New BIS License Type C64 – (ACE) Authorized Cybersecurity Exports

Registered United States Census Bureau Logo

January 7, 2022

New BIS License Type C64 - (ACE) Authorized Cybersecurity Exports

On Thursday, October 21, 2021, the Department of Commerce, Bureau of Industry and Security (BIS) published an interim final rule (https://www.govinfo.gov/content/pkg/FR-2021-10-21/pdf/2021-22774.pdf) that becomes effective January 19, 2022.  This interim final rule establishes a new control on cyber security items and a new License Exception “Authorized Cybersecurity Exports” (ACE) that authorizes exports of these items to most destinations except in the circumstances described in the rule.  As a result of this rule, the following changes will be made to the Automated Export System (AES) in order for exporters and authorized agents to successfully report electronic export information in the AES.

The Addition of Two Export Control Classification Numbers (ECCN)

ECCNs 4A005 and 4D004 will be added to the AES ECCN reference table.

Note: By using any of the License Exceptions or “No License Required” (NLR), you are certifying that the terms, provisions, and conditions described in the Export Administration Regulations (EAR) have been met.

A New License Code has been added to the AES

An update has been made to AES to create a new License Code C64 Authorized Cybersecurity Exports (ACE) that authorizes exports, reexports and transfers (in-country) of cybersecurity items and certain IP network surveillance products, which are not also controlled in Category 5—Part 2 of the Commerce Control List (CCL) or for Surreptitious Listening (SL) reasons.  License Exception ACE allows the export, reexport and transfer (in- country) of ‘cybersecurity items’ to most destinations, except to destinations listed in Country Groups E:1 and E:2 of supplement no. 1 to part 740 of the EAR. (https://www.bis.doc.gov/index.php/documents/regulations-docs/2255-supplement-no-1-to-part-740-country-groups-1).

AES filers must adhere to the following new reporting when using C64 (ACE) to prevent the return of fatal errors from AES.

  • Report License Code: C64 Authorized Cybersecurity Exports (ACE)
  • Allowable ECCN’s: The following ECCNs are eligible 4A005, 4D001, 4D004, 4E001, 5A001, 5B001, 5D001, and 5E001 to the extent permitted under part 740 of the EAR and the respective ECCN entry.
  • Allowable Export Information Codes: All except UG
  • Allowable Modes of Transportation: All except ‘70’ (Fixed Transport)

Please refer to §740.22 Authorized Cybersecurity Exports (ACE) in the EAR for additional requirements for this license exception. There are two types of end-user restrictions for license exception ACE which include a ‘government end user,’ as defined in § 740.22, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740, or a non-government end user located in a country listed in Country Group D:1 or D:5. 

A complete list of all of the AES License Codes and reporting instructions for these types can be found at https://www.cbp.gov/document/guidance/aestir-appendix-f-license-and-license-exemption-type-codes

For questions regarding these upcoming AES changes, please contact the Bureau of Industry and Security at one of the phone numbers below.

Outreach and Educational Services Division (located in Washington, DC) (202) 482-4811

Office of Technology Evaluation (located in Washington, DC): (202) 482-4933

Western Regional Office (located in Irvine, CA) (949) 660–0144

Northern California branch (located in San Jose, CA) (408) 998-8806

We're Here to Help

We're here to help you get the most out of Census Bureau data. If you have a question, give us a call at 1-800-549-0595.