Encryption Export and Reexport Controls Revisions

Download PDF
Federal RegisterDec 9, 2004
69 Fed. Reg. 71356 (Dec. 9, 2004)

AGENCY:

Bureau of Industry and Security, Commerce.

ACTION:

Final rule.

SUMMARY:

This rule revises: the criteria for determining if a foreign made item incorporating U.S. origin encryption is subject to the Export Administration Regulations; the notification requirements for beta test encryption software and certain “publicly available” encryption software; and the review and reporting requirements for exports and reexports of certain encryption items under License Exception ENC that are neither “publicly available” nor eligible for “mass market” treatment. It also makes technical changes.

DATES:

This rule is effective December 9, 2004.

ADDRESSES:

Send comments concerning this rule via e-mail to rpd2@bis.doc.gov, fax to (202) 482-3355 or to Regulatory Policy Division, Bureau of Industry and Security, Room 2705, U.S. Department of Commerce, Washington, DC 20230. Refer to regulatory identification number 0694-AD19 in all comments.

FOR FURTHER INFORMATION CONTACT:

Norman LaCroix, Director, Information Technology Controls Division, Office of National Security and Technology Transfer Controls, (202) 482-4439.

SUPPLEMENTARY INFORMATION:

This rule removes the requirement to make a separate request for de minimis eligibility when submitting a review request for some encryption commodities and software under License Exception ENC. Foreign made items incorporating U.S. origin encryption items that have met specified notification or review requirements under mass market, License Exception TSU or License Exception ENC procedures will be treated like foreign made items that incorporate other U.S. origin items, in determining de minimis eligibility. This rule removes certain reporting requirements in License Exception TMP regarding beta test encryption software. This rule reduces the notification requirements for exports and reexports of certain “publicly available” encryption software that has been posted to the Internet pursuant to License Exception TSU by removing the requirement to notify the U.S. Government of updates or modifications if the Internet location has not changed. This rule simplifies License Exception ENC review requirements for exports and reexports of eligible encryption items, by implementing a uniform 30 day period for most encryption reviews and by clarifying the criteria by which licensing requirements to certain “government end-users” are determined. In connection with this 30 day period associated with the initial U.S. Government technical review of an encryption item, this rule authorizes BIS to, at any time, require additional technical information about an encryption item submitted for review and, if the information is not furnished, to suspend or revoke authorization to use License Exception ENC with respect to the item for which the information is sought. This rule also expands the list of countries to which certain encryption items may be sent immediately, once a review request is submitted to the U.S. Government. The list (Supplement No. 3 to part 740) now covers all current members of the European Union (EU), to include those countries that joined the EU on May 1, 2004. This rule updates and clarifies several encryption review requirements in License Exception ENC and clarifies the definition of the term “hold without action” in the Export Administration Regulations. This rule also makes some technical changes, and revises the e-mail address of the ENC Encryption Request Coordinator from enc@ncsc.mil to enc@nsa.gov to match the current e-mail address of that organization.

Although this rule is issued in final form and there is no formal comment period, comments on this rule are welcomed on an ongoing basis.

Determining When a Foreign Made Item Is Subject to the EAR

Section 734.4 of the EAR describes situations under which foreign made items are not subject to the Export Administration Regulations because the U.S. origin items that they incorporate are less than a defined “de minimis” percentage of their content. This rule removes the requirement for U.S. firms to request eligibility for de minimis treatment when submitting their encryption commodity or software for review to obtain authorization for export and reexport under License Exception ENC (§ 740.17 of the EAR). As a result, foreign made items containing most U.S. origin encryption commodities or software that have met the notification, review or determination requirements specified in revised § 734.4(b) are now treated, for purposes of de minimis calculations, in the same way as foreign made items that incorporate other U.S. origin dual-use items. However, there is no de minimis eligibility for encryption technology controlled under Export Control Classification Number (ECCN) 5E002, or for foreign made items going to a destination in Country Group E:1 when the foreign item contains U.S. origin restricted encryption content described in § 740.17(b)(2) of the EAR (e.g. network infrastructure commodities and software controlled under ECCNs 5A002 and 5D002, cryptanalytic items, and ECCN 5D002 encryption source code that is not “publicly available” as that term is used in License Exception TSU, § 740.13(e)(1) of the EAR). This rule also makes conforming changes to § 732.2(d) to reflect these new de minimis procedures.

Exports of Beta Test Encryption Software Under License Exception TMP

This rule removes the requirements to report the names and addresses of testing consignees by removing § 740.9(c)(8)(ii). It restructures, but makes no other substantive changes to § 740.9(c)(8). It retains the notification requirements of that paragraph and changes an e-mail address.

Exports of Certain “Publicly Available” Encryption Software Under License Exception TSU

For “publicly available” encryption software that has been posted to the Internet after notification to BIS and the ENC Encryption Request Coordinator under § 740.13(e), this rule removes the requirement to provide notice of updates or modifications made to the encryption software at the previously notified location. This rule makes no other substantive changes to this section, but substantially reorganizes it.

License Exception ENC Review Requirements for Certain Encryption Items That Are Neither Publicly Available Nor Determined by BIS To Be Eligible for “Mass Market” Treatment

This rule clarifies the scope of License Exception ENC by replacing, throughout § 740.17, the phrase (and its variants) “encryption items controlled under ECCN 5A002, 5D002 or 5E002, and ‘information security’ test, inspection, and production equipment controlled under ECCN 5B002” with a list of the specific ECCNs (including the sub-paragraph number, where needed for clarity) that identify which items subject to the EAR are eligible for this license exception. It consolidates the provisions and restrictions that apply to the entire license exception, in a revised introductory paragraph and a new paragraph (f), respectively. It removes repetitive references to such provisions and restrictions from various paragraphs. It also replaces the “Grandfathering” paragraph (former § 740.17(d)(2)) with specific information in paragraphs (a), (b)(2), and (b)(3) describing the extent to which prior U.S. Government reviews may be used to satisfy current License Exception ENC encryption review requirements.

This rule retains the basic structure of License Exception ENC, by addressing exports and reexports to countries listed in Supplement No. 3 to part 740 in paragraph (a) and exports to other countries in paragraph (b). Paragraph (b) continues to be further subdivided, providing separate provisions for exports and reexports to: Subsidiaries of U.S. companies (paragraph (b)(1)); non-“government end-users” for certain restricted items (as described in paragraph (b)(2)); and both “government end-users” and non-“government end-users” for all other items (paragraph (b)(3)). However, important substantive changes and clarifications are made to all of these paragraphs. Those changes and clarifications are discussed below.

Exports, Reexports and Technical Assistance to Countries Listed in Supplement No. 3 to Part 740 (§ 740.17(a))

This rule revises § 740.17(a) so that the section not only continues to authorize the export and reexport of encryption items under specified circumstances, but also allows the provision of technical assistance related to encryption items (as described in § 744.9 of the EAR), when the technical assistance is provided to end-users located or headquartered in Canada or in countries listed in Supplement No. 3 to part 740. This rule also removes the specific reference in this paragraph to the prohibition on exports or reexports of encryption source code and technology to nationals of countries listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR, as such general restrictions on the use of License Exception ENC have been consolidated into a new paragraph (f). It also divides paragraph (a) into three paragraphs designated § 740.17 (a)(1), § 740.17 (a)(2), and § 740.17(a)(3).

Section 740.17(a)(1) eliminates the requirement that the U.S. Government review the encryption items and related technical assistance prior to their being provided for internal company use in the development of new products by private sector end-users that are headquartered in Canada or in countries listed in Supplement No. 3 to part 740. However, it retains the requirement that such new product encryption items developed by those end-users be reviewed by the U.S. Government before the finished products are transferred to others. It also defines “private sector end-user” for the purposes of this paragraph.

Section 740.17(a)(2) states that certain items reviewed and authorized for export and reexport prior to October 19, 2000 are authorized for continued export and reexport under revised § 740.17(a), without additional U.S. Government review.

Section § 740.17(a)(3) retains the existing License Exception ENC provisions requiring submission of an encryption review request to BIS and the ENC Encryption Request Coordinator before export or reexport of: Finished encryption products to end-users located in countries listed in Supplement No. 3 to part 740; finished products to foreign subsidiaries and offices of end-users headquartered in Canada or in countries listed in Supplement No. 3 to part 740; and other encryption items (including technology and related technical assistance) to end-users located in, but not headquartered in, countries listed in Supplement No. 3 to part 740.

Export and Reexports to Other Countries (§ 740.17(b))

This rule makes no substantive changes to paragraph (b)(1), which deals with exports and reexports to subsidiaries of U.S. companies, but substantially reorganizes it. As with paragraph (a), the rule also removes the specific reference in this paragraph to the prohibition on exports or reexports of encryption source code and technology to nationals of countries listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR, as such general restrictions on the use of License Exception ENC have been consolidated into a new paragraph (f).

This rule replaces the previous illustrative descriptions of “retail” and other “equivalent functionality” encryption commodities and software (eligible for export and reexport to both “government end-users” and non-“government end-users” in paragraph (b)(3)), with an exclusive list in paragraph (b)(2) of those encryption commodities and software that are eligible only to non- “government end-users”. Except for commodities and software that provide an “open cryptographic interface” or that are specified in paragraph (b)(2), all encryption products eligible for License Exception ENC qualify under paragraph (b)(3), thereby removing the need for “retail” or other “equivalent functionality” considerations.

This rule also replaces the requirement for obtaining specific U.S. Government authorization before exporting or reexporting under paragraph (b)(3) with a 30 day waiting period, calculated in calendar days beginning with the date that an encryption review request for the commodity or software is registered with BIS. For encryption reviews that are not completed by BIS within this 30 day period, the exporter may ship after the waiting period has elapsed. As with similar requirements in the current rule, the 30 day waiting period does not include any time that BIS places the review request on “hold without action”. Upon completion of BIS's review, BIS will provide written notice of the provisions, if any, of § 740.17 under which the encryption item may be exported or reexported.

This rule also removes the word “retail” from § 740.17(b)(3), except in paragraph (b)(3)(ii)(A), which describes the extent to which items previously classified as “retail” may be exported and reexported under paragraph (b)(3) without further U.S. Government review. BIS believes that these changes will help readers more readily distinguish the procedure for making certain non-“mass-market” encryption commodities and software eligible for export and reexport under License Exception ENC from the procedure by which “mass market” encryption commodities and software are removed from the scope of ECCNs 5A002 or 5D002 pursuant to § 742.15(b)(2) of the EAR.

Reporting Requirements (§ 740.17(e))

This rule clarifies that the semi-annual reporting requirements of License Exception ENC apply to exports from the United States to all destinations except Canada, and to reexports from Canada to other foreign destinations. In conformance with the revisions to § 740.17(b)(3), under paragraph (e)(4) (“Exclusions from reporting requirements”) this rule removes the word “retail” and the phrase “designed for, bundled with, or pre-loaded on single CPU computers, laptops or hand-held devices.”

Other Changes to License Exception ENC

This rule eliminates all references to requesting eligibility for de minimis treatment from License Exception ENC because such special requests are no longer required due to the changes in §§ 734.4(a)(2) and 734.4(b) made by this rule. This rule revises § 740.17(d) by changing the title from “Review requirements” to “Review request procedures” to more accurately reflect its contents. This rule also substantially reorganizes paragraph (d)(3) and institutes an e-mail notification procedure in place of the previous requirement that product key length increases authorized under this paragraph be certified to BIS and the ENC Encryption Request Coordinator in a letter from a corporate official.

Lastly, this rule contains a new provision authorizing BIS to contact the submitter of a review request at any time, even after the 30-day waiting periods prescribed in §§ 740.17(b)(2)(ii) or 740.17(b)(3)(ii)(B) have passed, to request additional information about an encryption item. If the submitter does not supply the requested information within 14 days after receiving the request from BIS, BIS may suspend or revoke the submitter's right to use License Exception ENC for the item about which the additional information is sought. If the submitter requests additional time to collect the information before the date it is due to BIS, BIS may grant up to an additional 14 days if BIS concludes that such additional time is necessary.

Supplement No. 3 to Part 740

This rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia and Slovenia to Supplement No. 3 to part 740 because those countries were admitted to the European Union on May 1, 2004 and were not previously listed in this supplement. (Although the Czech Republic, Hungary and Poland were also admitted to the European Union on May 1, 2004, these three countries were previously listed in Supplement No. 3 to part 740.) This supplement identifies the countries that are eligible to receive both “mass-market” encryption products and non- “mass-market” encryption items from the United States, immediately after the U.S. origin items are registered with BIS for review (i.e., without a 30 day waiting period) under § 740.17(a) or § 742.15(b)(2) of the EAR. The addition of these countries to Supplement No. 3 continues the United States Government's practice of authorizing such immediate exports and reexports of encryption items to countries in the European Union's license-free zone. This rule also changes the title of this supplement from “License Exception ENC country group.” to “Countries eligible for the provisions of § 740.17(a).” The revised title more accurately describes the supplement, which lists the countries that are relevant to the provisions of § 740.17(a) but does not set forth any geographic limitation on the use of other provisions of License Exception ENC.

Section 742.15

This rule adds to § 742.15(b)(1) the e-mail addresses of BIS and the ENC Encryption Request Coordinator to which advance notifications of exports and reexports of encryption items controlled under ECCNs 5A992, 5D992 or 5E992 must be sent if a person wishes to export or reexport such items without a license under this section.

Supplement No. 6 to Part 742

To expedite the handling of encryption review requests and reduce the need for U.S. Government requests for additional information from submitters, this rule revises paragraph (c)(8) to require that similar information be provided regarding third-party encryption hardware components as is currently required for software components. This rule also revises paragraph (c)(11) by eliminating the word “retail” in conformance with the revisions to § 740.17(b)(3).

Section 744.9

This rule updates the paragraph pertaining to “Restrictions on Technical Assistance by U.S. Persons with Respect to Encryption Items” by replacing a previous reference to “classification request” with “encryption review request”, and by adding references to § 740.17(a)(1) and § 740.17(a)(3) in conformance with the revisions to License Exception ENC.

Section 772.1—Definition of “Hold Without Action”

This rule adds a sentence to the end of the definition to make clear that, unlike the procedure for license applications, BIS is not restricted to the circumstances described in § 750.4(c) of the EAR when determining that an encryption review request may be placed on “hold without action” status.

Administrative Changes

This rule revises the e-mail address of the ENC Encryption Request Coordinator wherever it appears in § 740.9, § 740.13, and § 740.17 from enc@ncsc.mil to enc@nsa.gov to reflect the current e-mail address of that organization. In § 740.17(e)(5)(i), this rule revises the mailing address of the BIS office to which semi-annual License Exception ENC reports are sent, to reflect the current name of that office.

Although the Export Administration Act expired on August 20, 2001, Executive Order 13222 of August 17, 2001 (3 CFR, 2001 Comp., p. 783 (2002)), as extended by the Notice of August 6, 2004, 69 FR 48763 (August 10, 2004) continues the Regulations in effect under the International Emergency Economic Powers Act.

Rulemaking Requirements:

1. This rule has been determined to be significant for purposes of E.O. 12866.

2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA), unless that collection of information displays a currently valid Office of Management and Budget (OMB) Control Number. This rule contains collections of information subject to the PRA. These collections have been approved by OMB under control number 0694-0088, “Multi-Purpose Application,” which carries a burden hour estimate of 58 minutes to prepare and submit form BIS-748, and control number 0694-0104 “Encryption Items Under the Jurisdiction of the Department of Commerce, Forms BIS 742R and 742S” which carries a total estimated burden of 2,830 hours among an estimated 680 respondents. Send comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, to David Rostker, OMB Desk Officer, by e-mail at david_rostker@omb.eop.gov or by fax to 202.395.285; and to the Regulatory Policy Division, Bureau of Industry and Security, Department of Commerce, P.O. Box 273, Washington, DC 20044.

3. This rule does not contain policies with Federalism implications as this term is defined in Executive Order 13132.

4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 5 U.S.C. 553 or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq. ) are not applicable. Therefore, this rule is being issued in final form.

List of Subjects

15 CFR Parts 732 and 740

  • Administrative practice and procedure
  • Exports
  • Reporting and recordkeeping requirements

15 CFR Part 734

  • Administrative practice and procedure
  • Exports
  • Inventions and patents
  • Research
  • Science and technology

15 CFR Part 742

  • Exports
  • Terrorism

15 CFR Part 744

  • Exports
  • Reporting and recordkeeping requirements
  • Terrorism

15 CFR Part 772

  • Exports

Accordingly, parts 732, 734, 740, 742, 744 and 772 of the Export Administration Regulations (15 CFR parts 730-799) are amended as follows:

PART 732—[AMENDED]

1. The authority citation for part 732 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004).

2. In § 732.2 revise the introductory text of paragraph (d) to read as follows.

§ 732.2
Steps regarding scope of the EAR.

(d) Step 4: Foreign-made items incorporating less than the de minimis level of U.S. parts, components, and materials. This step is appropriate only for items that are made outside the United States and not currently in the United States. Special requirements and restrictions apply to items that incorporate U.S. origin encryption items (see § 734.4(a)(2) and (b) of the EAR).

PART 734—[AMENDED]

3. The authority citation for part 734 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637 (November 8, 2004).

4. In § 734.4 revise paragraph (a)(2), add paragraph (b), and revise the introductory texts of paragraphs (c) and (d) to read as follows:

§ 734.4
De Minimis U.S. Content.

(a) * * *

(2) Foreign produced encryption technology that incorporates U.S. origin encryption technology controlled by ECCN 5E002 is subject to the EAR regardless of the amount of U.S. origin content.

(b) Special requirements for certain encryption items. Foreign made items that incorporate U.S. origin items that are listed in this paragraph are subject to the EAR unless they meet the de minimis level and destination requirements of paragraph (c) or (d) of this section and the requirements of this paragraph.

(1) The U.S. origin commodities or software, if controlled under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002, must have been:

(i) Authorized for license exception TSU because of having met the notification requirements of § 740.13(e) of the EAR (ECCN 5D002 only);

(ii) Authorized for License Exception ENC by BIS after a review pursuant to § 740.17(b)(3) of the EAR; or

(iii) Authorized for License Exception ENC by BIS after a review pursuant to § 740.17(b)(2), and the foreign made product will not be sent to any destination in Country Group E:1 in Supplement No. 1 to part 740 of the EAR.

(2) The U.S. origin encryption items, if controlled under ECCNs 5A992, 5D992, or 5E992 must:

(i) Have met the notification requirements of § 742.15(b)(1) of the EAR; or

(ii) Have been determined by BIS to be “mass market” commodities or software after a review in accordance with § 742.15(b)(2) of the EAR (ECCNs 5A992 and 5D992 only); or

(iii) Be an item described in § 742.15(b)(3)(ii) or § 742.15(b)(3)(iii) of the EAR.

Note to paragraph (b):

See supplement No. 2 to this part for de minimis calculation procedures and reporting requirements.

(c) Except as provided in paragraphs(a) and (b)(1)(iii) and subject to the provisions of paragraphs (b)(1)(i), (b)(1)(ii) and (b)(2) of this section, the following reexports are not subject to the EAR when made to a terrorist-supporting country listed in Country Group E:1 (see Supplement No. 1 to part 740 of the EAR).

(d) Except as provided in paragraph (a) of this section and subject to the provisions of paragraph (b) of this section, the following reexports are not subject to the EAR when made to countries other than those described in paragraph (c) of this section.

PART 740—[AMENDED]

5. The authority citation for part 740 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; Sec. 901-911, Pub. L. 106-387; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004).

6. In § 740.9, revise paragraph (c)(8) to read as follows:

§ 740.9
Temporary imports, exports, and reexports (TMP).

(c) * * *

(8) Notification of beta test encryption software. For beta test encryption software eligible under this license exception you must, by the time of export or reexport, submit the information described in paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR by e-mail to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov.

7. In § 740.13, revise paragraph (e) as follows.

§ 740.13
Technology and software—unrestricted (TSU).

(e) Encryption source code (and corresponding object code).

(1) Scope and eligibility. This paragraph (e) authorizes exports and reexports, without review, of encryption source code controlled by ECCN 5D002 that, if not controlled by ECCN 5D002, would be considered publicly available under § 734.3(b)(3) of the EAR. Such source code is eligible for License Exception TSU under this paragraph (e) even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. This paragraph also authorizes the export and reexport of the corresponding object code (i.e., that which is compiled from source code that is authorized for export and reexport under this paragraph) if both the object code and the source code from which it is compiled would be considered publicly available under § 734.3(b)(3) of the EAR, if they were not controlled under ECCN 5D002.

(2) Restrictions. This paragraph (e) does not authorize:

(i) Export or reexport of any encryption software controlled under ECCN 5D002 that does not meet the requirements of paragraph (e)(1), even if the software incorporates or is specially designed to use other encryption software that meets the requirements of paragraph (e)(1) of this section; or

(ii) Any knowing export or reexport to a country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR.

(3) Notification requirement. You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the source code or provide each of them a copy of the source code at or before the time you take action to make the software publicly available as that term is described in § 734.3(b)(3) of the EAR. If you elect to meet this requirement by providing copies of the source code to BIS and the ENC Encryption Request Coordinator, you must provide additional copies to each of them each time the cryptographic functionality of the software is updated or modified. If you elect to provide the Internet location of the source code, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption software at the previously notified location. In all instances, submit the notification or copy to crypt@bis.doc.gov and to enc@nsa.gov.

Note

to paragraph (e). Posting encryption source code and corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone neither establishes “knowledge” of a prohibited export or reexport for purposes of this paragraph, nor triggers any “red flags” necessitating the affirmative duty to inquire under the “Know Your Customer” guidance provided in Supplement No. 3 to part 732 of the EAR.

8. In § 740.17, revise the introductory text and paragraphs (a), (b), (d) and (e), and add paragraph (f) to read as follows:

§ 740.17
Encryption software and commodities (ENC).

Subject to the eligibility criteria and restrictions described in paragraphs (a), (b) and (f) of this section, License Exception ENC is available for the export and reexport of: commodities and software controlled by ECCNs 5A002.a.1, .a.2, .a.5, and .a.6, 5B002, and 5D002 that do not meet the “mass market” criteria of the Cryptography Note (Note 3) of Category 5, part 2 (“Information Security”) of the Commerce Control List (Supplement No. 1 to part 774 of the EAR); technology controlled by ECCN 5E002; and certain technical assistance as described in § 744.9 of the EAR. The initial export or reexport of an encryption commodity or software under paragraphs (b)(2) or (b)(3) of this section is subject to a 30 day waiting period, as described in paragraph (d)(2) of this section. In addition, persons exporting or reexporting under paragraphs (a), (b)(2) or (b)(3) of this section must file the semi-annual reports required by paragraph (e) of this section. Review request procedures for encryption items eligible for License Exception ENC are described in paragraph (d) of this section (e.g., for items that have not previously been reviewed, or for items that have been reviewed but for which the cryptographic functionality has been changed). See § 742.15(b)(2) of the EAR for similar review procedures for “mass market” encryption commodities and software.

(a) Exports, reexports, and technical assistance to countries listed in Supplement No. 3 to this part. This paragraph (a) authorizes export or reexport of items controlled under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002, or 5E002, and provision of technical assistance described in § 744.9 of the EAR, to end-users in countries listed in Supplement No. 3 to part 740 of the EAR. This paragraph also authorizes exports or reexports to foreign subsidiaries and offices of end-users headquartered in Canada or in countries listed in Supplement No. 3 to part 740. In addition, the transaction must meet the terms of paragraphs (a)(1), (a)(2), or (a)(3) of this section.

(1) Internal development of new products. No prior review is required for exports or reexports of U.S. origin encryption items or related technical assistance under this paragraph (a) to private sector end-users that are headquartered in Canada or in countries listed in Supplement No. 3 to part 740, for internal use for the development of new products by those end-users and their offices or subsidiaries. Any encryption item produced or developed with an item exported or reexported under this paragraph (a)(1) is subject to the EAR and requires review and authorization before any sale or retransfer outside of the private sector end-user that developed it. In this paragraph (a)(1), private sector end-user means:

(i) An individual who is not acting on behalf of any foreign government; or

(ii) A commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, or otherwise controlled by or acting on behalf of, any foreign government.

(2) Items previously reviewed by the U.S. Government. No additional U.S. Government review is required under this paragraph (a) for export or reexport of encryption commodities or software or parts or components thereof that, prior to October 19, 2000, were authorized for export or reexport under a license or Encryption Licensing Arrangement, or were reviewed and authorized for export and reexport to entities other than U.S. subsidiaries under License Exception ENC. No additional U.S. Government review is required under this paragraph for export or reexport of encryption technology that, prior to October 19, 2000, was approved for export or reexport under a license or Encryption Licensing Arrangement.

(3) Other transactions. For any use not described in paragraph (a)(1) of this section, before you export or reexport any item or related technical assistance that has not been previously reviewed by the U.S. Government and authorized under this paragraph (a), you must submit a review request in accordance with paragraph (d) of this section.

(b) Exports and reexports to countries not listed in supplement No. 3 to this part. (1) Encryption items for U.S. subsidiaries. This paragraph (b)(1) authorizes export, or reexport or items controlled under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002 or 5E002:

(i) To any “U.S. subsidiary”; and

(ii) By a U.S. company and its subsidiaries to foreign nationals who are employees, contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the development of new products.

(iii) General restriction. All items produced or developed with commodities, software or technology exported under this paragraph (b)(1) are subject to the EAR and require review and authorization before sale or transfer outside the U.S. company and its subsidiaries.

(2) Encryption commodities and software restricted to non-“government end-users.” This paragraph (b)(2) authorizes the export and reexport of items described in § 740.17(b)(2)(iii) of the EAR that do not provide an “open cryptographic interface” and that are controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002 to individuals, commercial firms, and other entities that are not “government end-users” and that are not located in a country listed in Supplement No. 3 to this part. In addition, the transaction must meet the provisions of either § 740.17(b)(2)(i) or (ii) of the EAR.

(i) Commodities and software previously reviewed by the U.S. Government. No additional U.S. Government review is required under this paragraph (b)(2) for export or reexports of encryption commodities or software or parts or components thereof that, prior to October 19, 2000, were authorized for export or reexport under a license or Encryption Licensing Arrangement, or were reviewed and authorized for export and reexport to entities other than U.S. subsidiaries under License Exception ENC.

(ii) Other commodities and software not previously reviewed. Before exporting or reexporting any item that has not been reviewed by the U.S. Government and authorized under this paragraph (b)(2), you must submit a review request in accordance with paragraph (d) of this section and wait until 30 days after that request is registered (as defined in § 750.4(a)(2) of the EAR) with BIS. Days during which the review request is on “hold without action” status are not counted towards fulfilling the 30 day waiting period.

(iii) The encryption commodities, software and components eligible for export or reexport under this paragraph (b)(2) (see paragraph (b)(3) of this section for commodities, software and components not listed in this paragraph (b)(2)(iii)) are:

(A) Network infrastructure commodities and software, and parts and components thereof (including commodities and software necessary to activate or enable cryptographic functionality in network infrastructure products) providing secure Wide Area Network (WAN), Metropolitan Area Network (MAN), Virtual Private Network (VPN), satellite, cellular or trunked communications meeting any of the following with key lengths exceeding 64-bits for symmetric algorithms:

(1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput (includes communications through wireless network elements such as gateways, mobile switches, controllers, etc.) greater than 44 Mbps.; or

(2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-channel input data rate exceeding 44 Mbps; or

(3) Maximum number of concurrent encrypted data tunnels or channels exceeding 250; or

(4) Air-interface coverage (e.g., through base stations, access points to mesh networks, bridges, etc.) exceeding 1,000 meters, where any of the following applies:

(i) Maximum data rates exceeding 5 Mbps (at operating ranges beyond 1,000 meters); or

(ii) Maximum number of concurrent full-duplex voice channels exceeding 30; or

(iii) Substantial support is required for installation or use.

(B) Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in § 740.13(e)(1) of the EAR.

(C) Encryption commodities or software that do not provide an “open cryptographic interface”, but that have:

(1) Been modified or customized for government end-user(s) or government end-use (e.g. to secure departmental, police, state security, or emergency response communications); or

(2) Cryptographic functionality that has been modified or customized to customer specification; or

(3) Cryptographic functionality or “encryption component” (except encryption software that would be considered publicly available, as that term is used in § 740.13(e)(1) of the EAR) that is user-accessible and can be easily changed by the user.

(D) “Cryptanalytic items”; or

(E) Encryption commodities and software that provide functions necessary for quantum cryptography; or

(F) Encryption commodities and software that have been modified or customized for computers controlled by ECCN 4A003.

(3) Encryption commodities, software and components available to both “government end-users” and to non-“government end-users”. This paragraph authorizes export and reexport of commodities, software and components controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, or 5D002. To be eligible under this paragraph (b)(3) the requirements of paragraphs (b)(3)(i) and (b)(3)(ii) must be met.

(i) The commodities or software must not:

(A) Provide an “open cryptographic interface”; or

(B) Be listed in paragraph (b)(2) of this section.

(ii) Review and authorization requirement. (A) Commodities and software previously reviewed by the U.S. Government. Encryption commodities, software and components reviewed and authorized by BIS for export and reexport as “retail” commodities or software under this paragraph (b)(3) prior to December 9, 2004 do not require additional review or authorization for export or reexport under this paragraph.

(B) Other commodities and software not previously reviewed. Before exporting or reexporting any item that has not been reviewed by the U.S. Government and authorized under this paragraph (b)(3), you must submit a review request in accordance with paragraph (d) of this section and wait until 30 days after that request is registered (as defined in § 750.4(a)(2) of the EAR) with BIS. Days during which the review request is on “hold without action” are not counted towards fulfilling the 30 day waiting period.

(4) Exemptions from the 30 day waiting period and review requirements. (i) Exemptions from the 30 day waiting period. Items listed in this paragraph (b)(4)(i) may be exported or reexported under authority of paragraphs (b)(2) or (b)(3) immediately upon filing the review requests required by those paragraphs provided all other requirements for export or reexport under the paragraph being relied upon are met.

(A) Encryption commodities and software (including key management products) with key lengths not exceeding 64 bits for symmetric algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 bits for elliptic curve algorithms;

(B) Encryption source code that would not be considered publicly available for export or reexport under License Exception TSU, provided that a copy of your source code is included in the review request to BIS and the ENC Encryption Request Coordinator.

(ii) Exemptions from the review requirement. The following products do not require review under this license exception, but remain subject to the EAR (including all terms and provisions of this license exception, and all licensing requirements that may apply to a particular item or transaction for reasons other than encryption):

(A) Commodities and software that would not otherwise be controlled under Category 5 (telecommunications and “information security”) of the Commerce Control List, but that are controlled under ECCN 5A002 or 5D002 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with an operating range typically not exceeding 100 meters);

(B) Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits (or otherwise designed to operate with U.S. products, e.g., via signing), provided that the U.S.-origin encryption items (and related technical assistance, as described in § 744.9 of the EAR) have previously been reviewed and authorized by BIS and the cryptographic functionality has not been changed.

(d) Review request procedures. To request review of your encryption items under License Exception ENC (e.g., for items that have not previously been reviewed, or for items that have been reviewed but for which the cryptographic functionality has been changed), you must submit to BIS and to the ENC Encryption Request Coordinator the information described in paragraph (d)(1) of this section and in paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR (Guidelines for Submitting Review Requests for Encryption Items).

(1) Instructions for requesting review. Review requests must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, as described in § 748.3 of the EAR. To ensure that your review request is properly routed, insert the phrase “License Exception ENC” in Block 9 (Special Purpose) of the paper or electronic application. Also, place an “X” in the box marked “Classification Request” in Block 5 (Type of Application) of Form BIS-748P or select “Commodity Classification” if filing electronically. Neither the electronic nor paper forms provide a separate Block to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. Review requests that are not submitted electronically to BIS should be mailed to the address indicated on the BIS-748P form. See paragraph (e)(5)(ii) of this section for the mailing address for the ENC Encryption Request Coordinator.

(2) Action by BIS. Upon completion of its review, BIS will send you written notice of the provisions, if any, of this section under which your items may be exported or reexported. If BIS has not, within 30 days of registration of a complete review request from you, informed you that your item is not authorized for License Exception ENC, you may export or reexport under the applicable provisions of License Exception ENC. BIS may hold your review request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate determination with respect to ENC eligibility. Time on such “hold without action” status shall not be counted towards fulfilling the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility for License Exception ENC at any time, before or after the expiration of the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. If you do not supply such information within 14 days after receiving a request for it from BIS, BIS may return your review request(s) without action or otherwise suspend or revoke your eligibility to use License Exception ENC for that item(s). At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS, and may be approved if BIS concludes that additional time is necessary.

(3) Key length increases. Commodities and software that are modified only to upgrade the key length used for confidentiality or key exchange algorithms (after having been reviewed and authorized for License Exception ENC by BIS) may be exported or reexported under the previously authorized provision of License Exception ENC without further review, provided:

(i) The exporter or reexporter certifies to BIS and the ENC Encryption Request Coordinator that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms;

(ii) The certification includes the original authorization number issued by BIS and the date of issuance;

(iii) The certification is received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and

(iv) The certification is e-mailed to crypt@bis.doc.gov and enc@nsa.gov.

(e) Reporting requirements. (1) Semi-annual reporting requirement. Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada, under this license exception. Certain encryption items and transactions are excluded from this reporting requirement (see paragraph (e)(4) of this section). For instructions on how to submit your reports, see paragraph (e)(5) of this section.

(2) General information required. Exporters must include all of the following applicable information in their reports:

(i) For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end-user's name and address;

(ii) For items exported (or reexported from Canada) to individual consumers through direct sale (provided the transaction is not exempted from reporting under paragraph (e)(4)(iii) or (e)(4)(iv) of this section), the name and address of the recipient, the item, and the quantity exported;

(iii) For exports of ECCN 5E002 items to be used for technical assistance that are not released by § 744.9 of the EAR, the name and address of the end-user; and

(iv) For each item, the authorization number and the name of the item(s) exported (or reexported from Canada).

(3) Information on foreign manufacturers and products that use encryption items. For direct sales or transfers, under License Exception ENC, of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an “open cryptographic interface” to foreign developers or manufacturers when intended for use in foreign products developed for commercial sale, you must submit the names and addresses of the manufacturers using these encryption items and, if you know when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available).

(4) Exclusions from reporting requirements. Reporting is not required for the following items and transactions:

(i) Any encryption item exported or reexported under paragraph (a)(1) or (b)(1) of this section;

(ii) Encryption commodities or software with a symmetric key length not exceeding 64 bits;

(iii) Encryption commodities and software authorized under paragraph (b)(3) of this section, exported (or reexported from Canada) to individual consumers;

(iv) Encryption items exported (or reexported from Canada) via free and anonymous download;

(v) Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations;

(vi) Items that incorporate components limited to providing short-range wireless encryption functions;

(vii) General purpose operating systems, or desktop applications (e.g., e-mail, browsers, games, word processing, data base, financial applications or utilities) authorized under paragraph (b)(3) of this section;

(viii) Client Internet appliance and client wireless LAN cards; or

(ix) Foreign products developed by bundling or compiling of source code.

(5) Submission requirements. You must submit the reports required under this section, semi-annually, to BIS and to the ENC Encryption Request Coordinator, unless otherwise provided in this paragraph (e)(5). For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks and CDs containing the reports may be sent to the following addresses:

(i) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: Encryption Reports, and

(ii) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000.

(f) Restrictions. Notwithstanding any language elsewhere in this section, License Exception ENC does not authorize:

(1) Any export or reexport of any “cryptanalytic item” to any “government end-user” (as that definition is applied to encryption items); or

(2) Any export or reexport of any “open cryptographic interface” item to any end-user not located in or headquartered in Canada or in countries listed in Supplement No. 3 part 740 of the EAR; or

(3) Any export or reexport to, or provision of any service in any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR; or

(4) Furnishing source code or technology to any national of a country listed in Country Group E:1.

9. Revise Supplement No. 3 to part 740 to read as follows:

Supplement No. 3 to Part 740—Countries Eligible for the Provisions of § 740.17(a)

Austria.

Australia.

Belgium.

Cyprus.

Czech Republic.

Estonia.

Denmark.

Finland.

France.

Germany.

Greece.

Hungary.

Ireland.

Italy.

Japan.

Latvia.

Lithuania.

Luxembourg.

Malta.

Netherlands.

New Zealand.

Norway.

Poland.

Portugal.

Slovakia.

Slovenia.

Spain.

Sweden.

Switzerland.

United Kingdom.

PART 742—AMENDED

10. The authority citation for part 742 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; Sec 1503, Pub.L. 108-11,117 Stat. 559; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637 (November 8, 2004).

11. In § 742.15, revise the first sentence of paragraph (b)(1) and the last sentence of the introductory text to paragraph (b)(2) to read as follows:

§ 742.15
Encryption items.

(b) * * *

(1) Notification requirement for specified encryption items. You may export or reexport encryption items controlled under ECCNs 5A992, 5D992, or 5E992 and identified in paragraphs (b)(1)(i) or (b)(1)(ii) of this section to most destinations without a license (NLR: No License Required), provided that you have submitted to BIS and to the ENC Encryption Request Coordinator at crypt@bis.doc.gov and enc@nsa.gov, by the time of export, the information described in paragraphs (a) through (e) of Supplement No. 6 to this part. * * *

(2) Review requirement for mass market encryption commodities and software exceeding 64 bits. * * * Encryption commodities and software that are described in § 740.17(b)(2) of the EAR do not qualify for mass market treatment.

12. In part 742, Supplement Number 6, revise paragraphs (c)(8) and (c)(11) to read as follows:

Supplement No. 6 to Part 742—Guidelines for Submitting Review Requests for Encryption Items

(c) * * *

(8) Describe the cryptographic functionality that is provided by third-party hardware or software encryption components (if any). Identify the manufacturers of the hardware or software components, including specific part numbers and version information as needed to describe the product. Describe whether the encryption software components (if any) are statically or dynamically linked.

(11) For products that meet the requirements of § 740.17(b)(3)—Encryption commodities, software and components available to both “government end-users” and to non-“government end-users”—describe how they are not restricted by the provisions of § 740.17(b)(2).

PART 744—[AMENDED]

13. The authority citation for part 744 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60 FR 5079, 3 CFR, 1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p. 208; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224, 66 FR 49079, 3 CFR, 2001 Comp., p. 786; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637 (November 8, 2004).

14. In § 744.9, revise paragraph (a) to read:

§ 744.9
Restrictions on technical assistance by U.S. persons with respect to encryption items.

(a) General prohibition. No U.S. person may, without authorization from BIS, provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled for EI reasons under ECCN 5A002 or 5D002. Technical assistance may be exported and reexported immediately to nationals of the countries listed in Supplement 3 to part 740 of the EAR (except for technical assistance to government end-users for cryptanalytic items), provided that the exporter has submitted to BIS a completed encryption review request by the time of export (as described in § 740.17(a)(3) of the EAR, for technical assistance not otherwise authorized under § 740.17(a)(1) of the EAR). Note that this prohibition does not apply if the U.S. person providing the assistance has a license or is otherwise entitled to export the encryption commodities and software in question to the foreign person(s) receiving the assistance. Note in addition that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting or in the work of groups or bodies engaged in standards development, by itself would not establish the intent described in this section, even where foreign persons are present.

PART 772—[AMENDED]

15. The authority citation for part 772 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004).

16. In § 772.1, add a sentence to the end of the definition of “hold without action” to read as follows:

§ 772.1
Definitions of terms as used in the Export Administration Regulations (EAR).

Hold Without Action (HWA). * * * Encryption review requests may be placed on hold without action status as provided in § 740.17(d)(2) and § 742.15(b)(2) of the EAR.

Dated: December 2, 2004.

Peter Lichtenbaum,

Assistant Secretary for Export Administration.

[FR Doc. 04-26992 Filed 12-8-04; 8:45 am]

BILLING CODE 3510-33-P