In conjunction with adding my boutique law firm to my profile on LinkedIn, I am going to start a semi-regular blog regarding common International Trade Compliance (ITC) items that have come across my desk and are suitable, and possibly even interesting, topics for a high-level explanation to the casual reader.
§120.54(a)(5) and what it means to not have an export for cloud storage is an easy and great place to start.
While these ITAR rules are in the guise of ITC, a lot of the actual application overlaps with the looming CMMC (Cybersecurity Maturity Model Certification) requirements for government contractors. It is a similar practice, but a completely separate set of rules. While those requirements will likely get pushed out to 2024, good practices and common sense today are still essential.
To keep this bite-sized, I will share some useful nuggets:
I) The Arms Export Control Act (AECA) is what creates these ITAR rules. If you read the entirety of §120.54, you will see that the whole section is short and the most in-depth portion is (a)(5), with regard to ‘sending, taking, or storing technical data’. Follow these rules, and your electronic transmission of tech data will not constitute an export.
II) You may still want to do more, however, to protect your or your customer’s information. (a)(5) IS A BARE MINIMUM REQUIREMENT. AECA compliance is not really the right yardstick; best practices aligned with the future requirements for CMMC level 2 certification are likely a good place to start for most organizations.
III) Cybersecurity professionals can help you align to the appropriate level of certification, be it formal certification in anticipation of future business needs that intersect with these USG requirements, or just mirroring the requirements in practice without the need (read: expense) for the certification process. Those generally aren’t the lawyers in the room, but we can help you find those aforementioned cybersecurity professionals when the topic goes beyond ITC.
IV) A layman’s reading of the whole section should be relatively straightforward. (5)(iii) has some IT jargon. If it doesn’t make sense, that is why you have IT resources. Use them and they will likely tell you this is not a high bar to clear for your existing IT infrastructure.
V) Common sense should rule the day when it comes to §120.54 compliance because that is all you need.
– Send ITAR-controlled tech data only to US persons or to licensed entities for that SPECIFIC tech data.
– Do not use servers housed in §126.1 proscribed places like Russia, Cuba, and N. Korea. I hope that goes without saying…but I said it anyway!
– As a US-person, you can send an e-mail with technical data in it to yourself for when you land at your destination country. That is not an export.
This topic can become a deep rabbit hole for best practices and CMMC certification, but the AECA’s rules in §120.54 are not that. If you have further questions or have other trade compliance needs, do not hesitate to reach out to me directly.
Gadsden Law PLLC is here to help.
-PMH