On December 26th, 2019 the Department of State published in the Federal Register (Volume 84, No. 247 an interim final rule that will, effective March 2020 amend the International Traffic in Arms Regulations (ITAR) to a) define activities that do not constitute an export, re-export, re-transfer or temporary import, b) create a new definition of “access information” and 3) revise the current ITAR definitions of export, re-export, re-transfer, temporary import and release.
While the technical changes noted in this interim final rule are too extensive and detailed to cover within the context of a brief blog post, by far the most important change relates to the manner in which DDTC will NOT consider it a violation to export, re-export or retransfer end-to-end encrypted non-classified ITAR technical data provided it is encrypted with minimum 128 bits of security strength to most countries provided such data remains encrypted and “access information” to such data is not released. Such transmission of encrypted data will not constitute a “controlled event” until the data is either decrypted or access information is released.
The exception to this general encryption waiver from the definition of export, re-export, retransfer is that such encrypted data must not intentionally be sent to a person in or stored in a country proscribed in §126.1 of the ITAR [Arms embargoed countries] or the Russian Federation.
In principal this new interim rule will allow for storage of non-classified ITAR restricted technical data outside of the United States provided it remains encrypted and no access information is released. For further details contact TSI Global Consulting.