[Federal Register Volume 67, Number 109 (Thursday, June 6, 2002)]
[Rules and Regulations]
[Pages 38855-38869]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-13990]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774
[Docket No. 020502105-2105-01]
RIN 0694-AC61
Revisions and Clarifications to Encryption Controls in the Export
Administration Regulations--Implementation of Changes in Category 5,
Part 2 (``Information Security''), of the Wassenaar Arrangement List of
Dual-Use Goods and Other Technologies
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Interim final rule.
-----------------------------------------------------------------------
SUMMARY: This rule amends the Export Administration Regulations (EAR)
to reflect changes made to the Wassenaar Arrangement List of dual-use
items, and to update and clarify other provisions of the EAR pertaining
to encryption export controls. Consistent with the Wassenaar changes,
Note No. 3 (``Cryptography Note'') to Category 5--part II (Information
Security) of the Commerce Control List (CCL) is amended to allow mass
market treatment for all encryption products, including products with
symmetric algorithms employing key lengths greater than 64-bits, that
previously were not eligible for mass market treatment. As a result,
for the first time, mass market encryption commodities and software
with symmetric key lengths exceeding 64 bits may be exported and
reexported to most destinations without a license under Export Control
Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day
review by the Bureau of Industry and Security (BIS) (formerly the
Bureau of Export Administration (BXA)). In addition, this rule, for the
first time, allows equipment controlled under ECCN 5B002 to be exported
and reexported under License Exception ENC. For all other information
security items, including encryption source code that would be
considered publicly available, this rule updates and clarifies existing
notification, review, licensing and post-export reporting requirements.
Restrictions on exports and reexports of encryption items to terrorist-
supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria), their nationals and other sanctioned persons (individuals and
entities) are not changed by this rule.
DATES: This rule is effective June 6, 2002.
FOR FURTHER INFORMATION CONTACT: Norman E. LaCroix, Office of Strategic
Trade and Foreign Policy Controls, Bureau of Industry and Security,
Telephone: (202) 482-4439.
SUPPLEMENTARY INFORMATION:
Background
On October 19, 2000, the United States updated its encryption
export regulations to provide consistent treatment with regulations
adopted by the European Union (EU) easing export and reexport
restrictions among the 15 EU member states and Australia, Czech
Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland.
Subsequent to the publication of this amendment to the Export
Administration Regulations (EAR), the member nations of the Wassenaar
Arrangement agreed to remove key length restrictions on encryption
hardware and software that is subject to the Cryptography Note (Note
No. 3) to Category 5--part II (Information Security) of the Commerce
Control List (CCL). This action effectively removed ``mass market''
encryption products from the list of dual-use items controlled by the
Wassenaar Arrangement.
The U.S. encryption export control policy continues to rest on
three principles: review of encryption products prior to sale,
streamlined post-export reporting, and license review of certain
exports of strong encryption to foreign government end-users.
Consistent with these principles, this amendment updates the U.S.
encryption export control policy in several areas.
For ``mass market'' encryption hardware and software products, this
rule removes Encryption Item (``EI'') and
[[Page 38856]]
National Security (``NS'') controls on such products after a 30-day
review. As a result of the removal of these controls, these items may be
exported without regard to any post-shipment reporting requirements. In
addition, the standard de minimis treatment for foreign products
containing such encryption products applies, i.e., exports from a foreign
country of foreign-made products containing 25 percent or less of
controlled U.S. content are not subject to the EAR, except to embargoed
and designated terrorist supporting countries. For other encryption
items, this rule clarifies the existing provisions under License
Exceptions ENC and TSU. In addition, this rule clarifies existing
review requirements for certain encryption items such as commercial
encryption products that implement elliptic curve cryptography, perform
short-range wireless functions, or incorporate encryption source code
that would be considered publicly available. Finally, this rule amends
the EAR by adding new paragraph headers, updating cross-references
between relevant sections of the EAR, and restructuring existing
provisions for clarity.
This rule does not change any other existing licensing requirements
for encryption items, including encryption technology and items that
provide an open cryptographic interface (OCI).
This action will continue to protect our national security and
foreign policy interests without impairing the ability of U.S.
companies to compete effectively in global markets. It also will
promote secure electronic commerce and privacy, and help to protect our
critical infrastructure.
The EAR is amended as follows:
1. Revised instructions for submitting encryption items for review
to determine eligibility under License Exception ENC or for ``mass
market'' treatment. Except to embargoed or designated terrorist
supporting countries and sanctioned persons, you may be able to export
and reexport your encryption item without a license, after your item is
reviewed by the Bureau of Industry and Security (BIS) and the ENC
Encryption Request Coordinator. For encryption items under License
Exception ENC, and for mass market encryption products with symmetric
key length exceeding 64 bits, a review request must contain: (1) A
completed BIS-748P hardcopy form or an equivalent electronic SNAP form
(both capture general information about the review request, such as the
name of the item, manufacturer, ECCN and a brief commodity
description), and (2) support documentation containing technical
specifications of the item, including answers to the questions set
forth in Supplement No. 6 to part 742. To clarify that separate
classification by BIS is not required, previous references to
``classification'' in Secs. 732.2, 732.3, 734.4, 740.17, 742.15,
Supplement No. 6 to Part 742, 748.3 and 770.2 are revised to read
``review''. Exporters are instructed to insert the phrase ``Mass market
encryption'' or ``License Exception ENC'' (whichever is applicable) in
Block 9 (``Special Purpose'') of the application form. Failure to
insert the appropriate phrase may delay receipt of your request by BIS.
(For compatibility with current application processing systems,
exporters should continue to place an ``X'' in the box marked
``Classification Request'' in Block 5: ``Type of Application''.) A copy
of your review request must also be sent to the ENC Encryption Request
Coordinator, via courier or mail. Insufficient or missing documentation
may delay or interrupt your authority to export and reexport your
encryption item. A fax number is now published for review requests
submitted to BIS via SNAP. Refer to Supplement No. 6 to part 742 and
Secs. 740.17(d), 742.15(b)(2) and 748.3(d) for information on
submitting encryption review requests.
2. Clarification of review and notification requirements. Except as
elsewhere specified in the EAR, a license or review by BIS is required
for encryption items with symmetric key length exceeding 64 bits. In
multiple sections, the EAR is amended to clarify when a review or
notification is (or is not) required.
a. Clarification of when no review or notification is required. i.
U.S. companies and subsidiaries. Items controlled under Category 5--
part II of the Commerce Control List (ECCNs 5A002, 5B002, 5D002, 5E002,
5A992, 5D992 and 5E992) may be exported and reexported, without review
or notification, to U.S. companies and their subsidiaries for internal
use, including the development of new products inside and outside the
United States by their employees, contractors and interns. Existing
restrictions on exports and reexports of encryption items to the
countries and foreign nationals of Cuba, Iran, Iraq, Libya, North
Korea, Syria or Sudan continue to apply. Refer to Secs. 740.17(b)(1)
and 742.15(b)(3)(i) of the EAR. Exports and reexports to foreign
companies with subsidiary locations in the United States, and to
foreign strategic partners of U.S. companies, will continue to be
favorably considered under a license or an Encryption Licensing
Arrangement (ELA). Refer to Sec. 742.15(a) of the EAR.
ii. Certain short-range wireless items. No review or notification
is required for short-range wireless products (e.g. with an operating
range typically not exceeding 100 meters) that qualify as ``mass
market'' and are only controlled under Category 5--part II of the CCL
because they incorporate parts or components with encryption
functionality specified and limited to short-range wireless functions
based on such commercial standards as Bluetooth, Home Radio Frequency
(HomeRF) and IEEE 802.11b (``WiFi''). This provision for mass market
products is found in Sec. 742.15(b)(3)(ii). A similar existing
provision for ``retail'' short-range wireless products continues under
License Exception ENC. See Sec. 740.17(b)(3)(iii)(H).
iii. Certain items with limited use of cryptography. This rule
clarifies that no review or notification is required for information
security items which employ limited forms of cryptography, but which do
not perform encryption functions (including key management) controlled
for ``EI'' reasons under ECCNs 5A002, 5D002 or 5E002. These items are
controlled under ECCNs 5A992, 5D992 and 5E992, regardless of bit length
or whether they are ``mass market''. See Sec. 742.15(b)(3)(iii). Such
items include items with cryptographic functions limited to
authentication (including secure hash functions and message
authentication codes) or digital signature, execution of copy protected
software, commercial civil cellular telephones not capable of end-to-
end encryption, and ``finance specific'' items specially designed and
limited for banking use or money transactions (e.g. highly field-
formatted with validation procedures and not easily diverted to other
end-uses). Refer to the Related Controls and Technical Notes under ECCN
5A002 in the CCL (part 774 of the EAR) for a complete list of
commodities.
Note: Previous references specific to ``finance specific'' items
under the ``retail'' provisions of License Exception ENC are removed
for clarity (Sec. 740.17(b)(3)). Products which may have end uses
related to financial operations (e.g. supply chain management), but
which are not limited by design to banking use or money
transactions, remain subject to ``EI'' controls under ECCNs 5A002
and 5D002 and continue to be eligible for export and reexport as
``retail'' encryption commodities and software, after review by BIS
under License Exception ENC.
b. Clarification of when a review is required. i. Review under
License Exception ENC. Encryption items controlled under ECCNs 5A002,
5D002 and 5E002, and equipment controlled under ECCN 5B002, require
review by BIS prior to export and reexport under
[[Page 38857]]
the updated provisions of License Exception ENC (Sec. 740.17 of the
EAR). Once BIS receives the information required for review (as
described in Supplement No. 6 to part 742 of the EAR), you may export
and reexport all such items (except cryptanalytic items to government
end-users) to organizations and companies located or headquartered in
the European Union plus eight additional countries. See Sec. 740.17(a).
Thirty days after BIS registers your review request, you may export and
reexport any encryption item, except those which provide an open
cryptographic interface (OCI), to any non-government end-user except
those in Cuba, Iran, Iraq, Libya, North Korea, Syria or Sudan. In
addition, commodities and software that do not qualify as ``mass
market'' but which qualify as ``retail'' may be exported and reexported
to government end-users, once so authorized by BIS. See
Sec. 740.17(b)(3) of the EAR for the treatment of ``retail'' encryption
commodities and software, and Sec. 740.17(b)(2) for commodities and
software that are not eligible as retail. Products not eligible as
retail require a license to government end-users, except as authorized
under Sec. 740.17(a). Encryption technology controlled under ECCN 5E002
and items which provide an OCI are not authorized for export or
reexport under Sec. 740.17(b)(2) or (b)(3) and require a license to any
end-user outside the countries listed in Supplement No. 3 to part 740.
Exports and reexports of products reviewed by BIS under License
Exception ENC may require reporting, as described in Sec. 740.17(e).
License Exception ENC is amended with new paragraph headers and updated
text, for clarity.
ii. Review for mass market encryption products exceeding 64 bits.
Encryption commodities and software that qualify for ``mass market''
treatment under the Cryptography Note (Note 3) to part II of Category 5
of the CCL, and which implement encryption with symmetric key length
exceeding 64-bits, require review by BIS prior to export and reexport.
These No License Required (NLR) products are removed from ``EI'' and
``NS'' controls, are controlled under ECCNs 5A992 and 5D992, and remain
subject to the EAR. Similar to encryption items under License Exception
ENC, you may immediately export and reexport >64 bit mass
market encryption products to organizations and companies located or
headquartered in the European Union plus eight additional countries.
Thirty days after BIS receives your review request, you may export and
reexport your mass market encryption product to any end-user (except
embargoed or designated terrorist supporting countries and sanctioned
persons), without post-export reporting or additional national security
review for de minimis eligibility. All existing restrictions and
licensing requirements to embargoed or designated terrorist supporting
countries (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) and
sanctioned persons are continued by this amendment. Posting of mass
market encryption software on the Internet (e.g., FTP or World Wide Web
site) where it may be downloaded by anyone would not establish
``knowledge'' of a prohibited export or reexport. In addition, such
posting would not trigger ``red flags'' necessitating the affirmative
duty to inquire under the ``Know Your Customer'' guidance provided in
Supplement No. 3 to part 732 of the EAR. See Sec. 742.15(b)(2) and
Supplement No. 6 to part 742 of the EAR for requirements, procedures
and instructions for requesting review. See Secs. 734.2, 734.3, 734.7,
734.8, 734.9, 740.13, 740.13(d) and 742.15(b) for other revisions to
the EAR which reflect these changes in ECCN and reasons for control for
>64 bit mass market encryption commodities and software.
c. Clarification of when a notification is required. i. Encryption
source code that would be considered publicly available, and
corresponding object code. This rule simplifies U.S. export treatment
of encryption source code that would be considered publicly available,
by allowing all such source code (and corresponding object code) to be
exported and reexported under License Exception TSU once notification
(or a copy of the source code) is provided to BIS, regardless of
whether a fee or royalty is charged for the commercial production or
sale of products developed using this software. Refer to
Sec. 740.13(e). This rule further clarifies that these license
exception provisions do not extend to any encryption software that has
not been made publicly available, including such encryption software
that incorporates or is specially designed to use publicly available
encryption software components (ref: Sec. 740.13(e) (3)). Such
encryption software may instead be exported and reexported under
License Exception ENC, subject to the terms and conditions set forth in
Sec. 740.17 of the EAR. See Secs. 740.17(b)(2)(ii) and (iii) for
specific provisions relating to such encryption source code and general
purpose toolkits. Previous references to commercial encryption source
code under License Exception ENC (i.e., Sec. 740.17(b)(4) prior to this
amendment) are subsumed by these streamlined and clarified provisions
of the EAR.
ii. 56 bit encryption items (including 512-bit asymmetric and 112-
bit elliptic curve algorithms), and mass market encryption products not
exceeding 64 bits. This rule clarifies that, in addition to mass market
encryption commodities and software with key lengths not exceeding 64
bits for the symmetric algorithm, other encryption items with key
lengths not exceeding 56 bits for symmetric algorithms, 512 bits for
asymmetric key exchange algorithms, and 112 bits for elliptic curve
algorithms may be immediately exported and reexported No License
Required (except to embargoed or designated terrorist supporting
countries and sanctioned persons), upon notification to BIS. See
Sec. 742.15(b)(1).
The EAR is further amended by the following revisions:
3. Clarification of beta test software requirements in License
Exception TMP. In Sec. 740.9 (Temporary imports, exports and reexports
(TMP)), existing provisions for beta test encryption software are
restructured for clarity, and new paragraph headings are added.
4. Clarification of License Exception ENC requirements. In
Sec. 740.17 (Encryption Commodities and Software (ENC)), existing
provisions are restructured for clarity, and new paragraph headings are
added. Subject to the terms and conditions set forth therein, License
Exception ENC applies to encryption items that do not qualify for
``mass market'' treatment.
a. Sec. 740.17(a) (Exports and reexports to countries listed in
Supplement 3 to part 740) is revised to allow the export and reexport
of equipment controlled under ECCN 5B002 to the European Union plus
eight additional countries, under License Exception ENC. Now, all items
controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, except
cryptanalytic items to government end-users, are eligible under this
provision of the EAR. This includes items that provide an open
cryptographic interface (OCI).
b. Sec. 740.17(b)(1) (Encryption items for U.S. subsidiaries) is
revised to allow equipment controlled under ECCN 5B002 to U.S.
companies and their subsidiaries under License Exception ENC. All items
controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, including those
which provide an OCI, are eligible under this provision without review
or notification.
c. Sec. 740.17(b)(2) (Encryption commodities and software to non-
government end-users) is revised for
[[Page 38858]]
clarity. All items controlled under ECCNs 5A002, 5B002 and 5D002,
except items that provide an OCI, may be exported to non-government
end-users 30 days after BIS receives a completed review request. This
includes network infrastructure products, encryption source code
(immediately eligible once the review request, including a copy of the
source code, is submitted), general purpose toolkits, cryptanalytic
items, and other items that do not qualify for ``mass market'' or
``retail'' treatment. This amendment also clarifies that the EAR
imposes no additional restrictions on Internet and telecommunications
service providers. Exports and reexports of network infrastructure
commodities, software and technology to government end-users outside
the countries listed in Supplement No. 3 to part 740 continue to
require a license.
d. Sec. 740.17(b)(3) (Retail encryption commodities, software and
components to government and non-government end-users) is revised and
restructured for clarity. New paragraph headers are added, and existing
provisions are consolidated. This paragraph clarifies that the
following are among the examples of encryption products eligible for
retail treatment under License Exception ENC:
i. Encryption commodities and software (including key management
products) with key lengths not exceeding 64 bits for symmetric
algorithms, 1024 bits for asymmetric algorithms, and 160 bits for
elliptic curve algorithms (see Sec. 740.17(b)(3)(ii)(A));
ii. Encryption commodities and software which are limited to
allowing foreign-developed encryption products to operate with U.S.
products, or which activate encryption functions in other retail
products (when the encryption would otherwise remain inoperable,
``dormant'' or disabled) (see Secs. 740.17(b)(3)(ii)(C)-(D));
iii. Low-end virtual private networking (VPN) equipment (e.g. with
encrypted throughput not exceeding 10 Mbps, or supporting no more than
100 concurrent encrypted tunnels) (see Sec. 740.17(b)(3)(iii)(C));
iv. Applets and web portal software implementing Secure Socket
Layer (SSL) encryption (see Sec. 740.17(b)(3)(iii)(F));
v. Network and security management products designed for, bundled
with, or pre-loaded on single CPU computers, low-end servers or retail
networking products (see Sec. 740.17(b)(3)(iii)(G)); and
vi. Short-range wireless components and software (e.g. with an
operating range typically not exceeding 100 meters) based on such commercial
standards as Bluetooth, Home Radio Frequency (HomeRF) and IEEE 802.11b
(``WiFi'') (see Sec. 740.17(b)(3)(iii)(H));
e. In Sec. 740.17(b)(4), previous provisions regarding commercial
encryption source code are now subsumed by updated provisions for:
i. Encryption source code (and corresponding object code) which
would be considered publicly available (refer to Sec. 740.13(e) of the
EAR); and
ii. Encryption source code which would not be considered publicly
available (i.e., ``company proprietary'' encryption source code). See
Sec. 740.17(b)(2)(ii).
This paragraph (b)(4) now cross-references the de minimis
provisions of Sec. 734.4 for encryption items controlled under ECCNs
5A002 and 5D002.
f. Previous references to cryptographic interfaces in former
Sec. 740.17(b)(5) are now incorporated into the general provisions of
License Exception ENC. See Sec. 740.17(a) for cryptographic interface
items to the European Union plus eight additional countries, and refer
to Sec. 740.17(b)(1) for U.S. subsidiaries. Products which are used to
establish a closed cryptographic interface (e.g. signing) continue to
be treated as ``retail'' (see Sec. 740.17(b)(3)(ii)(C)).
g. In Sec. 740.17(c) (Reexports and transfers), this rule clarifies
that foreign-developed products which are designed to operate with U.S.
products through a cryptographic interface are subject to the EAR, but
do not require review by BIS.
h. In Sec. 740.17(d) (Review requirement), instructions and
procedures for submitting review requests for encryption items under
License Exception ENC are updated and clarified.
i. In Secs. 740.17(d)(2) and (3)(i), existing grandfathering and
key length increase provisions are revised, for clarity and consistency
with Secs. 740.17(a), (b)(2) and (b)(3).
j. Sec. 740.17(e) (Reporting requirements) is restructured for
clarity. This rule clarifies that the requirements to report foreign
products developed from U.S. source code and toolkits apply only if you
know when the foreign product is made available for commercial sale.
See Sec. 740.17(e)(3). The previous reporting exemption for ``finance-
specific products'' is removed from this section, to clarify that these
products may be exported and reexported (except to embargoed or
designated terrorist supporting countries and sanctioned persons) under
ECCNs 5A992 and 5D992, without review by BIS. Refer to
Sec. 742.15(b)(3)(iii). This clarification is made for consistency with
the Wassenaar Arrangement list of dual-use items. Reporting exemptions
previously listed under Sec. 740.17(e)(1) are now listed under
Sec. 740.17(e)(4).
5. Clarification of licensing requirements and policies for
encryption items. In Sec. 742.15(a) (Licensing requirements and
policy), existing U.S. licensing requirements and licensing policy
provisions, including those pertaining to encryption items under
Encryption Licensing Arrangements, are consolidated into clarified
provisions Sec. 742.15(a)(1)(i) (Licensing requirements) and
Sec. 742.15(a)(1)(ii) (Licensing policy).
6. Clarification of notification and review requirements for
encryption items controlled under ECCN 5A992, 5D992, or 5E992.
Sec. 742.15(b) (Notification and review requirements for encryption
items controlled under ECCNs 5A992, 5D992 and 5E992) clarifies when
notification or review is required for encryption items not controlled
for ``EI'' and ``NS'' reasons under ECCNs 5A002, 5D002 or 5E002.
i. In Sec. 742.15(b)(1), notification requirements for certain
encryption items with restricted bit lengths are clarified.
ii. In Sec. 742.15(b)(2), review requirements for >64 bit
mass market encryption products are established.
iii. In Sec. 742.15(b)(3), transactions and items which do not
require review or notification are described.
iv. Sec. 742.15(b)(4) clarifies that commodities, software and
components which activate encryption functions in 56-bit or mass-market
products (when the encryption would otherwise remain inoperable,
``dormant'' or disabled), are also controlled under ECCNs 5A992 and
5D992. Commodities and software that ``activate'' dormant 56-bit
encryption require notification under Sec. 742.15(b)(1), while
commodities and software that ``enable'' mass market products to
perform encryption exceeding 64 bits for the symmetric algorithm
require review under Sec. 742.15(b)(2).
Note: ``Activation'' commodities and software that enable ``EI''
controlled encryption functionality (e.g. 128-bit encryption of
network infrastructure data communications) are controlled under
ECCNs 5A002 and 5D002, and require review under License Exception
ENC. Refer to Sec. 740.17 of the EAR. Note that, once an encryption
item is activated with ``EI'' controlled encryption functionality,
the item is controlled under ECCN 5A002 (if hardware) or 5D002 (if
software) and may no longer be exported No License Required under
ECCNs 5A992 or 5D992.
v. In Sec. 742.15(b)(5), an illustrative, but by no means
exhaustive, list of mass market encryption products is provided.
[[Page 38859]]
7. Clarification of documentation requirements for submitting
review requests for encryption items. In Supplement No. 6 to part 742
(Guidelines for Submitting Support Documentation Required for Review
Requests for Encryption Items), instructions to exporters are updated
and clarified. Exporters are instructed to insert the appropriate
phrase ``Mass market encryption'' or ``License Exception ENC'' in Block
9 (``Special Purpose'') of the review request. (For compatibility with
current application processing systems, exporters should continue to
place an ``X'' in the box marked ``Classification Request'' in Block 5:
``Type of Application''.) Support documentation described in this
Supplement is required for the review of encryption items.
8. Clarification to distinguish encryption review requests from
classification requests. In Sec. 748.3 (Classification Requests, Review
Requests and Advisory Opinions), existing paragraph (b)(3) is removed
and replaced with a new paragraph (d) (``Review requests for encryption
items''), to clarify that the process for reviewing encryption items by
BIS, in conjunction with the ENC Encryption Request Coordinator,
obviates the need for separate classification by BIS.
9. Definition of ``cryptanalytic items'' clarified. In Sec. 772.1
(Definition of Terms), the definition of ``cryptanalytic items'' is
updated to incorporate the previous EAR definition of ``cryptanalytic
functions''. A technical note is also added to clarify that
``cryptanalytic items'' does not include software designed and limited
to protect against malicious computer damage or unauthorized system
intrusion (e.g., viruses, worms and trojan horses). Such software is
controlled under ECCN 5D992.c.
10. Revisions to the Cryptography Note and to the explanatory notes
in ECCN 5D002. In Supplement No. 1 to part 774 (the Commerce Control
List), the previous 64 bit restriction to the Cryptography Note (Note
3) to Category 5--part II is removed, consistent with the Wassenaar
Arrangement list of dual-use items. Explanatory notes to ECCN 5D002
``Information Security--Software'' are updated, for consistency with
the other revised sections of this amendment.
Rulemaking Requirements
1. This rule has been determined to be not significant for purposes
of Executive Order 12866.
2. Notwithstanding any other provision of law, no person is
required to respond to, nor shall any person be subject to a penalty
for failure to comply with, a collection of information subject to the
requirements of the Paperwork Reduction Act, unless that collection of
information displays a currently valid OMB Control Number. This rule
involves collections of information subject to the requirements of the
Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These
collections have been approved by the Office of Management and Budget
under Control Numbers 0694-0088, ``Multi-Purpose Application,'' and
0694-0104, ``Commercial Encryption Items Transferred from the
Department of State to the Department of Commerce.'' Collection 0694-
0088 carries a burden hour estimate of 45 minutes per manual submission
and 40 minutes per electronic submission. Miscellaneous and
recordkeeping activities account for 12 minutes per submission. For
collection 0694-0104, it is estimated that companies will take 5
minutes to complete notifications for source code under License
Exception TSU. It will take companies 15 minutes to complete upgrade
notifications. For reporting under License Exception ENC and licenses
for encryption items, it will take companies 8 hours to complete semi-
annual reporting requirements. Send comments regarding these burden
estimates or any other aspect of these collections of information,
including suggestions for reducing the burden, to OMB Desk Officer, New
Executive Office Building, Washington, DC 20503; and to the Regulatory
Policy Division, Bureau of Industry and Security, Department of
Commerce, P.O. Box 273, Washington, DC 20044.
3. This rule does not contain policies with Federalism implications
as that term is defined in Executive Order 13132.
4. The provisions of the Administrative Procedure Act (5 U.S.C.
553) requiring notice of proposed rulemaking, the opportunity for
public participation, and a delay in effective date, are inapplicable
because this regulation involves a military and foreign affairs
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no
other law requires that a notice of proposed rulemaking and an
opportunity for public comment be given for this interim final rule.
Because a notice of proposed rulemaking and an opportunity for public
comment are not required to be given for this rule under 5 U.S.C. 553
or by any other law, the analytical requirements of the Regulatory
Flexibility Act (5 U.S.C. 601 et seq.) are not applicable.
Therefore, this regulation is issued in interim final form.
Although there is no formal comment period, public comments on this
regulation are welcome on a continuing basis. Comments should be
submitted to Willard Fisher, Regulatory Policy Division, Bureau of
Industry and Security, U.S. Department of Commerce, Room 2705, 14th
Street and Pennsylvania Avenue, NW., Washington, DC 20230.
List of Subjects
15 CFR Parts 732, 740, and 748
Administrative practice and procedure, Exports, Foreign trade,
Reporting and recordkeeping requirements.
15 CFR Parts 734 and 738
Administrative practice and procedure, Exports, Foreign trade.
15 CFR Parts 742, 770, and 772
Exports, Foreign trade.
15 CFR Part 774
Exports, Foreign trade, Reporting and recordkeeping requirements.
Accordingly, Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774
of the Export Administration Regulations (15 CFR Parts 730-799) are
amended as follows:
1. The authority citation for 15 CFR Part 732 is revised to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, August 22, 2001.
1a. The authority citation for 15 CFR Parts 740 and 748 continues
to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, August 22, 2001.
2. The authority citation for 15 CFR Part 734 continues to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 12938, 59 FR 59099, 3 CFR 1994 Comp., p. 950; E.O. 13020, 61 FR
54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001; Notice
of November 9, 2001, 66 FR 56965, November 13, 2001.
3. The authority citation for 15 CFR Part 738 continues to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C.
287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s),
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C.
app. 466c; 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec.
221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p.
228; E.O. 13222, 66 FR 44025, August 22, 2001.
4. The authority citation for 15 CFR Part 742 continues to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a;
Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 12058,
43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3
CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp.,
p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O.
13222, 66 FR 44025, August 22, 2001; Notice of November 9, 2001, 66
FR 56965, November 13, 2001.
5. The authority citation for 15 CFR Part 770 continues to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, August 22, 2001.
5a. The authority citation for 15 CFR Part 772 is revised to read
as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, August 22, 2001.
6. The authority citation for 15 CFR Part 774 continues to read as
follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C.
287(c); 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s),
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C.
app. 466(c); 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec.
221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p.
228; E.O. 13222, 66 FR 44025, August 22, 2001.
PART 732--[AMENDED]
7. Section 732.2 is amended by revising the introductory text of
paragraph (d) to read as follows:
Sec. 732.2 Steps regarding scope of the EAR.
* * * * *
(d) Step 4: Foreign-made items incorporating less than the de
minimis level of U.S. parts, components, and materials. This step is
appropriate only for items that are made outside the United States and
not currently in the United States. Note that the following encryption
items are subject to the EAR even if they incorporate less than the de
minimis level of U.S. content: encryption items controlled for ``EI''
reasons under ECCN 5A002, 5D002 or 5E002 on the Commerce Control List
(Supplement No. 1 to Part 774 of the EAR) and mass market encryption
commodities and software, described in the Cryptography Note (Note 3)
in Category 5--Part 2 (``Information Security'') of the Commerce
Control List, that have not been reviewed by BIS and released from the
``EI'' and ``NS'' controls of ECCN 5A002 or 5D002 in accordance with
the requirements described in Sec. 742.15(b)(2) of the EAR. Exporters
may, as part of a review request, ask that certain 5A002 and 5D002
parts, components and software also be made eligible for de minimis
treatment (see Sec. 734.4(b) of the EAR). The review of de minimis
eligibility will take into account U.S. national security interests.
* * * * *
8. Section 732.3 is amended by revising paragraph (e)(2) to read as
follows:
Sec. 732.3 Steps regarding the ten general prohibitions.
* * * * *
(e) * * *
(2) Guidance for calculations. For guidance on how to calculate the
U.S.-controlled content, refer to Supplement No. 2 to part 734 of the
EAR. Note that under certain rules issued by the Office of Foreign
Assets Control, certain exports from abroad by U.S.-owned or controlled
entities may be prohibited notwithstanding the de minimis provisions of
the EAR. In addition, the de minimis exclusions from the parts and
components rule do not relieve U.S. persons of the obligation to
refrain from supporting the proliferation of weapons of mass-
destruction and missiles as provided in General Prohibition Seven (U.S.
Person Proliferation Activity) described in Sec. 736.2(b)(7) of the
EAR. Note that foreign-made items that incorporate U.S.-origin items
controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 on the
Commerce Control List (Supplement No. 1 to Part 774 of the EAR) are
subject to the EAR even if they incorporate less than the de minimis
level of U.S. content. However, exporters may, as part of a review
request, ask that certain 5A002 and 5D002 parts, components and
software also be made eligible for de minimis treatment (see
Sec. 734.4(b) of the EAR).
* * * * *
PART 734--[AMENDED]
9. Section 734.2 is amended by revising paragraph (b)(9)(ii) and
the introductory text of paragraph (b)(9)(iii) to read as follows:
Sec. 734.2 Important EAR terms and principles.
* * * * *
(b) * * *
(9) * * *
(i) * * *
(ii) The export of encryption source code and object code software
controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control
List (see Supplement No. 1 to part 774 of the EAR) includes
downloading, or causing the downloading of, such software to locations
(including electronic bulletin boards, Internet file transfer protocol,
and World Wide Web sites) outside the U.S., or making such software
available for transfer outside the United States, over wire, cable,
radio, electro-magnetic, photo optical, photoelectric or other
comparable communications facilities accessible to persons outside the
United States, including transfers from electronic bulletin boards,
Internet file transfer protocol and World Wide Web sites, unless the
person making the software available takes precautions adequate to
prevent unauthorized transfer of such code. See Sec. 740.13(e) of the
EAR for notification requirements for exports or reexports of
encryption source code and object code software considered to be
publicly available consistent with the provisions of Sec. 734.3(b)(3)
of the EAR.
(iii) Subject to the General Prohibitions described in part 736 of
the EAR, such precautions for Internet transfers of products eligible
for export under Sec. 740.17 (b)(2) of the EAR (encryption software
products, certain encryption source code and general purpose encryption
toolkits) shall include such measures as:
* * * * *
10. Section 734.3 is amended by revising paragraph (b)(3)
introductory text to read as follows:
Sec. 734.3 Items subject to the EAR.
* * * * *
(b) * * *
(3) Publicly available technology and software, except software
controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control
List and mass market encryption software with symmetric key length
exceeding 64-bits controlled under ECCN 5D992, that:
* * * * *
11. Section 734.4 is amended by revising paragraph (b) to read as
follows:
Sec. 734.4 De minimis U.S. content.
* * * * *
(b) There is no de minimis level for foreign-made items that
incorporate U.S.-origin items controlled for ``EI'' reasons under ECCN
5A002, 5D002 or 5E002 on the Commerce Control List (Supplement No. 1 to
Part 774 of the EAR). However, exporters may, as part of an encryption
review request, ask that software controlled under ECCN 5D002 and
eligible for export under the ``retail'' or ``source code'' provisions
of license exception ENC, and parts and components controlled under
ECCN 5A002, be made eligible for de minimis
treatment. The review of de minimis eligibility will take U.S. national
security interests into account. Certain encryption items controlled
under ECCNs 5A992, 5D992 and 5E992 are not eligible for de minimis
treatment, unless exporters have complied with the applicable
notification or review requirements described in Sec. 742.15(b)(1) and
(b)(2) of the EAR. Encryption items controlled by ECCN 5A992, 5D992 or
5E992 and described in Sec. 742.15(b)(3) of the EAR are not subject to
these notification or review requirements.
* * * * *
12. Section 734.7 is amended by revising paragraph (c) to read as
follows:
Sec. 734.7 Published information and software.
* * * * *
(c) Notwithstanding paragraphs (a) and (b) of this section, note
that encryption software controlled under ECCN 5D002 for ``EI'' reasons
on the Commerce Control List and mass market encryption software with
symmetric key length exceeding 64-bits controlled under ECCN 5D992
remain subject to the EAR. See Sec. 740.13(e) of the EAR for certain
exports and reexports under license exception.
13. Section 734.8 is amended by revising paragraph (a) to read as
follows:
Sec. 734.8 Information resulting from fundamental research.
(a) Fundamental research. Paragraphs (b) through (d) of this
section and Sec. 734.11 of this part provide specific rules that will
be used to determine whether research in particular institutional
contexts qualifies as ``fundamental research''. The intent behind these
rules is to identify as ``fundamental research'' basic and applied
research in science and engineering, where the resulting information is
ordinarily published and shared broadly within the scientific
community. Such research can be distinguished from proprietary research
and from industrial development, design, production, and product
utilization, the results of which ordinarily are restricted for
proprietary reasons or specific national security reasons as defined in
Sec. 734.11(b) of this part. (See Supplement No. 1 to this part,
Question D(8)). Note that the provisions of this section do not apply
to encryption software controlled under ECCN 5D002 for ``EI'' reasons
on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)
or to mass market encryption software with symmetric key length
exceeding 64-bits controlled under ECCN 5D992. See Sec. 740.13(e) of
the EAR for certain exports and reexports under license exception.
* * * * *
14. Section 734.9 is revised to read as follows:
Sec. 734.9 Educational Information.
``Educational information'' referred to in Sec. 734.3(b)(3)(iii) of
this part is not subject to the EAR if it is released by instruction in
catalog courses and associated teaching laboratories of academic
institutions. Dissertation research is discussed in Sec. 734.8(b) of
this part. (Refer to Supplement No. 1 to this part, Question C(1)
through C(6)). Note that the provisions of this section do not apply to
encryption software controlled under ECCN 5D002 for ``EI'' reasons on
the Commerce Control List or to mass market encryption software with
symmetric key length exceeding 64-bits controlled under ECCN 5D992. See
Sec. 740.13(e) of the EAR for certain exports and reexports under
license exception.
15. Section 738.4 is amended by revising paragraph (a)(2)(ii)(B) to
read as follows:
Sec. 738.4 Determining whether a license is required.
(a) * * *
(2) * * *
(ii) * * *
(B) If no, a license is not required based on the particular Reason
for Control and destination. Provided that General Prohibitions Four
through Ten do not apply to your proposed transaction and that any
applicable notification or review requirements described in
Sec. 742.15(b)(1) and (b)(2) of the EAR have been met for certain
encryption items controlled under ECCNs 5A992, 5D992 and 5E992, you may
effect your shipment using the symbol ``NLR''. Proceed to parts 758 and
762 of the EAR for information on export clearance procedures and
recordkeeping requirements. Note that although you may stop after
determining a license is required based on the first Reason for
Control, it is best to work through each applicable Reason for Control.
A full analysis of every possible licensing requirement based on each
applicable Reason for Control is required to determine the most
advantageous License Exception available for your particular
transaction and, if a license is required, ascertain the scope of
review conducted by BIS on your license application.
* * * * *
PART 740--[AMENDED]
16. Section 740.9 is amended by revising paragraph (c) to read as
follows:
Sec. 740.9 Temporary imports, exports and reexports (TMP).
* * * * *
(c) Exports of beta test software. (1) Scope. The provisions of
this paragraph (c) authorize exports and reexports to eligible
countries of beta test software intended for distribution to the
general public.
(2) Eligible countries. Encryption software controlled under ECCN
5D002 is not eligible for export or reexport to Cuba, Iran, Iraq,
Libya, North Korea, Sudan or Syria under the provisions of this
paragraph (c). All other beta test software is eligible for export or
reexport to all destinations, except Cuba, Iran, Iraq, Libya, and Sudan
under the provisions of this paragraph (c).
(3) Eligible software. All software that is controlled by the
Commerce Control List (Supplement No. 1 to part 774 of the EAR), and
under Commerce licensing jurisdiction, is eligible for export and
reexport, subject to the restrictions of this paragraph (c). Encryption
software controlled for ``EI'' reasons under ECCN 5D002 is eligible for
export and reexport under this paragraph (c), provided that the
exporter has submitted the information described in paragraph (c)(8) of
this section by the time of export. Final encryption products produced
by the testing consignee are subject to any applicable provisions in
Sec. 742.15(b)(2) of the EAR (for mass market encryption commodities
and software with symmetric key length exceeding 64-bits) or
Sec. 740.17 of the EAR (License Exception ENC), including review and
reporting requirements.
(4) Conditions for use. Exports or reexports of beta test software
programs under the provisions of this paragraph (c) must meet all of
the following conditions:
(i) The software producer intends to market the software to the
general public after completion of the beta testing, as described in
the General Software Note (see Supplement 2 to part 774 of the EAR) or
the Cryptography Note in Category 5, Part 2 (``Information Security'')
of the Commerce Control List (see Supplement No. 1 to part 774 of the
EAR);
(ii) The software producer provides the software to the testing
consignee free-of-charge or at a price that does not exceed the cost of
reproduction and distribution; and
(iii) The software is designed for installation by the end-user
without
further substantial support from the supplier.
(5) Importer Statement. Prior to exporting or reexporting any
eligible software under this paragraph (c), the exporter or reexporter
must obtain the following statement from the testing consignee, which
may be included in a contract, non-disclosure agreement, or other
document that identifies the importer, the software to be exported, the
country of destination, and the testing consignee.
``We certify that this beta test software will only be used for
beta testing purposes, and will not be rented, leased, sold,
sublicensed, assigned, or otherwise transferred. Further, we certify
that we will not transfer or export any product, process, or service
that is the direct product of the beta test software.''
(6) Use limitations. Only testing consignees that provide the
importer statement required by paragraph (c)(5) of this section may
execute any beta test software that was exported or reexported to them
under the provisions of this paragraph (c).
(7) Return or disposal of software. All beta test software exported
must be destroyed abroad or returned to the exporter within 30 days of
the end of the beta test period as defined by the software producer or,
if the software producer does not define a test period, within 30 days
of completion of the consignee's role in the test. Among other methods,
this requirement may be satisfied by a software module that will
destroy the software and all its copies at or before the end of the
beta test period.
(8) Notification and reporting of beta test encryption software.
(i) Notification. For beta test encryption software eligible under this
license exception, you must submit to BIS, by the time of export, the
information described in paragraphs (a) through (e) of Supplement 6 to
part 742 of the EAR. Submit your notification by email to BIS at
[email protected], and provide a copy of the notification to the ENC
Encryption Request Coordinator at [email protected].
(ii) Reporting. For beta test encryption software eligible under
this license exception, the exporter must submit the names and
addresses of the testing consignees (except names and addresses of
individual consumers) and the name and version of the beta software
consistent with Sec. 740.17(e)(5) of the EAR.
17. Section 740.13 is amended by revising the introductory text, by
revising paragraphs (d)(1) and (d)(2), and by revising paragraph (e) to
read as follows:
Sec. 740.13 Technology and software--unrestricted (TSU).
This license exception authorizes exports and reexports of
operation technology and software; sales technology and software;
software updates (bug fixes); ``mass market'' software subject to the
General Software Note; and encryption source code (and corresponding
object code) that would be considered publicly available under
Sec. 734.3(b)(3) of the EAR. Note that encryption software subject to
the EAR is not subject to the General Software Note (see paragraph
(d)(2) of this section).
* * * * *
(d) General Software Note: ``mass market'' software. (1) Scope. The
provisions of paragraph (d) authorize exports and reexports of ``mass
market'' software subject to the General Software Note (see Supplement
No. 2 to part 774 of the EAR; also referenced in this section).\1\
---------------------------------------------------------------------------
\1\ ``Mass market'' software may fall under the classification
of ``general use'' software for export clearance purposes. Exporters
should consult the Census Bureau FTSR for possible SED requirements.
---------------------------------------------------------------------------
(2) Exclusions. The provisions of this paragraph (d) are not
available for encryption software controlled for ``EI'' reasons under
ECCN 5D002 or for encryption software with symmetric key length
exceeding 64-bits that qualifies as mass market encryption software
under the criteria in the Cryptography Note (Note 3) of Category 5,
Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of
the EAR). (Once such mass market encryption software has been reviewed
by BIS and released from ``EI'' and ``NS'' controls pursuant to
Sec. 742.15(b)(2) of the EAR, it is controlled under ECCN 5D992 and is
thus outside the scope of License Exception TSU.) See Sec. 742.15(b)(2)
of the EAR for exports and reexports of mass market encryption products
controlled under ECCN 5D992.
* * * * *
(e) Encryption source code (and corresponding object code). (1)
Scope. The provisions of paragraph (e) of this section authorize
exports and reexports, without review, of encryption source code
controlled under ECCN 5D002 that would be considered publicly available
under Sec. 734.3(b)(3) of the EAR, and corresponding object code
resulting from the compiling of such source code.
(2) Eligible Software. Encryption source code is eligible for
export and reexport under License Exception TSU, provided that it would
be considered publicly available under Sec. 734.3(b)(3) of the EAR.
Such encryption source code is eligible for License Exception TSU even
if it is subject to an express agreement for the payment of a licensing
fee or royalty for commercial production or sale of any product
developed using the source code. Corresponding object code resulting
from the compiling of such source code is also eligible for License
Exception TSU treatment if such object code would also be considered
publicly available under Sec. 734.3(b)(3) of the EAR.
(3) Restrictions. Encryption software controlled under ECCN 5D002
that would not be considered publicly available, but which incorporates
or is specially designed to use encryption software that would be
considered publicly available, is not eligible for export or reexport
under this paragraph (e).
(4) Country restrictions. You may not knowingly export or reexport
source code, corresponding object code or products developed with this
source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
(5) Notification requirement. You must provide BIS written
notification of the Internet location (e.g., URL or Internet address)
of the source code or a copy of the source code by the time of export.
Submit the notification by email to BIS at [email protected], and
provide a copy of the notification to the ENC Encryption Request
Coordinator at [email protected].
(6) ``Knowledge'' of a prohibited export or reexport. Posting of
source code or corresponding object code on the Internet (e.g., FTP or
World Wide Web site) where it may be downloaded by anyone would not
establish ``knowledge'' of a prohibited export or reexport. See
Sec. 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba,
Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such
posting would not trigger ``red flags'' necessitating the affirmative
duty to inquire under the ``Know Your Customer'' guidance provided in
Supplement No. 3 to part 732 of the EAR.
18. Section 740.17 is revised to read as follows:
Sec. 740.17 Encryption commodities and software (ENC).
License Exception ENC authorizes the export and reexport of
encryption items controlled under ECCN 5A002, 5D002 or 5E002, and
``information security'' test, inspection, and production equipment
controlled under ECCN 5B002. Encryption items exported and reexported
under License Exception ENC remain subject to ``EI'' controls. No
encryption items may be exported or
reexported, under this license exception, to countries listed in
Country Group E:1 of Supplement No. 1 to this Part--this includes
exports and reexports (as defined in Sec. 734.2 of the EAR) of
encryption source code and technology to nationals of these countries.
Review and reporting requirements apply to certain exports under this
license exception (paragraph (d) of this section describes how to
submit encryption items for review; paragraph (e) of this section
describes which exports are subject to reporting requirements). Certain
exports and reexports to government end-users are authorized under
paragraphs (a) and (b)(3) of this section. Section 772.1 of the EAR
defines the term ``government end-user'' as it applies to encryption
items. Section 742.15 of the EAR describes the license requirements and
policies that apply to exports and reexports of encryption items.
(a) Exports and reexports to countries listed in Supplement 3 to
this part. Encryption items controlled under ECCN 5A002, 5D002 or 5E002
(except cryptanalytic items as defined in Part 772 of the EAR), and
``information security'' test, inspection, and production equipment
controlled under ECCN 5B002, are authorized for immediate export and
reexport to government and non-government end-users located in the
countries listed in Supplement 3 to this part 740, subject to the
review requirements described in paragraph (d) of this section.
Cryptanalytic items are authorized to non-government end-users, only,
under this paragraph (a). Encryption items and ``information security''
test, inspection, and production equipment may also be exported or
reexported to any destination eligible under this license exception for
the internal use of foreign subsidiaries or offices of firms,
organizations and governments headquartered in Canada or in countries
listed in Supplement 3 to this part 740. (Note that License Exception
ENC prohibits exports and reexports of encryption source code and
technology to nationals of countries listed in Country Group E:1 of
Supplement No. 1 to this part.) Before you export an item for the first
time under this license exception, you must submit to BIS and the ENC
Encryption Request Coordinator a review request for that item, as
described in paragraph (d) of this section. See paragraph (e) of this
section for applicable semi-annual reporting requirements.
(b) Exports and reexports to all other eligible countries. (1)
Encryption items for U.S. subsidiaries. Exports and reexports of
encryption items controlled under ECCN 5A002, 5D002 or 5E002 and
``information security'' test, inspection, and production equipment
controlled under ECCN 5B002, are authorized under this license
exception, without review, to foreign subsidiaries of U.S. companies
for any end-use not prohibited elsewhere in the EAR. This paragraph
(b)(1) also authorizes exports and reexports by U.S. companies and
their subsidiaries of any such items (including encryption source code
and technology), to foreign nationals working as contractors, interns
or employees of said U.S. companies and their subsidiaries, provided
that the items are for internal company use, including the development
of new products. (Note that License Exception ENC prohibits exports and
reexports of encryption source code and technology to nationals of
countries listed in Country Group E:1 of Supplement No. 1 to this
part). All items produced or developed by U.S. subsidiaries with
encryption commodities, software and technology exported under this
paragraph (b)(1) are subject to the EAR and require review and
authorization before any sale or retransfer outside of the U.S.
company.
(2) Encryption commodities and software to non-government end-
users. Thirty days after registration of a completed review request by
BIS (``registration'' is defined in Sec. 750.4(a)(2) of the EAR),
encryption commodities, software and components controlled under ECCN
5A002 or 5D002 (except such items which provide an open cryptographic
interface, as defined in part 772 of the EAR), and ``information
security'' test, inspection, or production equipment controlled under
ECCN 5B002, are authorized for export or reexport to any individual,
commercial firm or other non-government end-user located outside the
countries listed in Supplement 3 to this part 740. The thirty days may
not include any time that your review request was on hold without
action. To request authorization under the provisions of this paragraph
(b)(2), you must submit to BIS and the ENC Encryption Request
Coordinator a review request as described in paragraph (d) of this
section. See paragraph (e) of this section for applicable semi-annual
reporting requirements. Encryption commodities and software eligible
for export or reexport under this paragraph (b)(2) include, but are not
limited to, the following:
(i) Network infrastructure products, such as high end routers or
switches designed for large volume communications, and specially
designed software, parts, and components thereof (including commodities
and software which activate or enable cryptographic functionality in
network infrastructure products that would otherwise remain disabled);
(ii) Encryption source code that would not be considered publicly
available for export or reexport under License Exception TSU. (You may
immediately export and reexport such encryption source code under
License Exception ENC, provided that you have submitted a review
request, including a copy of your source code, to BIS and the ENC
Encryption Request Coordinator. Note that License Exception ENC
prohibits exports and reexports of encryption source code to countries
listed in Country Group E:1 of Supplement No. 1 to this part, or to
nationals of these countries.);
(iii) General purpose toolkits;
(iv) Cryptanalytic items (as defined in part 772 of the EAR);
(v) Commodities, software and components not otherwise authorized
for export as mass market or retail.
(3) Retail encryption commodities, software and components to
government and non-government end-users. Thirty days after registration
of a completed review request by BIS (``registration'' is defined in
Sec. 750.4(a)(2) of the EAR), retail encryption commodities, software
and components controlled under ECCN 5A002 or 5D002 are authorized for
export and reexport to any individual, commercial firm or other non-
government end-user located outside the countries listed in Supplement
3 to this part 740. The thirty days may not include any time that your
review request was on hold without action. Once BIS has completed its
review and authorizes your encryption commodities, software, and
components for export or reexport as retail encryption items under
License Exception ENC, you may also export or reexport these items to
government end-users. To request authorization under the provisions of
this paragraph (b)(3), you must submit to BIS and the ENC Encryption
Request Coordinator a review request as described in paragraph (d) of
this section. See paragraph (e) of this section for applicable semi-
annual reporting requirements.
(i) Retail eligibility criteria. Retail encryption commodities and
software are products and components:
(A) Generally available to the public by means of any of the
following:
(1) Are sold in tangible form through retail outlets independent of
the manufacturer;
(2) Are specially designed for individual consumer use; or
(3) Are sold or will be sold in large volume, without restriction,
through mail order transactions, electronic transactions, or telephone
call transactions; and
(B) Meeting all of the following:
(1) The cryptographic functionality cannot be easily changed by the
user;
(2) Substantial support is not required for installation and use;
and
(3) The cryptographic functionality has not been modified or
customized to customer specification.
(ii) Additional types of retail encryption products. The following
products will also be considered to be retail encryption products:
(A) Encryption commodities and software (including key management
products) with key lengths not exceeding 64 bits for symmetric
algorithms, 1024 bits for asymmetric key exchange algorithms, and 160
bits for elliptic curve algorithms. (You may immediately export or
reexport such encryption commodities and software as retail items upon
submitting a completed review request to BIS and the ENC Encryption
Request Coordinator, in accordance with the requirements described in
paragraph (d) of this section);
(B) Encryption products and network-based applications that provide
equivalent functionality to other mass market or retail encryption
commodities and software (refer to the Cryptography Note (Note 3) to
part II of Category 5 of the CCL for the definition of mass market
encryption commodities and software);
(C) Encryption products that are limited to allowing foreign-
developed cryptographic products to operate with U.S. products (e.g.
signing). No review of the foreign-developed cryptography is required;
(D) Encryption commodities and software that activate or enable
cryptographic functionality in retail encryption products which would
otherwise remain disabled.
(iii) Examples of eligible retail encryption products: Subject to
the retail eligibility criteria in paragraph (b)(3)(i) of this section,
retail encryption items include, but are not limited to, the following:
(A) General purpose operating systems that do not qualify as mass
market;
(B) Non-programmable encryption chips, and chips that are
constrained by design for retail products;
(C) Retail networking products, such as low-end routers, firewalls,
and virtual private networking (VPN) equipment designed for small
office or home use;
(D) Desktop applications (e.g. e-mail, browsers, games, word
processing, database, financial applications or utilities) that do not
qualify as mass market;
(E) Programmable database management systems and associated
application servers;
(F) Low-end servers and application-specific servers (including
client-server applications, e.g. Secure Socket Layer (SSL)-based web
applications and applets, servers, and portals);
(G) Network and security management products designed for, bundled
with, or pre-loaded on single CPU computers, low-end servers or retail
networking products; and
(H) Short-range wireless components and software that do not
qualify as mass market. Products that would be controlled under ECCN
5A002 or 5D002, only because they incorporate components or software
which provide short-range wireless encryption functions, may be
exported or reexported under the retail provisions of License Exception
ENC, without review or reporting.
(4) Reviews for de minimis eligibility: Items controlled for ``EI''
reasons under ECCN 5A002, 5D002 or 5E002 are not eligible for de
minimis treatment under Sec. 734.4 of the EAR. However, exporters may,
as part of a review request, ask that U.S.-origin retail encryption
software controlled under ECCN 5D002 and U.S.-origin parts and
components controlled under ECCN 5A002, that are incorporated in
foreign-made items, be made eligible for de minimis treatment. The
review of de minimis eligibility for such items will take U.S. national
security interests into account.
(c) Reexports and transfers. U.S. or foreign distributors,
resellers or other entities who are not original manufacturers of
encryption commodities and software are permitted to use License
Exception ENC only in instances where the export or reexport meets the
applicable terms and conditions of this section. Transfers of
encryption items listed in paragraph (b) of this section to government
end-users, or for government end-uses, within the same country are
prohibited, unless otherwise authorized by license or license
exception. Foreign products developed with or incorporating U.S.-origin
encryption source code, components or toolkits remain subject to the
EAR, but do not require review (for encryption reasons) by BIS. These
products can be exported or reexported under License Exception ENC
without notification and without further authorization (for encryption
reasons) from BIS. Such products include foreign-developed products
that are designed to operate with U.S. products through a cryptographic
interface.
(d) Review requirement. (1) Review request procedures. To request
review of your encryption products under License Exception ENC, you
must submit to BIS and to the ENC Encryption Request Coordinator the
information described in paragraphs (a) through (e) of Supplement 6 to
part 742 of the EAR (Guidelines for Submitting Review Requests for
Encryption Items). Review requests must be submitted on Form BIS-748P
(Multipurpose Application), or its electronic equivalent, as described
in Sec. 748.3 of the EAR. To ensure that your review request is
properly routed, insert the phrase ``License Exception ENC'' in Block 9
(Special Purpose) of the application form and place an ``X'' in the box
marked ``Classification Request'' in Block 5 (Type of Application)--
Block 5 does not provide a separate item to check for the submission of
encryption review requests. Failure to properly complete these items
may delay consideration of your review request. Review requests that
are not submitted electronically to BIS should be mailed to the address
indicated in Sec. 748.2(c) of the EAR. See paragraph (e)(5)(ii) of this
section for the mailing address for the ENC Encryption Request
Coordinator. BIS will notify you if there are any questions concerning
your request for review under License Exception ENC (e.g., because of
missing or incomplete support documentation). Once your review has been
completed, BIS will notify you in writing concerning the eligibility of
your products for export or reexport, under the provisions of this
license exception. BIS reserves the right to suspend your eligibility
to export and reexport under License Exception ENC and to return your
review request without action, if you have not met the review
requirements. You may not export or reexport retail encryption
commodities, software and components under this license exception to
government end-users headquartered outside of Canada and the countries
listed in Supplement 3 to this part 740, unless you have received prior
authorization from BIS.
(2) Grandfathering. Encryption commodities, software, parts or
components (except cryptanalytic items) previously approved for export
may be exported or reexported without further review to government and
non-government end-users in countries listed in Supplement 3 to this
part 740, and to any non-government end-user outside the countries
listed in
[[Page 38865]]
Supplement 3 to this part 740 (except items which provide an open
cryptographic interface as defined in part 772 of the EAR). This
includes products approved under a license, an Encryption Licensing
Arrangement, or classified as eligible to use License Exception ENC
(except for those products that were authorized only for export to U.S.
subsidiaries) prior to October 19, 2000. Encryption technology
previously approved for export under a license or an Encryption
Licensing Arrangement may be exported or reexported to government and
non-government end-users in countries listed in Supplement 3 to this
part 740.
(3) Key length increases. Exporters may increase the key lengths of
products previously classified and continue to export these products
under the applicable provisions of License Exception ENC, without
further review, upon certification to BIS and the ENC Encryption
Request Coordinator in accordance with paragraph (d)(3)(ii) of this
section. No other change in cryptographic functionality is allowed
under License Exception ENC.
(i) Any product previously classified as ECCN 5A002 or 5D002
(except encryption items that provide an open cryptographic interface,
as defined in Sec. 772.1 of the EAR) may, with any upgrade to the key
length used for confidentiality or key exchange algorithms, be exported
or reexported under License Exception ENC to any non-government end-
user without an additional review. A license is required to export or
reexport items that provide an open cryptographic interface to end-
users located outside the countries listed in Supplement 3 to this part
740. In addition, products previously reviewed by BIS that were
determined to be eligible as ``retail'' under this license exception
may be exported or reexported to government end-users, without
additional review. For products not previously determined to be
eligible as retail products, another review is required to determine
their eligibility as ``retail'' products under paragraph (b)(3) of this
section.
(ii) Exporters must certify to BIS, in a letter from a corporate
official, that the only change to the encryption product is the key
length for confidentiality or key exchange algorithms and that there is
no other change in cryptographic functionality. Certifications must
include the original authorization number issued by BIS and the date of
issuance. BIS must receive this certification prior to any export of an
upgraded encryption product. The certification should be sent to BIS
and a copy of the certification should be sent to the ENC Encryption
Request Coordinator at the mailing address indicated in paragraph
(e)(5) of this section.
(e) Reporting requirements. (1) Semi-annual reporting requirement.
Semi-annual reporting is required for exports and reexports under this
license exception. Certain encryption items and transactions are
excluded from this reporting requirement (see paragraph (e)(4) of this
section). For instructions on how to submit your reports, see paragraph
(e)(5) of this section.
(2) General information required. Exporters must include all of the
following applicable information in their reports:
(i) For items exported to a distributor or other reseller,
including subsidiaries of U.S. firms, the name and address of the
distributor or reseller, the item and the quantity exported and, if
collected by the exporter as part of the distribution process, the end-
user's name and address;
(ii) For items exported through direct sale, the name and address
of the recipient, the item, and the quantity exported (except for
retail products, if the end-user is an individual consumer);
(iii) For exports of ECCN 5E002 items to be used for technical
assistance that are not released by Sec. 744.9 of the EAR, the name and
address of the end-user; and
(iv) The authorization number and the name of the item(s) exported.
(3) Information on foreign manufacturers and products that use
encryption items. For direct sales or transfers, under License
Exception ENC, of encryption components, source code, general purpose
toolkits, equipment controlled under ECCN 5B002, technology, or items
that provide an open cryptographic interface to foreign developers or
manufacturers when intended for use in foreign products developed for
commercial sale, you must submit the names and addresses of the
manufacturers using these encryption items and, if you know when the
product is made available for commercial sale, a non-proprietary
technical description of the foreign products for which these
encryption items are being used (e.g., brochures, other documentation,
descriptions or other identifiers of the final foreign product; the
algorithm and key lengths used; general programming interfaces to the
product, if known; any standards or protocols that the foreign product
adheres to; and source code, if available).
(4) Exclusions from reporting requirements. Reporting is not
required for the following items and transactions:
(i) Any encryption item to U.S. subsidiaries for internal company
use;
(ii) Encryption commodities or software with a symmetric key length
not exceeding 64 bits;
(iii) Retail products exported to individual consumers;
(iv) Encryption items exported via free or anonymous download;
(v) Encryption items from or to a U.S. bank, financial institution
or their subsidiaries, affiliates, customers or contractors for banking
or financial operations;
(vi) Items that incorporate components limited to providing short-
range wireless encryption functions;
(vii) Retail operating systems, or desktop applications (e.g. e-
mail, browsers, games, word processing, data base, financial
applications or utilities) designed for, bundled with, or pre-loaded on
single CPU computers, laptops or hand-held devices;
(viii) Client Internet appliance and client wireless LAN cards;
(ix) Foreign products developed by bundling or compiling of source
code.
(5) Submission requirements. You must submit the reports required
under this section, semi-annually, to BIS, unless otherwise provided in
this paragraph (e)(5). For exports occurring between January 1 and June
30, a report is due no later than August 1 of that year. For exports
occurring between July 1 and December 31, a report is due no later than
February 1 the following year. These reports must be provided in
electronic form to BIS. Recommended file formats for electronic
submission include spreadsheets, tabular text or structured text.
Exporters may request other reporting arrangements with BIS to better
reflect their business models. Reports may be sent electronically to
BIS at [email protected] (with a copy to the ENC Encryption Request
Coordinator at [email protected]), or disks and CDs containing the reports
may be mailed to the following addresses:
(i) Department of Commerce, Bureau of Industry and Security, Office of
Strategic Trade and Foreign Policy Controls, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Reports.
(ii) A copy of the report should be sent to: Attn: ENC Encryption
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.
PART 742--[AMENDED]
19. Section 742.15 is revised to read as follows:
[[Page 38866]]
Sec. 742.15 Encryption items.
Encryption items can be used to maintain the secrecy of
information, and thereby may be used by persons abroad to harm U.S.
national security, foreign policy and law enforcement interests. The
United States has a critical interest in ensuring that important and
sensitive information of the public and private sector is protected.
Consistent with our international obligations as a member of the
Wassenaar Arrangement, the United States has a responsibility to
maintain control over the export and reexport of encryption items. As
the President indicated in Executive Order 13026 and in his Memorandum
of November 15, 1996, exports and reexports of encryption software,
like exports and reexports of encryption hardware, are controlled
because of this functional capacity to encrypt information on a
computer system, and not because of any informational or theoretical
value that such software may reflect, contain, or represent, or that
its export or reexport may convey to others abroad. For this reason,
export controls on encryption software are distinguished from controls
on other software regulated under the EAR.
(a) Licensing requirements and policy--(1) Encryption items
controlled under ECCN 5A002, 5D002, or 5E002. (i) Licensing
requirements. A license is required to export or reexport encryption
items (``EI'') controlled under ECCN 5A002, 5D002 or 5E002 to all
destinations, except Canada. Refer to part 740 of the EAR, for license
exceptions that apply to certain encryption items, and to Sec. 772.1 of
the EAR for definitions of encryption items and terms. Exporters must
submit applications to obtain authorization under a license or an
Encryption Licensing Arrangement for exports and reexports of
encryption items that are not eligible for a license exception.
(ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine
whether the export or reexport is consistent with U.S. national
security and foreign policy interests. Exports of encryption items to
governments, or Internet and telecommunications service providers for
the provision of services specific to governments, may be favorably
considered for civil uses, e.g., social or financial services to the
public; civil justice; social insurance, pensions and retirement; taxes
and communications between governments and their citizens. Encryption
Licensing Arrangements may be authorized for exports and reexports of
unlimited quantities of encryption items to all destinations, except
countries listed in Country Group E:1 of Supplement No. 1 to part 740.
Encryption Licensing Arrangements, including those which authorize
exports and reexports of encryption technology to strategic partners
(as defined in Sec. 772.1 of the EAR) of U.S. companies, are valid for
four years and may require reporting. Applicants seeking authorization
for Encryption Licensing Arrangements must specify the sales territory
and class of end-user on their license applications.
(2) Encryption items controlled under ECCN 5A992, 5D992, or 5E992.
(i) Licensing requirements. Items controlled under ECCN 5A992, 5D992 or
5E992 are controlled for anti-terrorism (AT) reasons to countries
listed in AT column 1 or AT column 2, as applicable, of the Commerce
Country Chart (Supplement No. 1 to Part 738 of the EAR). A license also
may be required to certain destinations or persons for other reasons
specified elsewhere in the EAR (e.g., embargoes). In addition, these
encryption items are subject to the notification or review requirements
described in paragraph (b)(1) and (b)(2) of this section, unless
specifically excluded by paragraph (b)(3) of this section.
(ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine
whether the export or reexport is consistent with U.S. national
security and foreign policy interests. BIS does not authorize
Encryption Licensing Arrangements for exports and reexports of
encryption items to any of the countries listed in Country Group E:1 of
Supplement No. 1 to Part 740 of the EAR.
(b) Notification and review requirements for encryption items
controlled under ECCN 5A992, 5D992 or 5E992. You may export and
reexport encryption commodities, software and technology controlled
under ECCN 5A992, 5D992 or 5E992 without a license (NLR: No License
Required) to most destinations, in accordance with paragraph (a)(2) of
this section, provided that you have met the notification and review
requirements described in paragraphs (b)(1) and (b)(2) of this section.
Certain encryption items controlled under ECCN 5A992, 5D992 or 5E992
may be exported or reexported without notification or review--these
items are identified in paragraph (b)(3) of this section. In addition,
no post-shipment reporting is required for encryption items controlled
under ECCN 5A992, 5D992, or 5E992. See Sec. 732.5 of the EAR for
Shipper's Export Declaration (SED), Destination Control Statements
(DCS), and recordkeeping requirements for items exported and reexported
without a license (NLR).
(1) Notification requirement for specified encryption items. You
may export and reexport encryption items controlled under ECCN 5A992,
5D992 or 5E992 and identified in this paragraph (b)(1) to most
destinations without a license (NLR: No License Required), provided
that you have submitted to BIS, by the time of export, the information
described in paragraphs (a) through (e) of Supplement 6 to this part
742, and if applicable, specific information describing how your
products qualify for mass market treatment under the criteria in the
Cryptography Note (Note 3) of Category 5, Part 2, of the Commerce
Control List (Supplement No. 1 to Part 774 of the EAR). Submit this
notification to BIS by email, to [email protected], and also send a
copy to the ENC Encryption Request Coordinator, at [email protected]. If you
are unsure as to whether your encryption items are eligible for export
or reexport under this paragraph (b)(1), you should submit a request,
to BIS and to the ENC Encryption Request Coordinator, for a review of
your encryption items pursuant to the requirements of paragraph (b)(2)
of this section (for mass market encryption commodities and software),
or under the provisions of License Exception ENC (see Sec. 740.17 of
the EAR). The following encryption items controlled by ECCN 5A992,
5D992, or 5E992 are eligible for export or reexport without a license,
to most destinations, with notification only:
(i) Up to (and including) 64-bit mass market encryption commodities
and software;
(ii) Encryption items (including key management products and
company proprietary implementations) with key lengths not exceeding 56
bits for symmetric algorithms, 512 bits for asymmetric key exchange
algorithms, and 112 bits for elliptic curve algorithms;
(2) Review requirement for mass market encryption commodities and
software exceeding 64 bits: Mass market encryption commodities and
software employing a key length greater than 64 bits for the symmetric
algorithm (including such products previously reviewed by BIS and
exported under ECCN 5A002 or 5D002) remain subject to the EAR and
require review by BIS, prior to export or reexport under this paragraph
(b)(2). Encryption commodities and software that are not eligible as
retail items under License Exception ENC do not qualify for mass
[[Page 38867]]
market treatment (see Sec. 740.17(b)(3) of the EAR for retail product
eligibility under License Exception ENC.)
(i) Procedures for requesting review. To request review of your
mass market encryption products, you must submit to BIS and the ENC
Encryption Request Coordinator the information described in paragraphs
(a) through (e) of Supplement 6 to this part 742, and you must include
specific information describing how your products qualify for mass
market treatment under the criteria in the Cryptography Note (Note 3)
of Category 5, Part 2 (``Information Security''), of the Commerce
Control List (Supplement No. 1 to Part 774 of the EAR). Review requests
must be submitted on Form BIS-748P (Multipurpose Application), or its
electronic equivalent, as described in Sec. 748.3 of the EAR. To ensure
that your review request is properly routed, insert the phrase ``Mass
market encryption'' in Block 9 (Special Purpose) of the application
form and place an ``X'' in the box marked ``Classification Request'' in
Block 5 (Type of Application)--Block 5 does not provide a separate item
to check for the submission of encryption review requests. Failure to
properly complete these items may delay consideration of your review
request. Review requests that are not submitted electronically to BIS
should be mailed to the address indicated in Sec. 748.2(c) of the EAR.
Submissions to the ENC Encryption Request Coordinator should be
directed to the mailing address indicated in Sec. 740.17(e)(5)(ii) of
the EAR. BIS will notify you if there are any questions concerning your
request for review (e.g., because of missing or incomplete support
documentation).
(ii) Action by BIS. Once BIS has completed its review, you will
receive written confirmation concerning the eligibility of your items
for export or reexport as mass market encryption commodities or
software controlled under ECCN 5A992 or 5D992. If, during the course of
its review, BIS determines that your encryption items do not qualify
for mass market treatment under the EAR, or are otherwise controlled
under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will
review your commodities or software for eligibility under License
Exception ENC (see Sec. 740.17 of the EAR for review and reporting
requirements for encryption items under License Exception ENC). BIS
reserves the right to suspend your eligibility to export and reexport
under the provisions of this paragraph (b)(2) and to return review
requests, without action, if the requirements for review have not been
met.
(iii) Exports and reexports to government and non-government end-
users. Immediately upon registration by BIS of your completed review
request (``registration'' is defined in Sec. 750.4(a)(2) of the EAR),
you may export or reexport mass market encryption commodities and
software exceeding 64 bits, under ECCNs 5A992 and 5D992, without a
license (NLR: No License Required) to government and non-government
end-users located in the countries listed in Supplement 3 to part 740
of the EAR. These mass market encryption products also may be exported
or reexported, without a license (NLR), to most destinations (except
those that require a license for AT reasons or for reasons described
elsewhere in the EAR) for the internal use of foreign subsidiaries or
offices of firms, organizations and governments headquartered in Canada
or in countries listed in Supplement 3 to part 740 of the EAR. Thirty
days after BIS registers your review request, you may export or
reexport these mass market encryption products, without a license, to
government and non-government end-users located in most destinations
outside the countries listed in Supplement 3 to part 740 of the EAR
(certain destinations and persons may require a license for AT reasons
or for reasons specified elsewhere in the EAR), unless otherwise
notified by BIS (e.g., because of missing or incomplete support
documentation, or conversion to License Exception ENC review). The
thirty days may not include any time that your review request was on
hold without action. See Sec. 772.1 of the EAR for the definition of
``government end-user'' as it applies to encryption items.
(3) Exclusions from notification and review requirements. The
following items and transactions do not require notification or review
prior to export or reexport. However, a license may be required to
export or reexport these items to certain destinations for AT reasons
or for reasons set forth elsewhere in the EAR (e.g., embargoes).
(i) Encryption items for U.S. subsidiaries. Encryption items
controlled under ECCN 5A992, 5D992, or 5E992 that are exported to
foreign subsidiaries of U.S. companies (as defined in Sec. 772.1 of the
EAR) for any end-use, including the development of new products, that
is not prohibited elsewhere in the EAR. All items produced or developed
by U.S. subsidiaries with encryption commodities, software and
technology exported under this paragraph are subject to the EAR and
require review and authorization before any sale or retransfer outside
of the U.S. company.
(ii) Mass market short-range wireless products. Mass market
products that are controlled under ECCN 5A992 or 5D992 only because
they incorporate components or software which provide short-range
wireless encryption functions (e.g., wireless products with an
operating range typically not exceeding 100 meters).
(iii) Items with limited cryptographic functionality. Encryption
items controlled under ECCN 5A992, 5D992, or 5E992 for which the use of
cryptography is limited to cryptographic functions that are not
controlled for ``EI'' reasons under the EAR (e.g. items with
cryptographic functions limited to authentication or digital signature,
execution of copy protected software, and ``finance specific'' items
specially designed and limited for banking use or money transactions).
These items are described in the Related Controls paragraph and the
Technical Notes under ECCN 5A002 on the Commerce Control List
(Supplement No. 1 to part 774 of the EAR), which are cross-referenced
under ECCNs 5D002 and 5E002.
(4) Commodities and software that activate or enable cryptographic
functionality. Commodities, software, and components that allow the
end-user to activate or enable cryptographic functionality in
encryption products which would otherwise remain disabled, are
controlled according to the functionality of the activated encryption
product. The notification and review requirements enumerated in this
paragraph (b) of this section apply to commodities, software and
components which activate cryptographic functionality in encryption
products controlled under ECCNs 5A992 and 5D992. (See Sec. 740.17 of
the EAR for review and reporting requirements for commodities, software
and components that enable cryptographic functionality in encryption
products controlled under ECCNs 5A002 and 5D002.) This paragraph (b)(4)
does not authorize the export or reexport of any activated encryption
product. Separate review or authorization of the enabled encryption
product is required.
(5) Examples of mass market encryption products. Subject to the
requirements of the Cryptography Note (Note 3) in Category 5, Part 2,
of the Commerce Control List, mass market encryption products include,
but are not limited to, general purpose operating systems and desktop
applications (e.g. e-mail, browsers, games, word processing, database,
financial applications or utilities) designed for, bundled with, or
pre-loaded on single CPU computers, laptops, or hand-held
[[Page 38868]]
devices; commodities and software for client Internet appliances and
client wireless LAN devices; home use networking commodities and
software (e.g. personal firewalls, cable modems for personal computers,
and consumer set top boxes); portable or mobile civil
telecommunications commodities and software (e.g. personal data
assistants (PDAs), radios, or cellular products); and commodities and
software exported via free or anonymous downloads.
20. Supplement No. 6 to part 742 is revised to read as follows:
Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests
for Encryption Items
Review requests for encryption items must be submitted on Form
BIS-748P (Multipurpose Application), or its electronic equivalent,
and supported by the documentation described in this Supplement, in
accordance with the procedures described in Sec. 748.3 of the EAR.
To ensure that your review request is properly routed, insert the
phrase ``Mass market encryption'' or ``License Exception ENC''
(whichever is applicable) in Block 9 (Special Purpose) of the
application form and place an ``X'' in the box marked
``Classification Request'' in Block 5 (Type of Application)--Block 5
does not provide a separate item to check for the submission of
encryption review requests. Failure to properly complete these items
may delay consideration of your review request. BIS recommends that
review requests be delivered via courier service to: Bureau of
Industry and Security, U.S. Department of Commerce, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230. For
electronic submissions via SNAP, you may fax a copy of the support
documents to BIS at (202) 219-9179 or -9182 or you may deliver the
documents via courier service to: Bureau of Industry and Security,
Information Technology Controls Division, Room 2625, 14th Street and
Pennsylvania Ave., NW. Washington, DC 20230. In addition, you must
send a copy of your review request and all support documents to:
Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite
6131, Fort Meade, MD 20755-6000. For all review requests of
encryption items, you must provide brochures or other documentation
or specifications related to the technology, commodity or software,
relevant product descriptions, architecture specifications, and as
necessary for the review, source code. You also must indicate
whether there have been any prior reviews of the product, if such
reviews are applicable to the current submission. In addition, you
must provide the following information in a cover letter
accompanying your review request:
(a) State the name of the encryption item being submitted for
review;
(b) State that a duplicate copy has been sent to the ENC
Encryption Request Coordinator;
(c) For review requests for a commodity or software, provide the
following information:
(1) Description of all the symmetric and asymmetric encryption
algorithms and key lengths and how the algorithms are used. Specify
which encryption modes are supported (e.g., cipher feedback mode or
cipher block chaining mode).
(2) State the key management algorithms, including modulus
sizes, that are supported.
(3) For products with proprietary algorithms, include a textual
description and the source code of the algorithm.
(4) Describe the pre-processing methods (e.g., data compression
or data interleaving) that are applied to the plaintext data prior
to encryption.
(5) Describe the post-processing methods (e.g., packetization,
encapsulation) that are applied to the cipher text data after
encryption.
(6) State the communication protocols (e.g., X.25, Telnet or
TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards)
that are supported.
(7) Describe the encryption-related Application Programming
Interfaces (APIs) that are implemented and/or supported. Explain
which interfaces are for internal (private) and/or external (public)
use.
(8) Describe whether the cryptographic routines are statically
or dynamically linked, and the routines (if any) that are provided
by third-party modules or libraries. Identify the third-party
manufacturers of the modules or toolkits.
(9) For commodities or software using Java byte code, describe
the techniques (including obfuscation, private access modifiers or
final classes) that are used to protect against decompilation and
misuse.
(10) State how the product is written to preclude user
modification of the encryption algorithms, key management and key
space.
(11) For products that qualify as ``retail'', explain how the
product meets the listed criteria in Sec. 740.17(b)(3) of the EAR.
(12) For products which incorporate an open cryptographic
interface as defined in part 772 of the EAR, describe the Open
Cryptographic Interface.
(d) For review requests regarding components, provide the
following additional information:
(1) Reference the application for which the components are used
in, if known;
(2) State if there is a general programming interface to the
component;
(3) State whether the component is constrained by function; and
(4) Identify the encryption component and include the name of
the manufacturer, component model number or other identifier.
(e) For review requests for source code, provide the following
information:
(1) If applicable, reference the executable (object code)
product that was previously reviewed;
(2) Include whether the source code has been modified, and the
technical details on how the source code was modified; and
(3) Include a copy of the sections of the source code that
contain the encryption algorithm, key management routines and their
related calls.
(f) For step-by-step instructions and guidance on submitting
review requests for encryption items, visit our webpage at
www.bis.doc.gov/Encryption and click on the navigation button
labeled ``Guidance''.
PART 748--[AMENDED]
21. Section 748.3 is amended by revising the section heading, by
adding two new sentences at the end of paragraph (a), by removing
paragraph (b)(3), and by adding a new paragraph (d), to read as
follows:
Sec. 748.3 Classification Requests, Advisory Opinions, and Encryption
Review Requests.
(a) * * * The encryption requirements in the EAR require that
certain encryption items be reviewed by BIS in order for them to be
eligible for export or reexport under License Exception ENC (see
Sec. 740.17 of the EAR) or to be released from ``EI'' controls (see
Sec. 742.15(b)(2) of the EAR). BIS makes its determination based on the
submission of a review request prepared in accordance with the
instructions in Supplement No. 6 to Part 742 of the EAR.
* * * * *
(d) Review requests for encryption items. A Department of Commerce
review of encryption items transferred from the U.S. Munitions List
consistent with Executive Order 13026 of November 15, 1996 (3 CFR, 1996
Comp., p. 228) and pursuant to the Presidential Memorandum of that date
may be required to determine eligibility under License Exception ENC or
for release from ``EI'' controls. Refer to Sec. 742.15(b) and
Supplement 6 to part 742 of the EAR for instructions regarding mass
market encryption commodities and software. Refer to Sec. 740.17 of the
EAR for the provisions of License Exception ENC.
PART 770--[AMENDED]
22. Section 770.2 is amended by revising paragraph (n) to read as
follows:
Sec. 770.2 Item interpretations.
* * * * *
(n) Interpretation 14: Encryption commodity and software reviews.
Review of encryption commodities or software is required to determine
the eligibility of certain encryption items under License Exception ENC
(see Sec. 740.17 of the EAR) or to release certain encryption items
from ``EI'' controls (see Sec. 742.15(b)(2) of the EAR). Note that
subsequent bundling, patches, upgrades or releases, including name
changes, may be exported or reexported under the applicable provisions
of the EAR without further review as long as the functional encryption
capacity of the originally reviewed product has not
been modified or enhanced. This interpretation does not extend to
products controlled under a different category on the CCL.
PART 772--[AMENDED]
23. Section 772.1 is amended by revising the definition of
``Cryptanalytic items'' to read as follows:
Sec. 772.1 Definitions of Terms as Used in the Export Administration
Regulations (EAR).
* * * * *
``Cryptanalytic items''. Systems, equipment, applications, specific
electronic assemblies, modules and integrated circuits designed or
modified to perform cryptanalytic functions, software having the
characteristics of cryptanalytic hardware or performing cryptanalytic
functions, or technology for the development, production or use of
cryptanalytic commodities or software.
Notes: 1. Cryptanalytic functions may include cryptanalysis,
which is the analysis of a cryptographic system or its inputs and
outputs to derive confidential variables or sensitive data including
clear text. (ISO 7498-2-1988(E), paragraph 3.3.18).
2. Functions specially designed and limited to protect against
malicious computer damage or unauthorized system intrusion (e.g.,
viruses, worms and trojan horses) are not construed to be
cryptanalytic functions.
* * * * *
PART 774--[AMENDED]
Supplement No. 1 to Part 774 (The Commerce Control List)--[Amended]
24. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5--Telecommunications and ``Information Security'',
immediately following the heading II--``INFORMATION SECURITY'', is
amended by revising Notes 2 and 3, and by adding a new Nota Bene
(``N.B.''), immediately following Note 3, to read as follows:
Category 5--Telecommunications and ``Information Security''
* * * * *
Part 2--``Information Security''
* * * * *
Note 2: Category 5, part 2, encryption products, when
accompanying their user for the user's personal use or as tools of
trade, are eligible for License Exceptions TMP or BAG, subject to
the terms and conditions of these License Exceptions.
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control
items that meet all of the following:
a. Generally available to the public by being sold, without
restriction, from stock at retail selling points by means of any of
the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by
the user;
c. Designed for installation by the user without further
substantial support by the supplier; and
d. When necessary, details of the items are accessible and will
be provided, upon request, to the appropriate authority in the
exporter's country in order to ascertain compliance with conditions
described in paragraphs (a) through (c) of this note.
N.B. to Cryptography Note: Mass market encryption commodities
and software eligible for the Cryptography Note are subject to the
notification or review requirements described in Sec. 742.15(b)(1)
and (b)(2) of the EAR, unless specifically excluded from these
requirements by Sec. 742.15(b)(3) of the EAR. Mass market
commodities and software employing a key length greater than 64 bits
for the symmetric algorithm must be reviewed in accordance with the
requirements of Sec. 742.15(b)(2) of the EAR in order to be released
from the ``EI'' and ``NS'' controls of ECCN 5A002 or 5D002. All
other mass market commodities and software eligible for the
Cryptography Note are controlled under ECCN 5A992 or 5D992 (without
review) and may be exported or reexported to most destinations
without a license, following notification, in accordance with the
requirements of Sec. 742.15(b)(1) of the EAR.
* * * * *
25. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5--Telecommunications and ``Information Security'', Part 2--
``Information Security'', is amended by revising ECCN 5D002 to read as
follows:
5D002 Information Security--``Software''
License Requirements
Reason for Control: NS, AT, EI
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
NS applies to entire entry............. NS Column 1.
AT applies to entire entry............. AT Column 1.
------------------------------------------------------------------------
``EI'' applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with
Executive Order 13026 of November 15, 1996 (3 CFR, 1996 Comp.,
p. 228) and pursuant to the Presidential Memorandum of that date.
Refer to Sec. 742.15 of the EAR.
Note: Encryption software is controlled because of its
functional capacity, and not because of any informational value of
such software; such software is not accorded the same treatment
under the EAR as other ``software''; and for export licensing
purposes, encryption software is treated under the EAR in the same
manner as a commodity included in ECCN 5A002.
Note: Encryption software controlled for ``EI'' reasons under
this entry remains subject to the EAR even when made publicly
available in accordance with part 734 of the EAR. See Sec. 740.13(e)
of the EAR for information on releasing certain source code (and
corresponding object code) which would be considered publicly
available from ``EI'' controls.
Note: After notification to BIS, 56-bit encryption items
(including key management products not exceeding 512 bits) and up to
(and including) 64-bit mass market encryption commodities and
software are released from ``EI'' and ``NS'' controls. After a
review by BIS, all other mass market encryption commodities and
software eligible for the Cryptography Note also may be released
from ``EI'' and ``NS'' controls. See Sec. 742.15(b)(1) and (b)(2) of
the EAR.
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: $ value.
Related Controls: This entry does not control ``software''
``required'' for the ``use'' of equipment excluded from control
under the Related Controls paragraph or the Technical Notes in ECCN
5A002 or ``software'' providing any of the functions of equipment
excluded from control under ECCN 5A002. These items are controlled
under ECCN 5D992.
Related Definitions: 5D002.a controls ``software'' designed or
modified to use ``cryptography'' employing digital or analog
techniques to ensure ``information security''.
Items:
a. ``Software'' specially designed or modified for the
``development'', ``production'', or ``use'' of equipment or
``software'' controlled by 5A002, 5B002, or 5D002.
b. ``Software'' specially designed or modified to support
``technology'' controlled by 5E002.
c. Specific ``software'' as follows:
c.1. ``Software'' having the characteristics, or performing or
simulating the functions of the equipment controlled by 5A002 or
5B002;
c.2. ``Software'' to certify ``software'' controlled by
5D002.c.1.
Dated: May 30, 2002.
James J. Jochum,
Assistant Secretary for Export Administration.
[FR Doc. 02-13990 Filed 6-5-02; 8:45 am]