[Federal Register Volume 65, Number 203 (Thursday, October 19, 2000)]
[Rules and Regulations]
[Pages 62600-62610]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 00-26646]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 732, 734, 740, 742, 744, 748, 770, 772 and 774

[Docket No. 001006282-0282-01]
RIN 0694-AC32


Revisions to Encryption Items

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This rule amends the Export Administration Regulations (EAR) 
and implements the July 17 White House announcement to streamline the 
export and reexport of encryption items to European Union (EU) member 
states, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, 
Poland and Switzerland under License Exception ENC. The 30-day waiting 
period and the previous distinction between government and non-
government end-users are removed by this rule for these destinations. 
This rule makes further revisions and clarifications to the rule 
published on January 14, 2000 including changes in the treatment of 
products incorporating short-range wireless technologies, open 
cryptographic interfaces, beta test software, encryption source code, 
and U.S. content (de minimis) requirements. This rule also allows, for 
the first time, exporters to self-classify unilateral controlled 
encryption products (that fall under Export Control Classification 
Numbers (ECCNs) 5A992, 5D992 and 5E992) upon notification to the Bureau 
of Export Administration (BXA). Restrictions on exports by U.S. persons 
to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, 
Sudan or Syria), their nationals and other sanctioned entities are not 
changed by this rule.

DATES: This rule is effective October 19, 2000.

FOR FURTHER INFORMATION CONTACT: James A. Lewis, Director, Office of 
Strategic Trade, at (202) 482-4196.

SUPPLEMENTARY INFORMATION:

Background

    On July 17, 2000, the United States announced further updates to 
its encryption export policy coinciding with the recent regulations 
adopted by the European Union which ease exports among 23 countries. 
This action is consistent with the Administration's decision to ensure 
that U.S. companies are not disadvantaged by such changes and will be 
able to compete effectively

[[Page 62601]]

in these markets. Post-export reports were examined and action taken 
for the requirements to more accurately reflect companies' business 
models. The rule further streamlines reexport controls by considering 
certain components and software for de minimis treatment. The review of 
de minimis eligibility will take into account national security 
interests. These steps continue to serve the full range of national 
interests: promote electronic commerce, support law enforcement and 
national security and protect privacy.
    Specifically, this rule amends the EAR in the following ways:
    1. In Sec. 732.2 (Steps Regarding Scope of the EAR) conforming 
changes are made with respect to de minimis consideration for 
encryption items controlled under ECCNs 5A002 and 5D002, as described 
in paragraph (2) below.
    2. In Sec. 734.4 (De Minimis U.S. Content), software controlled 
under ECCN 5D002 eligible for export under the ``retail'' or ``source 
code'' provisions of license exception ENC and parts and components 
controlled under ECCN 5A002 may be made eligible for de minimis 
treatment after review and classification by BXA. As a result of this 
change, certain U.S. origin encryption items, incorporated into foreign 
products, which were previously prohibited from de minimis 
consideration, may now be made eligible in a process similar to that 
used now for retail determinations. Examples include retail operating 
systems and desktop applications (e.g. e-mail, browsers, games, word 
processing, database, financial applications or utilities) designed 
for, bundled with, or pre-loaded on single CPU computers, laptops, 
hand-held devices, or components or software designed for use in retail 
communication devices (e.g. wireless devices or smart cards), or 
decontrolled products. Exporters applying for de minimis eligibility 
must explain why the part or component would qualify for de minimis 
treatment in the support documents included with the classification 
request. De minimis eligibility continues to apply to encryption items 
controlled under ECCNs 5A992, 5D992 and 5E992.
    3. Sec. 740.9 (Temporary imports, exports and reexports (TMP)), now 
includes encryption software controlled for EI reasons under ECCN 5D002 
to be allowed under the beta test provisions of License Exception TMP. 
The exporter must provide BXA the information described in Supplement 6 
to Part 742 by the time of export. Exporters should note that any final 
resulting product will require review and classification under the 
provisions of Sec. 740.17. Names and addresses of the testers, except 
individual consumers, and the name and version of the beta software are 
to be reported every six months consistent with Sec. 740.17(e)(5). 
Encryption software controlled under ECCN 5D992 is eligible for this 
beta test provision.
    4. Sec. 740.13 (Technology and Software Unrestricted (TSU)) 
clarifies the treatment of open source object code. Object code 
compiled from source code eligible for License Exception TSU can also 
be exported under the provisions of License Exception TSU if the 
requirements of Sec. 740.13 are met and no fee or payment is required 
for object code (other than reasonable and customary fees for 
reproduction and distribution). Object code for which there is a fee or 
payment can be exported under the provisions of 740.17(b)(4)(i). The 
intent of this section is to release publicly available software 
available without charge (e.g. ``freeware'') from control. Also in 
Sec. 740.13, crypt@bxa.doc.gov address is added to prompt exporters to 
notify BXA electronically. Exporters should note the intent of the 
phrase ``released from EI controls'' in 740.13(e) means that 5D002 
software eligible for TSU is released from the mandatory access 
controls procedures described in 734.2(b)(9)(ii).
    5. In Sec. 740.17 (Encryption Commodities and Software (ENC)), 
language is added to further streamline the export and reexport of 
encryption items under License Exception ENC and to parallel the 
changes adopted by the EU. Please note that the paragraph numbering was 
changed in this section to simplify the structure and provide for more 
changes to License Exception ENC. License Exception ENC (Encryption 
Commodities and Software) is revised as follows:
    a. Sec. 740.17 begins with an introductory paragraph describing the 
commodity and country scope of License Exception ENC.
    b. Sec. 740.17(a) adds a provision to allow all encryption items, 
except for ``cryptanalytic products,'' as specified in ECCN 5A002.a.2 
and the software and technology relating to these cryptanalytic 
commodities (defined in part 772), to be exported to EU member states, 
Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland 
and Switzerland (listed in Supplement 3 to Part 740), under License 
Exception ENC provided the exporter has submitted to BXA a completed 
classification request by the time of export. Exports and reexports to 
foreign subsidiaries or offices of firms, organizations and governments 
headquartered in Canada or in the above-listed countries for internal 
use are also eligible under this provision.
    c. Sec. 740.17(b) adds an introductory paragraph for the provisions 
set out under License Exception ENC for exports to countries outside of 
those listed in Supplement 3 to part 740, as well as for exports and 
reeexports of items which provide an open cryptographic interface.
    d. Sec. 740.17(b)(1) (Encryption Items to U.S. Subsidiaries) is 
revised to clarify that foreign nationals, who may not be permanent 
employees (contractors, interns, etc.) working for U.S. companies are 
eligible to receive technology controlled under ECCN 5E002 in the 
United States under License Exception ENC. Note that all encryption 
items produced or developed by U.S. subsidiaries continue to be subject 
to the EAR and require review and classification before any sale or 
retransfer outside of the U.S. company.
    e. In Sec. 740.17(b)(2)(i) (Encryption Commodities and Software), 
any encryption commodity, general purpose toolkit, software and 
component is authorized for export or reexport, after review and 
classification by BXA under ECCNs 5A002 and 5D002, to any individual, 
commercial firm or other non-government end-user located outside the 
countries listed in Supplement 3 to Part 740 under License Exception 
ENC. Exporters should note that a license is still required for exports 
to government end-users in these destinations. In addition, to further 
streamline License Exception ENC, the provisions for general purpose 
toolkits is moved from paragraph (a)(5) to this paragraph (b)(2)(i).
    f. In Sec. 740.17(b)(2)(ii) (Encryption Commodities and Software), 
to simplify the regulation, the paragraph on Internet or 
telecommunications service providers was deleted and the part relating 
to products not classified as retail was moved to this paragraph. Note 
that Internet and telecommunications service providers may now provide 
services to the governments of the countries listed in Supplement 3 to 
Part 740 under License Exception ENC. Such exports previously required 
a license under former paragraph (a)(4). Exporters should note that a 
license is still required for exports to government end-users located 
in other destinations.
    g. In Sec. 740.17(b)(3) (Retail Encryption Commodities and 
Software), License Exception ENC is revised to authorize, without prior 
review and classification or reporting, those items which are 
controlled only because they incorporate components providing

[[Page 62602]]

encryption functionality which is limited to short-range wireless 
encryption, such as those based on the Bluetooth and Home Radio 
Frequency (HomeRF) specifications. Examples of such products include 
audio devices, cameras and videos, computer accessories, handheld 
devices, mobile phones and consumer appliances (e.g., refrigerators, 
microwaves and washing machines). The part of the Internet or 
telecommunications service providers paragraph relating to obtaining 
retail products under License Exception ENC and using them to provide 
service to any entity is moved to this paragraph. As a result of this 
revision, former paragraph (a)(4) (Internet and Telecommunications 
Service Providers) is removed.
    h. Additional changes are made under Sec. 740.17(b)(3). In 
paragraph (i)(C), a clarification is made to allow the retail 
provisions to include anticipated sales by changing the phrase ``sold 
in large volume'' to ``which are sold or will be sold in large 
volume.'' To further streamline the encryption controls, exporters may 
now export and reexport finance-specific encryption products and 56-bit 
products (with key exchange mechanisms greater than 512 bits and up to 
and including 1024 bits) immediately after submitting a completed 
classification request to BXA. As a result, the former paragraphs 
(a)(3)(vi) and (vii), which relate to these items, are combined into 
one paragraph.
    i. Sec. 740.17(b)(4) (Commercial encryption source code) is revised 
to clarify that object code resulting from the compiling of source code 
which would be considered publicly available and eligible for export 
under License Exception ENC or TSU can also be exported or reexported 
under ENC if the requirements of Sec. 740.17(b)(4)(i) are otherwise 
met. Commercial encryption source code which would not be considered 
publicly available may now be exported or reexported using License 
Exception ENC to any non-government end-user immediately after 
submitting a completed classification request. Requirements for source 
code containing an open cryptographic interface are addressed 
separately in paragraph (b)(5). For the purpose of streamlining the 
provisions of License Exception ENC, references to general purpose 
toolkits are removed and are now addressed in Sec. 740.17(b)(2) and 
(c).
    j. Sec. 740.17(b)(5) (Cryptographic interfaces) is added to 
authorize the export and reexport of encryption commodities, software 
and components which provide an open cryptographic interface to any 
end-user located in the countries listed in Supplement 3 to Part 740 
under License Exception ENC. Exports and reexports to other 
destinations continue to require a license except to subsidiaries of a 
U.S. company for their internal use. This paragraph also permits 
encryption products that enable foreign developed products to operate 
with U.S. products (e.g. digitally signing) to be exported or 
reexported to any eligible end-user. The foreign ``enabled'' product is 
not subject to review, however, and limited reporting is required as 
specified in Sec. 740.17(e)(3).
    k. Sec. 740.17(c) (Reexports and Transfers) is added by combining 
the transfer provisions of paragraph (c) with former paragraph (d) 
relating to exports and reexports of foreign products incorporating 
U.S. encryption source code, components or general purpose encryption 
toolkits, former paragraph (h) relating to distributors and resellers, 
and the related provisions of former paragraph (b)(5)(iv).
    l. In Sec. 740.17(d),(Eligibility for License Exception ENC), 
conforming changes are made to review and classification requirements 
and grandfathering provisions to take into account the new policy that 
allows most exports of encryption to the countries listed in Supplement 
3 to Part 740.
    m. In Sec. 740.17(e) (Reporting requirements), new paragraphs are 
added to eliminate reporting requirements for consumer products 
incorporating short-range wireless encryption, client Internet 
appliance and client wireless LAN cards, and for retail operating 
systems or desktop applications (e.g., browsers, e-mail, word 
processing, database, games, financial applications or utilities) 
designed for, bundled with, or preloaded on single CPU computers , 
laptops or handheld devices. In addition, a new paragraph is added to 
eliminate reporting requirements for foreign products developed by 
bundling or compiling of source code. This rule clarifies that 
exporters must report only exports to subsidiaries of U.S. companies 
when the U.S. subsidiary is reselling or distributing the product. The 
reporting obligation is consistent with the provisions for distributors 
or resellers. Lastly, since exporters may now export technology to the 
countries listed in Supplement 3 to Part 740 under License Exception 
ENC, the semi-annual reports require the name and address of the 
manufacturer using the technology when intended for use in foreign 
products developed for commercial sale and a non-proprietary technical 
description of what is being developed using that technology. For 
further streamlining, the requirement of reporting exports to Internet 
and telecommunication service providers immediately is removed. These 
exports are now reported consistent with the semi-annual time frames.
    n. Remaining reporting requirements are streamlined to reflect 
business models normally used by exporters. Note that reporting for 
exports and reexports of encryption components can be adjusted or 
reduced, on a case-by-case basis, provided an exporter supplies BXA 
with sufficient information during the initial technical review of the 
U.S. encryption component concerning its incorporation in a final 
foreign product. Companies should request such adjustments or 
reductions from BXA to ensure that reporting requirements reflect their 
business model.
    o. Supplement No. 3 to Part 740 is created to identify those 
countries which are now eligible for the expanded treatment under 
License Exception ENC based on the new policy.
    6. Sec. 742.15 (Encryption Items) revises the licensing policy for 
export and reexports of encryption items, as follows:
    a. The license requirements section is streamlined.
    b. Combines into one paragraph (1)(i) the former subparagraphs 
which individually described the eligibility for 56-bit encryption 
items, key management products and 64-bit mass market encryption 
commodities and software. In addition, adds a provision to allow 
exporters to self-classify these encryption items under ECCNs 5A992, 
5D992, and 5E992. After submitting the information described in 
paragraphs (a) through (e) of Supplement 6 to part 742 to BXA, these 
encryption items may be exported and reexported as ``NLR'' (No License 
Required). This submission is not a classification and no response is 
required from BXA for shipment.
    c. Removes the requirement that all products developed using U.S. 
encryption items are subject to the EAR. This clarifies that de minimis 
eligibility applies for encryption commodities controlled under ECCNs 
5A992, 5D992 and 5E992. In addition, BXA may apply, on a case-by-case 
basis, the de minimis rule to foreign products incorporating 5A002 and 
5D002 parts, components and software which are eligible for export 
under the ``retail'' or ``source code'' provisions of License Exception 
ENC.
    d. Adds the provision that any end-user located in the countries 
listed in Supplement 3 to Part 740 is eligible to receive encryption 
items classified by BXA under ECCNs 5A002, 5D002 and 5E002. Exports and 
reexports to foreign

[[Page 62603]]

subsidiaries or offices of firms, organizations and governments 
headquartered in the above-listed countries are also eligible under 
this provision.
    7. Supplement No. 6 to Part 742 is further streamlined to provide 
more detailed guidelines for submitting a classification request for 
encryption items.
    8. Sec. 744.9 is revised to expressly provide that the restrictions 
imposed by that section do not prohibit technical assistance abroad by 
U.S. persons in connection with the discussion of information in the 
work of groups or bodies engaged in standards development.
    9. In Sec. 748.3 (Classification and Advisory Opinions), is revised 
to clarify that exporters may self-classify 5A992, 5D992 and 5E992 
items after submitting by the time of export the information described 
in paragraphs 1-5 of Supplement 6 to Part 742.
    10. In Sec. 770.2 (Interpretation 14), conforming changes are made 
to regulatory citations.
    11. In Part 772 (Definition of Terms), the definition of 
``cryptanalytic items'' is added.
    12. In Part 774, ECCNs 5A002, 5A992, 5D992, and 5E992 are revised 
to clarify that items previously classified under 5A002, 5D002 and 
5E002 continue to be controlled for AT1 reasons.
    Licenses required for export or reexports to governments for 
network management products not classified as retail which do not allow 
for encryption of data by the network users may be considered favorably 
for civil end-uses.
    For further clarity, this rule makes clear that the seven terrorist 
designated countries are not eligible under the provisions of License 
Exception ENC.
    BXA received a number of comments on the January 14 regulation (65 
FR 2492). These comments all reflected certain common themes: that the 
regulation was too complex; that the United States needed to match any 
EU action; that reporting should be reduced or eliminated and that 
encryption items should be made eligible for de minimis treatment. 
These comments were carefully considered by the Interagency Working 
Group on Cryptography in the development of this regulation, and a 
number of the concerns are explicitly addressed by this regulation. 
Section 740.17 (License Exception ENC) has been shortened and 
simplified. It also implements a number of changes to streamline U.S. 
practice and bring it into line with EU licensing practice. Reporting 
requirements have been greatly reduced by the elimination of reporting 
required from foreign subsidiaries of U.S. firms and for software used 
on low level computers. Finally, this regulation institutes a process 
whereby certain retail encryption products can now be made eligible for 
de minimis treatment.
    Although the Export Administration Act (EAA) expired on August 20, 
1994, the President invoked the International Emergency Economic Powers 
Act and continued in effect the EAR, and, to the extent permitted by 
law, the provisions of the EAA in Executive Order 12924 of August 19, 
1994, as extended by the President's notices of August 15, 1995 (60 FR 
42767), August 14, 1996 (61 FR 42527), August 13, 1997 (62 FR 43629), 
August 13, 1998 (63 FR 44121), August 10, 1999 (64 F.R. 44101), and 
August 8, 2000 (65 FR 48347).

Rulemaking Requirements

    1. This final rule has been determined to be significant for 
purposes of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information, subject to the 
requirements of the Paperwork Reduction Act (PRA), unless that 
collection of information displays a currently valid OMB Control 
Number. This rule involves collections of information subject to the 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These 
collections have been approved by the Office of Management and Budget 
under control numbers 0694-0088, ``Multi-Purpose Application'' and 
0694-0104, ``Commercial Encryption Items Transferred from the 
Department of State to the Department of Commerce.'' Collection 0694-
0088 carries a burden hour estimate of 45 minutes per manual submission 
and 40 minutes per electronic submission. Miscellaneous and 
recordkeeping activities account for 12 minutes per submission. For 
collection 0694-0104, it is estimated it will take companies 5 minutes 
to complete notifications for source code under License Exceptions TSU 
and ENC. It will take companies 15 minutes to complete upgrade 
notifications. For reporting under License Exception ENC and licenses 
for encryption items, it will take companies 8 hours to complete semi-
annual reporting requirements.
    3. This rule does not contain policies with Federalism implications 
sufficient to warrant preparation of a Federalism assessment under 
Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed Rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
other law requires that a notice of proposed rulemaking and an 
opportunity for public comment be given for this final rule. Because a 
notice of proposed rulemaking and an opportunity for public comment are 
not required to be given for this rule under 5 U.S.C. 553, or by any 
other law, the analytical requirements of the Regulatory Flexibility 
Act (5 U.S.C. 601 et seq.) are not applicable. Therefore, this 
regulation is issued in final form. Although there is no formal comment 
period, public comments on this regulation are welcome on a continuing 
basis. Comments should be submitted to Kirsten Mortimer, Office of 
Exporter Services, Bureau of Export Administration, Department of 
Commerce, P.O. Box 273, Washington, D.C. 20044.
    Copies of the public record concerning these regulations may be 
requested from: Bureau of Export Administration, Office of 
Administration, U.S. Department of Commerce, Room 6883, 14th and 
Constitution Avenue, NW, Washington, DC 20230; (202) 482-0637. This 
component does not maintain a separate public inspection facility. 
Requesters should first view BXA's website (which can be reached 
through http://www.bxa.doc.gov). If requesters cannot access BXA's 
website, please call the number above for assistance.

List of Subjects

15 CFR Parts 732, 740 and 748

    Administrative practice and procedure, Exports, Foreign trade, 
Reporting and recordkeeping requirements.

15 CFR Part 734

    Administrative practice and procedure, Exports, Foreign trade.

15 CFR Parts 742, 770, 772 and 774

    Exports, Foreign trade.

15 CFR Part 744

    Exports, Foreign trade, reporting and recordkeeping requirements.

    Accordingly, parts 732, 734, 740, 742, 744, 748, 770, 772 and 774 
of the Export Administration Regulations (15 CFR parts 730 through 799) 
are amended as follows:
    1. The authority citation for parts 732, 748, 770, and 772 are 
revised to read as follows:


[[Page 62604]]


    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 3, 2000 (65 FR 
48347, August 8, 2000).

    2. The authority citation for part 734 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 59 
FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 
1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; Notice of November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 
305; Notice of August 3, 2000 (65 FR 48347, August 8, 2000).

    3. The authority citation for part 740 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 3, 2000 (65 FR 
48347, August 8, 2000).

    4. The authority citation for part 742 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 
FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 
1994 Comp., p. 917; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 
950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of 
November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 305; Notice of 
August 3, 2000 (65 FR 48347, August 8, 2000).

    5. The authority citation for part 744 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; E.O. 12058, 43 FR 20947, 3 
CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., 
p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 
12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 FR 
58767, 3 CFR, 1996 Comp., p. 228; Notice of November 12, 1998, 63 FR 
63589, 3 CFR, 1998 Comp., p. 305; Notice of August 3, 2000 (65 FR 
48347, August 8, 2000).

    6. The authority citation for part 774 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
287c, 22 U.S.C. 3201 et seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. 
app. 466c; 50 U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 
Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; 
Notice of August 3, 2000 (65 FR 48347, August 8, 2000).

PART 732--[AMENDED]

    7. Section 732.2 is amended by revising paragraph (d) introductory 
text to read as follows:


Sec. 732.2  Steps regarding scope of the EAR.

* * * * *
    (d) Step 4: Foreign-made items incorporating less than the de 
minimis level of U.S. parts, components, and materials. This step is 
appropriate only for items that are made outside the United States and 
not currently in the United States. Note that encryption items 
controlled for EI reasons under ECCNs 5A002, 5D002 or 5E002 on the 
Commerce Control List (refer to Supplement No.1 to Part 774 of the EAR) 
are subject to the EAR even if they incorporate less than the de 
minimis level of U.S. content. However, exporters may, as part of a 
classification request, ask that certain 5A002 and 5D002 parts, 
components and software also be made eligible for de minimis treatment 
(see Sec. 734.4(b) of the EAR). The review of de minimis eligibility 
will take into account national security interests.
* * * * *

    8. Section 732.3 is amended by revising paragraph (e)(2) to read as 
follows:


Sec. 732.3  Steps regarding the ten general prohibitions.

* * * * *
    (e) Step 10: Foreign-made items incorporating U.S.-origin items and 
the de minimis rule.
* * * * *
    (2) Guidance for calculations. For guidance on how to calculate the 
U.S.-controlled content, refer to Supplement No. 2 to part 734 of the 
EAR. Note that certain rules issued by the Office of Foreign Assets 
Control, certain exports from abroad by U.S.-owned or controlled 
entities may be prohibited notwithstanding the de minimis provisions of 
the EAR. In addition, the de minimis exclusions from the parts and 
components rule do not relieve U.S. persons of the obligation to 
refrain from supporting the proliferation of weapons of mass-
destruction and missiles as provided in General Prohibition Seven (U.S. 
Person Proliferation Activity) described in Sec. 736.2(b)(7) of the 
EAR. Note that encryption items controlled for EI reasons under ECCNs 
5A002, 5D002 or 5E002 on the Commerce Control List (refer to Supplement 
No.1 to Part 774 of the EAR) are subject to the EAR even if they 
incorporate less than the de minimis level of U.S. content. However, 
exporters may, as part of a classification request, ask that certain 
5A002 and 5D002 parts, components and software also be made eligible 
for de minimis treatment (see Sec. 734.4(b) of the EAR).
* * * * *

PART 734--[AMENDED]

    9. Section 734.4 is amended by revising paragraph (b) to read as 
follows:


Sec. 734.4  De minimis U.S. content.

* * * * *
    (b) There is no de minimis level for items controlled for EI 
reasons under ECCNs 5A002, 5D002 and 5E002 absent written authorization 
from BXA. Exporters may, as part of a classification request, ask that 
software controlled under ECCN 5D002 and eligible for export under the 
``retail'' or ``source code'' provisions of license exception ENC, and 
parts and components controlled under ECCN 5A002, be made eligible for 
de minimis treatment. The review of de minimis eligibility will take 
into account national security interests.
* * * * *

PART 740--[AMENDED]

    10. Section 740.9 is amended by adding a sentence at the end of 
paragraph (c)(2) and by revising paragraphs (c)(3) and (c)(4)(i) to 
read as follows:


Sec. 740.9  Temporary imports, exports, and reexports (TMP).

* * * * *
    (c) Exports of beta test software * * *
    (2) * * * In addition, encryption software under ECCN 5D002 is 
further restricted from being exported or reexported to Cuba, Iran, 
Iraq, Libya, North Korea, Sudan or Syria.
    (3) Eligible software. All software that is controlled by the 
Commerce Control List (Supplement No. 1 to part 774 of the EAR), and 
under Commerce licensing jurisdiction, is eligible for export and 
reexport, subject to the restrictions of this paragraph (c). Encryption 
software controlled for EI reasons under ECCN 5D002 is eligible for 
export and reexport under this paragraph (c) provided the exporter has 
submitted by the time of export the information described in paragraphs 
(a) through (e) of Supplement 6 to Part 742 to BXA, with a copy to the 
ENC Encryption Request Coordinator. The names and addresses of the 
testing consignees, except names and addresses of individual consumers, 
and the name and version of the beta software should be reported 
consistent with Sec. 740.17(e)(5). Any final product must

[[Page 62605]]

be reviewed and classified under the requirements of Sec. 740.17.
    (4) * * *
    (i) The software producer intends to market the software to the 
general public after completion of the beta testing, as described in 
the General Software Note found in Supplement 2 to Part 774 or the 
Cryptography Note in Category 5--part II of the Commerce Control List 
(Supplement No. 1 to part 774 of the EAR);
* * * * *

    11. Section 740.13 is amended by revising paragraph (e) to read as 
follows:


Sec. 740.13  Technology and software--unrestricted (TSU).

* * * * *
    (e) Unrestricted encryption source code.(1) Encryption source code 
controlled under ECCN 5D002, which would be considered publicly 
available under Sec. 734.3(b)(3) of the EAR and which is not subject to 
an express agreement for the payment of a licensing fee or royalty for 
commercial production or sale of any product developed with the source 
code is released from EI controls and may be exported or reexported 
without review under License Exception TSU, provided you have submitted 
written notification to BXA of the Internet location (e.g., URL or 
Internet address) or a copy of the source code by the time of export. 
Send the notification to BXA at crypt@bxa.doc.gov with a copy to ENC 
Encryption Request Coordinator, or see Sec. 740.17(e)(5) for the 
mailing addresses. Intellectual property protection (e.g., copyright, 
patent or trademark) will not, by itself, be construed as an express 
agreement for the payment of a licensing fee or royalty for commercial 
production or sale of any product developed using the source code.
    (2) Object code resulting from the compiling of source code which 
would be considered publicly available can be exported under TSU if the 
requirements of this section are otherwise met and no fee or payment 
(other than reasonable and customary fees for reproduction and 
distribution) is required for the object code. See Sec. 740.17(b)(4)(i) 
for the treatment of object code where a fee or payment is required.
    (3) You may not knowingly export or reexport source code or 
products developed with this source code to Cuba, Iran, Iraq, Libya, 
North Korea, Sudan or Syria.
    (4) Posting of the source code or corresponding object code on the 
Internet (e.g., FTP or World Wide Web site) where it may be downloaded 
by anyone would not establish ``knowledge'' of a prohibited export or 
reexport, including that described in paragraph (e)(2) of this section. 
In addition, such posting would not trigger ``red flags'' necessitating 
the affirmative duty to inquire under the ``Know Your Customer'' 
guidance provided in Supplement No. 3 to part 732 of the EAR.

    12. Section 740.17 is revised to read as follows:


Sec. 740.17  Encryption commodities and software (ENC).

    License Exception ENC authorizes the export and reexport of 
encryption items classified under ECCNs 5A002, 5D002 and 5E002. No 
encryption item(s) may be exported under this license exception to 
Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria. Reporting 
requirements apply to exports made under the authority of License 
Exception ENC; see paragraph (e) of this section for these 
requirements.
    (a) Exports and reexports of encryption items. Exports and 
reexports of encryption items classified under ECCNs 5A002, 5D002 and 
5E002 are authorized to any end-user located in the countries listed in 
Supplement 3 to this part 740, except for exports of cryptanalytic 
items (as defined in Part 772 of the EAR) to government end-users. 
These items may also be exported or reexported to any destination for 
the internal use of foreign subsidiaries or offices of firms, 
organizations and governments headquartered in Canada or in countries 
listed in Supplement 3 to this part 740.
    (b) For all other countries, you may export and reexport encryption 
commodities, software and components (as defined in part 772 of the 
EAR) under the provisions of License Exception ENC as enumerated in 
this section. For exports and reexports of encryption items which 
contain an open cryptographic interface (as defined in part 772 of the 
EAR), see paragraph (b)(5) of this section.
    (1) Encryption items for U.S. subsidiaries. Exports and reexports 
of any encryption item classified under ECCNs 5A002, 5D002 and 5E002 of 
any key length are authorized to foreign subsidiaries of U.S. companies 
(as defined in part 772 of the EAR) without review and classification. 
This includes source code and technology for internal company use, such 
as the development of new products. License Exception ENC also 
authorizes transfers by U.S. companies of encryption technology 
controlled under 5E002 to foreign nationals in the United States, 
(except nationals of Cuba, Iran, Iraq, Libya, North Korea, Sudan or 
Syria) for internal company use, including the development of new 
products. All items produced or developed by U.S. subsidiaries with 
encryption commodities, software and technology exported under this 
paragraph are subject to the EAR and require review and classification 
before any sale or retransfer outside of the U.S. company.
    (2) Encryption commodities and software. (i) Exports and reexports 
of any encryption commodity, general purpose toolkit, software and 
component are authorized after review and classification by BXA under 
ECCNs 5A002 and 5D002 to any individual, commercial firm or other non-
government end-user outside the countries (except Cuba, Iraq, Iran, 
Libya, North Korea, Sudan or Syria) listed in Supplement 3 to this part 
740. Encryption products classified under this paragraph require a 
license before export and reexport to governments (as defined in part 
772 of the EAR) outside the countries listed in Supplement 3 to this 
part 740. The restriction limiting exports or reexports to internal 
company proprietary use is removed.
    (ii) Certain restrictions apply to Internet and telecommunications 
service providers. Internet and telecommunications service providers 
can obtain and use any encryption product for their internal use and to 
provide any service under License Exception ENC. However, a license is 
required for the use of any product not classified as retail to provide 
services specific to government end-users outside the countries listed 
in Supplement 3 to this part 740, e.g., WAN, LAN, VPN, voice and 
dedicated-link services; application specific and e-commerce services 
and PKI encryption services specifically for government end-users.
    (3) Retail encryption commodities and software. Exports and 
reexports to any end-user of encryption commodities, software and 
components are authorized after review and classification by BXA as 
retail under ECCNs 5A002 and 5D002. Encryption products exported or 
reexported under this paragraph (b)(3) can be used to provide services 
to any entity. Internet or telecommunications service providers can 
obtain retail products under License Exception ENC and use them to 
provide any service to any entity. Retail encryption commodities, 
software and components are products:
    (i) Generally available to the public by means of any of the 
following:
    (A) Sold in tangible form through retail outlets independent of the 
manufacturer;
    (B) Specifically designed for individual consumer use and sold or

[[Page 62606]]

transferred through tangible or intangible means; or
    (C) Which are sold or will be sold in large volume without 
restriction through mail order transactions, electronic transactions, 
or telephone call transactions; and
    (ii) Meeting all of the following:
    (A) The cryptographic functionality cannot be easily changed by the 
user;
    (B) Substantial support is not required for installation and use;
    (C) The cryptographic functionality has not been modified or 
customized to customer specification; and
    (D) Are not network infrastructure products such as high end 
routers or switches designed for large volume communications.
    (iii) Subject to the criteria in paragraphs (b)(3)(i) and (ii) of 
this section, retail encryption products include (but are not limited 
to) general purpose operating systems and their associated user-
interface client software or general purpose operating systems with 
embedded networking and server capabilities; non-programmable 
encryption chips and chips that are constrained by design for retail 
products; low-end routers, firewalls and networking or cable equipment 
designed for small office or home use; programmable database management 
systems and associated application servers; low-end servers and 
application-specific servers (including client-server applications, 
e.g., Secure Socket Layer (SSL)-based applications) that interface 
directly with the user; and encryption products distributed without 
charge or through free or anonymous downloads.
    (iv) Encryption products and network-based applications which 
provide functionality equivalent to other encryption products 
classified as retail will be considered retail.
    (v) 56-bit products with key exchange mechanisms greater than 512 
bits and up to and including 1024 bits, or equivalent products not 
classified as mass market, or finance-specific encryption commodities 
and software of any key length restricted by design (e.g., highly 
field-formatted with validation procedures and not easily diverted to 
other end-uses) and used to secure financial communications such as 
electronic commerce may be exported under the retail provisions of this 
section immediately after submitting a completed classification request 
to BXA.
    (vi) Items which would be controlled only because they incorporate 
components or software which provide short-range wireless encryption 
functions may be exported without review and classification by BXA and 
without reporting under the retail provisions of this section.
    (4) Commercial encryption source code. Exports and reexports of 
encryption source code not released under Sec. 740.13(e) are authorized 
subject to the following provisions:
    (i) Encryption source code which would be considered publicly 
available under Sec. 734.3(b)(3) of the EAR and which is subject to an 
express agreement for the payment of a licensing fee or royalty for 
commercial production or sale of any product developed using the source 
code (or object code resulting from compiling of any encryption such 
source code which would be considered publicly available) can be 
exported or reexported using License Exception ENC to any end-user 
without review and classification provided you have submitted to BXA 
(with a copy to the ENC Encryption Request Coordinator) by the time of 
export, written notification of the Internet location (e.g. URL or 
Internet address) or a copy of the source code. You may not knowingly 
export or reexport source code, object code or products developed with 
this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or 
Syria. Posting of the source code or corresponding object code on the 
Internet (e.g., FTP or World Wide Web site) where it may be downloaded 
by anyone would not establish ``knowledge'' of a prohibited export or 
reexport. In addition, such posting would not trigger ``red flags'' 
necessitating the affirmative duty to inquire under the ``Know Your 
Customer'' guidance provided in Supplement No. 3 to part 732 of the 
EAR.
    (ii) Encryption source code which would not be considered publicly 
available and which does not include source code that when compiled 
provides an open cryptographic interface (see paragraph (b)(5) of this 
section), may be exported or reexported using License Exception ENC to 
any individual, commercial firm or other non-government end-user after 
submitting a complete classification request to BXA with a copy to the 
ENC Coordinator.
    (5) Cryptographic interfaces. (i) Exports or reexports of 
encryption commodities, software and components which provide an open 
cryptographic interface (as defined in part 772 of the EAR) may be 
exported under License Exception ENC to any end-user located in any 
country listed in Supplement 3 to this part 740. Exports or reexports 
to other destinations of encryption commodities, software and 
components which provide an open cryptographic interface are not 
eligible to use License Exception ENC and require a license (unless 
exported to a subsidiary of a U.S. company under paragraph (b)(1) of 
this section). This does not apply to source code that would be 
considered publicly available under Sec. 734.3(b)(3) of the EAR.
    (ii) Encryption items which are limited to allowing foreign-
developed cryptographic products to operate with U.S. products (e.g. 
signing) can be exported or reexported under License Exception ENC to 
any end-user. Such exports are subject to reporting requirements (see 
paragraph (e)(3) of this section). No review of the foreign-developed 
cryptography is required.
    (c) Reexports and Transfers. U.S. or foreign distributors, 
resellers or other entities who are not original manufacturers of 
encryption commodities and software are permitted to use License 
Exception ENC only in instances where the export or reexport meets the 
applicable terms and conditions of this section. Transfers of 
encryption items listed in paragraph (b) of this section to government 
end-users or end-uses within the same country are prohibited unless 
otherwise authorized by license or license exception. Foreign products 
developed with or incorporating U.S.-origin encryption source code, 
components or toolkits remain subject to the EAR but do not require 
review and classification by BXA and can be exported or reexported 
without further authorization.
    (d) Eligibility for License Exception ENC. (1) Review and 
classification. You may initiate review and classification of your 
encryption items as required by this section by submitting a 
classification request in accordance with the provisions of 
Sec. 748.3(b) and Supplement 6 to Part 742 of the EAR. Indicate 
``License Exception ENC'' in Block 9: Special purpose, on form BXA-
748P. Submit the original request to BXA and send a copy of the request 
to ENC Encryption Request Coordinator (see paragraph (e)(5) of this 
section for mailing addresses).
    (i) Exporters may immediately export and reexport any encryption 
item except ``cryptanalytic items'' as defined in part 772 of the EAR 
to any end-user located in the countries listed in Supplement 3 to this 
part 740 provided the exporter has submitted to BXA a completed 
classification request by the time of export.
    (ii) Exporters may, thirty days after receipt of a completed 
classification request by BXA, export and reexport to any non-
government end-user located outside the countries listed in Supplement 
3 to this part 740 any encryption product eligible under

[[Page 62607]]

paragraph (b)(2), (b)(3) or (b)(4) of this section unless otherwise 
notified by BXA. No exports to government end-users located outside of 
countries listed in Supplement 3 to this part 740 are allowed under 
this provision. BXA reserves the right to suspend eligibility to export 
under this provision while a classification is pending.
    (2) Grandfathering. Finance-specific and 56-bit products previously 
reviewed and classified by BXA can be exported and reexported to any 
end-user without further review. Other encryption commodities, software 
or components previously approved for export can be exported and 
reexported without further review to any end-user in countries listed 
in Supplement 3 to this part 740 countries and to any non-government 
end-user outside of the countries listed in Supplement 3 to this part 
740. This includes products approved under a license, an Encryption 
Licensing Arrangement, or classified as eligible to use License 
Exception ENC (except for those products which were only authorized for 
export to U.S. subsidiaries). Exports of products not classified by BXA 
as ``retail'' to governments of countries not listed in Supplement 3 to 
this part 740 require a license.
    (3) Key length increases. Exporters can increase the key lengths of 
previously classified products and continue to export without another 
review. No other change in the cryptographic functionality is allowed.
    (i) Any product previously classified as 5A002 or 5D002 can, with 
any upgrade to the key length used for confidentiality or key exchange 
algorithms, be exported or reexported under provisions of License 
Exception ENC to any non-government end-user without an additional 
review. Another classification is necessary to determine eligibility as 
a ``retail'' product under paragraph (b)(3) of this section.
    (ii) Exporters must certify to BXA in a letter from a corporate 
official that the only change to the encryption product is the key 
length for confidentiality or key exchange algorithms and there is no 
other change in cryptographic functionality. Certifications must 
include the original authorization number issued by BXA and the date of 
issuance. BXA must receive this certification prior to any export of an 
upgraded product. The certification should be sent to BXA, with a copy 
sent to the ENC Encryption Request Coordinator (see paragraph (e)(5) of 
this section for mailing addresses).
    (e) Reporting requirements. (1) No reporting is required for 
exports of:
    (i) Any encryption to U.S. subsidiaries for internal company use;
    (ii) Finance-specific products;
    (iii) Encryption commodities or software with a symmetric key 
length not exceeding 64 bits or otherwise classified as qualifying for 
mass market treatment;
    (iv) Retail products exported to individual consumers;
    (v) Items exported via free or anonymous download;
    (vi) Encryption items from or to a U.S. bank, financial institution 
or their subsidiaries, affiliates, customers or contractors for banking 
or financial operations;
    (vii) Items which incorporate components limited to providing 
short-range wireless encryption functions;
    (viii) Retail operating systems, or desktop applications (e.g. e-
mail, browsers, games, word processing, data base, financial 
applications or utilities) designed for, bundled with, or pre-loaded on 
single CPU computers, laptops or hand-held devices;
    (ix) Client Internet appliance and client wireless LAN cards;
    (x) Foreign products developed by bundling or compiling of source 
code.
    (2) Exporters must provide all available information as follows:
    (i) For items exported to a distributor or other reseller, 
including subsidiaries of U.S. firms, the name and address of the 
distributor or reseller, the item and the quantity exported and, if 
collected as part of the distribution process by the exporter, the end-
user's name and address;
    (ii) For items exported through direct sale, the name and address 
of the recipient, the item, and the quantity exported (except for 
retail products if the end-user is an individual consumer); and
    (iii) For exports of 5E002 items to be used for technical 
assistance and which are not released by Sec. 744.9 of the EAR, the 
name and address of the end-user.
    (3) For direct sales or transfers of encryption components, 
commercial source code described under paragraph (b)(4) of this 
section, technology or general purpose encryption toolkits to foreign 
manufacturers when intended for use in foreign products developed for 
commercial sale, you must submit the names and addresses of the 
manufacturers using these items and, when the product is made available 
for commercial sale, a non-proprietary technical description of the 
foreign products for which the component, source code or toolkit are 
being used (e.g., brochures, other documentation, descriptions or other 
identifiers of the final foreign product; the algorithm and key lengths 
used; general programming interfaces to the product, if known; any 
standards or protocols that the foreign product adheres to; and source 
code, if available.).
    (4) Exporters of encryption commodities, software and components 
which were previously classified under License Exception ENC, or which 
have been licensed for export under an Encryption Licensing 
Arrangement, must comply with the reporting requirements of this 
section.
    (5) You must submit reports required under this section semi-
annually to BXA, unless otherwise provided in this paragraph (e)(5). 
For exports occurring between January 1 and June 30, a report is due no 
later than August 1 of that year. For exports occurring between July 1 
and December 31, a report is due no later than February 1 the following 
year. Reports must include the classification or other authorization 
number. These reports must be provided in electronic form to BXA; 
suggested file formats for electronic submission include spreadsheets, 
tabular text or structured text. Exporters may request other reporting 
arrangements with BXA to better reflect their business models. Reports 
should be sent electronically to crypt@bxa.doc.gov, or disks and CDs 
can be mailed to the following addresses:
    (i) Department of Commerce, Bureau of Export Administration, Office 
of Strategic Trade and Foreign Policy Controls, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
Encryption Reports.
    (ii) A copy of the report should be sent to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.

    13. A new Supplement No. 3 is added to part 740 to read as follows:

Supplement No. 3 to Part 740--License Exception ENC Country Group

Austria
Australia
Belgium
Czech Republic
Denmark
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Japan
Luxembourg
Netherlands
New Zealand
Norway
Poland
Portugal
Spain
Sweden

[[Page 62608]]

Switzerland
United Kingdom

PART 742--[AMENDED]

    14. Section 742.15 is amended by revising paragraphs (a), (b) 
introductory text, (b)(1), and (b)(2) to read as follows:


Sec. 742.15  Encryption items.

* * * * *
    (a) License requirements. Licenses are required for exports and 
reexports of encryption items (EI) classified under ECCNS 5A002, 5D002 
and 5E002 to all destinations except Canada. Refer to part 740 of this 
EAR for licensing exceptions and to part 772 of the EAR for the 
definition of ``encryption items.''
    (b) Licensing policy. The following licensing policies apply to 
items identified in paragraph (a) of this section. Except as otherwise 
noted, applications will be reviewed on a case-by-case basis by BXA, in 
conjunction with other agencies, to determine whether the export or 
reexport is consistent with U.S. national security and foreign policy 
interests. For subsequent bundling and updates of these items see 
paragraph (n) of Sec. 770.2 of the EAR. No exports without a license 
are authorized to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
    (1) Encryption items under ECCNs 5A992, 5D992 and 5E992. Certain 
encryption commodities, software and technology may be classified under 
ECCNs 5A992, 5D992 or 5E992. These items continue to be subject to AT1 
controls. Such items include encryption commodities, software and 
technology with key lengths up to and including 56-bits with an 
asymmetric key exchange algorithm not exceeding 512 bits; products 
which only provide key management with asymmetric key exchange 
algorithms not exceeding 512 bits; and mass market encryption 
commodities and software with key lengths not exceeding 64-bits for the 
symmetric algorithm. Refer to the Cryptography Note (Note 3) to part II 
of Category 5 of the CCL for a definition of mass market encryption 
commodities and software. Key exchange mechanisms, proprietary key 
exchange mechanisms, or company proprietary commodities and software 
implementations may also be eligible for this treatment. Exporters may 
self-classify such 5A992, 5D992 or 5E992 items and export them without 
review and classification by BXA provided you have submitted to BXA and 
the ENC Encryption Request Coordinator by the time of export the 
information described in paragraphs (a) through (e) of Supplement 6 to 
this part 742. Notification should be made by e-mail to 
crypt@bxa.doc.gov.
    (2) Encryption items under ECCNs 5A002, 5D002 and 5E002. All 
encryption commodities, software and components classified by BXA under 
ECCNs 5A002, 5D002 and 5E002 except cryptanalytic items are authorized 
for export and reexport to any end-user in the countries listed in 
Supplement 3 to Part 740 of the EAR. Items classified by BXA as retail 
products under ECCNs 5A002 and 5D002 are authorized for export and 
reexport to any end-user. All 5A002, 5D002 and 5E002 encryption items 
are authorized for export or reexport to any individual, commercial 
firm or other non-government end-user in countries not listed in 
Supplement 3 to Part 740 of the EAR. No exports of such items are 
authorized without a license to Cuba, Iran, Iraq, North Korea, Libya, 
Sudan or Syria. Any encryption item (including technology classified 
under ECCN 5E002) is authorized for export or reexport to U.S. 
subsidiaries (as defined in part 772).
* * * * *

    15. Supplement No. 6 to part 742 is revised to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting a 
Classification Request for Encryption Items

    Classification requests for encryption items must be submitted 
on Form BXA-748P, in accordance with Sec. 748.3 of the EAR. Insert 
the phrase ``License Exception ENC'' in Block 9: Special Purpose in 
Form BXA-748P. Failure to insert this phrase will delay processing. 
BXA recommends that such requests be delivered via courier service 
to: Bureau of Export Administration, Office of Exporter Services, 
Room 2705, 14th Street and Pennsylvania Ave., N.W. Washington, D.C. 
20230. For electronic submissions via SNAP, you may fax a copy of 
the support documents to BXA at (202) 501-0784. In addition, you 
must send a copy of the classification request and all support 
documents to: Attn: ENC Encryption Request Coordinator, 9800 Savage 
Road, Suite 6131, Fort Meade, MD 20755-6000. For all classification 
requests of encryption items provide brochures or other 
documentation or specifications related to the technology, commodity 
or software, relevant product descriptions, architecture 
specifications, and as necessary for the technical review, source 
code. Also, indicate any prior reviews and classifications of the 
product, if applicable to the current submission. Provide the 
following information in a cover letter with the classification 
request:
    (a) State the name of the encryption item being submitted for 
review.
    (b) State that a duplicate copy has been sent to the ENC 
Encryption Request Coordinator.
    (c)For classification request for a commodity or software, 
provide the following information:
    (1) Description of all the symmetric and asymmetric encryption 
algorithms and key lengths and how the algorithms are used. Specify 
which encryption modes are supported (e.g., cipher feedback mode or 
cipher block chaining mode).
    (2) State the key management algorithms, including modulus 
sizes, that are supported.
    (3) For products with proprietary algorithms, include a textual 
description and the source code of the algorithm.
    (4) Describe the pre-processing methods (e.g., data compression 
or data interleaving) that are applied to the plaintext data prior 
to encryption.
    (5) Describe the post-processing methods (e.g., packetization, 
encapsulation) that are applied to the cipher text data after 
encryption.
    (6) State the communication protocols (e.g., X.25, Telnet or 
TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards) 
that are supported.
    (7) Describe the encryption-related Application Programming 
Interfaces (APIs) that are implemented and/or supported. Explain 
which interfaces are for internal (private) and/or external (public) 
use.
    (8) Describe whether the cryptographic routines are statically 
or dynamically linked, and the routines (if any) that are provided 
by third-party modules or libraries. Identify the third-party 
manufacturers of the modules or toolkits.
    (9) For commodities or software using Java byte code, describe 
the techniques (including obfuscation, private access modifiers or 
final classes) that are used to protect against decompilation and 
misuse.
    (10) State how the product is written to preclude user 
modification of the encryption algorithms, key management and key 
space.
    (11) For products that qualify as ``retail'', explain how the 
product meets the listed criteria in Sec. 740.17(b)(3) of the EAR.
    (12) For products which incorporate an open cryptographic 
interface as defined in part 772 of the EAR, describe the Open 
Cryptographic Interface.
    (d) For classification requests regarding components, provide 
the following additional information:
    (1) Reference the application for which the components are used 
in, if known;
    (2) State if there is a general programming interface to the 
component;
    (3) State whether the component is constrained by function; and
    (4) the encryption component and include the name of the 
manufacturer, component model number or other identifier.
    (e) For classification requests for source code, provide the 
following information:
    (1) If applicable, reference the executable (object code) 
product that was previously reviewed;
    (2) Include whether the source code has been modified, and the 
technical details on how the source code was modified; and
    (3) Include a copy of the sections of the source code that 
contain the encryption algorithm, key management routines and their 
related calls.
    (f) For step-by-step instructions and guidance on submitting 
classification requests for License Exception ENC, visit our webpage 
at www.bxa.gov/Encryption.

[[Page 62609]]

PART 744--[AMENDED]

    16. Section 744.9 is amended by revising paragraph (a) to read as 
follows:


Sec. 744.9  Restrictions on technical assistance by U.S. persons with 
respect to encryption items.

    (a) General prohibition. No U.S. person may, without authorization 
from BXA, provide technical assistance (including training) to foreign 
persons with the intent to aid a foreign person in the development or 
manufacture outside the United States of encryption commodities and 
software that, if of United States origin, would be controlled for EI 
reasons under ECCN 5A002 or 5D002. Technical assistance may be exported 
immediately to nationals of the countries listed in Supplement 3 to 
part 740 of the EAR (except for technical assistance to government end-
users for cryptanalytic items) provided the exporter has submitted to 
BXA a completed classification request by the time of export. Note that 
this prohibition does not apply if the U.S. person providing the 
assistance has a license or is otherwise entitled to export the 
encryption commodities and software in question to the foreign 
person(s) receiving the assistance. Note in addition that the mere 
teaching or discussion of information about cryptography, including, 
for example, in an academic setting or in the work of groups or bodies 
engaged in standards development, by itself would not establish the 
intent described in this section, even where foreign persons are 
present.
* * * * *

PART 748--[AMENDED]

    17. Section 748.3 is amended by revising paragraph (b)(3) to read 
as follows:


Sec. 748.3  Classification and Advisory Opinions.

* * * * *
    (b) * * *
    (3) Classification requests for a Department of Commerce review of 
encryption software transferred from the U.S. Munitions List consistent 
with Executive Order 13026 of November 15, 1996 (3 CFR, 1996 Comp., p. 
228) and pursuant to the Presidential Memorandum of that date are 
required prior to export to determine eligibility for release from EI 
controls. Exporters may self-classify 5A992, 5D992 or 5E992 items after 
submitting to BXA and the ENC Encryption Request Coordinator by the 
time of export the information described in paragraphs 1-5 of 
Supplement 6 to Part 742 of the EAR. Refer to Sec. 742.15(b) and 
Supplement No. 6 to Part 742 of the EAR for instructions on submitting 
such requests for mass market encryption software.
* * * * *

PART 770--[AMENDED]

    17. Section 770.2 is amended by revising paragraph (n) to read as 
follows:


Sec. 770.2  Item interpretations.

* * * * *
    (n) Interpretation 14: Encryption commodity and software reviews. 
Classification of encryption commodities or software is required to 
determine eligibility for certain licensing mechanisms (see 
Secs. 740.13(e) and 740.17 of the EAR) and exports to subsidiaries of 
U.S. companies (see Sec. 740.17(b)(1) of the EAR). Note that subsequent 
bundling, patches, upgrades or releases, including name changes, may be 
exported or reexported under the applicable provisions of the EAR 
without further review as long as the functional encryption capacity of 
the originally reviewed product has not been modified or enhanced. This 
does not extend to products controlled under a different category on 
the CCL.

PART 772--[AMENDED]

    18. Part 772 is amended by designating the existing text as 
Sec. 772.1 and adding a section heading, by adding the definition of 
``Cryptanalytic items'' in alphabetical order, and by revising the 
definition of ``Open cryptographic interface'', to read as follows:


Sec. 772.1  Definitions of terms as used in the Export Administration 
Regulations (EAR).

* * * * *
    ``Cryptanalytic items''. Systems, equipment, applications, specific 
electronic assemblies, modules and integrated circuits designed or 
modified to perform cryptanalytic functions, software having the 
characteristics of cryptanalytic hardware or performing cryptanalytic 
functions, or technology for the development, production or use of 
cryptanalytic commodities or software.
* * * * *
    ``Open cryptographic interface''. A mechanism which is designed to 
allow a customer or other party to insert cryptographic functionality 
without the intervention, help or assistance of the manufacturer or its 
agents, e.g., manufacturer's signing of cryptographic code or 
proprietary interfaces. If the cryptographic interface implements a 
fixed set of cryptographic algorithms, key lengths or key exchange 
management systems, that cannot be changed, it will not be considered 
an ``open'' cryptographic interface. All general application 
programming interfaces (e.g., those that accept either a cryptographic 
or non-cryptographic interface but do not themselves maintain any 
cryptographic functionality) will not be considered ``open'' 
cryptographic interfaces.
* * * * *

PART 774--[AMENDED]

    19. In Supplement No. 1 to part 774 (the Commerce Control List), 
Category 5--Telecommunications and ``Information Security'', part II. 
``Information Security'', Export Control Classification Numbers (ECCNs) 
5A002, 5A992, 5D992, and 5E992 are amended by revising the ``List of 
Items Controlled'' section to read as follows:

5A002  Systems, equipment, application specific ``electronic 
assemblies'', modules and integrated circuits for ``information 
security'', and other specially designed components therefor.

* * * * *

List of Items Controlled

Unit: $ value
    Related Controls: See also 5A992. This entry does not control: 
(a) ``Personalized smart cards'' where the cryptographic capability 
is restricted for use in equipment or systems excluded from control 
paragraphs (b) through (f) of this note. Note that if a 
``personalized smart card'' has multiple functions, the control 
status of each function is assessed individually; (b) Receiving 
equipment for radio broadcast, pay television or similar restricted 
audience broadcast of the consumer type, without digital encryption 
except that exclusively used for sending the billing or program-
related information back to the broadcast providers; (c) Portable or 
mobile radiotelephones for civil use (e.g., for use with commercial 
civil cellular radio communications systems) that are not capable of 
end-to-end encryption; (d) Equipment where the cryptographic 
capability is not user-accessible and which is specially designed 
and limited to allow any of the following: (1) Execution of copy-
protected ``software''; (2) access to any of the following: (a) 
Copy-protected read-only media; or (b) Information stored in 
encrypted form on media (e.g., in connection with the protection of 
intellectual property rights) where the media is offered for sale in 
identical sets to the public; or (3) one-time encryption of 
copyright protected audio/video data; (e) Cryptographic equipment 
specially designed and limited for banking use or money 
transactions; (f) Cordless telephone equipment not capable of end-
to-end encryption where the maximum effective range of unboosted 
cordless operation (e.g., a single, unrelayed hop between terminal 
and home basestation) is less than 400 meters

[[Page 62610]]

according to the manufacturer's specifications. These items are 
controlled under ECCN 5A992.
    Related Definitions: (1) The term ``money transactions'' in 
paragraph (e) of Related Controls includes the collection and 
settlement of fares or credit functions. (2) For the control of 
global navigation satellite systems receiving equipment containing 
or employing decryption (e.g., GPS or GLONASS) see 7A005.
    Items:

    Technical Note: Parity bits are not included in the key length.

    a. Systems, equipment, application specific ``electronic 
assemblies'', modules and integrated circuits for ``information 
security'', and other specially designed components therefor:
    a.1. Designed or modified to use ``cryptography'' employing 
digital techniques performing any cryptographic function other than 
authentication or digital signature having any of the following:

    Technical Notes: 1. Authentication and digital signature 
functions include their associated key management function.

    2. Authentication includes all aspects of access control where 
there is no encryption of files or text except as directly related 
to the protection of passwords, Personal Identification Numbers 
(PINs) or similar data to prevent unauthorized access.
    3. ``Cryptography'' does not include ``fixed'' data compression 
or coding techniques.


    Note: 5A002.a.1 includes equipment designed or modified to use 
``cryptography'' employing analog principles when implemented with 
digital techniques.

    a.1.a. A ``symmetric algorithm'' employing a key length in 
excess of 56-bits; or
    a.1.b. An ``asymmetric algorithm'' where the security of the 
algorithm is based on any of the following:
    a.1.b.1. Factorization of integers in excess of 512 bits (e.g., 
RSA);
    a.1.b.2. Computation of discrete logarithms in a multiplicative 
group of a finite field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or
    a.1.b.3. Discrete logarithms in a group other than mentioned in 
5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an 
elliptic curve);
    a.2. Designed or modified to perform cryptanalytic functions;
    a.3. [Reserved]
    a.4. Specially designed or modified to reduce the compromising 
emanations of information-bearing signals beyond what is necessary 
for health, safety or electromagnetic interference standards;
    a.5. Designed or modified to use cryptographic techniques to 
generate the spreading code for ``spread spectrum'' systems, 
including the hopping code for ``frequency hopping'' systems;
    a.6. Designed or modified to provide certified or certifiable 
``multilevel security'' or user isolation at a level exceeding Class 
B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or 
equivalent;
    a.7. Communications cable systems designed or modified using 
mechanical, electrical or electronic means to detect surreptitious 
intrusion.

5A992  Equipment not controlled by 5A002.

* * * * *

List of Items Controlled

Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items:
    a. Telecommunications and other information security equipment 
containing encryption.
    b. ``Information security'' equipment, n.e.s., (e.g., 
cryptographic, cryptanalytic, and cryptologic equipment, n.e.s.) and 
components therefor.

5D992  ``Information Security'' ``software'' not controlled by 5D002.

* * * * *

List of Items Controlled

Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items: 1
    a. ``Software'', as follows:
    a.1 ``Software'' specially designed or modified for the 
``development'', ``production'', or ``use'' of telecommunications 
and other information security equipment containing encryption 
(e.g., equipment controlled by 5A992.a);
    a.2. ``Software'' specially designed or modified for the 
``development'', ``production:, or ``use'' of information security 
or cryptologic equipment (e.g., equipment controlled by 5A992.b).
    b. ``Software'', as follows:
    b.1. ``Software'' having the characteristics, or performing or 
simulating the functions of the equipment controlled by 5A992.a.
    b.2. ``Software'' having the characteristics, or performing or 
simulating the functions of the equipment controlled by 5A992.b.
    c. ``Software'' designed or modified to protect against 
malicious computer damage, e.g., viruses.

5E992  ``Information Security'' ``technology'', not controlled by 
5E002.

* * * * *

List of Items Controlled

Unit: N/A
Related Controls: N/A
Related Definitions: N/A
Items:
    a. ``Technology'' n.e.s., for the ``development'', 
``production'' or ``use'' of telecommunications equipment and other 
information security and containing encryption (e.g., equipment 
controlled by 5A992.a) or ``software'' controlled by 5D992.a.1 or 
b.1.
    b. ``Technology'', n.e.s., for the ``development'', 
``production'' or ``use'' of ``information security'' or cryptologic 
equipment (e.g., equipment controlled by 5A992.b), or ``software'' 
controlled by 5D992.a.2, b.2, or c.

    Dated: October 11, 2000.
R. Roger Majak,
Assistant Secretary for Export Administration.
[FR Doc. 00-26646 Filed 10-18-00; 8:45 am]
BILLING CODE 3510-33-P