[Code of Federal Regulations]
[Title 15, Volume 2]
[Revised as of January 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR742.15]

[Page 305-308]
 
                  TITLE 15--COMMERCE AND FOREIGN TRADE
 
  CHAPTER VII--BUREAU OF INDUSTRY AND SECURITY, DEPARTMENT OF COMMERCE
 
PART 742--CONTROL POLICY--CCL BASED CONTROLS--Table of Contents
 
Sec.  742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of information, 
and thereby may be used by persons abroad to harm U.S. national 
security, foreign policy and law enforcement interests. The United 
States has a critical interest in ensuring that important and sensitive 
information of the public and private sector is protected. Consistent 
with our international obligations as a member of the Wassenaar 
Arrangement, the United States has a responsibility to maintain control 
over the export and reexport of encryption items. As the President 
indicated in Executive Order 13026 and in his Memorandum of November 15, 
1996, exports and reexports of encryption software, like exports and 
reexports of encryption hardware, are controlled because of this 
functional capacity to encrypt information on a computer system, and not 
because of any informational or theoretical value that such software may 
reflect, contain, or represent, or that its export or reexport may 
convey to others abroad. For this reason, export controls on encryption 
software are distinguished from controls on other software regulated 
under the EAR.
    (a) Licensing requirements and policy--(1) Encryption items 
controlled under ECCN 5A002, 5D002, or 5E002. (i) Licensing 
requirements. A license is required to export or reexport encryption 
items (``EI'') controlled under ECCN 5A002, 5D002 or 5E002 to all 
destinations, except Canada. Refer to part 740 of the EAR, for license 
exceptions that apply to certain encryption items, and to Sec.  772.1 of 
the EAR for definitions of encryption items and terms. Exporters must 
submit applications to obtain authorization under a license or an 
Encryption Licensing Arrangement for exports and reexports of encryption 
items that are not eligible for a license exception.
    (ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine 
whether the export or reexport is consistent with U.S. national security 
and foreign policy interests. Exports of encryption items to 
governments, or Internet and telecommunications service providers for 
the provision of services specific to governments, may be favorably 
considered for civil uses, e.g., social or financial services to the 
public; civil justice; social insurance, pensions and retirement; taxes 
and communications between governments and their citizens. Encryption 
Licensing Arrangements may be authorized for exports and reexports of 
unlimited quantities of encryption items to all destinations, except 
countries listed in Country Group E:1 of Supplement No. 1 to part 740. 
Encryption Licensing Arrangements, including those which authorize 
exports and reexports of encryption technology to strategic partners (as 
defined in Sec.  772.1 of the EAR) of U.S. companies, are valid for four 
years and may require reporting. Applicants seeking authorization for 
Encryption Licensing Arrangements must specify the sales territory and 
class of end-user on their license applications.
    (2) Encryption items controlled under ECCN 5A992, 5D992, or 5E992. 
(i) Licensing requirements. Items controlled under 
ECCN 5A992, 5D992 or 5E992 are controlled for anti-terrorism (AT) 
reasons to countries listed in AT column 1 or AT column 2, as 
applicable, of the Commerce Country Chart (Supplement No. 1 to Part 738 
of the EAR). A license also may be required to certain destinations or 
persons for other reasons specified elsewhere in the EAR (e.g., 
embargoes). In addition, these encryption items are subject to the 
notification or review requirements described in paragraph (b)(1) and 
(b)(2) of this section, unless specifically excluded by paragraph (b)(3) 
of this section.
    (ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine 
whether the export or reexport is consistent with U.S. national security 
and foreign policy interests. BIS does not authorize Encryption 
Licensing Arrangements for exports and reexports of encryption items to 
any of the countries listed in Country Group E:1 of Supplement No. 1 to 
Part 740 of the EAR.
    (b) Notification and review requirements for encryption items 
controlled under ECCN 5A992, 5D992 or 5E992. You may export and reexport 
encryption commodities, software and technology controlled under ECCN 
5A992, 5D992 or 5E992 without a license (NLR: No License Required) to 
most destinations, in accordance with paragraph (a)(2) of this section, 
provided that you have met the notification and review requirements 
described in paragraphs (b)(1) and (b)(2) of this section. Certain 
encryption items controlled under ECCN 5A992, 5D992 or 5E992 may be 
exported or reexported without notification or review--these items are 
identified in paragraph (b)(3) of this section. In addition, no post-
shipment reporting is required for encryption items controlled under 
ECCN 5A992, 5D992, or 5E992. See Sec.  732.5 of the EAR for Shipper's 
Export Declaration (SED), Destination Control Statements (DCS), and 
recordkeeping requirements for items exported and reexported without a 
license (NLR).
    (1) Notification requirement for specified encryption items. You may 
export or reexport encryption items controlled under ECCN 5A992, 5D992 
or 5E992 and identified in paragraphs (b)(1)(i) and (b)(1)(ii) of this 
section to most destinations without a license (NLR: No License 
Required), provided that you have submitted to BIS, by the time of 
export, the information described in paragraphs (a) through (e) of 
Supplement No. 6 of this part. For notifications submitted under 
paragraph (b)(1)(i) of this section, you must also provide specific 
information describing how your products qualify for mass market 
treatment under the criteria in the Cryptography Note (Note 3) of 
Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to 
part 774 of the EAR). If you are unsure as to whether your encryption 
items are eligible for export or reexport under this paragraph (b)(1), 
you should submit a request, to BIS and to the ENC Encryption Request 
Coordinator, for a review of your encryption items pursuant to the 
requirements of paragraph (b)(2) of this section (for mass market 
encryption commodities and software), or under the provisions of License 
Exception ENC (see Sec.  740.17 of the EAR). The following encryption 
items controlled by ECCN 5A992, 5D992, or 5E992 are eligible for export 
or reexport without a license, to most destinations, with notification 
only:
    (i) Up to (and including) 64-bit mass market encryption commodities 
and software;
    (ii) Encryption items (including key management products and company 
proprietary implementations) with key lengths not exceeding 56 bits for 
symmetric algorithms, 512 bits for asymmetric key exchange algorithms, 
and 112 bits for elliptic curve algorithms;
    (2) Review requirement for mass market encryption commodities and 
software exceeding 64 bits: Mass market encryption commodities and 
software employing a key length greater than 64 bits for the symmetric 
algorithm (including such products previously reviewed by BIS and 
exported under ECCN 5A002 or 5D002) remain subject to the EAR and 
require review by BIS, prior to export or reexport under this paragraph 
(b)(2). Encryption commodities and software that are not eligible as 
retail items under License Exception ENC do not qualify for mass market 
treatment (see 
Sec.  740.17(b)(3) of the EAR for retail product eligibility under 
License Exception ENC.)
    (i) Procedures for requesting review. To request review of your mass 
market encryption products, you must submit to BIS and the ENC 
Encryption Request Coordinator the information described in paragraphs 
(a) through (e) of Supplement 6 to this part 742, and you must include 
specific information describing how your products qualify for mass 
market treatment under the criteria in the Cryptography Note (Note 3) of 
Category 5, Part 2 (``Information Security''), of the Commerce Control 
List (Supplement No. 1 to Part 774 of the EAR). Review requests must be 
submitted on Form BIS-748P (Multipurpose Application), or its electronic 
equivalent, as described in Sec.  748.3 of the EAR. To ensure that your 
review request is properly routed, insert the phrase ``Mass market 
encryption'' in Block 9 (Special Purpose) of the application form and 
place an ``X'' in the box marked ``Classification Request'' in Block 5 
(Type of Application)--Block 5 does not provide a separate item to check 
for the submission of encryption review requests. Failure to properly 
complete these items may delay consideration of your review request. 
Review requests that are not submitted electronically to BIS should be 
mailed to the address indicated in Sec.  748.2(c) of the EAR. 
Submissions to the ENC Encryption Request Coordinator should be directed 
to the mailing address indicated in Sec.  740.17(e)(5)(ii) of the EAR. 
BIS will notify you if there are any questions concerning your request 
for review (e.g., because of missing or incomplete support 
documentation).
    (ii) Action by BIS. Once BIS has completed its review, you will 
receive written confirmation concerning the eligibility of your items 
for export or reexport as mass market encryption commodities or software 
controlled under ECCN 5A992 or 5D992. If, during the course of its 
review, BIS determines that your encryption items do not qualify for 
mass market treatment under the EAR, or are otherwise controlled under 
ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will review 
your commodities or software for eligibility under License Exception ENC 
(see Sec.  740.17 of the EAR for review and reporting requirements for 
encryption items under License Exception ENC). BIS reserves the right to 
suspend your eligibility to export and reexport under the provisions of 
this paragraph (b)(2) and to return review requests, without action, if 
the requirements for review have not been met.
    (iii) Exports and reexports to government and non-government end-
users. Immediately upon registration by BIS of your completed review 
request (``registration'' is defined in Sec.  750.4(a)(2) of the EAR), 
you may export or reexport mass market encryption commodities and 
software exceeding 64 bits, under ECCNs 5A992 and 5D992, without a 
license (NLR: No License Required) to government and non-government end-
users located in the countries listed in Supplement 3 to part 740 of the 
EAR. These mass market encryption products also may be exported or 
reexported, without a license (NLR), to most destinations (except those 
that require a license for AT reasons or for reasons described elsewhere 
in the EAR) for the internal use of foreign subsidiaries or offices of 
firms, organizations and governments headquartered in Canada or in 
countries listed in Supplement 3 to part 740 of the EAR. Thirty days 
after BIS registers your review request, you may export or reexport 
these mass market encryption products, without a license, to government 
and non-government end-users located in most destinations outside the 
countries listed in Supplement 3 to part 740 of the EAR (certain 
destinations and persons may require a license for AT reasons or for 
reasons specified elsewhere in the EAR), unless otherwise notified by 
BIS (e.g., because of missing or incomplete support documentation, or 
conversion to License Exception ENC review). The thirty days may not 
include any time that your review request was on hold without action. 
See Sec.  772.1 of the EAR for the definition of ``government end-user'' 
as it applies to encryption items.
    (3) Exclusions from notification and review requirements. The 
following items 
and transactions do not require notification or review prior to export 
or reexport. However, a license may be required to export or reexport 
these items to certain destinations for AT reasons or for reasons set 
forth elsewhere in the EAR (e.g., embargoes).
    (i) Encryption items for U.S. subsidiaries. Encryption items 
controlled under ECCN 5A992, 5D992, or 5E992 that are exported to 
foreign subsidiaries of U.S. companies (as defined in Sec.  772.1 of the 
EAR) for any end-use, including the development of new products, that is 
not prohibited elsewhere in the EAR. All items produced or developed by 
U.S. subsidiaries with encryption commodities, software and technology 
exported under this paragraph are subject to the EAR and require review 
and authorization before any sale or retransfer outside of the U.S. 
company.
    (ii) Mass market short-range wireless commodities or software. Mass 
market commodities or software that would not otherwise be controlled 
under Category 5 (telecommunications and ``information security'') of 
the Commerce Control List, but which are controlled under ECCN 5A992 or 
5D992 only because they incorporate components or software that provide 
short-range wireless encryption functions (e.g., wireless products with 
an operating range typically not exceeding 100 meters).
    (iii) Items with limited cryptographic functionality. Encryption 
items controlled under ECCN 5A992, 5D992, or 5E992 for which the use of 
cryptography is limited to cryptographic functions that are not 
controlled for ``EI'' reasons under the EAR (e.g. items with 
cryptographic functions limited to authentication or digital signature, 
execution of copy protected software, and ``finance specific'' items 
specially designed and limited for banking use or money transactions). 
These items are described in the Related Controls paragraph and the 
Technical Notes under ECCN 5A002 on the Commerce Control List 
(Supplement No. 1 to part 774 of the EAR), which are cross-referenced 
under ECCNs 5D002 and 5E002.
    (4) Commodities and software that activate or enable cryptographic 
functionality. Commodities, software, and components that allow the end-
user to activate or enable cryptographic functionality in encryption 
products which would otherwise remain disabled, are controlled according 
to the functionality of the activated encryption product. The 
notification and review requirements enumerated in this paragraph (b) of 
this section apply to commodities, software and components which 
activate cryptographic functionality in encryption products controlled 
under ECCNs 5A992 and 5D992. (See Sec.  740.17 of the EAR for review and 
reporting requirements for commodities, software and components that 
enable cryptographic functionality in encryption products controlled 
under ECCNs 5A002 and 5D002.) This paragraph (b)(4) does not authorize 
the export or reexport of any activated encryption product. Separate 
review or authorization of the enabled encryption product is required.
    (5) Examples of mass market encryption products. Subject to the 
requirements of the Cryptography Note (Note 3) in Category 5, Part 2, of 
the Commerce Control List, mass market encryption products include, but 
are not limited to, general purpose operating systems and desktop 
applications (e.g. e-mail, browsers, games, word processing, database, 
financial applications or utilities) designed for, bundled with, or pre-
loaded on single CPU computers, laptops, or hand-held devices; 
commodities and software for client Internet appliances and client 
wireless LAN devices; home use networking commodities and software (e.g. 
personal firewalls, cable modems for personal computers, and consumer 
set top boxes); portable or mobile civil telecommunications commodities 
and software (e.g. personal data assistants (PDAs), radios, or cellular 
products); and commodities and software exported via free or anonymous 
downloads.

[67 FR 38865, June 6, 2002, as amended at 68 FR 35785, June 17, 2003]