Export Administration Regulations: Establishment of License Exception Intra-Company Transfer (ICT), 57554-57564 [E8-23506]
Proposed Rules
Federal Register
Vol. 73, No. 193
Friday, October 3, 2008
This section of the FEDERAL REGISTER
contains notices to the public of the proposed
issuance of rules and regulations. The
purpose of these notices is to give interested
persons an opportunity to participate in the
rule making prior to the adoption of the final
rules.
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 740 and 772
[Docket No. 071213838–81132–01]
RIN 0694–AE21
Export Administration Regulations:
Establishment of License Exception
Intra-Company Transfer (ICT)
AGENCY: Bureau of Industry and
Security, Commerce.
ACTION: Proposed rule.
SUMMARY: This proposed rule would
amend the Export Administration
Regulations (EAR) to establish a new
license exception entitled ‘‘Intra-Company Transfer (ICT).’’ This license
exception would allow an approved
parent company and its approved
wholly-owned or controlled in fact
entities to export, reexport, or transfer
(in-country) many items on the
Commerce Control List (CCL) among
themselves for internal company use.
Prior authorization from the Bureau of
Industry and Security (BIS) would be
required to use this license exception.
This rule describes the criteria pursuant
to which entities would be eligible to
use License Exception ICT and the
procedure by which they must apply for
such authorization. This proposed rule
is one of the initiatives in the export
control directive announced by the
President on January 22, 2008.
DATES: Comments must be received by
November 17, 2008.
ADDRESSES: You may submit comments,
identified by RIN 0694–AE21, by any of
the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov. Follow the
instructions for submitting comments.
• E-mail: rpd2@bis.doc.gov. Include
‘‘RIN 0694–AE21’’ in the subject line of
the message.
• Fax: 202–482–3355
• Mail/Hand Delivery: Steven Emme,
U.S. Department of Commerce, Bureau
of Industry and Security, Regulatory
Policy Division, 14th & Pennsylvania
Avenue, NW., Room 2705, Washington,
DC 20230, ATTN: RIN 0694–AE21.
FOR FURTHER INFORMATION CONTACT:
Steven Emme, Regulatory Policy
Division; Telephone: 202–482–2440; E-mail: semme@bis.doc.gov.
SUPPLEMENTARY INFORMATION:
Background
Presidential Directives on U.S. Export
Control Reform and Deemed Export
Advisory Committee
On January 22, 2008, the President
announced a package of directives to
ensure that the export control policies
and practices of the United States
support the National Security Strategy
of 2006, while facilitating the United
States’ continued international
economic and technological leadership.
These directives focus the export
control system to meet the
unprecedented security challenges as
well as the economic challenges faced
by the United States, due to the
increasing worldwide diffusion of high
technology and impact of global
markets.
The directives recognize that the
economic and technological
competitiveness of the United States is
essential to meet long-term national
security interests. Export controls must,
therefore, cover the export and reexport
of sensitive items without unduly
burdening U.S. economic
competitiveness and innovation. This is
particularly critical in light of the
current and increasing globalization of
research, development, and production,
as well as the rise of new economic
competitors and the diffusion of global
supply networks that challenge U.S.
economic and technological
competitiveness.
Shortly before the President
announced the package of directives on
U.S. export control reforms, the Deemed
Export Advisory Committee (DEAC)
presented its findings to the Secretary of
Commerce on deemed export controls.
The DEAC, a federal advisory committee
established by the Secretary, undertook
a comprehensive examination of the
national security, technology, and
competitiveness aspects of the deemed
export rule. A deemed export is the
release of technology and source code
subject to the EAR to foreign nationals
in the United States that is ‘‘deemed’’ to
be an export to the home country or
countries of the foreign national. In its
final report, which was issued in
December 2007, the DEAC concluded
that the deemed export rule ‘‘no longer
effectively serves its intended purpose
and should be replaced with an
approach that better reflects the realities
of today’s national security needs and
global economy.’’ In order to address
this concern, the DEAC made several
recommendations, including creating a
category of ‘‘Trusted Entities’’ that
voluntarily elect to qualify for
streamlined treatment after meeting
certain criteria. Further, the DEAC
recommended that these ‘‘Trusted
Entities’’ include subsidiaries abroad so
that individuals and ideas could move
within the company structure without
the need for separate deemed export
licenses.
It is in the context of the President’s
directives on U.S. export control
reforms and with respect to the DEAC’s
recommendations on deemed export
controls that BIS is proposing this rule
creating a license exception for intra-company transfers.
The Impact of U.S. Export Controls on
Intra-Company Transfers
As global markets and manufacturing
continue to evolve, many parent
companies have numerous operations in
multiple countries for distribution,
service and repair, manufacturing and
development, product testing, and other
uses. In this environment, parent
companies increasingly export
commodities, software, and technology
to their foreign branches, subsidiaries,
and/or ultimate foreign parent
companies around the world.
Consequently, many companies may
need multiple export licenses from BIS
under a variety of scenarios for their
own internal operations. For example,
to conduct day-to-day operations, many
companies in the United States must
export commodities, software, and
technology to their foreign branches and
subsidiaries, resulting in the need for
export licenses. In addition, companies
may also require reexport licenses to
transfer items among their foreign
branches, foreign subsidiaries, and/or
their ultimate foreign parent companies,
located in multiple countries. On
occasion, a company will have several
branches or subsidiaries within the
same foreign country and must then
seek authorization to make in-country
transfers of technology and other items
between those entities. Finally,
releasing technology and source code
subject to the EAR to foreign national
employees at locations of the company
in the United States or at the location of
another foreign branch or subsidiary
could generate the need for deemed
export or deemed reexport licenses.
Generally, obtaining these licenses for
intra-company transfers can negatively
impact transactions due to the delay
involved in waiting for a licensing
decision. Moreover, obtaining licenses
for intra-company transfers can hinder
more than just individual transactions;
they can also hinder product
development and the ability to be first
to market—activities key to the
competitiveness of U.S. companies. For
many companies, product development
entails large capital investments,
compressed product cycles, and
intensive coordination of research and
development. With the current licensing
requirements in place, however, many
companies with U.S. operations may be
forced to segregate their research and
development activities. For instance,
while waiting for the approval of a
deemed export license, U.S. employees
and certain foreign national employees
would be precluded from collaborating
together on projects. Furthermore, once
the license is approved, companies may
still need to segregate their research and
development activities in the future
because product breakthroughs could
exceed the licensing parameters and
require a new round of export licensing.
Establishment of License Exception ICT
In order to facilitate secure exports,
reexports, and in-country transfers to,
from, and among a parent company and
its wholly-owned or controlled in fact
entities, the Bureau of Industry and
Security is proposing to amend the
Export Administration Regulations
(EAR) to create License Exception Intra-Company Transfer (ICT). License
Exception ICT, which would be set forth
in new § 740.19 of the EAR, would
provide companies a process for intra-company exports, reexports, and in-country transfers without individual
licenses. This license exception would
allow parent companies and the entities
that the parent company wholly owns or
controls in fact to export, reexport, and
transfer (in-country) many items on the
Commerce Control List (CCL) among
themselves for internal company use.
The grant of ICT would be restricted to
those approved companies and those
Export Control Classification Numbers
(ECCNs) that are authorized by BIS.
Companies authorized to use License
Exception ICT would benefit because it
would relieve them of some of the
administrative requirements of
obtaining, tracking, and reporting on
individual licenses and would reduce
the lag time, expense, and uncertainty
in the licensing process. This license
exception would also improve research
and development and other internal
company activities, thus leading to
improved competitiveness and
innovation for companies with
operations in the United States.
In proposing this license exception for
intra-company exports, reexports, and
in-country transfers, BIS recognizes that
industry and government share the goal
of protecting controlled commodities,
software, and technology, since these
often represent proprietary information
and property. Moreover, BIS also
recognizes that many companies devote
considerable financial and workforce
resources to ensuring compliance with
export controls. BIS would authorize
License Exception ICT for those
companies that demonstrate effective
internal control plans, submit annual
reports on their use of ICT, and agree to
audits by BIS officials as requested.
By authorizing this license exception
for companies that have effective
internal control plans and have agreed
to audits, BIS can focus its resources on
evaluating transactions involving lesser-known items and entities to better
prevent exports to persons who may act
contrary to U.S. national security and
foreign policy interests. Greater focus on
such transactions would increase the
national security value of the remaining
reviews of individual license
applications.
Definitions
For purposes of this rule, BIS is
defining multiple terms used with
respect to License Exception ICT. These
terms are ‘‘controlled in fact,’’
‘‘employee,’’ and ‘‘parent company.’’
This rule would amend § 772.1 of the
EAR to include these new definitions as
described below.
First, BIS is amending the definition
of ‘‘controlled in fact’’ in § 772.1 by
applying aspects of the definition of the
same term set forth in § 760.1(c) of the
EAR to specify the circumstances in
which one entity will be presumed to
have control over another entity for
purposes of License Exception ICT. In
order to include any entity in its
application to use License Exception
ICT, the parent company must either
wholly own or control in fact that
individual entity.
Next, BIS is amending § 772.1 to add
the term ‘‘employee,’’ for purposes of
License Exception ICT, to refer to
persons who work, with or without
compensation, in the interest of an
entity that is an approved eligible user
or an approved eligible recipient of ICT.
Such persons must work at the
approved eligible entity’s locations,
including overseas locations, or at
locations assigned by the approved
eligible entity, such as at remote sites or
on business trips. This definition may
include permanent employees,
contractors, and interns.
Finally, BIS is amending § 772.1 to
add the term ‘‘parent company,’’ which
will be defined for purposes of License
Exception ICT, to mean any entity that
wholly owns or controls in fact a
different entity, such as a subsidiary or
branch. The parent company does not
have to be an ultimate parent company,
as that term is referred to in the
definition of parent company; it may be
wholly-owned or controlled by another
entity or other entities. Also, the parent
company does not need to be
incorporated in or have its principal
place of business in the United States.
However, in order to be eligible for and
use License Exception ICT, the parent
company must be incorporated in or
have its principal place of business in
a country listed in Supplement No. 4 to
part 740 (see new § 740.19(b)(1)). This
definition does not include colleges and
universities. Thus, the research
conducted by colleges and universities
that is not fundamental research (see
§ 734.8(a) of the EAR) and that requires
a license would not qualify for License
Exception ICT. However, a university
professor who enters into a contractual
relationship with a company to conduct
proprietary research could qualify as an
‘‘employee’’ if all conditions in that
definition are met.
Information Required for Submission to
BIS for Review to Use License Exception
ICT
In order to avail themselves of License
Exception ICT, a ‘‘parent company’’ and
the entities that it wholly owns or
‘‘controls in fact’’ must maintain an
internal control plan, hereinafter
referred to as an ICT control plan. Upon
implementation of the ICT control plan,
the parent company, as the eligible
applicant under new § 740.19(b)(1),
must submit the plan to BIS for review
pursuant to new § 740.19(e).
Additionally, the eligible applicant
must submit documentation showing
that the ICT control plan has been
implemented. Such documentation
should include a representative sample
of records showing effective compliance
with the screening, training, and self-evaluation elements of the ICT control
plan, as described below in further
detail.
Along with the ICT control plan and
supporting documentation, the eligible
applicant parent company must list the
wholly-owned entities and controlled in
fact entities that the applicant parent
company intends to be eligible users
(see new § 740.19(b)(2)) or eligible
recipients (see new § 740.19(b)(3)(i)) of
this license exception. It is possible for
an entity to be both an eligible user and
an eligible recipient. For itself, and for
each eligible user and eligible recipient
entity, the eligible applicant parent
company must list any individual or
group that has at least a 10% ownership
interest. Finally, the eligible applicant
parent company must list the ECCNs of
the items it plans to export, reexport, or
transfer (in-country) under ICT; provide
a narrative describing the purpose for
which the requested ECCNs will be used
and the anticipated resulting
commodities, if applicable; disclose its
relationship with each entity that is
intended to be an eligible user and/or
eligible recipient; and provide a signed
statement by a company officer of the
eligible applicant parent company
stating that each entity will allow BIS to
conduct audits on the use of License
Exception ICT.
ICT Control Plan
An ICT control plan seeks to ensure
that items on the Commerce Control List
will not be exported, reexported, or
transferred in violation of this license
exception. As this license exception
may be used for commodities, software,
and technology, the ICT control plan
must address how the parent company
and the entities that it wholly owns or
controls in fact, as eligible users and
eligible recipients, will maintain items
authorized for export, reexport, or
transfer by this license exception within
the company structure, as authorized by
BIS.
Within the ICT control plan, eligible
applicants must describe how certain
mandatory elements will be met. These
mandatory elements, which are listed in
new § 740.19(d)(1), include corporate
commitment to export compliance, a
physical security plan, an information
security plan, personnel screening
procedures, a training and awareness
program, a self-evaluation program, a
letter of assurance for software and
technology, non-disclosure agreements,
and end-user list reviews. All of these
elements are aspects of export control
compliance programs that establish
effective internal control plans. In turn,
these internal control plans generate an
increased level of awareness of export
control compliance issues among
employees and help secure a company’s
proprietary information.
For the required ICT control plan
elements in paragraphs (d)(1)(i) through
(d)(1)(vi) of new § 740.19, BIS is not
specifying how each company must
achieve them due to the varying
characteristics of companies. However,
paragraphs (d)(1)(i) through (d)(1)(vi) do
contain illustrative examples of
evidence that a company may use in its
descriptions detailing how it will
implement those mandatory elements.
While companies may include
additional elements in their ICT control
plan, they must, at a minimum, describe
how the minimum mandatory elements
set forth in § 740.19(d)(1) will be met.
One mandatory element—the self-evaluation program in paragraph
(d)(1)(vi)—requires the creation and
performance of regular internal self-audits, creation of a checklist of critical
areas and items to review, and
development of corrective procedures or
measures implemented to correct
identified deficiencies. If any identified
deficiencies rise to the level of a
violation of the EAR, the company
should make a voluntary self-disclosure
pursuant to § 764.5.
If a company plans to use this license
exception for commodities only, then
the company may state in the ICT
control plan that the mandatory
elements of the ICT control plan set
forth in paragraphs (d)(1)(iii)
(information security plan), (d)(1)(iv)
(personnel screening procedures),
(d)(1)(vii) (letter of assurance for
software and technology), (d)(1)(viii)
(signing of non-disclosure agreements),
and (d)(1)(ix) (review of end-user lists)
are not applicable because the license
exception will be used for commodities
only and not used for software or
technology. Similarly, if a company
plans to use this license exception for
software (excluding source code) only,
or if a company plans to use this license
exception for commodities and software
(excluding source code) only, then the
company may state in the ICT control
plan that the mandatory elements found
in paragraphs (d)(1)(iv) (personnel
screening procedures), (d)(1)(viii)
(signing of non-disclosure agreements),
and (d)(1)(ix) (review of end-user lists)
are not applicable because the license
exception will be used for software
(excluding source code) only, or, if
appropriate, for software (excluding
source code) and commodities only, and
not used for technology or source code.
Mandatory Requirements for
Technology and Source Code Under an
ICT Control Plan
Entities that seek to be approved
eligible users and/or eligible recipients
of this license exception must ensure
that non-U.S. national employees,
wherever located, sign non-disclosure
agreements before receiving technology
or source code under this license
exception. Such non-disclosure
agreements must state that the employee
agrees not to release any technology or
source code in violation of the EAR, and
such agreements must be binding as
long as the technology or source code
remains subject to export controls,
regardless of the signatory’s
employment relationship with the
employer. In other words, even if the
signatory’s employment relationship
with the employer were severed, the
signatory would remain prohibited from
releasing any technology or source code
received under License Exception ICT
while employed. The non-disclosure
agreement must also specify that the
prohibition would remain in effect until
the technology or source code no longer
required a license to any destination
under the EAR.
In addition, entities that seek to be
approved eligible users and/or eligible
recipients of ICT must screen non-U.S.
national employees who are also foreign
national employees in the country in
which they are working against lists of
end-user concern. This screening
requirement applies if such individuals
are to receive technology or source code
under ICT. The lists of end-users of
concern are compiled by the U.S.
government and may be accessed at the
BIS Web site at https://www.bis.doc.gov.
Upon publication of a final rule, BIS
plans to provide guidance on its website
with respect to screening such
employees for purposes of ICT.
Non-U.S. national employees are
those employees who are not U.S.
citizens, U.S. permanent residents, or
protected individuals under the
Immigration and Naturalization Act (8
U.S.C. 1324b(a)(3)). Foreign national
employees are those non-U.S. national
employees, wherever located, who are
not citizens or legal permanent residents
of the country in which they work. For
instance, a German national working in
the United States and a German national
working in France are both considered
foreign national employees for purposes
of this rule (and more generally for
purposes of the EAR). However, a
French national working in France is
not a foreign national employee from
the perspective of BIS. Therefore, all
foreign national employees are non-U.S.
national employees, but not all non-U.S.
national employees are foreign national
employees. This distinction is important
because the non-disclosure agreement
element in an ICT control plan applies
to the German national working in
France as well as to the French national
working in France. Thus, it applies to
non-U.S. national employees who
would otherwise be permitted to receive
technology or source code subject to the
EAR, if not for the grant of ICT, under
a deemed export license, deemed
reexport license, license to a facility
where the employee works, or other
license exception.
Unlike the non-disclosure agreement
requirement, the screening element
applies only to foreign national
employees. Hence, it would apply to a
German national working in France but
not to a French national working in
France. The release of technology or
source code subject to the EAR to a
foreign national employee may occur
under a deemed export or deemed
reexport license or by operation of a
license exception, but it may also occur
under a license that has been issued to
a facility. For example, a technology
license approved for a French facility
may have a condition allowing all EU
nationals to receive the technology as
well as the French employees. The
screening requirement is intended to
apply to all foreign national employees
receiving technology or source code
under ICT that would otherwise require
a license, whether it be through a
license for a deemed export or deemed
reexport, a license issued to a facility, or
other license exception.
Additionally, foreign national
employees of companies located in the
United States must comply with U.S.
immigration laws and maintain current
and valid visa authorization.
Authorization From BIS to Use License
Exception ICT
Following receipt of the ICT control
plan and all information required under
new § 740.19(e)(1), BIS will review and
refer the submission to the reviewing
agencies consistent with §§ 750.3 and
750.4 of the EAR and Executive Order
12981, as amended by Executive Orders
13020, 13026, and 13117. In order to
determine ICT eligibility, BIS will
consider prior licensing history of the
eligible applicant parent company and
its wholly-owned or controlled in fact
entities that are part of the authorization
request, demonstration of an effective
ICT control plan, need for this license
exception within the company structure
as articulated by the applicant parent
company, and relationship of the
wholly-owned or controlled in fact
entities to the eligible applicant parent
company.
Upon reaching a decision, BIS will
inform the eligible applicant parent
company in writing if it may use this
license exception pursuant to new
§ 740.19(f). BIS will specify the terms of
the ICT authorization, including
identifying the wholly-owned or
controlled in fact entities of the eligible
applicant parent company that may use
ICT and the ECCNs of the items that
may be exported, reexported, or
transferred (in-country) for internal
company use under ICT. After receiving
authorization, approved parent
companies and their approved wholly-owned or controlled in fact entities, if
covered under the ICT control plan, may
use this license exception to export,
reexport, or transfer (in-country)
approved commodities, software, and/or
technology among themselves for
internal company use only. Any entity
that seeks to become an eligible user
and/or eligible recipient, as described in
new §§ 740.19(b)(2) and 740.19(b)(3)(i),
must be specifically covered by the ICT
control plan submitted to BIS and
maintain the ICT control plan of the
eligible applicant parent company.
Exports, reexports, and in-country
transfers for any purpose other than
internal company use are not authorized
under License Exception ICT. With
respect to an item that has been
exported, reexported, or transferred (in-country) pursuant to License Exception
ICT, the entity must submit a license
application if required under the EAR
before using the item for a purpose other
than that covered by this license
exception. Also, should control of the
approved eligible applicant parent
company change, then use of License
Exception ICT is no longer valid. The
newly-controlled eligible applicant
parent company must re-submit the
information required for ICT
authorization, as described in new
§ 740.19(g)(3).
Annual Reporting Requirements
After submitting a request for
authorization to use License Exception
ICT pursuant to new § 740.19(e) and
after receiving approval from BIS,
approved eligible applicant parent
companies must submit an annual
report to BIS on the use of this license
exception by itself and by its approved
wholly-owned or controlled in fact
entities. Specifically, approved eligible
applicant parent companies must list
the name, nationality, and date of birth
of each foreign national employee, as
described in note 2 to new
§ 740.19(b)(3)(ii), who has received
technology or source code under this
license exception. The requirement is
limited to those employees, who would
have required a license to receive
technology or source code if not for ICT,
and who are not citizens or legal
permanent residents of the country in
which they are employed. Therefore, it
applies to foreign national employees
working in the United States and to
foreign national employees working
outside of the United States.
Also, approved eligible applicant
parent companies must submit the
names of those foreign national
employees, as described in note 2 to
new § 740.19(b)(3)(ii), who previously
received technology or source code
under this license exception and have
ended their employment. This
requirement does not apply to those
who have merely switched positions
within the company structure of the
parent company, so long as the new
employer is an approved eligible entity
under the same parent company. BIS is
requesting this information in order to
examine the use of License Exception
ICT and measure its effectiveness.
Further, a company officer must certify
to BIS that the approved eligible
applicant parent company and its
approved eligible users and eligible
recipient entities are in compliance with
the terms and conditions of ICT. This
certification should include the results
of the self-evaluation described in
paragraph (d)(1)(vi) of this section.
Auditing Use of License Exception ICT
BIS will conduct audits of approved
eligible applicant parent companies and
their approved wholly-owned or
controlled in fact entities to ensure
proper compliance with License
Exception ICT. These reviews will take
place approximately once every two
years. Generally, BIS will give notice to
the relevant parties before conducting
an audit. However, if BIS has reason to
believe that an entity is improperly
using ICT, BIS may conduct an
unannounced audit at its discretion that
is separate from the biennial audit.
Restrictions on the Use of License
Exception ICT and the Direct Product
Rule
Consistent with other license
exceptions, License Exception ICT is
subject to the restrictions on the use of
all license exceptions, which are set
forth in § 740.2 of the EAR. Therefore,
ICT cannot be used for certain items,
such as items controlled for missile
technology reasons or certain items that
are ‘‘space qualified.’’ Moreover, ICT is
subject to revision, suspension, or
revocation, in whole or in part, without
notice.
Also, new § 740.19(c) lists restrictions
on using ICT. For instance, items
controlled for Encryption Items (EI)
reasons and items controlled for
Significant Items (SI) reasons are
ineligible for export, reexport, or
transfer (in-country) under ICT. At this
time, License Exception ENC will
remain the primary resource for
providing the authorization necessary
for many intra-company transfers of
encryption items. Further, no items
exported, reexported, or transferred
within country under this license
exception may be subsequently
exported, reexported, or transferred for
purposes other than internal company
use, unless done so in accordance with
the EAR. However, items that have been
exported, reexported, or transferred (in-country) under License Exception ICT
may not be subsequently exported,
reexported, or transferred (in-country)
under License Exception APR (see
§ 740.16).
Finally, note that whether the foreign
direct product of U.S. software or
technology exported from abroad,
reexported, or transferred under License
Exception ICT is subject to the EAR is
determined under § 736.2(b)(3) of the
EAR, when the foreign direct product is
exported from abroad, reexported, or
transferred (in-country) for other than
internal use within a Country Group D:1
country or Cuba.
Although the Export Administration
Act expired on August 20, 2001, the
President, through Executive Order
13222 of August 17, 2001, 3 CFR, 2001
Comp., p. 783 (2002), as extended by the
Notice of July 23, 2008, 73 FR 43603
(July 25, 2008), has continued the
Export Administration Regulations in
effect under the International
Emergency Economic Powers Act.
Rulemaking Requirements
1. This proposed rule has been
determined to be significant for
purposes of Executive Order 12866.
2. Notwithstanding any other
provision of law, no person is required
to respond to nor be subject to a penalty
for failure to comply with a collection
of information, subject to the
requirements of the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501
et seq.) (PRA), unless that collection of
information displays a currently valid
Office of Management and Budget
(OMB) Control Number. This proposed
rule contains a collection previously
approved by the OMB under control
numbers 0694–0088, ‘‘Multi-Purpose
Application,’’ which carries a burden
hour estimate of 58 minutes to prepare
and submit form BIS–748.
Miscellaneous and recordkeeping
activities account for 12 minutes per
submission. In addition, this proposed
rule contains a new collection for
reporting, recordkeeping, and auditing
requirements, which would be
submitted for approval to use License
Exception ICT, carries an estimated
burden of 19.6 hours for companies
having an existing internal control plan
and 265.6 hours for companies not
having an existing internal control plan
in place. A request for new collection
authority will be submitted to OMB for
approval. Public comment will be
sought regarding the burden of the
collection of information associated
with preparation and submission of
these proposed voluntary requirements.
BIS estimates that this rule will reduce
the number of multi-purpose
application forms that must be filed by
582 annually. Send comments regarding
this burden estimate or any other aspect
of this collection information, including
suggestions for reducing the burden, to
Jasmeet K. Seehra, Office of
Management and Budget (OMB), and to
the Regulatory Policy Division, Bureau
of Industry and Security, Department of
Commerce, as indicated in the
ADDRESSES section of this proposed rule.
3. This rule does not contain policies
with Federalism implications as that
term is defined in Executive Order
13132.
4. The Regulatory Flexibility Act
(RFA), as amended by the Small
Business Regulatory Enforcement
Fairness Act of 1996 (SBREFA), 5 U.S.C.
601 et seq., generally requires an agency
to prepare a regulatory flexibility
analysis of any rule subject to the notice
and comment rulemaking requirements
under the Administrative Procedure Act
(5 U.S.C. 553) or any other statute,
unless the agency certifies that the rule
will not have a significant economic
impact on a substantial number of small
entities. Under section 605(b) of the
RFA, however, if the head of an agency
certifies that a rule will not have a
significant economic impact on a
substantial number of small entities, the
statute does not require the agency to
prepare a regulatory flexibility analysis.
Pursuant to section 605(b), the Chief
Counsel for Regulations, Department of
Commerce, certified to the Chief
Counsel for Advocacy, Small Business
Administration, that this proposed rule,
if promulgated, will not have a
significant economic impact on a
substantial number of small entities for
the reasons explained below.
Consequently, BIS has not prepared a
regulatory flexibility analysis.
The EAR applies to all entities that
export, reexport, or transfer
commodities, software, and technology
that are subject to the EAR. The EAR
potentially affects any entity in any
sector that chooses to export, reexport,
or transfer items subject to the EAR.
Thus, while this proposed rule could
potentially have a significant economic
impact on small entities, BIS believes
that this proposed rule will not impact
a substantial number of small entities.
BIS does not have data on the total
number of small entities that are
potentially impacted by the
requirements of the EAR, but BIS does
maintain data on actual licenses applied
for by entities of all sizes. In order to
examine the number of small entities
that would be impacted by this
proposed rule, BIS examined the
licensing data to find approved licenses
that would potentially qualify as an
intra-company transfer. Using this data
as well as using estimated burden hours
in gaining ICT authorization, BIS
conducted a cost-benefit analysis to see
which entities would likely choose to
apply for authorization. BIS also
examined all approved licenses that
could qualify as intra-company transfers
to determine whether any entities were
small entities.
Upon initial examination of licensing
data from 2004 to 2006, BIS found that
approximately 200 companies had
licenses approved that could potentially
qualify as an intra-company transfer. Of
those companies, the vast majority
consisted of large parent companies,
medium-sized companies, or companies
that were owned by larger domestic or
foreign companies. This result supports
the premise that entities that would
avail themselves of ICT must be large
enough to have subsidiaries or branches
located in different countries that the
entities control in fact.
To look at which of those
approximately 200 companies would
most likely choose to apply for ICT
authorization, BIS conducted a cost-benefit analysis by estimating the
burden hours involved in gaining ICT
authorization as well as with complying
with recordkeeping and reporting
requirements under ICT. BIS
determined that over a three-year period
it would take 280.8 hours (or 16,848
minutes) for a company without an
internal control program to seek ICT
authorization and 34.8 hours (or 2088
minutes) for a company with an existing
internal control program to seek ICT
authorization. The threshold by which
companies would likely be inclined to
apply for authorization to use ICT is the
point at which the burden of applying
for licenses over a three-year period (at
70 minutes per license) exceeds the total
ICT burden hours over three years (at
16,848 minutes for companies without
an existing internal control program or
at 2088 minutes for companies with an
internal control program). In order to
meet that threshold, companies without
an internal control program would have
to apply for about 241 licenses over a
three-year period, and companies with
an existing internal control program
would have to apply for about 30
licenses per year over a three-year
period. Only two companies meet the
241 license threshold, and those
companies are not small entities under
the North American Industry
Classification System (NAICS)
standards. Sixteen companies meet the
30 license threshold or come close
(within five licenses) of meeting the
threshold, and none of those companies
is a small entity under the NAICS
standards. In addition to burden hours,
companies without an existing internal
compliance program may be less likely
to choose to seek ICT authorization
because additional investments would
likely need to be made to implement an
internal control program. While these
upfront investments could greatly vary
depending on company size as well as
the type and number of items in the
company portfolio, it is likely that
companies would need to invest in
physical and information security as
well as incur travel expenses to visit
overseas facilities to ensure that the
internal compliance program is
operating effectively. All of these
additional costs would likely increase
the burden in any cost-benefit analysis
and would likely make an entity of any
size that does not have an internal
compliance program less likely to seek
ICT authorization and thus not be
impacted by this proposed rule.
Even if an entity without an internal
compliance program utilizes a different
cost-benefit analysis and decides to
apply for ICT authorization, BIS
licensing data shows that the potential
ICT candidate would not be a small
entity. Only four companies, for which
public information was available, were
found to qualify as small entities under
the NAICS. However, the potential
intra-company licenses approved for
these four entities would all be
ineligible under License Exception ICT.
The items approved for export were all
items listed under § 740.2 that are
restricted for export, reexport, or in-country transfer under all license
exceptions. Therefore, no small entity
was found to have licenses that were
approved by BIS over a three-year
period that would qualify under ICT.
Consequently, this proposed rule would
not affect a significant number of small
entities.
This proposed rule was mandated by
the President in National Security
Presidential Directive (NSPD) 55. While
this proposed rule will increase burden
hours for those entities choosing to seek
authorization for License Exception ICT,
BIS licensing data and publicly
available information show that no
small entities in the period of review
received approved licenses for intra-company transfers that would be
eligible for License Exception ICT.
Thus, a substantial number of small
entities will not be impacted by this
proposed rule.
List of Subjects
15 CFR Part 740
Administrative practice and
procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 772
Exports.
For the reasons set forth in the
preamble, parts 740 and 772 of the
Export Administration Regulations (15
CFR 730–774) are amended as follows:
PART 740—[AMENDED]
1. The authority citation for 15 CFR
part 740 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50
U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp.,
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001
Comp., p. 783; Notice of July 23, 2008, 73 FR
43603 (July 25, 2008).
2. Section 740.19 is added to read as
follows:
§ 740.19 Intra-Company Transfer (ICT).
(a) Scope. This license exception
authorizes exports, reexports, and in-country transfers of items on the
Commerce Control List for internal
company use among approved eligible
applicants, eligible users, and eligible
recipients, as described in paragraphs
(b)(1), (b)(2), and (b)(3) respectively, of
this section. Use of License Exception
ICT is limited to those entities and those
ECCNs that are authorized by BIS,
pursuant to paragraph (f) of this section.
(b) Eligibility.
(1) Eligible applicant. The eligible
applicant is the “parent company,” as
that term is defined in section 772.1,
that institutes an ICT control plan, as
described in paragraph (d) of this
section, and that applies for
authorization from BIS to use this
license exception. The eligible applicant
must be incorporated in or have its
principal place of business in any
country listed in Supplement No. 4 to
part 740. In addition, the eligible
applicant may be, but is not required to
be, the ultimate parent company, as that
term is referred to in the definition of
“parent company” set forth in section
772.1; hence the eligible applicant may
be owned or controlled by other entities.
However, the ultimate parent company
cannot be an eligible user under this
license exception unless it is also the
eligible applicant. Application
requirements are set forth in paragraph
(e) of this section.
(2) Eligible users. Eligible users may
be eligible applicants, as described in
paragraph (b)(1) of this section, and
their wholly-owned or “controlled in
fact” entities that implement and
maintain the ICT control plan of the
eligible applicant and that are included
in the applications submitted by eligible
applicants pursuant to paragraph (e) of
this section. Eligible applicants must
ensure that each eligible user
implements the eligible applicant’s ICT
control plan, including the use of non-disclosure agreements as described in
paragraph (d)(1)(viii) of this section.
(3) Eligible recipients.
(i) Entities. Eligible recipients of items
under this license exception may be
eligible applicants as described in
paragraph (b)(1) of this section, eligible
users as described in paragraph (b)(2) of
this section, and eligible applicants’
other wholly-owned or controlled in
fact companies that implement and
maintain the ICT control plan of the
eligible applicant and that are named in
the applications submitted by the
eligible applicant pursuant to paragraph
(e) of this section. Eligible applicants
must ensure that each eligible recipient,
as described in this paragraph,
implements the eligible applicant’s ICT
control plan, including the use of non-disclosure agreements as described in
paragraph (d)(1)(viii) of this section.
(ii) Non-U.S. national employees
receiving technology or source code.
Non-U.S. national employees (wherever
located) of entities that are eligible
applicants, eligible users, and/or eligible
recipients of this license exception may
be eligible recipients of technology and
source code under this license
exception provided the non-U.S.
national employees sign non-disclosure
agreements with their employer in
which the non-U.S. national employees
agree not to release any technology or
source code in violation of the EAR.
Additionally, if non-U.S. national
employees are also foreign national
employees in their country of
employment, then such non-U.S.
national employees must also be
screened by the appropriate eligible user
against end-user lists compiled by the
U.S. government. For further
information on employees, non-disclosure agreements, and screening
requirements, see §§ 772.1,
740.19(d)(1)(viii), and 740.19(d)(1)(ix)
respectively.
Note 1 to paragraph (b)(3)(ii) of this
Section: Non-U.S. national employees are
those employees who are not U.S. citizens,
lawful permanent residents of the United
States, or individuals protected under the
Immigration and Naturalization Act (8 U.S.C.
1324b(a)(3)). Non-U.S. national employees
include those working in the United States
and outside of the United States.
Furthermore, non-U.S. national employees
include those employees who would
otherwise be permitted to receive technology
or source code only under: (1) A deemed
export or deemed reexport license; (2) a
license issued to a facility, and the employee
is a citizen or legal permanent resident of the
same country where the facility is located;
and (3) a license issued to a facility, but the
employee is not a citizen or legal permanent
resident of the country where the facility is
located; (4) another authorization such as a
license exception other than ICT.
Note 2 to paragraph (b)(3)(ii) of this
Section: Foreign national employees are
those non-U.S. national employees who are
not citizens or legal permanent residents of
the country in which they are employed.
Foreign national employees include those
employees who would otherwise receive
technology or source code under: (1) A
deemed export or deemed reexport license;
or (2) a license to a facility, but the employee
is not a citizen or legal permanent resident
of the country where the facility is located;
or (3) another authorization such as a license
exception other than ICT.
(4) Eligible uses. Items exported,
reexported, or transferred within
country under this license exception
may be exported, reexported, or
transferred only for purposes of the
internal company use by approved
eligible applicants and approved
eligible users of this license exception,
as described in paragraphs (b)(1) and
(b)(2) respectively, of this section.
(c) Restrictions.
(1) No item may be exported,
reexported, or transferred within
country under this license exception to
destinations in or nationals of Country
Group E or North Korea.
(2) No item exported, reexported, or
transferred within country under this
license exception may be subsequently
exported, reexported, or transferred for
purposes other than the internal
company use of approved eligible
applicants, eligible users, and eligible
recipients, as described in paragraphs
(b)(1), (b)(2), and (b)(3)(i) respectively,
of this section, unless done so in
accordance with the EAR. See paragraph
(c)(3) of this section for further
restrictions.
(3) No items that have been exported,
reexported, or transferred (in-country)
under License Exception ICT may be
subsequently exported, reexported, or
transferred (in-country) under License
Exception APR (see § 740.16).
(4) No release of technology or source
code is authorized under this license
exception to foreign national employees
whose visa or authority to work has
been revoked, denied, or is otherwise
not valid. It is the responsibility of the
exporter to ensure that foreign national
employees working in the United States
maintain a valid U.S. visa if they are
required to hold a visa from the United
States.
(5) No release of technology or source
code is authorized under this license
exception to a foreign national
employee, as described in note 2 to
paragraph (b)(3)(ii), if that employee or
a prior employer of that employee is
listed on any of the end-user lists of
concern compiled by the U.S.
government. In such instances, eligible
applicants (or eligible users, as
appropriate) should obtain the
appropriate authorization required
under the EAR.
(6) No items controlled for Encryption
Items (EI) reasons under ECCNs 5A002,
5D002, or 5E002 may be exported,
reexported, or transferred (in-country)
under this license exception.
(7) No items controlled for Significant
Items (SI) reasons may be exported,
reexported, or transferred (in-country)
under this license exception.
(d) ICT control plan. Prior to
submitting an application to BIS under
paragraph (e) of this section, and before
making any exports, reexports, or in-country transfers under this license
exception, eligible applicants must
implement an ICT control plan that is
designed to ensure compliance with this
license exception and the EAR. In
addition, eligible users and eligible
recipient entities must implement the
ICT control plan of the eligible
applicant. Under an ICT control plan,
which may be a component of a more
comprehensive export compliance
program, all entities that seek to use this
license exception must ensure that
commodities, software, and technology,
where applicable, will not be exported,
reexported, or transferred in violation of
this license exception. With their
application for authorization (as
described in paragraph (e) of this
section) to use this license exception,
eligible applicants must submit a copy
of the ICT control plan and must
specifically note which of their wholly-owned or controlled in fact entities are
covered by the plan. BIS may require
the eligible applicant to modify the ICT
control plan before authorizing use of
this license exception. Paragraph (d)(1)
of this section lists the mandatory
elements of an ICT control plan.
Paragraph (d)(2) of this section lists
exceptions to addressing certain
mandatory elements in paragraph (d)(1)
in the ICT control plan.
(1) Mandatory elements of an ICT
control plan. The following elements are
mandatory, subject to the exceptions in
paragraph (d)(2) of this section. The ICT
control plan must describe how each
mandatory element will be
implemented. In order to provide
guidance, the mandatory elements
described in paragraphs (d)(1)(i) through
(d)(1)(v) include illustrative examples of
evidence demonstrating how the
element may be addressed. Note that
these illustrative examples are
guidelines only; satisfying the five
required elements in paragraphs (d)(1)(i)
through (d)(1)(v) of this section is
dependent upon the nature and
complexity of company activities, the
type of items that will be exported,
reexported, or transferred under this
license exception (i.e., commodities,
software, and/or technology), the
countries involved, and the relationship
between the eligible users and eligible
recipients of this license exception, as
described in paragraphs (b)(2) and
(b)(3)(i) respectively of this section.
With respect to the other four elements
of the ICT control plan, eligible
applicants must fulfill certain specified
requirements. For paragraphs (d)(1)(vi),
(d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) of
this section, no illustrative examples are
included. Note, however, that to satisfy
the self-evaluation element in paragraph
(d)(1)(vi) of this section, establishing
self-audits, creating a checklist, and
developing corrective measures are
required, but the self-audits may be
structured in a manner that works best
for the eligible applicant and its wholly-owned or controlled in fact entities. In
order to use this license exception for
technology or software, a letter of
assurance, consistent with §§ 740.19(c)
and 740.6, must be provided by a
company officer of the eligible
applicant. Additionally, in order to use
this license exception for non-U.S.
national employees, wherever located,
to receive technology or source code
under this license exception, submitting
a template or sample of the non-disclosure agreement to be used is a
mandatory element. Also, in order to
use this license exception for non-U.S.
national employees who are also foreign
national employees, reviewing lists of
end-users of concern compiled by the
U.S. government is a mandatory
element.
(i) Corporate commitment to export
compliance. Evidence of a corporate
commitment to export compliance may
include: An organizational chain of
command for export controls
compliance issues and related issues of
concern; senior management member(s)
responsible for export controls
compliance, who are able to
demonstrate how compliance issues are
resolved; internal recordkeeping
requirements in accordance with the
EAR; maintenance of a sound
commodity classification methodology;
and commitment of resources to
implement and maintain an ICT control
plan.
(ii) Physical security plan. Evidence of
a physical security plan may include:
Methods of physical security that
prevent the transfer of commodities,
software, and technology on the
Commerce Control List outside of the
internal company structure; and
organization and maintenance of up-to-date building layouts, including a
description of physical security
measures, such as secured doors and
badges as well as biometric, guard, and
perimeter controls.
(iii) Information security plan.
Evidence of an information security
plan may include: Organization and
maintenance of up-to-date virtual
security layouts and descriptions of
what information security methods are
in place, such as password protection,
firewalls, segregated servers, non-network computers, and intranet
security.
(iv) Personnel screening procedures.
Evidence of personnel screening
procedures may include: Thorough pre-screening analysis of new foreign
national employees, as described in note
2 to paragraph (b)(3)(ii), which includes,
but is not limited to, criminal
background, driver’s license, and credit
history, before allowing them to receive
technology or source code through a
license or license exception.
(v) Training and awareness program.
Evidence of a training and awareness
program may include: Creation,
scheduling, and performance of regular
training programs (for all employees
working in areas relevant to export
controls) to inform employees about
export controls and limits on their
access to technology or source code.
(vi) Self-evaluation program.
Evidence of a self-evaluation program
must include the following three
components: Creation and performance
of regular internal self-audits, which
may be conducted through the use of
internal and/or external resources
depending upon the needs and demands
of the organization; creation of a
checklist of critical areas and items to
review, including identification of any
deficiencies; and development of
corrective procedures or measures
implemented to correct identified
deficiencies. Note: Disclosure of
identified deficiencies and corrective
actions will be considered when
evaluating effective ICT control plans
under paragraph (f)(2). Failure to
disclose this information could result in
revocation, as noted in paragraph (j).
Any violations of the EAR that are
uncovered in the process of conducting
this self-evaluation should be disclosed
to BIS in accordance with the voluntary
self-disclosure procedures found in
section 764.5.
(vii) Letter of assurance for software
and technology. A company officer of
the eligible applicant must submit a
signed statement on company letterhead
stating that under this license exception,
the eligible applicant and each eligible
user and/or eligible recipient entity will
not export, reexport, or transfer (in-country) software (including the source
code for the software) and technology,
consistent with paragraph (c)(1) of this
section and consistent with paragraphs
(a)(1) and (a)(2) of § 740.6.
(viii) Signing of non-disclosure
agreements. Non-disclosure agreements
not to release any technology or source
code must be binding with respect to
any technology or source code that has
been released or otherwise provided to
any non-U.S. national employee,
wherever located, on the basis of this
license exception, until such technology
or source code no longer requires a
license to any destination under the
EAR, regardless of whether the non-U.S.
national’s employment relationship
with the company remains in effect.
Non-disclosure agreements should be
completed in both English and the non-U.S. national employee’s native
language.
(ix) Review of end-user lists. Foreign
national employees, as described in note
2 to paragraph (b)(3)(ii), who are eligible
to receive technology or source code
under this license exception, must be
screened against all lists of end-users of
concern compiled by the U.S.
government. In addition, prior
employers of the foreign national
employees must also be screened. These
lists can be accessed at https://www.bis.doc.gov. See paragraph (c)(5) of
this section for specific restrictions.
(2) Exceptions to certain mandatory
elements of an ICT control plan.
(i) If this license exception will be
used only for commodities, then the ICT
control plan elements described in
paragraphs (d)(1)(iii), (d)(1)(iv),
(d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) are
not mandatory. In this situation, the ICT
control plan must state that this license
exception will be used for commodities
only and not used for software or
technology.
(ii) If this license exception will be
used only for software (excluding source
code), or if this license exception will be
used only for commodities and software
(excluding source code), then the ICT
control plan elements described in
paragraphs (d)(1)(iv), (d)(1)(viii), and
(d)(1)(ix) are not mandatory. In this
situation, the ICT control plan must
state that this license exception will be
used for software (excluding source
code) only, or will be used for
commodities and software (excluding
source code) only, and not used for
technology or source code.
(e) Information required for grant of
ICT authorization.
(1) Prior to the export, reexport, or in-country transfer of items on the
Commerce Control List under this
license exception, an eligible applicant,
as described in paragraph (b)(1) of this
section, must submit the following
information to BIS:
(i) For the eligible applicant: Full
name of company; location of company
headquarters; location of principal place
of business; complete physical
addresses (listing a post office box is
insufficient) of company’s headquarters
and principal place of business; post
office box if used as an alternate
address; location of registration or
incorporation; ownership of company,
including listing all individuals or
groups that have at least a 10%
ownership interest; and need for
License Exception ICT, including listing
the ECCNs of the items that will be
exported, reexported, or transferred (in-country) under this license exception
and a detailed narrative describing the
intended use of the items covered by the
listed ECCNs and the anticipated
resulting commodities, where relevant;
(ii) For each company, separate from
the eligible applicant, that is intended to
be an eligible user or eligible recipient
that will export, reexport, transfer (in-country), or receive items under this
license exception: Full name of entity;
location of entity’s principal place of
business; complete physical address
(listing a post office box is insufficient)
of entity’s principal place of business;
post office box if used as an alternate
address; location of entity’s registration
or incorporation; relationship of the
entity to the eligible applicant; and
ownership of company, including
listing all individuals or groups that
have at least a 10% ownership interest,
where relevant;
(iii) Name and contact information of
the employee(s) responsible for
implementing the ICT control plan of
the eligible applicant and its wholly-owned or controlled in fact entities that
are eligible users and/or eligible
recipients;
(iv) A full copy of the ICT control
plan, as described in paragraph (d) of
this section, covering the eligible
applicant and its wholly-owned or
controlled in fact entities that are
eligible users and/or eligible recipients;
(v) Documentation showing
implementation of screening, training,
and self-evaluation elements in the ICT
control plan, as described in paragraphs
(d)(1)(iv), (d)(1)(v), (d)(1)(vi), and
(d)(1)(ix), where applicable; and
(vi) A signed statement, on company
letterhead, by a company officer of the
eligible applicant that states each
eligible user and/or eligible recipient
entity will allow BIS, at the agency’s
discretion, to conduct audits to ensure
compliance with this license exception.
(2) Submit all required information to:
Bureau of Industry and Security, Attn:
License Exception ICT, HCHB Room
2705, 14th Street & Pennsylvania Ave.,
NW., Washington, DC 20230.
(f) Review of License Exception ICT
submissions. Upon receipt of completed
information required under paragraph
(e)(1) of this section, BIS will conduct
a review described in paragraph (f)(1) of
this section. During the review, BIS will
use the factors described in paragraph
(f)(2) of this section to determine
authorization. In addition to informing
the eligible applicant whether it may
use this license exception, BIS will
provide the terms of the ICT
authorization including which wholly-owned or controlled in fact entities may
use this license exception and the
ECCNs of the items that may be
exported, reexported, or transferred
under this license exception. BIS will
respond in writing to the eligible
applicant once a decision is reached.
(1) Processing procedures. For
purposes of review only, License
Exception ICT submissions will be
reviewed in the manner that license
applications are reviewed pursuant to
§§ 750.3 and 750.4 of the EAR and
Executive Order 12981, as amended by
Executive Orders 13020, 13026, and
13117.
(2) Review factors. The following
factors will be considered in
determining License Exception ICT
authorization: Prior licensing history;
demonstration of an effective ICT
control plan; and need for the license
exception, as expressed in the
submission for ICT authorization,
including the requested ECCNs and the
relationship of the wholly-owned or
controlled in fact entities to the parent
company or other entities of national
security or foreign policy concern. BIS
will also consider any deficiencies,
including violations of the EAR, that are
uncovered as part of the self-evaluation
element of the eligible applicant’s ICT
control plan described in (d)(vi) of this
part, and, if appropriate, disclosed to
BIS in accordance with section 764.5, as
well as any corrective action that was
subsequently taken.
(g) Changes to Submitted Information
Following Receipt of Authorization.
(1) Before an entity not previously
identified in an approved eligible
applicant’s initial submission under
paragraph (e) of this section may use
this license exception, the approved
eligible applicant must submit the
information regarding the new entity in
accordance with paragraph (e)(1)(ii) of
this section to BIS at the address listed
in paragraph (e)(2) of this section. This
submission will undergo the same
process of review as the initial
submission, which is described in
paragraph (f)(1) of this section.
(2) After obtaining authorization to
use this license exception, an approved
eligible applicant may request License
Exception ICT eligibility for additional
ECCNs that were not previously
identified in its initial submission. To
make such a request, the approved
eligible applicant must submit the
necessary information required under
paragraph (e)(1)(i) regarding the
additional ECCNs to BIS at the address
listed in paragraph (e)(2) of this section.
This submission will undergo the same
process of review as the initial
submission, which is described in
paragraph (f)(1) of this section.
(3) If control of an approved eligible
applicant changes after obtaining prior
authorization to use this license
exception (e.g., through change of
ownership, acquisition, or merger),
authorization to use this license
exception will no longer be valid. Under
such circumstances, the new eligible
applicant must submit all information
required under paragraph (e)(1) of this
section to obtain new authorization to
use this license exception. This
submission will undergo the same
process of review described in
paragraph (f)(1) of this section. The new
eligible applicant and its wholly-owned
or controlled in fact entities may export,
reexport, or transfer within country
items under this license exception only
upon receipt of written authorization
from BIS. See the definition of
‘‘controlled in fact’’ in § 772.1 for
further information regarding changes in
ownership.
(4) If an approved eligible applicant’s
control of an approved eligible user or
eligible recipient entity changes after
obtaining prior authorization to use this
license exception (e.g., through a
different organization’s acquisition or
merger of the approved eligible user or
eligible recipient entity), the newly-controlled eligible user or eligible
recipient entity must immediately
terminate use of this license exception.
In addition, the approved eligible
applicant must notify BIS in writing of
the removal of the newly-controlled
entity from use of this license exception
within fifteen (15) days after the change
in control. Notification letters should be
submitted to the address in paragraph
(g)(5) of this section. Subject to
paragraph (g)(3) of this section, the
approved eligible applicant and its other
approved eligible users and/or eligible
recipient entities may continue to use
this license exception. See the
definition of ‘‘controlled in fact’’ in
§ 772.1 for further information.
(5) After obtaining authorization to
use this license exception, if the legal
name of an approved eligible applicant,
eligible user, or eligible recipient entity
of this license exception, as described in
paragraphs (b)(1), (b)(2), and (b)(3)(i) of
this section respectively, changes, the
approved eligible applicant must notify
BIS of the name change within fifteen
(15) days after the name change. Subject
to paragraph (g)(3) of this section, the
approved eligible applicant may
continue to use this license exception
after the name change but must submit
a letter informing BIS of the name
change to the Director of the Office of
Exporter Services at: Office of Exporter
Services, HCHB Room 2705, 14th Street
& Pennsylvania Ave., NW., Washington,
DC 20230.
(h) Annual reporting requirement.
(1) After receiving authorization to
use License Exception ICT pursuant to
paragraph (e) of this section, approved
eligible applicants must submit the
following information to BIS on an
annual basis:
(i) The name, nationality, and date of
birth of foreign national employees, as
described in note 2 to paragraph
(b)(3)(ii) of this section, who have
received technology or source code
under License Exception ICT during the
prior reporting year.
(ii) The name, nationality, and date of
birth of foreign national employees, as
described in note 2 to paragraph
(b)(3)(ii), who are subject to the
reporting requirement in paragraph
(h)(1)(i) of this section and who have
terminated their employment with the
approved eligible applicant, eligible
user, or eligible recipient entity. This
requirement does not apply to
employees subject to the reporting
requirement in paragraphs (h)(1)(i) and
(h)(1)(ii) of this section who have
changed positions within the parent
company’s structure (i.e., among the
approved eligible applicant parent
company’s wholly-owned or controlled
in fact entities that are approved eligible
users and/or eligible recipients of this
license exception).
(iii) A certification signed by a
company officer stating that the
approved eligible applicant and its
approved eligible users and eligible
recipient entities are in compliance with
the terms and conditions of License
Exception ICT. This certification should
include the results of the self-evaluations described in paragraph
(d)(1)(vi) of this section.
(2) Annual reports must be submitted
to and received by BIS no later than
February 15 of each year, and must
cover the period of January 1 through
December 31 of the prior year. Reports
must be submitted to the address listed
in paragraph (e)(2) of this section.
(i) Auditing use of License Exception
ICT.
(1) Biennial audit. BIS will review the
use of License Exception ICT by the
approved eligible applicant and its
approved eligible users and/or eligible
recipients approximately once every
two years. Generally, BIS will give
reasonable notice to approved eligible
applicants in advance of an audit of
their use of License Exception ICT. As
part of the biennial audit, BIS may
request that an approved eligible
applicant and its approved eligible users
and/or eligible recipient entities submit
all or part of their records described in
paragraph (h) of this section.
(2) Discretionary audit. BIS may
conduct special unannounced system
reviews if BIS has reason to believe an
approved eligible applicant or one of its
approved eligible users and/or eligible
recipients has improperly used or failed
to comply with the terms and
conditions of License Exception ICT.
(j) Revision, Suspension, and
Revocation of License Exception ICT.
Consistent with § 740.2(b), BIS may
revise, suspend, or revoke authorization
to use License Exception ICT in whole
or in part, without notice. Factors that
might warrant such action may include,
but are not limited to, the following: use
of ICT for other than internal company
use, release of controlled items to
unauthorized entities or destinations,
failure to maintain the ICT control plan
initially submitted to BIS as part of the
application, and failure to comply with
reporting and recordkeeping
requirements.
(k) Recordkeeping requirements. In
addition to the recordkeeping
requirements set forth in part 762 of the
EAR, entities that are approved eligible
applicants, eligible users, and/or eligible
recipients of this license exception, as
described in paragraphs (b)(1), (b)(2),
and (b)(3)(i) of this section respectively,
must retain copies of their ICT control
plan and associated materials, including
signed non-disclosure agreements.
Entities that are approved eligible
applicants, eligible users, and/or eligible
recipients must also maintain records,
by ECCN, of the items on the Commerce
Control List that have been exported,
reexported, or transferred within
country under the authority of this
license exception. For foreign national
employees receiving technology or
source code under ICT, approved
eligible applicants, eligible users, and
eligible recipient entities are required to
record only the initial release of such
technology or source code to a given
foreign national employee; subsequent
release of the same technology or source
code to that same foreign national
employee does not require additional
recordkeeping. However, if a foreign
national receives technology or source
code under ICT that is controlled under
a different ECCN, then the initial receipt
of the different technology or source
code must also be recorded. Such
records must be made available to BIS
on request.
3. Supplement No. 4 to part 740 is
added to read as follows:
Supplement No. 4 to Part 740—
Countries in Which Eligible Applicants
Must Be Incorporated In or Have Their
Principal Place of Business in For
License Exception Intra-Company
Transfer (ICT) Eligibility
Argentina
Australia
Austria
Belgium
Bulgaria
Canada
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Japan
Korea, South
Latvia
Lithuania
Luxembourg
Malta
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States
PART 772—[AMENDED]
4. The authority citation for part 772
is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50
U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025,
3 CFR, 2001 Comp., p. 783; Notice of July 23,
2008, 73 FR 43603 (July 25, 2008).
5. Section 772.1 is amended:
a. By amending the definition of
‘‘Controlled in fact’’ as set forth below;
and
b. By adding, in alphabetical order,
the definitions of ‘‘Employee’’ and
‘‘Parent company’’, as follows:
§ 772.1 Definitions of Terms as Used in the
Export Administration Regulations (EAR).
* * * * *
Controlled in fact. For purposes of
License Exception ICT only (see
§ 740.19 of the EAR), the term
‘‘controlled in fact’’ means the authority
or ability of an entity, which has been
routinely exercised in the past, to
establish the general policies or day-to-day operations of a different
organization, such as a subsidiary,
branch, or office. An entity will be
presumed to have control over a
different organization when:
(a) The entity beneficially owns or
controls (whether directly or indirectly)
more than 50 percent of the outstanding
voting securities of the different
organization;
(b) The entity operates the different
organization pursuant to the provisions
of an exclusive management contract; or
(c) Members of the entity’s governing
body (i.e., board of directors) comprise
a majority of the comparable governing
body of the different organization.
For purposes of the Special
Comprehensive License (part 752 of the
EAR), controlled in fact is defined as it
is under the Restrictive Trade Practices
or Boycotts (§ 760.1(c) of the EAR).
* * * * *
Employee. For purposes of License
Exception ICT only (see § 740.19 of the
EAR), ‘‘employee’’ means any person
who works, with or without
compensation, in the interest of an
entity that is an approved eligible user
(see § 740.19(b)(2)) or an entity that is an
approved eligible recipient (see
§ 740.19(b)(3)(i)). The person must work
at the approved eligible entity’s
locations or at locations assigned by the
approved eligible entity, such as at
remote sites or on business trips. This
definition may include permanent
employees, contractors, and interns.
* * * * *
Parent company. For purposes of
License Exception ICT only (see
§ 740.19 of the EAR), ‘‘parent company’’
means any entity that wholly-owns or
controls in fact a different entity, such
as a subsidiary or branch. The parent
company may be incorporated in and
conduct its principal place of business
inside the United States or outside of
the United States, but certain location
restrictions apply (see § 740.19(b)(1) and
Supplement No. 4 to part 740). The
parent company itself may also have an
ultimate parent company, meaning the
parent company is wholly-owned or
controlled in fact by another entity or
other entities. See also the definition of
‘‘controlled in fact’’ in this section for
further information.
* * * * *
Dated: September 29, 2008.
Christopher R. Wall,
Assistant Secretary for Export
Administration.
[FR Doc. E8–23506 Filed 10–2–08; 8:45 am]
BILLING CODE 3510–33–P
DEPARTMENT OF THE INTERIOR
Bureau of Land Management
43 CFR Part 8360
[WO–250–1220–PM–24 1A]
RIN 1004–AD96
Visitor Services
AGENCY: Bureau of Land Management,
Interior.
ACTION: Proposed rule.
SUMMARY: The Bureau of Land
Management (BLM) proposes to amend
its regulations to remove the Land and
Water Conservation Fund Act (LWCFA)
as one of the authorities of our
Recreation regulations, in accordance
with the Federal Lands Recreation
Enhancement Act of 2004 (REA). The
rule will also amend and reorder the
prohibitions to separate those that apply
specifically to campgrounds and picnic
areas from those with more general
applications. The reordering is
necessary to broaden the scope to
include all areas where standard
amenity, expanded amenity, and special
recreation permit fees are charged under
REA. The proposed rule would remove
an unnecessary provision that has been
interpreted to require the BLM to
publish supplementary rules concerning
failure to pay fees established by the
recreation regulations, thus relieving the
BLM from publishing such separate
specific supplementary rules for each
area. Finally, it will make technical
changes to maintain consistency with
other BLM regulations.
DATES: We will accept comments and
suggestions on the proposed rule until
December 2, 2008. The BLM will not
necessarily consider any comments
received after the above date in making
its decision on the final rule.
ADDRESSES: You may submit comments
by any of the following methods listed
below:
Mail: U.S. Department of the Interior,
Director (630), Bureau of Land
Management, Mail Stop 401 LS, 1849 C
St., NW., Attention: [RIN: 1004–AD96]
Washington, DC 20240.
Personal or messenger delivery: 1620
L Street, NW., Room 401, Washington,
DC 20036.
Federal eRulemaking Portal:
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For
information on the substance of the
proposed rule, please contact Hal
Hallett at (202) 452–7794 or Anthony
Bobo Jr. at (202) 452–0333. For
information on procedural matters,
please contact Chandra Little at (202)
452–5030. Persons who use a
telecommunications device for the deaf
(TDD) may call the Federal Information
Relay Service (FIRS) at 1–800–877–8339
to contact the above individuals during
normal business hours. FIRS is available
twenty-four hours a day, seven days a
week, to leave a message or question
with the above individuals. You will
receive a reply during normal business
hours.
SUPPLEMENTARY INFORMATION:
I. Public Comment Procedures
II. Background
III. Discussion of Proposed Rule
IV. Procedural Matters
I. Public Comment Procedures
Electronic Access and Filing Address
You may view an electronic version of
this proposed rule at the BLM’s Internet
home page at www.blm.gov or at
https://www.regulations.gov. You may
comment via the Internet to: https://
www.regulations.gov. If you submit your
comments electronically, please include
your name and return address in your
Internet message.
Written Comments
Confine written comments on the
proposed rule to issues pertinent to the
proposed rule and explain the reason for
any recommended changes. Where
possible, reference the specific section
or paragraph of the proposal which you
are addressing. The BLM need not
consider or include in the
Administrative Record for the final rule
comments which it receives after the
comment period close (see DATES), or
comments delivered to an address other
than those listed above (see ADDRESSES).
Before including your address, phone
number, e-mail address, or other
personal identifying information in your
comment, you should be aware that
your entire comment, including your
personal identifying information, may
be made publicly available at any time.
While you can ask us in your comment
to withhold your personal identifying
information from public review, we
cannot guarantee that we will be able to
do so.
Reviewing Comments Submitted by
Others
Comments, including the names and
street addresses, and other contact
information, will be available for public
review at the address listed under
ADDRESSES during regular business
hours (7:45 am to 4:15 pm), Monday
through Friday, except holidays.
II. Background
The passage of the REA, 16 U.S.C.
6801 et seq., required the BLM to
change its fee management regulations,
policies, and procedures to bring them
into compliance with this law. The BLM
has already accomplished this by
including in part 2930 all recreation fee
management regulations including the
requirement that visitors pay fees before
occupying a campground or picnic area.
The BLM is now amending part 8360 to
complete the regulatory changes made
necessary by the law, including removal
of any language pertaining to recreation
fees. In addition, the section dealing
with the collection of fossils was
modified to include common plant
fossils, reflecting long established BLM
policies. Other changes were made to
group related regulations in the same
section to simplify language and clarify
the intent, and to resolve
inconsistencies between existing
provisions.
III. Discussion of Proposed Rule
Section 8360.0–3
Authority
The proposed rule removes the Land
and Water Conservation Fund Act
(LWCFA) (16 U.S.C. 460l–6a) as an
authority for the regulations. The
enactment of the REA changed the
BLM’s authority to collect recreation
fees. Recreation fees that were
previously authorized under the
LWCFA are now included under REA.
The BLM’s policies and procedures
have also been revised to reflect this
new and revised authority.
[Federal Register Volume 73, Number 193 (Friday, October 3, 2008)]
[Proposed Rules]
[Pages 57554-57564]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-23506]
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 740 and 772
[Docket No. 071213838-81132-01]
RIN 0694-AE21
Export Administration Regulations: Establishment of License
Exception Intra-Company Transfer (ICT)
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: This proposed rule would amend the Export Administration
Regulations (EAR) to establish a new license exception entitled
``Intra-Company Transfer (ICT).'' This license exception would allow an
approved parent company and its approved wholly-owned or controlled in
fact entities to export, reexport, or transfer (in-country) many items
on the Commerce Control List (CCL) among themselves for internal
company use. Prior authorization from the Bureau of Industry and
Security (BIS) would be required to use this license exception. This
rule describes the criteria pursuant to which entities would be
eligible to use License Exception ICT and the procedure by which they
must apply for such authorization. This proposed rule is one of the
initiatives in the export control directive announced by the President
on January 22, 2008.
DATES: Comments must be received by November 17, 2008.
ADDRESSES: You may submit comments, identified by RIN 0694-AE21, by any
of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: rpd2@bis.doc.gov. Include ``RIN 0694-AE21'' in the
subject line of the message.
Fax: 202-482-3355
Mail/Hand Delivery: Steven Emme, U.S. Department of
Commerce, Bureau of Industry and Security, Regulatory Policy Division,
14th & Pennsylvania Avenue, NW., Room 2705, Washington, DC 20230, ATTN:
RIN 0694-AE21.
FOR FURTHER INFORMATION CONTACT: Steven Emme, Regulatory Policy
Division; Telephone: 202-482-2440; E-mail: semme@bis.doc.gov.
SUPPLEMENTARY INFORMATION:
Background
Presidential Directives on U.S. Export Control Reform and Deemed Export
Advisory Committee
On January 22, 2008, the President announced a package of
directives to ensure that the export control policies and practices of
the United States support the National Security Strategy of 2006, while
facilitating the United States' continued international economic and
technological leadership. These directives focus the export control
system to meet the unprecedented security challenges as well as the
economic challenges faced by the United States, due to the increasing
worldwide diffusion of high technology and impact of global markets.
The directives recognize that the economic and technological
competitiveness of the United States is essential to meet long-term
national security interests. Export controls must, therefore, cover the
export and reexport of sensitive items without unduly burdening U.S.
economic competitiveness and innovation. This is particularly critical
in light of the current and increasing globalization of research,
development, and production, as well as the rise of new economic
competitors and the diffusion of global supply networks that challenge
U.S. economic and technological competitiveness.
Shortly before the President announced the package of directives on
U.S. export control reforms, the Deemed Export Advisory Committee
(DEAC) presented its findings to the Secretary of Commerce on deemed
export controls. The DEAC, a federal advisory committee established by
the Secretary, undertook a comprehensive examination of the national
security, technology, and competitiveness aspects of the deemed export
rule. A deemed export is the release of technology and source code
subject to the EAR to foreign nationals in the United States that is
``deemed'' to be an export to the home country or countries of the
foreign national. In its final report, which was issued in December
2007, the DEAC concluded that the deemed export rule ``no longer
effectively serves its intended purpose and should be replaced with an
approach that better reflects the realities of today's national
security needs and global economy.'' In order to address this concern,
the DEAC made several recommendations, including creating a category of
``Trusted Entities'' that voluntarily elect to qualify for streamlined
treatment after meeting certain criteria. Further, the DEAC recommended
that these ``Trusted Entities'' include subsidiaries abroad so that
individuals and ideas could move within the company structure without
the need for separate deemed export licenses.
It is in the context of the President's directives on U.S. export
control reforms and with respect to the DEAC's recommendations on
deemed export controls that BIS is proposing this rule creating a
license exception for intra-company transfers.
The Impact of U.S. Export Controls on Intra-Company Transfers
As global markets and manufacturing continue to evolve, many parent
companies have numerous operations in multiple countries for
distribution, service and repair, manufacturing and development,
product testing, and other uses. In this environment, parent companies
increasingly export commodities, software, and technology to their
foreign branches, subsidiaries, and/or ultimate foreign parent
companies around the world. Consequently, many companies may need
multiple export licenses from BIS under a variety of scenarios for
their own internal operations. For example, to conduct day-to-day
operations, many companies in the United States must export
commodities, software, and technology to their foreign branches and
subsidiaries, resulting in the need for export licenses. In addition,
companies may also require reexport licenses to transfer items among
their foreign branches, foreign subsidiaries, and/or their ultimate
foreign parent companies, located in multiple countries. On occasion, a
company will have several branches or subsidiaries within the same
foreign country and must then seek authorization to make in-country
transfers of technology and other items between those entities.
Finally, releasing technology and source code subject to the EAR to
foreign national employees at locations of the company in the United
States or at the location of another foreign branch or subsidiary could
generate the need for deemed export or deemed reexport licenses.
Generally, obtaining these licenses for intra-company transfers can
negatively impact transactions due to the delay involved in waiting for
a licensing decision. Moreover, obtaining licenses for intra-company
transfers can hinder more than just individual transactions; they can
also hinder product development and the ability to be first to market--
activities key to the competitiveness of U.S. companies. For many
companies, product development entails large capital investments,
compressed product cycles, and intensive coordination of research and
development. With the current licensing requirements in place, however,
many companies with U.S. operations may be forced to segregate their
research and development activities. For instance, while waiting for
the approval of a deemed export license, U.S. employees and certain
foreign national employees would be precluded from collaborating
together on projects. Furthermore, once the license is approved,
companies may still need to segregate their research and development
activities in the future because product breakthroughs could exceed the
licensing parameters and require a new round of export licensing.
Establishment of License Exception ICT
In order to facilitate secure exports, reexports, and in-country
transfers to, from, and among a parent company and its wholly-owned or
controlled in fact entities, the Bureau of Industry and Security is
proposing to amend the Export Administration Regulations (EAR) to
create License Exception Intra-Company Transfer (ICT). License
Exception ICT, which would be set forth in new Sec. 740.19 of the EAR,
would provide companies a process for intra-company exports, reexports,
and in-country transfers without individual licenses. This license
exception would allow parent companies and the entities that the parent
company wholly owns or controls in fact to export, reexport, and
transfer (in-country) many items on the Commerce Control List (CCL)
among themselves for internal company use. The grant of ICT would be
restricted to those approved companies and those Export Control
Classification Numbers (ECCNs) that are authorized by BIS.
Companies authorized to use License Exception ICT would benefit
because it would relieve them of some of the administrative
requirements of obtaining, tracking, and reporting on individual
licenses and would reduce the lag time, expense, and uncertainty in the
licensing process. This license exception would also improve research
and development and other internal company activities, thus leading to
improved competitiveness and innovation for companies with operations
in the United States.
In proposing this license exception for intra-company exports,
reexports, and in-country transfers, BIS recognizes that industry and
government share the goal of protecting controlled commodities,
software, and technology, since these often represent proprietary
information and property. Moreover, BIS also recognizes that many
companies devote considerable financial and workforce resources to
ensuring compliance with export controls. BIS would authorize License
Exception ICT for those companies that demonstrate effective internal
control plans, submit annual reports on their use of ICT, and agree to
audits by BIS officials as requested.
By authorizing this license exception for companies that have
effective internal control plans and have agreed to audits, BIS can
focus its resources on evaluating transactions involving lesser-known
items and entities to better prevent exports to persons who may act
contrary to U.S. national security and foreign policy interests.
Greater focus on such transactions would increase the national security
value of the remaining reviews of individual license applications.
Definitions
For purposes of this rule, BIS is defining multiple terms used with
respect to License Exception ICT. These terms are ``controlled in
fact,'' ``employee,'' and ``parent company.'' This rule would amend
Sec. 772.1 of the EAR to include these new definitions as described
below.
First, BIS is amending the definition of ``controlled in fact'' in
Sec. 772.1 by applying aspects of the definition of the same term set
forth in Sec. 760.1(c) of the EAR to specify the circumstances in
which one entity will be presumed to have control over another entity
for purposes of License Exception ICT. In order to include any entity
in its application to use License Exception ICT, the parent company
must either wholly own or control in fact that individual entity.
Next, BIS is amending Sec. 772.1 to add the term ``employee,'' for
purposes of License Exception ICT, to refer to persons who work, with
or without compensation, in the interest of an entity that is an
approved eligible user or an approved eligible recipient of ICT. Such
persons must work at the approved eligible entity's locations,
including overseas locations, or at locations assigned by the approved
eligible entity, such as at remote sites or on business trips. This
definition may include permanent employees, contractors, and interns.
Finally, BIS is amending Sec. 772.1 to add the term ``parent
company,'' which will be defined for purposes of License Exception ICT,
to mean any entity that wholly owns or controls in fact a different
entity, such as a subsidiary or branch. The parent company does not
have to be an ultimate parent company, as that term is referred to in
the definition of parent company; it may be wholly-owned or controlled
by another entity or other entities. Also, the parent company does not
need to be incorporated in or have its principal place of business in
the United States. However, in order to be eligible for and use License
Exception ICT, the parent company must be incorporated in or have its
principal place of business in a country listed in Supplement No. 4 to
part 740 (see new Sec. 740.19(b)(1)). This definition does not include
colleges and universities. Thus, the research conducted by colleges and
universities that is not fundamental research (see Sec. 734.8(a) of
the EAR) and that requires a license would not qualify for License
Exception ICT. However, a university professor who enters into a
contractual relationship with a company to conduct proprietary research
could qualify as an ``employee'' if all conditions in that definition
are met.
Information Required for Submission to BIS for Review to Use License
Exception ICT
In order to avail themselves of License Exception ICT, a ``parent
company'' and the entities that it wholly owns or ``controls in fact''
must maintain an internal control plan, hereinafter referred to as an
ICT control plan. Upon implementation of the ICT control plan, the
parent company, as the eligible applicant under new Sec. 740.19(b)(1),
must submit the plan to BIS for review pursuant to new Sec. 740.19(e).
Additionally, the eligible applicant must submit documentation showing
that the ICT control plan has been implemented. Such documentation
should include a representative sample of records showing effective
compliance with the screening, training, and self-evaluation elements
of the ICT control plan, as described below in further detail.
Along with the ICT control plan and supporting documentation, the
eligible applicant parent company must list the wholly-owned entities
and controlled in fact entities that the applicant parent company
intends to be eligible users (see new Sec. 740.19(b)(2)) or eligible
recipients (see new Sec. 740.19(b)(3)(i)) of this license exception.
It is possible for an entity to be both an eligible user and an
eligible recipient. For itself, and for each eligible user and eligible
recipient entity, the eligible applicant parent company must list any
individual or group that has at least a 10% ownership interest.
Finally, the eligible applicant parent company must list the ECCNs of
the items it plans to export, reexport, or transfer (in-country) under
ICT; provide a narrative describing the purpose for which the requested
ECCNs will be used and the anticipated resulting commodities, if
applicable; disclose its relationship with each entity that is intended
to be an eligible user and/or eligible recipient; and provide a signed
statement by a company officer of the eligible applicant parent company
stating that each entity will allow BIS to conduct audits on the use of
License Exception ICT.
ICT Control Plan
An ICT control plan seeks to ensure that items on the Commerce
Control List will not be exported, reexported, or transferred in
violation of this license exception. As this license exception may be
used for commodities, software, and technology, the ICT control plan
must address how the parent company and the entities that it wholly
owns or controls in fact, as eligible users and eligible recipients,
will maintain items authorized for export, reexport, or transfer by
this license exception within the company structure, as authorized by
BIS.
Within the ICT control plan, eligible applicants must describe how
certain mandatory elements will be met. These mandatory elements, which
are listed in new Sec. 740.19(d)(1), include corporate commitment to
export compliance, a physical security plan, an information security
plan, personnel screening procedures, a training and awareness program,
a self-evaluation program, a letter of assurance for software and
technology, non-disclosure agreements, and end-user list reviews. All
of these elements are aspects of export control compliance programs
that establish effective internal control plans. In turn, these
internal control plans generate an increased level of awareness of
export control compliance issues among employees and help secure a
company's proprietary information.
For the required ICT control plan elements in paragraphs (d)(1)(i)
through (d)(1)(vi) of new Sec. 740.19, BIS is not specifying how each
company must achieve them due to the varying characteristics of
companies. However, paragraphs (d)(1)(i) through (d)(1)(vi) do contain
illustrative examples of evidence that a company may use in its
descriptions detailing how it will implement those mandatory elements.
While companies may include additional elements in their ICT control
plan, they must, at a minimum, describe how the minimum mandatory
elements set forth in Sec. 740.19(d)(1) will be met. One mandatory
element--the self-evaluation program in paragraph (d)(1)(vi)--requires
the creation and performance of regular internal self-audits, creation
of a checklist of critical areas and items to review, and development
of corrective procedures or measures implemented to correct identified
deficiencies. If any identified deficiencies rise to the level of a
violation of the EAR, the company should make a voluntary
self-disclosure pursuant to Sec. 764.5.
If a company plans to use this license exception for commodities
only, then the company may state in the ICT control plan that the
mandatory elements of the ICT control plan set forth in paragraphs
(d)(1)(iii) (information security plan), (d)(1)(iv) (personnel
screening procedures), (d)(1)(vii) (letter of assurance for software
and technology), (d)(1)(viii) (signing of non-disclosure agreements),
and (d)(1)(ix) (review of end-user lists) are not applicable because
the license exception will be used for commodities only and not used
for software or technology. Similarly, if a company plans to use this
license exception for software (excluding source code) only, or if a
company plans to use this license exception for commodities and
software (excluding source code) only, then the company may state in
the ICT control plan that the mandatory elements found in paragraphs
(d)(1)(iv) (personnel screening procedures), (d)(1)(viii) (signing of
non-disclosure agreements), and (d)(1)(ix) (review of end-user lists)
are not applicable because the license exception will be used for
software (excluding source code) only, or, if appropriate, for software
(excluding source code) and commodities only, and not used for
technology or source code.
Mandatory Requirements for Technology and Source Code Under an ICT
Control Plan
Entities that seek to be approved eligible users and/or eligible
recipients of this license exception must ensure that non-U.S. national
employees, wherever located, sign non-disclosure agreements before
receiving technology or source code under this license exception. Such
non-disclosure agreements must state that the employee agrees not to
release any technology or source code in violation of the EAR, and such
agreements must be binding as long as the technology or source code
remains subject to export controls, regardless of the signatory's
employment relationship with the employer. In other words, even if the
signatory's employment relationship with the employer were severed, the
signatory would remain prohibited from releasing any technology or
source code received under License Exception ICT while employed. The
non-disclosure agreement must also specify that the prohibition would
remain in effect until the technology or source code no longer required
a license to any destination under the EAR.
In addition, entities that seek to be approved eligible users and/or
eligible recipients of ICT must screen non-U.S. national employees
who are also foreign national employees in the country in which they
are working against lists of end-user concern. This screening
requirement applies if such individuals are to receive technology or
source code under ICT. The lists of end-users of concern are compiled
by the U.S. government and may be accessed at the BIS Web site at
https://www.bis.doc.gov. Upon publication of a final rule, BIS plans to
provide guidance on its website with respect to screening such
employees for purposes of ICT.
Non-U.S. national employees are those employees who are not U.S.
citizens, U.S. permanent residents, or protected individuals under the
Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3)). Foreign
national employees are those non-U.S. national employees, wherever
located, who are not citizens or legal permanent residents of the
country in which they work. For instance, a German national working in
the United States and a German national working in France are both
considered foreign national employees for purposes of this rule (and
more generally for purposes of the EAR). However, a French national
working in France is not a foreign national employee from the
perspective of BIS. Therefore, all foreign national employees are
non-U.S. national employees, but not all non-U.S. national employees are
foreign national employees. This distinction is important because the
non-disclosure agreement element in an ICT control plan applies to the
German national working in France as well as to the French national
working in France. Thus, it applies to non-U.S. national employees who
would otherwise be permitted to receive technology or source code
subject to the EAR, if not for the grant of ICT, under a deemed export
license, deemed reexport license, license to a facility where the
employee works, or other license exception.
Unlike the non-disclosure agreement requirement, the screening
element applies only to foreign national employees. Hence, it would
apply to a German national working in France but not to a French
national working in France. The release of technology or source code
subject to the EAR to a foreign national employee may occur under a
deemed export or deemed reexport license or by operation of a license
exception, but it may also occur under a license that has been issued
to a facility. For example, a technology license approved for a French
facility may have a condition allowing all EU nationals to receive the
technology as well as the French employees. The screening requirement
is intended to apply to all foreign national employees receiving
technology or source code under ICT that would otherwise require a
license, whether it be through a license for a deemed export or deemed
reexport, a license issued to a facility, or other license exception.
Additionally, foreign national employees of companies located in
the United States must comply with U.S. immigration laws and maintain
current and valid visa authorization.
Authorization From BIS to Use License Exception ICT
Following receipt of the ICT control plan and all information
required under new Sec. 740.19(e)(1), BIS will review and refer the
submission to the reviewing agencies consistent with Sec. Sec. 750.3
and 750.4 of the EAR and Executive Order 12981, as amended by Executive
Orders 13020, 13026, and 13117. In order to determine ICT eligibility,
BIS will consider prior licensing history of the eligible applicant
parent company and its wholly-owned or controlled in fact entities that
are part of the authorization request, demonstration of an effective
ICT control plan, need for this license exception within the company
structure as articulated by the applicant parent company, and
relationship of the wholly-owned or controlled in fact entities to the
eligible applicant parent company.
Upon reaching a decision, BIS will inform the eligible applicant
parent company in writing if it may use this license exception pursuant
to new Sec. 740.19(f). BIS will specify the terms of the ICT
authorization, including identifying the wholly-owned or controlled in
fact entities of the eligible applicant parent company that may use ICT
and the ECCNs of the items that may be exported, reexported, or
transferred (in-country) for internal company use under ICT. After
receiving authorization, approved parent companies and their approved
wholly-owned or controlled in fact entities, if covered under the ICT
control plan, may use this license exception to export, reexport, or
transfer (in-country) approved commodities, software, and/or technology
among themselves for internal company use only. Any entity that seeks
to become an eligible user and/or eligible recipient, as described in
new Sec. Sec. 740.19(b)(2) and 740.19(b)(3)(i), must be specifically
covered by the ICT control plan submitted to BIS and maintain the ICT
control plan of the eligible applicant parent company.
Exports, reexports, and in-country transfers for any purpose other
than internal company use are not authorized under License Exception
ICT. With respect to an item that has been exported, reexported, or
transferred (in-country) pursuant to License Exception ICT, the entity
must submit a license application if required under the EAR before
using the item for a purpose other than that covered by this license
exception. Also, should control of the approved eligible applicant
parent company change, then use of License Exception ICT is no longer
valid. The newly-controlled eligible applicant parent company must
re-submit the information required for ICT authorization, as described in
new Sec. 740.19(g)(3).
Annual Reporting Requirements
After submitting a request for authorization to use License
Exception ICT pursuant to new Sec. 740.19(e) and after receiving
approval from BIS, each approved eligible applicant parent company must
submit an annual report to BIS on the use of this license exception by
itself and by its approved wholly-owned or controlled in fact entities.
Specifically, approved eligible applicant parent companies must list
the name, nationality, and date of birth of each foreign national
employee, as described in note 2 to new Sec. 740.19(b)(3)(ii), who has
received technology or source code under this license exception. The
requirement is limited to those employees, who would have required a
license to receive technology or source code if not for ICT, and who
are not citizens or legal permanent residents of the country in which
they are employed. Therefore, it applies to foreign national employees
working in the United States and to foreign national employees working
outside of the United States.
Also, approved eligible applicant parent companies must submit the
names of those foreign national employees, as described in note 2 to
new Sec. 740.19(b)(3)(ii), who previously received technology or
source code under this license exception and have ended their
employment. This requirement does not apply to those who have merely
switched positions within the company structure of the parent company,
so long as the new employer is an approved eligible entity under the
same parent company. BIS is requesting this information in order to
examine the use of License Exception ICT and measure its effectiveness.
Further, a company officer must certify to BIS that the approved
eligible applicant parent company and its approved eligible users and
eligible recipient entities are in compliance with the terms and
conditions of ICT. This certification should include the results of the
self-evaluation described in paragraph (d)(1)(vi) of this section.
Auditing Use of License Exception ICT
BIS will conduct audits of approved eligible applicant parent
companies and their approved wholly-owned or controlled in fact
entities to ensure proper compliance with License Exception ICT. These
reviews will take place approximately once every two years. Generally,
BIS will give notice to the relevant parties before conducting an
audit. However, if BIS has reason to believe that an entity is
improperly using ICT, BIS may conduct an unannounced audit at its
discretion that is separate from the biennial audit.
Restrictions on the Use of License Exception ICT and the Direct Product
Rule
Consistent with other license exceptions, License Exception ICT is
subject to the restrictions on the use of all license exceptions, which
are set forth in Sec. 740.2 of the EAR. Therefore, ICT cannot be used
for certain items, such as items controlled for missile technology
reasons or certain items that are ``space qualified.'' Moreover, ICT is
subject to revision, suspension, or revocation, in whole or in part,
without notice.
Also, new Sec. 740.19(c) lists restrictions on using ICT. For
instance, items controlled for Encryption Items (EI) reasons and items
controlled for Significant Items (SI) reasons are ineligible for
export, reexport, or transfer (in-country) under ICT. At this
time, License Exception ENC will remain the primary resource for
providing the authorization necessary for many intra-company transfers
of encryption items. Further, no items exported, reexported, or
transferred within country under this license exception may be
subsequently exported, reexported, or transferred for purposes other
than internal company use, unless done so in accordance with the EAR.
However, items that have been exported, reexported, or transferred
(in-country) under License Exception ICT may not be subsequently exported,
reexported, or transferred (in-country) under License Exception APR
(see Sec. 740.16).
Finally, note that whether the foreign direct product of U.S.
software or technology exported from abroad, reexported, or transferred
under License Exception ICT is subject to the EAR is determined under
Sec. 736.2(b)(3) of the EAR, when the foreign direct product is
exported from abroad, reexported, or transferred (in-country) for other
than internal use within a Country Group D:1 country or Cuba.
Although the Export Administration Act expired on August 20, 2001,
the President, through Executive Order 13222 of August 17, 2001, 3 CFR,
2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008,
73 FR 43603 (July 25, 2008), has continued the Export Administration
Regulations in effect under the International Emergency Economic Powers
Act.
Rulemaking Requirements
1. This proposed rule has been determined to be significant for
purposes of Executive Order 12866.
2. Notwithstanding any other provision of law, no person is
required to respond to nor be subject to a penalty for failure to
comply with a collection of information, subject to the requirements of
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA),
unless that collection of information displays a currently valid Office
of Management and Budget (OMB) Control Number. This proposed rule
contains a collection previously approved by the OMB under control
number 0694-0088, ``Multi-Purpose Application,'' which carries a
burden hour estimate of 58 minutes to prepare and submit form BIS-748.
Miscellaneous and recordkeeping activities account for 12 minutes per
submission. In addition, this proposed rule contains a new collection
for reporting, recordkeeping, and auditing requirements, which would be
submitted for approval to use License Exception ICT and which carries an
estimated burden of 19.6 hours for companies having an existing
internal control plan and 265.6 hours for companies not having an
existing internal control plan in place. A request for new collection
authority will be submitted to OMB for approval. Public comment will be
sought regarding the burden of the collection of information associated
with preparation and submission of these proposed voluntary
requirements. BIS estimates that this rule will reduce the number of
multi-purpose application forms that must be filed by 582 annually.
Send comments regarding this burden estimate or any other aspect of
this collection of information, including suggestions for reducing the
burden, to Jasmeet K. Seehra, Office of Management and Budget (OMB),
and to the Regulatory Policy Division, Bureau of Industry and Security,
Department of Commerce, as indicated in the Addresses section of this
proposed rule.
3. This rule does not contain policies with Federalism implications
as that term is defined in Executive Order 13132.
4. The Regulatory Flexibility Act (RFA), as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C.
601 et seq., generally requires an agency to prepare a regulatory
flexibility analysis of any rule subject to the notice and comment
rulemaking requirements under the Administrative Procedure Act (5
U.S.C. 553) or any other statute, unless the agency certifies that the
rule will not have a significant economic impact on a substantial
number of small entities. Under section 605(b) of the RFA, however, if
the head of an agency certifies that a rule will not have a significant
economic impact on a substantial number of small entities, the statute
does not require the agency to prepare a regulatory flexibility
analysis. Pursuant to section 605(b), the Chief Counsel for
Regulations, Department of Commerce, certified to the Chief Counsel for
Advocacy, Small Business Administration, that this proposed rule, if
promulgated, will not have a significant economic impact on a
substantial number of small entities for the reasons explained below.
Consequently, BIS has not prepared a regulatory flexibility analysis.
The EAR applies to all entities that export, reexport, or transfer
commodities, software, and technology that are subject to the EAR. The
EAR potentially affects any entity in any sector that chooses to
export, reexport, or transfer items subject to the EAR. Thus, while
this proposed rule could potentially have a significant economic impact
on small entities, BIS believes that this proposed rule will not impact
a substantial number of small entities.
BIS does not have data on the total number of small entities that
are potentially impacted by the requirements of the EAR, but BIS does
maintain data on actual licenses applied for by entities of all sizes.
In order to examine the number of small entities that would be impacted
by this proposed rule, BIS examined the licensing data to find approved
licenses that would potentially qualify as an intra-company transfer.
Using this data as well as using estimated burden hours in gaining ICT
authorization, BIS conducted a cost-benefit analysis to see which
entities would likely choose to apply for authorization. BIS also
examined all approved licenses that could qualify as intra-company
transfers to determine whether any entities were small entities.
Upon initial examination of licensing data from 2004 to 2006, BIS
found that approximately 200 companies had licenses approved that could
potentially qualify as an intra-company transfer. Of those companies,
the vast majority consisted of large parent companies, medium-sized
companies, or companies that were owned by larger domestic or foreign
companies. This result supports the premise that entities that would
avail themselves of ICT must be large enough to have subsidiaries or
branches located in different countries that the entities control in
fact.
To look at which of those approximately 200 companies would most
likely choose to apply for ICT authorization, BIS conducted a
cost-benefit analysis by estimating the burden hours involved in gaining ICT
authorization as well as in complying with recordkeeping and
reporting requirements under ICT. BIS determined that over a three-year
period it would take 280.8 hours (or 16,848 minutes) for a company
without an internal control program to seek ICT authorization and 34.8
hours (or 2088 minutes) for a company with an existing internal control
program to seek ICT authorization. The threshold by which companies
would likely be inclined to apply for authorization to use ICT is the
point at which the burden of applying for licenses over a three-year
period (at 70 minutes per license) exceeds the total ICT burden hours
over three years (at 16,848 minutes for companies without an existing
internal control program or at 2088 minutes for companies with an
internal control program). In order to meet that threshold, companies
without an internal control program would have to apply for about 241
licenses over a three-year period, and companies with
an existing internal control program would have to apply for about 30
licenses per year over a three-year period. Only two companies meet the
241 license threshold, and those companies are not small entities under
the North American Industry Classification System (NAICS) standards.
Sixteen companies meet the 30 license threshold or come close to meeting
it (within five licenses), and none of those companies is
a small entity under the NAICS standards. In addition to burden hours,
companies without an existing internal compliance program may be less
likely to choose to seek ICT authorization because additional
investments would likely need to be made to implement an internal
control program. While these upfront investments could greatly vary
depending on company size as well as the type and number of items in
the company portfolio, it is likely that companies would need to invest
in physical and information security as well as incur travel expenses
to visit overseas facilities to ensure that the internal compliance
program is operating effectively. All of these additional costs would
likely increase the burden in any cost-benefit analysis and would
likely make an entity of any size that does not have an internal
compliance program less likely to seek ICT authorization and thus not
be impacted by this proposed rule.
Even if an entity without an internal compliance program utilizes a
different cost-benefit analysis and decides to apply for ICT
authorization, BIS licensing data shows that the potential ICT
candidate would not be a small entity. Only four companies, for which
public information was available, were found to qualify as small
entities under the NAICS. However, the potential intra-company licenses
approved for these four entities would all be ineligible under License
Exception ICT. The items approved for export were all items listed
under Sec. 740.2 that are restricted for export, reexport, or
in-country transfer under all license exceptions. Therefore, no small
entity was found to have licenses that were approved by BIS over a
three-year period that would qualify under ICT. Consequently, this
proposed rule would not affect a significant number of small entities.
This proposed rule was mandated by the President in National
Security Presidential Directive (NSPD) 55. While this proposed rule
will increase burden hours for those entities choosing to seek
authorization for License Exception ICT, BIS licensing data and
publicly available information show that no small entities in the
period of review received approved licenses for intra-company transfers
that would be eligible for License Exception ICT. Thus, a substantial
number of small entities will not be impacted by this proposed rule.
List of Subjects
15 CFR Part 740
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 772
Exports.
For the reasons set forth in the preamble, parts 740 and 772 of the
Export Administration Regulations (15 CFR 730-774) are amended as
follows:
PART 740--[AMENDED]
1. The authority citation for 15 CFR part 740 is revised to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp.,
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice
of July 23, 2008, 73 FR 43603 (July 25, 2008).
2. Section 740.19 is added to read as follows:
Sec. 740.19 Intra-Company Transfer (ICT).
(a) Scope. This license exception authorizes exports, reexports,
and in-country transfers of items on the Commerce Control List for
internal company use among approved eligible applicants, eligible
users, and eligible recipients, as described in paragraphs (b)(1),
(b)(2), and (b)(3) respectively, of this section. Use of License
Exception ICT is limited to those entities and those ECCNs that are
authorized by BIS, pursuant to paragraph (f) of this section.
(b) Eligibility.
(1) Eligible applicant. The eligible applicant is the ``parent
company,'' as that term is defined in section 772.1, that institutes an
ICT control plan, as described in paragraph (d) of this section, and
that applies for authorization from BIS to use this license exception.
The eligible applicant must be incorporated in or have its principal
place of business in any country listed in Supplement No. 4 to part
740. In addition, the eligible applicant may be, but is not required to
be, the ultimate parent company, as that term is referred to in the
definition of ``parent company'' set forth in section 772.1; hence the
eligible applicant may be owned or controlled by other entities.
However, the ultimate parent company cannot be an eligible user under
this license exception unless it is also the eligible applicant.
Application requirements are set forth in paragraph (e) of this
section.
(2) Eligible users. Eligible users may be eligible applicants, as
described in paragraph (b)(1) of this section, and their wholly-owned
or ``controlled in fact'' entities that implement and maintain the ICT
control plan of the eligible applicant and that are included in the
applications submitted by eligible applicants pursuant to paragraph (e)
of this section. Eligible applicants must ensure that each eligible
user implements the eligible applicant's ICT control plan, including
the use of non-disclosure agreements as described in paragraph
(d)(1)(viii) of this section.
(3) Eligible recipients.
(i) Entities. Eligible recipients of items under this license
exception may be eligible applicants as described in paragraph (b)(1)
of this section, eligible users as described in paragraph (b)(2) of
this section, and eligible applicants' other wholly-owned or controlled
in fact companies that implement and maintain the ICT control plan of
the eligible applicant and that are named in the applications submitted
by the eligible applicant pursuant to paragraph (e) of this section.
Eligible applicants must ensure that each eligible recipient, as
described in this paragraph, implements the eligible applicant's ICT
control plan, including the use of non-disclosure agreements as
described in paragraph (d)(1)(viii) of this section.
(ii) Non-U.S. national employees receiving technology or source
code. Non-U.S. national employees (wherever located) of entities that
are eligible applicants, eligible users, and/or eligible recipients of
this license exception may be eligible recipients of technology and
source code under this license exception provided the non-U.S. national
employees sign non-disclosure agreements with their employer in which
the non-U.S. national employees agree not to release any technology or
source code in violation of the EAR. Additionally, if non-U.S. national
employees are also foreign national employees in their country of
employment, then such non-U.S. national employees must also be screened
by the appropriate eligible user against end-user lists compiled by the
U.S. government. For further information on employees, non-disclosure
agreements, and screening requirements, see Sec. Sec. 772.1,
740.19(d)(1)(viii), and 740.19(d)(1)(ix) respectively.
Note 1 to paragraph (b)(3)(ii) of this section: Non-U.S.
national employees are those employees who are not U.S. citizens,
lawful permanent residents of the United
States, or individuals protected under the Immigration and
Naturalization Act (8 U.S.C. 1324b(a)(3)). Non-U.S. national
employees include those working in the United States and outside of
the United States. Furthermore, non-U.S. national employees include
those employees who would otherwise be permitted to receive
technology or source code only under: (1) A deemed export or deemed
reexport license; (2) a license issued to a facility, and the
employee is a citizen or legal permanent resident of the same
country where the facility is located; and (3) a license issued to a
facility, but the employee is not a citizen or legal permanent
resident of the country where the facility is located; (4) another
authorization such as a license exception other than ICT.
Note 2 to paragraph (b)(3)(ii) of this section: Foreign national
employees are those non-U.S. national employees who are not citizens
or legal permanent residents of the country in which they are
employed. Foreign national employees include those employees who
would otherwise receive technology or source code under: (1) A
deemed export or deemed reexport license; or (2) a license to a
facility, but the employee is not a citizen or legal permanent
resident of the country where the facility is located; or (3)
another authorization such as a license exception other than ICT.
(4) Eligible uses. Items exported, reexported, or transferred
within country under this license exception may be exported,
reexported, or transferred only for purposes of the internal company
use by approved eligible applicants and approved eligible users of this
license exception, as described in paragraphs (b)(1) and (b)(2)
respectively, of this section.
(c) Restrictions.
(1) No item may be exported, reexported, or transferred within
country under this license exception to destinations in or nationals of
Country Group E or North Korea.
(2) No item exported, reexported, or transferred within country
under this license exception may be subsequently exported, reexported,
or transferred for purposes other than the internal company use of
approved eligible applicants, eligible users, and eligible recipients,
as described in paragraphs (b)(1), (b)(2), and (b)(3)(i) respectively,
of this section, unless done so in accordance with the EAR. See
paragraph (c)(3) of this section for further restrictions.
(3) No items that have been exported, reexported, or transferred
(in-country) under License Exception ICT may be subsequently exported,
reexported, or transferred (in-country) under License Exception APR
(see Sec. 740.16).
(4) No release of technology or source code is authorized under
this license exception to foreign national employees whose visa or
authority to work has been revoked, denied, or is otherwise not valid.
It is the responsibility of the exporter to ensure that foreign
national employees working in the United States maintain a valid U.S.
visa if they are required to hold a visa from the United States.
(5) No release of technology or source code is authorized under
this license exception to a foreign national employee, as described in
note 2 to paragraph (b)(3)(ii), if that employee or a prior employer of
that employee is listed on any of the end-user lists of concern
compiled by the U.S. government. In such instances, eligible applicants
(or eligible users, as appropriate) should obtain the appropriate
authorization required under the EAR.
(6) No items controlled for Encryption Items (EI) reasons under
ECCNs 5A002, 5D002, or 5E002 may be exported, reexported, or
transferred (in-country) under this license exception.
(7) No items controlled for Significant Items (SI) reasons may be
exported, reexported, or transferred (in-country) under this license
exception.
(d) ICT control plan. Prior to submitting an application to BIS
under paragraph (e) of this section, and before making any exports,
reexports, or in-country transfers under this license exception,
eligible applicants must implement an ICT control plan that is designed
to ensure compliance with this license exception and the EAR. In
addition, eligible users and eligible recipient entities must implement
the ICT control plan of the eligible applicant. Under an ICT control
plan, which may be a component of a more comprehensive export
compliance program, all entities that seek to use this license
exception must ensure that commodities, software, and technology, where
applicable, will not be exported, reexported, or transferred in
violation of this license exception. With their application for
authorization (as described in paragraph (e) of this section) to use
this license exception, eligible applicants must submit a copy of the
ICT control plan and must specifically note which of their wholly-owned
or controlled in fact entities are covered by the plan. BIS may require
the eligible applicant to modify the ICT control plan before
authorizing use of this license exception. Paragraph (d)(1) of this
section lists the mandatory elements of an ICT control plan. Paragraph
(d)(2) of this section lists exceptions to addressing certain mandatory
elements in paragraph (d)(1) in the ICT control plan.
(1) Mandatory elements of an ICT control plan. The following
elements are mandatory, subject to the exceptions in paragraph (d)(2)
of this section. The ICT control plan must describe how each mandatory
element will be implemented. In order to provide guidance, the
mandatory elements described in paragraphs (d)(1)(i) through (d)(1)(v)
include illustrative examples of evidence demonstrating how the element
may be addressed. Note that these illustrative examples are guidelines
only; satisfying the five required elements in paragraphs (d)(1)(i)
through (d)(1)(v) of this section is dependent upon the nature and
complexity of company activities, the type of items that will be
exported, reexported, or transferred under this license exception
(i.e., commodities, software, and/or technology), the countries
involved, and the relationship between the eligible users and eligible
recipients of this license exception, as described in paragraphs (b)(2)
and (b)(3)(i) respectively of this section. With respect to the other
four elements of the ICT control plan, eligible applicants must fulfill
certain specified requirements. For paragraphs (d)(1)(vi), (d)(1)(vii),
(d)(1)(viii), and (d)(1)(ix) of this section, no illustrative examples
are included. Note, however, that to satisfy the self-evaluation
element in paragraph (d)(1)(vi) of this section, establishing self-
audits, creating a checklist, and developing corrective measures are
required, but the self-audits may be structured in a manner that works
best for the eligible applicant and its wholly-owned or controlled in
fact entities. In order to use this license exception for technology or
software, a letter of assurance, consistent with Sec. Sec. 740.19(c)
and 740.6, must be provided by a company officer of the eligible
applicant. Additionally, in order to use this license exception for
non-U.S. national employees, wherever located, to receive technology or
source code under this license exception, submitting a template or
sample of the non-disclosure agreement to be used is a mandatory
element. Also, in order to use this license exception for non-U.S.
national employees who are also foreign national employees, reviewing
lists of end-users of concern compiled by the U.S. government is a
mandatory element.
(i) Corporate commitment to export compliance. Evidence of a
corporate commitment to export compliance may include: An
organizational chain of command for export controls compliance issues
and related issues of concern; senior management member(s) responsible
for export controls compliance, who are able to
demonstrate how compliance issues are resolved; internal recordkeeping
requirements in accordance with the EAR; maintenance of a sound
commodity classification methodology; and commitment of resources to
implement and maintain an ICT control plan.
(ii) Physical security plan. Evidence of a physical security plan
may include: Methods of physical security that prevent the transfer of
commodities, software, and technology on the Commerce Control List
outside of the internal company structure; and organization and
maintenance of up-to-date building layouts, including a description of
physical security measures, such as secured doors and badges as well as
biometric, guard, and perimeter controls.
(iii) Information security plan. Evidence of an information
security plan may include: Organization and maintenance of up-to-date
virtual security layouts and descriptions of what information security
methods are in place, such as password protection, firewalls,
segregated servers, non-network computers, and intranet security.
(iv) Personnel screening procedures. Evidence of personnel
screening procedures may include: Thorough pre-screening analysis of
new foreign national employees, as described in note 2 to paragraph
(b)(3)(ii), which includes, but is not limited to, criminal background,
driver's license, and credit history, before allowing them to receive
technology or source code through a license or license exception.
(v) Training and awareness program. Evidence of a training and
awareness program may include: Creation, scheduling, and performance of
regular training programs (for all employees working in areas relevant
to export controls) to inform employees about export controls and
limits on their access to technology or source code.
(vi) Self-evaluation program. Evidence of a self-evaluation program
must include the following three components: Creation and performance
of regular internal self-audits, which may be conducted through the use
of internal and/or external resources depending upon the needs and
demands of the organization; creation of a checklist of critical areas
and items to review, including identification of any deficiencies; and
development of corrective procedures or measures implemented to correct
identified deficiencies. Note: Disclosure of identified deficiencies
and corrective actions will be considered when evaluating effective ICT
control plans under paragraph (f)(2). Failure to disclose this
information could result in revocation, as noted in paragraph (j). Any
violations of the EAR that are uncovered in the process of conducting
this self-evaluation should be disclosed to BIS in accordance with the
voluntary self-disclosure procedures found in section 764.5.
(vii) Letter of assurance for software and technology. A company
officer of the eligible applicant must submit a signed statement on
company letterhead stating that under this license exception, the
eligible applicant and each eligible user and/or eligible recipient
entity will not export, reexport, or transfer (in-country) software
(including the source code for the software) and technology, consistent
with paragraph (c)(1) of this section and consistent with paragraphs
(a)(1) and (a)(2) of Sec. 740.6.
(viii) Signing of non-disclosure agreements. Non-disclosure
agreements not to release any technology or source code must be binding
with respect to any technology or source code that has been released or
otherwise provided to any non-U.S. national employee, wherever located,
on the basis of this license exception, until such technology or source
code no longer requires a license to any destination under the EAR,
regardless of whether the non-U.S. national's employment relationship
with the company remains in effect. Non-disclosure agreements should be
completed in both English and the non-U.S. national employee's native
language.
(ix) Review of end-user lists. Foreign national employees, as
described in note 2 to paragraph (b)(3)(ii), who are eligible to
receive technology or source code under this license exception, must be
screened against all lists of end-users of concern compiled by the U.S.
government. In addition, prior employers of the foreign national
employees must also be screened. These lists can be accessed at
https://www.bis.doc.gov. See paragraph (c)(5) of this section for specific
restrictions.
(2) Exceptions to certain mandatory elements of an ICT control
plan.
(i) If this license exception will be used only for commodities,
then the ICT control plan elements described in paragraphs (d)(1)(iii),
(d)(1)(iv), (d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) are not
mandatory. In this situation, the ICT control plan must state that this
license exception will be used for commodities only and not used for
software or technology.
(ii) If this license exception will be used only for software
(excluding source code), or if this license exception will be used only
for commodities and software (excluding source code), then the ICT
control plan elements described in paragraphs (d)(1)(iv), (d)(1)(viii),
and (d)(1)(ix) are not mandatory. In this situation, the ICT control
plan must state that this license exception will be used for software
(excluding source code) only, or will be used for commodities and
software (excluding source code) only, and not used for technology or
source code.
(e) Information required for grant of ICT authorization.
(1) Prior to the export, reexport, or in-country transfer of items
on the Commerce Control List under this license exception, an eligible
applicant, as described in paragraph (b)(1) of this section, must
submit the following information to BIS:
(i) For the eligible applicant: Full name of company; location of
company headquarters; location of principal place of business; complete
physical addresses (listing a post office box is insufficient) of
company's headquarters and principal place of business; post office box
if used as an alternate address; location of registration or
incorporation; ownership of company, including listing all individuals
or groups that have at least a 10% ownership interest; and need for
License Exception ICT, including listing the ECCNs of the items that
will be exported, reexported, or transferred (in-country) under this
license exception and a detailed narrative describing the intended use
of the items covered by the listed ECCNs and the anticipated resulting
commodities, where relevant;
(ii) For each company, separate from the eligible applicant, that
is intended to be an eligible user or eligible recipient that will
export, reexport, transfer (in-country), or receive items under this
license exception: Full name of entity; location of entity's principal
place of business; complete physical address (listing a post office box
is insufficient) of entity's principal place of business; post office
box if used as an alternate address; location of entity's registration
or incorporation; relationship of the entity to the eligible applicant;
and ownership of company, including listing all individuals or groups
that have at least a 10% ownership interest, where relevant;
(iii) Name and contact information of the employee(s) responsible
for implementing the ICT control plan of the eligible applicant and its
wholly-owned or controlled in fact entities that are eligible users
and/or eligible recipients;
(iv) A full copy of the ICT control plan, as described in paragraph
(d) of this section, covering the eligible
applicant and its wholly-owned or controlled in fact entities that are
eligible users and/or eligible recipients;
(v) Documentation showing implementation of screening, training,
and self-evaluation elements in the ICT control plan, as described in
paragraphs (d)(1)(iv), (d)(1)(v), (d)(1)(vi), and (d)(1)(ix), where
applicable; and
(vi) A signed statement, on company letterhead, by a company
officer of the eligible applicant that states each eligible user and/or
eligible recipient entity will allow BIS, at the agency's discretion,
to conduct audits to ensure compliance with this license exception.
(2) Submit all required information to: Bureau of Industry and
Security, Attn: License Exception ICT, HCHB Room 2705, 14th Street &
Pennsylvania Ave., NW., Washington, DC 20230.
(f) Review of License Exception ICT submissions. Upon receipt of
completed information required under paragraph (e)(1) of this section,
BIS will conduct a review described in paragraph (f)(1) of this
section. During the review, BIS will use the factors described in
paragraph (f)(2) of this section to determine authorization. In
addition to informing the eligible applicant whether it may use this
license exception, BIS will provide the terms of the ICT authorization
including which wholly-owned or controlled in fact entities may use
this license exception and the ECCNs of the items that may be exported,
reexported, or transferred under this license exception. BIS will
respond in writing to the eligible applicant once a decision is
reached.
(1) Processing procedures. For purposes of review only, License
Exception ICT submissions will be reviewed in the manner that license
applications are reviewed pursuant to Sec. Sec. 750.3 and 750.4 of the
EAR and Executive Order 12981, as amended by Executive Orders 13020,
13026, and 13117.
(2) Review factors. The following factors will be considered in
determining License Exception ICT authorization: Prior licensing
history; demonstration of an effective ICT control plan; and need for
the license exception, as expressed in the submission for ICT
authorization, including the requested ECCNs and the relationship of
the wholly-owned or controlled in fact entities to the parent company
or other entities of national security or foreign policy concern. BIS
will also consider any deficiencies, including violations of the EAR,
that are uncovered as part of the self-evaluation element of the
eligible applicant's ICT control plan described in (d)(vi) of this
part, and, if appropriate, disclosed to BIS in accordance with section
764.5, as well as any corrective action that was subsequently taken.
(g) Changes to Submitted Information Following Receipt of
Authorization.
(1) Before an entity not previously identified in an approved
eligible applicant's initial submission under paragraph (e) of this
section may use this license exception, the approved eligible applicant
must submit the information regarding the new entity in accordance with
paragraph (e)(1)(ii) of this section to BIS at the address listed in
paragraph (e)(2) of this section. This submission will undergo the same
process of review as the initial submission, which is described in
paragraph (f)(1) of this section.
(2) After obtaining authorization to use this license exception, an
approved eligible applicant may request License Exception ICT
eligibility for additional ECCNs that were not previously identified in
its initial submission. To make such a request, the approved eligible
applicant must submit the necessary information required under
paragraph (e)(1)(i) regarding the additional ECCNs to BIS at the
address listed in paragraph (e)(2) of this section. This submission
will undergo the same process of review as the initial submission,
which is described in paragraph (f)(1) of this section.
(3) If control of an approved eligible applicant changes after
obtaining prior authorization to use this license exception (e.g.,
through change of ownership, acquisition, or merger), authorization to
use this license exception will no longer be valid. Under such
circumstances, the new eligible applicant must submit all information
required under paragraph (e)(1) of this section to obtain new
authorization to use this license exception. This submission will
undergo