[Federal Register Volume 73, Number 193 (Friday, October 3, 2008)]
[Rules and Regulations]
[Pages 57495-57512]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-23201]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770,
772, and 774
[Docket No. 080211163-81224-01]
RIN 0694-AE18
Encryption Simplification
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Interim final rule.
-----------------------------------------------------------------------
SUMMARY: This interim final rule amends the Export Administration
Regulations (EAR) to make the treatment of encryption items more
consistent with the treatment of other items subject to the EAR, as
well as to simplify and clarify regulations pertaining to encryption
items. The restrictions pertaining to technical assistance by U.S.
persons with respect to encryption items are removed, because the
current export and reexport restrictions set forth in the EAR for
technology already include technical assistance. This rule also removes
License Exception KMI as it has become obsolete because of developments
in uses of encryption. In addition, this rule removes notification
requirements for items classified as 5A992, 5D992, and 5E992. This rule
also increases certain parameters under License Exception ENC, which is
intended to reflect advances in technology. This rule adds two new
review and reporting requirement exclusion paragraphs under License
Exception ENC for wireless ``personal area network'' items and for
``ancillary cryptography'' items. This rule also adds Bulgaria, Canada,
Iceland, Romania, and Turkey to the list of countries that receive
favorable treatment under License Exception ENC. Commodities and
software pending mass market review may no longer be exported under
ECCNs 5A992 and 5D992 using No License Required (NLR). However, once
the mass market review has been received by BIS, then such commodities
and software may be exported using License Exception ENC under ECCNs
5A002 and 5D002. This rule will reduce the paperwork burden on the
public by 9% (annual dollar amount savings of approximately $14,000 to
the public and $5,000 to the U.S. Government), because of the removal
of certain notification requirements, addition of countries to the list
of those receiving favorable treatment under License Exception ENC, and
the increase of reporting and review requirement exclusions. The
Departments of Commerce, State and Defense will continue to review
export control, license review policies, and license exceptions for
encryption items in the EAR.
DATES: Effective Date: This rule is effective October 3, 2008.
ADDRESSES: Written comments on this interim final rule may be sent by
e-mail to [email protected]. Include ``Encryption rule'' in
the subject line of the message. Comments may also be submitted by mail
or hand delivery to Sharron Cook, Office of Exporter Services,
Regulatory Policy Division, Bureau of Industry and Security, Department
of Commerce, 14th St. & Pennsylvania Avenue, NW., Room 2705,
Washington, DC 20230, ATTN: Encryption rule; or by fax to (202) 482-
3355.
FOR FURTHER INFORMATION CONTACT: For questions of a general nature
contact Sharron Cook, Office of Exporter Services, Regulatory Policy
Division at (202) 482-2440 or E-Mail: [email protected].
For questions of a technical nature contact: The Information
Technology Division, Office of National Security and Technology
Transfer Controls at 202-482-0707 or E-Mail: C. Randall Pratt at
[email protected].
SUPPLEMENTARY INFORMATION:
Background
Steps Regarding Scope of the EAR
This rule revises paragraph 732.2(b) of the EAR, which sets forth
instructions on how to determine if your technology or software is
publicly available, by adding mass market encryption software with
symmetric key length exceeding 64-bits classified under ECCN 5D992. The
addition of this phrase harmonizes with the scope of publicly available
encryption software that is considered to be subject to the EAR because
of the criteria set forth in Sec. 734.3(b)(3) of the EAR.
[[Page 57496]]
Items Subject to the EAR
This rule adds a note to paragraph 734.3(a)(4) of the EAR, which
sets forth the items that are subject to the EAR. The note reminds
readers that certain foreign-manufactured items are subject to the EAR
when developed or produced from U.S.-origin encryption items that were
exported pursuant to Sec. 740.17(a) of License Exception ENC.
Clarification of Text
This rule replaces the phrase ``encryption software (including
source code) transferred from the U.S. Munitions List to the Commerce
Control List consistent with E.O. 13026 of November 15, 1996 (61 FR
58767) and pursuant to the Presidential Memorandum of that date'' with
``software controlled for ``EI'' reasons under ECCN 5D002 on the
Commerce Control List'' to clarify which software this sentence is
referring to in the introductory paragraph of Supplement No. 1 to part
734 ``Questions and Answers--Technology and Software subject to the
EAR.''
Determining Whether a License Is Required
This rule clarifies text in Sec. 738.4(a)(1) of the EAR that not
all license requirements set forth under the ``License Requirements''
section of an ECCN refer to the Commerce Country Chart, but in some
cases this section will contain references to a specific section in the
EAR that contain license requirements for that particular ECCN. In such
cases, you could not determine whether a license is required based on
the ECCN and Country Chart alone and section Sec. 738.4(a)(1) of the
EAR would not apply. For example, ``EI'' controls are not included in
the Country Chart; however licensing requirements for ``EI'' controlled
items are included in Sec. 742.15(a) of the EAR. In addition, this
rule removes the reference in Sec. 738.4(a)(2)(ii)(B) to notification
requirements described in paragraph 742.15(b) for items classified
under ECCNs 5A992, 5D992, and 5E992, because this rule removes
notification requirements for these items. This rule also clarifies the
reminder about the review requirements for certain mass market
encryption items under ECCNs 5A992 and 5D992, by removing the reference
to 5E992 and harmonizing the citation reference with the changes in
this rule.
License Exception LVS
This rule revises Sec. 740.3(d)(5) to clarify that not only
exports, but reexports of encryption components or spare parts are
subject to the special restriction in this paragraph. In addition, the
term ``item'' has been replaced by correct terminology.
License Exception KMI
This rule removes Sec. 740.8 of the EAR ``License Exception KMI''
as it has become obsolete because of the developments in the use of
encryption. A consequential revision is also made to Sec. 746.3(c) of
the EAR, where License Exception KMI was listed. Products previously
eligible for License Exception KMI will be accorded equivalent
treatment under license or license exception. As a result of this
change, this rule also removes Supplement No. 4 to part 742 ``Key
Escrow or Key Recovery Products Criteria.''
License Exception TSU
In Sec. 740.13(d) of the EAR, this rule removes the quotation
marks around the term ``mass market'' in the title to paragraph (d),
paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph
(d)(3)(ii), because in the EAR double quotation marks around a term
indicate that the word is defined in part 772 of the EAR, and mass
market is not a defined term in part 772 of the EAR.
License Exception ENC
This rule revises Sec. 740.17 of the EAR by reformatting
paragraphs, removing redundant text, and clarifying text as needed.
This rule revises the title of this section to indicate that this
license exception also authorizes technology. The introductory
paragraph to Sec. 740.17 of the EAR is condensed to set forth the
scope of Sec. 740.17 of the EAR and include information not found
elsewhere in Sec. 740.17 of the EAR.
While this rule reformats the paragraphs in Sec. 740.17 of the
EAR, it was BIS's goal to minimize revisions to the enumeration of
paragraphs used to classify encryption items in the past, so as to
alleviate confusion about previous classifications provided by BIS that
reference specific paragraphs and to reduce the number of revisions to
industry's current product matrices. That being said, the paragraph
titles have been revised to reflect review request requirements instead
of destinations, end-uses, or types of end-users.
This rule removes paragraphs 740.17(a)(2) and (b)(2)(i) that
exempted commodities and software from review requirements based on a
previous review by the U.S. Government prior to October 19, 2000. These
commodities and software remain exempt from review requirements, and
BIS did not see the necessity of retaining such text in the Export
Administration Regulations.
Paragraph 740.17(a) now describes exports and reexports authorized
by License Exception ENC that do not require prior government review or
post export reporting. The former paragraph (a)(2) ``Items previously
reviewed by the U.S. Government'' is removed by this rule, as this
paragraph is no longer necessary because of the passage of time. Former
paragraph (a)(3) for end-uses other than internal development is moved
to new paragraph (b)(1), because a review request submission is
required for eligibility under this paragraph. Former paragraph (b)(1)
for U.S. subsidiaries is moved to (a)(2), because authorization under
this paragraph does not require prior review. In addition, this rule
amends former paragraph (b)(4)(i)(A) (exempting encryption items not
exceeding certain key lengths from the 30 day waiting period) by moving
it to (b)(1)(ii)(A).
Section 740.17(a)(1)
This rule removes references in paragraph Sec. 740.17(a)(1) to
``technical assistance described in Sec. 744.9 of the EAR,'' because
this rule removes 744.9, see explanation set forth below under ``Sec.
744.9.'' This rule clarifies text in paragraph (a)(1) so that it is
understood that License Exception ENC can be used for not only internal
development, but also internal production of new products.
Section 740.17(a)(2)
Paragraph 740.17(a)(2) is former paragraph (b)(1).
Section 740.17(b)
Paragraph 740.17(b) now sets forth those items authorized under
License Exception ENC that require prior review by the U.S. Government.
This paragraph also sets forth the ``open cryptographic interface''
restriction that applies to all paragraphs in 740.17(b), except for
paragraph Sec. 740.17(b)(1)(i). This introductory paragraph also sets
forth the restriction to export or reexport cryptanalytic items to any
``government end-user.'' There is also a reference in this paragraph to
paragraph (e) ``reporting requirements'' for exports and reexports
under Sec. 740.17(b).
Section 740.17(b)(1)
The new paragraph 740.17(b)(1) of the EAR authorizes exports and
reexports under License Exception ENC that require prior government
review, but allows the export or reexport to take place immediately
upon registration of the review request with BIS.
[[Page 57497]]
Paragraph (b)(1)(i) authorizes the export and reexport of
encryption items, including EI controlled commodities or software
(excluding source code) that are pending review for mass market
treatment (under Sec. 742.15(b) of the EAR), to ``government end-
users'' and non-``government end-users'' located in the countries
listed in Supplement 3 of part 740, as well as to foreign subsidiaries
or offices of firms, organizations and governments headquartered in
countries listed in Supplement 3 of part 740. This rule adds
authorization under License Exception ENC for items pending mass market
review, because it was not logical to temporarily classify commodities
and software under ECCNs 5A992 or 5D992 that were pending mass market
review under paragraph 742.15(b) and authorize export or reexport under
the designation of ``No License Required (NLR)'' when the possible
outcome of the BIS classification of the commodities and software could
be ECCN 5A002 or 5D002.
New paragraph 740.17(b)(1)(ii) authorizes exports and reexports of
specified encryption commodities and software to countries not listed
in Supplement No. 3 to part 740. This rule revises the format of the
parameters in this section from a range to an upper limit in paragraph
(b)(1)(ii)(A), former paragraph (b)(4)(i)(A). In addition, the upper
limit for symmetric algorithms has been raised from ``key lengths not
exceeding 64 bits'' to ``key lengths not exceeding 80 bits.'' After
review has been completed on these commodities or software, BIS will
issue a CCATS that will indicate authorization is under paragraph
(b)(2) or (b)(3) of Sec. 740.17 of the EAR, whichever paragraph is
appropriate.
Paragraph (b)(1)(ii)(B), former paragraph (b)(4)(i)(B), authorizes
exports and reexports of encryption source code that would not be
eligible for export or reexport under License Exception TSU, provided
that a copy of the source code is included in the review request, to
non-``government end-users'' located in any country except a country
listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR.
After the review has been completed, BIS will issue a CCATS that will
indicate authorization is under paragraph 740.17(b)(2) of the EAR. The
text is clarified by replacing the phrase ``considered publicly
available'' with ``eligible'' in order to avoid confusion about the
scope of encryption source code eligible under this paragraph.
Section 740.17(b)(2)
Paragraph (b)(2) of License Exception ENC authorizes exports and
reexports to non-``government end-users'' located in a country not
listed in Supplement No. 3 to this part or Country Group E:1 that
require a prior review and 30 day waiting period. Pursuant to the new
scope paragraph 740.17(b), this rule expands the scope of (b)(2) to
include ECCN 5B002 to be consistent with commodities and software
eligible for License Exception ENC under paragraphs (b)(1) and (b)(3)
of the EAR. In addition, former paragraph (b)(2)(i) concerning
transactions previously reviewed prior to October 19, 2000 by the U.S.
Government is removed as the passage of time has made this paragraph
unnecessary. Former paragraph (b)(2)(ii) that set forth the review
request requirement is removed, as the review request requirement has
been moved to the introductory text of paragraph (b)(2). Former
paragraph (b)(2)(iii) is replaced by the introductory text of paragraph
(b)(2).
This rule revises new paragraph (b)(2)(i), (Network infrastructure
software and commodities) by adding ``digital packet telephony/media
(voice/video/data) over internet protocol'' to the list of capabilities
described.
Also in this new paragraph (b)(2)(i), the former paragraph
(b)(2)(iii)(A) reference to ``64 bits for symmetric algorithms'' is
changed to ``80 bits for symmetric algorithms'', commensurate with the
key length change in new paragraph (b)(1)(ii)(B). (Note: Regarding key
length with respect to the authorizations and restrictions set forth in
both the current and former versions of License Exception ENC Sec.
740.17(b)(2), only `network infrastructure' commodities and software
(sub-paragraph (i) in this rule) are distinguished by key length. All
encryption commodities and software now enumerated in sub-paragraphs
(ii)-(vi) (former sub-paragraphs (iiii)(B)-(iii)(F)) of License
Exception ENC paragraph (b)(2) are controlled to ``government end-
users'' as described, regardless of key length.)
Former paragraph (b)(2)(iii)(A)(1), new paragraph Sec.
740.17(b)(2)(i)(A) is clarified by this rule to add quotes around the
term ``government end-user(s)'' and now reads as follows, ``Been
designed, modified, adapted or customized for ``government end-
user(s)'' or government end-use (e.g., to secure police, state
security, or emergency response communications).''
This rule further revises former paragraph (b)(2)(iii)(A)(1), new
paragraph (b)(2)(i)(A), which addresses aggregate encrypted WAN, MAN,
VPN or backhaul throughput, by increasing the parameter from 44 Mbps to
90 Mbps.
This rule further revises former paragraph (b)(2)(iii)(A)(2), new
paragraph (b)(2)(i)(B). The Wire (line), cable or fiber optic WAN, MAN
or VPN single-channel input data rate is revised from ``44 Mbps'' to
``154 Mbps.''
These revisions are not expected to result in a decrease in the
number of license applications submitted for exports and reexports of
items described in paragraph (b)(2) to government end-users. Most
network infrastructure items currently being exported to government
end-uses exceed these performance parameters. However, BIS has
determined that the parameters should be adjusted in recognition of
technology advances, and to avoid maintaining controls on legacy
systems.
This rule replaces the ``Maximum number of concurrent encrypted
data tunnels or channels * * *'' parameter in former paragraph
(b)(2)(iii)(A)(3), new paragraph (b)(2)(i)(C) with ``Media (voice/
video/data) encryption or centralized key management supporting more
than 250 concurrent encrypted data channels, or encrypted signaling to
more than 1,000 endpoints, for digital packet telephony/media (voice/
video/data) over internet protocol communications.'' These amendments
update these provisions of License Exception ENC to reflect advances in
encryption technology. Specifically, these amendments address
cryptographic developments in Datagram Transport Layer Security
(DTLS)--Secure Real-Time Transport Protocol (SRTP), and encrypted
communications signaling, for large Voice over Internet Protocol (VoIP)
network infrastructures.
This rule also revises former paragraph (b)(2)(iii)(A)(4)(i), new
paragraph (b)(2)(i)(D)(1), which addresses Air-interface coverage
capabilities, by changing ``maximum data rates'' to ``maximum
transmission data rates'' and changing the parameter from ``5 Mbps'' to
``10 Mbps.'' By limiting this License Exception ENC provision to the
transmit (upstream) data rates and doubling the licensing threshold,
these amendments reflect technology developments for certain satellite
and other long-range wireless devices.
Former paragraph (b)(2)(iii)(B) that addressed encryption source
code that would not be eligible for export or reexport under License
Exception TSU is moved to new paragraph (b)(2)(ii), but also appears in
new paragraph (b)(1)(ii)(B) for review requests that include a copy of
the source code, and
[[Page 57498]]
may be exported or reexported without a waiting period under License
Exception ENC when the review request is registered with BIS.
Former paragraph (b)(2)(iii)(C), new paragraph (b)(2)(iii) is
revised by removing the reference to the open cryptographic interface
restriction, because this restriction is now placed in the introductory
text of paragraph 740.17(b).
Former paragraph (b)(2)(iii)(C)(1), new paragraph (b)(2)(iii)(A) is
amended by revising the phrase ``Been modified or customized for'' to
read ``been designed, modified, adapted or customized for.'' Quotes
have been added around the term ``government end-user(s)'' to indicate
that this term is defined in part 772 of the EAR.
This rule also revises the phrase ``to secure departmental, police,
state security, or emergency response communications'' to read ``to
secure police, state, security, or emergency response communications,
including encryption commodities and software for external Security
Operations Center (SOC)/Network Operations Center (NOC) command and
infrastructure, and digital forensics/computer forensics.'' With this
clarification, this rule provides examples of three such systems that
are controlled for their inherent government end-use: External Security
Operations Center (SOC)/Network Operations Center (NOC) command and
infrastructure; public safety radio (e.g., implementing Terrestrial
Trunked Radio (TETRA) and/or Association of Public-Safety
Communications Officials International (APCO) Project 25 (P25)
standards); and digital forensics/computer forensics.
Note: Regarding the use of encryption by a computer forensics/
digital forensics commodity or software (e.g., for securing the
collection, examination, and/or reporting of data or metadata on an
investigated computer), such digital/computer forensics tools would
not be considered ``cryptanalytic items'' if the only use of
``cryptography'' is for encryption. However, such tools that also
perform ``cryptanalysis'' (e.g., cracking passwords or employing
other cryptanalytic techniques to derive user-encrypted data or
metadata from a computer or network) would be controlled as
``cryptanalytic items.''
Former paragraph (b)(2)(iii)(E), new paragraph (b)(2)(v) is revised
by adding a clarifying phrase after the term ``quantum cryptography''
to read ``as defined in ECCN 5A002 of the Commerce Control List.''
Former paragraph (b)(2)(iii)(F), new paragraph (b)(2)(vi) is
revised by replacing the term ``controlled'' with ``classified under''
to clarify the scope of computers in this paragraph.
Section 740.17(b)(3)
This rule revises paragraph Sec. 740.17(b)(3) of the EAR for
export or reexport of commodities and software not listed in Sec.
740.17(b)(2) of the EAR by both ``government end-users'' and non-
``government end-users'' by removing the redundant former paragraph
(b)(3)(ii)(B) that explained the review procedures and instead
inserting a reference to paragraph Sec. 740.17(d) that sets forth
these procedures. In addition, former paragraph (b)(3)(ii)(A)
concerning transactions previously reviewed by the U.S. Government is
removed as the passage of time has made this paragraph unnecessary.
Former paragraph (b)(3)(i)(A) that set forth the ineligibility of
commodities and software that provide an ``open cryptographic
interface'' is removed because this restriction is set forth in the
introductory text of paragraph 740.17(b). This rule adds text that
clarifies the eligible locations of the end-users, because 740.17(a)
addresses all exports to Supplement No. 3 countries. This rule
relocates the restriction in former paragraph (f)(1) concerning
``cryptanalytic items'' to the introductory text of paragraph (b)(3).
Section 740.17(b)(4)
Former paragraph 740.17(b)(4)(i), setting forth commodities and
software that are eligible for export immediately upon registration of
a review request, is moved to new paragraph (b)(1)(ii). In addition,
previous paragraph 740.17(b)(4)(ii), setting forth exclusions from
review requirements for certain items, is reformatted as paragraph
740.17(b)(4).
Former paragraph (b)(4)(ii)(A) for short-range wireless encryption
is now in new paragraph (b)(4)(i). This rule adds examples to this
paragraph of short-range wireless commodities and software. An
informative sentence is also added to notify the reader that certain
items excluded by this paragraph may also be excluded from review under
(b)(4)(iii) (personal area networks) or (b)(4)(iv) (commodities and
software that provide ``ancillary cryptography'').
Former paragraph (b)(4)(ii)(B) is replaced by the third, fourth,
and fifth sentences of former paragraph (c), which pertains to foreign
products developed with or incorporating U.S.-origin encryption source
code, components, or toolkits.
This rule adds two new review requirement exclusion paragraphs. The
first new paragraph (b)(4)(iii) is for wireless ``personal area
network'' items. This rule adds the term ``personal area network'' and
definition, as well as examples to part 772. The other new exclusion
paragraph (b)(4)(iv) is for ``ancillary cryptography,'' which is also a
newly added term/definition in part 772. The term/definition includes
examples of ``ancillary cryptography.'' The U.S. Government has
determined that it is not necessary to review the encryption
functionality of such items.
Reexports and Transfers
This rule clarifies the second sentence in Sec. 740.17(c) of the
EAR (restricted transfers) by adding quotes around the term
``government end-users'' for consistency. The third and fourth
sentences in this section concerning foreign products developed with or
incorporating U.S.-origin encryption products are moved to new
paragraph (b)(4)(ii), because it was misplaced and redundant to text
already included in another paragraph of License Exception ENC.
Review Request Procedures
This rule removes former paragraph (d)(1) ``Instructions for
requesting review'' because these instructions were redundant and
inconsistent with the instructions for submissions on Form BIS-748P
(Multipurpose Application) found in Part 748 of the EAR. Instructions
for such submissions belong in Part 748 of the EAR.
This rule reformats former paragraph (d)(2) ``Action by BIS''
because this paragraph was entirely too long and needed to be divided
by subject matter. The new subparagraph titles are: (i) Notification;
(ii) After 30 days; and (iii) Hold Without Action (HWA).
This rule moves former paragraph (d)(3), ``key length increases,''
to the reporting requirement section under new paragraph (e)(2),
because this requirement is in actuality a reporting requirement and
not a review requirement. This report is required for commodities and
software that, after having been reviewed and authorized for License
Exception ENC by BIS, are modified only to upgrade the key length used
for confidentiality or key exchange algorithms. This rule also makes
the new key length a required element of the report.
Reporting Requirements
The reporting requirements for License Exception ENC are now split
into two sections: Semiannual reporting requirement and reporting key
length increases. This rule clarifies that the Commodity Classification
Automated Tracking System (CCATS) number is a required element of the
report. This rule removes former paragraph (e)(2)(iv),
[[Page 57499]]
which required a report for exports of ECCN 5E002 items to be used for
technical assistance that are not released by 744.9, because this rule
removed section 744.9 of the EAR. This rule also clarifies the purpose
and scope of paragraph (e)(3), regarding reportable information on
foreign manufacturers and products that use encryption items in
countries not listed in Supplement No. 3 to part 740.
Reporting Exclusions
This rule revises the exclusion set forth in former paragraph
(e)(4)(i), new paragraph (e)(1)(iii)(A), by removing the reference to
paragraph (b)(1), because (b)(1) did not require prior review or post
export reporting, therefore this rule moved (b)(1) to new paragraph
(a)(2).
In new paragraph (e)(1)(iii)(F), this rule expands the exclusion
that was in former paragraph (e)(4)(vi) for components limited to
providing short-range wireless encryption functions, by making the
reporting exclusion apply to all of the items in the new paragraph
(b)(4), which are those items that are excluded from review
requirements (certain commodities and software that provide short-range
wireless; foreign products developed with or incorporating U.S.-origin
encryption source code (that have not entered United States for
subsequent export), components, or toolkits; wireless ``personal area
network'' items; and ``ancillary cryptography'' commodities and
software).
Lastly, in new paragraph (e)(1)(iii)(J), this rule adds a new
provision to exclude from reporting requirements exports of items that
have been determined, on a case-by-case basis do not require the burden
of semi-annual reporting. Certain exports of items that do not qualify
for mass market treatment, but are authorized under License Exception
ENC are not of interest for national security reasons, therefore do not
warrant reporting requirements. Exporters will be notified of this
exclusion on issued Commodity Classification Automated Tracking System
(CCATS) documents.
Restrictions
Former paragraph Sec. 740.17(f) ``Restrictions'' is removed,
because the restrictions that were in this paragraph are integrated
into the introductory paragraph to Sec. 740.17 or specific paragraphs
for which they apply.
Supplement No. 3 to Part 740
This rule revises the title of Supplement No. 3 to part 740 to read
``License Exception ENC Favorable Treatment Countries,'' because the
former title of ``Countries Eligible for the Provisions of Sec.
740.17(a)'' is no longer correct, as these countries are now eligible
for provisions of Sec. 740.17(b)(1) of the EAR. This rule adds
Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries
in Supplement No. 3 to part 740 of the EAR. Bulgaria and Romania joined
the European Union by accession on January 1, 2007. The addition of
Canada is simply for clarity, as licenses are not required to Canada
for Encryption Items (pursuant to Sec. 742.15(a)(1)) and License
Exception ENC has been available for subsidiaries and offices of the
Canadian government and private-sector end-users (along with the
previous Supplement No. 3 to part 740 list of countries). Turkey and
Iceland are added because they are members of the North Atlantic Treaty
Organization (NATO). This will increase eligibility under License
Exception ENC under new paragraphs Sec. 740.17(a)(1) and (b)(1) of the
EAR, which will decrease the necessity for submitting license
applications, review requests, and semiannual reports.
This revision will reduce the number of license applications
submitted to BIS for the export or reexport of encryption products
classified under ECCNs 5A002 and 5D002 to Bulgaria, Iceland, Romania,
and Turkey by 95 percent (approximately $37 million in exports and
reexports for CY 2007). This revision will not change the amount of
license applications received by BIS for the export or reexport of
encryption products to Canada, because Canada, while not included in
the list of countries that received favorable treatment under License
Exception ENC, already received such benefits.
Section 742.15 ``Encryption Items''
Paragraph 742.15(a) is revised by more specifically describing what
is EI controlled under ECCNs 5A002, 5D002, and 5E002. This revision
harmonizes with changes this rule makes to the license requirements
paragraphs of these ECCNs. In addition, a sentence is added that
advises exporters to review License Exception ENC prior to submitting a
license to BIS. Also, the phrase ``on a computer system'' is removed
from the introductory text of Sec. 742.15 in order to be more
consistent with the first Note in the License Requirement section of
ECCN 5D002.
Section 742.15(a)(2) License Requirements and Review Policy for ECCNS
5A992, 5D992, and 5E992
This rule removes former paragraph 742.15(a)(2), which explained
license requirements and review policy for items classified under ECCNS
5A992, 5D992, and 5E992, because the purpose of Sec. 742.15 is to set
forth the license requirements and review policies for items controlled
for encryption item (EI) reasons and these items are controlled for
anti-terrorism (AT) reasons only. The license requirements and review
policy for these items are found under appropriate anti-terrorism
sections of part 742.
This rule removes the second sentence of 742.15(a)(2), because the
indefinite language did not add to the transparency of licensing
policy. The sentence stated, ``Exports and reexports of encryption
items to governments, or to Internet and telecommunications service
providers for the provision of services specific to governments, may be
favorably considered.'' This rule removes the extraneous phrase
``including those which authorize exports and reexports of encryption
technology to strategic partners (as defined in Sec. 772.1 of the EAR)
of U.S. companies.'' To be more transparent, this rule adds the phrase
``or pre-shipment notification'' to explain that ELAs may require pre-
shipment notification. This rule adds a note to paragraph (a)(2) to
remind exporters that once mass market encryption commodities and
software have been reviewed by BIS and the ENC Encryption Request
Coordinator (Ft. Meade, MD) and released from ``EI'' and ``NS''
controls pursuant to Sec. 742.15(b) of the EAR, they are classified
under ECCN 5A992 and 5D992 respectively, and are thereafter outside the
scope of this section.
This rule removes the notification and review requirements for
items classified under ECCNs 5A992, 5D992, and 5E992, which were set
forth in former paragraphs Sec. 742.15(b) introductory paragraph and
Sec. 742.15 (b)(1) of the EAR.
This rule adds a reference to the ENC Encryption Request
Coordinator (FT. Meade, MD) with regard to the requirement for review
of mass market encryption commodities and software.
Specific instructions for how to fill out form 748P (multipurpose
application) for submission of a review request has been removed,
because these instructions were redundant and inconsistent with the
instructions found in paragraph (r) of Supplement No. 2 to part 748 of
the EAR. Instead, a reference to this paragraph (r) is added to new
paragraph 742.15(b)(1) ``Procedures for requesting review.''
This rule removes former paragraph (b)(2)(iii) that provided
authorization under the designation of ``no license required (NLR)''
for exports and reexports of encryption commodities
[[Page 57500]]
and software pending mass market treatment review by BIS to government
and non-government end-users located in countries listed in Supp. No. 3
to part 740 of the EAR or for internal use of foreign subsidiaries or
offices of firms, organizations and governments headquartered in Canada
or in countries listed in Supp. No. 3 to part 740 of the EAR. This
authorization was based on a temporary classification under ECCNs 5A992
and 5D992, which is inconsistent with the way other items are
classified in the EAR, therefore this provision is removed. Instead,
encryption commodities and software will remain under the
classification of ECCN 5A002 and 5D002 until 30 days have passed since
registration of the submitted review request or BIS issues a
classification under ECCN 5A992 or 5D992. However, this rule creates a
new authorization under License Exception ENC for such commodities and
software pending a decision by BIS concerning mass market treatment
under new paragraph 740.17(b)(1) of the EAR. This rule adds explanatory
text about this new procedure in (b)(2) ``Action by BIS.''
Section 742.15(b)(3) Exclusions for Notification and Review
Requirements
This rule removes the former exclusion paragraphs, because it is no
longer applicable and is replaced by new exclusion paragraphs from mass
market review requirements under Sec. 742.15(b). There are three new
exclusions: Certain short range wireless commodities and software,
wireless ``personal area network'' items, and ``ancillary
cryptography'' commodities and software.
Section 742.15(b)(4) Dormant Encryption and Enabling Software and
Commodities
This rule condenses this paragraph to remove text that pertained to
ECCNs 5A992 and 5D992.
Section 742.15(b)(5) Examples of Mass Market Software
The phrase ``designed for, bundled with, or pre-loaded on single
CPU computes'' is revised to read ``designed for computers classified
as ECCN 4A994 or EAR99.'' This phrase was changed to remove outdated
and confusing text related to computers. This rule also removes the
last phrase ``and commodities and software exported via free or
anonymous downloads.'' This phrase was removed because it confused the
public, in that it led people to believe that if they incorporated free
encryption software or open source encryption into their products that
it was not subject to the EAR, which is not the case.
Supplement No. 6 to Part 742 ``Guidelines for Submitting Review
Requests for Encryption Items''
The option to fax support documents is removed, because that method
has been replaced by either e-mailing the document in PDF or sending
the document by mail. A requirement to obtain express mail
certification of the mailing of support documentation is added for
those that intend to rely on the 30 day registration provisions of the
EAR.
Paragraph (a) is divided into 5 subparagraphs that clarify existing
review requirements and procedures. Former paragraph (a) is now new
subparagraph (a)(1), and is revised to add a requirement to include a
brief non-technical description of the type of product being submitted,
e.g., routers, disk drives, cell phones, chips, etc. Part of the
introductory paragraph to Supp. No. 6 that addressed prior reviews is
moved to a new subparagraph (a)(2), and is revised to add a
requirement, for products with minor changes in encryption
functionality, to include a cover sheet with complete reference to the
previous review (CCATS, Application Control Number (ACN),
ECCN, authorization paragraph) along with a clear description of the
changes. New subparagraph (a)(3) requires a description of how
encryption is used in the product and the categories of encrypted data
(i.e., stored data, communications, management data, internal data,
etc.). New subparagraph (a)(4) requires, for mass market reviews, a
specific description of who will be receiving the product and how the
product is being marketed, as well as how this method of marketing and
other relevant information (e.g., cost of product and volume of sales)
is described by the Cryptography Note (Note 3 to Category 5, Part 2).
New subparagraph (a)(5) clarifies information about any encryption
source code being used.
Subparagraph (c)(1) is amended by adding the phrase ``including
relevant parameters, inputs and settings'' to the end of the first
sentence. Subparagraph (c)(6) is amended by adding more examples of
communication and cryptographic functions, as well as replacing the
term ``encryption protocols'' with a more accurate term ``cryptographic
protocols and methods.'' An additional requirement is added to (c)(6)
to describe how the protocols that are supported are used. The text of
(c)(11) is revised to more clearly describe the information that would
assist BIS.
The introductory text for paragraphs (d) and (e) is clarified.
Section 744.9 ``Restrictions on Technical Assistance by U.S. Persons
With Respect to Encryption Items''
This rule removes Sec. 744.9 of the EAR that required
authorization from BIS for U.S. persons to provide technical assistance
(including training) to foreign persons with the intent to aid a
foreign person in the development or manufacture outside the United
States of encryption commodities or software that, if of U.S.-origin,
would be ``EI'' controlled under ECCNs 5A002 or 5D002. Section 744.9
was added to the EAR in 1996 when jurisdiction over dual-use encryption
items was transferred from the Department of State to the Department of
Commerce. Technical assistance is treated differently under the
International Trade in Arms Regulations (ITAR) than it is in EAR.
Technical assistance is considered a form of ``technology'' under the
definition of ``technology'' in section 772.1 of the EAR. The EAR
states that technical assistance ``may take forms such as instruction,
skills training, working knowledge, consulting services'' and that it
``may involve transfer of `technical data.' '' When a person performs
technical assistance, which draws upon ``development,'' ``production,''
or ``use'' ``technology'' obtained in the United States or that is of
U.S.-origin, then a release of ``technology'' takes place, which is
considered an export or reexport and may require authorization under
the EAR. BIS has observed that there is rarely an application for a
license submitted under the requirements of section 744.9; however,
requests for authorization under section 744.9 are often included in
license applications for export of ECCN 5E002 Technology. This has led
BIS to conclude that people are submitting license applications for
technology exports and reexports when involved in technical assistance.
Therefore, to harmonize the understanding of technical assistance as it
is understood in the EAR with the practical application of it by the
public, BIS is removing section 744.9. This removal does not remove any
license requirements for controlled encryption technology released
while performing technical assistance. This amendment does not affect
the scope of the note in former 744.9 in that the mere teaching or
discussion of information about cryptography, including, for example,
in an academic setting or in the work of groups or bodies engaged in
standards
[[Page 57501]]
development, by itself would not establish a license requirement under
ECCN 5E002, even where foreign persons are present. Section 744.9 is
replaced by a ``license requirement'' note in ECCN 5E002 on the
Commerce Control List.
Supplement No. 2 to Part 748 ``Unique Application and Submission
Requirements''
This rule adds a sentence instructing applicants to place an ``X''
in the box marked ``classification request'' in Block 5 (Type of
Application) of Form BIS-748P or select ``Commodity Classification'' if
filing electronically, because neither the electronic nor paper forms
provide a separate Block to check for submission of encryption review
requests.
Section 750.3 Review of License Application by BIS and Other Government
Agencies and Departments
This rule makes an editorial correction by removing paragraph
(b)(2)(iv) and redesignating (b)(2)(v) as (b)(2)(iv). This paragraph
referred to the Arms Control and Disarmament Agency (ACDA), which no
longer exists. However, ACDA's personnel and functions were absorbed by
the Department of State in 1999. Therefore, this rule revises paragraph
(b)(2)(iii) by adding national security and nuclear nonproliferation to
the description of State Department's concerns. Missile technology is
also added as a State Department concern because the State Department
chairs the Missile Technology Export control interagency working group.
Section 750.7 Issuance of Licenses
This rule removes paragraph (c)(2), which explained how to amend
your Encryption License Agreement (ELA) by letter. BIS has observed a
trend that industry has been submitting license applications for
replacement or new ELAs when they want a change. In addition, it is
more efficient for applicants to apply and track applications than
letters, because of BIS' electronic application system. It is also
easier for BIS to process and track submissions of applications than
letters for the same reason. Therefore, this provision is removed.
This rule removes the third and fourth sentences in the
introductory text of paragraph (d) that pertain to the responsibilities
of a licensee with regard to ELAs. These sentences are removed, because
a licensee may not transfer its license responsibilities.
Section 762.2 Records To Be Retained
This rule removes paragraph (b)(8), which referred to records
related to key escrow encryption items under License Exception KMI.
This rule removes License Exception KMI and Supplement No. 4 to part
742 ``Key Escrow or Key Recovery Products Criteria,'' therefore this
recordkeeping requirement no longer exists.
Section 770.2 Item Interpretations
This rule moves paragraph (n) ``Interpretation 14: Encryption
commodity and software reviews,'' to a new note under paragraphs
740.17(b) and 742.15(b), so that exporters do not miss this important
information about when to submit a new product review when a change has
occurred in the encryption product. The text of this paragraph is also
revised for clarity. The note explains that a new product review is not
required when a change involves: the subsequent bundling, patches,
upgrades or releases of a product; name changes; or changes to a
previously reviewed encryption product limited to updates in an
encryption software component (e.g., version updates of an encryption
library that is called by a product to provide encryption functionality
where the encryption library has either already been reviewed or did
not require prior review.)
Section 772.1 Definition of terms as used in the Export Administration
Regulations (EAR)
This rule removes the definition of ``strategic partner'' as this
term is not used in the control or licensing of encryption items. This
rule also adds definitions for two new terms ``ancillary cryptography''
and ``personal area network,'' which are associated with new review and
reporting exclusions in License Exception ENC.
Commerce Control List--Supplement No. 1 to Part 774
This rule revises the Nota Bene to the Cryptography Note at the
beginning of Category 5 Part 2 in order to harmonize it with the
revisions in this rule.
This rule clarifies what is controlled for ``EI'' reasons in ECCNs
5A002, 5D002, and 5E002 by replacing the text ``EI applies to
encryption items transferred from the U.S. Munitions List to the
Commerce Control List consistent with E.O.13026 of November 15, 1996
(61 FR 58767) and pursuant to the Presidential Memorandum of that date.
Refer to Sec. 742.15 of this subchapter.'' with appropriate text that
refers to specific paragraphs within those ECCNs for which EI applies.
For ECCN 5A002, the new EI control reads ``EI applies to 5A002.a.1,
a.2, a.5, a.6 and a.9. Refer to Sec. 742.15 of the EAR.'' For ECCN
5D002, the new EI control reads, ``EI applies to ``software'' in
5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002.
Refer to Sec. 742.15 of the EAR.'' For ECCN 5E002, the new EI control
reads, ``EI applies to ``technology'' for the ``development,''
``production,'' or ``use'' of commodities or ``software'' controlled
for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec. 742.15 of the
EAR.'' In addition, License Exception ENC is added to the License
Exception section of each of these ECCNs, because it is the principal
license exception for EI controlled items.
ECCN 5A002
This rule removes the license requirement notes section from ECCN
5A002, because there is no Wassenaar reporting requirement for this
ECCN. In addition, this rule makes editorial corrections to the Related
Controls paragraph by replacing the use of the term ``items'' with
commodities when referring to ECCN 5A002 and 5A992. Moreover, this rule
clarifies that if commodities are listed in paragraphs (a) through (f)
in the Note to 5A002, and therefore the commodities are classified
under ECCN 5A992, then the related software and technology are
classified under ECCNs 5D992 and 5E992, respectively. This rule also
revises Related Controls note 2 to be consistent with the mass market
review procedures of Sec. 742.15 of the EAR. This note now reads ``2)
After a review and classification by BIS, mass market encryption
commodities that meet eligibility requirements are released from ``EI''
and ``NS'' controls. These commodities are classified under ECCN
5A992.c. See Sec. 742.15(b) of the EAR.''
ECCN 5A992
This rule revises the anti-terrorism (AT) controls for ECCN 5A992,
by placing the entire entry under AT Column 1 controls, for ease of
understanding and compliance. This rule adds a new paragraph 5A992.c.
This new paragraph clarifies that a mass market commodity is classified
under ECCN 5A992 upon completion of Government review of a commodity in
accordance with paragraph 742.15(b) of the EAR, when that review
determines that the commodity meets the requirements for mass market
treatment. Encryption items are no longer presumed eligible for mass
market treatment while pending Government review.
[[Page 57502]]
ECCN 5D002
This rule removes the third note in the License Requirement
section, because the information in it does not harmonize with the
revision made in this rule. In addition, this rule adds another note to
the Related Controls paragraph to inform the public about the review
and classification of mass market software.
ECCN 5D992
This rule revises the anti-terrorism (AT) controls for ECCN 5D992,
by placing the entire entry under AT Column 1 controls, for ease of
understanding and compliance. Paragraphs 5D992.a.1 and a.2, and
5D992.b.1 and b.2, are combined as 5D992.a and 5D992.b, respectively,
in order to simplify the entry. This rule also removes paragraph
5D992.c (``software'' designed or modified to protect against malicious
computer damage, e.g., viruses) from ECCN 5D992, while adding a note in
the Related Control stating, ``This entry does not control ``software''
designed or modified to protect against malicious computer damage,
e.g., viruses, where the use of ``cryptography'' is limited to
authentication, digital signature and/or the decryption of data or
files.'' Certain software for protection against malicious damage that
meet the criteria of the Related Control note are thus now decontrolled
and classified as EAR99, unless the software performs functions that
are controlled under other ECCNs (whether under Category 5, part 2 or
elsewhere in the Commerce Control List). Such software remains subject
to the EAR and may be classified under ECCN 5D002 or 5D992 if it
performs cryptographic functionality controlled by these Category 5,
part 2 ECCNs (e.g., data or file encryption, including of user or
system data under Secure Socket Layer (SSL) encryption, even if the
cryptographic functionality is not directly user accessible.) Examples
of software decontrolled by this change include certain firewall and
other software for the screening of digital content and the detection
and removal of viruses, spyware and unsolicited commercial e-mail.
This rule also adds a new paragraph 5D992.c. This paragraph
clarifies that mass market software is classified under ECCN 5D992.c
upon completion of Government review of the software in accord with
Sec. 742.15 of the EAR when that review determines that the software
meets the requirements for mass market treatment. Encryption software
is no longer presumed eligible for mass market treatment.
ECCN 5E002
This rule adds a License Requirement Note to remind people to
consider the possibility of the release of technology when performing
technical assistance; the note reads, ``When a person performs or
provides technical assistance that incorporates, or otherwise draws
upon, ``technology'' that was either obtained in the United States or
is of U.S.-origin, then a release of the ``technology'' takes place.
Such technical assistance, when rendered with the intent to aid in the
``development'' or ``production'' of encryption commodities or software
that would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002,
may require authorization under the EAR even if the underlying
encryption algorithm to be implemented is from the public domain or is
not of U.S. origin.'' In addition, in order to harmonize with the
revisions in this rule and for consistency, this rule adds text to the
Related Controls paragraph of the List of Items Controlled section to
read ``This entry does not control ``technology'' ``required'' for the
``use'' of equipment excluded from control under the Related Controls
paragraph or the Technical Notes in ECCN 5A002 or ``technology''
related to equipment excluded from control under ECCN 5A002. This
``technology'' is classified as ECCN 5E992.''
ECCN 5E992
This rule revises the anti-terrorism (AT) controls for ECCN 5E992,
by placing the entire entry under AT Column 1 controls, for ease of
understanding and compliance. This rule revises the references in
5E992.a and .b to conform to revisions included in this rule.
Although the Export Administration Act expired on August 20, 2001,
the President, through Executive Order 13222 of August 17, 2001, 3 CFR,
2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008,
73 FR 43603 (July 25, 2008), has continued the Export Administration
Regulations in effect under the International Emergency Economic Powers
Act.
Rulemaking Requirements
1. This interim final rule has been determined to be not
significant for purposes of Executive Order 12866.
2. Notwithstanding any other provision of law, no person is
required to respond to, nor shall any person be subject to a penalty
for failure to comply with a collection of information subject to the
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et.
seq.) (PRA), unless that collection of information displays a currently
valid Office of Management and Budget (OMB) Control Number. This rule
involves two collections of information subject to the PRA. One of the
collections has been approved by OMB under control number 0694-0088,
``Multi Purpose Application,'' and carries a burden hour estimate of 58
minutes for a manual or electronic submission. The other collection has
been approved by OMB under control number 0694-0104, ``Commercial
Encryption Items Under the Jurisdiction of the Department of
Commerce,'' and carries a burden hour estimate of 7 hours for a manual
or electronic submission. Send comments regarding these burden
estimates or any other aspect of these collections of information,
including suggestions for reducing the burden, to Jasmeet Seehra, OMB
Desk Officer, by e-mail at [email protected] or by fax to (202) 395-
7285; and to the Office of Administration, Bureau of Industry and
Security, Department of Commerce, 14th and Pennsylvania Avenue, NW.,
Room 6622, Washington, DC 20230.
3. This rule does not contain policies with Federalism implications
as that term is defined under Executive Order 13132.
4. The provisions of the Administrative Procedure Act (5 U.S.C.
553) requiring notice of proposed rulemaking, the opportunity for
public participation, and a delay in effective date, are inapplicable
because this regulation involves a military and foreign affairs
function of the United States (5 U.S.C. 553(a)(1)). Further, no other
law requires that a notice of proposed rulemaking and an opportunity
for public comment be given for this interim final rule. Because a
notice of proposed rulemaking and an opportunity for public comment are
not required to be given for this rule under the Administrative
Procedure Act or by any other law, the analytical requirements of the
Regulatory Flexibility Act (5 U.S.C. 601 et. seq.) are not applicable.
Therefore, this regulation is issued in interim final form. Although
there is no formal comment period, public comments on this regulation
are welcome on a continuing basis. Comments should be submitted to
Sharron Cook, Office of Exporter Services, Bureau of Industry and
Security, Department of Commerce, 14th and Pennsylvania Ave., NW., Room
2705, Washington, DC 20230.
[[Page 57503]]
List of Subjects
15 CFR Parts 732, 740, 748 and 750
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Parts 738, 770 and 772
Exports.
15 CFR Part 744
Exports, Reporting and recordkeeping requirements, Terrorism.
15 CFR Part 742
Exports, Terrorism.
15 CFR Part 746
Exports, Reporting and recordkeeping requirements.
15 CFR Part 762
Administrative practice and procedure, Business and industry,
Confidential business information, Exports, Reporting and recordkeeping
requirements.
15 CFR Part 774
Exports, Reporting and recordkeeping requirements.
0
Accordingly, parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762,
770, 772 and 774 of the Export Administration Regulations (15 CFR parts
730-774) are amended as follows:
PART 732--[AMENDED]
0
1. The authority citation for part 732 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et.
seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O.
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23,
2008, 73 FR 43603 (July 25, 2008).
0
2. Section 732.2 is amended by revising paragraph (b) to read as
follows:
Sec. 732.2 Steps Regarding Scope of the EAR
* * * * *
(b) Step 2: Publicly available technology and software. This step
is relevant for both exports and reexports. Determine if your
technology or software is publicly available as defined and explained
at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR
contains several practical examples describing publicly available
technology and software that are outside the scope of the EAR. The
examples are illustrative, not comprehensive. Note that encryption
software controlled for EI reasons under ECCN 5D002 on the Commerce
Control List (refer to Supplement No.1 to Part 774 of the EAR) and mass
market encryption software with symmetric key length exceeding 64-bits
classified under ECCN 5D992 shall be subject to the EAR even if
publicly available. Accordingly, the provisions of the EAR concerning
the public availability of items are not applicable to encryption items
controlled for ``EI'' reasons under ECCN 5D002 and mass market
encryption software with symmetric key length exceeding 64-bits
classified under ECCN 5D992.
* * * * *
PART 734--[AMENDED]
0
3. The authority citation for part 734 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et.
seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O.
13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR,
2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25,
2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007).
0
4. Section 734.3 is amended by adding a note to paragraph (a)(4) to
read as follows:
Sec. 734.3 Items Subject to the EAR
(a) * * *
(4) * * *
Note to paragraph (a)(4): Certain foreign-manufactured items
developed or produced from U.S.-origin encryption items exported
pursuant to License Exception ENC are subject to the EAR. See
sections 740.17(a) and 740.17(b)(4)(ii) of the EAR.
0
5. Supplement No. 1 to part 734 is amended by revising the introductory
paragraph to read as follows:
Supplement No. 1 to Part 734--Questions and Answers--Technology and
Software Subject to the EAR
This Supplement No. 1 contains explanatory questions and answers
relating to technology and software that is subject to the EAR. It is
intended to give the public guidance in understanding how BIS
interprets this part, but is only illustrative, not comprehensive. In
addition, facts or circumstances that differ in any material way from
those set forth in the questions or answers will be considered under
the applicable provisions of the EAR. Exporters should note that the
provisions of this supplement do not apply to encryption software
classified under ECCN 5D002 for ``EI'' reasons on the Commerce Control
List or to mass market encryption software with symmetric key length
exceeding 64-bits classified under ECCN 5D992. This Supplement is
divided into nine sections according to topic as follows:
* * * * *
PART 738--[AMENDED]
0
6. The authority citation for part 738 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et
seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42
U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5;
22 U.S.C. 7201 et. seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp.,
p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).
0
7. Section 738.4 is amended by revising paragraphs (a)(1) and
(a)(2)(ii)(B) to read as follows:
Sec. 738.4 Determining Whether a License Is Required
(a) * * *
(1) Overview. Once you have determined that your item is classified
under a specific ECCN, you must use information contained in the
``License Requirements'' section of that ECCN in combination with the
Country Chart to decide whether a license is required. Note that not
all license requirements set forth under the ``License Requirements''
section of an ECCN refer you to the Commerce Country Chart, but in some
cases this section will contain references to a specific section in the
EAR for license requirements. In such cases, this section would not
apply.
(2) * * *
(ii) * * *
(B) If no, a license is not required based on the particular Reason
for Control and destination. Provided that General Prohibitions Four
through Ten do not apply to your proposed transaction and that any
applicable review requirements described in Sec. 742.15(b) of the EAR
have been met for certain mass market encryption items controlled under
ECCNs 5A992 or 5D992, you may effect your shipment using the symbol
``NLR.'' Proceed to parts 758 and 762 of the EAR for information on
export clearance procedures and recordkeeping requirements. Note that
although you may stop after determining a license is required based on
the first Reason for Control, it is best to work through each
applicable Reason for Control. A full analysis of every possible
licensing requirement based on each applicable Reason for Control is
required to determine the most advantageous License Exception available
for your particular transaction and, if a license is
[[Page 57504]]
required, ascertain the scope of review conducted by BIS on your
license application.
* * * * *
PART 740--[AMENDED]
0
8. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp.,
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice
of July 23, 2008, 73 FR 43603 (July 25, 2008).
0
9. Section 740.3 is amended by revising paragraph (d)(5) to read as
follows:
Sec. 740.3 Shipments of Limited Value (LVS)
* * * * *
(d) * * *
(5) Exports and reexports of encryption components or spare parts.
For components or spare parts controlled for ``EI'' reasons under ECCN
5A002, exports and reexports under this License Exception must be
destined to support a commodity previously authorized for export or
reexport.
* * * * *
Sec. 740.8 [Removed]
0
10. Remove and reserve Sec. 740.8.
Sec. 740.13 [Amended]
0
11. Section 740.13 is amended by removing the quotation marks around
the term ``mass market'' in paragraph (d) heading, paragraph (d)(1),
footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii).
0
12. Section 740.17 is revised to read as follows:
Sec. 740.17 Encryption Commodities, Software and Technology (ENC).
License Exception ENC authorizes export and reexport of software
and commodities and components therefor that are classified under ECCNs
5A002.a.1, a.2, a.5, a.6 or a.9, 5B002, 5D002, and technology that is
classified under ECCN 5E002. This License Exception ENC does not
authorize export or reexport to, or provision of any service in any
country listed in Country Group E:1 in Supplement No. 1 to part 740 of
the EAR, or release of source code or technology to any national of a
country listed in Country Group E:1. Reexports and transfers under
License Exception ENC are subject to the criteria set forth in
paragraph (c) of this section. Paragraph (d) of this section sets forth
information about review requests required by this section. Paragraph
(e) sets forth reporting required by this section.
(a) No prior review or post export reporting required--(1) Internal
``development'' or ``production'' of new products. License Exception
ENC authorizes exports and reexports of items described in paragraph
(a)(1)(i) of this section, to end-users described in paragraph
(a)(1)(ii) of this section, for the intended end-use described in
paragraph (a)(1)(iii) of this section without prior review by the U.S.
Government.
(i) Eligible items. Eligible items are those classified under ECCNs
5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002.
(ii) Eligible end-users. Eligible end-users are ``private sector
end-users'' wherever located, except to countries listed in Country
Group E:1 (see Supplement No. 1 to part 740 of the EAR) that are
headquartered in a country listed in Supplement No. 3 of this part.
Note to paragraph (a)(1)(ii): A ``private sector end-user'' is:
(1) An individual who is not acting on behalf of any foreign
government; or
(2) A commercial firm (including its subsidiary and parent
firms, and other subsidiaries of the same parent) that is not wholly
owned by, or otherwise controlled by or acting on behalf of, any
foreign government.
(iii) Eligible end-use. The eligible end-use is internal
``development'' or ``production'' of new products by those end-
users.
Note to paragraph (a)(1)(iii): All items produced or developed
with items exported or reexported under this paragraph (a)(1) are
subject to the EAR. These items may require review and authorization
before sale, reexport or transfer, unless otherwise authorized by
license or license exception.
(2) Exports and reexports to ``U.S. Subsidiaries.'' License
Exception ENC authorizes export and reexport of items classified under
ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002 to
any ``U.S. subsidiary,'' wherever located, except to countries listed
in Country Group E:1 (see Supplement No. 1 to part 740 of the EAR),
without prior review by the U.S. Government. License Exception ENC also
authorizes export or reexport of such items by a U.S. company and its
subsidiaries to foreign nationals who are employees, contractors or
interns of a U.S. company or its subsidiaries if the items are for
internal company use, including the ``development'' or ``production''
of new products, without prior review by the U.S. Government.
Note to paragraph (a)(2): All items produced or developed with
items exported or reexported under this paragraph (a)(2) are subject to
the EAR. These items may require review and authorization before sale,
reexport or transfer, unless otherwise authorized by license or license
exception.
(b) Prior review required. License Exception ENC authorizes the
export and reexport of commodities and software that require a license
under ECCNs 5A002.a.1, a.2, a.5, a.6, or a.9, 5B002, or 5D002.
Paragraph (b)(1)(i) of this section also authorizes the export and
reexport of ``technology'' controlled for EI reasons under ECCN 5E002
to the end-users indicated in paragraph (b)(1)(i). Exports and
reexports authorized under this paragraph (b) of License Exception ENC
require submission of a review request in accordance with paragraph (d)
of this section. License Exception ENC does not authorize the export or
reexport of cryptanalytic items to any ``government end-user''. Export
or reexport of items that provide an ``open cryptographic interface''
is only authorized under paragraph (b)(1)(i) of this section. Exports
and reexports authorized under paragraph (b) of this section are
subject to reporting requirements in accordance with paragraph (e) of
this section.
(1) Review required without waiting period. Once your review
request is registered with BIS in accordance with paragraph (d) of this
section, License Exception ENC authorizes the exports or reexports
(except to countries listed in Country Group E:1 of Supplement No. 1 to
part 740 of the EAR) to the following destinations:
(i) Export and reexport to countries listed in Supplement No. 3 of
this part. License Exception ENC authorizes the export and reexport of
encryption items, including EI controlled commodities or software
(excluding source code) that are pending review for mass market
treatment (under Sec. 742.15(b) of the EAR), to ``government end-
users'' and non-``government end-users'' located in countries listed in
Supplement 3 of this part, as well as to foreign subsidiaries or
offices of firms, organizations and governments headquartered in
countries listed in Supplement 3 of this part.
(ii) Export and reexport to countries not listed in Supplement No.
3 of this part. License Exception ENC authorizes the export and
reexport of the following commodities and software:
(A) Encryption commodities and software (including key management
products), as follows: for symmetric algorithms with key lengths not
exceeding 80 bits; for asymmetric algorithms with key lengths not
exceeding 1,024 bits; and for elliptic curve algorithms with key
lengths not exceeding 160 bits. (After review has been completed, the
issued Commodity Classification Automated Tracking
[[Page 57505]]
System (CCATS) document will indicate authorization is under paragraph
(b)(2) or (b)(3) of this section, whichever paragraph is appropriate.)
(B) Encryption source code that would not be eligible for export or
reexport under License Exception TSU, provided that a copy of the
source code is included in the review request, to non-''government end-
users'' located in any country except a country listed in Country Group
E:1 of Supplement No. 1 to part 740 of the EAR. (After the review has
been completed, the issued Commodity Classification Automated Tracking
System (CCATS) document will indicate authorization is under paragraph
(b)(2) of this section.)
(2) Review required with 30 day wait (non-``government end-users''
only). Thirty days after your review request is registered with BIS in
accordance with paragraph (d) of this section and subject to the
reporting requirements in paragraph (e) of this section, License
Exception ENC authorizes the export or reexport of the following
commodities and software to non-``government end-users'' located in a
country not listed in Supplement No. 3 to this part or Country Group
E:1 of Supplement No. 1 to part 740 of the EAR:
(i) Network infrastructure software and commodities and components
thereof (including commodities and software necessary to activate or
enable cryptographic functionality in network infrastructure products)
providing secure Wide Area Network (WAN), Metropolitan Area Network
(MAN), Virtual Private Network (VPN), satellite, digital packet
telephony/media (voice, video, data) over internet protocol, cellular
or trunked communications meeting any of the following with key lengths
exceeding 80-bits for symmetric algorithms:
(A) Aggregate encrypted WAN, MAN, VPN or backhaul throughput
(includes communications through wireless network elements such as
gateways, mobile switches, controllers, etc) greater than 90 Mbps;
(B) Wire (line), cable or fiber-optic WAN, MAN or VPN single-
channel input data rate exceeding 154 Mbps;
(C) Media (voice/video/data) encryption or centralized key
management supporting more than 250 concurrent encrypted data channels,
or encrypted signaling to more than 1,000 endpoints, for digital packet
telephony/media (voice/video/data) over internet protocol
communications; or
(D) Air-interface coverage (e.g., through base stations, access
points to mesh networks, bridges, etc.) exceeding 1,000 meters, where
any of the following applies:
(1) Maximum transmission data rates exceeding 10 Mbps (at operating
ranges beyond 1,000 meters);
(2) Maximum number of concurrent full-duplex voice channels
exceeding 30; or
(3) Substantial support is required for installation or use;
(ii) Encryption source code that would not be eligible for export
or reexport under License Exception TSU because it is not publicly
available as that term is used in Sec. 740.13(e)(1) of the EAR, and
the export or reexport of the encryption source code that is not
otherwise eligible for License Exception ENC under paragraph
(b)(1)(ii)(B) of this section;
(iii) Encryption software, commodities or components therefor, that
have any of the following:
(A) Been designed, modified, adapted or customized for ``government
end-user(s)'' or government end-use (e.g., to secure police, state
security, or emergency response communications), including encryption
commodities and software for external security operations center (SOC)/
network operations center (NOC) command and infrastructure, public
safety radio, and digital forensics/computer forensics;
(B) Cryptographic functionality that has been modified or
customized to customer specification; or
(C) Cryptographic functionality or ``encryption component'' (except
encryption software that would be considered publicly available, as
that term is used in Sec. 740.13(e)(1) of the EAR) that is user-
accessible and can be easily changed by the user;
(iv) ``Cryptanalytic items'';
(v) Encryption commodities and software that provide functions
necessary for quantum cryptography, as defined in ECCN 5A002 of the
Commerce Control List;
(vi) Encryption commodities and software that have been modified or
customized for computers classified under ECCN 4A003.
(3) Review required with 30 day waiting period (``government end-
users'' or non-``government end-users''). Thirty days after your review
request is registered with BIS in accordance with paragraph (d) of this
section, License Exception ENC authorizes the export and reexport of
software and commodities and components not listed in paragraph (b)(2)
of this section to either ``government end-users'' or non-``government
end-users'' located in a country not listed in Supplement No. 3 to this
part or Country Group E:1 of Supplement No. 1 to part 740 of the EAR.
(4) Items excluded from review requirements--(i) Short-range
wireless encryption functions. Commodities and software not otherwise
controlled in Category 5, but that are classified under ECCN 5A002,
5B002 or 5D002 only because they incorporate components or software
that provide short-range wireless encryption functions (e.g., with a
nominal operating range not exceeding 100 meters according to the
manufacturer's specifications). Commodities and software included in
this description include those designed to comply with the Institute of
Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard
(35 meters) for short-range use and those designed to comply with the
IEEE 802.15.1 standard that provide only the short-range wireless
encryption functionality, and would not be classified under Category 5,
part 1 of the CCL (telecommunications) absent this encryption
functionality. Certain items excluded from review by this paragraph may
also be excluded from review under paragraph (b)(4)(iii) of this
section (personal area networks) or paragraph (b)(4)(iv) of this
section (commodities and software that provide ``ancillary
cryptography'').
(ii) Foreign products developed with or incorporating U.S.-origin
encryption source code, components, or toolkits. Foreign products
developed with or incorporating U.S.-origin encryption source code,
components or toolkits that are subject to the EAR, provided that the
U.S.-origin encryption items have previously been reviewed and
authorized by BIS and the cryptographic functionality has not been
changed. Such products include foreign-developed products that are
designed to operate with U.S. products through a cryptographic
interface.
(iii) Wireless ``personal area network'' items. Wireless ``personal
area network'' items that implement only published or commercial
cryptographic standards and where the cryptographic capability is
limited to a nominal operating range not exceeding 30 meters according
to the manufacturer's specifications. See Nota Bene of the definition
for ``personal area network'' in Sec. 772.1 of the EAR.
(iv) ``Ancillary cryptography.'' Commodities and software that
perform ``ancillary cryptography.'' See Nota Bene of definition of
``ancillary cryptography'' in Sec. 772.1 of the EAR.
Note to paragraph (b): A new product review is required if a
change is made to the cryptographic functionality (e.g., algorithms)
or other technical characteristics affecting License Exception ENC
eligibility (e.g., encrypted throughput) of the originally
[[Page 57506]]
reviewed product. However, a new product review is not required when
a change involves: The subsequent bundling, patches, upgrades or
releases of a product; name changes; or changes to a previously
reviewed encryption product where the change is limited to updates
of encryption software components where the product is otherwise
unchanged.
(c) Reexport and transfer. U.S. or foreign distributors, resellers
or other entities who are not original manufacturers of encryption
commodities and software are permitted to use License Exception ENC
only in instances where the export or reexport meets the applicable
terms and conditions of this section. Transfers of encryption items
listed in paragraph (b)(2) of this section to ``government end-users,''
or for government end-uses, within the same country are prohibited,
unless otherwise authorized by license or license exception.
(d) Review request procedures--(1) Submission. To request review of
your encryption items under License Exception ENC, you must submit to
BIS and to the ENC Encryption Request Coordinator form BIS-748P
(Multipurpose Application), or its electronic equivalent in accordance
with the instructions in paragraph (r) of Supplement No. 2 to part 748
``Unique Application and Submission Requirements'' and the applicable
information described in paragraphs (a) through (e) of Supplement No. 6
to part 742 of the EAR (Guidelines for Submitting Review Requests for
Encryption Items). Failure to properly complete these items may delay
consideration of your review request.
(2) Action by BIS--(i) Notification. Upon completion of its review,
BIS will send you written notice of the provisions of this section, if
any, under which your items may be exported or reexported.
(ii) After 30 days. If BIS has not, within 30 days of registration
of a complete review request from you, informed you that your item is
not authorized for License Exception ENC, you may export or reexport
under the applicable provisions of License Exception ENC.
(iii) Hold Without Action (HWA). BIS may hold your review request
without action if necessary to obtain additional information or for any
other reason necessary to ensure an accurate determination with respect
to ENC eligibility. Time on such ``hold without action'' status shall
not be counted towards fulfilling the 30 day waiting period specified
in this paragraph and in paragraphs (b)(2) and (b)(3) of this section.
BIS may require you to supply additional relevant technical information
about your encryption item(s) or information that pertains to their
eligibility for License Exception ENC at any time, before or after the
expiration of the 30 day waiting period specified in this paragraph and
in paragraphs (b)(2) and (b)(3) of this section. If you do not supply
such information within 14 days after receiving a request for it from
BIS, BIS may return your review request(s) without action or otherwise
suspend or revoke your eligibility to use License Exception ENC for
that item(s). At your request, BIS may grant you up to an additional 14
days to provide the requested information. Any request for such an
additional number of days must be made prior to the date by which the
information was otherwise due to be provided to BIS, and may be
approved if BIS concludes that additional time is necessary.
(e) Reporting requirements--(1) Semi-annual reporting requirement.
Semi-annual reporting is required for exports to all destinations other
than Canada, and for reexports from Canada, under this license
exception. Certain encryption items and transactions are excluded from
this reporting requirement, see paragraph (e)(1)(iii) of this section.
For information about what must be included in the report and
submission requirements, see paragraphs (e)(1)(i) and (e)(1)(ii) of
this section respectively.
(i) Information required. Exporters must include for each item, the
Commodity Classification Automated Tracking System (CCATS) number and
the name of the item(s) exported (or reexported from Canada), and the
following information in their reports:
(A) Distributors or resellers. For items exported (or reexported
from Canada) to a distributor or other reseller, including subsidiaries
of U.S. firms, the name and address of the distributor or reseller, the
item and the quantity exported or reexported and, if collected by the
exporter as part of the distribution process, the end-user's name and
address;
(B) Individual consumers. For items exported (or reexported from
Canada) to individual consumers through direct sale, the name and
address of the recipient, the item, and the quantity exported; or
(C) Foreign manufacturers and products that use encryption items.
For exports (i.e., from the United States) or direct transfers (e.g. by
a ``U.S. subsidiary'' located outside the United States) of encryption
components, source code, general purpose toolkits, equipment controlled
under ECCN 5B002, technology, or items that provide an ``open
cryptographic interface'' exported to a foreign developer or
manufacturer headquartered in a country not listed in Supplement No. 3
to this part when intended for use in foreign products developed for
commercial sale, the names and addresses of the manufacturers using
these encryption items and, if known, when the product is made
available for commercial sale, a non-proprietary technical description
of the foreign products for which these encryption items are being used
(e.g., brochures, other documentation, descriptions or other
identifiers of the final foreign product; the algorithm and key lengths
used; general programming interfaces to the product, if known; any
standards or protocols that the foreign product adheres to; and source
code, if available).
(ii) Submission requirements. For exports occurring between January
1 and June 30, a report is due no later than August 1 of that year. For
exports occurring between July 1 and December 31, a report is due no
later than February 1 the following year. These reports must be
provided in electronic form. Recommended file formats for electronic
submission include spreadsheets, tabular text or structured text.
Exporters may request other reporting arrangements with BIS to better
reflect their business models. Reports may be sent electronically to
BIS at [email protected] and to the ENC Encryption Request Coordinator
at [email protected], or disks and CDs containing the reports may be sent to
the following addresses:
(A) Department of Commerce, Bureau of Industry and Security, Office
of National Security and Technology Transfer Controls, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Reports, and
(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road,
Suite 6940, Ft. Meade, MD 20755-6000.
(iii) Exclusions from reporting requirement. Reporting is not
required for the following items and transactions:
(A) Any encryption item exported (or reexported from Canada) under
paragraph (a) of this section;
(B) Encryption commodities or software with a symmetric key length
not exceeding 64 bits;
(C) Encryption commodities or software authorized under paragraph
(b)(3) of this section, exported (or reexported from Canada) to
individual consumers;
[[Page 57507]]
(D) Encryption items exported (or reexported from Canada) via free
and anonymous download;
(E) Encryption items from or to a U.S. bank, financial institution
or its subsidiaries, affiliates, customers or contractors for banking
or financial operations;
(F) Items listed in (b)(4) of this section, unless it is a foreign
item described in (b)(4)(ii) that has entered the United States;
(G) Foreign products developed by bundling or compiling of source
code;
(H) General purpose operating systems, or desktop applications
(e.g., e-mail, browsers, games, word processing, data base, financial
applications or utilities) authorized under paragraph (b)(3) of this
section;
(I) Client Internet appliance and client wireless LAN cards; or
(J) Other items as determined on a case-by-case basis.
(2) Reporting key length increases. Reporting is required for
commodities and software that, after having been reviewed and
authorized for License Exception ENC by BIS, are modified only to
upgrade the key length used for confidentiality or key exchange
algorithms. Such items may be exported or reexported under the
previously authorized provision of License Exception ENC without
further review.
(i) Information required. (A) A certification that no change to the
encryption functionality has been made other than to upgrade the key
length for confidentiality or key exchange algorithms.
(B) The original Commodity Classification Automated Tracking System
(CCATS) authorization number issued by BIS and the date of issuance.
(C) The new key length.
(ii) Submission requirements. (A) The report must be received by
BIS and the ENC Encryption Request Coordinator before the export or
reexport of the upgraded product; and
(B) The report is e-mailed to [email protected] and [email protected].
Supplement No. 3 to Part 740 [Amended]
0
13. Supplement No. 3 is amended by:
0
a. Revising the heading to read ``License Exception ENC Favorable
Treatment Countries''; and
0
b. Adding Bulgaria, Canada, Iceland, Romania, and Turkey in alphabetic
order.
PART 742--[AMENDED]
0
14. The authority citation for part 742 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22
U.S.C. 7210; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43
FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR,
1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p.
950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222,
66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination
2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of July
23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007,
72 FR 63963 (November 13, 2007).
0
15. Section 742.15 is revised to read as follows:
Sec. 742.15 Encryption items.
Encryption items can be used to maintain the secrecy of
information, and thereby may be used by persons abroad to harm U.S.
national security, foreign policy and law enforcement interests. The
United States has a critical interest in ensuring that important and
sensitive information of the public and private sector is protected.
Consistent with our international obligations as a member of the
Wassenaar Arrangement, the United States has a responsibility to
maintain control over the export and reexport of encryption items. As
the President indicated in Executive Order 13026 and in his Memorandum
of November 15, 1996, exports and reexports of encryption software,
like exports and reexports of encryption hardware, are controlled
because of this functional capacity to encrypt information, and not
because of any informational or theoretical value that such software
may reflect, contain, or represent, or that its export or reexport may
convey to others abroad. For this reason, export controls on encryption
software are distinguished from controls on other software regulated
under the EAR.
(a) Licensing requirements and policy--(1) Licensing requirements.
A license is required to export or reexport encryption items (``EI'')
classified under ECCN 5A002.a.1, a.2, a.5, a.6 and a.9; 5D002.a or c.1
for equipment controlled for EI reasons in ECCN 5A002; or 5E002 for
``technology'' for the ``development,'' ``production,'' or ``use'' of
commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or
5D002 to all destinations, except Canada. Refer to part 740 of the EAR
for license exceptions that apply to certain encryption items, and to
Sec. 772.1 of the EAR for definitions of encryption items and terms.
Most encryption items may be exported under the provisions of License
Exception ENC set forth in Sec. 740.17 of the EAR. Before submitting a
license application, please review License Exception ENC to determine
whether this license exception is available for your item or
transaction. For exports and reexports of encryption items that are not
eligible for a license exception, exporters must submit an application
to obtain authorization under a license or an Encryption Licensing
Arrangement.
(2) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine
whether the export or reexport is consistent with U.S. national
security and foreign policy interests. Encryption Licensing
Arrangements (ELAs) may be authorized for exports and reexports of
unlimited quantities of encryption commodities and software to national
or federal government bureaucratic agencies for civil use, and to
state, provincial or local governments, in all destinations, except
countries listed in Country Group E:1 of Supplement No. 1 to part 740.
ELAs are valid for four years and may require post-export reporting or
pre-shipment notification. Applicants seeking authorization for
Encryption Licensing Arrangements must specify the sales territory and
class of end-user on their license applications.
Note to paragraph (a): Pursuant to Note 3 to Category 5 Part 2
of the Commerce Control List in Supplement No. 1 to part 774, once
mass market encryption commodities and software have been reviewed
by BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD)
and released from ``EI'' and ``NS'' controls pursuant to Sec.
742.15(b) of the EAR, they are classified under ECCN 5A992 and 5D992
respectively, and are thereafter outside the scope of this section.
(b) Review requirement for mass market encryption commodities and
software exceeding 64 bits: Mass market encryption commodities and
software employing a key length greater than 64 bits for the symmetric
algorithm (including such products previously reviewed by BIS and
exported under ECCN 5A002 or 5D002) are subject to the EAR and require
review by BIS and the ENC Encryption Request Coordinator (Ft. Meade,
MD), prior to export or reexport. Encryption commodities and software
that are described in Sec. 740.17(b)(2) of the EAR do not qualify for
mass market treatment. A new product review is required if a change is
made to the cryptographic functionality (e.g., algorithms) or other
technical characteristics affecting mass market eligibility (e.g.,
performance enhancements to provide network infrastructure services, or
customizations to end-user specifications) of the originally reviewed
product. However, a new product review is not required when a change
involves: The subsequent
[[Page 57508]]
bundling, patches, upgrades or releases of a product; name changes; or
changes to a previously reviewed encryption product where the change is
limited to updates of encryption software components where the product
is otherwise unchanged.
(1) Procedures for requesting review. To request review of your
mass market encryption products, you must submit to BIS and the ENC
Encryption Request Coordinator the information described in paragraphs
(a) through (e) of Supplement No. 6 to this part 742, and you must
include specific information describing how your products qualify for
mass market treatment under the criteria in the Cryptography Note (Note
3) of Category 5, Part 2 (``Information Security''), of the Commerce
Control List (Supplement No. 1 to part 774 of the EAR). Review requests
must be submitted on Form BIS-748P (Multipurpose Application), or its
electronic equivalent, as described in Sec. 748.3 of the EAR. See
paragraph (r) of Supplement No. 2 to Part 748 of the EAR for special
instructions about this submission. Review requests that are not
submitted electronically to BIS should be mailed to the address
indicated in Sec. 748.2(c) of the EAR. Submissions to the ENC
Encryption Request Coordinator should be directed to the mailing
address indicated in Sec. 740.17(e)(1)(ii) of the EAR. BIS will notify
you if there are any questions concerning your request for review
(e.g., because of missing or incompatible support documentation).
(2) Action by BIS. Once BIS has completed its review, you will
receive written confirmation concerning the eligibility of your items
for export or reexport as mass market encryption commodities or
software classified under ECCN 5A992 or 5D992. If, during the course of
its review, BIS determines that your encryption items do not qualify
for mass market treatment under the EAR, or are otherwise classified
under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will
review your commodities or software for eligibility under License
Exception ENC (see Sec. 740.17 of the EAR for review and reporting
requirements for encryption items under License Exception ENC). BIS
reserves the right to suspend your eligibility to export and reexport
under the provisions of this paragraph (b) and to return review
requests, without action, if the requirements for review have not been
met. Thirty days after BIS registers your review request, you may
export or reexport these mass market encryption products, without a
license, to government and non-government end-users located in most
destinations outside the countries listed in Supplement No. 3 to part
740 of the EAR (certain destinations and persons may require a license
for anti-terrorism (AT) reasons or for reasons specified elsewhere in
the EAR), unless otherwise notified by BIS (e.g., because of missing or
incomplete support documentation or conversion to License Exception ENC
review.) The thirty days does not include any time that your review
request is on hold without action.
(3) Exclusions from review requirements. The following commodities
and software do not require review prior to export or reexport as mass
market products.
(i) Short-range wireless encryption functions. Commodities and
software not otherwise controlled in Category 5, but that are
classified under ECCN 5A992 or 5D992 only because they incorporate
components or software that provide short-range wireless encryption
functions (e.g., with a nominal operating range not exceeding 100
meters according to the manufacturer's specifications). Commodities and
software included in this description include those designed to comply
with the Institute of Electrical and Electronic Engineers (IEEE) 802.11
wireless LAN standard (35 meters) for short-range use and those
designed to comply with the IEEE 802.15.1 standard that provide only
the short-range wireless encryption functionality, and would not be
classified under Category 5, part 1 of the CCL (telecommunications)
absent this encryption functionality. Certain items excluded from
review by this paragraph may also be excluded from review under
paragraph (b)(3)(ii) of this section (personal area networks) or
paragraph (b)(3)(iii) of this section (commodities and software that
provide ``ancillary cryptography'').
(ii) Wireless ``personal area network'' items. Wireless ``personal
area network'' items that implement only published or commercial
cryptographic standards and where the cryptographic capability is
limited to a nominal operating range not exceeding 30 meters according
to the manufacturer's specifications. See Nota Bene of the definition
for ``personal area network'' in Sec. 772.1 of the EAR.
(iii) ``Ancillary cryptography''. Commodities and software that
perform ``ancillary cryptography.'' See Nota Bene of definition of
``ancillary cryptography'' in Sec. 772.1 of the EAR.
(4) Commodities and software that activate or enable cryptographic
functionality. Commodities, software, and components that allow the
end-user to activate or enable cryptographic functionality in
encryption products which would otherwise remain disabled, are
controlled according to the functionality of the activated encryption
product.
(5) Examples of mass market encryption products. Subject to the
requirements of the Cryptography Note (Note 3) in Category 5, Part 2,
of the Commerce Control List, mass market encryption products include,
but are not limited to, general purpose operating systems and desktop
applications (e.g., e-mail, browsers, games, word processing, database,
financial applications or utilities) designed for use with computers
classified as ECCN 4A994 or EAR99, laptops, or hand-held devices;
commodities and software for client Internet appliances and client
wireless LAN devices; home use networking commodities and software
(e.g., personal firewalls, cable modems for personal computers, and
consumer set top boxes); and portable or mobile civil
telecommunications commodities and software (e.g., personal data
assistants (PDAs), radios, or cellular products).
Supplement No. 4 to Part 742 [Removed]
0
16. Supplement No. 4 to Part 742 is removed and reserved.
0
17. Supplement No. 6 to Part 742 is amended by:
0
a. Revising the introductory paragraph;
0
b. Revising paragraph (a);
0
c. Revising paragraphs (c)(1), (c)(6), and (c)(11);
0
e. Revising the introductory paragraphs of (d) and (e), to read as
follows:
Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests
for Encryption Items
Review requests for encryption items must be submitted on Form
BIS-748P (Multipurpose Application), or its electronic equivalent,
and supported by the documentation described in this Supplement, in
accordance with the procedures described in Sec. 748.3 of the EAR.
To ensure that your review request is properly routed, insert the
phrase ``Mass market encryption'' or ``License Exception ENC''
(whichever is applicable) in Block 9 (Special Purpose) of the
application form and place an ``X'' in the box marked
``Classification Request'' in Block 5 (Type of Application)--Block 5
does not provide a separate item to check for the submission of
encryption review requests. Failure to properly complete these items
may delay consideration of your review request. BIS recommends that
review requests be delivered via courier service or be sent to:
Bureau of Industry and Security, U.S. Department of Commerce, 14th
Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230.
[[Page 57509]]
For electronic submissions via SNAP-R, support documents not
readily attached in PDF format must be sent to: Bureau of Industry
and Security, Information Technology Controls Division, Room 2093,
14th Street and Pennsylvania Ave., NW., Washington, DC 20230.
In addition, you must send a copy of your review request and all
support documents to: Attn: ENC Encryption Request Coordinator, 9800
Savage Road, Suite 6940, Fort Meade, MD 20755-6000.
If you intend to rely on the 30 day registration provisions of
the regulations, express mail certification of these documents is
needed.
(a)(1) State the name(s) of each product being submitted for
review and provide a brief non-technical description of the type of
product (e.g., routers, disk drives, cell phones, chips, etc.) being
submitted.
(2) Indicate whether there have been any prior reviews of the
product(s), if such reviews are applicable to the current
submission. For products with minor changes in encryption
functionality, you must include a cover sheet with complete
reference to the previous review (Commodity Classification Automated
Tracking System (CCATS) number, Application Control Number (ACN),
Export Control Classification Number (ECCN), authorization
paragraph) along with a clear description of the changes.
(3) Describe how encryption is used in the product and the
categories of encrypted data (e.g., stored data, communications,
management data, internal data, etc.).
(4) For mass market review requests, describe specifically to
whom and how the product is being marketed and state how this method
of marketing and other relevant information (e.g., cost of product
and volume of sales) are described by the Cryptography Note (Note 3
to Category 5, Part 2).
(5) Is any ``encryption source code'' being provided (shipped or
bundled) as part of this offering? If yes, is this source code
publicly available source code, unchanged from the code obtained
from an open source web site, or is it proprietary ``encryption
source code?''
* * * * *
(c) * * *
(1) Description of all the symmetric and asymmetric encryption
algorithms and key lengths and how the algorithms are used,
including relevant parameters, inputs and settings. Specify which
encryption modes are supported (e.g., cipher feedback mode or cipher
block chaining mode).
* * * * *
(6) State all communication protocols (e.g., X.25, Telnet, TCP,
IEEE 802.11, IEEE 802.16, SIP * * *) and cryptographic protocols and
methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECCN, MD5, SHA,
X.509, PKCS standards * * *) that are supported and describe how
they are used.
* * * * *
(11) License Exception ENC `Restricted' commodities and software
described by the criteria in Sec. 740.17(b)(2) require licenses to
certain ``government end-users.'' Describe whether the product(s)
meet any of the Sec. 740.17(b)(2) criteria. Provide specific data
for each of the parameters listed, as applicable (e.g., maximum
aggregate encrypted user data throughput, maximum number of
concurrent encrypted channels, and operating range for wireless
products). If the Sec. 740.17(b)(2) parameters are not applicable
to the commodity or software, clearly explain why (e.g., by
providing specific data evaluated against the Sec. 740.17(b)(2)
thresholds.)
(d) For review requests for hardware or software ``encryption
components'' other than source code (i.e., chips, toolkits,
executable or linkable modules intended for use in or production of
another encryption item) provide the following additional
information:
* * * * *
(e) For review requests for ``encryption source code'' provide
the following information:
* * * * *
PART 744--[AMENDED]
0
18. The authority citation for part 744 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22
U.S.C. 7210; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179;
E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59
FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60 FR 5079, 3 CFR,
1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p.
228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p. 208; E.O. 13222,
66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224, 66 FR 49079, 3
CFR, 2001 Comp., p. 786; Notice of July 23, 2008, 73 FR 43603 (July
25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13,
2007).
Sec. 744.9 [Removed]
0
19. Remove and reserve Sec. 744.9.
PART 746--[AMENDED]
0
20. The authority citation for part 746 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 287c; Sec 1503, Pub. L. 108-11, 117 Stat. 559; 22 U.S.C.
6004; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 12854, 58 FR
36587, 3 CFR, 1993 Comp., p. 614; E.O. 12918, 59 FR 28205, 3 CFR,
1994 Comp., p. 899; E.O. 13222, 3 CFR, 2001 Comp., p. 783;
Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May
16, 2003; Presidential Determination 2007-7 of December 7, 2006, 72
FR 1899 (January 16, 2007); Notice of July 23, 2008, 73 FR 43603
(July 25, 2008).
Sec. 746.3 [Amended]
0
21. Section 746.3 is amended in paragraph (c) by revising the phrase
``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT, TSU, BAG, AVS, ENC
or KMI.'' to read ``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT,
TSU, BAG, AVS, or ENC.''
PART 748--[AMENDED]
0
22. The authority citation for part 748 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR
43603 (July 25, 2008).
0
23. Supplement No. 2 to part 748 is amended by revising paragraph (r)
to read as follows:
Supplement No. 2 to Part 748--Unique Application and Submission
Requirements
* * * * *
(r) Encryption review requests. Enter, in Block 9 (Special
Purpose) of the BIS-748P, ``License Exception ENC'' if you are
submitting an encryption review request for License Exception ENC
(Sec. 740.17 of the EAR) or ``mass market encryption'' if you are
submitting an encryption review request under the mass market
encryption provisions (Sec. 742.15(b) of the EAR). If you seek an
encryption review for another reason, enter ``encryption--other''.
Neither the electronic nor paper forms provide a separate Block to
check for the submission of encryption review requests, therefore
you must also, place an ``X'' in the box marked ``Classification
Request'' in Block 5 (Type of Application) of Form BIS-748P or
select ``Commodity Classification'' if filing electronically.
Failure to properly complete these items may delay consideration of
your review request.
* * * * *
PART 750--[AMENDED]
0
24. The authority citation for part 750 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
Sec. 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp.,
p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR
26459, May 16, 2003; Notice of July 23, 2008, 73 FR 43603 (July 25,
2008).
0
25. Section 750.3 is amended by:
0
a. Removing paragraph (b)(2)(iv) and redesignating paragraph (b)(2)(v)
as (b)(2)(iv); and
0
b. Revising (b)(2)(iii) to read as follows:
Sec. 750.3 Review of License Applications by BIS and Other Government
Agencies and Departments.
* * * * *
(b) * * *
(2) * * *
(iii) The Department of State is concerned primarily with items
controlled for national security, nuclear nonproliferation, missile
technology,
[[Page 57510]]
regional stability, anti-terrorism, crime control reasons, and
sanctions; and
* * * * *
Sec. 750.7 [Amended]
0
26. Section 750.7 is amended by:
0
a. Removing and reserving paragraph (c)(2); and
0
b. Removing the third and fourth sentences in the introductory text of
paragraph (d).
PART 762--[AMENDED]
0
27. The authority citation for part 762 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July
23, 2008, 73 FR 43603 (July 25, 2008).
Sec. 762.2 [Amended]
0
28. Section 762.2 is amended by removing and reserving paragraph
(b)(8).
PART 770--[AMENDED]
0
29. The authority citation for part 770 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July
23, 2008, 73 FR 43603 (July 25, 2008).
Sec. 770.2 [Amended]
0
30. Section 770.2 is amended by removing paragraph (n).
PART 772--[AMENDED]
0
31. The authority citation for part 772 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July
23, 2008, 73 FR 43603 (July 25, 2008).
0
32. Section 772.1 is amended by:
0
a. Removing the term and definition ``strategic partners (of a U.S.
company)''; and
0
b. Adding the terms and definitions for ``ancillary cryptography'' and
``personal area network'' in alphabetic order, to read as follows:
Sec. 772.1 Definitions of terms as used in the Export Administration
Regulations (EAR).
* * * * *
Ancillary cryptography. The incorporation or application of
``cryptography'' by items that are not primarily useful for computing
(including the operation of ``digital computers''), communications,
networking (includes operation, administration, management and
provisioning) or ``information security''.
N.B. Commodities and software that perform ``ancillary
cryptography'' (e.g., are specially designed and limited to: piracy and
theft prevention for software, music, etc.; games and gaming; household
utilities and appliances; printing, reproduction, imaging and video
recording or playback (but not videoconferencing); business process
modeling and automation (e.g., supply chain management, inventory,
scheduling and delivery); industrial, manufacturing or mechanical
systems (including robotics, other factory or heavy equipment,
facilities systems controllers including fire alarms and HVAC);
automotive, aviation and other transportation systems). Commodities and
software included in this description are not limited to wireless
communication and are not limited by range or key length.
* * * * *
Personal area network. A data communication system having all of
the following characteristics:
(a) Allows an arbitrary number of independent or interconnected
`data devices'' to communicate directly with each other; and
(b) Is confined to the communication between devices within the
immediate vicinity of an individual person or device controller (e.g.,
single room, office, or automobile).
Technical Note: `Data device' means equipment capable of
transmitting or receiving sequences of digital information.
N.B. ``Personal area network'' items include but are not limited to
items designed to comply with the Institute of Electrical and
Electronic Engineers (IEEE) 802.15.1 standard, class 2 (10 meters) and
class 3 (1 meter), but not class 1 (100 meters) items. This includes
most home networking devices, but not long-range enterprise equipment
or components that can be used in long-range equipment. IEEE 802.15.1
class 2 and class 3 devices include hands-free headsets, wireless
networking between personal computers, wireless mice, keyboards and
printers, Global Positioning Systems (GPS) receivers, bar code scanners
and game console wireless controllers, as well as data-capable wireless
telephones and devices or software for transfer of files between
devices using Object Exchange (OBEX).
* * * * *
PART 774--[AMENDED]
0
33. The authority citation for part 774 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et
seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42
U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5;
22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp.,
p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).
Supplement No. 1 to Part 774--[Amended]
0
34. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security is amended by revising the Nota Bene to
Cryptography Note, to read as follows:
CATEGORY 5--TELECOMMUNICATIONS AND ``INFORMATION SECURITY''
* * * * *
II. ``Information Security''
* * * * *
N.B. to Cryptography Note: Mass market encryption commodities
and software eligible for the Cryptography Note employing a key
length greater than 64 bits for the symmetric algorithm must be
reviewed in accordance with the requirements of Sec. 742.15(b) of
the EAR in order to be released from the ``EI'' and ``NS'' controls
of ECCN 5A002 or 5D002.
0
35. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, Export Control Classification Number (ECCN) 5A002
is amended by
0
a. Revising the EI paragraph of the License Requirements section;
0
b. Removing the License Requirements Notes from the License
Requirements section;
0
c. Adding a license exception paragraph to the License Exception
section; and
0
d. Revising the Related Controls paragraph of the List of Items
Controlled section, to read as follows:
5A002 Systems, equipment, application specific ``electronic
assemblies'', modules and integrated circuits for ``information
security'', as follows (see List of Items Controlled), and other
specially designed components therefor.
License Requirements
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
...............................
------------------------------------------------------------------------
* * * * *
EI applies to 5A002.a.1, a.2, a.5, a.6 and a.9. Refer to Sec.
742.15 of the EAR.
License Exceptions
* * * * *
ENC: Yes for certain EI controlled commodities, see Sec. 740.17
of the EAR for eligibility.
[[Page 57511]]
List of Items Controlled
Unit: * * *
Related Controls: (1) 5A002 does not control the commodities
listed in paragraphs (a) through (f) in the Note in the items
paragraph of this entry. These commodities are instead classified
under ECCN 5A992, and related software and technology are classified
under ECCNs 5D992 and 5E992 respectively. (2) After a review and
classification by BIS, mass market encryption commodities that meet
eligibility requirements are released from ``EI'' and ``NS''
controls. These commodities are classified under ECCN 5A992.c. See
Sec. 742.15(b) of the EAR.
Related Definitions: * * *
Items: * * *
0
36. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, Export Control Classification Number (ECCN) 5A992
is amended by revising the License Requirements section and paragraph c
in the items paragraph of the List of Items Controlled section, to read
as follows:
5A992 Equipment not controlled by 5A002.
License Requirements
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
AT applies to entire entry............. AT Column 1.
------------------------------------------------------------------------
* * * * *
List of Items Controlled
* * * * *
Items:
* * * * *
c. Commodities that have been reviewed and determined to be mass
market encryption commodities in accordance with Sec. 742.15(b) of
the EAR.
0
37. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
``Information Security'', Export Control Classification Number (ECCN)
5D002 is amended by:
0
a. Revising the EI paragraph of the License Requirements section;
0
b. Adding a new license exception to the License Exception section;
0
c. Removing the third Note in the License Requirements section; and
0
d. Revising the Related Controls paragraph in the List of Items
Controlled section, to read as follows:
5D002 Information Security--``Software''.
License Requirements
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
...............................
------------------------------------------------------------------------
* * * * *
EI applies to ``software'' in 5D002.a or c.1 for equipment
controlled for EI reasons in ECCN 5A002. Refer to Sec. 742.15 of
the EAR.
* * * * *
License Exceptions
* * * * *
ENC: Yes for certain EI controlled software, see Sec. 740.17 of
the EAR for eligibility.
List of Items Controlled
Unit: $ value
Related Controls: (1) This entry does not control ``software''
``required'' for the ``use'' of equipment excluded from control
under the Related Controls paragraph or the Technical Notes in ECCN
5A002 or ``software'' providing any of the functions of equipment
excluded from control under ECCN 5A002. This software is classified
as ECCN 5D992. (2) After a review and classification by BIS, mass
market encryption software that meet eligibility requirements are
released from ``EI'' and ``NS'' controls. This software is
classified under ECCN 5D992.c. See Sec. 742.15(b) of the EAR.
Related Definitions: * * *
Items: * * *
0
38. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, Export Control Classification Number (ECCN) 5D992
is amended by:
0
a. Revising the License Requirements section;
0
b. Revising the Related Controls paragraph of the List of Items
Controlled section; and
0
c. Revising the Items paragraph of the List of Items Controlled
section, to read as follows:
5D992 ``Information Security'' ``software'' not controlled by 5D002.
License Requirements.
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
AT applies to entire entry............. AT Column 1.
------------------------------------------------------------------------
* * * * *
List of Items Controlled
Unit: * * *
Related Controls: This entry does not control ``software''
designed or modified to protect against malicious computer damage,
e.g., viruses, where the use of ``cryptography'' is limited to
authentication, digital signature and/or the decryption of data or
files.
Related Definitions: * * *
Items:
a. ``Software'' specially designed or modified for the
``development,'' ``production,'' or ``use'' of equipment controlled
by ECCN 5A992.a or 5A992.b.
b. ``Software'' having the characteristics, or performing or
simulating the functions of the equipment controlled by ECCN 5A992.a
or 5A992.b.
c. ``Software'' that has been reviewed and determined to be mass
market encryption software in accordance with Sec. 742.15(b) of the
EAR.
0
39. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, Export Control Classification Number (ECCN) 5E002
is amended by:
0
a. Revising the EI paragraph and adding a License Requirement Note in
the License Requirements section; and
0
b. Revising the Related Control paragraph of the List of Items
Controlled section, to read as follows:
5E002 ``Technology'' according to the General Technology Note for the
``development'', ``production'' or ``use'' of equipment controlled by
5A002 or 5B002 or ``software'' controlled by 5D002.
License Requirements
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
...............................
------------------------------------------------------------------------
* * * * *
EI applies to ``technology'' for the ``development,''
``production,'' or ``use'' of commodities or ``software'' controlled
for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec. 742.15 of the
EAR.
License Requirement Note: When a person performs or provides
technical assistance that incorporates, or otherwise draws upon,
``technology'' that was either obtained in the United States or is
of US-origin, then a release of the ``technology'' takes place. Such
technical assistance, when rendered with the intent to aid in the
``development'' or ``production'' of encryption commodities or
software that would be controlled for ``EI'' reasons under ECCN
5A002 or 5D002, may require authorization under the EAR even if the
underlying encryption algorithm to be implemented is from the public
domain or is not of U.S. origin.
* * * * *
List of Items Controlled
* * * * *
Related Controls: See also 5E992. This entry does not control
``technology'' ``required'' for the ``use'' of equipment excluded
from control under the Related Controls paragraph or the Technical
Notes in ECCN 5A002 or ``technology'' related to equipment excluded
from control under ECCN 5A002. This ``technology'' is classified as
ECCN 5E992.
* * * * *
0
40. In Supplement No. 1 to Part 774 (the Commerce Control List),
Category 5
[[Page 57512]]
Telecommunications and ``Information Security'', Part 2 Information
Security, Export Control Classification Number (ECCN) 5E992 is amended
by revising the License Requirements section and the List of Items
Controlled section, to read as follows:
5E992 ``Information Security'' ``technology'', not controlled by 5E002.
License Requirements
* * * * *
------------------------------------------------------------------------
Control(s) Country chart
------------------------------------------------------------------------
AT applies to entire entry............. AT Column 1.
------------------------------------------------------------------------
* * * * *
List of Items Controlled
* * * * *
Items:
a. ``Technology'' n.e.s., for the ``development'',
``production'' or ``use'' of equipment controlled by 5A992.a,
``information security''or cryptologic equipment controlled by
5A992.b or ``software'' controlled by 5D992.a or b.
b. ``Technology'', n.e.s., for the ``use'' of mass market
commodities controlled by 5A992.c or mass market ``software''
controlled by 5D992.c.
Dated: September 26, 2008.
Christopher R. Wall,
Assistant Secretary for Export Administration.
[FR Doc. E8-23201 Filed 10-2-08; 8:45 am]
BILLING CODE 3510-33-P