ITAR Interim Final Rule on Encryption Became Effective on March 25th

On March 25, 2020, the following Directorate of Defense Trade Controls’ (DDTC’s) Interim Final Rule, commonly referred to as the “Encryption Rule” took effect. See 84 Federal Register 70887 (International Traffic in Arms Regulations: Creation of Definition of Activities That Are Not Exports, Reexports, Retransfers, or Temporary Imports; Creation of Definition of Access Information; Revisions to Definitions of Export, Reexport, Retransfer, Temporary Import, and Release.

By way of background, the International Traffic in Arms Regulations (ITAR) (22 C.F.R. Parts 120 – 130) controls exports, reexports, retransfers, and temporary imports (i.e., “controlled events”) of defense articles and defense services that are provided for in the U.S. Munitions List (22 C.F.R. Section 121.1). However, the Interim Final Rule clarifies that the following activities (which may appear to be exports, reexports, retransfers or temporary imports) will not be considered “controlled events” that are subject to the ITAR—

• Launching a spacecraft, launch vehicle, payload or other item into space;
• Transmitting or transferring technical data to U.S. persons within the United States;
• Transmitting or transferring technical data between or among U.S. persons within a single foreign country;
• Moving a defense article between the states, possessions and territories of the United States; or,
• Sending, taking or storing of technical data that is: (a) unclassified; (b) secured using end-to-end encryption as prescribed; (c) not intentionally sent to a person in or stored in ITAR proscribed countries (“Section 126.1 Countries”) or the Russian Federation; and, (d) not sent from a Section 126.1 Country or the Russian Federation.

The fifth bullet point shown above what we refer to as the DDTC’s “Encryption Rule.” Accordingly, as of March 25th, U.S. persons may take or send unclassified ITAR-controlled technical data out of the U.S. or between other countries without a license from the DDTC IF—

• the data is properly secured using minimum encryption standards, as described below;
• no proscribed countries or the Russian Federation are involved; and,
• the data is encrypted end-to-end.

With respect to the minimum encryption standards that must be applied, the technical data must be encrypted before it is sent from the originator’s location, and it must remain encrypted until it is received by the authorized foreign recipient. The technical data must also be secured using the FIPS 140-2 standard in accordance with National Institute for Standards and Technology (NIST) guidance, or by other methods that are at least comparable to the minimum AES 128-bits security strength.

The rule also adds a new definition in Section 120.55 for access information which is information that allows access to the encrypted technical data in an unencrypted form (e.g., decryption keys, network access codes, and pass codes). It also revises the definition of release in Section 120.50 to include the use of access information to: (a) cause or enable a foreign person to access, view, or possess technical data; or, (b) cause technical data outside of the United States to be in an unencrypted form.

The rule further provides in Section 120.50 that a U.S. person does not need to obtain a specific authorization from DDTC to provide access information to a foreign person provided that the foreign person is already authorized to receive the unclassified ITAR technical data. However, if the foreign person is not authorized to receive the technical data, then providing him/her with the access information would violate the ITAR.

What are the implications for sending and storing ITAR technical data in the cloud? First, use of the cloud would be permissible under the new rule provided that the technical data is unclassified. (Classified technical data remains controlled under the ITAR regardless of the encryption methods used.) Second, the cloud provider cannot be located or operate in an ITAR proscribed country or the Russian Federation.

The Encryption Rule corresponds but is not identical to the related provision in the Export Administration Regulations (EAR) (15 C.F.R. Parts 730 – 774). For example, the description of “end-to-end encryption” in the DDTC’s rule is more rigid than that under the EAR. The DDTC rule states that companies may use NIST-certified FIPS 1402 or other cryptography that meets or exceeds a 128-bit security strength, whereas the EAR does not specify a minimum security strength. In addition, the intentional sending and storage of encrypted technical data to proscribed countries or the Russian Federation would constitute an export under the DDTC’s rule, while the EAR only refers to storage of the data in those countries.

If you have any questions relating to the DDTC’s Interim Final Rule, the ITAR, export controls or other international trade-related issues, please contact us.