International Traffic in Arms Regulations: Creation of Definition of Activities That Are Not Exports, Reexports, Retransfers, or Temporary Imports; Creation of Definition of Access Information; Revisions to Definitions of Export, Reexport, Retransfer, Temporary Import, and Release, 70887-70893 [2019-27438]

Agencies

• DEPARTMENT OF STATE

[Federal Register Volume 84, Number 247 (Thursday, December 26, 2019)]
[Rules and Regulations]
[Pages 70887-70893]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-27438]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

22 CFR Part 120

[Public Notice: 10946]
RIN 1400-AE76


International Traffic in Arms Regulations: Creation of Definition 
of Activities That Are Not Exports, Reexports, Retransfers, or 
Temporary Imports; Creation of Definition of Access Information; 
Revisions to Definitions of Export, Reexport, Retransfer, Temporary 
Import, and Release

AGENCY: Department of State.

ACTION: Interim final rule; request for comment.

-----------------------------------------------------------------------

SUMMARY: The Department of State amends the International Traffic in 
Arms Regulations (ITAR) to create a definition of ``activities that are 
not exports, reexports, retransfers, or temporary imports'' by 
combining existing text from the regulations with new text regarding 
secured unclassified technical data. The activities included in the new 
definition are: Launching items into space, providing technical data to 
U.S. persons within the United States or within a single country 
abroad, and moving a defense article between the states, possessions, 
and territories of the United States. The definition also clarifies 
that the electronic transmission and storage of properly secured 
unclassified technical data via foreign communications infrastructure 
does not constitute an export. Additionally, the Department amends the 
ITAR to create a definition of ``access information'' and revise the 
definition of ``release'' to address the provision of access 
information to an unauthorized foreign person.

DATES: Effective date: This interim final rule is effective on March 
25, 2020.
    Comments due date: Interested parties may submit comments by 
January 27, 2020.

ADDRESSES: Interested parties may submit comments by one of the 
following methods:

[[Page 70888]]

     Email: [email protected] with the subject line, 
``Revisions to Definitions; Data Transmission and Storage''
     Internet: At www.regulations.gov, search for this notice 
using Docket DOS-2019-0040.

FOR FURTHER INFORMATION CONTACT: Ms. Sarah Heidema, Director, Office of 
Defense Trade Controls Policy, Department of State, telephone (202) 
663-1282; email [email protected]. ATTN: ITAR Amendment--
Revisions to Definitions; Data Transmission and Storage.

SUPPLEMENTARY INFORMATION: The Directorate of Defense Trade Controls 
(DDTC), U.S. Department of State, administers the International Traffic 
in Arms Regulations (ITAR) (22 CFR parts 120 through 130). The items 
subject to the jurisdiction of the ITAR, i.e., defense articles and 
defense services, are identified on the ITAR's U.S. Munitions List 
(USML) (22 CFR 121.1). With few exceptions, items not subject to the 
export control jurisdiction of the ITAR are subject to the jurisdiction 
of the Export Administration Regulations (EAR, 15 CFR parts 730 through 
774, which includes the Commerce Control List (CCL) in Supplement No. 1 
to part 774), administered by the Bureau of Industry and Security 
(BIS), U.S. Department of Commerce. Both the ITAR and the EAR create 
license requirements for exports and reexports of controlled items. 
Items not subject to the ITAR or to the exclusive licensing 
jurisdiction of any other set of regulations are subject to the EAR.
    On June 3, 2015, the Department of State published a proposed rule 
(80 FR 31525) (2015 proposed rule) and requested comments on an 
extensive array of proposed amendments to the ITAR, including the 
revision of key definitions, the creation of several new definitions, 
and the revision of related provisions. The proposed amendments also 
attempted to harmonize these definitions with the EAR to the extent 
appropriate. After reviewing the public comments on the 2015 proposed 
rule, the Department published an interim final rule on June 3, 2016 
(81 FR 35611) (2016 interim final rule), which updated the definitions 
of ``export'' and ``reexport or retransfer'' and, in an effort to 
clarify and support the interpretation of these definitions, also 
created definitions of ``release'' and ``retransfer.'' BIS concurrently 
published amendments (BIS companion rule) to definitions, including 
``export,'' ``reexport,'' ``release,'' and ``transfer (in-country)'' in 
the EAR (81 FR 35586). The Department subsequently reviewed the public 
comments on the 2016 interim final rule and published a final rule on 
September 8, 2016 (81 FR 62004) (2016 final rule), which revised the 
definition of ``retransfer'' and made other clarifying revisions. Not 
all of the amendments proposed in the 2015 proposed rule were adopted, 
and both the 2016 interim final rule and the 2016 final rule reserved 
the remaining amendments for consideration in separate rulemakings.
    This interim final rulemaking addresses certain of the remaining 
amendments from the 2015 proposed rule, and the Department continues to 
reserve the remaining amendments for consideration in separate 
rulemakings. Included in this interim final rule is the creation of a 
definition for ``activities that are not exports, reexports, 
retransfers, or temporary imports'' under a new ITAR Sec.  120.54 
(Sec.  120.52 in the 2015 proposed rule). Among other things, this 
provision provides that the properly secured (by end-to-end encryption) 
electronic transmission or storage of unclassified technical data via 
foreign communications infrastructure does not constitute an export, 
reexport, retransfer, or temporary import.
    The Department recognizes the BIS companion rule addressed these 
issues with the creation of EAR Sec.  734.18, and the Department has 
received repeated enquiries regarding when a similar rule would be 
issued regarding the ITAR. In an effort to align the definition in the 
ITAR with the definition in the EAR, the interim final rule described 
below is structured similarly to EAR Sec.  734.18. The Department also 
recognizes that it has received public comments regarding these 
amendments to the ITAR. Where appropriate, those comments are addressed 
in the analysis below. In light of the potential impact the amendments 
in this rule may have on the regulated community's processes, and the 
updated security strength standards described below, the Department 
considered it appropriate to provide another opportunity for the public 
to submit comments and therefore publishes this rule as an interim 
final rule with the opportunity for the public to provide comment.

1. Definition of Activities That Are Not Exports, Reexports, 
Retransfers, or Temporary Imports

    The Department adds Sec.  120.54 to describe those ``activities 
that are not exports, reexports, retransfers, or temporary imports'' 
and do not require authorization from the Department. For the purpose 
of this preamble, the Department will use the term ``controlled event'' 
to mean an export, reexport, retransfer, or temporary import, all of 
which require a DDTC license or other approval.
    The first of five provisions in the new Sec.  120.54 states in 
paragraph (a)(1) that it is not a controlled event to launch items into 
space. This activity is already excluded from the definition of an 
export in ITAR Sec.  120.17(a)(6) and by statute, see 51 U.S.C. 
50919(f). In an effort to consolidate the different activities that do 
not qualify as exports under the ITAR, this provision has been moved to 
Sec.  120.54(a)(1), and the language has been simplified.
    The second provision states in paragraph (a)(2) that it is not a 
controlled event to transmit or otherwise transfer technical data to a 
U.S. person within the United States from a person in the United 
States. In response to public comments, the updated version of 
paragraph (a)(2) provides that a transmission or other transfer between 
U.S. persons who are in the United States is unequivocally not a 
controlled event. However, any release to a foreign person remains a 
controlled event.
    The third provision, which was not included in the 2015 proposed 
rule but is added here in response to public comments to that proposed 
rule, is found in the new paragraph (a)(3). This provision states that 
transmissions or other transfers of technical data between and among 
only U.S. persons in the same foreign country are similarly not 
reexports or retransfers so long as they do not result in a release to 
a foreign person or transfer to a person prohibited from receiving the 
technical data because that person is otherwise precluded from engaging 
in the regulated activity, for example a debarred person.
    The fourth provision states in paragraph (a)(4) that it is not a 
controlled event to move a defense article between the states, 
possessions, and territories of the United States. One commenter 
requested that the Department revise paragraph (a)(4) to list 
explicitly the Virgin Islands of the United States, Guam, American 
Samoa, and the various United States Minor Outlying Islands. The 
Department will not make this change because the ITAR already defines 
the term ``United States'' in Sec.  120.13, and that definition is 
applicable.
    The fifth provision states in paragraph (a)(5) that it is not a 
controlled event to send, take, or store unclassified technical data 
when it is effectively encrypted using end-to-end encryption. 
Therefore, a controlled event does not occur when technical data is 
encrypted

[[Page 70889]]

prior to leaving the sender's facilities and remains encrypted until 
decrypted by the intended authorized recipient or retrieved by the 
sender, as in the case of remote storage. The controlled event occurs 
upon the release of the technical data. If the technical data is 
decrypted by someone other than the sender, a U.S. person in the United 
States, or a person otherwise authorized to receive the technical data, 
then the technical data is not secured using end-to-end encryption for 
purposes of paragraph (a)(5) and the original transmission was a 
controlled event.
    The encryption must be accomplished in a manner that is certified 
by the U.S. National Institute for Standards and Technology (NIST) as 
compliant with the Federal Information Processing Standards Publication 
140-2 (FIPS 140-2), or must meet or exceed a 128-bit security strength. 
At the time of publication of this rule, that criterion is expressed in 
``Table 2: Comparable strengths'' of NIST Special Publication 800-57 
Part 1, Revision 4. Additionally, the technical data may not be 
intentionally sent to a person in or stored in a Sec.  126.1 country or 
the Russian Federation, even in its encrypted state. This will allow 
for transmissions and storage of encrypted data in most foreign 
countries, so long as the technical data remains continuously encrypted 
while outside of the United States or until decrypted by an authorized 
intended recipient.
    In response to public comments regarding the requirement of the 
2015 proposed rule that the encryption be via a FIPS 140-2 compliant 
module, the Department added language that allows encryption through 
means other than FIPS 140-2 compliant modules, so long as it meets or 
exceeds a 128-bit security strength. One commenter suggested that the 
Department retain only FIPS 140-2 to encourage interoperability between 
systems, but the overwhelming number of commenters requested other 
encryption modules be allowed. The Department also clarified that 
intentional storage in the Russian Federation or a Sec.  126.1 country 
constitutes a controlled event. However, incidental collection by a 
foreign intelligence service or transient storage that is incidental to 
sending information via the internet does not.
    Further, in response to public comments, the Department revised 
paragraph (b) to clarify the definition of end-to-end encryption. The 
cryptographic protection must be applied prior to the data being sent 
outside of the originator's security boundary and remain undisturbed 
until it arrives within the security boundary of the intended 
recipient. For communications between individuals, this can be 
accomplished by encrypting the data on the sender's computer prior to 
emailing or otherwise sending it to the intended recipient. For large 
entities, the security boundary may be managed by IT staff, who will 
encrypt the data before it leaves the entity's secure network and 
decrypt it on the way into the network. However, in all instances, the 
means of decryption must not be provided to any third party and the 
data must not have the cryptographic protection removed at any point in 
transit.
    One commenter suggested that the Department define which modules 
under FIPS 140-2 are compliant and which NIST publications are 
applicable, in the rule. The Department disagrees with this comment. 
Compliance with any of the four levels set out in FIPS 140-2 is 
sufficient for the purposes of this section. Exporters are free to 
choose the level that best meets their needs. Different NIST 
publications are relevant to each standard, so the applicable 
publications will depend on the standard used.
    One commenter suggested that the Department provide one year from 
the issuance of a new NIST standard for implementation. The Department 
disagrees with this comment. The NIST standards will be final and 
applicable when NIST makes them the standard.
    One commenter requested that the Department allow a transition 
period so that exporters can implement IT systems compliant with 
paragraph (5). The Department disagrees with this comment. Paragraph 
(5) creates a mechanism for companies to send and store technical data 
outside the United States without engaging in a controlled event. Until 
companies implement an IT system that is compliant with paragraph (5), 
they may not take advantage of this paragraph, but nothing in paragraph 
(5) places any new requirements on exporters, therefore there is no 
need for a transition period.
    One commenter suggested that the Department revise paragraph (b) to 
say ``the means to access the data in unencrypted form is not 
`released' to any third party'' rather than ``the means to access the 
data in unencrypted form is not given to any third party,'' as 
``release'' is a defined term. The Department disagrees with this 
comment. The Department did revise this concept in paragraph (b) to 
require that ``the means of decryption are not provided to any third 
party,'' but the Department chose not to use the word ``released'' 
because that word has a technical definition that would not be 
applicable in this usage.
    Several commenters requested that the Department provide a safe 
harbor, of sorts, by only requiring that cloud customers obtain 
contractual assurances that the data would not be stored in a Sec.  
126.1 country or the Russian Federation. The Department disagrees with 
this comment. Such a provision would not be in the national security or 
foreign policy interests of the United States. The Department 
recognizes it can be difficult to control the actions of third parties, 
including partners, service providers, and subcontractors, and will 
review potential violations on a case-by-case basis, subject to the 
totality of the facts and circumstances comprising the issue at hand.
    One commenter requested that the Department clarify that 
appropriately encrypted transmissions may transit the Russian 
Federation or a Sec.  126.1 country and still qualify for this 
provision. The Department clarified this point by adding the word 
``intentionally,'' to differentiate those electronic transmissions that 
were intentionally sent to Russia or a Sec.  126.1 country, and those 
that simply transited them in route to another country. The commenter 
also provided an example of such a transmission where an email server 
is located in the Russian Federation or a Sec.  126.1 country. 
Transmission through these destinations is allowed, including temporary 
storage incident to internet transmissions, but long-term storage of 
the information, such as is commonly done on email servers, is 
prohibited in these destinations. Prior to using this provision, 
putative exporters should ensure that the intended recipient or any 
intended remote storage provider does not store their information in 
the Russian Federation or a Sec.  126.1 country.
    One commenter requested that the Department provide that emails 
between authorized parties in the same country also be included in the 
definition of activities that are not exports, reexports, or 
retransfers if they happen to transit a third country, even if the 
technical data is not encrypted as described in paragraph (5). The 
Department notes that transmissions between U.S. persons in the United 
States are not exports under paragraph (2), but that with respect to 
transmissions in foreign countries, only those communications that 
remain in one country between only U.S. persons are excluded under 
paragraph (3). If a company in a foreign country is concerned that 
emails that include technical data may transit third countries, it 
should encrypt those

[[Page 70890]]

communications consistent with paragraph (5).
    Several commenters requested that the Department revise the local 
definition of end-to-end encryption to allow for information security 
mechanisms that render the data into clear text in route to the 
intended recipient, for processing via applications, such as anti-virus 
software or spell-check. The commenters also note that multiple layers 
of encryption may be applied and removed throughout the transit of the 
data. The Department disagrees with this comment. Use of paragraph 
(a)(5) requires that the technical data subject to the ITAR be 
continuously encrypted at all times while outside of an authorized 
security boundary. The Department is aware that there are many ways 
that this provision can be implemented; some of which would allow an 
entity to run anti-virus or other security scans prior to allowing the 
data onto its servers. As long as that initial encryption layer remains 
intact, the addition or removal of subsequent layers of encryption, 
which may or may not meet the FIPS 140-2 standard, is not relevant to 
the application of this section.
    One commenter requested that the Department include the electronic 
storage in the United States and transfer from the United States of 
non-U.S. origin technical data by non-U.S. persons within the 
activities that are not an export, reexport, or retransfer, even when 
not encrypted. The Department disagrees with this comment. Non-U.S. 
origin technical data transiting or stored in the United States that is 
encrypted in the manner described in paragraph (a)(5) (i.e., it remains 
encrypted at all times between originator and recipient, including at 
any time while in the United States), does not require authorization 
from the Department, unless it originates in or is sent to a country 
listed in Sec.  126.1 or the Russian Federation.
    One commenter stated that paragraph (a)(5) in this rule does not 
authorize the export of technical data in a physical medium and 
requested that the Department revise paragraph (a)(5) to allow the 
shipment or carriage of technical data in a physical medium that has 
been properly encrypted. The Department notes that the comment 
mischaracterizes the activity. The movement or storage of controlled 
technical data in a properly encrypted state outside of the United 
States is not an export as defined in Sec.  120.17(a)(1), the specific 
concern raised by the commenter, or a controlled event of any type, and 
does not require authorization. The Department notes that paragraph 
(a)(5) is not limited to electronic transmissions and the shipment or 
carriage of technical data in a physical medium is not a controlled 
event, so long as all of the conditions are met.
    One commenter requested that the Department expand paragraph (a)(5) 
to cover tokenization, as well as encryption. Tokenization is a process 
whereby individual elements of a document, be they letters, words, 
diagrams, or pictures, are replaced by a representative token. As 
described by the commenter, the tokens are assigned randomly and a key 
of the document is created. The document may not be returned to the 
original text from the tokens without use of the specific key for that 
document. This process is different from encryption, in that encryption 
uses an algorithm to encode the document, such that representative 
characters are assigned according to a mathematical formula that can, 
at least theoretically, be deciphered through analysis of the encrypted 
text. The Department will not add tokenization. There is no NIST or 
other comparable standard that the Department can reference to set a 
minimum threshold for implementation of tokenization.
    One commenter suggested that the Department encourage other 
jurisdictions to adopt a provision similar to paragraph (a)(5) in their 
export control systems. The Department agrees, and has already engaged 
in discussions with allies regarding paragraph (a)(5).
    One commenter requested that the Department add shipping to and 
within the territory of an approved end-user as an activity that is not 
an export, reexport, or retransfer. The Department disagrees with this 
comment. A shipment to the territory of an approved end-user is an 
export or reexport that requires authorization. Shipments within the 
territory of an authorized end-user will likewise require authorization 
if the shipment is to someone other than the authorized end-user or for 
activities other than the authorized end-use.
    One commenter requested that the Department create a definition of 
``basic technical data'' and include the sharing of such information in 
this section, analogizing to the sharing of the owner's manual for a 
car. The Department disagrees with this comment. The export of 
technical data requires authorization from the Department. If the 
Department were to define some portion of technical data that does not 
warrant control, the Department would revise Sec.  120.6 or Sec.  
120.10 to exclude it.
    One commenter suggested that the Department include shipments to 
military post offices in this section, noting that the National 
Industrial Security Program Operating Manual (NISPOM) treats transfers 
to military post offices as domestic transfers. The Department 
disagrees with this comment. The export of a defense article shipped to 
a military post office via the U.S. Postal Service is accomplished by 
the U.S. military and therefore may be authorized without a license via 
Sec.  126.4 of the ITAR, so long as the other terms and conditions of 
that provision are met.

2. Revised Definitions of Export, Reexport, Retransfer, and Temporary 
Import

    As stated above, the Department moves the language of Sec.  
120.17(a)(6), which articulates that it is not an export to launch 
items into space, to Sec.  120.52(a)(1), and simplifies the language. 
In its place, the Department adds a new Sec.  120.17(a)(6) in order to 
include within the definition of export the release through the use of 
access information of previously encrypted technical data as described 
in Sec.  120.50(a)(3) (to a foreign person, no matter where located) 
and (a)(4) (causing the technical data to be in an unencrypted form out 
of the United States). The Department added a citation to Sec.  120.54 
to Sec. Sec.  120.17(a), 120.18, 120.19(a), and 120.51(a), which define 
export, temporary import, reexport, and retransfer, respectively, to 
exclude from those definitions activities identified in Sec.  120.54. 
In addition, the Department takes this opportunity to revise Sec.  
120.17(a) in order to mirror the construction of the other definitions 
of controlled activities and lead with the defined term of ``export.''

3. Definition of Access Information

    The Department adds new Sec.  120.55 to define ``access 
information.'' Access information allows access to encrypted technical 
data in an unencrypted form, such as decryption keys, network access 
codes, and passwords. An authorization is required to release technical 
data through access information to the same extent that an 
authorization is required to export the technical data when it is 
unsecured by encryption.
    Several commenters requested that the Department adopt the 
knowledge requirement that was included in the BIS companion rule and 
now appears in EAR Sec.  734.19. The Department disagrees with this 
comment. As provided in Sec. Sec.  120.50(b) and 120.54(b), an existing 
authorization for the release of technical data to the foreign person 
must be in

[[Page 70891]]

place prior to the provision of access information to the foreign 
person that will allow the transition of the encrypted technical data 
to an unencrypted state.

4. Revised Definition of Release

    The Department adds two new subparagraphs to paragraph (a) and a 
new paragraph (b) to the definition of release in Sec.  120.50 in order 
to clarify what constitutes a release of technical data, a controlled 
event requiring authorization from the Department, and the provision of 
access information that may result in the release of technical data. 
Paragraph (a)(3) makes it a release of technical data to use access 
information to cause or enable a foreign person to access, view, or 
possess technical data in unencrypted form. Paragraph (a)(4) makes it a 
release of technical data to use access information in a foreign 
country to cause technical data to be in unencrypted form, including 
when such actions are taken by U.S. persons abroad. Most U.S. persons 
will be authorized to release the technical data abroad to themselves 
or over their employer's virtual private network through the exemption 
at ITAR Sec.  125.4(b)(9).
    The 2015 proposed rule proposed a new paragraph (a)(5) to make it a 
release to provide access information to a foreign person that can 
cause or enable access, viewing, or possession of technical data in 
unencrypted form. It also proposed a Note to paragraph (a) in order to 
clarify the license requirement regarding technical data secured by the 
access information when a release occurs under the proposed paragraphs 
(a)(3), (a)(4), or (a)(5).
    In a change from the 2015 proposed rule, the Department now 
includes at paragraph (b) language derived from the proposed paragraph 
(a)(5) and Note included in that draft. The new paragraph (b) clarifies 
that the provision of access information to a foreign person is not 
itself a controlled event; there is no need for an application by the 
access information provider, or for the Department to issue an 
authorization, for the provision of access information. However, in 
order for the Department to effectively control the release of 
technical data to a foreign person in certain circumstances, paragraph 
(b) requires an authorization for a release of technical data to a 
foreign person before providing the access information to that foreign 
person, if that access information can cause or enable access, viewing, 
or possession of the unencrypted technical data. In the absence of an 
authorization for the release of technical data in such circumstances, 
the provision of access information to a foreign person is a violation 
of ITAR Sec.  127.1(b)(1) for failure to abide by a rule or regulation 
contained in this subchapter.
    Furthermore, causing or enabling a foreign person to access, view, 
or possess unencrypted technical data may constitute a separate 
violation of ITAR Sec.  127.1(a), if the exporter (or reexporter or 
retransferrer) in question has not received prior authorization from 
the Department in the form of a license or other authorization (e.g., 
exemption). As stated in ITAR Sec.  120.54(b), in order for the 
sending, taking, or storing technical data to meet the requirements of 
end-to-end encryption and therefore to constitute an activity that is 
not a controlled event under ITAR Sec.  120.54(a)(5), the intended 
recipient must be the originator, a U.S. person in the United States, 
or otherwise authorized to receive the technical data in an unencrypted 
form.
    The Department recognizes that the 2015 proposed rule contained 
draft language for a new Sec.  127.1(b)(4) that would have listed the 
types of controlled events involving the secured unclassified technical 
data described in this interim final rule's Sec.  120.54(a)(5). The 
Department did not receive any public comments on this proposed 
amendment. Nevertheless, once the Department decided to establish a new 
definition for ``access information'' in Sec.  120.55 that is distinct 
from the definition of technical data in Sec.  121.10, it seemed more 
appropriate to include descriptions of the relevant controlled events 
under the definition of release in Sec.  120.50 because that provision 
was added to the ITAR in order to describe more effectively the 
controlled disclosure of information. Moreover, this construction is 
analogous to how the EAR defines the term ``access information'' in EAR 
Sec.  772.1 and uses that term in Sec.  734.19 to describe controlled 
events related to ``activities that are not exports, reexports, or 
retransfers'' under Sec.  734.18.
    Finally, the Department adds and reserves Sec. Sec.  120.52 and 
120.53.

Regulatory Analysis and Notices

Administrative Procedure Act

    This rulemaking is exempt from section[thinsp]553 (Rulemaking) and 
section[thinsp]554 (Adjudications) of the Administrative Procedure Act 
(APA) pursuant to 5 U.S.C. 553(a)(1) as a military or foreign affairs 
function of the United States Government. Although the Department is of 
the opinion that this interim final rule is exempt from the rulemaking 
provisions of the APA, the Department published this rule as a proposed 
rule (80 FR 31525) with a 60-day provision for public comment, 
published an interim final rule (81 FR 35611) with a 30-day provision 
for public comment and three-month delayed effective date for certain 
provisions thereof, and now as another interim final rule with a 30-day 
provision for public comment and three-month delayed effective date for 
the provisions identified herein. Those publications were without 
prejudice to the Department's determination that controlling the import 
and export of defense services is a foreign affairs function.

Regulatory Flexibility Act

    Since the Department is of the opinion that this rulemaking is 
exempt from the rulemaking provisions of 5 U.S.C. 553, there is no 
requirement for an analysis under the Regulatory Flexibility Act.

Unfunded Mandates Reform Act of 1995

    This rulemaking does not involve a mandate that will result in the 
expenditure by State, local, and tribal governments, in the aggregate, 
or by the private sector, of $100 million or more in any year and it 
will not significantly or uniquely affect small governments. Therefore, 
no actions were deemed necessary under the provisions of the Unfunded 
Mandates Reform Act of 1995.

Small Business Regulatory Enforcement Fairness Act of 1996

    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996 (the ``Act''), a major rule is a rule that the 
Administrator of the OMB Office of Information and Regulatory Affairs 
finds has resulted or is likely to result in: (1) An annual effect on 
the economy of $100,000,000 or more; (2) a major increase in costs or 
prices for consumers, individual industries, federal, state, or local 
government agencies, or geographic regions; or (3) significant adverse 
effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based enterprises to 
compete with foreign-based enterprises in domestic and foreign markets.
    The Department does not believe this rulemaking is a major rule 
within the meaning of the Act. The means of solving the issue of data 
protection are already both familiar to and extensively used by the 
affected public in protecting sensitive information.

[[Page 70892]]

Executive Orders 12372 and 13132

    This rulemaking will not have substantial direct effects on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, in accordance with Executive 
Order 13132, it is determined that this rulemaking does not have 
sufficient federalism implications to require consultations or warrant 
the preparation of a federalism summary impact statement. The 
regulations implementing Executive Order 12372 regarding 
intergovernmental consultation on Federal programs and activities do 
not apply to this rulemaking.

Executive Orders 12866 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributed impacts, and equity). The executive orders stress 
the importance of quantifying both costs and benefits, of reducing 
costs, of harmonizing rules, and of promoting flexibility. This 
rulemaking has been designated a ``significant regulatory action,'' 
although not economically significant, under section 3(f) of Executive 
Order 12866. Accordingly, the rulemaking has been reviewed by the 
Office of Management and Budget (OMB).

Executive Order 12988

    The Department has reviewed the rulemaking in light of sections 
3(a) and 3(b)(2) of Executive Order 12988 to eliminate ambiguity, 
minimize litigation, establish clear legal standards, and reduce 
burden.

Executive Order 13175

    The Department has determined that this rulemaking will not have 
tribal implications, will not impose substantial direct compliance 
costs on Indian tribal governments, and will not preempt tribal law. 
Accordingly, Executive Order 13175 does not apply to this rulemaking.

Executive Order 13771

    This final rule is not subject to the requirements of Executive 
Order 13771 because it is issued with respect to a military or foreign 
affairs function of the United States.

Paperwork Reduction Act

    This rulemaking does not impose any new reporting or recordkeeping 
requirements subject to the Paperwork Reduction Act, 44 U.S.C. Chapter 
35; however, the Department seeks public comment on any unforeseen 
potential for increased burden.

List of Subjects in 22 CFR 120

    Arms and munitions, Classified information, Exports.

    Accordingly, for the reasons set forth above, title 22, chapter I, 
subchapter M, part 120 of the Code of Federal Regulations is amended as 
follows:

PART 120--PURPOSE AND DEFINITIONS

0
1. The authority citation for part 120 continues to read as follows:

    Authority:  Secs. 2, 38, and 71, Pub. L. 90-629, 90 Stat. 744 
(22 U.S.C. 2752, 2778, 2797); 22 U.S.C. 2794; 22 U.S.C. 2651a; Pub. 
L. 105-261, 112 Stat. 1920; Pub. L. 111-266; Section 1261, Pub. L. 
112-239; E.O. 13637, 78 FR 16129.


0
2. Section 120.17 is amended by revising paragraphs (a) introductory 
text and (a)(6) to read as follows:


Sec.  120.17  Export.

    (a) Export, except as set forth in Sec.  120.54, Sec.  126.16, or 
Sec.  126.17, means:
* * * * *
    (6) The release of previously encrypted technical data as described 
in Sec.  120.50(a)(3) and (4) of this subchapter.
* * * * *

0
3. Section 120.18 is revised to read as follows:


Sec.  120.18  Temporary import.

    Temporary import, except as set forth in Sec.  120.54, means 
bringing into the United States from a foreign country any defense 
article that is to be returned to the country from which it was shipped 
or taken, or any defense article that is in transit to another foreign 
destination. Temporary import includes withdrawal of a defense article 
from a customs bonded warehouse or foreign trade zone for the purpose 
of returning it to the country of origin or country from which it was 
shipped or for shipment to another foreign destination. Permanent 
imports are regulated by the Attorney General under the direction of 
the Department of Justice's Bureau of Alcohol, Tobacco, Firearms, and 
Explosives (see 27 CFR parts 447, 478, 479, and 555).

0
4. Section 120.19 is amended by revising paragraph (a) introductory 
text to read as follows:


Sec.  120.19  Reexport.

    (a) Reexport, except as set forth in Sec.  120.54, Sec.  126.16, or 
Sec.  126.17, means:
* * * * *

0
5. Section 120.50 is amended as follows:
0
a. By removing the word ``or'' at the end of paragraph (a)(1);
0
b. By removing the period and adding in its place a semi-colon at the 
end of paragraph (a)(2); and
0
c. By adding paragraphs (a)(3) and (4) and (b).
    The additions read as follows:


Sec.  120.50  Release.

    (a) * * *
    (3) The use of access information to cause or enable a foreign 
person, including yourself, to access, view, or possess unencrypted 
technical data; or
    (4) The use of access information to cause technical data outside 
of the United States to be in unencrypted form.
    (b) Authorization for a release of technical data to a foreign 
person is required to provide access information to that foreign 
person, if that access information can cause or enable access, viewing, 
or possession of the unencrypted technical data.

0
6. Section 120.51 is amended by revising paragraph (a) introductory 
text to read as follows:


Sec.  120.51  Retransfer.

    (a) Retransfer, except as set forth in Sec.  120.54, Sec.  126.16, 
or Sec.  126.17, means:
* * * * *


Sec.  120.52  [Reserved]

0
7. Add reserved Sec.  120.52.


Sec.  120.53  [Reserved]

0
8. Add reserved Sec.  120.53.

0
9. Section 120.54 is added to read as follows:


Sec.  120.54  Activities that are not exports, reexports, retransfers, 
or temporary imports.

    (a) The following activities are not exports, reexports, 
retransfers, or temporary imports:
    (1) Launching a spacecraft, launch vehicle, payload, or other item 
into space.
    (2) Transmitting or otherwise transferring technical data to a U.S. 
person in the United States from a person in the United States.
    (3) Transmitting or otherwise transferring within the same foreign 
country technical data between or among only U.S. persons, so long as 
the transmission or transfer does not result in a release to a foreign 
person or

[[Page 70893]]

transfer to a person prohibited from receiving the technical data.
    (4) Shipping, moving, or transferring defense articles between or 
among the United States as defined in Sec.  120.13 of this subchapter.
    (5) Sending, taking, or storing technical data that is:
    (i) Unclassified;
    (ii) Secured using end-to-end encryption;
    (iii) Secured using cryptographic modules (hardware or software) 
compliant with the Federal Information Processing Standards Publication 
140-2 (FIPS 140-2) or its successors, supplemented by software 
implementation, cryptographic key management, and other procedures and 
controls that are in accordance with guidance provided in current U.S. 
National Institute for Standards and Technology (NIST) publications, or 
by other cryptographic means that provide security strength that is at 
least comparable to the minimum 128 bits of security strength achieved 
by the Advanced Encryption Standard (AES-128);
    (iv) Not intentionally sent to a person in or stored in a country 
proscribed in Sec.  126.1 of this subchapter or the Russian Federation; 
and

    Note to paragraph (a)(5)(iv): Data in-transit via the internet 
is not deemed to be stored.

    (v) Not sent from a country proscribed in Sec.  126.1 of this 
subchapter or the Russian Federation.
    (b)(1) For purposes of this section, end-to-end encryption is 
defined as:
    (i) The provision of cryptographic protection of data, such that 
the data is not in an unencrypted form, between an originator (or the 
originator's in-country security boundary) and an intended recipient 
(or the recipient's in-country security boundary); and
    (ii) The means of decryption are not provided to any third party.
    (2) The originator and the intended recipient may be the same 
person. The intended recipient must be the originator, a U.S. person in 
the United States, or a person otherwise authorized to receive the 
technical data, such as by a license or other approval pursuant to this 
subchapter.
    (c) The ability to access technical data in encrypted form that 
satisfies the criteria set forth in paragraph (a)(5) of this section 
does not constitute the release or export of such technical data.

0
9. Section 120.55 is added to read as follows:


Sec.  120.55  Access Information.

    Access information is information that allows access to encrypted 
technical data subject to this subchapter in an unencrypted form. 
Examples include decryption keys, network access codes, and passwords.

Christopher A. Ford,
Assistant Secretary, International Security and Nonproliferation, U.S. 
Department of State.
[FR Doc. 2019-27438 Filed 12-23-19; 8:45 am]
BILLING CODE 4710-25-P