Department of Commerce Gives Industry What it asked for Regarding the Entity List

The U.S. Department of Commerce Bureau of Industry and Security (BIS) added Chinese 5G technology giant Huawei to its Entity List more than three years ago. The immediate result was the spread of uncertainty and doubt among the hundreds of standards setting organizations (SSOs) in which Huawei participated as well as throughout the multitudes of U.S. companies who participated in those organizations. The reason was that the rules bar U.S. companies from disclosing a broad array of technology to Entity List companies, and that’s what can happen in standards working groups. Many SSOs either refused or failed to make adequate changes to their operations to fit within the vague exemptions available to avoid the concern. In consequence, many American companies believed they needed to drop out of SSOs creating the standards those companies most wanted to influence.

On September 9, following several prior BIS releases of interim guidance and the submission of ongoing comments and requests for relief from industry (many of which we facilitated), the Department of Commerce and BIS have finally released a new Interim Final Rule that provides virtually everything commenters have asked for, and in language that in most cases is clear and actionable. While complexities and nuances remain (e.g., relating to the type of technical work being undertaken) that will still require legal analysis, the good news is that the way is clear for most SSOs to allow any Entity List company to fully participate in standards development, as well as in related activities such as conformance assessment.

Eligibility Requirements

In order for a standard to be eligible for exemption under the new rule, all of the following must be true:

                1) The technology or software must be designated as EAR99; controlled for AT reasons only on the Commerce Control List; or specifically for the “development,” “production,” and “use” of cryptographic functionality;

                2) The “release” of technology or software must be made in the context of a “standards-related activity;” and

                3) There must be intent to “publish” the resulting standard. If there is no intent to publish the resulting standard, then a license will still be required.

More specifically, the new, immediately effective Interim Final Rule:

  • Deletes the previous references to “standards” and “standards organizations,” each of which was linked to the OMB A-119 definitions that mapped in some cases to processes common to traditional SSOs but not consortia. Instead, the new rule refers to “standards-related activity,” focusing on the purpose of the exercise rather than the particular processes used to support that activity. Consortia may therefore no longer concern themselves with conforming to (for example) the ANSI Essential Requirements in order to ensure that they fit within an identified exception category.
  • Can a standard made available only to the members of an SSO be considered to be “published?”
  • Applies to all standards areas (earlier versions of the rule were said to be considering addressing only information technology standards).
  • Covers the entire Entity List and not just Huawei.
  • Covers traditional standards-related activities in addition to actual standards development, such as conformance assessment and certification testing.
  • Covers the development of various types of software created in support of standards work.
  • Exempts standards-related activity for EAR99 and Anti-Terrorism (AT)-controlled technologies and software, including in respect of certain types of cryptographic functionality.

Analysis Still Required

While overall the news is good, ambiguities remain. Some examples:

  • The Interim rule makes several references to insignificant risks associated with the release of “low-level technology” without addressing where the boundaries may exist for such technology.
  • Can a standard made available only to the members of an SSO be considered to be “published?”

Comments Requested

While the Interim Final Rule takes immediate effect, the Federal Register Notice announcing its effectiveness invites comments on the rule as released and also and poses four questions on topics where the Agency seeks further guidance (see the end of this post for the list). Comment periods may, but do not always, result in modifications to already released rules.

The Upshot

The upshot is that an SSO will want to do a careful review of all of its in-process and proposed work streams, as well as of its internal rules, to be sure they lie within the bounds of the new rule. But that aside, the long wait is over. SSOs that meet the requirements of the new Interim Final Rule can get back to the work they do best without spending scarce time on needlessly retooling their processes. And U.S. companies can once again help create the best standards possible to enable important new technologies to do their part in assisting the recovery of the world economy.

* * *

BIS Questions for Public Comment

Industries involved in standards development: BIS is requesting comments and additional information on whether the current scope of this authorization is adequate for the United States to retain its participation and lead in other areas that are important to the United States Government and industry, such as energy, artificial intelligence (AI), biotech, aerospace, and transportation. Does the current scope of the authorization hinder U.S. participation and leadership in standards development in industries where there is or may be participation by listed entities? Interested parties should provide specific examples of industries and commercial sectors which are or would be adversely affected by the current scope of the standards authorization as stated in this final rule.

Impact of other end use/end user controls: BIS is requesting comment on whether there are other provisions of the EAR that may negatively impact U.S. national security by limiting leadership and participation in standards-related activities, such as licensing requirements for other end use or end user-based controls listed in part 744 of the EAR. Commenters are asked to provide specific examples of how U.S. participation and/or leadership has (or will be) impacted by the limited application of this authorization to the license requirements in § 744.11.

Compliance burden: BIS is requesting comment from interested parties on industries and commercial sectors that are actively involved in standards development, including information on how they are affected by compliance burdens resulting from the changes promulgated in this and the previous rule.

International participation and scope of standards-related activities: BIS is requesting comment on whether the definition of “standards-related activities” promulgated in this interim final rule allows for full and open participation by U.S. companies in the development of standards. Are there aspects of the definition that should be better-defined or excluded?

Instructions for submission of comments can be found in the Addresses Section at the beginning of the CFR notice found here.

Leave a Reply

Your email address will not be published.