BIS Issues Regulation Decontrolling Encryption Three Different Ways
Today, June 25, 2010, the US Department of Commerce Bureau of Industry and Security (BIS) issued the long-awaited new encryption rule, which makes three major strides in decontrolling encryption items. See http://edocket.access.gpo.gov/2010/pdf/2010-15072.pdf. The new encryption rule decontrols encryption in three principal ways:
1) Registered companies can self-classify most encryption products – BIS/NSA review is no longer required for these products: The new regulation allows companies that register with the Bureau of Industry & Security (BIS) to “self-classify” mass market and many other encryption products, provided they submit an annual report to BIS and NSA about the products they have self-classified. This means that registered companies can immediately export products that they have self-classified under License Exception ENC without waiting for the 30-day review by BIS and the National Security Agency.
2) Ancillary cryptography items are completely decontrolled whereas before they were simply exempted from review and reporting requirements.
3) Most encryption technology that is reviewed can be exported without a license to non-“government end-users” provided they are not located in a country listed in Country Groups D:1 or E:1 (i.e. embargoed or sensitive countries).
We provide more details about these three changes below.
REGISTERED COMPANIES CAN SELF-CLASSIFY MOST ENCRYPTION PRODUCTS – REVIEW IS NO LONGER REQUIRED FOR MANY PRODUCTS
As noted above, the most significant of the three important changes brought about by the new regulation is to allow companies that register with BIS to “self-classify” mass market and many other encryption products, provided they submit an annual report to BIS and NSA about the products they have self-classified. This means that registered companies can immediately export products that they have self-classified under License Exception ENC.
Registration:
When a company registers (using SNAP-R) with BIS, SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. The registration form requires that the company provide the following information, although items 4 through 7 can be omitted if the company is not the primary producer of the encryption items:
1) The point of contact information;
2) The company that exports the encryption items;
3) The categories of the company’s products;
4) Whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality;
5) Whether the exporting company will export “encryption source code”;
6) Whether the products incorporate encryption components produced or furnished by non-U.S. sources or vendors; and
7) Whether the products are manufactured outside the United States.
Although this may look like alphabet soup, registration is not required for ALL self-classifications — only for self-classifications under License Exception ENC sections 740.17(b)(1), 740.17(b)(2) and 740.17(b)(3), and mass market encryption sections 742.15(b)(1) and 742.15(b)(3) of the EAR. What does that mean? If an exporter only exports/reexports under the following other sub-sections, no registration is required. The exporter can continue to export on its own with no registration and no annual reports:
1) 740.17(a) – license exception ENC for development of new products in certain countries abroad and for exports to “US subsidiaries”;
2) 740.17(b)(4) (short-range wireless and foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits);
3) 740.17(c) (reexports and transfers by distributors and other companies that are not manufacturers under the same terms as the license exception held by the manufacturer); and
4) 742.15(b)(4) (mass market products that are short-range wireless encryption or foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits).
What Can and What Cannot Be Self-Classified:
Once the company has its “R” number it can self-classify and export:
1) Commodities classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, or ECCN 5B002, and
2) Equivalent or related software classified under ECCN 5D002.
The only items that CANNOT be self-classified are commodities, software or components described in paragraphs (b)(2) or (b)(3) of section 740.17 of the EAR. Some of these are the usual big communications systems and government customized products described for the past several years in 740.17(b)(2) – and called “ENC restricted” by most of industry. However, in its new rule, BIS has added a few new categories to (b)(2) and created brand new categories in (b)(3) that registered exporters cannot self-classify. These are as follows:
The new (b)(2) Categories that cannot be self-classified are:
1) Network infrastructure software, commodities and components providing satellite communications, if they provide transmission over satellite at data rates exceeding 10 Mbps with encryption key lengths exceeding 80 bits for symmetric algorithms;
2) Encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks; and
3) Public safety / first responder radio (e.g., implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards).
Note: by adding these items to (b)(2), BIS has stated that these products not only continue to require a one-time review, but once reviewed, will qualify only for ENC restricted status, meaning they will continue to require a license to government end-users outside the EU and other countries listed in Supplement 3 to part 740 of the EAR (the “License Exception ENC Favorable Treatment Countries”).
The new (b)(3) categories that cannot be self-classified are:
1) Certain components and equivalent or related software as follows:
(A) Chips, chipsets, electronic assemblies and field programmable logic devices;
(B) Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs);
(C) Application-specific hardware or software development kits implementing cryptography.
2) Non-standard (i.e. unpublished or proprietary) encryption: Encryption commodities, software and components that provide or perform “non-standard cryptography.” Non-standard cryptography is defined as:
Any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.
3) Vulnerability analysis/computer forensics: Encryption commodities and software that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:
(A) Automated network analysis, visualization, or packet inspection for profiling network flow, network user or client behavior, or network structure/topology and adapting in real-time to the operating environment; or
(B) Investigation of data leakage, network breaches, and other malicious intrusion activities through triage of captured digital forensic data for law enforcement purposes or in a similarly rigorous evidentiary manner.
4) Cryptographic enabling commodities and software: Commodities, software and components that activate or enable cryptographic functionality in encryption products which would otherwise remain disabled.
This (b)(3) list of what cannot be self-classified still requires a one-time review by BIS and NSA. After the one-time review, however, these (b)(3) items are eligible for export pursuant to License Exception ENC Unrestricted, which means they can be exported and reexported to all countries around the world except the countries listed in Country Group E:1 of Supplement No. 1 to part 740 (http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf), or to prohibited end-users or end-uses.
Reporting Requirements:
As noted above, although manufacturers/exporters who are registered can self-classify and immediately export most encryption products (with the above exceptions), they must file an annual “Self-Classification Report” with BIS. The information that must be answered about each encryption item is:
1) Name of product;
2) Model/series/part number;
3) Primary manufacturer;
4) ECCN (5A002, 5B002, 5D002, 5A992 or 5D992);
5) Encryption authorization (i.e., ‘ENC’ for License Exception ENC or ‘MMKT’ for mass market); and
6) Type descriptor to describe the product (choose one from a list of 49 options).
The self-classification report must be submitted as an attachment to an e-mail to BIS (crypt-supp8@bis.doc.gov) and the ENC Encryption Request Coordinator (enc@nsa.gov) (or on disk or CD). The report has very specific format requirements outlined in Supplement No. 8 to part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv), only.
The report is due on February 1st for the prior calendar year and is only required if the company exported (or reexported) that year. If no information has changed since the previous report, an e-mail must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted.
ANCILLARY CRYPTOGRAPHY ITEMS ARE COMPLETELY DECONTROLLED WHEREAS BEFORE THEY WERE SIMPLY EXEMPTED FROM REVIEW AND REPORTING REQUIREMENTS.
A second major change to the encryption regulations is the complete decontrol of items that use “ancillary cryptography.” Ancillary cryptography is defined as “the incorporation or application of "cryptography" by items that are not primarily useful for computing (including the operation of "digital computers"), communications, networking (includes operation, administration, management and provisioning) or "information security".” Examples include: piracy and theft prevention for software, music, etc.; games and gaming; household utilities and appliances; printing, reproduction, imaging and video recording or playback (but not videoconferencing); business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, and facilities systems controllers, such as fire alarms and HVAC); automotive, aviation and other transportation systems.
Under the prior regulations, these items did not require a one-time review and were not subject to reporting requirements. However, exporters still needed to keep track of these items, which could still be classified under 5A002 or 5D002 and exported under License Exception ENC, and to complete export clearance paperwork (e.g. AES filings) correctly.
This rule completely decontrols such items by adding a new Note 4 to Category 5 of the CCL. This note (see below) removes ancillary cryptography items completely from encryption controls of any sort, making them EAR99 (assuming they do not fall under any other ECCN in the CCL).
To meet the new definition, the following three requirements must be met:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
This change also applies to items that were previously self-classified or classified by BIS as “ancillary cryptography” items after October 3, 2008 (when the ancillary cryptography rule came into being). These items are, upon the effective date of the new rule, no longer classified under Category 5, Part 2. Thus, exporters should re-examine items that were previously 5A002, 5D002, 5A992 or 5D992 by reason of ancillary cryptography and reclassify them as EAR99 (unless another ECCN applies). Since “ancillary cryptography” also covers some other previously excluded items — items that were self-classified or classified by BIS under ECCN 5A992 or 5D992 based on former paragraphs (b), (c) or (h) of the note to ECCN 5A002 [1] — this means these items (classified as 5A992 and 5D992) should also be reclassified as EAR99.
Because of the inclusion of Note 4 to Category 5, the term “ancillary cryptography” has been eliminated from the definition section of the EAR, but one suspects that the export control bar will still use the term as a handy reference.
NEW LICENSE EXCEPTION ENC ELIGIBILITY FOR MOST ENCRYPTION TECHNOLOGY, TO NON-“GOVERNMENT END-USERS” OUTSIDE COUNTRY GROUP D:1 OR E:1
Another change that substantially reduces export controls – and in this case, licensing burdens – is a decontrol on encryption technology that has been reviewed. In section 740.17(b)(2)(iv)(B), encryption technology classified under ECCN 5E002 that has been reviewed may be exported and reexported under License Exception ENC to any non-“government end-user” located in a country not listed in Country Groups D:1 or E:1 of Supplement No. 1 to part 740. (See http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf). Previously, all such exports and reexports of ECCN 5E002 encryption technology to end-users other than U.S. subsidiaries and companies located or headquartered in a country listed in Supplement No. 3 to part 740 required a license. BIS believes that this revision will decrease encryption licensing arrangements (ELAs) and other license applications to export or reexport encryption technology by approximately 60%. Please note, however, that this does NOT apply to certain technology: “cryptanalytic items,” “non-standard cryptography,” or “open cryptographic interfaces”. (See http://www.access.gpo.gov/bis/ear/txt/772.txt for definitions).
Other Odds and Ends Worthy of Note:
- The phrase “one-time review” is dropped: encryption classification requests are now simply called classification requests, just like all others.
- Classification requests filed via SNAP-R do not have to be sent to the Encryption Coordinator at NSA. BIS will do this for you. BUT annual reports have to be submitted to both BIS and NSA.
- Reporting requirements (the requirement that exporters file semi-annual reports on exports of encryption items) have been vastly reduced. While semi-annual reports continue to be required for items that fall under 740.17(b)(2) and digital forensics items described under new section 740.17(b)(3)(iii), they are no longer required for other license exception ENC exports under (b)(3). Exporters need only maintain the customary records required under the Export Administration Regulations.
For further information regarding the above alert please contact the Arent Fox attorney with whom you work or a member of Arent Fox’s International Trade practice group.
Kay C. Georgi
georgi.kay@arentfox.com
202.857.6293
[1] Former paragraphs (b), (c) or (h) of the note to ECCN 5A002 included:
(b) Receiving equipment for radio broadcast, pay television or similar restricted audience broadcast of the consumer type, without digital encryption except that exclusively used for sending the billing or program-related information back to the broadcast providers;
(c) Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following:
(1) Execution of copy-protected "software";
(2) Access to any of the following:
(a) Copy-protected contents stored on read-only media; or
(b) Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) where the media is offered for sale in identical sets to the public;
(3) Copying control of copyright protected audio/video data; or
(4) Encryption and/or decryption for protection of libraries, design attributes, or associated data for the design of semiconductor devices or integrated circuits;
(h) Equipment specially designed for the servicing of portable or mobile radiotelephones and similar client wireless devices.