The new rule, ironically entitled “Encryption Simplification” takes up eighteen pages in the Federal Register. BIS plans on developing additional guidance to be posted on its website as questions will inevitably be raised regarding the correct interpretation of certain provisions contained in the final rule.

Good News for Some

Companies in the business of making products for the consumer market will benefit from the regulatory changes. For example, companies that make mass-market products using weak cryptography (now defined as using key lengths not exceeding 80 bits; for asymmetric algorithms with key lengths not exceeding 1024 bits; and for elliptic curve algorithms with key lengths not exceeding 160 bits) no longer have to submit a notification of self-classification prior to export. These products can be classified as 5X992 and exported under “NLR”.

The new regulation introduces a category of products performing “ancillary cryptography” and exempts them from review and reporting requirements. Examples provided by BIS in its definition of ancillary cryptography in section 772.1 of the EAR include “business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); automotive, aviation and other transportation systems. Relief from the review and reporting requirements is also given to companies making products using short-range wireless technology.
BIS has also raised the thresholds that allow some network infrastructure equipment to be exported under the unrestricted provisions of ENC. As a consequence, low-end virtual private network (VPN) hardware and other wide area networking products can now potentially qualify for license-free shipment to both commercial government end-users worldwide.

All exporters will benefit by the inclusion of Bulgaria, Canada, Iceland, Romania and Turkey to the “License Free Zone” (also known as the “Supplement 3 countries”). Both government and commercial entities in these countries may receive product under ENC once a review request is submitted.

Bad News for Others

BIS has made a change affecting the classification of mass-market products that could present a compliance challenge for companies who may conduct a limited international release of product coincident with the submission of a technical review. Companies had previously been allowed to self-classify mass-market products as 5×992 and export under NLR (no license required) pending a 30 day BIS review. The new rules require that future products be temporarily classified as 5×002 pending a final BIS determination and export be made according to the provisions of ENC. This change is viewed as a roll-back of an existing liberalization and will undoubtedly be cited in comment letters to BIS. Companies will likely claim that expensive system change requirements in their order processing, export documentation and ERP systems will be required to comply with the new rule.

BIS is actively working on a long range plan to further modify the encryption regulations. However, given the fact that this is an election year and that fundamental changes to U.S. encryption export rules will require Wassenaar Arrangement approval there will likely be no further changes for at least a year to eighteen months.
— Felice Laird, Export Strategies LLC

When determining nationality, the Department of Defense Trade Controls will consider an individuals country of origin or birth in addition to citizenship. The individuals must be physically located within one of the countries to receive access to the technical data.

The “Guidelines for Preparing Agreements” available on the DDTC website will be revised to incorporate this change and are effective February 1, 2008. Any submission that does not meet the following requirements will be subject to being Returned Without Action:

• On pages 10 and 22 of the Guidelines, insert the following statement: This agreement (does/does not) request retransfer of defense articles and defense services pursuant to ITAR 124.16. (Change or No Change on page 22)
• On page 15 of the Guidelines, the applicant must include the following statements (if applicable) which are required by the ITAR. Both the second and third statement my be used in conjunction depending on the location of the foreign licensees and or sublicensees:
  1. If Not Requesting Third Country/Dual Nationals: This agreement does not authorize access to defense articles or transfer of technical data/defense services to third country/dual national employees of the foreign licensees (or approved sublicenses – if applicable).
  2. If Requesting Third Country/Dual Nationals Who Do Not Qualify for ITAR 124.16: Pursuant to ITAR 124.8(5), this agreement authorizes access to defense articles and/or retransfer of technical data/defense services to individuals who are third country/dual national employees of the foreign licensees (and its approved sublicensees – if applicable). The exclusive nationalities authorized are listing all foreign nationalities of the employees who are not eligible for application of ITAR 124.16. Prior to any access or retransfer, the employee must execute a Non-Disclosure Agreement (NDA) referencing this DTC case number. The applicant must maintain copies of the executed NDAs for five years from the expiration of the agreement.
  3. If Requesting Third Country/Dual Nationals Who Do Qualify for ITAR 124.16: Pursuant to ITAR 124.16, this agreement authorizes access to unclassified defense articles and/or retransfer of technical data/defense services to individuals who are third country/dual national employees of the foreign licensees (and its approved sublicensees – if applicable). The exclusive nationalities authorized are limited to NATO, European Union, Australia, Japan, New Zealand, and Switzerland. All access and/or retransfers must take place completely within the physical territories of these countries or the United States.

More information available at: www.pmddtc.state.gov/dual_nationals.htm

At this time the Department of State is reviewing and modifying the current Guidelines for Preparing Agreements. Here are some key links. State says it will publish comprehensive new Agreements Guidelines this summer.

Current Guidelines for Preparing Agreements:

Word Version

PDF version

Updates to Guidelines for Preparing Agreements:

Section 9.4, Exporting Hardware Via Separate License in Furtherance of an Agreement (DOC)

Section 10.1, Sublicensing (DOC)

Agreements Menu:

Agreements Expiration Schedule

Agreements Renewal Deadline

“Beware of apparently good news.” — John Black

In the December 19, 2007 Federal Register, the Directorate of Defense Trade Controls (DDTC) of the State Department announced its new policy for dual and third country nationals. The change primarily is related to the requirement that when you apply for a Technical Assistance Agreement (TAA) or Manufacturing License Agreement, you must identify the foreign nationalities of the foreign signatories to the agreement.

For example, under the old rules if you apply for a TAA with a company in Germany, your application must identify any employees of the German company who will have access to the defense articles and have a nationality other than German. This would include a third country national who is a citizen of France, and a dual-national who has dual German and Mexican citizenship. In addition, under the old rules you have to get a Non-Disclosure Agreement (NDA) from the third country national (but not the dual national).

(For more information on the nuts and bolts related to preparation and submission of TAAs and MLAs under the new policy, see the next article.)

The new rule raises three issues:

1. Relaxed TAA and MLA requirements for to Nice Nationals
2. Implied Clarification of Requirements for Employees of Sub-Licensees
3. Implied Non-Clarification of the Term “Nationality”

Let’s take these one at a time.

1. Relaxed TAA and MLA Requirements for Nice Nationals

When you apply for a TAA, you no longer have to identify countries of nationality for dual and third country nationals who are nice nationals. Nice nationals are people with nationality exclusively of nice countries — for purposes of this ITAR rule, the nice countries are NATO member countries, EU member countries, Australia, New Zealand, Japan, and Switzerland, and you also do not have to get NDA from the same people.

Instead of listing individual countries and getting NDAs, you must include the new paragraph (a)(10) in ITAR 124.12 in which you request retransfer authorization for the nice nationals in ITAR 124.16. Once DDTC approves your TAA or MLA, items may be retransferred to nice nationals from any of the nice countries, and you don’t have to get NDAs. The blanket 124.16 authorization applies only to transfers within the United States or the nice countries. In addition, 124.16 does not authorize permanent retransfer of hardware-if a nice national needs to have access to ITAR hardware while doing his job he may have access, but if hardware actually needs to be permanently retransferred permanently to another party, that must be approved in the actual TAA/MLA or in a separate General Correspondence authorization.

There is one more requirement under the 124.16: the new benefits apply only to nice nationals employed parties who have either signed the TAA or MLA or who have signed an NDA. This leads us to the next point…

2. Implied Clarification of Requirements for Employees of Sub-Licensees

Well, after a dose of good ITAR news, I know all you experienced ITAR veterans are expecting some bad news. Here it is: (Insert funeral dirge tune here.) The ITAR now implies that you have to get NDAs from dual and third country nationals who are employees of sublicenses covered by your TAA and MLAs, in addition to having to get NDAs from duals and third employees of signatories to your TAAs and MLAs.

Ouch. Get NDAs from duals and third employed by sub-licensees.

OK, here are the details. The new ITAR 124.16 says you do not have to get NDAs from nice nationals employed by signatories who have signed the TAA/MLA or nice nationals employed sub-licensees who have signed the NDA. So, you might read this as implying that you have to get NDAs from non-nice nationals employed by sub-licensees.

There is nothing in the ITAR that explicitly or directly (much less clearly) says you have to get NDAs from foreign employed by sub-licensees. The Agreement Guidelines almost say that. The Guidelines include a reference to such a requirement but never actually impose the requirement-that is what you find, I should say, if you make a literal reading of the guidelines (using English grammar, an English language dictionary and logic). I am not going to give you the exact details of the almost requirement in the Guidelines-if you are not aware of it already, cherish your ignorance.

So there you go, the ITAR now implies that you have a huge new burden of getting NDAs from non-nice country nationals employed by sub-licensees. (Logically I would say that if, for example, a TAA includes a sub-licensee in Mexico, if the sub-licensee company signs the NDA, I certainly would not try to get NDAs from Mexican citizens who work for the sub-licensee.)

So, now the ITAR implies you have to get NDAs from non-nice country nationals employed by sub-licensees. Do you take the next step and say, well, if we have to get NDAs from those employees of the sub-licensees, shouldn’t we have to identify all of the nationalities of those employees in our TAA and MLA applications? My answer: Neither the Guidelines nor the ITAR require that you do so. Many of you do not have resources available to attempt to comply with an unstated extension of an implied requirement. If DDTC tells you to do it, then do it. If your compliance program is at a place where you can do it, it won’t hurt, until, of course, you put forth a great deal of effort trying to get a list of all of the dual and third nationalities from all of the sub-licensees in your TAA/MLA (or until you learn that your sub-licensee in France employees a dual French-Venezuelan national).

OK, now that you ITAR veterans have shifted from the initial good mood about the new rules to the more familiar irritated, overwhelmed and exasperated mood, let’s go to the last issue of this rule.

3. Implied Non-Clarification of the Term “Nationality”

In the Supplementary Information section of the Federal Register notice, DDTC made this statement, “In addition to citizenship, DDTC considers country of birth a factor in determining nationality.”

Importantly, DDTC does not define “nationality” with the above statement. DDTC only lets you know that it looks at citizenship and country of birth when it tries to determine a person’s nationality. It doesn’t say how it looks at those two factors nor does it tell you what other factors are involved (e.g., nationality of parents, time the person lived in various countries, passports the person holds, passports the person is eligible to hold, the first letter of the first name of the US exporter, DDTC policy of the week, current state of mind of licensing officer). So, DDTC raises the question of the definition of nationality, and refuses to define it.

I conclude that DDTC does not want to publish a definition of nationality because it wants to have the leeway to define it however it wants and change its definition, and, ultimately use one definition in one case and another definition in another case. Say a guy is born in Mexico, but moves to Canada when he is 1 year old, and is a Canadian citizen and has lived in English-speaking Canada his whole life-maybe DDTC thinks he is Canadian, but if the same guy were born in Iran and has only Canadian citizenship, maybe DDTC would like to call him Iranian. And, of course, if a guy is born in Iran and moves to the US when he is 21 and gets a US permanent resident alien status, well, of course DDTC treats him like a US citizen.

So, there you go, that is my analysis of the good, the bad, and the ugly of the recent Federal Register notice. The best thing about this analysis is the line, “Cherish your ignorance.” Unfortunately, I guess there ain’t much left to cherish.

For the details of the new rule, go to www.pmddtc.state.gov.

The rule expands the availability of License Exceptions TMP and BAG but does not authorize any new release of technology. Any technology exported under the new rule may only be released to persons who may receive that same technology pursuant to other provisions of the EAR which means it will still be subject to restrictions applicable to technology exports and reexports.

The rule makes several changes to Section 740.9 which amends the “tools of trade” and the definition of U.S. persons which are applicable to export and report certain technology. Restrictions have also been added to prevent unauthorized export or reexport of technology which will require U.S. employers to demonstrate and document the reasons why the technology is needed by employees in business activities which are abroad. There will also be an additional requirement and guidance for the return or disposal of the technology, which will include an illustrative list of examples of technology that exists in a format that could facilitate a subsequent release of technology.

Section 740.14 amends the tools of trade provision which will authorize the export or reexport of certain technology to U.S. persons for use in the trade, occupation, employment, vocation, or hobby of the traveler or members of the U.S. person’s household, provided that they are U.S. persons, who are traveling or moving. The rule also provides a specific definition the above mentioned U.S. persons.

This rule also specifies certain restrictions applicable to the exports and reexports of certain types of encryption technology. The encryption technology will be controlled under ECCN 5E002 and will not be authorized under the new “tools of trade” and the new U.S. persons tools of trade will not authorize the export or reepxort of ECCN 5E002 technology to any destination found in the Country Group E:1 of Supplement No. 1 to part 740.

More information:

Federal Register Notice

More information:

Federal Register Notice

The SNAP-R is an improvement of the BIS’s latter system, SNAP. The new system includes the ability to include documents related to a submission in the form of PDF files as “attachments” to the submission. The system also includes a feature that allows BIS personnel to request additional information from the submitting party and for the party to submit that information in a manner that ties the chain of communication to the submission.

SNAP-R is intended to reduce processing times and simplify compliance with the administration of export controls. The system should provide improved efficiency in submission and processing and will hopefully improve end-user security through rights management and an updated application and security infrastructure.

Under the proposal, paper submissions will only be accepted if:

1. The party has had only had one submission in the twelve months immediately preceding the current submission
2. The party does not have access to the internet
3. BIS has rejected the party’s electronic filing registration or revoked its eligibility to file electronically
4. BIS has determined that the party submit on paper for a particular transaction
5. BIS has determined that certain conditions justify allowing paper submissions on a particular instance.

More information:

Federal Register Notice (PDF)

• Applied Material China: supplier
• Boeing Hexcel AVIC I Joint Venture National Semiconductor Corporation
• Semiconductor Manufacturing International Corporation
• Shanghai Hua Hong NEC Corporation
• National Semiconductor Corporation

Each VEU has a list of specific Export Control Classification Numbers (ECCNs) that they may receive license-free under the VEU program. The eligible ECCNs vary from one VEU to the next. The new rule also identifies which facilities for each VEU are eligible to receive license-free exports/reexports.

More information and the complete final rule are available at:

Federal Register Notice

BIS Announcement

More information:

Federal Register Notice

This rule will expand the general order and add sixteen additional persons to it. Pursuant to the expansion, the general order will cover: (i) Persons regarding whom the U.S. Government possesses information of affiliation or relationship to Mayrow; and (ii) other persons regarding whom the U.S. Government possesses information concerning the acquisition or attempted acquisition of commodities capable of being used to construct IEDs, as well as persons who are related to or affiliated with such persons 2E The order will apply to persons specifically listed who fit within either of these two groups. To reflect this expansion, this rule will update the heading of the general order to use the term “persons”.

Details from Department of Commerce

— Hannah Bandalan