Cloud Solutions Allowed for Encrypted, Unclassified Defense Data

January 08, 2020

The State Department’s Directorate of Defense Trade Controls (“DDTC”) published an interim final rule on December 26, 2019, bringing the International Traffic in Arms Regulations’ (“ITAR”) treatment of encrypted electronic transmissions, such as cloud computing solutions, in line with the Export Administration Regulations (“EAR”). The interim final rule becomes effective on March 25, 2020, and interested parties have until January 27, 2020 to file additional comments with the DDTC. Implementation of this new rule should reduce the export licensing burden for companies dealing with ITAR-controlled technical data, as well as reduce compliance costs by allowing those companies to use global cloud solutions currently available for data controlled under the EAR.

Summary of Interim Final Rule

The interim final rule creates a new definition of “activities that are not exports, reexports, retransfers, or temporary imports” in § 120.54 of the ITAR to exclude certain transactions from the ITAR’s licensing authority. Upon implementation, the electronic transmission and storage of secured unclassified technical data outside of the U.S. will no longer be considered an “export” subject to ITAR requirements. Prior to the implementation of this rule, the storage or transmission of ITAR-controlled technical data in or through a foreign country required ITAR authorization, or use of cloud solutions that employed only U.S. servers and network infrastructure. That requirement, which deviated from the EAR practice adopted in 2016, imposed a significant compliance burden on multinational companies with globally diversified IT networks as well as companies looking to migrate their data to a cloud solution.

New ITAR Exclusion: Encrypted Electronic Transmissions 

With the new rule, companies will no longer be required to seek ITAR authorizations for the transmission of unclassified ITAR technical data through networks and servers outside of the U.S. However, intentionally sending encrypted data to or storing it in arms embargoed countries still would be restricted. The new definition of transactions not subject to the ITAR’s controls on exports is identical to the EAR provision found in § 734.18. A summary of the requirements is included below.

  • Data Eligible - Unclassified only
  • Method of Transfer - Secured using end-to-end encryption
  • Security Thresholds - Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES–128)
  • Restrictions - Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of the ITAR / Country Group D:5 of the EAR (Afghanistan, Belarus, Burma, Central African Republic, China, Congo, Cuba, Cyprus, Eritrea, Haiti, Iran, Iraq, North Korea, Lebanon, Libya, Somalia, South Sudan, Sudan, Syria, Venezuela and Zimbabwe), or Russia

By mirroring the EAR’s exclusions for encrypted technical transfers, companies that implemented protocols for handling EAR-controlled technology can quickly migrate their unclassified ITAR-controlled technical data to those existing platforms. 

In addition to excluding encrypted technology transfers from the ITAR licensing authority, the new rule also mirrors the EAR’s rule in other respects. The following activities are not subject to either of the ITAR’s or EAR’s export licensing requirements:

  • Launching a spacecraft, launch vehicle, payload, or other item into space. ITAR § 120.52(a)(1); EAR § 734.18(a)(1)
  • Transfers of ITAR technical data or EAR technology to a U.S. person in the U.S. from a person in the U.S. Note: this would cover activities such as electronic communications between two U.S. persons in the United States that might incidentally transit other countries. There is no requirement such U.S. transfers be encrypted. However, the release of technical data or technology to a non-U.S. person remains subject to ITAR and EAR licensing. ITAR § 120.52(a)(2); EAR § 734.18 (a)(2)
  • Transfers of ITAR technical data or EAR technology by and among U.S. persons while located in a foreign country. Note: transfers to prohibited parties or foreign persons remain subject to ITAR and EAR licensing. ITAR § 120.54(a)(3); EAR § 134.18(a)(3)); and
  • Shipping, moving or transferring commodities between or amount the U.S., including U.S. territories and possessions (i.e., Puerto Rico, Commonwealth of the Northern Mariana Islands). ITAR § 120.54(a)(4); EAR § 734.18(a)(4)
Clarifications of Restrictions on Enabling Foreign Persons to Access Encrypted ITAR Data
The interim rule also clarifies that providing a foreign person with the ability to decrypt encrypted ITAR data (such as that stored on a cloud) constitutes a release of that data that requires authorization. DDTC’s commentary clarifies that provision of “access information” (a new term) is not itself an export transaction subject to the ITAR licensing requirements. However, companies need to consider how the use of access information could fall within the amended definition of “release.”  

“Access information” is defined as the information or mechanisms (e.g., decryption keys, network access codes and passwords) that can convert encrypted information to its unencrypted form. The use of access information can cause a “release” of ITAR technical data when (i) the use of the access information causes or enables a foreign person to access, view or possess unencrypted technical data; or (ii) the use of access information to cause technical data outside of the United States to be in unencrypted form. Further, the rule provides:
Authorization for a release of technical data to a foreign person is required to provide access information to that foreign person, if that access information can cause or enable access, viewing or possession of the unencrypted technical data.

This revised definition makes providing access information to a foreign person a release of the underlying technical data (and therefore an ITAR licensable transaction) if the access information can cause or enable access to unencrypted technical data. This definition does not require actual access, viewing or possession of the unencrypted technical data, which contrasts with DDTC’s regulatory revision in 2016 that made clear that a “release” requires actual access. Companies can consider utilizing the comment period to address this theoretical access concern and should closely monitor this definition to ensure their programs are structured to avoid theoretical access through making decryption means available to users outside the United States. 

For more information about this and other international trade issues, please contact the attorneys listed below.

Subscribe to Dechert Updates