COMMERCIAL ENCRYPTION EXPORT CONTROLS
Export and reexport controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. Rules governing exports and reexports of encryption items are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. Sections 740.13, 740.17 and 742.15 of the EAR are the principal references for the export and reexport of encryption items.
Regulations
- encryption rules published by BIS since export control jurisdiction was transferred from the State Department to the Commerce Department in 1996. This rule includes the most recent updates dated December 9, 2004.
Guidance - step-by-step instructions and guidance
to help exporters when preparing a review request for >64-bit
mass market encryption or License Exception ENC,
applying for a license, or submitting a notification
for NLR, beta test software or
"publicly available"
source code (and corresponding object code). For exporters who are exploring
whether their products are subject to these review or notification requirements,
a basic "checklist" on encryption
and other “information security” functions is provided.
Advisory Opinions - advisory opinions related to encryption items may be reviewed on the advisory opinions web page.
Highlights of 12/9/04 Changes to the
U.S. Encryption Policy
• Simplifies License Exception ENC by:
– Implementing a uniform 30-day review period for most encryption reviews.
– Clarifying the criteria by which the licensing requirement to certain “government end-
users” is determined.
– Removing the word "retail" from the license exception (except in a "grandfathering" paragraph that
permits items previously given "retail" treatment to be exported and reexported under the license
exception without further U.S. Government review.)
– Removing the requirement to make separate request for de minimis eligibility for encryption
commodities and software submitted for review.
• Revises existing provisions regarding the European Union's "license-free zone" by:
– Updating Supplement No. 3 to part 740 so that this list of EU "license-free zone" countries (where
certain encryption items may be sent immediately, once a complete review request is submitted) now
covers all members of the EU, to include those countries that joined the EU on May 1, 2004.
– Allowing encryption items and related technical assistance to private sector end-users headquartered
in Canada or any country listed in Supplement 3 to part 740 for internal company use in the
development of new products, without prior technical review. (NOTE: review is still required for
any resulting new products that are developed, before the products are provided to others.)
• Permits “publicly available” encryption software that has been posted to the Internet under the notification procedures of License Exception TSU (§740.13(e) of the EAR) to be updated or modified without additional notification, provided the Internet location of the software has not changed.
• Removes the requirement that exporters of beta test encryption software report the names and addresses of their beta testers.
• Allows key lengths of products that have previously been reviewed and authorized under License Exception ENC to be increased with a simple e-mail notification procedure (instead of through a certified letter from a corporate official).
|
Fact Sheet
[12/9/04]
| | | | | | |
