Identifying Encryption Items

                                    Weekly ECR teleconference cancelled for Wednesday February 27.

Encryption

Encryption Links

Amendments

Encryption Export Controls, 75 Fed. Reg. 36,482 (June 25, 2010)

Section 740.17 – Encryption Commodities, Software, and Technology (ENC)

Supplement No. 1 to Part 740 – Country Groups

Supplement No. 3 to Part 740 – License Exception ENC Favorable Treatment Countries

Section 742.15 – Encryption Items

Supplement No. 5 to Part 742 – Encryption Registration

Supplement No. 6 to Part 742 – Technical Questionnaire for Encryption Items

Supplement No. 8 to Part 742 – Self-Classification Report for Encryption Items

Supplement No. 2 to Part 748 – Unique Application and Submission Requirements

Supplement No. 1 to Part 774, Category 5, Part II – Information Security

Identifying Encryption Items

Is my item classified under Category 5, Part 2, of the EAR?
How are classifications issued before the June 25, 2010 amendments grandfathered into the current encryption provisions?
What items are removed from encryption controls?

Is my item classified under Category 5, Part 2 of the EAR?

Flowchart 1 graphically describes the process used to determine whether an item is classified under Category 5, Part 2 of the Commerce Control List in the EAR.

Is the item designed to use cryptography or does it contain cryptography?

Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.

Similarly, if the item includes encryption functionality, even if the encryption functionality is not used by the item, then BIS evaluates the item based on the included encryption functionality.

Also note that Category 5, Part 2 includes certain items with Information Security functionality, whether or not the items have encryption functionality. This includes items that are specially designed or modified to reduce electromagnetic emissions; systems and devices exceeding class evaluation assurance level 6 (EAL-6) of the Common Criteria; and items designed to use quantum cryptography.

Is this hardware or software specially designed for medical end use?

The Nota Bene to Note 1 of Category 5, Part 2 provides: N.B. to Note 1: Commodities and software specially designed for medical end-use that incorporate an item in Category 5, part 2 are not classified in any ECCN in Category 5, part 2.

Items that are specially designed for medical end use are not controlled under Category 5, Part 2 of the CCL. Items specially designed for medical end use are EAR99. There is a Statement of Understanding for medical equipment in Supplement No. 3 to Part 774 of the EAR.

Is the product described by Note 4?

Items described by Note 4 are not controlled under Category 5, Part 2 of the EAR. See “What items are removed from encryption controls? ” for additional guidance.

Is the encryption functionality limited to intellectual property or copyright protection functions?

The former regulatory language explicitly identified certain products as not controlled under ECCN 5A002 if the encryption functionality was limited to certain intellectual property or copyright protection functions. Note 4 of this rule completely removes the identified products from Category 5, Part 2. See “What items are removed from encryption controls? ” for additional guidance.

How are existing encryption classifications grandfathered into the new encryption regulations?

Unrestricted classifications issued under former 740.17(b)(3)

An Unrestricted CCATS issued by BIS under former 740.17(b)(3) serves as authorization for export and reexport to eligible end-users and destinations if the reviewed item is described in the new paragraph (b)(1) or (b)(3) of license exception ENC.

Registration and classification

The exporter or reexporter may use the Unrestricted CCATS previously issued by BIS without any encryption registration (i.e., the information described in Supplement No. 5 to Part 742 of the EAR), new classification by BIS, self-classification reporting (i.e., the information described in Supplement No. 8 to Part 742 of the EAR), provided that the cryptographic functionality of the item has not changed and the item is not now described by 740.17(b)(2)(i).

An encryption registration and updated classification must be submitted to BIS for items classified under the previous provisions as eligible for export and reexport under 740.17(b)(3) that are now described in paragraph 740.17(b)(2)(i) of license exception ENC, even if the cryptographic functionality has not changed.

Semi-annual sales reporting

Using the Unrestricted CCATS previously issued by BIS under former 740.17(b)(3), the exporter or reexporter is not required to provide semi-annual sales reporting under section 740.17(e) for items described in the new paragraph (b)(1) or (b)(3), except for items described in (b)(3)(iii).

Items described in 740.17(b)(2) and (b)(3)(iii) still require semi-annual sales reporting.

Restricted Classifications issued under former 740.17(b)(2)

A Restricted CCATS issued by BIS under old 740.17(b)(2) now serves as authorization for export and reexport to eligible end-users and destinations if the reviewed item is described in the new paragraph (b)(2)(i) of license exception ENC. The exporter or reexporter may use the CCATS previously issued by BIS without any encryption registration (i.e., the information described in Supplement No. 5 to Part 742 of the EAR), new classification by BIS, or self-classification reporting (i.e., the information described in Supplement No. 8 to Part 742 of the EAR), or semi-annual sales reporting required under section 740.17(e), provided that the cryptographic functionality of the item has not changed.

Items described in 740.17(b)(2) and (b)(3)(iii) still require semi-annual sales reporting.

Cryptanalytic items, open cryptographic interface items, and encryption technology

For items described in the new 740.17(b)(2)(ii), (b)(2)(iii) or (b)(2)(iv), such items reviewed and classified by BIS prior to publication of this new rule are authorized for export and reexport to eligible end-users and destinations under paragraph (b)(2) of this license exception using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in Supplement No. 5 to Part 742 of the EAR), new classification by BIS, or self-classification reporting (i.e., the information described in Supplement No. 8 to Part 742 of the EAR), provided the cryptographic functionality of the item has not changed.

Classifications issued under the former 742.15(b) – Mass Market

For mass market encryption commodities, software and components described in the new 740.17(b), such items reviewed and classified by BIS as mass market products prior to the rule change are authorized for export and reexport under paragraph (b) of this section using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in Supplement No. 5 to Part 742), new classification by BIS, or self-classification reporting (i.e., the information described in Supplement No. 8 to Part 742), provided the cryptographic functionality of the item has not changed.

What items are removed from encryption controls?

BIS has amended the EAR by implementing the agreements made by the Wassenaar Arrangement at the plenary meeting in December 2009 that pertained to "information security" items. This rule adds an overarching note that excludes particular products that use cryptography from being controlled as "information security" items. The new note focuses "information security" controls on the use of encryption for computing, communications, networking and information security. Many items in which the use of encryption is ancillary to the primary function of the item are no longer controlled under Category 5, Part 2, of the Commerce Control List (CCL).

The Adoption of Note 4 Decontrols

The decontrols note appears as Note 4 to Category 5, Part 2 of the CCL and provides as follows:

Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:

(a) The primary function or set of functions is not any of the following:
     (1) "Information security";
     (2) A computer, including operating systems, parts and components therefor;
     (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
          management or medical records management); or
     (4) Networking (includes operation, administration, management and provisioning);
(b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
(c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
     country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.

Note 4 completely removes the decontrolled items from control under Category 5, Part 2 of the CCL.

Please note that certain products may be controlled under an ECCN elsewhere in the CCL even if they are no longer controlled for encryption reasons.

The Removal of the Term "Ancillary Cryptography" from the EAR and the Decontrol of Certain Items in the Note to 5A002

Previously, certain products were deemed "ancillary cryptography" and were exempted from the classification and reporting requirements. With the decontrols outlined in Note 4, the term "ancillary cryptography" is no longer necessary and has been removed from the EAR. Products that meet the requirements of Note 4 are no longer controlled under Category 5, Part 2.

In addition to decontrolling all items previously deemed to be "ancillary cryptography," Note 4 decontrols all items listed under former paragraphs (b), (c), and (h) of the Note in the items paragraph of ECCN 5A002.

The former regulatory language provided:
Note: 5A002 does not control any of the following. However, these items are instead controlled under 5A992:

…
(b) Receiving equipment for radio broadcast, pay television or similar restricted audience broadcast of the consumer type, without digital
     encryption except that exclusively used for sending the billing or program-related information back to the broadcast providers;
(c) Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the
     following:
     (1) Execution of copy-protected "software";
     (2) Access to any of the following:
          (a) Copy-protected contents stored on read-only media; or
         (b) Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) where the
               media is offered for sale in identical sets to the public;
     (3) Copying control of copyright protected audio/video data; or
     (4) Encryption and/or decryption for protection of libraries, design attributes, or associated data for the design of semiconductor
          devices or integrated circuits;
…
(h) Equipment specially designed for the servicing of portable or mobile radiotelephones and similar client wireless devices that meet all the
     provisions of the Cryptography Note (Note 3 in Category 5, Part 2), where the servicing equipment meets all of the following:
     (1) The cryptographic functionality of the servicing equipment cannot easily be changed by the user of the equipment;
     (2) The servicing equipment is designed for installation without further substantial support by the supplier; and
     (3) The servicing equipment cannot change the cryptographic functionality of the device being serviced;
…

The effect of the decontrol language in former paragraphs (b), (c), and (h) was to change the classification of items from ECCN 5A002 to ECCN 5A992, removing the items from the scope of "encryption item" and national security control policies. However, the decontrolled items remained classified under an ECCN in Category 5, Part 2 of the CCL. In contrast, under this rule, Note 4 completely removes the decontrolled items from control under Category 5, Part 2 of the CCL.

However, the encryption components, source code and technology used to manufacture an item that uses encryption may be controlled under Category 5, Part 2, of the CCL.

No New Items Added to Encryption Controls

No items have been added to encryption controls under Category 5, Part 2, of the CCL that were not already controlled under Category 5, Part 2, of the CCL.

Please note that although no new items have been added to Category 5, Part 2, of the CCL, the specific requirements for classification of specific items controlled under Category 5, Part 2, of the CCL may have changed.