BIS issues significant new export controls on certain cybersecurity items and related guidance

/in


On October 21, 2021, the Bureau of Industry and Security (BIS) published an interim final rule (IFR) to implement significant new controls regarding certain cybersecurity items. The rule contains new and updated Export Control Classification Numbers (ECCNs) and new License Exception Authorized Cybersecurity Exports (ACE). On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) to provide guidance on the IFR and License Exception ACE.

On October 21, 2021, the Bureau of Industry Security (BIS) published an Interim Final Rule (IFR) to implement controls on certain “cybersecurity items” that can be used for malicious cyber activities. Most notably, the IFR defines “cybersecurity items” to include the new and updated Export Control Classification Numbers (ECCNs) and creates a new License Exception Authorized Cybersecurity Exports (ACE). This IFR follows BIS’s original proposal to implement the addition of cybersecurity items to the Wassenaar Arrangement (WA) in 2015. However, the 2015 proposed rule received substantial industry scrutiny, including concerns that the rule was overly broad, would impose a heavy burden on licensing for legitimate transactions, and could cripple legitimate cybersecurity research. In response to those and other concerns, BIS suspended implementation of the 2015 proposed rule and, instead, renegotiated changes to the WA control lists in 2017, intending to define more precisely the scope of the cybersecurity controls. BIS released the October 2021 IFR to implement the 2017 WA decisions. Public comments on the IFR are due December 6, 2021, and the IFR is set to go into effect on January 19, 2022.

On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) that provide guidance on this IFR.

New Export Control Classification Numbers 

“Cybersecurity items” are defined to include the new and updated ECCNs referenced below and certain related ECCNs in Categories 4 and 5.

Category 4 includes two new ECCNs related to “intrusion software”:

  • 4A005 “Systems,” “equipment,” and “components” therefor, “specially designed” or modified for the generation, command and control, or delivery of “intrusion software.”
  • 4D004…

Source…