Additional Details from BIS Interim Final Rule on Encryption Reform

June 29, 2010 by Cindy Arevalo|Top News

The Bureau of Industry and Security has issued an interim final rule, which effective June 25, 2010, modified the requirements for License Exception ENC (Encryption Commodities, Software and Technology) and for qualifying an encryption item as mass market. The rule also amended specific license requirements for encryption items.

Comments on the interim final rule are due by August 24, 2010.

BIS states that this rule is the first step in the President’s effort to reform U.S. encryption export controls to enhance national security. (See ITT’s Online Archives or 04/21/10 news, 10042125, for BP summary of the Administration’s plans to fundamentally reform the U.S. export control system.)

(See ITT's Online Archives or 06/25/10 news, 10062539, for previous BP summary announcing this interim final rule.)

Highlights of Interim Final Rule

The following are excerpts of the interim final rule provisions that are highlighted by BIS in the preamble:

Conditional Immediate Authorization to Export Less Sensitive Encryption Items

BIS’ rule establishes two new procedures - company encryption registration and an annual self-classification report - that allow the export without a 30-day technical review of certain less sensitive encryption items under License Exception ENC or as mass market encryption items.

Product Authorization Replaced with Company “Authorization”

Prior to this rule, eligibility under 15 CFR 740.17(b)(3) for License Exception ENC and eligibility under 15 CFR 742.15(b) for mass market treatment required prior submission of a review request and 30-day technical review for most encryption items. This system of authorization centered on product-by-product authorizations.

The new system of authorization implemented by the interim final rule is based on company “authorization” (i.e., encryption registration, self-classification report procedure), which operates like a bulk license for the company’s products.

Limited Use of Technical Questionnaire

With the publication of this rule, submission of the information in Supplement No. 6 to 15 CFR Part 742 (Technical Questionnaire for Encryption Items) is now only required in support of a 30-day encryption classification request for specified “sensitive” items under License Exception ENC and mass market commodities, software and components (i.e., restricted 15 CFR 740.17(b)(2) items, specified components and digital forensics items, products that provide or perform ‘‘nonstandard cryptography,’’ and cryptographic enabling commodities and software).

All other items under License Exception ENC and mass market items may receive immediate authorization with the submission of the encryption registration and annual self classification report.

Company Encryption Registration Instructions

Scope of registration requirement. A company encryption registration is only required for authorization under:

License Exception ENC (15 CFR 740.17(b)(1), 740.17(b)(2) and 740.17(b)(3)), and
Mass market encryption (15 CFR 742.15(b)(1) and 742.15(b)(3)).

Exports and reexports described under 15 CFR 740.17(a), 740.17(b)(4), 740.17(c) and 742.15(b)(4) will continue to be authorized without the need for a submission.

Companies need to register only once, unless changes have occurred. A company only needs to register once and does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to 15 CFR Part 742 changed during the previous calendar year. (See interim final rule for details on submitting encryption registrations via SNAP-R.)

Instructions for exporter agents. BIS states that because of this shift from product authorization to company “authorization”, the information in block 14 (applicant) of the encryption registration screen and the information in Supplement No. 5 to 15 CFR Part 742 must pertain to the company that seeks authorization to export and reexport encryption items that are within the scope of this rule. An agent for the exporter, such as a law firm, should not be listed in block 14. The agent may, however submit the encryption registration and list itself in block 15 (“other Party authorized to receive license”) of the encryption registration screen in SNAP--R.

More info may be required for encryption items authorized after registration. BIS states that for encryption items authorized after the submission of a company encryption registration under 15 CFR 740.17(b)(1) or 742.15(b)(1), the filer may be required to provide relevant information about the encryption functionality of the items.

Producer’s self-classification or CCATS. When an exporter or reexporter relies on the producer’s self-classification (pursuant to the producer’s encryption registration) or Commodity Classification Automated Tracking System (CCATS) for an encryption item, the exporter or reexporter is not required to submit a separate encryption registration, classification request or self-classification report to BIS under 15 CFR 740.17(b) or 742.15(b)¹.

If SNAP-R used for encryption requests, BIS contacts coordinator. This new rule removes the requirement for applicants to submit requests to the ENC Encryption Request Coordinator, if submission is made via the Simplified Network Application Processing system (SNAP--R²) for the company encryption registration and encryption classification requests.

(BIS will send encryption SNAP--R submissions to the ENC Encryption Request Coordinator instead. This change decreases the paperwork burden on applicants.)

Note that all reports (i.e., the semiannual sales report and the annual self-classification report) must continue to be submitted to both BIS and the ENC Encryption Request Coordinator by the applicant.

Information that must be included in registration. Supplement No. 5 to 15 CFR Part 742 has been revised to state that certain classification requests and self-classification reports for encryption items must be supported by a company encryption registration. The information needed for this registration is:

The point of contact;
The company that exports the encryption items;
The categories of the company’s products;
Whether the products incorporate or use proprietary, unpublished or nonstandard cryptographic functionality;
Whether the exporting company will export ‘‘encryption source code’’;
Whether the products incorporate encryption components produced or furnished by non-U.S. sources or vendors; and
Whether the products are manufactured outside the U.S.

(If the registrant is not the principal producer of encryption items, the registrant may answer questions 4 and 7 as ‘‘not applicable.’’ For all other questions, an answer must be given, or if the registrant is unsure of the answer, the registrant may state that it is unsure and explain why it is unsure of the answer to the question.)

Annual Self-Classification Report Instructions

A self-classification report will be required to be submitted annually to BIS and the ENC Encryption Request Coordinator in February for items exported or reexported the previous calendar year (i.e., January 1 through December 31) pursuant to the encryption registration and applicable 15 CFR 740.17(b)(1) or 742.15(b)(1).

Information that must be submitted. This rule adds a new Supplement No. 8 to 15 CFR Part 742 ‘‘Self-Classification Report’’ to collect information about encryption items exported pursuant to 15 CFR 740.17(b)(1) and 742.15(b)(1). The information requested is:

Name of product;
Model/series/part number;
Primary manufacturer;
ECCN (5A002, 5B002, 5D002, 5A992 or 5D992);
Encryption authorization (i.e., ‘ENC’ for License Exception ENC or ‘MMKT’ for mass market); and
Type descriptor to describe the product (chose one from a list of 49 options).

Fomat and submission requirements. The self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator. Reports to BIS must be submitted to a newly created e-mail address for these reports (cryptsupp8@bis.doc.gov). Reports to the ENC Encryption Request Coordinator must be submitted to its existing e-mail address (enc@nsa.gov). In lieu of e-mail, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator.

The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv) only.

Due annually by Feb 1st (for prior year). A self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year. If no information has changed since the previous report, an email must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted.

No self-classification report is required if no exports or reexports of applicable items pursuant to an encryption registration were made during the calendar year.

Limited Continuation of the 30-Day Review Requirement

Encryption Components, Non-Standard Cryptography

According to BIS, the requirement for submission of an encryption classification request and information described in Supplement No. 6 to 15 CFR Part 742, and a 30-day wait, while BIS performs its review of these submissions, remains in effect for:

all ‘‘encryption components,’’ including mass market ‘‘encryption components,’’ and
encryption commodities, software and components not described in 15 CFR 740.17(b)(2) that provide or perform ‘‘non-standard cryptography,’’ including mass market encryption commodities, software and components.

Encryption components are defined in 15 CFR Part 772, and the interim final rule adds a new definition of ‘‘non-standard cryptography’’ in 15 CFR Part 772.

Cryptographic Enabling Commodities, Software, Etc.

The interim final rule maintains the 30-day technical review requirement for commodities, software and components that activate or enable cryptographic functionality in encryption products which would otherwise remain disabled.

Sales Reporting Requirements Under License Exception ENC

The rule narrows the scope of the License Exception ENC sales reporting requirements to only apply to certain digital forensics items described under new 15 CFR 740.17(b)(3)(iii). Therefore, this rule removes some of the exclusions from sales reporting requirement paragraphs that were formerly in paragraphs (A), (C), (H), (I) and (J) of 15 CFR 740.17(e)(iii), because they are no longer necessary.

De Minimis Treatment for U.S. Content Under License Exception ENC

Under this rule, a new paragraph is added to indicate that encryption commodities and software may be considered for de minimis treatment if such products were authorized for export under License Exception ENC after submission of a company encryption registration pursuant to 15 CFR 740.17(b)(1).

License Exception ENC Eligibility for Certain Encryption Technology

Pursuant to 15 CFR 740.17(b)(2)(iv)(B), encryption technology classified under ECCN 5E002 (information security technology) that are not technology for ‘‘cryptanalytic items,’’ ‘‘non-standard cryptography,’’ or ‘‘open cryptographic interfaces’’ may now be exported and reexported under License Exception ENC to any non-‘‘government end-user’’ located in a country not listed in Country Groups D:1 or E:1 of Supplement No. 1 to 15 CFR Part 740.

According to BIS, this revision will decrease encryption licensing arrangements (ELAs) and other license applications to export or reexport encryption technology by approximately 60%.

Technical Revisions to Certain Restricted, Sensitive Items Under License Exception ENC

This rule updates the License Exception ENC specific list of restricted items in 15 CFR 740.17(b)(2), and creates a new specific list of additional sensitive items in amended 15 CFR 740.17(b)(3). These technical revisions involve network infrastructure software and commodities providing satellite communications, encryption commodities and software that provide certain penetration capabilities, certain items that perform certain vulnerability analysis, network forensics, or computer forensics, and public safety/first responder radios. (See BIS’ interim final rule for complete details on these technical revisions.)

Cryptanalytic Items

For national security reasons, the interim final rule maintains all existing licensing requirements for exports and reexports of ‘‘cryptanalytic items’’ (i.e., cryptanalytic commodities, software, and technology).

New note clarifies requirements for cryptanalytic items. This rule adds new note 3 to the introductory paragraph of 15 CFR 740.17(b)(2) and new 15 CFR 740.17(b)(2)(ii) to clarify that exports and reexports of ‘‘cryptanalytic items’’ require encryption registration and encryption classification requests, with no wait, to be eligible for License Exception ENC to non-‘‘government end-users’’ located or headquartered in countries listed in Supplement No. 3 to 15 CFR Part 740, and that the export or reexport of cryptanalytic commodities and software (listed in new 15 CFR 740.17(b)(2)(ii)) require submission of an encryption registration and a 30-day classification request before being eligible for License Exception ENC to non-“government end-users” located or headquartered in a country not listed in Supplement No. 3 to 15 CFR Part 740.

On account of the utmost sensitivity of cryptanalytic technology transfers, cryptanalytic “technology” classified under ECCN 5E002 is only License Exception ENC eligible to non-“government end-users” located or headquartered in Supplement No. 3 to 15 CFR Part 740 countries.

Non-standard cryptography, other encryption technology differentiated. The rule adds a new 15 CFR 740.17(b)(2)(iv) to describe specific encryption technology. New 15 CFR 740.17(b)(2)(iv) differentiates between “non-standard cryptography” and other encryption technology.

CCL Category 5, Part 2 “Information Security”

This rule amends Supplement 1 to Part 774, The Commerce Control List, to add a new Note 4 to Category 5, Part 2 (Information Security) to exclude certain items incorporating or using ‘‘cryptography’’ from control under Category 5, Part 2.

Primary function is not information security. Specifically, Note 4 excludes an item that incorporates or uses ‘‘cryptography’’ from Category 5, Part 2 control if the item’s primary function or set of functions is not ‘‘information security,’’ computing, communications, storing information, or networking, and if the cryptographic functionality is limited to supporting such primary function or set of functions. The primary function is the obvious, or main, purpose of the item. It is the function which is not there to support other functions. The ‘‘communications’’ and ‘‘information storage’’ primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management.

EAR99 if no other categories apply. Items that are covered by Note 4 should be evaluated under other categories of the CCL (Supplement No. 1 to 15 CFR Part 774) to determine if any other controls apply. If the result of this evaluation is that the item is not controlled under another category of the CCL, the item is designated as EAR99.

With the addition of Note 4 to Category 5, Part 2 upon the effective date of this rule, the items previously covered in paragraphs (b), (c) and (h) of the exclusion Note to ECCN 5A002 are no longer controlled under Category 5, Part 2 (by virtue of the new Note 4, irrespective of the Note to ECCN 5A002), and are therefore classified under another category of the CCL or designated as EAR99.

Ancillary cryptography not in Cat 5 Part 2. Items that were self-classified or classified by BIS as ‘‘ancillary cryptography’’ items after October 3, 2008 are, upon the effective date of this rule, no longer classified under Category 5, Part 2.

5A992 and 5D992 not in Cat 5, Part 2. In addition, items that were self-classified or classified by BIS under ECCN 5A992 or 5D992 based on former paragraphs (b), (c) or (h) of the note to ECCN 5A002 are, upon the effective date of this rule, no longer classified under Category 5, Part 2. Exporters should re-classify such items under other categories of the CCL or designate as EAR99, as appropriate.

Examples of Cat 5, Part 2 exclusions. Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

Piracy and theft prevention for software or music

Games and gaming

Household utilities and appliances

Printing, reproduction, imaging and video recording or playback (not videoconferencing)

Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)

Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)

Automotive, aviation, and other transportation systems

LCD TV, Blu-ray/DVD, video on demand (VoD), cinema, digital video recorders (DVRs)/personal video recorders (PVRs)

On-line media guides, commercial content integrity and protection, HDMI and other component interfaces

Medical/clinical—including diagnostic applications, patient scheduling, and medical data records confidentiality

Academic instruction and testing/on-line training—tools and software

Applied geosciences—mining/drilling, atmospheric sampling/weather monitoring, mapping/surveying, dams/hydrology

Scientific visualization/simulation/co-simulation (excluding such tools for computing, networking, or cryptanalysis)

Data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, forecasting and modeling);

Software and hardware design IP protection

Computer aided design (CAD) software and other drafting tools.

Smart Cards, Personal Data

This rule makes a number of revisions to ECCN 5A002, including amendments to remove from 5A002 control certain smart card readers/writers, and to add definitions for “personal data” and “readers/writers”.

Grandfathering Provisions

For encryption commodities, software and components described in, or otherwise meeting the specifications of 15 CFR 740.17(b) and 742.15(b), effective June 25, 2010, such items reviewed and classified by BIS prior to June 25, 2010 are authorized for export and reexport under the applicable provisions of 15 CFR 740.17(b) and 742.15(b), as amended upon publication of this rule, using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in Supplement No. 5 to this part), new classification by BIS, self-classification reporting (i.e., the information described in Supplement No. 8 to 15 CFR Part 742), or semi-annual sales reporting required under 15 CFR 740.17(e) provided the cryptographic functionality of the item has not changed.

These grandfathering provisions do not apply to particular commodities and software previously made eligible for License Exception ENC under former 15 CFR 740.17(b)(3) that are now listed in 15 CFR 740.17(b)(2) and therefore require a license to certain “government end-users”' outside the countries listed in Supplement No. 3 to 15 CFR Part 740. These grandfathering provisions also do not apply if the encryption functionality has changed since the encryption product was last classified by BIS, as specified in 15 CFR 740.17(d)(1)(iii) and 742.15(b)(7)(i)(C).

¹According to BIS, those who submit encryption registrations, classification requests and self-classification reports should either be knowledgeable enough about the encryption functionality to answer relevant questions pertaining to their submissions, or else possess the requisite authority or other means to ensure that such information will be made available to BIS upon request. Only License Exception ENC and mass market encryption authorizations under 15 CFR 740.17(b) and 742.15(b) to a company that has fulfilled the requirements of encryption registration (such as the producer of the item) authorize the export and reexport of the company’s encryption items by all persons, wherever located, under these sections.

²There is a new SNAP--R screen for company encryption registrations. In addition, SNAP--R will issue a specific Encryption Registration Number (ERN) for each company encryption registration electronically submitted to BIS via SNAP--R.

BIS contact - Information Technology Division (202) 482-0707

(FR Pub 06/25/10, D/N 100309131-0195-02)