
The Bureau of Industry and Security (BIS) has expanded its Validated End User (VEU) Program to include controls for data centers in an effort to create a trusted ecosystem for artificial intelligence (AI) development. The VEU Program will now review applicants' data centers to ensure that appropriate safeguards and security measures are applied. This update to the Export Administration Regulations (EAR) is being made to mitigate risks to U.S. and global security.
Artificial Intelligence as Dual-Use Technology
Artificial intelligence and machine learning have the potential to provide advanced military and intelligence capabilities. These include aiding the development of biological, chemical, and nuclear weapons. They also have applications for increased capabilities in planning and logistics. Additionally, AI can enhance the capabilities of electronic warfare, mass surveillance, and signals intelligence. For these reasons, it is essential that access to this technology be controlled to further security interests.
Data Center VEU Authorization
This amendment to the EAR adds special requirements to the Data Center VEU Authorization in addition to those in place under the General VEU Authorization. While all VEU authorizations allow exports and reexports to VEUs, separate authorizations are required for exports to third parties. With Data Center VEUs, however, in-country transfers are not permitted unless the transfer is to a VEU at the same location.
Authorization for data centers will be permitted after review by the End-User Review Committee (ERC). The ERC is an interagency committee composed of officials from the Departments of Commerce, Energy, Defense, and State. Each applicant must apply required safeguards for the protection of U.S. technology. Applicants may also be required to undergo on-site compliance reviews to inspect levels of physical and logical security as well as specific reporting requirements.
Eligibility and Application Requirements
Requests for authorization should include a list of current and potential customers, an overview of business activities and relationships, descriptions of physical and logical security requirements for each location, descriptions of policies, and an overview of the data center facility’s information security plan. The information security plan should include:
- Relevant NIST standards for the cybersecurity plan
- Monitoring and Logging Plan
- Technology control plan detailing required computation for various end uses
- Baseline cloud configurations with identity and access management processes
- Personnel security plan
- Incident identification, investigation, and reporting plan
The ERC evaluations will consider whether the VEU host country has provided assurance that the technology will be used safely and securely. A review will be conducted to evaluate the party's history of compliance with U.S. export controls and its ability to comply with VEU requirements. The national government of parties interested in engaging in the VEU data center program should contact the U.S. Departments of Commerce and State to provide assurances that required security will be met.
VEU Reporting Requirements
Exporters and reexporters are required to obtain certifications from validated end-users regarding their compliance with VEU requirements. These certifications and all related records must be maintained per the recordkeeping requirements detailed in 15 CFR Part 762 of the EAR. Reexporters using the Data Center VEU must file semiannual reports with BIS. Additionally, Data Center VEU users must allow review of relevant records, including information from on-site reviews.
New Cybersecurity Requirements for Export Compliance
For several years now, the federal government has placed cybersecurity requirements, such as NIST SP 800-161 and CMMC, on organizations under contractual agreement. During this time, export compliance regimes have intimated cybersecurity requirements but have not defined them in as much detail. Noting that both the Departments of Commerce and State are involved in this Validated End User amendment, it can be expected that cybersecurity is entering the export regulatory realm.
CVG Strategy Information Security Management System Consultants
Changes to the Validated End User (VEU) program add to a growing list of government cyber requirements. To help businesses meet the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
CVG Strategy Export Compliance Management Programs
Export compliance requirements are growing in complexity for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution, including imprisonment and fines. It can also result in civil penalties and debarment from export activities.
Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization. They ensure that registration, item classifications, license applications, denied party screening, and security measures are carried out in a way that prevents violations. They also ensure that training, auditing, and record keeping are maintained according to requirements.
CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program. We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.