[Federal Register Volume 63, Number 251 (Thursday, December 31, 1998)]
[Rules and Regulations]
[Pages 72156-72167]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-34669]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 740, 742, 743, 772 and 774

[Docket No. 9809-11233-8318-02]
RIN 0694-AB80


Encryption Items

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Interim rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: This interim rule amends the Export Administration Regulations 
(EAR) for exports and reexports of encryption commodities and software 
to U.S. subsidiaries, insurance companies, health and medical end-
users, on-line merchants and foreign commercial firms. This rule 
implements the Administration's initiative to update it's encryption 
policy, and will streamline U.S. encryption export and reexport 
controls.

DATES: This rule is effective: December 31, 1998. Comments must be 
received on or before March 1, 1999.

ADDRESSES: Written comments on this rule should be sent to Nancy Crowe, 
Regulatory Policy Division, Bureau of Export Administration, Department 
of Commerce, P.O. Box 273, Washington, DC 20044. Express mail address: 
Nancy Crowe, Regulatory Policy Division, Bureau of Export 
Administration, Department of Commerce, 14th Street and Pennsylanvia 
Ave, N.W., Room 2705, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James Lewis, Office of Strategic Trade 
and Foreign Policy Controls, Bureau of Export Administration, 
Telephone: (202) 482-0092.

SUPPLEMENTARY INFORMATION: On September 16, 1998, the Administration 
announced a series of steps to update its encryption policy in a way 
that meets the full range of national interests. These steps will 
promote electronic commerce, support law enforcement and national 
security, and protect privacy. They also further streamline exports and 
reexports of key recovery products, and other recoverable encryption 
products, which allow for the recovery of plaintext, and permit exports 
and reexports of encryption of any key length (with or without key 
recovery) to several industry sectors. This interim rule amends the EAR 
for exports and reexports of encryption commodities and software to 
U.S. subsidiaries, insurance companies, health and medical end-users, 
on-line merchants and foreign commercial firms. Specifically, this rule 
amends the EAR in the following ways:
    1. In Sec. 740.8, Key Management Infrastructure, removes the key 
recovery agent requirements for License Exception KMI eligibility for 
exports and reexports of recovery encryption commodities and software. 
Further, key recovery commitment plans and the six month progress 
reviews are eliminated and exporters are no longer required to name or 
submit to BXA additional information on a key recovery agent prior to 
export. The products may be exported or reexported under License 
Exception KMI after a technical review. Note also that 56-bit products 
supported by a KMI plan that have been classified after a technical 
review and are eligible under License Exception KMI are now eligible 
for export and reexport under License Exception ENC (see 
Sec. 740.17(a)(3) of the EAR).
    2. Also in Sec. 740.8, removes and adds to newly created License 
Exception ENC the paragraphs concerning financial-specific encryption 
commodities and software and general purpose encryption commodities and 
software for banks and financial institutions. This transfer will 
simplify the use of License Exceptions for encryption commodities and 
software and creates no change in policy.
    3. In part 740, creates new License Exception ENC by adding 
Sec. 740.17, Encryption commodities and software. This new License 
Exception is divided into two significant parts: a global

[[Page 72157]]

category including the use of License Exception ENC for exports and 
reexports of encryption commodities and software to all destinations, 
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria; and a 
country specific category permitting the use of License Exception ENC 
for exports and reexports of encryption commodities and software to 
countries listed in Supplement No. 3 to part 740. This new License 
Exception allows the following exports and reexports of encryption 
commodities and software that are classified under ECCNs 5A002 and 
5D002, after a technical review that considers the cryptographic 
functionality of the product:
    a. Exports and reexports of encryption commodities, software and 
technology, including source code of any key length are also eligible 
under this license exception to U.S. subsidiaries for internal company 
proprietary use to all destinations except Cuba, Iran, Iraq, Libya, 
North Korea, Sudan and Syria. Encryption chips, integrated circuits, 
toolkits, executable or linkable modules, which can modify or enhance 
the cryptographic functionality (e.g., the confidentiality algorithm, 
key space and key exchange mechanism) or incorporate the cryptographic 
function in another item are eligible for license exception ENC only 
for export to U.S. subsidiaries. Note that exports to ``strategic 
partners'' of U.S. companies, such as subcontractors and joint 
ventures, will be considered favorably under a license when the end-use 
is for the protection of U.S. company proprietary information. For the 
purposes of this regulation, consideration as a ``strategic partner,'' 
as defined in part 772, should not be deemed to alter or affect any 
legal relationship that might otherwise exist between the relevant 
parties.
    b. Encryption commodities, including mass market and non-mass 
market, and non-mass market software incorporating symmetric algorithms 
with key lengths up to and including 56-bits, such as DES or equivalent 
(such as RC2, RC4, RC5 and CAST) to all destinations except Cuba, Iran, 
Iraq, Libya, North Korea, Sudan and Syria. Encryption chips, integrated 
circuits, toolkits and executable or linkable modules are not 
authorized for export under License Exception ENC and will require a 
license or an Encryption Licensing Arrangement. Note that subsequent 
bundling, updates or releases may be exported and reexported under 
applicable provisions of the EAR without a separate technical review as 
long as the functional encryption capacity of the originally reviewed 
encryption commodities, including mass market and non-mass market, and 
non-mass market software has not been modified or enhanced.
    c. Authorizes insurance companies to receive general purpose 
encryption commodities and software of any key length that have been 
classified after a technical review. This change corresponds with the 
addition of insurance companies to the definition of financial 
institutions in part 772. With this change, exports and reexports of 
general purpose encryption commodities and software are eligible under 
License Exception ENC to financial institutions (including insurance 
companies) in all destinations listed in Supplement No. 3 to part 740, 
and to branches of these entities located worldwide except countries 
that support international terrorism (Cuba, Iran, Iraq, Libya, North 
Korea, Sudan and Syria).
    d. Encryption commodities and software of any key length to health 
and medical end-users in all destinations listed in Supplement No. 3 to 
part 740. Exports and reexports of such commodities and software are 
not eligible under License Exception ENC to non-U.S. biochemical and 
pharmaceutical manufacturers and non-U.S. military health and medical 
entities. Licenses for such entities will be considered on a case-by-
case basis.
    e. Encryption commodities and software of any key length for on-
line merchants in all destinations listed in Supplement No. 3 to part 
740. Such commodities and software must be limited to client-server 
applications (e.g., Secure Socket Layer (SSL) based applications) or 
applications specially designed for on-line transactions. End-use is 
limited to the purchase or sale of goods and software; and services 
connected with the purchase or sale of goods and software, including 
interactions between purchasers and sellers necessary for ordering, 
payment and delivery of goods and software. No other end-uses or 
customer to customer communications or transactions are allowed. 
Foreign on-line merchants or their separate business units who are 
engaged in the manufacturing and distribution of items or services 
controlled on the U.S. Munitions List are excluded. Foreign government 
end-users also are excluded from this License Exception.
    Examples of permitted end-uses under License Exception ENC for on-
line merchants include buying and selling goods and software through an 
electronic medium, which may involve the ordering of, and payment for 
goods and software; placing and receiving orders; pricing, 
configuration, validation and ordering of products; obtaining copies of 
invoices; reviewing shipping schedules; notification of shipments or 
changes; and placing reservations and purchasing airline tickets. It 
allows for contract manufacturers to directly access demand and 
inventory information; direct purchasing with trading partners; 
approval functions for requisitions which require approval; and on-line 
catalogue purchases, and the electronic exchange of purchase or sales 
information by multiple trading partners. It does not include such end-
uses as general purpose messaging, collaborative research projects 
(e.g., collaborative engineering), data warehousing, remote computing 
services or electronic communications services.
    4. In Supplement No. 3 to part 740, adds Czech Republic and United 
States to the list of countries to clarify that branches of Czech 
Republic and U.S. banks and financial institutions, located worldwide 
except in countries that support international terrorism (Cuba, Iran, 
Iraq, Libya, North Korea, Sudan and Syria) may receive general purpose 
encryption commodities and software limited to secure business 
financial communications or transactions and financial communications 
or transactions between the bank and/or financial institution and its 
customers. Supplement No. 3 is also amended to reflect the licensing 
policy for exports and reexports of recoverable encryption commodities 
and software to commercial entities located in certain countries and 
subsidiaries of commercial entities headquartered in certain countries, 
wherever located, except Cuba, Iran, Iraq, Libya, North Korea, Sudan 
and Syria.
    5. In Sec. 742.15, revises the licensing policy for exports and 
reexports of encryption items as follows:
    a. Removes the business and marketing plan requirement for exports 
of non-recovery 56-bit DES or equivalent encryption items.
    b. Authorizes upgrades of 40-bit mass-market encryption software 
that has already been classified after a technical review and released 
from EI controls. Such software may be upgraded to 56-bits for the 
confidentiality algorithm without an additional technical review.
    c. Makes certain encryption commodities eligible for mass-market 
treatment.
    d. For exports and reexports of general purpose encryption 
commodities and software of any key length that are not eligible under 
License Exception ENC, insurance companies are now eligible to receive

[[Page 72158]]

such products under an Encryption Licensing Arrangement. This is 
consistent with the addition of insurance companies to the definition 
of financial institutions in part 772. Such encryption commodities and 
software will receive favorable consideration when the end-use is 
limited to secure financial communications or transactions, provided 
that there are no concerns about the country or specific end-user.
    e. For exports and reexports of encryption commodities and software 
of any key length not eligible under License Exception ENC, such 
commodities and software will generally be approved under an Encryption 
Licensing Arrangement to all health and medical end-users, except non-
U.S. biochemical and pharmaceutical manufacturers and non-U.S. military 
health and medical entities, in all destinations except Cuba, Iran, 
Iraq, Libya, North Korea, Sudan and Syria.
    f. For exports and reexports of encryption commodities and software 
of any key length not eligible under License Exception ENC, such 
commodities and software will generally be approved under an Encryption 
Licensing Arrangement to on-line merchants in all destinations except 
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. The end-use is 
limited to the purchase or sale of goods and software; and services 
connected with the purchase or sale of goods and software including 
interactions between purchasers and sellers necessary for ordering, 
payment and delivery of goods and software. No other end-uses or 
customer-to-customer communications or transactions are allowed.
    g. Exports and reexports of recoverable encryption commodities and 
software of any key length for use by commercial entities will 
generally be approved under an Encryption Licensing Arrangement to 
destinations listed in Supplement No. 3 to part 740 for the protection 
of company proprietary information. Such encryption commodities and 
software will also generally be approved for export and reexport to 
worldwide foreign subsidiaries of commercial firms headquartered in 
certain countries, except to subsidiaries located in Cuba, Iran, Iraq, 
Libya, North Korea, Sudan and Syria.
    Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement is reviewed on a case-by-case basis, 
and may be considered by BXA for eligibility under future Encryption 
Licensing Arrangement requests. All other exports and reexports of 
encryption items are reviewed on a case-by-case basis under a license 
application.
    6. Also in Sec. 742.15, clarifies the reporting requirement for 
exports to certain end-users.
    7. In part 772, revises the definition of financial institution to 
include the meaning of insurance company and adds definitions for 
business unit, health and medical end-user, on-line merchant, 
recoverable commodities and software, strategic partner (of a U.S. 
company), and U.S. subsidiary. Also clarifies that such definitions 
only apply to encryption items.
    BXA will in the near future update these regulations to reflect 
changes to encryption controls in the Wassenaar Arrangement and to 
address public comments on the September 22, 1998 rule (63 FR 50516) 
that implemented new licensing policies for banks and financial 
institutions.

Rulemaking Requirements

    1. This interim rule has been determined to be significant for 
purposes of E.O. 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information, subject to the 
requirements of the Paperwork Reduction Act, unless that collection of 
information displays a currently valid Office of Management and Budget 
Control Number. This rule contains collections of information subject 
to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These 
collections have been approved by the Office of Management and Budget 
under control numbers 0694-0088, ``Multi-Purpose Application,'' which 
carries a burden hour estimate of 52.5 minutes per submission; and 
0694-0104, ``Commercial Encryption Items Transferred from the 
Department of State to the Department of Commerce.'' The Department has 
submitted to OMB an emergency request for approval of the changes to 
the collection of information under OMB control number 0694-0104. 
Comments on collection 0694-0104 will be accepted until March 1, 1999.
    It will take companies 15 minutes to complete each certification. 
It will take companies 15 minutes to complete notifications. For 
reporting under License Exception KMI, it will take companies 1 hour to 
complete KMI reporting. For reporting under License Exception ENC, it 
will take companies 4 hours to complete ENC reporting.
    3. This rule does not contain policies with Federalism implications 
sufficient to warrant preparation of a Federalism assessment under E.O. 
12612.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
other law requires that a notice of proposed rulemaking and an 
opportunity for public comment be given for this interim final rule. 
Because a notice of proposed rulemaking and an opportunity for public 
comment are not required to be given for this rule under 5 U.S.C. or by 
any other law, the requirements of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq. ) are not applicable.
    However, because of the importance of the issues raised by these 
regulations, this rule is issued in interim form and comments will be 
considered in the development of final regulations. Accordingly, the 
Department of Commerce encourages interested persons who wish to 
comment to do so at the earliest possible time to permit the fullest 
consideration of their views.
    The period for submission of comments will close March 1, 1999. The 
Department will consider all comments received before the close of the 
comment period in developing final regulations. Comments received after 
the end of the comment period will be considered if possible, but their 
consideration cannot be assured. The Department will not accept public 
comments accompanied by a request that a part or all of the material be 
treated confidentially because of its business proprietary nature or 
for any other reason. The Department will return such comments and 
materials to the persons submitting the comments and will not consider 
them in the development of final regulations. All public comments on 
these regulations will be a matter of public record and will be 
available for public inspection and copying. In the interest of 
accuracy and completeness, the Department requires comments in written 
form. Comments should be provided with 5 copies.
    Oral comments must be followed by written memoranda, which will 
also be a matter of public record and will be available for public 
review and copying.
    The public record concerning these regulations will be maintained 
in the Bureau of Export Administration Freedom of Information Records

[[Page 72159]]

Inspection Facility, Room 4525, Department of Commerce, 14th Street and 
Pennsylvania Avenue, N.W., Washington, D.C. 20230. Records in this 
facility, including written public comments and memoranda summarizing 
the substance of oral communications, may be inspected and copied in 
accordance with regulations published in part 4 of Title 15 of the Code 
of Federal Regulations. Information about the inspection and copying of 
records at the facility may be obtained from Henry Gaston, Bureau of 
Export Administration Freedom of Information Officer, at the above 
address or by calling (202) 482-0500.
    The reporting burden for this collection is estimated to be 
approximately 815 hours, including the time for gathering and 
maintaining the data needed for completing and reviewing the collection 
of information. Comments are invited on: (a) whether the collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information shall have practical 
utility; (b) the accuracy of the agency's estimate of the burden of the 
proposed collection of information; (c) ways to enhance the quality, 
utility, and clarity of the information to be collected; and (d) ways 
to minimize the burden of the collection of information on respondents, 
including through the use of automated collection techniques or other 
forms of information technology. Comments regarding these burden 
estimates or any other aspect of the collection of information, 
including suggestions for reducing the burdens, should be forward to 
Nancy Crowe, Regulatory Policy Division, Office of Exporter Services, 
Bureau of Export Administration, Department of Commerce, P.O. Box 273, 
Washington, D.C. 20044, and David Rostker, Office of Management and 
Budget, OMB/OIRA, 725 17th Street, NW, NEOB Rm. 10202,Washington, D.C. 
20503.

List of Subjects

15 CFR Parts 740 and 743

    Administrative practice and procedure, Exports, Foreign trade, 
Reporting and recordkeeping requirements.

15 CFR Parts 742, 772 and 774

    Exports, foreign trade.

    Accordingly, 15 CFR Chapter 7, Subchapter C, is amended as follows:
    1. The authority citation for 15 CFR parts 740 and 772 continues to 
read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Executive Order 
13026 (November 15, 1996, 61 FR 58767); Notice of August 17, 1998 
(63 FR 55121, August 17, 1998).

    2. The authority citation for 15 CFR part 742 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 3 
CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., 
p. 917; E.O. 12938, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 3 CFR, 
1996 Comp. p. 219; E.O. 13026, 3 CFR, 1996 Comp., p. 228; Notice of 
August 17, 1998 (63 FR 55121, August 17, 1998).

    3. The authority citation for 15 CFR part 743 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 
17, 1998 (63 FR 55121, August 17, 1998).

    4. The authority citation for 15 CFR part 774 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; Sec. 201, Pub. L. 104-
58, 109 Stat. 557 (30 U.S.C. 185(s)); 30 U.S.C. 185(u); 42 U.S.C. 
2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 
U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; 
Executive Order 13026 (November 15, 1996, 61 FR 58767); Notice of 
August 17, 1998 (63 FR 55121, August 17, 1998).

PART 740--[AMENDED]

    5. Section 740.8 is amended:
    a. By revising the section title;
    b. By revising paragraph (b);
    c. By removing paragraph (d); and
    d. By redesignating paragraph (e) as paragraph (d) to read as 
follows:


Sec. 740.8  Key management infrastructure (KMI)

    (a) * * *
    (b) Eligible commodities and software. (1) Recovery encryption 
commodities and software of any key length controlled under ECCNs 5A002 
and 5D002 that have been classified after a technical review through a 
classification request. Key escrow and key recovery commodities and 
software must meet the criteria identified in Supplement No. 4 to part 
742 of the EAR.
    (2) For such classification requests, indicate ``License Exception 
KMI'' in block 9 on Form BXA-748P. Submit the original request to BXA 
in accordance with Sec. 748.3 of the EAR and send a copy of the request 
to:

Attn: KMI Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246
* * * * *
    6. Part 740 is amended by adding a new Sec. 740.17 to read as 
follows:


Sec. 740.17  Encryption commodities and software (ENC).

    (a) Exports and reexports of encryption commodities and software to 
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria.
    (1) Financial-specific encryption commodities and software of any 
key length.
    (i) Scope. You may export and reexport financial-specific 
encryption commodities and software (which are not eligible under the 
provisions of License Exception TSU for mass market software such as 
SET or similar protocols) of any key length that are restricted by 
design (e.g., highly field-formatted with validation procedures, and 
not easily diverted to other end-uses) for financial applications to 
secure financial communications/transactions for end-uses such as 
financial transfers, or electronic commerce.
    (ii) Eligible commodities and software. Encryption commodities and 
software of any key length classified under ECCNs 5A002 and 5D002 after 
a technical review (see paragraph (c) of this section). These 
commodities and software must be specifically designed and limited for 
use in the processing of electronic financial (commerce) transactions, 
which implements cryptography in specifically delineated fields such as 
merchant's identification, the customer's identification and address, 
the merchandise purchased and the payment mechanism. It does not allow 
for encryption of data, text or other media except as directly related 
to these elements of the electronic transaction to support financial 
communications/transactions. Notwithstanding the provisions of 
paragraph (c)(2) of this section, financial-specific commodities and 
software that were made eligible for License Exception KMI after a 
technical review prior to December 31, 1998, are now eligible for 
export and reexport under License Exception ENC under the provisions of 
this paragraph (a)(1).
    (iii) Eligible destinations. Upon approval of your classification 
request, you may export and reexport under License Exception ENC 
financial-specific encryption commodities and software, as defined in 
this paragraph (a)(1), of any key length to all destinations except 
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
    (iv) Reporting requirements. There are no reporting requirements.
    (2) Encryption commodities and software of any key length for U.S. 
subsidiaries. (i) Scope. You may export

[[Page 72160]]

and reexport encryption commodities and software of any key length 
under License Exception ENC to U.S. subsidiaries (as defined in part 
772 of the EAR) subject to the conditions of this paragraph (a)(2). 
Note that distributors, resellers or other entities that are not 
manufacturers of the encryption commodities and software are permitted 
to use License Exception ENC for U.S. subsidiaries only in instances 
where the export or reexport meets the terms and conditions of this 
paragraph (a)(2).
    (ii) Eligible commodities and software. Encryption commodities, 
software and technology of any key length classified under ECCNs 5A002, 
5D002 and 5E002 after a technical review (see paragraph (c) of this 
section). This includes encryption chips, integrated circuits, 
toolkits, executable or linkable modules, source code and technology to 
U.S. subsidiaries for internal company proprietary use, including the 
development of new products.
    (iii) Eligible destinations; retransfers. You may export and 
reexport under License Exception ENC encryption commodities, software 
and technology of any key length to U.S. subsidiaries for internal 
company proprietary use, including the development of new products, in 
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria. All items developed using U.S. encryption commodities, software 
and technology are subject to the EAR. For exports and reexports to 
strategic partners of U.S. companies (as defined in part 772) see 
Sec. 742.15(b)(8) of the EAR. Retransfers to other end-users or end-
uses are prohibited without prior authorization.
    (iv) Reporting requirements. There are no reporting requirements.
    (3) Encryption commodities, including mass market and non-mass 
market, and non-mass market encryption software incorporating symmetric 
algorithms with key lengths up to and including 56-bits, such as DES or 
equivalent. (i) Scope. You may export and reexport encryption 
commodities, including mass market and non-mass market commodities, and 
non-mass market software with key lengths up to and including 56-bits, 
such as DES or equivalent, under License Exception ENC subject to the 
conditions of this paragraph (a)(3). For information concerning the 
technical review of encryption mass market commodities and mass market 
software refer to Sec. 742.15(b)(1) of the EAR. Note that encryption 
mass market software remains eligible under License Exception TSU.
    (ii) Eligible commodities and software. (A) Mass market and non-
mass market encryption commodities and non-mass market software having 
symmetric algorithms with key lengths up to and including 56-bits, such 
as DES or equivalent (such as RC2, RC4, RC5, and CAST) which are 
classified as a result of a technical review (see paragraph (c) of this 
section). The commodity or software must not allow the alteration of 
the cryptographic functionality by the user or any other program. 
Encryption chips, integrated circuits, toolkits and executable or 
linkable modules are not authorized for export under the provisions of 
paragraph (a)(3).
    (B)(1) For mass market and non-mass market encryption commodities 
and non-mass market encryption software, exporters of 40-bit or less 
encryption commodities and software which have been made eligible for 
License Exception KMI or License Exception TSU or have been licensed 
for export under an Encryption Licensing Arrangement or a license prior 
to December 31, 1998, will be permitted to export and reexport these 
commodities and software under license exception ENC with increased key 
lengths up to and including 56-bits for the confidentiality algorithm, 
with key exchange mechanisms including symmetric algorithms with the 
same or double key length authorized for the confidentiality algorithm, 
and asymmetric algorithms for key exchange with key space of 512, 768 
or up to and including 1024 bits without an additional technical 
review, provided that there is no other change in cryptographic 
functionality. Exporters must certify to BXA that the only change to 
the encryption is the increase in the key length for the 
confidentiality algorithm, the asymmetric or symmetric key exchange 
algorithms and that there is no other change in cryptographic 
functionality. Such certifications must be in the form of a letter from 
senior corporate management and include the original authorization 
number issued by BXA, the date of issuance and the information 
identified in paragraphs (a)(2) (iii) throught (v) of Supplement No. 6 
to part 742 of the EAR. (If this information was submitted previously, 
then only identify the modifications.) BXA must receive such 
certification by March 31, 1999, and prior to any export of such 
upgraded product.
    (2) The certification should be sent to:

Office of Strategic Trade and Foreign Policy Controls, Bureau of 
Export Administration, Department of Commerce, 14th Street and 
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
Encryption Upgrade

    (3) A copy of the certification should be sent to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246

    (C) After March 31, 1999, any increase (upgrade) in the 
confidentiality algorithm and the key exchange algorithm must be 
reviewed by BXA through a classification request (see Sec. 748.3 of the 
EAR). In Block 9 of form BXA-748P, indicate ``Key Length Upgrade.''
    (iii) Eligible destinations. License Exception ENC is available for 
exports and reexports of encryption commodities and software with key 
length up to and including 56-bits, such as DES or equivalent to all 
destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria.
    (iv) Reporting requirements. See paragraph (d) of this section for 
reporting requirements.
    (b) Exports and reexports of certain encryption commodities and 
software to countries listed in Supplement No. 3 to part 740 of the 
EAR. (1) General purpose encryption commodities and software of any key 
length for use by banks/financial institutions. (i) Scope. You may 
export and reexport general purpose, non-voice encryption commodities 
and software of any key length to banks and financial institutions (as 
defined in part 772 of the EAR) in specified destinations, subject to 
the conditions of this paragraph (b)(1). Note that distributors, 
resellers or other entities who are not manufacturers of the encryption 
commodities and software are permitted to use License Exception ENC for 
banks and financial institutions only in instances where the export or 
reexport meets the terms and conditions of this paragraph (b)(1).
    (ii) Eligible commodities and software. General purpose, non-voice 
encryption commodities and software of any key length classified under 
ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of 
this section). Note that software and commodities that have already 
been approved under an Encryption Licensing Arrangement to banks and 
financial institutions in specified countries may now be exported or 
reexported to other banks and financial institutions in those countries 
under the same Encryption Licensing Arrangement.
    (iii) Eligible destinations; retransfers. Upon approval of your 
classification request, you may export and reexport

[[Page 72161]]

under License Exception ENC general purpose, non-voice encryption 
commodities and software, as defined in this paragraph (b)(1), of any 
key length to banks and financial institutions in all destinations 
listed in Supplement No. 3 to this part and to branches of such banks 
and financial institutions wherever established, except Cuba, Iran, 
Iraq, Libya, North Korea, Sudan and Syria. End-use is limited to secure 
business financial communications or transactions and financial 
communications/transactions between the bank and/or financial 
institution and its customers. No customer to customer communications 
or transactions are allowed. Retransfers to other end-users or end-uses 
are prohibited without prior authorization.
    (iv) Reporting requirements. There are no reporting requirements.
    (2) Health and medical end-users. (i) Scope. You may export and 
reexport encryption commodities and software of any key length under 
License Exception ENC to health and medical end-users (as defined in 
part 772 of the EAR) in specified destinations, subject to the 
conditions of this paragraph (b)(2). Note that distributors, resellers 
or other entities who are not manufacturers of the encryption 
commodities and software are permitted to use License Exception ENC for 
health and medical end-users only in instances where the export or 
reexport meets the terms and conditions of this paragraph (b)(2).
    (ii) Eligible commodities and software. Encryption commodities and 
software of any key length classified under ECCNs 5A002 and 5D002 after 
a technical review (see paragraph (c) of this section).
    (iii) Eligible destinations; retransfers. You may export and 
reexport under License Exception ENC encryption commodities and 
software of any key length to health and medical end-users in all 
destinations listed in Supplement No. 3 to this part. Non-U.S. 
biochemical and pharmaceutical manufacturers, and non-U.S. military 
health and medical entities are not eligible to receive encryption 
commodities and software under License Exception ENC (see Sec. 742.15 
of the EAR for licensing information on these end-users, as well as 
additional countries). End-use is limited to securing health and 
medical transactions to health and medical end-users. No customer to 
customer communications or transactions are allowed. Retransfers to 
other end-users or end-uses are prohibited without prior authorization.
    (iv) Reporting requirements. See paragraph (d) of this section for 
reporting requirements for exports under this License Exception.
    (3) Encryption commodities and software of any key length for on-
line merchants. (i) Scope. You may export and reexport encryption 
commodities and software of any key length under License Exception ENC 
to on-line merchants (as defined in part 772 of the EAR) in specified 
destinations, subject to the conditions of this paragraph (b)(3). End-
use is limited to: the purchase or sale of goods and software; and 
services connected with the purchase or sale of goods and software 
including interactions between purchasers and sellers necessary for 
ordering, payment and delivery of goods and software. No other end-uses 
or customer to customer communications or transactions are allowed. 
Foreign on-line merchants or their separate business units (as defined 
in part 772 of the EAR) who are engaged in the manufacturing and 
distribution of items or services controlled on the U.S. Munitions List 
are excluded. Foreign government end-users are also excluded from this 
License Exception. Note that distributors, resellers or other entities 
who are not manufacturers of the encryption commodities and software 
are permitted to use License Exception ENC for on-line merchants only 
in instances where the export or reexport meets the terms and 
conditions of this paragraph (b)(3).
    (ii) Eligible commodities and software. Encryption commodities and 
software of any key length classified under ECCNs 5A002 and 5D002 after 
a technical review (see paragraph (c) of this section). Such 
commodities and software must be limited to client-server applications 
(e.g. Secure Socket Layer (SSL) based applications) or applications 
specially designed for on-line transactions for the purchase or sale of 
goods and software; and services connected with the purchase or sale of 
goods and software, including interactions between purchasers and 
sellers necessary for ordering, payment and delivery of goods and 
software. Notwithstanding the provisions of paragraph (c)(2) of this 
section, commodities and software that were eligible for export to on-
line merchants under an Encryption Licensing Arrangement or license 
prior to December 31, 1998, are now eligible for export and reexport 
under License Exception ENC under the provisions of this paragraph 
(b)(3).
    (iii) Eligible destinations; retransfers. You may export and 
reexport encryption commodities and software under License Exception 
ENC to on-line merchants in all destinations listed in Supplement No. 3 
to this part, except to foreign on-line merchants or their separate 
business units who are engaged in the manufacturing and distribution of 
items or services controlled on the U.S. Munitions List. Retransfers to 
other end-users or end-uses are prohibited without prior authorization.
    (iv) Reporting requirements. See paragraph (d) of this section for 
reporting requirements for exports under this License Exception.
    (c) Technical review to determine eligibility for License Exception 
ENC. (1) You may initiate a technical review required by paragraph (a) 
or (b) of this section by submitting a classification request for your 
product in accordance with the provisions of Sec. 748.3(b) of the EAR. 
Indicate ``License Exception ENC'' in Block 9: Special purpose, on form 
BXA-748P. Submit the original request to BXA in accordance with 
Sec. 748.3 of the EAR and send a copy of the request to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246

    (2) Commodities and software that have been made eligible for 
License Exception TSU or KMI or which have been approved for export 
under an Encryption Licensing Arrangement or a license prior to 
December 31, 1998 are eligible for export and reexport under all 
paragraphs of License Exception ENC, except paragraphs (a)(1) and 
(b)(3) of this section, without an additional technical review, 
provided that the export or reexport meets all the terms and conditions 
of this License Exception. For all other commodities and software, a 
technical review will determine eligibility for License Exception ENC 
by reviewing the confidentiality algorithm, key space, and key exchange 
mechanism.
    (3) For export and reexport of encryption commodities and software 
under paragraph (a)(3) of this section, examples of eligible key 
exchange mechanisms include, but are not limited to, symmetric 
algorithms with the same or double the key length authorized for the 
confidentiality algorithm, asymmetric algorithms with key space of 512, 
768 or up to and including 1024 bits, proprietary key exchange 
mechanisms, or others.
    (4) For export and reexport of encryption commodities and software 
under paragraph (b)(3) of the License Exception ENC, exporters, in 
order to expedite review of the classification, should submit, as 
applicable, the following types of information to support the 
classification request:

[[Page 72162]]

    (i) Information describing how the product is limited to a client-
server application or application specially designed or tailored to the 
conditions outlined in the License Exception;
    (ii) Information describing the end-user environment to which the 
application will be limited;
    (iii) Information explaining how the product will not permit 
customer-to-customer communications or transactions above 56-bits;
    (iv) Information on the process by which the merchant(s) or 
application will limit access to authorized users; or
    (v) Details of the encryption system, including how it is limited 
to the application or cannot be diverted to other end-uses.
    (d) Reporting requirements. (1) You must provide to BXA the names 
and addresses for exports to the following end-users:
    (i) All military and government end-users for non-mass market 
commodities and non-mass market software exports authorized under 
paragraph (a)(3) of this section;
    (ii) All health and medical end-users for exports authorized under 
paragraph (b)(2) of this section, and
    (iii) All foreign on-line merchants for exports authorized under 
paragraph (b)(3) of this section.
    (2) You must submit reports no later than February 1 and no later 
than August 1 of any given year. Specifically, the report must identify 
the end-user name and address and country of ultimate destination, as 
well as the classification or other authorization number. Send the 
report to the following address:

Office of Strategic Trade and Foreign Policy Controls, Bureau of 
Export Administration, Department of Commerce, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
Encryption Reports

    7. Supplement No. 3 is revised to read as follows:
Supplement No. 3 to Part 740--Countries Eligible To Receive General 
Purpose Encryption Commodities and Software
Anguilla*
Antigua*
Argentina*
Aruba*
Austria**
Australia**
Bahamas*
Barbados*
Belgium**
Brazil*
Canada**
Croatia
Czech Republic*
Denmark**
Dominica*
Ecuador*
Finland**
France **
Germany**
Greece*
Hong Kong
Hungary*
Iceland**
Ireland**
Italy**
Japan**
Kenya*
Luxembourg**
Monaco*
The Netherlands**
New Zealand**
Norway**
Poland*
Portugal**
St. Kitts & Nevis*
St. Vincent/Grenadines*
Seychelles*
Singapore
Spain**
Sweden**
Switzerland**
Trinidad & Tobago*
Turkey*
Uruguay*
United Kingdom**
United States**
    *Commercial entities and their branches located in these 
countries or any country listed in this Supplement and designated 
with one or two asterisks are eligible to receive ``recoverable'' 
encryption commodities and software of any key length for internal 
company proprietary use. See Sec. 742.15(b)(7) of the EAR.
    **Commercial entities headquartered in these countries and their 
branches wherever located (except Cuba, Iran, Iraq, Libya, North 
Korea, Sudan and Syria) are eligible to receive ``recoverable'' 
encryption commodities and software of any key length for internal 
company proprietary use. See Sec. 742.15(b)(7) of the EAR.

PART 742--[AMENDED]

    8. Section 742.15 is amended:
    a. By revising the first sentence of paragraph (a);
    b. By revising the phrase ``Supplements No. 4, No. 5 and No. 7'' in 
the introductory paragraph (b) to read ``Supplement No. 4'';
    c. By revising the phrase ``encryption software'' in the title to 
paragraph (b)(1) to read ``encryption commodities and software'';
    d. By revising paragraph (b)(1)(i);
    e. By adding new paragraphs (b)(1)(iii) and (b)(1)(iv);
    f. By revising paragraph (b)(2);
    g. By removing paragraph (b)(3);
    h. By redesignating paragraphs (b)(4) and (5) as (b)(3) and (4);
    i. By revising newly redesignated paragraphs (b)(3);
    j. By revising the heading of newly redesignated paragraph (b)(4);
    k. By removing the phrase ``non-recoverable'' in the first sentence 
of newly redesignated paragraph (b)(4).
    l. By revising the phrase ``under License Exception KMI (see 
Sec. 740.8 of the EAR)'' in newly redesignated paragraph (b)(4) to read 
``License Exception ENC (see Sec. 740.17(a)(1) of the EAR)'';
    m. By redesignating paragraph (b)(6) and (7) as (b)(8) and (9);
    n. By adding new paragraphs (b)(5), (6) and (7); and
    o. By adding a new paragraph (b)(8)(iii) to read as follows:


Sec. 742.15  Encryption items.

* * * * *
    (a) Licenses are required for exports and reexports to all 
destinations, except Canada, for items controlled under ECCNs having an 
``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph. * 
* *
    (b) * * *
    (1) * * *
    (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767), 
certain encryption software that was transferred from the U.S. 
Munitions List to the Commerce Control List pursuant to the 
Presidential Memorandum of November 15, 1996, may be released from EI 
controls and thereby made eligible for mass market treatment after a 
technical review. Further, certain encryption commodities may be 
released from EI controls and thereby made eligible for mass market 
treatment after a technical review. To determine eligibility for mass 
market treatment, exporters must submit a classification request to 
BXA. 56-bit mass market encryption commodities and software using RC2, 
RC4, RC5, DES or CAST, and key exchange mechanisms including, but not 
limited to, symmetric algorithms with the same or double the key length 
authorized for the confidentiality algorithm, asymmetric algorithms 
with key space of 512, 768 or up to and including 1024 bits, 
proprietary key exchange mechanisms, or others, may be eligible for a 
7-day review process, and company proprietary commodities and software 
implementations may be eligible for 15-day processing. Refer to 
Supplement No. 6 to part 742 and Sec. 748.3(b)(3) of the EAR for 
additional information. Note that the technical review is for a 
determination to release encryption commodities and software in object 
code only unless otherwise specifically requested. Exporters requesting 
release of the source code should refer to paragraph (b)(3)(v)(E) of 
Supplement No. 6 to part 742.
    (ii) * * *
    (iii) If after a technical review, BXA determines that the 
encryption commodity is released from EI controls, the commodity is 
eligible for export under License Exception ENC and all provisions of 
the EAR applicable to other commodities. However, if BXA determines 
that the commodity is not released from EI controls, and no License 
Exception applies, a license is required for export and reexport to all 
destinations, except Canada, and license applications will be 
considered on a case-by-case basis.
    (iv) Mass-market encryption software that has already been 
classified after a technical review and that has been released from EI 
controls under the provisions of this paragraph (b)(1) will be 
permitted for export and reexport under license exception TSU with 
increases of 56-bits for the confidentiality algorithm, the same or 
double the key length authorized for the confidentiality algorithm for 
symmetric

[[Page 72163]]

algorithms for key exchange mechanisms and with key spaces of 512, 768 
or up to and including 1024 bits for asymmetric algorithms for key 
exchange without an additional technical review, provided that there is 
no other change in the cryptographic functionality. Exporters must 
notify BXA in writing of the increase in the key length for the 
confidentiality algorithm, the asymmetric or symmetric key exchange 
algorithms, and include the original authorization number issued by BXA 
and the information identified in paragraphs (a)(2)(iii) through (v) of 
Supplement No. 6 to part 742 of the EAR (if this information was 
submitted previously, then only identify the modifications). BXA must 
receive such notification by March 31, 1999.
    (A) The notification should be sent to:

Office of Strategic Trade and Foreign Policy Controls, Bureau of 
Export Administration, Department of Commerce, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
Encryption Upgrade

    (B) A copy of the certification should be sent to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246

    (2) Key escrow and key recovery encryption commodities and 
software. Certain recovery encryption commodities and software of any 
key length that are classified under ECCNs 5A002 and 5D002 after a 
technical review are eligible for export and reexport under License 
Exception KMI. See Sec. 740.8(b)(1) of the EAR for information on 
additional eligibility requirements.
    (3) General purpose encryption commodities and software of any key 
length for use by banks and financial institutions.
    (i) Commodities and software that were eligible for License 
Exception TSU or KMI or have been licensed for export or reexport under 
an Encryption Licensing Arrangement or a license prior to December 31, 
1998, are now eligible for export and reexport under License Exception 
ENC under the provisions of Sec. 740.17(b)(1) of the EAR.
    (ii) For exports and reexports not eligible under a License 
Exception, exports and reexports of general purpose non-voice 
encryption commodities and software classified under ECCNs 5A002 and 
5D002 of any key length will generally be approved under an Encryption 
Licensing Arrangement for use by banks and financial institutions (as 
defined in part 772 of the EAR) in all destinations except Cuba, Iran, 
Iraq, Libya, North Korea, Sudan and Syria. Applications for such 
commodities and software will receive favorable consideration when the 
end-use is limited to secure business financial communications or 
transactions and financial communications/transactions between the bank 
and/or financial institution and its customers provided that there are 
no concerns about the country or end-user. No customer to customer 
communications or transactions are allowed.
    (iii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are 
not manufacturers of the encryption commodities and software are 
permitted to use an existing Encryption Licensing Arrangement for 
exports and reexports of these products only when Encryption Licensing 
Arrangement has been granted to the manufacturer and the export and 
reexport meets the terms and conditions of this paragraph (b)(3).
    (v) There are no reporting requirements for exports to banks and 
financial institutions.
    (4) Financial-specific encryption items of any key length.* * *
    (5) Encryption commodities and software of any key length for use 
by health and medical end-users. (i) Commodities and software that have 
been classified after a technical review through a classification 
request or have been licensed for export under an Encryption Licensing 
Arrangement or a license are eligible for export and reexport under 
License Exception ENC to health and medical end-users without an 
additional technical review, provided that the export or reexport meets 
all the terms and conditions of that License Exception. See Sec. 740.17 
of the EAR. Commodities and software that were eligible for License 
Exception TSU or KMI or have been licensed for export or reexport under 
an Encryption Licensing Arrangement or a license prior to December 31, 
1998, are now eligible for export and reexport under License Exception 
ENC under the provisions of Sec. 740.17(b)(2) of the EAR.
    (ii) For exports and reexports that are not eligible under License 
Exception ENC, exports and reexports of encryption commodities and 
software classified under ECCNs 5A002 and 5D002 of any key length will 
generally be approved under an Encryption Licensing Arrangement for use 
by health and medical end-users (as defined in part 772 of the EAR) in 
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria except for non-U.S. biochemical and pharmaceutical manufacturers 
and non-U.S. military health and medical entities. No customer to 
customer communications or transactions are allowed.
    (iii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are 
not manufacturers of the encryption commodities and software are 
permitted to use an existing Encryption Licensing Arrangement for 
exports and reexports of these products only when Encryption Licensing 
Arrangement has been granted to the manufacturer and the export and 
reexport meets the terms and conditions of this paragraph (b)(5).
    (v) You must submit to BXA the name and address of the end-user.
    (6) Encryption commodities and software of any key length for on-
line merchants. (i) Commodities and software that were eligible for 
export to on-line merchants under an Encryption Licensing Arrangement 
prior to December 31, 1998, are now eligible for export and reexport 
under License Exception ENC under the provisions of Sec. 740.17(b)(3).
    (ii) Exports and reexports of encryption commodities and software 
classified under ECCNs 5A002 and 5D002 of any key length which are 
limited to client-server applications (e.g., Secure Socket Layer (SSL) 
based applications) or applications specially designed for on-line 
transactions for the purchase or sale of goods and software will be 
permitted under an Export Licensing Arrangement in all destinations 
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by 
foreign on-line merchants as defined in part 772 of the EAR. End-use is 
limited to: the purchase or sale of goods and software; and services 
connected with the purchase or sale of goods and software, including 
interactions between purchasers and sellers necessary for ordering, 
payment and delivery of goods and software. No other end-uses or 
customer to customer communications or transactions are allowed.
    (iii) Applications for Encryption Licensing Arrangements for on-
line

[[Page 72164]]

merchants will generally be approved, except for foreign on-line 
merchants or their separate business units (as defined in part 772 of 
the EAR) who are engaged in the manufacturing and distribution of items 
or services controlled on the U.S. Munitions List. Such end-users will 
be considered on a case-by-case basis.
    (iv) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (v) Note that distributors, resellers or other entities who are not 
manufacturers of the encryption commodities and software are permitted 
to use an existing Encryption Licensing Arrangement for exports and 
reexports of these products only when Encryption Licensing Arrangement 
has been granted to the manufacturer and the export and reexport meets 
the terms and conditions of this paragraph (b)(6).
    (v) You must submit to BXA the name and address of the end-user.
    (7) Recoverable encryption commodities and software of any key 
length for use by commercial entities. (i) Exports and reexports of 
recoverable encryption commodities and software (as defined in part 772 
of the EAR) classified under ECCNs 5A002 and 5D002 of any key length 
will generally be approved under an Encryption Licensing Arrangement to 
destinations designated with a ``*'' or ``**'' in Supplement No. 3 to 
part 740 of the EAR to foreign commercial entities for internal company 
proprietary use. Such encryption commodities and software will 
generally be approved for export and reexport to foreign subsidiaries 
of commercial firms headquartered in countries designated with a ``**'' 
in Supplement No. 3 to part 740 of the EAR that are located in any 
destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria. Exports and reexports to telecommunication and internet service 
providers is permitted under this policy for internal company 
proprietary use. Use by service providers to provide service to 
customers is excluded from this policy, but exports may be possible 
under a license or an Encryption Licensing Arrangement on a case-by-
case basis. This policy of approval excludes those foreign commercial 
firms or their separate business units (as defined in part 772 of the 
EAR) engaged in the manufacturing and distribution of items or services 
controlled by the U.S. Munitions List.
    (ii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iii) Note that distributors, resellers or other entities who are 
not manufacturers of the encryption commodities and software are 
permitted to use an existing Encryption Licensing Arrangement for 
exports and reexports of these products only when Encryption Licensing 
Arrangement has been granted to the manufacturer and the export and 
reexport meets the terms and conditions of this paragraph (b)(7).
    (iv) You must submit to BXA the name and address of the end-user.
    (8) All other encryption items. * * *
    (iii) Exports and reexports of encryption commodities and software 
of any key length to ``strategic partners'' of U.S. companies will 
receive favorable consideration when the end-use is for the protection 
of U.S. company proprietary information.
* * * * *
    9. Supplement No. 4 to part 742 is amended by revising paragraph 
(8) to read as follows:

Supplement No. 4 to Part 742--Key Escrow or Key Recoverable 
Products Criteria

* * * * *
    (8) The product's cryptographic function's key(s) or other 
material/information required to decrypt ciphertext shall be accessible 
to government officials under proper legal authority.
    10. Part 742 is amended by removing and reserving Supplement No. 5 
and Supplement No. 7.
    11. Supplement No. 6 to part 742 is revised to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting a 
Classification Request for Mass Market Encryption Commodities and 
Software

    Classification requests for release of certain mass market 
encryption commodities and software from EI controls must be submitted 
on Form BXA-748P, in accordance with Sec. 748.3 of the EAR. To expedite 
review of the request, clearly mark the envelope ``Attn.: Mass Market 
Encryption (Commodity) or (Software) Classification Request''. In Block 
9: Special Purpose of the Form BXA-748P, you must insert the phrase 
``Mass Market Encryption (Commodity) or (Software). Failure to insert 
this phrase will delay processing. In addition, the Bureau of Export 
Administration recommends that such requests be delivered via courier 
service to: Bureau of Export Administration, Office of Exporter 
Services, Room 2705, 14th Street and Pennsylvania Ave., N.W., 
Washington, D.C. 20230. In addition, send a copy of the request and all 
supporting documents by Express Mail to: Attn: Mass Market Encryption 
Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246.
    (a) Requests for mass market encryption commodities and software 
that meet the criteria in paragraph (a)(2) of this Supplement will be 
processed in seven (7) working days from receipt of a properly 
completed request. Those requests for mass market encryption 
commodities and software that meet the criteria of paragraph (a)(1) of 
this Supplement only will be processed in fifteen (15) working days 
from receipt of a properly completed request. When additional 
information is requested, the request will be processed within 15 
working days of the receipt of the requested information.
    (1) A mass market product that meets the criteria established in 
this paragraph will be processed in fifteen (15) working days from 
receipt of the properly completed request:
    (i) The commodity or software must be mass market. Mass market 
commodities and software that are available to the public via sales 
from stock at retail selling points by means of over-the-counter 
transactions, mail order transactions, or telephone call transactions;
    (ii) The commodity or software must be designed for installation by 
the user without further substantial support by the supplier. 
Substantial support does not include telephone (voice only) help line 
services for installation or basic operation, or basic operation 
training provided by the supplier; and
    (iii) The commodity or software includes encryption for data 
confidentiality.
    (2) A mass market commodity or software product that meets all the 
criteria established in this paragraph will be processed in seven (7) 
working days from receipt of the properly completed request:
    (i) The commodity or software meets all the criteria established in 
paragraph (a)(1) (i) through (iii) of this Supplement;
    (ii) The confidentiality algorithm must be RC2, RC4, RC5, DES or 
CAST with a key space no longer than 56-bits. The RC2, RC4 and RC5 
algorithms are proprietary to RSA Data Security, Inc. To ensure that 
the subject commodity or

[[Page 72165]]

software is properly licensed and correctly implemented, contact RSA 
Data Security, (415) 595-8782. The CAST algorithm is proprietary to 
Entrust Technologies, Inc. To ensure that the subject software is 
properly licensed and correctly implemented, contact Entrust 
Technologies, Inc., (972) 994-8000;
    (iii) If any combination of RC2, RC4, RC5, DES or CAST are used in 
the same commodity or software, their functionality must be separate. 
That is, no data can be operated sequentially on by both routines or 
multiply by either routine;
    (iv) The commodity or software must not allow the alteration of the 
confidentiality mechanism and its associated key spaces by the user or 
any other program;
    (v) The key exchange used in confidentiality must be:
    (A) A public key algorithm with a key space less than or equal to a 
512-bit, 768-bit or up to and including 1024 bit modulus and/or;
    (B) A symmetric algorithm with a key space less than or equal to 
112-bits; and
    (vi) The commodity or software must not allow the alteration of the 
key management mechanism and its associated key space by the user or 
any other program.
    (b)(1) To submit a classification request for a product that is 
eligible for the seven-day handling, you must provide the following 
information in a cover letter to the classification request. Send the 
original to the Bureau of Export Administration. Send a copy of the 
application and all supporting documentation by Express Mail to:

Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, 
Annapolis Junction, MD 20701-0246

    (2) Instructions for the preparation and submission of a 
classification request that is eligible for seven day handling are as 
follows:
    (3) If the commodity or software product meets the criteria in 
paragraph (a)(2) of this Supplement, you must call the Department of 
Commerce on (202) 482-0092 to obtain a test vector, or submit to BXA a 
copy of the encryption subsystem source code. The test vector or source 
code must be used in the classification process to confirm that the 
software has properly implemented the approved encryption algorithms.
    (4) Upon receipt of the test vector, the applicant must encrypt the 
test plain text input provided using the product's encryption routine 
(RC2, RC4, RC5, DES or CAST) with the given key value. The applicant 
should not pre-process the test vector by any compression or any other 
routine that changes its format. Place the resultant test cipher text 
output in hexadecimal format on an attachment to form BXA-748P.
    (5) You must provide the following information in a cover letter to 
the classification request:
    (i) Clearly state at the top of the page ``Mass Market Encryption 
(Commodity) (Software)--7 Day Expedited Review Requested'';
    (ii) State that you have reviewed and determined that the commodity 
or software subject to the classification request meets the criteria of 
paragraph (a)(2) of this Supplement;
    (iii) State the name of the single commodity or software product 
being submitted for review. A separate classification request is 
required for each product;
    (iv) State how the commodity or software has been written to 
preclude user modification of the encryption algorithm, key management 
mechanism, and key space;
    (v) Provide the following information for the commodity or software 
product:
    (A) Whether the commodity or software uses the RC2, RC4, RC5, DES 
or CAST algorithm and how the algorithm(s) is used. If any combination 
of these algorithms are used in the same product, and also state how 
the functionality of each is separated to assure that no data is 
operated by more than one algorithm;
    (B) Pre-processing information of plaintext data before encryption 
(e.g. the addition of clear text header information or compression of 
the data);
    (C) Post-processing information of cipher text data after 
encryption (e.g. the addition of clear text header information or 
packetization of the encrypted data);
    (D) Whether a public key algorithm or a symmetric key algorithm is 
used to encrypt keys and the applicable key space;
    (E) For classification requests regarding source code:
    (1) Reference the applicable executable product that has already 
received a technical review;
    (2) Include whether the source code has been modified by deleting 
the encryption algorithm, its associated key management routine(s), and 
all calls to the algorithm from the source code, or by providing the 
encryption algorithm and associated key management routine(s) in object 
code with all calls to the algorithm hidden. You must provide the 
technical details on how you have modified the source code;
    (3) Include a copy of the sections of the source code that contain 
the encryption algorithm, key management routines, and their related 
calls; and
    (F) Provide any additional information which you believe would 
assist in the review process.
    (c) Instructions for the preparation and submission of a 
classification request that is eligible for 15-day handling are as 
follows:
    (1) If the commodity or software product meets only the criteria in 
paragraph (a)(1) of this Supplement, you must prepare a classification 
request. Send the original to the Bureau of Export Administration. Send 
a copy of the application and all supporting documentation by Express 
Mail to:

Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, 
Annapolis Junction, MD 20701-0246

    (2) You must provide the following information in a cover letter to 
the classification request:
    (i) Clearly state at the top of the page ``Mass Market Encryption 
(Commodity)(Software)--15 Day Expedited Review Requested'';
    (ii) State that you have reviewed and determined that the commodity 
or software subject of the classification request, meets the criteria 
of paragraph (a)(1) of this Supplement;
    (iii) State the name of the single commodity or software product 
being submitted for review. A separate classification request is 
required for each product;
    (iv) State that a duplicate copy, in accordance with paragraph 
(c)(1) of this Supplement, has been sent to the 15-day Encryption 
Request Coordinator; and
    (v) Ensure that the information provided includes brochures or 
other documentation or specifications relating to the commodity or 
software, as well as any additional information which you believe would 
assist in the review process.
    (3) Contact the Bureau of Export Administration on (202) 482-0707 
prior to submission of the classification to facilitate the submission 
of proper documentation.

PART 743--[AMENDED]

    12. Section 743.1 is amended:
    a. By revising the phrase ``GOV and KMI (under the provisions of 
Sec. 740.8(b)(2)(ii) and (iii) only)'' in paragraph (b) to read 
``ENC''; and
    b. By removing the phrase '', 5A002, 5B002, 5D002, and 5E002'' in 
paragraph (c)(1)(v).

PART 772--[AMENDED]

    13. Part 772 is amended by revising the definition of ``Financial 
Institution'' and adding, in alphabetical order, new definitions for 
``Business Unit'',

[[Page 72166]]

``Health/medical end-user'', ``On-line merchant'', ``Recoverable 
commodities and software'', ``Strategic partner,'' and ``U.S. 
subsidiary''.
* * * * *
    Business Unit. As applied to encryption items, means a unit of a 
business which, whether or not separately incorporated, has:
    (a) A distinct organizational structure which does not overlap with 
other business units of the same business;
    (b) A distinct set of accounts; and
    (c) Separate facilities for purchase, sale, delivery, and 
production of goods and services.
* * * * *
    Financial Institution. As applied to encryption items, means any of 
the following:
    (a) A broker, dealer, government securities broker or dealer, self-
regulatory organization, investment company or investment adviser, 
which is regulated or supervised by the Securities and Exchange 
Commission or a self-regulatory organization that is registered with 
the Securities and Exchange Commission; or
    (b) A broker, dealer, government securities broker or dealer, 
investment company, investment adviser, or entity that engages in 
securities activities that, if conducted in the United States, would be 
described by the definition of the term ``self-regulatory 
organization'' in the Securities Exchange Act of 1934, which is 
organized under the laws of a foreign country and regulated or 
supervised by a foreign securities authority; or
    (c) A U.S. board of trade that is designated as a contract market 
by the Commodity Futures Trading Commission or a futures commission 
merchant that is regulated or supervised by the Commodity Futures 
Trading Commission; or
    (d) A U.S. entity engaged primarily in the business of issuing a 
general purpose charge, debit, or stored value card, or a branch of, or 
affiliate controlled by, such an entity; or
    (e) A branch or affiliate of any of the entities listed in 
paragraphs (a), (b), or (c) of this definition regulated or supervised 
by the Securities and Exchange Commission, the Commodity Futures 
Trading Commission, or a foreign securities authority; or
    (f) An affiliate of any of the entities listed in paragraph (a), 
(b), (c), or (e), of this definition engaged solely in the business of 
providing data processing services to one or more bank or financial 
institutions, or a branch of such an affiliate; or
    (g) A company organized and regulated under the laws of any of the 
United States and its branches and affiliates whose primary and 
predominant business activity is the writing of insurance or the 
reinsuring of risks; or a company organized and regulated under the 
laws of a foreign country and its branches and affiliates whose primary 
and predominant business activity is the writing of insurance or the 
reinsuring of risks.
* * * * *
    Health/medical end-user. As applied to encryption items, means any 
entity, including civilian government agencies, the primary purpose of 
which is the provision of medical or other health services. The term 
medical or other health services includes the following items or 
services:
    (a) Physicians' services and services and supplies furnished as an 
incident to a physician's professional service (such as laboratory 
services), of kinds which are commonly furnished in physicians' 
offices; services provided by a physician assistant or by a nurse 
practitioner; including services which would be physicians' services if 
furnished by a physician and which are performed by a physician 
assistant under the supervision of a physician, or services which would 
be physicians' services if furnished by a physician and which are 
performed by a nurse practitioner or clinical nurse specialist in 
collaboration with a physician; certified nurse-midwife services or 
services of a certified registered nurse anesthetist;
    (b) Hospital services incident to physicians services rendered to 
outpatients and hospitalization services incident to such services; 
ambulance services;
    (c) Psychologist services or clinical social worker services; or
    (d) Health cost reimbursers (e.g., health insurers, HMOs).
* * * * *
    On-line merchant. As applied to encryption items, means an entity 
regularly engaged in lawful commerce that uses means of electronic 
communications (e.g., the Internet) to conduct commercial transactions.
* * * * *
    Recoverable commodities and software. As applied to encryption 
items, means any of the following:
    (a) A stored data product containing a recovery feature that, when 
activated, allows recovery of the plaintext of encrypted data without 
the assistance of the end-user; or
    (b) A product or system designed such that a network administrator 
or other authorized persons who are removed from the end-user can 
provide law enforcement access to plaintext without the knowledge or 
assistance of the end-user. This includes, for example, products or 
systems where plaintext exists and is accessible at intermediate points 
in a network or infrastructure system, enterprise-controlled recovery 
systems, and products which permit recovery of plaintext at the server 
where a system administrator controls or can provide recovery of 
plaintext across an enterprise.

    Note to this definition: ``Plaintext'' indicates that data that 
is initially received by or presented to the recoverable product 
before encryption takes place.
* * * * *
    Strategic partner (of a U.S. company). As applied to encryption 
items, means a foreign-based entity that:
    (a) Has a business need to share the proprietary information with 
one or more U.S. companies; and
    (b) Is contractually bound to the U.S. company (e.g., has an 
established pattern of continuing or recurring contractual relations).
* * * * *
    U.S. subsidiary. As applied to encryption items, means
    (a) A foreign branch of a U.S. company; or
    (b) A foreign subsidiary or entity of a U.S. entity in which:
    (1) The U.S. entity beneficially owns or controls (whether directly 
or indirectly) 25 percent or more of the voting securities of the 
foreign subsidiary or entity, if no other persons owns or controls 
(whether directly or indirectly) an equal or larger percentage; or
    (2) The foreign entity is operated by the U.S. entity pursuant to 
the provisions of an exclusive management contract; or
    (3) A majority of the members of the board of directors of the 
foreign subsidiary or entity also are members of the comparable 
governing body of the U.S. entity; or
    (4) The U.S. entity has the authority to appoint the majority of 
the members of the board of directors of the foreign subsidiary or 
entity; or
    (5) The U.S. entity has the authority to appoint the chief 
operating officer of the foreign subsidiary or entity.

PART 774--[AMENDED]

    14. In Supplement No. 1 to part 774, Category 5--Telecommunications 
and Information Security is amended by revising the License 
Requirements section of ECCNs 5A002 and 5D002 to read as follows:

    5A002 Systems, equipment, application specific ``assemblies'', 
modules or integrated circuits for ``information security'', and 
specially designed components therefor.

[[Page 72167]]

License Requirements

                     Reason for Control: NS, AT, EI
------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

    EI applies to encryption items transferred from the U.S. 
Munitions List to the Commerce Control List consistent with E.O. 
13026 of November 15, 1996 (61 FR 58767) and pursuant to the 
Presidential Memorandum of that date. Refer to Sec. 742.15 of this 
subchapter.
* * * * *
    5D002 Information Security--``Software''.

License Requirements

                     Reason for Control: NS, AT, EI
------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

    EI applies to encryption items transferred from the U.S. 
Munitions List to the Commerce Control List consistent with E.O. 
13026 of November 15, 1996 (61 FR 58767) and pursuant to the 
Presidential Memorandum of that date. Refer to Sec. 742.15 of the 
EAR.

    Note: Encryption software is controlled because of its 
functional capacity, and not because of any informational value of 
such software; such software is not accorded the same treatment 
under the EAR as other ``software''; and for export licensing 
purposes, encryption software is treated under the EAR in the same 
manner as a commodity included in ECCN 5A002. License Exceptions for 
commodities are not applicable.

    Note: Encryption software controlled for EI reasons under this 
entry remains subject to the EAR even when made publicly available 
in accordance with part 734 of the EAR, and it is not eligible for 
the General Software Note (``mass market'' treatment under License 
Exception TSU for mass market software). After a technical review, 
certain encryption software may be released from EI controls and 
made eligible for the General Software Note treatment as well as 
other provisions of the EAR applicable to software. Refer to 
Sec. 742.15(b)(1) of the EAR, and Supplement No. 6 to part 742 of 
the EAR.
* * * * *
    Dated: December 23, 1998.
R. Roger Majak,
Assistant Secretary for Export Administration.
[FR Doc. 98-34669 Filed 12-30-98; 8:45 am]
BILLING CODE 3510-33-P