COMMERCIAL ENCRYPTION EXPORT CONTROLS

June 6, 2002

U.S. Encryption Export Control Policy

Frequently Asked Questions

Note: This rule does not change any of the existing restrictions on exports and reexports of encryption items to designated terrorist supporting countries and nationals of such countries, and persons designated in Part 744 of the EAR.

  1. Why is the United States revising its encryption export policy?
  2. What are the major features of this policy update?
  3. What is a "review request"?
  4. What is the difference between a "review request" and a "notification"?
  5. When is a "review request" required? After I submit my request, when may I export or reexport my encryption item?
  6. When may I submit a "notification" instead of a "review request"?
  7. When is a "review request" or "notification" NOT required?
  8. When is a license required and what types of licenses are available?
  9. What are the criteria for "retail" encryption products, and where do I find these criteria in the regulations?
  10. What is the difference between a "mass market" encryption product and a "retail" encryption product, in terms of export control treatment?
  11. How are the requirements and procedures for "mass market" and "retail" review requests different? How are they similar?
  12. How will I know if my product has been authorized as a "retail" or a "mass market" encryption product?
  13. If a product is not eligible for "retail" treatment, can it be eligible for "mass market" treatment?
  14. Must I have my encryption commodities and software approved as a "retail" product prior to submitting them for review as a "mass market" product?
  15. What happens to pending requests that were submitted under License Exception ENC before this rule was published?
  16. Is there a "grandfathering" provision that would make an encryption product eligible for "mass market" treatment if it has previously been authorized under the "retail" provisions of License Exception ENC?
  17. What are the review and reporting requirements for encryption source code that would not be considered "publicly available"?
  18. If I download "publicly available" encryption software from the Internet, incorporate it into a new encryption product that I have designed, and then sell my product, would my product be considered "publicly available"?
  19. How do I determine if my customer is a "government end-user"?
  20. This regulation became effective on June 6, 2002. Can I still comment on it?

Why is the United States revising its encryption export policy?

This rule updates our mass market encryption policies, consistent with global policy developments, and clarifies existing procedures and requirements for other types of dual-use encryption items. Our major trading and security partners, such as the European Union, Japan and other member nations of the Wassenaar Arrangement, also have updated their mass market encryption export control policies. The guiding principles for U.S. encryption export control policy have not changed. The policy continues to rest on three tenets: a review of encryption products in advance of sale, a streamlined post-export reporting system that takes into account differing distribution models, and review of certain exports to foreign government end-users. This rule will continue to protect our national security and foreign policy interests without impairing the ability of U.S. companies to compete effectively in global markets.

What are the major features of this policy update?

For the first time, mass market encryption products using symmetric encryption algorithms with key lengths exceeding 64 bits will be eligible for export and reexport under Export Control Classification Numbers (ECCNs) 5A992 and 5D992 after a 30-day review by the Bureau of Industry and Security (BIS) and the ENC Encryption Request Coordinator. There are no post-export reporting requirements or licensing requirements related to the export or reexport of these mass market encryption products once this review is completed. See Note.

Also for the first time, all encryption source code that would be considered publicly available under Section 734.3(b)(3) of the EAR (such as source code posted to the Internet) and the corresponding object code may be exported and reexported under License Exception TSU -- Technology and Software Unrestricted (specifically, Section 740.13(e) of the EAR), once notification (or a copy of the source code) is provided to BIS and the ENC Encryption Request Coordinator. See Note. Even if a license fee or royalty is charged for commercial production or sale of products developed using the source code, such source code is eligible for license exception TSU and no post-export reporting is required.

This rule further updates and clarifies licensing requirements and license exception provisions for all other dual-use information security items listed on the Commerce Control List, including test and production equipment controlled under ECCN 5B002, short-range wireless products and products with cryptographic functions limited to password protection, user authentication, digital signatures, and banking transactions.

What is a "review request"?

Under the U.S. encryption export control policy, most products with strong encryption features may be exported and reexported to all destinations without a license, once the product is reviewed by BIS and the ENC Encryption Request Coordinator. See Note. In our updated regulations, the term "review request" refers to the process through which BIS reviews certain encryption items prior to their initial export, to determine whether these items qualify for "mass market" or "retail" treatment (or are otherwise eligible for export and reexport under License Exception ENC). To submit an encryption "review request" to BIS, use the same application form (BIS/BXA-748P, or its SNAP-R electronic equivalent) as you would for a "classification request" of a non-encryption item. Sections 740.17, 742.15(b)(2), 748.3(d) and Supplement No. 6 to part 742 of the EAR describe the support documentation requirements for review requests, as well as the procedures you must follow. This review process enables the United States to satisfy its national security needs without imposing burdensome licensing requirements to non-sanctioned destinations or persons. To clarify that encryption items do not require separate classification by BIS, previous references to "classification requests" for encryption items are revised in this rule to read "review requests".

What is the difference between a "review request" and a "notification"?

A review request is a formal application to BIS for an export determination (as described in the answer to question three above) using form BIS/BXA-748P or its SNAP-R electronic equivalent. As such, it generates an official response from BIS. A notification is a submission of certain information required by the EAR to BIS (with a copy to the ENC Encryption Request Coordinator) in a letter or email. In certain situations, once proper notification has been submitted, you may immediately export your encryption item without submitting a review request to BIS. Unlike a review request, BIS will not provide an official response to an encryption notification unless we have questions regarding your notification.

When is a "review request" required? After I submit my request, when may I export or reexport my encryption item?

Generally, commodities, software and technology for the encryption of data (except passwords and other types of authentication data) using symmetric algorithms with more than 64 bits of key, or for key management functions using asymmetric algorithms with more than 512 bits of key, require review by BIS and other agencies (either through a review request or, if required, through a license application) for export or reexport outside the United States and Canada. See Note. Except for cryptanalytic ("code-breaking") items to government end-users, you may export and reexport any encryption item to the "EU+8" (the European Union, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland) once you register a completed review request with BIS and the ENC Encryption Request Coordinator under License Exception ENC.

Except for encryption technology and items that provide an open cryptographic interface (such as for "crypto-with-a-hole" applications or unrestricted "third party" cryptography), you may also export and reexport any encryption item to non-government end-users outside the "EU+8" 30 calendar days after your request is registered with BIS and the ENC Encryption Request Coordinator. See Note. Furthermore, you may export and reexport "retail" encryption commodities, software and components to government end-users (except those in Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) once the review is completed and your product is authorized by BIS for "retail" treatment. Please note that the License Exception ENC prohibition against exports and reexports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria also applies to exports and reexports of encryption source code and technology to nationals of these countries. Further, exporters are referred to Section 734.2 of the EAR for applicable definitions of "export" and "reexport" which apply to encryption source code and technology.

Special provisions apply to mass market encryption commodities and software with symmetric key lengths greater than 64 bits. Under the updated U.S. policy, such products may be exported and reexported to government end-users 30 calendar days after you register a completed review request with BIS and the ENC Encryption Request Coordinator, unless you are otherwise notified by BIS. For the regulatory details of these various encryption review request provisions, see Sections 740.17 and 742.15(b)(2) of the EAR.

When may I submit a "notification" instead of a "review request"?

The following items may be exported and reexported to all destinations (except designated terrorist supporting countries, nationals of such countries, and persons designated in Part 744 of the EAR) once proper notification is given to BIS and the ENC Encryption Request Coordinator: encryption source code that would be considered publicly available under Section 734.3(b)(3) of the EAR and the corresponding object code; encryption items with key lengths less than or equal to 56 bits for symmetric algorithms, 512 bits for asymmetric algorithms and 112 bits for elliptic curve algorithms; mass market encryption products with symmetric key lengths not exceeding 64 bits; and beta test encryption software. Also, you may increase the key length of a previously reviewed encryption item by submitting a certification letter, provided that this is the only change in cryptographic functionality. See Sections 740.9(c)(8), 740.13(e), 740.17(d)(3) and 742.15(b)(1) for notification requirements for encryption items under the EAR.

When is a "review request" or "notification" NOT required?

No review or notification is required to export any encryption item to overseas subsidiaries of U.S. companies (except subsidiaries in Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria - this includes "exports" and "reexports," as defined by Section 734.2 of the EAR, of encryption source code and technology to foreign nationals of these countries) for internal company use, including the development of new products. Likewise, no review or notification is required for encryption items with limited cryptographic capabilities described in the Technical and Related Control notes under ECCN 5A002 of Category 5, Part 2 ("Information Security") of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR), such as authentication, access control, digital signature, copy protection, banking use or money transactions, and cell phones that do not allow encrypted access to the Internet or other forms of "end-to-end" encryption. Products that are only controlled as "Information Security" items because they incorporate parts and components with limited short-range wireless encryption capabilities (e.g. consumer products conforming to the Bluetooth, Home Radio Frequency - HomeRF or IEEE 802.11b - "WiFi" standards with operating range typically not exceeding 100 meters) also do not require review or notification unless a license is otherwise required.

When is a license required and what types of licenses are available?

A license is required to export or reexport encryption items controlled under ECCN 5A002, 5D002 or 5E002, and equipment controlled under ECCN 5B002, to all destinations except Canada, unless otherwise specified or authorized by the EAR (e.g., under a license exception). For instance, the following are examples of transactions that would require a license: technology controlled under ECCN 5E002 and "open cryptographic interface" items to end-users (except U.S. subsidiaries - see Section 740.17(b)(1) of the EAR) outside the "EU+8" and Canada; cryptanalytic items to government end-users except Canada; and encryption commodities and software that do not meet the "retail" criteria, such as high end routers and switches, general purpose toolkits and encryption source code that would not be considered publicly available, to government end-users outside the "EU+8" and Canada (see Sections 740.17(a) and 740.17(b)(2) of the EAR). License applications are reviewed on a case-by-case basis by BIS in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests.

Outside the "EU+8", Encryption Licensing Arrangements ("ELA") may be authorized for exports and reexports of unlimited quantities of specified encryption commodities to commercial (and certain civil government) end-users, after interagency review. Such licenses are valid for four years and may require reporting. In general, exports and reexports to strategic partners (as defined in Section 772.1 of the EAR) of U.S. companies are favorably considered. Applicants seeking authorization for an ELA must specify the requested sales territory and class of end-user(s) on their license applications.

What are the criteria for "retail" encryption products, and where do I find these criteria in the regulations?

Generally, "retail" encryption products are commodities and software controlled under ECCNs 5A002 and 5D002, respectively, that are sold in large volume, typically through electronic or telephone transactions or through retail outlets independent of the manufacturer. Furthermore, "retail" encryption products do not require substantial support for installation and use, and their cryptographic functionality cannot be easily changed by the user. Similarly, if an encryption product has been modified or customized to customer specification, then it is not eligible for "retail" treatment. See Section 740.17(b)(3)(i) for specific eligibility criteria relating to "retail" encryption products.

In addition to products that meet these specific criteria, certain additional types of encryption products are eligible for the "retail" provisions of License Exception ENC. For instance, encryption products that provide equivalent functionality to other products that have already been given "retail" treatment will also be given "retail" treatment. See Section 740.17(b)(3)(ii) of the EAR for a list of products that will be given "retail" treatment, even if they do not themselves meet the specific criteria enumerated in Section 740.17(b)(3)(i).

What is the difference between a "mass market" encryption product and a "retail" encryption product, in terms of export control treatment?

The term "mass market" encryption refers to the items described in the Cryptography Note (Note 3) to Category 5, Part 2 ("Information Security") of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR). Encryption commodities and software that are authorized for "mass market" treatment are controlled under ECCNs 5A992 and 5D992 respectively. "Retail" encryption products remain controlled for Encryption Item ("EI") and National Security ("NS") reasons under ECCNs 5A002 and 5D002. Both types of products are controlled for Anti-Terrorism ("AT") reasons. Once a product is authorized by BIS for "retail" or "mass market" treatment, it may be exported or reexported to both non-government and government end-users. See Note. Certain post-export reporting requirements apply to "retail" encryption products (refer to Section 740.17(e) of the EAR). Furthermore, "retail" encryption parts, components and software controlled under ECCN 5A002 or 5D002 are not eligible for de minimis treatment when incorporated into foreign products, unless such eligibility is specifically requested of BIS and BIS approves the request. National security interests are taken into account when such de minimis eligibility requests are considered.

How are the requirements and procedures for "mass market" and "retail" review requests different? How are they similar?

Both "retail" and "mass market" encryption products with symmetric key lengths exceeding 64 bits require review by BIS and the ENC Encryption Request Coordinator prior to their initial export outside the United States and Canada. The requirements and procedures for "retail" review requests under License Exception ENC are described in Sections 740.17(b)(3) and 740.17(d)(1) of the EAR, while the requirements and procedures for "mass market" review requests are described in Section 742.15(b)(2).

As with any encryption review request, you must submit to BIS and the ENC Encryption Request Coordinator the information required by Supplement 6 to Part 742 of the EAR when requesting "retail" or "mass market" treatment. However, for "mass market" requests, you must also include specific information describing how the products meet the criteria of the Cryptography Note (Note 3) to Category 5, Part 2 of the Commerce Control List, while for "retail" requests, describe how the products qualify under Section 740.17(b)(3)(i) or 740.17(b)(3)(ii).

How will I know if my product has been authorized as a "retail" or a "mass market" encryption product?

If you submit an encryption review request and BIS determines that your product meets the "retail" criteria of Section 740.17(b)(3)(i) (or else is eligible under the provisions of Section 740.17(b)(3)(ii), such as for functionally equivalent products), BIS will provide you with an official notice authorizing the export or reexport of your product as a "retail" encryption product. You may not export or reexport your encryption product under the "retail" provisions of License Exception ENC unless and until you are so authorized by BIS.

For "mass market" review requests, BIS will also provide you with an official notice authorizing your product for "mass market" treatment when the review is completed. However, you may take certain actions even before you receive an official notice from BIS. As is the case with products submitted for review under License Exception ENC, you may export or reexport your "mass market" encryption product to the "EU+8" once your review request is registered with BIS and the ENC Encryption Request Coordinator. If you have properly submitted your "mass market" review request and have provided all the necessary information, unless you are otherwise notified by BIS, you may also export and reexport your "mass market" encryption product outside the "EU+8" 30 calendar days after your review request is registered, even if you have not yet received your official notice of "mass market" authorization. See Note.

If a product is not eligible for "retail" treatment, can it be eligible for "mass market" treatment?

Unlike the "retail" provisions of License Exception ENC, there are no "equivalent functionality" provisions for "mass market" encryption commodities and software under the EAR. Each "mass market" encryption product must itself satisfy the criteria of the Cryptography Note (Note 3) to Category 5, Part 2 of the Commerce Control List. Consequently, equivalent functionality is not a basis for determining "mass market" eligibility. Otherwise, the criteria used to determine "mass market" and "retail" eligibility are very similar.

Therefore, encryption items that are not eligible for "retail" treatment under License Exception ENC (such as encryption technology, open cryptographic interface items, network infrastructure products, encryption source code and general purpose toolkits), or else are eligible for "retail" treatment only because they are functionally equivalent to other "retail" products, are not eligible for "mass market" treatment under the EAR.

Must I have my encryption commodities and software approved as a "retail" product prior to submitting them for review as a "mass market" product?

A previous review as a "retail" encryption product under License Exception ENC is not required in order to qualify for "mass market" treatment. However, if a product was previously approved as "retail" under License Exception ENC, exporters should reference the previous application control number when submitting a review request for mass market treatment under Section 742.15(b)(2) of the EAR.

What happens to pending requests that were submitted under License Exception ENC before this rule was published?

Pending requests for review under License Exception ENC that were submitted to BIS before this new rule was published will continue to be reviewed by BIS under License Exception ENC. If you believe your product may now be eligible for "mass market" consideration, you will need to submit a new review request under the updated provisions of Section 742.15(b)(2). As with all other "mass market" review requests, your 30-day "waiting period" for exports and reexports outside the "EU+8" (except to U.S. subsidiaries) will begin when your new request is registered with BIS and the ENC Encryption Request Coordinator. If you are considering whether you should reapply under these new "mass market" provisions, please review the Cryptography Note and the requirements of Section 742.15(b)(2) of the EAR to determine how this may affect your product.

Is there a "grandfathering" provision that would make an encryption product eligible for "mass market" treatment if it has previously been authorized under the "retail" provisions of License Exception ENC?

No, there is no such provision. Because "equivalent functionality" and other unique provisions for "retail" treatment under License Exception ENC are not included in the Cryptography Note (Note 3) to Category 5, Part 2 of the Commerce Control List, BIS must establish that the product meets each of the criteria of the Cryptography Note, even if the product was previously approved as a "retail" encryption item. For encryption products with symmetric key lengths greater than 64 bits, you must submit a new review request in accordance with the requirements of Section 742.15(b)(2) and Supplement No. 6 to part 742 of the EAR, to establish the product's eligibility under the updated regulations.

What are the review and reporting requirements for encryption source code that would not be considered "publicly available"?

Encryption source code that would not be considered publicly available under Section 734.3(b)(3) of the EAR (including general purpose toolkits that also contain such encryption source code) is eligible for export and reexport under License Exception ENC to government and non-government end-users in the "EU+8", and also to non-government end-users outside the "EU+8" (see Note) once you have submitted a review request, including a copy of the source code, to BIS and the ENC Encryption Request Coordinator. Refer to Section 740.17(b)(2)(ii) and paragraph (e) of Supplement No. 6 to part 742 of the EAR for more information on these provisions, and to paragraph (e)(3) of Section 740.17 (License Exception ENC) for certain post-export reporting requirements.

If I download "publicly available" encryption software from the Internet, incorporate it into a new encryption product that I have designed, and then sell my product, would my product be considered "publicly available"?

No, as described, the new encryption product would not be considered publicly available under Section 734.3(b)(3) of the EAR. Therefore, such a product is not eligible for export and reexport under paragraph (e) of Section 740.13 (License Exception TSU). Commercial encryption products that are subject to the EAR, including "retail" and "mass market" products, may incorporate encryption from any number of sources, including general purpose toolkits, open source encryption libraries, or proprietary components. Such commercial encryption products are eligible for export under the appropriate provisions of Sections 740.17 or 742.15 of the EAR, depending on the key length and the type of product, regardless of the source of the underlying encryption.

How do I determine if my customer is a "government end-user"?

The definition of "government end-user" (as applied to encryption items) in Section 772.1 of the EAR is not changed by this new rule. The definition covers certain government organizations at the central, regional, and local levels, which are departments, agencies, or entities performing governmental functions, including governmental corporations that manufacture or distribute items or services controlled on the Wassenaar Munitions List (you can access the Wassenaar Munitions List on the Internet at www.wassenaar.org), governmental research institutions and international governmental organizations.

Excluded from the definition are certain organizations that may be wholly or partially government-owned, such as providers of gas, electricity, telecommunications and Internet service; transportation agencies and entities, such as bus, train and airport authorities; broadcast or entertainment entities such as radio or television organizations; educational organizations, such as schools, colleges and universities; civil health and medical organizations, such as hospitals and clinics; retail or wholesale firms; and manufacturers or industrial entities that do not manufacture or distribute Wassenaar Munitions List items or services.

If you are unsure of whether a particular end-user meets the definition of "government end-user" as applied to encryption items, you may submit an advisory opinion request to the Bureau of Industry and Security, or else submit a license application if the end-user is headquartered outside the "EU+8" and your transaction involves a product that is not eligible for "retail" or "mass market" treatment.

This regulation became effective on June 6, 2002. Can I still comment on it?

Although there is no formal comment period, public comments on this rule are welcome on a continuing basis. Written comments should be submitted to Willard Fisher, Regulatory Policy Division, Bureau of Industry and Security, U.S. Department of Commerce, Room 2705, 14th Street and Pennsylvania Avenue, NW, Washington, DC 20230.
