[Federal Register Volume 69, Number 236 (Thursday, December 9, 2004)]
[Rules and Regulations]
[Pages 71356-71364]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-26992]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR parts 732, 734, 740, 742, 744, and 772

[Docket No. 041022290-4290-01]
RIN 0694-AD19


Encryption Export and Reexport Controls Revisions

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule revises: the criteria for determining if a foreign 
made item incorporating U.S. origin encryption is subject to the Export 
Administration Regulations; the notification requirements for beta test 
encryption software and certain ``publicly available'' encryption 
software; and the review and reporting requirements for exports and 
reexports of certain encryption items under License Exception ENC that 
are neither ``publicly available'' nor eligible for ``mass market'' 
treatment. It also makes technical changes.

DATES: This rule is effective December 9, 2004.

ADDRESSES: Send comments concerning this rule via e-mail to 
[email protected], fax to (202) 482-3355 or to Regulatory Policy 
Division, Bureau of Industry and Security, Room 2705, U.S. Department 
of Commerce, Washington, DC 20230. Refer to regulatory identification 
number 0694-AD19 in all comments.

FOR FURTHER INFORMATION CONTACT: Norman LaCroix, Director, Information 
Technology Controls Division, Office of National Security and 
Technology Transfer Controls, (202) 482-4439.

SUPPLEMENTARY INFORMATION: This rule removes the requirement to make a 
separate request for de minimis eligibility when submitting a review 
request for some encryption commodities and software under License 
Exception ENC. Foreign made items incorporating U.S. origin encryption 
items that have met specified notification or review requirements under 
mass market, License Exception TSU or License Exception ENC procedures 
will be treated like foreign made items that incorporate other U.S. 
origin items, in determining de minimis eligibility. This rule removes 
certain reporting requirements in License Exception TMP regarding beta 
test encryption software. This rule reduces the notification 
requirements for exports and reexports of certain ``publicly 
available'' encryption software that has been posted to the Internet 
pursuant to License Exception TSU by removing the requirement to notify 
the U.S. Government of updates or modifications if the Internet 
location has not changed. This rule simplifies License Exception ENC 
review requirements for exports and reexports of eligible encryption 
items, by implementing a uniform 30 day period for most encryption 
reviews and by clarifying the criteria by which licensing requirements 
to certain ``government end-users'' are determined. In connection with 
this 30 day period associated with the initial U.S. Government 
technical review of an encryption item, this rule authorizes BIS to, at 
any time, require additional technical information about an encryption 
item submitted for review and, if the information is not furnished, to 
suspend or revoke authorization to use License Exception ENC with 
respect to the item for which the information is sought. This rule also 
expands the list of countries to which certain encryption items may be 
sent immediately, once a review request is submitted to the U.S. 
Government. The list (Supplement No. 3 to part 740) now covers all 
current members of the European Union (EU), to include those countries 
that joined the EU on May 1, 2004. This rule updates and clarifies 
several encryption review requirements in License Exception ENC and 
clarifies the definition of the term ``hold without action'' in the 
Export Administration Regulations. This rule also makes some technical 
changes, and revises the e-mail address of the ENC Encryption Request 
Coordinator from [email protected] to [email protected] to match the current e-
mail address of that organization.
    Although this rule is issued in final form and there is no formal 
comment period, comments on this rule are welcomed on an ongoing basis.

Determining When a Foreign Made Item Is Subject to the EAR

    Section 734.4 of the EAR describes situations under which foreign 
made items are not subject to the Export Administration Regulations 
because the U.S. origin items that they incorporate are less than a 
defined ``de minimis'' percentage of their content. This rule removes 
the requirement for U.S. firms to request eligibility for de minimis 
treatment when submitting their encryption commodity or software for 
review to obtain authorization for export and reexport under License 
Exception ENC (Sec.  740.17 of the EAR). As a result, foreign made 
items containing most U.S. origin encryption commodities or software 
that have met the notification, review or determination requirements 
specified in revised Sec.  734.4(b) are now treated, for purposes of de 
minimis calculations, in the same way as foreign made items that 
incorporate other U.S. origin dual-use items. However, there is no de 
minimis eligibility for encryption technology controlled under Export 
Control Classification Number (ECCN) 5E002, or for foreign made items 
going to a destination in Country Group E:1 when the foreign item 
contains U.S. origin restricted encryption content described in Sec.  
740.17(b)(2) of the EAR (e.g. network infrastructure commodities and 
software controlled under ECCNs 5A002 and 5D002, cryptanalytic items, 
and ECCN 5D002 encryption source code that is not ``publicly 
available'' as that term is used in License Exception TSU, Sec.  
740.13(e)(1) of the EAR). This rule also makes conforming changes to 
Sec.  732.2(d) to reflect these new de minimis procedures.

Exports of Beta Test Encryption Software Under License Exception TMP

    This rule removes the requirements to report the names and 
addresses of testing consignees by removing Sec.  740.9(c)(8)(ii). It 
restructures, but makes no other substantive changes to Sec.  
740.9(c)(8). It retains the notification requirements of that paragraph 
and changes an e-mail address.

Exports of Certain ``Publicly Available'' Encryption Software Under 
License Exception TSU

    For ``publicly available'' encryption software that has been posted 
to the Internet after notification to BIS and the ENC Encryption 
Request Coordinator under Sec.  740.13(e), this rule removes the 
requirement to provide notice of updates or modifications made to the 
encryption software at the previously notified location. This rule 
makes no other substantive changes to this section, but substantially 
reorganizes it.

[[Page 71357]]

License Exception ENC Review Requirements for Certain Encryption Items 
That Are Neither Publicly Available Nor Determined by BIS To Be 
Eligible for ``Mass Market'' Treatment

    This rule clarifies the scope of License Exception ENC by 
replacing, throughout Sec.  740.17, the phrase (and its variants) 
``encryption items controlled under ECCN 5A002, 5D002 or 5E002, and 
`information security' test, inspection, and production equipment 
controlled under ECCN 5B002'' with a list of the specific ECCNs 
(including the sub-paragraph number, where needed for clarity) that 
identify which items subject to the EAR are eligible for this license 
exception. It consolidates the provisions and restrictions that apply 
to the entire license exception, in a revised introductory paragraph 
and a new paragraph (f), respectively. It removes repetitive references 
to such provisions and restrictions from various paragraphs. It also 
replaces the ``Grandfathering'' paragraph (former Sec.  740.17(d)(2)) 
with specific information in paragraphs (a), (b)(2), and (b)(3) 
describing the extent to which prior U.S. Government reviews may be 
used to satisfy current License Exception ENC encryption review 
requirements.
    This rule retains the basic structure of License Exception ENC, by 
addressing exports and reexports to countries listed in Supplement No. 
3 to part 740 in paragraph (a) and exports to other countries in 
paragraph (b). Paragraph (b) continues to be further subdivided, 
providing separate provisions for exports and reexports to: 
Subsidiaries of U.S. companies (paragraph (b)(1)); non-``government 
end-users'' for certain restricted items (as described in paragraph 
(b)(2)); and both ``government end-users'' and non-``government end-
users'' for all other items (paragraph (b)(3)). However, important 
substantive changes and clarifications are made to all of these 
paragraphs. Those changes and clarifications are discussed below.

Exports, Reexports and Technical Assistance to Countries Listed in 
Supplement No. 3 to Part 740 (Sec.  740.17(a))

    This rule revises Sec.  740.17(a) so that the section not only 
continues to authorize the export and reexport of encryption items 
under specified circumstances, but also allows the provision of 
technical assistance related to encryption items (as described in Sec.  
744.9 of the EAR), when the technical assistance is provided to end-
users located or headquartered in Canada or in countries listed in 
Supplement No. 3 to part 740. This rule also removes the specific 
reference in this paragraph to the prohibition on exports or reexports 
of encryption source code and technology to nationals of countries 
listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR, 
as such general restrictions on the use of License Exception ENC have 
been consolidated into a new paragraph (f). It also divides paragraph 
(a) into three paragraphs designated Sec.  740.17 (a)(1), Sec.  740.17 
(a)(2), and Sec.  740.17(a)(3).
    Section 740.17(a)(1) eliminates the requirement that the U.S. 
Government review the encryption items and related technical assistance 
prior to their being provided for internal company use in the 
development of new products by private sector end-users that are 
headquartered in Canada or in countries listed in Supplement No. 3 to 
part 740. However, it retains the requirement that such new product 
encryption items developed by those end-users be reviewed by the U.S. 
Government before the finished products are transferred to others. It 
also defines ``private sector end-user'' for the purposes of this 
paragraph.
    Section 740.17(a)(2) states that certain items reviewed and 
authorized for export and reexport prior to October 19, 2000 are 
authorized for continued export and reexport under revised Sec.  
740.17(a), without additional U.S. Government review.
    Section 740.17(a)(3) retains the existing License Exception 
ENC provisions requiring submission of an encryption review request to 
BIS and the ENC Encryption Request Coordinator before export or 
reexport of: Finished encryption products to end-users located in 
countries listed in Supplement No. 3 to part 740; finished products to 
foreign subsidiaries and offices of end-users headquartered in Canada 
or in countries listed in Supplement No. 3 to part 740; and other 
encryption items (including technology and related technical 
assistance) to end-users located in, but not headquartered in, 
countries listed in Supplement No. 3 to part 740.

Export and Reexports to Other Countries (Sec.  740.17(b))

    This rule makes no substantive changes to paragraph (b)(1), which 
deals with exports and reexports to subsidiaries of U.S. companies, but 
substantially reorganizes it. As with paragraph (a), the rule also 
removes the specific reference in this paragraph to the prohibition on 
exports or reexports of encryption source code and technology to 
nationals of countries listed in Country Group E:1 in Supplement No. 1 
to part 740 of the EAR, as such general restrictions on the use of 
License Exception ENC have been consolidated into a new paragraph (f).
    This rule replaces the previous illustrative descriptions of 
``retail'' and other ``equivalent functionality'' encryption 
commodities and software (eligible for export and reexport to both 
``government end-users'' and non-``government end-users'' in paragraph 
(b)(3)), with an exclusive list in paragraph (b)(2) of those encryption 
commodities and software that are eligible only to non-``government 
end-users''. Except for commodities and software that provide an ``open 
cryptographic interface'' or that are specified in paragraph (b)(2), 
all encryption products eligible for License Exception ENC qualify 
under paragraph (b)(3), thereby removing the need for ``retail'' or 
other ``equivalent functionality'' considerations.
    This rule also replaces the requirement for obtaining specific U.S. 
Government authorization before exporting or reexporting under 
paragraph (b)(3) with a 30 day waiting period, calculated in calendar 
days beginning with the date that an encryption review request for the 
commodity or software is registered with BIS. For encryption reviews 
that are not completed by BIS within this 30 day period, the exporter 
may ship after the waiting period has elapsed. As with similar 
requirements in the current rule, the 30 day waiting period does not 
include any time that BIS places the review request on ``hold without 
action''. Upon completion of BIS's review, BIS will provide written 
notice of the provisions, if any, of Sec.  740.17 under which the 
encryption item may be exported or reexported.
    This rule also removes the word ``retail'' from Sec.  740.17(b)(3), 
except in paragraph (b)(3)(ii)(A), which describes the extent to which 
items previously classified as ``retail'' may be exported and 
reexported under paragraph (b)(3) without further U.S. Government 
review. BIS believes that these changes will help readers more readily 
distinguish the procedure for making certain non-``mass-market'' 
encryption commodities and software eligible for export and reexport 
under License Exception ENC from the procedure by which ``mass market'' 
encryption commodities and software are removed from the scope of ECCNs 
5A002 or 5D002 pursuant to Sec.  742.15(b)(2) of the EAR.

Reporting Requirements (Sec.  740.17(e))

    This rule clarifies that the semi-annual reporting requirements of 
License Exception ENC apply to exports

[[Page 71358]]

from the United States to all destinations except Canada, and to 
reexports from Canada to other foreign destinations. In conformance 
with the revisions to Sec.  740.17(b)(3), under paragraph (e)(4) 
(``Exclusions from reporting requirements'') this rule removes the word 
``retail'' and the phrase ``designed for, bundled with, or pre-loaded 
on single CPU computers, laptops or hand-held devices.''

Other Changes to License Exception ENC

    This rule eliminates all references to requesting eligibility for 
de minimis treatment from License Exception ENC because such special 
requests are no longer required due to the changes in Sec. Sec.  
734.4(a)(2) and 734.4(b) made by this rule. This rule revises Sec.  
740.17(d) by changing the title from ``Review requirements'' to 
``Review request procedures'' to more accurately reflect its contents. 
This rule also substantially reorganizes paragraph (d)(3) and 
institutes an e-mail notification procedure in place of the previous 
requirement that product key length increases authorized under this 
paragraph be certified to BIS and the ENC Encryption Request 
Coordinator in a letter from a corporate official.
    Lastly, this rule contains a new provision authorizing BIS to 
contact the submitter of a review request at any time, even after the 
30-day waiting periods prescribed in Sec. Sec.  740.17(b)(2)(ii) or 
740.17(b)(3)(ii)(B) have passed, to request additional information 
about an encryption item. If the submitter does not supply the 
requested information within 14 days after receiving the request from 
BIS, BIS may suspend or revoke the submitter's right to use License 
Exception ENC for the item about which the additional information is 
sought. If the submitter requests additional time to collect the 
information before the date it is due to BIS, BIS may grant up to an 
additional 14 days if BIS concludes that such additional time is 
necessary.

Supplement No. 3 to Part 740

    This rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia 
and Slovenia to Supplement No. 3 to part 740 because those countries 
were admitted to the European Union on May 1, 2004 and were not 
previously listed in this supplement. (Although the Czech Republic, 
Hungary and Poland were also admitted to the European Union on May 1, 
2004, these three countries were previously listed in Supplement No. 3 
to part 740.) This supplement identifies the countries that are 
eligible to receive both ``mass-market'' encryption products and non- 
``mass-market'' encryption items from the United States, immediately 
after the U.S. origin items are registered with BIS for review (i.e., 
without a 30 day waiting period) under Sec.  740.17(a) or Sec.  
742.15(b)(2) of the EAR. The addition of these countries to Supplement 
No. 3 continues the United States Government's practice of authorizing 
such immediate exports and reexports of encryption items to countries 
in the European Union's license-free zone. This rule also changes the 
title of this supplement from ``License Exception ENC country group.'' 
to ``Countries eligible for the provisions of Sec.  740.17(a).'' The 
revised title more accurately describes the supplement, which lists the 
countries that are relevant to the provisions of Sec.  740.17(a) but 
does not set forth any geographic limitation on the use of other 
provisions of License Exception ENC.

Section 742.15

    This rule adds to Sec.  742.15(b)(1) the e-mail addresses of BIS 
and the ENC Encryption Request Coordinator to which advance 
notifications of exports and reexports of encryption items controlled 
under ECCNs 5A992, 5D992 or 5E992 must be sent if a person wishes to 
export or reexport such items without a license under this section.

Supplement No. 6 to Part 742

    To expedite the handling of encryption review requests and reduce 
the need for U.S. Government requests for additional information from 
submitters, this rule revises paragraph (c)(8) to require that similar 
information be provided regarding third-party encryption hardware 
components as is currently required for software components. This rule 
also revises paragraph (c)(11) by eliminating the word ``retail'' in 
conformance with the revisions to Sec.  740.17(b)(3).

Section 744.9

    This rule updates the paragraph pertaining to ``Restrictions on 
Technical Assistance by U.S. Persons with Respect to Encryption Items'' 
by replacing a previous reference to ``classification request'' with 
``encryption review request'', and by adding references to Sec.  
740.17(a)(1) and Sec.  740.17(a)(3) in conformance with the revisions 
to License Exception ENC.

Section 772.1--Definition of ``Hold Without Action''

    This rule adds a sentence to the end of the definition to make 
clear that, unlike the procedure for license applications, BIS is not 
restricted to the circumstances described in Sec.  750.4(c) of the EAR 
when determining that an encryption review request may be placed on 
``hold without action'' status.

Administrative Changes

    This rule revises the e-mail address of the ENC Encryption Request 
Coordinator wherever it appears in Sec.  740.9, Sec.  740.13, and Sec.  
740.17 from [email protected] to [email protected] to reflect the current e-mail 
address of that organization. In Sec.  740.17(e)(5)(i), this rule 
revises the mailing address of the BIS office to which semi-annual 
License Exception ENC reports are sent, to reflect the current name of 
that office.
    Although the Export Administration Act expired on August 20, 2001, 
Executive Order 13222 of August 17, 2001 (3 CFR, 2001 Comp., p. 783 
(2002)), as extended by the Notice of August 6, 2004, 69 FR 48763 
(August 10, 2004) continues the Regulations in effect under the 
International Emergency Economic Powers Act.
    Rulemaking Requirements:
    1. This rule has been determined to be significant for purposes of 
E.O. 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information, subject to the 
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et 
seq.) (PRA), unless that collection of information displays a currently 
valid Office of Management and Budget (OMB) Control Number. This rule 
contains collections of information subject to the PRA. These 
collections have been approved by OMB under control number 0694-0088, 
``Multi-Purpose Application,'' which carries a burden hour estimate of 
58 minutes to prepare and submit form BIS-748, and control number 0694-
0104 ``Encryption Items Under the Jurisdiction of the Department of 
Commerce, Forms BIS 742R and 742S'' which carries a total estimated 
burden of 2,830 hours among an estimated 680 respondents. Send comments 
regarding these burden estimates or any other aspect of these 
collections of information, including suggestions for reducing the 
burden, to David Rostker, OMB Desk Officer, by e-mail at [email protected] or by fax to 202.395.285; and to the Regulatory 
Policy Division, Bureau of Industry and Security, Department of 
Commerce, P.O. Box 273, Washington, DC 20044.
    3. This rule does not contain policies with Federalism implications 
as this term is defined in Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C.

[[Page 71359]]

553) requiring notice of proposed rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
other law requires that a notice of proposed rulemaking and an 
opportunity for public comment be given for this rule. Because a notice 
of proposed rulemaking and an opportunity for public comment are not 
required to be given for this rule under 5 U.S.C. 553 or by any other 
law, the analytical requirements of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq.) are not applicable. Therefore, this rule is being 
issued in final form.

List of Subjects

15 CFR Parts 732 and 740

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Part 734

    Administrative practice and procedure, Exports, Inventions and 
patents, Research, Science and technology.

15 CFR Part 742

    Exports, Terrorism.

15 CFR Part 744

    Exports, Reporting and recordkeeping requirements, Terrorism.

15 CFR Part 772

    Exports.

Accordingly, parts 732, 734, 740, 742, 744 and 772 of the Export 
Administration Regulations (15 CFR parts 730-799) are amended as 
follows:

PART 732--[AMENDED]

1. The authority citation for part 732 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR 
48763 (August 10, 2004).


2. In Sec.  732.2 revise the introductory text of paragraph (d) to read 
as follows.


Sec.  732.2  Steps regarding scope of the EAR.

* * * * *
    (d) Step 4: Foreign-made items incorporating less than the de 
minimis level of U.S. parts, components, and materials. This step is 
appropriate only for items that are made outside the United States and 
not currently in the United States. Special requirements and 
restrictions apply to items that incorporate U.S. origin encryption 
items (see Sec.  734.4(a)(2) and (b) of the EAR).
* * * * *

PART 734--[AMENDED]

3. The authority citation for part 734 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 
FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 
783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004); Notice 
of November 4, 2004, 69 FR 64637 (November 8, 2004).


4. In Sec.  734.4 revise paragraph (a)(2), add paragraph (b), and 
revise the introductory texts of paragraphs (c) and (d) to read as 
follows:


Sec.  734.4  De Minimis U.S. Content.

    (a) * * *
    (2) Foreign produced encryption technology that incorporates U.S. 
origin encryption technology controlled by ECCN 5E002 is subject to the 
EAR regardless of the amount of U.S. origin content.
* * * * *
    (b) Special requirements for certain encryption items. Foreign made 
items that incorporate U.S. origin items that are listed in this 
paragraph are subject to the EAR unless they meet the de minimis level 
and destination requirements of paragraph (c) or (d) of this section 
and the requirements of this paragraph.
    (1) The U.S. origin commodities or software, if controlled under 
ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002, must have been:
    (i) Authorized for license exception TSU because of having met the 
notification requirements of Sec.  740.13(e) of the EAR (ECCN 5D002 
only);
    (ii) Authorized for License Exception ENC by BIS after a review 
pursuant to Sec.  740.17(b)(3) of the EAR; or
    (iii) Authorized for License Exception ENC by BIS after a review 
pursuant to Sec.  740.17(b)(2), and the foreign made product will not 
be sent to any destination in Country Group E:1 in Supplement No. 1 to 
part 740 of the EAR.
    (2) The U.S. origin encryption items, if controlled under ECCNs 
5A992, 5D992, or 5E992 must:
    (i) Have met the notification requirements of Sec.  742.15(b)(1) of 
the EAR; or
    (ii) Have been determined by BIS to be ``mass market'' commodities 
or software after a review in accordance with Sec.  742.15(b)(2) of the 
EAR (ECCNs 5A992 and 5D992 only); or
    (iii) Be an item described in Sec.  742.15(b)(3)(ii) or Sec.  
742.15(b)(3)(iii) of the EAR.

    Note to paragraph (b): See supplement No. 2 to this part for de 
minimis calculation procedures and reporting requirements.

    (c) Except as provided in paragraphs (a) and (b)(1)(iii) and subject 
to the provisions of paragraphs (b)(1)(i), (b)(1)(ii) and (b)(2) of 
this section, the following reexports are not subject to the EAR when 
made to a terrorist-supporting country listed in Country Group E:1 (see 
Supplement No. 1 to part 740 of the EAR).
* * * * *
    (d) Except as provided in paragraph (a) of this section and subject 
to the provisions of paragraph (b) of this section, the following 
reexports are not subject to the EAR when made to countries other than 
those described in paragraph (c) of this section.
* * * * *

PART 740--[AMENDED]

5. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
Sec. 901-911, Pub. L. 106-387; E.O. 13026, 61 FR 58767, 3 CFR, 1996 
Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; 
Notice of August 6, 2004, 69 FR 48763 (August 10, 2004).


6. In Sec.  740.9, revise paragraph (c)(8) to read as follows:


Sec.  740.9  Temporary imports, exports, and reexports (TMP).

* * * * *
    (c) * * *
    (8) Notification of beta test encryption software. For beta test 
encryption software eligible under this license exception you must, by 
the time of export or reexport, submit the information described in 
paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR 
by e-mail to BIS at [email protected] and to the ENC Encryption Request 
Coordinator at [email protected].

7. In Sec.  740.13, revise paragraph (e) as follows.


Sec.  740.13  Technology and software--unrestricted (TSU).

* * * * *
    (e) Encryption source code (and corresponding object code).
    (1) Scope and eligibility. This paragraph (e) authorizes exports 
and reexports, without review, of encryption source code controlled by 
ECCN 5D002 that, if not controlled by ECCN 5D002, would be considered 
publicly available under Sec.  734.3(b)(3) of the EAR. Such

[[Page 71360]]

source code is eligible for License Exception TSU under this paragraph 
(e) even if it is subject to an express agreement for the payment of a 
licensing fee or royalty for commercial production or sale of any 
product developed using the source code. This paragraph also authorizes 
the export and reexport of the corresponding object code (i.e., that 
which is compiled from source code that is authorized for export and 
reexport under this paragraph) if both the object code and the source 
code from which it is compiled would be considered publicly available 
under Sec.  734.3(b)(3) of the EAR, if they were not controlled under 
ECCN 5D002.
    (2) Restrictions. This paragraph (e) does not authorize:
    (i) Export or reexport of any encryption software controlled under 
ECCN 5D002 that does not meet the requirements of paragraph (e)(1), 
even if the software incorporates or is specially designed to use other 
encryption software that meets the requirements of paragraph (e)(1) of 
this section; or
    (ii) Any knowing export or reexport to a country listed in Country 
Group E:1 in Supplement No. 1 to part 740 of the EAR.
    (3) Notification requirement. You must notify BIS and the ENC 
Encryption Request Coordinator via e-mail of the Internet location 
(e.g., URL or Internet address) of the source code or provide each of 
them a copy of the source code at or before the time you take action to 
make the software publicly available as that term is described in Sec.  
734.3(b)(3) of the EAR. If you elect to meet this requirement by 
providing copies of the source code to BIS and the ENC Encryption 
Request Coordinator, you must provide additional copies to each of them 
each time the cryptographic functionality of the software is updated or 
modified. If you elect to provide the Internet location of the source 
code, you must notify BIS and the ENC Encryption Request Coordinator 
each time the Internet location is changed, but you are not required to 
notify them of updates or modifications made to the encryption software 
at the previously notified location. In all instances, submit the 
notification or copy to [email protected] and to [email protected].

    Note  to paragraph (e). Posting encryption source code and 
corresponding object code on the Internet (e.g., FTP or World Wide 
Web site) where it may be downloaded by anyone neither establishes 
``knowledge'' of a prohibited export or reexport for purposes of 
this paragraph, nor triggers any ``red flags'' necessitating the 
affirmative duty to inquire under the ``Know Your Customer'' 
guidance provided in Supplement No. 3 to part 732 of the EAR.


8. In Sec.  740.17, revise the introductory text and paragraphs (a), 
(b), (d) and (e), and add paragraph (f) to read as follows:


Sec.  740.17  Encryption software and commodities (ENC).

    Subject to the eligibility criteria and restrictions described in 
paragraphs (a), (b) and (f) of this section, License Exception ENC is 
available for the export and reexport of: commodities and software 
controlled by ECCNs 5A002.a.1, .a.2, .a.5, and .a.6, 5B002, and 5D002 
that do not meet the ``mass market'' criteria of the Cryptography Note 
(Note 3) of Category 5, part 2 (``Information Security'') of the 
Commerce Control List (Supplement No. 1 to part 774 of the EAR); 
technology controlled by ECCN 5E002; and certain technical assistance 
as described in Sec.  744.9 of the EAR. The initial export or reexport 
of an encryption commodity or software under paragraphs (b)(2) or 
(b)(3) of this section is subject to a 30 day waiting period, as 
described in paragraph (d)(2) of this section. In addition, persons 
exporting or reexporting under paragraphs (a), (b)(2) or (b)(3) of this 
section must file the semi-annual reports required by paragraph (e) of 
this section. Review request procedures for encryption items eligible 
for License Exception ENC are described in paragraph (d) of this 
section (e.g., for items that have not previously been reviewed, or for 
items that have been reviewed but for which the cryptographic 
functionality has been changed). See Sec.  742.15(b)(2) of the EAR for 
similar review procedures for ``mass market'' encryption commodities 
and software.
    (a) Exports, reexports, and technical assistance to countries 
listed in Supplement No. 3 to this part. This paragraph (a) authorizes 
export or reexport of items controlled under ECCNs 5A002.a.1, .a.2, 
.a.5, or .a.6, 5B002, 5D002, or 5E002, and provision of technical 
assistance described in Sec.  744.9 of the EAR, to end-users in 
countries listed in Supplement No. 3 to part 740 of the EAR. This 
paragraph also authorizes exports or reexports to foreign subsidiaries 
and offices of end-users headquartered in Canada or in countries listed 
in Supplement No. 3 to part 740. In addition, the transaction must meet 
the terms of paragraphs (a)(1), (a)(2), or (a)(3) of this section.
    (1) Internal development of new products. No prior review is 
required for exports or reexports of U.S. origin encryption items or 
related technical assistance under this paragraph (a) to private sector 
end-users that are headquartered in Canada or in countries listed in 
Supplement No. 3 to part 740, for internal use for the development of 
new products by those end-users and their offices or subsidiaries. Any 
encryption item produced or developed with an item exported or 
reexported under this paragraph (a)(1) is subject to the EAR and 
requires review and authorization before any sale or retransfer outside 
of the private sector end-user that developed it. In this paragraph 
(a)(1), private sector end-user means:
    (i) An individual who is not acting on behalf of any foreign 
government; or
    (ii) A commercial firm (including its subsidiary and parent firms, 
and other subsidiaries of the same parent) that is not wholly owned by, 
or otherwise controlled by or acting on behalf of, any foreign 
government.
    (2) Items previously reviewed by the U.S. Government. No additional 
U.S. Government review is required under this paragraph (a) for export 
or reexport of encryption commodities or software or parts or 
components thereof that, prior to October 19, 2000, were authorized for 
export or reexport under a license or Encryption Licensing Arrangement, 
or were reviewed and authorized for export and reexport to entities 
other than U.S. subsidiaries under License Exception ENC. No additional 
U.S. Government review is required under this paragraph for export or 
reexport of encryption technology that, prior to October 19, 2000, was 
approved for export or reexport under a license or Encryption Licensing 
Arrangement.
    (3) Other transactions. For any use not described in paragraph 
(a)(1) of this section, before you export or reexport any item or 
related technical assistance that has not been previously reviewed by 
the U.S. Government and authorized under this paragraph (a), you must 
submit a review request in accordance with paragraph (d) of this 
section.
    (b) Exports and reexports to countries not listed in supplement No. 
3 to this part. (1) Encryption items for U.S. subsidiaries. This 
paragraph (b)(1) authorizes export or reexport of items controlled 
under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002 or 5E002:
    (i) To any ``U.S. subsidiary''; and
    (ii) By a U.S. company and its subsidiaries to foreign nationals 
who are employees, contractors or interns of a U.S. company or its 
subsidiaries if the items are for internal company use, including the 
development of new products.
    (iii) General restriction. All items produced or developed with 
commodities, software or technology exported under this paragraph 
(b)(1) are

[[Page 71361]]

subject to the EAR and require review and authorization before sale or 
transfer outside the U.S. company and its subsidiaries.
    (2) Encryption commodities and software restricted to non-
``government end-users.'' This paragraph (b)(2) authorizes the export 
and reexport of items described in Sec.  740.17(b)(2)(iii) of the EAR 
that do not provide an ``open cryptographic interface'' and that are 
controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002 to 
individuals, commercial firms, and other entities that are not 
``government end-users'' and that are not located in a country listed 
in Supplement No. 3 to this part. In addition, the transaction must 
meet the provisions of either Sec.  740.17(b)(2)(i) or (ii) of the EAR.
    (i) Commodities and software previously reviewed by the U.S. 
Government. No additional U.S. Government review is required under this 
paragraph (b)(2) for export or reexports of encryption commodities or 
software or parts or components thereof that, prior to October 19, 
2000, were authorized for export or reexport under a license or 
Encryption Licensing Arrangement, or were reviewed and authorized for 
export and reexport to entities other than U.S. subsidiaries under 
License Exception ENC.
    (ii) Other commodities and software not previously reviewed. Before 
exporting or reexporting any item that has not been reviewed by the 
U.S. Government and authorized under this paragraph (b)(2), you must 
submit a review request in accordance with paragraph (d) of this 
section and wait until 30 days after that request is registered (as 
defined in Sec.  750.4(a)(2) of the EAR) with BIS. Days during which 
the review request is on ``hold without action'' status are not counted 
towards fulfilling the 30 day waiting period.
    (iii) The encryption commodities, software and components eligible 
for export or reexport under this paragraph (b)(2) (see paragraph 
(b)(3) of this section for commodities, software and components not 
listed in this paragraph (b)(2)(iii)) are:
    (A) Network infrastructure commodities and software, and parts and 
components thereof (including commodities and software necessary to 
activate or enable cryptographic functionality in network 
infrastructure products) providing secure Wide Area Network (WAN), 
Metropolitan Area Network (MAN), Virtual Private Network (VPN), 
satellite, cellular or trunked communications meeting any of the 
following with key lengths exceeding 64-bits for symmetric algorithms:
    (1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput 
(includes communications through wireless network elements such as 
gateways, mobile switches, controllers, etc.) greater than 44 Mbps; or
    (2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-
channel input data rate exceeding 44 Mbps; or
    (3) Maximum number of concurrent encrypted data tunnels or channels 
exceeding 250; or
    (4) Air-interface coverage (e.g., through base stations, access 
points to mesh networks, bridges, etc.) exceeding 1,000 meters, where 
any of the following applies:
    (i) Maximum data rates exceeding 5 Mbps (at operating ranges beyond 
1,000 meters); or
    (ii) Maximum number of concurrent full-duplex voice channels 
exceeding 30; or
    (iii) Substantial support is required for installation or use.
    (B) Encryption source code that would not be eligible for export or 
reexport under License Exception TSU because it is not publicly 
available as that term is used in Sec.  740.13(e)(1) of the EAR.
    (C) Encryption commodities or software that do not provide an 
``open cryptographic interface'', but that have:
    (1) Been modified or customized for government end-user(s) or 
government end-use (e.g., to secure departmental, police, state 
security, or emergency response communications); or
    (2) Cryptographic functionality that has been modified or 
customized to customer specification; or
    (3) Cryptographic functionality or ``encryption component'' (except 
encryption software that would be considered publicly available, as 
that term is used in Sec.  740.13(e)(1) of the EAR) that is user-
accessible and can be easily changed by the user.
    (D) ``Cryptanalytic items''; or
    (E) Encryption commodities and software that provide functions 
necessary for quantum cryptography; or
    (F) Encryption commodities and software that have been modified or 
customized for computers controlled by ECCN 4A003.
    (3) Encryption commodities, software and components available to 
both ``government end-users'' and to non-``government end-users''. This 
paragraph authorizes export and reexport of commodities, software and 
components controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 
or 5D002. To be eligible under this paragraph (b)(3) the requirements 
of paragraphs (b)(3)(i) and (b)(3)(ii) must be met.
    (i) The commodities or software must not:
    (A) Provide an ``open cryptographic interface''; or
    (B) Be listed in paragraph (b)(2) of this section.
    (ii) Review and authorization requirement. (A) Commodities and 
software previously reviewed by the U.S. Government. Encryption 
commodities, software and components reviewed and authorized by BIS for 
export and reexport as ``retail'' commodities or software under this 
paragraph (b)(3) prior to December 9, 2004 do not require additional 
review or authorization for export or reexport under this paragraph.
    (B) Other commodities and software not previously reviewed. Before 
exporting or reexporting any item that has not been reviewed by the 
U.S. Government and authorized under this paragraph (b)(3), you must 
submit a review request in accordance with paragraph (d) of this 
section and wait until 30 days after that request is registered (as 
defined in Sec.  750.4(a)(2) of the EAR) with BIS. Days during which 
the review request is on ``hold without action'' are not counted 
towards fulfilling the 30 day waiting period.
    (4) Exemptions from the 30 day waiting period and review 
requirements. (i) Exemptions from the 30 day waiting period. Items 
listed in this paragraph (b)(4)(i) may be exported or reexported under 
authority of paragraphs (b)(2) or (b)(3) immediately upon filing the 
review requests required by those paragraphs provided all other 
requirements for export or reexport under the paragraph being relied 
upon are met.
    (A) Encryption commodities and software (including key management 
products) with key lengths not exceeding 64 bits for symmetric 
algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 
bits for elliptic curve algorithms;
    (B) Encryption source code that would not be considered publicly 
available for export or reexport under License Exception TSU, provided 
that a copy of your source code is included in the review request to 
BIS and the ENC Encryption Request Coordinator.
    (ii) Exemptions from the review requirement. The following products 
do not require review under this license exception, but remain subject 
to the EAR (including all terms and provisions of this license 
exception, and all licensing requirements that may apply to a 
particular item or transaction for reasons other than encryption):
    (A) Commodities and software that would not otherwise be controlled 
under Category 5 (telecommunications

[[Page 71362]]

and ``information security'') of the Commerce Control List, but that 
are controlled under ECCN 5A002 or 5D002 only because they incorporate 
components or software that provide short-range wireless encryption 
functions (e.g., with an operating range typically not exceeding 100 
meters);
    (B) Foreign products developed with or incorporating U.S.-origin 
encryption source code, components or toolkits (or otherwise designed 
to operate with U.S. products, e.g., via signing), provided that the 
U.S.-origin encryption items (and related technical assistance, as 
described in Sec.  744.9 of the EAR) have previously been reviewed and 
authorized by BIS and the cryptographic functionality has not been 
changed.
* * * * *
    (d) Review request procedures. To request review of your encryption 
items under License Exception ENC (e.g., for items that have not 
previously been reviewed, or for items that have been reviewed but for 
which the cryptographic functionality has been changed), you must 
submit to BIS and to the ENC Encryption Request Coordinator the 
information described in paragraph (d)(1) of this section and in 
paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR 
(Guidelines for Submitting Review Requests for Encryption Items).
    (1) Instructions for requesting review. Review requests must be 
submitted on Form BIS-748P (Multipurpose Application), or its 
electronic equivalent, as described in Sec.  748.3 of the EAR. To 
ensure that your review request is properly routed, insert the phrase 
``License Exception ENC'' in Block 9 (Special Purpose) of the paper or 
electronic application. Also, place an ``X'' in the box marked 
``Classification Request'' in Block 5 (Type of Application) of Form 
BIS-748P or select ``Commodity Classification'' if filing 
electronically. Neither the electronic nor paper forms provide a 
separate Block to check for the submission of encryption review 
requests. Failure to properly complete these items may delay 
consideration of your review request. Review requests that are not 
submitted electronically to BIS should be mailed to the address 
indicated on the BIS-748P form. See paragraph (e)(5)(ii) of this 
section for the mailing address for the ENC Encryption Request 
Coordinator.
    (2) Action by BIS. Upon completion of its review, BIS will send you 
written notice of the provisions, if any, of this section under which 
your items may be exported or reexported. If BIS has not, within 30 
days of registration of a complete review request from you, informed 
you that your item is not authorized for License Exception ENC, you may 
export or reexport under the applicable provisions of License Exception 
ENC. BIS may hold your review request without action if necessary to 
obtain additional information or for any other reason necessary to 
ensure an accurate determination with respect to ENC eligibility. Time 
on such ``hold without action'' status shall not be counted towards 
fulfilling the 30 day waiting period specified in this paragraph and in 
paragraphs (b)(2) and (b)(3) of this section. BIS may require you to 
supply additional relevant technical information about your encryption 
item(s) or information that pertains to their eligibility for License 
Exception ENC at any time, before or after the expiration of the 30 day 
waiting period specified in this paragraph and in paragraphs (b)(2) and 
(b)(3) of this section. If you do not supply such information within 14 
days after receiving a request for it from BIS, BIS may return your 
review request(s) without action or otherwise suspend or revoke your 
eligibility to use License Exception ENC for that item(s). At your 
request, BIS may grant you up to an additional 14 days to provide the 
requested information. Any request for such an additional number of 
days must be made prior to the date by which the information was 
otherwise due to be provided to BIS, and may be approved if BIS 
concludes that additional time is necessary.
    (3) Key length increases. Commodities and software that are 
modified only to upgrade the key length used for confidentiality or key 
exchange algorithms (after having been reviewed and authorized for 
License Exception ENC by BIS) may be exported or reexported under the 
previously authorized provision of License Exception ENC without 
further review, provided:
    (i) The exporter or reexporter certifies to BIS and the ENC 
Encryption Request Coordinator that no change to the encryption 
functionality has been made other than to upgrade the key length for 
confidentiality or key exchange algorithms;
    (ii) The certification includes the original authorization number 
issued by BIS and the date of issuance;
    (iii) The certification is received by BIS and the ENC Encryption 
Request Coordinator before the export or reexport of the upgraded 
product; and
    (iv) The certification is e-mailed to [email protected] and 
[email protected].
    (e) Reporting requirements. (1) Semi-annual reporting requirement. 
Semi-annual reporting is required for exports to all destinations other 
than Canada, and for reexports from Canada, under this license 
exception. Certain encryption items and transactions are excluded from 
this reporting requirement (see paragraph (e)(4) of this section). For 
instructions on how to submit your reports, see paragraph (e)(5) of 
this section.
    (2) General information required. Exporters must include all of the 
following applicable information in their reports:
    (i) For items exported (or reexported from Canada) to a distributor 
or other reseller, including subsidiaries of U.S. firms, the name and 
address of the distributor or reseller, the item and the quantity 
exported or reexported and, if collected by the exporter as part of the 
distribution process, the end-user's name and address;
    (ii) For items exported (or reexported from Canada) to individual 
consumers through direct sale (provided the transaction is not exempted 
from reporting under paragraph (e)(4)(iii) or (e)(4)(iv) of this 
section), the name and address of the recipient, the item, and the 
quantity exported;
    (iii) For exports of ECCN 5E002 items to be used for technical 
assistance that are not released by Sec.  744.9 of the EAR, the name 
and address of the end-user; and
    (iv) For each item, the authorization number and the name of the 
item(s) exported (or reexported from Canada).
    (3) Information on foreign manufacturers and products that use 
encryption items. For direct sales or transfers, under License 
Exception ENC, of encryption components, source code, general purpose 
toolkits, equipment controlled under ECCN 5B002, technology, or items 
that provide an ``open cryptographic interface'' to foreign developers 
or manufacturers when intended for use in foreign products developed 
for commercial sale, you must submit the names and addresses of the 
manufacturers using these encryption items and, if you know when the 
product is made available for commercial sale, a non-proprietary 
technical description of the foreign products for which these 
encryption items are being used (e.g., brochures, other documentation, 
descriptions or other identifiers of the final foreign product; the 
algorithm and key lengths used; general programming interfaces to the 
product, if known; any standards or protocols that the foreign product 
adheres to; and source code, if available).

[[Page 71363]]

    (4) Exclusions from reporting requirements. Reporting is not 
required for the following items and transactions:
    (i) Any encryption item exported or reexported under paragraph 
(a)(1) or (b)(1) of this section;
    (ii) Encryption commodities or software with a symmetric key length 
not exceeding 64 bits;
    (iii) Encryption commodities and software authorized under 
paragraph (b)(3) of this section, exported (or reexported from Canada) 
to individual consumers;
    (iv) Encryption items exported (or reexported from Canada) via free 
and anonymous download;
    (v) Encryption items from or to a U.S. bank, financial institution 
or its subsidiaries, affiliates, customers or contractors for banking 
or financial operations;
    (vi) Items that incorporate components limited to providing short-
range wireless encryption functions;
    (vii) General purpose operating systems, or desktop applications 
(e.g., e-mail, browsers, games, word processing, data base, financial 
applications or utilities) authorized under paragraph (b)(3) of this 
section;
    (viii) Client Internet appliance and client wireless LAN cards; or
    (ix) Foreign products developed by bundling or compiling of source 
code.
    (5) Submission requirements. You must submit the reports required 
under this section, semi-annually, to BIS and to the ENC Encryption 
Request Coordinator, unless otherwise provided in this paragraph 
(e)(5). For exports occurring between January 1 and June 30, a report 
is due no later than August 1 of that year. For exports occurring 
between July 1 and December 31, a report is due no later than February 
1 the following year. These reports must be provided in electronic 
form. Recommended file formats for electronic submission include 
spreadsheets, tabular text or structured text. Exporters may request 
other reporting arrangements with BIS to better reflect their business 
models. Reports may be sent electronically to BIS at [email protected] 
and to the ENC Encryption Request Coordinator at [email protected], or disks 
and CDs containing the reports may be sent to the following addresses:
    (i) Department of Commerce, Bureau of Industry and Security, Office 
of National Security and Technology Transfer Controls, 14th Street and 
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
Encryption Reports, and
    (ii) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, 
Suite 6131, Ft. Meade, MD 20755-6000.
    (f) Restrictions. Notwithstanding any language elsewhere in this 
section, License Exception ENC does not authorize:
    (1) Any export or reexport of any ``cryptanalytic item'' to any 
``government end-user'' (as that definition is applied to encryption 
items); or
    (2) Any export or reexport of any ``open cryptographic interface'' 
item to any end-user not located in or headquartered in Canada or in 
countries listed in Supplement No. 3 to part 740 of the EAR; or
    (3) Any export or reexport to, or provision of any service in any 
country listed in Country Group E:1 in Supplement No. 1 to part 740 of 
the EAR; or
    (4) Furnishing source code or technology to any national of a 
country listed in Country Group E:1.

9. Revise Supplement No. 3 to part 740 to read as follows:

Supplement No. 3 to Part 740--Countries Eligible for the Provisions of 
Sec.  740.17(a)
    Austria.
    Australia.
    Belgium.
    Cyprus.
    Czech Republic.
    Estonia.
    Denmark.
    Finland.
    France.
    Germany.
    Greece.
    Hungary.
    Ireland.
    Italy.
    Japan.
    Latvia.
    Lithuania.
    Luxembourg.
    Malta.
    Netherlands.
    New Zealand.
    Norway.
    Poland.
    Portugal.
    Slovakia.
    Slovenia.
    Spain.
    Sweden.
    Switzerland.
    United Kingdom.

PART 742--[AMENDED]

10. The authority citation for part 742 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; Sec. 1503, 
Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43 FR 20947, 3 CFR, 1978 
Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; 
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 
2001 Comp., p. 783; Presidential Determination 2003-23 of May 7, 
2003, 68 FR 26459, May 16, 2003; Notice of August 6, 2004, 69 FR 
48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637 
(November 8, 2004).


11. In Sec.  742.15, revise the first sentence of paragraph (b)(1) and 
the last sentence of the introductory text to paragraph (b)(2) to read 
as follows:


Sec.  742.15  Encryption items.

* * * * *
    (b) * * *
    (1) Notification requirement for specified encryption items. You 
may export or reexport encryption items controlled under ECCNs 5A992, 
5D992, or 5E992 and identified in paragraphs (b)(1)(i) or (b)(1)(ii) of 
this section to most destinations without a license (NLR: No License 
Required), provided that you have submitted to BIS and to the ENC 
Encryption Request Coordinator at [email protected] and [email protected], by 
the time of export, the information described in paragraphs (a) through 
(e) of Supplement No. 6 to this part. * * *
* * * * *
    (2) Review requirement for mass market encryption commodities and 
software exceeding 64 bits. * * * Encryption commodities and software 
that are described in Sec.  740.17(b)(2) of the EAR do not qualify for 
mass market treatment.
* * * * *

12. In part 742, Supplement Number 6, revise paragraphs (c)(8) and 
(c)(11) to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests 
for Encryption Items
* * * * *
    (c) * * *
    (8) Describe the cryptographic functionality that is provided by 
third-party hardware or software encryption components (if any). 
Identify the manufacturers of the hardware or software components, 
including specific part numbers and version information as needed to 
describe the product. Describe whether the encryption software 
components (if any) are statically or dynamically linked.
* * * * *
    (11) For products that meet the requirements of Sec.  
740.17(b)(3)--

[[Page 71364]]

Encryption commodities, software and components available to both 
``government end-users'' and to non-``government end-users''--describe 
how they are not restricted by the provisions of Sec.  740.17(b)(2).
* * * * *

PART 744--[AMENDED]

13. The authority citation for part 744 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; Sec. 901-911, Pub. L. 106-
387; Sec. 221, Pub. L. 107-56; E.O. 12058, 43 FR 20947, 3 CFR, 1978 
Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; 
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60 
FR 5079, 3 CFR, 1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p. 
208; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224, 
66 FR 49079, 3 CFR, 2001 Comp., p. 786; Notice of August 6, 2004, 69 
FR 48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637 
(November 8, 2004).


14. In Sec.  744.9, revise paragraph (a) to read:


Sec.  744.9  Restrictions on technical assistance by U.S. persons with 
respect to encryption items.

    (a) General prohibition. No U.S. person may, without authorization 
from BIS, provide technical assistance (including training) to foreign 
persons with the intent to aid a foreign person in the development or 
manufacture outside the United States of encryption commodities and 
software that, if of United States origin, would be controlled for EI 
reasons under ECCN 5A002 or 5D002. Technical assistance may be exported 
and reexported immediately to nationals of the countries listed in 
Supplement 3 to part 740 of the EAR (except for technical assistance to 
government end-users for cryptanalytic items), provided that the 
exporter has submitted to BIS a completed encryption review request by 
the time of export (as described in Sec.  740.17(a)(3) of the EAR, for 
technical assistance not otherwise authorized under Sec.  740.17(a)(1) 
of the EAR). Note that this prohibition does not apply if the U.S. 
person providing the assistance has a license or is otherwise entitled 
to export the encryption commodities and software in question to the 
foreign person(s) receiving the assistance. Note in addition that the 
mere teaching or discussion of information about cryptography, 
including, for example, in an academic setting or in the work of groups 
or bodies engaged in standards development, by itself would not 
establish the intent described in this section, even where foreign 
persons are present.
* * * * *

PART 772--[AMENDED]

15. The authority citation for part 772 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 
6, 2004, 69 FR 48763 (August 10, 2004).


16. In Sec.  772.1, add a sentence to the end of the definition of 
``hold without action'' to read as follows:


Sec.  772.1  Definitions of terms as used in the Export Administration 
Regulations (EAR).

* * * * *
    Hold Without Action (HWA). * * * Encryption review requests may be 
placed on hold without action status as provided in Sec.  740.17(d)(2) 
and Sec.  742.15(b)(2) of the EAR.

    Dated: December 2, 2004.
Peter Lichtenbaum,
Assistant Secretary for Export Administration.
[FR Doc. 04-26992 Filed 12-8-04; 8:45 am]
BILLING CODE 3510-33-P