:1 or E:2. See
Sec. 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
``technology'' according to the General Technology Note for the
``development'' or ``production'' of any of the following equipment
or ``software'': a. Equipment specified by ECCN 4A001.a.2; b.
``Digital computers'' having an `Adjusted Peak Performance' (`APP')
exceeding 29 Weighted TeraFLOPS (WT); or c. ``software'' specified
in the License Exception STA paragraph found in the License
Exception section of ECCN 4D001 to any of the destinations listed in
Country Group A:6 (See Supplement No. 1 to part 740 of the EAR); and
may not be used to ship or transmit ``software'' specified in
4E001.a (for the ``development'', ``production'' or ``use'' of
equipment or ``software'' specified in ECCN 4A005 or 4D004) and
4E001.c to any of the destinations listed in Country Group A:5 or
A:6.
List of Items Controlled
Related Controls: Military training of foreign units and forces (see
ITAR Sec. 120.9(a)(3)), and technical data (see ITAR Sec. 120.10)
directly related to a defense article, are ``subject to the ITAR.''
Related Definitions: N/A
Items:
a. ``Technology'' according to the General Technology Note, for
the ``development'', ``production'', or ``use'' of equipment or
``software'' controlled by 4A (except 4A980 or 4A994) or 4D (except
4D980, 4D993, 4D994).
b. ``Technology'' according to the General Technology Note,
other than that controlled by 4E001.a, for the ``development'' or
``production'' of equipment as follows:
b.1. ``Digital computers'' having an ``Adjusted Peak
Performance'' (``APP'') exceeding 15 Weighted TeraFLOPS (WT);
b.2. ``Electronic assemblies'' ``specially designed'' or
modified for enhancing performance by aggregation of processors so
that the ``APP'' of the aggregation exceeds the limit in 4E001.b.1.
c. ``Technology'' for the ``development'' of ``intrusion
software.''
Note 1: 4E001.a and 4E001.c do not apply to ``vulnerability
disclosure'' or ``cyber incident response''.
Note 2: Note 1 does not diminish national authorities' rights to
ascertain compliance with 4E001.a and 4E001.c.
0
12. In Supplement No. 1 to Part 774, Category 5--Part 1 is amended by
adding Notes 3 and 4 to the beginning of the Category after Note 2 to
read as follows:
Category 5--Telecommunications and ``Information Security''
Part 1--Telecommunications
Notes: * * *
3. Commodities in ECCN 5A001.j, and related ``software''
specified in 5D001.c (for 5A001.j) that are also controlled in ECCNs
5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain
controlled in Category 5--Part 2 by those entries. Category 5--Part
2 does not apply to elements of source code that implement
functionality controlled by these Category 5 Part 1 ECCNs, or to any
item subject to the EAR where Encryption Item (EI) functionality is
absent, removed or otherwise non-existent.
4. Items in ECCN 5A001.j, 5B001.a (for 5A001.j), related
``software'' specified in 5D001.a (for 5A001.j) and 5D001.c (for
5A001.j or 5B001.a (for 5A001.j)) and related ``technology''
specified in ECCN 5E001.a (for 5A001.j and 5D001.a (for 5A001.j))
that are also controlled for Surreptitious Listening (SL) reasons
under another ECCN, will continue to be classified under the SL
ECCN.
* * * * *
0
13. In Supplement No. 1 to Part 774, Category 5--Part 1, ECCN 5A001 is
revised to read as follows:
5A001 Telecommunications systems, equipment, ``components'' and
``accessories,'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to 5A001.a, b.5, .e, .f.3, .h.. NS Column 1.
NS applies to 5A001.b (except .b.5), .c, NS Column 2.
.d, .f (except f.3), .g, and .j.
SL applies to 5A001.f.1................... A license is required for
all destinations, as
specified in Sec. 742.13
of the EAR. Accordingly, a
column specific to this
control does not appear on
the Commerce Country Chart
(Supplement No. 1 to Part
738 of the EAR).
Note to SL paragraph: This
licensing requirement does
not supersede, nor does it
implement, construe or
limit the scope of any
criminal statute,
including, but not limited
to the Omnibus Safe Streets
Act of 1968, as amended.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
LVS: N/A for 5A001.a, b.5, .e, f.3, .h and .j; $5000 for 5A001.b.1,
.b.2, .b.3, .b.6, .d, f.2, f.4, and .g; $3000 for 5A001.c.
GBS: Yes, except 5A001.a, .b.5, .e, .h and .j.
ACE: Yes for 5A001.j, except to Country Group E:1 or E:2. See Sec.
740.22 of the EAR for eligibility criteria
Special Conditions for STA
STA: License Exception STA may not be used to ship any commodity in
5A001.j to any of the destinations listed in Country Group A:5 or
A:6 (See Supplement No. 1 to part 740 of the EAR), or any commodity
in 5A001.b.3, .b.5 or .h to any of the destinations listed in
Country Group A:6 (See Supplement No.1 to part 740 of the EAR).
List of Items Controlled
Related Controls: (1) See USML Category XI for controls on
direction-finding ``equipment'' including types of ``equipment'' in
ECCN 5A001.e and any other military or intelligence electronic
``equipment'' that is ``subject to the ITAR.'' (2) See USML Category
XI(a)(4)(iii) for controls on electronic attack and jamming
``equipment'' defined in 5A001.f and .h that are subject to the
ITAR. (3) See also ECCNs 5A101, 5A980, and 5A991.
Related Definitions: N/A
Items:
a. Any type of telecommunications equipment having any of the
following characteristics, functions or features:
a.1. ``Specially designed'' to withstand transitory electronic
effects or electromagnetic pulse effects, both arising from a
nuclear explosion;
a.2. Specially hardened to withstand gamma, neutron or ion
radiation;
a.3. ``Specially designed'' to operate below 218 K (-55 [deg]C);
or
a.4. ``Specially designed'' to operate above 397 K (124 [deg]C);
Note: 5A001.a.3 and 5A001.a.4 apply only to electronic
equipment.
b. Telecommunication systems and equipment, and ``specially
designed'' ``components'' and ``accessories'' therefor, having any
of the following characteristics, functions or features:
b.1 Being underwater untethered communications systems having
any of the following:
b.1.a. An acoustic carrier frequency outside the range from 20
kHz to 60 kHz;
b.1.b. Using an electromagnetic carrier frequency below 30 kHz;
or
b.1.c. Using electronic beam steering techniques; or
[[Page 58213]]
b.1.d. Using ``lasers'' or light-emitting diodes (LEDs), with an
output wavelength greater than 400 nm and less than 700 nm, in a
``local area network'';
b.2. Being radio equipment operating in the 1.5 MHz to 87.5 MHz
band and having all of the following:
b.2.a. Automatically predicting and selecting frequencies and
``total digital transfer rates'' per channel to optimize the
transmission; and
b.2.b. Incorporating a linear power amplifier configuration
having a capability to support multiple signals simultaneously at an
output power of 1 kW or more in the frequency range of 1.5 MHz or
more but less than 30 MHz, or 250 W or more in the frequency range
of 30 MHz or more but not exceeding 87.5 MHz, over an
``instantaneous bandwidth'' of one octave or more and with an output
harmonic and distortion content of better than -80 dB;
b.3. Being radio equipment employing ``spread spectrum''
techniques, including ``frequency hopping'' techniques, not
controlled in 5A001.b.4 and having any of the following:
b.3.a. User programmable spreading codes; or
b.3.b. A total transmitted bandwidth which is 100 or more times
the bandwidth of any one information channel and in excess of 50
kHz;
Note: 5A001.b.3.b does not control radio equipment ``specially
designed'' for use with any of the following:
a. Civil cellular radio-communications systems; or
b. Fixed or mobile satellite Earth stations for commercial civil
telecommunications.
Note: 5A001.b.3 does not control equipment operating at an
output power of 1 W or less.
b.4. Being radio equipment employing ultra-wideband modulation
techniques, having user programmable channelizing codes, scrambling
codes, or network identification codes and having any of the
following:
b.4.a. A bandwidth exceeding 500 MHz; or
b.4.b. A ``fractional bandwidth'' of 20% or more;
b.5. Being digitally controlled radio receivers having all of
the following:
b.5.a. More than 1,000 channels;
b.5.b. A `channel switching time' of less than 1 ms;
b.5.c. Automatic searching or scanning of a part of the
electromagnetic spectrum; and
b.5.d. Identification of the received signals or the type of
transmitter; or
Note: 5A001.b.5 does not control radio equipment ``specially
designed'' for use with civil cellular radio-communications systems.
Technical Note: `Channel switching time': the time (i.e., delay)
to change from one receiving frequency to another, to arrive at or
within 0.05% of the final specified receiving
frequency. Items having a specified frequency range of less than
0.05% around their center frequency are
defined to be incapable of channel frequency switching.
b.6. Employing functions of digital ``signal processing'' to
provide 'voice coding' output at rates of less than 700 bit/s.
Technical Notes:
1. For variable rate 'voice coding', 5A001.b.6 applies to the
'voice coding' output of continuous speech.
2. For the purpose of 5A001.b.6, `voice coding' is defined as
the technique to take samples of human voice and then convert these
samples of human voice into a digital signal taking into account
specific characteristics of human speech.
c. Optical fibers of more than 500 m in length and specified by
the manufacturer as being capable of withstanding a `proof test'
tensile stress of 2 x 10\9\ N/m\2\ or more;
N.B.: For underwater umbilical cables, see 8A002.a.3.
Technical Note: `Proof Test': on-line or off-line production
screen testing that dynamically applies a prescribed tensile stress
over a 0.5 to 3 m length of fiber at a running rate of 2 to 5 m/s
while passing between capstans approximately 150 mm in diameter. The
ambient temperature is a nominal 293 K (20 [deg]C) and relative
humidity 40%. Equivalent national standards may be used for
executing the proof test.
d. ``Electronically steerable phased array antennae'' as
follows:
d.1. Rated for operation above 31.8 GHz, but not exceeding 57
GHz, and having an Effective Radiated Power (ERP) equal to or
greater than +20 dBm (22.15 dBm Effective Isotropic Radiated Power
(EIRP));
d.2. Rated for operation above 57 GHz, but not exceeding 66 GHz,
and having an ERP equal to or greater than +24 dBm (26.15 dBm EIRP);
d.3. Rated for operation above 66 GHz, but not exceeding 90 GHz,
and having an ERP equal to or greater than +20 dBm (22.15 dBm EIRP);
d.4. Rated for operation above 90 GHz;
Note 1: 5A001.d does not control `electronically steerable
phased array antennae' for landing systems with instruments meeting
ICAO standards covering Microwave Landing Systems (MLS).
Note 2: 5A001.d does not apply to antennae specially designed
for any of the following:
a. Civil cellular or WLAN radio-communications systems;
b. IEEE 802.15 or wireless HDMI; or
c. Fixed or mobile satellite earth stations for commercial civil
telecommunications.
Technical Note: For the purposes of 5A001.d `electronically
steerable phased array antenna' is an antenna which forms a beam by
means of phase coupling, (i.e., the beam direction is controlled by
the complex excitation coefficients of the radiating elements) and
the direction of that beam can be varied (both in transmission and
reception) in azimuth or in elevation, or both, by application of an
electrical signal.
e. Radio direction finding equipment operating at frequencies
above 30 MHz and having all of the following, and ``specially
designed'' ``components'' therefor:
e.1. ``Instantaneous bandwidth'' of 10 MHz or more; and
e.2. Capable of finding a Line Of Bearing (LOB) to non-
cooperating radio transmitters with a signal duration of less than 1
ms;
f. Mobile telecommunications interception or jamming equipment,
and monitoring equipment therefor, as follows, and ``specially
designed'' ``components'' therefor:
f.1. Interception equipment designed for the extraction of voice
or data, transmitted over the air interface;
f.2. Interception equipment not specified in 5A001.f.1, designed
for the extraction of client device or subscriber identifiers (e.g.,
IMSI, TIMSI or IMEI), signaling, or other metadata transmitted over
the air interface;
f.3. Jamming equipment ``specially designed'' or modified to
intentionally and selectively interfere with, deny, inhibit, degrade
or seduce mobile telecommunication services and performing any of
the following:
f.3.a. Simulate the functions of Radio Access Network (RAN)
equipment;
f.3.b. Detect and exploit specific characteristics of the mobile
telecommunications protocol employed (e.g., GSM); or
f.3.c. Exploit specific characteristics of the mobile
telecommunications protocol employed (e.g., GSM);
f.4. Radio Frequency (RF) monitoring equipment designed or
modified to identify the operation of items specified in 5A001.f.1,
5A001.f.2 or 5A001.f.3.
Note: 5A001.f.1 and 5A001.f.2 do not apply to any of the
following:
a. Equipment ``specially designed'' for the interception of
analog Private Mobile Radio (PMR), IEEE 802.11 WLAN;
b. Equipment designed for mobile telecommunications network
operators; or
c. Equipment designed for the ``development'' or ``production''
of mobile telecommunications equipment or systems.
N.B. 1: See also the International Traffic in Arms Regulations
(ITAR) (22 CFR parts 120-130). For items specified by 5A001.f.1
(including as previously specified by 5A001.i), see also5A980 and
the U.S. Munitions List (22 CFR part 121).
N.B. 2: For radio receivers see 5A001.b.5.
g. Passive Coherent Location (PCL) systems or equipment,
``specially designed'' for detecting and tracking moving objects by
measuring reflections of ambient radio frequency emissions, supplied
by non-radar transmitters.
Technical Note: Non-radar transmitters may include commercial
radio, television or cellular telecommunications base stations.
Note: 5A001.g. does not control:
a. Radio-astronomical equipment; or
b. Systems or equipment, that require any radio transmission
from the target.
h. Counter Improvised Explosive Device (IED) equipment and
related equipment, as follows:
h.1. Radio Frequency (RF) transmitting equipment, not specified
by 5A001.f, designed or modified for prematurely activating or
preventing the initiation of Improvised Explosive Devices (IEDs);
h.2. Equipment using techniques designed to enable radio
communications in the same frequency channels on which co-located
equipment specified by 5A001.h.1 is transmitting.
N.B.: See also Category XI of the International Traffic in Arms
Regulations (ITAR) (22 CFR parts 120-130).
i. [Reserved]
N.B.: See 5A001.f.1 for items previously specified by 5A001.i.
j. IP network communications surveillance systems or equipment,
and ``specially
[[Page 58214]]
designed'' components therefor, having all of the following:
j.1. Performing all of the following on a carrier class IP
network (e.g., national grade IP backbone):
j.1.a. Analysis at the application layer (e.g., Layer 7 of Open
Systems Interconnection (OSI) model (ISO/IEC 7498-1));
j.1.b. Extraction of selected metadata and application content
(e.g., voice, video, messages, attachments); and
j.1.c. Indexing of extracted data; and
j.2. Being ``specially designed'' to carry out all of the
following:
j.2.a. Execution of searches on the basis of ``hard selectors'';
and
j.2.b. Mapping of the relational network of an individual or of
a group of people.
Note: 5A001.j does not apply to ``systems'' or ``equipment'',
``specially designed'' for any of the following:
a. Marketing purpose;
b. Network Quality of Service (QoS); or
c. Quality of Experience (QoE).
N.B.: See also the International Traffic in Arms Regulations
(ITAR) (22 CFR parts 120-130). Defense articles described in USML
Category XI(b) are ``subject to the ITAR.''
0
14. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN
5B001 is revised to read as follows:
5B001 Telecommunication test, inspection and production equipment,
``components'' and ``accessories,'' as follows (See List of Items
Controlled).
License Requirements
Reason for Control: NS, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 2.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
LVS: $5000, except N/A for 5B001.a (for 5A001.j)
GBS: Yes, except N/A for 5B001.a (for 5A001.j)
ACE: Yes for 5B001.a (for equipment and ``specially designed''
``components'' or ``accessories'' therefor, ``specially designed''
for the ``development'' or ``production'' of equipment, functions or
features, controlled by 5A001.j), except to Country Group E:1 or
E:2. See Sec. 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship 5B001.a equipment
and ``specially designed'' components or ``accessories'' therefor,
``specially designed'' for the ``development'' or ``production'' of
equipment, functions or features specified by in ECCN 5A001.b.3,
.b.5 or .h to any of the destinations listed in Country Group A:6
(See Supplement No.1 to part 740 of the EAR) and 5A001.j to any of
the destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: See also 5B991.
Related Definition: N/A
Items:
a. Equipment and ``specially designed'' ``components'' or
``accessories'' therefor, ``specially designed'' for the
``development'' or ``production'' of equipment, functions or
features, controlled by 5A001;
Note: 5B001.a does not apply to optical fiber characterization
equipment.
b. Equipment and ``specially designed'' ``components'' or
``accessories'' therefor, ``specially designed'' for the
``development'' of any of the following telecommunication
transmission or switching equipment:
b.1. [Reserved]
b.2. Equipment employing a ``laser'' and having any of the
following:
b.2.a. A transmission wavelength exceeding 1750 nm; or
b.2.b. [Reserved]
b.2.c. [Reserved]
b.2.d. Employing analog techniques and having a bandwidth
exceeding 2.5 GHz; or
Note: 5B001.b.2.d. does not include equipment ``specially
designed'' for the ``development'' of commercial TV systems.
b.3. [Reserved]
b.4. Radio equipment employing Quadrature-Amplitude-Modulation
(QAM) techniques above level 1,024.
0
15. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN
5D001 is revised to read as follows:
5D001 ``Software'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
SL applies to the entire entry as A license is required for
applicable for equipment, functions, all destinations, as
features, or characteristics controlled specified in Sec. 742.13
by 5A001.f.1. of the EAR. Accordingly, a
column specific to this
control does not appear on
the Commerce Country Chart
(Supplement No. 1 to Part
738 of the EAR).
Note to SL paragraph: This
licensing requirement does
not supersede, nor does it
implement, construe or
limit the scope of any
criminal statute,
including, but not limited
to the Omnibus Safe Streets
Act of 1968, as amended.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
TSR: Yes, except for exports and reexports to destinations outside
of those countries listed in Country Group A:5 (See Supplement No. 1
to part 740 of the EAR) of ``software'' controlled by 5D001.a and
``specially designed'' for items controlled by 5A001.b.5 and
5A001.h, and N/A for ``software'' classified under ECCN 5D001.a (for
5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or
5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See
Sec. 740.22 of the EAR for eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
5D001.a ``software'' ``specially designed'' for the ``development''
or ``production'' of equipment, functions or features, specified by
ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for
5A001.j)) to any of the destinations listed in Country Group A:5 or
A:6 (See Supplement No.1 to part 740 of the EAR); 5A001.b.3, .b.5 or
.h; and for 5D001.b. for ``software'' ``specially designed'' or
modified to support ``technology'' specified by the STA paragraph in
the License Exception section of ECCN 5E001 to any of the
destinations listed in Country Group A:6.
List of Items Controlled
Related Controls: See also 5D980 and 5D991.
Related Definitions: N/A
Items:
a. ``Software'' ``specially designed'' or modified for the
``development'', ``production'' or ``use'' of equipment, functions
or features controlled by 5A001;
b. [Reserved]
c. Specific ``software'' ``specially designed'' or modified to
provide characteristics, functions or features of equipment,
controlled by 5A001 or 5B001;
[[Page 58215]]
d. ``Software'' ``specially designed'' or modified for the
``development'' of any of the following telecommunication
transmission or switching equipment:
d.1.[Reserved]
d.2. Equipment employing a ``laser'' and having any of the
following:
d.2.a. A transmission wavelength exceeding 1,750 nm; or
d.2.b. Employing analog techniques and having a bandwidth
exceeding 2.5 GHz; or
Note: 5D001.d.2.b does not control ``software'' ``specially
designed'' or modified for the ``development'' of commercial TV
systems.
d.3. [Reserved]
d.4. Radio equipment employing Quadrature-Amplitude-Modulation
(QAM) techniques above level 1,024.
0
16. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN
5E001 is revised to read as follows:
5E001 ``Technology'' as follows (see List of Items Controlled).
License Requirements
Reason for Control: NS, SL, AT
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
SL applies to ``technology'' for the A license is required for
``development'' or ``production'' of all destinations, as
equipment, functions or features specified in Sec. 742.13
controlled by 5A001.f.1, or for the of the EAR. Accordingly, a
``development'' or ``production'' of column specific to this
``software'' controlled by ECCN 5D001.a control does not appear on
(for 5A001.f.1). the Commerce Country Chart
(Supplement No. 1 to Part
738 of the EAR).
Note to SL paragraph: This
licensing requirement does
not supersede, nor does it
implement, construe or
limit the scope of any
criminal statute,
including, but not limited
to the Omnibus Safe Streets
Act of 1968, as amended.
AT applies to entire entry................ AT Column 1.
Reporting Requirements
See Sec. 743.1 of the EAR for reporting requirements for
exports under License Exceptions, and Validated End-User
authorizations.
List Based License Exceptions (See Part 740 for a description of all
license exceptions)
TSR: Yes, except for exports or reexports to destinations outside of
those countries listed in Country Group A:5 (See Supplement No. 1 to
part 740 of the EAR) of ``technology'' controlled by 5E001.a for the
``development'' or ``production'' of the following:
(1) Items controlled by 5A001.b.5, .h or .j;
(2) ``Software'' controlled by 5D001.a that is ``specially
designed'' for the ``development'' or ``production'' of equipment,
functions or features controlled by 5A001.b.5, 5A001.h, 5A001.j, or
5B001.a (for 5A001.j); or
(3) ``Software'' controlled by 5D001.c (for 5A001.j or 5B001.a
(for 5A001.j)).
ACE: Yes for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a
(for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)))
except to Country Group E:1 or E:2. See Sec. 740.22 of the EAR for
eligibility criteria.
Special Conditions for STA
STA: License Exception STA may not be used to ship or transmit
``technology'' according to the General Technology Note for the
``development'' or ``production'' of equipment, functions or
features specified by 5A001.b.3, .b.5 or .h; or for ``software'' in
5D001.a or .c, that is specified in the STA paragraph in the License
Exception section of ECCN 5D001 to any of the destinations listed in
Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or
``technology'' specified in 5E001.a according to the General
Technology Note for the ``development'' or ``production'' of
equipment, functions or features specified by 5A001.j, 5B001.a (for
5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a) to
any destinations listed in Country Group A:5 or A:6.
List of Items Controlled
Related Controls: (1) See also 5E101, 5E980 and 5E991. (2)
``Technology'' for ``development'' or ``production'' of ``Monolithic
Microwave Integrated Circuit'' (``MMIC'') amplifiers that meet the
control criteria given at 3A001.b.2 is controlled in 3E001; 5E001.d
refers only to that additional ``technology'' ``required'' for
telecommunications.
Related Definitions: N/A
Items:
a. ``Technology'' according to the General Technology Note for
the ``development'', ``production'' or ``use'' (excluding operation)
of equipment, functions or features, controlled by 5A001 or
``software'' controlled by 5D001.a.
b. Specific ``technology'', as follows:
b.1. ``Technology'' ``required'' for the ``development'' or
``production'' of telecommunications equipment ``specially
designed'' to be used on board satellites;
b.2. ``Technology'' for the ``development'' or ``use'' of
``laser'' communication techniques with the capability of
automatically acquiring and tracking signals and maintaining
communications through exoatmosphere or sub-surface (water) media;
b.3. ``Technology'' for the ``development'' of digital cellular
radio base station receiving equipment whose reception capabilities
that allow multi-band, multi-channel, multi-mode, multi-coding
algorithm or multi-protocol operation can be modified by changes in
``software'';
b.4. ``Technology'' for the ``development'' of ``spread
spectrum'' techniques, including ``frequency hopping'' techniques.
Note: 5E001.b.4 does not apply to ``technology'' for the
``development'' of any of the following:
a. Civil cellular radio-communications systems; or
b. Fixed or mobile satellite Earth stations for commercial civil
telecommunications.
c. ``Technology'' according the General Technology Note for the
``development'' or ``production'' of any of the following:
c.1. [Reserved]
c.2. Equipment employing a ``laser'' and having any of the
following:
c.2.a. A transmission wavelength exceeding 1,750 nm;
c.2.b. [Reserved]
c.2.c. [Reserved]
c.2.d. Employing wavelength division multiplexing techniques of
optical carriers at less than 100 GHz spacing; or
c.2.e. Employing analog techniques and having a bandwidth
exceeding 2.5 GHz;
Note: 5E001.c.2.e does not control ``technology'' for commercial
TV systems.
N.B.: For ``technology'' for the ``development'' or
``production'' of non-telecommunications equipment employing a
``laser'', see Product Group E of Category 6, e.g., 6E00x
c.3. Equipment employing ``optical switching'' and having a
switching time less than 1 ms; or
c.4. Radio equipment having any of the following:
c.4.a. Quadrature-Amplitude-Modulation (QAM) techniques above
level 1,024; or
c.4.b. Operating at input or output frequencies exceeding 31.8
GHz; or
Note: 5E001.c.4.b does not control ``technology'' for equipment
designed or modified for operation in any frequency band which is
``allocated by the ITU'' for radio-communications services, but not
for radio-determination.
c.4.c. Operating in the 1.5 MHz to 87.5 MHz band and
incorporating adaptive techniques providing more than 15 dB
suppression of an interfering signal; or
c.5. [Reserved]
c.6. Mobile equipment having all of the following:
c.6.a. Operating at an optical wavelength greater than or equal
to 200nm and less than or equal to 400nm; and
c.6.b. Operating as a ``local area network'';
d. ``Technology'' according to the General Technology Note for
the ``development'' or ``production'' of ``Monolithic Microwave
Integrated Circuit'' (``MMIC'') amplifiers ``specially designed''
for telecommunications and that are any of the following:
Technical Note: For purposes of 5E001.d, the parameter peak
saturated power output may also be referred to on product data
sheets as output power, saturated power output, maximum power
output, peak power output, or peak envelope power output.
d.1. Rated for operation at frequencies exceeding 2.7 GHz up to
and including 6.8 GHz with a ``fractional bandwidth'' greater than
15%, and having any of the following:
d.1.a. A peak saturated power output greater than 75 W (48.75
dBm) at any
[[Page 58216]]
frequency exceeding 2.7 GHz up to and including 2.9 GHz;
d.1.b. A peak saturated power output greater than 55 W (47.4
dBm) at any frequency exceeding 2.9 GHz up to and including 3.2 GHz;
d.1.c. A peak saturated power output greater than 40 W (46 dBm)
at any frequency exceeding 3.2 GHz up to and including 3.7 GHz; or
d.1.d. A peak saturated power output greater than 20 W (43 dBm)
at any frequency exceeding 3.7 GHz up to and including 6.8 GHz;
d.2. Rated for operation at frequencies exceeding 6.8 GHz up to
and including 16 GHz with a ``fractional bandwidth'' greater than
10%, and having any of the following:
d.2.a. A peak saturated power output greater than 10W (40 dBm)
at any frequency exceeding 6.8 GHz up to and including 8.5 GHz; or
d.2.b. A peak saturated power output greater than 5W (37 dBm) at
any frequency exceeding 8.5 GHz up to and including 16 GHz;
d.3. Rated for operation with a peak saturated power output
greater than 3 W (34.77 dBm) at any frequency exceeding 16 GHz up to
and including 31.8 GHz, and with a ``fractional bandwidth'' of
greater than 10%;
d.4. Rated for operation with a peak saturated power output
greater than 0.1n W (-70 dBm) at any frequency exceeding 31.8 GHz up
to and including 37 GHz;
d.5. Rated for operation with a peak saturated power output
greater than 1 W (30 dBm) at any frequency exceeding 37 GHz up to
and including 43.5 GHz, and with a ``fractional bandwidth'' of
greater than 10%;
d.6. Rated for operation with a peak saturated power output
greater than 31.62 mW (15 dBm) at any frequency exceeding 43.5 GHz
up to and including 75 GHz, and with a ``fractional bandwidth'' of
greater than 10%;
d.7. Rated for operation with a peak saturated power output
greater than 10 mW (10 dBm) at any frequency exceeding 75 GHz up to
and including 90 GHz, and with a ``fractional bandwidth'' of greater
than 5%; or
d.8. Rated for operation with a peak saturated power output
greater than 0.1 nW (-70 dBm) at any frequency exceeding 90 GHz;
e. ``Technology'' according to the General Technology Note for
the ``development'' or ``production'' of electronic devices and
circuits, ``specially designed'' for telecommunications and
containing ``components'' manufactured from ``superconductive''
materials, ``specially designed'' for operation at temperatures
below the ``critical temperature'' of at least one of the
``superconductive'' constituents and having any of the following:
e.1. Current switching for digital circuits using
``superconductive'' gates with a product of delay time per gate (in
seconds) and power dissipation per gate (in watts) of less than
10-14 J; or
e.2. Frequency selection at all frequencies using resonant
circuits with Q-values exceeding 10,000.
0
17. In supplement no. 1 to part 774, Category 5--Part 2, ECCN 5A004 is
revised to read as follows:
5A004 ``Systems,'' ``equipment'' and ``components'' for defeating,
weakening or bypassing ``information security,'' as follows (see
List of Items Controlled).
License Requirements
Reason for Control: NS, AT, EI
Country chart (See Supp. No.
Control(s) 1 to part 738)
NS applies to entire entry................ NS Column 1.
AT applies to entire entry................ AT Column 1.
EI applies to entire entry................ Refer to Sec. 742.15 of
the EAR.
License Requirements Note: See Sec. 744.17 of the EAR for
additional license requirements for microprocessors having a
processing speed of 5 GFLOPS or more and an arithmetic logic unit
with an access width of 32 bit or more, including those
incorporating ``information security'' functionality, and associated
``software'' and ``technology'' for the ``production'' or
``development'' of such microprocessors.
List Based License Exceptions (See Part 740 for a Description of All
License Exceptions)
LVS: Yes: $500 for ``components.''
N/A for systems and equipment.
GBS: N/A
ENC: Yes for certain EI controlled commodities. See Sec. 740.17 of
the EAR for eligibility.
List of Items Controlled
Related Controls: ECCN 5A004.a controls ``components'' providing the
means or functions necessary for ``information security.'' All such
``components'' are presumptively ``specially designed'' and
controlled by 5A004.a. Defense articles described in USML Category
XI(b), and software directly related to a defense article, are
``subject to the ITAR''; see Sec. 120.10(a)(4).
Related Definitions: N/A
Items:
a. Designed or modified to perform `cryptanalytic functions.'
Note: 5A004.a includes systems or equipment, designed or
modified to perform `cryptanalytic functions' by means of reverse
engineering.
Technical Note: `Cryptanalytic functions' are functions designed
to defeat cryptographic mechanisms in order to derive confidential
variables or sensitive data, including clear text, passwords or
cryptographic keys.
b. Items, not specified by ECCNs 4A005 or 5A004.a, designed to
perform all of the following:
b.1. `Extract raw data' from a computing or communications
device; and
b.2. Circumvent ``authentication'' or authorisation controls of
the device, in order to perform the function described in 5A004.b.1.
Technical Note: `Extract raw data' from a computing or
communications device means to retrieve binary data from a storage
medium, e.g., RAM, flash or hard disk, of the device without
interpretation by the device's operating system or filesystem.
Note 1: 5A004.b does not apply to systems or equipment specially
designed for the ``development'' or ``production'' of a computing or
communications device.
Note 2: 5A004.b does not include:
a. Debuggers, hypervisors;
b. Items limited to logical data extraction;
c. Data extraction items using chip-off or JTAG; or
d. Items specially designed and limited to jail-breaking or
rooting.
* * * * *
Matthew S. Borman,
Deputy Assistant Secretary for Export Administration.
[FR Doc. 2021-22774 Filed 10-20-21; 8:45 am]
BILLING CODE 3510-33-P