Tuttle Law

A Customs & Int'l. Trade Law Firm

BIS Revises U.S. Export Encryption Regulations

September 7, 2010

June, 24, 2010, the Bureau of Industry and Security (BIS) of the Department of Commerce issued a notice in the Federal Register (75 F.R. 36482) which significantly revised the rules for the export or reexport of encryption products and related software. Following is a summary of the more significant changes to these rules.

Additional information on these changes can be found on the BIS encryption web page.

‘Ancillary Encryption” Products Removed From Category 5, Part 2

New Note 4 to Category 5, Part 2 provides that certain items incorporating or using ‘‘cryptography’’ are excluded from control under Category 5, Part 2. Specifically, the note excludes an item that incorporates or uses ‘‘cryptography’’ from Category 5, Part 2 if the item’s primary function or set of functions is not ‘‘information security,’’ computing, communications, storing information, or networking, and if the cryptographic functionality is limited to supporting such primary function or set of functions.

The primary function is the “obvious or main purpose” of the item. It is the function which is not there to support other functions. The ‘‘communications’’ and ‘‘information storage’’ primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management.

The scope of new Note 4 is coextensive with the scope of the ‘‘ancillary cryptography’’ provisions that were added to the EAR on October 3, 2008. Under that amendment, commodities and software that perform ‘‘ancillary cryptography’’ remained controlled under Category 5, Part 2, but were exempted from review and reporting requirements under License Exception ENC (§ 740.17 of the EAR) and the mass market provisions of section 742.15 of the EAR.

Items that were self-classified or classified by BIS as ‘‘ancillary cryptography’’ items after October 3, 2008 are, upon the effective date of this rule, no longer classified under Category 5, Part 2. In addition, items that were self-classified or classified by BIS under ECCN 5A992 or 5D992 based on former paragraphs (b), (c) or (h) of the note to ECCN 5A002 are now no longer classified under Category 5, Part 2. The new rule removes all references to ‘‘ancillary cryptography’’. Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

  • Piracy and theft prevention for software or music; games and gaming;
  • household utilities and appliances;
  • printing, reproduction, imaging and video recording or playback (not videoconferencing);
  • business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery);
  • industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC);
  • automotive, aviation, and other transportation systems;
  • LCD TV, Blu-ray/DVD, video on demand (VoD), cinema, digital video recorders (DVRs)/personal video recorders (PVRs);
  • on-line media guides, commercial content integrity and protection, HDMI and other component interfaces; medical/clinical—including diagnostic applications, patient scheduling, and medical data records confidentiality;
  • academic instruction and testing/on-line training—tools and software; applied geosciences—mining/ drilling, atmospheric sampling/weather monitoring, mapping/surveying, dams/ hydrology; scientific visualization/ simulation/co-simulation (excluding such tools for computing, networking, or cryptanalysis);
  • data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, forecasting and modeling);
  • software and hardware design IP protection; and computer aided design (CAD) software and other drafting tools

The items excluded from Category 5, Part 2 by Note 4 have been determined not to be of national security concern due to their encryption functionality. Items that are covered by Note 4 should be evaluated under other categories of the CCL (Supplement No. 1 to part 774 of the EAR) to determine if any other controls apply. Exporters need to re-classify such items under other categories of the CCL or designate as EAR99, as appropriate. If the result of this evaluation is that the item is not controlled under another category of the CCL (e.g., a refrigerator), the item is designated as EAR99.

Revision to Semi-annual Reporting Requirements under License Exception ENC

Prior to this new rule, semi-annual (post export) reporting was required for exports of most encryption commodities, software and components previously described in old section 740.17(b)(3) to all destinations other than Canada, and for reexports from Canada, under License Exception ENC.

This rule narrows the scope of this requirement to only apply to items described in new section 740.17(b)(2) and (3)(iii). Because of the revisions to 740.17(b)(2) and (3)(iii), some of the exclusions from the reporting requirement that were formerly in section 740.17(e)(iii) have been eliminated. It is advisable, therefore, that you verify whether your product continues to be subject to the semiannual report requirement under either (b)(2) or new paragraph (b)(3)(iii).

Exporters are reminded, however, of the recordkeeping requirements in part 762 of the EAR and that they may be required to make such records available upon request. When reporting is not required under License Exception ENC, companies need only maintain records as required by the EAR that can be reviewed by appropriate agencies of the U.S. Government upon request.

The requirement for semi-annual sales reporting to BIS and the ENC Encryption Request Coordinator of encryption items described in section 740.17(b)(2) and (b)(iii) is maintained.

Paragraph (e) of section 740.17 sets forth the requirements for semi-annual reporting.

New Encryption Exporter Registration Requirements

Exporters of encryption products falling within the scope of section 740.17(b) are now required to submit an electronic encryption registration through SNAP-R. The registration is company oriented as opposed to product oriented. The registration process is described in section 740.17(d), section 742.15(c), and in paragraph (r)(1) of Supplement 2 to part 748.

Upon submission to BIS of an encryption registration, BIS will issue an Encryption Registration Number (ERN). This registration number is confirmation that BIS has received your encryption registration. Your registration number will constitute authorization for exports and reexports of eligible items under 740.17(b)(1), and must be used on any classification requests under (b)(2) or (b)(3).

You only need to submit the registration once unless your information changes, in which case a new registration may be required. When filing a new registration, a new registration number will be generated that should be used on all subsequent annual self-classification reports or classification requests.

When an exporter or reexporter relies on the producer's self-classification (pursuant to the producer's encryption registration) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (b)(2), or (b)(3) of this section, it is not required to submit an encryption registration, classification request or self-classification report. It may, however, still be required to submit semi-annual reports of products falling under section 740.17(b)(2) and (3)(iii). Exporters are cautioned, however, that if they incorporate another manufacturer’s encryption product or software into their product, it is a new item and a separate registration will be required.

Instructions for submitting an encryption registration is described in §748.3 and the EAR, as well as the instructions found in paragraph (r) of Supplement 2, to part 748.

Self-Classification Permitted For Certain Products

Encryption products falling within the scope of section 740.17(b)(1) no longer require a classification request (but will require a registration and self-classification report as described by section 742.15(c)) and Supplement 8 to Part 742.

Products described in ECCN 5A002.a.1, a.2, a.5, a.6 or a.9, ECCN 5B002, and the equivalent or related software classified under ECCN 5D002 may be self-classified following registration. Exporters that perform self-classification of paragraph (b)(1) products are required to submit an annual self-classification report to BIS and NSA, as discussed below.

Low level encryption products and products that fall within new Note 4 to Category 5, Part 2 may be self-classified without registration or submitting an annual self-classification report.

Classification Requests For (b)(2) and (b)(3) Products

Classification requests are still required for encryption products falling within the scope of section 740.17(b)(2) and (b)(3). Items described in 740.17(b)(2) include:

  • Network infrastructure items as described in 740.17(b)(2)(i)(B),
  • Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available,
  • Encryption products designed, modified, adapted or customized for “government end-user(s)”,
  • Cryptographic functionality that has been modified or customized to customer specifications,
  • Cryptographic functionality or “encryption component” that is user-accessible and can be easily changed by the user,
  • Quantum crypto products,
  • Items that have been modified or customized for computers classified under ECCN 4A003,
  • Items that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks,
  • Public safety / first responder radio (P25 or TETRA),
  • cryptanalytic items,
  • “Open Cryptographic Interface”, and
  • Encryption technology classified under ECCN 5E002.

Items described in 740.17 (b)(3) include:

  • Chips, chipsets, electronic assemblies and field programmable logic devices,
  • Cryptographic libraries, modules, development kits and toolkits, including those for operating systems and cryptographic service providers (CSPs),
  • Application-specific hardware or software development kits implementing cryptography,
  • Items that provide or perform “non-standard cryptography”, and
  • Items that provide or perform vulnerability analysis, network forensics, or computer forensics.

The 30 day classification request procedure is described in section 740.17(d). Exceptions to thirty day rule are provided for.

Encryption Self-classification Reporting

Encryption products falling within the scope of section 740.17(b)(1) or qualifying under a mass market exception (discussed below) require a self-classification report as described by section 742.15(c) and Supplement 8 to part 742 of the EAR.

Section 742.15(c) provides that the encryption self-classification report must include the information described in paragraph (a) of Supplement No. 8, Part 742, for each applicable encryption commodity, software and component exported or reexported that was self classified under §§ 740.17(b)(1) or 742.15(b)(1) of the EAR.

The self-classification report is to cover both (b)(1) and Mass Market encryption commodities, software and components that were self-classified and exported or reexported during a calendar year (January 1 through December 31). Reports must be received electronically by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year.

New Mass Market Encryption Rules (Section 742.15)

For most mass market encryption products, the new rule replaces the requirement to wait 30 days for a technical review before exporting and reexporting such products with a provision that allows immediate authorization to export and reexport these products after submission of an encryption registration, subject to annual self classification reporting for exported encryption products (discussed above). These new rules are found in Section 742.15(a) and (b). Encryption products that are mass market that fall within the scope of ENC paragraph (b)(3) will still have a 30 day waiting period.

To be eligible under this provision, the encryption commodities, software and components must qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2 (“Information Security”), of the Commerce Control List (Supplement No. 1 to part 774 of the EAR). Under Note 3 to Cat 5 Part II, a mass market product is defined as a product that is:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of:

  1. Over-the-counter transactions,
  2. Mail order transactions,
  3. Electronic transactions, or
  4. Telephone call transactions, and

b. The cryptographic functionality cannot be easily changed by the user.

Once an encryption registration for mass market encryption products has been submitted to BIS and accepted in SNAP-R and issuance of an Encryption Registration Number (ERN), the commodities and software are classified under ECCNs 5A992 and 5D992 respectively, and are no longer subject to “EI” and “NS” controls. Again, exporters are permitted to perform this self-classification analysis and no classification submission to BIS is required (other than registration).

Section 742.15(b) sets forth requirements pertaining to the classification of mass market encryption commodities and software. Encryption items that are described in §§ 740.17(b)(2) or (b)(3)(iii) of the EAR, will not generally qualify for self-classification for mass market treatment and a mass market classification request will still be required. See Section 742.15(b)(3).

Exporters must submit an application to BIS in accordance with the procedures described in § 748.1 and §748.3.

Instructions for registration are provided in paragraph (r) of Supplement No. 2 to part 748 and 742.15(b)(7) to receive Mass Market treatment.

Grandfathering Clause

If you received an encryption CCATS prior to June 24, 2010, or pending on June 24, 2010, you do not need a company registration or participate in annual self-classification reporting.

Classifications requests submitted between June 24 and August 25, 2010 for products falling in (b)(1), (b)(2) or (b)(3) received a grace period for filing the company encryption registration number.

Companies that are self-classifying products after August 25, 2010 under (b)(1) now require a registration. Additionally, products classified under (b)(2) or (b)(3) require registration.

List Review Approach

Because of the significant changes to these regulations, all exporters of encryption products need to reevaluate the current treatment of their products.

To start with, exporters should consider whether their products are now excluded from control in Cat.5 Part II by new Note 4, which excludes products which contain encryption but the primary function of the product is not information security, computing (including sending or storing information) or networking.  If your products fall within this category of goods, no encryption registration or annual report is required.

If your product remains in Cat.5 Part II because its primary function is information security, computing (including sending or storing information) or networking, then you need consider whether your product is “Mass Market” within the meaning of Note 3 to Cat 5 Part II, or described by section 740.17(b)(1). These products may be self-classified, but are subject to registration and annual self-classification reporting for products that were self-classified and exported during that year.

Finally, if you are not “Mass Market” within the meaning of Note 3 to Cat 5 Part II, or described by section 740.17(b)(1), you will need to file an ENC classification request with BIS and NSC. To do this you will first need to register as an encryption exporter.

Please note, only commodities and software that are classified under new paragraphs (b)(2) and (b)(3)(iii) will require submission of semi annual sales reports.  New paragraphs (b)(2) and (b)(3)(iii) are substantially different from the old paragraph (b)(3)(iii), so be sure to compare to make sure you are not continuing to report exports that you do not have to.

If you would like more information about the new regulations and how they may effect your company, or for assistance in reevaluating your existing encryption products or classification, please contact George Tuttle, III at (415) 986-8780 or george.tuttle.iii@tuttlelaw.com.


George R. Tuttle, III is an attorney with the Law Offices of George R. Tuttle in San Francisco.

The information in this article is general in nature, and is not intended to constitute legal advice or to create an attorney-client relationship with respect to any event or occurrence, and may not be considered as such.

Copyright © 2010 by Tuttle Law Offices. 
All rights reserved.
Information has been obtained from sources believed to be reliable. However, because of the possibility of human or mechanical error by our offices or by others, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors, omissions, or for the results obtained from the use of such information.