Cyber Risk Advisory
An Update to the AI Diffusion Rule


In March 2025, Coalfire published a blog related to the proposed AI Diffusion Memo. The AI Diffusion Framework was originally set to go into effect on May 15, 2025. However, two days before that deadline, the Department of Commerce (DoC) rescinded the AI Diffusion Rule. In its place, the DoC provided updated guidance aimed at strengthening export controls of AI models and computing integrated circuits (ICs), specifically those classified under ECCNs 3A090.a, 4A090.a, and .z items.
The DoC released three additional key guidance documents summarized below:
- Guidance on Exports of Advanced Computing ICs to the People’s Republic of China (PRC)
  - Certain advanced computing ICs, specifically Huawei Ascend chips (e.g., 910B, 910C, 910D), are believed to have been developed using certain US software or technology. They are likely in violation of US export control laws.
  - Utilizing these chips without explicit authorization from the Bureau of Industry and Security (BIS) may be subject to enforcement action, including criminal and administrative penalties.
  - Exporters must confirm with suppliers that appropriate export licenses exist to export, reexport, and/or transfer advanced computing ICs.
- Controls on Advanced Computing ICs to Train AI Models
  - Advanced computing ICs classified under ECCNs 3A090.a, 4A090.a, and .z are considered capable of enabling military intelligence and weapons of mass destruction by countries in Country Group D:5 and Macau.
  - Any knowledge of the export, reexport, or transfer of ICs or AI chips that may be used to train AI models in Country Group D:5 and Macau requires a license from BIS.
  - Companies must conduct due diligence on all customers and suppliers, including IaaS providers and data centers, to ensure that appropriate licenses are in place. Refer to the Know Your Customer Guidance and the additional guidance below.
- Industry Guidance to Prevent Diversion of Advanced Computing ICs
  - Transactional and behavioral red flags indicating potential diversion include, but are not limited to:
    - The customer did not receive advanced ICs before October 2022.
    - The customer requests a sudden increase in exports after October 2022.
    - The customer is newly incorporated in Country Group D:5, or the headquarters is unknown.
    - The customer has little to no online presence.
    - The customer’s data center does not have appropriate cyber, physical, and supply chain security measures in place.
  - Recommended due diligence measures include, but are not limited to:
    - Verify customer incorporation details (e.g., headquarters, delivery address, incorporation dates, ownership, website, supply chain role).
    - Confirm that the intended use of the item (either by the customer or end user) aligns with the nature of the ordered products.
    - Obtain end-user certifications to affirm products will not be exported, reexported, or transferred to Country Group D:5 or Macau.
    - Request attestations from the customer’s data center(s) on appropriate infrastructure and security measures. As a best practice, suppliers should conduct on-site visits or utilize a qualified third party to confirm attestations.
Coalfire’s Role in Continued Support of Compliance
As an accredited Third-Party Assessor Organization (3PAO), Coalfire is qualified to assess and evaluate data centers and IaaS providers on cybersecurity best practices. Coalfire delivers a full suite of professional services, managed services, and technology platforms to help our clients and federal agencies solve their toughest cyber challenges. With more than 20 years of proven cybersecurity leadership, Coalfire combines extensive cloud expertise, industry knowledge, and innovative approaches to fuel success.
As AI technologies continue to evolve, we expect additional guidance to come from the current administration and BIS. Coalfire remains committed to supporting our clients throughout this journey.