THE FINAL CYBER RULE
Dissecting BIS’ Final “Cyber Rule” for Intrusion Software
Associate Export Compliance Counsel
The long-anticipated “cyber rule” and its debated export controls on intrusion software have balanced U.S. foreign policy and national security concerns with the need to maintain a regulatory framework that allows for legitimate cybersecurity transactions. The language of the interim rule reflected several years of negotiations codified in the multilateral 1996 Wassenaar Arrangement and incorporated significant U.S. stakeholder input received by BIS over the years through its various attempts to propose the controls. How should industry be applying this rule? What questions should companies be asking, and what steps should they take to ensure compliance?
- Are items that are being exported outside the U.S. controlled as cybersecurity items?
- Do other standards apply, e.g., ITAR, certain encryption controls, or surreptitious listening or national security controls?
- Mapping the country of destination for these items and its eligibility under License Exception ACE
- Defining the proposed “end users” of these items and whether they would fall within one of the categories of government end users
- Determining the proposed end use or purpose for these items, including whether any exception would apply
- Regulations being proposed that might require companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM)
- Comparing the Cyber Rule with other countries’ cyber-surveillance mitigation efforts