Commerce Department Establishes New Export Controls on Cybersecurity Items

Mark Ludwikowski
Clark Hill PLC
Contact
LinkedIn
Facebook
X
Send
Embed

The U.S. Commerce Department on Thursday published an interim final rule to establish export controls on cyber intrusion software and other cybersecurity items capable of malicious use. The changes, effective Jan. 19, 2022, will impose stringent restrictions on these cybersecurity items and includes a new license exception to authorize certain exports.

These new controls were long-awaited and published as part of United States obligations as a member of the Wassenaar Arrangement, an international export control regime. Most other Wassenaar member countries have already implemented controls on cybersecurity items.

The Commerce Department originally proposed controls on cybersecurity items in 2015. The proposal resulted in several hundred public comments from academia and private industry, interagency comments, and Congressional testimony that identified substantial problems with the proposed controls. The United States therefore worked with other Wassenaar members to narrow the controls.

The interim final rule reflects the most recent Wassenaar changes. Among them, the new controls expressly exclude certain software specially designed and limited to providing basic updates and upgrades meeting certain requirements and excludes certain technology exchanged in “vulnerability disclosures” and “cyber incident responses,” as defined by the amendments.

The interim final rule further creates License Exception Authorized Cybersecurity Exports (“ACE”), which will allow for exports, reexports, and in-country transfers of certain cybersecurity items to most destinations, subject to certain limitations. Notable among these limitations, License Exception ACE will not apply where persons export, reexport, or transfer with knowledge or reason to know that a cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems without proper authorization.

The Commerce Department may further revise the controls before the effective date. It is accepting public comments to the interim final rule until Dec. 6, 2021, and is particularly interested in hearing about the potential cost of complying with the new controls, and any prospective impacts on legitimate cybersecurity activities.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising

Written by:

Clark Hill PLC
Clark Hill PLC
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Clark Hill PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide