BIS Issues Interim Final Rule to Reform Encryption Controls
The Bureau of Industry and Security has issued an interim final rule, effective June 25, 2010, which modifies the requirements of License Exception ENC (Encryption Commodities, Software and Technology) and the requirements for qualifying an encryption item as mass market, and amends specific license requirements for encryption items.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Comments on this rule are due by August 24, 2010. See future issue of ITT for additional details.
(BIS states that this rule is the first step in the President’s effort to reform U.S. encryption export controls to enhance national security. See ITT’s Online Archives or 04/21/10 news, 10042125, for BP summary of the Administration’s plans to fundamentally reform the U.S. export control system.)
Immediate Export Authorization for Certain Products if Company Submits an Encryption Registration
With respect to encryption products of lesser national security concern, BIS’ rule replaces the requirement to wait 30 days for a technical review before exporting such products and the requirement to file semi-annual post-export sales and distribution reports with a provision that allows immediate authorization to export and reexport these products after electronic submission to BIS of a company’s encryption registration1.
A condition of this new authorization for less sensitive products is submission of an annual self-classification report on these commodities and software exported under License Exception ENC.
With respect to most mass market encryption products, this rule similarly replaces the requirement to wait 30 days for a technical review before exporting and reexporting such products with a provision that allows immediate authorization to export and reexport these products after electronic submission to BIS of a company’s encryption registration, subject to annual self-classification reporting for exported encryption products.
(Only a few categories of License Exception ENC and mass market encryption products will continue to require submission of a 30-day classification request. Encryption items that are more strictly controlled continue to be authorized for immediate export and reexport to most end-users located in close ally countries upon submission of an encryption registration and classification request to BIS.)
Licensing Requirements Eased for Many Types of Encryption Technology
BIS’ rule also eases licensing requirements for the export and reexport of many types of technology necessary for the development and use of encryption products, except to countries subject to export or reexport license requirements for national security reasons or anti-terrorism reasons, or that are subject to embargo or sanctions.
Redundant Encryption Classification Request Requirements Removed
BIS’ rule also removes the requirement to file separate encryption classification requests (formerly encryption review requests) with both BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD).
Certain Cryptography Products Excluded as “Information Security” Controls
BIS is also amending the Export Administration Regulations by implementing the agreements made by the Wassenaar Arrangement at the plenary meeting in December 2009 that pertained to “information security'' items.
BIS’ rule adds an overarching note that excludes particular products that use cryptography from being controlled as “information security” items, which focuses “information security” controls on the use of encryption for computing, communications, networking and information security. The rule also makes additional changes throughout the EAR to harmonize it with the new note.
Smart Card Readers/Writers Note Added to ECCN 5A002
BIS’ rule also replaces a note in ECCN 5A002 pertaining to personalized smart cards with a note pertaining to smart cards and smart readers/writers. As a result of this change, a definition is being removed from the EAR.
Grandfathering Provisions
For encryption commodities, software and components described in, or otherwise meeting the specifications of 15 CFR 740.17(b) and 742.15(b), effective June 25, 2010, such items reviewed and classified by BIS prior to June 25, 2010 are authorized for export and reexport under the applicable provisions of 15 CFR 740.17(b) and 742.15(b), as amended upon publication of this rule, using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in Supplement No. 5 to this part), new classification by BIS, self-classification reporting (i.e., the information described in Supplement No. 8 to 15 CFR Part 742), or semi-annual sales reporting required under 15 CFR 740.17(e) provided the cryptographic functionality of the item has not changed.
These grandfathering provisions do not apply to particular commodities and software previously made eligible for License Exception ENC under former 15 CFR 740.17(b)(3) that are now listed in 15 CFR 740.17(b)(2) and therefore require a license to certain “government end-users”' outside the countries listed in Supplement No. 3 to 15 CFR Part 740. These grandfathering provisions also do not apply if the encryption functionality has changed since the encryption product was last classified by BIS, as specified in 15 CFR 740.17(d)(1)(iii) and 742.15(b)(7)(i)(C).
1BIS notes that a company that exports under the authorizations described in BIS’ rule only needs to register once and does not need to resubmit its encryption registration (unless the answers to the questions in Supplement No. 5 to part 742 changed during the previous calendar year).
BIS contact - Information Technology Division (202) 482-0707
(FR Pub 06/25/10, D/N 100309131-0195-02)