ConsortiumInfo.org

BIS

Department of Commerce Gives Industry What it asked for Regarding the Entity List

9/15/2022

The U.S. Department of Commerce Bureau of Industry and Security (BIS) added Chinese 5G technology giant Huawei to its Entity List more than three years ago. The immediate result was the spread of uncertainty and doubt among the hundreds of standards setting organizations (SSOs) in which Huawei participated as well as throughout the multitudes of U.S. companies who participated in those organizations. The reason was that the rules bar U.S. companies from disclosing a broad array of technology to Entity List companies, and that’s what can happen in standards working groups. Many SSOs either refused or failed to make adequate changes to their operations to fit within the vague exemptions available to avoid the concern. In consequence, many American companies believed they needed to drop out of SSOs creating the standards those companies most wanted to influence.

On September 9, following several prior BIS releases of interim guidance and the submission of ongoing comments and requests for relief from industry (many of which we facilitated), the Department of Commerce and BIS have finally released a new Interim Final Rule that provides virtually everything commenters have asked for, and in language that in most cases is clear and actionable. While complexities and nuances remain (e.g., relating to the type of technical work being undertaken) that will still require legal analysis, the good news is that the way is clear for most SSOs to allow any Entity List company to fully participate in standards development, as well as in related activities such as conformance assessment.

Eligibility Requirements

In order for a standard to be eligible for exemption under the new rule, all of the following must be true:

1) The technology or software must be designated as EAR99; controlled for AT reasons only on the Commerce Control List; or specifically for the “development,” “production,” and “use” of cryptographic functionality;

2) The “release” of technology or software must be made in the context of a “standards-related activity;” and

3) There must be intent to “publish” the resulting standard. If there is no intent to publish the resulting standard, then a license will still be required.

More specifically, the new, immediately effective Interim Final Rule:

  • Deletes the previous references to “standards” and “standards organizations,” each of which was linked to the OMB A-119 definitions that mapped in some cases to processes common to traditional SSOs but not consortia. Instead, the new rule refers to “standards-related activity,” focusing on the purpose of the exercise rather than the particular processes used to support that activity. Consortia therefore no longer need to concern themselves with conforming to (for example) the ANSI Essential Requirements in order to ensure that they fit within an identified exception category.
  • Applies to all standards areas (earlier versions of the rule were said to be considering addressing only information technology standards).
  • Covers the entire Entity List and not just Huawei.
  • Covers traditional standards-related activities in addition to actual standards development, such as conformance assessment and certification testing.
  • Covers the development of various types of software created in support of standards work.
  • Exempts standards-related activity for EAR99 and Anti-Terrorism (AT)-controlled technologies and software, including in respect of certain types of cryptographic functionality.

Analysis Still Required

While overall the news is good, ambiguities remain. Some examples:

  • The Interim rule makes several references to insignificant risks associated with the release of “low-level technology” without addressing where the boundaries may exist for such technology.
  • Can a standard made available only to the members of an SSO be considered to be “published?”

Comments Requested

While the Interim Final Rule takes immediate effect, the Federal Register Notice announcing its effectiveness invites comments on the rule as released and also poses four questions on topics where the Agency seeks further guidance (see the end of this post for the list). Comment periods may, but do not always, result in modifications to already released rules.

The Upshot

The upshot is that an SSO will want to do a careful review of all of its in-process and proposed work streams, as well as of its internal rules, to be sure they lie within the bounds of the new rule. But that aside, the long wait is over. SSOs that meet the requirements of the new Interim Final Rule can get back to the work they do best without spending scarce time on needlessly retooling their processes. And U.S. companies can once again help create the best standards possible to enable important new technologies to do their part in assisting the recovery of the world economy.

* * *

BIS Questions for Public Comment

Industries involved in standards development: BIS is requesting comments and additional information on whether the current scope of this authorization is adequate for the United States to retain its participation and lead in other areas that are important to the United States Government and industry, such as energy, artificial intelligence (AI), biotech, aerospace, and transportation. Does the current scope of the authorization hinder U.S. participation and leadership in standards development in industries where there is or may be participation by listed entities? Interested parties should provide specific examples of industries and commercial sectors which are or would be adversely affected by the current scope of the standards authorization as stated in this final rule.

Impact of other end use/end user controls: BIS is requesting comment on whether there are other provisions of the EAR that may negatively impact U.S. national security by limiting leadership and participation in standards-related activities, such as licensing requirements for other end use or end user-based controls listed in part 744 of the EAR. Commenters are asked to provide specific examples of how U.S. participation and/or leadership has (or will be) impacted by the limited application of this authorization to the license requirements in § 744.11.

Compliance burden: BIS is requesting comment from interested parties on industries and commercial sectors that are actively involved in standards development, including information on how they are affected by compliance burdens resulting from the changes promulgated in this and the previous rule.

International participation and scope of standards-related activities: BIS is requesting comment on whether the definition of “standards-related activities” promulgated in this interim final rule allows for full and open participation by U.S. companies in the development of standards. Are there aspects of the definition that should be better-defined or excluded?

Instructions for submission of comments can be found in the Addresses Section at the beginning of the CFR notice found here.

Six Standards Recommendations for the Biden Administration

9/10/2021

It is now seven months since Joe Biden took office. During that time, his administration has announced many positions and policies while continuing to work on others. One policy area previous administrations have too often neglected relates to standards, despite the vital role they play in almost all areas of commerce. This neglect has been particularly unfortunate with respect to international trade, as the United States has historically influenced global standards development and adoption more than any other single nation.

Adopting an enlightened standards policy could greatly advance the national interest in the area of information and communications technology (ICT) standards. And at no time in recent memory has the need to do so been more urgent, as trade tensions with China persist rather than abate. Absent a change in policy direction, there is the potential for standards wars between East and West in areas such as 5G technology.

Maintaining a healthy standards development ecosystem domestically is equally important, as standards setting organizations (SSOs) annually create hundreds of standards that are referenced into law, at great savings in time and tax dollars when compared to the costs of drafting regulations within the government.

There are six areas in which standards policy action – and in some cases inaction – by the Biden administration is most urgently needed. They are as follows:

Reduce Uncertainty for BIS Compliance

American companies are barred from disclosing many areas of technology to companies and others added to the “Entity List” maintained by the Bureau of Industry and Security (BIS). Disclosure of technology is an essential element of developing most ICT standards, and Huawei, among many other Chinese companies and universities, was added to the Entity List under the previous administration.

While BIS has issued guidance on two occasions on what processes SSOs must observe in order to permit US companies to participate when Huawei is also present, this guidance has been vague and insufficient. This ambiguity has led to multiple unfortunate consequences: SSOs have struggled to determine what specific changes they must undertake to permit risk-free participation by all; non-US SSO members are understandably unhappy with the diversion and cost of these efforts; and US companies have sometimes felt unable to participate in specific SSOs crucial to their businesses. Some SSOs have even relocated to Europe in protest of these impositions by a single country.

To rectify this situation, the Biden Administration should:

• Give clear guidance on reasonable and appropriate actions an SSO can take to permit participation by both U.S. companies and Entity List companies whose participation is essential to developing the highest quality, most universally adopted ICT standards.

• Abandon the OMB A-119 “voluntary consensus body” compliance benchmark which unfairly forces consortia to adopt fundamental changes to their processes that needlessly add to costs and delay the development of standards.

• Apply these rules to all Entity List companies, and not just Huawei.

• Restore the ability of SSOs to submit business review letters describing proposed process changes for prior approval by BIS, allowing them to take a minimal, rather than an excessively precautionary approach to compliance.

Reduce the Risk of Standards Wars

With the exception of specific treaty obligations, international adoption of standards is entirely voluntary and market driven. Competing standards can be, and often have been, used as competitive weapons, either to exclude or burden foreign products or to avoid licensing costs associated with “standards essential patents” (SEPs). While both the US and China are signatories of the World Trade Organization Treaty on Technical Barriers to Trade (TTBT), which bars signatory nations from adopting local standards where suitable global standards have become widely adopted, this did not prevent China from launching its own wireless standard (WAPI) in competition with Wi-Fi a decade and a half ago, alleging that the Wi-Fi standard developed by the IEEE provided insufficient security.

The WAPI standard was encumbered by many SEPs owned by Chinese companies (as, indeed, the competing Wi-Fi standard was encumbered by SEPs owned by Western companies). Licenses to those standards were available only to certain Chinese companies. China also developed its own 4G standard (CDMA) in competition with two Western contenders. With the largest population in the world, China was able to use its competing standards to the benefit of its domestic vendors. It has every incentive to do the same now if trade tensions between the US and China do not lessen.

Significantly, Huawei is recognized as owning more 5G patents than any other company in the world. It is also believed to have been a member of c. 400 SSOs, many of which ejected Huawei or suspended its participation after it was placed on the Entity List. The intellectual property rights (IPR) policies of virtually all of these SSOs require participants to either license their SEPs on “reasonable and non-discriminatory” (RAND) terms, or to disclose them so that an attempt can be made to revise the related standards to avoid infringement. But this obligation only attaches to companies participating in the working groups that create the standards.

Excluding Huawei from participation in SSOs, and therefore from licensing obligations under the IPR policies of those SSOs, gives China the opportunity and the incentive to “weaponize” Huawei 5G patents, a great many of which will inevitably be SEPs under the standards developed by these SSOs. Huawei will be free to demand above-market fees for licenses to these SEPs – or even to withhold licenses entirely.

To avoid this potentially dangerous result, the Biden Administration should recognize that:

• There is near-universal support by US companies for participation by Huawei in 5G standards development.

• Independent of security concerns involving 5G technology, the US is better off when SSOs have access to Huawei technology and Huawei SEPs are bound by SSO RAND licensing obligations.

• China may be nearing a tipping point at which it may believe its interests would be best served by launching multiple competing standards.

Don’t Impose “Democratic Values” on Global SSOs

Beginning this past spring, a series of novel amendments were proposed to draft legislation and policy initiatives. These proposals were based on the concept that global SSOs should be required to incorporate requirements relating to openness, transparency, and consensus into their processes. Sometimes these requirements were referred to as “democratic values.” In some amendments proposed but not ultimately included in the draft United States Innovation and Competition Act of 2021 (originally titled the Endless Frontier Act), the BIS would have been required to add SSOs deemed to be lacking in democratic values to a disfavored list, with vague, threatened consequences to those that participate in their activities. While there is always the potential for a given SSO to be manipulated, and openness and transparency in themselves are laudable, respected SSOs already incorporate those values in their processes. But each includes them in a fashion appropriate to its history, industry and membership.

More seriously, virtually all trade relies on the efficient operation of a global infrastructure made up of hundreds of SSOs, participation in which is voluntary, as is compliance with their standards. Each SSO is free to adopt the rules and processes it believes will best serve its goals and members. The system only works because of this flexibility, and because all stakeholders, from the largest companies and nations to the smallest, can participate on an equal basis. If individual nations begin to impose their individual litmus tests for process and governance, there is a very real possibility that this vital system, evolved over almost a century and a half, may collapse.

To reverse this trend, the Biden administration should:

• Recognize the diversity and strength of global SSOs rather than seek unnecessary and harmful rules of uniformity.

• Recognize the existential threat represented by single-nation requirements on the vast network of multinational, voluntary NGOs that is the SSO community.

• Resist calls to impose specific requirements or expectations based on “democratic values” and other specific expectations on SSOs.

• Recognize that US obligations as a signatory to the World Trade Organization TTBT are incompatible with unilaterally re-defining acceptable standards development norms and processes.

Recognize and Promote the Importance of Consortia

Since 1980, more than six hundred SSOs have been formed to develop ICT standards. In many areas of ICT, these organizations produce many more essential standards than the traditional legacy organizations (often referred to as standards development organizations, or SDOs), notably ISO, IEC, the ITU and, in the United States, SDOs accredited by the American National Standards Institute (ANSI). While the governance and processes of these new organizations (most commonly referred to as consortia) are in most respects very similar to those of SDOs, they typically operate on a more streamlined basis than SDOs in order to meet the demands of the fast-moving technology marketplace. US companies have been particularly active in forming consortia, and the standards released by these organizations have enabled the rapid development of myriad products and services in areas such as wireless, AI, “big data,” robotics, and much more.

At the same time, the US government continues to favor the definition mentioned above of “voluntary consensus standards” that originated in the Technology Transfer and Advancement Act of 1995, as further developed in Office of Management and Budget (OMB) Circular A-119. That definition maps to the traditional SDO process rather than the more expedited approach favored by consortia. While there is much to be said for adhering to the voluntary consensus body requirements in the case of health and safety standards that are referenced into law, there is little benefit to burdening the development of ICT standards with all of the same requirements. Indeed, even in the case of government procurement and statutory references, OMB A-119 only expresses an “all other things being equal” preference for voluntary consensus standards over consortium standards, citing more than a dozen examples of factors that may lead to a different standard being chosen.

To avoid needlessly burdening the essential role of consortia in ICT standards development, the Biden administration should:

• Limit the application of the OMB A-119 definition of voluntary consensus standards and standards bodies to their appropriate targets: government procurement and standards referenced into law.

• Not adopt the OMB A-119 as a reference when pursuing other standards policy goals.

• Resist international efforts (e.g., in the US-EU Trade and Technology Council) to embed SDO-derived process requirements into rules and treaties.

Restore the Country’s Reputation in Global Standards Development

In 2001, in reaction to the 9/11 attacks, the US tightened border restrictions. Global SSOs typically have multiple face-to-face meetings, and non-US participants chafed at being fingerprinted, or having their visa requests denied entirely. These impediments have grown more burdensome for Chinese participants, despite the fact that participation by Chinese technologists in developing open standards and open source software is often highly valued by U.S. participants. Adding Huawei and other Chinese companies to the Entity List, and the disruption to hundreds of SSOs that followed, has increased international exasperation and animosity towards unilateral US requirements. There is today a growing backlash against such impositions, leading to a sense that new SSOs should be organized outside the US.

To reverse this trend, the Biden administration should:

• Avoid and reverse unilateral demands on global SSOs and standards development.

• Work to reestablish its reputation as a team player dedicated to breaking down barriers to trade.

• Recommit to its TTBT obligations and avoid messaging and initiatives that are inconsistent with these obligations.

Support Open Source Software Development

Over the past two decades, open source software (OSS) has become essential to virtually every ICT product and service. An astonishing percentage of essential technologies today are fundamentally based on OSS stacks, from operating systems to telecommunications to much more. Indeed, there is very little proprietary software today that does not incorporate some – and often a great deal – of OSS.

This dramatic evolution in software development practices has occurred with almost no recognition or support by the U.S. government; in contrast, the European Union is highly supportive of OSS, partly with the goal of leveling the competitive playing field for European SMEs. The time has come for Congress and the administration to recognize and support the vast importance and value of OSS to critical infrastructure, the economy, and all other aspects of our technology-based world.

In order to avoid impeding the further benefits of OSS, the Biden administration should:

• Recognize the importance of OSS to the national interest.

• Avoid taking actions that may inadvertently impede the further development and uptake of OSS.

• Increase the uptake of OSS by government agencies, many of which continue to utilize archaic systems.

• Amend OMB A-119 to provide the same encouragement to government personnel to participate in OSS projects and foundations as in SSOs.

The Time for Standards Policy Reform is Now

Each of the recommendations above would find wide support in the ICT industry, and there would be little or no associated government cost to implement them. The time to act is now.


Department of Commerce Clears Huawei for Standards Development – Part Way

6/16/2020


The long face-off between the Trump administration and Huawei involving standards development has finally been resolved. Well, yes and no, on which more below.

Initially the issue was whether standards setting organizations (“SSOs”) would be able to permit the Chinese 5G technology company and scores of its affiliates (collectively, “Huawei”) to participate in their working groups. But over time, the political landscape shifted – many of the SSOs where the action was taking place took the position that their processes were sufficiently open to make the issue moot. But some of the most active American technology companies came to a different conclusion, thereby making it impossible for them to participate without risking liability to their own government (more details can be found here).

The saga began in May of 2019, when Huawei was added to the Bureau of Industry and Security (“BIS”) Entity List, making it illegal for U.S. companies to share many kinds of technology with Huawei without a special BIS license. Initially, a Temporary General License (“TGL”) was provided that included a clause that allowed Huawei to continue to participate in (only) 5G standards development, but in August 2020, that clause was removed. At the same time, BIS released a General Advisory Opinion, noting its determination that existing regulations sufficiently addressed how the Entity List-based license requirements applied to standards development bodies, including 5G.  That left SSOs in the difficult position of determining whether their standards development rules were sufficiently open to meet the requirements of one of two safe harbors (participating in meetings and contributing to journals), neither of which was a very good fit.  

In response, global SSOs fell into three camps: those that concluded their processes didn’t meet the safe harbors and were unwilling to change. They either terminated Huawei’s membership or allowed it to remain a member but not participate in working groups. Others changed their rules to allow Huawei to continue to participate in development, or even moved their headquarters and/or reincorporated abroad (not because it made the issue go away, but in part out of frustration with the present and uncertainty about the future). The last group concluded that their processes would pass muster without change. In some cases, U.S. member companies agreed. But in others, particularly in the case of those that were more European-centric, the SSOs decided that they made the cut by taking a more liberal view of what was needed to comply.

The result was that, far from limiting Huawei’s impact, the Department of Commerce’s position ended up diminishing the ability of American companies to influence crucial 5G technology outcomes.

Months of lobbying by U.S. companies succeeded in getting the Department to try to come up with a solution, but the efforts repeatedly hit snags, notwithstanding a request by five Republican senators in mid-April to accelerate the process.

Yesterday, the logjam broke, when the Department issued a press release stating that a new regulation would be issued that would permit U.S. companies to participate in SSOs with Huawei. In it, Secretary Wilbur Ross is quoted as follows:

The United States will not cede leadership in global innovation. This action recognizes the importance of harnessing American ingenuity to advance and protect our economic and national security. The Department is committed to protecting U.S. national security and foreign policy interests by encouraging U.S. industry to fully engage and advocate for U.S. technologies to become international standards.

As a measure of the urgency with which the regulation was (finally) issued, the new permission is being released as an “interim final rule,” meaning that it is subject to a comment period and possible adjustments down the road based on those comments. Normally, the process is reversed – comments on a draft regulation are solicited and responsive changes are often made before a legally binding rule is released.

That all sounds good, but there are two “buts.” The first is that not all types of technology can be disclosed. On that topic, the regulation stipulates as follows:

Specifically, technology subject to the EAR that is designated as EAR99 or controlled on the Commerce Control List only for anti-terrorism (AT) reasons may be released to members of a standards organization without a license, including Huawei, if released for the purpose of contributing to the revision or development of a standard. 

The parsing of that limitation is beyond the scope of this blog entry, but suffice it to say that a necessary step in determining whether the new regulation will be useful to a given SSO will rely in part on performing that analysis.

The second condition of concern is that an SSO must qualify as a “voluntary consensus standards body,” and be engaged in developing a “standard,” each as defined in Office of Management and Budget Circular A-119 (Rev. 2016).

The full text of the draft regulation can be found here.

The good news is that the OMB Circular A-119 rules are reasonably well understood in the industry. However, in order to meet the VCSB definition, an SSO must embed a variety of processes in its rule book, including a requirement for a balance of relevant types of industry participants in working groups, a formal appeals process, and more. While wholesome in concept, these rules can slow down the process of standards development and are therefore lacking in many SSOs, particularly those in the fast-moving technology sector.

Why impose OMB Circular A-119 requirements? Compliance with this more due process-oriented approach has generally been favored for government procurement, in the case of health and safety standards, and where a standard may be referenced into law. But non-VCSB standards are regularly consumed for all of these purposes despite this preference. There seems to be no compelling reason why these requirements would serve a useful purpose in this instance.

True, transparency is part of the OMB Circular A-119 requirements, and the existing exceptions for disclosing technology to Entity List companies are all based on establishing that the disclosed information can be regarded as “public.” But OMB Circular A-119 has lots of other requirements that relate only to due process, and are therefore not relevant to national security concerns. Presumably OMB Circular A-119 was simply a convenient and familiar benchmark that could be recycled to meet this new and quite different need. (See the full list of requirements at the end of this blog post).

That said, a number of industry consortium SSOs will likely decide to retool their processes in order to meet the new requirements. The bad news is that the same 5G SSOs that took a liberal view of compliance with the old rules may be similarly unwilling to make any changes to meet the new ones. Happily, some of them may already fit within the box. Others likely will not make any amendments. Where that’s the case, U.S. companies may still be left out in the cold.

Underlying these SSO decisions is the fact that many non-U.S. companies have no reason to wish to accommodate the Trump administration. Others are 5G vendors themselves, and therefore may be happier if U.S. companies were kept outside the fold. All the SSOs involved have anywhere from scores to hundreds of members, and US companies are often not in the majority.

A final interesting point about the new regulation is that it does not explicitly “preempt” the exceptions that some SSOs were relying on already to permit Huawei to participate. Given that the new regulation includes so many restrictions in addition to openness, and the fact that it only applies to Huawei, some SSOs may elect to ignore the new safe harbor and address the situation solely by increasing the level of openness and transparency of their operations in reliance on the preexisting exceptions, rough fit though they may be.

So, where does that leave us today? Better off than before, but not as well off as we would have been if the Department of Commerce had simply exempted “any SSO generally recognized in the marketplace.” In other words, everywhere the action actually takes place. My firm will likely file comments with the Department urging that the OMB Circular A-119 requirements be pared back to reference only those that actually relate to transparency.

It will be interesting to see how things shake out from here: which SSOs will make changes and which won’t, and which companies will satisfy themselves that a given SSO makes the grade – or doesn’t. Where the last possibility occurs, many U.S. companies will be right back where they started.

*  *  *

OMB Circular A-119


The two key elements of the Circular for current purposes are the definitions of “voluntary consensus standards body” and “standard,” which read as follows:

     “Voluntary consensus standards body” is a type of association, organization, or technical society that plans, develops, establishes, or coordinates voluntary consensus standards using a voluntary consensus standards development process that includes the following attributes or elements:

    (i)  Openness: The procedures or processes used are open to interested parties. Such parties are provided meaningful opportunities to participate in standards development on a non-discriminatory basis. The procedures or processes for participating in standards development and for developing the standard are transparent.

    (ii)  Balance: The standards development process should be balanced. Specifically, there should be meaningful involvement from a broad range of parties, with no single interest dominating the decision-making.

    (iii)   Due process: Due process shall include documented and publically available policies and procedures, adequate notice of meetings and standards development, sufficient time to review drafts and prepare views and objections, access to views and objections of other participants, and a fair and impartial process for resolving conflicting views.

    (iv)  Appeals process: An appeals process shall be available for the impartial handling of procedural appeals.

    (v)  Consensus: Consensus is defined as general agreement, but not necessarily unanimity. During the development of consensus, comments and objections are considered using fair, impartial, open, and transparent processes.

See Section 5h of this Circular for a discussion of “international standards.”

*  *  *

a.  The term “standard,” or “technical standard,” (hereinafter “standard”) as cited in the NTTAA, includes all of the following:

(i) common and repeated use of rules, conditions, guidelines or characteristics for products or related processes and production methods, and related management systems practices;

(ii) the definition of terms; classification of components; delineation of procedures; specification of dimensions, materials, performance, designs, or operations; measurement of quality and quantity in describing materials, processes, products, systems, services, or practices; test methods and sampling procedures; formats for information and communication exchange; or descriptions of fit and measurements of size or strength; and

(iii) terminology, symbols, packaging, marking or labeling requirements as they apply to a product, process, or production method.

b.  The term “standard” does not include the following:

(i) professional standards of personal conduct; or

(ii) institutional codes of ethics.
