BIS Issues Regulation Reforming Encryption Export Controls
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) took the first step in the export control reform process by publishing an interim final rule in today's Federal Register making significant changes to the Export Administration Regulations (EAR) governing the export of hardware and software containing encryption algorithms and functions.
This interim final rule, which goes into effect today, June 25, 2010, implements the President's statement in a speech at the Export-Import Bank's annual conference in March 2010 that the current review-and-wait and semi-annual sales reporting requirements would be replaced with a "more efficient" one-time notification-and-ship process. While today's regulation eliminates the 30-day technical review and waiting requirement for most software and hardware containing encryption functionality eligible for license exception ENC and qualifying for "mass market" treatment, the new regulation establishes a new company registration requirement and an annual self-classification reporting requirement.
Today's interim final rule also implements the significant change to encryption export controls made at the Wassenaar Arrangement's December 2009 Plenary by revising note 4 to Category 5, Part 2 of the Commerce Control List (CCL) to exclude from the scope of encryption controls items where the cryptography's primary function is not related to communications, networking, computing or “information security.”
According to BIS, the changes made in this regulation are intended to enhance national security by allowing BIS and other government agencies to focus their resources on more sensitive encryption items. This effort is also intended to enhance U.S. exports by reducing interruptions to business cycles and enhancing product development efforts, manufacturing, and product rollout.
While today's regulation is the first step in the reform of export controls on software and hardware containing encryption, BIS has indicated that it will continue to review encryption export controls to ensure the continued competitiveness of U.S. encryption products. This effort will include a review of the current controls on publicly available encryption software, integrated circuits with encryption functionality, high-speed routers and other types of restricted encryption products.
The following is a summary of the significant aspects of the reforms made today to U.S. export controls on software and hardware containing encryption:
A. Changes Made to Encryption Review and Reporting Requirements
Under current encryption controls, three types of items are subject to a 30-day technical review by BIS and the ENC Encryption Request Coordinator at the National Security Agency in Fort Meade:
(1) mass market encryption software (classified as ECCN 5D992.c);
(2) certain less sensitive encryption items (ECCNs 5A992 and 5D992) that can be exported pursuant to License Exception ENC to government and non-government end-users in destinations other than the designated terrorism-supporting countries (License Exception ENC unrestricted - current 15 C.F.R. §740.17(b)(3)); and
(3) sensitive encryption items (ECCNs 5A002 and 5D002) that are made eligible for License Exception ENC to non-government end-users in destinations other than the designated terrorism-supporting countries after review, but for which a license is required for export to government end-users in many countries (License Exception ENC restricted - current 15 C.F.R. § 740.17(b)(2)).
Today's rule removes the review requirement for most mass market and license exception ENC unrestricted items. The items removed from the review requirement include Local Area Network (LAN) products, small routers, and most items that meet the multilateral Wassenaar Arrangement “mass market” criteria. Exporters may now self-classify these items and export them following the submission of a company registration with BIS, answering seven questions using a new submission screen in SNAP-R, BIS’s online system (see screenshot of new registration page below). Upon submission of its registration to BIS, the exporter will receive an “encryption registration number” (ERN). Upon receipt of the ERN, the export under license exception ENC will be authorized for certain ECCNs and the exporter or reexporter will not be required to submit a separate encryption registration, classification request or self-classification report to BIS. However, the party submitting the company registration to BIS will be required to file a report on an annual basis listing the items it has self-classified and exported.
Certain mass market and unrestricted items remain subject to 30-day technical review requirements. These items include:
(1) encryption components;
(2) items that provide or perform non-standard cryptography;
(3) certain items providing or performing vulnerability analysis, network forensics or computer forensics; and
(4) cryptographic enabling commodities and software.
Certain restricted items, such as network infrastructure items that exceed certain technical performance parameters, including routers and 3G wireless base stations, remain subject to the 30-day technical review requirement and require semi-annual sales reporting.
This rule also extends the scope of License Exception ENC eligibility to most encryption technology necessary for manufacturing, development or testing of encryption items to all countries, except those of national security concern or subject to anti-terrorism controls, after the submission of a 30-day review.
The new rule eliminates the 30-day technical review requirement to export most "mass market" products containing encryption functionality. Mass market encryption products are those that are sold in large quantities and are generally available to the public through common retail methods. Exporters and manufacturers of mass market encryption products may now self-classify their products and export them without a license after submission of a company registration via SNAP-R. An annual self-classification report must also be submitted.
BIS estimates that the changes made by today's regulation should decrease technical review submissions by approximately 70% and semi-annual reporting by up to 85%. While technical review submissions will decrease, the submission of exporter registration and annual reporting will not completely eliminate the export control burdens associated with encryption items.
B. Changes Made to Items Incorporating “Ancillary Cryptography”
In December 2009, the Wassenaar Arrangement's member countries agreed to decontrol items meeting the “ancillary cryptography” criteria. This rule implements this decontrol by adding Note 4 to Category 5, Part 2, of the Commerce Control List and by removing all references to “ancillary cryptography” from the EAR. The new Note 4 to Category 5, Part 2, reads as follows:
Note 4: Category 5, Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
As a result, items incorporating or using “cryptography” will no longer be classified under Category 5, Part 2 if their primary function is not communications, networking, computing or “information security” and the cryptographic functionality is limited to supporting the primary function. Examples of such items include robotics, household appliances, fire alarm systems, inventory management software and transportation systems. Such items may be classified under another category of the Commerce Control List or as EAR99.
C. Other Changes to Encryption Export Controls
The interim final rule contains a provision grandfathering most items previously reviewed and classified by BIS for export. As a result, such items will not be subject to the new encryption registration or reporting requirements, as long as the encryption functionality has not changed.
This regulation also makes a number of other important changes to encryption export controls and review and reporting requirements. As a result, manufacturers, developers and exporters of software and hardware containing encryption algorithms and code should carefully review today's regulation to determine the specific requirements applicable to the export of such products.
SNAP-R Encryption Registration Screen Shot