Page 278 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

reason, during the Cold War, the government developed a complex set of regulations governing the export of sensitive hardware and software products to other nations. The regulations include the management of transborder data flow of new technologies, intellectual property, and personally identifying information.

Until recently, it was difficult to export high-powered computers outside the United States, except to a select handful of allied nations. The controls on exporting encryption software were even more severe, rendering it virtually impossible to export any encryption technology outside the country. Recent changes in federal policy have relaxed these restrictions and provided for more open commerce.

Two sets of federal regulations governing imports and exports are of particular interest to cybersecurity professionals.

     The International Traffic in Arms Regulations (ITAR) controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under ITAR appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121.

     The Export Administration Regulations (EAR) cover a broader set of items that are designed for commercial use but may have military applications. Items covered by EAR appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, EAR includes an entire category covering information security products.


Computer Export Controls

Currently, U.S. firms can export high-performance computing systems to virtually any country without receiving prior approval from the government. There are exceptions to this rule for countries designated by the Department of Commerce’s Bureau of Industry and Security as countries of concern based on the fact that they pose a threat of nuclear proliferation, they are classified as state sponsors of terrorism, or other concerns. These countries include Cuba, Iran, North Korea, Sudan, and Syria.