Complying With US Encryption Controls Compared to UK Controls

George N. Grammas
Partner
Chair, International Trade / Global Import and Export Compliance
Squire Patton Boggs
[email protected] | squirepattonboggs.com

2550 M Street, NW, Washington, DC 20037, United States
T +1 202 626 6234 | M +1 240 606 7026

7 Devonshire Square, London EC2M 4YH, England
T +44 20 7655 1301


AGENDA

• Encryption Control List Interpretations (US)

• Compliance Documentation Based on Classification

• ENC Compliance Documentation


Items Designed to Use Encryption NOT Controlled Under Category 5—Part 2

[Flowchart: three yes/no decision boxes leading to a single outcome box]

• Is item designed to use cryptography or does it contain cryptography?

• Is item described in Note 4 (formerly, “ancillary” crypto.)?

• Is item described in a decontrol note in 5A002?

Outcome: Item is not controlled under Category 5—Part 2 of the CCL


Note 4 to Category 5—Part 2

a. The primary function or set of functions is not any of the following:

1. “Information security”;

2. A computer, including operating systems, parts and components therefor;

3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or

4. Networking (includes operation, administration, management and provisioning);

b. The cryptographic functionality is limited to supporting their primary function or set of functions; and

c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. and b. above.


Note 4 to Category 5—Part 2, in Application

For some items, test can be subjective

When in doubt, CCATS

Self-classification analysis must be documented, particularly for EAR99 determinations

Note 4, paragraph c.: “details of the items are accessible and will be provided, upon request”

Recent CCATS responses suggest that IoT devices and software using encryption for communications of status reports, configuration commands, etc. are excluded from Cat. 5—Part 2 under Note 4.

These items do engage in “sending, receiving or storing information”


Assumptions:

1. The product contains or uses encryption (key length > 56 bits symmetric, 512 bits asymmetric, or 112 bits elliptic curve)

2. The product is not specifically designed for medical use

3. The product is not a smart card or smart card reader

4. The product is not specifically designed for banking use or money transactions

[Flowchart: each question below is a decision box with a yes branch and a no branch; the branches lead to one of the three outcome boxes listed after the questions]

• Does Product meet ancillary encryption test? (Cat. 5, Part II, Note 4.)

• Is Product a radiotelephone w/o end-to-end encryption? (ECCN 5A002, Note (c).)

• Is Product a radiotelephone customized for specific industry? (ECCN 5A002, Note (e).)

• Is Product cordless telephone w/ range limited to 400 meters? (ECCN 5A002, Note (d).)

• Is Product wireless net. equip. w/ range limited to 30 meters? (ECCN 5A002, Note (f).)

• Is the encryption dormant or not activated? (ECCN 5A002, Note (g).)

• Is Product equip. where encryption is used only for authentication, digital signature, or execution of copy-protected software? (ECCN 5A002(a)(1).)

• Is Product software where encryption is only for OAM and uses only published or commercial encryption standards? (ECCN 5D002.c.)

• Is Product civil mobile telecom. Radio Access Network (RAN) equipment? (ECCN 5A002, Note (h).)

• Is Product a router, switch or relay where encryption is for only OAM? (ECCN 5A002, Note (i).)

• Is Product general purpose computing equip. or server where encryption is integral to OS or CPU, or limited to OAM? (ECCN 5A002, Note (j).)

• Does Product qualify for mass-market treatment? (Cat. 5—Part 2, Note 3.)

Outcome boxes:

• Classify Product on CCL or EAR99 (not in Cat. 5—Part 2). Note: Items previously 5A992.a or .b now removed from Category 5—Part 2. Classify under other ECCN or EAR99.

• After encryption self-classification, Product under ECCN 5A992 (hardware) or 5D992 (software). NLR to all destinations except Cuba, Iran, Syria, Sudan and North Korea.

• Product is classified under ECCN 5A002 (hardware) or 5D002 (software). Consider use of License Exceptions ENC and TSR.


Items Designed to Use Encryption Controlled under Category 5—Part 2

Does the item meet criteria for Mass Market, in Note 3?

Yes: Classify under 5A992.c or 5D992.c, or 5E992.b

• Determine if item can be self-classified or if BIS classification is required, under ENC 740.17(b) (i.e., (b)(3)(i), (ii), or (iv) item?)

• Document self-classification (if applicable)

• File annual reports on self-classified mass market items

No: Classify in 5A002, 5D002, or 5E002

• Determine ENC eligibility and document analysis

• Determine if item can be self-classified or if BIS classification is required (i.e., (b)(2) or (b)(3))

• File annual report on self-classified items or semi-annual sales reports for (b)(2) or (b)(3)(iii) items


Mass Market Documentation: Cryptography Note, Note 3 to Category 5—Part 2

Encryption Registration Numbers no longer used

Compliance documentation for mass-market self-classification

Exporter must have documented self-classification, including all information set forth in Technical Questionnaire at Supplement No. 6 to EAR Part 742

• Exporter “may be required to provide BIS this supplement no. 6 to part 742 information on an as-needed basis, upon request by BIS” (EAR § 740.17(d)(1)(ii))

• Document that the item is not under ENC (b)(2) or (b)(3)

“When necessary, details of the items are accessible and will be provided, upon request…” (Note 3, paragraph a.5)

Document compliance with Note 3

New self-classification or classification request may be required if encryption changes or if used in a different item to be exported

Annual self-classification reports for encryption items that were exported during the previous year


ENC Compliance: Para (a)

Section 740.17(a) of the EAR – no (b)(2)/(b)(3) review and no reporting:

(a)(1)(i): internal development

• ECCN of 5A002 or 5D002

• Private sector end users, wherever located, that are headquartered in a country listed in Supplement 3

• Product must be used for internal development or production of new products by that user

(a)(1)(ii): internal uses other than development for non US-origin items

• Private sector end users, wherever located, if parties are subs of same parent in a country listed in Supplement 3

• Items became subject to EAR after produced; capabilities not enhanced (unless authorized)

(a)(2): exports to U.S. subsidiaries

• ECCN of 5A002 or 5D002

• Export must be made to a U.S. subsidiary, or foreign nationals who are employees, contractors, or interns of a U.S. company or its subsidiaries

• Must be for internal company use, including development or production of new products

(a)(3): foreign-made products developed with or incorporating U.S. encryption source code, components or toolkits

• Item must have prior classification or reporting and authorization by BIS


ENC Compliance: Para (b)

Two levels of control: “restricted” and “unrestricted”

“Restricted” – Section 740.17(b)(2)

• License required for government end-users located in any country other than the “Supplement No. 3” countries; license NOT required for non-government end-users

• Authorizes exports, reexports, and transfers (in-country) of “network infrastructure” items to “less sensitive government end users” in all countries except Country Group E:1 and E:2

• Requires BIS/NSA classification determination (with 30-day waiting period)

• Semi-annual export reporting

• Items described in Section 740.17(b)(2), including network infrastructure items; source code; cryptanalytic items; open cryptographic interface items; and public safety items

“Unrestricted” – Sections 740.17(b)(1) and (b)(3)

• License NOT required for government or non-government end-users

• Items described in Section 740.17(b)(3)

- Requires BIS/NSA classification determination (with 30-day waiting period)

- Some items subject to semi-annual export reporting requirement

- Examples: chips and chipsets; “non-standard” cryptography; cryptographic libraries, modules and development kits; application-specific development kits; and network and computer forensics items

• Items described in Section 740.17(b)(1)

- Requires annual self-classification reporting

- Items not covered by 740.17(b)(2) or (b)(3)


ENC Compliance for 5x002 Items: Summary

Analyze and document ENC eligibility for items

Self-classification or CCATS

On a case-by-case basis, determine ENC applicability to country of destination, end-use, and end-user

Annual self-classification reports

Items eligible for self-classification but submitted for CCATS not required in annual reports

Semi-annual reporting for exports of (b)(2) and (b)(3)(iii) items
