On June 3, 2015, the State and Commerce Departments issued proposed regulations to harmonize key terms used in the International Traffic in Arms Regulations (“ITAR”) and the Export Administration Regulations (“EAR”), including the definition of the term “export”. They also specified what would not constitute an export. An important part of this is the position that transmitting or storing electronic data would not constitute an “export” of the data if it meets certain security standards. Specifically, they proffer that sending, taking or storing technology/technical data or software would not constitute an export if it is:
(i) unclassified; and,
(ii) secured using “end-to-end” encryption; and,
(iii) secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications; and,
(iv) not stored in a country listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation.
Both proposals state, however, that decryption keys, network access codes, passwords or other information that will permit access by a foreign person to controlled technology/technical data cannot be released. If it is, it will constitute an export!
Remember, this is still a “proposed rule” and is not in effect. Until then, any transfer or storage of technical data outside of the U.S. is still considered an export and requires a U.S. Government authorization.
If companies want to take advantage of these proposed rules, they will need tools to comply with the new proposed regulations (encryption during storage/transfer, marking and access control rights). Contact Reliant Technologies to find out more about solutions!