Code of Federal Regulations (alpha)

CFR Title 15, Part 742, Sec. 742.15 Encryption items.

Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected. Consistent with our international obligations as a member of the Wassenaar Arrangement, the United States has a responsibility to maintain control over the export and reexport of encryption items. As the President indicated in Executive Order 13026 and in his Memorandum of November 15, 1996, exports and reexports of encryption software, like exports and reexports of encryption hardware, are controlled because of this functional capacity to encrypt information, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export or reexport may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.

(a) Licensing requirements and policy--(1) Licensing requirements. A license is required to export or reexport encryption items (``EI'') classified under 5A002.a.1, .a.2, .a.5, .a.6, .a.9, and .b; 5D002.a, .c.1 or .d for equipment and ``software'' controlled for EI reasons in ECCNs 5A002 or 5D002; or 5E002 for ``technology'' for the ``development,'' ``production,'' or ``use'' of commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or 5D002 to all destinations, except Canada. Refer to part 740 of the EAR for license exceptions that apply to certain encryption items, and to Sec. 772.1 of the EAR for definitions of encryption items and terms. Most encryption items may be exported under the provisions of License Exception ENC set forth in Sec. 740.17 of the EAR. Before submitting a license application, please review License Exception ENC to determine whether this license exception is available for your item or transaction. For exports and reexports of encryption items that are not eligible for a license exception, exporters must submit an application to obtain authorization under a license or an Encryption Licensing Arrangement.

(2) Licensing policy. Applications will be reviewed on a case-by-case basis by BIS, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests. Encryption Licensing Arrangements (ELAs) may be authorized for exports and reexports of unlimited quantities of encryption commodities and software to national or federal government bureaucratic agencies for civil use, and to state, provincial or local governments, in all destinations, except countries listed in Country Group E:1 of Supplement No. 1 to part 740. ELAs are valid for four years and may require post-export reporting or pre-shipment notification. Applicants seeking authorization for Encryption Licensing Arrangements must specify the sales territory and class of end-user on their license applications.

Note to paragraph (a): Pursuant to Note 3 to Category 5 Part 2 of the Commerce Control List in Supplement No. 1 to Part 774, mass market encryption commodities and software may be released from ``EI'' and ``NS'' controls by submitting an encryption registration in accord with Sec. 742.15(b) of the EAR. Once an encryption registration has been submitted to BIS and accepted in SNAP-R as indicated by the issuance of an Encryption Registration Number (ERN), then the commodities and software are classified under ECCNs 5A992 and 5D992 respectively and are no longer subject to ``EI'' and ``NS'' controls.

(b) Encryption registration required, with classification request or self-classification report, for mass market encryption commodities, software and components with encryption exceeding 64 bits. To be eligible for export and reexport under this paragraph (b), encryption commodities, software and components must qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2 (``Information Security''), of the Commerce Control List (Supplement No. 1 to part 774 of the EAR), and employ a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms). Encryption items that are described in Sec. Sec. 740.17(b)(2) or (b)(3)(iii) of the EAR do not qualify for mass market treatment. This paragraph (b) does not authorize export or reexport to, or provision of any service in any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR. Exports and reexports authorized under paragraphs (b)(1) and (b)(3) of this section (including of mass market encryption software that would be considered publicly available under Sec. 734.3(b)(3) of the EAR) must be supported by an encryption registration in accordance with paragraph (b)(7) of this section and the specific instructions of paragraph (r)(1) of Supplement No. 2 to part 748 of the EAR. For items self-classified under paragraph (b)(1) of this section from June 25, 2010 through August 24, 2010, and for requests for classification under paragraph (b)(3) of this section submitted from June 25, 2010 through August 24, 2010, exporters have until August 24, 2010 to submit their encryption registrations. In addition, paragraphs (b)(1) and (b)(3) of this section set forth requirements pertaining to the classification of mass market encryption commodities and software.
See paragraph (d) of this section for grandfathering provisions applicable to certain encryption items reviewed and classified by BIS under this section prior to June 25, 2010. All classification requests, registrations, and reports submitted to BIS pursuant to this section for encryption items will be reviewed by the ENC Encryption Request Coordinator, Ft. Meade, MD. Only mass market encryption authorizations under this paragraph (b) to a company that has fulfilled the requirements of encryption registration (such as the producer of the item) authorize the export and reexport of the company's encryption items by all persons, wherever located, under this section. When an exporter or reexporter relies on the producer's self-classification (pursuant to the producer's encryption registration) or CCATS for a mass market encryption item, it is not required to submit an encryption registration, classification request or self-classification report.

Note to introductory text of paragraph (b): Mass market encryption software that would be considered publicly available under Sec. 734.3(b)(3) of the EAR, and is authorized for export and reexport under this paragraph (b), remains subject to the EAR until the encryption registration and all applicable classification or self-classification requirements set forth in this section are fulfilled.

(1) Immediate mass market authorization. Once an encryption registration is submitted to BIS in accordance with paragraph (b)(7) of this section and an Encryption Registration Number (ERN) has been issued, this paragraph (b)(1) authorizes the exports or reexports of the associated mass market encryption commodities and software classified under ECCNs 5A992 or 5D992 using the symbol ``NLR'', except any such commodities, software or components described in (b)(3) of this section, subject to submission of a self-classification report in accordance with paragraph (c) of this section.

(2) [Reserved]

(3) Classification request required for specified mass market commodities, software and components. Thirty-days (30-days) after the submission of a classification request to BIS in accordance with paragraph (b)(7) of this section, this paragraph (b)(3) authorizes exports and reexports of the mass market items submitted for classification, using the symbol ``NLR'', provided the items qualify for mass market treatment as described in paragraph (b) of this section and are classified by BIS under ECCNs 5A992 or 5D992:

Note to introductory text of paragraph (b)(3): Once a mass market classification request is accepted in SNAP-R, you may export and reexport the encryption commodity or software under License Exception ENC as ECCN 5A002 or 5D002, whichever is applicable, to any end-user located or headquartered in a country listed in supplement No. 3 to part 740 as authorized by Sec. 740.17(b) of the EAR, while the mass market classification request is pending review with BIS.

(i) Specified mass market encryption components as follows:

(A) Chips, chipsets, electronic assemblies and field programmable logic devices;

(B) Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs);

(C) Application-specific hardware or software development kits implementing cryptography.

(ii) Mass market encryption commodities, software and components that provide or perform ``non-standard cryptography'' as defined in part 772 of the EAR.

(iii) [Reserved]

(iv) Mass market cryptographic enabling commodities and software. Commodities and software and components that themselves qualify for mass market treatment, and activate or enable cryptographic functionality in mass market encryption products which would otherwise remain disabled, where the product or cryptographic functionality is not otherwise described in paragraph (b)(3)(i) of this section.

(4) Exclusions from mass market classification request, encryption registration and self-classification reporting requirements. The following commodities and software do not require a submission of an encryption registration, classification request or self-classification report to BIS for export or reexport as mass market products:

(i) Short-range wireless encryption functions. Commodities and software that are not otherwise controlled in Category 5, but are nonetheless classified under ECCN 5A992 or 5D992 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with a nominal operating range not exceeding 100 meters according to the manufacturer's specifications, designed to comply with the Institute of Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard or the IEEE 802.15.1 standard).

Note to paragraph (b)(4)(i): An example of what this paragraph authorizes for export without classification, registration or self-classification reporting is a laptop computer that without encryption would be classified under ECCN 4A994, and the Category 5, Part 2-controlled components of the laptop only implement short-range wireless encryption functionality. On the other hand, this paragraph (b)(4)(i) does not apply to any commodities or software that would still be classified under an ECCN in Category 5 even if the short-range wireless encryption functionality were removed. For example, certain access points, gateways and bridges are classified under ECCN 5A991 without encryption functionality, and components for mobile communication equipment are classified under ECCN 5A991.g without encryption functionality. Such items, when implementing cryptographic functionality controlled by Category 5, Part 2 are not excluded from encryption classification, registration or self-classification reporting by this paragraph.

(ii) Foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the U.S.-origin encryption items have previously been classified or registered and authorized by BIS and the cryptographic functionality has not been changed. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface.

(5) [Reserved]

(6) Examples of mass market encryption products. Subject to the requirements of the Cryptography Note (Note 3) in Category 5, Part 2, of the Commerce Control List, mass market encryption products include, but are not limited to, general purpose operating systems and desktop applications (e.g., e-mail, browsers, games, word processing, database, financial applications or utilities) designed for use with computers classified as ECCN 4A994 or designated as EAR99, laptops, or hand-held devices; commodities and software for client Internet appliances and client wireless LAN devices; home use networking commodities and software (e.g., personal firewalls, cable modems for personal computers, and consumer set top boxes); and portable or mobile civil telecommunications commodities and software (e.g., personal data assistants (PDAs), radios, or cellular products).

(7) Mass market encryption registration and classification request procedures--(i) Submission requirements and instructions. To submit an encryption registration or classification request to BIS for certain mass market encryption items under this paragraph (b), you must submit an application to BIS in accordance with the procedures described in Sec. Sec. 748.1 and 748.3 of the EAR and the instructions in paragraph (r) of Supplement No. 2 to part 748 ``Unique Application and Submission Requirements'', along with other required information as follows:

(A) Encryption registration in support of mass market encryption classification requests and self-classification reports. You must submit the applicable information as described in Supplement No. 5 to this part and follow the specific instructions of paragraph (r)(1) of Supplement No. 2 to part 748 of the EAR, if any of the following apply:

(1) This is your first time submitting an encryption classification request under paragraph (b)(3) of this section since August 24, 2010;

(2) You are making a mass market encryption product eligible for export and reexport (including as defined for encryption software in Sec. 734.2(b)(9) of the EAR) under paragraph (b)(1) of this section for the first time since August 24, 2010; or

(3) If you have not otherwise provided BIS the information described in Supplement No. 5 to this part during the current calendar year and your answers to the questions in Supplement No. 5 to this part have changed since the last time you provided answers to the questions.

(B) Technical information submission requirements. In addition to the registration requirements of paragraph (b)(7)(i)(A) of this section, for all submissions of encryption classification requests for mass market products described under paragraph (b)(3) of this section, you must also provide BIS the applicable information described in paragraphs (a) through (d) of Supplement No. 6 to this part (Technical Questionnaire for Encryption Items). For mass market products authorized after the submission of an encryption registration under paragraph (b)(1) of this section, you may be required to provide BIS this information described in Supplement No. 6 to this part on an as-needed basis, upon request by BIS.

(C) Changes in encryption functionality following a previous classification. A new mass market encryption classification request (under paragraph (b)(3) of this section) or self-classification (under paragraph (b)(1) of this section) is required if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting mass market eligibility (e.g., performance enhancements to provide network infrastructure services, or customizations to end-user specifications) of the originally classified product. However, a new product classification request or self-classification is not required when a change involves: the subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.

(ii) Action by BIS--(A) Encryption registrations for mass market encryption items. Upon submission to BIS of an encryption registration in accordance with paragraph (b)(7)(i) of this section and acceptance of the application by SNAP-R, BIS will issue the Encryption Registration Number (ERN) via SNAP-R, which will constitute authorization under this paragraph (b). Immediately upon receiving your ERN from BIS, you may export and reexport mass market encryption products described in paragraph (b)(1) of this section using the symbol ``NLR''.

(B) For mass market items requiring classification by BIS under paragraph (b)(3) of this section. (1) For mass market encryption classifications that require a thirty (30)-day waiting period, if BIS has not, within thirty (30) days from acceptance in SNAP-R of your complete classification request, informed you that your item is not authorized as a mass market item, you may export and reexport under the applicable provisions of this paragraph (b). If, during the course of its review, BIS determines that your encryption items do not qualify for mass market treatment under the EAR, or are otherwise classified under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will review your items for eligibility under License Exception ENC (see Sec. 740.17 of the EAR for review and reporting requirements for encryption items under License Exception ENC).

(2) Upon completion of its review, BIS will issue a Commodity Classification Automated Tracking System (CCATS) to you.

(3) Hold Without Action (HWA) for mass market classification requests. BIS may hold your mass market classification request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate classification. Time on such ``hold without action'' status shall not be counted towards fulfilling the thirty-day (30-day) processing period specified in this paragraph.

(C) BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility as mass market products at any time, before or after the expiration of the thirty-day (30-day) processing period specified in this paragraph and in paragraph (b)(3) of this section, or after any registrations as required in paragraph (b)(1) of this section. If you do not supply such information within 14 days after receiving a request from BIS, BIS may return your classification request without action or otherwise suspend or revoke your eligibility to use mass market authorization for that item. At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS and may be approved if BIS concludes that additional time is necessary.

(c) Self-classification reporting for certain encryption commodities, software and components. This paragraph (c) sets forth requirements for self-classification reporting to BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) of encryption commodities, software and components exported or reexported pursuant to encryption registration under Sec. Sec. 740.17(b)(1) or 742.15(b)(1) of the EAR. Reporting is required, effective June 25, 2010.

(1) When to report. Your self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year.

(2) How to report. Encryption self-classification reports must be sent to BIS and the ENC Encryption Request Coordinator via e-mail or regular mail. In your submission, specify the export timeframe that your report spans and identify points of contact to whom questions or other inquiries pertaining to the report should be directed. Follow these instructions for your submissions:

(i) Submissions via e-mail. Submit your encryption self-classification report electronically to BIS at crypt-supp8@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, as an attachment to an e-mail. Identify your e-mail with subject ``Self-classification report for ERN R'', using your most recent ERN in the subject line (so as to correspond your encryption self-classification report to your most recent encryption registration ERN).

(ii) Submissions on disks and CDs. The self-classification report may be sent to the following addresses, in lieu of e-mail:

(A) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave., NW., Room 2099B, Washington, DC 20230, Attn: Encryption Reports, and

(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755-6000.

(3) Information to report. Your encryption self-classification report must include the information described in paragraph (a) of Supplement No. 8 to this part for each applicable encryption commodity, software and component exported or reexported pursuant to an encryption registration under Sec. Sec. 740.17(b)(1) or 742.15(b)(1) of the EAR. If no information has changed since the previously submitted report, you must either send an e-mail stating that nothing has changed since the previous report or submit a copy of the previously submitted report.

(4) File format requirements. The information described in paragraph (a) of Supplement No. 8 to this part must be provided to BIS and the ENC Encryption Request Coordinator in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv) adhering to the specifications set forth in paragraph (b) of Supplement No. 8 to this part.

(d) Grandfathering. (1) For mass market encryption commodities, software and components described in (or otherwise meeting the specifications of) paragraph (b) of this section effective June 25, 2010, such items reviewed and classified by BIS as mass market products prior to June 25, 2010 are authorized for export and reexport under paragraph (b) of this section using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in Supplement No. 5 to this part), new classification by BIS, or self-classification reporting (i.e., the information described in Supplement No. 8 to this part), provided the cryptographic functionality of the item has not changed. See paragraph (b)(7)(i)(C) of this section regarding changes in encryption functionality following a previous classification.

(2) If you have components that meet paragraph (b) of the Cryptography Note 3 in Category 5 Part 2 of the Commerce Control List in Supplement No. 1 to part 774 and the components have previously been classified under ECCN 5X002 pursuant to Sec. 740.17(b)(3) or self-classified under Sec. 740.17(b)(1) after June 25, 2010, a new classification request is not required to make it eligible for paragraph (b) to Note 3 under Sec. 742.15(b)(3), i.e., 5X992, if you include these components in your self-classification report submitted to BIS and the ENC Encryption Request Coordinator no later than February 1 following the calendar year in which you first export or reexport the reclassified components.

[73 FR 57507, Oct. 3, 2008, as amended at 75 FR 36494, June 25, 2010; 75 FR 43821, July 27, 2010; 76 FR 1063, Jan. 7, 2011; 76 FR 29619, May 20, 2011; 78 FR 13469, Feb. 28, 2013; 78 FR 37383, June 20, 2013]

Sec. 742.16 [Reserved]