[Federal Register Volume 75, Number 122 (Friday, June 25, 2010)]
[Rules and Regulations]
[Pages 36482-36503]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-15072]
[[Page 36481]]
-----------------------------------------------------------------------
Part II
Department of Commerce
-----------------------------------------------------------------------
Bureau of Industry and Security
-----------------------------------------------------------------------
15 CFR Parts 730, 734, 738, et al.
Encryption Export Controls: Revision of License Exception ENC and Mass
Market Eligibility, Submission Procedures, Reporting Requirements,
License Application Requirements, and Addition of Note 4 to Category 5,
Part 2; Interim Final Rule
��Federal Register / Vol. 75 , No. 122 / Friday, June 25, 2010 / Rules
and Regulations��
[[Page 36482]]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR Parts 730, 734, 738, 740, 742, 748, 772 and 774
[Docket No. 100309131-0195-02]
RIN 0694-AE89
Encryption Export Controls: Revision of License Exception ENC and
Mass Market Eligibility, Submission Procedures, Reporting Requirements,
License Application Requirements, and Addition of Note 4 to Category 5,
Part 2
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Interim final rule, with request for comments.
-----------------------------------------------------------------------
SUMMARY: The Bureau of Industry and Security (BIS) is amending the
Export Administration Regulations (EAR or Regulations) to modify the
requirements of License Exception ENC, ``Encryption Commodities,
Software and Technology,'' and the requirements for qualifying an
encryption item as mass market. BIS is also amending specific license
requirements for encryption items. With respect to encryption products
of lesser national security concern, this rule replaces the requirement
to wait 30 days for a technical review before exporting such products
and the requirement to file semi-annual post-export sales and
distribution reports with a provision that allows immediate
authorization to export and reexport these products after electronic
submission to BIS of an encryption registration. A condition of this
new authorization for less sensitive products is submission of an
annual self-classification report on these commodities and software
exported under License Exception ENC. With respect to most mass market
encryption products, this rule similarly replaces the requirement to
wait 30 days for a technical review before exporting and reexporting
such products with a provision that allows immediate authorization to
export and reexport these products after electronic submission to BIS
of an encryption registration, subject to annual self-classification
reporting for exported encryption products. Only a few categories of
License Exception ENC and mass market encryption products will continue
to require submission of a 30-day classification request. Encryption
items that are more strictly controlled continue to be authorized for
immediate export and reexport to most end-users located in close ally
countries upon submission of an encryption registration and
classification request to BIS. This rule also eases licensing
requirements for the export and reexport of many types of technology
necessary for the development and use of encryption products, except to
countries subject to export or reexport license requirements for
national security reasons or anti-terrorism reasons, or that are
subject to embargo or sanctions. This rule also removes the requirement
to file separate encryption classification requests (formerly
encryption review requests) with both BIS and the ENC Encryption
Request Coordinator (Ft. Meade, MD).
BIS is also amending the EAR by implementing the agreements made by
the Wassenaar Arrangement at the plenary meeting in December 2009 that
pertained to ``information security'' items. This rule adds an
overarching note to exclude particular products that use cryptography
from being controlled as ``information security'' items. The addition
of this note focuses ``information security'' controls on the use of
encryption for computing, communications, networking and information
security. This rule also makes additional changes throughout the EAR to
harmonize it with the new note.
This rule also replaces a note in ECCN 5A002 pertaining to
personalized smart cards with a note pertaining to smart cards and
smart readers/writers. As a result of this change, a definition is
being removed from the EAR.
DATES: This rule is effective: June 25, 2010. Comments must be received
by August 24, 2010.
ADDRESSES: You may submit comments, identified by RIN 0694-AE89, by any
of the following methods:
Federal eRulemaking Portal: http://www.Regulations.gov.
Please follow the instructions for submitting comments.
E-mail: [email protected]. Please include RIN
0694-AE89 in the subject line.
Mail or Hand Delivery/Courier: U.S. Department of
Commerce, Bureau of Industry and Security, Regulatory Policy Division,
14th and Pennsylvania Ave., NW., Room H-2705, Washington, DC 20230; or
by fax to (202) 482-3355. Please insert ``0694-AE89'' in the subject
line of comments.
Comments regarding the collections of information associated with
this rule, including suggestions for reducing the burden, should be
sent to OMB Desk Officer, New Executive Office Building, Washington, DC
20503, Attention: Jasmeet Seehra, or by e-mail to [email protected] or by fax to (202) 395-7285; and to the Office of
Administration, Bureau of Industry and Security, Department of
Commerce, 14th and Pennsylvania Ave., NW., Room 6883, Washington, DC
20230.
FOR FURTHER INFORMATION CONTACT: For technical questions contact: The
Information Technology Division, Office of National Security and
Technology Transfer Controls within BIS at 202-482-0707 or by e-mail at
[email protected].
For other questions contact: Sharron Cook, Office of Exporter
Services, Bureau of Industry and Security, U.S. Department of Commerce
at (202) 482-2440 or by e-mail at [email protected].
SUPPLEMENTARY INFORMATION:
Background
To protect and preserve foreign policy and national security
interests, the United States maintains export controls on encryption
items. Encryption items may be used to maintain the secrecy of
information, and therefore may be used by persons abroad to bring harm
to law enforcement, and U.S. foreign policy and national security
interests. The U.S. Government has a critical interest in ensuring that
the legitimate needs for protecting important and sensitive information
of the public and private sectors are met, and that persons opposed to
the United States are not able to conceal hostile or criminal
activities.
When dual-use encryption items were transferred from the United
States Munitions List (USML) to the CCL on December 6, 1996, a foreign
policy reason for control, Encryption Items (EI), was imposed on these
items. A license is required to export or reexport EI-controlled items
classified under Export Control Classification Numbers (ECCNs) 5A002,
5D002 and 5E002 on the CCL to all destinations except Canada. All items
controlled for EI reasons are also controlled for National Security
(NS) reasons.
This rule enhances national security by focusing encryption export
controls and streamlining the collection and analysis of information
about encryption products, through reforms that include:
Removing review requirements for less sensitive encryption
items;
Establishing a company registration requirement for
encryption items under License Exception ENC or as mass market
encryption items;
Creating an annual self-classification report requirement
for such items pursuant to an encryption registration;
[[Page 36483]]
Making encryption technology eligible for export and
reexport under License Exception ENC, except to countries of highest
concern;
Lifting the semi-annual sales reporting for less sensitive
encryption items under License Exception ENC;
Removing the 30-day delay to export and reexport less
sensitive encryption items under License Exception ENC; and
Removing the 30-day delay to make most mass market
encryption items eligible for mass market treatment.
BIS is making these amendments to protect national security in the
face of an ever-changing global marketplace for encryption items and to
ensure continued United States adherence to multilateral regime
commitments. The changes in this rule are discussed either topically or
by section of the EAR, as applicable. This rule is the first step in
the President's effort to reform U.S. encryption export controls to
enhance national security by ensuring the continued competitiveness of
U.S. encryption products, reducing paperwork requirements for less
sensitive encryption items, making the process for submission more
efficient, updating the control parameters for controlled encryption
items and addressing the impact of export controls on electronic
components having encryption functionality. The U.S. Government will
also review other issues related to encryption controls, in keeping
with national security requirements and multilateral regime
commitments.
Review Request vs. Classification Request
This rule replaces the term ``review request'' with
``classification request'' in sections 740.17 and 742.15 so that the
terminology used in the encryption regulations is consistent with the
terminology used for other items on the Commerce Control List (CCL).
Submissions Requirements for Encryption Items
Prior to this rule, the EAR required exporters to submit review
requests to both BIS and the ENC Encryption Request Coordinator. This
new rule will reduce the paperwork burden on applicants by removing the
requirement for applicants to submit requests to the ENC Encryption
Request Coordinator when the submission is made via Simplified Network
Application Processing system (SNAP-R) for Encryption Registration and
Encryption Classification Requests. Upon effectiveness of this rule,
BIS will send encryption SNAP-R submissions to the ENC Encryption
Request Coordinator. This change will decrease the paperwork burden on
the applicants. However, all reports (i.e., the semi-annual sales
report and the annual self-classification report) must continue to be
submitted to both BIS and the ENC Encryption Request Coordinator.
Supplement No. 1 to Part 730--``Information Collection Requirements
Under the Paperwork Reduction Act: OMB Control Numbers''
This supplement is amended by removing the title for collection
number 0694-104 and adding in its place ``Commercial Encryption Items
under Commerce Jurisdiction.''
Section 734.4--De Minimis U.S. Content
This rule makes changes to (b)(1)(ii), (b)(1)(iii) and (b)(2) to
harmonize with changes to encryption procedures under sections 740.17
and 742.15(b). Paragraph (v) is added to section 734.4(b)(1) to
indicate that encryption commodities and software may be considered for
de minimis treatment if such products were authorized for export under
License Exception ENC after submission of an encryption registration
pursuant to section 740.17(b)(1) of the EAR.
Section 738.4--Determining Whether a License Is Required
This rule revises the third sentence in paragraph
738.4(a)(2)(ii)(B) of the EAR by replacing ``review'' with ``encryption
registration and classification'' to harmonize it with the new
submission requirements for encryption items.
Section 740.17--License Exception ENC
This rule revises the first sentence in sections 740.17 and
740.17(b)(2) to describe more clearly the types of items eligible for
export and reexport under License Exception ENC.
Section 740.17(a)--No Classification Request, Registration or Reporting
Required
This rule amends section 740.17(a) by removing references to
``review'' and by adding references to the encryption registration,
classification requests, self-classification reports and sales reports
to harmonize it with the new submission requirements for encryption
items. This amendment does not change any requirements or eligibility
under section 740.17(a) of the EAR.
Immediate Authorization for Less Sensitive Encryption Items and Certain
Mass Market Encryption Items With the Submission of an Encryption
Registration and Subsequent Self-Classification Annual Report
Prior to this rule, eligibility under section 740.17(b)(3) of
License Exception ENC and mass market treatment under section 742.15(b)
required prior submission of a review request and 30-day technical
review for most encryption items. This system of authorization centered
on product-by-product authorizations. The new system of authorization
implemented by this rule is based on company authorizations that
operate like a bulk license for the company's products. This rule
establishes two new procedures--i.e., the company encryption
registration and the annual self-classification report--that will allow
the export without a 30-day technical review for less sensitive
encryption items under License Exception ENC and less sensitive mass
market encryption items. The company registration requirement is
described in the new Supplement No. 5 to part 742 of the EAR. Special
instructions for submitting an encryption registration using SNAP-R are
in paragraph (r) of Supplement No. 2 to part 748 of the EAR. Because of
this shift from product authorization to company authorization, the
information in block 14 (applicant) of the encryption registration
screen and the information in Supplement No. 5 to part 742 must pertain
to the company that seeks authorization to export and reexport
encryption items that are within the scope of this rule. An agent for
the exporter, such as a law firm, should not list the agent's name in
block 14. The agent may, however submit the encryption registration and
list itself in block 15 (``other party authorized to receive license'')
of the encryption registration screen in SNAP-R. The follow-on self-
classification report would be required to be submitted annually to BIS
and the ENC Encryption Request Coordinator in February for items
exported or reexported the previous calendar year (i.e., January 1
through December 31) pursuant to the encryption registration and
applicable sections 740.17(b)(1) or 742.15(b)(1) of the EAR.
An encryption registration is only required for authorization under
License Exception ENC sections 740.17(b)(1), 740.17(b)(2) and
740.17(b)(3), and mass market encryption sections 742.15(b)(1) and
742.15(b)(3) of the EAR. Exports and reexports described under sections
740.17(a), 740.17(b)(4), 740.17(c) and
[[Page 36484]]
742.15(b)(4) will continue to be authorized without the need for a
submission. A company that exports under the authorizations described
in this rule only needs to register once and does not need to resubmit
its encryption registration unless the answers to the questions in
Supplement No. 5 to part 742 changed during the previous calendar year.
Because exporters of encryption items may not be the producers of those
encryption items, they may not know the answers to some of the
questions in Supplement No. 5 to part 742, BIS has included
instructions in Supplement No. 5 to account for this situation.
When an encryption registration is submitted via SNAP-R, SNAP-R
will issue an Encryption Registration Number (ERN), which will start
with an ``R'' and will be followed by 6 digits, e.g., R123456. This ERN
authorizes under License Exception ENC exports or reexports of the
commodities classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or
.a.9, or ECCN 5B002, and equivalent or related software classified
under ECCN 5D002, except any such commodities, software or components
described in paragraphs (b)(2) or (b)(3) of section 740.17 of the EAR.
The ERN also authorizes exports and reexports of commodities and
software that are released from ``EI'' and ``NS'' controls under
section 742.15(b)(1) and are classified under ECCNs 5A992 and 5D992,
respectively. These authorizations require submission of a self-
classification report to BIS and the ENC Encryption Request
Coordinator, in accordance with section 742.15(c) and Supplement No. 8
to part 742 of the EAR. For encryption items authorized after the
submission of an encryption registration under sections 740.17(b)(1) or
742.15(b)(1), the filer may be required to provide relevant information
about the encryption functionality of the items. BIS may request the
filer to provide information described in Supplement No. 6 to part 742.
Prior to this rule, when 30-day technical review and classification
by BIS was required for these less sensitive encryption items which may
now be self-classified under section 740.17(b) or 742.15(b), many
producers of these items made their encryption classifications (CCATS)
available for other parties to use when exporting or reexport their
products. Under this rule, when an exporter or reexporter relies on the
producer's self-classification (pursuant to the producer's encryption
registration) or CCATS for an encryption item, the exporter or
reexporter is not required to submit a separate encryption
registration, classification request or self-classification report to
BIS under section 740.17(b) or 742.15(b). Those who submit encryption
registrations, classification requests and self-classification reports
should either be knowledgeable enough about the encryption
functionality to answer relevant questions pertaining to their
submissions, or else possess the requisite authority or other means to
ensure that such information will be made available to BIS upon
request. Only License Exception ENC and mass market encryption
authorizations under sections 740.17(b) and 742.15(b) to a company that
has fulfilled the requirements of encryption registration (such as the
producer of the item) authorize the export and reexport of the
company's encryption items by all persons, wherever located, under
these sections.
New License Exception ENC Eligibility for Most Encryption Technology,
to Non-``Government End-Users'' Outside Country Group D:1 or E:1
In section 740.17(b)(2)(iv)(B), encryption technology classified
under ECCN 5E002 that are not technology for ``cryptanalytic items,''
``non-standard cryptography,'' or ``open cryptographic interfaces'' may
now be exported and reexported under License Exception ENC to any non-
``government end-user'' located in a country not listed in Country
Groups D:1 or E:1 of Supplement No. 1 to part 740. This change will
eliminate redundant license approvals for expired technology licenses
to the same end-users and provide exporters with a more predictable
timeframe for authorization, while maintaining U.S. Government review
of such technology under License Exception ENC. Previously, all such
exports and reexports of ECCN 5E002 encryption technology to end-users
other than U.S. subsidiaries and companies located or headquartered in
a country listed in Supplement No. 3 to part 740 required a license.
This revision will decrease encryption licensing arrangements (ELAs)
and other license applications to export or reexport encryption
technology by approximately 60%.
Technical Revisions to Sections 740.17(b)(2) and 740.17(b)(3)
This rule updates the License Exception ENC specific list of
restricted items in section 740.17(b)(2), and creates a new specific
list of additional sensitive items in amended section 740.17(b)(3).
This rule adds a new paragraph section 740.17(b)(2)(i)(A)(3)
(formerly included in section 740.17(b)(2)(i)) to clarify that network
infrastructure software and commodities and components providing
satellite communications are included on the list of items subject to
section 740.17(b)(2) if they provide transmission over satellite at
data rates exceeding 10 Mbps with encryption key lengths exceeding 80
bits for symmetric algorithms. The 10 Mbps parameter (formerly
described in paragraph (b)(2)(i)(D)(1)) is included in paragraph
(b)(2)(i)(A)(5) in this rule, for air-interface coverage at operating
ranges beyond 1,000 meters.
This rule amends the lists of items formerly at section
740.17(b)(2)(iii)(A) and adds items to the new specific list in section
740.17(b)(3). These amendments are consistent with determinations that,
for national security reasons, encryption commodities and software that
provide penetration capabilities that can be used to attack, deny,
disrupt or otherwise impair the use of cyber infrastructure or networks
require a license in order to be exported to ``government end users''
in countries other than countries listed in Supplement No. 3 to part
740. This change is implemented in new paragraph section
740.17(b)(2)(i)(F).
In addition, for national security reasons, classification requests
with a 30-day review period continue to be required for items that are
not described in the updated section 740.17(b)(2) and that provide or
perform vulnerability analysis, network forensics, or computer
forensics characterized by any of the following: automated network
analysis, visualization, or packet inspection for profiling network
flow, network user or client behavior, or network structure/topology
and adapting in real-time to the operating environment; or
investigation of data leakage, network breaches, and other malicious
intrusion activities through triage of captured digital forensic data
for law enforcement purposes or in a similarly rigorous evidentiary
manner. Therefore, this rule includes these items in the new specific
list of items in section 740.17(b)(3)(iii).
To clarify the previous provision related to ``public safety
radio,'' this rule creates a new and expanded paragraph for public
safety/first responder radios with the addition of section
740.17(b)(2)(G). Former section 740.17(b)(2)(iii)(A) is removed by this
rule. The new subparagraph (G) gives two examples of public safety/
first responder radio--Terrestrial Trunked Radio (TETRA) and ``P25''
standards. This is a clarification and does not change the license
requirements or license exception eligibility for public safety/first
responder radios.
[[Page 36485]]
Revisions for Harmonization Purposes
For national security reasons, this rule maintains all existing
licensing requirements for exports and reexports of ``cryptanalytic
items'' (i.e., cryptanalytic commodities, software, and technology.)
This rule adds new note 3 to the introductory paragraph of section
740.17(b)(2) and new section 740.17(b)(2)(ii) (formerly Sec.
740.17(b)(2)(iv)) to clarify that exports and reexports of
``cryptanalytic items'' require encryption registration and encryption
classification requests, with no wait, to be eligible for License
Exception ENC to non-``government end-users'' located or headquartered
in countries listed in Supplement No. 3 to part 740, and that the
export or reexport of cryptanalytic commodities and software (listed in
new section 740.17(b)(2)(ii)) require submission of an encryption
registration and a 30-day classification request before being eligible
for License Exception ENC to non-``government end-users'' located or
headquartered in a country not listed in Supplement No. 3 to part 740
of the EAR. On account of the utmost sensitivity of cryptanalytic
technology transfers, cryptanalytic ``technology'' classified under
ECCN 5E002 is only License Exception ENC eligible to non-``government
end-users'' located or headquartered in Supplement No. 3 to part 740
countries.
This rule adds a new section 740.17(b)(2)(iv) to describe specific
encryption technology. Prior to this rule, all encryption technology
under ECCN 5E002 required an encryption review, with no wait, for
exports under License Exception ENC to any end-users located or
headquartered in countries listed in Supplement No. 3 to part 740.
These provisions are maintained in Notes 1 and 3 to the introductory
paragraph of section (b)(2). New section 740.17(b)(2)(iv)
differentiates between ``non-standard cryptography'' and other
encryption technology. Section 740.17(b)(2)(iv)(A) maintains the
authorization for ``non-standard cryptography'' classified under ECCN
5E002 to be exported under License Exception ENC upon submission (i.e.,
no wait) of an encryption classification request, including the
submission of the answers to questions contained in Supplement No. 5
and Supplement No. 6 to part 742, to any end-user located or
headquartered in a country listed in Supplement No. 3 to part 740 of
the EAR. Section 740.17(b)(2)(iv)(B) authorizes the use of License
Exception ENC for the export of technology other than technology for
``cryptanalytic items,'' ``non-standard cryptography'' or ``open
cryptographic interfaces'' to any non-``government end-user'' located
in a country not listed in Country Group D:1 or E:1 of Supplement No. 1
to part 740, 30-days after submission of an encryption registration and
an encryption classification request.
This rule also moves paragraphs in section 742.15 to align them
with related paragraphs in section 740.17. For example, provisions for
encryption components may be found in sections 740.17(b)(3)(i) and
742.15(b)(3)(i).
``Encryption Components'' and ``Non-Standard Cryptography''--Sections
740.17(b)(3) and 742.15(b)(3)
The requirement for submission of an encryption classification
request and information described in Supplement No. 6 to part 742, and
a 30-day wait, while BIS performs its review of these submissions
remains in effect for all ``encryption components,'' including mass
market ``encryption components,'' and for encryption commodities,
software and components not described in section 740.17(b)(2) that
provide or perform ``non-standard cryptography,'' including mass market
encryption commodities, software and components. ``Encryption
components'' are defined in part 772, and this rule adds a new
definition of ``non-standard cryptography'' in part 772. ``Encryption
components'' are chips, chipsets, electronic assemblies and field
programmable logic devices, cryptographic libraries, modules,
development kits and toolkits, including for operating systems and
cryptographic service providers and application-specific hardware or
software development kits implementing cryptography. The requirements
that these items continue to be subject to the 30-day encryption
classification requests are set forth in sections 740.17(b)(3) and
742.15(b)(3). BIS and other agencies continue to study and discuss the
impact of export controls on encryption components, including system
software libraries, toolkits and electronic components having
encryption functionality.
Cryptographic Enabling Commodities, Software and Components
This rule maintains the 30-day technical review requirement for
commodities, software and components that activate or enable
cryptographic functionality in encryption products which would
otherwise remain disabled. Commodities, software and components for the
cryptographic activation of most encryption products eligible for
License Exception ENC (i.e., Sec. Sec. 740.17(b)(1), 740.17(b)(3)(ii)
or 740.17(b)(3)(iii)) or mass market treatment (i.e., Sec. Sec.
742.15(b)(1) or 742.15(b)(3)(ii)) are covered in sections
740.17(b)(3)(iv) and 742.15(b)(3)(iv), respectively. Cryptographic
activation items associated with restricted encryption commodities,
software and components are covered under section 740.17(b)(2), as
further explained by a note to paragraph (b)(2). Meanwhile, items
described under sections 740.17(b)(3)(i) or 742.15(b)(3)(i) (including
certain activation components and software) are covered by those
sections as applicable.
Section 740.17(b)(4)--Exclusions From Classification Request and
Encryption Registration Requirements
This rule removes all references to ``ancillary cryptography'' by
removing the last sentence in paragraph (b)(4)(i) and removing
paragraph (b)(4)(iv). This rule also removes the empty placeholder
paragraph (b)(4)(iii). Items that were covered by the ``ancillary
cryptography'' provisions are now excluded from control under Category
5 part 2 of the CCL with the addition of Note 4. An explanation of the
changes to Note 4 are described in more detail below under the heading
``Note 4 to Category 5, Part 2.''
Reporting Requirements Under License Exception ENC
Prior to this rule, semi-annual (post-export) sales reporting was
required for exports of most encryption commodities, software and
components previously described in section 740.17(b)(3) to all
destinations other than Canada, and for reexports from Canada, under
License Exception ENC. This rule narrows the scope of this requirement
to only apply to certain digital forensics items described under new
section 740.17(b)(3)(iii). Therefore, this rule removes some of the
exclusions from reporting requirement paragraphs that were formerly in
paragraphs (A), (C), (H), (I) and (J) of section 740.17(e)(iii),
because they are no longer necessary. When sales reporting is not
required under License Exception ENC, companies need only maintain
records as required by the EAR that can be reviewed by appropriate
agencies of the U.S. Government upon request. The requirement for semi-
annual sales reporting to BIS and the ENC Encryption Request
Coordinator of encryption items described in section 740.17(b)(2) is
maintained. As a result of these changes, BIS expects that the number
of semi-annual reports submitted to BIS annually will be reduced from
400 to less than 100 submissions per year.
[[Page 36486]]
Section 742.15--Encryption Items
This rule removes all references to ``ancillary cryptography'' by
removing the last sentence formerly in paragraph (b)(3)(i) and removing
paragraph (b)(3)(iii). This rule also removes the empty placeholder
formerly in paragraph (b)(3)(ii). With the new harmonization of
paragraphs between sections 740.17 and 742.15, paragraph (b)(3)(i) is
redesignated as paragraph (b)(4)(i).
This rule adds a new paragraph (b)(4)(ii) to exclude submission
requirements under section 742.15 for reexports of US-origin mass
market encryption commodities and software subject to the EAR or
foreign origin products developed with or incorporating U.S.-origin
mass market encryption source code, components or toolkits subject to
the EAR, that have met the submission requirements in section 742.15.
This paragraph is exactly the same as the paragraph in section
740.17(b)(4)(ii), which excludes submission requirements for reexports
of US-origin encryption items subject to the EAR or foreign products
developed with or incorporating U.S.-origin encryption source code,
components or toolkits subject to the EAR, that have met the submission
requirements in License Exception ENC under section 740.17.
Supplement No. 5 to Part 742
This rule removes all text of Supplement No. 5 to part 742 and
replaces it with seven (7) questions of the ``Encryption
Registration.'' As discussed above under the topic heading ``Immediate
authorization for less sensitive encryption items and certain mass
market encryption items with the submission of an encryption
registration and subsequent self-classification annual report,'' an
encryption registration is required for most exports under License
Exception ENC, and to be eligible for mass market treatment under
section 742.15(b)(1). The questions in Supplement No. 5 to part 742 ask
for information about:
(1) The point of contact information;
(2) The company that exports the encryption items;
(3) The categories of the company's products;
(4) Whether the products incorporate or use proprietary,
unpublished or non-standard cryptographic functionality;
(5) Whether the exporting company will export ``encryption source
code'';
(6) Whether the products incorporate encryption components produced
or furnished by non-U.S. sources or vendors; and
(7) Whether the products are manufactured outside the United
States.
If the registrant is not the principal producer of encryption
items, the registrant may answer questions 4 and 7 as ``not
applicable.'' For all other questions, an answer must be given, or if
the registrant is unsure of the answer, the registrant may state that
it is unsure and explain why it is unsure of the answer to the
question.
Supplement No. 6 to Part 742
This rule reduces the instances when exporters are required to
submit the information requested in Supplement No. 6 to part 742. Prior
to this rule, exporters were required to submit the information in
Supplement No. 6 to part 742 for every review request for License
Exception ENC and mass market encryption products. With the publication
of this rule, submission of the information in Supplement No. 6 to part
742 is now only required in support of a 30-day encryption
classification request for specified items under License Exception ENC
and mass market commodities, software and components (i.e., restricted
Sec. 740.17(b)(2) items, specified components and digital forensics
items, products that provide or perform ``non-standard cryptography,''
and cryptographic enabling commodities and software). All other items
under License Exception ENC and mass market items may receive immediate
authorization with the submission of the encryption registration and
annual self-classification report.
The title of Supplement No. 6 to part 742 is renamed ``Technical
Questionnaire for Encryption Items'' (formerly ``Guidelines for
Submitting Review Requests for Encryption Items''). The text explaining
how and where to submit a review request is removed because, as
explained earlier in the preamble, this rule modifies submission
requirements. This rule also harmonizes the text in Supplement No. 6 to
part 742 with the new procedure of only submitting this information to
BIS with classification requests, unless BIS specifically requests this
information in support of an encryption registration or self-
classification report. Paragraph (b) is removed because a duplicate
submission to the ENC Encryption Request Coordinator and BIS is no
longer necessary. The information now only needs to be submitted to BIS
via SNAP-R. Paragraph (f) is removed as a consequence of removing the
review request procedure. Therefore, paragraphs (c), (d) and (e) are
now redesignated as paragraphs (b), (c) and (d). Also, newly designated
paragraph (b)(11) (formerly paragraph (c)(11)) is revised to remove
outdated text.
Supplement No. 8 to Part 742--Self-Classification Report
In order to protect the national security of the United States and
verify the classification of encryption products exported pursuant to
sections 740.17(b)(1) and 742.15(b)(1), this rule adds Supplement No. 8
to part 742 ``Self-Classification Report'' to collect information about
such encryption products. Supplement No. 8 to part 742 sets forth
questions that must be answered about each encryption item exported
pursuant to sections 740.17(b)(1) and 742.15(b)(1). The information
requested is:
(1) Name of product;
(2) Model/series/part number;
(3) Primary manufacturer;
(4) ECCN (5A002, 5B002, 5D002, 5A992 or 5D992);
(5) Encryption authorization (i.e., `ENC' for License Exception ENC
or `MMKT' for mass market); and
(6) Type descriptor to describe the product (chose one from a list
of 49 options).
The self-classification report must be submitted as an attachment
to an e-mail to BIS and the ENC Encryption Request Coordinator. Reports
to BIS must be submitted to a newly created e-mail address for these
reports ([email protected]). Reports to the ENC Encryption
Request Coordinator must be submitted to its existing e-mail address
([email protected]). The report has very specific format requirements
outlined in Supplement No. 8 to part 742. The information in the report
must be provided in tabular or spreadsheet form, as an electronic file
in comma separated values format (.csv), only. No other formats other
than .csv will be accepted. In lieu of e-mail, submissions of disks and
CDs may be mailed to BIS and the ENC Encryption Request Coordinator as
specified in section 742.15(c)(2)(ii). A self-classification report for
applicable encryption commodities, software and components exported or
reexported during a calendar year (January 1 through December 31) must
be received by BIS and the ENC Encryption Request Coordinator no later
than February 1 the following year. If no information has changed since
the previous report, an e-mail must be sent stating that nothing has
changed since the previous report or a copy of the previously submitted
report must be submitted. No self-classification report is required if
no exports or reexports of applicable items pursuant to an encryption
registration were made during the calendar year.
[[Page 36487]]
Part 748--Application and Documentation
This rule revises the introductory paragraphs to sections 748.1(a)
and (d) to replace references to ``encryption review requests'' with
``encryption registration.'' The term ``encryption review request'' is
removed and not replaced by ``encryption registration'' in section
748.1(d)(1)(i) because submitting only one encryption registration per
year is not a valid reason for eligibility to submit manual
applications to BIS. SNAP-R issues a specific Encryption Registration
Number (ERN) for each encryption registration electronically submitted
to BIS via SNAP-R, which is used to authorize exports and reexports
under sections 740.17(b) and 742.15(b).
Section 748.3 is amended by revising the title and paragraphs (a)
and (d) to coincide with the removal of review requests, addition of
encryption registrations, and the narrowing of submission requirements.
This rule revises the paragraph entitled ``Block 5: Type of
Application'' in Supplement No. 1 to part 748 by replacing the term
``encryption review'' with ``encryption registration'' in two cases.
This rule also replaces a reference to ``classification request'' with
``encryption registration'' in one case, because encryption
registrations will have a newly created screen in SNAP-R.
This rule also revises section 748.8(r) and paragraph (r) in
Supplement No. 2 to part 748 to harmonize with the removal of review
requests and new submission procedures for encryption registration and
self-classification reports.
BIS has created a new SNAP-R screen for encryption registrations.
The instructions for submitting an encryption registration is found in
paragraph (r)(1) of Supplement No. 2 to part 748. In block 5 (Type of
Application) of SNAP-R, selecting ``encryption registration'' will
result in the appearance of the new encryption registration screen. On
that screen blocks 1-5, 14, 15, 24, and 25 are to be completed, and a
PDF must be attached that provides answers to Supplement No. 5 to part
742.
For classification requests for License Exception ENC or mass
market encryption under section 742.15, BIS has added a new check box
for block 9 (Special Purpose) on the classification request screen of
SNAP-R. The new check box states ``Check here if you are submitting
information about encryption required by 740.17 or 742.15 of the EAR.''
When that box is checked, a drop down menu will display the following
choices: License Exception ENC, Mass Market Encryption, or Encryption
Other. This rule implements new procedures in paragraph (r)(2) of
Supplement No. 2 to part 748 to address these changes in SNAP-R, as
well as instructions about documents submitted with a classification
request. In addition, there is an instruction to insert your most
recent Encryption Registration Number (ERN) in Block 24 (Additional
Information) of the encryption classification request.
Part 772--Definition of Terms
This rule removes the term ``ancillary cryptography,'' the
definition, nota bene, and related footnote from section 772.1 of the
EAR, because the newly added Note 4 to Category 5, Part 2 removes the
need for this definition.
This rule also removes the definition for ``personalized smart
card'' from section 772.1 because Note (a) of Export Control
Classification Number (ECCN) 5A002, which used the term ``personalized
smart card,'' has been replaced by new text that does not use the term.
Supplement No. 1 to Part 774--Commerce Control List
Note 4 to Category 5, Part 2
This rule adds a new Note 4 to Category 5, Part 2 to exclude
certain items incorporating or using ``cryptography'' from control
under Category 5, Part 2. Specifically, the note excludes an item that
incorporates or uses ``cryptography'' from Category 5, Part 2 control
if the item's primary function or set of functions is not ``information
security,'' computing, communications, storing information, or
networking, and if the cryptographic functionality is limited to
supporting such primary function or set of functions. The primary
function is the obvious, or main, purpose of the item. It is the
function which is not there to support other functions. The
``communications'' and ``information storage'' primary function does
not include items that support entertainment, mass commercial
broadcasts, digital rights management or medical records management.
The items excluded from Category 5, Part 2 controls by Note 4 have
been determined not to be of national security concern due to their
encryption functionality. Items that are covered by Note 4 should be
evaluated under other categories of the CCL (Supplement No. 1 to part
774 of the EAR) to determine if any other controls apply. For example,
a camera system that incorporates encryption would be evaluated under
Category 6 of the CCL; a chemical analysis software program that
incorporates encryption would be evaluated under Category 2. If the
result of this evaluation is that the item is not controlled under
another category of the CCL (e.g., a refrigerator), the item is
designated as EAR99.
Note 4 to Category 5, Part 2 covers certain items that were
previously excluded from control under ECCN 5A002 by one or more
paragraphs of the exclusion Note to ECCN 5A002. Specifically, the scope
of Note 4 includes items previously covered in paragraphs (b), (c) and
(h) of the Note to ECCN 5A002. The exclusion Note to ECCN 5A002
provides that the items listed in paragraph (a) through (i) to the Note
are controlled under ECCN 5A992. With the addition of Note 4 to
Category 5, Part 2 upon the effective date of this rule, the items
previously covered in paragraphs (b), (c) and (h) of the exclusion Note
to ECCN 5A002 are no longer controlled under Category 5, Part 2 (by
virtue of the new Note 4, irrespective of the Note to ECCN 5A002), and
are therefore classified under another category of the CCL or
designated as EAR99.
The scope of Note 4 is coextensive with the scope of the
``ancillary cryptography'' provisions that were added to the EAR on
October 3, 2008. Under that amendment, commodities and software that
perform ``ancillary cryptography'' remained controlled under Category
5, Part 2, but were exempted from review and reporting requirements
under License Exception ENC (Sec. 740.17 of the EAR) and the mass
market provisions of section 742.15 of the EAR.
Items that were self-classified or classified by BIS as ``ancillary
cryptography'' items after October 3, 2008 are, upon the effective date
of this rule, no longer classified under Category 5, Part 2. In
addition, items that were self-classified or classified by BIS under
ECCN 5A992 or 5D992 based on former paragraphs (b), (c) or (h) of the
note to ECCN 5A002 are, upon the effective date of this rule, no longer
classified under Category 5, Part 2. Exporters should re-classify such
items under other categories of the CCL or designate as EAR99, as
appropriate.
Examples of items that are excluded from Category 5, Part 2 by Note
4 include, but are not limited to, the following: Piracy and theft
prevention for software or music; games and gaming; household utilities
and appliances; printing, reproduction, imaging and video recording or
playback (not videoconferencing); business process modeling and
[[Page 36488]]
automation (e.g., supply chain management, inventory, scheduling and
delivery); industrial, manufacturing or mechanical systems (e.g.,
robotics, heavy equipment, facilities systems such as fire alarm,
HVAC); automotive, aviation, and other transportation systems; LCD TV,
Blu-ray/DVD, video on demand (VoD), cinema, digital video recorders
(DVRs)/personal video recorders (PVRs); on-line media guides,
commercial content integrity and protection, HDMI and other component
interfaces; medical/clinical--including diagnostic applications,
patient scheduling, and medical data records confidentiality; academic
instruction and testing/on-line training--tools and software; applied
geosciences--mining/drilling, atmospheric sampling/weather monitoring,
mapping/surveying, dams/hydrology; scientific visualization/simulation/
co-simulation (excluding such tools for computing, networking, or
cryptanalysis); data synthesis tools for social, economic, and
political sciences (e.g., economic, population, global climate change,
public opinion polling, forecasting and modeling); software and
hardware design IP protection; and computer aided design (CAD) software
and other drafting tools.
ECCN 5A002
This rule revises the Related Controls paragraph in ECCN 5A002 to
reflect the deletion of paragraphs from the Note in the beginning of
the Items paragraph of 5A002. The Note at the beginning of the Items
paragraph of 5A002 is amended by: Replacing paragraph (a) to remove
from 5A002 control certain smart card readers/writers, and to add
definitions for `personal data' and `readers/writers;' removing
paragraphs (b), (c) and (h) because they are now covered by newly added
Note 4 to Category 5, Part 2; deleting ``other specially designed''
before components, and adding ``specially designed for information
security'' to the end of 5A002.a to clarify the text; and deleting a
parenthetical reference to ``GPS or GLONASS'' in the nota bene,
following 5A002.a, to clarify the text.
Supplement No. 3 to Part 774--Statements of Understanding
Because the length of Supplement No. 3 to part 774 is expanding,
the need for paragraph designations is necessary. Therefore, this rule
adds paragraph designations for each of the statements of
understanding. This rule also adds a new statement of understanding
that relates to Note 4 of Category 5, Part 2. The new statement of
understanding is simply a copy of the text that previously appeared in
note (h) of ECCN 5A002, which is removed by this rule, that provides
the public a reference of the specific details about portable or mobile
radiotelephones and similar client wireless devices that are now
encompassed under the new Note 4 of Category 5, Part 2.
Grandfathering
For encryption commodities, software and components described in,
or otherwise meeting the specifications of sections 740.17(b) and
742.15(b), effective June 25, 2010, such items reviewed and classified
by BIS prior to June 25, 2010 are authorized for export and reexport
under the applicable provisions of sections 740.17(b) and 742.15(b), as
amended upon publication of this rule, using the CCATS previously
issued by BIS, without any encryption registration (i.e., the
information described in Supplement No. 5 to this part), new
classification by BIS, self-classification reporting (i.e., the
information described in Supplement No. 8 to part 742), or semi-annual
sales reporting required under section 740.17(e) provided the
cryptographic functionality of the item has not changed. These
grandfathering provisions do not apply to particular commodities and
software previously made eligible for License Exception ENC under
former paragraph (b)(3) that are now listed in paragraph (b)(2) and
therefore require a license to certain ``government end-users'' outside
the countries listed in Supplement No. 3 to part 740. These
grandfathering provisions also do not apply if the encryption
functionality has changed since the encryption product was last
classified by BIS, as specified in 740.17(d)(1)(iii) and
742.15(b)(7)(i)(C).
Export Administration Act
Since August 21, 2001, the Export Administration Act has been in
lapse. However, the President, through Executive Order 13222 of August
17, 2001 (3 CFR 2001 Comp. 783 (2002)), which has been extended by
successive Presidential Notices, the most recent being that of August
13, 2009 (74 FR 41325 (August 14, 2009)), has continued the Regulations
in effect under the International Emergency Economic Powers Act (50
U.S.C. 1701 et seq.).
Rulemaking Requirements
1. This rule has been determined to be significant for purposes of
Executive Order 12866.
2. Notwithstanding any other provision of law, no person is
required to respond to nor be subject to a penalty for failure to
comply with a collection of information, subject to the requirements of
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA),
unless that collection of information displays a currently valid Office
of Management and Budget (OMB) Control Number. This rule involves a
collection of information that has been approved by the OMB under
control number 0694-0088, ``Multi-Purpose Application,'' which carries
a burden hour estimate of 58 minutes to prepare and submit form BIS-
748. Miscellaneous and recordkeeping activities account for 12 minutes
per submission. This rule amends a collection that has been approved by
the Office of Management and Budget under control number 0694-0104,
``Commercial Encryption Items Under the Jurisdiction of the Department
of Commerce'' by adding two new submissions: ``Encryption
registration'' and ``self-classification report.'' Although the changes
in this rule increase the number of collections under 0694-0104, the
burden hour estimate is decreased from 7 hours to 1.9 hours per
submission (manual or electronic). Send comments regarding these burden
estimates or any other aspect of these collections of information,
including suggestions for reducing the burden, to Jasmeet Seehra, OMB
Desk Officer, by e-mail at [email protected] or by fax to
(202) 395-7285; and to the Regulatory Policy Division, Bureau of
Industry and Security, Department of Commerce, 14th and Pennsylvania
Ave., NW., Room 2705, Washington, DC 20230.
3. This rule does not contain policies with Federalism implications
as that term is defined under Executive Order 13132.
4. Pursuant to 5 U.S.C. 553(a)(1), the provisions of this rule
amending the Commerce Control List (Note 4 to Category 5 part 2), the
Statements of Understanding (Supplement No. 3 to Part 774), and the
definitions provisions (Part 772) of the EAR are exempt from the
provision of the Administrative Procedure Act (5 U.S.C. 553) (APA)
requiring notice and an opportunity for public comment because this
regulation involves a military and foreign affairs function of the
United States. Immediate implementation of these amendments fulfills
the United States' international obligation to the Wassenaar
Arrangement on Export Controls for Conventional Arms and Dual Use Goods
and Technologies (Wassenaar Arrangement or WA). The Wassenaar
Arrangement contributes to international security and regional
stability by promoting greater responsibility in transfers of
[[Page 36489]]
conventional arms and dual use goods and technologies, thus preventing
destabilizing accumulations of such items. The Wassenaar Arrangement
consists of 40 member countries that act on a consensus basis and this
change was approved at the 2009 plenary session of the WA. Since the
United States is a significant exporter of encryption items,
implementation of this provision is necessary for the WA to achieve its
purpose. Any delay in implementation will create a disruption in the
movement of affected items globally because of the disharmony between
export control regulations, resulting in tension between member
countries. Export controls work best when all countries implement the
same export controls in a timely manner. Any delay in implementation
would injure the credibility of the United States in this and other
multilateral regimes. If notice and comment precedes, rather than
follows, the promulgation of this rule, the delays associated with
soliciting comments will result in the inability of the United States
to fulfill its commitment to the WA.
For the other provisions of this rule, the Department has
determined that there is good cause under 5 U.S.C. 553(b)(B) to waive
the provisions of the Administrative Procedure Act requiring notice and
the opportunity for public comment when doing so is contrary to the
public interest. This rule expedites the process for eligibility for
use of a license exception for the export of encryption items, while
maintaining the effectiveness of authorizations previously issued. If
this rule is delayed to allow for prior notice and opportunity for
public comment, U.S. industry would continue to be subject to a more
burdensome licensing process than necessary for the export of
encryption items. Because this rule will ensure the competitiveness of
U.S. industry, delaying the effectiveness of this rule is contrary to
the public interest.
For the reasons listed above, good cause exists to waive the 30-day
delay in effectiveness otherwise required by the APA. Further, no other
law requires that a notice of proposed rulemaking and an opportunity
for public comment be given for this interim final rule. Accordingly,
no regulatory flexibility analysis is required and none has been
prepared. Although notice and opportunity for comment are not required,
BIS is issuing this rule in interim final form and is seeking public
comments on these revisions.
The period for submission of comments will close August 24, 2010.
BIS will consider all comments received before the close of the comment
period in developing a final rule. Comments received after the end of
the comment period will be considered if possible, but their
consideration cannot be assured. BIS will not accept public comments
accompanied by a request that a part or all of the material be treated
confidentially because of its business proprietary nature or for any
other reason. BIS will return such comments and materials to the
persons submitting the comments and will not consider them in the
development of the final rule. All public comments on this interim rule
must be in writing (including fax or e-mail) and will be a matter of
public record, available for public inspection and copying. The Office
of Administration, Bureau of Industry and Security, U.S. Department of
Commerce, displays these public comments on BIS's Freedom of
Information Act (FOIA) Web site at http://www.bis.doc.gov/foia. This
office does not maintain a separate public inspection facility. If you
have technical difficulties accessing this Web site, please call BIS's
Office of Administration at (202) 482-0953 for assistance.
List of Subjects
15 CFR Part 730
Administrative practice and procedure, Advisory committees,
Exports, Reporting and recordkeeping requirements, Strategic and
critical materials.
15 CFR Part 734
Administrative practice and procedure, Exports, Inventions and
patents, Research Science and technology.
15 CFR Parts 738 and 772
Exports.
15 CFR Parts 740 and 748
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 742
Exports, Terrorism.
15 CFR Part 774
Exports, Reporting and recordkeeping requirements.
0
Accordingly, Parts 730, 734, 738, 740, 742, 748, 772 and 774 of the EAR
(15 CFR Parts 730-774) are amended as follows:
PART 730--[AMENDED]
0
1. The authority citation for part 730 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 2151
note; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s),
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 15 U.S.C.
1824a; 50 U.S.C. app. 5; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210;
E.O. 11912, 41 FR 15825, 3 CFR, 1976 Comp., p. 114; E.O. 12002, 42
FR 35623, 3 CFR, 1977 Comp., p. 133; E.O. 12058, 43 FR 20947, 3 CFR,
1978 Comp., p. 179; E.O. 12214, 45 FR 29783, 3 CFR, 1980 Comp., p.
256; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12854,
58 FR 36587, 3 CFR, 1993 Comp., p. 179; E.O. 12918, 59 FR 28205, 3
CFR, 1994 Comp., p. 899; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp.,
p. 950; E.O. 12947, 60 FR 5079, 3 CFR, 1995 Comp., p. 356; E.O.
12981, 60 FR 62981, 3 CFR, 1995 Comp., p. 419; E.O. 13020, 61 FR
54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p.
208; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224,
66 FR 49079, 3 CFR, 2001 Comp., p. 786; E.O. 13338, 69 FR 26751, May
13, 2004; Notice of August 13, 2009, 74 FR 41325 (August 14, 2009);
Notice of November 6, 2009, 74 FR 58187 (November 10, 2009).
0
2. Supplement No. 1 is amended by removing the title for collection
number 0694-0104 and adding in its place ``Commercial Encryption Items
under Commerce Jurisdiction.''
PART 734--[AMENDED]
0
3. The authority citation for part 734 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61
FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783; Notice of August 13, 2009, 74 FR 41325 (August 14, 2009);
Notice of November 6, 2009, 74 FR 58187 (November 10, 2009).
0
4. Section 734.4 is amended by revising paragraph (b)(1)(ii),
(b)(1)(iii), and (b)(1)(iv), and adding a new paragraph (b)(1)(v), to
read as follows:
Sec. 734.4 De minimis U.S. content.
* * * * *
(b) * * *
(1) * * *
(ii) Authorized for License Exception ENC by BIS after
classification pursuant to Sec. 740.17(b)(3) of the EAR;
(iii) Authorized for License Exception ENC by BIS after
classification pursuant to Sec. 740.17(b)(2) of the EAR, and the
foreign made product will not be sent to any destination in Country
Group E:1 in Supplement No. 1 to part 740 of the EAR;
(iv) Authorized for License Exception ENC pursuant to Sec.
740.17(b)(4) of the EAR; or
[[Page 36490]]
(v) Authorized for License Exception ENC after submission of an
encryption registration pursuant to Sec. 740.17(b)(1) of the EAR.
* * * * *
PART 738--[AMENDED]
0
5. The authority citation for part 738 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et
seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42
U.S.C. 6212; 43 U.S.C. 1354; 15 U.S.C. 1824a; 50 U.S.C. app. 5; 22
U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783; Notice of August 13, 2009, 74 FR 41325 (August 14, 2009).
0
6. Section 738.4 is amended by revising the third and fourth sentences
in paragraph (a)(2)(ii)(B) to read as follows:
Sec. 738.4 Determining whether a license is required.
(a) * * *
(2) * * *
(ii) * * *
(B) * * * For example, any applicable encryption registration and
classification requirements described in Sec. 742.15(b) of the EAR
must be met for certain mass market encryption items to effect your
shipment using the symbol ``NLR.'' Proceed to parts 758 and 762 of the
EAR for information on export clearance procedures and recordkeeping
requirements. * * *
* * * * *
PART 740--[AMENDED]
0
7. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp.,
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice
of August 13, 2009, 74 FR 41325 (August 14, 2009).
0
8. Section 740.17 is revised to read as follows:
Sec. 740.17 Encryption commodities, software and technology (ENC).
License Exception ENC authorizes export and reexport of systems,
equipment, commodities and components therefor that are classified
under ECCNs 5A002.a.1, a.2, a.5, a.6 or a.9, systems, equipment and
components therefor classified under ECCN 5B002, and equivalent or
related software and technology classified under ECCNs 5D002 or 5E002.
This License Exception ENC does not authorize export or reexport to, or
provision of any service in any country listed in Country Group E:1 in
Supplement No. 1 to part 740 of the EAR, or release of source code or
technology to any national of a country listed in Country Group E:1.
Reexports and transfers under License Exception ENC are subject to the
criteria set forth in paragraph (c) of this section. Paragraphs (b) and
(d) of this section set forth information about encryption
registrations and classifications required by this section. Paragraph
(e) sets forth reporting required by this section. For items exported
under paragraphs (b)(1), (b)(3)(i), (b)(3)(ii) or (b)(3)(iv) of this
section and therefore excluded from paragraph (e) reporting
requirements, exporters are reminded of the recordkeeping requirements
in part 762 of the EAR and that they may be required to make such
records available upon request. All classification requests,
registrations, and reports submitted to BIS pursuant to this section
for encryption items will be reviewed by the ENC Encryption Request
Coordinator, Ft. Meade, MD.
(a) No classification request, registration or reporting required.
(1) Internal ``development'' or ``production'' of new products.
License Exception ENC authorizes exports and reexports of items
described in paragraph (a)(1)(i) of this section, to end-users
described in paragraph (a)(1)(ii) of this section, for the intended
end-use described in paragraph (a)(1)(iii) of this section without
submission of encryption registration, classification request, self-
classification report or sales report to BIS.
(i) Eligible items. Eligible items are those classified under ECCNs
5A002.a.1, .a.2, .a.5, .a.6, or .a.9, ECCN 5B002, and equivalent or
related software and technology classified under ECCNs 5D002 or 5E002.
(ii) Eligible End-users. Eligible end-users are ``private sector
end-users'' wherever located that are headquartered in a country listed
in Supplement No. 3 of this part.
Note to paragraph (a)(1)(ii): A ``private sector end-user'' is:
(1) An individual who is not acting on behalf of any foreign
government; or
(2) A commercial firm (including its subsidiary and parent
firms, and other subsidiaries of the same parent) that is not wholly
owned by, or otherwise controlled by or acting on behalf of, any
foreign government.
(iii) Eligible End-use. The eligible end-use is internal
``development'' or ``production'' of new products by those end-users.
Note to paragraph (a)(1)(iii): All items produced or developed
with items exported or reexported under this paragraph (a)(1) are
subject to the EAR. These items may require the submission of a
classification request or encryption registration before sale,
reexport or transfer, unless otherwise authorized by license or
license exception.
(2) Exports and reexports to ``U.S. Subsidiaries.'' License
Exception ENC authorizes export and reexport of systems, equipment,
commodities and components therefor classified under ECCNs 5A002.a.1,
.a.2, .a.5, .a.6, or .a.9, systems, equipment, and components therefor
classified under ECCN 5B002, and equivalent or related software and
technology classified under ECCNs 5D002 or 5E002, to any ``U.S.
subsidiary,'' wherever located without submission of an encryption
registration, classification request, self-classification report or
sales report to BIS. License Exception ENC also authorizes export or
reexport of such items by a U.S. company and its subsidiaries to
foreign nationals who are employees, contractors or interns of a U.S.
company or its subsidiaries if the items are for internal company use,
including the ``development'' or ``production'' of new products,
without prior review by the U.S. Government.
Note to paragraph (a)(2): All items produced or developed with
items exported or reexported under this paragraph (a)(2) are subject
to the EAR. These items may require the submission of a
classification request or encryption registration before sale,
reexport or transfer to non-``U.S. subsidiaries,'' unless otherwise
authorized by license or license exception.
(b) Encryption registration required, with classification request
or self-classification report. Exports and reexports authorized under
paragraphs (b)(1), (b)(2) and (b)(3) of License Exception ENC require
submission of an encryption registration in accordance with paragraph
(d) of this section and the specific instructions of paragraph (r)(1)
of Supplement No. 2 to part 748 of the EAR. In addition: for paragraph
(b)(1) of this section a self-classification report in accordance with
Sec. 742.15(c) of the EAR is also required from specified exporters
and reexporters; for paragraphs (b)(2) and (b)(3) of this section, a
thirty-day (30-day) classification request is required in accordance
with paragraph (d) of this section. See paragraph (f) of this section
for grandfathering provisions applicable to certain encryption items
reviewed and classified by BIS under this license exception prior to
June 25, 2010. Only License Exception ENC authorizations under this
paragraph (b) to a company that has fulfilled the requirements of
encryption registration (such as the producer of the item) authorize
the
[[Page 36491]]
export and reexport of the company's encryption items by all persons,
wherever located, under this license exception. When an exporter or
reexporter relies on the producer's self-classification (pursuant to
the producer's encryption registration) or CCATS for an encryption item
eligible for export or reexport under License Exception ENC under
paragraph (b)(1), (b)(2), or (b)(3) of this section, it is not required
to submit an encryption registration, classification request or self-
classification report. Exporters are still required to comply with
semi-annual sales reporting requirements under paragraph (e) of this
section, even if relying on a CCATS issued to a producer for specified
encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this
section.
(1) Immediate authorization. Once an encryption registration is
submitted to BIS in accordance with paragraph (d) of this section and
an Encryption Registration Number (ERN) has been issued, this paragraph
(b)(1) authorizes the exports or reexports of the associated
commodities classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or
.a.9, or ECCN 5B002, and equivalent or related software classified
under ECCN 5D002, except any such commodities, software or components
described in (b)(2) or (b)(3) of this section, subject to submission of
a self-classification report in accordance with Sec. 742.15(c) of the
EAR.
(2) Classification request required. Thirty (30) days after the
submission of a classification request with BIS in accordance with
paragraph (d) of this section and subject to the reporting requirements
in paragraph (e) of this section, this paragraph under License
Exception ENC authorizes certain exports or reexports of the items
submitted for classification, as further described in paragraphs
(b)(2)(i), (b)(2)(ii) and (b)(2)(iv)(B) of this section.
Note to introductory text of paragraph (b)(2): Immediately after
the classification request is submitted to BIS in accordance with
paragraph (d) of this section and subject to the reporting
requirements in paragraph (e) of this section, this paragraph also
authorizes exports or reexports of:
1. All submitted encryption items described in this paragraph
(b)(2), except ``cryptanalytic items,'' to any end-user located or
headquartered in a country listed in Supplement No. 3 to this part;
2. Encryption source code as described in paragraph (b)(2)(i)(B)
to non-``government end-users'' in any country;
3. ``Cryptanalytic items'' to non-``government end-users'',
only, located or headquartered in a country listed in Supplement No.
3 to this part; and
4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A)
of this section, to specified destinations and end-users.
(i) Cryptographic commodities, software and components. The
following items to non-``government end-users'' located or
headquartered in a country not listed in Supplement No. 3 to this part:
(A) Network infrastructure software and commodities and components
thereof (including commodities and software necessary to activate or
enable cryptographic functionality in network infrastructure products)
providing secure Wide Area Network (WAN), Metropolitan Area Network
(MAN), Virtual Private Network (VPN), satellite, digital packet
telephony/media (voice, video, data) over Internet protocol, cellular
or trunked communications meeting any of the following with key lengths
exceeding 80-bits for symmetric algorithms:
(1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput
(including communications through wireless network elements such as
gateways, mobile switches, and controllers) greater than 90 Mbps;
(2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-
channel input data rate exceeding 154 Mbps;
(3) Transmission over satellite at data rates exceeding 10 Mbps;
(4) Media (voice/video/data) encryption or centralized key
management supporting more than 250 concurrent encrypted data channels,
or encrypted signaling to more than 1,000 endpoints, for digital packet
telephony/media (voice/video/data) over Internet protocol
communications; or
(5) Air-interface coverage (e.g., through base stations, access
points to mesh networks, and bridges) exceeding 1,000 meters, where any
of the following applies:
(i) Maximum transmission data rates exceeding 10 Mbps (at operating
ranges beyond 1,000 meters);
(ii) Maximum number of concurrent full-duplex voice channels
exceeding 30; or
(iii) Substantial support is required for installation or use;
(B) Encryption source code that would not be eligible for export or
reexport under License Exception TSU because it is not publicly
available as that term is used in Sec. 740.13(e)(1) of the EAR;
(C) Encryption software, commodities and components therefor, that
have any of the following:
(1) Been designed, modified, adapted or customized for ``government
end-user(s)'';
(2) Cryptographic functionality that has been modified or
customized to customer specification; or
(3) Cryptographic functionality or ``encryption component'' (except
encryption software that would be considered publicly available, as
that term is used in Sec. 740.13(e)(1) of the EAR) that is user-
accessible and can be easily changed by the user;
(D) Encryption commodities and software that provide functions
necessary for quantum cryptography, as defined in ECCN 5A002 of the
Commerce Control List;
(E) Encryption commodities and software that have been modified or
customized for computers classified under ECCN 4A003;
(F) Encryption commodities and software that provide penetration
capabilities that are capable of attacking, denying, disrupting or
otherwise impairing the use of cyber infrastructure or networks;
(G) Public safety/first responder radio (e.g., implementing
Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety
Communications Officials International (APCO) Project 25 (P25)
standards);
(ii) Cryptanalytic commodities and software. Commodities and
software classified as ``cryptanalytic items'' to non-``government end-
users'' located or headquartered in countries not listed in Supplement
No. 3 to this part;
(iii) ``Open cryptographic interface'' items. Items that provide an
``open cryptographic interface'', to any end-user located or
headquartered in a country listed in Supplement No. 3 to this part.
(iv) Specific encryption technology. Specific encryption technology
as follows:
(A) Technology for ``non-standard cryptography.'' Encryption
technology classified under ECCN 5E002 for ``non-standard
cryptography,'' to any end-user located or headquartered in a country
listed in Supplement No. 3 to this part;
(B) Other technology. Encryption technology classified under ECCN
5E002 except technology for ``cryptanalytic items,'' ``non-standard
cryptography'' or any ``open cryptographic interface,'' to any non-
``government end-user'' located in a country not listed in Country
Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR.
Note to paragraph (b)(2): Commodities, software, and components
that allow the end-user to activate or enable cryptographic
functionality in encryption products which would otherwise remain
disabled, are controlled according to the functionality of the
activated encryption product.
[[Page 36492]]
(3) Classification request required for specified commodities,
software and components. Thirty (30) days after a classification
request is submitted to BIS in accordance with paragraph (d) of this
section and subject to the reporting requirements in paragraph (e) of
this section, this paragraph authorizes exports or reexports of the
items submitted for classification, as further described in this
paragraph (b)(3), to any end-user, provided the item does not perform
the functions, or otherwise meet the specifications, of any item
described in paragraph (b)(2) of this section.
Note to introductory text of paragraph (b)(3): Immediately after
the classification request is submitted to BIS in accordance with
paragraph (d) of this section and subject to the reporting
requirements in paragraph (e) of this section, this paragraph also
authorizes exports or reexports of the items described in this
paragraph (b)(3) to any end-user located or headquartered in a
country listed in Supplement No. 3 to this part.
(i) Specified components classified under ECCN 5A002.a.1, .a.5 or
.a.6 and equivalent or related software classified under ECCN 5D002 not
described by paragraph (b)(2) of this section, as follows:
(A) Chips, chipsets, electronic assemblies and field programmable
logic devices;
(B) Cryptographic libraries, modules, development kits and
toolkits, including for operating systems and cryptographic service
providers (CSPs);
(C) Application-specific hardware or software development kits
implementing cryptography.
(ii) Encryption commodities, software and components not described
by paragraph (b)(2) of this section, that provide or perform ``non-
standard cryptography'' as defined in part 772 of the EAR.
(iii) Encryption commodities and software not described by
paragraph (b)(2) of this section, that provide or perform vulnerability
analysis, network forensics, or computer forensics functions
characterized by any of the following:
(A) Automated network analysis, visualization, or packet inspection
for profiling network flow, network user or client behavior, or network
structure/topology and adapting in real-time to the operating
environment; or
(B) Investigation of data leakage, network breaches, and other
malicious intrusion activities through triage of captured digital
forensic data for law enforcement purposes or in a similarly rigorous
evidentiary manner.
(iv) Cryptographic enabling commodities and software. Commodities
and software and components that activate or enable cryptographic
functionality in encryption products which would otherwise remain
disabled, where the product or cryptographic functionality is not
otherwise described in paragraphs (b)(2) or (b)(3)(i) of this section.
(4) Exclusions from classification request, encryption registration
and self-classification reporting requirements. License Exception ENC
authorizes the export and reexport of the commodities and software
described in this paragraph (b)(4) without the submission of a
classification request, encryption registration or self-classification
report to BIS, except that paragraph (b)(4)(ii) of this section does
not authorize exports from the United States of foreign products
developed with or incorporating U.S.-origin encryption source code,
components, or toolkits.
(i) Short-range wireless encryption functions. Commodities and
software that are not otherwise controlled in Category 5, but are
nonetheless classified under ECCN 5A002, 5B002 or 5D002 only because
they incorporate components or software that provide short-range
wireless encryption functions (e.g., with a nominal operating range not
exceeding 100 meters according to the manufacturer's specifications,
designed to comply with the Institute of Electrical and Electronic
Engineers (IEEE) 802.11 wireless LAN standard or the IEEE 802.15.1
standard).
Note to paragraph (b)(4)(i): An example of what this paragraph
authorizes for export without classification, registration or self-
classification reporting is a laptop computer that without
encryption would be classified under ECCN 4A994, and the Category 5,
Part 2-controlled components of the laptop only implement short-
range wireless encryption functionality. On the other hand, this
paragraph (b)(4)(i) does not apply to any commodities or software
that would still be classified under an ECCN in Category 5 even if
the short-range wireless encryption functionality were removed. For
example, certain access points, gateways and bridges are classified
under ECCN 5A991 without encryption functionality, and components
for mobile communication equipment are classified under ECCN 5A991.g
without encryption functionality. Such items, when implementing
cryptographic functionality controlled by Category 5, Part 2 are not
excluded from encryption classification, registration or self-
classification reporting by this paragraph.
(ii) Foreign products developed with or incorporating U.S.-origin
encryption source code, components, or toolkits. Foreign products
developed with or incorporating U.S.-origin encryption source code,
components or toolkits that are subject to the EAR, provided that the
U.S.-origin encryption items have previously been classified or
registered and authorized by BIS and the cryptographic functionality
has not been changed. Such products include foreign-developed products
that are designed to operate with U.S. products through a cryptographic
interface.
(c) Reexport and transfer. U.S. or foreign distributors, resellers
or other entities who are not original manufacturers of encryption
commodities and software are permitted to use License Exception ENC
only in instances where the export or reexport meets the applicable
terms and conditions of this section. Transfers of encryption items
listed in paragraph (b)(2) of this section to ``government end-users,''
or for government end-uses, within the same country are prohibited,
unless otherwise authorized by license or license exception.
(d) Encryption registration and classification request procedures.
(1) Submission requirements and instructions. To submit an
encryption registration or classification request to BIS, you must
submit an application to BIS in accordance with the procedures
described in Sec. Sec. 748.1 and 748.3 of the EAR and the instructions
in paragraph (r) of Supplement No. 2 to part 748 ``Unique Application
and Submission Requirements,'' along with other required information as
follows:
(i) Encryption registrations in support of encryption
classification requests and self-classification reports. You must
submit the applicable information as described in Supplement No. 5 to
part 742 of the EAR and follow the specific instructions of paragraph
(r)(1) of Supplement No. 2 to part 748 of the EAR, if any of the
following apply:
(A) This is your first time submitting an encryption classification
request under paragraphs (b)(2) or (b)(3) of this section since August
24, 2010;
(B) You are making an encryption item eligible for export and
reexport (including as defined for encryption software in Sec.
734.2(b)(9) of the EAR) under paragraph (b)(1) of this section for the
first time since August 24, 2010; or
(C) If you have not otherwise provided BIS the information
described in Supplement No. 5 to part 742 during the current calendar
year and your answers to the questions in Supplement No. 5 to part 742
have changed since the last time you provided answers to the questions.
(ii) Technical information submission requirements. In addition to
the encryption registration requirements of paragraph (d)(1)(i) of this
section, for all submissions of encryption classification requests for
items described under
[[Page 36493]]
paragraph (b)(2) or (b)(3) of this section, you must also provide BIS
the applicable information described in paragraphs (a) through (d) of
Supplement No. 6 to part 742 of the EAR (Technical Questionnaire for
Encryption Items). For items authorized after submission of an
encryption registration under paragraph (b)(1) of this section, you may
be required to provide BIS this Supplement No. 6 to part 742
information on an as-needed basis, upon request by BIS.
(iii) Changes in encryption functionality following a previous
classification. A new product encryption classification request (under
paragraphs (b)(2) or (b)(3) of this section) or self-classification
report (under paragraph (b)(1) of this section) is required if a change
is made to the cryptographic functionality (e.g., algorithms) or other
technical characteristics affecting License Exception ENC eligibility
(e.g., encrypted throughput) of the originally classified product.
However, a new product classification request or self-classification
report is not required when a change involves: The subsequent bundling,
patches, upgrades or releases of a product; name changes; or changes to
a previously reviewed encryption product where the change is limited to
updates of encryption software components where the product is
otherwise unchanged.
(2) Action by BIS.
(i) Encryption registrations for paragraph (b) of this section.
Upon submission to BIS of an encryption registration in accordance with
paragraph (d)(1) of this section and acceptance of the application by
SNAP-R, BIS will issue the Encryption Registration Number (ERN) via
SNAP-R, which will constitute authorization for exports and reexports
of eligible items under paragraph (b)(1) of this license exception.
(ii) For items requiring classification by BIS under paragraphs
(b)(2) and (b)(3) of this section.
(A) For classifications that require a thirty (30) day waiting
period, if BIS has not, within thirty-days (30-days) from registration
in SNAP-R of your complete classification request, informed you that
your item is not authorized for License Exception ENC, you may export
or reexport under the applicable provisions of License Exception ENC.
(B) Upon completion of its classification, BIS will issue a
Commodity Classification Automated Tracking System (CCATS) to you.
(C) Hold Without Action (HWA) for classification requests. BIS may
hold your classification request without action if necessary to obtain
additional information or for any other reason necessary to ensure an
accurate classification. Time on such ``hold without action'' status
shall not be counted towards fulfilling the thirty-day (30-day)
processing period specified in this paragraph.
(iii) BIS may require you to supply additional relevant technical
information about your encryption item(s) or information that pertains
to their eligibility for License Exception ENC at any time, before or
after the expiration of the thirty-day (30-day) processing period
specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this
section, or after any registrations as required in paragraph (b)(1) of
this section. If you do not supply such information within 14 days
after receiving a request for it from BIS, BIS may return your
classification request(s) without action or otherwise suspend or revoke
your eligibility to use License Exception ENC for that item(s). At your
request, BIS may grant you up to an additional 14 days to provide the
requested information. Any request for such an additional number of
days must be made prior to the date by which the information was
otherwise due to be provided to BIS, and may be approved if BIS
concludes that additional time is necessary.
(e) Reporting requirements.
(1) Semi-annual reporting requirement. Semi-annual reporting is
required for exports to all destinations other than Canada, and for
reexports from Canada for items described under paragraphs (b)(2) and
(b)(3)(iii) of this section. Certain encryption items and transactions
are excluded from this reporting requirement, see paragraph (e)(1)(iii)
of this section. For information about what must be included in the
report and submission requirements, see paragraphs (e)(1)(i) and
(e)(1)(ii) of this section respectively.
(i) Information required. Exporters must include for each item, the
Commodity Classification Automated Tracking System (CCATS) number and
the name of the item(s) exported (or reexported from Canada), and the
following information in their reports:
(A) Distributors or resellers. For items exported (or reexported
from Canada) to a distributor or other reseller, including subsidiaries
of U.S. firms, the name and address of the distributor or reseller, the
item and the quantity exported or reexported and, if collected by the
exporter as part of the distribution process, the end-user's name and
address;
(B) Direct Sales. For items exported (or reexported from Canada)
through direct sale, the name and address of the recipient, the item,
and the quantity exported; or
(C) Foreign manufacturers and products that use encryption items.
For exports (i.e., from the United States) or direct transfers (e.g.,
by a ``U.S. subsidiary'' located outside the United States) of
encryption components, source code, general purpose toolkits, equipment
controlled under ECCN 5B002, technology, or items that provide an
``open cryptographic interface,'' to a foreign developer or
manufacturer headquartered in a country not listed in Supplement No. 3
to this part when intended for use in foreign products developed for
commercial sale, the names and addresses of the manufacturers using
these encryption items and, if known, when the product is made
available for commercial sale, a non-proprietary technical description
of the foreign products for which these encryption items are being used
(e.g., brochures, other documentation, descriptions or other
identifiers of the final foreign product; the algorithm and key lengths
used; general programming interfaces to the product, if known; any
standards or protocols that the foreign product adheres to; and source
code, if available).
(ii) Submission requirements. For exports occurring between January
1 and June 30, a report is due no later than August 1 of that year. For
exports occurring between July 1 and December 31, a report is due no
later than February 1 the following year. These reports must be
provided in electronic form. Recommended file formats for electronic
submission include spreadsheets, tabular text or structured text.
Exporters may request other reporting arrangements with BIS to better
reflect their business models. Reports may be sent electronically to
BIS at [email protected] and to the ENC Encryption Request Coordinator
at [email protected], or disks and CDs containing the reports may be sent to
the following addresses:
(A) Department of Commerce, Bureau of Industry and Security, Office
of National Security and Technology Transfer Controls, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Reports, and
(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road,
Suite 6940, Ft. Meade, MD 20755-6000.
(iii) Exclusions from reporting requirement. Reporting is not
required for the following items and transactions:
(A) [Reserved]
[[Page 36494]]
(B) Encryption commodities or software with a symmetric key length
not exceeding 64 bits;
(C) Encryption items exported (or reexported from Canada) via free
and anonymous download;
(D) Encryption items from or to a U.S. bank, financial institution
or its subsidiaries, affiliates, customers or contractors for banking
or financial operations;
(E) Items listed in paragraph (b)(4) of this section, unless it is
a foreign item described in paragraph (b)(4)(ii) of this section that
has entered the United States;
(F) Foreign products developed by bundling or compiling of source
code;
(2) Key length increases. Reporting is required for commodities and
software that, after having been classified and authorized for License
Exception ENC in accordance with paragraphs (b)(2) or (b)(3) of this
section, are modified only to upgrade the key length used for
confidentiality or key exchange algorithms. Such items may be exported
or reexported under the previously authorized provision of License
Exception ENC without a classification resubmission.
(i) Information required.
(A) A certification that no change to the encryption functionality
has been made other than to upgrade the key length for confidentiality
or key exchange algorithms.
(B) The original Commodity Classification Automated Tracking System
(CCATS) authorization number issued by BIS and the date of issuance.
(C) The new key length.
(ii) Submission requirements.
(A) The report must be received by BIS and the ENC Encryption
Request Coordinator before the export or reexport of the upgraded
product; and
(B) The report must be e-mailed to [email protected] and
[email protected].
(f) Grandfathering. The following provisions apply to encryption
items reviewed and classified by BIS under this license exception prior
to June 25, 2010:
(1) Items described in paragraphs (b)(1) or (b)(3) of this section.
For encryption commodities, software and components described in (or
otherwise meeting the specifications of) paragraphs (b)(1) or (b)(3) of
this section effective June 25, 2010, such items reviewed and
classified by BIS prior to June 25, 2010 are authorized for export and
reexport to eligible end-users and destinations under the applicable
paragraph (b)(1) or (b)(3) of this license exception using the CCATS
previously issued by BIS, without any encryption registration (i.e.,
the information described in Supplement No. 5 to part 742 of the EAR),
new classification by BIS, self-classification reporting (i.e., the
information described in Supplement No. 8 to part 742 of the EAR), or
semi-annual sales reporting required under section 740.17(e) provided
the cryptographic functionality of the item has not changed. See
paragraph (d)(1)(iii) of this section regarding changes in encryption
functionality following a previous classification.
(2) Items described in paragraph (b)(2) of this section.
(i) Commodities, software and components described in paragraph
(b)(2)(i) of this section. For encryption commodities, software and
components described in (or otherwise meeting the specifications of)
paragraph (b)(2)(i) of this section effective June 25, 2010, such items
reviewed and classified by BIS prior to June 25, 2010 are authorized
for export and reexport to eligible end-users and destinations under
paragraph (b)(2) of this license exception using the CCATS previously
issued by BIS, without any encryption registration (i.e., the
information described in Supplement No. 5 to part 742 of the EAR) and
new classification by BIS, provided the previous CCATS established
License Exception ENC Sec. 740.17(b)(2) treatment for the item and the
cryptographic functionality of the item has not changed. See paragraph
(d)(1)(iii) of this section regarding changes in encryption
functionality following a previous classification. An encryption
registration and updated classification must be submitted to BIS for
items described in paragraph (b)(2)(i) of this section effective June
25, 2010 if the items were not previously classified under Sec.
740.17(b)(2), even if the cryptographic functionality has not changed.
(ii) Cryptoanalytic items, open cryptographic interface items, and
encryption technology. For items described in (or otherwise meeting the
specifications of) paragraphs (b)(2)(ii), (b)(2)(iii) or (b)(2)(iv) of
this section effective June 25, 2010, such items reviewed and
classified by BIS prior to June 25, 2010 are authorized for export and
reexport to eligible end-users and destinations under paragraph (b)(2)
of this license exception using the CCATS previously issued by BIS,
without any encryption registration (i.e., the information described in
Supplement No. 5 to part 742 of the EAR), new classification by BIS, or
self-classification reporting (i.e., the information described in
Supplement No. 8 to part 742 of the EAR), provided the cryptographic
functionality of the item has not changed. See paragraph (d)(1)(iii) of
this section regarding changes in encryption functionality following a
previous classification.
PART 742--[AMENDED]
0
9. The authority citation for part 742 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22
U.S.C. 7210; Sec. 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058,
43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3
CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp.,
p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O.
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential
Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003;
Notice of August 13, 2009, 74 FR 41325 (August 14, 2009); Notice of
November 6, 2009, 74 FR 58187 (November 10, 2009).
0
10. Section 742.15 is amended by revising the Note to paragraph (a),
revising paragraph (b), and adding paragraphs (c) and (d) to read as
follows:
Sec. 742.15 Encryption Items.
* * * * *
(a) * * *
Note to paragraph (a): Pursuant to Note 3 to Category 5 Part 2
of the Commerce Control List in Supplement No. 1 to Part 774, mass
market encryption commodities and software may be released from
``EI'' and ``NS'' controls by submitting an encryption registration
in accord with Sec. 742.15(b) of the EAR. Once an encryption
registration has been submitted to BIS and accepted in SNAP-R as
indicated by the issuance of an Encryption Registration Number
(ERN), then the commodities and software are classified under ECCNs
5A992 and 5D992 respectively and are no longer subject to ``EI'' and
``NS'' controls.
(b) Encryption registration required, with classification request
or self-classification report, for mass market encryption commodities,
software and components with encryption exceeding 64 bits. To be
eligible for export and reexport under this paragraph (b), encryption
commodities, software and components must qualify for mass market
treatment under the criteria in the Cryptography Note (Note 3) of
Category 5, Part 2 (``Information Security''), of the Commerce Control
List (Supplement No. 1 to part 774 of the EAR), and employ a key length
greater than 64 bits for the symmetric algorithm (or, for commodities
and software not implementing any symmetric algorithms, employing a key
length greater than 768 bits for asymmetric algorithms or greater than
128 bits for elliptic curve algorithms). Encryption items that are
described in Sec. Sec. 740.17(b)(2) or (b)(3)(iii) of the EAR do not
qualify for mass market
[[Page 36495]]
treatment. This paragraph (b) does not authorize export or reexport to,
or provision of any service in any country listed in Country Group E:1
in Supplement No. 1 to part 740 of the EAR. Exports and reexports
authorized under paragraphs (b)(1) and (b)(3) of this section must be
supported by an encryption registration in accordance with paragraph
(b)(7) of this section and the specific instructions of paragraph
(r)(1) of Supplement No. 2 to part 748 of the EAR. In addition,
paragraphs (b)(1) and (b)(3) of this section set forth requirements
pertaining to the classification of mass market encryption commodities
and software. See paragraph (d) of this section for grandfathering
provisions applicable to certain encryption items reviewed and
classified by BIS under this section prior to June 25, 2010. All
classification requests, registrations, and reports submitted to BIS
pursuant to this section for encryption items will be reviewed by the
ENC Encryption Request Coordinator, Ft. Meade, MD. Only mass market
encryption authorizations under this paragraph (b) to a company that
has fulfilled the requirements of encryption registration (such as the
producer of the item) authorize the export and reexport of the
company's encryption items by all persons, wherever located, under this
section. When an exporter or reexporter relies on the producer's self-
classification (pursuant to the producer's encryption registration) or
CCATS for a mass market encryption item, it is not required to submit
an encryption registration, classification request or self-
classification report.
(1) Immediate mass market authorization. Once an encryption
registration is submitted to BIS in accordance with paragraph (b)(7) of
this section and an Encryption Registration Number (ERN) has been
issued, this paragraph (b)(1) authorizes the exports or reexports of
the associated mass market encryption commodities and software
classified under ECCNs 5A992 or 5D992 using the symbol ``NLR'', except
any such commodities, software or components described in (b)(3) of
this section, subject to submission a self-classification report in
accordance with paragraph (c) of this section.
(2) [Reserved]
(3) Classification request required for specified mass market
commodities, software and components. Thirty-days (30-days) after the
submission of a classification request to BIS in accordance with
paragraph (b)(7) of this section, this paragraph (b)(3) authorizes
exports and reexports of the mass market items submitted for
classification, using the symbol ``NLR'', provided the items qualify
for mass market treatment as described in paragraph (b) of this section
and are classified by BIS under ECCNs 5A992 or 5D992:
Note to introductory text of paragraph (b)(3): Once a mass
market classification request is accepted in SNAP-R, you may export
and reexport the encryption commodity or software under License
Exception ENC as ECCN 5A002 or 5D002, whichever is applicable, to
any end-user located or headquartered in a country listed in
Supplement No. 3 to part 740 as authorized by Sec. 740.17(b) of the
EAR, while the mass market classification request is pending review
with BIS.
(i) Specified mass market encryption components as follows:
(A) Chips, chipsets, electronic assemblies and field programmable
logic devices;
(B) Cryptographic libraries, modules, development kits and
toolkits, including for operating systems and cryptographic service
providers (CSPs);
(C) Application-specific hardware or software development kits
implementing cryptography.
(ii) Mass market encryption commodities, software and components
that provide or perform ``non-standard cryptography'' as defined in
part 772 of the EAR.
(iii) [Reserved]
(iv) Mass market cryptographic enabling commodities and software.
Commodities and software and components that themselves qualify for
mass market treatment, and activate or enable cryptographic
functionality in mass market encryption products which would otherwise
remain disabled, where the product or cryptographic functionality is
not otherwise described in paragraph (b)(3)(i) of this section.
(4) Exclusions from mass market classification request, encryption
registration and self-classification reporting requirements. The
following commodities and software do not require a submission of an
encryption registration, classification request or self-classification
report to BIS for export or reexport as mass market products:
(i) Short-range wireless encryption functions. Commodities and
software that are not otherwise controlled in Category 5, but are
nonetheless classified under ECCN 5A992 or 5D992 only because they
incorporate components or software that provide short-range wireless
encryption functions (e.g., with a nominal operating range not
exceeding 100 meters according to the manufacturer's specifications,
designed to comply with the Institute of Electrical and Electronic
Engineers (IEEE) 802.11 wireless LAN standard or the IEEE 802.15.1
standard).
Note to paragraph (b)(4)(i): An example of what this paragraph
authorizes for export without classification, registration or self-
classification reporting is a laptop computer that without
encryption would be classified under ECCN 4A994, and the Category 5,
Part 2-controlled components of the laptop only implement short-
range wireless encryption functionality. On the other hand, this
paragraph (b)(4)(i) does not apply to any commodities or software
that would still be classified under an ECCN in Category 5 even if
the short-range wireless encryption functionality were removed. For
example, certain access points, gateways and bridges are classified
under ECCN 5A991 without encryption functionality, and components
for mobile communication equipment are classified under ECCN 5A991.g
without encryption functionality. Such items, when implementing
cryptographic functionality controlled by Category 5, Part 2 are not
excluded from encryption classification, registration or self-
classification reporting by this paragraph.
(ii) Foreign products developed with or incorporating U.S.-origin
encryption source code, components, or toolkits. Foreign products
developed with or incorporating U.S.-origin encryption source code,
components or toolkits that are subject to the EAR, provided that the
U.S.-origin encryption items have previously been classified or
registered and authorized by BIS and the cryptographic functionality
has not been changed. Such products include foreign-developed products
that are designed to operate with U.S. products through a cryptographic
interface.
(5) [Reserved]
(6) Examples of mass market encryption products. Subject to the
requirements of the Cryptography Note (Note 3) in Category 5, Part 2,
of the Commerce Control List, mass market encryption products include,
but are not limited to, general purpose operating systems and desktop
applications (e.g., e-mail, browsers, games, word processing, database,
financial applications or utilities) designed for use with computers
classified as ECCN 4A994 or designated as EAR99, laptops, or hand-held
devices; commodities and software for client Internet appliances and
client wireless LAN devices; home use networking commodities and
software (e.g., personal firewalls, cable modems for personal
computers, and consumer set top boxes); and portable or mobile civil
telecommunications commodities and software (e.g., personal data
assistants (PDAs), radios, or cellular products).
(7) Mass market encryption registration and classification request
procedures.
[[Page 36496]]
(i) Submission requirements and instructions. To submit an
encryption registration or classification request to BIS for certain
mass market encryption items under this paragraph (b), you must submit
an application to BIS in accordance with the procedures described in
Sec. Sec. 748.1 and 748.3 of the EAR and the instructions in paragraph
(r) of Supplement No. 2 to part 748 ``Unique Application and Submission
Requirements'', along with other required information as follows:
(A) Encryption registration in support of mass market encryption
classification requests and self-classification reports. You must
submit the applicable information as described in Supplement No. 5 to
this part and follow the specific instructions of paragraph (r)(1) of
Supplement No. 2 to part 748 of the EAR, if any of the following apply:
(1) This is your first time submitting an encryption classification
request under paragraph (b)(3) of this section since August 24, 2010;
(2) You are making a mass market encryption product eligible for
export and reexport (including as defined for encryption software in
Sec. 734.2(b)(9) of the EAR) under paragraph (b)(1) of this section
for the first time since August 24, 2010; or
(3) If you have not otherwise provided BIS the information
described in Supplement No. 5 to this part during the current calendar
year and your answers to the questions in Supplement No. 5 to this part
have changed since the last time you provided answers to the questions.
(B) Technical information submission requirements. In addition to
the registration requirements of paragraph (b)(7)(i)(A) of this
section, for all submissions of encryption classification requests for
mass market products described under paragraph (b)(3) of this section,
you must also provide BIS the applicable information described in
paragraphs (a) through (d) of Supplement No. 6 to this part (Technical
Questionnaire for Encryption Items). For mass market products
authorized after the submission of an encryption registration under
paragraph (b)(1) of this section, you may be required to provide BIS
this information described in Supplement No. 6 to this part on an as-
needed basis, upon request by BIS.
(C) Changes in encryption functionality following a previous
classification. A new mass market encryption classification request
(under paragraph (b)(3) of this section) or self-classification (under
paragraph (b)(1) of this section) is required if a change is made to
the cryptographic functionality (e.g., algorithms) or other technical
characteristics affecting mass market eligibility (e.g., performance
enhancements to provide network infrastructure services, or
customizations to end-user specifications) of the originally classified
product. However, a new product classification request or self-
classification is not required when a change involves: the subsequent
bundling, patches, upgrades or releases of a product; name changes; or
changes to a previously reviewed encryption product where the change is
limited to updates of encryption software components where the product
is otherwise unchanged.
(ii) Action by BIS.
(A) Encryption registrations for mass market encryption items. Upon
submission to BIS of an encryption registration in accordance with
paragraph (b)(7)(i) of this section and acceptance of the application
by SNAP-R, BIS will issue the Encryption Registration Number (ERN) via
SNAP-R, which will constitute authorization under this paragraph (b).
Immediately upon receiving your ERN from BIS, you may export and
reexport mass market encryption products described in paragraph (b)(1)
of this section using the symbol ``NLR''.
(B) For mass market items requiring classification by BIS under
paragraph (b)(3) of this section.
(1) For mass market encryption classifications that require a
thirty (30)-day waiting period, if BIS has not, within thirty (30) days
from acceptance in SNAP-R of your complete classification request,
informed you that your item is not authorized as a mass market item,
you may export and reexport under the applicable provisions of this
paragraph (b). If, during the course of its review, BIS determines that
your encryption items do not qualify for mass market treatment under
the EAR, or are otherwise classified under ECCN 5A002, 5B002, 5D002 or
5E002, BIS will notify you and will review your items for eligibility
under License Exception ENC (see Sec. 740.17 of the EAR for review and
reporting requirements for encryption items under License Exception
ENC).
(2) Upon completion of its review, BIS will issue a Commodity
Classification Automated Tracking System (CCATS) to you.
(3) Hold Without Action (HWA) for mass market classification
requests. BIS may hold your mass market classification request without
action if necessary to obtain additional information or for any other
reason necessary to ensure an accurate classification. Time on such
``hold without action'' status shall not be counted towards fulfilling
the thirty-day (30-day) processing period specified in this paragraph.
(C) BIS may require you to supply additional relevant technical
information about your encryption item(s) or information that pertains
to their eligibility as mass market products at any time, before or
after the expiration of the thirty-day (30-day) processing period
specified in this paragraph and in paragraph (b)(3) of this section, or
after any registrations as required in paragraph (b)(1) of this
section. If you do not supply such information within 14 days after
receiving a request from BIS, BIS may return your classification
request without action or otherwise suspend or revoke your eligibility
to use mass market authorization for that item. At your request, BIS
may grant you up to an additional 14 days to provide the requested
information. Any request for such an additional number of days must be
made prior to the date by which the information was otherwise due to be
provided to BIS and may be approved if BIS concludes that additional
time is necessary.
(c) Self-classification reporting for certain encryption
commodities, software and components. This paragraph (c) sets forth
requirements for self-classification reporting to BIS and the ENC
Encryption Request Coordinator (Ft. Meade, MD) of encryption
commodities, software and components exported or reexported pursuant to
encryption registration under Sec. Sec. 740.17(b)(1) or 742.15(b)(1)
of the EAR. Reporting is required, effective June 25, 2010.
(1) When to report. Your self-classification report for applicable
encryption commodities, software and components exported or reexported
during a calendar year (January 1 through December 31) must be received
by BIS and the ENC Encryption Request Coordinator no later than
February 1 the following year.
(2) How to report. Encryption self-classification reports must be
sent to BIS and the ENC Encryption Request Coordinator via e-mail or
regular mail. In your submission, specify the export timeframe that
your report spans and identify points of contact to whom questions or
other inquiries pertaining to the report should be directed. Follow
these instructions for your submissions:
(i) Submissions via e-mail. Submit your encryption self-
classification report electronically to BIS at [email protected]
and to the ENC Encryption Request Coordinator at
[[Page 36497]]
[email protected], as an attachment to an e-mail. Identify your e-mail with
subject ``Self-classification report for ERN
R'', using your
most recent ERN in the subject line (so as to correspond your
encryption self-classification report to your most recent encryption
registration ERN).
(ii) Submissions on disks and CDs. The self-classification report
may be sent to the following addresses, in lieu of e-mail:
(A) Department of Commerce, Bureau of Industry and Security, Office
of National Security and Technology Transfer Controls, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Reports, and
(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road,
Suite 6940, Ft. Meade, MD 20755-6000.
(3) Information to report. Your encryption self-classification
report must include the information described in paragraph (a) of
Supplement No. 8 to this part for each applicable encryption commodity,
software and component exported or reexported pursuant to an encryption
registration under Sec. Sec. 740.17(b)(1) or 742.15(b)(1) of the EAR.
If no information has changed since the previously submitted report,
you must either send an e-mail stating that nothing has changed since
the previous report or submit a copy of the previously submitted
report.
(4) File format requirements. The information described in
paragraph (a) of Supplement No. 8 to this part must be provided to BIS
and the ENC Encryption Request Coordinator in tabular or spreadsheet
form, as an electronic file in comma separated values format (.csv)
adhering to the specifications set forth in paragraph (b) of Supplement
No. 8 to this part.
(d) Grandfathering. For mass market encryption commodities,
software and components described in (or otherwise meeting the
specifications of) paragraph (b) of this section effective June 25,
2010, such items reviewed and classified by BIS as mass market products
prior to June 25, 2010 are authorized for export and reexport under
paragraph (b) of this section using the CCATS previously issued by BIS,
without any encryption registration (i.e., the information described in
Supplement No. 5 to this part), new classification by BIS, or self-
classification reporting (i.e., the information described in Supplement
No. 8 to this part), provided the cryptographic functionality of the
item has not changed. See paragraph (b)(7)(i)(C) of this section
regarding changes in encryption functionality following a previous
classification.
0
11. Supplement No. 5 is revised to read as follows:
Supplement No. 5 to Part 742--Encryption Registration
Certain classification requests and self-classification reports for
encryption items must be supported by an encryption registration, i.e.,
the information as described in this Supplement, submitted as a support
documentation attachment to an application in accordance with the
procedures described in Sec. Sec. 740.17(b), 740.17(d), 742.15(b),
748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.
(1) Point of Contact Information
(a) Contact Person
(b) Telephone Number
(c) Fax Number
(d) E-mail address
(e) Mailing Address
(2) Company Overview (approximately 100 words).
(3) Identify which of the following categories apply to your
company's technology/families of products:
(a) Wireless
(i) 3G cellular
(ii) 4G cellular/WiMax/LTE
(iii) Short-range wireless/WLAN
(iv) Satellite
(v) Radios
(vi) Mobile communications, n.e.s.
(b) Mobile applications
(c) Computing platforms
(d) Multimedia over IP
(e) Trusted computing
(f) Network infrastructure
(g) Link layer encryption
(h) Smartcards or other identity management
(i) Computer or network forensics
(j) Software
(i) Operating systems
(ii) Applications
(k) Toolkits/ASICs/components
(l) Information security including secure storage
(m) Gaming
(n) Cryptanalytic tools
(o) ``Open cryptographic interface'' (or other support for user-
supplied or non-standard cryptography)
(p) Other (identify any not listed above)
(q) Not Applicable (Not a producer of encryption or information
technology items)
(4) Describe whether the products incorporate or use proprietary,
unpublished or non-standard cryptographic functionality, including
encryption algorithms or protocols that have not been adopted or
approved by a duly recognized international standards body. (If unsure,
please explain.)
(5) Will your company be exporting ``encryption source code''?
(6) Do the products incorporate encryption components produced or
furnished by non-U.S. sources or vendors? (If unsure, please explain.)
(7) With respect to your company's encryption products, are any of
them manufactured outside the United States? If yes, provide
manufacturing locations. (Insert ``not applicable'', if you are not the
principal producer of encryption products.)
0
12. Supplement No. 6 is revised to read as follows;
Supplement No. 6 to Part 742--Technical Questionnaire for Encryption
Items
(a) For all encryption items:
(1) State the name(s) of each product being submitted for
classification or other consideration (as a result of a request by BIS)
and provide a brief non-technical description of the type of product
(e.g., routers, disk drives, cell phones, and chips) being submitted,
and provide brochures, data sheets, technical specifications or other
information that describes the item(s).
(2) Indicate whether there have been any prior classifications or
registrations of the product(s), if they are applicable to the current
submission. For products with minor changes in encryption
functionality, you must include a cover sheet with complete reference
to the previous review (Commodity Classification Automated Tracking
System (CCATS) number, Encryption Registration Number (ERN), Export
Control Classification Number (ECCN), authorization paragraph) along
with a clear description of the changes.
(3) Describe how encryption is used in the product and the
categories of encrypted data (e.g., stored data, communications,
management data, and internal data).
(4) For `mass market' encryption products, describe specifically to
whom and how the product is being marketed and state how this method of
marketing and other relevant information (e.g., cost of product and
volume of sales) are described by the Cryptography Note (Note 3 to
Category 5, Part 2).
(5) Is any ``encryption source code'' being provided (shipped or
bundled) as part of this offering? If yes, is this source code publicly
available source code, unchanged from the code obtained from an open
source Web site, or is it proprietary ``encryption source code?''
(b) For classification requests and other submissions for an
encryption
[[Page 36498]]
commodity or software, provide the following information:
(1) Description of all the symmetric and asymmetric encryption
algorithms and key lengths and how the algorithms are used, including
relevant parameters, inputs and settings. Specify which encryption
modes are supported (e.g., cipher feedback mode or cipher block
chaining mode).
(2) State the key management algorithms, including modulus sizes
that are supported.
(3) For products with proprietary algorithms, include a textual
description and the source code of the algorithm.
(4) Describe the pre-processing methods (e.g., data compression or
data interleaving) that are applied to the plaintext data prior to
encryption.
(5) Describe the post-processing methods (e.g., packetization,
encapsulation) that are applied to the cipher text data after
encryption.
(6) State all communication protocols (e.g., X.25, Telnet, TCP,
IEEE 802.11, IEEE 802.16, SIP * * *) and cryptographic protocols and
methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECC, MD5, SHA, X.509,
PKCS standards * * *) that are supported and describe how they are
used.
(7) Describe the encryption-related Application Programming
Interfaces (APIs) that are implemented and/or supported. Explain which
interfaces are for internal (private) and/or external (public) use.
(8) Describe the cryptographic functionality that is provided by
third-party hardware or software encryption components (if any).
Identify the manufacturers of the hardware or software components,
including specific part numbers and version information as needed to
describe the product. Describe whether the encryption software
components (if any) are statically or dynamically linked.
(9) For commodities or software using Java byte code, describe the
techniques (including obfuscation, private access modifiers or final
classes) that are used to protect against decompilation and misuse.
(10) State how the product is written to preclude user modification
of the encryption algorithms, key management and key space.
(11) Describe whether the product meets any of the Sec.
740.17(b)(2) criteria. Provide specific data for each of the parameters
listed, as applicable (e.g., maximum aggregate encrypted user data
throughput, maximum number of concurrent encrypted channels, and
operating range for wireless products).
(12) For products which incorporate an ``open cryptographic
interface'' as defined in part 772 of the EAR, describe the
cryptographic interface.
(c) For classification requests for hardware or software
``encryption components'' other than source code (i.e., chips,
toolkits, executable or linkable modules intended for use in or
production of another encryption item) provide the following additional
information:
(1) Reference the application for which the components are used in,
if known;
(2) State if there is a general programming interface to the
component;
(3) State whether the component is constrained by function; and
(4) Identify the encryption component and include the name of the
manufacturer, component model number or other identifier.
(d) For classification requests for ``encryption source code''
provide the following information:
(1) If applicable, reference the executable (object code) product
that was previously classified by BIS or included in an encryption
registration to BIS;
(2) Include whether the source code has been modified, and the
technical details on how the source code was modified; and
(3) Upon request, include a copy of the sections of the source code
that contain the encryption algorithm, key management routines and
their related calls.
0
13. Supplement No. 8 is added to read as follows:
Supplement No. 8 to Part 742--Self-Classification Report for Encryption
Items
This supplement provides certain instructions and requirements for
self-classification reporting to BIS and the ENC Encryption Request
Coordinator (Ft. Meade, MD) of encryption commodities, software and
components exported or reexported pursuant to encryption registration
under License Exception ENC (Sec. 740.17(b)(1) only) or ``mass
market'' (Sec. 742.15(b)(1) only) provisions of the EAR. See Sec.
742.15(c) of the EAR for additional instructions and requirements
pertaining to this supplement, including when to report and how to
report.
(a) Information to report. The following information is required in
the file format as described in paragraph (b) of this supplement, for
each encryption item subject to the requirements of this supplement and
Sec. Sec. 740.17(b)(1) and 742.15(b)(1) of the EAR:
(1) Name of product (50 characters or less).
(2) Model/series/part number (50 characters or less.) If necessary,
enter `NONE' or `N/A'.
(3) Primary manufacturer (50 characters or less). Enter `SELF' if
you are the primary manufacturer of the item. If there are multiple
manufacturers for the item but none is clearly primary, either enter
the name of one of the manufacturers or else enter `MULTIPLE'. If
necessary, enter `NONE' or `N/A'.
(4) Export Control Classification Number (ECCN), selected from one
of the following:
(i) 5A002
(ii) 5B002
(iii) 5D002
(iv) 5A992
(v) 5D992
(5) Encryption authorization type identifier, selected from one of
the following, which denote eligibility under License Exception ENC
(Sec. 740.17(b)(1), only) or as `mass market' (Sec. 742.15(b)(1),
only):
(i) ENC
(ii) MMKT
(6) Item type descriptor, selected from one of the following:
(i) Access point
(ii) Cellular
(iii) Computer
(iv) Computer forensics
(v) Cryptographic accelerator
(vi) Data backup and recovery
(vii) Database
(viii) Disk/drive encryption
(ix) Distributed computing
(x) E-mail communications
(xi) Fax communications
(xii) File encryption
(xiii) Firewall
(xiv) Gateway
(xv) Intrusion detection
(xvi) Key exchange
(xvii) Key management
(xviii) Key storage
(xix) Link encryption
(xx) Local area networking (LAN)
(xxi) Metropolitan area networking (MAN)
(xxii) Modem
(xxiii) Network convergence or infrastructure n.e.s.
(xxiv) Network forensics
(xxv) Network intelligence
(xxvi) Network or systems management (OAM/OAM&P)
(xxvii) Network security monitoring
(xxviii) Network vulnerability and penetration testing
(xxix) Operating system
(xxx) Optical networking
(xxxi) Radio communications
(xxxii) Router
(xxxiii) Satellite communications
(xxxiv) Short-range wireless n.e.s.
[[Page 36499]]
(xxxv) Storage area networking (SAN)
(xxxvi) 3G/4G/LTE/WiMAX
(xxxvii) Trusted computing
(xxxviii) Videoconferencing
(xxxix) Virtual private networking (VPN)
(xl) Voice communications n.e.s.
(xli) Voice over Internet protocol (VoIP)
(xlii) Wide area networking (WAN)
(xliii) Wireless local area networking (WLAN)
(xliv) Wireless personal area networking (WPAN)
(xlv) Commodities n.e.s.
(xlvi) Components n.e.s.
(xlvii) Software n.e.s.
(xlviii) Test equipment n.e.s.
(xlix) OTHER
(b) File format requirements.
(1) The information described in paragraph (a) of this supplement
must be provided in tabular or spreadsheet form, as an electronic file
in comma separated values format (.csv), only. No file formats other
than .csv will be accepted, as your encryption self-classification
report must be directly convertible to tabular or spreadsheet format,
where each row (and all entries within a row) properly correspond to
the appropriate encryption item.
Note to paragraph (b)(1): An encryption self-classification
report data table created and stored in spreadsheet format (e.g.,
file extension .xls, .numbers, .qpw, .wb*, .wrk, and .wks) can be
converted and saved into a comma delimited file format directly from
the spreadsheet program. This .csv file is then ready for
submission.
(2) Each line of your encryption self-classification report (.csv
file) must consist of six entries as further described in this
supplement.
(3) The first line of the .csv file must consist of the following
six entries (i.e., match the following) without alteration or
variation: PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN,
AUTHORIZATION TYPE, ITEM TYPE.
Note to paragraph (b)(3): These first six entries (i.e., first
line) of a encryption self-classification report in .csv format
correspond to the six column headers (i.e., first row) of a
spreadsheet data file.
(4) Each subsequent line of the .csv file must correspond to a
single encryption item (or a distinguished series of products) as
described in paragraph (c) of this supplement.
(5) Each line must consist of six entries as described in paragraph
(a)(1), (a)(2), (a)(3), (a)(4), (a)(5), and (a)(6) of this supplement.
No entries may be left blank. Each entry must be separated by a comma
(,). Certain additional instructions are as follows:
(i) Line entries (a)(1) (`PRODUCT NAME') and (a)(4) (`ECCN') must
be completed with relevant information.
(ii) For entries (a)(2) (`MODEL NUMBER') and (a)(3)
(`MANUFACTURER'), if these entries do not apply to your item or
situation you may enter `NONE' or `N/A'.
(iii) For entries (a)(5) (`AUTHORIZATION TYPE'), if none of the
provided choices apply to your situation, you may enter `OTHER'.
(6) Because of .csv file format requirements, the only permitted
use of a comma is as the necessary separator between line entries. You
may not use a comma for any other reason in your encryption self-
classification report.
(c) Other instructions.
(1) The information provided in accordance with this supplement and
Sec. Sec. 740.17(b)(1), 742.15(b)(1) and 742.15(c) of the EAR must
identify product offerings as they are typically distinguished in
inventory, catalogs, marketing brochures and other promotional
materials.
(2) For families of products where all the information described in
paragraph (a) of this supplement is identical except for the model/
series/part number (entry (a)(2)), you may list and describe these
products with a single line in your .csv file using an appropriate
model/series/part number identifier (e.g., `300' or `3xx') for entry
(a)(2), provided each line in your .csv file corresponds to a single
product series (or product type) within an overall product family.
(3) For example, if Company A produces, markets and sells both a
`100' (`1xx') and a `300' (`3xx') series of product, in its encryption
self-classification report (.csv file) Company A must list the `100'
product series in one line (with entry (a)(2) completed as `100' or
`1xx') and the `300' product series in another line (with entry (a)(2)
completed as `300' or `3xx'), even if the other required information is
common to all products in the `100' and `300' series.
PART 748--[AMENDED]
0
14. The authority citations for part 748 continue to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 13, 2009, 74
FR 41325 (August 14, 2009).
0
15. Section 748.1 is amended by:
0
a. Revising the first two sentences of the introductory text to
paragraph (a);
0
b. Revising introductory text to paragraph (d); and
0
c. Revising paragraph (d)(1)(i), to read as follows:
Sec. 748.1 General provisions.
(a) Scope. In this part, references to the Export Administration
Regulations or EAR are references to 15 CFR chapter VII, subchapter C.
The provisions of this part involve requests for classifications and
advisory opinions, export license applications, encryption
registration, reexport license applications, and certain license
exception notices subject to the EAR. * * *
* * * * *
(d) Electronic Filing Required. All export and reexport license
applications (other than Special Comprehensive License or Special Iraq
Reconstruction License applications), encryption registrations, license
exception AGR notifications, and classification requests and their
accompanying documents must be filed via BIS's Simplified Network
Application Processing system (SNAP-R), unless BIS authorizes
submission via the paper forms BIS 748-P (Multipurpose Application
Form), BIS-748P-A (Item Appendix) and BIS-748P-B, (End-User Appendix).
Only original paper forms may be used. Facsimiles or reproductions are
not acceptable.
(1) * * *
(i) BIS has received no more than one submission (i.e. the total
number of export license applications, reexport license applications,
license exception AGR notifications, and classification requests) from
that party in the twelve months immediately preceding its receipt of
the current submission;
* * * * *
0
16. Section 748.3 is amended by revising the section heading and
paragraphs (a) and (d) to read as follows:
Sec. 748.3 Classification requests, advisory opinions, and encryption
registrations.
* * * * *
(a) Introduction. You may ask BIS to provide you with the correct
Export Control Classification Number down to the paragraph (or
subparagraph) level, if appropriate. BIS will advise you whether or not
your item is subject to the EAR and, if applicable, the appropriate
ECCN. This type of request is commonly referred to as a
``Classification Request.'' If requested, for a given end-use, end-
user, and/or destination, BIS will advise you whether a license is
required, or likely to be granted, for a particular transaction. Note
that these responses do not bind BIS to issuing a license in the
future. This type of request, along with requests for guidance
regarding other interpretations of the EAR, is commonly referred to as
an ``Advisory Opinion.'' The encryption provisions in
[[Page 36500]]
the EAR require the submission of an encryption registration or
classification request in accordance with Sec. 740.17(d) of the EAR in
order for certain items to be eligible for export and reexport under
License Exception ENC (see Sec. 740.17 of the EAR) or to be released
from ``EI'' controls (see Sec. Sec. 742.15(b)(1) and 742.15(b)(3) of
the EAR).
* * * * *
(d) Classification requests and encryption registration for
encryption items. A classification request or encryption registration
associated with encryption items transferred from the U.S. Munitions
List consistent with Executive Order 13026 of November 15, 1996 (3 CFR,
1996 Comp., p. 228) and pursuant to the Presidential Memorandum of that
date may be required to determine eligibility under License Exception
ENC or for release from ``EI'' controls. Refer to Supplement No. 5 to
part 742 of the EAR for information that must be included in the
encryption registration, which must be submitted in support of certain
encryption classification requests and self-classification reports.
Refer to Supplement No. 6 to part 742 of the EAR for a complete list of
technical information that is required for encryption classification
requests. Refer to Sec. 742.15(c) and Supplement No. 8 to part 742 of
the EAR for information that is required to be submitted in a self-
classification report. Refer to Sec. 742.15(b) of the EAR for
instructions regarding mass market encryption commodities and software,
including encryption registration, self-classifications and
classification requests. Refer to Sec. 740.17 of the EAR for the
provisions of License Exception ENC, including encryption registration,
self-classifications, classification requests and sales reporting. All
classification requests, registrations, and reports submitted to BIS
pursuant to Sec. Sec. 740.17 and 742.15(b) of the EAR for encryption
items will be reviewed by the ENC Encryption Request Coordinator, Ft.
Meade, MD.
0
17. Section 748.8 is amended by removing from paragraph (r) the phrase
``Encryption review requests.'' and adding in its place ``Encryption
classification requests and encryption registrations.''
0
18. Supplement No. 1 is amended by revising the paragraph for block 5
to read as follows:
Supplement No. 1 to Part 748--BIS-748P, BIS-748P-A: Item Appendix, and
BIS-748P-B: End-User Appendix; Multipurpose Application Instructions
* * * * *
Block 5: Type of Application. Export. If the items are located
within the United States, and you wish to export those items, mark the
Box labeled ``Export'' with an (X). Reexport. If the items are located
outside the United States, mark the Box labeled ``Reexport'' with an
(X). Classification. If you are requesting BIS to classify your item
against the Commerce Control List (CCL), mark the Box labeled
``Classification Request'' with an (X). Encryption Registration. If you
are requesting encryption registration under License Exception ENC
(Sec. 740.17 of the EAR) or ``mass market'' encryption provisions
(Sec. 742.15(b) of the EAR), mark the Box labeled ``Encryption
Registration'' with an (X). Special Comprehensive License. If you are
submitting a Special Comprehensive License application in accordance
with the procedures described in part 752 of the EAR, mark the Box
labeled ``Special Comprehensive License'' with an (X).
* * * * *
0
19. Supplement No. 2 is amended by revising paragraph (r) to read as
follows:
Supplement No. 2 to Part 748--Unique Application and Submission
Requirements
* * * * *
(r) Encryption registrations and classification requests. Failure
to follow the instructions in this paragraph may delay consideration of
your encryption classification request or encryption registration.
(1) Encryption registration. Fill out blocks 1-4, 14, 15, 24, and
25 pursuant to the instructions in Supplement No. 1 to this Part. Leave
blocks 6, 7, 8, 9-13, and 16-23 blank. In Block 5 (Type of
Application), place an ``X'' in the box marked ``Encryption
Registration''.
(2) Classification Requests. Fill out blocks 1-4, 14, 15, 22, and
25 pursuant to the instructions in Supplement No. 1 to this Part. Leave
blocks 6, 7, 8, 10-13, 18-21, and 23 blank. Follow the directions
specified for the blocks indicated below.
(i) In Block 5 (Type of Application), place an ``X'' in the box
marked ``classification'' or ``commodity classification'' if submitting
electronically for classification requests.
(ii) In Block 9 (Special Purpose).
(A) If submitting via SNAP-R, check the box ``check here if you are
submitting information about encryption required by 740.17 or 742.15 of
the EAR.''
(B) From the drop down menu in SNAP-R, choose:
(1) ``License Exception ENC'' if you are submitting an encryption
classification request for specified License Exception ENC provisions
(Sec. Sec. 740.17(b)(2) or (b)(3) of the EAR);
(2) ``Mass Market Encryption'' if you are submitting an encryption
classification request for certain mass market encryption items (Sec.
742.15(b)(3) of the EAR).
(3) ``Encryption--other'' if you are submitting an encryption
classification, for another reason.
(iii) In Block 24 (Additional Information), insert your most recent
Encryption Registration Number (ERN).
* * * * *
PART 772--[AMENDED]
0
20. The authority citation for part 772 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August
13, 2009, 74 FR 41325 (August 14, 2009).
0
21. Section 772.1 is amended by:
0
a. Removing the definition, nota bene and footnote No. 1 for
``ancillary cryptography'';
0
b. Removing the definition for ``personalized smart card''; and
0
c. Adding in alphabetical order the definition for ``non-standard
cryptography'', to read as follows:
Sec. 772.1 Definitions of Terms.
* * * * *
Non-standard cryptography. Means any implementation of
``cryptography'' involving the incorporation or use of proprietary or
unpublished cryptographic functionality, including encryption
algorithms or protocols that have not been adopted or approved by a
duly recognized international standards body (e.g., IEEE, IETF, ISO,
ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.
* * * * *
PART 774--[AMENDED]
0
22. The authority citation for part 774 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et
seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42
U.S.C. 6212; 43 U.S.C. 1354; 15 U.S.C. 1824a; 50 U.S.C. app. 5; 22
U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783; Notice of August 13, 2009, 74 FR 41325 (August 14, 2009).
0
23. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part II
Information Security is amended by:
[[Page 36501]]
0
a. Revising the Nota Bene to the Note 3 (Cryptography Note); and
0
b. Adding a new Note 4 to the beginning of Category 5 part II, to read
as follows:
Supplement No. 1 to Part 774--The Commerce Control List
* * * * *
CATEGORY 5--TELECOMMUNICATIONS AND ``INFORMATION SECURITY'' Part II.
``INFORMATION SECURITY''
* * * * *
N.B. to Note 3 (Cryptography Note): You must submit a
classification request or encryption registration to BIS for mass
market encryption commodities and software eligible for the
Cryptography Note employing a key length greater than 64 bits for the
symmetric algorithm (or, for commodities and software not implementing
any symmetric algorithms, employing a key length greater than 768 bits
for asymmetric algorithms or greater than 128 bits for elliptic curve
algorithms) in accordance with the requirements of Sec. 742.15(b) of
the EAR in order to be released from the ``EI'' and ``NS'' controls of
ECCN 5A002 or 5D002.
Note 4: Category 5, Part 2 does not apply to items incorporating
or using ``cryptography'' and meeting all of the following:
a. The primary function or set of functions is not any of the
following:
1. ``Information security'';
2. A computer, including operating systems, parts and components
therefor;
3. Sending, receiving or storing information (except in support
of entertainment, mass commercial broadcasts, digital rights
management or medical records management); or
4. Networking (includes operation, administration, management
and provisioning);
b. The cryptographic functionality is limited to supporting
their primary function or set of functions; and
c. When necessary, details of the items are accessible and will
be provided, upon request, to the appropriate authority in the
exporter's country in order to ascertain compliance with conditions
described in paragraphs a. and b. above.
* * * * *
0
24. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, ECCN 5A002 is amended by revising the Related
Controls and the Items paragraph of the List of Items Controlled
section, to read as follows:
5A002 ``Information security'' systems, equipment and components
therefor, as follows (see List of Items Controlled).
* * * * *
List of Items Controlled
Unit: * * *
Related Controls: (1) 5A002 does not control the commodities listed in
paragraphs (a), (d), (e), (f), (g) and (i) in the Note in the items
paragraph of this entry. These commodities are instead classified under
ECCN 5A992, and related software and technology are classified under
ECCNs 5D992 and 5E992 respectively. (2) After encryption registration
to or classification by BIS, mass market encryption commodities that
meet eligibility requirements are released from ``EI'' and ``NS''
controls. These commodities are classified under ECCN 5A992.c. See
Sec. 742.15(b) of the EAR.
Related Definitions: * * *
Items:
Note: 5A002 does not control any of the following. However,
these items are instead controlled under 5A992:
(a) Smart cards and smart card `readers/writers' as follows:
(1) A smart card or an electronically readable personal document
(e.g., token coin, e-passport) that meets any of the following:
a. The cryptographic capability is restricted for use in
equipment or systems excluded from 5A002 by Note 4 in Category 5--
Part 2 or entries (b) to (i) of this Note, and cannot be
reprogrammed for any other use; or
b. Having all of the following:
1. It is specially designed and limited to allow protection of
`personal data' stored within;
2. Has been, or can only be, personalized for public or
commercial transactions or individual identification; and
3. Where the cryptographic capability is not user-accessible;
Technical Note: `Personal data' includes any data specific to a
particular person or entity, such as the amount of money stored and
data necessary for authentication.
(2) `Readers/writers' specially designed or modified, and
limited, for items specified by (a)(1) of this Note.
Technical Note: `Readers/writers' include equipment that
communicates with smart cards or electronically readable documents
through a network.
(b) [Reserved]
N.B.: See Note 4 in Category 5--Part 2 for items previously
specified in 5A002 Note (b).
(c) [Reserved]
N.B.: See Note 4 in Category 5--Part 2 for items previously
specified in 5A002 Note (c).
(d) Cryptographic equipment specially designed and limited for
banking use or `money transactions';
Technical Note: The term `money transactions' includes the
collection and settlement of fares or credit functions.
(e) Portable or mobile radiotelephones for civil use (e.g., for
use with commercial civil cellular radio communication systems) that
are not capable of transmitting encrypted data directly to another
radiotelephone or equipment (other than Radio Access Network (RAN)
equipment), nor of passing encrypted data through RAN equipment
(e.g., Radio Network Controller (RNC) or Base Station Controller
(BSC));
(f) Cordless telephone equipment not capable of end-to-end
encryption where the maximum effective range of unboosted cordless
operation (i.e., a single, unrelayed hop between terminal and home
base station) is less than 400 meters according to the
manufacturer's specifications;
(g) Portable or mobile radiotelephones and similar client
wireless devices for civil use, that implement only published or
commercial cryptographic standards (except for anti-piracy
functions, which may be non-published) and also meet the provisions
of paragraphs b. to d. of the Cryptography Note (Note 3 in Category
5--Part 2), that have been customized for a specific civil industry
application with features that do not affect the cryptographic
functionality of these original non-customized devices; or
(h) [Reserved]
N.B.: See Note 4 in Category 5--Part 2 for items previously
specified in 5A002 Note (h).
(i) Wireless ``personal area network'' equipment that implement
only published or commercial cryptographic standards and where the
cryptographic capability is limited to a nominal operating range not
exceeding 30 meters according to the manufacturer's specifications.
a. Systems, equipment, application specific ``electronic
assemblies'', modules and integrated circuits for ``information
security'', as follows, and components therefor specially designed for
``information security'':
N.B.: For the control of Global Navigation Satellite Systems (GNSS)
receiving equipment containing or employing decryption, see ECCN 7A005.
a.1. Designed or modified to use ``cryptography'' employing digital
techniques performing any cryptographic function other than
authentication or digital signature and having any of the following:
Technical Notes: 1. Authentication and digital signature
functions include their associated key management function.
2. Authentication includes all aspects of access control where
there is no encryption of files or text except as directly related
to the protection of passwords, Personal Identification Numbers
(PINs) or similar data to prevent unauthorized access.
3. ``Cryptography'' does not include ``fixed'' data compression
or coding techniques.
Note: 5A002.a.1 includes equipment designed or modified to use
``cryptography'' employing analog principles when implemented with
digital techniques.
a.1.a. A ``symmetric algorithm'' employing a key length in excess
of 56-bits; or
[[Page 36502]]
a.1.b. An ``asymmetric algorithm'' where the security of the
algorithm is based on any of the following:
a.1.b.1. Factorization of integers in excess of 512 bits (e.g.,
RSA);
a.1.b.2. Computation of discrete logarithms in a multiplicative
group of a finite field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group other than mentioned in
5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an
elliptic curve);
a.2. Designed or modified to perform cryptanalytic functions;
a.3. [Reserved]
a.4. Specially designed or modified to reduce the compromising
emanations of information-bearing signals beyond what is necessary for
health, safety or electromagnetic interference standards;
a.5. Designed or modified to use cryptographic techniques to
generate the spreading code for ``spread spectrum'' systems, not
controlled in 5A002.a.6., including the hopping code for ``frequency
hopping'' systems;
a.6. Designed or modified to use cryptographic techniques to
generate channelizing codes, scrambling codes or network identification
codes, for systems using ultra-wideband modulation techniques and
having any of the following:
a.6.a. A bandwidth exceeding 500 MHz; or
a.6.b. A ``fractional bandwidth'' of 20% or more;
a.7. Non-cryptographic information and communications technology
(ICT) security systems and devices evaluated to an assurance level
exceeding class EAL-6 (evaluation assurance level) of the Common
Criteria (CC) or equivalent;
a.8. Communications cable systems designed or modified using
mechanical, electrical or electronic means to detect surreptitious
intrusion;
a.9. Designed or modified to use `quantum cryptography.'
Technical Notes: 1. `Quantum cryptography' A family of
techniques for the establishment of a shared key for
``cryptography'' by measuring the quantum-mechanical properties of a
physical system (including those physical properties explicitly
governed by quantum optics, quantum field theory, or quantum
electrodynamics).
2. `Quantum cryptography' is also known as Quantum Key
Distribution (QKD).
0
25. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, ECCN 5A992 is amended by revising paragraph c. in
the items paragraph of the List of Items Controlled section, to read as
follows:
5A992 Equipment not controlled by 5A002.
* * * * *
List of Items Controlled
* * * * *
Items:
* * * * *
c. Commodities that BIS has received an encryption registration or
that have been classified as mass market encryption commodities in
accordance with Sec. 742.15(b) of the EAR.
* * * * *
0
26. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
``Information Security'', ECCN 5D002 is amended by revising the Related
Controls paragraph in the List of Items Controlled section, to read as
follows:
``5D002 ``Software'' as follows (see List of Items Controlled).
* * * * *
List of Items Controlled
* * * * *
Related Controls: (1) This entry does not control ``software''
``required'' for the ``use'' of equipment excluded from control under
the Related Controls paragraph or the Technical Notes in ECCN 5A002 or
``software'' providing any of the functions of equipment excluded from
control under ECCN 5A002. This software is classified as ECCN 5D992.
(2) After an encryption registration has been submitted to BIS or
classification by BIS, mass market encryption software that meet
eligibility requirements are released from ``EI'' and ``NS'' controls.
This software is classified under ECCN 5D992.c. See Sec. 742.15(b) of
the EAR.
* * * * *
0
27. In Supplement No. 1 to part 774 (the Commerce Control List),
Category 5 Telecommunications and ``Information Security'', Part 2
Information Security, ECCN 5D992 is amended by revising paragraph c. of
the Items paragraph of the List of Items Controlled section, to read as
follows:
5D992 ``Information Security'' ``software'' not controlled by 5D002.
* * * * *
List of Items Controlled
* * * * *
Items:
* * * * *
c. ``Software'' that BIS has received an encryption registration or
that have been classified as mass market encryption software in
accordance with Sec. 742.15(b) of the EAR.
* * * * *
0
28. Supplement No. 3 is revised to read as follows:
Supplement No. 3 to Part 774--Statements of Understanding
(a) Statement of Understanding--medical equipment. Commodities that
are ``specially designed for medical end-use'' that ``incorporate''
commodities or software on the Commerce Control List (Supplement No. 1
to part 774 of the EAR) that do not have a reason for control of
Nuclear Nonproliferation (NP), Missile Technology (MT), or Chemical &
Biological Weapons (CB) are designated by the number EAR99 (i.e., are
not elsewhere specified on the Commerce Control List).
Notes to paragraph a: (1) ``Specially designed for medical end-
use'' means designed for medical treatment or the practice of
medicine (does not include medical research).
(2) Commodities or software are considered ``incorporated'' if
the commodity or software is: Essential to the functioning of the
medical equipment; customarily included in the sale of the medical
equipment; and exported or reexported with the medical equipment.
(3) Except for such software that is made publicly available
consistent with Sec. 734.3(b)(3) of the EAR, commodities and
software ``specially designed for medical end-use'' remain subject
to the EAR.
(4) See also Sec. 770.2(b) interpretation 2, for other types of
equipment that incorporate items on the Commerce Control List that
are subject to the EAR.
(5) For computers used with medical equipment, see also ECCN
4A003 note 2 regarding the ``principal element'' rule.
(6) For commodities and software specially designed for medical
end-use that incorporate an encryption or other ``information
security'' item subject to the EAR, see also Note 1 to Category 5,
Part II of the Commerce Control List.
(b) Statement of Understanding--Source Code. For the purpose of
national security controlled items, ``source code'' items are
controlled either by ``software'' or by ``software'' and ``technology''
controls, except when such ``source code'' items are explicitly
decontrolled.
(c) Category 5--Part 2--Note 4 Statement of Understanding. All
items previously described by Notes (b), (c) and (h) to 5A002 are now
described by Note 4 to Category 5--Part 2. Note (h) to 5A002 prior to
June 25, 2010 stated that the following was not controlled by 5A002:
Equipment specially designed for the servicing of portable or
mobile radiotelephones and similar client wireless devices that meet
all the
[[Page 36503]]
provisions of the Cryptography Note (Note 3 in Category 5, Part 2),
where the servicing equipment meets all of the following:
(1) The cryptographic functionality of the servicing equipment
cannot easily be changed by the user of the equipment;
(2) The servicing equipment is designed for installation without
further substantial support by the supplier; and
(3) The servicing equipment cannot change the cryptographic
functionality of the device being serviced.
Dated: June 17, 2010.
Kevin J. Wolf,
Assistant Secretary for Export Administration.
[FR Doc. 2010-15072 Filed 6-24-10; 8:45 am]
BILLING CODE 3510-33-P