Encryption Simplification Rule of October 3, 2008 (73 FR 57495)
Summary of Amendments to the Export Administration Regulations
Restructures license exception ENC based on what type of review and waiting period are required.
- Adds Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries that receive favorable treatment under License Exception ENC (Supplement 3 to Part 740).
- Removes obsolete License Exception KMI.
- Removes notification requirements for certain items classified as 5A992, 5D992, and 5E992.
- Increases certain performance parameters under paragraph (b)(2) of License Exception ENC.
- Defines wireless “personal area networks” and “ancillary cryptography” and excludes these items from review and reporting requirements.
- Revises “Guidelines for Submitting Review Requests for Encryption Items,” Supplement No. 6 to part 742.
- Removes Section 744.9, “Technical assistance by U.S. persons with respect to encryption items.”
- Makes it clear that commodities and software pending mass market review are authorized by License Exception ENC under ECCNs 5A002 and 5D002. After the mass market review is complete, such commodities and software may be exported under ECCNs 5A992 and 5D992 using No License Required (NLR).
License Exception ENC (Section 740.17)
New paragraph (a) - No Notification or Review Required
- Private end user in countries on Supplement 3 to Part 740 (§740.17(a)(1)) (for internal development of new products, only)
- To U.S. subsidiaries (§ 740.17(a)(2)) and employees of U.S, companies (internal use)
- Short-range wireless items not controlled under Cat. 5 (§§ 740.17(b)(4)(i) and 742.15(b)(3)(ii))
- =100 meter range
- Examples: IEEE 802.11 and 802.15.1
- May self classify under 5x002 or 5x992 as appropriate
- “Personal Area Network” items – 740.17(b)(4)(iii):arbitrary number of interconnected 'data devices' communicating directly with each other; and confined to immediate vicinity of an individual person or device controller (e.g., single room, office, or automobile).
- <30 meters
- IEEE 802.15.1: class 2 and 3, but not class 1
- May Self Classify as 5x002 or 5x992, as appropriate
Wireless “Personal Area Network” Examples
- Hands-free headsets
- Wireless networking between personal computers
- Wireless mice, keyboards, printers
- GPS receivers
- Bar code scanners
- Game consoles wireless controllers
- Data capable wireless telephones
- Software for transfer of riles using OBEX
- “Ancillary Cryptography” 740.17(b)(4)(iv): not primarily useful for computing (including the operation of "digital computers"), communications, networking (includes operation, administration, management and provisioning) or "information security".
- May Self Classify as 5x002 or 5x992, as appropriate
“Ancillary Cryptography” Examples
- Piracy and theft prevention for software, music, etc.
- Games and gaming
- Household utilities and appliances
- Printing, reproduction, imaging and video recording or playback
- Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
- Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
- Automotive, aviation, and other transportation systems
Section 740.17 --new paragraph (b) -- Review Required
- Products with the following encryption functionality require review* :
- 56/512/112-bit sym/asym/ellip encryption (5A002 a.1)
*excluding items using only limited cryptographic functionality (Category 5 Part 2, Related Control Note); Short-range wireless; Wireless PAN; or “Ancillary Cryptography” (740.17(b)(4))
- Items requiring review may be eligible for License Exception ENC (§740.17 (b)(2), (b)(3))
Section 742.15: Encryption Items
- Notification no longer required for ECCN 5A992/5D992 or 5E992 items (previous section 742.15 (b)(1)
Mass Marketed Encryption Products (Section 742.15(b) – no review for short-range wireless; Wireless Personal Area Networks” or “Ancillary Cryptography”
(paragraph (b)(3))
Supplement 3 to Part 740 as of October 3, 2008:
Austria, Australia, Bulgaria, Belgium, Canada, Cyprus, Czech Republic, Estonia, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom
Paragraph 740.17 |
End User authorized (Outside E-1) |
Item Description or Purpose of Export |
Review Required? |
(a)(1) |
Private in Supp 3 |
Dev/Production only |
No Review* |
(a)(2) |
U.S. Subs |
Any internal purpose |
No Review* |
(b)(1)(i) |
In Supp 3 |
End Use or Transfer |
Review no wait |
(b)(1)(ii) |
Outside Supp 3 |
<80/1024/160 and Source code |
Review no wait |
(b)(2) |
No Gov’t outside Supp 3 |
Any purpose |
Review with 30 day wait |
(b)(3) |
All except E-1 |
Any purpose |
Review with 30 day wait |
(b)(4) |
All except E-1 |
Short-range Wireless
Wireless PAN;
Ancillary Crypto |
No Review |
(e) Reporting requirements for (b)(2), and (b)(3) |
Section 740.17(a): No Review or Reporting
- Applies to 5A002, 5B002, 5D002, and 5E002
- §740.17(a)(1) Internal “development” or “production” of new products
- No review, notification or reporting
- Only to “private sector companies” HQed in Supp. 3 country
- End use limited to internal use for the development or production of new products.
- §740.17(a)(2) U.S. Subsidiaries
- No review, notification or reporting
- Only to U.S. Subsidiaries as defined in 772. HQed in U.S.
- Internal use
- Employees of U.S. companies or U.S. subsidiaries
Section 740.17(b)(1): Review required without waiting period
- Applies to 5A002, 5B002, and 5D002
- §740.17(b)(1)(i) Review required without waiting period to Supp 3 Countries
- Review Required prior to export
- Can export immediately after complete submission
- Only to Supplement 3 private companies and governments
- End use is not limited
- pending mass market reviews may be exported under this section
- Also includes 5E002
- §740.17(b)(1)(ii) Review required without waiting period to Non-Supp 3 Countries
- <80 Symmetric
- <1024 Asymmetric
- <160 Elliptic Curve
- Source Code to non-government end users
§ 740.17(b)(2) ENC “Restricted”
Review required with 30 day wait
- Applies to 5A002, 5B002, and 5D002
- Products authorized under (b)(2) include:
- network infrastructure products
- source code that is not “publicly available”
- certain specialized commodities and software
- Require a license if going to government end-users not in a Supp 3 country.
- Question 11 of Supp. 6 means “evaluate your products against (b)(2) Criteria”
§ 740.17 (b)(2)(i)-(vi) Criteria
- Network infrastructure items with any of the following:
- Aggregate encrypted WAN, MAN, VPN or backhaul throughput exceeding 90 Mbps.; or
- Single-channel input data rate exceeding 154 Mbps; or
- 250 concurrent encrypted data channels, or encrypted signaling to more than 1,000 endpoints for VOIP or converged products; or
- Air-interface coverage exceeding 1,000 meters, with:
- Maximum data rates >10 Mbps (at >1,000 meters); or
- Max # of concurrent full-duplex voice channels >30; or
- Substantial support is required for installation or use.
- Encryption source code not authorized by EAR §740.13(e)(1)
- Encryption items:
- that have been modified or customized for government end-user/ end-use (e.g., (SOC/NOC); or
- modified or customized to customer specifications; or
- user-accessible & easily changed by user
- “Cryptanalytic items”; or
- Providing functions necessary for quantum cryptography; or
- Modified for computers controlled by ECCN 4A003
§ 740.17(b)(3) ENC “Unrestricted”
Review required with 30-day waiting period
- Everything else not listed in (b)(2) designed to use encryption (5A002, 5B002, 5D002):
- If not (b)(2) or Mass Market, then (b)(3).
- Export to both non-government AND government end-users without a license.
§ 740.17 (b)(4): Items excluded from review requirements
- Short-range wireless encryption functions
- Foreign products developed with US-origin encryption source code, components or toolkits
- Wireless “personal area network” items
Modifications to a Reviewed Product
- New review needed:
- Changes Cryptographic functionality affecting License Exception ENC eligibility
- New review NOT needed:
- Modifications do not change cryptographic functionality
- Name changes, version changes, updates to 3rd party encryption library
- See “Note to paragraph (b)” at end of 740.17(b)
- To Country Group E:1 destinations
- Products that require a review or notification to authorize export but that have not been reviewed or notified
- Cryptanalytic items” to “government end-users”
- To end users not headquartered in Supplement 3 countries
- Encryption “technology” and “technical assistance”
- “Open cryptographic interface” (OCI) products
- “Restricted” (ENC B2)encryption products to “government end-users”
Information Technology Contacts
General number: 202-482-0707
Randy Pratt
Director
Ph: 202-482- 5303
E-mail: cpratt@bis.doc.gov
Judith Currie
Senior Export Policy Analyst
Ph: 202-482-5085
E-mail: jcurrie@bis.doc.gov
Sylvia Jimmison
Export Policy Analyst
Ph: 202-482-2342
E-mail: sjimmiso@bis.doc.gov
Joe Young
Senior Engineer
Ph: 202-482-4197
E-mail: jyoung@bis.doc.gov
Michael Pender
Senior Engineer
Ph: 202-482-2458
E-mail: mpender@bis.doc.gov
Aaron Amundson
Export Policy Analyst
Ph: 202-482-5299
E-mail: aamundso@bis.doc.gov
Anita Zinzuvadia
BIS-Western Regional Office
Electrical Engineer
Ph: 949-660-0144x131
E-mail: azinzuva@bis.doc.gov
|
