DDTC Issues Guidance for Interim Final Rule for Definitions of Activities That Are Not Exports, Re-exports, Retransfers
The Directorate of Defense Trade Controls issued guidance for its December interim final rule that will revise the International Traffic in Arms Regulations to provide definitions for activities that are not exports, re-exports, retransfers or temporary imports (see 1912230052). The Feb. 20 “summary handout” previews changes to the rule, details implications for industry and summarizes which activities will not be considered controlled events. The rule will significantly reduce regulatory and compliance burdens surrounding encrypted data (see 1912300024).
The guidance also includes a Frequently Asked Questions section addressing whether traders can place all of their “ITAR stuff ‘on the cloud.’” DDTC said traders cannot place all of their “ITAR stuff” on the cloud, adding that the rule only “applies to unclassified technical data.” DDTC said “classified technical data is not covered by [the ITAR], no matter the type of encryption.”
The DDTC also clarified that, after the rule takes effect March 25, industries do not need a DDTC license to send “properly encrypted unclassified ITAR tech data” to a foreign person. However, authorizations are needed to send “unencrypted” technical data, which will be classified as a controlled export.
The agency also said technical data is “properly secured” using end-to-end encryption if it is secured using “FIPS 140-2 standard in accordance” with the National Institute for Standards and Technology or “by other methods that are at least comparable to the minimum AES 128 bits security strength.” The DDTC said further revisions to the ITAR “may supersede” this guidance, and added that users should “document the encryption’s effectiveness prior to use.”