Encryption Export Requirements Simplified
Export of devices with encryption technology requires careful consideration to ensure compliance with often difficult and confusing federal regulations. Recent changes attempt to simplify and clarify several areas relating to systems, hardware and software.
The U.S. Department of Commerce’s Bureau of Industry and Security, which regulates the export of encrypted items, published a final rule on Sept. 20, 2016 revising both the Export Administration Regulations (EAR) and the Commerce Control List (CCL).
Goals of this effort were to:
- Simplify encryption control requirements
- Improve processes for exporters complying with the requirements
- Clarify the text outlining implementation of the regulations
Effective on the date of publication, the final rule makes a variety of procedural and substantive edits to the EAR in order to implement changes that were agreed to by the U.S. government at the 2015 Wassenaar Agreement Plenary Meeting, as described below.
Changes to CCL - Category 5, Part 2 – Information Security
|
ECCN |
Amendments |
|
5A002.a.8 5A002.a.4 |
Rules regarding systems, equipment, and components for non-cryptographic information security, such as communications cable systems designed to detect intrusion, moved to ECCN 5A003.* |
|
5A002.a.2 |
Rules regarding controls systems, equipment, and components for defeating, weakening, or bypassing information security moved to ECCN 5A004.* |
|
5B002 |
References to new 5A003 and 5A004 in paragraphs a. and b. now include equipment specially designed for the development or production of equipment controlled by 5A002, 5A003, or 5A004, rather than just 5A002. |
|
5D002 and 5E002 |
Updated for consistency with changes to 5A002 and 5B002. |
|
5A992/5D992 |
Items, except mass market, reclassified under EAR99. ECCN 5E992 amended to remove technology for production, development, or use of hardware or software that is no longer controlled under 5A992/5D992. |
*Licensing requirements remain the same.
Accompanying Changes to EAR
|
Prior to 9/20/16 |
After 9/20/16 |
|
Before exporting items under ENC-Restricted or -Unrestricted, filed encryption registration. |
Exporters must self-classify appropriately, and file the associated report, or a CCATS request, if the item is described in 15 C.F.R. § 740.17(b)(2) or (b)(3). |
|
Supplement 5 to part 742 used for encryption registration. |
Supplement 8 now used for some previously required information. |
|
Rules regarding certain cordless telephone equipment, portable, or mobile radiotelephones, and similar wireless devices under 5A002.d or .e. |
Moved from 5D002 to 15 C.F.R. § 740.17(b)(2) due to need for higher level of control. Network infrastructure performance parameters updated to be less restrictive. |
|
Authorized exports, re-exports, and transfers of network infrastructure items only to non-government end users. |
740.17(b)(2) now authorizes exports, re-exports, and transfers of network infrastructure items to “less sensitive government end users” in all countries except groups E:1 and E:2. Defines “less sensitive government end users” in part 772 as local, state, and provincial entities, and national, federal, or royal entities providing specific civil functions or services. |
In addition:
- "Grandfathering” provisions of License Exception ENC were deemed obsolete and deleted.
- 742.15 mass market provisions were moved to section 740.17.
- Requirement to notify BIS of Internet location of publicly available 5D002 encryption source was moved to section 742.15(b). Now, publicly available encryption source code, and corresponding object code, are not subject to the EAR if requirements have been met.
For full details on the final rules, see the Federal Register published on Sept. 20, 2016, 81 Fed. Reg. 64656.
Disclosure: Please note that the information provided in this article does not constitute legal advice and is not intended to be and should not be construed as legal advice. Readers with questions specific to the issues raised in this article should consult with qualified legal counsel. In the meantime, if you have any questions, please feel free to reach out to E. Martín Enriquez, menriquez@ lrrc.com or 303.628.9585.