Review – BIS Publishes Peptide Synthesis Equipment ANPRM

Today the DOC’s Bureau of Industry and Commerce (BIC) published an advanced notice of proposed rulemaking (ANPRM) in the Federal Register (87 FR 55930-55932) on “Imposition of Section 1758  Technology Export Controls on Instruments for the Automated Chemical Synthesis of Peptides”. BIS is soliciting public comments on the potential uses of this technology, particularly with respect to its impact on U.S. national security.

Public Comments

BIS is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; 220826-0174). Comments should be submitted by October 28^th, 2022.

Commentary

I have a little bit of an editorial difference with BIS in regards to labeling the peptide toxins listed in (ECCN) 1C351(d) as potential biological weapons. Most people think of infectious agents as potential biological weapons since they provide for the spread of disease. Bio-toxins require direct contact of some sort with the toxin for their affect. The toxins in 1C351(d) are considered to be ‘bio-toxins’ because they are produced and isolated from active living organisms.

The advent of commercial scale automated protein synthesis equipment takes these toxins out of the ‘bio-toxin’ category and into the chemical weapon category. This takes these toxins into a completely new area of concern and should be acknowledged as such.

For more details about what information BIS is looking for in this ANPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bis-publishes-peptide-synthesis-equipment - subscription required.

OMB Approves BIS Information Security Controls Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a ‘Final Rule’ for DOC’s Bureau of Industry and Security (BIS) for “Information Security Controls: Cybersecurity Items”. When this was sent to OIRA back in March, the submission was billed as a “Delay of Effective Date”, but there is no mention of that in yesterday’s announcement. It could be the final rule for the interim rule that was published last October. Well, we will see what is going on when this is published in the Federal Register, probably this coming week.

BIS Sends Another Wassenaar Final Rule to OMB

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced yesterday that it had received a direct final rule from the DOC’s Bureau of Industry and Security on “Emerging Technology: Implementation of Certain 2021 Wassenaar Arrangement Decisions”.

According to the Fall 2021 Unified Agenda entry for this rulemaking:

“The Bureau of Industry and Security (BIS) maintains, as part of its Export Administration Regulations (EAR), the Commerce Control List (CCL), which identifies certain items subject to Department of Commerce jurisdiction.  This final rule revises the CCL, as well as corresponding parts of the EAR, to implement certain changes made to the Wassenaar Arrangement List of Dual-Use Goods and Technologies (WA List) maintained and agreed to by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement, or WA) at the December 2021 WA Plenary meeting.  The Wassenaar Arrangement advocates implementation of effective export controls on strategic items with the objective of improving regional and international security and stability.  This final rule implements multilateral controls on recently developed or developing technologies, which were identified by the WA December 2021 WA Plenary Meeting in a manner contemplated by [§1758 (50 USC 4817) of] the Export Control Reform Act of 2018 (ECRA) [PL 115-232] to identify emerging technologies that are essential to U.S. national security.  This rule harmonizes the CCL with the WA December 2021 Plenary Meeting decisions that pertain to these technologies.  The inclusion of the technologies in this final rule is consistent with the requirements of ECRA and the decision of the WA to add such technologies to its control lists, thereby making exports of such technologies subject to multilateral control.  As these technologies are recently developed or developing technologies that are essential to the national security of the United States, early implementation of the applicable WA December 2021 Plenary agreements is warranted.  The remaining WA 2021 Plenary agreements will be implemented in a separate rule.”

The language of §4817 is broad enough to include just about any emerging technology that someone could determine to be critical to the security of the United States. It could certainly include cybersecurity related emerging technologies. We will have to wait and see what technology is included in this rulemaking. That should not cause any problems (SIGH).

BIS is in a tough place here. They are tasked with writing rules to implement these Wassenaar agreement quickly so that they can go into effect here when the rest of the world puts them into effect. Unfortunately, this has come back to bite BIS in uncomfortable places in the past. It may do so again here.

BIS Sends Info Sec Controls Delay to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of delay of effective date from the DOC’s Bureau of Industry and Security (BIS) for their “Information Security Controls: Cybersecurity Items” interim final rule. This would be the second such delay. The current effective date was March 7^th, 2022.

Interestingly, the Fall 2021 Unified Agenda entry for this rulemaking made the following comment:

“Risks: The risks of publishing this rule is that it has unexpected consequences, which is why there is a 90 day delayed effective date and 45 day comment period that will allow the public to comment on the rule.”

Apparently, BIS continues to find ‘unexpected consequences’.

BIS Delays Effective Date of Information Security Controls IFR

The DOC’s Bureau of Industry and Security (BIS) published a notice in today’s Federal Register (87 FR 1670-1671) establishing a delay of the effective date of their interim final rule IFR, “Information Security Controls: Cybersecurity Items”, that was published in October 2021. The new effective date will be March 7^th, 2022.

Today’s notice reports that public comments on the IFR indicated that many organizations would require additional time to set up compliance procedures to bring their export operations inline with the new requirements. BIS is providing that time in the notice as well as providing notice that they will be issuing additional guidance on implementing the IFR.

Review - Public Comments - Information Security Controls: Cybersecurity Items – 12-11-21

On October 21^st, 2021 DOC’s DOC’s Bureau of Industry and Security (BIS) published an interim final rule (IFR) in the Federal Register on “Information Security Controls: Cybersecurity Items”. BIS solicited public comments on the IFR with a closing date for those comments of December 6^th, 2021, and an effective date for the new regulation of January 19^th, 2021. This week the first four comments showed up on the Regulations.gov comment site (Docket # BIS-2020-0038).

Those comments were received from:

Information Technology Industry Council,

Akin Gump Strauss Hauer & Feld LLP,

Maxar Technologies, and

Cordyceps Systems

I expect that we will continue to see additional comments submitted to this rulemaking even though we are past the close of comments date. Neither the comments received to date, nor those received in the near future will have any effect on the effective date of this IFR, nor will these comments cause BIS to make any changes to those regulations until the time comes around for the submission of a final rule.

For more details about the comments submitted to date, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-comments-information-security - subscription required.

BIC Sends New Wassenaar NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DOC’s Bureau of Industry and Security (BIS) for “Title: Information Security Controls: Cybersecurity Items”. The Spring 2021 Unified Agenda list for the rulemaking describes it thus:

“In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List. On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule showing the public how these new controls would fit into the Export Administration Regulations (EAR) and requested information about the impact on U.S. industry. The public comments revealed serious scope and implementation issues regarding these controls and the proposed rule. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 control, the U.S. government returned to WA to renegotiate the controls. This Notice outlines the progress the U.S. has made in this area, proposed Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.”

Bills Introduced – 02-15-18

With the Senate heading home for a week in district (and the House preparing to do the same) there were 65 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

HR 5040 To authorize the President to control the export, reexport, and transfer of commodities, software, and technology to protect the national security, and to promote the foreign policy, of the United States, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 2444 A bill to provide for enhanced energy grid security. Sen. Cantwell, Maria [D-WA]

S 2445 A bill to provide for the modernization of the electric grid, and for other purposes. Sen. Cantwell, Maria [D-WA] 

S 2447 A bill to accelerate smart building development, and for other purposes. Sen. Cantwell, Maria [D-WA]

With all of these bills I will be looking for control system cybersecurity issues in determining whether or not to continue coverage of the bill in this blog. I suspect hat S 2444 has the highest chance of future coverage.

As always, the large number of bills introduced before an extended stay outside of Washington is seldom due to an increased interest in legislative activity. Most of the bills introduced yesterday will receive no consideration on the Hill. Most are introduced to allow the submitter to claim to be taking action of interest in speaking before organizations and financial supporters back home.

ISTAC to Discuss Wassenaar Proposals for 2017

Today the DOC’s Bureau of Industry and Security (BIS) published a meeting notice in the Federal Register (81 FR 43185) for a meeting of the Information Systems Technical Advisory Committee (ISTAC). The partially closed two-day meeting will be held on July 27^th and 28^th, 2016 in San Diego, CA. The session on the 27^th will be open to the public and will be available via teleconference.

Two of the public session items may be of specific interest to readers of this blog:

• Comments on ECCN 5A001.J; and

• Wassenaar Proposals for 2017.

Export classification control number (ECCN) 5A001.J is the controversial export control language for ‘intrusion software’. BIS withdrew the proposed language that caused so much discord last year. I would suspect that this is the replacement language that BIS is proposing. I have not yet seen a copy of this new proposed language.

Last year the cybersecurity community was pretty much caught by surprise with the proposed intrusion software language that BIS proposed based upon the DOC interpretation of the latest Wassenaar language. In order to get ahead of future changes in these export controls, the community needs to pay attention to the development of the Wassenaar agreements.

There will be limited public seating for this meeting so advanced registration is recommended. The same is true for access to the teleconference. Written comments may be submitted on the topics to be discussed. The only method referenced for submitting written comments is via email (Yvette.Springer(@bis.doc.gov).