Section



[Code of Federal Regulations]
[Title 15, Volume 2]
[Revised as of January 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR740.17]

[Page 277-282]
 
                  TITLE 15--COMMERCE AND FOREIGN TRADE
 
  CHAPTER VII--BUREAU OF INDUSTRY AND SECURITY, DEPARTMENT OF COMMERCE
 
PART 740_LICENSE EXCEPTIONS--Table of Contents
 
Sec.  740.17  Encryption commodities and software (ENC).

    License Exception ENC authorizes the export and reexport of 
encryption items controlled under ECCN 5A002, 5D002 or 5E002, and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002. Encryption items exported and reexported 
under License Exception ENC remain subject to ``EI'' controls. No 
encryption items may be exported or reexported, under this license 
exception, to countries listed in Country Group E:1 of Supplement No. 1 
to this Part--this includes exports and reexports (as defined in Sec.  
734.2 of the EAR) of encryption source code and technology to nationals 
of these countries. Review and reporting requirements apply to certain 
exports under this license exception (paragraph (d) of this section 
describes how to submit encryption items for review; paragraph (e) of 
this section describes which exports are subject to reporting 
requirements). Certain exports and reexports to government end-users are 
authorized under paragraphs (a) and (b)(3) of this section. Section 
772.1 of the EAR defines the term ``government end-user'' as it applies 
to encryption items. Section 742.15 of the EAR describes the license 
requirements and policies that apply to exports and reexports of 
encryption items.
    (a) Exports and reexports to countries listed in Supplement 3 to 
this part. Encryption items controlled under ECCN 5A002, 5D002 or 5E002 
(except cryptanalytic items as defined in Part 772 of the EAR), and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002, are authorized for immediate export and 
reexport to government and non-government end-users located in the 
countries listed in Supplement 3 to this part 740, subject to the review 
requirements described in paragraph (d) of this section. Cryptanalytic 
items are authorized to non-government end-users, only, under this 
paragraph (a). Encryption items and ``information security'' test, 
inspection, and production equipment may also be exported or reexported 
to any destination eligible under this license exception for the 
internal use of foreign subsidiaries or offices of firms, organizations 
and governments headquartered in Canada or in countries listed in 
Supplement 3 to this part 740. (Note that License Exception ENC 
prohibits exports and reexports of encryption source code and technology 
to nationals of countries listed in Country Group E:1 of Supplement No. 
1 to this part.) Before you export an item for the first time under this 
license exception, you must submit to BIS and the ENC Encryption Request 
Coordinator a review request for that item, as described in paragraph 
(d) of this section. See paragraph (e) of this section for applicable 
semi-annual reporting requirements.
    (b) Exports and reexports to all other eligible countries. (1) 
Encryption items for U.S. subsidiaries. Exports and reexports of 
encryption items controlled under ECCN 5A002, 5D002 or 5E002 and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002, are authorized under this license 
exception, without review, to foreign subsidiaries of U.S. companies for 
any end-use not prohibited elsewhere in the EAR. This paragraph (b)(1) 
also authorizes exports and reexports by U.S. companies and their 
subsidiaries of any such items (including encryption source code and 
technology), to foreign nationals working as contractors, interns or 
employees of said U.S. companies and their subsidiaries, provided that 
the items are for internal company use, including the development of new 
products. (Note that License Exception ENC prohibits exports and 
reexports of encryption source code and technology to nationals of 
countries listed in Country Group E:1 of Supplement No. 1 to this part). 
All items produced or developed by U.S. subsidiaries with encryption

[[Page 278]]

commodities, software and technology exported under this paragraph 
(b)(1) are subject to the EAR and require review and authorization 
before any sale or retransfer outside of the U.S. company.
    (2) Encryption commodities and software to non-government end-users. 
Thirty days after registration of a completed review request by BIS 
(``registration'' is defined in Sec.  750.4(a)(2) of the EAR), 
encryption commodities, software and components controlled under ECCN 
5A002 or 5D002 (except such items which provide an open cryptographic 
interface, as defined in part 772 of the EAR), and ``information 
security'' test, inspection, or production equipment controlled under 
ECCN 5B002, are authorized for export or reexport to any individual, 
commercial firm or other non-government end-user located outside the 
countries listed in Supplement 3 to this part 740. The thirty days may 
not include any time that your review request was on hold without 
action. To request authorization under the provisions of this paragraph 
(b)(2), you must submit to BIS and the ENC Encryption Request 
Coordinator a review request as described in paragraph (d) of this 
section. See paragraph (e) of this section for applicable semi-annual 
reporting requirements. Encryption commodities and software eligible for 
export or reexport under this paragraph (b)(2) include, but are not 
limited to, the following:
    (i) Network infrastructure products, such as high end routers or 
switches designed for large volume communications, and specially 
designed software, parts, and components thereof (including commodities 
and software which activate or enable cryptographic functionality in 
network infrastructure products that would otherwise remain disabled);
    (ii) Encryption source code that would not be considered publicly 
available for export or reexport under License Exception TSU. (You may 
immediately export and reexport such encryption source code under 
License Exception ENC, provided that you have submitted a review 
request, including a copy of your source code, to BIS and the ENC 
Encryption Request Coordinator. Note that License Exception ENC 
prohibits exports and reexports of encryption source code to countries 
listed in Country Group E:1 of Supplement No. 1 to this part, or to 
nationals of these countries.);
    (iii) General purpose toolkits;
    (iv) Cryptanalytic items (as defined in part 772 of the EAR);
    (v) Commodities, software and components not otherwise authorized 
for export as mass market or retail.
    (3) Retail encryption commodities, software and components to 
government and non-government end-users. Thirty days after registration 
of a completed review request by BIS (``registration'' is defined in 
Sec.  750.4(a)(2) of the EAR), retail encryption commodities, software 
and components controlled under ECCN 5A002 or 5D002 are authorized for 
export and reexport to any individual, commercial firm or other non-
government end-user located outside the countries listed in Supplement 3 
to this part 740. The thirty days may not include any time that your 
review request was on hold without action. Once BIS has completed its 
review and authorizes your encryption commodities, software, and 
components for export or reexport as retail encryption items under 
License Exception ENC, you may also export or reexport these items to 
government end-users. To request authorization under the provisions of 
this paragraph (b)(3), you must submit to BIS and the ENC Encryption 
Request Coordinator a review request as described in paragraph (d) of 
this section. See paragraph (e) of this section for applicable semi-
annual reporting requirements.
    (i) Retail eligibility criteria. Retail encryption commodities and 
software are products and components:
    (A) Generally available to the public by means of any of the 
following:
    (1) Are sold in tangible form through retail outlets independent of 
the manufacturer;
    (2) Are specially designed for individual consumer use; or
    (3) Are sold or will be sold in large volume, without restriction, 
through mail order transactions, electronic transactions, or telephone 
call transactions; and
    (B) Meeting all of the following:

[[Page 279]]

    (1) The cryptographic functionality cannot be easily changed by the 
user;
    (2) Substantial support is not required for installation and use; 
and
    (3) The cryptographic functionality has not been modified or 
customized to customer specification.
    (ii) Additional types of retail encryption products. The following 
products will also be considered to be retail encryption products:
    (A) Encryption commodities and software (including key management 
products) with key lengths not exceeding 64 bits for symmetric 
algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 
bits for elliptic curve algorithms. (You may immediately export or 
reexport such encryption commodities and software as retail items upon 
submitting a completed review request to BIS and the ENC Encryption 
Request Coordinator, in accordance with the requirements described in 
paragraph (d) of this section);
    (B) Encryption products and network-based applications that provide 
equivalent functionality to other mass market or retail encryption 
commodities and software (refer to the Cryptography Note (Note 3) to 
part II of Category 5 of the CCL for the definition of mass market 
encryption commodities and software);
    (C) Encryption products that are limited to allowing foreign-
developed cryptographic products to operate with U.S. products (e.g. 
signing). No review of the foreign-developed cryptography is required;
    (D) Encryption commodities and software that activate or enable 
cryptographic functionality in retail encryption products which would 
otherwise remain disabled.
    (iii) Examples of eligible retail encryption products: Subject to 
the retail eligibility criteria in paragraph (b)(3)(i) of this section, 
retail encryption items include, but are not limited to, the following:
    (A) General purpose operating systems that do not qualify as mass 
market;
    (B) Non-programmable encryption chips, and chips that are 
constrained by design for retail products;
    (C) Retail networking products, such as low-end routers, firewalls, 
and virtual private networking (VPN) equipment designed for small office 
or home use;
    (D) Desktop applications (e.g. e-mail, browsers, games, word 
processing, database, financial applications or utilities) that do not 
qualify as mass market;
    (E) Programmable database management systems and associated 
application servers;
    (F) Low-end servers and application-specific servers (including 
client-server applications, e.g. Secure Socket Layer (SSL)-based web 
applications and applets, servers, and portals);
    (G) Network and security management products designed for, bundled 
with, or pre-loaded on single CPU computers, low-end servers or retail 
networking products; and
    (H) Short-range wireless components and software that do not qualify 
as mass market. Commodities and software that would not otherwise be 
controlled under Category 5 (telecommunications and ``information 
security'') of the Commerce Control List, but which are controlled under 
ECCN 5A002 or 5D002 only because they incorporate components or software 
that provide short-range wireless encryption functions (e.g., with an 
operating range typically not exceeding 100 meters), may be exported or 
reexported under the retail provisions of License Exception ENC, without 
review or reporting.
    (4) Reviews for de minimis eligibility: Items controlled for ``EI'' 
reasons under ECCN 5A002, 5D002 or 5E002 are not eligible for de minimis 
treatment under Sec.  734.4 of the EAR. However, exporters may, as part 
of a review request, ask that U.S.-origin retail encryption software 
controlled under ECCN 5D002 and U.S.-origin parts and components 
controlled under ECCN 5A002, that are incorporated in foreign-made 
items, be made eligible for de minimis treatment. The review of de 
minimis eligibility for such items will take U.S. national security 
interests into account.
    (c) Reexports and transfers. U.S. or foreign distributors, resellers 
or other entities who are not original manufacturers of encryption 
commodities and software are permitted to use License Exception ENC only 
in instances where

[[Page 280]]

the export or reexport meets the applicable terms and conditions of this 
section. Transfers of encryption items listed in paragraph (b) of this 
section to government end-users, or for government end-uses, within the 
same country are prohibited, unless otherwise authorized by license or 
license exception. Foreign products developed with or incorporating 
U.S.-origin encryption source code, components or toolkits remain 
subject to the EAR, but do not require review (for encryption reasons) 
by BIS. These products can be exported or reexported under License 
Exception ENC without notification and without further authorization 
(for encryption reasons) from BIS. Such products include foreign-
developed products that are designed to operate with U.S. products 
through a cryptographic interface.
    (d) Review requirement. (1) Review request procedures. To request 
review of your encryption products under License Exception ENC, you must 
submit to BIS and to the ENC Encryption Request Coordinator the 
information described in paragraphs (a) through (e) of Supplement 6 to 
part 742 of the EAR (Guidelines for Submitting Review Requests for 
Encryption Items). Review requests must be submitted on Form BIS-748P 
(Multipurpose Application), or its electronic equivalent, as described 
in Sec.  748.3 of the EAR. To ensure that your review request is 
properly routed, insert the phrase ``License Exception ENC'' in Block 9 
(Special Purpose) of the application form and place an ``X'' in the box 
marked ``Classification Request'' in Block 5 (Type of Application)--
Block 5 does not provide a separate item to check for the submission of 
encryption review requests. Failure to properly complete these items may 
delay consideration of your review request. Review requests that are not 
submitted electronically to BIS should be mailed to the address 
indicated in Sec.  748.2(c) of the EAR. See paragraph (e)(5)(ii) of this 
section for the mailing address for the ENC Encryption Request 
Coordinator. BIS will notify you if there are any questions concerning 
your request for review under License Exception ENC (e.g., because of 
missing or incomplete support documentation). Once your review has been 
completed, BIS will notify you in writing concerning the eligibility of 
your products for export or reexport, under the provisions of this 
license exception. BIS reserves the right to suspend your eligibility to 
export and reexport under License Exception ENC and to return your 
review request without action, if you have not met the review 
requirements. You may not export or reexport retail encryption 
commodities, software and components under this license exception to 
government end-users headquartered outside of Canada and the countries 
listed in Supplement 3 to this part 740, unless you have received prior 
authorization from BIS.
    (2) Grandfathering. Encryption commodities, software, parts or 
components (except cryptanalytic items) previously approved for export 
may be exported or reexported without further review to government and 
non-government end-users in countries listed in Supplement 3 to this 
part 740, and to any non-government end-user outside the countries 
listed in Supplement 3 to this part 740 (except items which provide an 
open cryptographic interface as defined in part 772 of the EAR). This 
includes products approved under a license, an Encryption Licensing 
Arrangement, or classified as eligible to use License Exception ENC 
(except for those products that were authorized only for export to U.S. 
subsidiaries) prior to October 19, 2000. Encryption technology 
previously approved for export under a license or an Encryption 
Licensing Arrangement may be exported or reexported to government and 
non-government end-users in countries listed in Supplement 3 to this 
part 740.
    (3) Key length increases. Exporters may increase the key lengths of 
products previously classified and continue to export these products 
under the applicable provisions of License Exception ENC, without 
further review, upon certification to BIS and the ENC Encryption Request 
Coordinator in accordance with paragraph (d)(3)(ii) of this section. No 
other change in cryptographic functionality is allowed under License 
Exception ENC.
    (i) Any product previously classified as ECCN 5A002 or 5D002 (except 
encryption items that provide an open

[[Page 281]]

cryptographic interface, as defined in Sec.  772.1 of the EAR) may, with 
any upgrade to the key length used for confidentiality or key exchange 
algorithms, be exported or reexported under License Exception ENC to any 
non-government end-user without an additional review. A license is 
required to export or reexport items that provide an open cryptographic 
interface to end-users located outside the countries listed in 
Supplement 3 to this part 740. In addition, products previously reviewed 
by BIS that were determined to be eligible as ``retail'' under this 
license exception may be exported or reexported to government end-users, 
without additional review. For products not previously determined to be 
eligible as retail products, another review is required to determine 
their eligibility as ``retail'' products under paragraph (b)(3) of this 
section.
    (ii) Exporters must certify to BIS, in a letter from a corporate 
official, that the only change to the encryption product is the key 
length for confidentiality or key exchange algorithms and that there is 
no other change in cryptographic functionality. Certifications must 
include the original authorization number issued by BIS and the date of 
issuance. BIS must receive this certification prior to any export of an 
upgraded encryption product. The certification should be sent to BIS and 
a copy of the certification should be sent to the ENC Encryption Request 
Coordinator at the mailing address indicated in paragraph (e)(5) of this 
section.
    (e) Reporting requirements. (1) Semi-annual reporting requirement. 
Semi-annual reporting is required for exports and reexports under this 
license exception. Certain encryption items and transactions are 
excluded from this reporting requirement (see paragraph (e)(4) of this 
section). For instructions on how to submit your reports, see paragraph 
(e)(5) of this section.
    (2) General information required. Exporters must include all of the 
following applicable information in their reports:
    (i) For items exported to a distributor or other reseller, including 
subsidiaries of U.S. firms, the name and address of the distributor or 
reseller, the item and the quantity exported and, if collected by the 
exporter as part of the distribution process, the end-user's name and 
address;
    (ii) For items exported through direct sale, the name and address of 
the recipient, the item, and the quantity exported (except for retail 
products, if the end-user is an individual consumer);
    (iii) For exports of ECCN 5E002 items to be used for technical 
assistance that are not released by Sec.  744.9 of the EAR, the name and 
address of the end-user; and
    (iv) The authorization number and the name of the item(s) exported.
    (3) Information on foreign manufacturers and products that use 
encryption items. For direct sales or transfers, under License Exception 
ENC, of encryption components, source code, general purpose toolkits, 
equipment controlled under ECCN 5B002, technology, or items that provide 
an open cryptographic interface to foreign developers or manufacturers 
when intended for use in foreign products developed for commercial sale, 
you must submit the names and addresses of the manufacturers using these 
encryption items and, if you know when the product is made available for 
commercial sale, a non-proprietary technical description of the foreign 
products for which these encryption items are being used (e.g., 
brochures, other documentation, descriptions or other identifiers of the 
final foreign product; the algorithm and key lengths used; general 
programming interfaces to the product, if known; any standards or 
protocols that the foreign product adheres to; and source code, if 
available).
    (4) Exclusions from reporting requirements. Reporting is not 
required for the following items and transactions:
    (i) Any encryption item to U.S. subsidiaries for internal company 
use;
    (ii) Encryption commodities or software with a symmetric key length 
not exceeding 64 bits;
    (iii) Retail products exported to individual consumers;
    (iv) Encryption items exported via free or anonymous download;
    (v) Encryption items from or to a U.S. bank, financial institution 
or their subsidiaries, affiliates, customers

[[Page 282]]

or contractors for banking or financial operations;
    (vi) Items that incorporate components limited to providing short-
range wireless encryption functions;
    (vii) Retail operating systems, or desktop applications (e.g. e-
mail, browsers, games, word processing, data base, financial 
applications or utilities) designed for, bundled with, or pre-loaded on 
single CPU computers, laptops or hand-held devices;
    (viii) Client Internet appliance and client wireless LAN cards;
    (ix) Foreign products developed by bundling or compiling of source 
code.
    (5) Submission requirements. You must submit the reports required 
under this section, semi-annually, to BIS, unless otherwise provided in 
this paragraph (e)(5). For exports occurring between January 1 and June 
30, a report is due no later than August 1 of that year. For exports 
occurring between July 1 and December 31, a report is due no later than 
February 1 the following year. These reports must be provided in 
electronic form to BIS. Recommended file formats for electronic 
submission include spreadsheets, tabular text or structured text. 
Exporters may request other reporting arrangements with BIS to better 
reflect their business models. Reports may be sent electronically to BIS 
at crypt@bis.doc.gov (with a copy to the ENC Encryption Request 
Coordinator at enc@ncsc.mil), or disks and CDs containing the reports 
may be mailed to the following addresses:

(i) Department of Commerce, Bureau of Industry and Security, Office of 
    Strategic Trade and Foreign Policy Controls, 14th Street and 
    Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
    Encryption Reports.
(ii) A copy of the report should be sent to: Attn: ENC Encryption 
    Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 
    20755-6000.

[67 FR 38862, June 6, 2002, as amended at 68 FR 35785, June 17, 2003]