Key Differences Remain in the Export Regulation Regimes, Spurring Cybersecurity Reviews

By: Olga Torres, Managing Member and Derrick Kyle, Associate
Date: 02/17/2017

Over the past decade, the availability of cloud computing services has grown exponentially to the point where cloud access is now viewed almost as a public utility. Cloud Service Providers (“CSPs”) may operate internationally, and CSP servers are often located in countries other than that of the user, leading to export control concerns.

However, as most exporters are aware, in June 2016 the Bureau of Industry and Security (“BIS”) created a carve-out from the Export Administration Regulations’ (“EAR”) definition of “export” for the sending, taking, or storing of unclassified encrypted technology when certain criteria are met.[1] As long as the security criteria are met, storing EAR-controlled technology in the cloud, even if in foreign countries, will not be considered an export of the technology. Importantly, the BIS rule requires security controls that are in accordance with the U.S. National Institute of Standards and Technology (“NIST”)[2] publications or “other equally or more effective cryptographic means.”

Meanwhile, the Directorate of Defense Trade Controls (“DDTC”), which administers the International Traffic in Arms Regulations (“ITAR”), has not published a parallel carve-out rule.[3]  At a recent export event, Robert Monjay of DDTC stated that DDTC did not publish a carve-out rule because, unlike BIS, DDTC was not comfortable using a U.S. Government standard such as the NIST published guidance i.e., FIPS 140-2.[4] Mr. Monjay stated that DDTC intends to publish a carve-out rule (similar to the BIS rule) in the spring or summer of 2017.  Therefore, the storing or transmission of ITAR-controlled technical data, whether encrypted or not, across international boundaries continues to require DDTC authorization. As such, companies seeking to store data in the cloud or transmit it internationally must ascertain the correct jurisdiction of the data because the EAR and ITAR export definitions are currently not harmonized.

With the recent changes to the EAR export definition, and ITAR changes on the way, exporters should use this as an opportunity to improve their cybersecurity, not only for application of the BIS encryption carve-out, but also for general security protection against hacking and other illicit activities. The NIST provides a Framework for Improving Critical Infrastructure Cyber Security (“the Framework”), available at The Framework is geared toward critical infrastructure industries but can be useful for any business. The Framework provides guidelines for core cybersecurity functions: Identify, Protect, Detect, Respond, and Recover. Effective encryption is just one piece of an adequate cybersecurity regime, which should also include physical security, periodic training, monitoring, and response and recovery planning, among other measures.

A review of cybersecurity measures is especially recommended for defense contractors as the Department of Defense (“DoD”) recently published a final rule[5] concerning cybersecurity safeguards and cyber-incident reporting for defense contractors that handle covered defense information (“CDI”).[6] The rule requires defense contractors with access to CDI data to implement NIST SP 800-171 controls by the end of 2017. Defense contractors are also required to report a cybersecurity data breach within 72 hours of its discovery. Further, under a proposed DoD rule,[7] if a data breach results in a violation of U.S. export controls, DoD can temporarily revoke the defense contractor’s ability to access export controlled technical data and technology.[8] If the defense contractor is unable to rebut the information leading to the temporary revocation within twenty days, the contractor may become disqualified from participating in future DoD contracts.

Aside from an overall cybersecurity review, companies should also update export compliance manuals and technology control plans to reflect the difference in the handling of export controlled data between the ITAR and the EAR. Businesses should also consider submitting a voluntary self-disclosure to the relevant agency in the event that ITAR-controlled technical data is exported without authorization, encrypted EAR-controlled technology is transmitted without qualifying for the carve-out, or if their company network gets hacked and an export violation occurs.

If you or your company need help understanding or complying with any of the above-referenced encryption or cybersecurity rules or revisions, please do not hesitate to contact us.


[1] The criteria is as follows: 1) the technology is secured using “end-to-end encryption,” 2) the encryption is compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2), and 3) the technology is not intentionally stored in Russia or countries listed in Country Group D:5. Revisions to Definitions in the EAR, 81 Fed. Reg. 35,586, 35,604 (June 3, 2016) (15 CFR § 734.18).

[2] NIST maintains a list of vendors with validated FIPS 140-2 compliant cryptographic modules at

[3] DDTC published a proposed rule with a similar encryption carve-out, but that rule never became final. ITAR: Revisions to Definitions of Defense Services, Technical Data, and Public Domain; Electronic Transmission and Storage of Technical Data; and Related Definitions, 80 Fed. Reg. 31,526 (June 3, 2015).

[4] Robert Monjay, Webinar by the American Bar Association Section of International Law, Cloud Standards of NIST, the ITAR, and the EAR (Jan. 12, 2017).

[5] Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), 81 Fed. Reg. 72,986 (Oct. 21, 2016).

[6] Covered defense information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is— (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

[7] Withholding of Unclassified Technical Data and Technology from Public Disclosure, 81 Fed. Reg. 75,352 (Oct. 31, 2016).

[8] The DoD proposed rule uses the ITAR definition of “technical data” found at 22 CFR § 120.10 and the EAR definition of “technology” found at 15 CFR § 772.1.