DDTC, BIS Propose New Rules on Defense Services, Cloud Computing and Harmonized Definitions

Peter Jeydel, Jack Hayes, Edward Krauland, Meredith Rathbone, Andy Irwin, Alexandra Baj, and Stephen Heifetz
July 6, 2015


On June 3, 2015, the Commerce Department’s Bureau of Industry and Security (BIS) and the State Department’s Directorate of Defense Trade Controls (DDTC) issued companion proposed rules that constitute one of the last major pieces of the current Administration’s Export Control Reform (ECR) initiative.  The rules are only regulatory proposals at this stage and will not have any legal effect until issued in final form.  They have three primary objectives: 1) to clarify, update and narrow the scope of “defense services” that are subject to the International Traffic in Arms Regulations (ITAR), 2) to limit and clarify controls under both the ITAR and the Export Administration Regulations (EAR) over the electronic transmission and storage of data secured using end-to-end encryption, which will encompass many cloud computing activities, and 3) to modify and harmonize key definitions in the ITAR and EAR.  The agencies posted a fact sheet and a side-by-side comparison of the new definitions on their websites.

BIS and DDTC will accept comments on these proposed rules until August 3, 2015.  The agencies have requested comments from industry and stakeholders on any unintended consequences or suggested revisions, as well as on the proposed delayed effective date of a future final rule of 30 days, rather than the 6-month delayed effective date applied for previous ECR rules.

Defense Services

DDTC’s rule sets out a second round of proposed changes seeking to clarify, update, and narrow the scope of ITAR-controlled defense services.  The first proposed rule, on which we previously advised, was published on April 13, 2011.  On May 24, 2013, DDTC republished the first proposed rule, incorporating some of the comments received, and included within the definition of defense services certain assistance related to spacecraft.  On May 26, 2015, DDTC issued another proposed rule, on which we recently advised, clarifying issues related to the registration and licensing of US persons who may provide defense services when employed by foreign companies.  The current proposed rule makes significant revisions to the scope of controls on defense services in an effort to clarify the controls and align them with US policy objectives, and to de-control a significant amount of activity that is currently subject to licensing requirements.  The rule sets out five areas of control over defense services, along with a number of exclusions, as described below.

1) Assistance with relevant prior knowledge of US-origin technical data

The 2015 proposed rule would significantly narrow the scope of control on post-development activities involving ITAR-controlled defense articles by excluding activities by persons who do not have prior knowledge of directly relevant US-origin technical data.  The 2015 proposed rule would impose controls on furnishing assistance to a foreign person in the production, assembly, testing, intermediate- or depot-level maintenance, modification, demilitarization, destruction, or processing of a defense article, but only if the person furnishing the assistance had prior knowledge of US-origin technical data directly related to the particular defense article. 

The definition would not appear to impose a licensing requirement, for instance, on a US person employee of a foreign company whose knowledge is limited to foreign-origin technical data or US-origin technical data that is not directly related to the defense articles that their work involves.  For example, without obtaining a license, a US employee of a foreign company seemingly would be able to assist with testing a US-origin defense article if the assistance were based entirely on information obtained from testing similar foreign-origin articles.  Furthermore, a proposed note would specifically exclude US person individuals located abroad who only receive US-origin technical data as a result of activities (such as employment) on behalf of a foreign person. Consequently, the manner in which a US person acquires and utilizes technical data would become an important factor in determining whether a license may be required.  However, in practice, this proposed rule may be difficult to administer, particularly in situations where foreign-origin technical data may be derived from US-origin technical data directly related to defense articles.

The current defense services rule in §120.9 of the ITAR controls a broader array of activities, and does not depend on the person’s prior knowledge of relevant technical data.  It controls “the furnishing of assistance (including training) to foreign persons” for a number of defined undertakings, including all “maintenance” assistance, without distinction for the level of maintenance.  There are exemptions for training in the basic operation and maintenance of authorized defense articles and maintenance training in support of NATO member countries, Australia, Japan or Sweden.  However, there may be forms of assistance that may not fall within the maintenance training exemption.

The 2015 proposed rule would provide that assistance with organizational-level (basic-level) maintenance is not controlled as a defense service.  In addition, basic maintenance on defense articles that are not subject to US Government authorization would no longer be controlled.  This could include, for instance, assistance with basic maintenance on defense articles produced by foreign persons outside the United States without US-origin technical data that did not require US Government authorization. 

Importantly, DDTC notes in the proposed rule that, to the extent these activities might be considered organizational-level maintenance, such as modification or testing, and are conducted as part of the “development” of a defense article, they would constitute “development” and would be controlled as defense services under the rules discussed in Section 2, below.

Interestingly, this provision of the 2015 proposed rule does not explicitly control “repair” activities, which are currently controlled under the §120.9 definition.  Certain repair undertakings potentially could be included within the scope of “maintenance” and “modification,” which are covered under the proposed definition.  “Repair” is included in other areas of the 2015 proposed rule (as discussed in Section 5, below), and was included in prior iterations of the defense services definition.  Consequently, omission of repair from the 2015 proposed rule may raise interpretative questions.

The 2015 proposed rule is also different from the 2011 proposed rule, which would have controlled assistance “using other than public domain data.”  The 2015 proposed rule focuses on whether the person providing the services has knowledge of US-origin technical data directly related to the defense article that is the subject of the assistance, rather than whether data is actually used.  Furthermore, the focus of the 2015 proposed rule is on ITAR-controlled technical data rather than the broader category of “other than public domain data,” which could have included confidential or business proprietary information not directly related to a defense article and could also have included technology subject to the EAR.  In addition, DDTC chose to limit the 2015 proposed rule to situations involving “US-origin” technical data (a limitation that DDTC had decided not to include in 2011).  These changes significantly narrow the broad scope of the defense services control proposed in 2011, and, if adopted in final form, could de-control a significant amount of activity that is currently subject to ITAR licensing requirements.

2) Assistance with development or integration

The 2015 proposed rule treats “development” and “integration” activities separately from those listed above (production, assembly, testing, intermediate- or depot-level maintenance, modification, demilitarization, destruction, and processing).  It would broadly control assistance to foreign persons in the development of defense articles or in integrating them with any other item, without the limitations discussed above (e.g. prior knowledge of relevant US-origin technical data).  In particular, the integration control would apply even for items that are not subject to the ITAR and even when no technical data is used.  “Integration” is defined broadly to include “any engineering analysis needed to unite” the items, including the introduction of software to enable the operation of a defense article.  Yet DDTC would distinguish between integration and mere “installation,” which would not be subject to defense services controls.  Under the 2015 proposed rule, installation would involve “putting an item in its predetermined place without the use of technical data or any modifications to the defense article involved, other than to accommodate the fit of the item with the defense article” (“fit” is defined as an item’s “ability to physically interface or connect with or become an integral part of another item”).  DDTC’s description of “installation” suggests it is more akin to “plug and play,” and is therefore a less sophisticated process than “integration.” 

Unlike the other activities discussed in Section 1 above, there would be no significant de-controlling of development and integration activities under the 2015 proposed rule, as compared with the current rule in §120.9.  As mentioned above, the ITAR currently require a license for the “furnishing of assistance (including training) to foreign persons” in the listed activity areas, which is substantially identical language to that in the new proposed rule on development and integration.  

However, it is not entirely clear whether the proposed rule’s use of the word “integration” indicates a different scope of control than that which currently exists.  The ITAR do not explicitly refer to “integration” assistance, but rather focus on assistance with production, modification and development, among other activities.  The definition of “specially designed” in § 120.41 states that “production” includes integration and “development” includes integration design, but only “for the purpose of this definition [of specially designed].”  Thus, it is not clear whether those clarifications apply to the definition of defense services.  A plain reading of the language might suggest that a new control on integration activities is being proposed, but, in practice, that type of activity has generally been treated as controlled under the existing §120.9.

By comparison, the 2011 proposed rule did not treat development activities separately, and only would control them if they involved the use of “other than public domain data.”  As far as integration is concerned, the 2011 proposed rule only covered integration into defense articles of items on the US Munitions List (USML) or the Commerce Control List (CCL).  The 2015 proposed rule would be broader in two respects.  First, it includes the integration of a defense article with “any other item,” not just those on the USML or CCL.  Second, by using the word “with”, the proposed rule would apparently cover integration of other items into defense articles and vice-versa.  The 2011 proposed rule, by contrast, only covered integration of items “into” defense articles. 

DDTC rejected comments suggesting they limit these controls solely to integration of defense articles with 500 series (spacecraft) or 600 series (military) items on the CCL.  DDTC reasoned that the controls on integration are focused on the defense article, not the other item.  The agency also rejected comments to limit controls on integration to changes in “function” of the defense article and exclude changes to “fit.”  Instead, DDTC adopted a narrower exclusion based on the concept of “installation,” where the service must not use technical data directly related to the defense article.  Additionally, DDTC notes in the 2015 proposed rule that, while minor modifications may be made to a defense article without the activity being controlled as integration, all modifications of defense articles, regardless of sophistication, would be controlled if performed by someone with prior knowledge of US-origin technical data. 

For integration of 600 series items into defense articles, DDTC clarified that a BIS license may be required for the export of the 600 series item, but a separate DDTC license would be required for the performance of the defense service.  (Although DDTC did not say so explicitly, this dual licensing requirement would presumably also apply to 500 series items to be integrated into defense articles.)  DDTC decided to retain controls on development and integration, even when no US-origin technical data is being exported, based on the rationale that the ITAR’s controls over defense services are not limited to “US-origin” technical data.  That statement would imply that the limitation related to prior knowledge of US-origin technical data in Section 1 was a policy choice by DDTC to de-control certain activities, and is not reflective of the agency’s view of its potential jurisdiction over the service activities of US persons.

Overall, the new proposed rule as written would likely not lead to significant changes in the scope of controls over development and integration activities, except by limiting the meaning of integration by introducing the de-controlled concept of “installation.”  

3) Assistance with employment of defense articles

DDTC proposes to control assistance to foreign persons, regardless of whether technical data is used, “in the employment of a defense article, other than basic operation of a defense article authorized by the US government for export to the same recipient.”  It is unclear from the proposal whether DDTC intended a material distinction between the concepts of “employment” and “operation,” which is currently included in §120.9, and, if so, what any such distinction would be.  Employment is not a defined term in the 2015 proposed rule.  Presumably, DDTC intended to distinguish between assistance in the employment of defense articles that are and are not authorized by the US Government for export to the recipient of the assistance.  The exclusion related to authorized articles would be limited to assistance with “basic” operation.

This proposed rule is probably not significantly different from the current §120.9 controls on assistance to foreign persons in “operation” and “use” of defense articles.  The term “employment” in the proposed rule may have a similar meaning as “operation” and “use” in the current rule, although it is not clear why DDTC changed the terminology, or if there is an intended difference in meaning.  By using the “basic operation” language, DDTC may intend that the proposed exclusion have a similar scope as the existing exemption for basic maintenance training, except not limited to “training.”  In that respect, the proposed exclusion may be slightly broader than the existing exemption. 

The 2015 proposed rule does differ significantly from the 2011 proposal, however, which only would have controlled training or advice in the employment of defense articles if provided to “foreign units and forces.”  The current proposal would potentially apply to a broader array of counterparts (all foreign persons) in the private sector and outside the armed forces.

The absence of a specific control in the 2015 proposed rule for “military training of foreign units and forces,” as exists under current §120.9, may de-control certain activities related to the provision of military training and advice. To be outside the scope of the ITAR, it would appear that those activities could not involve the employment of any defense articles.  While most military training would involve the employment of defense articles, there are some obvious activities that may not (e.g., training a military on use of dual-use equipment).  Also, it is not clear if “military advice,” which is currently controlled, would remain controlled to the same extent under the new proposed rule.  Such advice may not require the use of defense articles and may instead involve advice and instruction on tactical movements, leadership, etc., which may not be clearly controlled under the new proposed rule.  Moreover, it appears that DDTC is not proposing to control as a defense service military training involving only CCL 600 series military items, which may constitute a significant loosening of controls (although there may be separate BIS licensing requirements for any associated release of controlled information, including “technical assistance”).

Overall, the controls on assistance with employment of defense articles may narrow a bit under this proposal, with a somewhat broader exclusion for assistance with basic operation, and by leaving out certain military training activities not involving the employment of defense articles or combat operations, as noted below.

4) Involvement in combat operations

The 2015 proposed rule would implement a new control on participating in or directing combat operations for a foreign person, except as a draftee into the armed forces of a foreign country.  Activities such as assistance in the use of defense articles, transferring technical data or military training are currently controlled under §120.9.  Yet there may be other combat or command activities that are not currently controlled and that would fall under the controls of this proposed provision.  The new proposed exclusion for draftees may be slightly narrower than the current exclusion, which covers all “services performed” by US person draftees as a member of the regular military forces of a foreign nation.  Rather than covering all services, the proposed exclusion only appears to relate to participating in or directing combat operations.

5) Assisting proscribed countries 

The proposed rule would control the furnishing of assistance (including training) to the government of a proscribed country listed in § 126.1 in the development, production, operation, installation, maintenance, repair, overhaul, or refurbishing of a defense article or a part, component, accessory or attachment specially designed for a defense article.  It is not entirely clear why DDTC did not include other activities such as assembly, testing, modification, demilitarization, destruction, or processing.  It is also unclear why they would include development but not integration.  It is worth noting that this appears to be the only context in which installation would be generally controlled.  Presumably, employment of defense articles was omitted because it is already broadly controlled in subsection 3 and therefore would be denied for § 126.1 countries under that provision.

Exclusions from the scope of controlled defense services

The 2015 proposed rule excludes from control servicing items that are subject to the EAR without the use of technical data, even if the item subject to the EAR has been integrated into a defense article or vice-versa (provided the assistance does not involve a proscribed country).  Likewise, as mentioned above, it excludes all installation of items into defense articles or vice-versa.  These would be welcome new clarifications of the ITAR’s scope.

The 2015 proposed rule also excludes the furnishing of assistance by a foreign person not in the United States, which is not currently controlled under the ITAR as long as no US-origin defense articles or technical data are involved.  While this may be viewed as a welcome statement of DDTC’s jurisdictional limitations, it also may introduce ambiguity, because the exclusion as written does not condition its applicability on the absence of other potentially jurisdiction-triggering activities like transfers of US-origin defense articles or technical data.  That ambiguity is particularly evident because other exclusions discussed below do condition their applicability in such a way.      

In addition, the proposed rule excludes from control providing services as an employee of a foreign person, unless the activities fall into one of the categories of defense services described above.  That similarly would appear to have no effect as compared with the current scope of the ITAR, which, as a set of regulations related to defense trade, does not control the mere act of serving as an employee of a foreign person, if not performing a defense service. 

Additional excluded activities would be providing law enforcement, physical security, or personal protective services (including training and advice), unless otherwise controlled, and medical, logistical (other than maintenance), translation, financial, legal, scheduling, or administrative services.  There are also exclusions for assistance by foreign governments to foreign persons in the United States pursuant to an arrangement with the Department of Defense, and instruction in general scientific, mathematical, or engineering principles commonly taught in schools, colleges and universities. 

The proposed rule also clarifies that the ITAR would no longer control the furnishing of technical data as a defense service, but transfers of technical data would remain controlled.  Instead, the concept of defense services would be focused on the provision of assistance related to defense articles. 

Electronic Data Transmission and Storage - Cloud Computing

The proposed rules from BIS and DDTC would exclude from the definitions of export, reexport and (re)transfer the electronic transmission and storage of adequately secured technology/technical data.  To complement that de-control (which is not entirely new, but clarifies a number of preexisting guidance materials), the agencies have proposed a restriction on the unauthorized release of the means of accessing the secured data in clear text.  This regulatory policy change represents an acknowledgement by the agencies that users often have no knowledge of or control over the routing of data through various countries by internet service and infrastructure providers or the storage of data in different countries by cloud operators. 

Both proposed rules state that the following would not constitute an export, reexport or (re)transfer: sending, taking or storing technology/technical data or software that is: (i) unclassified; (ii) secured using end-to-end encryption; (iii) secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards (FIPS) Publication 140-2 or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current US National Institute for Standards and Technology publications; and (iv) not stored in a proscribed US arms embargoed country or Russia.  BIS also added at the end of part (iii) “or other similarly effective cryptographic means,” indicating BIS may be more flexible than DDTC about the specific encryption methods that may be used to qualify for this safe-harbor provision.

Both agencies define “end-to-end encryption” as the provision of uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself.  End-to-end encryption involves encrypting data by the originating party and keeping that data encrypted except by the intended recipient, where the means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider. 

Alongside that new safe-harbor provision for the electronic transmission and storage overseas of controlled data in encrypted form, there is a new restriction on releasing the means of accessing the data in clear text.  The agencies’ formulations of the new restriction – in the form of a revised definition of “export” – are slightly different, and they are seeking comment on which one more clearly describes the control.  Both of the proposed definitions are based on the act of releasing or otherwise transferring decryption keys, network access codes, passwords, software or other information.  But BIS conditions its proposal by adding “with ‘knowledge’” that providing such access would “cause or permit the transfer” of clear text data to a foreign national.  DDTC, on the other hand, does not require knowledge, and focuses on whether such acts would “allow access” to the clear text data, “regardless of whether such data has been or will be transferred.”  The difference between, on the one hand, permitting a transfer and, on the other, allowing access, is subtle.  The agencies say they intend that the act of providing physical access to unsecured data would be a controlled event if it is ITAR technical data, but not if it is EAR technology, unless in the latter case the person acts with knowledge that it will cause or permit a transfer of clear text data to a foreign national.

DDTC is also clarifying the existing rule that posting controlled technical data to the Internet (or another publicly available network) requires prior authorization, even without specific knowledge that a foreign national may access it.  DDTC has also prohibited exporting, reexporting, retransferring, or otherwise making available to the public technical data or software with knowledge that it was previously released without authorization.  These provisions should serve as reminders that use of the Internet or other public media for any purpose related to controlled technical data may carry risks, even if it appears that the information may be already in the public domain or that no foreign national is likely to access it.  DDTC may expect any public posting of potentially controlled information without prior authorization to be based on reasonable due diligence and a determination that the information is not ITAR-controlled technical data, e.g. because it was already in the public domain, or has otherwise been authorized for release by the US government.

New and Modified Definitions

The agencies have proposed modifying several key definitions in the ITAR and EAR in order to harmonize the language they use when the intended meaning is the same, and to highlight intended differences in meaning.  Both agencies set out revised definitions of “technology”/“technical data,” “required,” “peculiarly responsible,” “fundamental research,” “export,” “reexport,” “release,” and “transfer”/“retransfer.”  BIS has also proposed new definitions for “proscribed person,” “published,” “applied research,” and “publicly available encryption software,” and a revised definition of “basic scientific research.”  DDTC has set out new definitions for “public domain” and “production,” and revisions to “defense article,” “defense service,” and “technical data.”

DDTC describes its new definition of defense article as not making a substantive change or constituting a change in policy.  However, by adding software to the definition of defense article and removing it from the definition of technical data, questions may be raised about whether, under this new scheme, software would be automatically controlled when directly related to a defense article, under the technical data catch-all paragraphs on the USML.  The agency says that specific and catch-all controls on software “will be added elsewhere throughout the ITAR as warranted.”  But until those additions are made, there may be software that is no longer clearly controlled even when directly related to a defense article.  DDTC also states that it intends to begin enumerating certain types of technical data on the USML. 

Other Changes

DDTC is revising an existing exemption to allow foreign persons who are authorized to receive ITAR-controlled technical data in the United States to receive the same data while on temporary duty for their employer outside the United States.  But they added an affirmative obligation to secure the data while abroad.

DDTC also clarifies that providing false information as part of a license application is not only an ITAR violation but also may void the license.


The new proposed definition of ITAR defense services may de-control significant areas of activity, such as post-development activities involving ITAR-controlled defense articles by persons that do not have prior knowledge of directly relevant US-origin technical data, along with installation services and some types of military training that do not involve the use of defense articles or the transfer of technical data.  It remains unclear whether DDTC intended to de-control such a broad array of activity, and any actual regulatory changes will not occur until the agencies publish final rules.  In addition, the new and harmonized definitions, including the provisions directed at the cloud computing industry, may clarify a few points in the regulations, but they also raise new ambiguities that stakeholders may want to comment on by August 3. 

We will continue to keep you apprised of export controls developments.  If you have questions about these issues, please contact Peter Jeydel at +1 202 429 6291, Jack Hayes at +1 202 429 6491, Edward Krauland at +1 202 429 8083, Meredith Rathbone at +1 202 429 6437, or Alex Baj at +1 202 429 6478 in our Washington office, or Andy Irwin at +1 202 429 8177 in our Washington office or +1 310 734 1926 in our Century City office.  You can also follow us on Twitter (@SteptoeIntlReg).