Tuttle Law

A Customs & Int'l. Trade Law Firm

BIS Publishes Changes
To U.S. Export Rules
For Encryption Products & Software

June 24, 2010

The Bureau of Industry and Security (BIS) has submitted to the Federal Register for publication its long awaited changes to the Export Administration Regulations (EAR or Regulations), which modify License Exception ENC, and requirements for qualifying an encryption item as “mass market.” The expected publication date is for Friday, June 25, 2010.

Following is a summary from the overview of the new rule. The new encryption rule can be found at: http://www.tuttlelaw.com/customs_material2010-15072I.pdf


With respect to encryption products of lesser national security concern, this rule replaces the requirement to wait 30 days for a technical review before exporting such products and the requirement to file semi-annual post-export sales and distribution reports with a provision that allows immediate authorization to export and reexport these products after electronic submission to BIS of an encryption registration.  

The new regulations establish a “registration process.” BIS has created a new SNAP-R screen for encryption registrations. The instructions for submitting an encryption registration is found in paragraph (r)(1) of Supplement No. 2 to part 748, and a PDF must be attached that provides answers to Supplement No. 5 to part 742. 

New Note 4 To Category 5.II

A new Note was added to Category 5.II which provides:

Category 5, Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:

a. The primary function or set of functions is not any of the following:

1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);

b. The cryptographic functionality is limited to supporting their primary function or set of functions.

Annual Self-Classification Report

A condition of this new authorization for less sensitive products is submission of an annual self-classification report (see new supplement 8 to Part 742) on these commodities and software exported under License Exception ENC. 

With respect to most mass market encryption products, this rule similarly replaces the requirement to wait 30 days for a technical review before exporting and reexporting such products with a provision that allows immediate authorization to export and reexport these products after electronic submission to BIS of an encryption registration, subject to annual self-classification reporting for exported encryption products.  

Only a few categories of License Exception ENC and mass market encryption products will continue to require submission of a 30-day classification request.

Encryption items that are more strictly controlled continue to be authorized for immediate export and reexport to most end-users located in close ally countries upon submission of an encryption registration and classification request to BIS. This rule also eases licensing requirements for the export and reexport of many types of technology necessary for the development and use of encryption products, except to countries subject to export or reexport license requirements for national security reasons or anti-terrorism reasons, or that are subject to embargo or sanctions.

“Ancillary Encryption”

Items that were self-classified or classified by BIS as “ancillary cryptography” items after October 3, 2008 are, upon the effective date of this rule, no longer classified under Category 5, Part 2.  In addition, items that were self-classified or classified by BIS under ECCN 5A992 or 5D992 based on former paragraphs (b), (c) or (h) of the note to ECCN 5A002 are, upon the effective date of this rule, no longer classified under Category 5, Part 2. Exporters should reclassify such items under other categories of the CCL or designate as EAR99, as appropriate.

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

  • piracy and theft prevention for software or music; games and gaming;
  • household utilities and appliances;
  • printing, reproduction, imaging and video recording or playback (not videoconferencing);
  • business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery);
  • industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment);
  • facilities systems (such as fire alarm, HVAC); automotive, aviation, and other transportation systems;
  • LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs);
  • on-line media guides, commercial content integrity and protection, HDMI and other component interfaces;
  • medical/clinical - including diagnostic applications, patient scheduling, and medical data records confidentiality;
  • academic instruction and testing/on-line training - tools and software;
  • applied geosciences - mining/drilling, atmospheric sampling/weather monitoring, mapping/surveying, dams/hydrology; scientific visualization/simulation/co-simulation (excluding such tools for computing, networking, or cryptanalysis);
  • data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, forecasting and modeling);
  • software and hardware design IP protection; and computer aided design (CAD) software and other drafting tools.

Changes In Application Process

This rule also removes the requirement to file separate encryption classification requests (formerly encryption review requests) with both BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD).

BIS is also amending the EAR by implementing the agreements made by the Wassenaar Arrangement at the plenary meeting in December 2009 that pertained to “information security” items. This rule adds an overarching note to exclude particular products that use cryptography from being controlled as “information security” items.  The addition of this note focuses “information security” controls on the use of encryption for computing, communications, networking and information security.  This rule also makes additional changes throughout the EAR to harmonize it with the new note. 

If you would like more information about the new rule and how it may effect your company, or for assistance in reevaluating your existing encryption products or classification, please contact George Tuttle, III at (415) 986-8780 or george.tuttle.iii@tuttlelaw.com.


George R. Tuttle, III is an attorney with the Law Offices of George R. Tuttle in San Francisco.

The information in this article is general in nature, and is not intended to constitute legal advice or to create an attorney-client relationship with respect to any event or occurrence, and may not be considered as such.

Copyright © 2010 by Tuttle Law Offices. 
All rights reserved.
Information has been obtained from sources believed to be reliable. However, because of the possibility of human or mechanical error by our offices or by others, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors, omissions, or for the results obtained from the use of such information.