On October 20, 2021, the US Department of Commerce Bureau of Industry & Security (“BIS”) published a long-awaited interim final rule announcing new restrictions on the export, reexport or in-country transfer of certain cybersecurity items used for malicious cyber activities.

In particular, the rule establishes:

  • new controls and licensing requirements on a range of “cybersecurity items” that can be used for malicious cyber activities (including software, hardware and technology specially designed to generate, command and control or deliver “intrusion software” as well as certain IP network communications surveillance tools);
  • a new License Exception Authorized Cybersecurity Exports (“ACE”) to allow for certain exports, reexports, or in-country transfers of these cybersecurity items to most destinations, while imposing restrictions for exports to government and non-governmental end-users in several countries under various circumstances;
  • certain permissive carve-outs from those restrictions for “software specially designed and limited to providing basic updates and upgrades” and “vulnerability disclosure” or transactions involving “cyber incident response”; and
  • a new catch-all restriction for exports, reexports and transfers where there is knowledge or reason to know that the cybersecurity item will be used for certain malicious activities without authorization of the owner, operator or administrator of the information system.
