Information Security Controls: Cybersecurity Items, 58205-58216 [2021-22774]

Download as PDF 58205 Rules and Regulations Federal Register Vol. 86, No. 201 Thursday, October 21, 2021 This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510. 5 CFR Part 1630 Privacy Act Exemptions Paperwork Reduction Act Federal Retirement Thrift Investment Board. I certify that these regulations do not require additional reporting under the criteria of the Paperwork Reduction Act. FEDERAL RETIREMENT THRIFT INVESTMENT BOARD AGENCY: ACTION: Final rule. In accordance with the Privacy Act of 1974 (the Act) the Federal Retirement Thrift Investment Board (FRTIB) is exempting five systems of records from certain requirements of the Act. SUMMARY: This final rule is effective October 21, 2021. DATES: FOR FURTHER INFORMATION CONTACT: Dharmesh Vashee, Senior Agency Official for Privacy and General Counsel, Federal Retirement Thrift Investment Board, Office of General Counsel, 77 K Street NE, Suite 1000, Washington, DC 20002, (202) 942–1600. On August 13, 2021, FRTIB published a notice of proposed rulemaking in the Federal Register, 86 FR 44642, to amend FRTIB’s Privacy Act regulations at 5 CFR part 1630 to exempt five of its systems of records, FRTIB–2, FRTIB–13, FRTIB–14, FRTIB–15, and FRTIB–23, from certain requirements of the Privacy Act, 5 U.S.C. 552a. The FRTIB promulgated exemptions to the Privacy Act for these five systems of records in accordance with subsection (k)(2) and subsection (k)(5). Comments were invited on the notice of proposed rulemaking (NPRM) published on August 13, 2021. No comments were received regarding this proposed rulemaking. The FRTIB will implement the rulemaking as proposed. SUPPLEMENTARY INFORMATION: Public Comments FRTIB received no comments on the NPRM. VerDate Sep<11>2014 16:29 Oct 20, 2021 Unfunded Mandates Reform Act of 1995 Pursuant to the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 602, 632, 653, 1501 1571, the effects of this regulation on state, local, and tribal governments and the private sector have been assessed. This regulation will not compel the expenditure in any one year of $100 million or more by state, local, and tribal governments, in the aggregate, or by the private sector. Therefore, a statement under section 1532 is not required. Submission to Congress and the Government Accountability Office Pursuant to 5 U.S.C. 801(a)(1)(A), the Agency submitted a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States before publication of this rule in the Federal Register. This rule is not a major rule as defined at 5 U.S.C. 804(2). List of Subjects in 5 CFR Part 1630 Privacy. Ravindra Deo, Executive Director, Federal Retirement Thrift Investment Board. Accordingly, FRTIB amends 5 CFR part 1630 as follows: PART 1630—PRIVACY ACT REGULATIONS 1. The authority citation for part 1630 continues to read as follows: ■ Jkt 256001 Authority: 5 U.S.C. 552a. PO 00000 Frm 00001 Fmt 4700 Sfmt 4700 2. Amend § 1630.15 by revising paragraph (b) to read as follows: ■ FRTIB certifies that this regulation will not have a significant economic impact on a substantial number of small entities under the Regulatory Flexibility Act (5 U.S.C. 601, et seq.). This rule does not impose a requirement for small businesses to report or keep records on any of the requirements contained in this rule. The exemptions to the Privacy Act apply to individuals, and individuals are not covered entities under the Regulatory Flexibility Act. The Code of Federal Regulations is sold by the Superintendent of Documents. jspears on DSK121TN23PROD with RULES1 Regulatory Flexibility Act § 1630.15 Exemptions. * * * * * (b) Those designated systems of records which are exempt from the requirements of subsections (c)(3); (d); (e)(1); (e)(4)(G), (H), (I); and (f) of the Privacy Act, 5 U.S.C. 552a, include FRTIB–2, Personnel Security Investigation Files; FRTIB–13, Fraud and Forgery Records; FRTIB–14, FRTIB Legal Case Files; FRTIB–15, Internal Investigations of Harassment and Hostile Work Environment Allegations; and FRTIB–23, Insider Threat Program Records. * * * * * [FR Doc. 2021–22952 Filed 10–20–21; 8:45 am] BILLING CODE 6760–01–P DEPARTMENT OF COMMERCE Bureau of Industry and Security 15 CFR Parts 740, 772 and 774 [Docket No. 211013–0209] RIN 0694–AH56 Information Security Controls: Cybersecurity Items Bureau of Industry and Security, Commerce. ACTION: Interim final rule, with request for comments. AGENCY: This interim final rule outlines the progress the United States has made in export controls pertaining to cybersecurity items, revised Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community. Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it. SUMMARY: E:\FR\FM\21OCR1.SGM 21OCR1 58206 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations Effective date: This rule is effective January 19, 2022. Comments must be received by BIS no later than December 6, 2021. ADDRESSES: Comments on this rule may be submitted to the Federal rulemaking portal (www.regulations.gov). The regulations.gov ID for this rule is: BIS– 2020–0038. Please refer to RIN 0694– AH56 in all comments. All filers using the portal should use the name of the person or entity submitting the comments as the name of their files, in accordance with the instructions below. Anyone submitting business confidential information should clearly identify the business confidential portion at the time of submission, file a statement justifying nondisclosure and referring to the specific legal authority claimed, and also provide a non-confidential version of the submission. For comments submitted electronically containing business confidential information, the file name of the business confidential version should begin with the characters ‘‘BC.’’ Any page containing business confidential information must be clearly marked ‘‘BUSINESS CONFIDENTIAL’’ on the top of that page. The corresponding non-confidential version of those comments must be clearly marked ‘‘PUBLIC.’’ The file name of the non-confidential version should begin with the character ‘‘P.’’ Any submissions with file names that do not begin with either a ‘‘BC’’ or a ‘‘P’’ will be assumed to be public and will be made publicly available through https:// www.regulations.gov. FOR FURTHER INFORMATION CONTACT: For questions regarding the Export Control Classification Numbers (ECCNs) included in this rule or License Exception ACE, contact Aaron Amundson at 202–482–0707 or email Aaron.Amundson@bis.doc.gov. SUPPLEMENTARY INFORMATION: jspears on DSK121TN23PROD with RULES1 DATES: Background In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List, including a definition for ‘‘intrusion software.’’ The controls included hardware and software controls on the command and delivery platforms for ‘‘intrusion software,’’ the technology for the ‘‘development,’’ ‘‘production’’ or ‘‘use’’ of the command and delivery platforms, and the technology for the ‘‘development’’ of ‘‘intrusion software.’’ On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule describing how these new controls would fit into the Export VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 Administration Regulations (EAR) and requested information from the public about the impact on U.S. industry. The public comments on the proposed rule revealed serious issues concerning scope and implementation regarding these controls. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 controls, the U.S. government returned to the WA to renegotiate the controls. In response to the proposed rule, BIS received almost 300 comments that raised substantial concerns about the proposed rule’s scope and the impact the proposed rule would have on legitimate cybersecurity research and incident response activities. BIS also conducted extensive outreach with the security industry, financial institutions, and government agencies that manage cybersecurity. Comments on the previously published proposed rule focused on three main issues. First, many commenters asserted that the entries were overly broad, captured more than was intended, and, as a technical matter, failed to accurately describe the items intended for control. Second, many commenters asserted that the rule as written imposed a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity. Third, many commenters suggested that the proposed rule’s control on technology for the ‘‘development’’ of ‘‘intrusion software’’ could cripple legitimate cybersecurity research. Based on these comments, the United States decided against amending the proposed rule and instead returned to the WA in 2016 and 2017 to negotiate changes to the text. In December 2017, the WA published the changes that resulted from those negotiations. There were three significant changes: First, using ‘‘command and control’’ in the control language for both hardware and software addressed concerns from cybersecurity companies to more specifically control tools that can be used maliciously. Second, adding a note to the control entry for technology for the ‘‘development’’ of ‘‘intrusion software’’ that excludes from the entry ‘‘technology’’ that is exchanged for ‘vulnerability disclosure’ or ‘cyber incident response’. Third, adding a note to the ‘‘software’’ generation, command and control, or delivery entry that excludes from this entry products designed and limited to providing basic software updates and upgrades. PO 00000 Frm 00002 Fmt 4700 Sfmt 4700 BIS publishes this interim final rule to implement the WA 2017 decisions related to cybersecurity. The rule creates a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports, reexports and transfers (in-country) of cybersecurity items, as described in more detail below, which are not also controlled in Category 5—Part 2 of the CCL or for Surreptitious Listening (SL) reasons. In addition, BIS authorizes certain IP network surveillance products under the same License Exception ACE. These items were also part of the May 20, 2015 proposed rule but received far fewer comments than the other items in that proposed rule. BIS believes that making these products eligible for License Exception ACE addresses concerns raised in the comments on the previously published proposed rule. BIS believes this rule implements the WA decision of 2013, as amended in 2017, with regard to cybersecurity items and addresses the concerns expressed by industry and others about the previously published proposed rule. Further, because of the limited scope of this rule, BIS believes the impact would be minimal. However, to ensure full consideration of the potential impact of this rule, BIS seeks public comment on this interim final rule, including comments on the potential cost of complying with this rule, and any impacts this rule has on legitimate cybersecurity activities. No items subject to the International Traffic in Arms Regulations (ITAR) are being transferred to the EAR by this rule. Items and services described on the U.S. Munitions List (USML) at ITAR § 121.1, including military training, technical data directly related to a defense article, and certain hardware and software specially designed for intelligence purposes, remain subject to the ITAR. For software directly related to a defense article, see ITAR § 120.10(a)(4) and the applicable technical data entry in each USML category. See EAR § 734.3(b) and ITAR § 120.5(a) for more on the relationship between the ITAR and EAR. Specific Revisions ECCNs 4A005 (new), 4D004 (new), 4E001.a and 4E001.c (new) ECCNs 4A005 and 4D004 are added, as well as a new paragraph 4E001.c, as set forth in the amendments described below. In addition, the existing definition for ‘‘intrusion software’’ found in § 772.1 of the EAR applies to the new ECCNs. The entries include the 2017 WA notes: An exclusion Note in 4D004 for software specially designed E:\FR\FM\21OCR1.SGM 21OCR1 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations and limited to providing basic updates and upgrades and an exclusion Note for 4E001.c (as well as existing 4E001.a) for ‘‘vulnerability disclosure’’ or ‘‘cyber incident response.’’ These terms are added to part 772 and are further explained elsewhere in this preamble. This rule also adds a Note 2 to 4E001.a and .c to clarify that BIS can request information on items decontrolled by Note 1 to ensure compliance with the controls. BIS does not intend this note to require any additional compliance measures beyond what is otherwise required by the EAR. ‘‘Software’’ and ‘‘technology’’ ‘‘published’’ in the public domain and meeting the requirements of § 734.7 of the EAR are not subject to the EAR. ECCN 5A001.j ‘‘IP network communications surveillance systems or equipment . . .’’ Paragraph 5A001.j ‘‘IP network communications surveillance systems or equipment . . .’’ is added to ECCN 5A001. License Exception ACE eligibility is added for 5A001.j in part 740 ‘‘License Exception.’’ License Exception STA conditions are revised to remove eligibility for 5A001.j to destinations listed in Country Groups A:5 and A:6 (see Supplement No. 1 to part 740 of the EAR for Country Groups). License Exceptions GBS and LVS are also revised to remove eligibility for those license exceptions. jspears on DSK121TN23PROD with RULES1 Overlap With Category 5—Part 2 (‘‘Information Security’’) When a cybersecurity item also incorporates particular ‘‘information security’’ functionality specified in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3 Category 5— Part 2 of the CCL in Supplement No. 1 to part 774 of the EAR, these Category 5—Part 2 ECCNs prevail, provided the controlled ‘‘information security’’ functionality remains present and usable within the cybersecurity end item or executable ‘‘software.’’ Category 5—Part 2 does not apply to elements of source code or ‘‘technology’’ that implement functionality controlled in another Category, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent. Surreptitious Listening (SL) Controls All items subject to the EAR that are controlled for Surreptitious Listening (SL) reasons under another ECCN not added by this rule will continue to be classified under the SL ECCN. The WA control list changes related to ‘‘intrusion software’’ and IP network communications surveillance systems VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 do not affect or change any EAR provision regarding communications intercepting devices, ‘‘software’’ or ‘‘technology’’, or any SL control (see § 742.13 of the EAR). If a circumstance arises where the item meets the control for national security (NS) because it meets the cybersecurity parameters, encryption item (EI) parameters, and SL parameters, then the control with the most restrictive licensing requirements applies, which would be SL control, because SL has worldwide control. § 740.22 License Exception Authorized Cybersecurity Exports (ACE) BIS is also establishing a new License Exception Authorized Cybersecurity Exports (ACE). This license exception, will appear in new § 740.22 of the EAR, is necessary to avoid impeding legitimate cybersecurity research and incident response activities. Cybersecurity items in the wrong hands raise both national security and foreign policy concerns. This license exception starts with a definition section that defines cybersecurity items, digital artifacts, favorable treatment cybersecurity end user, and government end user (for the purpose of § 740.22 only). ‘Cybersecurity Items’ are defined in § 740.22 as ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)). License Exception ACE allows the export, reexport and transfer (incountry) of ‘cybersecurity items’ to most destinations, except to destinations listed in Country Groups E:1 and E:2 of supplement no. 1 to part 740. There are two types of end-user restrictions. Restricted end users include a ‘government end user,’ as defined in § 740.22, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740, or a non-government end user located in a country listed in Country Group D:1 or D:5. For deemed exports, the ‘government end user’ restriction applies, but not the ‘non-government end user’ restriction. There are exclusions to the end-user restrictions. The restriction on ‘government end users’ does not apply to exports, reexports, and transfers (incountry) to Country Group D countries that are also listed in Country Group A:6, which includes Cyprus (A:6 and D:5), Israel (A:6 and D:2–4), and Taiwan (A:6 and D:3), of ‘digital artifacts’ that are related to a cybersecurity incident PO 00000 Frm 00003 Fmt 4700 Sfmt 4700 58207 involving information systems owned or operated by a ‘favorable treatment cybersecurity end user,’ or to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents. In addition, the restriction does not apply to exports, reexports, and transfers (incountry) to national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 of ‘cybersecurity items’ for purposes of responding to cybersecurity incidents, for purposes of ‘vulnerability disclosure’, or for purposes of criminal investigations or prosecutions of such cybersecurity incidents. For exports, reexports, or transfers (in-country) to ‘government end-users’ under License Exception ACE, there is no exclusion for activities related to ‘‘vulnerability disclosure’’ and ‘‘cyber incident response.’’ However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excludes ‘‘vulnerability disclosure’’ and ‘‘cyber incident response’’ from control under 4E001.a or .c. The 4E001 exclusion note applies regardless of the type of end user and is unaffected by the restrictions in License Exception ACE. The restriction on non-government end users in Country Group D:1 or D:5 does not apply to exports, reexports or transfers (in-country) of cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c to any ‘favorable treatment cybersecurity end user.’ In addition, this restriction does not apply to ‘‘vulnerability disclosure’’ or ‘‘cyber incident response.’’ Lastly, License Exception ACE has an end-use restriction. License Exception ACE is not authorized if the exporter, reexporter, or transferor knows or has reason to know at the time of export, reexport, or transfer (in-country), including a deemed export or reexport, that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems). Part 772—Definitions of Terms BIS adds to § 772.1 the WA definitions for ‘‘cyber incident response,’’ and ‘‘vulnerability disclosure’’, which are used in Category 4, new paragraph 4E001.c. E:\FR\FM\21OCR1.SGM 21OCR1 58208 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations Conforming Changes Because of the addition of the cybersecurity items to the CCL, some conforming changes need to occur. Notes are added to Category 4 and Category 5—Part 1 to address the overlap between these entries and other entries on the CCL, as further explained below. Notes 3 and 4 to Category 4 To clarify the scope of existing entries in Category 5, Notes 3 and 4 are added to Category 4 stating that cybersecurity items that are specified by certain ECCNs in Category 5—Part 2 or in an ECCN controlled for SL reasons in Category 5—Part 1 would continue to be classified in those ECCNs instead of the new cybersecurity ECCN. In addition, these cybersecurity items are eligible for the license exceptions and are subject to the licensing policies applicable to those entries in Category 5—Part 2 or in the SL-controlled ECCNs. ECCN 4D001 ‘‘Software’’ Paragraph 4D001.a is revised to include 4A005. License Exception ACE eligibility is added for 4D001.a and License Exception STA special conditions are revised to include the ineligibility of software specified in 4D001.a ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment specified by ECCN 4A005 to Country Groups A:5 and A:6. ECCN 4E001 ‘‘Technology’’ In addition to the revision that adds 4E001.c, License Exception ACE eligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c. License Exception STA ineligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c to destinations listed in Country Groups A:5 and A:6. jspears on DSK121TN23PROD with RULES1 Notes 3 and 4 to Category 5—Part 1 To clarify the scope of these entries and existing entries in Category 5 Parts 1 and 2, Notes 3 and 4 are added to Category 5—Part 1 identifying that cybersecurity items controlled in certain Category 5—Part 2 ECCNs will remain controlled in Category 5—Part 2 and are eligible for the license exceptions and are subject to the licensing policies applicable to those ECCNs. In addition, cybersecurity items specified in an ECCN controlled for SL reasons in Category 5—Part 1 continue to be classified in those ECCNs instead of the new cybersecurity ECCN. VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 ECCN 5B001 Telecommunication Test, Inspection and Production Equipment, ‘‘Components’’ and ‘‘Accessories’’ License Exception ACE eligibility is added for 5B001.a (for equipment and ‘‘specially designed’’ ‘‘components’’ or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features, controlled by 5A001.j). License Exception STA conditions are revised to remove eligibility for 5B001.a (for equipment and ‘‘specially designed’’ ‘‘components’’ or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features, controlled by 5A001.j) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exceptions LVS and GBS are revised to remove eligibility for 5B001.a (for 5A001.j). ECCN 5D001 ‘‘Software’’ License Exception ACE eligibility is added for 5D001.a (for equipment, functions or features specified by 5A001.j) and 5D001.c (for equipment specified by 5A001.j or 5B001.a). License Exception STA conditions are revised to remove eligibility for 5D001.a (for equipment, functions or features specified by 5A001.j) and 5D001.c (for equipment specified by 5A001.j or 5B001.a) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exception TSR is revised to remove eligibility for ‘‘software’’ classified under ECCN 5D001.a (for 5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). ECCN 5E001 ‘‘Technology’’ License Exception ACE eligibility is added for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). License Exception STA conditions is revised to remove eligibility for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to destinations listed in Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for Country Groups). License Exception TSR is revised to remove eligibility for ‘‘technology’’ classified under ECCN 5E001.a for 5A001.j, 5B001.a (for 5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). PO 00000 Frm 00004 Fmt 4700 Sfmt 4700 ECCN 5A004 ‘‘Systems,’’ ‘‘Equipment’’ and ‘‘Components’’ for Defeating, Weakening or Bypassing ‘‘Information Security’’ This rule also amends ECCN 5A004 to add 4A005 to 5A004.b. This is done to harmonize with the WA Dual-Use List now that ECCN 4A005 has been added to the CCL. § 740.11 Governments, International Organizations, International Inspections Under the Chemical Weapons Convention, and the International Space Station (GOV) License Exception GOV is amended to exclude cybersecurity items, as defined in § 740.22 License Exception ACE, from paragraph (c) of License Exception GOV. As such, this rule revises paragraph (c)(3)(vi) to remove ‘‘or’’ and to revise paragraph (c)(3)(vii) to replace the period with a semi-colon and ‘‘or.’’ Lastly, paragraph (c)(3)(viii) is added to exclude ‘‘cybersecurity items as defined in § 740.22(b)(1) of the EAR.’’ Export Control Reform Act of 2018 On August 13, 2018, the President signed into law the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. Sections 4801–4852. ECRA provides the legal basis for BIS’s principal authorities and serves as the authority under which BIS issues this proposed rule. Executive Order Requirements Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This interim final rule has been designated a ‘‘significant regulatory action’’ under Executive Order 12866. This rule does not contain policies with Federalism implications as that term is defined under Executive Order 13132. Paperwork Reduction Act Requirements This rule involves collections of information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) under the following information collection approved by the Office of E:\FR\FM\21OCR1.SGM 21OCR1 jspears on DSK121TN23PROD with RULES1 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations Management and Budget (OMB): 0694– 0088, ‘‘Multi-Purpose Application,’’ and carries a burden hour estimate of 29.6 minutes for a manual or electronic submission. BIS will be updating this information collection to account for the increase in burden hours. For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 5A004, 5D001, 5E001), the 2020 data from the Automated Export System (AES) shows 980 shipments valued at $39,146,164. Of those shipments, 120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 countries, which would make them ineligible for License Exception ACE. There were no shipments to Country Group E:1 or E:2. Under the provisions of this rule, the 120 shipments require a license application submission to BIS. As there is no specific ECCN data in AES for the new export controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS uses other data to estimate the number of shipments of these new ECCNs that will require a license. Bureau of Economic Analysis (BEA) data from 2019 show a total dollar value of $55,657 million for Telecom, Computer, and Information Technology Services exports. Multiplying this value by 12.1% (the percentage of all exports that are subject to an EAR license requirement as determined by using AES data) suggests that $6,734,497,000 of Telecom/ Computer/IT exports are now subject to EAR license requirements. Based on AES data on the existing ECCNs affected by this rule, BIS estimates the average value of each shipment for the new ECCNs at about $40,000, and further estimates that 0.6% of all new ECCN shipments (1,010 shipments) are now eligible for License Exception ACE and 0.03% of all new ECCN shipments (50 shipments) require a license application submission. Therefore, the annual total estimated cost associated with the paperwork burden imposed by this rule (that is, the projected increase of license application submissions based on the additional shipments requiring a license) is estimated to be 170 new applications × 29.6 minutes = 5,032/60 min = 84 hours × $30 = $2,520. There is no paperwork submission to BIS associated with using License Exception ACE, and therefore there is no increase to any paperwork burden or information collection cost associated with License Exception ACE requirements in this rule. Any comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 burden, may be submitted online at https://www.reginfo.gov/public/do/ PRAMain. Find the particular information collection by using the search function and entering either the title of the collection, ‘‘Multi-Purpose Application,’’ or the OMB Control Number, 0694–0088. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB Control Number. Administrative Procedure Act and Regulatory Flexibility Act Requirements Pursuant to Section 4821 of ECRA, this action is exempt from the Administrative Procedure Act (5 U.S.C. 553) requirements for notice of proposed rulemaking and opportunity for public participation. Further, no other law requires notice of proposed rulemaking or opportunity for public comment for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required under the Administrative Procedure Act or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) are not applicable. Notwithstanding, BIS believes this interim final rule would benefit from public comment on the impact of the control text and the usefulness of the new License Exception ACE. List of Subjects 15 CFR Part 740 Administrative practice and procedure, Exports, Reporting and recordkeeping requirements. 15 CFR Part 772 Exports. 15 CFR Part 774 Exports, Reporting and recordkeeping requirements. Accordingly, parts 740, 772, and 774 of the Export Administration Regulations (15 CFR parts 730 through 774) are amended as follows: PART 740—[AMENDED] 1. The authority citation for part 740 continues to read as follows: ■ Authority: 50 U.S.C. 4801–4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783. PO 00000 Frm 00005 Fmt 4700 Sfmt 4700 58209 2. Section 740.11 is amended by revising paragraphs (c)(3)(vi) and (vii) and adding paragraph (c)(3)(viii) to read as follows: ■ § 740.11 Governments, international organizations, international inspections under the Chemical Weapons Convention, and the International Space Station (GOV). * * * * * (c) * * * (3) * * * (vi) Items controlled for nuclear nonproliferation (NP) reasons; (vii) Items listed as not eligible for License Exception STA in § 740.20(b)(2)(ii) of the EAR; or (viii) Cybersecurity items as defined in § 740.22(b)(1) of the EAR. * * * * * ■ 3. Section 740.22 is added to read as follows: § 740.22 (ACE). Authorized Cybersecurity Exports (a) Scope. License Exception ACE authorizes export, reexport, and transfer (in-country), including deemed exports and reexports, of ‘cybersecurity items,’ as set forth in paragraph (b) of this section, subject to the restrictions set forth in paragraph (c) of this section. Deemed exports and reexports are authorized under this license exception, except for deemed exports or reexports to E:1 and E:2 nationals as described in paragraph (c)(1)(i) of this section, to certain ‘government end-users’ as described in paragraph (c)(1)(ii) of this section, and subject to the end-use restrictions described in paragraph (c)(2) of this section. Even if License Exception ACE is not available for a particular transaction, other license exceptions may be available. For example, License Exception GOV (§ 740.11 of the EAR) authorizes certain exports to U.S. government agencies and personnel. License Exception TMP (§ 740.9(a)(1) of the EAR) authorizes the export, reexport, and transfer (in country) of tools of the trade in certain situations. (b) Definitions. The following terms and definitions are for the purpose of License Exception ACE only. (1) Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)). (2) Digital artifacts are items (e.g., ‘‘software’’ or ‘‘technology’’) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, E:\FR\FM\21OCR1.SGM 21OCR1 jspears on DSK121TN23PROD with RULES1 58210 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations or other effects on, that information system. (3) Favorable treatment cybersecurity end user is any of the following: (i) A ‘‘U.S. subsidiary’’; (ii) Providers of banking and other financial services; (iii) Insurance companies; or (iv) Civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research. (4) Government end user, for the purpose of § 740.22, is a national, regional or local department, agency or entity that provides any governmental function or service, including international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity. This term includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services, controlled on the Wassenaar Arrangement Munitions List. (c) Restrictions. License Exception ACE exports, reexports, or transfers (incountry) of ‘cybersecurity items’ are subject to the restrictions of this paragraph (c). (1) Destination or end-user restrictions. License Exception ACE does not authorize deemed exports under paragraph (c)(1)(i) or (ii) of this section.The restrictions in paragraphs (c)(1)(i) and (ii) apply to activities, including exports, reexports, and transfers (in-country), related to ‘‘vulnerability disclosure’’ and ‘‘cyber incident response.’’ However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excludes ‘‘vulnerability disclosure’’ and ’’cyber incident response’’ from control under 4E001.a or .c. (i) A destination that is listed in Country Group E:1 or E:2 in supplement no.1 to part 740 of the EAR. (ii) A government end user, as defined in this section, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740. This restriction does not apply to: (A) Exports, reexports, and transfers (in-country) to Country Group D countries that are also listed in Country Group A:6 of ‘digital artifacts’ that are related to a cybersecurity incident involving information systems owned or operated by a ‘favorable treatment cybersecurity end user’, or to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or (B) Exports, reexports, and transfers (in-country) to national computer VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 security incident response teams in Country Group D countries that are also listed in Country Group A:6 of ‘cybersecurity items’ for purposes of responding to cybersecurity incidents, for purposes of ‘vulnerability disclosure’, or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents. (iii) A non-government end user located in any country listed in Country Group D:1 or D:5 of Supplement No. 1 to part 740 of the EAR. This restriction does not apply to: (A) Exports, reexports or transfers (incountry) of cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c, to any ‘favorable treatment cybersecurity end user;’ (B) ‘‘Vulnerability disclosure’’ or ‘‘cyber incident response;’’or (C) Deemed exports. (2) End-use restrictions. License Exception ACE is not authorized if the exporter, reexporter, or transferor ‘‘knows’’ or has ‘‘reason to know’’ at the time of export, reexport, or transfer (incountry), including deemed exports and reexports, that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems). PART 772—[AMENDED] 4. The authority citation for part 772 is revised to read as follows: ■ Authority: 50 U.S.C. 4801–4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783. 5. Section 772.1 is amended by adding the definitions for ‘‘cyber incident response’’, and ‘‘vulnerability disclosure’’ to read as follows: ■ § 772.1 Definitions of terms as used in the Export Administration Regulations (EAR). * * * * * Cyber incident response. (§ 740.22, Cat 4) means the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident. * * * * * Vulnerability disclosure. (§ 740.22, Cat 4) means the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or PO 00000 Frm 00006 Fmt 4700 Sfmt 4700 organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability. * * * * * PART 774—[AMENDED] 6. The authority citation for part 774 continues to read as follows: ■ Authority: 50 U.S.C. 4801–4852; 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 42 U.S.C. 2139a; 15 U.S.C. 1824a; 50 U.S.C. 4305; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783. Supplement No. 1 to Part 774— [Amended] 7. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding Notes 3 and 4 to the beginning of the category to read as follows: ■ Category 4—Computers * * * * * Note 3: Commodities and ‘‘software’’ in ECCNs 4A005 and 4D004 that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain controlled in Category 5—Part 2 by those entries. Category 5—Part 2 does not apply to elements of source code that implement functionality controlled by these Category 4 ECCNs, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent. Note 4: Items in ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, and ‘‘technology’’ specified in ECCN 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c that are also controlled for Surreptitious Listening (SL) reasons under another ECCN, will continue to be classified under the SL ECCN. 8. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding ECCN 4A005 after ECCN 4A004 to read as follows: ■ Supplement No. 1 to Part 774—The Commerce Control List * * * * * 4A005 ‘‘Systems,’’ ‘‘equipment,’’ and ‘‘components’’ therefor, ‘‘specially designed’’ or modified for the generation, command and control, or delivery of ‘‘intrusion software’’. License Requirements Reason for Control: NS, AT Control(s) NS applies to entire entry. AT applies to entire entry. E:\FR\FM\21OCR1.SGM 21OCR1 Country chart (See Supp. No. 1 to part 738) NS Column 1. AT Column 1. Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations Special Conditions for STA Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. List Based License Exceptions (See Part 740 for a description of all license exceptions) LVS: N/A GBS: N/A APP: N/A ACE: Yes, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. Special Conditions for STA STA: License Exception STA may not be used to ship items specified by ECCN 4A005. List of Items Controlled Related Controls: Defense articles described in USML Category XI(b), and software directly related to a defense article, are ‘‘subject to the ITAR’’; see § 120.10(a)(4). Related Definitions: N/A Items: The list of items controlled is contained in the ECCN heading. 9. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4D001 is revised to read as follows: ■ 4D001 ‘‘Software’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, CC, AT Control(s) NS applies to entire entry. CC applies to ‘‘software’’ for computerized finger-print equipment controlled by 4A003 for CC reasons. AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) NS Column 1. CC Column 1. jspears on DSK121TN23PROD with RULES1 List of Items Controlled Related Controls: Software described in USML Category XI(b), and software directly related to a defense article, is ‘‘subject to the ITAR’’; see § 120.10(a)(4). Related Definitions: N/A Items: a. ‘‘Software’’ ‘‘specially designed’’ or modified for the ‘‘development’’ or ‘‘production’’, of equipment or ‘‘software’’ controlled by 4A001, 4A003, 4A004, 4A005 or 4D (except 4D980, 4D993 or 4D994). b. ‘‘Software’’, other than that controlled by 4D001.a, ‘‘specially designed’’ or modified for the ‘‘development’’ or ‘‘production’’ of equipment as follows: b.1. ‘‘Digital computers’’ having an ‘‘Adjusted Peak Performance’’ (‘‘APP’’) exceeding 15 Weighted TeraFLOPS (WT); b.2. ‘‘Electronic assemblies’’ ‘‘specially designed’’ or modified for enhancing performance by aggregation of processors so that the ‘‘APP’’ of the aggregation exceeds the limit in 4D001.b.1. 10. In Supplement No. 1 to Part 774, Category 4 is amended by adding ECCN 4D004 after ECCN 4D001 to read as follows: ■ AT Column 1. 4D004 ‘‘Software’’ ‘‘specially designed’’ or modified for the generation, command and control, or delivery of ‘‘intrusion software.’’ Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. License Requirements List Based License Exceptions (See Part 740 for a description of all license exceptions) TSR: Yes, except for ‘‘software’’ for the ‘‘development’’ or ‘‘production’’ of the following: (1) Commodities with an ‘‘Adjusted Peak Performance’’ (‘‘APP’’) exceeding 29 WT; or (2) Commodities controlled by 4A005 or ‘‘software’’ controlled by 4D004. APP: Yes to specific countries (see § 740.7 of the EAR for eligibility criteria). ACE: Yes for 4D001.a (for the ‘‘development’’, ‘‘production’’ or ‘‘use’’ of equipment or ‘‘software’’ specified in ECCN 4A005 or 4D004), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. VerDate Sep<11>2014 STA: License Exception STA may not be used to ship or transmit ‘‘software’’ ‘‘specially designed’’ or modified for the ‘‘development’’ or ‘‘production’’ of equipment specified by ECCN 4A001.a.2 or for the ‘‘development’’ or ‘‘production’’ of ‘‘digital computers’’ having an ‘Adjusted Peak Performance’ (‘APP’) exceeding 29 Weighted TeraFLOPS (WT) to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); and may not be used to ship or transmit ‘‘software’’ specified in 4D001.a ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment specified by ECCN 4A005 to any of the destinations listed in Country Group A:5 or A:6. 16:29 Oct 20, 2021 Jkt 256001 Reason for Control: NS, AT Control(s) NS applies to entire entry. AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) NS Column 1. AT Column 1. List Based License Exceptions (See Part 740 for a description of all license exceptions) TSR: N/A APP: N/A ACE: Yes, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. PO 00000 Frm 00007 Fmt 4700 Sfmt 4700 58211 Special Conditions for STA STA: License Exception STA may not be used to ship or transmit ‘‘software’’ specified by ECCN 4D004. List of Items Controlled Related Controls: Software described in USML Category XI(b), and software directly related to a defense article, is ‘‘subject to the ITAR’’; see § 120.10(a)(4). Related Definitions: N/A Items: The list of items controlled is contained in the ECCN heading. Note: 4D004 does not apply to ‘‘software’’ specially designed and limited to provide ‘‘software’’ updates or upgrades meeting all the following: a. The update or upgrade operates only with the authorization of the owner or administrator of the system receiving it; and b. After the update or upgrade, the ‘‘software’’ updated or upgraded is not any of the following: 1. ‘‘Software’’ specified by 4D004; or 2. ‘‘Intrusion software.’’ 11. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4E001 is revised to read as follows: ■ 4E001 ‘‘Technology’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, MT, CC, AT Control(s) NS applies to entire entry. MT applies to ‘‘technology’’ for items controlled by 4A001.a and 4A101 for MT reasons. CC applies to ‘‘software’’ for computerized finger-print equipment controlled by 4A003 for CC reasons. AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) NS Column 1. MT Column 1. CC Column 1. AT Column 1. Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. List Based License Exceptions (See Part 740 for a description of all license exceptions) TSR: Yes, except for the following: (1) ‘‘Technology’’ for the ‘‘development’’ or ‘‘production’’ of commodities with an ‘‘Adjusted Peak Performance’’ (‘‘APP’’) exceeding 29 WT or for the ‘‘development’’ or ‘‘production’’ of commodities controlled by 4A005 or ‘‘software’’ controlled by 4D004; or (2) ‘‘Technology’’ for the ‘‘development’’ of ‘‘intrusion software’’. E:\FR\FM\21OCR1.SGM 21OCR1 58212 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations APP: Yes to specific countries. See § 740.7 of the EAR for eligibility criteria. ACE: Yes for 4E001.a (for the ‘‘development’’, ‘‘production’’ or ‘‘use’’ of equipment or ‘‘software’’ specified in ECCN 4A005 or 4D004) and for 4E001.c, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. Special Conditions for STA STA: License Exception STA may not be used to ship or transmit ‘‘technology’’ according to the General Technology Note for the ‘‘development’’ or ‘‘production’’ of any of the following equipment or ‘‘software’’: a. Equipment specified by ECCN 4A001.a.2; b. ‘‘Digital computers’’ having an ‘Adjusted Peak Performance’ (‘APP’) exceeding 29 Weighted TeraFLOPS (WT); or c. ‘‘software’’ specified in the License Exception STA paragraph found in the License Exception section of ECCN 4D001 to any of the destinations listed in Country Group A:6 (See Supplement No. 1 to part 740 of the EAR); and may not be used to ship or transmit ‘‘software’’ specified in 4E001.a (for the ‘‘development’’, ‘‘production’’ or ‘‘use’’ of equipment or ‘‘software’’ specified in ECCN 4A005 or 4D004) and 4E001.c to any of the destinations listed in Country Group A:5 or A:6. jspears on DSK121TN23PROD with RULES1 List of Items Controlled Related Controls: Military training of foreign units and forces (see ITAR § 120.9(a)(3)), and technical data (see ITAR § 120.10) directly related to a defense article, are ‘‘subject to the ITAR.’’ Related Definitions: N/A Items: a. ‘‘Technology’’ according to the General Technology Note, for the ‘‘development’’, ‘‘production’’, or ‘‘use’’ of equipment or ‘‘software’’ controlled by 4A (except 4A980 or 4A994) or 4D (except 4D980, 4D993, 4D994). b. ‘‘Technology’’ according to the General Technology Note, other than that controlled by 4E001.a, for the ‘‘development’’ or ‘‘production’’ of equipment as follows: b.1. ‘‘Digital computers’’ having an ‘‘Adjusted Peak Performance’’ (‘‘APP’’) exceeding 15 Weighted TeraFLOPS (WT); b.2. ‘‘Electronic assemblies’’ ‘‘specially designed’’ or modified for enhancing performance by aggregation of processors so that the ‘‘APP’’ of the aggregation exceeds the limit in 4E001.b.1. c. ‘‘Technology’’ for the ‘‘development’’ of ‘‘intrusion software.’’ Note 1: 4E001.a and 4E001.c do not apply to ‘‘vulnerability disclosure’’ or ‘‘cyber incident response’’. Note 2: Note 1 does not diminish national authorities’ rights to ascertain compliance with 4E001.a and 4E001.c. Category 5—Telecommunications and ‘‘Information Security’’ Part 1—Telecommunications Notes: * * * 3. Commodities in ECCN 5A001.j, and related ‘‘software’’ specified in 5D001.c (for 5A001.j) that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain controlled in Category 5— Part 2 by those entries. Category 5—Part 2 does not apply to elements of source code that implement functionality controlled by these Category 5 Part 1 ECCNs, or to any item subject to the EAR where Encryption Item (EI) functionality is absent, removed or otherwise non-existent. 4. Items in ECCN 5A001.j, 5B001.a (for 5A001.j), related ‘‘software’’ specified in 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) and related ‘‘technology’’ specified in ECCN 5E001.a (for 5A001.j and 5D001.a (for 5A001.j)) that are also controlled for Surreptitious Listening (SL) reasons under another ECCN, will continue to be classified under the SL ECCN. * * * * 13. In Supplement No. 1 to Part 774, Category 5—Part 1, ECCN 5A001 is revised to read as follows: 5A001 Telecommunications systems, equipment, ‘‘components’’ and ‘‘accessories,’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, SL, AT Control(s) NS applies to 5A001.a, b.5, .e, .f.3, .h. NS applies to 5A001.b (except .b.5), .c, .d, .f (except f.3), .g, and .j. SL applies to 5A001.f.1. 12. In Supplement No. 1 to Part 774, Category 5—Part 1 is amended by adding Notes 3 and 4 to the beginning of the Category after Note 2 to read as follows: 16:29 Oct 20, 2021 Jkt 256001 * ■ ■ VerDate Sep<11>2014 Control(s) PO 00000 Frm 00008 Fmt 4700 Country chart (See Supp. No. 1 to part 738) NS Column 1. NS Column 2. A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. Sfmt 4700 AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) AT Column 1. Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. List Based License Exceptions (See Part 740 for a description of all license exceptions) LVS: N/A for 5A001.a, b.5, .e, f.3, .h and .j; $5000 for 5A001.b.1, .b.2, .b.3, .b.6, .d, f.2, f.4, and .g; $3000 for 5A001.c. GBS: Yes, except 5A001.a, .b.5, .e, .h and .j. ACE: Yes for 5A001.j, except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria Special Conditions for STA STA: License Exception STA may not be used to ship any commodity in 5A001.j to any of the destinations listed in Country Group A:5 or A:6 (See Supplement No. 1 to part 740 of the EAR), or any commodity in 5A001.b.3, .b.5 or .h to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR). List of Items Controlled Related Controls: (1) See USML Category XI for controls on direction-finding ‘‘equipment’’ including types of ‘‘equipment’’ in ECCN 5A001.e and any other military or intelligence electronic ‘‘equipment’’ that is ‘‘subject to the ITAR.’’ (2) See USML Category XI(a)(4)(iii) for controls on electronic attack and jamming ‘‘equipment’’ defined in 5A001.f and .h that are subject to the ITAR. (3) See also ECCNs 5A101, 5A980, and 5A991. Related Definitions: N/A Items: a. Any type of telecommunications equipment having any of the following characteristics, functions or features: a.1. ‘‘Specially designed’’ to withstand transitory electronic effects or electromagnetic pulse effects, both arising from a nuclear explosion; a.2. Specially hardened to withstand gamma, neutron or ion radiation; a.3. ‘‘Specially designed’’ to operate below 218 K (¥55 °C); or a.4. ‘‘Specially designed’’ to operate above 397 K (124 °C); Note: 5A001.a.3 and 5A001.a.4 apply only to electronic equipment. b. Telecommunication systems and equipment, and ‘‘specially designed’’ ‘‘components’’ and ‘‘accessories’’ therefor, having any of the following characteristics, functions or features: b.1 Being underwater untethered communications systems having any of the following: b.1.a. An acoustic carrier frequency outside the range from 20 kHz to 60 kHz; b.1.b. Using an electromagnetic carrier frequency below 30 kHz; or b.1.c. Using electronic beam steering techniques; or E:\FR\FM\21OCR1.SGM 21OCR1 jspears on DSK121TN23PROD with RULES1 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations b.1.d. Using ‘‘lasers’’ or light-emitting diodes (LEDs), with an output wavelength greater than 400 nm and less than 700 nm, in a ‘‘local area network’’; b.2. Being radio equipment operating in the 1.5 MHz to 87.5 MHz band and having all of the following: b.2.a. Automatically predicting and selecting frequencies and ‘‘total digital transfer rates’’ per channel to optimize the transmission; and b.2.b. Incorporating a linear power amplifier configuration having a capability to support multiple signals simultaneously at an output power of 1 kW or more in the frequency range of 1.5 MHz or more but less than 30 MHz, or 250 W or more in the frequency range of 30 MHz or more but not exceeding 87.5 MHz, over an ‘‘instantaneous bandwidth’’ of one octave or more and with an output harmonic and distortion content of better than ¥80 dB; b.3. Being radio equipment employing ‘‘spread spectrum’’ techniques, including ‘‘frequency hopping’’ techniques, not controlled in 5A001.b.4 and having any of the following: b.3.a. User programmable spreading codes; or b.3.b. A total transmitted bandwidth which is 100 or more times the bandwidth of any one information channel and in excess of 50 kHz; Note: 5A001.b.3.b does not control radio equipment ‘‘specially designed’’ for use with any of the following: a. Civil cellular radio-communications systems; or b. Fixed or mobile satellite Earth stations for commercial civil telecommunications. Note: 5A001.b.3 does not control equipment operating at an output power of 1 W or less. b.4. Being radio equipment employing ultra-wideband modulation techniques, having user programmable channelizing codes, scrambling codes, or network identification codes and having any of the following: b.4.a. A bandwidth exceeding 500 MHz; or b.4.b. A ‘‘fractional bandwidth’’ of 20% or more; b.5. Being digitally controlled radio receivers having all of the following: b.5.a. More than 1,000 channels; b.5.b. A ‘channel switching time’ of less than 1 ms; b.5.c. Automatic searching or scanning of a part of the electromagnetic spectrum; and b.5.d. Identification of the received signals or the type of transmitter; or Note: 5A001.b.5 does not control radio equipment ‘‘specially designed’’ for use with civil cellular radio-communications systems. Technical Note: ‘Channel switching time’: the time (i.e., delay) to change from one receiving frequency to another, to arrive at or within ±0.05% of the final specified receiving frequency. Items having a specified frequency range of less than ±0.05% around their center frequency are defined to be incapable of channel frequency switching. b.6. Employing functions of digital ‘‘signal processing’’ to provide ’voice coding’ output at rates of less than 700 bit/s. Technical Notes: VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 1. For variable rate ’voice coding’, 5A001.b.6 applies to the ’voice coding’ output of continuous speech. 2. For the purpose of 5A001.b.6, ‘voice coding’ is defined as the technique to take samples of human voice and then convert these samples of human voice into a digital signal taking into account specific characteristics of human speech. c. Optical fibers of more than 500 m in length and specified by the manufacturer as being capable of withstanding a ‘proof test’ tensile stress of 2 × 109 N/m2 or more; N.B.: For underwater umbilical cables, see 8A002.a.3. Technical Note: ‘Proof Test’: on-line or offline production screen testing that dynamically applies a prescribed tensile stress over a 0.5 to 3 m length of fiber at a running rate of 2 to 5 m/s while passing between capstans approximately 150 mm in diameter. The ambient temperature is a nominal 293 K (20 °C) and relative humidity 40%. Equivalent national standards may be used for executing the proof test. d. ‘‘Electronically steerable phased array antennae’’ as follows: d.1. Rated for operation above 31.8 GHz, but not exceeding 57 GHz, and having an Effective Radiated Power (ERP) equal to or greater than +20 dBm (22.15 dBm Effective Isotropic Radiated Power (EIRP)); d.2. Rated for operation above 57 GHz, but not exceeding 66 GHz, and having an ERP equal to or greater than +24 dBm (26.15 dBm EIRP); d.3. Rated for operation above 66 GHz, but not exceeding 90 GHz, and having an ERP equal to or greater than +20 dBm (22.15 dBm EIRP); d.4. Rated for operation above 90 GHz; Note 1: 5A001.d does not control ‘electronically steerable phased array antennae’ for landing systems with instruments meeting ICAO standards covering Microwave Landing Systems (MLS). Note 2: 5A001.d does not apply to antennae specially designed for any of the following: a. Civil cellular or WLAN radiocommunications systems; b. IEEE 802.15 or wireless HDMI; or c. Fixed or mobile satellite earth stations for commercial civil telecommunications. Technical Note: For the purposes of 5A001.d ‘electronically steerable phased array antenna’ is an antenna which forms a beam by means of phase coupling, (i.e., the beam direction is controlled by the complex excitation coefficients of the radiating elements) and the direction of that beam can be varied (both in transmission and reception) in azimuth or in elevation, or both, by application of an electrical signal. e. Radio direction finding equipment operating at frequencies above 30 MHz and having all of the following, and ‘‘specially designed’’ ‘‘components’’ therefor: e.1. ‘‘Instantaneous bandwidth’’ of 10 MHz or more; and e.2. Capable of finding a Line Of Bearing (LOB) to non-cooperating radio transmitters with a signal duration of less than 1 ms; f. Mobile telecommunications interception or jamming equipment, and monitoring equipment therefor, as follows, and ‘‘specially designed’’ ‘‘components’’ therefor: PO 00000 Frm 00009 Fmt 4700 Sfmt 4700 58213 f.1. Interception equipment designed for the extraction of voice or data, transmitted over the air interface; f.2. Interception equipment not specified in 5A001.f.1, designed for the extraction of client device or subscriber identifiers (e.g., IMSI, TIMSI or IMEI), signaling, or other metadata transmitted over the air interface; f.3. Jamming equipment ‘‘specially designed’’ or modified to intentionally and selectively interfere with, deny, inhibit, degrade or seduce mobile telecommunication services and performing any of the following: f.3.a. Simulate the functions of Radio Access Network (RAN) equipment; f.3.b. Detect and exploit specific characteristics of the mobile telecommunications protocol employed (e.g., GSM); or f.3.c. Exploit specific characteristics of the mobile telecommunications protocol employed (e.g., GSM); f.4. Radio Frequency (RF) monitoring equipment designed or modified to identify the operation of items specified in 5A001.f.1, 5A001.f.2 or 5A001.f.3. Note: 5A001.f.1 and 5A001.f.2 do not apply to any of the following: a. Equipment ‘‘specially designed’’ for the interception of analog Private Mobile Radio (PMR), IEEE 802.11 WLAN; b. Equipment designed for mobile telecommunications network operators; or c. Equipment designed for the ‘‘development’’ or ‘‘production’’ of mobile telecommunications equipment or systems. N.B. 1: See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120– 130). For items specified by 5A001.f.1 (including as previously specified by 5A001.i), see also5A980 and the U.S. Munitions List (22 CFR part 121). N.B. 2: For radio receivers see 5A001.b.5. g. Passive Coherent Location (PCL) systems or equipment, ‘‘specially designed’’ for detecting and tracking moving objects by measuring reflections of ambient radio frequency emissions, supplied by non-radar transmitters. Technical Note: Non-radar transmitters may include commercial radio, television or cellular telecommunications base stations. Note: 5A001.g. does not control: a. Radio-astronomical equipment; or b. Systems or equipment, that require any radio transmission from the target. h. Counter Improvised Explosive Device (IED) equipment and related equipment, as follows: h.1. Radio Frequency (RF) transmitting equipment, not specified by 5A001.f, designed or modified for prematurely activating or preventing the initiation of Improvised Explosive Devices (IEDs); h.2. Equipment using techniques designed to enable radio communications in the same frequency channels on which co-located equipment specified by 5A001.h.1 is transmitting. N.B.: See also Category XI of the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130). i. [Reserved] N.B.: See 5A001.f.1 for items previously specified by 5A001.i. j. IP network communications surveillance systems or equipment, and ‘‘specially E:\FR\FM\21OCR1.SGM 21OCR1 58214 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations designed’’ components therefor, having all of the following: j.1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone): j.1.a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498–1)); j.1.b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and j.1.c. Indexing of extracted data; and j.2. Being ‘‘specially designed’’ to carry out all of the following: j.2.a. Execution of searches on the basis of ‘‘hard selectors’’; and j.2.b. Mapping of the relational network of an individual or of a group of people. Note: 5A001.j does not apply to ‘‘systems’’ or ‘‘equipment’’, ‘‘specially designed’’ for any of the following: a. Marketing purpose; b. Network Quality of Service (QoS); or c. Quality of Experience (QoE). N.B.: See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120– 130). Defense articles described in USML Category XI(b) are ‘‘subject to the ITAR.’’ 14. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5B001 is revised to read as follows: ■ 5B001 Telecommunication test, inspection and production equipment, ‘‘components’’ and ‘‘accessories,’’ as follows (See List of Items Controlled). License Requirements Reason for Control: NS, AT Control(s) NS applies to entire entry. AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) Related Controls: See also 5B991. Related Definition: N/A Items: a. Equipment and ‘‘specially designed’’ ‘‘components’’ or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features, controlled by 5A001; Note: 5B001.a does not apply to optical fiber characterization equipment. b. Equipment and ‘‘specially designed’’ ‘‘components’’ or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ of any of the following telecommunication transmission or switching equipment: b.1. [Reserved] b.2. Equipment employing a ‘‘laser’’ and having any of the following: b.2.a. A transmission wavelength exceeding 1750 nm; or b.2.b. [Reserved] b.2.c. [Reserved] b.2.d. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; or Note: 5B001.b.2.d. does not include equipment ‘‘specially designed’’ for the ‘‘development’’ of commercial TV systems. b.3. [Reserved] b.4. Radio equipment employing Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024. 15. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5D001 is revised to read as follows: AT Column 1. 5D001 ‘‘Software’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, SL, AT List Based License Exceptions (See Part 740 for a description of all license exceptions) LVS: $5000, except N/A for 5B001.a (for 5A001.j) GBS: Yes, except N/A for 5B001.a (for 5A001.j) ACE: Yes for 5B001.a (for equipment and ‘‘specially designed’’ ‘‘components’’ or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features, controlled by 5A001.j), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. Control(s) NS applies to entire entry. SL applies to the entire entry as applicable for equipment, functions, features, or characteristics controlled by 5A001.f.1. Special Conditions for STA STA: License Exception STA may not be used to ship 5B001.a equipment and ‘‘specially designed’’ components or ‘‘accessories’’ therefor, ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 PO 00000 Frm 00010 Fmt 4700 Country chart (See Supp. No. 1 to part 738) NS Column 1. A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Sfmt 4700 Country chart (See Supp. No. 1 to part 738) Control(s) List of Items Controlled ■ NS Column 2. Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. jspears on DSK121TN23PROD with RULES1 features specified by in ECCN 5A001.b.3, .b.5 or .h to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR) and 5A001.j to any of the destinations listed in Country Group A:5 or A:6. AT applies to entire entry. Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. AT Column 1. Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. List Based License Exceptions (See Part 740 for a description of all license exceptions) TSR: Yes, except for exports and reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of ‘‘software’’ controlled by 5D001.a and ‘‘specially designed’’ for items controlled by 5A001.b.5 and 5A001.h, and N/A for ‘‘software’’ classified under ECCN 5D001.a (for 5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. Special Conditions for STA STA: License Exception STA may not be used to ship or transmit 5D001.a ‘‘software’’ ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features, specified by ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to any of the destinations listed in Country Group A:5 or A:6 (See Supplement No.1 to part 740 of the EAR); 5A001.b.3, .b.5 or .h; and for 5D001.b. for ‘‘software’’ ‘‘specially designed’’ or modified to support ‘‘technology’’ specified by the STA paragraph in the License Exception section of ECCN 5E001 to any of the destinations listed in Country Group A:6. List of Items Controlled Related Controls: See also 5D980 and 5D991. Related Definitions: N/A Items: a. ‘‘Software’’ ‘‘specially designed’’ or modified for the ‘‘development’’, ‘‘production’’ or ‘‘use’’ of equipment, functions or features controlled by 5A001; b. [Reserved] c. Specific ‘‘software’’ ‘‘specially designed’’ or modified to provide characteristics, functions or features of equipment, controlled by 5A001 or 5B001; E:\FR\FM\21OCR1.SGM 21OCR1 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations d. ‘‘Software’’ ‘‘specially designed’’ or modified for the ‘‘development’’ of any of the following telecommunication transmission or switching equipment: d.1.[Reserved] d.2. Equipment employing a ‘‘laser’’ and having any of the following: d.2.a. A transmission wavelength exceeding 1,750 nm; or d.2.b. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; or Note: 5D001.d.2.b does not control ‘‘software’’ ‘‘specially designed’’ or modified for the ‘‘development’’ of commercial TV systems. d.3. [Reserved] d.4. Radio equipment employing Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024. 16. In Supplement No. 1 to Part 774 (the CCL), Category 5—Part 1, ECCN 5E001 is revised to read as follows: ■ 5E001 ‘‘Technology’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, SL, AT Control(s) NS applies to entire entry. SL applies to ‘‘technology’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features controlled by 5A001.f.1, or for the ‘‘development’’ or ‘‘production’’ of ‘‘software’’ controlled by ECCN 5D001.a (for 5A001.f.1). jspears on DSK121TN23PROD with RULES1 AT applies to entire entry. Country chart (See Supp. No. 1 to part 738) NS Column 1. A license is required for all destinations, as specified in § 742.13 of the EAR. Accordingly, a column specific to this control does not appear on the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). Note to SL paragraph: This licensing requirement does not supersede, nor does it implement, construe or limit the scope of any criminal statute, including, but not limited to the Omnibus Safe Streets Act of 1968, as amended. AT Column 1. Reporting Requirements See § 743.1 of the EAR for reporting requirements for exports under License Exceptions, and Validated End-User authorizations. List Based License Exceptions (See Part 740 for a description of all license exceptions) TSR: Yes, except for exports or reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 of ‘‘technology’’ controlled by 5E001.a for the ‘‘development’’ or ‘‘production’’ of the following: (1) Items controlled by 5A001.b.5, .h or .j; (2) ‘‘Software’’ controlled by 5D001.a that is ‘‘specially designed’’ for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features controlled by 5A001.b.5, 5A001.h, 5A001.j, or 5B001.a (for 5A001.j); or (3) ‘‘Software’’ controlled by 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). ACE: Yes for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j))) except to Country Group E:1 or E:2. See § 740.22 of the EAR for eligibility criteria. Special Conditions for STA STA: License Exception STA may not be used to ship or transmit ‘‘technology’’ according to the General Technology Note for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features specified by 5A001.b.3, .b.5 or .h; or for ‘‘software’’ in 5D001.a or .c, that is specified in the STA paragraph in the License Exception section of ECCN 5D001 to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or ‘‘technology’’ specified in 5E001.a according to the General Technology Note for the ‘‘development’’ or ‘‘production’’ of equipment, functions or features specified by 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a) to any destinations listed in Country Group A:5 or A:6. List of Items Controlled Related Controls: (1) See also 5E101, 5E980 and 5E991. (2) ‘‘Technology’’ for ‘‘development’’ or ‘‘production’’ of ‘‘Monolithic Microwave Integrated Circuit’’ (‘‘MMIC’’) amplifiers that meet the control criteria given at 3A001.b.2 is controlled in 3E001; 5E001.d refers only to that additional ‘‘technology’’ ‘‘required’’ for telecommunications. Related Definitions: N/A Items: a. ‘‘Technology’’ according to the General Technology Note for the ‘‘development’’, ‘‘production’’ or ‘‘use’’ (excluding operation) of equipment, functions or features, controlled by 5A001 or ‘‘software’’ controlled by 5D001.a. b. Specific ‘‘technology’’, as follows: b.1. ‘‘Technology’’ ‘‘required’’ for the ‘‘development’’ or ‘‘production’’ of telecommunications equipment ‘‘specially designed’’ to be used on board satellites; b.2. ‘‘Technology’’ for the ‘‘development’’ or ‘‘use’’ of ‘‘laser’’ communication techniques with the capability of automatically acquiring and tracking signals and maintaining communications through exoatmosphere or sub-surface (water) media; b.3. ‘‘Technology’’ for the ‘‘development’’ of digital cellular radio base station receiving equipment whose reception capabilities that allow multi-band, multi-channel, multimode, multi-coding algorithm or multiprotocol operation can be modified by changes in ‘‘software’’; PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 58215 b.4. ‘‘Technology’’ for the ‘‘development’’ of ‘‘spread spectrum’’ techniques, including ‘‘frequency hopping’’ techniques. Note: 5E001.b.4 does not apply to ‘‘technology’’ for the ‘‘development’’ of any of the following: a. Civil cellular radio-communications systems; or b. Fixed or mobile satellite Earth stations for commercial civil telecommunications. c. ‘‘Technology’’ according the General Technology Note for the ‘‘development’’ or ‘‘production’’ of any of the following: c.1. [Reserved] c.2. Equipment employing a ‘‘laser’’ and having any of the following: c.2.a. A transmission wavelength exceeding 1,750 nm; c.2.b. [Reserved] c.2.c. [Reserved] c.2.d. Employing wavelength division multiplexing techniques of optical carriers at less than 100 GHz spacing; or c.2.e. Employing analog techniques and having a bandwidth exceeding 2.5 GHz; Note: 5E001.c.2.e does not control ‘‘technology’’ for commercial TV systems. N.B.: For ‘‘technology’’ for the ‘‘development’’ or ‘‘production’’ of nontelecommunications equipment employing a ‘‘laser’’, see Product Group E of Category 6, e.g., 6E00x c.3. Equipment employing ‘‘optical switching’’ and having a switching time less than 1 ms; or c.4. Radio equipment having any of the following: c.4.a. Quadrature-Amplitude-Modulation (QAM) techniques above level 1,024; or c.4.b. Operating at input or output frequencies exceeding 31.8 GHz; or Note: 5E001.c.4.b does not control ‘‘technology’’ for equipment designed or modified for operation in any frequency band which is ‘‘allocated by the ITU’’ for radiocommunications services, but not for radiodetermination. c.4.c. Operating in the 1.5 MHz to 87.5 MHz band and incorporating adaptive techniques providing more than 15 dB suppression of an interfering signal; or c.5. [Reserved] c.6. Mobile equipment having all of the following: c.6.a. Operating at an optical wavelength greater than or equal to 200nm and less than or equal to 400nm; and c.6.b. Operating as a ‘‘local area network’’; d. ‘‘Technology’’ according to the General Technology Note for the ‘‘development’’ or ‘‘production’’ of ‘‘Monolithic Microwave Integrated Circuit’’ (‘‘MMIC’’) amplifiers ‘‘specially designed’’ for telecommunications and that are any of the following: Technical Note: For purposes of 5E001.d, the parameter peak saturated power output may also be referred to on product data sheets as output power, saturated power output, maximum power output, peak power output, or peak envelope power output. d.1. Rated for operation at frequencies exceeding 2.7 GHz up to and including 6.8 GHz with a ‘‘fractional bandwidth’’ greater than 15%, and having any of the following: d.1.a. A peak saturated power output greater than 75 W (48.75 dBm) at any E:\FR\FM\21OCR1.SGM 21OCR1 jspears on DSK121TN23PROD with RULES1 58216 Federal Register / Vol. 86, No. 201 / Thursday, October 21, 2021 / Rules and Regulations frequency exceeding 2.7 GHz up to and including 2.9 GHz; d.1.b. A peak saturated power output greater than 55 W (47.4 dBm) at any frequency exceeding 2.9 GHz up to and including 3.2 GHz; d.1.c. A peak saturated power output greater than 40 W (46 dBm) at any frequency exceeding 3.2 GHz up to and including 3.7 GHz; or d.1.d. A peak saturated power output greater than 20 W (43 dBm) at any frequency exceeding 3.7 GHz up to and including 6.8 GHz; d.2. Rated for operation at frequencies exceeding 6.8 GHz up to and including 16 GHz with a ‘‘fractional bandwidth’’ greater than 10%, and having any of the following: d.2.a. A peak saturated power output greater than 10W (40 dBm) at any frequency exceeding 6.8 GHz up to and including 8.5 GHz; or d.2.b. A peak saturated power output greater than 5W (37 dBm) at any frequency exceeding 8.5 GHz up to and including 16 GHz; d.3. Rated for operation with a peak saturated power output greater than 3 W (34.77 dBm) at any frequency exceeding 16 GHz up to and including 31.8 GHz, and with a ‘‘fractional bandwidth’’ of greater than 10%; d.4. Rated for operation with a peak saturated power output greater than 0.1n W (-70 dBm) at any frequency exceeding 31.8 GHz up to and including 37 GHz; d.5. Rated for operation with a peak saturated power output greater than 1 W (30 dBm) at any frequency exceeding 37 GHz up to and including 43.5 GHz, and with a ‘‘fractional bandwidth’’ of greater than 10%; d.6. Rated for operation with a peak saturated power output greater than 31.62 mW (15 dBm) at any frequency exceeding 43.5 GHz up to and including 75 GHz, and with a ‘‘fractional bandwidth’’ of greater than 10%; d.7. Rated for operation with a peak saturated power output greater than 10 mW (10 dBm) at any frequency exceeding 75 GHz up to and including 90 GHz, and with a ‘‘fractional bandwidth’’ of greater than 5%; or d.8. Rated for operation with a peak saturated power output greater than 0.1 nW (¥70 dBm) at any frequency exceeding 90 GHz; e. ‘‘Technology’’ according to the General Technology Note for the ‘‘development’’ or ‘‘production’’ of electronic devices and circuits, ‘‘specially designed’’ for telecommunications and containing ‘‘components’’ manufactured from ‘‘superconductive’’ materials, ‘‘specially designed’’ for operation at temperatures below the ‘‘critical temperature’’ of at least one of the ‘‘superconductive’’ constituents and having any of the following: e.1. Current switching for digital circuits using ‘‘superconductive’’ gates with a product of delay time per gate (in seconds) and power dissipation per gate (in watts) of less than 10¥14 J; or e.2. Frequency selection at all frequencies using resonant circuits with Q-values exceeding 10,000. VerDate Sep<11>2014 16:29 Oct 20, 2021 Jkt 256001 17. In supplement no. 1 to part 774, Category 5—Part 2, ECCN 5A004 is revised to read as follows: ■ 5A004 ‘‘Systems,’’ ‘‘equipment’’ and ‘‘components’’ for defeating, weakening or bypassing ‘‘information security,’’ as follows (see List of Items Controlled). License Requirements Reason for Control: NS, AT, EI Control(s) NS applies to entire entry. AT applies to entire entry. EI applies to entire entry. Country chart (See Supp. No. 1 to part 738) NS Column 1. AT Column 1. * Refer to § 742.15 of the EAR. Matthew S. Borman, Deputy Assistant Secretary for Export Administration. License Requirements Note: See § 744.17 of the EAR for additional license requirements for microprocessors having a processing speed of 5 GFLOPS or more and an arithmetic logic unit with an access width of 32 bit or more, including those incorporating ‘‘information security’’ functionality, and associated ‘‘software’’ and ‘‘technology’’ for the ‘‘production’’ or ‘‘development’’ of such microprocessors. List Based License Exceptions (See Part 740 for a Description of All License Exceptions) LVS: Yes: $500 for ‘‘components.’’ N/A for systems and equipment. GBS: N/A ENC: Yes for certain EI controlled commodities. See § 740.17 of the EAR for eligibility. List of Items Controlled Related Controls: ECCN 5A004.a controls ‘‘components’’ providing the means or functions necessary for ‘‘information security.’’ All such ‘‘components’’ are presumptively ‘‘specially designed’’ and controlled by 5A004.a. Defense articles described in USML Category XI(b), and software directly related to a defense article, are ‘‘subject to the ITAR’’; see § 120.10(a)(4). Related Definitions: N/A Items: a. Designed or modified to perform ‘cryptanalytic functions.’ Note: 5A004.a includes systems or equipment, designed or modified to perform ‘cryptanalytic functions’ by means of reverse engineering. Technical Note: ‘Cryptanalytic functions’ are functions designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords or cryptographic keys. b. Items, not specified by ECCNs 4A005 or 5A004.a, designed to perform all of the following: b.1. ‘Extract raw data’ from a computing or communications device; and b.2. Circumvent ‘‘authentication’’ or authorisation controls of the device, in order to perform the function described in 5A004.b.1. PO 00000 Frm 00012 Fmt 4700 Technical Note: ‘Extract raw data’ from a computing or communications device means to retrieve binary data from a storage medium, e.g., RAM, flash or hard disk, of the device without interpretation by the device’s operating system or filesystem. Note 1: 5A004.b does not apply to systems or equipment specially designed for the ‘‘development’’ or ‘‘production’’ of a computing or communications device. Note 2: 5A004.b does not include: a. Debuggers, hypervisors; b. Items limited to logical data extraction; c. Data extraction items using chip-off or JTAG; or d. Items specially designed and limited to jail-breaking or rooting. Sfmt 4700 * * * * [FR Doc. 2021–22774 Filed 10–20–21; 8:45 am] BILLING CODE 3510–33–P DEPARTMENT OF HOMELAND SECURITY U.S. Customs and Border Protection 19 CFR Chapter I Notification of Temporary Travel Restrictions Applicable to Land Ports of Entry and Ferries Service Between the United States and Mexico Office of the Secretary, U.S. Department of Homeland Security; U.S. Customs and Border Protection, U.S. Department of Homeland Security. ACTION: Notification of continuation of temporary travel restrictions. AGENCY: This Notification announces the decision of the Secretary of Homeland Security (Secretary) to continue to temporarily limit the nonessential travel of individuals from Mexico into the United States at land ports of entry along the United StatesMexico border. This Notification further announces that the Secretary intends to lift these limitations for individuals who are fully vaccinated for COVID–19 (as defined by the Centers for Disease Control and Prevention) to align with anticipated changes to international travel by air. DATES: This Notification goes into effect at 12 a.m. Eastern Daylight Time (EDT) on October 22, 2021 and will remain in effect until 11:59 p.m. Eastern Standard Time (EST) on January 21, 2022, unless amended or rescinded prior to that time. FOR FURTHER INFORMATION CONTACT: Stephanie Watson, Office of Field Operations Coronavirus Coordination Cell, U.S. Customs and Border Protection (CBP) at 202–325–0840. SUMMARY: E:\FR\FM\21OCR1.SGM 21OCR1

Agencies

[Federal Register Volume 86, Number 201 (Thursday, October 21, 2021)]
[Rules and Regulations]
[Pages 58205-58216]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-22774]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 740, 772 and 774

[Docket No. 211013-0209]
RIN 0694-AH56


Information Security Controls: Cybersecurity Items

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule, with request for comments.

-----------------------------------------------------------------------

SUMMARY: This interim final rule outlines the progress the United 
States has made in export controls pertaining to cybersecurity items, 
revised Commerce Control List (CCL) implementation, and requests from 
the public information about the impact of these revised controls on 
U.S. industry and the cybersecurity community. Specifically, this rule 
establishes a new control on these items for National Security (NS) and 
Anti-terrorism (AT) reasons, along with a new License Exception 
Authorized Cybersecurity Exports (ACE) that authorizes exports of these 
items to most destinations except in the circumstances described. These 
items warrant controls because these tools could be used for 
surveillance, espionage, or other actions that disrupt, deny or degrade 
the network or devices on it.

[[Page 58206]]


DATES: Effective date: This rule is effective January 19, 2022. 
Comments must be received by BIS no later than December 6, 2021.

ADDRESSES: Comments on this rule may be submitted to the Federal 
rulemaking portal (www.regulations.gov). The regulations.gov ID for 
this rule is: BIS-2020-0038. Please refer to RIN 0694-AH56 in all 
comments.
    All filers using the portal should use the name of the person or 
entity submitting the comments as the name of their files, in 
accordance with the instructions below. Anyone submitting business 
confidential information should clearly identify the business 
confidential portion at the time of submission, file a statement 
justifying nondisclosure and referring to the specific legal authority 
claimed, and also provide a non-confidential version of the submission.
    For comments submitted electronically containing business 
confidential information, the file name of the business confidential 
version should begin with the characters ``BC.'' Any page containing 
business confidential information must be clearly marked ``BUSINESS 
CONFIDENTIAL'' on the top of that page. The corresponding non-
confidential version of those comments must be clearly marked 
``PUBLIC.'' The file name of the non-confidential version should begin 
with the character ``P.'' Any submissions with file names that do not 
begin with either a ``BC'' or a ``P'' will be assumed to be public and 
will be made publicly available through https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For questions regarding the Export 
Control Classification Numbers (ECCNs) included in this rule or License 
Exception ACE, contact Aaron Amundson at 202-482-0707 or email 
[email protected].

SUPPLEMENTARY INFORMATION:

Background

    In 2013, the Wassenaar Arrangement (WA) added cybersecurity items 
to the WA List, including a definition for ``intrusion software.'' The 
controls included hardware and software controls on the command and 
delivery platforms for ``intrusion software,'' the technology for the 
``development,'' ``production'' or ``use'' of the command and delivery 
platforms, and the technology for the ``development'' of ``intrusion 
software.'' On May 20, 2015, the Bureau of Industry and Security (BIS) 
published a proposed rule describing how these new controls would fit 
into the Export Administration Regulations (EAR) and requested 
information from the public about the impact on U.S. industry. The 
public comments on the proposed rule revealed serious issues concerning 
scope and implementation regarding these controls. Based on these 
comments, as well as substantial commentary from Congress, the private 
sector, academia, civil society, and others on the potential unintended 
consequences of the 2013 controls, the U.S. government returned to the 
WA to renegotiate the controls.
    In response to the proposed rule, BIS received almost 300 comments 
that raised substantial concerns about the proposed rule's scope and 
the impact the proposed rule would have on legitimate cybersecurity 
research and incident response activities. BIS also conducted extensive 
outreach with the security industry, financial institutions, and 
government agencies that manage cybersecurity.
    Comments on the previously published proposed rule focused on three 
main issues. First, many commenters asserted that the entries were 
overly broad, captured more than was intended, and, as a technical 
matter, failed to accurately describe the items intended for control. 
Second, many commenters asserted that the rule as written imposed a 
heavy and unnecessary licensing burden on legitimate transactions that 
contribute to cybersecurity. Third, many commenters suggested that the 
proposed rule's control on technology for the ``development'' of 
``intrusion software'' could cripple legitimate cybersecurity research.
    Based on these comments, the United States decided against amending 
the proposed rule and instead returned to the WA in 2016 and 2017 to 
negotiate changes to the text. In December 2017, the WA published the 
changes that resulted from those negotiations. There were three 
significant changes: First, using ``command and control'' in the 
control language for both hardware and software addressed concerns from 
cybersecurity companies to more specifically control tools that can be 
used maliciously. Second, adding a note to the control entry for 
technology for the ``development'' of ``intrusion software'' that 
excludes from the entry ``technology'' that is exchanged for 
`vulnerability disclosure' or `cyber incident response'. Third, adding 
a note to the ``software'' generation, command and control, or delivery 
entry that excludes from this entry products designed and limited to 
providing basic software updates and upgrades.
    BIS publishes this interim final rule to implement the WA 2017 
decisions related to cybersecurity. The rule creates a new License 
Exception Authorized Cybersecurity Exports (ACE) that authorizes 
exports, reexports and transfers (in-country) of cybersecurity items, 
as described in more detail below, which are not also controlled in 
Category 5--Part 2 of the CCL or for Surreptitious Listening (SL) 
reasons.
    In addition, BIS authorizes certain IP network surveillance 
products under the same License Exception ACE. These items were also 
part of the May 20, 2015 proposed rule but received far fewer comments 
than the other items in that proposed rule. BIS believes that making 
these products eligible for License Exception ACE addresses concerns 
raised in the comments on the previously published proposed rule.
    BIS believes this rule implements the WA decision of 2013, as 
amended in 2017, with regard to cybersecurity items and addresses the 
concerns expressed by industry and others about the previously 
published proposed rule. Further, because of the limited scope of this 
rule, BIS believes the impact would be minimal. However, to ensure full 
consideration of the potential impact of this rule, BIS seeks public 
comment on this interim final rule, including comments on the potential 
cost of complying with this rule, and any impacts this rule has on 
legitimate cybersecurity activities.
    No items subject to the International Traffic in Arms Regulations 
(ITAR) are being transferred to the EAR by this rule. Items and 
services described on the U.S. Munitions List (USML) at ITAR Sec.  
121.1, including military training, technical data directly related to 
a defense article, and certain hardware and software specially designed 
for intelligence purposes, remain subject to the ITAR. For software 
directly related to a defense article, see ITAR Sec.  120.10(a)(4) and 
the applicable technical data entry in each USML category. See EAR 
Sec.  734.3(b) and ITAR Sec.  120.5(a) for more on the relationship 
between the ITAR and EAR.

Specific Revisions

ECCNs 4A005 (new), 4D004 (new), 4E001.a and 4E001.c (new)

    ECCNs 4A005 and 4D004 are added, as well as a new paragraph 
4E001.c, as set forth in the amendments described below. In addition, 
the existing definition for ``intrusion software'' found in Sec.  772.1 
of the EAR applies to the new ECCNs. The entries include the 2017 WA 
notes: An exclusion Note in 4D004 for software specially designed

[[Page 58207]]

and limited to providing basic updates and upgrades and an exclusion 
Note for 4E001.c (as well as existing 4E001.a) for ``vulnerability 
disclosure'' or ``cyber incident response.'' These terms are added to 
part 772 and are further explained elsewhere in this preamble. This 
rule also adds a Note 2 to 4E001.a and .c to clarify that BIS can 
request information on items decontrolled by Note 1 to ensure 
compliance with the controls. BIS does not intend this note to require 
any additional compliance measures beyond what is otherwise required by 
the EAR. ``Software'' and ``technology'' ``published'' in the public 
domain and meeting the requirements of Sec.  734.7 of the EAR are not 
subject to the EAR.

ECCN 5A001.j ``IP network communications surveillance systems or 
equipment . . .''

    Paragraph 5A001.j ``IP network communications surveillance systems 
or equipment . . .'' is added to ECCN 5A001. License Exception ACE 
eligibility is added for 5A001.j in part 740 ``License Exception.'' 
License Exception STA conditions are revised to remove eligibility for 
5A001.j to destinations listed in Country Groups A:5 and A:6 (see 
Supplement No. 1 to part 740 of the EAR for Country Groups). License 
Exceptions GBS and LVS are also revised to remove eligibility for those 
license exceptions.

Overlap With Category 5--Part 2 (``Information Security'')

    When a cybersecurity item also incorporates particular 
``information security'' functionality specified in ECCNs 5A002.a, 
5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3 Category 5--Part 2 of the CCL 
in Supplement No. 1 to part 774 of the EAR, these Category 5--Part 2 
ECCNs prevail, provided the controlled ``information security'' 
functionality remains present and usable within the cybersecurity end 
item or executable ``software.'' Category 5--Part 2 does not apply to 
elements of source code or ``technology'' that implement functionality 
controlled in another Category, or to any item subject to the EAR where 
Encryption Item (EI) functionality is absent, removed or otherwise non-
existent.

Surreptitious Listening (SL) Controls

    All items subject to the EAR that are controlled for Surreptitious 
Listening (SL) reasons under another ECCN not added by this rule will 
continue to be classified under the SL ECCN. The WA control list 
changes related to ``intrusion software'' and IP network communications 
surveillance systems do not affect or change any EAR provision 
regarding communications intercepting devices, ``software'' or 
``technology'', or any SL control (see Sec.  742.13 of the EAR). If a 
circumstance arises where the item meets the control for national 
security (NS) because it meets the cybersecurity parameters, encryption 
item (EI) parameters, and SL parameters, then the control with the most 
restrictive licensing requirements applies, which would be SL control, 
because SL has worldwide control.

Sec.  740.22 License Exception Authorized Cybersecurity Exports (ACE)

    BIS is also establishing a new License Exception Authorized 
Cybersecurity Exports (ACE). This license exception, will appear in new 
Sec.  740.22 of the EAR, is necessary to avoid impeding legitimate 
cybersecurity research and incident response activities. Cybersecurity 
items in the wrong hands raise both national security and foreign 
policy concerns. This license exception starts with a definition 
section that defines cybersecurity items, digital artifacts, favorable 
treatment cybersecurity end user, and government end user (for the 
purpose of Sec.  740.22 only). `Cybersecurity Items' are defined in 
Sec.  740.22 as ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 
4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 
5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 
5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a 
(for 5A001.j)).
    License Exception ACE allows the export, reexport and transfer (in-
country) of `cybersecurity items' to most destinations, except to 
destinations listed in Country Groups E:1 and E:2 of supplement no. 1 
to part 740.
    There are two types of end-user restrictions. Restricted end users 
include a `government end user,' as defined in Sec.  740.22, of any 
country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement 
no. 1 to part 740, or a non-government end user located in a country 
listed in Country Group D:1 or D:5. For deemed exports, the `government 
end user' restriction applies, but not the `non-government end user' 
restriction.
    There are exclusions to the end-user restrictions. The restriction 
on `government end users' does not apply to exports, reexports, and 
transfers (in-country) to Country Group D countries that are also 
listed in Country Group A:6, which includes Cyprus (A:6 and D:5), 
Israel (A:6 and D:2-4), and Taiwan (A:6 and D:3), of `digital 
artifacts' that are related to a cybersecurity incident involving 
information systems owned or operated by a `favorable treatment 
cybersecurity end user,' or to police or judicial bodies in Country 
Group D countries that are also listed in Country Group A:6 for 
purposes of criminal or civil investigations or prosecutions of such 
cybersecurity incidents. In addition, the restriction does not apply to 
exports, reexports, and transfers (in-country) to national computer 
security incident response teams in Country Group D countries that are 
also listed in Country Group A:6 of `cybersecurity items' for purposes 
of responding to cybersecurity incidents, for purposes of 
`vulnerability disclosure', or for purposes of criminal investigations 
or prosecutions of such cybersecurity incidents. For exports, 
reexports, or transfers (in-country) to `government end-users' under 
License Exception ACE, there is no exclusion for activities related to 
``vulnerability disclosure'' and ``cyber incident response.'' However, 
Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the 
EAR) excludes ``vulnerability disclosure'' and ``cyber incident 
response'' from control under 4E001.a or .c. The 4E001 exclusion note 
applies regardless of the type of end user and is unaffected by the 
restrictions in License Exception ACE.
    The restriction on non-government end users in Country Group D:1 or 
D:5 does not apply to exports, reexports or transfers (in-country) of 
cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 
4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 
4D004) and 4E001.c to any `favorable treatment cybersecurity end user.' 
In addition, this restriction does not apply to ``vulnerability 
disclosure'' or ``cyber incident response.''
    Lastly, License Exception ACE has an end-use restriction. License 
Exception ACE is not authorized if the exporter, reexporter, or 
transferor knows or has reason to know at the time of export, reexport, 
or transfer (in-country), including a deemed export or reexport, that 
the `cybersecurity item' will be used to affect the confidentiality, 
integrity or availability of information or information systems, 
without authorization by the owner, operator, or administrator of the 
information system (including the information and processes within such 
systems).

Part 772--Definitions of Terms

    BIS adds to Sec.  772.1 the WA definitions for ``cyber incident 
response,'' and ``vulnerability disclosure'', which are used in 
Category 4, new paragraph 4E001.c.

[[Page 58208]]

Conforming Changes

    Because of the addition of the cybersecurity items to the CCL, some 
conforming changes need to occur. Notes are added to Category 4 and 
Category 5--Part 1 to address the overlap between these entries and 
other entries on the CCL, as further explained below.

Notes 3 and 4 to Category 4

    To clarify the scope of existing entries in Category 5, Notes 3 and 
4 are added to Category 4 stating that cybersecurity items that are 
specified by certain ECCNs in Category 5--Part 2 or in an ECCN 
controlled for SL reasons in Category 5--Part 1 would continue to be 
classified in those ECCNs instead of the new cybersecurity ECCN. In 
addition, these cybersecurity items are eligible for the license 
exceptions and are subject to the licensing policies applicable to 
those entries in Category 5--Part 2 or in the SL-controlled ECCNs.

ECCN 4D001 ``Software''

    Paragraph 4D001.a is revised to include 4A005. License Exception 
ACE eligibility is added for 4D001.a and License Exception STA special 
conditions are revised to include the ineligibility of software 
specified in 4D001.a ``specially designed'' for the ``development'' or 
``production'' of equipment specified by ECCN 4A005 to Country Groups 
A:5 and A:6.

ECCN 4E001 ``Technology''

    In addition to the revision that adds 4E001.c, License Exception 
ACE eligibility is added for 4E001.a (for 4A005 and 4D004) and 4E001.c. 
License Exception STA ineligibility is added for 4E001.a (for 4A005 and 
4D004) and 4E001.c to destinations listed in Country Groups A:5 and 
A:6.

Notes 3 and 4 to Category 5--Part 1

    To clarify the scope of these entries and existing entries in 
Category 5 Parts 1 and 2, Notes 3 and 4 are added to Category 5--Part 1 
identifying that cybersecurity items controlled in certain Category 5--
Part 2 ECCNs will remain controlled in Category 5--Part 2 and are 
eligible for the license exceptions and are subject to the licensing 
policies applicable to those ECCNs. In addition, cybersecurity items 
specified in an ECCN controlled for SL reasons in Category 5--Part 1 
continue to be classified in those ECCNs instead of the new 
cybersecurity ECCN.

ECCN 5B001 Telecommunication Test, Inspection and Production Equipment, 
``Components'' and ``Accessories''

    License Exception ACE eligibility is added for 5B001.a (for 
equipment and ``specially designed'' ``components'' or ``accessories'' 
therefor, ``specially designed'' for the ``development'' or 
``production'' of equipment, functions or features, controlled by 
5A001.j). License Exception STA conditions are revised to remove 
eligibility for 5B001.a (for equipment and ``specially designed'' 
``components'' or ``accessories'' therefor, ``specially designed'' for 
the ``development'' or ``production'' of equipment, functions or 
features, controlled by 5A001.j) to destinations listed in Country 
Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR for 
Country Groups). License Exceptions LVS and GBS are revised to remove 
eligibility for 5B001.a (for 5A001.j).

ECCN 5D001 ``Software''

    License Exception ACE eligibility is added for 5D001.a (for 
equipment, functions or features specified by 5A001.j) and 5D001.c (for 
equipment specified by 5A001.j or 5B001.a). License Exception STA 
conditions are revised to remove eligibility for 5D001.a (for 
equipment, functions or features specified by 5A001.j) and 5D001.c (for 
equipment specified by 5A001.j or 5B001.a) to destinations listed in 
Country Groups A:5 and A:6 (See Supplement No. 1 to part 740 of the EAR 
for Country Groups). License Exception TSR is revised to remove 
eligibility for ``software'' classified under ECCN 5D001.a (for 
5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).

ECCN 5E001 ``Technology''

    License Exception ACE eligibility is added for 5E001.a (for 
5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 
5A001.j or 5B001.a (for 5A001.j)). License Exception STA conditions is 
revised to remove eligibility for 5E001.a (for 5A001.j, 5B001.a (for 
5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a 
(for 5A001.j)) to destinations listed in Country Groups A:5 and A:6 
(See Supplement No. 1 to part 740 of the EAR for Country Groups). 
License Exception TSR is revised to remove eligibility for 
``technology'' classified under ECCN 5E001.a for 5A001.j, 5B001.a (for 
5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 
5B001.a (for 5A001.j)).

ECCN 5A004 ``Systems,'' ``Equipment'' and ``Components'' for Defeating, 
Weakening or Bypassing ``Information Security''

    This rule also amends ECCN 5A004 to add 4A005 to 5A004.b. This is 
done to harmonize with the WA Dual-Use List now that ECCN 4A005 has 
been added to the CCL.

Sec.  740.11 Governments, International Organizations, International 
Inspections Under the Chemical Weapons Convention, and the 
International Space Station (GOV)

    License Exception GOV is amended to exclude cybersecurity items, as 
defined in Sec.  740.22 License Exception ACE, from paragraph (c) of 
License Exception GOV. As such, this rule revises paragraph (c)(3)(vi) 
to remove ``or'' and to revise paragraph (c)(3)(vii) to replace the 
period with a semi-colon and ``or.'' Lastly, paragraph (c)(3)(viii) is 
added to exclude ``cybersecurity items as defined in Sec.  740.22(b)(1) 
of the EAR.''

Export Control Reform Act of 2018

    On August 13, 2018, the President signed into law the John S. 
McCain National Defense Authorization Act for Fiscal Year 2019, which 
included the Export Control Reform Act of 2018 (ECRA), 50 U.S.C. 
Sections 4801-4852. ECRA provides the legal basis for BIS's principal 
authorities and serves as the authority under which BIS issues this 
proposed rule.

Executive Order Requirements

    Executive Orders 13563 and 12866 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distribute impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This interim final rule has been designated a 
``significant regulatory action'' under Executive Order 12866.
    This rule does not contain policies with Federalism implications as 
that term is defined under Executive Order 13132.

Paperwork Reduction Act Requirements

    This rule involves collections of information subject to the 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) under the 
following information collection approved by the Office of

[[Page 58209]]

Management and Budget (OMB): 0694-0088, ``Multi-Purpose Application,'' 
and carries a burden hour estimate of 29.6 minutes for a manual or 
electronic submission. BIS will be updating this information collection 
to account for the increase in burden hours.
    For the existing ECCNs included in this rule (4D001, 4E001, 5A001, 
5A004, 5D001, 5E001), the 2020 data from the Automated Export System 
(AES) shows 980 shipments valued at $39,146,164. Of those shipments, 
120 shipments valued at $1,864,699 went to Country Group D:1 or D:5 
countries, which would make them ineligible for License Exception ACE. 
There were no shipments to Country Group E:1 or E:2. Under the 
provisions of this rule, the 120 shipments require a license 
application submission to BIS.
    As there is no specific ECCN data in AES for the new export 
controls in new ECCNs 4A005 and 4D004 or new paragraph 4E001.c, BIS 
uses other data to estimate the number of shipments of these new ECCNs 
that will require a license. Bureau of Economic Analysis (BEA) data 
from 2019 show a total dollar value of $55,657 million for Telecom, 
Computer, and Information Technology Services exports. Multiplying this 
value by 12.1% (the percentage of all exports that are subject to an 
EAR license requirement as determined by using AES data) suggests that 
$6,734,497,000 of Telecom/Computer/IT exports are now subject to EAR 
license requirements. Based on AES data on the existing ECCNs affected 
by this rule, BIS estimates the average value of each shipment for the 
new ECCNs at about $40,000, and further estimates that 0.6% of all new 
ECCN shipments (1,010 shipments) are now eligible for License Exception 
ACE and 0.03% of all new ECCN shipments (50 shipments) require a 
license application submission.
    Therefore, the annual total estimated cost associated with the 
paperwork burden imposed by this rule (that is, the projected increase 
of license application submissions based on the additional shipments 
requiring a license) is estimated to be 170 new applications x 29.6 
minutes = 5,032/60 min = 84 hours x $30 = $2,520.
    There is no paperwork submission to BIS associated with using 
License Exception ACE, and therefore there is no increase to any 
paperwork burden or information collection cost associated with License 
Exception ACE requirements in this rule.
    Any comments regarding these burden estimates or any other aspect 
of these collections of information, including suggestions for reducing 
the burden, may be submitted online at https://www.reginfo.gov/public/do/PRAMain. Find the particular information collection by using the 
search function and entering either the title of the collection, 
``Multi-Purpose Application,'' or the OMB Control Number, 0694-0088.
    Notwithstanding any other provision of law, no person is required 
to respond to, nor shall any person be subject to a penalty for failure 
to comply with a collection of information subject to the requirements 
of the PRA, unless that collection of information displays a currently 
valid OMB Control Number.

Administrative Procedure Act and Regulatory Flexibility Act 
Requirements

    Pursuant to Section 4821 of ECRA, this action is exempt from the 
Administrative Procedure Act (5 U.S.C. 553) requirements for notice of 
proposed rulemaking and opportunity for public participation.
    Further, no other law requires notice of proposed rulemaking or 
opportunity for public comment for this interim final rule. Because a 
notice of proposed rulemaking and an opportunity for public comment are 
not required under the Administrative Procedure Act or by any other 
law, the analytical requirements of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq.) are not applicable. Notwithstanding, BIS believes 
this interim final rule would benefit from public comment on the impact 
of the control text and the usefulness of the new License Exception 
ACE.

List of Subjects

15 CFR Part 740

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Part 772

    Exports.

15 CFR Part 774

    Exports, Reporting and recordkeeping requirements.

    Accordingly, parts 740, 772, and 774 of the Export Administration 
Regulations (15 CFR parts 730 through 774) are amended as follows:

PART 740--[AMENDED]

0
1. The authority citation for part 740 continues to read as follows:

    Authority:  50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 
U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 
2001 Comp., p. 783.


0
2. Section 740.11 is amended by revising paragraphs (c)(3)(vi) and 
(vii) and adding paragraph (c)(3)(viii) to read as follows:


Sec.  740.11  Governments, international organizations, international 
inspections under the Chemical Weapons Convention, and the 
International Space Station (GOV).

* * * * *
    (c) * * *
    (3) * * *
    (vi) Items controlled for nuclear nonproliferation (NP) reasons;
    (vii) Items listed as not eligible for License Exception STA in 
Sec.  740.20(b)(2)(ii) of the EAR; or
    (viii) Cybersecurity items as defined in Sec.  740.22(b)(1) of the 
EAR.
* * * * *

0
3. Section 740.22 is added to read as follows:


Sec.  740.22  Authorized Cybersecurity Exports (ACE).

    (a) Scope. License Exception ACE authorizes export, reexport, and 
transfer (in-country), including deemed exports and reexports, of 
`cybersecurity items,' as set forth in paragraph (b) of this section, 
subject to the restrictions set forth in paragraph (c) of this section. 
Deemed exports and reexports are authorized under this license 
exception, except for deemed exports or reexports to E:1 and E:2 
nationals as described in paragraph (c)(1)(i) of this section, to 
certain `government end-users' as described in paragraph (c)(1)(ii) of 
this section, and subject to the end-use restrictions described in 
paragraph (c)(2) of this section. Even if License Exception ACE is not 
available for a particular transaction, other license exceptions may be 
available. For example, License Exception GOV (Sec.  740.11 of the EAR) 
authorizes certain exports to U.S. government agencies and personnel. 
License Exception TMP (Sec.  740.9(a)(1) of the EAR) authorizes the 
export, reexport, and transfer (in country) of tools of the trade in 
certain situations.
    (b) Definitions. The following terms and definitions are for the 
purpose of License Exception ACE only.
    (1) Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or 
4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 
4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 
5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 
5A001.j or 5D001.a (for 5A001.j)).
    (2) Digital artifacts are items (e.g., ``software'' or 
``technology'') found or discovered on an information system that show 
past or present activity pertaining to the use or compromise of,

[[Page 58210]]

or other effects on, that information system.
    (3) Favorable treatment cybersecurity end user is any of the 
following:
    (i) A ``U.S. subsidiary'';
    (ii) Providers of banking and other financial services;
    (iii) Insurance companies; or
    (iv) Civil health and medical institutions providing medical 
treatment or otherwise conducting the practice of medicine, including 
medical research.
    (4) Government end user, for the purpose of Sec.  740.22, is a 
national, regional or local department, agency or entity that provides 
any governmental function or service, including international 
governmental organizations, government operated research institutions, 
and entities and individuals who are acting on behalf of such an 
entity. This term includes retail or wholesale firms engaged in the 
manufacture, distribution, or provision of items or services, 
controlled on the Wassenaar Arrangement Munitions List.
    (c) Restrictions. License Exception ACE exports, reexports, or 
transfers (in-country) of `cybersecurity items' are subject to the 
restrictions of this paragraph (c).
    (1) Destination or end-user restrictions. License Exception ACE 
does not authorize deemed exports under paragraph (c)(1)(i) or (ii) of 
this section.The restrictions in paragraphs (c)(1)(i) and (ii) apply to 
activities, including exports, reexports, and transfers (in-country), 
related to ``vulnerability disclosure'' and ``cyber incident 
response.'' However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 
to part 774 of the EAR) excludes ``vulnerability disclosure'' and 
''cyber incident response'' from control under 4E001.a or .c.
    (i) A destination that is listed in Country Group E:1 or E:2 in 
supplement no.1 to part 740 of the EAR.
    (ii) A government end user, as defined in this section, of any 
country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement 
no. 1 to part 740. This restriction does not apply to:
    (A) Exports, reexports, and transfers (in-country) to Country Group 
D countries that are also listed in Country Group A:6 of `digital 
artifacts' that are related to a cybersecurity incident involving 
information systems owned or operated by a `favorable treatment 
cybersecurity end user', or to police or judicial bodies in Country 
Group D countries that are also listed in Country Group A:6 for 
purposes of criminal or civil investigations or prosecutions of such 
cybersecurity incidents; or
    (B) Exports, reexports, and transfers (in-country) to national 
computer security incident response teams in Country Group D countries 
that are also listed in Country Group A:6 of `cybersecurity items' for 
purposes of responding to cybersecurity incidents, for purposes of 
`vulnerability disclosure', or for purposes of criminal or civil 
investigations or prosecutions of such cybersecurity incidents.
    (iii) A non-government end user located in any country listed in 
Country Group D:1 or D:5 of Supplement No. 1 to part 740 of the EAR. 
This restriction does not apply to:
    (A) Exports, reexports or transfers (in-country) of cybersecurity 
items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 
4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 
4E001.c, to any `favorable treatment cybersecurity end user;'
    (B) ``Vulnerability disclosure'' or ``cyber incident response;''or
    (C) Deemed exports.
    (2) End-use restrictions. License Exception ACE is not authorized 
if the exporter, reexporter, or transferor ``knows'' or has ``reason to 
know'' at the time of export, reexport, or transfer (in-country), 
including deemed exports and reexports, that the `cybersecurity item' 
will be used to affect the confidentiality, integrity or availability 
of information or information systems, without authorization by the 
owner, operator or administrator of the information system (including 
the information and processes within such systems).

PART 772--[AMENDED]

0
4. The authority citation for part 772 is revised to read as follows:

    Authority:  50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 
U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783.

0
5. Section 772.1 is amended by adding the definitions for ``cyber 
incident response'', and ``vulnerability disclosure'' to read as 
follows:


Sec.  772.1   Definitions of terms as used in the Export Administration 
Regulations (EAR).

* * * * *
    Cyber incident response. (Sec.  740.22, Cat 4) means the process of 
exchanging necessary information on a cybersecurity incident with 
individuals or organizations responsible for conducting or coordinating 
remediation to address the cybersecurity incident.
* * * * *
    Vulnerability disclosure. (Sec.  740.22, Cat 4) means the process 
of identifying, reporting, or communicating a vulnerability to, or 
analyzing a vulnerability with, individuals or organizations 
responsible for conducting or coordinating remediation for the purpose 
of resolving the vulnerability.
* * * * *

PART 774--[AMENDED]

0
6. The authority citation for part 774 continues to read as follows:

    Authority:  50 U.S.C. 4801-4852; 50 U.S.C. 4601 et seq.; 50 
U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 
287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 42 U.S.C. 2139a; 15 
U.S.C. 1824a; 50 U.S.C. 4305; 22 U.S.C. 7201 et seq.; 22 U.S.C. 
7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783.

Supplement No. 1 to Part 774--[Amended]

0
7. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 4 is amended by adding Notes 3 and 4 to the beginning of the 
category to read as follows:

Category 4--Computers

* * * * *
    Note 3: Commodities and ``software'' in ECCNs 4A005 and 4D004 
that are also controlled in ECCNs 5A002.a, 5A004.a, 5A004.b, 
5D002.c.1, or 5D002.c.3, remain controlled in Category 5--Part 2 by 
those entries. Category 5--Part 2 does not apply to elements of 
source code that implement functionality controlled by these 
Category 4 ECCNs, or to any item subject to the EAR where Encryption 
Item (EI) functionality is absent, removed or otherwise non-
existent.
    Note 4: Items in ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 
4D004, and ``technology'' specified in ECCN 4E001.a (for 4A005, 
4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c that are also 
controlled for Surreptitious Listening (SL) reasons under another 
ECCN, will continue to be classified under the SL ECCN.

0
8. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 4 is amended by adding ECCN 4A005 after ECCN 4A004 to read as 
follows:

Supplement No. 1 to Part 774--The Commerce Control List

* * * * *
4A005 ``Systems,'' ``equipment,'' and ``components'' therefor, 
``specially designed'' or modified for the generation, command and 
control, or delivery of ``intrusion software''.

License Requirements

Reason for Control: NS, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
AT applies to entire entry................  AT Column 1.
 


[[Page 58211]]

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

LVS: N/A
GBS: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See Sec.  740.22 of 
the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship items specified 
by ECCN 4A005.

List of Items Controlled

Related Controls: Defense articles described in USML Category XI(b), 
and software directly related to a defense article, are ``subject to 
the ITAR''; see Sec.  120.10(a)(4).
Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN 
heading.


0
9. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 4, ECCN 4D001 is revised to read as follows:

4D001 ``Software'' as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, CC, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
CC applies to ``software'' for              CC Column 1.
 computerized finger-print equipment
 controlled by 4A003 for CC reasons.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

TSR: Yes, except for ``software'' for the ``development'' or 
``production'' of the following:
    (1) Commodities with an ``Adjusted Peak Performance'' (``APP'') 
exceeding 29 WT; or
    (2) Commodities controlled by 4A005 or ``software'' controlled 
by 4D004.
APP: Yes to specific countries (see Sec.  740.7 of the EAR for 
eligibility criteria).
ACE: Yes for 4D001.a (for the ``development'', ``production'' or 
``use'' of equipment or ``software'' specified in ECCN 4A005 or 
4D004), except to Country Group E:1 or E:2. See Sec.  740.22 of the 
EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 
``software'' ``specially designed'' or modified for the 
``development'' or ``production'' of equipment specified by ECCN 
4A001.a.2 or for the ``development'' or ``production'' of ``digital 
computers'' having an `Adjusted Peak Performance' (`APP') exceeding 
29 Weighted TeraFLOPS (WT) to any of the destinations listed in 
Country Group A:6 (See Supplement No.1 to part 740 of the EAR); and 
may not be used to ship or transmit ``software'' specified in 
4D001.a ``specially designed'' for the ``development'' or 
``production'' of equipment specified by ECCN 4A005 to any of the 
destinations listed in Country Group A:5 or A:6.

List of Items Controlled

Related Controls: Software described in USML Category XI(b), and 
software directly related to a defense article, is ``subject to the 
ITAR''; see Sec.  120.10(a)(4).
Related Definitions: N/A
Items:

    a. ``Software'' ``specially designed'' or modified for the 
``development'' or ``production'', of equipment or ``software'' 
controlled by 4A001, 4A003, 4A004, 4A005 or 4D (except 4D980, 4D993 
or 4D994).
    b. ``Software'', other than that controlled by 4D001.a, 
``specially designed'' or modified for the ``development'' or 
``production'' of equipment as follows:
    b.1. ``Digital computers'' having an ``Adjusted Peak 
Performance'' (``APP'') exceeding 15 Weighted TeraFLOPS (WT);
    b.2. ``Electronic assemblies'' ``specially designed'' or 
modified for enhancing performance by aggregation of processors so 
that the ``APP'' of the aggregation exceeds the limit in 4D001.b.1.


0
10. In Supplement No. 1 to Part 774, Category 4 is amended by adding 
ECCN 4D004 after ECCN 4D001 to read as follows:

4D004 ``Software'' ``specially designed'' or modified for the 
generation, command and control, or delivery of ``intrusion 
software.''

License Requirements

Reason for Control: NS, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
AT applies to entire entry................  AT Column 1.
 

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

TSR: N/A
APP: N/A
ACE: Yes, except to Country Group E:1 or E:2. See Sec.  740.22 of 
the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 
``software'' specified by ECCN 4D004.

List of Items Controlled

Related Controls: Software described in USML Category XI(b), and 
software directly related to a defense article, is ``subject to the 
ITAR''; see Sec.  120.10(a)(4).
Related Definitions: N/A
Items:
    The list of items controlled is contained in the ECCN heading.
    Note: 4D004 does not apply to ``software'' specially designed 
and limited to provide ``software'' updates or upgrades meeting all 
the following:
    a. The update or upgrade operates only with the authorization of 
the owner or administrator of the system receiving it; and
    b. After the update or upgrade, the ``software'' updated or 
upgraded is not any of the following:
    1. ``Software'' specified by 4D004; or
    2. ``Intrusion software.''

0
11. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 4, ECCN 4E001 is revised to read as follows:

4E001 ``Technology'' as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, MT, CC, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
MT applies to ``technology'' for items      MT Column 1.
 controlled by 4A001.a and 4A101 for MT
 reasons.
CC applies to ``software'' for              CC Column 1.
 computerized finger-print equipment
 controlled by 4A003 for CC reasons.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

TSR: Yes, except for the following:
    (1) ``Technology'' for the ``development'' or ``production'' of 
commodities with an ``Adjusted Peak Performance'' (``APP'') 
exceeding 29 WT or for the ``development'' or ``production'' of 
commodities controlled by 4A005 or ``software'' controlled by 4D004; 
or
    (2) ``Technology'' for the ``development'' of ``intrusion 
software''.

[[Page 58212]]

APP: Yes to specific countries. See Sec.  740.7 of the EAR for 
eligibility criteria.
ACE: Yes for 4E001.a (for the ``development'', ``production'' or 
``use'' of equipment or ``software'' specified in ECCN 4A005 or 
4D004) and for 4E001.c, except to Country Group E:1 or E:2. See 
Sec.  740.22 of the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 
``technology'' according to the General Technology Note for the 
``development'' or ``production'' of any of the following equipment 
or ``software'': a. Equipment specified by ECCN 4A001.a.2; b. 
``Digital computers'' having an `Adjusted Peak Performance' (`APP') 
exceeding 29 Weighted TeraFLOPS (WT); or c. ``software'' specified 
in the License Exception STA paragraph found in the License 
Exception section of ECCN 4D001 to any of the destinations listed in 
Country Group A:6 (See Supplement No. 1 to part 740 of the EAR); and 
may not be used to ship or transmit ``software'' specified in 
4E001.a (for the ``development'', ``production'' or ``use'' of 
equipment or ``software'' specified in ECCN 4A005 or 4D004) and 
4E001.c to any of the destinations listed in Country Group A:5 or 
A:6.

List of Items Controlled

Related Controls: Military training of foreign units and forces (see 
ITAR Sec.  120.9(a)(3)), and technical data (see ITAR Sec.  120.10) 
directly related to a defense article, are ``subject to the ITAR.''
Related Definitions: N/A
Items:

    a. ``Technology'' according to the General Technology Note, for 
the ``development'', ``production'', or ``use'' of equipment or 
``software'' controlled by 4A (except 4A980 or 4A994) or 4D (except 
4D980, 4D993, 4D994).
    b. ``Technology'' according to the General Technology Note, 
other than that controlled by 4E001.a, for the ``development'' or 
``production'' of equipment as follows:
    b.1. ``Digital computers'' having an ``Adjusted Peak 
Performance'' (``APP'') exceeding 15 Weighted TeraFLOPS (WT);
    b.2. ``Electronic assemblies'' ``specially designed'' or 
modified for enhancing performance by aggregation of processors so 
that the ``APP'' of the aggregation exceeds the limit in 4E001.b.1.
    c. ``Technology'' for the ``development'' of ``intrusion 
software.''
    Note 1: 4E001.a and 4E001.c do not apply to ``vulnerability 
disclosure'' or ``cyber incident response''.
    Note 2: Note 1 does not diminish national authorities' rights to 
ascertain compliance with 4E001.a and 4E001.c.


0
12. In Supplement No. 1 to Part 774, Category 5--Part 1 is amended by 
adding Notes 3 and 4 to the beginning of the Category after Note 2 to 
read as follows:

Category 5--Telecommunications and ``Information Security''

Part 1--Telecommunications

    Notes: * * *
    3. Commodities in ECCN 5A001.j, and related ``software'' 
specified in 5D001.c (for 5A001.j) that are also controlled in ECCNs 
5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, remain 
controlled in Category 5--Part 2 by those entries. Category 5--Part 
2 does not apply to elements of source code that implement 
functionality controlled by these Category 5 Part 1 ECCNs, or to any 
item subject to the EAR where Encryption Item (EI) functionality is 
absent, removed or otherwise non-existent.
    4. Items in ECCN 5A001.j, 5B001.a (for 5A001.j), related 
``software'' specified in 5D001.a (for 5A001.j) and 5D001.c (for 
5A001.j or 5B001.a (for 5A001.j)) and related ``technology'' 
specified in ECCN 5E001.a (for 5A001.j and 5D001.a (for 5A001.j)) 
that are also controlled for Surreptitious Listening (SL) reasons 
under another ECCN, will continue to be classified under the SL 
ECCN.
* * * * *


0
13. In Supplement No. 1 to Part 774, Category 5--Part 1, ECCN 5A001 is 
revised to read as follows:

5A001 Telecommunications systems, equipment, ``components'' and 
``accessories,'' as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, SL, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to 5A001.a, b.5, .e, .f.3, .h..  NS Column 1.
NS applies to 5A001.b (except .b.5), .c,    NS Column 2.
 .d, .f (except f.3), .g, and .j.
SL applies to 5A001.f.1...................  A license is required for
                                             all destinations, as
                                             specified in Sec.   742.13
                                             of the EAR. Accordingly, a
                                             column specific to this
                                             control does not appear on
                                             the Commerce Country Chart
                                             (Supplement No. 1 to Part
                                             738 of the EAR).
                                            Note to SL paragraph: This
                                             licensing requirement does
                                             not supersede, nor does it
                                             implement, construe or
                                             limit the scope of any
                                             criminal statute,
                                             including, but not limited
                                             to the Omnibus Safe Streets
                                             Act of 1968, as amended.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

LVS: N/A for 5A001.a, b.5, .e, f.3, .h and .j; $5000 for 5A001.b.1, 
.b.2, .b.3, .b.6, .d, f.2, f.4, and .g; $3000 for 5A001.c.
GBS: Yes, except 5A001.a, .b.5, .e, .h and .j.
ACE: Yes for 5A001.j, except to Country Group E:1 or E:2. See Sec.  
740.22 of the EAR for eligibility criteria

Special Conditions for STA

STA: License Exception STA may not be used to ship any commodity in 
5A001.j to any of the destinations listed in Country Group A:5 or 
A:6 (See Supplement No. 1 to part 740 of the EAR), or any commodity 
in 5A001.b.3, .b.5 or .h to any of the destinations listed in 
Country Group A:6 (See Supplement No.1 to part 740 of the EAR).

List of Items Controlled

Related Controls: (1) See USML Category XI for controls on 
direction-finding ``equipment'' including types of ``equipment'' in 
ECCN 5A001.e and any other military or intelligence electronic 
``equipment'' that is ``subject to the ITAR.'' (2) See USML Category 
XI(a)(4)(iii) for controls on electronic attack and jamming 
``equipment'' defined in 5A001.f and .h that are subject to the 
ITAR. (3) See also ECCNs 5A101, 5A980, and 5A991.
Related Definitions: N/A
Items:

    a. Any type of telecommunications equipment having any of the 
following characteristics, functions or features:
    a.1. ``Specially designed'' to withstand transitory electronic 
effects or electromagnetic pulse effects, both arising from a 
nuclear explosion;
    a.2. Specially hardened to withstand gamma, neutron or ion 
radiation;
    a.3. ``Specially designed'' to operate below 218 K (-55 [deg]C); 
or
    a.4. ``Specially designed'' to operate above 397 K (124 [deg]C);
    Note: 5A001.a.3 and 5A001.a.4 apply only to electronic 
equipment.
    b. Telecommunication systems and equipment, and ``specially 
designed'' ``components'' and ``accessories'' therefor, having any 
of the following characteristics, functions or features:
    b.1 Being underwater untethered communications systems having 
any of the following:
    b.1.a. An acoustic carrier frequency outside the range from 20 
kHz to 60 kHz;
    b.1.b. Using an electromagnetic carrier frequency below 30 kHz; 
or
    b.1.c. Using electronic beam steering techniques; or

[[Page 58213]]

    b.1.d. Using ``lasers'' or light-emitting diodes (LEDs), with an 
output wavelength greater than 400 nm and less than 700 nm, in a 
``local area network'';
    b.2. Being radio equipment operating in the 1.5 MHz to 87.5 MHz 
band and having all of the following:
    b.2.a. Automatically predicting and selecting frequencies and 
``total digital transfer rates'' per channel to optimize the 
transmission; and
    b.2.b. Incorporating a linear power amplifier configuration 
having a capability to support multiple signals simultaneously at an 
output power of 1 kW or more in the frequency range of 1.5 MHz or 
more but less than 30 MHz, or 250 W or more in the frequency range 
of 30 MHz or more but not exceeding 87.5 MHz, over an 
``instantaneous bandwidth'' of one octave or more and with an output 
harmonic and distortion content of better than -80 dB;
    b.3. Being radio equipment employing ``spread spectrum'' 
techniques, including ``frequency hopping'' techniques, not 
controlled in 5A001.b.4 and having any of the following:
    b.3.a. User programmable spreading codes; or
    b.3.b. A total transmitted bandwidth which is 100 or more times 
the bandwidth of any one information channel and in excess of 50 
kHz;
    Note: 5A001.b.3.b does not control radio equipment ``specially 
designed'' for use with any of the following:
    a. Civil cellular radio-communications systems; or
    b. Fixed or mobile satellite Earth stations for commercial civil 
telecommunications.
    Note: 5A001.b.3 does not control equipment operating at an 
output power of 1 W or less.
    b.4. Being radio equipment employing ultra-wideband modulation 
techniques, having user programmable channelizing codes, scrambling 
codes, or network identification codes and having any of the 
following:
    b.4.a. A bandwidth exceeding 500 MHz; or
    b.4.b. A ``fractional bandwidth'' of 20% or more;
    b.5. Being digitally controlled radio receivers having all of 
the following:
    b.5.a. More than 1,000 channels;
    b.5.b. A `channel switching time' of less than 1 ms;
    b.5.c. Automatic searching or scanning of a part of the 
electromagnetic spectrum; and
    b.5.d. Identification of the received signals or the type of 
transmitter; or
    Note: 5A001.b.5 does not control radio equipment ``specially 
designed'' for use with civil cellular radio-communications systems.
    Technical Note: `Channel switching time': the time (i.e., delay) 
to change from one receiving frequency to another, to arrive at or 
within 0.05% of the final specified receiving 
frequency. Items having a specified frequency range of less than 
0.05% around their center frequency are 
defined to be incapable of channel frequency switching.
    b.6. Employing functions of digital ``signal processing'' to 
provide 'voice coding' output at rates of less than 700 bit/s.
    Technical Notes:
    1. For variable rate 'voice coding', 5A001.b.6 applies to the 
'voice coding' output of continuous speech.
    2. For the purpose of 5A001.b.6, `voice coding' is defined as 
the technique to take samples of human voice and then convert these 
samples of human voice into a digital signal taking into account 
specific characteristics of human speech.
    c. Optical fibers of more than 500 m in length and specified by 
the manufacturer as being capable of withstanding a `proof test' 
tensile stress of 2 x 10\9\ N/m\2\ or more;
    N.B.: For underwater umbilical cables, see 8A002.a.3.
    Technical Note: `Proof Test': on-line or off-line production 
screen testing that dynamically applies a prescribed tensile stress 
over a 0.5 to 3 m length of fiber at a running rate of 2 to 5 m/s 
while passing between capstans approximately 150 mm in diameter. The 
ambient temperature is a nominal 293 K (20 [deg]C) and relative 
humidity 40%. Equivalent national standards may be used for 
executing the proof test.
    d. ``Electronically steerable phased array antennae'' as 
follows:
    d.1. Rated for operation above 31.8 GHz, but not exceeding 57 
GHz, and having an Effective Radiated Power (ERP) equal to or 
greater than +20 dBm (22.15 dBm Effective Isotropic Radiated Power 
(EIRP));
    d.2. Rated for operation above 57 GHz, but not exceeding 66 GHz, 
and having an ERP equal to or greater than +24 dBm (26.15 dBm EIRP);
    d.3. Rated for operation above 66 GHz, but not exceeding 90 GHz, 
and having an ERP equal to or greater than +20 dBm (22.15 dBm EIRP);
    d.4. Rated for operation above 90 GHz;
    Note 1: 5A001.d does not control `electronically steerable 
phased array antennae' for landing systems with instruments meeting 
ICAO standards covering Microwave Landing Systems (MLS).
    Note 2: 5A001.d does not apply to antennae specially designed 
for any of the following:
    a. Civil cellular or WLAN radio-communications systems;
    b. IEEE 802.15 or wireless HDMI; or
    c. Fixed or mobile satellite earth stations for commercial civil 
telecommunications.
    Technical Note: For the purposes of 5A001.d `electronically 
steerable phased array antenna' is an antenna which forms a beam by 
means of phase coupling, (i.e., the beam direction is controlled by 
the complex excitation coefficients of the radiating elements) and 
the direction of that beam can be varied (both in transmission and 
reception) in azimuth or in elevation, or both, by application of an 
electrical signal.
    e. Radio direction finding equipment operating at frequencies 
above 30 MHz and having all of the following, and ``specially 
designed'' ``components'' therefor:
    e.1. ``Instantaneous bandwidth'' of 10 MHz or more; and
    e.2. Capable of finding a Line Of Bearing (LOB) to non-
cooperating radio transmitters with a signal duration of less than 1 
ms;
    f. Mobile telecommunications interception or jamming equipment, 
and monitoring equipment therefor, as follows, and ``specially 
designed'' ``components'' therefor:
    f.1. Interception equipment designed for the extraction of voice 
or data, transmitted over the air interface;
    f.2. Interception equipment not specified in 5A001.f.1, designed 
for the extraction of client device or subscriber identifiers (e.g., 
IMSI, TIMSI or IMEI), signaling, or other metadata transmitted over 
the air interface;
    f.3. Jamming equipment ``specially designed'' or modified to 
intentionally and selectively interfere with, deny, inhibit, degrade 
or seduce mobile telecommunication services and performing any of 
the following:
    f.3.a. Simulate the functions of Radio Access Network (RAN) 
equipment;
    f.3.b. Detect and exploit specific characteristics of the mobile 
telecommunications protocol employed (e.g., GSM); or
    f.3.c. Exploit specific characteristics of the mobile 
telecommunications protocol employed (e.g., GSM);
    f.4. Radio Frequency (RF) monitoring equipment designed or 
modified to identify the operation of items specified in 5A001.f.1, 
5A001.f.2 or 5A001.f.3.
    Note: 5A001.f.1 and 5A001.f.2 do not apply to any of the 
following:
    a. Equipment ``specially designed'' for the interception of 
analog Private Mobile Radio (PMR), IEEE 802.11 WLAN;
    b. Equipment designed for mobile telecommunications network 
operators; or
    c. Equipment designed for the ``development'' or ``production'' 
of mobile telecommunications equipment or systems.
    N.B. 1: See also the International Traffic in Arms Regulations 
(ITAR) (22 CFR parts 120-130). For items specified by 5A001.f.1 
(including as previously specified by 5A001.i), see also5A980 and 
the U.S. Munitions List (22 CFR part 121).
    N.B. 2: For radio receivers see 5A001.b.5.
    g. Passive Coherent Location (PCL) systems or equipment, 
``specially designed'' for detecting and tracking moving objects by 
measuring reflections of ambient radio frequency emissions, supplied 
by non-radar transmitters.
    Technical Note: Non-radar transmitters may include commercial 
radio, television or cellular telecommunications base stations.
    Note: 5A001.g. does not control:
    a. Radio-astronomical equipment; or
    b. Systems or equipment, that require any radio transmission 
from the target.
    h. Counter Improvised Explosive Device (IED) equipment and 
related equipment, as follows:
    h.1. Radio Frequency (RF) transmitting equipment, not specified 
by 5A001.f, designed or modified for prematurely activating or 
preventing the initiation of Improvised Explosive Devices (IEDs);
    h.2. Equipment using techniques designed to enable radio 
communications in the same frequency channels on which co-located 
equipment specified by 5A001.h.1 is transmitting.
    N.B.: See also Category XI of the International Traffic in Arms 
Regulations (ITAR) (22 CFR parts 120-130).
    i. [Reserved]
    N.B.: See 5A001.f.1 for items previously specified by 5A001.i.
    j. IP network communications surveillance systems or equipment, 
and ``specially

[[Page 58214]]

designed'' components therefor, having all of the following:
    j.1. Performing all of the following on a carrier class IP 
network (e.g., national grade IP backbone):
    j.1.a. Analysis at the application layer (e.g., Layer 7 of Open 
Systems Interconnection (OSI) model (ISO/IEC 7498-1));
    j.1.b. Extraction of selected metadata and application content 
(e.g., voice, video, messages, attachments); and
    j.1.c. Indexing of extracted data; and
    j.2. Being ``specially designed'' to carry out all of the 
following:
    j.2.a. Execution of searches on the basis of ``hard selectors''; 
and
    j.2.b. Mapping of the relational network of an individual or of 
a group of people.
    Note: 5A001.j does not apply to ``systems'' or ``equipment'', 
``specially designed'' for any of the following:
    a. Marketing purpose;
    b. Network Quality of Service (QoS); or
    c. Quality of Experience (QoE).
    N.B.: See also the International Traffic in Arms Regulations 
(ITAR) (22 CFR parts 120-130). Defense articles described in USML 
Category XI(b) are ``subject to the ITAR.''

0
14. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN 
5B001 is revised to read as follows:

5B001 Telecommunication test, inspection and production equipment, 
``components'' and ``accessories,'' as follows (See List of Items 
Controlled).

License Requirements

Reason for Control: NS, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 2.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

LVS: $5000, except N/A for 5B001.a (for 5A001.j)
GBS: Yes, except N/A for 5B001.a (for 5A001.j)
ACE: Yes for 5B001.a (for equipment and ``specially designed'' 
``components'' or ``accessories'' therefor, ``specially designed'' 
for the ``development'' or ``production'' of equipment, functions or 
features, controlled by 5A001.j), except to Country Group E:1 or 
E:2. See Sec.  740.22 of the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship 5B001.a equipment 
and ``specially designed'' components or ``accessories'' therefor, 
``specially designed'' for the ``development'' or ``production'' of 
equipment, functions or features specified by in ECCN 5A001.b.3, 
.b.5 or .h to any of the destinations listed in Country Group A:6 
(See Supplement No.1 to part 740 of the EAR) and 5A001.j to any of 
the destinations listed in Country Group A:5 or A:6.

List of Items Controlled

Related Controls: See also 5B991.
Related Definition: N/A
Items:

    a. Equipment and ``specially designed'' ``components'' or 
``accessories'' therefor, ``specially designed'' for the 
``development'' or ``production'' of equipment, functions or 
features, controlled by 5A001;
    Note: 5B001.a does not apply to optical fiber characterization 
equipment.
    b. Equipment and ``specially designed'' ``components'' or 
``accessories'' therefor, ``specially designed'' for the 
``development'' of any of the following telecommunication 
transmission or switching equipment:
    b.1. [Reserved]
    b.2. Equipment employing a ``laser'' and having any of the 
following:
    b.2.a. A transmission wavelength exceeding 1750 nm; or
    b.2.b. [Reserved]
    b.2.c. [Reserved]
    b.2.d. Employing analog techniques and having a bandwidth 
exceeding 2.5 GHz; or
    Note: 5B001.b.2.d. does not include equipment ``specially 
designed'' for the ``development'' of commercial TV systems.
    b.3. [Reserved]
    b.4. Radio equipment employing Quadrature-Amplitude-Modulation 
(QAM) techniques above level 1,024.


0
15. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN 
5D001 is revised to read as follows:

5D001 ``Software'' as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, SL, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
SL applies to the entire entry as           A license is required for
 applicable for equipment, functions,        all destinations, as
 features, or characteristics controlled     specified in Sec.   742.13
 by 5A001.f.1.                               of the EAR. Accordingly, a
                                             column specific to this
                                             control does not appear on
                                             the Commerce Country Chart
                                             (Supplement No. 1 to Part
                                             738 of the EAR).
                                            Note to SL paragraph: This
                                             licensing requirement does
                                             not supersede, nor does it
                                             implement, construe or
                                             limit the scope of any
                                             criminal statute,
                                             including, but not limited
                                             to the Omnibus Safe Streets
                                             Act of 1968, as amended.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

TSR: Yes, except for exports and reexports to destinations outside 
of those countries listed in Country Group A:5 (See Supplement No. 1 
to part 740 of the EAR) of ``software'' controlled by 5D001.a and 
``specially designed'' for items controlled by 5A001.b.5 and 
5A001.h, and N/A for ``software'' classified under ECCN 5D001.a (for 
5A001.j) or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)).
ACE: Yes for 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 
5B001.a (for 5A001.j)), except to Country Group E:1 or E:2. See 
Sec.  740.22 of the EAR for eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 
5D001.a ``software'' ``specially designed'' for the ``development'' 
or ``production'' of equipment, functions or features, specified by 
ECCN 5D001.a (for 5A001.j) and 5D001.c (for 5A001.j or 5B001.a (for 
5A001.j)) to any of the destinations listed in Country Group A:5 or 
A:6 (See Supplement No.1 to part 740 of the EAR); 5A001.b.3, .b.5 or 
.h; and for 5D001.b. for ``software'' ``specially designed'' or 
modified to support ``technology'' specified by the STA paragraph in 
the License Exception section of ECCN 5E001 to any of the 
destinations listed in Country Group A:6.

List of Items Controlled

Related Controls: See also 5D980 and 5D991.
Related Definitions: N/A
Items:

    a. ``Software'' ``specially designed'' or modified for the 
``development'', ``production'' or ``use'' of equipment, functions 
or features controlled by 5A001;
    b. [Reserved]
    c. Specific ``software'' ``specially designed'' or modified to 
provide characteristics, functions or features of equipment, 
controlled by 5A001 or 5B001;

[[Page 58215]]

    d. ``Software'' ``specially designed'' or modified for the 
``development'' of any of the following telecommunication 
transmission or switching equipment:
    d.1.[Reserved]
    d.2. Equipment employing a ``laser'' and having any of the 
following:
    d.2.a. A transmission wavelength exceeding 1,750 nm; or
    d.2.b. Employing analog techniques and having a bandwidth 
exceeding 2.5 GHz; or
    Note: 5D001.d.2.b does not control ``software'' ``specially 
designed'' or modified for the ``development'' of commercial TV 
systems.
    d.3. [Reserved]
    d.4. Radio equipment employing Quadrature-Amplitude-Modulation 
(QAM) techniques above level 1,024.


0
16. In Supplement No. 1 to Part 774 (the CCL), Category 5--Part 1, ECCN 
5E001 is revised to read as follows:

5E001 ``Technology'' as follows (see List of Items Controlled).

License Requirements

Reason for Control: NS, SL, AT

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
SL applies to ``technology'' for the        A license is required for
 ``development'' or ``production'' of        all destinations, as
 equipment, functions or features            specified in Sec.   742.13
 controlled by 5A001.f.1, or for the         of the EAR. Accordingly, a
 ``development'' or ``production'' of        column specific to this
 ``software'' controlled by ECCN 5D001.a     control does not appear on
 (for 5A001.f.1).                            the Commerce Country Chart
                                             (Supplement No. 1 to Part
                                             738 of the EAR).
                                            Note to SL paragraph: This
                                             licensing requirement does
                                             not supersede, nor does it
                                             implement, construe or
                                             limit the scope of any
                                             criminal statute,
                                             including, but not limited
                                             to the Omnibus Safe Streets
                                             Act of 1968, as amended.
AT applies to entire entry................  AT Column 1.
 

Reporting Requirements

    See Sec.  743.1 of the EAR for reporting requirements for 
exports under License Exceptions, and Validated End-User 
authorizations.

List Based License Exceptions (See Part 740 for a description of all 
license exceptions)

TSR: Yes, except for exports or reexports to destinations outside of 
those countries listed in Country Group A:5 (See Supplement No. 1 to 
part 740 of the EAR) of ``technology'' controlled by 5E001.a for the 
``development'' or ``production'' of the following:
    (1) Items controlled by 5A001.b.5, .h or .j;
    (2) ``Software'' controlled by 5D001.a that is ``specially 
designed'' for the ``development'' or ``production'' of equipment, 
functions or features controlled by 5A001.b.5, 5A001.h, 5A001.j, or 
5B001.a (for 5A001.j); or
    (3) ``Software'' controlled by 5D001.c (for 5A001.j or 5B001.a 
(for 5A001.j)).
ACE: Yes for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a 
(for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j))) 
except to Country Group E:1 or E:2. See Sec.  740.22 of the EAR for 
eligibility criteria.

Special Conditions for STA

STA: License Exception STA may not be used to ship or transmit 
``technology'' according to the General Technology Note for the 
``development'' or ``production'' of equipment, functions or 
features specified by 5A001.b.3, .b.5 or .h; or for ``software'' in 
5D001.a or .c, that is specified in the STA paragraph in the License 
Exception section of ECCN 5D001 to any of the destinations listed in 
Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or 
``technology'' specified in 5E001.a according to the General 
Technology Note for the ``development'' or ``production'' of 
equipment, functions or features specified by 5A001.j, 5B001.a (for 
5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a) to 
any destinations listed in Country Group A:5 or A:6.

List of Items Controlled

Related Controls: (1) See also 5E101, 5E980 and 5E991. (2) 
``Technology'' for ``development'' or ``production'' of ``Monolithic 
Microwave Integrated Circuit'' (``MMIC'') amplifiers that meet the 
control criteria given at 3A001.b.2 is controlled in 3E001; 5E001.d 
refers only to that additional ``technology'' ``required'' for 
telecommunications.
Related Definitions: N/A
Items:

    a. ``Technology'' according to the General Technology Note for 
the ``development'', ``production'' or ``use'' (excluding operation) 
of equipment, functions or features, controlled by 5A001 or 
``software'' controlled by 5D001.a.
    b. Specific ``technology'', as follows:
    b.1. ``Technology'' ``required'' for the ``development'' or 
``production'' of telecommunications equipment ``specially 
designed'' to be used on board satellites;
    b.2. ``Technology'' for the ``development'' or ``use'' of 
``laser'' communication techniques with the capability of 
automatically acquiring and tracking signals and maintaining 
communications through exoatmosphere or sub-surface (water) media;
    b.3. ``Technology'' for the ``development'' of digital cellular 
radio base station receiving equipment whose reception capabilities 
that allow multi-band, multi-channel, multi-mode, multi-coding 
algorithm or multi-protocol operation can be modified by changes in 
``software'';
    b.4. ``Technology'' for the ``development'' of ``spread 
spectrum'' techniques, including ``frequency hopping'' techniques.
    Note: 5E001.b.4 does not apply to ``technology'' for the 
``development'' of any of the following:
    a. Civil cellular radio-communications systems; or
    b. Fixed or mobile satellite Earth stations for commercial civil 
telecommunications.
    c. ``Technology'' according the General Technology Note for the 
``development'' or ``production'' of any of the following:
    c.1. [Reserved]
    c.2. Equipment employing a ``laser'' and having any of the 
following:
    c.2.a. A transmission wavelength exceeding 1,750 nm;
    c.2.b. [Reserved]
    c.2.c. [Reserved]
    c.2.d. Employing wavelength division multiplexing techniques of 
optical carriers at less than 100 GHz spacing; or
    c.2.e. Employing analog techniques and having a bandwidth 
exceeding 2.5 GHz;
    Note: 5E001.c.2.e does not control ``technology'' for commercial 
TV systems.
    N.B.: For ``technology'' for the ``development'' or 
``production'' of non-telecommunications equipment employing a 
``laser'', see Product Group E of Category 6, e.g., 6E00x
    c.3. Equipment employing ``optical switching'' and having a 
switching time less than 1 ms; or
    c.4. Radio equipment having any of the following:
    c.4.a. Quadrature-Amplitude-Modulation (QAM) techniques above 
level 1,024; or
    c.4.b. Operating at input or output frequencies exceeding 31.8 
GHz; or
    Note: 5E001.c.4.b does not control ``technology'' for equipment 
designed or modified for operation in any frequency band which is 
``allocated by the ITU'' for radio-communications services, but not 
for radio-determination.
    c.4.c. Operating in the 1.5 MHz to 87.5 MHz band and 
incorporating adaptive techniques providing more than 15 dB 
suppression of an interfering signal; or
    c.5. [Reserved]
    c.6. Mobile equipment having all of the following:
    c.6.a. Operating at an optical wavelength greater than or equal 
to 200nm and less than or equal to 400nm; and
    c.6.b. Operating as a ``local area network'';
    d. ``Technology'' according to the General Technology Note for 
the ``development'' or ``production'' of ``Monolithic Microwave 
Integrated Circuit'' (``MMIC'') amplifiers ``specially designed'' 
for telecommunications and that are any of the following:
    Technical Note: For purposes of 5E001.d, the parameter peak 
saturated power output may also be referred to on product data 
sheets as output power, saturated power output, maximum power 
output, peak power output, or peak envelope power output.
    d.1. Rated for operation at frequencies exceeding 2.7 GHz up to 
and including 6.8 GHz with a ``fractional bandwidth'' greater than 
15%, and having any of the following:
    d.1.a. A peak saturated power output greater than 75 W (48.75 
dBm) at any

[[Page 58216]]

frequency exceeding 2.7 GHz up to and including 2.9 GHz;
    d.1.b. A peak saturated power output greater than 55 W (47.4 
dBm) at any frequency exceeding 2.9 GHz up to and including 3.2 GHz;
    d.1.c. A peak saturated power output greater than 40 W (46 dBm) 
at any frequency exceeding 3.2 GHz up to and including 3.7 GHz; or
    d.1.d. A peak saturated power output greater than 20 W (43 dBm) 
at any frequency exceeding 3.7 GHz up to and including 6.8 GHz;
    d.2. Rated for operation at frequencies exceeding 6.8 GHz up to 
and including 16 GHz with a ``fractional bandwidth'' greater than 
10%, and having any of the following:
    d.2.a. A peak saturated power output greater than 10W (40 dBm) 
at any frequency exceeding 6.8 GHz up to and including 8.5 GHz; or
    d.2.b. A peak saturated power output greater than 5W (37 dBm) at 
any frequency exceeding 8.5 GHz up to and including 16 GHz;
    d.3. Rated for operation with a peak saturated power output 
greater than 3 W (34.77 dBm) at any frequency exceeding 16 GHz up to 
and including 31.8 GHz, and with a ``fractional bandwidth'' of 
greater than 10%;
    d.4. Rated for operation with a peak saturated power output 
greater than 0.1n W (-70 dBm) at any frequency exceeding 31.8 GHz up 
to and including 37 GHz;
    d.5. Rated for operation with a peak saturated power output 
greater than 1 W (30 dBm) at any frequency exceeding 37 GHz up to 
and including 43.5 GHz, and with a ``fractional bandwidth'' of 
greater than 10%;
    d.6. Rated for operation with a peak saturated power output 
greater than 31.62 mW (15 dBm) at any frequency exceeding 43.5 GHz 
up to and including 75 GHz, and with a ``fractional bandwidth'' of 
greater than 10%;
    d.7. Rated for operation with a peak saturated power output 
greater than 10 mW (10 dBm) at any frequency exceeding 75 GHz up to 
and including 90 GHz, and with a ``fractional bandwidth'' of greater 
than 5%; or
    d.8. Rated for operation with a peak saturated power output 
greater than 0.1 nW (-70 dBm) at any frequency exceeding 90 GHz;
    e. ``Technology'' according to the General Technology Note for 
the ``development'' or ``production'' of electronic devices and 
circuits, ``specially designed'' for telecommunications and 
containing ``components'' manufactured from ``superconductive'' 
materials, ``specially designed'' for operation at temperatures 
below the ``critical temperature'' of at least one of the 
``superconductive'' constituents and having any of the following:
    e.1. Current switching for digital circuits using 
``superconductive'' gates with a product of delay time per gate (in 
seconds) and power dissipation per gate (in watts) of less than 
10-14 J; or
    e.2. Frequency selection at all frequencies using resonant 
circuits with Q-values exceeding 10,000.

0
17. In supplement no. 1 to part 774, Category 5--Part 2, ECCN 5A004 is 
revised to read as follows:

5A004 ``Systems,'' ``equipment'' and ``components'' for defeating, 
weakening or bypassing ``information security,'' as follows (see 
List of Items Controlled).

License Requirements

Reason for Control: NS, AT, EI

 
                                            Country chart (See Supp. No.
                Control(s)                         1 to part 738)
 
NS applies to entire entry................  NS Column 1.
AT applies to entire entry................  AT Column 1.
EI applies to entire entry................  Refer to Sec.   742.15 of
                                             the EAR.
 

    License Requirements Note: See Sec.  744.17 of the EAR for 
additional license requirements for microprocessors having a 
processing speed of 5 GFLOPS or more and an arithmetic logic unit 
with an access width of 32 bit or more, including those 
incorporating ``information security'' functionality, and associated 
``software'' and ``technology'' for the ``production'' or 
``development'' of such microprocessors.

List Based License Exceptions (See Part 740 for a Description of All 
License Exceptions)

LVS: Yes: $500 for ``components.''
N/A for systems and equipment.
GBS: N/A
ENC: Yes for certain EI controlled commodities. See Sec.  740.17 of 
the EAR for eligibility.

List of Items Controlled

Related Controls: ECCN 5A004.a controls ``components'' providing the 
means or functions necessary for ``information security.'' All such 
``components'' are presumptively ``specially designed'' and 
controlled by 5A004.a. Defense articles described in USML Category 
XI(b), and software directly related to a defense article, are 
``subject to the ITAR''; see Sec.  120.10(a)(4).
Related Definitions: N/A
Items:

    a. Designed or modified to perform `cryptanalytic functions.'
    Note: 5A004.a includes systems or equipment, designed or 
modified to perform `cryptanalytic functions' by means of reverse 
engineering.
    Technical Note: `Cryptanalytic functions' are functions designed 
to defeat cryptographic mechanisms in order to derive confidential 
variables or sensitive data, including clear text, passwords or 
cryptographic keys.
    b. Items, not specified by ECCNs 4A005 or 5A004.a, designed to 
perform all of the following:
    b.1. `Extract raw data' from a computing or communications 
device; and
    b.2. Circumvent ``authentication'' or authorisation controls of 
the device, in order to perform the function described in 5A004.b.1.
    Technical Note: `Extract raw data' from a computing or 
communications device means to retrieve binary data from a storage 
medium, e.g., RAM, flash or hard disk, of the device without 
interpretation by the device's operating system or filesystem.
    Note 1: 5A004.b does not apply to systems or equipment specially 
designed for the ``development'' or ``production'' of a computing or 
communications device.
    Note 2: 5A004.b does not include:
    a. Debuggers, hypervisors;
    b. Items limited to logical data extraction;
    c. Data extraction items using chip-off or JTAG; or
    d. Items specially designed and limited to jail-breaking or 
rooting.
* * * * *

Matthew S. Borman,
Deputy Assistant Secretary for Export Administration.
[FR Doc. 2021-22774 Filed 10-20-21; 8:45 am]
BILLING CODE 3510-33-P


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.