Michael Pender U.S. Department of Commerce December 14, 2011

What are encryption items that require authorization to export?

When is authorization required for exporting encryption items?

What kinds of export authorization are available?

How to apply for authorization to export an encryption item

Differences between a “review request” and a ‘notification’

Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items

Any item exported from the United States

Reexports of U.S. origin items

Foreign-made products incorporating greater than de minimis U.S. controlled content

Certain foreign-made direct product of U.S. technology

Remote access to a system

Encrypted data

Music/video/multimedia (we control the software and equipment that encrypts/decrypts, not the content)

Compression

Coding techniques for reliable transmission (e.g. CDMA, parity bits)

Medical devices

Note 4 adopted by Wassenaar

Encryption used for “primary function” that is NOT computing, networking, communications, information security

Examples:
◦ Piracy and theft prevention for software, music, etc.
◦ Household utilities and appliances
◦ Printing, reproduction, imaging and video recording or playback—not videoconferencing
◦ Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
◦ Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
◦ Automotive, aviation, and other transportation systems

Considerations:
◦ General purpose vs. application specific
◦ “Primary function” of the product
◦ Use of encryption

Results in an EAR99 classification or classification under a different category of the control list

Other reasons for decontrol result in classification of 5A992/5D992 (5A002 decontrol notes/authentication only)

Items that are identified in Category 5, Part 2 of the Commerce Control List

Items designed or modified to use cryptography whose primary function is:
◦ “Information security”
◦ Computing
◦ Communications
◦ Networking

Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information

Controlled for EI, NS and AT reasons (Wassenaar):
◦ 5A002: hardware
◦ 5D002: software
◦ 5E002: technology

Controlled for NS and AT reasons (Wassenaar):
◦ 5B002: test equipment

Controlled for AT reasons only (U.S. unilateral):
◦ 5A992: hardware
◦ 5D992: software
◦ 5E992: technology

License exception TSU – EAR part 740.13
◦ Used for “publicly available” items
◦ Required ‘notification’

License exception ENC – EAR part 740.17
◦ Registration
◦ Self-Classification
◦ Encryption Review

Mass Market Review – EAR part 742.15

Other license exceptions
◦ TMP – EAR part 740.9
◦ GOV – EAR part 740.11
◦ BAG – EAR part 740.14

The source code must be available to the general public
◦ available at no charge or
◦ available at a charge that does not exceed the cost of reproduction and distribution
◦ no limitations on further distribution

Required notifications
◦ Described in 740.13(e)
◦ email to crypt@bis.doc.gov and [email protected]

License Exception ENC
◦ ‘restricted’ items (740.17(b)(2))
◦ ‘unrestricted’ items (740.17(b)(3))
◦ “self-classifiable” items (740.17(b)(1))

Terms like ‘retail’ are not used anymore.

Described in EAR part 742.15(b)

◦ Items that are not listed in 740.17(b)(2) or (b)(3)(iii)
◦ Meets the criteria in Note 3 to Category 5, part II

Generally available to the public by being sold, without restriction, from stock at retail selling points…

The cryptographic functionality cannot be easily changed by the user;

Designed for installation without further substantial support by the supplier; and

When necessary, details are available…

Classification by BIS/NSA Required
◦ “Restricted” and “unrestricted” items under ENC and listed mass market items (740.17(b)(2)/(b)(3) and 742.15(b)(3))

Self-classification Permitted
◦ “Other” items (740.17(b)(1) and 742.15(b)(1))

Company registration required for 5A002/5D002/5E002 items and mass market items

One registration per company, not per product

Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information

All “other” (740.17(b)(1) and 742.15(b)(1)) items

Submitted by email to NSA and BIS

Submitted in .csv (comma separated values) format

Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)

Individual validated licenses (IVLs)
◦ Specific transactions involving identified parties receiving specific goods and for a specific purpose
◦ Typically have a 2 year validity period

Encryption Licensing Arrangements (ELAs)
◦ Generally involves unlimited sales of specific goods to government end users in a certain country or group of countries
◦ Typically have a 4 year validity period

No License Required (NLR) transactions
◦ Sometimes a license is still required…

Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non-“ENC favorable treatment” countries)

“Less sensitive” government end users - “worldwide” ELAs

“More sensitive” government end users – “single country” ELAs

4-year validity

Semi-annual sales reporting

May include self-classified items

5A992, 5D992, 5E992

No License Required (NLR)

Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran

No review by BIS is required

BIS encryption web site: www.bis.doc.gov/encryption

EAR on the web:
◦ www.access.gpo.gov/bis/ear_data.html

Specific questions:
◦ Information Technology Controls Division, (202) 482-0707