Where Industry and Security Intersect
What's New | Sitemap | Search
Flowchart 1 graphically describes the process used to determine whether an item is classified under Category 5, Part 2 of the Commerce Control List in the EAR.
Is the item designed to use cryptography or does it contain cryptography?
Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
Similarly, if the item includes encryption functionality, even if the encryption functionality is not used by the item, then BIS evaluates the item based on the included encryption functionality.
Also note that Category 5, Part 2 includes certain items with Information Security functionality, whether or not the items have encryption functionality. This includes items that are specially designed or modified to reduce electromagnetic emissions; systems and devices exceeding class evaluation assurance level 6 (EAL-6) of the Common Criteria; and items designed to use quantum cryptography.
Is this hardware or software specially designed for medical end use?
The Nota Bene to Note 1 of Category 5, Part 2 provides:
Items that are specially designed for medical end use are not controlled under Category 5, Part 2 of the CCL. Items specially designed for medical end use are EAR99. There is a Statement of Understanding for medical equipment in Supplement No. 3 to Part 774 of the EAR.
Is the product described by Note 4?
Items described by Note 4 are not controlled under Category 5, Part 2 of the EAR. See “What items are removed from encryption controls?” for additional guidance.
Is the encryption functionality limited to intellectual property or copyright protection functions?
The former regulatory language explicitly identified certain products as not controlled under ECCN 5A002 if the encryption functionality was limited to certain intellectual property or copyright protection functions. Note 4 of this rule completely removes the identified products from Category 5, Part 2. See “What items are removed from encryption controls?” for additional guidance.