Showing posts with label Wassenaar. Show all posts

Monday, October 2, 2023

OMB Approves BIS 2022 Wassenaar Final Rule

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from DOC’s Bureau of Industry and Security (BIS) on “Implementation of 2022 Wassenaar Arrangement Decisions”. The rule was submitted to OIRA on July 18th, 2023.

According to the entry for this rule making in the Spring 2023 Unified Agenda:

“The Bureau of Industry and Security is amending the Export Administration Regulations.  This final rule revises the Commerce Control List to reflect implementation of 2022 Wassenaar Arrangement decisions.”

As I noted in my earlier post: “At this point it would be hard to determine from public documents whether this rule will include changes affecting cyber or cybersecurity product classifications.”

We may see this final rule published in the Federal Register later this week.

Friday, October 21, 2022

OMB Approves BIS Final Rule for 2021 Wassenaar Agreement

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule (likely an interim final rule) by the DOC’s Bureau of Industry and Security for Implementation of 2021 Wassenaar Arrangement Decisions. An earlier IFR covered four ‘emerging and foundational’ technologies that were addressed in the 2021 Wassenaar agreement; this rulemaking covers the remainder. As such, it may include additional cybersecurity controls.

These Wassenaar rules are implementations of international agreements reached under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. BIS publishes these rules as interim final rules as they are technically exempt from the ‘publish and comment’ requirements faced by most rulemakings. The rules typically have a delayed effective date to allow for public comments and, if enough objections are raised, BIS may further delay the effective dates to make appropriate changes to the rule.

The IFR will likely be published next week in the Federal Register.


Thursday, October 20, 2022

OMB Approves BIS 2021 Wassenaar Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) for “Implementation of 2021 Wassenaar Arrangement Decisions”. The rule will revise the Commerce Control List (CCL) to implement the remaining changes made to the Wassenaar Arrangement List of Dual-Use Goods and Technologies. In August, BIS published their Emerging and Foundational Technologies rule that addressed some of the areas of the 2021 Wassenaar agreement. 

The August rule did not address any cybersecurity issues. There is no current information on whether or not this current final rule will address those issues.


Saturday, August 13, 2022

Latest BIS IFR Does Not Affect Cybersecurity Devices

The DOC’s Bureau of Industry and Security published an interim final rule in Monday’s (available online today) Federal Register (87 FR 49979-49986) on “Implementation of Certain 2021 Wassenaar Arrangement Decisions on Four Section 1758 Technologies”. I wrote about this rulemaking being approved by OMB’s Office of Information and Regulatory Affairs earlier this month, without knowing what matter would be covered. The four technologies covered in this rulemaking have nothing to do with cybersecurity.

These Wassenaar rules are implementations of international agreements reached under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. This particular rule deals with four technologies that meet the criteria of Section 1758 of the Export Control Reform Act (50 USC 4817). It makes changes to the following Export Control Classification Numbers:

• Adds to ECCN 3C001 new paragraphs .e for Ga2O3 and .f for diamond,

• Amends ECCN 3C005 by adding Ga2O3 and diamond to ECCN 3C005 paragraphs .a and .b, respectively,

• Adds new ECCN 3D006 to the CCL to control ECAD “software” “specially designed” for the “development” of integrated circuits having any GAAFET structure and meeting the parameters set forth in ECCN 3D006, and

• Adds paragraph [ECCN] 9E003.a.2.e to control development and production technology for combustors utilizing ‘pressure gain combustion’ that are not described on the USML.

Thursday, August 4, 2022

OMB Approves BIS Wassenaar Arrangement Interim Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved an interim final rule from the DOC’s Bureau of Industry and Security (BIS) on “Emerging and Foundational Technologies: Implementation of Certain 2021 Wassenaar Arrangement Decisions.” There was no notice of proposed rulemaking on this IFR.

As I noted when this rulemaking was sent to OIRA, the language of 50 USC 4817 is broad enough to include just about any emerging technology that someone could determine to be critical to the security of the United States. It could certainly include cybersecurity-related emerging technologies. We will have to wait and see what technology is included in this rulemaking. That should not cause any problems (SIGH).

Tuesday, April 12, 2022

Information Systems Technical Advisory Committee Meeting – 4-27-22

The DOC’s Bureau of Industry and Security (BIS) published a revision notice in the Federal Register (87 FR 21614) revising the meeting date information for the April 27th, 2022 meeting of the Information Systems Technical Advisory Committee (ISTAC) that was published on Friday. The meeting was changed from two days to a single day. I missed Friday’s notice.

The agenda for the public portion of the meeting includes:

• Welcome and Introductions,

• Working Group Reports,

• Ideas for Wassenaar Proposals 2023,

• Old Business.

I tried to dive into the ISTAC web site to figure out what the working group reports might be covering, but the ISTAC web site is almost two years out-of-date. Still, any insight into what might end up in the 2023 Wassenaar agreement could be interesting.

The public is invited to join the public portion of the teleconference. Personnel wishing to participate should contact Ms. Yvette Springer at Yvette.Springer@bis.doc.gov by April 20, 2022.

Friday, July 1, 2016

ISTAC to Discuss Wassenaar Proposals for 2017

Today the DOC’s Bureau of Industry and Security (BIS) published a meeting notice in the Federal Register (81 FR 43185) for a meeting of the Information Systems Technical Advisory Committee (ISTAC). The partially closed two-day meeting will be held on July 27th and 28th, 2016 in San Diego, CA. The session on the 27th will be open to the public and will be available via teleconference.

Two of the public session items may be of specific interest to readers of this blog:

• Comments on ECCN 5A001.J; and
• Wassenaar Proposals for 2017.

Export Control Classification Number (ECCN) 5A001.J is the controversial export control language for ‘intrusion software’. BIS withdrew the proposed language that caused so much discord last year. I would suspect that this is the replacement language that BIS is proposing. I have not yet seen a copy of this new proposed language.

Last year the cybersecurity community was pretty much caught by surprise with the proposed intrusion software language that BIS proposed based upon the DOC interpretation of the latest Wassenaar language. In order to get ahead of future changes in these export controls, the community needs to pay attention to the development of the Wassenaar agreements.

There will be limited public seating for this meeting so advance registration is recommended. The same is true for access to the teleconference. Written comments may be submitted on the topics to be discussed. The only method referenced for submitting written comments is via email (Yvette.Springer@bis.doc.gov).

Monday, January 11, 2016

Committee Hearings – Week of 01-10-16

Both the Senate and House will be in session this week. The big news is, of course, the President’s State of the Union Address to Congress on Tuesday evening, but there will be two hearings this week in the House that may be of specific interest to readers of this blog. Both deal with cybersecurity matters.

Government IT Systems

The House Oversight and Government Reform Committee will hold a markup hearing on Tuesday. One of the bills currently on the list to be considered is an as-yet unintroduced bill entitled “the Federal Information Systems Safeguards Act of 2016”. There is no copy of the bill on the Committee web site.

Wassenaar

There will be a joint hearing on Tuesday with the Information Technology Subcommittee of the House Oversight and Government Reform Committee and the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee. It will review “Wassenaar: Cybersecurity and Export Control”. The witness list includes:

• Kevin J. Wolf, Department of Commerce;
• Ann K. Ganzer, Department of State;
• Phyllis Schneck, Department of Homeland Security;
• Cheri Flynn McGuire, Symantec;
• Iain Mulholland, VMware, Inc.;
• Cristin Flynn Goodwin, Microsoft Corporation; and
• Dean C. Garfield, Information Technology Industry Council.