Archive for the ‘Wassenaar’ Category

Wassenaar Releases Due Diligence Questions

2019/02/20

In December 2018, the Wassenaar Arrangement updated its current list of indicative questions that companies should use “in any export situation” in order to help companies recognize potential compliance issues and red flags before a violation occurs. The document states that, “Being vigilant for signs of suspicious enquiries or orders is vital for countering the risks of the proliferation of sensitive goods and technologies and destabilising accumulations of conventional weapons.”

The document contains 35 questions and notes that, “Corresponding answer(s) to any of the questions below should not be considered as the basis for an automatic rejection of an export. The intention of the questions is rather to flag the need for greater scrutiny while examining exports.”

List of Advisory Questions for Industry: https://www.wassenaar.org/app/uploads/2018/12/Advisory-Questions-for-Industry-Amended.pdf


Cyber-Surveillance Export Control Reform in the United States

2019/01/31

By: Peter Lichtenbaum (plichtenbaum@cov.com), David W. Addis (daddis@cov.com), and Doron O. Hindin (dhindin@cov.com) are attorneys in the International Trade practice at Covington & Burling LLP. Mr. Lichtenbaum previously served as Assistant Secretary of Commerce for Export Administration.

Based on recent US agency actions and statements, the US government is likely to update soon its export controls on intrusion software (including exploit research), network surveillance systems, and intelligence collection tools.

Collectively, these items consist of equipment, software, and technologies designed to gain access to, surveil, and control third-party electronic devices. These highly effective tools are increasingly being used for nefarious purposes, such as by ‘black hat’ hackers to steal sensitive information and extort corporations and private individuals, and by authoritarian government regimes to repress dissidents. However, such products are also routinely used by ‘white hat’ cybersecurity specialists to protect systems and data as well as by legitimate government intelligence and law enforcement agencies to achieve critical national security objectives.

As background, and as discussed further below, the US Commerce Department sought in 2014-15 to limit the proliferation of these items through proposed export control regulations on ‘intrusion software’ and ‘IP network communications surveillance systems,’ but that regulatory endeavour lapsed in 2016 in the face of resolute opposition by industry and civil society.

However, the US government has maintained its overall objective of regulating cyber-surveillance and intelligence-gathering tools through export controls. To that end, the Commerce Department and State Department are working toward a series of regulatory changes that, in the aggregate, would significantly change export controls over cyber and intelligence products.

This article surveys these regulatory developments and evaluates what to expect from the US government in the months ahead.

Wassenaar cyber-surveillance controls and  US exceptionalism

In December 2013, the cyber industry result of proposals by France and the United Kingdom, the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies and the Munitions List (collectively, the ‘Wassenaar List’) was amended to cover, for the first time, ‘intrusion software’ and “IP network communications surveillance’ systems. This proposal was made a result of concerns from non-government organisations that certain repressive governments were able to use such software and systems to eavesdrop on dissidents and reporters within their societies.

The new 2013 language covered commodities, software, and technology for the generation, operation, or delivery of, or communication with, ‘intrusion software,’ defined as:

Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the following:

(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or

(b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

(Notes and quotation marks omitted)

In addition, the updated 2013 Wassenaar List covered communications surveillance systems, and related commodities, software, and technologies, specially designed to extract, index, search, and map metadata from carrier class IP networks, such as national grade IP backbones.3

The controls over intrusion software and IP network communications surveillance systems were immediately implemented by the export control authorities of a number of countries for which the Wassenaar List is self- executing. In other countries, the Wassenaar List requires subsequent implementing legislation, but is then generally adopted verbatim, such as in the European Union.

By contrast, the United States does not automatically adopt Wassenaar List amendments. Rather, after amendments are adopted at annual Wassenaar plenary meetings, the US government launches an interagency review process, which routinely involves seeking industry comments, to determine national security, foreign policy, and economic impacts of the Wassenaar amendments. Following that process, the US government typically adopts the amendments, but frequently modifies the language to reflect US-specific interests and so that it fits neatly within either the Commerce Control List (‘CCL’) – administered by the US Department of Commerce, Bureau of Industry and Security (‘BIS’) pursuant to the Export Administration Regulations (‘EAR’) – or the US Munitions List (‘USML’) – administered by the Department of State, Directorate of Defense Trade Controls (‘DDTC’) pursuant to the International Traffic in Arms Regulations (‘ITAR’).

The US government took this approach with respect to Wassenaar’s 2013 cyber-surveillance amendments. Ultimately, in May 2015, BIS published a proposed rule to incorporate the 2013 Wassenaar intrusion software controls into CCL category 4 and the controls over IP network communications surveillance systems into CCL category 5 part 1.

BIS’s proposed rule elicited a deluge of public comments from industry and civil society. Many of the commenters expressed serious concern that because the Wassenaar language was, in their view, overly broad, its incorporation into the CCL would chill global ‘white hat’ exploit and vulnerability research and would otherwise undermine US national security and economic interests.6 For example, commenters presented BIS with hypothetical scenarios in which exploit researchers uncover vulnerabilities in software platforms of foreign vendors but are then prevented from immediately notifying those vendors of the risks, due to a requirement to first obtain export controls licensing from BIS. Similarly, commenters argued that the proposed rule could unjustifiably require victims of rootkit or other malicious software attacks to obtain licensing prior to sharing their infected device with non-US forensic specialists.7  Others explained that adopting the Wassenaar language would be counterproductive to US national security and economic interests by imprudently controlling general purpose programming environments, such as integrated design environments, and commonly used defensive cyber tools, such as penetration testing products, adaptable end point detection and response tools, auto-updating antivirus and antimalware programs, and forensic exploit toolkits.

The industry concerns prompted BIS to publish 32 clarifying frequently asked questions (‘FAQs’), which in turn prompted yet further industry pushback.9 Ultimately, the force of the industry concern resulted in a 2016 letter by then-Secretary of Commerce Penny Pritzker to cyber industry representatives notifying them that in light of industry feedback and input from Congress, academia, and civil society, the United States would not implement the Wassenaar 2013 intrusion software controls.10 The letter further committed that the US government would advocate at upcoming Wassenaar plenary meetings for the Wassenaar List to be amended by deleting the intrusion software controls in their entirety.

To date, the intrusion software controls in the Wassenaar List have not been eliminated.11 However, as explained by BIS in a recent FAQ, US government efforts have been successful in negotiating limited changes to the Wassenaar List, ‘in order to minimize the negative impact the [intrusion software] entries would have.

A particularly significant development that the FAQ attributes to US negotiation efforts is that as of 7 December 2017, the Wassenaar List now clarifies that the technology controls on intrusion software ‘do not apply to “vulnerability disclosure” or “cyber incident response”, new terms of art in the Wassenaar List with corresponding definitions. This important clarification provides welcome relief to vendors worldwide, who are often mandated by contract or by prevailing regulation to respond without delay to data breaches. The change also offers a needed safe- harbour for exploit researchers and cybersecurity   specialists   worldwide who can now receive, analyse, and remediate vulnerabilities without delay.

A second change to the Wassenaar List discussed in the BIS FAQ is that the list now clarifies that software that provides updates or upgrades that are authorised by the owner or operator of the target system would not be controlled as intrusion software, as long as the software itself was not specially designed to update intrusion software  or  command  and  delivery platforms for intrusion software.14 That clarification was necessary to avoid unnecessarily controlling general purpose design environments, auto- updating anti-virus tools, and other pervasive and commercially available software tools, while focusing controls only on more aggressive command and delivery platforms for intrusion software, such as exploit toolkits and penetration testing tools.

Shortly after these Wassenaar changes were agreed to, Rob Joyce, the White House cybersecurity coordinator at the time, praised the US negotiating achievements: ‘We applaud the hard work of the US interagency and our partners in industry, the research community, and foreign governments to clarify software and technology controls that could have had a negative impact on legitimate cybersecurity.’

However, notwithstanding these negotiation successes, BIS has acknowledged that they are only an initial step towards addressing the concerns raised in response to its 2015 rulemaking proposal, and that a number of alternative next steps remain possible:

‘We have not decided on a next step yet [concerning intrusion software]. There are a range of possible actions we could take, including returning to Wassenaar in 2018 to negotiate further changes to the text, publishing a rule to implement the text, or publishing a notice of inquiry or proposed rule for further comment.’17

Subsequently, on 24 October 2018, BIS finalised implementation of the

2017 Wassenaar List. To the continued relief of the cybersecurity industry, neither Wassenaar’s category 4 intrusion software nor its category 5 part 1 IP network communications surveillance entries were incorporated in the CCL.

However, BIS’s recent CCL update, which implements the most current Wassenaar List but continues to exclude that list’s controls over cyber- surveillance tools, by no means signals a retreat by the US government from asserting control over those tools. In fact, other regulatory developments, surveyed below, signal the opposite: cyber-surveillance applications, including exploit research, may be the subject of a broad regulatory reform.

ECRA foundational technologies– comment period

On 13 August 2018, Congress enacted the Export Control Reform Act of 2018 (‘ECRA’), which established a formal interagency process to identify and regulate emerging and foundational technologies that are deemed ‘essential to the US national security’ and are not otherwise controlled for export purposes.

The interagency process established under ECRA has already led to a 19 November 2018 publication in the Federal Register of an advance notice of proposed rulemaking for the ‘Review of Controls for Emerging Technologies. As described in the notice’s preamble, BIS‘ seeks   public   comment [by 10 January 2019] on criteria for identifying emerging technologies that are essential to US national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage. (Emphases added)

In addition, a specific category of representative emerging technologies proposed in the notice is: ‘Advanced surveillance  technologies,  such  as: Faceprint and voiceprint technologies.’ Commerce will publish a separate notice of proposed rulemaking related to ‘foundational’ technologies, which could   also   potentially   encompass cyber-surveillance tools and technologies.

The emphasis in the November notice’s preamble on intelligence collection and the US intelligence advantage, and the inclusion of a dedicated emerging technology category of ‘[a]dvanced surveillance technologies,’ relates directly to the government’s ongoing efforts at leveraging export controls to curtail the proliferation of intrusion software and surveillance technologies.

As discussed above, the 2013 Wassenaar cyber-surveillance amendments originated from proposals by European governments and the US government yielded to the barrage of public disapproval that they generated. By contrast, under ECRA, the US Congress has explicitly directed the US administration to identify, and impose export controls on, emerging and foundational technologies, which the government has in turn interpreted to include advanced surveillance technologies, including for intelligence collection purposes. With ECRA as its tailwind, the US government might be more determined to impose controls on cyber-surveillance items, particularly if these controls are limited based on the Wassenaar amendments discussed above.

Human rights export controls for the 21st Century

On 9 May 2018, and in parallel to ECRA developments, Senator Marco Rubio and Representative Chris Smith, on behalf of the Congressional- Executive Commission on China (‘CECC’), transmitted a letter to Secretary of Commerce Wilbur Ross identifying that compelling evidence indicates that, notwithstanding current US export controls, US companies are selling Chinese authorities advanced products used for ‘surveillance, detection, and censorship’.20 The congressmen in the letter explicitly asked the Secretary to explain what new legislation or new authorities [are] needed to revisit/revise export control regulations so they are consistent with the rapid evolution of technology,’ and whether any ‘software or technology which could be used for the purpose of domestic repression, [is] subject to export controls with respect to Chinese end-users of concern?

These concerns and the need to ‘revisit/reform export control regulations’ were echoed in CECC’s 2018 annual report, published on 10 October 2018, which recommends that the US administration ‘Revamp Export Controls,’ including by amending the USML to include ‘new technologies… [that] enhance surveillance and the ability of security forces to repress universally recognized human rights.’21

In response, the Secretary of Commerce reportedly informed CECC by letter that by the autumn of 2018, the Department of Commerce would propose new ‘human rights controls for the 21st century’. The concept would be to update the Commerce Department’s so-called ‘Crime Controls’, under which the department regulates items of traditional human rights concerns such as leg shackles, thumbscrews and police batons. The new proposal would focus on high-technology items that can facilitate human rights abuses. It is unclear how this development would relate to the ECRA rulemaking discussed above, but it may provide a more expedited vehicle for Commerce to control intrusion software platforms or surveillance tools, compared with the ECRA process. In particular, this could be the case with respect to software items that are long- established technologies, since the ECRA      process      for      identifying

‘foundational’ technologies has not yet even started. Even the ECRA ‘emerging’ technologies process will probably not result in an actual proposed rule until sometime in 2019. By contrast, the ‘human rights’ rulemaking is expected to involve publication of a proposed rule in December 2018.

USML category XI(b)

A further indication of forthcoming controls on intrusion software and surveillance technologies was DDTC’s announcement on 30 August 2018, of a 12-month extension of the application of USML category XI(b), in order to provide DDTC with the opportunity to complete a ‘wholesale revision of USML category XI.’

Category XI(b) – the scope of which has been the subject of ongoing interagency debate and numerous rulemaking processes23 – is the principal USML entry intended to capture national-level intelligence collection tools:

* [XI](b) Electronic systems, equipment or software, not elsewhere enumerated in this subchapter, specially designed for intelligence purposes that collect, survey, monitor, or exploit, or analyze and produce information from, the electromagnetic spectrum (regardless of transmission medium), or for counteracting such activities.

Currently, the broad formulation of category XI(b) serves as a strong hook for the US government to control sensitive intrusion software platforms or IP network surveillance technologies. At the same time, category XI(b)’s fairly abstract language has also historically provided exporters with tenable arguments to justify self-classifications of intelligence collection items under BIS jurisdiction, to the extent those items are more accurately described in the CCL. A discussion of the numerous surveillance- and intelligence-related export control classification numbers on the CCL, as well as BIS’s policies governing surreptitious listening and cryptographic or cryptanalytic items, is beyond the scope of this article. Nonetheless, it is worth noting that these Commerce Department controls and policies, and attendant licence exceptions, have proven relevant for various vulnerability software and surveillance tools that may routinely be sold to local law enforcement or private security firms and that are more precisely captured under the EAR, and not under the ITAR’s USML category XI(b) controls.

However, that all may change with the as-yet-unknown ramifications of DDTC’s ‘wholesale revision of USML Category XI’. The DDTC’s undertaking with respect to category XI should be viewed in conjunction with the Wassenaar, ECRA, and China Commission developments discussed above, which collectively signal forthcoming export controls over intrusion software and surveillance technologies.

Conclusion

The confluence of efforts by the US delegation at Wassenaar; pending ECRA rulemaking on emerging technologies, and the expected similar ECRA rulemaking on foundational technologies; encouragement by Congress for revised Commerce Department ‘human rights controls for the 21st century’; and impending revisions of USML category XI(b) by the State Department, collectively signal a forthcoming reform in US export controls over intrusion software (including potentially exploit research), network communications surveillance systems, and intelligence-collection tools.

Those likely to be most affected by such reforms should closely monitor the concurrent agency processes discussed above. Stakeholders should also consider proffering feedback and insights to government, so that the emerging rules appropriately reflect values of human rights, national security, foreign policy and economic interests.

More Information: https://www.cov.com/-/media/files/corporate/publications/2018/12/cybersurveillance_reform_in_the_united_states.pdf

Links and notes

1    The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Technologies is a multilateral organisation with 42 member states, and several other non-member observers, that collaborate on export controls.

2    Wassenaar List (2013), Category 4.A.5.

3    Wassenaar Category 5.A.1.j.

4    The European Union, for example, adopted the 2013 Wassenaar List controls on 22 October 2014. See: Commission delegated regulation, (EU) No. 7567/2014 (Oct. 22, 2014), at http://ec.europa.eu/transparency/regdoc/rep/3/2014/ EN/3-2014-7567-EN-F1-1.PDF, entering into force on December 31, 2014, pursuant to Commission delegated regulation (EU) No. 1382/2014, OJ L 371/1, (30 December 2014).

5    Department of Commerce, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items, Proposed Rule with Request for Comments, 80 Fed. Reg. 28553 (20 May 2015).

6    See e.g., Comments to the US Department of Commerce on Implementation of 2013 Wassenaar Arrangement Plenary Agreements (RIN 0694-AG49) On Behalf Of Access, Center for Democracy & Technology, Collin Anderson, Electronic Frontier Foundation, Human Rights Watch, and New America’s Open Technology Institute (20 July 2015), available at https://www.eff.org/files/2015/07/21/jointwassenaarc omments-final-1.pdf.

7    See https://www.cs.dartmouth.edu/~sergey/drafts/ wassenaar-public-comment.pdf http://trade.ec.europa.eu/doclib/docs/2017/december /tradoc_156502.pdf

8    See e.g., BIS 2015 ‘Intrusion and Surveillance Items Frequently Asked Questions (‘FAQ’),’ at FAQs 8, 12, 16, and 29, available as an archived webpage at: https://web.archive.org/web/20150908025350/https://www.bis.doc.gov/index.php/policy- guidance/faqs?view=category&id=114#subcat200.

9    Id; See Mailyn Fidler, Proposed US Export Controls: Implications for Zero-Day Vulnerabilities and Exploits at Lawfareblog.com (10 June 2015), available at, https://www.lawfareblog.com/proposed-us-export- controls-implications-zero-day-vulnerabilities-and-exploits

10   Letter From The Honorable Secretary of Commerce, Ms. Penny Pritzker, To American Petroleum Alliance (API), et. al. (1 March 2016), available at https://www.bis.doc.gov/index.php/forms- documents/about-bis/newsroom/1434-letter-from-secre tary-pritzker-to-several-associations-on-the- implementation-of-the-wassenaar-arrang/file.

11   Tami Abdollah, US fails to renegotiate arms control rule for hacking tools, Associated Press (19 December 2016), available at https://apnews.com/c0e437b2e24c4b68bb7063f03ce892b5 (noting that initial attempts in 2016 at renegotiating the controls were unsuccessful); Garett Hinck, Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research (5 January

2018), available at https://www.lawfareblog.com/wassenaar-export-controls-surveillance-tools-new-exemptions-vulnerability-r esear (surveying the US negotiating efforts to date and resultant changes in December 2017 to the Wassenaar List).

12   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy- guidance/faqs#faq_62 (visited 20 November 2018).

13   Wassenaar List Category 4.E.1. (defining a ‘vulnerability disclosure’ as ‘the process of identifying, reporting, or communicating a vulnerability to, or analysing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability’ and defining a ‘cyber incident response’ as ‘the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident’).

14   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy- guidance/faqs#faq_62 (visited 20 November 2018).

15   See e.g., BIS 2015 ‘Intrusion and Surveillance Items Frequently Asked Questions (‘FAQ’),’ at FAQs 8, 12, 16, and 29, available as an archived webpage at: https://web.archive.org/web/20150908025350/https://www.bis.doc.gov/index.php/policy- guidance/faqs?view=category&id=114#subcat200.

16   Shaun Waterman, The Wassenaar Arrangement’s latest language is making security researchers very happy in cyberscoop.com (20 December 2017), available at, https://www.cyberscoop.com/wassenaar-arrangement- cybersecurity-katie-moussouris/.

17   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy- guidance/faqs#faq_62 (visited 20 November 2018).

18   Department of Commerce, Review of Controls for Certain Emerging Technologies; Advance notice of proposed rulemaking (ANPRM), 83 Fed. Reg. 58201 (19 November, 2018).19   The comment period was initially scheduled to close on December 19, 2018, but was extended by three weeks in response to requests by leading technology companies that they be allotted additional time for drafting comments

20   See Letter From Senator Marco Rubio and Representative Chris Smith, Co-Chairs of the Congressional-Executive Commission on China, To The Honorable Wilbur Ross, Secretary of Commerce (9 May 2018), available at https://www.cecc.gov/media- center/press-releases/chairs-ask-commerce-secretary-ro ss-about-sale-of-surveillance-technology.

21   CECC, Annual Report, 2018, p. 16, available at https://www.cecc.gov/sites/chinacommission.house.gov/files/Annual%20Report%202018.pdf.

22   Department of State, Continued Temporary Modification of Category XI of the United States Munitions List; Final rule; notice of temporary modification, 83 Fed. Reg. 44224 (30 August 2018).

23   Department of State, Amendment to the ITAR: USML Category XI (Military Electronics), and Other Changes; Final Rule, 79 Fed. Reg. 37536, 37544 (1 July 2014) (proposing XI(b) controls that excluded the phrase

‘analyze and produce information from’ and that controlled only ‘systems or equipment,’ but not software); Department of State, Temporary Modification of Category XI of the USML; Final rule; notice of temporary modification, 80 Fed. Reg. 37974, 37975 (2 July 2015) (explaining that as a result of the 2014 version of XI(b), DDTC grew concerned ‘that exporters may read the revised control language [in Category XI(b)] to exclude certain intelligence analytics software that has been and remains controlled on the USML.’).

24   Department of State, Continued Temporary Modification of Category XI of the United States Munitions List; Final rule; notice of temporary modification, 83 Fed. Reg. 44224 (30 August 2018).


BIS Amends EAR & CCL to Implement Changes Made to the WA List

2018/11/26

The Bureau of Industry and Security (BIS) has implemented changes to the Export Administration Regulations (EAR) and the Commerce Control List (CCL) to implement changes made to the Wasaenaar Arrangement List of Dual-Use Goods and Technologies (WA List) which were agreed upon by all the governments participating in the Wassenaar Arrangement at the December 2017 Plenary meeting. This ruling also includes associated changes to the EAR and a few corrections. The rule became effective on October 24, 2018.

Relevant CCL Changes (final rule revised 50 ECCNS, ECCNs with editorial changes excluded below):

  • Category 0—Nuclear Materials, Facilities, and Equipment [and Miscellaneous Items] 0A617 Miscellaneous ‘‘Equipment’’, Materials, and Related Commodities
    • 0A617 paragraph y.3, containers for shipping or packing defense articles or items controlled by ‘‘600 series’’ ECCNs, is amended by narrowing the scope to International Organization for Standardization (ISO) intermodal containers or demountable vehicle bodies (i.e., swap bodies), but also expands the scope beyond ‘‘specially designed’’ by adding ‘‘or modified’’. As the term ‘modified’ is in single quotes, BIS is also adding the technical note that defines ‘modified,’ which was already existing text in Wassenaar Arrangement Military List of 2017 (WAML 17).
  • Category 1—Special Materials and Related Equipment, Chemicals, ‘‘Microorganisms’’, and ‘‘Toxins’’
    • 1C001: Subparagraph b is amended by moving the phrase ‘‘not transparent to visible light’’ to the beginning and adding more descriptive text ‘‘near-infrared radiation having a wavelength’’ to clarify the scope of the control. Also, the parameters are changed from ‘‘1.5 × 1014 Hz’’ to ‘‘810 nm’’ and ‘‘3.7 × 1014 Hz’’ to ‘‘2,000 nm (frequencies exceeding 150 THz but less than 370 THz)’’. (The frequency band is changed to the equivalent wavelength band to make the parameter easier to understand and not to change the scope of control.)
    • 1C608: WA agreed to add a Note specifying that WAML 8.c.1 does not apply to aircraft fuels—JP–4, JP–5 and JP–8. This rule adds this Note below 1C608.n ‘‘Any explosives, ‘propellants,’ oxidizers, ‘‘pyrotechnics’’, fuels, binders, or additives . . .’’ as well as bringing forth another Note from WAML 8.c.1 that specifies that aircraft fuels specified by WAML 8.c.1 are finished products, not their constituents.
  • Category 2—Materials Processing
    • 2A001 Note 2 at the beginning of the Items paragraph is amended by adding ‘‘(or national equivalents)’’, in order to help efficiently classify bearings using national standards that are equivalent to ISO 3290 as grade 5. 2B001 Machine Tools.
    • 2B006 heading is revised to add ‘‘position feedback units’’ and ‘‘electronic assemblies’’ to more accurately describe the scope of controls in Items paragraph .b.
      • Linear Variable Differential Transformer (LVDT) systems formerly in 2B006.b.1.b are moved to 2B206.d and no longer have a national security control.
    • 2B007 paragraph .a ‘‘[Robots] capable in real-time of full three-dimensional image processing or full three dimensional ‘‘scene analysis’’ to generate or modify ‘‘programs’’ or to generate or modify numerical program data’’ is removed and reserved because of insufficient connection to military capabilities. Robots of national security concern are controlled under 2B007.b, .c and .d.
    • 2B008 heading is amended by replacing ‘‘assemblies or units’’ with ‘compound rotary tables’ and ‘‘tilting spindles’’, as well as removing ‘‘or dimensional inspection or measuring systems and equipment’’ to align with revisions made to the List of Items Controlled in this ECCN.
      • Item paragraphs .a (linear position feedback units) and .b (rotary position feedback units) are removed and reserved, because this rule moves these items to 2B006.b.2 and .c, respectively.
      • Item paragraph .c is amended by replacing and cascading the parameter paragraphs, as well as moving the definition for ‘compound rotary table’ from part 772 to a Technical Note under this Item paragraph.
    • 2B206 is amended by adding Linear Variable Differential Transformer (LVDT) systems to Item paragraph .d, because this item is removed from 2B006.b.1.b. While LVDT systems are no longer controlled for national security reasons, they are still on the Nuclear Supplier’s Group (NSG) list under 1.B.3.b.2 and remain controlled for nuclear nonproliferation reasons on the CCL.
    • 2E003 paragraph .a (‘‘technology’’ for the ‘‘development’’ of interactive graphics as an integrated part in ‘‘numerical control’’ units for preparation or modification of part programs) is removed and reserved because of the advancement of technology.
      • Item paragraph .a is removed from License Exception TSR.
    • Category 3—Electronics Product Group A. ‘‘End Items’’, ‘‘Equipment’’, ‘‘Accessories’’, ‘‘Attachments’’, ‘‘Parts’’, ‘‘Components’’, and ‘‘Systems’’
      • 3A001 is amended by replacing ‘‘Electrical Erasable Programmable Read-Only Memories (EEPROMS), flash memories, and MRAMs’’ with ‘non-volatile memories’ and adding a Technical Note to define ‘non-volatile memories,’ to provide a more generic term for these types of memory integrated circuits.
        • Paragraph a.5.a ‘‘ADCs’’ and the Technical Note below a.5.a are amended by replacing the term ‘‘output rate’’ with the ‘‘sample rate’’ as measured points at the input, except for oversampling (defined as output sample rate), and the Technical Note identifies common ways manufacturers specify ‘sample rate.’ The definition for ‘‘sample rate’’ is added to part 772 ‘‘Definition of Terms. . . .’’
        • Item paragraph a.5.b.2.a, ‘‘settling time’’ parameter, is amended by adding ‘‘arrive at or within’’ to clarify the potentially ambiguous parameter with common usage and understanding of DAC specifications, so that it will not be misinterpreted to mean the time to deviate by the specific amount from the original level.
        • Intensity, amplitude, or phase electrooptic modulators, designed for analog signals, including electro-optic modulators having optical input and output connectors are added to new paragraph 3A001.i to address photonic components for analog Radio Frequency (RF) over fiber antenna remoting, and analog RF distribution of signals. One of the parameters for these items is ‘halfwave voltage’ (‘Vp’), which is defined in a Technical Note below the new paragraph. These items will be eligible for License Exception GBS; therefore, the GBS paragraph is revised to add Item paragraph .i.
      • 3A002 frequency parameter is raised from ‘‘exceeding 10 MHz’’ to ‘‘exceeding 40 MHz’’ for signal analyzers having a 3 dB resolution bandwidth (RBW) in Item paragraph c.1
      • 3B001 Mask ‘‘substrate blanks’’ with multilayer reflector structure consisting of molybdenum and silicon being ‘‘specially designed’’ for ‘Extreme Ultraviolet (EUV)’ lithography and being compliant with SEMI Standard P37 are added to new paragraph 3B001.j, because mask ‘‘substrate blanks’’ and the subsequent substrate blank with multilayer reflector structure are critical materials for EUV lithography 7. EUV lithography opens up integrated circuit fabrication at the most advanced state-of-the-art technology node. The definition for ‘Extreme Ultraviolet (EUV)’ is added to a Technical Note below Item paragraph j.2.
      • 3B002 Test Equipment ‘‘Specially Designed’’ for Testing Finished or Unfinished Semiconductor Devices Item paragraph .a is revised from ‘‘For testing S-parameters of transistor device at frequencies exceeding 31.8 GHz’’ to read ‘‘For testing S-parameters of items specified by 3A001.b.3’’ to remove potential overlapping controls for network analyzers (which measure Sparameters) described in 3A002.e, to harmonize the control text of equipment for testing S-parameters of transistors specified in paragraphs 3A001.b.3.a and 3A001.b.3.b (i.e., transistors that are below 31.8 GHz), and to remove ambiguity regarding the meaning of the phrase ‘‘transistor devices’’ by substituting the unambiguous reference to transistors specified by 3A001.b.3.
      • 3C002 wavelength for positive resists in Item paragraph a.1 is revised from ‘‘wavelengths less than 245 nm . . . .’’ to ‘‘wavelengths less than 193 nm . . . .’’ in order to match the material control with the lithography equipment parameters in 3B001.f.1.a.
      • 3C005 heading revised to move the items that were in the Heading to Items paragraph .a. Polycrystalline ‘‘substrates’’ or polycrystalline ceramic ‘‘substrates’’ are added to Item paragraph .b, because there are both military and commercial applications for microwave transistors fabricated on the engineered substrates. These newly added substrates will be controlled for NS:2 and AT:1 and have License Exception LVS ($3,000), GBS and CIV eligibility.
      • 3C006 heading is amended by adding ‘‘Materials, not specified by 3C001, consisting of a’’ at the beginning of the Heading in order to clarify the scope of the control.
        • The former language of 3C001, 3C005 and 3C006 has common elements that have led to some confusion around the control of silicon carbide wafers.
        • 3C992 heading is amended by replacing the wavelength range from ‘‘370 and 245 nm’’ to ‘‘370 and 193 nm.’’
      • 3E001 Note 3 is added to exclude from 3E001 ‘Process Design Kits’ (‘PDKs’) unless they include libraries implementing functions or technologies for items specified by 3A001. A Technical Note is added below Note 3 to define ‘Process Design Kit’ (‘PDK’). PDKs do not provide knowledge about production tools.
    • Category 4—Computers
      • 4A003 Adjusted Peak Performance (APP) is raised from ‘‘exceeding 16 WT’’ to ‘‘exceeding 29 WT’’ in Item paragraph .b and in accordance with this revision the APP is raised to 29 in the AT control text in the License Requirements table and in two places in the Note to the table.
      • 4D001 Adjusted Peak Performance (APP) is raised from 16 Weighted TeraFLOPs (WT) to 29 WT in License Exceptions TSR and STA in accordance with the new APP level in 4A003.b. The APP control level is raised from ‘‘exceeding 8 WT’’ to ‘‘exceeding 15 WT’’ in Item paragraph b.1. These revisions continue to address the need to track incremental (e.g., ‘‘Moore’s Law’’) improvements in microprocessor technology.
    • Category 5—Part 1— ‘‘Telecommunications’’
      • 5A001 In the NS Column 1 paragraph of the License Requirements table, the order of the referenced Item paragraphs is corrected. For telecommunications equipment specially designed to withstand transitory electronic effects or electromagnetic pulse effects, the temperature range parameters is changed from ‘‘to operate outside the temperature range from 218K (-55 °C) to 397 K (124 °C)’’ to ‘‘below 218K (-55°C)’’ in Item paragraph a.3 or ‘‘above 397 K (124 °C)’’ in new Item paragraph a.4, which does not change the scope of control, but seeks to make the text easier to understand.
        • Because of technology advances, phased array antennae are increasingly being developed for civil telecommunications applications, including cellular, WLAN, 802.15, and wireless HDMI. Exclusion Note 2 is added in order to remove from control phased array antennae specially designed for those purposes.
      • Category 5—Part 2
        • 5A002 Paragraph .a is amended by replacing the phrase ‘‘where that cryptographic capability is usable without ‘‘cryptographic activation’’ or has been activated’’ with the phrase ‘‘where that cryptographic capability is usable, has been activated, or can be activated by means of ‘‘cryptographic activation’’ not employing a secure mechanism’’. The revision clarified that an item is controlled if (1) the ‘cryptography for data confidentially’ is usable from the beginning regardless of ‘‘cryptographic activation’’ (i.e., not dormant), (2) the cryptographic capability was previously dormant but is now usable (whether by ‘‘cryptographic activation’’ or by other means; or (3) the ‘‘cryptographic activation’’ mechanism is not secure (i.e., the cryptographic capability is not securely kept dormant). Items paragraph .b is amended by replacing ‘‘to enable’’ an item with ‘‘for converting’’ an item and replacing ‘‘to achieve or exceed the controlled performance levels for functionality specified by 5A002.a that would not otherwise be enabled’’ with ‘‘not specified by Category 5 —Part 2 into an item specified by 5A002.a or 5D002.c.1, and not released by the Cryptography Note (Note 3 in Category 5—Part 2), or for enabling, by means of ‘‘cryptographic activation’’, additional functionality specified by 5A002.a of an item already specified by Category 5— Part 2’’. This clarifies that a ‘‘cryptographic activation’’ mechanism is controlled by 5A002.b in two situations: (1) It converts an item classified outside of Category 5—Part 2 into a 5A002.a item (e.g., by activating ‘cryptography for data confidentiality’ capability in an item that was previously limited to performing ‘‘authentication,’’ or by activating encryption capability which disqualifies a product from the Cryptography Note exclusion (Note 3 in Category 5—Part 2)); or (2) it enables additional functionality specified in 5A002.a in an item that was already classified in Category 5—Part 2 (e.g., making additional encryption algorithms usable by the item, or that would change the item from being eligible or described under § 740.17(b)(1) into an item described under § 740.17(b)(2) or (3)).
        • 5D002 Paragraph .b of ECCNs 5D002 and 5E002 is amended by replacing ‘‘enable’’ with ‘‘for converting’’ and replacing ‘‘to meet the criteria for functionality specified by 5A002.a, that would not otherwise be met’’ with ‘‘not specified by Category 5—Part 2 into an item specified by 5A002.a or 5D002.c.1, and not released by the Cryptography Note (Note 3 in Category 5—Part 2), or for enabling, by means of ‘‘cryptographic activation’’, additional functionality specified by 5A002.a of an item already specified by Category 5— Part 2’’. These revisions are made to create mirroring entries consistent with the changes being made to 5A002.b.
      • Category 6—Sensors and Lasers
        • 6A002 Paragraph .f is added to establish a control for Read-Out Integrated Circuits (ROICs) to ensure that certain ROICs not controlled on the Munitions List, but that provide night vision capability, are controlled. In order to maintain consistent paragraph placement with the WA List this rule adds and reserves Items paragraph .e, so that ROICs can be added to Item paragraph .f. For consistency, Items paragraph .f is added to the Regional Stability controls (RS Column 1) in the License Requirements section, because 6A990, where ROICs were formerly controlled, was controlled for RS Column 1.
        • 6A003 paragraphs a.1 (high-speed cinema recording cameras) and a.2 (mechanical high speed cameras) are removed and reserved because of the advancement of technology. Item paragraph a.3.a (mechanical streak cameras) is also removed because of the advancement of technology. As a result of this change, electronic streak cameras are moved from Item paragraph a.3.b to a.3.
        • 6A004 Dynamic wavefront measuring equipment is added to Item paragraph .f, with parameters in subparagraphs and a Technical Note at the end to define ‘‘frame rate’’. The purpose of wavefront sensing is to measure the level of the wavefront aberration as it is transferred through an optical system, regardless if the source of that aberration is the optical system itself or something external to that system. Wavefront sensors are principally used as one of the main components of adaptive optics systems where they serve to close the control loop and feed the information about the required correction to deformable mirrors and beam steering mirrors in real-time, which are also controlled in this ECCN.
        • 6A005 Item paragraph f.1 (dynamic wavefront (phase) measuring equipment) is removed and reserved, because this item is moved to ECCN 6A004.f, because of its close association to the mirrors controlled in 6A004. A Nota Bene is added to point to the new Item paragraph where this item is controlled. Item paragraph f.2 (‘‘Laser’’ diagnostic equipment) is amended by replacing ‘‘capable of measuring’’ with ‘‘specially designed for dynamic measurement of’’ and replacing ‘‘equal to or less than’’ with ‘‘and having an angular ‘‘accuracy’’ of’’ to refine the scope of the entry. The phrase ‘‘(microradians) or less (better)’’ is added after ‘‘10 mrad’’ to clarify the unit. Item paragraph f.3 (Optical equipment and components) is amended by moving the phrase ‘‘coherent beam combination’’ for better readability. The ‘‘accuracy’’ parameter is cascaded down to Item paragraph f.3.b and a new ‘‘accuracy’’ parameter is added to f.3.a, so that the equipment is controlled if it meets either of the ‘‘accuracy’’ parameters.
      • Category 9—Aerospace and Propulsion
        • 9A002 Heading is amended by revising and moving the parameter ‘‘with an ISO standard continuous power rating of 24,245 kW or more and a specific fuel consumption not exceeding 0.219 kg/ kWh in the power range from 35 to 100%’’ to the Items paragraph and adding ‘‘designed to use liquid fuel and having all of the following (see List of Items Controlled),’’ to the Heading. Two parameters are added for this ECCN: Maximum continuous power and ‘corrected specific fuel consumption’. (These revisions therefore do not change the scope of the existing control text, but rather clarify it by making it clear that the specific fuel consumption of concern applies at the ‘‘turndown performance’’ of 35%.)
        • 9A004 The scope of Item paragraph f.1 (Telemetry and telecommand equipment) is clarified by adding ‘‘specially designed’’ and two specific end uses in order to eliminate data processing equipment for mission data, such as GPS, science data, communication and broadcasting, since this data is not meant to be controlled under 9A004.f.1. The scope of Item paragraph f.2 (Simulators) is narrowed by adding ‘‘specially designed for ‘verification of operational procedures’ of ‘‘spacecraft’’.
        • 9D004 Paragraph .b (‘‘Software’’ for testing aero gas turbine engines, assemblies, ‘‘parts’’ or ‘‘components’’) is amended by removing the parameter and cascading subparagraphs with specific features or functions, such as ‘‘specially designed’’ for testing aero gas turbine engines . . . , to clarify and focus (narrow) the scope of control. A Note is added above Item paragraph .c to exclude software for operation of the test facility or operator safety, or production, repair or maintenance acceptance-testing . . .’’

Relevant EAR (Relevant changes listed below with editorial changes excluded):

  • Part 772: This rule removes 37 definitions from § 772.1 and adds them to the ECCNs where they are used. According to the WA drafting guidelines, if a term is only used in a single ECCN, then the definition must be in a Technical Note close to where that term is used.
  • Supplement No. 6 to Part 774: Sensitive List Paragraph (1)(i), ECCN 1A002, is amended by narrowing the scope from all of ECCN 1A002 to only subparagraph a.1 ‘‘ ‘‘Composite’’ structures or laminates made from an organic ‘‘matrix’’ and ‘‘fibrous or filamentary materials’’ specified by 1C010.c or 1C010.d’’, because the rest of the items in ECCN 1A002 do not warrant control on the Sensitive List as they are not key technologies.
  • Supplement No. 7 to Part 774: Very Sensitive List Paragraph (1)(i), ECCN 1A002, is amended by narrowing the scope from subparagraph .a to subparagraph a.1 (‘‘Composite’’ structures or laminates made from an organic ‘‘matrix’’ and ‘‘fibrous or filamentary materials’’ specified by 1C010.c or 1C0010.d), because the rest of the items in ECCN 1A002.a do not warrant control on the Sensitive List as they are not key technologies.
  • Section 740.16: License Exception APR is amended to remove a reference to ECCN 6A990 in paragraphs (a)(2) and (b)(2)(v), because ECCN 6A990 is removed from the CCL by this rule. ROICs are now specified in 6A002.f.
  • Section 740.20 License Exception STA is amended to remove reference to ECCNs 6A990 and 6E990 from paragraph (b)(2)(x), because these ECCNs are removed from the CCL. ROICs are now specified in 6A002.f and ROIC technology is specified in ECCNs 6E001 and 6E002.
  • Section 742.6: Regional Stability Paragraph (b)(1)(ii) is amended by removing reference to ECCN 6E990, because this ECCN is removed by this rule. ROIC technology is now controlled under ECCNs 6E001 and 6E002.
  • Section 744.9: Restrictions on Exports, Reexports, and Transfers (In-Country) of Certain Cameras, Systems, or Related Components Section 744.9 is amended by removing reference to ECCN 6A990 from paragraphs (a) and (b), because this ECCN is removed from the CCL. ROICs are now controlled under ECCN 6A002.f.

Federal Register Notice: https://www.govinfo.gov/content/pkg/FR-2018-10-24/pdf/2018-22163.pdf


EAR CCL Category 5 Part 2 Update List

2016/10/12

By: Danielle McClellan

BIS has published final rules implementing the Wassenaar Arrangement’s decision to re-write Category 5 Part 2, below is a list of updates. BIS will be updating their Encryption website soon to reflect these changes.

ECCN Changes to Category 5 Part 2

  • Separates C5P2 into 3 subsections:
    • Cryptographic information security
    • Non-cryptographic information security – 5A003
    • Defeating, Weakening, or bypassing information security – 5A004
  • Deletes ECCNS 5A992/5D992 a&b, as well as 5E992.a
  • Keeps mass market ECCNs 5A992/5D992.c and 5E992.b
  • Decontrol notes (Note to 5A002.a) moved around to remove previously unused paragraphs
  • Removes previous Note 1 to C5P2 – moved to a General Information Security Note (Supp. No. 2 to Part 774), removed all the pointers in the EAR to C5P2
  • Adds a sentence to the Note to Note 3 saying that simple price inquiry is not a consultation
  • Deletes 5A002 a.7 control on products above EAL-6

License Exception Changes

  • License Exception TSU – Publicly available source code is no longer subject to the EAR once the email notification is sent. The Notification requirement that was previously under TSU §740.13(e) is moved to §742.15(b)
  • License Exception TMP – 5E002 encryption technology now eligible for tools of the trade provisions under 740.9
  • §742.15 – Encryption Mass market provisions are moved from §742.15 to §740.17
  • License Exception ENC – §740.17
    • Paragraph (a)(1) – Adds an exception for certain related parties transactions for companies headquartered in a Supp. 3 country
    • §740.17(b)(4) – Deletes paragraph on short-range wireless items, paragraph on foreign made products is moved to paragraph (a)
    • Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report
    • If an exporter submits a CCATS review for an item under §740.17(b)(1), it does NOT have to go on the self-classification report
    • §740.17(b)(2) – updates performance parameters
  • § Edits headers to make it clear that there should only be one parameter that applies to a product
  • § Aggregate encrypted throughput increased from 90 Mbps to 250 Mbps
  • § Deletes single channel input data rate
  • § Deletes 250 concurrent encrypted data channels
  • § Media parameter raised from 1,000 endpoints to 2,500
  • § Carves out for mass market satellite modems that use end-to-end encryption between the modem and the hub
  • § 5A002.d (channelizing codes) and 5A002.e (spread spectrum) moved to §740.17(b)(2)
  • § New authorization for network infrastructure items to less-sensitive government end-users.
  • Delets grandfathering provisions
  • Adds Croatia added to Supp. No. 3 to Part 740
  • Revises Supp. No. 6 to Part 742 questions
  • Definition of government end-user states that government-owned public schools and universities are “government end-users” as defined in Section 772
  • Adds definition of “More sensitive government end-users” and “Less-sensitive government end-users”

Note

Classifications issued for 5A992/5D992 a&b and 5E992.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991,) if applicable, or EAR99.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to this rule change continue to be authorized under the newly located mass market encryption provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the item moved from 742.15 to 740.17.

Wassenaar Arrangement Ruling: https://www.federalregister.gov/documents/2016/09/20/2016-21544/wassenaar-arrangement-2015-plenary-agreements-implementation-removal-of-foreign-national-review

BIS Final Rule: http://www.bis.doc.gov/InformationSecurity2016-updates


BIS Posts Letter from Secretary Pritzker Regarding Implementation of Wassenaar Controls Concerning “Intrusion Software”

2016/04/06

(Source: Commerce/BIS)

Dear Sir or Madam,
Thank you for your letter to Secretaries Kerry, Johnson, and me regarding implementation of the Wassenaar Arrangement “intrusion software” and surveillance technology provisions.
Since the publication of our proposed regulation last May to implement these controls, we have received substantial commentary from Congress, the private sector, academia, civil society, and others on potential unintended consequences of the 2013 Wassenaar controls, as well as on our proposal to implement them in U.S. regulation.

In response to these concerns, and as a result of extensive outreach efforts and further U.S. Government review, the United States has proposed in this year’s Wassenaar Arrangement to eliminate the controls on technology required for the development of “intrusion software.” We will also continue discussions both domestically and at Wassenaar aimed at resolving the serious scope and implementation issues raised by the cybersecurity community concerning remaining controls on software and hardware tools for the command and delivery of “intrusion software.”

These discussions will include significant consultations with other Wassenaar members and those in the U.S. government, private sector, and academic cybersecurity communities. The goals of these discussions will be materially address the concerns raised during the rulemaking process. They will also give the Administration a chance to share with our counterparts in other countries the U.S. cybersecurity communities’ concerns regarding the unintended consequences such controls could have.

Because changes in Wassenaar controls must be approved by all 41 members, we cannot predict the outcome of these discussions and negotiations. The Department of Commerce and our Federal partners, however, will continue to consult with the cybersecurity communities during the negotiations and we commit that we will not implement domestically any regulations on these specific controls without first giving the public an opportunity to participate through the notice and comment process of a proposed rule.

President Obama has identified cybersecurity as one of the greatest national security challenges we face as a Nation. Cognizant of this, we commit to ensuring that the benefits of controlling the export of the purpose-built tools at issue outweigh the harm to effective U.S. cybersecurity operations and research. We will also continue to analyze the role that appropriately scoped export controls could play within the larger strategy of countering the growing capability of malicious actors to cause harm through cyberspace.

Thank you again for your letter, and we look forward to working with your associations and your membership on this critical issue.

Sincerely,
Penny Pritzker


BIS Amends Country Chart and Various Missing Wassenaar Changes

2016/01/19

By: Danielle McClellan

BIS released the following amendments and revisions that were inadvertently omitted from the Wassenaar Arrangement 2014 Plenary Agreements Implementation and Country Policy Amendments. A rule was published on May 21, 2015 but the following revisions were absent in that notice and will be implemented now:

 

  • Supplement No. 1 to Part 738: Commerce Country Chart
    • This rule would remove the X, i.e., license requirement, in the NS:2 Column for South Africa, as well as remove the X in the RS:2 Column for Argentina and South Africa
  • Part 740: Country Groups
    • This rule removes Fiji from Country Group D:5 ‘‘U.S. Arms Embargoed Countries,’’ and from Country Group D in Supplement No. 1 to part 740 of the EAR (This correction is not the result of a Wassenaar Arrangement agreement, but rather of a final rule published by the Department of State on May 29, 2015)
  • Section 743.3: Thermal Imaging Camera Reporting
    • BIS inadvertently removed a thermal imaging camera reporting requirement exemption for Canada in the May 21 rule. The reporting requirements for thermal imaging cameras are corrected by exempting Canada from the reporting requirements, as was the policy prior to the publication of the May 21, 2015, Wassenaar rule. The exception is added to paragraph (b) of § 743.3 of the EAR.
  • Part 772: Definitions
    • This rule removes a reference for ‘‘signal analyzer (dynamic).  .  .’’ that was inadvertently not removed when the definition for ‘‘dynamic signal analyzer’’ was removed from this part.
  • Supplement No. 1 to Part 774: Commerce Control List ECCN 8A620 Submersible Vessels, Oceanographic and Associated Commodities
    • Replaces paragraph .f with a new paragraph containing two subparagraphs: Subparagraph f.1 for self-contained diving rebreathers, closed or semi-closed circuit; and subparagraph f.2 for underwater swimming apparatus ‘‘specially designed’’ for use with equipment specified in paragraph f.1. Paragraph f.1 narrows the scope by adding the ‘‘self- contained’’ parameter, while f.2 is an expansion of controls.
  • ECCN 9A004 Space Launch Vehicles and ‘‘Spacecraft’’
    • The range of reference in the License Requirement Note is corrected to read ‘‘9A004.b through .f.’’ Also, Note 3 in the Related Controls is revised for clarity.
  • 9A010  ‘‘Specially Designed’’ ‘‘Parts,’’ ‘‘Components,’’ Systems and Structures, for Launch Vehicles, Launch Vehicle Propulsion Systems or ‘‘Spacecraft’’
    • The Heading to ECCN 9A010 is corrected by removing the reference to the ITAR for jurisdiction over these items and instead referring to the newly added Related Controls paragraph.

Federal Register Notice: https://www.gpo.gov/fdsys/pkg/FR-2015-12-03/pdf/2015-30253.pdf


CCL Revisions from Wassenaar Meeting

2015/07/14

By: Danielle McClellan

The Bureau of Industry and Security (BIS) issued a final rule on May 21, 2015 that revises the Commerce Control List (CCL) to implement changes made to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies.

Wassenaar Participating States agreed to new controls on spacecraft equipment and technology for fly-by-wire/flight-by-light systems and revised the text for the controls of machine tools and military utility and finber laser components in optical equipment. Changes involving the deletion of obsolete controls relating to vessels and UAVs have also occurred. The new rule revises 42 ECCNs and adds one ECCN while removing another. The General Technology Note was also amended as well as adding License Exception CIV to 3 ECCNs for Anisotropic plasma dry etching equipment and related software and technology.

CHANGE CHEAT SHEET:

  • Revises:  0A606, 1A613, 1C002, 1C007, 1C008, 1C010, 1E002, 2B001, 3A001, 3A002, 3A991, 3B001, 4D001, 4E001, 5D001, 5E001, 5A002, 6A001, 6A003, 6A004, 6A005, 6C005, 6D003, 7A003, 7D004, 7E004, 7E001, 8A001, 8A002, 8A620, 8E002, 9A001, 9A003, 9D003, 9A004, 9A010, 9A012, 9B001, 9B010, 9D003, 9D004, and 9E0032
  • Adjusts 0D521 and 0E521 controls on flight controls
  • Adds  9D005
  • Removes 4D002
  • Revises because of the Foreign Availability Assessment: 3B001, 3D001, and 3E001

FOR FURTHER INFORMATION CONTACT: Sharron Cook, Office of Exporter Services, Bureau of Industry and Security, U.S. Department of Commerce at 202-482-2440 or by email: Sharron.Cook@bis.doc.gov.

 

For technical questions contact:

  • Categories 0, 1 & 2: Michael Rithmire at 202-482-6105
  • Category 3: Brian Baker at 202-482-5534
  • Categories 4 & 5: ITCD staff 202-482-0707
  • Category 5 (Satellites): Mark Jaso at 202-482-0987 or Reynaldo Garcia at 202-482-3462
  • Category 6 (optics): Chris Costanzo at 202-482-0718
  • Category 6 (lasers): Mark Jaso at 202-482-0987
  • Category 6 (sensors and cameras): John Varesi 202-482-1114
  • Category 8: Darrell Spires 202-482-1954
  • Categories 7 & 9: Daniel Squire 202-482-3710 or Reynaldo Garcia 202-482-3462

BIS Adapts December 2013 Wassenaar List Changes

2014/10/07

By: Brooke Driver

BIS announced on the 25th of July that it was making changes to the CCL to incorporate revisions to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies that took place at the plenary meeting last December. This rule harmonizes the CCL with the changes made to the WA List by revising ECCNs controlled for national security reasons in each category of the CCL, amending the General Technology Note, WA reporting requirements and definitions section in the EAR. BIS stated that it intends to publish a separate rule this month regarding changes to the Commerce Control List related to WA agreements for cybersecurity. The rule came into effect August 4.


Wassenaar Arrangement Modifies Controls on Electronic Surveillance Tools

2014/01/30

By: Brooke Driver

At its annual plenary meeting in Austria December 3-4, 2013, the Wassenaar Arrangement, a group of 41 countries including the U.S., Russia, the U.K. and most E.U. states, focused on export controls for conventional arms and dual-use goods and technology, agreed on new harsher export controls on cybersecurity technologies, recognizing their great potential for terrorism. Each participating country must now implement these changed policies, one major area of which is surveillance and intelligence gathering tools, including malware and rootkits, which governments can use to bypass security features on electronic devices in order to attain supposedly protected data. Internet protocol network surveillance systems or equipment are also now subject to revised export controls, which include technologies used to screen for malware, viruses and surveillance programs. These technologies are subject to new controls, because representatives of the 41 countries believed that they could be used to both block cyber attacks and grant foreign persons dangerous insight into Western screening systems, increasing the potential for hacks. The agreement also places stricter controls on intelligence gathering technologies that analyze individuals’ or groups’ relational networks and activities, although there will be exceptions for companies using such software for marketing or consumer-monitoring purposes.

Click here for details of these changes and others decided upon at this year’s Wassenaar plenary meeting: http://www.wassenaar.org/controllists/2013/Summary%20of%20Changes%20to%20Control%20Lists%202013.pdf


BIS Amends EAR and CCL to Implement Wassenaar Arrangement 2012 Plenary Agreements

2013/08/21

By: Brooke Driver and John Black

The Bureau of Industry and Security has taken steps to implement changes to the Commerce Control List of the Export Administration Regulations discussed at the Plenary Meeting in 2012. This final rule revises the CCL to implement changes made to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies, agreed to by participants of the Plenary Meeting. The rule revises ECCNs in every category of the CCL except category 8.  In addition, BIS changed the EAR Part 743 Wassenaar Arrangement (WA) reporting requirements for certain license exception exports of items in 2D001, 2E001, and 2E002.
For aerospace companies, the rule makes important relaxations to what some people view as the antiquated 7E004 controls on technology.  BIS added a new ECCN to control source code related to 7E004:

7D004 “Source code” incorporating “development” “technology” specified by 7E004.a or 7E004.b, for any of the following: (see List of Items Controlled).

BIS also adjusted the ECCN 9E003.a.5 controls on technology for cooled turbine blades, vanes or tip shrouds to bring those controls more in line with other controls.  BIS added this new software ECCN:

2D003 “Software”, designed or modified for the operation of equipment specified by 2B002, that converts optical design, workpiece measurements and material removal functions into “numerical control” commands to achieve the desired workpiece form.

BIS made WA based changes to these other ECCNs 1A004, 1C001, 2B001, 2B006, 2D001, 2D002, 3A001, 3A002, 3B001, 3C002, 4D001, 5A001, 5B001, 5E001, 5A002, 5E002, 6A001, 6A002, 6A005, 6C004, 6C005, 7A001, 7D003, 7E001, 9A001, and 9A018.
For the details, visit: http://www.gpo.gov/fdsys/pkg/FR-2013-06-20/html/2013-14644.htm