Section 15CFR742.15



[Code of Federal Regulations]
[Title 15, Volume 2]
[Revised as of January 1, 2002]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR742.15]

[Page 304-305]
 
                  TITLE 15--COMMERCE AND FOREIGN TRADE
 
  CHAPTER VII--BUREAU OF EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE
 
PART 742--CONTROL POLICY--CCL BASED CONTROLS--Table of Contents
 
Sec. 742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of information, 
and thereby may be used by persons abroad to harm national security, 
foreign policy and law enforcement interests. The U.S. has a critical 
interest in ensuring that important and sensitive information of the 
public and private sector is protected. Consistent with our 
international obligations as a member of the Wassenaar Arrangement, the 
U.S. has a responsibility to maintain control over the export of 
encryption items. As the President indicated in Executive Order 13026 
and in his Memorandum of November 15, 1996, export of encryption 
software, like export of encryption hardware, is controlled because of 
this functional capacity to encrypt information on a computer system, 
and not because of any informational or theoretical value that such 
software may reflect, contain, or represent, or that its export may 
convey to others abroad. For this reason, export controls on encryption 
software are distinguished from controls on other software regulated 
under the EAR.
    (a) License requirements. Licenses are required for exports and 
reexports of encryption items (EI) classified under ECCNS 5A002, 5D002 
and 5E002 to all destinations except Canada. Refer to part 740 of this 
EAR for licensing exceptions and to part 772 of the EAR for the 
definition of ``encryption items.''
    (b) Licensing policy. The following licensing policies apply to 
items identified in paragraph (a) of this section. Except as otherwise 
noted, applications will be reviewed on a case-by-case basis by BXA, in 
conjunction with other agencies, to determine whether the export or 
reexport is consistent with U.S. national security and foreign policy 
interests. For subsequent bundling and updates of these items see 
paragraph (n) of Sec. 770.2 of the EAR. No exports without a license are 
authorized to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
    (1) Encryption items under ECCNs 5A992, 5D992 and 5E992. Certain 
encryption commodities, software and technology may be classified under 
ECCNs 5A992, 5D992 or 5E992. These items continue to be subject to AT1 
controls. Such items include encryption commodities, software and 
technology with key lengths up to and including 56-bits with an 
asymmetric key exchange algorithm not exceeding 512 bits; products which 
only provide key management with asymmetric key exchange algorithms not 
exceeding 512 bits; and mass market encryption commodities and software 
with key lengths not exceeding 64-bits for the symmetric algorithm. 
Refer to the Cryptography Note (Note 3) to part II of Category 5 of the 
CCL for a definition of mass market encryption commodities and software. 
Key exchange mechanisms, proprietary key exchange mechanisms, or company 
proprietary commodities and software implementations may also be 
eligible for this treatment. Exporters may self-classify such 5A992, 
5D992 or 5E992 items and export them without review and classification 
by BXA provided you have submitted to BXA and the ENC Encryption Request 
Coordinator by the time of export the information described in 
paragraphs (a) through (e) of Supplement 6 to this part 742. 
Notification should be made by e-mail to crypt@bxa.doc.gov.
    (2) Encryption items under ECCNs 5A002, 5D002 and 5E002. All 
encryption commodities, software and components classified by BXA under 
ECCNs 5A002, 5D002 and 5E002 except cryptanalytic items are authorized 
for export and reexport to any end-user in the countries listed in 
Supplement 3 to Part 740 of the EAR. Items classified by BXA as retail 
products under ECCNs 5A002 and 5D002 are authorized for export and 
reexport to any end-user. All 5A002, 5D002 and 5E002 encryption items 
are authorized for export or reexport to any individual, commercial firm 
or other non-government end-user in countries not listed in Supplement 3 
to Part 740 of the EAR. No exports of such items are authorized without 
a license to Cuba, Iran, Iraq, North Korea, Libya, Sudan or Syria. Any 
encryption item (including technology classified under ECCN 5E002) is 
authorized for export or reexport to U.S. subsidiaries (as defined in 
part 772).
    (3) Encryption licensing. Exporters may submit applications for 
licenses or Encryption Licensing Arrangements for exports and reexports 
of encryption

[[Page 305]]

items not eligible for license exception, including exports and 
reexports of encryption technology to strategic partners of U.S. 
companies (as defined in part 772). For Encryption Licensing 
Arrangements, the applicant must specify the sales territory and class 
of end-user. Encryption Licensing Arrangements granted for exports of 
unlimited quantities for all destinations except Cuba, Iran, Iraq, 
Libya, North Korea, Sudan or Syria, are valid for four years, and may 
require reporting. Licenses are required for exports of encryption items 
to governments, or Internet and telecommunications service providers for 
the provision of services specific to governments, and may be favorably 
considered for civil uses, e.g., social or financial services to the 
public; civil justice; social insurance, pensions and retirement; taxes 
and communications between governments and their citizens.

[65 FR 2499, Jan. 14, 2000, as amended at 65 FR 62608, Oct. 19, 2000]