Encryption Simplification

Federal Register: October 3, 2008 (Volume 73, Number 193)

Rules and Regulations

Page 57495-57512

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr03oc08-4

DEPARTMENT OF COMMERCE

Bureau of Industry and Security 15 CFR Parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 772, and 774

Docket No. 080211163-81224-01

RIN 0694-AE18

Encryption Simplification

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule.

SUMMARY: This interim final rule amends the Export Administration

Regulations (EAR) to make the treatment of encryption items more consistent with the treatment of other items subject to the EAR, as well as to simplify and clarify regulations pertaining to encryption items. The restrictions pertaining to technical assistance by U.S. persons with respect to encryption items are removed, because the current export and reexport restrictions set forth in the EAR for technology already include technical assistance. This rule also removes

License Exception KMI as it has become obsolete because of developments in uses of encryption. In addition, this rule removes notification requirements for items classified as 5A992, 5D992, and 5E992. This rule also increases certain parameters under License Exception ENC, which is intended to reflect advances in technology. This rule adds two new review and reporting requirement exclusion paragraphs under License

Exception ENC for wireless ``personal area network'' items and for

``ancillary cryptography'' items. This rule also adds Bulgaria, Canada,

Iceland, Romania, and Turkey to the list of countries that receive favorable treatment under License Exception ENC. Commodities and software pending mass market review may no longer be exported under

ECCNs 5A992 and 5D992 using No License Required (NLR). However, once the mass market review has been received by BIS, then such commodities and software may be exported using License Exception ENC under ECCNs 5A002 and 5D002. This rule will reduce the paperwork burden on the public by 9% (annual dollar amount savings of approximately $14,000 to the public and $5,000 to the U.S. Government), because of the removal of certain notification requirements, addition of countries to the list of those receiving favorable treatment under License Exception ENC, and the increase of reporting and review requirement exclusions. The

Departments of Commerce, State and Defense will continue to review export control, license review policies, and license exceptions for encryption items in the EAR.

DATES: Effective Date: This rule is effective October 3, 2008.

ADDRESSES: Written comments on this interim final rule may be sent by e-mail to publiccomments@bis.doc.gov. Include ``Encryption rule'' in the subject line of the message. Comments may also be submitted by mail or hand delivery to Sharron Cook, Office of Exporter Services,

Regulatory Policy Division, Bureau of Industry and Security, Department of Commerce, 14th St. & Pennsylvania Avenue, NW., Room 2705,

Washington, DC 20230, ATTN: Encryption rule; or by fax to (202) 482- 3355.

FOR FURTHER INFORMATION CONTACT: For questions of a general nature contact Sharron Cook, Office of Exporter Services, Regulatory Policy

Division at (202) 482-2440 or E-Mail: scook@bis.doc.gov.

For questions of a technical nature contact: The Information

Technology Division, Office of National Security and Technology

Transfer Controls at 202-482-0707 or E-Mail: C. Randall Pratt at cpratt@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

Steps Regarding Scope of the EAR

This rule revises paragraph 732.2(b) of the EAR, which sets forth instructions on how to determine if your technology or software is publicly available, by adding mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992. The addition of this phrase harmonizes with the scope of publicly available encryption software that is considered to be subject to the EAR because of the criteria set forth in Sec. 734.3(b)(3) of the EAR.

Page 57496

Items Subject to the EAR

This rule adds a note to paragraph 734.3(a)(4) of the EAR, which sets forth the items that are subject to the EAR. The note reminds readers that certain foreign-manufactured items are subject to the EAR when developed or produced from U.S.-origin encryption items that were exported pursuant to Sec. 740.17(a) of License Exception ENC.

Clarification of Text

This rule replaces the phrase ``encryption software (including source code) transferred from the U.S. Munitions List to the Commerce

Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date'' with

``software controlled for ``EI'' reasons under ECCN 5D002 on the

Commerce Control List'' to clarify which software this sentence is referring to in the introductory paragraph of Supplement No. 1 to part 734 ``Questions and Answers--Technology and Software subject to the

EAR.''

Determining Whether a License Is Required

This rule clarifies text in Sec. 738.4(a)(1) of the EAR that not all license requirements set forth under the ``License Requirements'' section of an ECCN refer to the Commerce Country Chart, but in some cases this section will contain references to a specific section in the

EAR that contain license requirements for that particular ECCN. In such cases, you could not determine whether a license is required based on the ECCN and Country Chart alone and section Sec. 738.4(a)(1) of the

EAR would not apply. For example, ``EI'' controls are not included in the Country Chart; however licensing requirements for ``EI'' controlled items are included in Sec. 742.15(a) of the EAR. In addition, this rule removes the reference in Sec. 738.4(a)(2)(ii)(B) to notification requirements described in paragraph 742.15(b) for items classified under ECCNs 5A992, 5D992, and 5E992, because this rule removes notification requirements for these items. This rule also clarifies the reminder about the review requirements for certain mass market encryption items under ECCNs 5A992 and 5D992, by removing the reference to 5E992 and harmonizing the citation reference with the changes in this rule.

License Exception LVS

This rule revises Sec. 740.3(d)(5) to clarify that not only exports, but reexports of encryption components or spare parts are subject to the special restriction in this paragraph. In addition, the term ``item'' has been replaced by correct terminology.

License Exception KMI

This rule removes Sec. 740.8 of the EAR ``License Exception KMI'' as it has become obsolete because of the developments in the use of encryption. A consequential revision is also made to Sec. 746.3(c) of the EAR, where License Exception KMI was listed. Products previously eligible for License Exception KMI will be accorded equivalent treatment under license or license exception. As a result of this change, this rule also removes Supplement No. 4 to part 742 ``Key

Escrow or Key Recovery Products Criteria.''

License Exception TSU

In Sec. 740.13(d) of the EAR, this rule removes the quotation marks around the term ``mass market'' in the title to paragraph (d), paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph

(d)(3)(ii), because in the EAR double quotation marks around a term indicate that the word is defined in part 772 of the EAR, and mass market is not a defined term in part 772 of the EAR.

License Exception ENC

This rule revises Sec. 740.17 of the EAR by reformatting paragraphs, removing redundant text, and clarifying text as needed.

This rule revises the title of this section to indicate that this license exception also authorizes technology. The introductory paragraph to Sec. 740.17 of the EAR is condensed to set forth the scope of Sec. 740.17 of the EAR and include information not found elsewhere in Sec. 740.17 of the EAR.

While this rule reformats the paragraphs in Sec. 740.17 of the

EAR, it was BIS's goal to minimize revisions to the enumeration of paragraphs used to classify encryption items in the past, so as to alleviate confusion about previous classifications provided by BIS that reference specific paragraphs and to reduce the number of revisions to industry's current product matrices. That being said, the paragraph titles have been revised to reflect review request requirements instead of destinations, end-uses, or types of end-users.

This rule removes paragraphs 740.17(a)(2) and (b)(2)(i) that exempted commodities and software from review requirements based on a previous review by the U.S. Government prior to October 19, 2000. These commodities and software remain exempt from review requirements, and

BIS did not see the necessity of retaining such text in the Export

Administration Regulations.

Paragraph 740.17(a) now describes exports and reexports authorized by License Exception ENC that do not require prior government review or post export reporting. The former paragraph (a)(2) ``Items previously reviewed by the U.S. Government'' is removed by this rule, as this paragraph is no longer necessary because of the passage of time. Former paragraph (a)(3) for end-uses other than internal development is moved to new paragraph (b)(1), because a review request submission is required for eligibility under this paragraph. Former paragraph (b)(1) for U.S. subsidiaries is moved to (a)(2), because authorization under this paragraph does not require prior review. In addition, this rule amends former paragraph (b)(4)(i)(A) (exempting encryption items not exceeding certain key lengths from the 30 day waiting period) by moving it to (b)(1)(ii)(A).

Section 740.17(a)(1)

This rule removes references in paragraph Sec. 740.17(a)(1) to

``technical assistance described in Sec. 744.9 of the EAR,'' because this rule removes 744.9, see explanation set forth below under ``Sec. 744.9.'' This rule clarifies text in paragraph (a)(1) so that it is understood that License Exception ENC can be used for not only internal development, but also internal production of new products.

Section 740.17(a)(2)

Paragraph 740.17(a)(2) is former paragraph (b)(1).

Section 740.17(b)

Paragraph 740.17(b) now sets forth those items authorized under

License Exception ENC that require prior review by the U.S. Government.

This paragraph also sets forth the ``open cryptographic interface'' restriction that applies to all paragraphs in 740.17(b), except for paragraph Sec. 740.17(b)(1)(i). This introductory paragraph also sets forth the restriction to export or reexport cryptanalytic items to any

``government end-user.'' There is also a reference in this paragraph to paragraph (e) ``reporting requirements'' for exports and reexports under Sec. 740.17(b).

Section 740.17(b)(1)

The new paragraph 740.17(b)(1) of the EAR authorizes exports and reexports under License Exception ENC that require prior government review, but allows the export or reexport to take place immediately upon registration of the review request with BIS.

Page 57497

Paragraph (b)(1)(i) authorizes the export and reexport of encryption items, including EI controlled commodities or software

(excluding source code) that are pending review for mass market treatment (under Sec. 742.15(b) of the EAR), to ``government end- users'' and non-``government end-users'' located in the countries listed in Supplement 3 of part 740, as well as to foreign subsidiaries or offices of firms, organizations and governments headquartered in countries listed in Supplement 3 of part 740. This rule adds authorization under License Exception ENC for items pending mass market review, because it was not logical to temporarily classify commodities and software under ECCNs 5A992 or 5D992 that were pending mass market review under paragraph 742.15(b) and authorize export or reexport under the designation of ``No License Required (NLR)'' when the possible outcome of the BIS classification of the commodities and software could be ECCN 5A002 or 5D002.

New paragraph 740.17(b)(1)(ii) authorizes exports and reexports of specified encryption commodities and software to countries not listed in Supplement No. 3 to part 740. This rule revises the format of the parameters in this section from a range to an upper limit in paragraph

(b)(1)(ii)(A), former paragraph (b)(4)(i)(A). In addition, the upper limit for symmetric algorithms has been raised from ``key lengths not exceeding 64 bits'' to ``key lengths not exceeding 80 bits.'' After review has been completed on these commodities or software, BIS will issue a CCATS that will indicate authorization is under paragraph

(b)(2) or (b)(3) of Sec. 740.17 of the EAR, whichever paragraph is appropriate.

Paragraph (b)(1)(ii)(B), former paragraph (b)(4)(i)(B), authorizes exports and reexports of encryption source code that would not be eligible for export or reexport under License Exception TSU, provided that a copy of the source code is included in the review request, to non-``government end-users'' located in any country except a country listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR.

After the review has been completed, BIS will issue a CCATS that will indicate authorization is under paragraph 740.17(b)(2) of the EAR. The text is clarified by replacing the phrase ``considered publicly available'' with ``eligible'' in order to avoid confusion about the scope of encryption source code eligible under this paragraph.

Section 740.17(b)(2)

Paragraph (b)(2) of License Exception ENC authorizes exports and reexports to non-``government end-users'' located in a country not listed in Supplement No. 3 to this part or Country Group E:1 that require a prior review and 30 day waiting period. Pursuant to the new scope paragraph 740.17(b), this rule expands the scope of (b)(2) to include ECCN 5B002 to be consistent with commodities and software eligible for License Exception ENC under paragraphs (b)(1) and (b)(3) of the EAR. In addition, former paragraph (b)(2)(i) concerning transactions previously reviewed prior to October 19, 2000 by the U.S.

Government is removed as the passage of time has made this paragraph unnecessary. Former paragraph (b)(2)(ii) that set forth the review request requirement is removed, as the review request requirement has been moved to the introductory text of paragraph (b)(2). Former paragraph (b)(2)(iii) is replaced by the introductory text of paragraph

(b)(2).

This rule revises new paragraph (b)(2)(i), (Network infrastructure software and commodities) by adding ``digital packet telephony/media

(voice/video/data) over internet protocol'' to the list of capabilities described.

Also in this new paragraph (b)(2)(i), the former paragraph

(b)(2)(iii)(A) reference to ``64 bits for symmetric algorithms'' is changed to ``80 bits for symmetric algorithms'', commensurate with the key length change in new paragraph (b)(1)(ii)(B). (Note: Regarding key length with respect to the authorizations and restrictions set forth in both the current and former versions of License Exception ENC Sec. 740.17(b)(2), only `network infrastructure' commodities and software

(sub-paragraph (i) in this rule) are distinguished by key length. All encryption commodities and software now enumerated in sub-paragraphs

(ii)-(vi) (former sub-paragraphs (iiii)(B)-(iii)(F)) of License

Exception ENC paragraph (b)(2) are controlled to ``government end- users'' as described, regardless of key length.)

Former paragraph (b)(2)(iii)(A)(1), new paragraph Sec. 740.17(b)(2)(i)(A) is clarified by this rule to add quotes around the term ``government end-user(s)'' and now reads as follows, ``Been designed, modified, adapted or customized for ``government end- user(s)'' or government end-use (e.g., to secure police, state security, or emergency response communications).''

This rule further revises former paragraph (b)(2)(iii)(A)(1), new paragraph (b)(2)(i)(A), which addresses aggregate encrypted WAN, MAN,

VPN or backhaul throughput, by increasing the parameter from 44 Mbps to 90 Mbps.

This rule further revises former paragraph (b)(2)(iii)(A)(2), new paragraph (b)(2)(i)(B). The Wire (line), cable or fiber optic WAN, MAN or VPN single-channel input data rate is revised from ``44 Mbps'' to

``154 Mbps.''

These revisions are not expected to result in a decrease in the number of license applications submitted for exports and reexports of items described in paragraph (b)(2) to government end-users. Most network infrastructure items currently being exported to government end-uses exceed these performance parameters. However, BIS has determined that the parameters should be adjusted in recognition of technology advances, and to avoid maintaining controls on legacy systems.

This rule replaces the ``Maximum number of concurrent encrypted data tunnels or channels * * *'' parameter in former paragraph

(b)(2)(iii)(A)(3), new paragraph (b)(2)(i)(C) with ``Media (voice/ video/data) encryption or centralized key management supporting more than 250 concurrent encrypted data channels, or encrypted signaling to more than 1,000 endpoints, for digital packet telephony/media (voice/ video/data) over internet protocol communications.'' These amendments update these provisions of License Exception ENC to reflect advances in encryption technology. Specifically, these amendments address cryptographic developments in Datagram Transport Layer Security

(DTLS)--Secure Real-Time Transport Protocol (SRTP), and encrypted communications signaling, for large Voice over Internet Protocol (VoIP) network infrastructures.

This rule also revises former paragraph (b)(2)(iii)(A)(4)(i), new paragraph (b)(2)(i)(D)(1), which addresses Air-interface coverage capabilities, by changing ``maximum data rates'' to ``maximum transmission data rates'' and changing the parameter from ``5 Mbps'' to

``10 Mbps.'' By limiting this License Exception ENC provision to the transmit (upstream) data rates and doubling the licensing threshold, these amendments reflect technology developments for certain satellite and other long-range wireless devices.

Former paragraph (b)(2)(iii)(B) that addressed encryption source code that would not be eligible for export or reexport under License

Exception TSU is moved to new paragraph (b)(2)(ii), but also appears in new paragraph (b)(1)(ii)(B) for review requests that include a copy of the source code, and

Page 57498

may be exported or reexported without a waiting period under License

Exception ENC when the review request is registered with BIS.

Former paragraph (b)(2)(iii)(C), new paragraph (b)(2)(iii) is revised by removing the reference to the open cryptographic interface restriction, because this restriction is now placed in the introductory text of paragraph 740.17(b).

Former paragraph (b)(2)(iii)(C)(1), new paragraph (b)(2)(iii)(A) is amended by revising the phrase ``Been modified or customized for'' to read ``been designed, modified, adapted or customized for.'' Quotes have been added around the term ``government end-user(s)'' to indicate that this term is defined in part 772 of the EAR.

This rule also revises the phrase ``to secure departmental, police, state security, or emergency response communications'' to read ``to secure police, state, security, or emergency response communications, including encryption commodities and software for external Security

Operations Center (SOC)/Network Operations Center (NOC) command and infrastructure, and digital forensics/computer forensics.'' With this clarification, this rule provides examples of three such systems that are controlled for their inherent government end-use: External Security

Operations Center (SOC)/Network Operations Center (NOC) command and infrastructure; public safety radio (e.g., implementing Terrestrial

Trunked Radio (TETRA) and/or Association of Public-Safety

Communications Officials International (APCO) Project 25 (P25) standards); and digital forensics/computer forensics.

Note: Regarding the use of encryption by a computer forensics/ digital forensics commodity or software (e.g., for securing the collection, examination, and/or reporting of data or metadata on an investigated computer), such digital/computer forensics tools would not be considered ``cryptanalytic items'' if the only use of

``cryptography'' is for encryption. However, such tools that also perform ``cryptanalysis'' (e.g., cracking passwords or employing other cryptanalytic techniques to derive user-encrypted data or metadata from a computer or network) would be controlled as

``cryptanalytic items.''

Former paragraph (b)(2)(iii)(E), new paragraph (b)(2)(v) is revised by adding a clarifying phrase after the term ``quantum cryptography'' to read ``as defined in ECCN 5A002 of the Commerce Control List.''

Former paragraph (b)(2)(iii)(F), new paragraph (b)(2)(vi) is revised by replacing the term ``controlled'' with ``classified under'' to clarify the scope of computers in this paragraph.

Section 740.17(b)(3)

This rule revises paragraph Sec. 740.17(b)(3) of the EAR for export or reexport of commodities and software not listed in Sec. 740.17(b)(2) of the EAR by both ``government end-users'' and non-

``government end-users'' by removing the redundant former paragraph

(b)(3)(ii)(B) that explained the review procedures and instead inserting a reference to paragraph Sec. 740.17(d) that sets forth these procedures. In addition, former paragraph (b)(3)(ii)(A) concerning transactions previously reviewed by the U.S. Government is removed as the passage of time has made this paragraph unnecessary.

Former paragraph (b)(3)(i)(A) that set forth the ineligibility of commodities and software that provide an ``open cryptographic interface'' is removed because this restriction is set forth in the introductory text of paragraph 740.17(b). This rule adds text that clarifies the eligible locations of the end-users, because 740.17(a) addresses all exports to Supplement No. 3 countries. This rule relocates the restriction in former paragraph (f)(1) concerning

``cryptanalytic items'' to the introductory text of paragraph (b)(3).

Section 740.17(b)(4)

Former paragraph 740.17(b)(4)(i), setting forth commodities and software that are eligible for export immediately upon registration of a review request, is moved to new paragraph (b)(1)(ii). In addition, previous paragraph 740.17(b)(4)(ii), setting forth exclusions from review requirements for certain items, is reformatted as paragraph 740.17(b)(4).

Former paragraph (b)(4)(ii)(A) for short-range wireless encryption is now in new paragraph (b)(4)(i). This rule adds examples to this paragraph of short-range wireless commodities and software. An informative sentence is also added to notify the reader that certain items excluded by this paragraph may also be excluded from review under

(b)(4)(iii) (personal area networks) or (b)(4)(iv) (commodities and software that provide ``ancillary cryptography'').

Former paragraph (b)(4)(ii)(B) is replaced by the third, fourth, and fifth sentences of former paragraph (c), which pertains to foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits.

This rule adds two new review requirement exclusion paragraphs. The first new paragraph (b)(4)(iii) is for wireless ``personal area network'' items. This rule adds the term ``personal area network'' and definition, as well as examples to part 772. The other new exclusion paragraph (b)(4)(iv) is for ``ancillary cryptography,'' which is also a newly added term/definition in part 772. The term/definition includes examples of ``ancillary cryptography.'' The U.S. Government has determined that it is not necessary to review the encryption functionality of such items.

Reexports and Transfers

This rule clarifies the second sentence in Sec. 740.17(c) of the

EAR (restricted transfers) by adding quotes around the term

``government end-users'' for consistency. The third and fourth sentences in this section concerning foreign products developed with or incorporating U.S.-origin encryption products are moved to new paragraph (b)(4)(ii), because it was misplaced and redundant to text already included in another paragraph of License Exception ENC.

Review Request Procedures

This rule removes former paragraph (d)(1) ``Instructions for requesting review'' because these instructions were redundant and inconsistent with the instructions for submissions on Form BIS-748P

(Multipurpose Application) found in Part 748 of the EAR. Instructions for such submissions belong in Part 748 of the EAR.

This rule reformats former paragraph (d)(2) ``Action by BIS'' because this paragraph was entirely too long and needed to be divided by subject matter. The new subparagraph titles are: (i) Notification;

(ii) After 30 days; and (iii) Hold Without Action (HWA).

This rule moves former paragraph (d)(3), ``key length increases,'' to the reporting requirement section under new paragraph (e)(2), because this requirement is in actuality a reporting requirement and not a review requirement. This report is required for commodities and software that, after having been reviewed and authorized for License

Exception ENC by BIS, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. This rule also makes the new key length a required element of the report.

Reporting Requirements

The reporting requirements for License Exception ENC are now split into two sections: Semiannual reporting requirement and reporting key length increases. This rule clarifies that the Commodity Classification

Automated Tracking System (CCATS) number is a required element of the report. This rule removes former paragraph (e)(2)(iv),

Page 57499

which required a report for exports of ECCN 5E002 items to be used for technical assistance that are not released by 744.9, because this rule removed section 744.9 of the EAR. This rule also clarifies the purpose and scope of paragraph (e)(3), regarding reportable information on foreign manufacturers and products that use encryption items in countries not listed in Supplement No. 3 to part 740.

Reporting Exclusions

This rule revises the exclusion set forth in former paragraph

(e)(4)(i), new paragraph (e)(1)(iii)(A), by removing the reference to paragraph (b)(1), because (b)(1) did not require prior review or post export reporting, therefore this rule moved (b)(1) to new paragraph

(a)(2).

In new paragraph (e)(1)(iii)(F), this rule expands the exclusion that was in former paragraph (e)(4)(vi) for components limited to providing short-range wireless encryption functions, by making the reporting exclusion apply to all of the items in the new paragraph

(b)(4), which are those items that are excluded from review requirements (certain commodities and software that provide short-range wireless; foreign products developed with or incorporating U.S.-origin encryption source code (that have not entered United States for subsequent export), components, or toolkits; wireless ``personal area network'' items; and ``ancillary cryptography'' commodities and software).

Lastly, in new paragraph (e)(1)(iii)(J), this rule adds a new provision to exclude from reporting requirements exports of items that have been determined, on a case-by-case basis do not require the burden of semi-annual reporting. Certain exports of items that do not qualify for mass market treatment, but are authorized under License Exception

ENC are not of interest for national security reasons, therefore do not warrant reporting requirements. Exporters will be notified of this exclusion on issued Commodity Classification Automated Tracking System

(CCATS) documents.

Restrictions

Former paragraph Sec. 740.17(f) ``Restrictions'' is removed, because the restrictions that were in this paragraph are integrated into the introductory paragraph to Sec. 740.17 or specific paragraphs for which they apply.

Supplement No. 3 to Part 740

This rule revises the title of Supplement No. 3 to part 740 to read

``License Exception ENC Favorable Treatment Countries,'' because the former title of ``Countries Eligible for the Provisions of Sec. 740.17(a)'' is no longer correct, as these countries are now eligible for provisions of Sec. 740.17(b)(1) of the EAR. This rule adds

Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries in Supplement No. 3 to part 740 of the EAR. Bulgaria and Romania joined the European Union by accession on January 1, 2007. The addition of

Canada is simply for clarity, as licenses are not required to Canada for Encryption Items (pursuant to Sec. 742.15(a)(1)) and License

Exception ENC has been available for subsidiaries and offices of the

Canadian government and private-sector end-users (along with the previous Supplement No. 3 to part 740 list of countries). Turkey and

Iceland are added because they are members of the North Atlantic Treaty

Organization (NATO). This will increase eligibility under License

Exception ENC under new paragraphs Sec. 740.17(a)(1) and (b)(1) of the

EAR, which will decrease the necessity for submitting license applications, review requests, and semiannual reports.

This revision will reduce the number of license applications submitted to BIS for the export or reexport of encryption products classified under ECCNs 5A002 and 5D002 to Bulgaria, Iceland, Romania, and Turkey by 95 percent (approximately $37 million in exports and reexports for CY 2007). This revision will not change the amount of license applications received by BIS for the export or reexport of encryption products to Canada, because Canada, while not included in the list of countries that received favorable treatment under License

Exception ENC, already received such benefits.

Section 742.15 ``Encryption Items''

Paragraph 742.15(a) is revised by more specifically describing what is EI controlled under ECCNs 5A002, 5D002, and 5E002. This revision harmonizes with changes this rule makes to the license requirements paragraphs of these ECCNs. In addition, a sentence is added that advises exporters to review License Exception ENC prior to submitting a license to BIS. Also, the phrase ``on a computer system'' is removed from the introductory text of Sec. 742.15 in order to be more consistent with the first Note in the License Requirement section of

ECCN 5D002.

Section 742.15(a)(2) License Requirements and Review Policy for ECCNS 5A992, 5D992, and 5E992

This rule removes former paragraph 742.15(a)(2), which explained license requirements and review policy for items classified under ECCNS 5A992, 5D992, and 5E992, because the purpose of Sec. 742.15 is to set forth the license requirements and review policies for items controlled for encryption item (EI) reasons and these items are controlled for anti-terrorism (AT) reasons only. The license requirements and review policy for these items are found under appropriate anti-terrorism sections of part 742.

This rule removes the second sentence of 742.15(a)(2), because the indefinite language did not add to the transparency of licensing policy. The sentence stated, ``Exports and reexports of encryption items to governments, or to Internet and telecommunications service providers for the provision of services specific to governments, may be favorably considered.'' This rule removes the extraneous phrase

``including those which authorize exports and reexports of encryption technology to strategic partners (as defined in Sec. 772.1 of the EAR) of U.S. companies.'' To be more transparent, this rule adds the phrase

``or pre-shipment notification'' to explain that ELAs may require pre- shipment notification. This rule adds a note to paragraph (a)(2) to remind exporters that once mass market encryption commodities and software have been reviewed by BIS and the ENC Encryption Request

Coordinator (Ft. Meade, MD) and released from ``EI'' and ``NS'' controls pursuant to Sec. 742.15(b) of the EAR, they are classified under ECCN 5A992 and 5D992 respectively, and are thereafter outside the scope of this section.

This rule removes the notification and review requirements for items classified under ECCNs 5A992, 5D992, and 5E992, which were set forth in former paragraphs Sec. 742.15(b) introductory paragraph and

Sec. 742.15 (b)(1) of the EAR.

This rule adds a reference to the ENC Encryption Request

Coordinator (FT. Meade, MD) with regard to the requirement for review of mass market encryption commodities and software.

Specific instructions for how to fill out form 748P (multipurpose application) for submission of a review request has been removed, because these instructions were redundant and inconsistent with the instructions found in paragraph (r) of Supplement No. 2 to part 748 of the EAR. Instead, a reference to this paragraph (r) is added to new paragraph 742.15(b)(1) ``Procedures for requesting review.''

This rule removes former paragraph (b)(2)(iii) that provided authorization under the designation of ``no license required (NLR)'' for exports and reexports of encryption commodities

Page 57500

and software pending mass market treatment review by BIS to government and non-government end-users located in countries listed in Supp. No. 3 to part 740 of the EAR or for internal use of foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in countries listed in Supp. No. 3 to part 740 of the EAR. This authorization was based on a temporary classification under ECCNs 5A992 and 5D992, which is inconsistent with the way other items are classified in the EAR, therefore this provision is removed. Instead, encryption commodities and software will remain under the classification of ECCN 5A002 and 5D002 until 30 days have passed since registration of the submitted review request or BIS issues a classification under ECCN 5A992 or 5D992. However, this rule creates a new authorization under License Exception ENC for such commodities and software pending a decision by BIS concerning mass market treatment under new paragraph 740.17(b)(1) of the EAR. This rule adds explanatory text about this new procedure in (b)(2) ``Action by BIS.''

Section 742.15(b)(3) Exclusions for Notification and Review

Requirements

This rule removes the former exclusion paragraphs, because it is no longer applicable and is replaced by new exclusion paragraphs from mass market review requirements under Sec. 742.15(b). There are three new exclusions: Certain short range wireless commodities and software, wireless ``personal area network'' items, and ``ancillary cryptography'' commodities and software.

Section 742.15(b)(4) Dormant Encryption and Enabling Software and

Commodities

This rule condenses this paragraph to remove text that pertained to

ECCNs 5A992 and 5D992.

Section 742.15(b)(5) Examples of Mass Market Software

The phrase ``designed for, bundled with, or pre-loaded on single

CPU computes'' is revised to read ``designed for computers classified as ECCN 4A994 or EAR99.'' This phrase was changed to remove outdated and confusing text related to computers. This rule also removes the last phrase ``and commodities and software exported via free or anonymous downloads.'' This phrase was removed because it confused the public, in that it led people to believe that if they incorporated free encryption software or open source encryption into their products that it was not subject to the EAR, which is not the case.

Supplement No. 6 to Part 742 ``Guidelines for Submitting Review

Requests for Encryption Items''

The option to fax support documents is removed, because that method has been replaced by either e-mailing the document in PDF or sending the document by mail. A requirement to obtain express mail certification of the mailing of support documentation is added for those that intend to rely on the 30 day registration provisions of the

EAR.

Paragraph (a) is divided into 5 subparagraphs that clarify existing review requirements and procedures. Former paragraph (a) is now new subparagraph (a)(1), and is revised to add a requirement to include a brief non-technical description of the type of product being submitted, e.g., routers, disk drives, cell phones, chips, etc. Part of the introductory paragraph to Supp. No. 6 that addressed prior reviews is moved to a new subparagraph (a)(2), and is revised to add a requirement, for products with minor changes in encryption functionality, to include a cover sheet with complete reference to the previous review (CCATS, Application Control Number (ACN),

ECCN, authorization paragraph) along with a clear description of the changes. New subparagraph (a)(3) requires a description of how encryption is used in the product and the categories of encrypted data

(i.e., stored data, communications, management data, internal data, etc.). New subparagraph (a)(4) requires, for mass market reviews, a specific description of who will be receiving the product and how the product is being marketed, as well as how this method of marketing and other relevant information (e.g., cost of product and volume of sales) is described by the Cryptography Note (Note 3 to Category 5, Part 2).

New subparagraph (a)(5) clarifies information about any encryption source code being used.

Subparagraph (c)(1) is amended by adding the phrase ``including relevant parameters, inputs and settings'' to the end of the first sentence. Subparagraph (c)(6) is amended by adding more examples of communication and cryptographic functions, as well as replacing the term ``encryption protocols'' with a more accurate term ``cryptographic protocols and methods.'' An additional requirement is added to (c)(6) to describe how the protocols that are supported are used. The text of

(c)(11) is revised to more clearly describe the information that would assist BIS.

The introductory text for paragraphs (d) and (e) is clarified.

Section 744.9 ``Restrictions on Technical Assistance by U.S. Persons

With Respect to Encryption Items''

This rule removes Sec. 744.9 of the EAR that required authorization from BIS for U.S. persons to provide technical assistance

(including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United

States of encryption commodities or software that, if of U.S.-origin, would be ``EI'' controlled under ECCNs 5A002 or 5D002. Section 744.9 was added to the EAR in 1996 when jurisdiction over dual-use encryption items was transferred from the Department of State to the Department of

Commerce. Technical assistance is treated differently under the

International Trade in Arms Regulations (ITAR) than it is in EAR.

Technical assistance is considered a form of ``technology'' under the definition of ``technology'' in section 772.1 of the EAR. The EAR states that technical assistance ``may take forms such as instruction, skills training, working knowledge, consulting services'' and that it

``may involve transfer of `technical data.' '' When a person performs technical assistance, which draws upon ``development,'' ``production,'' or ``use'' ``technology'' obtained in the United States or that is of

U.S.-origin, then a release of ``technology'' takes place, which is considered an export or reexport and may require authorization under the EAR. BIS has observed that there is rarely an application for a license submitted under the requirements of section 744.9; however, requests for authorization under section 744.9 are often included in license applications for export of ECCN 5E002 Technology. This has led

BIS to conclude that people are submitting license applications for technology exports and reexports when involved in technical assistance.

Therefore, to harmonize the understanding of technical assistance as it is understood in the EAR with the practical application of it by the public, BIS is removing section 744.9. This removal does not remove any license requirements for controlled encryption technology released while performing technical assistance. This amendment does not affect the scope of the note in former 744.9 in that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting or in the work of groups or bodies engaged in standards

Page 57501

development, by itself would not establish a license requirement under

ECCN 5E002, even where foreign persons are present. Section 744.9 is replaced by a ``license requirement'' note in ECCN 5E002 on the

Commerce Control List.

Supplement No. 2 to Part 748 ``Unique Application and Submission

Requirements''

This rule adds a sentence instructing applicants to place an ``X'' in the box marked ``classification request'' in Block 5 (Type of

Application) of Form BIS-748P or select ``Commodity Classification'' if filing electronically, because neither the electronic nor paper forms provide a separate Block to check for submission of encryption review requests.

Section 750.3 Review of License Application by BIS and Other Government

Agencies and Departments

This rule makes an editorial correction by removing paragraph

(b)(2)(iv) and redesignating (b)(2)(v) as (b)(2)(iv). This paragraph referred to the Arms Control and Disarmament Agency (ACDA), which no longer exists. However, ACDA's personnel and functions were absorbed by the Department of State in 1999. Therefore, this rule revises paragraph

(b)(2)(iii) by adding national security and nuclear nonproliferation to the description of State Department's concerns. Missile technology is also added as a State Department concern because the State Department chairs the Missile Technology Export control interagency working group.

Section 750.7 Issuance of Licenses

This rule removes paragraph (c)(2), which explained how to amend your Encryption License Agreement (ELA) by letter. BIS has observed a trend that industry has been submitting license applications for replacement or new ELAs when they want a change. In addition, it is more efficient for applicants to apply and track applications than letters, because of BIS' electronic application system. It is also easier for BIS to process and track submissions of applications than letters for the same reason. Therefore, this provision is removed.

This rule removes the third and fourth sentences in the introductory text of paragraph (d) that pertain to the responsibilities of a licensee with regard to ELAs. These sentences are removed, because a licensee may not transfer its license responsibilities.

Section 762.2 Records To Be Retained

This rule removes paragraph (b)(8), which referred to records related to key escrow encryption items under License Exception KMI.

This rule removes License Exception KMI and Supplement No. 4 to part 742 ``Key Escrow or Key Recovery Products Criteria,'' therefore this recordkeeping requirement no longer exists.

Section 770.2 Item Interpretations

This rule moves paragraph (n) ``Interpretation 14: Encryption commodity and software reviews,'' to a new note under paragraphs 740.17(b) and 742.15(b), so that exporters do not miss this important information about when to submit a new product review when a change has occurred in the encryption product. The text of this paragraph is also revised for clarity. The note explains that a new product review is not required when a change involves: the subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product limited to updates in an encryption software component (e.g., version updates of an encryption library that is called by a product to provide encryption functionality where the encryption library has either already been reviewed or did not require prior review.)

Section 772.1 Definition of terms as used in the Export Administration

Regulations (EAR)

This rule removes the definition of ``strategic partner'' as this term is not used in the control or licensing of encryption items. This rule also adds definitions for two new terms ``ancillary cryptography'' and ``personal area network,'' which are associated with new review and reporting exclusions in License Exception ENC.

Commerce Control List--Supplement No. 1 to Part 774

This rule revises the Nota Bene to the Cryptography Note at the beginning of Category 5 Part 2 in order to harmonize it with the revisions in this rule.

This rule clarifies what is controlled for ``EI'' reasons in ECCNs 5A002, 5D002, and 5E002 by replacing the text ``EI applies to encryption items transferred from the U.S. Munitions List to the

Commerce Control List consistent with E.O.13026 of November 15, 1996

(61 FR 58767) and pursuant to the Presidential Memorandum of that date.

Refer to Sec. 742.15 of this subchapter.'' with appropriate text that refers to specific paragraphs within those ECCNs for which EI applies.

For ECCN 5A002, the new EI control reads ``EI applies to 5A002.a.1, a.2, a.5, a.6 and a.9. Refer to Sec. 742.15 of the EAR.'' For ECCN 5D002, the new EI control reads, ``EI applies to ``software'' in 5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002.

Refer to Sec. 742.15 of the EAR.'' For ECCN 5E002, the new EI control reads, ``EI applies to ``technology'' for the ``development,''

``production,'' or ``use'' of commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec. 742.15 of the

EAR.'' In addition, License Exception ENC is added to the License

Exception section of each of these ECCNs, because it is the principal license exception for EI controlled items.

ECCN 5A002

This rule removes the license requirement notes section from ECCN 5A002, because there is no Wassenaar reporting requirement for this

ECCN. In addition, this rule makes editorial corrections to the Related

Controls paragraph by replacing the use of the term ``items'' with commodities when referring to ECCN 5A002 and 5A992. Moreover, this rule clarifies that if commodities are listed in paragraphs (a) through (f) in the Note to 5A002, and therefore the commodities are classified under ECCN 5A992, then the related software and technology are classified under ECCNs 5D992 and 5E992, respectively. This rule also revises Related Controls note 2 to be consistent with the mass market review procedures of Sec. 742.15 of the EAR. This note now reads ``2)

After a review and classification by BIS, mass market encryption commodities that meet eligibility requirements are released from ``EI'' and ``NS'' controls. These commodities are classified under ECCN 5A992.c. See Sec. 742.15(b) of the EAR.''

ECCN 5A992

This rule revises the anti-terrorism (AT) controls for ECCN 5A992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. This rule adds a new paragraph 5A992.c.

This new paragraph clarifies that a mass market commodity is classified under ECCN 5A992 upon completion of Government review of a commodity in accordance with paragraph 742.15(b) of the EAR, when that review determines that the commodity meets the requirements for mass market treatment. Encryption items are no longer presumed eligible for mass market treatment while pending Government review.

Page 57502

ECCN 5D002

This rule removes the third note in the License Requirement section, because the information in it does not harmonize with the revision made in this rule. In addition, this rule adds another note to the Related Controls paragraph to inform the public about the review and classification of mass market software.

ECCN 5D992

This rule revises the anti-terrorism (AT) controls for ECCN 5D992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. Paragraphs 5D992.a.1 and a.2, and 5D992.b.1 and b.2, are combined as 5D992.a and 5D992.b, respectively, in order to simplify the entry. This rule also removes paragraph 5D992.c (``software'' designed or modified to protect against malicious computer damage, e.g., viruses) from ECCN 5D992, while adding a note in the Related Control stating, ``This entry does not control ``software'' designed or modified to protect against malicious computer damage, e.g., viruses, where the use of ``cryptography'' is limited to authentication, digital signature and/or the decryption of data or files.'' Certain software for protection against malicious damage that meet the criteria of the Related Control note are thus now decontrolled and classified as EAR99, unless the software performs functions that are controlled under other ECCNs (whether under Category 5, part 2 or elsewhere in the Commerce Control List). Such software remains subject to the EAR and may be classified under ECCN 5D002 or 5D992 if it performs cryptographic functionality controlled by these Category 5, part 2 ECCNs (e.g., data or file encryption, including of user or system data under Secure Socket Layer (SSL) encryption, even if the cryptographic functionality is not directly user accessible.) Examples of software decontrolled by this change include certain firewall and other software for the screening of digital content and the detection and removal of viruses, spyware and unsolicited commercial e-mail.

This rule also adds a new paragraph 5D992.c. This paragraph clarifies that mass market software is classified under ECCN 5D992.c upon completion of Government review of the software in accord with

Sec. 742.15 of the EAR when that review determines that the software meets the requirements for mass market treatment. Encryption software is no longer presumed eligible for mass market treatment.

ECCN 5E002

This rule adds a License Requirement Note to remind people to consider the possibility of the release of technology when performing technical assistance; the note reads, ``When a person performs or provides technical assistance that incorporates, or otherwise draws upon, ``technology'' that was either obtained in the United States or is of U.S.-origin, then a release of the ``technology'' takes place.

Such technical assistance, when rendered with the intent to aid in the

``development'' or ``production'' of encryption commodities or software that would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.'' In addition, in order to harmonize with the revisions in this rule and for consistency, this rule adds text to the

Related Controls paragraph of the List of Items Controlled section to read ``This entry does not control ``technology'' ``required'' for the

``use'' of equipment excluded from control under the Related Controls paragraph or the Technical Notes in ECCN 5A002 or ``technology'' related to equipment excluded from control under ECCN 5A002. This

``technology'' is classified as ECCN 5E992.''

ECCN 5E992

This rule revises the anti-terrorism (AT) controls for ECCN 5E992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. This rule revises the references in 5E992.a and .b to conform to revisions included in this rule.

Although the Export Administration Act expired on August 20, 2001, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 73 FR 43603 (July 25, 2008), has continued the Export Administration

Regulations in effect under the International Emergency Economic Powers

Act.

Rulemaking Requirements 1. This interim final rule has been determined to be not significant for purposes of Executive Order 12866. 2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. seq.) (PRA), unless that collection of information displays a currently valid Office of Management and Budget (OMB) Control Number. This rule involves two collections of information subject to the PRA. One of the collections has been approved by OMB under control number 0694-0088,

``Multi Purpose Application,'' and carries a burden hour estimate of 58 minutes for a manual or electronic submission. The other collection has been approved by OMB under control number 0694-0104, ``Commercial

Encryption Items Under the Jurisdiction of the Department of

Commerce,'' and carries a burden hour estimate of 7 hours for a manual or electronic submission. Send comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, to Jasmeet Seehra, OMB

Desk Officer, by e-mail at jseehra@omb.eop.gov or by fax to (202) 395- 7285; and to the Office of Administration, Bureau of Industry and

Security, Department of Commerce, 14th and Pennsylvania Avenue, NW.,

Room 6622, Washington, DC 20230. 3. This rule does not contain policies with Federalism implications as that term is defined under Executive Order 13132. 4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under the Administrative

Procedure Act or by any other law, the analytical requirements of the

Regulatory Flexibility Act (5 U.S.C. 601 et. seq.) are not applicable.

Therefore, this regulation is issued in interim final form. Although there is no formal comment period, public comments on this regulation are welcome on a continuing basis. Comments should be submitted to

Sharron Cook, Office of Exporter Services, Bureau of Industry and

Security, Department of Commerce, 14th and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230.

Page 57503

List of Subjects 15 CFR Parts 732, 740, 748 and 750

Administrative practice and procedure, Exports, Reporting and recordkeeping requirements. 15 CFR Parts 738, 770 and 772

Exports. 15 CFR Part 744

Exports, Reporting and recordkeeping requirements, Terrorism. 15 CFR Part 742

Exports, Terrorism. 15 CFR Part 746

Exports, Reporting and recordkeeping requirements. 15 CFR Part 762

Administrative practice and procedure, Business and industry,

Confidential business information, Exports, Reporting and recordkeeping requirements. 15 CFR Part 774

Exports, Reporting and recordkeeping requirements. 0

Accordingly, parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 772 and 774 of the Export Administration Regulations (15 CFR parts 730-774) are amended as follows:

PART 732--[AMENDED] 0 1. The authority citation for part 732 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 2. Section 732.2 is amended by revising paragraph (b) to read as follows:

Sec. 732.2 Steps Regarding Scope of the EAR

* * * * *

(b) Step 2: Publicly available technology and software. This step is relevant for both exports and reexports. Determine if your technology or software is publicly available as defined and explained at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR contains several practical examples describing publicly available technology and software that are outside the scope of the EAR. The examples are illustrative, not comprehensive. Note that encryption software controlled for EI reasons under ECCN 5D002 on the Commerce

Control List (refer to Supplement No.1 to Part 774 of the EAR) and mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992 shall be subject to the EAR even if publicly available. Accordingly, the provisions of the EAR concerning the public availability of items are not applicable to encryption items controlled for ``EI'' reasons under ECCN 5D002 and mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992.

* * * * *

PART 734--[AMENDED] 0 3. The authority citation for part 734 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007). 0 4. Section 734.3 is amended by adding a note to paragraph (a)(4) to read as follows:

Sec. 734.3 Items Subject to the EAR

(a) * * *

(4) * * *

Note to paragraph (a)(4): Certain foreign-manufactured items developed or produced from U.S.-origin encryption items exported pursuant to License Exception ENC are subject to the EAR. See sections 740.17(a) and 740.17(b)(4)(ii) of the EAR. 0 5. Supplement No. 1 to part 734 is amended by revising the introductory paragraph to read as follows:

Supplement No. 1 to Part 734--Questions and Answers--Technology and

Software Subject to the EAR

This Supplement No. 1 contains explanatory questions and answers relating to technology and software that is subject to the EAR. It is intended to give the public guidance in understanding how BIS interprets this part, but is only illustrative, not comprehensive. In addition, facts or circumstances that differ in any material way from those set forth in the questions or answers will be considered under the applicable provisions of the EAR. Exporters should note that the provisions of this supplement do not apply to encryption software classified under ECCN 5D002 for ``EI'' reasons on the Commerce Control

List or to mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992. This Supplement is divided into nine sections according to topic as follows:

* * * * *

PART 738--[AMENDED] 0 6. The authority citation for part 738 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42

U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 22 U.S.C. 7201 et. seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3

CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 7. Section 738.4 is amended by revising paragraphs (a)(1) and

(a)(2)(ii)(B) to read as follows:

Sec. 738.4 Determining Whether a License Is Required

(a) * * *

(1) Overview. Once you have determined that your item is classified under a specific ECCN, you must use information contained in the

``License Requirements'' section of that ECCN in combination with the

Country Chart to decide whether a license is required. Note that not all license requirements set forth under the ``License Requirements'' section of an ECCN refer you to the Commerce Country Chart, but in some cases this section will contain references to a specific section in the

EAR for license requirements. In such cases, this section would not apply.

(2) * * *

(ii) * * *

(B) If no, a license is not required based on the particular Reason for Control and destination. Provided that General Prohibitions Four through Ten do not apply to your proposed transaction and that any applicable review requirements described in Sec. 742.15(b) of the EAR have been met for certain mass market encryption items controlled under

ECCNs 5A992 or 5D992, you may effect your shipment using the symbol

``NLR.'' Proceed to parts 758 and 762 of the EAR for information on export clearance procedures and recordkeeping requirements. Note that although you may stop after determining a license is required based on the first Reason for Control, it is best to work through each applicable Reason for Control. A full analysis of every possible licensing requirement based on each applicable Reason for Control is required to determine the most advantageous License Exception available for your particular transaction and, if a license is

Page 57504

required, ascertain the scope of review conducted by BIS on your license application.

* * * * *

PART 740--[AMENDED] 0 8. The authority citation for part 740 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 9. Section 740.3 is amended by revising paragraph (d)(5) to read as follows:

Sec. 740.3 Shipments of Limited Value (LVS)

* * * * *

(d) * * *

(5) Exports and reexports of encryption components or spare parts.

For components or spare parts controlled for ``EI'' reasons under ECCN 5A002, exports and reexports under this License Exception must be destined to support a commodity previously authorized for export or reexport.

* * * * *

Sec. 740.8 [Removed] 0 10. Remove and reserve Sec. 740.8.

Sec. 740.13 [Amended] 0 11. Section 740.13 is amended by removing the quotation marks around the term ``mass market'' in paragraph (d) heading, paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii). 0 12. Section 740.17 is revised to read as follows:

Sec. 740.17 Encryption Commodities, Software and Technology (ENC).

License Exception ENC authorizes export and reexport of software and commodities and components therefor that are classified under ECCNs 5A002.a.1, a.2, a.5, a.6 or a.9, 5B002, 5D002, and technology that is classified under ECCN 5E002. This License Exception ENC does not authorize export or reexport to, or provision of any service in any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Group E:1. Reexports and transfers under

License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraph (d) of this section sets forth information about review requests required by this section. Paragraph

(e) sets forth reporting required by this section.

(a) No prior review or post export reporting required--(1) Internal

``development'' or ``production'' of new products. License Exception

ENC authorizes exports and reexports of items described in paragraph

(a)(1)(i) of this section, to end-users described in paragraph

(a)(1)(ii) of this section, for the intended end-use described in paragraph (a)(1)(iii) of this section without prior review by the U.S.

Government.

(i) Eligible items. Eligible items are those classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002.

(ii) Eligible end-users. Eligible end-users are ``private sector end-users'' wherever located, except to countries listed in Country

Group E:1 (see Supplement No. 1 to part 740 of the EAR) that are headquartered in a country listed in Supplement No. 3 of this part.

Note to paragraph (a)(1)(ii): A ``private sector end-user'' is:

(1) An individual who is not acting on behalf of any foreign government; or

(2) A commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, or otherwise controlled by or acting on behalf of, any foreign government.

(iii) Eligible end-use. The eligible end-use is internal

``development'' or ``production'' of new products by those end- users.

Note to paragraph (a)(1)(iii): All items produced or developed with items exported or reexported under this paragraph (a)(1) are subject to the EAR. These items may require review and authorization before sale, reexport or transfer, unless otherwise authorized by license or license exception.

(2) Exports and reexports to ``U.S. Subsidiaries.'' License

Exception ENC authorizes export and reexport of items classified under

ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002 to any ``U.S. subsidiary,'' wherever located, except to countries listed in Country Group E:1 (see Supplement No. 1 to part 740 of the EAR), without prior review by the U.S. Government. License Exception ENC also authorizes export or reexport of such items by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the ``development'' or ``production'' of new products, without prior review by the U.S. Government.

Note to paragraph (a)(2): All items produced or developed with items exported or reexported under this paragraph (a)(2) are subject to the EAR. These items may require review and authorization before sale, reexport or transfer, unless otherwise authorized by license or license exception.

(b) Prior review required. License Exception ENC authorizes the export and reexport of commodities and software that require a license under ECCNs 5A002.a.1, a.2, a.5, a.6, or a.9, 5B002, or 5D002.

Paragraph (b)(1)(i) of this section also authorizes the export and reexport of ``technology'' controlled for EI reasons under ECCN 5E002 to the end-users indicated in paragraph (b)(1)(i). Exports and reexports authorized under this paragraph (b) of License Exception ENC require submission of a review request in accordance with paragraph (d) of this section. License Exception ENC does not authorize the export or reexport of cryptanalytic items to any ``government end-user''. Export or reexport of items that provide an ``open cryptographic interface'' is only authorized under paragraph (b)(1)(i) of this section. Exports and reexports authorized under paragraph (b) of this section are subject to reporting requirements in accordance with paragraph (e) of this section.

(1) Review required without waiting period. Once your review request is registered with BIS in accordance with paragraph (d) of this section, License Exception ENC authorizes the exports or reexports

(except to countries listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR) to the following destinations:

(i) Export and reexport to countries listed in Supplement No. 3 of this part. License Exception ENC authorizes the export and reexport of encryption items, including EI controlled commodities or software

(excluding source code) that are pending review for mass market treatment (under Sec. 742.15(b) of the EAR), to ``government end- users'' and non-``government end-users'' located in countries listed in

Supplement 3 of this part, as well as to foreign subsidiaries or offices of firms, organizations and governments headquartered in countries listed in Supplement 3 of this part.

(ii) Export and reexport to countries not listed in Supplement No. 3 of this part. License Exception ENC authorizes the export and reexport of the following commodities and software:

(A) Encryption commodities and software (including key management products), as follows: for symmetric algorithms with key lengths not exceeding 80 bits; for asymmetric algorithms with key lengths not exceeding 1,024 bits; and for elliptic curve algorithms with key lengths not exceeding 160 bits. (After review has been completed, the issued Commodity Classification Automated Tracking

Page 57505

System (CCATS) document will indicate authorization is under paragraph

(b)(2) or (b)(3) of this section, whichever paragraph is appropriate.)

(B) Encryption source code that would not be eligible for export or reexport under License Exception TSU, provided that a copy of the source code is included in the review request, to non-''government end- users'' located in any country except a country listed in Country Group

E:1 of Supplement No. 1 to part 740 of the EAR. (After the review has been completed, the issued Commodity Classification Automated Tracking

System (CCATS) document will indicate authorization is under paragraph

(b)(2) of this section.)

(2) Review required with 30 day wait (non-``government end-users'' only). Thirty days after your review request is registered with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, License

Exception ENC authorizes the export or reexport of the following commodities and software to non-``government end-users'' located in a country not listed in Supplement No. 3 to this part or Country Group

E:1 of Supplement No. 1 to part 740 of the EAR:

(i) Network infrastructure software and commodities and components thereof (including commodities and software necessary to activate or enable cryptographic functionality in network infrastructure products) providing secure Wide Area Network (WAN), Metropolitan Area Network

(MAN), Virtual Private Network (VPN), satellite, digital packet telephony/media (voice, video, data) over internet protocol, cellular or trunked communications meeting any of the following with key lengths exceeding 80-bits for symmetric algorithms:

(A) Aggregate encrypted WAN, MAN, VPN or backhaul throughput

(includes communications through wireless network elements such as gateways, mobile switches, controllers, etc) greater than 90 Mbps;

(B) Wire (line), cable or fiber-optic WAN, MAN or VPN single- channel input data rate exceeding 154 Mbps;

(C) Media (voice/video/data) encryption or centralized key management supporting more than 250 concurrent encrypted data channels, or encrypted signaling to more than 1,000 endpoints, for digital packet telephony/media (voice/video/data) over internet protocol communications; or

(D) Air-interface coverage (e.g., through base stations, access points to mesh networks, bridges, etc.) exceeding 1,000 meters, where any of the following applies:

(1) Maximum transmission data rates exceeding 10 Mbps (at operating ranges beyond 1,000 meters);

(2) Maximum number of concurrent full-duplex voice channels exceeding 30; or

(3) Substantial support is required for installation or use;

(ii) Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in Sec. 740.13(e)(1) of the EAR, and the export or reexport of the encryption source code that is not otherwise eligible for License Exception ENC under paragraph

(b)(1)(ii)(B) of this section;

(iii) Encryption software, commodities or components therefor, that have any of the following:

(A) Been designed, modified, adapted or customized for ``government end-user(s)'' or government end-use (e.g., to secure police, state security, or emergency response communications), including encryption commodities and software for external security operations center (SOC)/ network operations center (NOC) command and infrastructure, public safety radio, and digital forensics/computer forensics;

(B) Cryptographic functionality that has been modified or customized to customer specification; or

(C) Cryptographic functionality or ``encryption component'' (except encryption software that would be considered publicly available, as that term is used in Sec. 740.13(e)(1) of the EAR) that is user- accessible and can be easily changed by the user;

(iv) ``Cryptanalytic items'';

(v) Encryption commodities and software that provide functions necessary for quantum cryptography, as defined in ECCN 5A002 of the

Commerce Control List;

(vi) Encryption commodities and software that have been modified or customized for computers classified under ECCN 4A003.

(3) Review required with 30 day waiting period (``government end- users'' or non-``government end-users''). Thirty days after your review request is registered with BIS in accordance with paragraph (d) of this section, License Exception ENC authorizes the export and reexport of software and commodities and components not listed in paragraph (b)(2) of this section to either ``government end-users'' or non-``government end-users'' located in a country not listed in Supplement No. 3 to this part or Country Group E:1 of Supplement No. 1 to part 740 of the EAR.

(4) Items excluded from review requirements--(i) Short-range wireless encryption functions. Commodities and software not otherwise controlled in Category 5, but that are classified under ECCN 5A002, 5B002 or 5D002 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with a nominal operating range not exceeding 100 meters according to the manufacturer's specifications). Commodities and software included in this description include those designed to comply with the Institute of

Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard

(35 meters) for short-range use and those designed to comply with the

IEEE 802.15.1 standard that provide only the short-range wireless encryption functionality, and would not be classified under Category 5, part 1 of the CCL (telecommunications) absent this encryption functionality. Certain items excluded from review by this paragraph may also be excluded from review under paragraph (b)(4)(iii) of this section (personal area networks) or paragraph (b)(4)(iv) of this section (commodities and software that provide ``ancillary cryptography'').

(ii) Foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the

U.S.-origin encryption items have previously been reviewed and authorized by BIS and the cryptographic functionality has not been changed. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface.

(iii) Wireless ``personal area network'' items. Wireless ``personal area network'' items that implement only published or commercial cryptographic standards and where the cryptographic capability is limited to a nominal operating range not exceeding 30 meters according to the manufacturer's specifications. See Nota Bene of the definition for ``personal area network'' in Sec. 772.1 of the EAR.

(iv) ``Ancillary cryptography.'' Commodities and software that perform ``ancillary cryptography.'' See Nota Bene of definition of

``ancillary cryptography'' in Sec. 772.1 of the EAR.

Note to paragraph (b): A new product review is required if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting License Exception ENC eligibility (e.g., encrypted throughput) of the originally

Page 57506

reviewed product. However, a new product review is not required when a change involves: The subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.

(c) Reexport and transfer. U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or reexport meets the applicable terms and conditions of this section. Transfers of encryption items listed in paragraph (b)(2) of this section to ``government end-users,'' or for government end-uses, within the same country are prohibited, unless otherwise authorized by license or license exception.

(d) Review request procedures--(1) Submission. To request review of your encryption items under License Exception ENC, you must submit to

BIS and to the ENC Encryption Request Coordinator form BIS-748P

(Multipurpose Application), or its electronic equivalent in accordance with the instructions in paragraph (r) of Supplement No. 2 to part 748

``Unique Application and Submission Requirements'' and the applicable information described in paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR (Guidelines for Submitting Review Requests for

Encryption Items). Failure to properly complete these items may delay consideration of your review request.

(2) Action by BIS--(i) Notification. Upon completion of its review,

BIS will send you written notice of the provisions of this section, if any, under which your items may be exported or reexported.

(ii) After 30 days. If BIS has not, within 30 days of registration of a complete review request from you, informed you that your item is not authorized for License Exception ENC, you may export or reexport under the applicable provisions of License Exception ENC.

(iii) Hold Without Action (HWA). BIS may hold your review request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate determination with respect to ENC eligibility. Time on such ``hold without action'' status shall not be counted towards fulfilling the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section.

BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility for License Exception ENC at any time, before or after the expiration of the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. If you do not supply such information within 14 days after receiving a request for it from

BIS, BIS may return your review request(s) without action or otherwise suspend or revoke your eligibility to use License Exception ENC for that item(s). At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS, and may be approved if BIS concludes that additional time is necessary.

(e) Reporting requirements--(1) Semi-annual reporting requirement.

Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada, under this license exception. Certain encryption items and transactions are excluded from this reporting requirement, see paragraph (e)(1)(iii) of this section.

For information about what must be included in the report and submission requirements, see paragraphs (e)(1)(i) and (e)(1)(ii) of this section respectively.

(i) Information required. Exporters must include for each item, the

Commodity Classification Automated Tracking System (CCATS) number and the name of the item(s) exported (or reexported from Canada), and the following information in their reports:

(A) Distributors or resellers. For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end-user's name and address;

(B) Individual consumers. For items exported (or reexported from

Canada) to individual consumers through direct sale, the name and address of the recipient, the item, and the quantity exported; or

(C) Foreign manufacturers and products that use encryption items.

For exports (i.e., from the United States) or direct transfers (e.g. by a ``U.S. subsidiary'' located outside the United States) of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an ``open cryptographic interface'' exported to a foreign developer or manufacturer headquartered in a country not listed in Supplement No. 3 to this part when intended for use in foreign products developed for commercial sale, the names and addresses of the manufacturers using these encryption items and, if known, when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used

(e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available).

(ii) Submission requirements. For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text.

Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to

BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks and CDs containing the reports may be sent to the following addresses:

(A) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and

Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:

Encryption Reports, and

(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road,

Suite 6940, Ft. Meade, MD 20755-6000.

(iii) Exclusions from reporting requirement. Reporting is not required for the following items and transactions:

(A) Any encryption item exported (or reexported from Canada) under paragraph (a) of this section;

(B) Encryption commodities or software with a symmetric key length not exceeding 64 bits;

(C) Encryption commodities or software authorized under paragraph

(b)(3) of this section, exported (or reexported from Canada) to individual consumers;

Page 57507

(D) Encryption items exported (or reexported from Canada) via free and anonymous download;

(E) Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations;

(F) Items listed in (b)(4) of this section, unless it is a foreign item described in (b)(4)(ii) that has entered the United States;

(G) Foreign products developed by bundling or compiling of source code;

(H) General purpose operating systems, or desktop applications

(e.g., e-mail, browsers, games, word processing, data base, financial applications or utilities) authorized under paragraph (b)(3) of this section;

(I) Client Internet appliance and client wireless LAN cards; or

(J) Other items as determined on a case-by-case basis.

(2) Reporting key length increases. Reporting is required for commodities and software that, after having been reviewed and authorized for License Exception ENC by BIS, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported or reexported under the previously authorized provision of License Exception ENC without further review.

(i) Information required. (A) A certification that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms.

(B) The original Commodity Classification Automated Tracking System

(CCATS) authorization number issued by BIS and the date of issuance.

(C) The new key length.

(ii) Submission requirements. (A) The report must be received by

BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and

(B) The report is e-mailed to crypt@bis.doc.gov and enc@nsa.gov.

Supplement No. 3 to Part 740 [Amended] 0 13. Supplement No. 3 is amended by: 0 a. Revising the heading to read ``License Exception ENC Favorable

Treatment Countries''; and 0 b. Adding Bulgaria, Canada, Iceland, Romania, and Turkey in alphabetic order.

PART 742--[AMENDED] 0 14. The authority citation for part 742 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22

U.S.C. 7210; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43

FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007). 0 15. Section 742.15 is revised to read as follows:

Sec. 742.15 Encryption items.

Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The

United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected.

Consistent with our international obligations as a member of the

Wassenaar Arrangement, the United States has a responsibility to maintain control over the export and reexport of encryption items. As the President indicated in Executive Order 13026 and in his Memorandum of November 15, 1996, exports and reexports of encryption software, like exports and reexports of encryption hardware, are controlled because of this functional capacity to encrypt information, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export or reexport may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.

(a) Licensing requirements and policy--(1) Licensing requirements.

A license is required to export or reexport encryption items (``EI'') classified under ECCN 5A002.a.1, a.2, a.5, a.6 and a.9; 5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002; or 5E002 for

``technology'' for the ``development,'' ``production,'' or ``use'' of commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or 5D002 to all destinations, except Canada. Refer to part 740 of the EAR for license exceptions that apply to certain encryption items, and to

Sec. 772.1 of the EAR for definitions of encryption items and terms.

Most encryption items may be exported under the provisions of License

Exception ENC set forth in Sec. 740.17 of the EAR. Before submitting a license application, please review License Exception ENC to determine whether this license exception is available for your item or transaction. For exports and reexports of encryption items that are not eligible for a license exception, exporters must submit an application to obtain authorization under a license or an Encryption Licensing

Arrangement.

(2) Licensing policy. Applications will be reviewed on a case-by- case basis by BIS, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests. Encryption Licensing

Arrangements (ELAs) may be authorized for exports and reexports of unlimited quantities of encryption commodities and software to national or federal government bureaucratic agencies for civil use, and to state, provincial or local governments, in all destinations, except countries listed in Country Group E:1 of Supplement No. 1 to part 740.

ELAs are valid for four years and may require post-export reporting or pre-shipment notification. Applicants seeking authorization for

Encryption Licensing Arrangements must specify the sales territory and class of end-user on their license applications.

Note to paragraph (a): Pursuant to Note 3 to Category 5 Part 2 of the Commerce Control List in Supplement No. 1 to part 774, once mass market encryption commodities and software have been reviewed by BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) and released from ``EI'' and ``NS'' controls pursuant to Sec. 742.15(b) of the EAR, they are classified under ECCN 5A992 and 5D992 respectively, and are thereafter outside the scope of this section.

(b) Review requirement for mass market encryption commodities and software exceeding 64 bits: Mass market encryption commodities and software employing a key length greater than 64 bits for the symmetric algorithm (including such products previously reviewed by BIS and exported under ECCN 5A002 or 5D002) are subject to the EAR and require review by BIS and the ENC Encryption Request Coordinator (Ft. Meade,

MD), prior to export or reexport. Encryption commodities and software that are described in Sec. 740.17(b)(2) of the EAR do not qualify for mass market treatment. A new product review is required if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting mass market eligibility (e.g., performance enhancements to provide network infrastructure services, or customizations to end-user specifications) of the originally reviewed product. However, a new product review is not required when a change involves: The subsequent

Page 57508

bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.

(1) Procedures for requesting review. To request review of your mass market encryption products, you must submit to BIS and the ENC

Encryption Request Coordinator the information described in paragraphs

(a) through (e) of Supplement No. 6 to this part 742, and you must include specific information describing how your products qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2 (``Information Security''), of the Commerce

Control List (Supplement No. 1 to part 774 of the EAR). Review requests must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, as described in Sec. 748.3 of the EAR. See paragraph (r) of Supplement No. 2 to Part 748 of the EAR for special instructions about this submission. Review requests that are not submitted electronically to BIS should be mailed to the address indicated in Sec. 748.2(c) of the EAR. Submissions to the ENC

Encryption Request Coordinator should be directed to the mailing address indicated in Sec. 740.17(e)(1)(ii) of the EAR. BIS will notify you if there are any questions concerning your request for review

(e.g., because of missing or incompatible support documentation).

(2) Action by BIS. Once BIS has completed its review, you will receive written confirmation concerning the eligibility of your items for export or reexport as mass market encryption commodities or software classified under ECCN 5A992 or 5D992. If, during the course of its review, BIS determines that your encryption items do not qualify for mass market treatment under the EAR, or are otherwise classified under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will review your commodities or software for eligibility under License

Exception ENC (see Sec. 740.17 of the EAR for review and reporting requirements for encryption items under License Exception ENC). BIS reserves the right to suspend your eligibility to export and reexport under the provisions of this paragraph (b) and to return review requests, without action, if the requirements for review have not been met. Thirty days after BIS registers your review request, you may export or reexport these mass market encryption products, without a license, to government and non-government end-users located in most destinations outside the countries listed in Supplement No. 3 to part 740 of the EAR (certain destinations and persons may require a license for anti-terrorism (AT) reasons or for reasons specified elsewhere in the EAR), unless otherwise notified by BIS (e.g., because of missing or incomplete support documentation or conversion to License Exception ENC review.) The thirty days does not include any time that your review request is on hold without action.

(3) Exclusions from review requirements. The following commodities and software do not require review prior to export or reexport as mass market products.

(i) Short-range wireless encryption functions. Commodities and software not otherwise controlled in Category 5, but that are classified under ECCN 5A992 or 5D992 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with a nominal operating range not exceeding 100 meters according to the manufacturer's specifications). Commodities and software included in this description include those designed to comply with the Institute of Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard (35 meters) for short-range use and those designed to comply with the IEEE 802.15.1 standard that provide only the short-range wireless encryption functionality, and would not be classified under Category 5, part 1 of the CCL (telecommunications) absent this encryption functionality. Certain items excluded from review by this paragraph may also be excluded from review under paragraph (b)(3)(ii) of this section (personal area networks) or paragraph (b)(3)(iii) of this section (commodities and software that provide ``ancillary cryptography'').

(ii) Wireless ``personal area network'' items. Wireless ``personal area network'' items that implement only published or commercial cryptographic standards and where the cryptographic capability is limited to a nominal operating range not exceeding 30 meters according to the manufacturer's specifications. See Nota Bene of the definition for ``personal area network'' in Sec. 772.1 of the EAR.

(iii) ``Ancillary cryptography''. Commodities and software that perform ``ancillary cryptography.'' See Nota Bene of definition of

``ancillary cryptography'' in Sec. 772.1 of the EAR.

(4) Commodities and software that activate or enable cryptographic functionality. Commodities, software, and components that allow the end-user to activate or enable cryptographic functionality in encryption products which would otherwise remain disabled, are controlled according to the functionality of the activated encryption product.

(5) Examples of mass market encryption products. Subject to the requirements of the Cryptography Note (Note 3) in Category 5, Part 2, of the Commerce Control List, mass market encryption products include, but are not limited to, general purpose operating systems and desktop applications (e.g., e-mail, browsers, games, word processing, database, financial applications or utilities) designed for use with computers classified as ECCN 4A994 or EAR99, laptops, or hand-held devices; commodities and software for client Internet appliances and client wireless LAN devices; home use networking commodities and software

(e.g., personal firewalls, cable modems for personal computers, and consumer set top boxes); and portable or mobile civil telecommunications commodities and software (e.g., personal data assistants (PDAs), radios, or cellular products).

Supplement No. 4 to Part 742 [Removed] 0 16. Supplement No. 4 to Part 742 is removed and reserved. 0 17. Supplement No. 6 to Part 742 is amended by: 0 a. Revising the introductory paragraph; 0 b. Revising paragraph (a); 0 c. Revising paragraphs (c)(1), (c)(6), and (c)(11); 0 e. Revising the introductory paragraphs of (d) and (e), to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests for Encryption Items

Review requests for encryption items must be submitted on Form

BIS-748P (Multipurpose Application), or its electronic equivalent, and supported by the documentation described in this Supplement, in accordance with the procedures described in Sec. 748.3 of the EAR.

To ensure that your review request is properly routed, insert the phrase ``Mass market encryption'' or ``License Exception ENC''

(whichever is applicable) in Block 9 (Special Purpose) of the application form and place an ``X'' in the box marked

``Classification Request'' in Block 5 (Type of Application)--Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. BIS recommends that review requests be delivered via courier service or be sent to:

Bureau of Industry and Security, U.S. Department of Commerce, 14th

Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230.

Page 57509

For electronic submissions via SNAP-R, support documents not readily attached in PDF format must be sent to: Bureau of Industry and Security, Information Technology Controls Division, Room 2093, 14th Street and Pennsylvania Ave., NW., Washington, DC 20230.

In addition, you must send a copy of your review request and all support documents to: Attn: ENC Encryption Request Coordinator, 9800

Savage Road, Suite 6940, Fort Meade, MD 20755-6000.

If you intend to rely on the 30 day registration provisions of the regulations, express mail certification of these documents is needed.

(a)(1) State the name(s) of each product being submitted for review and provide a brief non-technical description of the type of product (e.g., routers, disk drives, cell phones, chips, etc.) being submitted.

(2) Indicate whether there have been any prior reviews of the product(s), if such reviews are applicable to the current submission. For products with minor changes in encryption functionality, you must include a cover sheet with complete reference to the previous review (Commodity Classification Automated

Tracking System (CCATS) number, Application Control Number (ACN),

Export Control Classification Number (ECCN), authorization paragraph) along with a clear description of the changes.

(3) Describe how encryption is used in the product and the categories of encrypted data (e.g., stored data, communications, management data, internal data, etc.).

(4) For mass market review requests, describe specifically to whom and how the product is being marketed and state how this method of marketing and other relevant information (e.g., cost of product and volume of sales) are described by the Cryptography Note (Note 3 to Category 5, Part 2).

(5) Is any ``encryption source code'' being provided (shipped or bundled) as part of this offering? If yes, is this source code publicly available source code, unchanged from the code obtained from an open source web site, or is it proprietary ``encryption source code?''

* * * * *

(c) * * *

(1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used, including relevant parameters, inputs and settings. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode).

* * * * *

(6) State all communication protocols (e.g., X.25, Telnet, TCP,

IEEE 802.11, IEEE 802.16, SIP * * *) and cryptographic protocols and methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECCN, MD5, SHA,

X.509, PKCS standards * * *) that are supported and describe how they are used.

* * * * *

(11) License Exception ENC `Restricted' commodities and software described by the criteria in Sec. 740.17(b)(2) require licenses to certain ``government end-users.'' Describe whether the product(s) meet any of the Sec. 740.17(b)(2) criteria. Provide specific data for each of the parameters listed, as applicable (e.g., maximum aggregate encrypted user data throughput, maximum number of concurrent encrypted channels, and operating range for wireless products). If the Sec. 740.17(b)(2) parameters are not applicable to the commodity or software, clearly explain why (e.g., by providing specific data evaluated against the Sec. 740.17(b)(2) thresholds.)

(d) For review requests for hardware or software ``encryption components'' other than source code (i.e., chips, toolkits, executable or linkable modules intended for use in or production of another encryption item) provide the following additional information:

* * * * *

(e) For review requests for ``encryption source code'' provide the following information:

* * * * *

PART 744--[AMENDED] 0 18. The authority citation for part 744 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22

U.S.C. 7210; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179;

E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59

FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60 FR 5079, 3 CFR, 1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p. 208; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224, 66 FR 49079, 3

CFR, 2001 Comp., p. 786; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007).

Sec. 744.9 [Removed] 0 19. Remove and reserve Sec. 744.9.

PART 746--[AMENDED] 0 20. The authority citation for part 746 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 287c; Sec 1503, Pub. L. 108-11, 117 Stat. 559; 22 U.S.C. 6004; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 12854, 58 FR 36587, 3 CFR, 1993 Comp., p. 614; E.O. 12918, 59 FR 28205, 3 CFR, 1994 Comp., p. 899; E.O. 13222, 3 CFR, 2001 Comp., p. 783;

Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Presidential Determination 2007-7 of December 7, 2006, 72

FR 1899 (January 16, 2007); Notice of July 23, 2008, 73 FR 43603

(July 25, 2008).

Sec. 746.3 [Amended] 0 21. Section 746.3 is amended in paragraph (c) by revising the phrase

``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT, TSU, BAG, AVS, ENC or KMI.'' to read ``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT,

TSU, BAG, AVS, or ENC.''

PART 748--[AMENDED] 0 22. The authority citation for part 748 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;

E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66

FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 23. Supplement No. 2 to part 748 is amended by revising paragraph (r) to read as follows:

Supplement No. 2 to Part 748--Unique Application and Submission

Requirements

* * * * *

(r) Encryption review requests. Enter, in Block 9 (Special

Purpose) of the BIS-748P, ``License Exception ENC'' if you are submitting an encryption review request for License Exception ENC

(Sec. 740.17 of the EAR) or ``mass market encryption'' if you are submitting an encryption review request under the mass market encryption provisions (Sec. 742.15(b) of the EAR). If you seek an encryption review for another reason, enter ``encryption--other''.

Neither the electronic nor paper forms provide a separate Block to check for the submission of encryption review requests, therefore you must also, place an ``X'' in the box marked ``Classification

Request'' in Block 5 (Type of Application) of Form BIS-748P or select ``Commodity Classification'' if filing electronically.

Failure to properly complete these items may delay consideration of your review request.

* * * * *

PART 750--[AMENDED] 0 24. The authority citation for part 750 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;

Sec. 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3

CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 25. Section 750.3 is amended by: 0 a. Removing paragraph (b)(2)(iv) and redesignating paragraph (b)(2)(v) as (b)(2)(iv); and 0 b. Revising (b)(2)(iii) to read as follows:

Sec. 750.3 Review of License Applications by BIS and Other Government

Agencies and Departments.

* * * * *

(b) * * *

(2) * * *

(iii) The Department of State is concerned primarily with items controlled for national security, nuclear nonproliferation, missile technology,

Page 57510

regional stability, anti-terrorism, crime control reasons, and sanctions; and

* * * * *

Sec. 750.7 [Amended] 0 26. Section 750.7 is amended by: 0 a. Removing and reserving paragraph (c)(2); and 0 b. Removing the third and fourth sentences in the introductory text of paragraph (d).

PART 762--[AMENDED] 0 27. The authority citation for part 762 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;

E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

Sec. 762.2 [Amended] 0 28. Section 762.2 is amended by removing and reserving paragraph

(b)(8).

PART 770--[AMENDED] 0 29. The authority citation for part 770 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;

E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

Sec. 770.2 [Amended] 0 30. Section 770.2 is amended by removing paragraph (n).

PART 772--[AMENDED] 0 31. The authority citation for part 772 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;

E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008). 0 32. Section 772.1 is amended by: 0 a. Removing the term and definition ``strategic partners (of a U.S. company)''; and 0 b. Adding the terms and definitions for ``ancillary cryptography'' and

``personal area network'' in alphabetic order, to read as follows:

Sec. 772.1 Definitions of terms as used in the Export Administration

Regulations (EAR).

* * * * *

Ancillary cryptography. The incorporation or application of

``cryptography'' by items that are not primarily useful for computing

(including the operation of ``digital computers''), communications, networking (includes operation, administration, management and provisioning) or ``information security''.

N.B. Commodities and software that perform ``ancillary cryptography'' (e.g., are specially designed and limited to: piracy and theft prevention for software, music, etc.; games and gaming; household utilities and appliances; printing, reproduction, imaging and video recording or playback (but not videoconferencing); business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); automotive, aviation and other transportation systems). Commodities and software included in this description are not limited to wireless communication and are not limited by range or key length.

* * * * *

Personal area network. A data communication system having all of the following characteristics:

(a) Allows an arbitrary number of independent or interconnected

`data devices'' to communicate directly with each other; and

(b) Is confined to the communication between devices within the immediate vicinity of an individual person or device controller (e.g., single room, office, or automobile).

Technical Note: `Data device' means equipment capable of transmitting or receiving sequences of digital information.

N.B. ``Personal area network'' items include but are not limited to items designed to comply with the Institute of Electrical and

Electronic Engineers (IEEE) 802.15.1 standard, class 2 (10 meters) and class 3 (1 meter), but not class 1 (100 meters) items. This includes most home networking devices, but not long-range enterprise equipment or components that can be used in long-range equipment. IEEE 802.15.1 class 2 and class 3 devices include hands-free headsets, wireless networking between personal computers, wireless mice, keyboards and printers, Global Positioning Systems (GPS) receivers, bar code scanners and game console wireless controllers, as well as data-capable wireless telephones and devices or software for transfer of files between devices using Object Exchange (OBEX).

* * * * *

PART 774--[AMENDED] 0 33. The authority citation for part 774 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42

U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3

CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

Supplement No. 1 to Part 774--[Amended] 0 34. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

Information Security is amended by revising the Nota Bene to

Cryptography Note, to read as follows:

CATEGORY 5--TELECOMMUNICATIONS AND ``INFORMATION SECURITY''

* * * * *

2. ``Information Security''

* * * * *

N.B. to Cryptography Note: Mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with the requirements of Sec. 742.15(b) of the EAR in order to be released from the ``EI'' and ``NS'' controls of ECCN 5A002 or 5D002. 0 35. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

Information Security, Export Control Classification Number (ECCN) 5A002 is amended by 0 a. Revising the EI paragraph of the License Requirements section; 0 b. Removing the License Requirements Notes from the License

Requirements section; 0 c. Adding a license exception paragraph to the License Exception section; and 0 d. Revising the Related Controls paragraph of the List of Items

Controlled section, to read as follows: 5A002 Systems, equipment, application specific ``electronic assemblies'', modules and integrated circuits for ``information security'', as follows (see List of Items Controlled), and other specially designed components therefor.

License Requirements

* * * * *

Control(s)

Country chart

...............................

* * * * *

EI applies to 5A002.a.1, a.2, a.5, a.6 and a.9. Refer to Sec. 742.15 of the EAR.

License Exceptions

* * * * *

ENC: Yes for certain EI controlled commodities, see Sec. 740.17 of the EAR for eligibility.

Page 57511

List of Items Controlled

Unit: * * *

Related Controls: (1) 5A002 does not control the commodities listed in paragraphs (a) through (f) in the Note in the items paragraph of this entry. These commodities are instead classified under ECCN 5A992, and related software and technology are classified under ECCNs 5D992 and 5E992 respectively. (2) After a review and classification by BIS, mass market encryption commodities that meet eligibility requirements are released from ``EI'' and ``NS'' controls. These commodities are classified under ECCN 5A992.c. See

Sec. 742.15(b) of the EAR.

Related Definitions: * * *

Items: * * * 0 36. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

Information Security, Export Control Classification Number (ECCN) 5A992 is amended by revising the License Requirements section and paragraph c in the items paragraph of the List of Items Controlled section, to read as follows: 5A992 Equipment not controlled by 5A002.

License Requirements

* * * * *

Control(s)

Country chart

AT applies to entire entry............. AT Column 1.

* * * * *

List of Items Controlled

* * * * *

Items:

* * * * * c. Commodities that have been reviewed and determined to be mass market encryption commodities in accordance with Sec. 742.15(b) of the EAR. 0 37. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

``Information Security'', Export Control Classification Number (ECCN) 5D002 is amended by: 0 a. Revising the EI paragraph of the License Requirements section; 0 b. Adding a new license exception to the License Exception section; 0 c. Removing the third Note in the License Requirements section; and 0 d. Revising the Related Controls paragraph in the List of Items

Controlled section, to read as follows: 5D002 Information Security--``Software''.

License Requirements

* * * * *

Control(s)

Country chart

...............................

* * * * *

EI applies to ``software'' in 5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002. Refer to Sec. 742.15 of the EAR.

* * * * *

License Exceptions

* * * * *

ENC: Yes for certain EI controlled software, see Sec. 740.17 of the EAR for eligibility.

List of Items Controlled

Unit: $ value

Related Controls: (1) This entry does not control ``software''

``required'' for the ``use'' of equipment excluded from control under the Related Controls paragraph or the Technical Notes in ECCN 5A002 or ``software'' providing any of the functions of equipment excluded from control under ECCN 5A002. This software is classified as ECCN 5D992. (2) After a review and classification by BIS, mass market encryption software that meet eligibility requirements are released from ``EI'' and ``NS'' controls. This software is classified under ECCN 5D992.c. See Sec. 742.15(b) of the EAR.

Related Definitions: * * *

Items: * * * 0 38. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

Information Security, Export Control Classification Number (ECCN) 5D992 is amended by: 0 a. Revising the License Requirements section; 0 b. Revising the Related Controls paragraph of the List of Items

Controlled section; and 0 c. Revising the Items paragraph of the List of Items Controlled section, to read as follows: 5D992 ``Information Security'' ``software'' not controlled by 5D002.

License Requirements.

* * * * *

Control(s)

Country chart

AT applies to entire entry............. AT Column 1.

* * * * *

List of Items Controlled

Unit: * * *

Related Controls: This entry does not control ``software'' designed or modified to protect against malicious computer damage, e.g., viruses, where the use of ``cryptography'' is limited to authentication, digital signature and/or the decryption of data or files.

Related Definitions: * * *

Items: a. ``Software'' specially designed or modified for the

``development,'' ``production,'' or ``use'' of equipment controlled by ECCN 5A992.a or 5A992.b. b. ``Software'' having the characteristics, or performing or simulating the functions of the equipment controlled by ECCN 5A992.a or 5A992.b. c. ``Software'' that has been reviewed and determined to be mass market encryption software in accordance with Sec. 742.15(b) of the

EAR. 0 39. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5 Telecommunications and ``Information Security'', Part 2

Information Security, Export Control Classification Number (ECCN) 5E002 is amended by: 0 a. Revising the EI paragraph and adding a License Requirement Note in the License Requirements section; and 0 b. Revising the Related Control paragraph of the List of Items

Controlled section, to read as follows: 5E002 ``Technology'' according to the General Technology Note for the

``development'', ``production'' or ``use'' of equipment controlled by 5A002 or 5B002 or ``software'' controlled by 5D002.

License Requirements

* * * * *

Control(s)

Country chart

...............................

* * * * *

EI applies to ``technology'' for the ``development,''

``production,'' or ``use'' of commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec. 742.15 of the

EAR.

License Requirement Note: When a person performs or provides technical assistance that incorporates, or otherwise draws upon,

``technology'' that was either obtained in the United States or is of US-origin, then a release of the ``technology'' takes place. Such technical assistance, when rendered with the intent to aid in the

``development'' or ``production'' of encryption commodities or software that would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.

* * * * *

List of Items Controlled

* * * * *

Related Controls: See also 5E992. This entry does not control

``technology'' ``required'' for the ``use'' of equipment excluded from control under the Related Controls paragraph or the Technical

Notes in ECCN 5A002 or ``technology'' related to equipment excluded from control under ECCN 5A002. This ``technology'' is classified as

ECCN 5E992.

* * * * * 0 40. In Supplement No. 1 to Part 774 (the Commerce Control List),

Category 5

Page 57512

Telecommunications and ``Information Security'', Part 2 Information

Security, Export Control Classification Number (ECCN) 5E992 is amended by revising the License Requirements section and the List of Items

Controlled section, to read as follows: 5E992 ``Information Security'' ``technology'', not controlled by 5E002.

License Requirements

* * * * *

Control(s)

Country chart

AT applies to entire entry............. AT Column 1.

* * * * *

List of Items Controlled

* * * * *

Items: a. ``Technology'' n.e.s., for the ``development'',

``production'' or ``use'' of equipment controlled by 5A992.a,

``information security''or cryptologic equipment controlled by 5A992.b or ``software'' controlled by 5D992.a or b. b. ``Technology'', n.e.s., for the ``use'' of mass market commodities controlled by 5A992.c or mass market ``software'' controlled by 5D992.c.

Dated: September 26, 2008.

Christopher R. Wall,

Assistant Secretary for Export Administration.

FR Doc. E8-23201 Filed 10-2-08; 8:45 am

BILLING CODE 3510-33-P