On March 26th the U.S. Department of State published a FINAL RULE amending the ITAR effective immediately with a series of long awaited revisions and clarifications on activities that are NOT considered exports, re-exports or re-transfers and thus do NOT require licensing authorization by the Directorate of Defense Trade Controls (DDTC). While this new regulatory change contains many new wrinkles, two of the major changes to the ITAR that TSI Global Consulting sees as important elements for our clients include:
- Export, Re-Export and Re-Transfer of unclassified ITAR controlled technical data does NOT require authorization if such data is exported [with the exception that such data may not be “intentionally” exported, re-exported or re-transferred to countries subject to a US Arms embargo (ITAR §126.1 countries or the Russian Federation] in a secured fashion using end to end encryption compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES– 128)
- Transmitting or otherwise transferring within the same foreign country technical data between or among only U.S. persons, does NOT require DDTC authorization, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
TSI Global Consulting Commentary:
Point (1) above effectively makes it clear that ITAR registered entities can store unclassified ITAR technical data that is properly encrypted using AES 128 Bit security in the cloud provided you take reasonable measures to ensure that the cloud service you are using is not located in Russia, China, or any Proscribed/ITAR military embargoed country delineated in ITAR §126.1. Release of such data in country through providing the de-encryption code(s) does require DDTC authorization but mere storage of the data does not constitute and export, re-export or transfer. What this new ruling also means is that under the ITAR you could hand carry an external hard drive or have properly encrypted unclassified data stored on a laptop computer that is taken out of the country to most countries and as long as the data is not de-encrypted or released while abroad such an “event” would not be considered an export, re-export or re-transfer and thus not require DDTC authorization.
Point (2) effectively means that unclassified ITAR technical data that is authorized by DDTC for export to country “x” can be re-transferred within country “x” to US persons without need for obtaining DDTC authorization provided such US persons are not on a US government denied party list. This regulatory change provides opportunities in cases where technical data needs to be shared with US contractors, subcontractors, and US military personnel abroad allowing for such interchange provided it takes place in the same country where data was authorized for export/release and that re-transfer/release is limited to US persons.
For further details on the complete scope of this Final Rule please contact TSI Global Consulting, LLC.