15 CFR § 740.22 - Authorized Cybersecurity Exports (ACE).

§ 740.22 Authorized Cybersecurity Exports (ACE).

(a) Scope. License Exception ACE authorizes export, reexport, and transfer (in-country), including deemed exports and reexports, of 'cybersecurity items,' as set forth in paragraph (b) of this section, subject to the restrictions set forth in paragraph (c) of this section. Deemed exports and reexports are authorized under this license exception, except for deemed exports or reexports to E:1 and E:2 nationals as described in paragraph (c)(1) of this section, to certain 'government end users' as described in paragraph (c)(2) of this section, and subject to the end use restrictions described in paragraph (c)(4) of this section. Even if License Exception ACE is not available for a particular transaction, other license exceptions may be available. For example, License Exception GOV (§ 740.11) authorizes certain exports to U.S. Government agencies and personnel. License Exception TMP (§ 740.9(a)(1)) authorizes the export, reexport, and transfer (in-country) of tools of the trade in certain situations.

(b) Definitions. The following terms and definitions are for the purpose of License Exception ACE only.

(1) 'Cybersecurity Items' are ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)).

(2) 'Digital artifacts' are items (e.g., “software” or “technology”) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system.

(3) 'Favorable treatment cybersecurity end user' is any of the following:

(i) A “U.S. subsidiary”;

(ii) Providers of banking and other financial services;

(iii) Insurance companies; or

(iv) Civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research.

(4) 'Government end user,' for the purpose of this section, is a national, regional, or local department, agency, or entity that provides any governmental function or service, including entities or individuals who are acting on behalf of such an entity. This term does not include any 'favorable treatment cybersecurity end user' listed in paragraph (b)(3) of this section. This term includes, but is not limited to:

(i) International governmental organizations;

(ii) Government operated research institutions;

(iii) “More-sensitive government end users”;

(iv) “Less-sensitive government end users”;

(v) Utilities (including telecommunications service providers and internet service providers) that are wholly operated or owned by a government or governmental authority or 'partially operated or owned by a government or governmental authority';

(vi) Transportation hubs and services (e.g., airlines and airports; ships and ports; railways and rail stations; buses, trucking and highways) that are wholly operated or owned by a government or governmental authority or 'partially operated or owned by a government or governmental authority'; and

(vii) Retail or wholesale firms that are wholly operated or owned by a government or governmental authority or 'partially operated or owned by a government or by a governmental authority', engaged in the manufacture, distribution, or provision of items or services specified in the Wassenaar Arrangement Munitions List.

(5) For the purposes of this section, 'partially operated or owned by a government or governmental authority' means that a foreign government or governmental authority beneficially owns or controls (whether directly or indirectly) 25 percent or more of the voting securities of the foreign entity, or a foreign government or governmental authority has the authority to appoint a majority of the members of the board of directors of the foreign entity.

(c) Restrictions. License Exception ACE does not authorize deemed exports and reexports, exports, reexports, or transfers (in-country) of 'cybersecurity items' as follows:

(1) To a destination that is listed in Country Group E:1 or E:2 in supplement no. 1 to this part.

(2) To a 'government end user', as defined in this section, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to this part, except:

(i) 'Digital artifacts' (that are related to a cybersecurity incident involving information systems owned or operated by a 'favorable treatment cybersecurity end user') to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or

(ii) To national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 of 'cybersecurity items' for purposes of responding to cybersecurity incidents, for purposes of “vulnerability disclosure”, or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.

(3) The restrictions in paragraphs (c)(1) and (2) of this section also apply to activities, including exports, reexports, and transfers (in-country), related to “vulnerability disclosure” and “cyber incident response”.

Note 1 to paragraph (c)(3):

For paragraphs (c)(1) and (2) of this section, see Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excluding “vulnerability disclosure” and “cyber incident response” from control under 4E001.a or .c.

(4) To a non-'government end user' located in any country listed in Country Group D:1 or D:5 of supplement no. 1 to this part, except:

(i) Cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c, to any 'favorable treatment cybersecurity end user'.

(ii) “Vulnerability disclosure” or “cyber incident response”.

(iii) Deemed exports.

(5) If the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that the 'cybersecurity item' will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems).

[87 FR 31951, May 26, 2022]