On June 25, 2010, the Bureau of Industry and Security published amendments to the encryption provisions of the Export Administration Regulations (EAR). These amendments remove many items from control as encryption items. They also reduce or eliminate review and reporting requirements for many more items that remain controlled as encryption items.
Below is the full text of the summary from BIS, and here are some other useful links:
The rule amends the encryption provisions of the Export Administration Regulations (EAR) to streamline procedures for (1) less sensitive encryption items eligible for export under License Exception ENC and (2) most mass market encryption products. (Mass market encryption products are those that are sold in large quantities and are generally available to the public through common retail methods.) The rule also implements the Wassenaar Arrangement’s decontrol of items that perform “ancillary cryptography” in the Commerce Control List.
These amendments enhance national security by (1) limiting the more comprehensive technical review and reporting requirements to sensitive encryption items and (2) facilitating strategic analyses by the U.S. Government. The removal of delays and paperwork burdens associated with the review of less sensitive encryption items will also reduce interruptions to business cycles, product development efforts, manufacturing, and product rollout.
Streamlined review and reporting requirements
On March 11, 2010, President Obama announced that the Administration was working to replace the current review-and-wait process for encryption items and semi-annual sales reporting with a more efficient one-time notification-and-ship process. This rule is expected to decrease technical reviews by approximately 70% and semi-annual reporting by up to 85%.
Under the current provisions, there are three types of items subject to a 30-day technical review by the Bureau of Industry and Security (BIS) and the ENC Encryption Request Coordinator (Ft. Meade, MD): (1) mass market encryption items, which are removed from national security controls after review; (2) other less sensitive encryption items that can be exported pursuant to License Exception ENC to government and non-government end-users in destinations other than the designated terrorism-supporting countries (License Exception ENC unrestricted – current 15 C.F.R. §740.17(b)(3)); and (3) sensitive encryption items that are made eligible for License Exception ENC to non-government end-users in destinations other than the designated terrorism-supporting countries after review, but for which a license is required for export to government end-users in many countries (License Exception ENC restricted – current 15 C.F.R. § 740.17(b)(2)).
The rule removes the review requirement for most mass market and License Exception ENC unrestricted items. The items released from the review requirement include local area network (LAN) products, small routers, and most items that meet the multilateral Wassenaar Arrangement “mass market” criteria. An exporter may now self-classify these items and export them following a company registration with BIS, answering seven questions using a new submission screen in BIS’s on-line application system. The exporter will receive an “encryption registration number” upon submission of its registration. The exporter is required to file a report on an annual basis listing the items it has self-classified and exported. The rule prescribes a data format that is standard to common spreadsheet programs for the annual report. When the manufacturer or producer of an encryption item registers and provides its self-classification to another party, that party may rely on the classification and is not required either to register or to submit an annual report for eligible items. This is consistent with current License Exception ENC and mass market encryption provisions.
Certain mass market and unrestricted items remain subject to 30-day technical review requirements. These are (1) “encryption components,” (2) items that provide or perform “non-standard cryptography,” (3) certain items providing or performing vulnerability analysis, network forensics or computer forensics, and (4) cryptographic enabling commodities and software. Restricted items also remain subject to 30-day technical review requirements and still require semi-annual sales reporting. These are mostly network infrastructure items that exceed certain technical performance parameters, such as routers and 3G wireless base stations.
This rule also will extend the scope of License Exception ENC eligibility to most encryption technology (“non-standard cryptographic,” “cryptanalytic” and “open cryptographic interface” technology is excluded). Under current provisions, technology may be exported to 35 countries immediately upon submission of a technical review request, but is not eligible for export under license exception to other destinations. This rule makes most encryption technology necessary for manufacturing, development or testing of encryption items eligible for export under license exception to all countries, except those of national security concern or subject to anti-terrorism controls, after a 30-day technical review.
Finally, this rule removes the requirement for separate hard-copy submission of encryption classification requests to the Encryption Request Coordinator in Ft. Meade, Maryland. BIS will electronically refer requests that continue to be subject to the 30-day technical review to the Encryption Request Coordinator.
Decontrol of “Ancillary Cryptography” Items
Since 2008, the EAR have excluded from the 30-day technical review requirement and semi-annual reporting items that perform “ancillary cryptography.” At its December 2009 plenary meeting, the Wassenaar Arrangement member countries agreed to decontrol items meeting the “ancillary cryptography” criteria. This rule implements this decontrol by adding Note 4 (following the mass market Note 3) to Category 5, part 2, of the Commerce Control List. Items incorporating or using “cryptography” will no longer be classified under Category 5, part 2 if their primary function is not communications, networking, computing or “information security” and the cryptographic functionality is limited to supporting the primary function. Examples of such items include robotics, household appliances, fire alarm systems, inventory management software, and transportation systems. Such items may be self-classified under another category of the Commerce Control List, or as EAR99. Formal classification by BIS is available on request, as for all other items subject to the EAR.
The rule is published as “interim final” and becomes effective on the date of publication. A 60-day comment period is specified.