[Federal Register Volume 65, Number 10 (Friday, January 14, 2000)]
[Rules and Regulations]
[Pages 2492-2502]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-983]



[[Page 2491]]



Part III





Department of Commerce





_______________________________________________________________________



Bureau of Export Administration



_______________________________________________________________________



15 CFR Parts 734, 740, et al.



Revisions to Encryption Items; Interim Final Rule

Federal Register / Vol. 65, No. 10 / Friday, January 14, 2000 / Rules 
and Regulations

[[Page 2492]]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 734, 740, 742, 770, 772, and 774

[Docket No. 000110010-0010-01]
RIN: 0694-AC11


Revisions to Encryption Items

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Interim final rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: This rule amends the Export Administration Regulations (EAR) 
to allow the export and reexport of any encryption commodity or 
software to individuals, commercial firms, and other non-government 
end-users in all destinations. It also allows exports and reexports of 
retail encryption commodities and software to all end-users in all 
destinations. Post-export reporting requirements are streamlined, and 
changes are made to reflect amendments to the Wassenaar Arrangement. 
This rule implements the encryption policy announced by the White House 
on September 16 and will simplify U.S. encryption export rules. 
Restrictions on terrorist supporting states (Cuba, Iran, Iraq, Libya, 
North Korea, Sudan or Syria), their nationals and other sanctioned 
entities are not changed by this rule.

DATES: This rule is effective January 14, 2000. Comments must be 
received on or before May 15, 2000.

ADDRESSES: Written comments on this rule should be sent to Frank J. 
Ruggiero, Regulatory Policy Division, Bureau of Export Administration, 
Department of Commerce, P.O. Box 273, Washington, DC 20044. Express 
mail address: Frank J. Ruggiero, Regulatory Policy Division, Bureau of 
Export Administration, Department of Commerce, 14th Street and 
Pennsylvania Ave, N.W., Room 2705, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James A. Lewis, Director, Office of 
Strategic Trade, at (202) 482-0092.

SUPPLEMENTARY INFORMATION:

Background:

    On September 16, 1999, the U.S. announced a new approach to its 
encryption export control policy. This approach rests on three 
principles: A technical review of encryption products in advance of 
sale, a streamlined post-export reporting system, and a process that 
permits the government to review exports of strong encryption to 
foreign governments. The full range of national interests continue to 
be served by this new policy: supporting law enforcement and national 
security, protecting privacy and promoting electronic commerce. 
Encryption export controls will be simplified and U.S. companies will 
have new opportunities to sell their products in the global 
marketplace.
    This regulation also implements changes for encryption items made 
by the Wassenaar Arrangement, including: conversion of Category 5--Part 
2 (Information Security) of the Commerce Control List (CCL) to a 
positive list; creation of a Cryptography Note and removal of 
encryption software from the General Software Note; decontrol of 64-bit 
mass market software and commodities, including components; and 
decontrol of certain 512-bit key management products.
    The EAR is amended as follows:
    1. In Sec. 734.2, Important EAR Terms and Principles, unrestricted 
encryption source code under Sec. 740.13(e), commercial encryption 
source code under Sec. 740.17(a)(5)(i) and retail products under 
Sec. 740.17(a)(3) are exempted from Internet download screening 
requirements in Sec. 734.2 (b)(9)(iii). A revised screening mechanism 
for other encryption products exported to government end-users is 
added. Please note that Sec. 734.2(b)(9) contains the relevant 
definitions for the export of encryption source code and object code 
software. In addition, cross-referencing changes are made to 
Secs. 734.7, 734.8, and 734.9.
    2. In Sec. 740.13, Technology and Software Unrestricted, changes 
are made to reflect amendments to the Wassenaar Arrangement. 
Specifically, encryption software is no longer eligible for mass market 
treatment under the General Software Note. Encryption commodities and 
software are now eligible for mass market treatment under the new 
Cryptography Note in Category 5--Part 2 of the CCL. This Note 
multilaterally decontrols mass market encryption commodities and 
software up to and including 64-bits. Such products, after review and 
classification by BXA, are classified under Export Commodity Control 
Numbers (ECCNs) 5A992 or 5D992, thereby releasing them from ``EI'' 
(Encryption Items) and ``NS'' (National Security) controls, and making 
them eligible for export and reexport to all destinations (see 
Sec. 742.15(b)(1)(iii) of the EAR). Once mass market encryption 
software and commodities are released from ``EI'' controls they may be 
eligible for de minimis and publicly available treatment (see part 734 
of the EAR).
    3. Also in Sec. 740.13, to, in part, take into account the ``open 
source'' approach to software development, unrestricted encryption 
source code not subject to an express agreement for the payment of a 
licensing fee or royalty for commercial production or sale of any 
product developed using the source code can, without review, be 
released from ``EI'' controls and exported and reexported under License 
Exception TSU. Intellectual property protection (e.g., copyright, 
patent, or trademark) would not, by itself, be construed as an express 
agreement for the payment of a licensing fee or royalty for commercial 
production or sale of any product developed using the source code. To 
qualify, exporters must notify BXA of the Internet location (e.g., URL 
or Internet address) or provide a copy of the source code by the time 
of export. These notifications are only required for the initial 
export; there are no notification requirements for end-users 
subsequently using the source code. Notification can be made by e-mail 
to crypt@bxa.doc.gov.
    Review and classification are not required for foreign made 
products using this source code. Moreover, under Sec. 744.9, exporters 
of unrestricted encryption source code are not restrained from 
providing technical assistance to foreign persons working with such 
source code. In addition, exporters of source code are not subject to 
Internet download screening requirements under Sec. 734.2(b)(9)(iii). 
Posting of the source code on the Internet (e.g., FTP or World Wide Web 
site), where it may be downloaded by anyone, would not establish 
``knowledge'' (as that term is defined in the EAR) of a prohibited 
export or reexport. Such posting would not trigger ``red flags'' 
necessitating the affirmative duty to inquire under the ``Know Your 
Customer'' guidance provided in Supplement No. 3 to Part 732. 
Otherwise, compliance with EAR requirements as to prohibited exports 
and reexports still apply.
    4. In Sec. 740.17, Encryption Commodities and Software, language is 
added to implement the Administration's new policy. License Exception 
ENC (Encryption Commodities and Software) is revised as follows:
    a. Encryption items under ECCNs 5A002, 5D002 or 5E002 can be 
exported and reexported to foreign subsidiaries of U.S. companies, 
including the transfer of encryption technology to their foreign 
employees in the U.S., without technical review and classification. Any 
items developed by the U.S. company for sale or retransfer outside the 
U.S. company are subject to review and classification by BXA. Foreign 
companies with subsidiaries in the U.S.

[[Page 2493]]

can apply for Encryption Licensing Arrangements (ELAs) to obtain 
treatment equivalent to that extended to foreign subsidiaries of U.S. 
parent companies.
    b. A new paragraph, entitled ``Encryption commodities and 
software,'' is created to implement the broad authorization for 
encryption exports contained in the September 16 announcement. Under 
this paragraph, any encryption commodity, software or components of any 
key length classified under ECCNs 5A002 and 5D002 can be exported and 
reexported to individuals, commercial firms and other non-government 
end-users. Previous sector-specific liberalizations for banks and 
financial institutions, health and medical end-users and on-line 
merchants are subsumed into this new paragraph. Previous restrictions 
limiting exports to foreign commercial firms for internal company 
proprietary use are removed. In addition, foreign products developed 
from encryption components, while subject to the EAR, do not require 
review and classification prior to reexport. Exports and reexports to 
government end-users require a license.
    c. A new paragraph entitled ``Retail encryption commodities and 
software'' is created. Retail encryption commodities and software under 
ECCNs 5A002 and 5D002 are those which are widely available and can be 
exported and reexported to any end-user (including any Internet and 
telecommunications service provider), to provide products and services 
(e.g., e-commerce, client-server applications, or software 
subscriptions) to any end-user. The criteria to determine eligibility 
as a retail product include functionality, sales volume, distribution 
methods, ability to modify products and requirements for substantial 
support by the supplier. Substantial support for retail encryption 
commodities and software would mean a service contract or other 
significant vendor support beyond what is minimally necessary for the 
product's operation. Help desk calls are not considered substantial 
support. Refer to Sec. 740.17(a)(3) of the EAR for a detailed 
definition of retail encryption commodities and software (which may 
include components as well as encryption source code) and an 
illustrative, yet non-restrictive, list of such products. Finance-
specific, 56-bit non-mass market products with a key exchange greater 
than 512 bits and up to 1024 bits, network-based applications and other 
products which are functionally equivalent to retail products are 
considered retail products.
    Encryption software patches for retail products remain eligible 
under License Exception TSU and certain upgrades for retail products, 
where the cryptographic functionality has not changed, are authorized 
under License Exception ENC. Also, foreign products developed from 
retail encryption components, while subject to the EAR, require no 
technical review or license authorization prior to reexport; however, 
post-export reporting requirements exist. Retail encryption products 
are not subject to Internet download screening requirements listed in 
Sec. 734.2(b)(9)(iii); however, all other general prohibitions, such as 
those for the seven terrorist-supporting countries, apply.
    d. A new paragraph is added to License Exception ENC entitled 
``Telecommunications and Internet service providers.'' 
Telecommunications and Internet service providers can obtain and use 
any encryption product under this license exception to provide 
encryption services, including public key infrastructure services for 
the general public; however, provision of services specific to 
governments (e.g., running a virtual private network for a government 
agency), will require a license.
    e. A paragraph entitled ``Commercial encryption source code and 
general purpose encryption toolkits'' is added. You may export and 
reexport general purpose encryption toolkits and encryption source 
code, not released under Sec. 740.13, classified under ECCN 5D002, 
subject to the following provisions:
    (1) Commercial encryption source code which would be considered 
publicly available under Sec. 734.3 and which is subject to an express 
agreement for the payment of a licensing fee or royalty for commercial 
production or sale of any product developed using the source code, can 
be exported or reexported to any end-user. This source code, which 
includes some ``community'' source code, may be exported or reexported 
without review and classification, provided you have submitted to BXA, 
by the time of export, written notification of the Internet location 
(e.g., URL or Internet address) or a copy of the source code. These 
notifications are only required for the initial export; there are no 
notification requirements for end-users subsequently utilizing the 
source code. The notification can be sent via e-mail to 
crypt@bxa.doc.gov.
    (2) Encryption source code which would not be considered publicly 
available may be exported or reexported to any non-government end-user 
after review and classification by BXA.
    (3) General purpose encryption toolkits may be exported and 
reexported after review and classification by BXA to any non-government 
end-user.

    Note to this paragraph: Neither review and classification nor 
reexport licensing requirements are required under this section for 
foreign finished products using U.S.-origin source code, toolkits 
and components; yet the foreign finished products remain subject to 
the EAR. Post-export reporting for foreign products developed for 
commercial sale with source code and general purpose encryption 
toolkits exported under this paragraph is limited to the name and 
address of the foreign manufacturer and certain non-proprietary 
technical information about the foreign product. Exporters should 
always be aware of the General Prohibitions identified in part 736 
of the EAR (e.g., prohibited exports and reexports to Denied Persons 
and embargoed destinations).

    f. Grandfathering and Upgrades in Key Length: Encryption 
commodities and software previously approved under a license, or 
eligible for License Exception ENC, excluding items previously approved 
only to U.S. subsidiaries, can be exported and reexported to non-
government end-users without additional review and classification. 
Previously classified financial-specific or certain 56-bit products are 
eligible for export and reexport to any end-users without an additional 
classification. All previously classified products can be upgraded 
provided the only change is in the key length used for confidentiality 
and key exchange. Exporters must, prior to export of an upgraded 
product, certify in a letter from a corporate official the only change 
is the key length for confidentiality or key exchange algorithms and 
there is no other change in cryptographic functionality.
    g. Exporters may export any product to any non-government end-user 
30 days after receipt by BXA of a complete classification request, 
unless otherwise notified by BXA. No exports to government end-users 
are allowed under this provision and BXA reserves the right to suspend 
eligibility in those instances where requested additional information 
has not been provided or when the classification review is not 
proceeding in an appropriate fashion.
    h. Reporting requirements under License Exception ENC are 
eliminated for many encryption items. Remaining reporting requirements 
are streamlined to reflect business models normally used by exporters. 
Note that reporting requirements for exports and reexports of 
encryption components can be adjusted or reduced, on a case-by-case 
basis, provided an exporter supplies BXA with sufficient information 
during the initial technical review of the U.S.

[[Page 2494]]

encryption component concerning its incorporation into a final foreign 
product. Examples include those components restricted by their design 
for use in certain types of products. BXA will notify exporters of such 
treatment in its classification determination. All required 
notifications, upgrade certifications and reports should be sent 
electronically or mailed to the addresses cited in this regulation.

    Note to this paragraph: Post-export reporting is required for 
certain exports to foreign banks and financial institutions.

    5. In part 740, Supplement No. 3 is removed. Supplement No. 3 
previously listed countries eligible to receive certain encryption 
products; such products are now eligible for export and reexport to all 
destinations.
    6. In Sec. 742.15, the licensing policy section for exports and 
reexports of encryption items is changed as follows:
    a. Review and classification are required by BXA before certain 
encryption items can be released from ``EI'' and ``NS'' controls under 
ECCNs 5A992, 5D992 and 5E992. These items include: 64-bit mass market 
encryption commodities and software; certain encryption items up to and 
including 56-bits; and asymmetric key exchange algorithms not exceeding 
512 bits or an elliptic curve at 112 bits. Encryption items under these 
ECCNs do not require a license or license exception and may be exported 
and reexported as ``NLR'' (No License Required).
    b. Upgrades: 40 and 56-bit DES or equivalent mass market 
commodities and software previously classified as eligible for License 
Exception ENC or TSU may be upgraded to 64-bits for the confidentiality 
algorithm. Exporters must, prior to export of an upgraded product, 
certify to BXA in a letter from a corporate official that the only 
change is the key length for confidentiality or key exchange algorithms 
and there is no other change in cryptographic functionality. Note that 
other mass market encryption commodities and software previously 
exported under License Exception ENC or TSU are now classified as 
either 5A992 or 5D992 and eligible for ``NLR'' treatment. Encryption 
items under 5A992, 5D992 and 5E992 are not subject to Internet download 
screening requirements listed in Sec. 734.2(b)(9)(iii).
    c. The licensing policies for exports and reexports of encryption 
items for banks and financial institutions, health and medical end-
users, and on-line merchants, as well as U.S. subsidiaries, are 
subsumed into a new licensing policy paragraph for all encryption items 
under ECCNs 5A002, 5D002 or 5E002 eligible for License Exception ENC. 
For U.S. subsidiaries, any encryption item (including technology 
classified under 5E002 to foreign employees located in the U.S.) is 
permitted for export or reexport under License Exception ENC without 
review and classification. Also, any encryption item, including 
components, under ECCNs 5A002 or 5D002 can be exported and reexported 
to non-government end-users in all destinations. Retail products under 
5A002 or 5D002 can be exported and reexported to all end-users.
    d. Licenses required for exports and reexports of encryption items 
to governments, or Internet and telecommunications service providers 
for the provision of services specific to governments, may be 
considered favorably for civil uses.
    e. Under Encryption Licensing Arrangements (ELAs), distributors and 
resellers can export and reexport under ELAs as long as they comply 
with restrictions contained in the ELA.
    7. In Sec. 770.2, Commodity interpretations, a new interpretation 
for ``Encryption commodity and software reviews'' is added. This 
interpretation clarifies which encryption items require a review and 
what a review entails.
    8. In part 772, Definition of terms, definitions for the following 
terms are added: Asymmetric Algorithm, Encryption Component, Government 
End-User, Open Cryptographic Interface and Symmetric Algorithm.
    9. In part 774, the Commerce Control List, ECCNs 5A002 and 5D002 
are revised to reflect changes in the Wassenaar Arrangement, and the 
Cryptography Note is added as Note 3 to Category 5--Part 2.
    In addition to these changes, BXA is making the following 
clarifications and interpretations for all encryption items subject to 
the EAR.
    1. The review and classification process is used to classify 
encryption items for their proper licensing mechanism and not to delay 
or deny a proposed transaction. Once a classification request is 
received, the item's specifications are reviewed and processed in 
accordance with Sec. 748.3 of the EAR to determine its classification. 
Once completed, exporters will receive a document by mail informing 
them of the product's technical classification and proper licensing 
mechanism. The EAR also provides an appeal process for exporters 
unsatisfied with BXA's product classification (see Sec. 756.2 of the 
EAR).
    2. It is BXA's intent to allow end-users of encryption items to 
provide their customers with encryption products and services. However, 
exports to Internet and telecommunications service providers are 
subject to restrictions when providing services specific to government 
end-users.
    3. It was not the intent of the new Wassenaar language for ECCN 
5A002 to be more restrictive concerning Message Authentication Codes 
(MAC). ``Data authentication equipment that calculates a Message 
Authentication Code (MAC) or similar result to ensure no alteration of 
text has taken place, or to authenticate users, but does not allow for 
encryption of data, text or other media other than that needed for the 
authentication'' continues to be excluded from control under 5A002. 
These commodities are controlled under ECCN 5A992.
    4. Note that Sec. 740.8, Key Management Infrastructure (KMI), 
authorizes the export and reexport of certain encryption software and 
commodities under License Exception KMI and will continue as an 
eligible licensing mechanism for encryption products.
    5. A number of companies have expressed concern that the European 
Union (EU) may implement a general authorization permitting encryption 
items to be exported freely within the EU and other specified 
countries. If and when the EU implements such an authorization, the 
Administration will take the necessary steps to ensure U.S. exporters 
are not disadvantaged.
    6. Note that Serbia and the Taliban controlled areas of Afghanistan 
are embargoed destinations.
    7. Please refer to the BXA website at ``www.bxa.doc.gov'' for a 
detailed explanation of the EAR, the Commerce Control List, the 
licensing process and key terms used in this regulation. Although the 
Export Administration Act (EAA) expired on August 20, 1994, the 
President invoked the International Emergency Economic Powers Act and 
continued in effect the EAR, and, to the extent permitted by law, the 
provisions of the EAA in Executive Order 12924 of August 19, 1994, as 
extended by the President's notices of August 15, 1995 (60 FR 42767), 
August 14, 1996 (61 FR 42527), August 13, 1997 (62 FR 43629), August 
13, 1998 (63 FR 44121), and August 10, 1999 (64 FR 44101).

Rulemaking Requirements

    1. This interim final rule has been determined to be significant 
for purposes of E.O. 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information, subject to the 
requirements of the Paperwork

[[Page 2495]]

Reduction Act (PRA), unless that collection of information displays a 
currently valid OMB Control Number. This rule involves collections of 
information subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.). These collections have been approved by the Office of 
Management and Budget under control numbers 0694-0088, ``Multi-Purpose 
Application'' and 0694-0104, ``Commercial Encryption Items Transferred 
from the Department of State to the Department of Commerce.'' The 
Department has submitted to OMB an emergency request for approval of 
the changes to the collection of information under OMB control number 
0694-0104.
    This interim final rule reduces the annual burden hours associated 
with collection 0694-0104 from 703 hours to 692 hours, and reduces 
collection 0694-0088 by 200 burden hours. For collection 0694-0104, it 
is estimated it will take companies 5 minutes to complete notifications 
for source code under License Exceptions TSU and ENC. It will take 
companies 15 minutes to complete upgrade notifications. For reporting 
under License Exception ENC and licenses for encryption items, it will 
take companies 4 hours to complete semi-annual reporting requirements.
    Comments on collection 0694-0104 are welcome, and will be accepted 
until April 13, 2000. Comments are invited on: (a) Whether the 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; (b) the accuracy of the agency's estimate of 
the burden of the proposed collection of information; (c) ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and (d) ways to minimize the burden of the collection of 
information on respondents, including through the use of automated 
collection techniques or other forms of information technology. 
Comments regarding these burden estimates or any other aspect of the 
collection of information, including suggestions for reducing the 
burdens, should be forward to Frank J. Ruggiero, Regulatory Policy 
Division, Office of Exporter Services, Bureau of Export Administration, 
Department of Commerce, P.O. Box 273, Washington, D.C. 20044, and David 
Rostker, Office of Management and Budget, OMB/OIRA, 725 17th Street, 
NW, NEOB Rm. 10202, Washington, D.C. 20503.
    3. This rule does not contain policies with Federalism implications 
sufficient to warrant preparation of a Federalism assessment under 
Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed Rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no 
other law requires that a notice of proposed rulemaking and an 
opportunity for public comment be given for this interim final rule. 
Because a notice of proposed rulemaking and an opportunity for public 
comment are not required to be given for this rule under 5 U.S.C. or by 
any other law, the analytical requirements of the Regulatory 
Flexibility Act (5 U.S.C. 601 et seq.) are not applicable.
    However, because of the importance of the issues raised by this 
regulation, it is issued in interim final form and comments will be 
considered in the development of final regulations. Accordingly, the 
Department of Commerce encourages interested persons who wish to 
comment to do so at the earliest possible time to permit the fullest 
consideration of their views.
    The period for submission of comments will close May 15, 2000. The 
Department will consider all comments received before the close of the 
comment period in developing final regulations. Comments received after 
the end of the comment period will be considered if possible, but their 
consideration cannot be assured. The Department will not accept public 
comments accompanied by a request that a part or all of the material be 
treated confidentially because of its business proprietary nature or 
for any other reason. The Department will return such comments and 
materials to the persons submitting the comments and will not consider 
them in the development of final regulations. All public comments on 
these regulations will be a matter of public record and will be 
available for public inspection and copying. In the interest of 
accuracy and completeness, the Department requires comments in written 
form. Comments should be provided with 5 copies.
    Oral comments must be followed by written memoranda, which will 
also be a matter of public record and will be available for public 
review and copying.
    The public record concerning these regulations will be maintained 
in the Bureau of Export Administration Freedom of Information Records 
Inspection Facility, Room 6881, Department of Commerce, 14th Street and 
Pennsylvania Avenue, N.W., Washington, DC 20230. Records in this 
facility, including written public comments and memoranda summarizing 
the substance of oral communications, may be inspected and copied in 
accordance with regulations published in Part 4 of Title 15 of the Code 
of Federal Regulations. Information about the inspection and copying of 
records at the facility may be obtained from the Bureau of Export 
Administration Freedom of Information Officer, at the above address or 
by calling (202) 482-0500.

List of Subjects

15 CFR Part 734

    Administrative practice and procedure, Exports, Foreign trade.

15 CFR Part 740

    Administrative practice and procedure, Exports, Foreign trade, 
Reporting and record keeping requirements.

15 CFR Parts 742, 770, 772, and 774

    Exports, Foreign Trade.

    Accordingly, parts 734, 740, 742, 770, 772, and 774 of the Export 
Administration Regulations (15 CFR parts 730 through 799) are amended 
as follows:
    1. The authority citation for part 734 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 59 
FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 
1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; Notice of November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 
305; Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).

    2. The authority citation for part 740 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 
FR 44101 (August 13, 1999).

    3. The authority citation for part 742 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 
E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 
FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 
1994 Comp., p. 917; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 
950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of 
November 12, 1998, 63 FR 63589, 3 CFR, 1998 Comp., p. 305; Notice of 
August 10, 1999, 64 FR 44101 (August 13, 1999).


[[Page 2496]]


    4. The authority citation for part 770 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 
FR 44101 (August 13, 1999).

    5. The authority citation for part 772 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 13026, 61 
FR 58767, 3 CFR, 1996 Comp., p. 228; Notice of August 10, 1999, 64 
FR 44101 (August 13, 1999).

    6. The authority citation for part 774 continues to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 
287c, 22 U.S.C. 3201 et seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 
185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. 
app. 466c; 50 U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 
Comp., p. 917; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; 
Notice of August 10, 1999, 64 FR 44101 (August 13, 1999).

PART 734--[AMENDED]

    7. Section 734.2 is amended by revising paragraph (b)(9)(ii) and 
adding new paragraph (b)(9)(iii) to read as follows:


Sec. 734.2  Important EAR terms and principles.

* * * * *
    (b) * * *
    (9) * * *
    (i) * * *
    (ii) The export of encryption source code and object code software 
controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control 
List (see Supplement No. 1 to part 774 of the EAR), except for source 
code eligible for export under Secs. 740.13(e) and 740.17(a)(5)(i), 
includes downloading, or causing the downloading of, such software to 
locations (including electronic bulletin boards, Internet file transfer 
protocol, and World Wide Web sites) outside the U.S., or making such 
software available for transfer outside the United States, over wire, 
cable, radio, electromagnetic, photo optical, photoelectric or other 
comparable communications facilities accessible to persons outside the 
United States, including transfers from electronic bulletin boards, 
Internet file transfer protocol and World Wide Web sites, unless the 
person making the software available takes precautions adequate to 
prevent unauthorized transfer of such code.
    (iii) Subject to the General Prohibitions described in part 736 of 
the EAR, such precautions for Internet transfers of products eligible 
for export under Secs. 740.17(a)(2) (encryption software products), 
(a)(5)(ii) (certain encryption source code) and (a)(5)(iii) (encryption 
toolkits) shall include such measures as:
    (A) The access control system, either through automated means or 
human intervention, checks the address of every system outside of the 
U.S. or Canada requesting or receiving a transfer and verifies such 
systems do not have a domain name or Internet address of a foreign 
government end-user (e.g., ``.gov,'' ``.gouv,'' ``.mil'' or similar 
addresses);
    (B) The access control system provides every requesting or 
receiving party with notice that the transfer includes or would include 
cryptographic software subject to export controls under the Export 
Administration Regulations, and anyone receiving such a transfer cannot 
export the software without a license or other authorization; and
    (C) Every party requesting or receiving a transfer of such software 
must acknowledge affirmatively that the software is not intended for 
use by a government end-user, as defined in part 772, and he or she 
understands the cryptographic software is subject to export controls 
under the Export Administration Regulations and anyone receiving the 
transfer cannot export the software without a license or other 
authorization. BXA will consider acknowledgments in electronic form 
provided they are adequate to assure legal undertakings similar to 
written acknowledgments.


Sec. 734.4  [Amended]

    8. Section 734.4 is amended by revising the last sentence of 
paragraph (b) to read as follows: ``Certain encryption commodities, 
software and technology controlled under ECCNs 5A992, 5D992, and 5E992 
may be eligible for de minimis (refer to Sec. 742.15(b)(1)).''
    9. Section 734.7 is amended by revising paragraph (c) to read as 
follows:


Sec. 734.7  Published information and software.

* * * * *
    (c) Notwithstanding paragraphs (a) and (b) of this section, note 
that encryption software controlled under ECCN 5D002 for ``EI'' reasons 
on the Commerce Control List (refer to Supplement No. 1 to part 774 of 
the EAR) remains subject to the EAR (refer to Secs. 740.13(e) and 
740.17(a)(5)(i) of the EAR for release under license exception).


Sec. 734.8  [Amended]

    10. Section 734.8 is amended by revising the last sentence of 
paragraph (a) to read as follows: ``Note that the provisions of this 
section do not apply to encryption software controlled under ECCN 5D002 
for ``EI'' reasons on the Commerce Control List (refer to 
Secs. 740.13(e) and 740.17(a)(5)(i) of the EAR for release under 
license exception).''


Sec. 734.9  [Amended]

    11. Section 734.9 is amended by revising the last sentence to read 
as follows: ``Note that the provisions of this section do not apply to 
encryption software controlled under ECCN 5D002 for ``EI'' reasons on 
the Commerce Control List (refer to Secs. 740.13(e) and 740.17(a)(5)(i) 
of the EAR for release under license exception).''

PART 740--[AMENDED]

    12. Section 740.8 is amended by revising the address in paragraph 
(b)(2) to read as follows:


Sec. 740.8  Key management infrastructure (KMI).

* * * * *
    (b) * * *
    (2) * * *
    Attn: KMI Encryption Request Coordinator, 9800 Savage Road, Suite 
6131, Fort Meade, MD 20755-6000.
* * * * *
    13. Section 740.13 is amended by:
    a. By revising the introductory paragraph;
    b. By revising paragraph (d)(2); and
    c. By adding new paragraph (e) to read as follows:


Sec. 740.13  Technology and software--unrestricted (TSU)

    This license exception authorizes exports and reexports of 
operation technology and software; sales technology and software; 
software updates (bug fixes); ``mass market'' software subject to the 
General Software Note; and unrestricted encryption source code. Note 
that encryption software is not subject to the General Software Note 
(see paragraph (d)(2) of this section).
* * * * *
    (d) * * *
    (2) Software not eligible for this license exception. This license 
exception is not available for certain encryption software controlled 
under ECCN 5D002. (Refer to the Cryptography Note in Category 5--Part 2 
of the Commerce Control List for information

[[Page 2497]]

on Mass Market Encryption commodities and software. Also refer to 
Secs. 742.15(b)(1) and 748.3(b) of the EAR for information on item 
classifications for release from ``EI'' controls and ``NS'' controls).
* * * * *
    (e) Unrestricted encryption source code.
    (1) Encryption source code controlled under 5D002, which would be 
considered publicly available under Sec. 734.3(b)(3) and which is not 
subject to an express agreement for the payment of a licensing fee or 
royalty for commercial production or sale of any product developed with 
the source code, is released from ``EI'' controls and may be exported 
or reexported without review under License Exception TSU, provided you 
have submitted written notification to BXA of the Internet location 
(e.g., URL or Internet address) or a copy of the source code by the 
time of export. Submit the notification to BXA and send a copy to ENC 
Encryption Request Coordinator (see Sec. 740.17(g)(5) for mailing 
addresses). Intellectual property protection (e.g., copyright, patent 
or trademark) will not, by itself, be construed as an express agreement 
for the payment of a licensing fee or royalty for commercial production 
or sale of any product developed using the source code.
    (2) You may not knowingly export or reexport source code or 
products developed with this source code to Cuba, Iran, Iraq, Libya, 
North Korea, Sudan or Syria.
    (3) Posting of the source code on the Internet (e.g., FTP or World 
Wide Web site) where the source code may be downloaded by anyone would 
not establish ``knowledge'' of a prohibited export or reexport, 
including that described in paragraph (e)(2) of this section. In 
addition, such posting would not trigger ``red flags'' necessitating 
the affirmative duty to inquire under the ``Know Your Customer'' 
guidance provided in Supplement No. 3 to part 732 of the EAR.
    14. Section 740.17 is revised to read as follows:


Sec. 740.17  Encryption commodities and software (ENC).

    (a) Exports and reexports of certain encryption commodities and 
software. As enumerated in this section, you may export and reexport 
encryption commodities, software and components (as defined in part 772 
EAR) under License Exception ENC. License Exception ENC cannot be used 
if the encryption commodity or software provides an open cryptographic 
interface (as defined in part 772), unless the export is to a 
subsidiary of a U.S. company, as described in paragraph (a)(1) of this 
section.
    (1) Encryption commodities, software, and technology for U.S. 
subsidiaries. You may export and reexport any encryption item of any 
key length under ECCNs 5A002, 5D002 and 5E002 to foreign subsidiaries 
of U.S. companies (as defined in part 772) without review and 
classification. This includes source code and technology for internal 
company use, such as the development of new products. U.S. firms may 
also transfer under License Exception ENC encryption technology (5E002) 
to their foreign employees in the U.S. (except nationals of Cuba, Iran, 
Iraq, Libya, North Korea, Sudan or Syria) for internal company use, 
including the development of new products. All items produced or 
developed by U.S. subsidiaries with encryption commodities, software 
and technology exported under this paragraph are subject to the EAR and 
require review and classification before any sale or retransfer outside 
of the U.S. company.
    (2) Encryption commodities and software. You may export and 
reexport any encryption commodity, software and component after review 
and classification by BXA under ECCNs 5A002 and 5D002 to any 
individual, commercial firm or other non-government end-user. 
Encryption products classified under this paragraph require a license 
for export and reexport to government end-users (as defined in part 
772). The former restriction limiting exports or reexports to internal 
company proprietary use is removed.
    (3) Retail encryption commodities and software. You may export and 
reexport to any end-user encryption commodities, software and 
components which have been reviewed and classified as retail under 
ECCNs 5A002 and 5D002. Retail encryption commodities, software and 
components are products:
    (i) Generally available to the public by means of any of the 
following:
    (A) Sold in tangible form through retail outlets independent of the 
manufacturer;
    (B) Specifically designed for individual consumer use and sold or 
transferred through tangible or intangible means; or
    (C) Sold in large volume without restriction through mail order 
transactions, electronic transactions, or telephone call transactions; 
and
    (ii) Meeting all of the following:
    (A) The cryptographic functionality cannot be easily changed by the 
user;
    (B) Do not require substantial support for installation and use;
    (C) The cryptographic functionality has not been modified or 
customized to customer specification; and
    (D) Are not network infrastructure products such as high end 
routers or switches designed for large volume communications.
    (iii) Subject to the criteria in paragraphs (a)(3)(i) and (ii) of 
this section, retail encryption products include (but are not limited 
to) general purpose operating systems and their associated user-
interface client software or general purpose operating systems with 
embedded networking and server capabilities; non-programmable 
encryption chips and chips that are constrained by design for retail 
products; low-end routers, firewalls and networking or cable equipment 
designed for small office or home use; programmable database management 
systems and associated application servers; low-end servers and 
application-specific servers (including client-server applications, 
e.g., Secure Socket Layer (SSL)-based applications) that interface 
directly with the user; and encryption products distributed without 
charge or through free or anonymous downloads.
    (iv) Encryption products and network-based applications which 
provide functionality equivalent to other encryption products 
classified as retail will be considered retail.
    (v) Encryption products exported or reexported under paragraph 
(a)(3) of this section can be used to provide services to any entity.
    (vi) Finance-specific encryption commodities and software of any 
key length restricted by design (e.g., highly field-formatted with 
validation procedures and not easily diverted to other end-uses) and 
used to secure financial communications such as electronic commerce 
will be considered retail encryption products.
    (vii) 56-bit products with key exchange mechanisms greater than 512 
bits and up to and including 1024 bits, or equivalent products not 
classified as mass market, will be considered retail.
    (4) Internet and Telecommunications service providers. Certain 
restrictions apply to Internet and telecommunications service 
providers. Any Internet or telecommunications service provider can 
obtain retail products under License Exception ENC and use them to 
provide any service to any entity. Internet and telecommunications 
service providers can obtain and use any encryption product for their 
internal use and to provide any service under License Exception ENC. 
However, a license is required for the use of any product not

[[Page 2498]]

classified as retail to provide services specific to government end-
users, e.g., WAN, LAN, VPN, voice and dedicated-link services; 
application specific and e-commerce services and PKI encryption 
services specifically for government end-users only.
    (5) Commercial encryption source code and general purpose toolkits. 
You may export and reexport encryption source code not released under 
Sec. 740.13(e) or general purpose toolkits (application specific 
toolkits are covered under components, as defined in part 772), subject 
to the following provisions:
    (i) Encryption source code, which would be considered publicly 
available under Sec. 734.3(b)(3) of the EAR and which is subject to an 
express agreement for the payment of a licensing fee or royalty for 
commercial production or sale of any product developed using the source 
code, can be exported or reexported using License Exception ENC to any 
end-user without review and classification, provided you have submitted 
to BXA, by the time of export, written notification of the Internet 
location (e.g. URL or Internet address) or a copy of the source code. 
You may not knowingly export or reexport source code or products 
developed with this source code to Cuba, Iran, Iraq, Libya, North 
Korea, Sudan or Syria. Posting of the source code on the Internet 
(e.g., FTP or World Wide Web site) where the source code may be 
downloaded by anyone would not establish ``knowledge'' of a prohibited 
export or reexport. In addition, such posting would not trigger ``red 
flags'' necessitating the affirmative duty to inquire under the ``Know 
Your Customer'' guidance provided in Supplement No. 3 to part 732 of 
the EAR.
    (ii) Encryption source code which would neither be considered 
publicly available nor includes source code that when compiled provides 
an open cryptographic interface (see Sec. 740.17(f)), may be exported 
or reexported using License Exception ENC to any non-government end-
user after review and classification by BXA.
    (iii) General purpose encryption toolkits may be exported or 
reexported after review and classification by BXA under License 
Exception ENC to any non-government end-user.
    (iv) Any foreign product developed for commercial sale using 
encryption source code or general purpose toolkits exported under 
paragraph (a)(5) of this section is subject to reporting requirements 
under paragraph (g)(3) of this section. Foreign products developed by 
bundling or compiling of source code are not subject to this reporting 
requirement.
    (b) Ineligible destinations. No encryption item(s) may be exported 
or reexported under this license exception to Cuba, Iran, Iraq, Libya, 
North Korea, Sudan or Syria.
    (c) Transfers. Transfers of encryption items listed in paragraph 
(a) of this section to government end-users or end-uses within the same 
country are prohibited unless otherwise authorized by license or 
license exception.
    (d) Exports and reexports of foreign products incorporating U.S. 
encryption source code, components or general purpose encryption 
toolkits. Foreign products developed with or incorporating U.S.-origin 
encryption source code, components or toolkits remain subject to the 
EAR, but do not require review and classification by BXA and can be 
exported or reexported without further authorization.
    (e) Eligibility for License Exception ENC. (1) Review and 
classification. You may initiate review and classification of your 
encryption commodities and software as required by paragraph (a) of 
this section by submitting a classification request in accordance with 
the provisions of Sec. 748.3(b) and Supplement 6 to part 742 of the 
EAR. Indicate ``License Exception ENC'' in Block 9: Special purpose, on 
form BXA-748P. Submit the original request to BXA in accordance with 
Sec. 748.3 of the EAR and send a copy of the request to ENC Encryption 
Request Coordinator (see paragraph (g)(5) of this section for mailing 
addresses). Thirty days after receipt of a complete classification 
request by BXA, unless otherwise notified by BXA, exporters may export 
and reexport to any non-government end-user any encryption product 
eligible under paragraphs (a)(2), (a)(4) and (a)(5) of this section. No 
exports to government end-users are allowed under this provision, and 
BXA reserves the right to suspend eligibility to export while a 
classification is pending.
    (2) Grandfathering. Finance-specific and 56-bit products previously 
reviewed and classified by BXA can be exported or reexported to any 
end-user without further review. Other encryption commodities, software 
or components previously approved for export can be exported and 
reexported without further review to any non-government end-user under 
the provisions of Sec. 740.17 (a). This includes products approved 
under a license, an Encryption Licensing Arrangement, or previously 
classified as eligible to use License Exception ENC (except for those 
products which were only authorized for export to U.S. subsidiaries). 
Exports to government end-users require a license unless BXA has 
classified the product as a ``retail'' product under paragraph (a)(3) 
of this section.
    (3) Key Length Increases. Exporters can increase the key lengths of 
previously classified products and continue to export without another 
review. No other change in the cryptographic functionality is allowed.
    (i) Any product previously classified as 5A002 or 5D002 can, with 
any upgrade to the key length used for confidentiality or key exchange 
algorithms, be exported or reexported under provisions of License 
Exception ENC to any non-government end-user without an additional 
review. Another classification is necessary to determine eligibility as 
a ``retail'' product under paragraph (a)(3) of this section.
    (ii) Exporters must certify to BXA in a letter from a corporate 
official that the only change to the encryption product is the key 
length for confidentiality or key exchange algorithms and there is no 
other change in cryptographic functionality. Certifications must 
include the original authorization number issued by BXA and the date of 
issuance. BXA must receive this certification prior to any export of an 
upgraded product. The certification should be sent to BXA, with a copy 
sent to the ENC Encryption Request Coordinator (see paragraph (g)(5) of 
this section for mailing addresses).
    (f) Open cryptographic interfaces. License Exception ENC shall not 
apply to exports or reexports of encryption commodities, software and 
components (unless exported to a subsidiary of a U.S. company under 
paragraph (a)(1) of this section), if the encryption product provides 
an open cryptographic interface (as defined in part 772). This does not 
apply to source code that would be considered publicly available under 
Sec. 734.3(b)(3).
    (g) Reporting requirements. (1) No reporting is required for 
exports of:
    (i) Any encryption to U.S. subsidiaries;
    (ii) Finance-specific products;
    (iii) Encryption commodities or software with a symmetric key 
length not exceeding 64 bits or otherwise classified as qualifying for 
mass market treatment;
    (iv) Retail products exported to individual consumers;
    (v) Any export made via free or anonymous download; and
    (vi) Any export made from or to a U.S. bank, financial institution 
or their subsidiaries, affiliates, customers or contractors for banking 
or financial operations.

[[Page 2499]]

    (2) Exporters must provide all available information as follows:
    (i) For items exported to a distributor or other reseller, the name 
and address of the distributor or reseller and the quantity exported 
and, if collected in the normal course of business, the end-user's name 
and address;
    (ii) For items exported through direct sale, the name and address 
of the recipient and the quantity exported (except for retail products 
if the end-user is an individual consumer); and
    (3) For direct sales or transfers of encryption components, 
commercial source code described under Sec. 740.17(a)(5) or general 
purpose encryption toolkits to foreign manufacturers, you must submit 
the names and addresses of the manufacturers using such encryption 
components, commercial source code or general purpose encryption 
toolkits and a non-proprietary technical description of the products 
for which the component, source code or toolkit are being used (e.g., 
brochures, other documentation, descriptions or other identifiers of 
the final foreign product; the algorithm and key lengths used; general 
programming interfaces to the product, if known; any standards or 
protocols that the foreign product adheres to; and source code, if 
available).
    (4) Exporters of encryption commodities, software and components 
which were previously classified under License Exception ENC, or which 
have been licensed for export under an Encryption Licensing 
Arrangement, must comply with the reporting requirements of this 
section.
    (5) Beginning January 14, 2000, you must submit reports required 
under this section semi-annually to BXA, unless otherwise provided in 
this paragraph. For exports occurring between January 1 and June 30, a 
report is due no later than August 1. For exports occurring between 
July 1 and December 31, a report is due no later than February 1. For 
exports and reexports to Internet and telecommunications service 
providers of network infrastructure products (e.g., high-end routers or 
switches designed for large volume communications), reports are due by 
the time of export. Reports must include the classification or other 
authorization number. These reports must be provided in electronic form 
to BXA; suggested file formats for electronic submission include 
spreadsheets, tabular text or structured text. Exporters may request 
other reporting arrangements with BXA to better reflect their business 
models. Reports should be sent electronically to crypt@bxa.doc.gov, or 
disks and CDs can be mailed to the following addresses:
    (i) Department of Commerce, Bureau of Export Administration, Office 
of Strategic Trade and Foreign Policy Controls, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, DC 20230, Attn: 
Encryption Reports.
    (ii) A copy of the report should be sent to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.
    (h) Distributors and resellers. U.S. or foreign distributors, 
resellers or other entities who are not original manufacturers of 
encryption commodities and software are permitted to use License 
Exception ENC only in instances where the export or reexport meets the 
applicable terms and conditions of Sec. 740.17.

PART 742--[AMENDED]

    15. Section 742.15 is revised to read as follows:


Sec. 742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of 
information, and thereby may be used by persons abroad to harm national 
security, foreign policy and law enforcement interests. The U.S. has a 
critical interest in ensuring that important and sensitive information 
of the public and private sector is protected. Consistent with our 
international obligations as a member of the Wassenaar Arrangement, the 
U.S. has a responsibility to maintain control over the export of 
encryption items. As the President indicated in Executive Order 13026 
and in his Memorandum of November 15, 1996, export of encryption 
software, like export of encryption hardware, is controlled because of 
this functional capacity to encrypt information on a computer system, 
and not because of any informational or theoretical value that such 
software may reflect, contain, or represent, or that its export may 
convey to others abroad. For this reason, export controls on encryption 
software are distinguished from controls on other software regulated 
under the EAR.
    (a) License requirements. Licenses are required for exports and 
reexports to all destinations, except Canada, for items controlled 
under ECCNs having an ``EI'' (for ``encryption items'') under the 
``Control(s)'' paragraph. Such items include: encryption commodities 
controlled under ECCN 5A002; encryption software controlled under ECCN 
5D002; and encryption technology controlled under ECCN 5E002. Refer to 
part 772 of the EAR for the definition of ``encryption items''.
    (b) Licensing policy. The following licensing policies apply to 
items identified in paragraph (a) of this section. Except as otherwise 
noted, applications will be reviewed on a case-by-case basis by BXA, in 
conjunction with other agencies, to determine whether the export or 
reexport is consistent with U.S. national security and foreign policy 
interests. For subsequent bundling and updates of these items see 
paragraph (n) of Sec. 770.2 of the EAR.
    (1) Encryption commodities, software and technology under ECCNs 
5A992, 5D992 and 5E992. Certain encryption commodities, software and 
technology may, after classification by BXA as ECCNs 5A992, 5D992 or 
5E992, be released from ``EI'' or ``NS'' controls. Items controlled 
under these ECCNs are eligible for export and reexport to all 
destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan or 
Syria. Refer to Sec. 748.3(b)(3) of the EAR for additional information 
regarding classification requests. The following encryption items may 
be eligible for such treatment:
    (i) 56-bit encryption commodities, software and technology. 
Encryption commodities, software and technology up to and including 56-
bits with an asymmetric key exchange algorithm not exceeding 512 bits 
may be classified under ECCNs 5A992, 5D992 or 5E992.
    (ii) Key management products. Products which only provide key 
management with asymmetric key exchange algorithms not exceeding 512 
bits may be eligible for classification under ECCNs 5A992 or 5D992.
    (iii) 64-bit mass market encryption commodities and software. (A) 
Mass market encryption commodities and software with key lengths not 
exceeding 64-bit for the symmetric algorithm may be eligible for 
classification by BXA under ECCNs 5A992 or 5D992.
    Refer to the Cryptography Note (Note 3) to part 2 of Category 5 of 
the CCL for a definition of mass market encryption commodities and 
software. Key exchange mechanisms, proprietary key exchange mechanisms, 
or company proprietary commodities and software implementations may 
also be eligible for this treatment. Refer to Supplement No. 6 to part 
742 and Sec. 748.3(b)(3) of the EAR for additional information.
    (B) Mass market encryption commodities and software (e.g., 40 and 
56-bit DES or equivalent) previously eligible for License Exception TSU 
(or for hardware, ENC) may increase key lengths for the confidentiality 
algorithm up to 64 bits and still be exported as a mass market product 
without an additional review. Exporters must

[[Page 2500]]

certify to BXA in a letter from a corporate official the only change to 
the encryption product is the key length for confidentiality or key 
exchange algorithms and there is no other change in cryptographic 
functionality. Certifications must include the original authorization 
number issued by BXA and the date of issuance. BXA must receive this 
certification prior to any export of upgraded products. The 
certification should be sent to BXA, with a copy to ENC Encryption 
Request Coordinator at the following addresses:
    (1) Department of Commerce, Bureau of Export Administration, Office 
of Strategic Trade and Foreign Policy Controls, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, DC 20230.
    (2) A copy of the report should be sent to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-
6000.
    (iv) For classification of these encryption items under these 
ECCNs, mark ``NLR'' in Block 9: Special purpose, on Form BXA-748P, of 
your classification request.
    (2) Encryption commodities and software eligible for classification 
under ECCNs 5A002, 5D002 and 5E002 and qualified for License Exception 
ENC. Items classified by BXA as retail products under ECCNs 5A002 and 
5D002 are permitted for export and reexport to any end-user. All other 
encryption commodities, software and components classified by BXA under 
ECCNs 5A002 and 5D002 may be exported to any individual, commercial 
firm or other non-government end-user. Any encryption item (including 
technology classified under 5E002) will be permitted for export or 
reexport to U.S. subsidiaries (as defined in part 772). Products 
developed using U.S. encryption items are subject to the EAR. No 
exports are authorized to Cuba, Iran, Iraq, Libya, North Korea, Sudan 
or Syria.
    (3) Encryption licensing. Exporters may submit applications for 
licenses or Encryption Licensing Arrangements for exports and reexports 
of encryption items not eligible for license exception, including 
exports and reexports of encryption technology to strategic partners of 
U.S. companies (as defined in part 772). For Encryption Licensing 
Arrangements, the applicant must specify the sales territory and class 
of end-user. Encryption Licensing Arrangements granted for exports of 
unlimited quantities for all destinations except Cuba, Iran, Iraq, 
Libya, North Korea, Sudan or Syria, are valid for four years, and may 
require reporting.
    Licenses are required for exports of encryption items to 
governments, or Internet and telecommunications service providers for 
the provision of services specific to governments, and may be favorably 
considered for civil uses, e.g., social or financial services to the 
public; civil justice; social insurance, pensions and retirement; taxes 
and communications between governments and their citizens.
    16. Supplement No. 6 to Part 742 is revised to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting a 
Classification Request for Encryption Items

    Classification requests for encryption items must be submitted on 
Form BXA-748P, in accordance with Sec. 748.3 of the EAR. Insert in 
Block 9: Special Purpose of the Form BXA-748P, the phrase ``License 
Exception ENC'' or ``NLR'', based on your classification request. 
Failure to insert this phrase will delay processing. In addition, the 
Bureau of Export Administration recommends that such requests be 
delivered via courier service to: Bureau of Export Administration, 
Office of Exporter Services, Room 2705, 14th Street and Pennsylvania 
Ave., NW, Washington, DC 20230. In addition, you must send a copy of 
the request and all supporting documents to: Attn: ENC Encryption 
Request Coordinator, 9800 Savage Road, Suite 6131, Fort Meade, MD 
20755-6000.
    (a) Requests for encryption items will be processed in thirty (30) 
days from receipt of a properly completed request.
    (b) To submit a classification request for a technical review of 
commodities and software, ensure that the information provided includes 
brochures or other documentation or specifications (to include 
applicable cryptographic source code) related to the technology, 
commodity or software, as well as any additional information which you 
believe would assist the review process. You must provide the following 
information in a cover letter to the classification request:
    (1) Clearly state at the top of the page either ``ENC'' or 
``NLR''--``30 Day Technical Review Requested;''
    (2) State that you have reviewed and determined that the commodity 
or software subject to the classification request meets the criteria of 
this Supplement;
    (3) State the name of the commodity or software product being 
submitted for review;
    (4) State how the commodity or software has been written to 
preclude user modification of the encryption algorithm, key management 
mechanism, and key space;
    (5) State that a duplicate copy has been sent to the ENC Encryption 
Request Coordinator;
    (6) Provide the following information for the commodity or software 
product:
    (i) Description of all encryption algorithms and key lengths, e.g. 
source code, and how the algorithms are used. If any combination of 
different algorithms are used in the same product, also state how each 
is applied to the data.
    (ii) Pre-processing information of plaintext data before encryption 
(e.g. compression of the data).
    (iii) Post-processing information of cipher text data after 
encryption (e.g. packetization of the encrypted data).
    (iv) For classification requests regarding object code or Java byte 
code, describe what techniques (including obfuscation, private access 
modifiers, final classes) are used to protect against decompilation and 
misuse.
    (v) For classification requests regarding components:
    (A) Reference the application for the components if known;
    (B) State if there is a general programming interface to the 
component;
    (C) State whether the component is constrained by function;
    (D) List any standards and protocols that the component adheres to;
    (E) Include a complete description of all functionalities and their 
accessibility; and
    (F) Encryption components need to be clearly identified to include 
the name of the manufacturer, component model number, or other 
identifier.
    (vi) For classification requests regarding source code:
    (A) If applicable, reference the executable product that has 
already received a technical review;
    (B) Include whether the source code has been modified and, if 
modified, provide the technical details on how the source code was 
modified;
    (C) Include a copy of the sections of the source code that contain 
the encryption algorithm, key management routines, and their related 
calls.

PART 770--[AMENDED]

    17. Section 770.2 is amended by adding new paragraph (n) to read as 
follows:


Sec. 770.2  Item interpretations.

* * * * *
    (n) Interpretation 14: Encryption commodity and software reviews. 
Classification of encryption

[[Page 2501]]

commodities or software is required to determine eligibility for all 
licensing mechanisms except source code (see Secs. 740.13(e) and 
740.17(a)(5)(i) of the EAR) and exports to subsidiaries of U.S. firms 
(see Sec. 740.17(a)(1)). Note that subsequent bundling, patches, 
upgrades or releases, including name changes, may be exported or 
reexported under the applicable provisions of the EAR without further 
technical review as long as the functional encryption capacity of the 
originally reviewed encryption product has not been modified or 
enhanced. This does not extend to products controlled under a different 
category on the CCL.
    18. Part 772 is amended by removing the definitions for ``Health/
medical end-user'' and ``On-line merchant'' and adding definitions for 
``asymmetric algorithm'', ``encryption component'', ``government end-
user'', ``open cryptographic interface'', and ``symmetric algorithm'' 
in alphabetical order, to read as follows:

PART 772--DEFINITIONS OF TERMS

* * * * *
    ``Asymmetric algorithm''. (Cat 5, Part II) A cryptographic 
algorithm using different, mathematically-related keys for encryption 
and decryption. A common use of ``asymmetric algorithms'' is key 
management.
* * * * *
    ``Encryption component''. Any encryption commodity or software 
(except source code), including encryption chips, integrated circuits, 
application specific encryption toolkits, or executable or linkable 
modules that alone are incapable of performing complete cryptographic 
functions, and is designed or intended for use in or the production of 
another encryption item.
* * * * *
    Government end-user (as applied to encryption items). A government 
end-user is any foreign central, regional or local government 
department, agency, or other entity performing governmental functions; 
including governmental research institutions, governmental corporations 
or their separate business units (as defined in part 772 of the EAR) 
which are engaged in the manufacture or distribution of items or 
services controlled on the Wassenaar Munitions List, and international 
governmental organizations. This term does not include: utilities 
(including telecommunications companies and Internet service 
providers); banks and financial institutions; transportation; broadcast 
or entertainment; educational organizations; civil health and medical 
organizations; retail or wholesale firms; and manufacturing or 
industrial entities not engaged in the manufacture or distribution of 
items or services controlled on the Wassenaar Munitions List.
* * * * *
    ``Open cryptographic interface''. A mechanism which is designed to 
allow a customer or other party to insert cryptographic functionality 
without the intervention, help or assistance of the manufacturer or its 
agents, e.g., manufacturer's signing of cryptographic code or 
proprietary interfaces. If the cryptographic interface implements a 
fixed set of cryptographic algorithms, key lengths or key exchange 
management systems, that cannot be changed, it will not be considered 
an ``open'' cryptographic interface. All general application 
programming interfaces (e.g., those that accept either a cryptographic 
or non-cryptographic interface but do not themselves maintain any 
cryptographic functionality) will not be considered ``open'' 
cryptographic interfaces.
* * * * *
    ``Symmetric algorithm''. (Cat 5, Part II) A cryptographic algorithm 
using an identical key for both encryption and decryption. A common use 
of ``symmetric algorithms'' is confidentiality of data.
* * * * *

PART 774--[AMENDED]

Supplement No. 1 to Part 774 [Amended]

    19. Supplement No. 1 to Part 774, Category 5--Telecommunications 
and Information Security, is amended:
    a. By revising, immediately following EAR 99, the heading for 
``Part 2--`Information Security,' '' removing the Note, and inserting 
in its place three new Notes;
    b. By revising the heading and the ``List of Items Controlled'' for 
ECCN 5A002; and
    c. By revising the Licensing Requirements section of ECCN 5D002 to 
read as follows:

Category 15--Telecommunications and ``Information Security''

* * * * *

II. ``Information Security''

    Note 1: The control status of ``information security'' 
equipment, ``software'', systems, application specific ``electronic 
assemblies'', modules, integrated circuits, components, or functions 
is determined in Category 5, Part 2 even if they are components or 
``electronic assemblies'' of other equipment.
    Note 2: Category 5, Part 2 encryption products, when 
accompanying their user for the user's personal use, are eligible 
for License Exceptions TMP or BAG.
    Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control 
items that meet all of the following:
    a. Generally available to the public by being sold, without 
restriction, from stock at retail selling points by means of any of 
the following:
    1. Over-the-counter transactions;
    2. Mail order transactions;
    3. Electronic transactions; or
    4. Telephone call transactions;
    b. The cryptographic functionality cannot be easily changed by 
the user;
    c. Designed for installation by the user without further 
substantial support by the supplier;
    d. Does not contain a ``symmetric algorithm'' employing a key 
length exceeding 64-bits; and
    e. When necessary, details of the items are accessible and will 
be provided, upon request, to the appropriate authority in the 
exporter's country in order to ascertain compliance with conditions 
described in paragraphs (a) through (d) of this note. See 
Sec. 742.15(b)(1) of the EAR.
* * * * *


5A002  Systems, equipment, application specific ``electronic 
assemblies'', modules and integrated circuits for ``information 
security'', and other specially designed components therefor.

* * * * *

List of Items Controlled

    Unit: $ value.
    Related Controls: See also 5A992. This entry does not control: (a) 
``Personalized smart cards'' where the cryptographic capability is 
restricted for use in equipment or systems excluded from control 
paragraphs (b) through (f) of this note. Note that if a ``personalized 
smart card'' has multiple functions, the control status of each 
function is assessed individually; (b) receiving equipment for radio 
broadcast, pay television or similar restricted audience television of 
the consumer type, without digital encryption except that exclusively 
used for sending the billing or program-related information back to the 
broadcast providers; (c) portable or mobile radiotelephones for civil 
use (e.g., for use with commercial civil cellular radio communications 
systems) that are not capable of end-to-end encryption; (d) equipment 
where the cryptographic capability is not user-accessible and which is 
specially designed and limited to allow any of the following: (1) 
Execution of copy-protected ``software''; (2) access to any of the 
following: (a) Copy-protected read-only media; or (b) information 
stored in encrypted form on media (e.g., in connection with the 
protection of intellectual property rights) where the media is offered 
for sale in identical sets

[[Page 2502]]

to the public; or (3) one-time encryption of copyright protected audio/
video data; (e) cryptographic equipment specially designed and limited 
for banking use or money transactions; (f) cordless telephone equipment 
not capable of end-to-end encryption where the maximum effective range 
of unboosted cordless operation (e.g., a single, unrelayed hop between 
terminal and home basestation) is less than 400 meters according to the 
manufacturer's specifications.
    Related Definitions: (1) The term money transactions in paragraph 
(e) of Related Controls includes the collection and settlement of fares 
or credit functions.
    (2) For the control of global navigation satellite systems 
receiving equipment containing or employing decryption (e.g., GPS or 
GLONASS) see 7A005.
Items
    Technical Note: Parity bits are not included in the key length.

    a. Systems, equipment, application specific ``electronic 
assemblies'', modules and integrated circuits for ``information 
security'', and other specially designed components therefor:
    a.1. Designed or modified to use ``cryptography'' employing digital 
techniques performing any cryptographic function other than 
authentication or digital signature having any of the following:

    Technical Notes: 1. Authentication and digital signature 
functions include their associated key management function.
    2. Authentication includes all aspects of access control where 
there is no encryption of files or text except as directly related 
to the protection of passwords, Personal Identification Numbers 
(PINs) or similar data to prevent unauthorized access.
    3. ``Cryptography'' does not include ``fixed'' data compression 
or coding techniques.

    Note: 5A002.a.1 includes equipment designed or modified to use 
``cryptography'' employing analogue principles when implemented with 
digital techniques.

    a.1.a. A ``symmetric algorithm'' employing a key length in excess 
of 56-bits; or
    a.1.b. An ``asymmetric algorithm'' where the security of the 
algorithm is based on any of the following:
    a.1.b.1. Factorization of integers in excess of 512 bits (e.g., 
RSA);
    a.1.b.2. Computation of discrete logarithms in a multiplicative 
group of a finite field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or
    a.1.b.3. Discrete logarithms in a group other than mentioned in 
5A002a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an 
elliptic curve);
    a.2. Designed or modified to perform crypto analytic functions;
    a.3. [Reserved]
    a.4. Specially designed or modified to reduce the compromising 
emanations of information-bearing signals beyond what is necessary for 
the health, safety or electromagnetic interference standards;
    a.5. Designed or modified to use cryptographic techniques to 
generate the spreading code for ``spread spectrum'' or the hopping code 
for ``frequency agility'' systems;
    a.6. Designed or modified to provide certified or certifiable 
``multilevel security'' or user isolation at a level exceeding Class B2 
of the Trusted Computer System Evaluation Criteria (TCSEC) or 
equivalent;
    a.7. Communications cable systems designed or modified using 
mechanical, electrical or electronic means to detect surreptitious 
intrusion.
* * * * *


5D002  Information Security--``Software''.

License Requirements

    Reason for Control: NS, AT, EI.

------------------------------------------------------------------------
                Control(s)                          Country chart
------------------------------------------------------------------------
NS applies to entire entry................  NS Column 1
AT applies to entire entry................  AT Column 1
------------------------------------------------------------------------

    EI applies to encryption items transferred from the U.S. Munitions 
List to the Commerce Control List consistent with E.O. 13026 of 
November 15, 1996 (61 FR 58767) and pursuant to the Presidential 
Memorandum of that date. Refer to Sec. 742.15 of the EAR.

    Note: Encryption software is controlled because of its 
functional capacity, and not because of any informational value of 
such software; such software is not accorded the same treatment 
under the EAR as other ``software''; and for export licensing 
purposes, encryption software is treated under the EAR in the same 
manner as a commodity included in ECCN 5A002.

    Note: Encryption software controlled for ``EI'' reasons under 
this entry remains subject to the EAR even when made publicly 
available in accordance with part 734 of the EAR. See 
Secs. 740.13(e) and 740.17(5)(i) of the EAR for information on 
releasing certain source code which may be considered publicly 
available from ``EI'' controls.

    Note: After a technical review, 56-bit items, key management 
products not exceeding 512 bits and mass market encryption 
commodities and software eligible for the Cryptography Note (see 
Sec. 742.15(b)(1) of the EAR) may be released from ``EI'' and ``NS'' 
controls.

    License Exceptions: * * *
* * * * *
    20. Supplement No. 2 to part 774 (General Technology and Software 
Notes) is amended by revising the Note at the end of the Supplement to 
read as follows:

Supplement No. 2 to Part 774--General Technology and Software Notes

* * * * *
    Note: The General Software Note does not apply to ``software'' 
controlled by Category 5, Part 2 (``Information Security''). For 
``software'' controlled by Category 5, Part 2, see Supplement No. 1 
to Part 774, Category 5, Part 2, Note 3--Cryptography Note.

    Dated: January 11, 2000.
R. Roger Majak,
Assistant Secretary for Export Administration.
[FR Doc. 00-983 Filed 1-12-00; 9:04 am]
BILLING CODE 3510-33-P