[Federal Register Volume 67, Number 109 (Thursday, June 6, 2002)]
[Rules and Regulations]
[Pages 38855-38869]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-13990]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774

[Docket No. 020502105-2105-01]
RIN 0694-AC61


Revisions and Clarifications to Encryption Controls in the Export 
Administration Regulations--Implementation of Changes in Category 5, 
Part 2 (``Information Security''), of the Wassenaar Arrangement List of 
Dual-Use Goods and Other Technologies

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: This rule amends the Export Administration Regulations (EAR) 
to reflect changes made to the Wassenaar Arrangement List of dual-use 
items, and to update and clarify other provisions of the EAR pertaining 
to encryption export controls. Consistent with the Wassenaar changes, 
Note No. 3 (``Cryptography Note'') to Category 5--part II (Information 
Security) of the Commerce Control List (CCL) is amended to allow mass 
market treatment for all encryption products, including products with 
symmetric algorithms employing key lengths greater than 64-bits, that 
previously were not eligible for mass market treatment. As a result, 
for the first time, mass market encryption commodities and software 
with symmetric key lengths exceeding 64 bits may be exported and 
reexported to most destinations without a license under Export Control 
Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day 
review by the Bureau of Industry and Security (BIS) (formerly the 
Bureau of Export Administration (BXA)). In addition, this rule, for the 
first time, allows equipment controlled under ECCN 5B002 to be exported 
and reexported under License Exception ENC. For all other information 
security items, including encryption source code that would be 
considered publicly available, this rule updates and clarifies existing 
notification, review, licensing and post-export reporting requirements. 
Restrictions on exports and reexports of encryption items to terrorist-
supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria), their nationals and other sanctioned persons (individuals and 
entities) are not changed by this rule.

DATES: This rule is effective June 6, 2002.

FOR FURTHER INFORMATION CONTACT: Norman E. LaCroix, Office of Strategic 
Trade and Foreign Policy Controls, Bureau of Industry and Security, 
Telephone: (202) 482-4439.

SUPPLEMENTARY INFORMATION:

Background

    On October 19, 2000, the United States updated its encryption 
export regulations to provide consistent treatment with regulations 
adopted by the European Union (EU) easing export and reexport 
restrictions among the 15 EU member states and Australia, Czech 
Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland. 
Subsequent to the publication of this amendment to the Export 
Administration Regulations (EAR), the member nations of the Wassenaar 
Arrangement agreed to remove key length restrictions on encryption 
hardware and software that is subject to the Cryptography Note (Note 
No. 3) to Category 5--part II (Information Security) of the Commerce 
Control List (CCL). This action effectively removed ``mass market'' 
encryption products from the list of dual-use items controlled by the 
Wassenaar Arrangement.
    The U.S. encryption export control policy continues to rest on 
three principles: review of encryption products prior to sale, 
streamlined post-export reporting, and license review of certain 
exports of strong encryption to foreign government end-users. 
Consistent with these principles, this amendment updates the U.S. 
encryption export control policy in several areas.
    For ``mass market'' encryption hardware and software products, this 
rule removes Encryption Item (``EI'') and National Security (``NS'') 
controls on such products after a 30-day review. As a result of the 
removal of these controls, these items may be exported without regard 
to any post-shipment reporting requirements. In addition, the standard 
de minimis treatment for foreign products containing such encryption 
products applies, i.e., exports from a foreign 
country of foreign-made products containing 25 percent or less of 
controlled U.S. content are not subject to the EAR, except to embargoed 
and designated terrorist supporting countries. For other encryption 
items, this rule clarifies the existing provisions under License 
Exceptions ENC and TSU. In addition, this rule clarifies existing 
review requirements for certain encryption items such as commercial 
encryption products that implement elliptic curve cryptography, perform 
short-range wireless functions, or incorporate encryption source code 
that would be considered publicly available. Finally, this rule amends 
the EAR by adding new paragraph headers, updating cross-references 
between relevant sections of the EAR, and restructuring existing 
provisions for clarity.
    This rule does not change any other existing licensing requirements 
for encryption items, including encryption technology and items that 
provide an open cryptographic interface (OCI).
    This action will continue to protect our national security and 
foreign policy interests without impairing the ability of U.S. 
companies to compete effectively in global markets. It also will 
promote secure electronic commerce and privacy, and help to protect our 
critical infrastructure.
    The EAR is amended as follows:
    1. Revised instructions for submitting encryption items for review 
to determine eligibility under License Exception ENC or for ``mass 
market'' treatment. Except to embargoed or designated terrorist 
supporting countries and sanctioned persons, you may be able to export 
and reexport your encryption item without a license, after your item is 
reviewed by the Bureau of Industry and Security (BIS) and the ENC 
Encryption Request Coordinator. For encryption items under License 
Exception ENC, and for mass market encryption products with symmetric 
key length exceeding 64 bits, a review request must contain: (1) A 
completed BIS-748P hardcopy form or an equivalent electronic SNAP form 
(both capture general information about the review request, such as the 
name of the item, manufacturer, ECCN and a brief commodity 
description), and (2) support documentation containing technical 
specifications of the item, including answers to the questions set 
forth in Supplement No. 6 to part 742. To clarify that separate 
classification by BIS is not required, previous references to 
``classification'' in Secs. 732.2, 732.3, 734.4, 740.17, 742.15, 
Supplement No. 6 to Part 742, 748.3 and 770.2 are revised to read 
``review''. Exporters are instructed to insert the phrase ``Mass market 
encryption'' or ``License Exception ENC'' (whichever is applicable) in 
Block 9 (``Special Purpose'') of the application form. Failure to 
insert the appropriate phrase may delay receipt of your request by BIS. 
(For compatibility with current application processing systems, 
exporters should continue to place an ``X'' in the box marked 
``Classification Request'' in Block 5: ``Type of Application''.) A copy 
of your review request must also be sent to the ENC Encryption Request 
Coordinator, via courier or mail. Insufficient or missing documentation 
may delay or interrupt your authority to export and reexport your 
encryption item. A fax number is now published for review requests 
submitted to BIS via SNAP. Refer to Supplement No. 6 to part 742 and 
Secs. 740.17(d), 742.15(b)(2) and 748.3(d) for information on 
submitting encryption review requests.
    2. Clarification of review and notification requirements. Except as 
elsewhere specified in the EAR, a license or review by BIS is required 
for encryption items with symmetric key length exceeding 64 bits. In 
multiple sections, the EAR is amended to clarify when a review or 
notification is (or is not) required.
    a. Clarification of when no review or notification is required. i. 
U.S. companies and subsidiaries. Items controlled under Category 5--
part II of the Commerce Control List (ECCNs 5A002, 5B002, 5D002, 5E002, 
5A992, 5D992 and 5E992) may be exported and reexported, without review 
or notification, to U.S. companies and their subsidiaries for internal 
use, including the development of new products inside and outside the 
United States by their employees, contractors and interns. Existing 
restrictions on exports and reexports of encryption items to the 
countries and foreign nationals of Cuba, Iran, Iraq, Libya, North 
Korea, Syria or Sudan continue to apply. Refer to Secs. 740.17(b)(1) 
and 742.15(b)(3)(i) of the EAR. Exports and reexports to foreign 
companies with subsidiary locations in the United States, and to 
foreign strategic partners of U.S. companies, will continue to be 
favorably considered under a license or an Encryption Licensing 
Arrangement (ELA). Refer to Sec. 742.15(a) of the EAR.
    ii. Certain short-range wireless items. No review or notification 
is required for short-range wireless products (e.g. with an operating 
range typically not exceeding 100 meters) that qualify as ``mass 
market'' and are only controlled under Category 5--part II of the CCL 
because they incorporate parts or components with encryption 
functionality specified and limited to short-range wireless functions 
based on such commercial standards as Bluetooth, Home Radio Frequency 
(HomeRF) and IEEE 802.11b (``WiFi''). This provision for mass market 
products is found in Sec. 742.15(b)(3)(ii). A similar existing 
provision for ``retail'' short-range wireless products continues under 
License Exception ENC. See Sec. 740.17(b)(3)(iii)(H).
    iii. Certain items with limited use of cryptography. This rule 
clarifies that no review or notification is required for information 
security items which employ limited forms of cryptography, but which do 
not perform encryption functions (including key management) controlled 
for ``EI'' reasons under ECCNs 5A002, 5D002 or 5E002. These items are 
controlled under ECCNs 5A992, 5D992 and 5E992, regardless of bit length 
or whether they are ``mass market''. See Sec. 742.15(b)(3)(iii). Such 
items include items with cryptographic functions limited to 
authentication (including secure hash functions and message 
authentication codes) or digital signature, execution of copy protected 
software, commercial civil cellular telephones not capable of end-to-
end encryption, and ``finance specific'' items specially designed and 
limited for banking use or money transactions (e.g. highly field-
formatted with validation procedures and not easily diverted to other 
end-uses). Refer to the Related Controls and Technical Notes under ECCN 
5A002 in the CCL (part 774 of the EAR) for a complete list of 
commodities.

    Note: Previous references specific to ``finance specific'' items 
under the ``retail'' provisions of License Exception ENC are removed 
for clarity (Sec. 740.17(b)(3)). Products which may have end uses 
related to financial operations (e.g. supply chain management), but 
which are not limited by design to banking use or money 
transactions, remain subject to ``EI'' controls under ECCNs 5A002 
and 5D002 and continue to be eligible for export and reexport as 
``retail'' encryption commodities and software, after review by BIS 
under License Exception ENC.

    b. Clarification of when a review is required. i. Review under 
License Exception ENC. Encryption items controlled under ECCNs 5A002, 
5D002 and 5E002, and equipment controlled under ECCN 5B002, require 
review by BIS prior to export and reexport under 
the updated provisions of License Exception ENC (Sec. 740.17 of the 
EAR). Once BIS receives the information required for review (as 
described in Supplement No. 6 to part 742 of the EAR), you may export 
and reexport all such items (except cryptanalytic items to government 
end-users) to organizations and companies located or headquartered in 
the European Union plus eight additional countries. See Sec. 740.17(a). 
Thirty days after BIS registers your review request, you may export and 
reexport any encryption item, except those which provide an open 
cryptographic interface (OCI), to any non-government end-user except 
those in Cuba, Iran, Iraq, Libya, North Korea, Syria or Sudan. In 
addition, commodities and software that do not qualify as ``mass 
market'' but which qualify as ``retail'' may be exported and reexported 
to government end-users, once so authorized by BIS. See 
Sec. 740.17(b)(3) of the EAR for the treatment of ``retail'' encryption 
commodities and software, and Sec. 740.17(b)(2) for commodities and 
software that are not eligible as retail. Products not eligible as 
retail require a license to government end-users, except as authorized 
under Sec. 740.17(a). Encryption technology controlled under ECCN 5E002 
and items which provide an OCI are not authorized for export or 
reexport under Sec. 740.17(b)(2) or (b)(3) and require a license to any 
end-user outside the countries listed in Supplement No. 3 to part 740. 
Exports and reexports of products reviewed by BIS under License 
Exception ENC may require reporting, as described in Sec. 740.17(e). 
License Exception ENC is amended with new paragraph headers and updated 
text, for clarity.
    ii. Review for mass market encryption products exceeding 64 bits. 
Encryption commodities and software that qualify for ``mass market'' 
treatment under the Cryptography Note (Note 3) to part II of Category 5 
of the CCL, and which implement encryption with symmetric key length 
exceeding 64-bits, require review by BIS prior to export and reexport. 
These No License Required (NLR) products are removed from ``EI'' and 
``NS'' controls, are controlled under ECCNs 5A992 and 5D992, and remain 
subject to the EAR. Similar to encryption items under License Exception 
ENC, you may immediately export and reexport >64 bit mass 
market encryption products to organizations and companies located or 
headquartered in the European Union plus eight additional countries. 
Thirty days after BIS receives your review request, you may export and 
reexport your mass market encryption product to any end-user (except 
embargoed or designated terrorist supporting countries and sanctioned 
persons), without post-export reporting or additional national security 
review for de minimis eligibility. All existing restrictions and 
licensing requirements to embargoed or designated terrorist supporting 
countries (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) and 
sanctioned persons are continued by this amendment. Posting of mass 
market encryption software on the Internet (e.g., FTP or World Wide Web 
site) where it may be downloaded by anyone would not establish 
``knowledge'' of a prohibited export or reexport. In addition, such 
posting would not trigger ``red flags'' necessitating the affirmative 
duty to inquire under the ``Know Your Customer'' guidance provided in 
Supplement No. 3 to part 732 of the EAR. See Sec. 742.15(b)(2) and 
Supplement No. 6 to part 742 of the EAR for requirements, procedures 
and instructions for requesting review. See Secs. 734.2, 734.3, 734.7, 
734.8, 734.9, 740.13, 740.13(d) and 742.15(b) for other revisions to 
the EAR which reflect these changes in ECCN and reasons for control for 
>64 bit mass market encryption commodities and software.
    c. Clarification of when a notification is required. i. Encryption 
source code that would be considered publicly available, and 
corresponding object code. This rule simplifies U.S. export treatment 
of encryption source code that would be considered publicly available, 
by allowing all such source code (and corresponding object code) to be 
exported and reexported under License Exception TSU once notification 
(or a copy of the source code) is provided to BIS, regardless of 
whether a fee or royalty is charged for the commercial production or 
sale of products developed using this software. Refer to 
Sec. 740.13(e). This rule further clarifies that these license 
exception provisions do not extend to any encryption software that has 
not been made publicly available, including such encryption software 
that incorporates or is specially designed to use publicly available 
encryption software components (ref: Sec. 740.13(e) (3)). Such 
encryption software may instead be exported and reexported under 
License Exception ENC, subject to the terms and conditions set forth in 
Sec. 740.17 of the EAR. See Secs. 740.17(b)(2)(ii) and (iii) for 
specific provisions relating to such encryption source code and general 
purpose toolkits. Previous references to commercial encryption source 
code under License Exception ENC (i.e., Sec. 740.17(b)(4) prior to this 
amendment) are subsumed by these streamlined and clarified provisions 
of the EAR.
    ii. 56 bit encryption items (including 512-bit asymmetric and 112-
bit elliptic curve algorithms), and mass market encryption products not 
exceeding 64 bits. This rule clarifies that, in addition to mass market 
encryption commodities and software with key lengths not exceeding 64 
bits for the symmetric algorithm, other encryption items with key 
lengths not exceeding 56 bits for symmetric algorithms, 512 bits for 
asymmetric key exchange algorithms, and 112 bits for elliptic curve 
algorithms may be immediately exported and reexported No License 
Required (except to embargoed or designated terrorist supporting 
countries and sanctioned persons), upon notification to BIS. See 
Sec. 742.15(b)(1).
    The EAR is further amended by the following revisions:
    3. Clarification of beta test software requirements in License 
Exception TMP. In Sec. 740.9 (Temporary imports, exports and reexports 
(TMP)), existing provisions for beta test encryption software are 
restructured for clarity, and new paragraph headings are added.
    4. Clarification of License Exception ENC requirements. In 
Sec. 740.17 (Encryption Commodities and Software (ENC)), existing 
provisions are restructured for clarity, and new paragraph headings are 
added. Subject to the terms and conditions set forth therein, License 
Exception ENC applies to encryption items that do not qualify for 
``mass market'' treatment.
    a. Sec. 740.17(a) (Exports and reexports to countries listed in 
Supplement 3 to part 740) is revised to allow the export and reexport 
of equipment controlled under ECCN 5B002 to the European Union plus 
eight additional countries, under License Exception ENC. Now, all items 
controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, except 
cryptanalytic items to government end-users, are eligible under this 
provision of the EAR. This includes items that provide an open 
cryptographic interface (OCI).
    b. Sec. 740.17(b)(1) (Encryption items for U.S. subsidiaries) is 
revised to allow equipment controlled under ECCN 5B002 to U.S. 
companies and their subsidiaries under License Exception ENC. All items 
controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, including those 
which provide an OCI, are eligible under this provision without review 
or notification.
    c. Sec. 740.17(b)(2) (Encryption commodities and software to non-
government end-users) is revised for 
clarity. All items controlled under ECCNs 5A002, 5B002 and 5D002, 
except items that provide an OCI, may be exported to non-government 
end-users 30 days after BIS receives a completed review request. This 
includes network infrastructure products, encryption source code 
(immediately eligible once the review request, including a copy of the 
source code, is submitted), general purpose toolkits, cryptanalytic 
items, and other items that do not qualify for ``mass market'' or 
``retail'' treatment. This amendment also clarifies that the EAR 
imposes no additional restrictions on Internet and telecommunications 
service providers. Exports and reexports of network infrastructure 
commodities, software and technology to government end-users outside 
the countries listed in Supplement No. 3 to part 740 continue to 
require a license.
    d. Sec. 740.17(b)(3) (Retail encryption commodities, software and 
components to government and non-government end-users) is revised and 
restructured for clarity. New paragraph headers are added, and existing 
provisions are consolidated. This paragraph clarifies that the 
following are among the examples of encryption products eligible for 
retail treatment under License Exception ENC:
    i. Encryption commodities and software (including key management 
products) with key lengths not exceeding 64 bits for symmetric 
algorithms, 1024 bits for asymmetric algorithms, and 160 bits for 
elliptic curve algorithms (see Sec. 740.17(b)(3)(ii)(A));
    ii. Encryption commodities and software which are limited to 
allowing foreign-developed encryption products to operate with U.S. 
products, or which activate encryption functions in other retail 
products (when the encryption would otherwise remain inoperable, 
``dormant'' or disabled) (see Secs. 740.17(b)(3)(ii)(C)-(D));
    iii. Low-end virtual private networking (VPN) equipment (e.g. with 
encrypted throughput not exceeding 10 Mbps, or supporting no more than 
100 concurrent encrypted tunnels) (see Sec. 740.17(b)(3)(iii)(C));
    iv. Applets and web portal software implementing Secure Socket 
Layer (SSL) encryption (see Sec. 740.17(b)(3)(iii)(F));
    v. Network and security management products designed for, bundled 
with, or pre-loaded on single CPU computers, low-end servers or retail 
networking products (see Sec. 740.17(b)(3)(iii)(G)); and
    vi. Short-range wireless components and software (e.g. with an 
operating range typically not exceeding 100 meters) based on such 
commercial standards as Bluetooth, Home Radio Frequency (HomeRF) and IEEE 802.11b 
(``WiFi'') (see Sec. 740.17(b)(3)(iii)(H));
    e. In Sec. 740.17(b)(4), previous provisions regarding commercial 
encryption source code are now subsumed by updated provisions for:
    i. Encryption source code (and corresponding object code) which 
would be considered publicly available (refer to Sec. 740.13(e) of the 
EAR); and
    ii. Encryption source code which would not be considered publicly 
available (i.e., ``company proprietary'' encryption source code). See 
Sec. 740.17(b)(2)(ii).
    This paragraph (b)(4) now cross-references the de minimis 
provisions of Sec. 734.4 for encryption items controlled under ECCNs 
5A002 and 5D002.
    f. Previous references to cryptographic interfaces in former 
Sec. 740.17(b)(5) are now incorporated into the general provisions of 
License Exception ENC. See Sec. 740.17(a) for cryptographic interface 
items to the European Union plus eight additional countries, and refer 
to Sec. 740.17(b)(1) for U.S. subsidiaries. Products which are used to 
establish a closed cryptographic interface (e.g. signing) continue to 
be treated as ``retail'' (see Sec. 740.17(b)(3)(ii)(C)).
    g. In Sec. 740.17(c) (Reexports and transfers), this rule clarifies 
that foreign-developed products which are designed to operate with U.S. 
products through a cryptographic interface are subject to the EAR, but 
do not require review by BIS.
    h. In Sec. 740.17(d) (Review requirement), instructions and 
procedures for submitting review requests for encryption items under 
License Exception ENC are updated and clarified.
    i. In Secs. 740.17(d)(2) and (3)(i), existing grandfathering and 
key length increase provisions are revised, for clarity and consistency 
with Secs. 740.17(a), (b)(2) and (b)(3).
    j. Sec. 740.17(e) (Reporting requirements) is restructured for 
clarity. This rule clarifies that the requirements to report foreign 
products developed from U.S. source code and toolkits apply only if you 
know when the foreign product is made available for commercial sale. 
See Sec. 740.17(e)(3). The previous reporting exemption for ``finance-
specific products'' is removed from this section, to clarify that these 
products may be exported and reexported (except to embargoed or 
designated terrorist supporting countries and sanctioned persons) under 
ECCNs 5A992 and 5D992, without review by BIS. Refer to 
Sec. 742.15(b)(3)(iii). This clarification is made for consistency with 
the Wassenaar Arrangement list of dual-use items. Reporting exemptions 
previously listed under Sec. 740.17(e)(1) are now listed under 
Sec. 740.17(e)(4).
    5. Clarification of licensing requirements and policies for 
encryption items. In Sec. 742.15(a) (Licensing requirements and 
policy), existing U.S. licensing requirements and licensing policy 
provisions, including those pertaining to encryption items under 
Encryption Licensing Arrangements, are consolidated into clarified 
provisions Sec. 742.15(a)(1)(i) (Licensing requirements) and 
Sec. 742.15(a)(1)(ii) (Licensing policy).
    6. Clarification of notification and review requirements for 
encryption items controlled under ECCN 5A992, 5D992, or 5E992. 
Sec. 742.15(b) (Notification and review requirements for encryption 
items controlled under ECCNs 5A992, 5D992 and 5E992) clarifies when 
notification or review is required for encryption items not controlled 
for ``EI'' and ``NS'' reasons under ECCNs 5A002, 5D002 or 5E002.
    i. In Sec. 742.15(b)(1), notification requirements for certain 
encryption items with restricted bit lengths are clarified.
    ii. In Sec. 742.15(b)(2), review requirements for >64 bit 
mass market encryption products are established.
    iii. In Sec. 742.15(b)(3), transactions and items which do not 
require review or notification are described.
    iv. Sec. 742.15(b)(4) clarifies that commodities, software and 
components which activate encryption functions in 56-bit or mass-market 
products (when the encryption would otherwise remain inoperable, 
``dormant'' or disabled), are also controlled under ECCNs 5A992 and 
5D992. Commodities and software that ``activate'' dormant 56-bit 
encryption require notification under Sec. 742.15(b)(1), while 
commodities and software that ``enable'' mass market products to 
perform encryption exceeding 64 bits for the symmetric algorithm 
require review under Sec. 742.15(b)(2).

    Note: ``Activation'' commodities and software that enable ``EI'' 
controlled encryption functionality (e.g. 128-bit encryption of 
network infrastructure data communications) are controlled under 
ECCNs 5A002 and 5D002, and require review under License Exception 
ENC. Refer to Sec. 740.17 of the EAR. Note that, once an encryption 
item is activated with ``EI'' controlled encryption functionality, 
the item is controlled under ECCN 5A002 (if hardware) or 5D002 (if 
software) and may no longer be exported No License Required under 
ECCNs 5A992 or 5D992.

    v. In Sec. 742.15(b)(5), an illustrative, but by no means 
exhaustive, list of mass market encryption products is provided.

    7. Clarification of documentation requirements for submitting 
review requests for encryption items. In Supplement No. 6 to part 742 
(Guidelines for Submitting Support Documentation Required for Review 
Requests for Encryption Items), instructions to exporters are updated 
and clarified. Exporters are instructed to insert the appropriate 
phrase ``Mass market encryption'' or ``License Exception ENC'' in Block 
9 (``Special Purpose'') of the review request. (For compatibility with 
current application processing systems, exporters should continue to 
place an ``X'' in the box marked ``Classification Request'' in Block 5: 
``Type of Application''.) Support documentation described in this 
Supplement is required for the review of encryption items.
    8. Clarification to distinguish encryption review requests from 
classification requests. In Sec. 748.3 (Classification Requests, Review 
Requests and Advisory Opinions), existing paragraph (b)(3) is removed 
and replaced with a new paragraph (d) (``Review requests for encryption 
items''), to clarify that the process for reviewing encryption items by 
BIS, in conjunction with the ENC Encryption Request Coordinator, 
obviates the need for separate classification by BIS.
    9. Definition of ``cryptanalytic items'' clarified. In Sec. 772.1 
(Definition of Terms), the definition of ``cryptanalytic items'' is 
updated to incorporate the previous EAR definition of ``cryptanalytic 
functions''. A technical note is also added to clarify that 
``cryptanalytic items'' does not include software designed and limited 
to protect against malicious computer damage or unauthorized system 
intrusion (e.g., viruses, worms and trojan horses). Such software is 
controlled under ECCN 5D992.c.
    10. Revisions to the Cryptography Note and to the explanatory notes 
in ECCN 5D002. In Supplement No. 1 to part 774 (the Commerce Control 
List), the previous 64 bit restriction to the Cryptography Note (Note 
3) to Category 5--part II is removed, consistent with the Wassenaar 
Arrangement list of dual-use items. Explanatory notes to ECCN 5D002 
``Information Security--Software'' are updated, for consistency with 
the other revised sections of this amendment.

Rulemaking Requirements

    1. This rule has been determined to be not significant for purposes 
of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with, a collection of information subject to the 
requirements of the Paperwork Reduction Act, unless that collection of 
information displays a currently valid OMB Control Number. This rule 
involves collections of information subject to the requirements of the 
Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These 
collections have been approved by the Office of Management and Budget 
under Control Numbers 0694-0088, ``Multi-Purpose Application,'' and 
0694-0104, ``Commercial Encryption Items Transferred from the 
Department of State to the Department of Commerce.'' Collection 0694-
0088 carries a burden hour estimate of 45 minutes per manual submission 
and 40 minutes per electronic submission. Miscellaneous and 
recordkeeping activities account for 12 minutes per submission. For 
collection 0694-0104, it is estimated that companies will take 5 
minutes to complete notifications for source code under License 
Exception TSU. It will take companies 15 minutes to complete upgrade 
notifications. For reporting under License Exception ENC and licenses 
for encryption items, it will take companies 8 hours to complete semi-
annual reporting requirements. Send comments regarding these burden 
estimates or any other aspect of these collections of information, 
including suggestions for reducing the burden, to OMB Desk Officer, New 
Executive Office Building, Washington, DC 20503; and to the Regulatory 
Policy Division, Bureau of Industry and Security, Department of 
Commerce, P.O. Box 273, Washington, DC 20044.
    3. This rule does not contain policies with Federalism implications 
as that term is defined in Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
other law requires that a notice of proposed rulemaking and an 
opportunity for public comment be given for this interim final rule. 
Because a notice of proposed rulemaking and an opportunity for public 
comment are not required to be given for this rule under 5 U.S.C. 553 
or by any other law, the analytical requirements of the Regulatory 
Flexibility Act (5 U.S.C. 601 et seq.) are not applicable.
    Therefore, this regulation is issued in interim final form. 
Although there is no formal comment period, public comments on this 
regulation are welcome on a continuing basis. Comments should be 
submitted to Willard Fisher, Regulatory Policy Division, Bureau of 
Industry and Security, U.S. Department of Commerce, Room 2705, 14th 
Street and Pennsylvania Avenue, NW., Washington, DC 20230.

List of Subjects

15 CFR Parts 732, 740, and 748

    Administrative practice and procedure, Exports, Foreign trade, 
Reporting and recordkeeping requirements.

15 CFR Parts 734 and 738

    Administrative practice and procedure, Exports, Foreign trade.

15 CFR Parts 742, 770, and 772

    Exports, Foreign trade.

15 CFR Part 774

    Exports, Foreign trade, Reporting and recordkeeping requirements.

    Accordingly, Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774 
of the Export Administration Regulations (15 CFR Parts 730-799) are 
amended as follows:
    1. The authority citation for 15 CFR Part 732 is revised to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 
FR 44025, August 22, 2001.


    1a. The authority citation for 15 CFR Parts 740 and 748 continues 
to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 
FR 44025, August 22, 2001.

    2. The authority citation for 15 CFR Part 734 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12938, 59 FR 59099, 3 CFR 1994 Comp., p. 950; E.O. 13020, 61 FR 
54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001; Notice 
of November 9, 2001, 66 FR 56965, November 13, 2001.

    3. The authority citation for 15 CFR Part 738 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. 
app. 466c; 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec. 
221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; E.O. 13222, 66 FR 44025, August 22, 2001.


[[Page 38860]]


    4. The authority citation for 15 CFR Part 742 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 12058, 
43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 
CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., 
p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 
13222, 66 FR 44025, August 22, 2001; Notice of November 9, 2001, 66 
FR 56965, November 13, 2001.

    5. The authority citation for 15 CFR Part 770 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, August 22, 2001.

    5a. The authority citation for 15 CFR Part 772 is revised to read 
as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, August 22, 2001.

    6. The authority citation for 15 CFR Part 774 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
287(c); 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. 
app. 466(c); 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec. 
221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; E.O. 13222, 66 FR 44025, August 22, 2001.

PART 732--[AMENDED]

    7. Section 732.2 is amended by revising the introductory text of 
paragraph (d) to read as follows:


Sec. 732.2  Steps regarding scope of the EAR.

* * * * *
    (d) Step 4: Foreign-made items incorporating less than the de 
minimis level of U.S. parts, components, and materials. This step is 
appropriate only for items that are made outside the United States and 
not currently in the United States. Note that the following encryption 
items are subject to the EAR even if they incorporate less than the de 
minimis level of U.S. content: encryption items controlled for ``EI'' 
reasons under ECCN 5A002, 5D002 or 5E002 on the Commerce Control List 
(Supplement No. 1 to Part 774 of the EAR) and mass market encryption 
commodities and software, described in the Cryptography Note (Note 3) 
in Category 5--Part 2 (``Information Security'') of the Commerce 
Control List, that have not been reviewed by BIS and released from the 
``EI'' and ``NS'' controls of ECCN 5A002 or 5D002 in accordance with 
the requirements described in Sec. 742.15(b)(2) of the EAR. Exporters 
may, as part of a review request, ask that certain 5A002 and 5D002 
parts, components and software also be made eligible for de minimis 
treatment (see Sec. 734.4(b) of the EAR). The review of de minimis 
eligibility will take into account U.S. national security interests.
* * * * *

    8. Section 732.3 is amended by revising paragraph (e)(2) to read as 
follows:


Sec. 732.3  Steps regarding the ten general prohibitions.

* * * * *
    (e) * * *
    (2) Guidance for calculations. For guidance on how to calculate the 
U.S.-controlled content, refer to Supplement No. 2 to part 734 of the 
EAR. Note that under certain rules issued by the Office of Foreign 
Assets Control, certain exports from abroad by U.S.-owned or controlled 
entities may be prohibited notwithstanding the de minimis provisions of 
the EAR. In addition, the de minimis exclusions from the parts and 
components rule do not relieve U.S. persons of the obligation to 
refrain from supporting the proliferation of weapons of mass-
destruction and missiles as provided in General Prohibition Seven (U.S. 
Person Proliferation Activity) described in Sec. 736.2(b)(7) of the 
EAR. Note that foreign-made items that incorporate U.S.-origin items 
controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 on the 
Commerce Control List (Supplement No. 1 to Part 774 of the EAR) are 
subject to the EAR even if they incorporate less than the de minimis 
level of U.S. content. However, exporters may, as part of a review 
request, ask that certain 5A002 and 5D002 parts, components and 
software also be made eligible for de minimis treatment (see 
Sec. 734.4(b) of the EAR).
* * * * *

PART 734--[AMENDED]

    9. Section 734.2 is amended by revising paragraph (b)(9)(ii) and 
the introductory text of paragraph (b)(9)(iii) to read as follows:


Sec. 734.2  Important EAR terms and principles.

* * * * *
    (b) * * *
    (9) * * *
    (i) * * *
    (ii) The export of encryption source code and object code software 
controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control 
List (see Supplement No. 1 to part 774 of the EAR) includes 
downloading, or causing the downloading of, such software to locations 
(including electronic bulletin boards, Internet file transfer protocol, 
and World Wide Web sites) outside the U.S., or making such software 
available for transfer outside the United States, over wire, cable, 
radio, electro-magnetic, photo optical, photoelectric or other 
comparable communications facilities accessible to persons outside the 
United States, including transfers from electronic bulletin boards, 
Internet file transfer protocol and World Wide Web sites, unless the 
person making the software available takes precautions adequate to 
prevent unauthorized transfer of such code. See Sec. 740.13(e) of the 
EAR for notification requirements for exports or reexports of 
encryption source code and object code software considered to be 
publicly available consistent with the provisions of Sec. 734.3(b)(3) 
of the EAR.
    (iii) Subject to the General Prohibitions described in part 736 of 
the EAR, such precautions for Internet transfers of products eligible 
for export under Sec. 740.17 (b)(2) of the EAR (encryption software 
products, certain encryption source code and general purpose encryption 
toolkits) shall include such measures as:
* * * * *

    10. Section 734.3 is amended by revising paragraph (b)(3) 
introductory text to read as follows:


Sec. 734.3  Items subject to the EAR.

* * * * *
    (b) * * *
    (3) Publicly available technology and software, except software 
controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control 
List and mass market encryption software with symmetric key length 
exceeding 64-bits controlled under ECCN 5D992, that:
* * * * *

    11. Section 734.4 is amended by revising paragraph (b) to read as 
follows:


Sec. 734.4  De minimis U.S. content.

* * * * *
    (b) There is no de minimis level for foreign-made items that 
incorporate U.S.-origin items controlled for ``EI'' reasons under ECCN 
5A002, 5D002 or 5E002 on the Commerce Control List (Supplement No. 1 to 
Part 774 of the EAR). However, exporters may, as part of an encryption 
review request, ask that software controlled under ECCN 5D002 and 
eligible for export under the ``retail'' or ``source code'' provisions 
of license exception ENC, and parts and components controlled under 
ECCN 5A002, be made eligible for de minimis

[[Page 38861]]

treatment. The review of de minimis eligibility will take U.S. national 
security interests into account. Certain encryption items controlled 
under ECCNs 5A992, 5D992 and 5E992 are not eligible for de minimis 
treatment, unless exporters have complied with the applicable 
notification or review requirements described in Sec. 742.15(b)(1) and 
(b)(2) of the EAR. Encryption items controlled by ECCN 5A992, 5D992 or 
5E992 and described in Sec. 742.15(b)(3) of the EAR are not subject to 
these notification or review requirements.
* * * * *

    12. Section 734.7 is amended by revising paragraph (c) to read as 
follows:


Sec. 734.7  Published information and software.

* * * * *
    (c) Notwithstanding paragraphs (a) and (b) of this section, note 
that encryption software controlled under ECCN 5D002 for ``EI'' reasons 
on the Commerce Control List and mass market encryption software with 
symmetric key length exceeding 64-bits controlled under ECCN 5D992 
remain subject to the EAR. See Sec. 740.13(e) of the EAR for certain 
exports and reexports under license exception.

    13. Section 734.8 is amended by revising paragraph (a) to read as 
follows:


Sec. 734.8  Information resulting from fundamental research.

    (a) Fundamental research. Paragraphs (b) through (d) of this 
section and Sec. 734.11 of this part provide specific rules that will 
be used to determine whether research in particular institutional 
contexts qualifies as ``fundamental research''. The intent behind these 
rules is to identify as ``fundamental research'' basic and applied 
research in science and engineering, where the resulting information is 
ordinarily published and shared broadly within the scientific 
community. Such research can be distinguished from proprietary research 
and from industrial development, design, production, and product 
utilization, the results of which ordinarily are restricted for 
proprietary reasons or specific national security reasons as defined in 
Sec. 734.11(b) of this part. (See Supplement No. 1 to this part, 
Question D(8)). Note that the provisions of this section do not apply 
to encryption software controlled under ECCN 5D002 for ``EI'' reasons 
on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR) 
or to mass market encryption software with symmetric key length 
exceeding 64-bits controlled under ECCN 5D992. See Sec. 740.13(e) of 
the EAR for certain exports and reexports under license exception.
* * * * *

    14. Section 734.9 is revised to read as follows:


Sec. 734.9  Educational Information.

    ``Educational information'' referred to in Sec. 734.3(b)(3)(iii) of 
this part is not subject to the EAR if it is released by instruction in 
catalog courses and associated teaching laboratories of academic 
institutions. Dissertation research is discussed in Sec. 734.8(b) of 
this part. (Refer to Supplement No. 1 to this part, Question C(1) 
through C(6)). Note that the provisions of this section do not apply to 
encryption software controlled under ECCN 5D002 for ``EI'' reasons on 
the Commerce Control List or to mass market encryption software with 
symmetric key length exceeding 64-bits controlled under ECCN 5D992. See 
Sec. 740.13(e) of the EAR for certain exports and reexports under 
license exception.

    15. Section 738.4 is amended by revising paragraph (a)(2)(ii)(B) to 
read as follows:


Sec. 738.4  Determining whether a license is required.

    (a) * * *
    (2) * * *
    (ii) * * *
    (B) If no, a license is not required based on the particular Reason 
for Control and destination. Provided that General Prohibitions Four 
through Ten do not apply to your proposed transaction and that any 
applicable notification or review requirements described in 
Sec. 742.15(b)(1) and (b)(2) of the EAR have been met for certain 
encryption items controlled under ECCNs 5A992, 5D992 and 5E992, you may 
effect your shipment using the symbol ``NLR''. Proceed to parts 758 and 
762 of the EAR for information on export clearance procedures and 
recordkeeping requirements. Note that although you may stop after 
determining a license is required based on the first Reason for 
Control, it is best to work through each applicable Reason for Control. 
A full analysis of every possible licensing requirement based on each 
applicable Reason for Control is required to determine the most 
advantageous License Exception available for your particular 
transaction and, if a license is required, ascertain the scope of 
review conducted by BIS on your license application.
* * * * *

PART 740--[AMENDED]

    16. Section 740.9 is amended by revising paragraph (c) to read as 
follows:


Sec. 740.9  Temporary imports, exports and reexports (TMP).

* * * * *
    (c) Exports of beta test software. (1) Scope. The provisions of 
this paragraph (c) authorize exports and reexports to eligible 
countries of beta test software intended for distribution to the 
general public.
    (2) Eligible countries. Encryption software controlled under ECCN 
5D002 is not eligible for export or reexport to Cuba, Iran, Iraq, 
Libya, North Korea, Sudan or Syria under the provisions of this 
paragraph (c). All other beta test software is eligible for export or 
reexport to all destinations, except Cuba, Iran, Iraq, Libya, and Sudan 
under the provisions of this paragraph (c).
    (3) Eligible software. All software that is controlled by the 
Commerce Control List (Supplement No. 1 to part 774 of the EAR), and 
under Commerce licensing jurisdiction, is eligible for export and 
reexport, subject to the restrictions of this paragraph (c). Encryption 
software controlled for ``EI'' reasons under ECCN 5D002 is eligible for 
export and reexport under this paragraph (c), provided that the 
exporter has submitted the information described in paragraph (c)(8) of 
this section by the time of export. Final encryption products produced 
by the testing consignee are subject to any applicable provisions in 
Sec. 742.15(b)(2) of the EAR (for mass market encryption commodities 
and software with symmetric key length exceeding 64-bits) or 
Sec. 740.17 of the EAR (License Exception ENC), including review and 
reporting requirements.
    (4) Conditions for use. Exports or reexports of beta test software 
programs under the provisions of this paragraph (c) must meet all of 
the following conditions:
    (i) The software producer intends to market the software to the 
general public after completion of the beta testing, as described in 
the General Software Note (see Supplement 2 to part 774 of the EAR) or 
the Cryptography Note in Category 5, Part 2 (``Information Security'') 
of the Commerce Control List (see Supplement No. 1 to part 774 of the 
EAR);
    (ii) The software producer provides the software to the testing 
consignee free-of-charge or at a price that does not exceed the cost of 
reproduction and distribution; and
    (iii) The software is designed for installation by the end-user 
without

[[Page 38862]]

further substantial support from the supplier.
    (5) Importer Statement. Prior to exporting or reexporting any 
eligible software under this paragraph (c), the exporter or reexporter 
must obtain the following statement from the testing consignee, which 
may be included in a contract, non-disclosure agreement, or other 
document that identifies the importer, the software to be exported, the 
country of destination, and the testing consignee.

    ``We certify that this beta test software will only be used for 
beta testing purposes, and will not be rented, leased, sold, 
sublicensed, assigned, or otherwise transferred. Further, we certify 
that we will not transfer or export any product, process, or service 
that is the direct product of the beta test software.''

    (6) Use limitations. Only testing consignees that provide the 
importer statement required by paragraph (c)(5) of this section may 
execute any beta test software that was exported or reexported to them 
under the provisions of this paragraph (c).
    (7) Return or disposal of software. All beta test software exported 
must be destroyed abroad or returned to the exporter within 30 days of 
the end of the beta test period as defined by the software producer or, 
if the software producer does not define a test period, within 30 days 
of completion of the consignee's role in the test. Among other methods, 
this requirement may be satisfied by a software module that will 
destroy the software and all its copies at or before the end of the 
beta test period.
    (8) Notification and reporting of beta test encryption software. 
(i) Notification. For beta test encryption software eligible under this 
license exception, you must submit to BIS, by the time of export, the 
information described in paragraphs (a) through (e) of Supplement 6 to 
part 742 of the EAR. Submit your notification by email to BIS at 
[email protected], and provide a copy of the notification to the ENC 
Encryption Request Coordinator at [email protected].
    (ii) Reporting. For beta test encryption software eligible under 
this license exception, the exporter must submit the names and 
addresses of the testing consignees (except names and addresses of 
individual consumers) and the name and version of the beta software 
consistent with Sec. 740.17(e)(5) of the EAR.

    17. Section 740.13 is amended by revising the introductory text, by 
revising paragraphs (d)(1) and (d)(2), and by revising paragraph (e) to 
read as follows:


Sec. 740.13  Technology and software--unrestricted (TSU).

    This license exception authorizes exports and reexports of 
operation technology and software; sales technology and software; 
software updates (bug fixes); ``mass market'' software subject to the 
General Software Note; and encryption source code (and corresponding 
object code) that would be considered publicly available under 
Sec. 734.3(b)(3) of the EAR. Note that encryption software subject to 
the EAR is not subject to the General Software Note (see paragraph 
(d)(2) of this section).
* * * * *
    (d) General Software Note: ``mass market'' software. (1) Scope. The 
provisions of paragraph (d) authorize exports and reexports of ``mass 
market'' software subject to the General Software Note (see Supplement 
No. 2 to part 774 of the EAR; also referenced in this section).\1\
---------------------------------------------------------------------------

    \1\ ``Mass market'' software may fall under the classification 
of ``general use'' software for export clearance purposes. Exporters 
should consult the Census Bureau FTSR for possible SED requirements.
---------------------------------------------------------------------------

    (2) Exclusions. The provisions of this paragraph (d) are not 
available for encryption software controlled for ``EI'' reasons under 
ECCN 5D002 or for encryption software with symmetric key length 
exceeding 64-bits that qualifies as mass market encryption software 
under the criteria in the Cryptography Note (Note 3) of Category 5, 
Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of 
the EAR). (Once such mass market encryption software has been reviewed 
by BIS and released from ``EI'' and ``NS'' controls pursuant to 
Sec. 742.15(b)(2) of the EAR, it is controlled under ECCN 5D992 and is 
thus outside the scope of License Exception TSU.) See Sec. 742.15(b)(2) 
of the EAR for exports and reexports of mass market encryption products 
controlled under ECCN 5D992.
* * * * *
    (e) Encryption source code (and corresponding object code). (1) 
Scope. The provisions of paragraph (e) of this section authorize 
exports and reexports, without review, of encryption source code 
controlled under ECCN 5D002 that would be considered publicly available 
under Sec. 734.3(b)(3) of the EAR, and corresponding object code 
resulting from the compiling of such source code.
    (2) Eligible Software. Encryption source code is eligible for 
export and reexport under License Exception TSU, provided that it would 
be considered publicly available under Sec. 734.3(b)(3) of the EAR. 
Such encryption source code is eligible for License Exception TSU even 
if it is subject to an express agreement for the payment of a licensing 
fee or royalty for commercial production or sale of any product 
developed using the source code. Corresponding object code resulting 
from the compiling of such source code is also eligible for License 
Exception TSU treatment if such object code would also be considered 
publicly available under Sec. 734.3(b)(3) of the EAR.
    (3) Restrictions. Encryption software controlled under ECCN 5D002 
that would not be considered publicly available, but which incorporates 
or is specially designed to use encryption software that would be 
considered publicly available, is not eligible for export or reexport 
under this paragraph (e).
    (4) Country restrictions. You may not knowingly export or reexport 
source code, corresponding object code or products developed with this 
source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
    (5) Notification requirement. You must provide BIS written 
notification of the Internet location (e.g., URL or Internet address) 
of the source code or a copy of the source code by the time of export. 
Submit the notification by email to BIS at [email protected], and 
provide a copy of the notification to the ENC Encryption Request 
Coordinator at [email protected].
    (6) ``Knowledge'' of a prohibited export or reexport. Posting of 
source code or corresponding object code on the Internet (e.g., FTP or 
World Wide Web site) where it may be downloaded by anyone would not 
establish ``knowledge'' of a prohibited export or reexport. See 
Sec. 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba, 
Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such 
posting would not trigger ``red flags'' necessitating the affirmative 
duty to inquire under the ``Know Your Customer'' guidance provided in 
Supplement No. 3 to part 732 of the EAR.

    18. Section 740.17 is revised to read as follows:


Sec. 740.17  Encryption commodities and software (ENC).

    License Exception ENC authorizes the export and reexport of 
encryption items controlled under ECCN 5A002, 5D002 or 5E002, and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002. Encryption items exported and reexported 
under License Exception ENC remain subject to ``EI'' controls. No 
encryption items may be exported or

[[Page 38863]]

reexported, under this license exception, to countries listed in 
Country Group E:1 of Supplement No. 1 to this Part--this includes 
exports and reexports (as defined in Sec. 734.2 of the EAR) of 
encryption source code and technology to nationals of these countries. 
Review and reporting requirements apply to certain exports under this 
license exception (paragraph (d) of this section describes how to 
submit encryption items for review; paragraph (e) of this section 
describes which exports are subject to reporting requirements). Certain 
exports and reexports to government end-users are authorized under 
paragraphs (a) and (b)(3) of this section. Section 772.1 of the EAR 
defines the term ``government end-user'' as it applies to encryption 
items. Section 742.15 of the EAR describes the license requirements and 
policies that apply to exports and reexports of encryption items.
    (a) Exports and reexports to countries listed in Supplement 3 to 
this part. Encryption items controlled under ECCN 5A002, 5D002 or 5E002 
(except cryptanalytic items as defined in Part 772 of the EAR), and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002, are authorized for immediate export and 
reexport to government and non-government end-users located in the 
countries listed in Supplement 3 to this part 740, subject to the 
review requirements described in paragraph (d) of this section. 
Cryptanalytic items are authorized to non-government end-users, only, 
under this paragraph (a). Encryption items and ``information security'' 
test, inspection, and production equipment may also be exported or 
reexported to any destination eligible under this license exception for 
the internal use of foreign subsidiaries or offices of firms, 
organizations and governments headquartered in Canada or in countries 
listed in Supplement 3 to this part 740. (Note that License Exception 
ENC prohibits exports and reexports of encryption source code and 
technology to nationals of countries listed in Country Group E:1 of 
Supplement No. 1 to this part.) Before you export an item for the first 
time under this license exception, you must submit to BIS and the ENC 
Encryption Request Coordinator a review request for that item, as 
described in paragraph (d) of this section. See paragraph (e) of this 
section for applicable semi-annual reporting requirements.
    (b) Exports and reexports to all other eligible countries. (1) 
Encryption items for U.S. subsidiaries. Exports and reexports of 
encryption items controlled under ECCN 5A002, 5D002 or 5E002 and 
``information security'' test, inspection, and production equipment 
controlled under ECCN 5B002, are authorized under this license 
exception, without review, to foreign subsidiaries of U.S. companies 
for any end-use not prohibited elsewhere in the EAR. This paragraph 
(b)(1) also authorizes exports and reexports by U.S. companies and 
their subsidiaries of any such items (including encryption source code 
and technology), to foreign nationals working as contractors, interns 
or employees of said U.S. companies and their subsidiaries, provided 
that the items are for internal company use, including the development 
of new products. (Note that License Exception ENC prohibits exports and 
reexports of encryption source code and technology to nationals of 
countries listed in Country Group E:1 of Supplement No. 1 to this 
part). All items produced or developed by U.S. subsidiaries with 
encryption commodities, software and technology exported under this 
paragraph (b)(1) are subject to the EAR and require review and 
authorization before any sale or retransfer outside of the U.S. 
company.
    (2) Encryption commodities and software to non-government end-
users. Thirty days after registration of a completed review request by 
BIS (``registration'' is defined in Sec. 750.4(a)(2) of the EAR), 
encryption commodities, software and components controlled under ECCN 
5A002 or 5D002 (except such items which provide an open cryptographic 
interface, as defined in part 772 of the EAR), and ``information 
security'' test, inspection, or production equipment controlled under 
ECCN 5B002, are authorized for export or reexport to any individual, 
commercial firm or other non-government end-user located outside the 
countries listed in Supplement 3 to this part 740. The thirty days may 
not include any time that your review request was on hold without 
action. To request authorization under the provisions of this paragraph 
(b)(2), you must submit to BIS and the ENC Encryption Request 
Coordinator a review request as described in paragraph (d) of this 
section. See paragraph (e) of this section for applicable semi-annual 
reporting requirements. Encryption commodities and software eligible 
for export or reexport under this paragraph (b)(2) include, but are not 
limited to, the following:
    (i) Network infrastructure products, such as high end routers or 
switches designed for large volume communications, and specially 
designed software, parts, and components thereof (including commodities 
and software which activate or enable cryptographic functionality in 
network infrastructure products that would otherwise remain disabled);
    (ii) Encryption source code that would not be considered publicly 
available for export or reexport under License Exception TSU. (You may 
immediately export and reexport such encryption source code under 
License Exception ENC, provided that you have submitted a review 
request, including a copy of your source code, to BIS and the ENC 
Encryption Request Coordinator. Note that License Exception ENC 
prohibits exports and reexports of encryption source code to countries 
listed in Country Group E:1 of Supplement No. 1 to this part, or to 
nationals of these countries.);
    (iii) General purpose toolkits;
    (iv) Cryptanalytic items (as defined in part 772 of the EAR);
    (v) Commodities, software and components not otherwise authorized 
for export as mass market or retail.
    (3) Retail encryption commodities, software and components to 
government and non-government end-users. Thirty days after registration 
of a completed review request by BIS (``registration'' is defined in 
Sec. 750.4(a)(2) of the EAR), retail encryption commodities, software 
and components controlled under ECCN 5A002 or 5D002 are authorized for 
export and reexport to any individual, commercial firm or other non-
government end-user located outside the countries listed in Supplement 
3 to this part 740. The thirty days may not include any time that your 
review request was on hold without action. Once BIS has completed its 
review and authorizes your encryption commodities, software, and 
components for export or reexport as retail encryption items under 
License Exception ENC, you may also export or reexport these items to 
government end-users. To request authorization under the provisions of 
this paragraph (b)(3), you must submit to BIS and the ENC Encryption 
Request Coordinator a review request as described in paragraph (d) of 
this section. See paragraph (e) of this section for applicable semi-
annual reporting requirements.
    (i) Retail eligibility criteria. Retail encryption commodities and 
software are products and components:
    (A) Generally available to the public by means of any of the 
following:
    (1) Are sold in tangible form through retail outlets independent of 
the manufacturer;

[[Page 38864]]

    (2) Are specially designed for individual consumer use; or
    (3) Are sold or will be sold in large volume, without restriction, 
through mail order transactions, electronic transactions, or telephone 
call transactions; and
    (B) Meeting all of the following:
    (1) The cryptographic functionality cannot be easily changed by the 
user;
    (2) Substantial support is not required for installation and use; 
and
    (3) The cryptographic functionality has not been modified or 
customized to customer specification.
    (ii) Additional types of retail encryption products. The following 
products will also be considered to be retail encryption products:
    (A) Encryption commodities and software (including key management 
products) with key lengths not exceeding 64 bits for symmetric 
algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 
bits for elliptic curve algorithms. (You may immediately export or 
reexport such encryption commodities and software as retail items upon 
submitting a completed review request to BIS and the ENC Encryption 
Request Coordinator, in accordance with the requirements described in 
paragraph (d) of this section);
    (B) Encryption products and network-based applications that provide 
equivalent functionality to other mass market or retail encryption 
commodities and software (refer to the Cryptography Note (Note 3) to 
part II of Category 5 of the CCL for the definition of mass market 
encryption commodities and software);
    (C) Encryption products that are limited to allowing foreign-
developed cryptographic products to operate with U.S. products (e.g. 
signing). No review of the foreign-developed cryptography is required;
    (D) Encryption commodities and software that activate or enable 
cryptographic functionality in retail encryption products which would 
otherwise remain disabled.
    (iii) Examples of eligible retail encryption products: Subject to 
the retail eligibility criteria in paragraph (b)(3)(i) of this section, 
retail encryption items include, but are not limited to, the following:
    (A) General purpose operating systems that do not qualify as mass 
market;
    (B) Non-programmable encryption chips, and chips that are 
constrained by design for retail products;
    (C) Retail networking products, such as low-end routers, firewalls, 
and virtual private networking (VPN) equipment designed for small 
office or home use;
    (D) Desktop applications (e.g. e-mail, browsers, games, word 
processing, database, financial applications or utilities) that do not 
qualify as mass market;
    (E) Programmable database management systems and associated 
application servers;
    (F) Low-end servers and application-specific servers (including 
client-server applications, e.g. Secure Socket Layer (SSL)-based web 
applications and applets, servers, and portals);
    (G) Network and security management products designed for, bundled 
with, or pre-loaded on single CPU computers, low-end servers or retail 
networking products; and
    (H) Short-range wireless components and software that do not 
qualify as mass market. Products that would be controlled under ECCN 
5A002 or 5D002, only because they incorporate components or software 
which provide short-range wireless encryption functions, may be 
exported or reexported under the retail provisions of License Exception 
ENC, without review or reporting.
    (4) Reviews for de minimis eligibility: Items controlled for ``EI'' 
reasons under ECCN 5A002, 5D002 or 5E002 are not eligible for de 
minimis treatment under Sec. 734.4 of the EAR. However, exporters may, 
as part of a review request, ask that U.S.-origin retail encryption 
software controlled under ECCN 5D002 and U.S.-origin parts and 
components controlled under ECCN 5A002, that are incorporated in 
foreign-made items, be made eligible for de minimis treatment. The 
review of de minimis eligibility for such items will take U.S. national 
security interests into account.
    (c) Reexports and transfers. U.S. or foreign distributors, 
resellers or other entities who are not original manufacturers of 
encryption commodities and software are permitted to use License 
Exception ENC only in instances where the export or reexport meets the 
applicable terms and conditions of this section. Transfers of 
encryption items listed in paragraph (b) of this section to government 
end-users, or for government end-uses, within the same country are 
prohibited, unless otherwise authorized by license or license 
exception. Foreign products developed with or incorporating U.S.-origin 
encryption source code, components or toolkits remain subject to the 
EAR, but do not require review (for encryption reasons) by BIS. These 
products can be exported or reexported under License Exception ENC 
without notification and without further authorization (for encryption 
reasons) from BIS. Such products include foreign-developed products 
that are designed to operate with U.S. products through a cryptographic 
interface.
    (d) Review requirement. (1) Review request procedures. To request 
review of your encryption products under License Exception ENC, you 
must submit to BIS and to the ENC Encryption Request Coordinator the 
information described in paragraphs (a) through (e) of Supplement 6 to 
part 742 of the EAR (Guidelines for Submitting Review Requests for 
Encryption Items). Review requests must be submitted on Form BIS-748P 
(Multipurpose Application), or its electronic equivalent, as described 
in Sec. 748.3 of the EAR. To ensure that your review request is 
properly routed, insert the phrase ``License Exception ENC'' in Block 9 
(Special Purpose) of the application form and place an ``X'' in the box 
marked ``Classification Request'' in Block 5 (Type of Application)--
Block 5 does not provide a separate item to check for the submission of 
encryption review requests. Failure to properly complete these items 
may delay consideration of your review request. Review requests that 
are not submitted electronically to BIS should be mailed to the address 
indicated in Sec. 748.2(c) of the EAR. See paragraph (e)(5)(ii) of this 
section for the mailing address for the ENC Encryption Request 
Coordinator. BIS will notify you if there are any questions concerning 
your request for review under License Exception ENC (e.g., because of 
missing or incomplete support documentation). Once your review has been 
completed, BIS will notify you in writing concerning the eligibility of 
your products for export or reexport, under the provisions of this 
license exception. BIS reserves the right to suspend your eligibility 
to export and reexport under License Exception ENC and to return your 
review request without action, if you have not met the review 
requirements. You may not export or reexport retail encryption 
commodities, software and components under this license exception to 
government end-users headquartered outside of Canada and the countries 
listed in Supplement 3 to this part 740, unless you have received prior 
authorization from BIS.
    (2) Grandfathering. Encryption commodities, software, parts or 
components (except cryptanalytic items) previously approved for export 
may be exported or reexported without further review to government and 
non-government end-users in countries listed in Supplement 3 to this 
part 740, and to any non-government end-user outside the countries 
listed in
Supplement 3 to this part 740 (except items which provide an open 
cryptographic interface as defined in part 772 of the EAR). This 
includes products approved under a license, an Encryption Licensing 
Arrangement, or classified as eligible to use License Exception ENC 
(except for those products that were authorized only for export to U.S. 
subsidiaries) prior to October 19, 2000. Encryption technology 
previously approved for export under a license or an Encryption 
Licensing Arrangement may be exported or reexported to government and 
non-government end-users in countries listed in Supplement 3 to this 
part 740.
    (3) Key length increases. Exporters may increase the key lengths of 
products previously classified and continue to export these products 
under the applicable provisions of License Exception ENC, without 
further review, upon certification to BIS and the ENC Encryption 
Request Coordinator in accordance with paragraph (d)(3)(ii) of this 
section. No other change in cryptographic functionality is allowed 
under License Exception ENC.
    (i) Any product previously classified as ECCN 5A002 or 5D002 
(except encryption items that provide an open cryptographic interface, 
as defined in Sec. 772.1 of the EAR) may, with any upgrade to the key 
length used for confidentiality or key exchange algorithms, be exported 
or reexported under License Exception ENC to any non-government end-
user without an additional review. A license is required to export or 
reexport items that provide an open cryptographic interface to end-
users located outside the countries listed in Supplement 3 to this part 
740. In addition, products previously reviewed by BIS that were 
determined to be eligible as ``retail'' under this license exception 
may be exported or reexported to government end-users, without 
additional review. For products not previously determined to be 
eligible as retail products, another review is required to determine 
their eligibility as ``retail'' products under paragraph (b)(3) of this 
section.
    (ii) Exporters must certify to BIS, in a letter from a corporate 
official, that the only change to the encryption product is the key 
length for confidentiality or key exchange algorithms and that there is 
no other change in cryptographic functionality. Certifications must 
include the original authorization number issued by BIS and the date of 
issuance. BIS must receive this certification prior to any export of an 
upgraded encryption product. The certification should be sent to BIS 
and a copy of the certification should be sent to the ENC Encryption 
Request Coordinator at the mailing address indicated in paragraph 
(e)(5) of this section.
    (e) Reporting requirements. (1) Semi-annual reporting requirement. 
Semi-annual reporting is required for exports and reexports under this 
license exception. Certain encryption items and transactions are 
excluded from this reporting requirement (see paragraph (e)(4) of this 
section). For instructions on how to submit your reports, see paragraph 
(e)(5) of this section.
    (2) General information required. Exporters must include all of the 
following applicable information in their reports:
    (i) For items exported to a distributor or other reseller, 
including subsidiaries of U.S. firms, the name and address of the 
distributor or reseller, the item and the quantity exported and, if 
collected by the exporter as part of the distribution process, the end-
user's name and address;
    (ii) For items exported through direct sale, the name and address 
of the recipient, the item, and the quantity exported (except for 
retail products, if the end-user is an individual consumer);
    (iii) For exports of ECCN 5E002 items to be used for technical 
assistance that are not released by Sec. 744.9 of the EAR, the name and 
address of the end-user; and
    (iv) The authorization number and the name of the item(s) exported.
    (3) Information on foreign manufacturers and products that use 
encryption items. For direct sales or transfers, under License 
Exception ENC, of encryption components, source code, general purpose 
toolkits, equipment controlled under ECCN 5B002, technology, or items 
that provide an open cryptographic interface to foreign developers or 
manufacturers when intended for use in foreign products developed for 
commercial sale, you must submit the names and addresses of the 
manufacturers using these encryption items and, if you know when the 
product is made available for commercial sale, a non-proprietary 
technical description of the foreign products for which these 
encryption items are being used (e.g., brochures, other documentation, 
descriptions or other identifiers of the final foreign product; the 
algorithm and key lengths used; general programming interfaces to the 
product, if known; any standards or protocols that the foreign product 
adheres to; and source code, if available).
    (4) Exclusions from reporting requirements. Reporting is not 
required for the following items and transactions:
    (i) Any encryption item to U.S. subsidiaries for internal company 
use;
    (ii) Encryption commodities or software with a symmetric key length 
not exceeding 64 bits;
    (iii) Retail products exported to individual consumers;
    (iv) Encryption items exported via free or anonymous download;
    (v) Encryption items from or to a U.S. bank, financial institution 
or their subsidiaries, affiliates, customers or contractors for banking 
or financial operations;
    (vi) Items that incorporate components limited to providing short-
range wireless encryption functions;
    (vii) Retail operating systems, or desktop applications (e.g. e-
mail, browsers, games, word processing, data base, financial 
applications or utilities) designed for, bundled with, or pre-loaded on 
single CPU computers, laptops or hand-held devices;
    (viii) Client Internet appliance and client wireless LAN cards;
    (ix) Foreign products developed by bundling or compiling of source 
code.
    (5) Submission requirements. You must submit the reports required 
under this section, semi-annually, to BIS, unless otherwise provided in 
this paragraph (e)(5). For exports occurring between January 1 and June 
30, a report is due no later than August 1 of that year. For exports 
occurring between July 1 and December 31, a report is due no later than 
February 1 the following year. These reports must be provided in 
electronic form to BIS. Recommended file formats for electronic 
submission include spreadsheets, tabular text or structured text. 
Exporters may request other reporting arrangements with BIS to better 
reflect their business models. Reports may be sent electronically to 
BIS at [email protected] (with a copy to the ENC Encryption Request 
Coordinator at [email protected]), or disks and CDs containing the reports 
may be mailed to the following addresses:

(i) Department of Commerce, Bureau of Industry and Security, Office of 
Strategic Trade and Foreign Policy Controls, 14th Street and 
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
Encryption Reports.
(ii) A copy of the report should be sent to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.

PART 742--[AMENDED]

    19. Section 742.15 is revised to read as follows:

Sec. 742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of 
information, and thereby may be used by persons abroad to harm U.S. 
national security, foreign policy and law enforcement interests. The 
United States has a critical interest in ensuring that important and 
sensitive information of the public and private sector is protected. 
Consistent with our international obligations as a member of the 
Wassenaar Arrangement, the United States has a responsibility to 
maintain control over the export and reexport of encryption items. As 
the President indicated in Executive Order 13026 and in his Memorandum 
of November 15, 1996, exports and reexports of encryption software, 
like exports and reexports of encryption hardware, are controlled 
because of this functional capacity to encrypt information on a 
computer system, and not because of any informational or theoretical 
value that such software may reflect, contain, or represent, or that 
its export or reexport may convey to others abroad. For this reason, 
export controls on encryption software are distinguished from controls 
on other software regulated under the EAR.
    (a) Licensing requirements and policy--(1) Encryption items 
controlled under ECCN 5A002, 5D002, or 5E002. (i) Licensing 
requirements. A license is required to export or reexport encryption 
items (``EI'') controlled under ECCN 5A002, 5D002 or 5E002 to all 
destinations, except Canada. Refer to part 740 of the EAR, for license 
exceptions that apply to certain encryption items, and to Sec. 772.1 of 
the EAR for definitions of encryption items and terms. Exporters must 
submit applications to obtain authorization under a license or an 
Encryption Licensing Arrangement for exports and reexports of 
encryption items that are not eligible for a license exception.
    (ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine 
whether the export or reexport is consistent with U.S. national 
security and foreign policy interests. Exports of encryption items to 
governments, or Internet and telecommunications service providers for 
the provision of services specific to governments, may be favorably 
considered for civil uses, e.g., social or financial services to the 
public; civil justice; social insurance, pensions and retirement; taxes 
and communications between governments and their citizens. Encryption 
Licensing Arrangements may be authorized for exports and reexports of 
unlimited quantities of encryption items to all destinations, except 
countries listed in Country Group E:1 of Supplement No. 1 to part 740. 
Encryption Licensing Arrangements, including those which authorize 
exports and reexports of encryption technology to strategic partners 
(as defined in Sec. 772.1 of the EAR) of U.S. companies, are valid for 
four years and may require reporting. Applicants seeking authorization 
for Encryption Licensing Arrangements must specify the sales territory 
and class of end-user on their license applications.
    (2) Encryption items controlled under ECCN 5A992, 5D992, or 5E992. 
(i) Licensing requirements. Items controlled under ECCN 5A992, 5D992 or 
5E992 are controlled for anti-terrorism (AT) reasons to countries 
listed in AT column 1 or AT column 2, as applicable, of the Commerce 
Country Chart (Supplement No. 1 to Part 738 of the EAR). A license also 
may be required to certain destinations or persons for other reasons 
specified elsewhere in the EAR (e.g., embargoes). In addition, these 
encryption items are subject to the notification or review requirements 
described in paragraph (b)(1) and (b)(2) of this section, unless 
specifically excluded by paragraph (b)(3) of this section.
    (ii) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine 
whether the export or reexport is consistent with U.S. national 
security and foreign policy interests. BIS does not authorize 
Encryption Licensing Arrangements for exports and reexports of 
encryption items to any of the countries listed in Country Group E:1 of 
Supplement No. 1 to Part 740 of the EAR.
    (b) Notification and review requirements for encryption items 
controlled under ECCN 5A992, 5D992 or 5E992. You may export and 
reexport encryption commodities, software and technology controlled 
under ECCN 5A992, 5D992 or 5E992 without a license (NLR: No License 
Required) to most destinations, in accordance with paragraph (a)(2) of 
this section, provided that you have met the notification and review 
requirements described in paragraphs (b)(1) and (b)(2) of this section. 
Certain encryption items controlled under ECCN 5A992, 5D992 or 5E992 
may be exported or reexported without notification or review--these 
items are identified in paragraph (b)(3) of this section. In addition, 
no post-shipment reporting is required for encryption items controlled 
under ECCN 5A992, 5D992, or 5E992. See Sec. 732.5 of the EAR for 
Shipper's Export Declaration (SED), Destination Control Statements 
(DCS), and recordkeeping requirements for items exported and reexported 
without a license (NLR).
    (1) Notification requirement for specified encryption items. You 
may export and reexport encryption items controlled under ECCN 5A992, 
5D992 or 5E992 and identified in this paragraph (b)(1) to most 
destinations without a license (NLR: No License Required), provided 
that you have submitted to BIS, by the time of export, the information 
described in paragraphs (a) through (e) of Supplement 6 to this part 
742, and if applicable, specific information describing how your 
products qualify for mass market treatment under the criteria in the 
Cryptography Note (Note 3) of Category 5, Part 2, of the Commerce 
Control List (Supplement No. 1 to Part 774 of the EAR). Submit this 
notification to BIS by email, to [email protected], and also send a 
copy to the ENC Encryption Request Coordinator, at [email protected]. If you 
are unsure as to whether your encryption items are eligible for export 
or reexport under this paragraph (b)(1), you should submit a request, 
to BIS and to the ENC Encryption Request Coordinator, for a review of 
your encryption items pursuant to the requirements of paragraph (b)(2) 
of this section (for mass market encryption commodities and software), 
or under the provisions of License Exception ENC (see Sec. 740.17 of 
the EAR). The following encryption items controlled by ECCN 5A992, 
5D992, or 5E992 are eligible for export or reexport without a license, 
to most destinations, with notification only:
    (i) Up to (and including) 64-bit mass market encryption commodities 
and software;
    (ii) Encryption items (including key management products and 
company proprietary implementations) with key lengths not exceeding 56 
bits for symmetric algorithms, 512 bits for asymmetric key exchange 
algorithms, and 112 bits for elliptic curve algorithms;
    (2) Review requirement for mass market encryption commodities and 
software exceeding 64 bits: Mass market encryption commodities and 
software employing a key length greater than 64 bits for the symmetric 
algorithm (including such products previously reviewed by BIS and 
exported under ECCN 5A002 or 5D002) remain subject to the EAR and 
require review by BIS, prior to export or reexport under this paragraph 
(b)(2). Encryption commodities and software that are not eligible as 
retail items under License Exception ENC do not qualify for mass
market treatment (see Sec. 740.17(b)(3) of the EAR for retail product 
eligibility under License Exception ENC.)
    (i) Procedures for requesting review. To request review of your 
mass market encryption products, you must submit to BIS and the ENC 
Encryption Request Coordinator the information described in paragraphs 
(a) through (e) of Supplement 6 to this part 742, and you must include 
specific information describing how your products qualify for mass 
market treatment under the criteria in the Cryptography Note (Note 3) 
of Category 5, Part 2 (``Information Security''), of the Commerce 
Control List (Supplement No. 1 to Part 774 of the EAR). Review requests 
must be submitted on Form BIS-748P (Multipurpose Application), or its 
electronic equivalent, as described in Sec. 748.3 of the EAR. To ensure 
that your review request is properly routed, insert the phrase ``Mass 
market encryption'' in Block 9 (Special Purpose) of the application 
form and place an ``X'' in the box marked ``Classification Request'' in 
Block 5 (Type of Application)--Block 5 does not provide a separate item 
to check for the submission of encryption review requests. Failure to 
properly complete these items may delay consideration of your review 
request. Review requests that are not submitted electronically to BIS 
should be mailed to the address indicated in Sec. 748.2(c) of the EAR. 
Submissions to the ENC Encryption Request Coordinator should be 
directed to the mailing address indicated in Sec. 740.17(e)(5)(ii) of 
the EAR. BIS will notify you if there are any questions concerning your 
request for review (e.g., because of missing or incomplete support 
documentation).
    (ii) Action by BIS. Once BIS has completed its review, you will 
receive written confirmation concerning the eligibility of your items 
for export or reexport as mass market encryption commodities or 
software controlled under ECCN 5A992 or 5D992. If, during the course of 
its review, BIS determines that your encryption items do not qualify 
for mass market treatment under the EAR, or are otherwise controlled 
under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will 
review your commodities or software for eligibility under License 
Exception ENC (see Sec. 740.17 of the EAR for review and reporting 
requirements for encryption items under License Exception ENC). BIS 
reserves the right to suspend your eligibility to export and reexport 
under the provisions of this paragraph (b)(2) and to return review 
requests, without action, if the requirements for review have not been 
met.
    (iii) Exports and reexports to government and non-government end-
users. Immediately upon registration by BIS of your completed review 
request (``registration'' is defined in Sec. 750.4(a)(2) of the EAR), 
you may export or reexport mass market encryption commodities and 
software exceeding 64 bits, under ECCNs 5A992 and 5D992, without a 
license (NLR: No License Required) to government and non-government 
end-users located in the countries listed in Supplement 3 to part 740 
of the EAR. These mass market encryption products also may be exported 
or reexported, without a license (NLR), to most destinations (except 
those that require a license for AT reasons or for reasons described 
elsewhere in the EAR) for the internal use of foreign subsidiaries or 
offices of firms, organizations and governments headquartered in Canada 
or in countries listed in Supplement 3 to part 740 of the EAR. Thirty 
days after BIS registers your review request, you may export or 
reexport these mass market encryption products, without a license, to 
government and non-government end-users located in most destinations 
outside the countries listed in Supplement 3 to part 740 of the EAR 
(certain destinations and persons may require a license for AT reasons 
or for reasons specified elsewhere in the EAR), unless otherwise 
notified by BIS (e.g., because of missing or incomplete support 
documentation, or conversion to License Exception ENC review). The 
thirty days may not include any time that your review request was on 
hold without action. See Sec. 772.1 of the EAR for the definition of 
``government end-user'' as it applies to encryption items.
    (3) Exclusions from notification and review requirements. The 
following items and transactions do not require notification or review 
prior to export or reexport. However, a license may be required to 
export or reexport these items to certain destinations for AT reasons 
or for reasons set forth elsewhere in the EAR (e.g., embargoes).
    (i) Encryption items for U.S. subsidiaries. Encryption items 
controlled under ECCN 5A992, 5D992, or 5E992 that are exported to 
foreign subsidiaries of U.S. companies (as defined in Sec. 772.1 of the 
EAR) for any end-use, including the development of new products, that 
is not prohibited elsewhere in the EAR. All items produced or developed 
by U.S. subsidiaries with encryption commodities, software and 
technology exported under this paragraph are subject to the EAR and 
require review and authorization before any sale or retransfer outside 
of the U.S. company.
    (ii) Mass market short-range wireless products. Mass market 
products that are controlled under ECCN 5A992 or 5D992 only because 
they incorporate components or software which provide short-range 
wireless encryption functions (e.g., wireless products with an 
operating range typically not exceeding 100 meters).
    (iii) Items with limited cryptographic functionality. Encryption 
items controlled under ECCN 5A992, 5D992, or 5E992 for which the use of 
cryptography is limited to cryptographic functions that are not 
controlled for ``EI'' reasons under the EAR (e.g. items with 
cryptographic functions limited to authentication or digital signature, 
execution of copy protected software, and ``finance specific'' items 
specially designed and limited for banking use or money transactions). 
These items are described in the Related Controls paragraph and the 
Technical Notes under ECCN 5A002 on the Commerce Control List 
(Supplement No. 1 to part 774 of the EAR), which are cross-referenced 
under ECCNs 5D002 and 5E002.
    (4) Commodities and software that activate or enable cryptographic 
functionality. Commodities, software, and components that allow the 
end-user to activate or enable cryptographic functionality in 
encryption products which would otherwise remain disabled, are 
controlled according to the functionality of the activated encryption 
product. The notification and review requirements enumerated in this 
paragraph (b) of this section apply to commodities, software and 
components which activate cryptographic functionality in encryption 
products controlled under ECCNs 5A992 and 5D992. (See Sec. 740.17 of 
the EAR for review and reporting requirements for commodities, software 
and components that enable cryptographic functionality in encryption 
products controlled under ECCNs 5A002 and 5D002.) This paragraph (b)(4) 
does not authorize the export or reexport of any activated encryption 
product. Separate review or authorization of the enabled encryption 
product is required.
    (5) Examples of mass market encryption products. Subject to the 
requirements of the Cryptography Note (Note 3) in Category 5, Part 2, 
of the Commerce Control List, mass market encryption products include, 
but are not limited to, general purpose operating systems and desktop 
applications (e.g. e-mail, browsers, games, word processing, database, 
financial applications or utilities) designed for, bundled with, or 
pre-loaded on single CPU computers, laptops, or hand-held
devices; commodities and software for client Internet appliances and 
client wireless LAN devices; home use networking commodities and 
software (e.g. personal firewalls, cable modems for personal computers, 
and consumer set top boxes); portable or mobile civil 
telecommunications commodities and software (e.g. personal data 
assistants (PDAs), radios, or cellular products); and commodities and 
software exported via free or anonymous downloads.

    20. Supplement No. 6 to part 742 is revised to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests 
for Encryption Items

    Review requests for encryption items must be submitted on Form 
BIS-748P (Multipurpose Application), or its electronic equivalent, 
and supported by the documentation described in this Supplement, in 
accordance with the procedures described in Sec. 748.3 of the EAR. 
To ensure that your review request is properly routed, insert the 
phrase ``Mass market encryption'' or ``License Exception ENC'' 
(whichever is applicable) in Block 9 (Special Purpose) of the 
application form and place an ``X'' in the box marked 
``Classification Request'' in Block 5 (Type of Application)--Block 5 
does not provide a separate item to check for the submission of 
encryption review requests. Failure to properly complete these items 
may delay consideration of your review request. BIS recommends that 
review requests be delivered via courier service to: Bureau of 
Industry and Security, U.S. Department of Commerce, 14th Street and 
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230. For 
electronic submissions via SNAP, you may fax a copy of the support 
documents to BIS at (202) 219-9179 or -9182 or you may deliver the 
documents via courier service to: Bureau of Industry and Security, 
Information Technology Controls Division, Room 2625, 14th Street and 
Pennsylvania Ave., NW. Washington, DC 20230. In addition, you must 
send a copy of your review request and all support documents to: 
Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 
6131, Fort Meade, MD 20755-6000. For all review requests of 
encryption items, you must provide brochures or other documentation 
or specifications related to the technology, commodity or software, 
relevant product descriptions, architecture specifications, and as 
necessary for the review, source code. You also must indicate 
whether there have been any prior reviews of the product, if such 
reviews are applicable to the current submission. In addition, you 
must provide the following information in a cover letter 
accompanying your review request:
    (a) State the name of the encryption item being submitted for 
review;
    (b) State that a duplicate copy has been sent to the ENC 
Encryption Request Coordinator;
    (c) For review requests for a commodity or software, provide the 
following information:
    (1) Description of all the symmetric and asymmetric encryption 
algorithms and key lengths and how the algorithms are used. Specify 
which encryption modes are supported (e.g., cipher feedback mode or 
cipher block chaining mode).
    (2) State the key management algorithms, including modulus 
sizes, that are supported.
    (3) For products with proprietary algorithms, include a textual 
description and the source code of the algorithm.
    (4) Describe the pre-processing methods (e.g., data compression 
or data interleaving) that are applied to the plaintext data prior 
to encryption.
    (5) Describe the post-processing methods (e.g., packetization, 
encapsulation) that are applied to the cipher text data after 
encryption.
    (6) State the communication protocols (e.g., X.25, Telnet or 
TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards) 
that are supported.
    (7) Describe the encryption-related Application Programming 
Interfaces (APIs) that are implemented and/or supported. Explain 
which interfaces are for internal (private) and/or external (public) 
use.
    (8) Describe whether the cryptographic routines are statically 
or dynamically linked, and the routines (if any) that are provided 
by third-party modules or libraries. Identify the third-party 
manufacturers of the modules or toolkits.
    (9) For commodities or software using Java byte code, describe 
the techniques (including obfuscation, private access modifiers or 
final classes) that are used to protect against decompilation and 
misuse.
    (10) State how the product is written to preclude user 
modification of the encryption algorithms, key management and key 
space.
    (11) For products that qualify as ``retail'', explain how the 
product meets the listed criteria in Sec. 740.17(b)(3) of the EAR.
    (12) For products which incorporate an open cryptographic 
interface as defined in part 772 of the EAR, describe the Open 
Cryptographic Interface.
    (d) For review requests regarding components, provide the 
following additional information:
    (1) Reference the application for which the components are used 
in, if known;
    (2) State if there is a general programming interface to the 
component;
    (3) State whether the component is constrained by function; and
    (4) Identify the encryption component and include the name of 
the manufacturer, component model number or other identifier.
    (e) For review requests for source code, provide the following 
information:
    (1) If applicable, reference the executable (object code) 
product that was previously reviewed;
    (2) Include whether the source code has been modified, and the 
technical details on how the source code was modified; and
    (3) Include a copy of the sections of the source code that 
contain the encryption algorithm, key management routines and their 
related calls.
    (f) For step-by-step instructions and guidance on submitting 
review requests for encryption items, visit our webpage at 
www.bis.doc.gov/Encryption and click on the navigation button 
labeled ``Guidance''.

PART 748--[AMENDED]

    21. Section 748.3 is amended by revising the section heading, by 
adding two new sentences at the end of paragraph (a), by removing 
paragraph (b)(3), and by adding a new paragraph (d), to read as 
follows:


Sec. 748.3  Classification Requests, Advisory Opinions, and Encryption 
Review Requests.

    (a) * * * The encryption requirements in the EAR require that 
certain encryption items be reviewed by BIS in order for them to be 
eligible for export or reexport under License Exception ENC (see 
Sec. 740.17 of the EAR) or to be released from ``EI'' controls (see 
Sec. 742.15(b)(2) of the EAR). BIS makes its determination based on the 
submission of a review request prepared in accordance with the 
instructions in Supplement No. 6 to Part 742 of the EAR.
* * * * *
    (d) Review requests for encryption items. A Department of Commerce 
review of encryption items transferred from the U.S. Munitions List 
consistent with Executive Order 13026 of November 15, 1996 (3 CFR, 1996 
Comp., p. 228) and pursuant to the Presidential Memorandum of that date 
may be required to determine eligibility under License Exception ENC or 
for release from ``EI'' controls. Refer to Sec. 742.15(b) and 
Supplement 6 to part 742 of the EAR for instructions regarding mass 
market encryption commodities and software. Refer to Sec. 740.17 of the 
EAR for the provisions of License Exception ENC.

PART 770--[AMENDED]

    22. Section 770.2 is amended by revising paragraph (n) to read as 
follows:


Sec. 770.2  Item interpretations.

* * * * *
    (n) Interpretation 14: Encryption commodity and software reviews. 
Review of encryption commodities or software is required to determine 
the eligibility of certain encryption items under License Exception ENC 
(see Sec. 740.17 of the EAR) or to release certain encryption items 
from ``EI'' controls (see Sec. 742.15(b)(2) of the EAR). Note that 
subsequent bundling, patches, upgrades or releases, including name 
changes, may be exported or reexported under the applicable provisions 
of the EAR without further review as long as the functional encryption 
capacity of the originally reviewed product has not
been modified or enhanced. This interpretation does not extend to 
products controlled under a different category on the CCL.

PART 772--[AMENDED]

    23. Section 772.1 is amended by revising the definition of 
``Cryptanalytic items'' to read as follows:


Sec. 772.1  Definitions of Terms as Used in the Export Administration 
Regulations (EAR).

* * * * *
    ``Cryptanalytic items''. Systems, equipment, applications, specific 
electronic assemblies, modules and integrated circuits designed or 
modified to perform cryptanalytic functions, software having the 
characteristics of cryptanalytic hardware or performing cryptanalytic 
functions, or technology for the development, production or use of 
cryptanalytic commodities or software.

    Notes: 1. Cryptanalytic functions may include cryptanalysis, 
which is the analysis of a cryptographic system or its inputs and 
outputs to derive confidential variables or sensitive data including 
clear text. (ISO 7498-2-1988(E), paragraph 3.3.18).
    2. Functions specially designed and limited to protect against 
malicious computer damage or unauthorized system intrusion (e.g., 
viruses, worms and trojan horses) are not construed to be 
cryptanalytic functions.

* * * * *

PART 774--[AMENDED]

Supplement No. 1 to Part 774 (The Commerce Control List)--[Amended]

    24. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5--Telecommunications and ``Information Security'', 
immediately following the heading II--``INFORMATION SECURITY'', is 
amended by revising Notes 2 and 3, and by adding a new Nota Bene 
(``N.B.''), immediately following Note 3, to read as follows:

Category 5--Telecommunications and ``Information Security''

* * * * *

Part 2--``Information Security''

* * * * *

    Note 2: Category 5, part 2, encryption products, when 
accompanying their user for the user's personal use or as tools of 
trade, are eligible for License Exceptions TMP or BAG, subject to 
the terms and conditions of these License Exceptions.


    Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control 
items that meet all of the following:
    a. Generally available to the public by being sold, without 
restriction, from stock at retail selling points by means of any of 
the following:

    1. Over-the-counter transactions;
    2. Mail order transactions;
    3. Electronic transactions; or
    4. Telephone call transactions;

    b. The cryptographic functionality cannot be easily changed by 
the user;
    c. Designed for installation by the user without further 
substantial support by the supplier; and
    d. When necessary, details of the items are accessible and will 
be provided, upon request, to the appropriate authority in the 
exporter's country in order to ascertain compliance with conditions 
described in paragraphs (a) through (c) of this note.


    N.B. to Cryptography Note: Mass market encryption commodities 
and software eligible for the Cryptography Note are subject to the 
notification or review requirements described in Sec. 742.15(b)(1) 
and (b)(2) of the EAR, unless specifically excluded from these 
requirements by Sec. 742.15(b)(3) of the EAR. Mass market 
commodities and software employing a key length greater than 64 bits 
for the symmetric algorithm must be reviewed in accordance with the 
requirements of Sec. 742.15(b)(2) of the EAR in order to be released 
from the ``EI'' and ``NS'' controls of ECCN 5A002 or 5D002. All 
other mass market commodities and software eligible for the 
Cryptography Note are controlled under ECCN 5A992 or 5D992 (without 
review) and may be exported or reexported to most destinations 
without a license, following notification, in accordance with the 
requirements of Sec. 742.15(b)(1) of the EAR.

* * * * *

    25. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5--Telecommunications and ``Information Security'', Part 2--
``Information Security'', is amended by revising ECCN 5D002 to read as 
follows:

5D002 Information Security--``Software''

License Requirements

Reason for Control: NS, AT, EI

------------------------------------------------------------------------
                Control(s)                         Country chart
------------------------------------------------------------------------
 NS applies to entire entry.............  NS Column 1.
 AT applies to entire entry.............  AT Column 1.
------------------------------------------------------------------------

    ``EI'' applies to encryption items transferred from the U.S. 
Munitions List to the Commerce Control List consistent with 
Executive Order 13026 of November 15, 1996 (3 CFR, 1996 Comp., 
p. 228) and pursuant to the Presidential Memorandum of that date. 
Refer to Sec. 742.15 of the EAR.

    Note: Encryption software is controlled because of its 
functional capacity, and not because of any informational value of 
such software; such software is not accorded the same treatment 
under the EAR as other ``software''; and for export licensing 
purposes, encryption software is treated under the EAR in the same 
manner as a commodity included in ECCN 5A002.


    Note: Encryption software controlled for ``EI'' reasons under 
this entry remains subject to the EAR even when made publicly 
available in accordance with part 734 of the EAR. See Sec. 740.13(e) 
of the EAR for information on releasing certain source code (and 
corresponding object code) which would be considered publicly 
available from ``EI'' controls.


    Note: After notification to BIS, 56-bit encryption items 
(including key management products not exceeding 512 bits) and up to 
(and including) 64-bit mass market encryption commodities and 
software are released from ``EI'' and ``NS'' controls. After a 
review by BIS, all other mass market encryption commodities and 
software eligible for the Cryptography Note also may be released 
from ``EI'' and ``NS'' controls. See Sec. 742.15(b)(1) and (b)(2) of 
the EAR.

License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

    Unit: $ value.
    Related Controls: This entry does not control ``software'' 
``required'' for the ``use'' of equipment excluded from control 
under the Related Controls paragraph or the Technical Notes in ECCN 
5A002 or ``software'' providing any of the functions of equipment 
excluded from control under ECCN 5A002. These items are controlled 
under ECCN 5D992.
    Related Definitions: 5D002.a controls ``software'' designed or 
modified to use ``cryptography'' employing digital or analog 
techniques to ensure ``information security''.
    Items:
    a. ``Software'' specially designed or modified for the 
``development'', ``production'', or ``use'' of equipment or 
``software'' controlled by 5A002, 5B002, or 5D002.
    b. ``Software'' specially designed or modified to support 
``technology'' controlled by 5E002.
    c. Specific ``software'' as follows:
    c.1. ``Software'' having the characteristics, or performing or 
simulating the functions of the equipment controlled by 5A002 or 
5B002;
    c.2. ``Software'' to certify ``software'' controlled by 
5D002.c.1.

    Dated: May 30, 2002.
James J. Jochum,
Assistant Secretary for Export Administration.
[FR Doc. 02-13990 Filed 6-5-02; 8:45 am]