Barry McVay's FEDERAL CONTRACTS DISPATCH
DATE: January 14, 2000
FROM: Barry McVay, CPCM
SUBJECT: Export Administration Regulations (EAR); Revisions to Encryption Items
SOURCE: Federal Register, January 14, 2000, Vol. 65, No. 10, page 2491
AGENCIES: Bureau of Export Administration (BXA), Department of Commerce
ACTION: Interim Final Rule
SYNOPSIS: BXA is amending the EAR to allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations. Also, the revision allows exports and reexports of retail encryption commodities and software to all end-users in all destinations. Post-export reporting requirements are streamlined, and changes are made to reflect amendments to the Wassenaar Arrangement.
EDITOR'S NOTE: The EAR is under Title 15 of the Code of Federal Regulations, Commerce and Foreign Trade, under "Subtitle B, Regulations Relating to Commerce and Foreign Trade," "Chapter VII, Bureau of Export Administration, Department of Commerce," then "Subchapter C, Export Administration Regulations," as Parts 730 through 774.
DATES: The rule is effective January 14, 2000. Comments must be submitted on or before May 15, 2000.
ADDRESSES: Submit comments to Frank J. Ruggiero, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, DC 20044.
FOR FURTHER INFORMATION CONTACT: James A. Lewis, Director, Office of Strategic Trade, 202-482-0092.
SUPPLEMENTAL INFORMATION: On September 16, 1999, the Clinton administration announced a new approach to U.S. encryption export control policy. This approach rests on three principles: (1) a technical review of encryption products in advance of sale; (2) a streamlined post-export reporting system; and (3) a process that permits the government to review exports of strong encryption to foreign governments. This interim final rule reflects the new approach, and implements various changes for encryption items made by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
The key change is in EAR 740.17, Encryption Commodities and Software (ENC):
- Paragraph (a) states that encryption items under Export Commodity Control Numbers (ECCNs) 5A002 (Systems, equipment, application specific "electronic assemblies", modules and integrated circuits for "information security", and other specially designed components therefor), 5D002 (Information Security -- "Software"), or 5E002 can be exported and reexported to foreign subsidiaries of U.S. companies, including the transfer of encryption technology to their foreign employees in the U.S. (except nationals of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), without technical review and classification. Any items developed by the U.S. company for sale or retransfer outside the U.S. company are subject to review and classification by BXA. Foreign companies with subsidiaries in the U.S. can apply for Encryption Licensing Arrangements (ELAs) to obtain treatment equivalent to that extended to foreign subsidiaries of U.S. parent companies.
- New paragraph (a)(2), titled "Encryption Commodities and Software," states, "you may export and reexport any encryption commodity, software and component after review and classification by BXA under ECCNs 5A002 and 5D002 to any individual, commercial firm or other non-government end-user." Previous sector-specific liberalizations for banks and financial institutions, health and medical end-users, and on-line merchants are now covered by this paragraph. Previous restrictions limiting exports to foreign commercial firms for internal company proprietary use are removed. In addition, foreign products developed from encryption components, while subject to the EAR, do not require review and classification prior to reexport. However, exports and reexports to government end-users require a license.
- New paragraph (a)(3), titled "Retail Encryption Commodities and Software," states, "you may export and reexport to any end-user encryption commodities, software and components which have been reviewed and classified as retail under ECCNs 5A002 and 5D002." The criteria for determining eligibility as a retail product include functionality, sales volume, distribution methods, ability to modify products, and requirements for substantial support by the supplier. Substantial support for retail encryption commodities and software would mean a service contract or other significant vendor support beyond what is minimally necessary for the product's operation. However, help desk calls are not considered substantial support. Finance-specific, 56-bit non-mass market products with a key exchange greater than 512 bits and up to 1024 bits, network-based applications, and other products which are functionally equivalent to retail products are considered retail products.
- New paragraph (a)(4), titled "Telecommunications and Internet Service Providers," states, "Internet and telecommunications service providers can obtain and use any encryption product for their internal use and to provide any service under License Exception ENC. However, a license is required for the use of any product not classified as retail to provide services specific to government end-users, e.g., WAN, LAN, VPN, voice and dedicated-link services; application specific and e-commerce services and PKI encryption services specifically for government end-users only."
- New paragraph (a)(4), titled "Commercial Encryption Source Code and General Purpose Encryption Toolkits", states, "You may export and reexport encryption source code not released under Sec. 740.13(e) [Technology and Software -- Unrestricted (TSU)] or general purpose toolkits (application specific toolkits are covered under components, as defined in Part 772 [Definitions of Terms])", subject to several provisions (such as notification of BXA of the Internet address or a copy of the source code).
- Paragraph (e), Eligibility for License Exception ENC, states that "finance-specific and 56-bit products previously reviewed and classified by BXA can be exported or reexported to any end-user without further review. Other encryption commodities, software or components previously approved for export can be exported and reexported without further review to any non-government end-user". In addition, "exporters can increase the key lengths of previously classified products and continue to export without another review. No other change in the cryptographic functionality is allowed." Prior to export of an upgraded product, exporters must certify in a letter from a corporate official that the only change is the key length for confidentiality or key exchange algorithms and there is no other change in cryptographic functionality.
- Paragraph (g), titled "Reporting Requirements," eliminates many of the reporting requirements under License Exception ENC. Remaining reporting requirements are streamlined to reflect business models normally used by exporters. Reporting requirements for exports and reexports of encryption components can be adjusted or reduced, on a case-by-case basis, provided an exporter supplies BXA with sufficient information during the initial technical review of the U.S. encryption component concerning its incorporation into a final foreign product. Also, post-export reporting is required for certain exports to foreign banks and financial institutions.
Various other changes are made throughout the EAR, such as the removal of Supplement No. 3 to EAR Part 740, License Exceptions, which listed countries eligible to receive certain encryption products, but is no longer necessary because such products are now eligible for export and reexport to all destinations.
FOR FURTHER INFORMATION CONTACT: Barry McVay at 703-451-5953 or by e-mail to BarryMcVay@FedGovContracts.com.
Copyright 2000 by Panoptic Enterprises. All Rights Reserved.
Return to the Dispatches Library.
Return to the Main Page.