The Commerce Department’s Bureau of Industry and Security (BIS) recently published its final rule that makes significant changes to the Export Administration Regulations’ (EAR’s) requirements for items that have cryptographic features (i.e., hardware, software, middleware, firmware, source code and technology). The final rule was published on September 20, 2016, and implements the changes that were agreed at the December 15th plenary meeting of the Wassenaar Arrangement, to which the United States and forty (40) other countries belong. The final rule made a number of revisions to the EAR and the Commerce Control List; however, the modifications made to the treatment of encryption items were the most significant. U.S. and foreign companies that develop, sell or distribute items that contain cryptographic features should take immediate steps to update their current product and software classifications in light of the final rule. The final rule took immediate effect on September 20, 2016. The following provides a summary of the key changes that were made:
- The final rule separates Category 5/Part 2 of the Commerce Control List into 3 subsections: (a) cryptographic information security; (b) non-cryptographic information security items in new ECCN 5A003; and, (c) defeating, weakening, or bypassing information security items in new ECCN 5A004.
- Companies with mass market items and items eligible for License Exception ENC no longer need to request encryption registration numbers (ERNs) from the BIS.
- The BIS added new questions to the technical questionnaire found in Supplement 6 to Part 742 of the EAR, which must be submitted by companies seeking formal commodity classification requests from the BIS for their items that have cryptographic features.
- The final rule added new ECCN 5A003 to Category 5/Part 2 of the Commerce Control List, which covers systems, equipment and components for non-cryptographic information security, such as communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion (physical layer security only). ECCN 5A003 also covers items that are specially designed or modified to reduce the compromising emanations of information bearing signals beyond what is necessary for health, safety or electromagnetic interference standards. Items classified as ECCN 5A003 are controlled for national security (NS Column 1) and anti-terrorism (AT Column 1) reasons. Such items are also eligible for License Exception GOV in Section 740.11.
- The final rule also added new ECCN 5A004 to Category 5/Part 2 of the Commerce Control List, which covers systems, equipment and components for defeating, weakening or bypassing information security, such as items designed or modified to perform cryptanalytic functions (i.e., functions designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords or cryptographic keys) by means of reverse engineering. Items classified as ECCN 5A004 are controlled for national security (NS), anti-terrorism (AT) and encryption item (EI) reasons. Unless a license exception applies, items classified as ECCN 5A004 will require a license for export or reexport to all countries (with the exception of Canada).
- ECCNs 5A992.a, 5A992.b, 5D992.a and 5D992.b were deleted by the final rule. Many of these items may now be classified as EAR99; however, companies that previously classified their items in the ECCNs that were removed by the final rule are urged to perform an internal re-classification review of these items. The only items still described on the CCL are mass market encryption items in 5A992.c and 5D992.c, as well as 5E992 technology.
- Note 1, which provided that the control status of information security items should be determined in Category 5/Part 2 even if they are components or software of other systems or equipment, was moved to the General Information Security Note in Supplement 2 to Part 774 of the EAR.
- The final rule moved the mass market encryption provisions previously contained in Part 742.15 of the EAR to the License Exception ENC provisions in Part 740.17(b)(1) and (b)(3).
- The BIS updated the Cryptography Note found in Note 3 to Category 5/Part 2.
- New Section 740.17(a)(1)(ii) of License Exception ENC was added to authorize exports, reexports, and transfers (in-country) among related parties for internal use when the parent company is headquartered in a country listed in Supplement No. 3 to Part 740 (i.e., License Exception ENC Favorable Treatment Countries). No formal commodity classification by BIS or reporting is required for such exports.
- The final rule added Croatia to the list of countries in Supplement 3 to Part 740 of the EAR.*
- New Section 740.17(a)(3) of License Exception ENC was added to authorize reexports of foreign-made products developed with or incorporating U.S. encryption source code, components or toolkits without classification by or reporting to BIS provided that the U.S.-origin encryption items have previously been classified or reported and authorized by BIS and the cryptographic function has not changed.
- Companies that obtain formal commodity classification determinations from the BIS for items that are eligible for License Exception 740.17(b)(1) are no longer required to submit annual self-classification reports for those items to the BIS and Encryption Request Coordinator.
- The final rule also revised the performance parameters for items eligible for License Exception ENC in Section 740.17(b)(2): aggregate encrypted throughput increased to 250 Mbps; the single channel input data rate criterion was removed; the 250 concurrent encrypted data channels criterion was removed; the media parameter was raised to 2,500 endpoints; and an exception was made for mass market satellite modems that use end-to-end encryption between the modem and the hub.
- New items, such as channelizing codes classified as ECCN 5A002.d and spread spectrum classified as 5A002.e, were added to License Exception ENC in Section 740.17(b)(2).
- Certain items may now be exported under License Exception ENC in Section 740.17(b)(2) to “less sensitive government end users,” as defined in Part 772 of the EAR. Previously, such items could only be exported under License Exception ENC to non-government end users. The final rule’s reference to “more sensitive government end users” includes agencies for science and technology, currency and monetary authorities, executive heads of state, legislative bodies, import and export control agencies, intelligence agencies, judiciaries, and airport authorities, among others. Again, the definitions for these two categories of government end users can be found in Part 772 of the EAR.
- Encryption technology classified as ECCN 5E002 is now eligible for License Exception TMP (tools of the trade) in Section 740.9 of the EAR.
- The final rule provides that publicly available encryption source code in ECCN 5D002, for which a License Exception TSU notification has been emailed to the BIS and the ENC Encryption Request Coordinator, will no longer be subject to the EAR.
- Encryption Licensing Arrangements (ELAs), which authorize exports of unlimited quantities of items for four (4) years, are no longer required for certain articles eligible for License Exception ENC that will be exported to “less sensitive government end users.” Rather, ELAs will only be required for “more sensitive government end users” in all countries with the exception of those in Country Groups E:1 or E:2 (Cuba, Iran, North Korea, Sudan and Syria).
Exporters and reexporters of commodities, software and technology that are subject to the EAR are urged to review the final rule carefully and assess its impact on the classifications and licensing requirements applicable to their operations. In many cases, companies should find that the previous administrative requirements and restrictions on certain encryption items have been lessened and that many of their items may be exported with fewer restrictions from the United States.
*The countries that comprise Supplement No. 3 to Part 740 are as follows: Australia; Austria; Belgium; Bulgaria; Canada; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Japan; Latvia; Lithuania; Luxembourg; Malta; Netherlands; New Zealand; Norway; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden; Switzerland; Turkey; and, the United Kingdom.