Cloud Solutions Allowed for Encrypted, Unclassified Defense Data

 
January 08, 2020

The State Department’s Directorate of Defense Trade Controls (“DDTC”) published an interim final rule on December 26, 2019, bringing the International Traffic in Arms Regulations’ (“ITAR”) treatment of encrypted electronic transmissions, such as cloud computing solutions, in line with the Export Administration Regulations (“EAR”). The interim final rule becomes effective on March 25, 2020, and interested parties have until January 27, 2020 to file additional comments with the DDTC. Implementation of this new rule should reduce the export licensing burden for companies dealing with ITAR-controlled technical data, as well as reduce compliance costs by allowing those companies to use global cloud solutions currently available for data controlled under the EAR.

Summary of Interim Final Rule

The interim final rule creates a new definition of “activities that are not exports, reexports, retransfers, or temporary imports” in § 120.54 of the ITAR to exclude certain transactions from the ITAR’s licensing authority. Upon implementation, the electronic transmission and storage of secured unclassified technical data outside of the U.S. will no longer be considered an “export” subject to ITAR requirements. Prior to the implementation of this rule, the storage or transmission of ITAR-controlled technical data in or through a foreign country required ITAR authorization, or use of cloud solutions that employed only U.S. servers and network infrastructure. That requirement, which deviated from the EAR practice adopted in 2016, imposed a significant compliance burden on multinational companies with globally diversified IT networks as well as companies looking to migrate their data to a cloud solution.

New ITAR Exclusion: Encrypted Electronic Transmissions 

With the new rule, companies will no longer be required to seek ITAR authorizations for the transmission of unclassified ITAR technical data through networks and servers outside of the U.S. However, intentionally sending encrypted data to or storing it in arms-embargoed countries still would be restricted. The new definition of transactions not subject to the ITAR’s controls on exports is identical to the EAR provision found in § 734.18. A summary of the requirements is included below.

  • Data Eligible - Unclassified only
  • Method of Transfer - Secured using end-to-end encryption
  • Security Thresholds - Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES–128)
  • Restrictions - Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of the ITAR / Country Group D:5 of the EAR (Afghanistan, Belarus, Burma, Central African Republic, China, Congo, Cuba, Cyprus, Eritrea, Haiti, Iran, Iraq, North Korea, Lebanon, Libya, Somalia, South Sudan, Sudan, Syria, Venezuela and Zimbabwe), or Russia

By mirroring the EAR’s exclusions for encrypted technical transfers, companies that implemented protocols for handling EAR-controlled technology can quickly migrate their unclassified ITAR-controlled technical data to those existing platforms. 

In addition to excluding encrypted technology transfers from the ITAR licensing authority, the new rule also mirrors the EAR’s rule in other respects. The following activities are not subject to either the ITAR’s or the EAR’s export licensing requirements:

  • Launching a spacecraft, launch vehicle, payload, or other item into space. ITAR § 120.52(a)(1); EAR § 734.18(a)(1)
  • Transfers of ITAR technical data or EAR technology to a U.S. person in the U.S. from a person in the U.S. Note: this would cover activities such as electronic communications between two U.S. persons in the United States that might incidentally transit other countries. There is no requirement that such U.S. transfers be encrypted. However, the release of technical data or technology to a non-U.S. person remains subject to ITAR and EAR licensing. ITAR § 120.52(a)(2); EAR § 734.18(a)(2)
  • Transfers of ITAR technical data or EAR technology by and among U.S. persons while located in a foreign country. Note: transfers to prohibited parties or foreign persons remain subject to ITAR and EAR licensing. ITAR § 120.54(a)(3); EAR § 734.18(a)(3); and
  • Shipping, moving or transferring commodities between or among the U.S., including U.S. territories and possessions (i.e., Puerto Rico, Commonwealth of the Northern Mariana Islands). ITAR § 120.54(a)(4); EAR § 734.18(a)(4)

Clarifications of Restrictions on Enabling Foreign Persons to Access Encrypted ITAR Data
 
The interim rule also clarifies that providing a foreign person with the ability to decrypt encrypted ITAR data (such as that stored on a cloud) constitutes a release of that data that requires authorization. DDTC’s commentary clarifies that provision of “access information” (a new term) is not itself an export transaction subject to the ITAR licensing requirements. However, companies need to consider how the use of access information could fall within the amended definition of “release.”  

“Access information” is defined as the information or mechanisms (e.g., decryption keys, network access codes and passwords) that can convert encrypted information to its unencrypted form. The use of access information can cause a “release” of ITAR technical data when (i) the use of the access information causes or enables a foreign person to access, view or possess unencrypted technical data; or (ii) the access information is used to cause technical data outside of the United States to be in unencrypted form. Further, the rule provides:
 
Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing or possession of the unencrypted technical data.

This revised definition makes providing access information to a foreign person a release of the underlying technical data (and therefore an ITAR licensable transaction) if the access information can cause or enable access to unencrypted technical data. This definition does not require actual access, viewing or possession of the unencrypted technical data, which contrasts with DDTC’s regulatory revision in 2016 that made clear that a “release” requires actual access. Companies can consider utilizing the comment period to address this theoretical access concern and should closely monitor this definition to ensure their programs are structured to avoid theoretical access through making decryption means available to users outside the United States. 
