Highlights:

• The Bureau of Industry and Security on Sept. 8, 2022 released an interim final rule expanding an authorization for the release of some controlled software and technology to all entities on the agency’s Entity List if the release is for the purposes of standards-setting activities. Previously, the authorization had applied only for some Entity List entities, namely Huawei and its affiliates. The interim rule takes effect Sept. 9, 2022.

• The long-anticipated interim final rule also amends definitions related to the authorization, including by setting a new definition for what is a standards-setting activity. It allows release of software and technology for cryptographic standards. The previously issued authorization had also only mentioned technology, and not software.

• Industry had called for the expansion of the authorization in recent years, saying that restricting the authorization to Huawei was causing uncertainty and chilling participation in standards bodies. The national security threat from ceding U.S. participation “outweighs the risks related to the limited release of certain low-level technology and software to parties on the Entity List in the context of a ‘standards-related activity,’” BIS said in the new interim final rule.

Under an interim rule issued by BIS early this afternoon, the US government is loosening restrictions on the sharing of specific technology with blacklisted firms, seeking to maintain the United States’ lead in setting international standards as China closes the gap.  Specifically, under that rule, no license will be required to export certain items subject to the EAR to various entities listed on BIS’s Entity List (including Huawei, for example) for standard-setting purposes, including encryption software and technology for standard-setting purposes. 

We have had discussions with BIS officials who said that (1) this change was indeed needed to allow US companies to participate in standard-setting discussions with Huawei (and other listed companies) on information-security standards and (2) more details will be forthcoming in FAQs following the publication of the rule in the Federal Register on Sept. 9, 2022. In 2019, the Trump Administration added Huawei and a number of its non-American affiliates to a blacklist that curtails that company’s access to critical US suppliers. The policy, however, has led US companies to limit their participation in standards-related activities at a time when Chinese companies are ramping-up efforts to increase their clout. Especially throughout congressional consideration of the CHIPS Act, supporters of that legislation cited concern that China’s government and its largest companies have been taking a larger role in technical groups that determine how technology is designed and applied globally, theoretically conferring on corporations that the US has considered national security threats a competitive edge in the international marketplace. 

To elaborate on exactly what changed, under the old rule, no license was required for technology subject to the EAR that is designated as EAR99, or controlled on the Commerce Control List for anti-terrorism reasons only, when released to members of a “standards organization” (see § 772.1) for the purpose of contributing to the revision or development of a “standard” (see § 772.1).

However, under this new rule, no license will be required for “technology” or “software” designated EAR99 or controlled on the CCL for anti-terrorism reasons only, when such a release is for a “standards-related activity.” In addition, a license will not be required for the release of the following ECCN “items” level paragraphs of “technology” or “software” specifically for the “development,” “production,” or “use” of cryptographic functionality when such a release is for a “standards-related activity:” “software” that is classified under ECCN 5D002.b or 5D002.c.1 (for equipment specified in ECCN 5A002.a and 5A002.c only); “technology” that is classified under ECCN 5E002 (for equipment specified in ECCN 5A002.a, .b and .c); and “technology” for software controlled under ECCN 5D002.b or .c.1 (for equipment specified in ECCN 5A002.a and .c only).