CCL

Encryption Controls under the Export Administration Regulations

Encryption is generally defined as the process of converting information or data into a code, especially to prevent unauthorized access. Put simply, encryption makes a wide range of technologies more secure. Since 1996, most encrypted technology is controlled by the EAR. Some encrypted technology, which has military-related functionalities, is controlled by the International Traffic in Arms Regulations (“ITAR”). This article provides an overview of encryption controls under the EAR, outlines license exceptions for certain encrypted technologies, and provides best practices for export compliance.

Background on Export Administration Regulations

Over 95% of the world’s population is outside of the United States. Opportunities abound for U.S. companies that export. However, exporting is a privilege and not a right. U.S. exporters have an important responsibility to adhere to U.S. export control laws, including the Export Administration Regulations (“EAR”).

Administered by the U.S. Commerce Department, the EAR is a set of regulations which governs whether U.S. persons may export or transfer goods, software, and technology outside of the United States or to non-U.S. citizens. U.S. exporters have an important responsibility to adhere to the EAR. Violations of the EAR carry hefty civil and criminal penalties. Exporters can pay hundreds of thousands of dollars in penalties, lose export privileges, and even be imprisoned.

Encryption Controls

According to 15 CFR 742.15:

“Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that […]

Export Controls and Cybersecurity

Introduction

In order to protect U.S. national security interests and promote foreign policy objectives, various U.S. agencies collectively administer and enforce U.S. export control laws and participate in various multilateral export control regimes to prevent the proliferation of weapons of mass destruction and prevent destabilizing accumulations of conventional weapons and related materials. To that end, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) governs the export and reexport of commodities, software, and technology falling under the jurisdiction of Export Administration Regulations. BIS promotes continued U.S. strategic technology leadership and is responsible for enforcing the regulation of export, reexport, and transfer of items with commercial uses that can also have a dual use, and be used in conventional arms, weapons of mass destruction, terrorist activities, or human rights abuses, and less sensitive military items, which bleeds into cybersecurity as well.

Cybersecurity has recently become an essential aspect in export controls and on October 21, 2021, BIS published its Interim Final Rule (this rule is effective January 19, 2022), which summary states:

SUMMARY: This interim final rule outlines the progress the United States has made in export controls pertaining to cybersecurity items, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community. Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of […]

Go to Top