Trade Law Daily is a Warren News publication.

BIS Makes Some Changes in Final Cybersecurity Rule

The Bureau of Industry and Security this week finalized its new controls on cybersecurity items, making several changes to the rule’s language and addressing some questions from the public comment period. The changes include revisions to the definition of “government end user” and other actions to “clarify the scope of controls,” BIS said in a final rule effective May 26.

The rule, first announced by BIS in October, aligns U.S. cybersecurity restrictions with controls previously agreed to at the multilateral Wassenaar Arrangement and created new License Exception Authorized Cybersecurity Exports (ACE) (see 2110200036). The agency delayed the rule’s effective date for 45 days after receiving requests from industry (see 2201110025), some of whom said the controls should be tweaked so they don’t impede certain activities in the cybersecurity sector, including information sharing and exports to certain government end-users (see 2112130028).

Microsoft specifically asked BIS to narrow the rule’s definition of government end-user in License Exception ACE, which it said was “significantly broader” than how the term is applied to encryption-related exports. In the final rule released May 25, BIS said it agreed with this suggestion and added a “detailed illustrative list of end users that meet this definition.” The list includes “two types of government end-users that are already defined” in the Export Administration Regulations, BIS said: “more-sensitive government end-users” and “less-sensitive government end-user.”

The agency also added a note to define “partially operated or owned by a government or governmental authority” to help the public understand the phrase. BIS said the phrase is used in “three of the listed ‘government end users’ related to utilities; transportation hubs and services; and retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services specified in the Wassenaar Arrangement Munitions List.”

BIS also said it plans to issue more guidance and frequently asked questions beyond the FAQs issued in November (see 2111120041) to help the public comply with the restrictions (see 2205050023). The agency may publish a “decision tool” for License Exception ACE to help exporters figure out if they should use the exception, BIS said.

The agency also disagreed with some commenters' suggestions, including one comment that asked BIS to “remove or modify” the rule’s license requirement for government end-users. Although the commenter said the requirement could “chill cross-border collaboration with cybersecurity researchers” because exporters “will be required to check whether an individual has a government affiliation before communicating with them,” BIS said it’s necessary to prevent people acting on behalf of a Country Group D government -- including Iran, North Korea and China -- from obtaining cybersecurity items for “activities contrary to U.S. national security and foreign policy interests.”

Another commenter told BIS that the estimated annual expense of $2,250 for the public to comply with the rule is a “gross underestimation,” BIS said. The “complexity of the rule will increase the cost of compliance,” the commenter said. BIS said it consulted with its technical advisory committees on the number, and said “none of the commenters provided data to substantiate this claim or provided another estimate.”