6 June 2002
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

[Federal Register: June 6, 2002 (Volume 67, Number 109)]
[Rules and Regulations]
[Page 38855-38869]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr06jn02-6]

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774

[Docket No. 020502105-2105-01]
RIN 0694-AC61

Revisions and Clarifications to Encryption Controls in the Export Administration Regulations--Implementation of Changes in Category 5, Part 2 (``Information Security''), of the Wassenaar Arrangement List of Dual-Use Goods and Other Technologies

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule.

SUMMARY: This rule amends the Export Administration Regulations (EAR) to reflect changes made to the Wassenaar Arrangement List of dual-use items, and to update and clarify other provisions of the EAR pertaining to encryption export controls. Consistent with the Wassenaar changes, Note No. 3 (``Cryptography Note'') to Category 5--part II (Information Security) of the Commerce Control List (CCL) is amended to allow mass market treatment for all encryption products, including products with symmetric algorithms employing key lengths greater than 64-bits, that previously were not eligible for mass market treatment.
As a result, for the first time, mass market encryption commodities and software with symmetric key lengths exceeding 64 bits may be exported and reexported to most destinations without a license under Export Control Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day review by the Bureau of Industry and Security (BIS) (formerly the Bureau of Export Administration (BXA)). In addition, this rule, for the first time, allows equipment controlled under ECCN 5B002 to be exported and reexported under License Exception ENC. For all other information security items, including encryption source code that would be considered publicly available, this rule updates and clarifies existing notification, review, licensing and post-export reporting requirements. Restrictions on exports and reexports of encryption items to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria), their nationals and other sanctioned persons (individuals and entities) are not changed by this rule.

DATES: This rule is effective June 6, 2002.

FOR FURTHER INFORMATION CONTACT: Norman E. LaCroix, Office of Strategic Trade and Foreign Policy Controls, Bureau of Industry and Security, Telephone: (202) 482-4439.

SUPPLEMENTARY INFORMATION:

Background

On October 19, 2000, the United States updated its encryption export regulations to provide consistent treatment with regulations adopted by the European Union (EU) easing export and reexport restrictions among the 15 EU member states and Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland. Subsequent to the publication of this amendment to the Export Administration Regulations (EAR), the member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software that is subject to the Cryptography Note (Note No. 3) to Category 5--part II (Information Security) of the Commerce Control List (CCL).
This action effectively removed ``mass market'' encryption products from the list of dual-use items controlled by the Wassenaar Arrangement. The U.S. encryption export control policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end-users. Consistent with these principles, this amendment updates the U.S. encryption export control policy in several areas. For ``mass market'' encryption hardware and software products, this rule removes Encryption Item (``EI'') and [[Page 38856]] National Security (``NS'') controls on such products after a 30-day review. As a result of the removal of these controls, these items may be exported without regard to any post-shipment reporting requirements. In addition, the standard de minimis treatment for foreign products containing such encryption products applies, i.e., exports from a foreign country of foreign-made products containing 25 percent or less of controlled U.S. content are not subject to the EAR, except to embargoed and designated terrorist supporting countries. For other encryption items, this rule clarifies the existing provisions under License Exceptions ENC and TSU. In addition, this rule clarifies existing review requirements for certain encryption items such as commercial encryption products that implement elliptic curve cryptography, perform short-range wireless functions, or incorporate encryption source code that would be considered publicly available. Finally, this rule amends the EAR by adding new paragraph headers, updating cross-references between relevant sections of the EAR, and restructuring existing provisions for clarity. This rule does not change any other existing licensing requirements for encryption items, including encryption technology and items that provide an open cryptographic interface (OCI).
This action will continue to protect our national security and foreign policy interests without impairing the ability of U.S. companies to compete effectively in global markets. It also will promote secure electronic commerce and privacy, and help to protect our critical infrastructure. The EAR is amended as follows: 1. Revised instructions for submitting encryption items for review to determine eligibility under License Exception ENC or for ``mass market'' treatment. Except to embargoed or designated terrorist supporting countries and sanctioned persons, you may be able to export and reexport your encryption item without a license, after your item is reviewed by the Bureau of Industry and Security (BIS) and the ENC Encryption Request Coordinator. For encryption items under License Exception ENC, and for mass market encryption products with symmetric key length exceeding 64 bits, a review request must contain: (1) A completed BIS-748P hardcopy form or an equivalent electronic SNAP form (both capture general information about the review request, such as the name of the item, manufacturer, ECCN and a brief commodity description), and (2) support documentation containing technical specifications of the item, including answers to the questions set forth in Supplement No. 6 to part 742. To clarify that separate classification by BIS is not required, previous references to ``classification'' in Secs. 732.2, 732.3, 734.4, 740.17, 742.15, Supplement No. 6 to Part 742, 748.3 and 770.2 are revised to read ``review''. Exporters are instructed to insert the phrase ``Mass market encryption'' or ``License Exception ENC'' (whichever is applicable) in Block 9 (``Special Purpose'') of the application form. Failure to insert the appropriate phrase may delay receipt of your request by BIS. (For compatibility with current application processing systems, exporters should continue to place an ``X'' in the box marked ``Classification Request'' in Block 5: ``Type of Application''.) 
A copy of your review request must also be sent to the ENC Encryption Request Coordinator, via courier or mail. Insufficient or missing documentation may delay or interrupt your authority to export and reexport your encryption item. A fax number is now published for review requests submitted to BIS via SNAP. Refer to Supplement No. 6 to part 742 and Secs. 740.17(d), 742.15(b)(2) and 748.3(d) for information on submitting encryption review requests. 2. Clarification of review and notification requirements. Except as elsewhere specified in the EAR, a license or review by BIS is required for encryption items with symmetric key length exceeding 64 bits. In multiple sections, the EAR is amended to clarify when a review or notification is (or is not) required. a. Clarification of when no review or notification is required. i. U.S. companies and subsidiaries. Items controlled under Category 5--part II of the Commerce Control List (ECCNs 5A002, 5B002, 5D002, 5E002, 5A992, 5D992 and 5E992) may be exported and reexported, without review or notification, to U.S. companies and their subsidiaries for internal use, including the development of new products inside and outside the United States by their employees, contractors and interns. Existing restrictions on exports and reexports of encryption items to the countries and foreign nationals of Cuba, Iran, Iraq, Libya, North Korea, Syria or Sudan continue to apply. Refer to Secs. 740.17(b)(1) and 742.15(b)(3)(i) of the EAR. Exports and reexports to foreign companies with subsidiary locations in the United States, and to foreign strategic partners of U.S. companies, will continue to be favorably considered under a license or an Encryption Licensing Arrangement (ELA). Refer to Sec. 742.15(a) of the EAR. ii. Certain short-range wireless items. No review or notification is required for short-range wireless products (e.g.
with an operating range typically not exceeding 100 meters) that qualify as ``mass market'' and are only controlled under Category 5--part II of the CCL because they incorporate parts or components with encryption functionality specified and limited to short-range wireless functions based on such commercial standards as Bluetooth, Home Radio Frequency (HomeRF) and IEEE 802.11b (``WiFi''). This provision for mass market products is found in Sec. 742.15(b)(3)(ii). A similar existing provision for ``retail'' short-range wireless products continues under License Exception ENC. See Sec. 740.17(b)(3)(iii)(H). iii. Certain items with limited use of cryptography. This rule clarifies that no review or notification is required for information security items which employ limited forms of cryptography, but which do not perform encryption functions (including key management) controlled for ``EI'' reasons under ECCNs 5A002, 5D002 or 5E002. These items are controlled under ECCNs 5A992, 5D992 and 5E992, regardless of bit length or whether they are ``mass market''. See Sec. 742.15(b)(3)(iii). Such items include items with cryptographic functions limited to authentication (including secure hash functions and message authentication codes) or digital signature, execution of copy protected software, commercial civil cellular telephones not capable of end-to-end encryption, and ``finance specific'' items specially designed and limited for banking use or money transactions (e.g. highly field-formatted with validation procedures and not easily diverted to other end-uses). Refer to the Related Controls and Technical Notes under ECCN 5A002 in the CCL (part 774 of the EAR) for a complete list of commodities. Note: Previous references specific to ``finance specific'' items under the ``retail'' provisions of License Exception ENC are removed for clarity (Sec. 740.17(b)(3)). Products which may have end uses related to financial operations (e.g.
supply chain management), but which are not limited by design to banking use or money transactions, remain subject to ``EI'' controls under ECCNs 5A002 and 5D002 and continue to be eligible for export and reexport as ``retail'' encryption commodities and software, after review by BIS under License Exception ENC. b. Clarification of when a review is required. i. Review under License Exception ENC. Encryption items controlled under ECCNs 5A002, 5D002 and 5E002, and equipment controlled under ECCN 5B002, require review by BIS prior to export and reexport under [[Page 38857]] the updated provisions of License Exception ENC (Sec. 740.17 of the EAR). Once BIS receives the information required for review (as described in Supplement No. 6 to part 742 of the EAR), you may export and reexport all such items (except cryptanalytic items to government end-users) to organizations and companies located or headquartered in the European Union plus eight additional countries. See Sec. 740.17(a). Thirty days after BIS registers your review request, you may export and reexport any encryption item, except those which provide an open cryptographic interface (OCI), to any non-government end-user except those in Cuba, Iran, Iraq, Libya, North Korea, Syria or Sudan. In addition, commodities and software that do not qualify as ``mass market'' but which qualify as ``retail'' may be exported and reexported to government end-users, once so authorized by BIS. See Sec. 740.17(b)(3) of the EAR for the treatment of ``retail'' encryption commodities and software, and Sec. 740.17(b)(2) for commodities and software that are not eligible as retail. Products not eligible as retail require a license to government end-users, except as authorized under Sec. 740.17(a). Encryption technology controlled under ECCN 5E002 and items which provide an OCI are not authorized for export or reexport under Sec.
740.17(b)(2) or (b)(3) and require a license to any end-user outside the countries listed in Supplement No. 3 to part 740. Exports and reexports of products reviewed by BIS under License Exception ENC may require reporting, as described in Sec. 740.17(e). License Exception ENC is amended with new paragraph headers and updated text, for clarity. ii. Review for mass market encryption products exceeding 64 bits. Encryption commodities and software that qualify for ``mass market'' treatment under the Cryptography Note (Note 3) to part II of Category 5 of the CCL, and which implement encryption with symmetric key length exceeding 64-bits, require review by BIS prior to export and reexport. These No License Required (NLR) products are removed from ``EI'' and ``NS'' controls, are controlled under ECCNs 5A992 and 5D992, and remain subject to the EAR. Similar to encryption items under License Exception ENC, you may immediately export and reexport 64 bit mass market encryption products to organizations and companies located or headquartered in the European Union plus eight additional countries. Thirty days after BIS receives your review request, you may export and reexport your mass market encryption product to any end-user (except embargoed or designated terrorist supporting countries and sanctioned persons), without post-export reporting or additional national security review for de minimis eligibility. All existing restrictions and licensing requirements to embargoed or designated terrorist supporting countries (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) and sanctioned persons are continued by this amendment. Posting of mass market encryption software on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone would not establish ``knowledge'' of a prohibited export or reexport. 
In addition, such posting would not trigger ``red flags'' necessitating the affirmative duty to inquire under the ``Know Your Customer'' guidance provided in Supplement No. 3 to part 732 of the EAR. See Sec. 742.15(b)(2) and Supplement No. 6 to part 742 of the EAR for requirements, procedures and instructions for requesting review. See Secs. 734.2, 734.3, 734.7, 734.8, 734.9, 740.13, 740.13(d) and 742.15(b) for other revisions to the EAR which reflect these changes in ECCN and reasons for control for 64 bit mass market encryption commodities and software. c. Clarification of when a notification is required. i. Encryption source code that would be considered publicly available, and corresponding object code. This rule simplifies U.S. export treatment of encryption source code that would be considered publicly available, by allowing all such source code (and corresponding object code) to be exported and reexported under License Exception TSU once notification (or a copy of the source code) is provided to BIS, regardless of whether a fee or royalty is charged for the commercial production or sale of products developed using this software. Refer to Sec. 740.13(e). This rule further clarifies that these license exception provisions do not extend to any encryption software that has not been made publicly available, including such encryption software that incorporates or is specially designed to use publicly available encryption software components (ref: Sec. 740.13(e)(3)). Such encryption software may instead be exported and reexported under License Exception ENC, subject to the terms and conditions set forth in Sec. 740.17 of the EAR. See Secs. 740.17(b)(2)(ii) and (iii) for specific provisions relating to such encryption source code and general purpose toolkits. Previous references to commercial encryption source code under License Exception ENC (i.e., Sec. 740.17(b)(4) prior to this amendment) are subsumed by these streamlined and clarified provisions of the EAR. ii.
56 bit encryption items (including 512-bit asymmetric and 112-bit elliptic curve algorithms), and mass market encryption products not exceeding 64 bits. This rule clarifies that, in addition to mass market encryption commodities and software with key lengths not exceeding 64 bits for the symmetric algorithm, other encryption items with key lengths not exceeding 56 bits for symmetric algorithms, 512 bits for asymmetric key exchange algorithms, and 112 bits for elliptic curve algorithms may be immediately exported and reexported No License Required (except to embargoed or designated terrorist supporting countries and sanctioned persons), upon notification to BIS. See Sec. 742.15(b)(1). The EAR is further amended by the following revisions: 3. Clarification of beta test software requirements in License Exception TMP. In Sec. 740.9 (Temporary imports, exports and reexports (TMP)), existing provisions for beta test encryption software are restructured for clarity, and new paragraph headings are added. 4. Clarification of License Exception ENC requirements. In Sec. 740.17 (Encryption Commodities and Software (ENC)), existing provisions are restructured for clarity, and new paragraph headings are added. Subject to the terms and conditions set forth therein, License Exception ENC applies to encryption items that do not qualify for ``mass market'' treatment. a. Sec. 740.17(a) (Exports and reexports to countries listed in Supplement 3 to part 740) is revised to allow the export and reexport of equipment controlled under ECCN 5B002 to the European Union plus eight additional countries, under License Exception ENC. Now, all items controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, except cryptanalytic items to government end-users, are eligible under this provision of the EAR. This includes items that provide an open cryptographic interface (OCI). b. Sec. 740.17(b)(1) (Encryption items for U.S. subsidiaries) is revised to allow equipment controlled under ECCN 5B002 to U.S.
companies and their subsidiaries under License Exception ENC. All items controlled under ECCNs 5A002, 5B002, 5D002 and 5E002, including those which provide an OCI, are eligible under this provision without review or notification. c. Sec. 740.17(b)(2) (Encryption commodities and software to non-government end-users) is revised for [[Page 38858]] clarity. All items controlled under ECCNs 5A002, 5B002 and 5D002, except items that provide an OCI, may be exported to non-government end-users 30 days after BIS receives a completed review request. This includes network infrastructure products, encryption source code (immediately eligible once the review request, including a copy of the source code, is submitted), general purpose toolkits, cryptanalytic items, and other items that do not qualify for ``mass market'' or ``retail'' treatment. This amendment also clarifies that the EAR imposes no additional restrictions on Internet and telecommunications service providers. Exports and reexports of network infrastructure commodities, software and technology to government end-users outside the countries listed in Supplement No. 3 to part 740 continue to require a license. d. Sec. 740.17(b)(3) (Retail encryption commodities, software and components to government and non-government end-users) is revised and restructured for clarity. New paragraph headers are added, and existing provisions are consolidated. This paragraph clarifies that the following are among the examples of encryption products eligible for retail treatment under License Exception ENC: i. Encryption commodities and software (including key management products) with key lengths not exceeding 64 bits for symmetric algorithms, 1024 bits for asymmetric algorithms, and 160 bits for elliptic curve algorithms (see Sec. 740.17(b)(3)(ii)(A)); ii. Encryption commodities and software which are limited to allowing foreign-developed encryption products to operate with U.S.
products, or which activate encryption functions in other retail products (when the encryption would otherwise remain inoperable, ``dormant'' or disabled) (see Secs. 740.17(b)(3)(ii)(C)-(D)); iii. Low-end virtual private networking (VPN) equipment (e.g. with encrypted throughput not exceeding 10 Mbps, or supporting no more than 100 concurrent encrypted tunnels) (see Sec. 740.17(b)(3)(iii)(C)); iv. Applets and web portal software implementing Secure Socket Layer (SSL) encryption (see Sec. 740.17(b)(3)(iii)(F)); v. Network and security management products designed for, bundled with, or pre-loaded on single CPU computers, low-end servers or retail networking products (see Sec. 740.17(b)(3)(iii)(G)); and vi. Short-range wireless components and software (e.g. with an operating range typically not exceeding 100 meters) based on such commercial standards as Bluetooth, Home Radio Frequency (HomeRF) and IEEE 802.11b (``WiFi'') (see Sec. 740.17(b)(3)(iii)(H)); e. In Sec. 740.17(b)(4), previous provisions regarding commercial encryption source code are now subsumed by updated provisions for: i. Encryption source code (and corresponding object code) which would be considered publicly available (refer to Sec. 740.13(e) of the EAR); and ii. Encryption source code which would not be considered publicly available (i.e., ``company proprietary'' encryption source code). See Sec. 740.17(b)(2)(ii). This paragraph (b)(4) now cross-references the de minimis provisions of Sec. 734.4 for encryption items controlled under ECCNs 5A002 and 5D002. f. Previous references to cryptographic interfaces in former Sec. 740.17(b)(5) are now incorporated into the general provisions of License Exception ENC. See Sec. 740.17(a) for cryptographic interface items to the European Union plus eight additional countries, and refer to Sec. 740.17(b)(1) for U.S. subsidiaries. Products which are used to establish a closed cryptographic interface (e.g. signing) continue to be treated as ``retail'' (see Sec.
740.17(b)(3)(ii)(C)). g. In Sec. 740.17(c) (Reexports and transfers), this rule clarifies that foreign-developed products which are designed to operate with U.S. products through a cryptographic interface are subject to the EAR, but do not require review by BIS. h. In Sec. 740.17(d) (Review requirement), instructions and procedures for submitting review requests for encryption items under License Exception ENC are updated and clarified. i. In Secs. 740.17(d)(2) and (3)(i), existing grandfathering and key length increase provisions are revised, for clarity and consistency with Secs. 740.17(a), (b)(2) and (b)(3). j. Sec. 740.17(e) (Reporting requirements) is restructured for clarity. This rule clarifies that the requirements to report foreign products developed from U.S. source code and toolkits apply only if you know when the foreign product is made available for commercial sale. See Sec. 740.17(e)(3). The previous reporting exemption for ``finance-specific products'' is removed from this section, to clarify that these products may be exported and reexported (except to embargoed or designated terrorist supporting countries and sanctioned persons) under ECCNs 5A992 and 5D992, without review by BIS. Refer to Sec. 742.15(b)(3)(iii). This clarification is made for consistency with the Wassenaar Arrangement list of dual-use items. Reporting exemptions previously listed under Sec. 740.17(e)(1) are now listed under Sec. 740.17(e)(4). 5. Clarification of licensing requirements and policies for encryption items. In Sec. 742.15(a) (Licensing requirements and policy), existing U.S. licensing requirements and licensing policy provisions, including those pertaining to encryption items under Encryption Licensing Arrangements, are consolidated into clarified provisions Sec. 742.15(a)(1)(i) (Licensing requirements) and Sec. 742.15(a)(1)(ii) (Licensing policy). 6.
Clarification of notification and review requirements for encryption items controlled under ECCN 5A992, 5D992, or 5E992. Sec. 742.15(b) (Notification and review requirements for encryption items controlled under ECCNs 5A992, 5D992 and 5E992) clarifies when notification or review is required for encryption items not controlled for ``EI'' and ``NS'' reasons under ECCNs 5A002, 5D002 or 5E002. i. In Sec. 742.15(b)(1), notification requirements for certain encryption items with restricted bit lengths are clarified. ii. In Sec. 742.15(b)(2), review requirements for 64 bit mass market encryption products are established. iii. In Sec. 742.15(b)(3), transactions and items which do not require review or notification are described. iv. Sec. 742.15(b)(4) clarifies that commodities, software and components which activate encryption functions in 56-bit or mass-market products (when the encryption would otherwise remain inoperable, ``dormant'' or disabled), are also controlled under ECCNs 5A992 and 5D992. Commodities and software that ``activate'' dormant 56-bit encryption require notification under Sec. 742.15(b)(1), while commodities and software that ``enable'' mass market products to perform encryption exceeding 64 bits for the symmetric algorithm require review under Sec. 742.15(b)(2). Note: ``Activation'' commodities and software that enable ``EI'' controlled encryption functionality (e.g. 128-bit encryption of network infrastructure data communications) are controlled under ECCNs 5A002 and 5D002, and require review under License Exception ENC. Refer to Sec. 740.17 of the EAR. Note that, once an encryption item is activated with ``EI'' controlled encryption functionality, the item is controlled under ECCN 5A002 (if hardware) or 5D002 (if software) and may no longer be exported No License Required under ECCNs 5A992 or 5D992. v. In Sec. 742.15(b)(5), an illustrative, but by no means exhaustive, list of mass market encryption products is provided. [[Page 38859]] 7. 
Clarification of documentation requirements for submitting review requests for encryption items. In Supplement No. 6 to part 742 (Guidelines for Submitting Support Documentation Required for Review Requests for Encryption Items), instructions to exporters are updated and clarified. Exporters are instructed to insert the appropriate phrase ``Mass market encryption'' or ``License Exception ENC'' in Block 9 (``Special Purpose'') of the review request. (For compatibility with current application processing systems, exporters should continue to place an ``X'' in the box marked ``Classification Request'' in Block 5: ``Type of Application''.) Support documentation described in this Supplement is required for the review of encryption items. 8. Clarification to distinguish encryption review requests from classification requests. In Sec. 748.3 (Classification Requests, Review Requests and Advisory Opinions), existing paragraph (b)(3) is removed and replaced with a new paragraph (d) (``Review requests for encryption items''), to clarify that the process for reviewing encryption items by BIS, in conjunction with the ENC Encryption Request Coordinator, obviates the need for separate classification by BIS. 9. Definition of ``cryptanalytic items'' clarified. In Sec. 772.1 (Definition of Terms), the definition of ``cryptanalytic items'' is updated to incorporate the previous EAR definition of ``cryptanalytic functions''. A technical note is also added to clarify that ``cryptanalytic items'' does not include software designed and limited to protect against malicious computer damage or unauthorized system intrusion (e.g., viruses, worms and trojan horses). Such software is controlled under ECCN 5D992.c. 10. Revisions to the Cryptography Note and to the explanatory notes in ECCN 5D002. In Supplement No.
1 to part 774 (the Commerce Control List), the previous 64 bit restriction to the Cryptography Note (Note 3) to Category 5--part II is removed, consistent with the Wassenaar Arrangement list of dual-use items. Explanatory notes to ECCN 5D002 ``Information Security--Software'' are updated, for consistency with the other revised sections of this amendment. Rulemaking Requirements 1. This rule has been determined to be not significant for purposes of Executive Order 12866. 2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with, a collection of information subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid OMB Control Number. This rule involves collections of information subject to the requirements of the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These collections have been approved by the Office of Management and Budget under Control Numbers 0694-0088, ``Multi-Purpose Application,'' and 0694-0104, ``Commercial Encryption Items Transferred from the Department of State to the Department of Commerce.'' Collection 0694-0088 carries a burden hour estimate of 45 minutes per manual submission and 40 minutes per electronic submission. Miscellaneous and recordkeeping activities account for 12 minutes per submission. For collection 0694-0104, it is estimated that companies will take 5 minutes to complete notifications for source code under License Exception TSU. It will take companies 15 minutes to complete upgrade notifications. For reporting under License Exception ENC and licenses for encryption items, it will take companies 8 hours to complete semi-annual reporting requirements.
Send comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, to OMB Desk Officer, New Executive Office Building, Washington, DC 20503; and to the Regulatory Policy Division, Bureau of Industry and Security, Department of Commerce, P.O. Box 273, Washington, DC 20044. 3. This rule does not contain policies with Federalism implications as that term is defined in Executive Order 13132. 4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 5 U.S.C. 553 or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) are not applicable. Therefore, this regulation is issued in interim final form. Although there is no formal comment period, public comments on this regulation are welcome on a continuing basis. Comments should be submitted to Willard Fisher, Regulatory Policy Division, Bureau of Industry and Security, U.S. Department of Commerce, Room 2705, 14th Street and Pennsylvania Avenue, NW., Washington, DC 20230. List of Subjects 15 CFR Parts 732, 740, and 748 Administrative practice and procedure, Exports, Foreign trade, Reporting and recordkeeping requirements. 15 CFR Parts 734 and 738 Administrative practice and procedure, Exports, Foreign trade. 15 CFR Parts 742, 770, and 772 Exports, Foreign trade. 15 CFR Part 774 Exports, Foreign trade, Reporting and recordkeeping requirements. 
Accordingly, Parts 732, 734, 738, 740, 742, 748, 770, 772, and 774 of the Export Administration Regulations (15 CFR Parts 730-799) are amended as follows: 1. The authority citation for 15 CFR Part 732 is revised to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001. 1a. The authority citation for 15 CFR Parts 740 and 748 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001. 2. The authority citation for 15 CFR Part 734 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001; Notice of November 9, 2001, 66 FR 56965, November 13, 2001. 3. The authority citation for 15 CFR Part 738 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001. 4. The authority citation for 15 CFR Part 742 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O.
13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001; Notice of November 9, 2001, 66 FR 56965, November 13, 2001. 5. The authority citation for 15 CFR Part 770 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, August 22, 2001. 5a. The authority citation for 15 CFR Part 772 is revised to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, August 22, 2001. 6. The authority citation for 15 CFR Part 774 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 287(c); 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466(c); 50 U.S.C. app. 5; Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, August 22, 2001. PART 732--[AMENDED] 7. Section 732.2 is amended by revising the introductory text of paragraph (d) to read as follows: Sec. 732.2 Steps regarding scope of the EAR. * * * * * (d) Step 4: Foreign-made items incorporating less than the de minimis level of U.S. parts, components, and materials. This step is appropriate only for items that are made outside the United States and not currently in the United States. Note that the following encryption items are subject to the EAR even if they incorporate less than the de minimis level of U.S. content: encryption items controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 on the Commerce Control List (Supplement No. 
1 to Part 774 of the EAR) and mass market encryption commodities and software, described in the Cryptography Note (Note 3) in Category 5--Part 2 (``Information Security'') of the Commerce Control List, that have not been reviewed by BIS and released from the ``EI'' and ``NS'' controls of ECCN 5A002 or 5D002 in accordance with the requirements described in Sec. 742.15(b)(2) of the EAR. Exporters may, as part of a review request, ask that certain 5A002 and 5D002 parts, components and software also be made eligible for de minimis treatment (see Sec. 734.4(b) of the EAR). The review of de minimis eligibility will take into account U.S. national security interests. * * * * * 8. Section 732.3 is amended by revising paragraph (e)(2) to read as follows: Sec. 732.3 Steps regarding the ten general prohibitions. * * * * * (e) * * * (2) Guidance for calculations. For guidance on how to calculate the U.S.-controlled content, refer to Supplement No. 2 to part 734 of the EAR. Note that under certain rules issued by the Office of Foreign Assets Control, certain exports from abroad by U.S.-owned or controlled entities may be prohibited notwithstanding the de minimis provisions of the EAR. In addition, the de minimis exclusions from the parts and components rule do not relieve U.S. persons of the obligation to refrain from supporting the proliferation of weapons of mass-destruction and missiles as provided in General Prohibition Seven (U.S. Person Proliferation Activity) described in Sec. 736.2(b)(7) of the EAR. Note that foreign-made items that incorporate U.S.-origin items controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR) are subject to the EAR even if they incorporate less than the de minimis level of U.S. content. However, exporters may, as part of a review request, ask that certain 5A002 and 5D002 parts, components and software also be made eligible for de minimis treatment (see Sec.
734.4(b) of the EAR). * * * * * PART 734--[AMENDED] 9. Section 734.2 is amended by revising paragraph (b)(9)(ii) and the introductory text of paragraph (b)(9)(iii) to read as follows: Sec. 734.2 Important EAR terms and principles. * * * * * (b) * * * (9) * * * (i) * * * (ii) The export of encryption source code and object code software controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR) includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or making such software available for transfer outside the United States, over wire, cable, radio, electro-magnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code. See Sec. 740.13(e) of the EAR for notification requirements for exports or reexports of encryption source code and object code software considered to be publicly available consistent with the provisions of Sec. 734.3(b)(3) of the EAR. (iii) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under Sec. 740.17 (b)(2) of the EAR (encryption software products, certain encryption source code and general purpose encryption toolkits) shall include such measures as: * * * * * 10. Section 734.3 is amended by revising paragraph (b)(3) introductory text to read as follows: Sec. 734.3 Items subject to the EAR. 
* * * * * (b) * * * (3) Publicly available technology and software, except software controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control List and mass market encryption software with symmetric key length exceeding 64-bits controlled under ECCN 5D992, that: * * * * * 11. Section 734.4 is amended by revising paragraph (b) to read as follows: Sec. 734.4 De minimis U.S. content. * * * * * (b) There is no de minimis level for foreign-made items that incorporate U.S.-origin items controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR). However, exporters may, as part of an encryption review request, ask that software controlled under ECCN 5D002 and eligible for export under the ``retail'' or ``source code'' provisions of license exception ENC, and parts and components controlled under ECCN 5A002, be made eligible for de minimis treatment. The review of de minimis eligibility will take U.S. national security interests into account. Certain encryption items controlled under ECCNs 5A992, 5D992 and 5E992 are not eligible for de minimis treatment, unless exporters have complied with the applicable notification or review requirements described in Sec. 742.15(b)(1) and (b)(2) of the EAR. Encryption items controlled by ECCN 5A992, 5D992 or 5E992 and described in Sec. 742.15(b)(3) of the EAR are not subject to these notification or review requirements. * * * * * 12. Section 734.7 is amended by revising paragraph (c) to read as follows: Sec. 734.7 Published information and software. * * * * * (c) Notwithstanding paragraphs (a) and (b) of this section, note that encryption software controlled under ECCN 5D002 for ``EI'' reasons on the Commerce Control List and mass market encryption software with symmetric key length exceeding 64-bits controlled under ECCN 5D992 remain subject to the EAR. See Sec.
740.13(e) of the EAR for certain exports and reexports under license exception. 13. Section 734.8 is amended by revising paragraph (a) to read as follows: Sec. 734.8 Information resulting from fundamental research. (a) Fundamental research. Paragraphs (b) through (d) of this section and Sec. 734.11 of this part provide specific rules that will be used to determine whether research in particular institutional contexts qualifies as ``fundamental research''. The intent behind these rules is to identify as ``fundamental research'' basic and applied research in science and engineering, where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons as defined in Sec. 734.11(b) of this part. (See Supplement No. 1 to this part, Question D(8)). Note that the provisions of this section do not apply to encryption software controlled under ECCN 5D002 for ``EI'' reasons on the Commerce Control List (Supplement No. 1 to Part 774 of the EAR) or to mass market encryption software with symmetric key length exceeding 64-bits controlled under ECCN 5D992. See Sec. 740.13(e) of the EAR for certain exports and reexports under license exception. * * * * * 14. Section 734.9 is revised to read as follows: Sec. 734.9 Educational Information. ``Educational information'' referred to in Sec. 734.3(b)(3)(iii) of this part is not subject to the EAR if it is released by instruction in catalog courses and associated teaching laboratories of academic institutions. Dissertation research is discussed in Sec. 734.8(b) of this part. (Refer to Supplement No. 1 to this part, Question C(1) through C(6)). 
Note that the provisions of this section do not apply to encryption software controlled under ECCN 5D002 for ``EI'' reasons on the Commerce Control List or to mass market encryption software with symmetric key length exceeding 64-bits controlled under ECCN 5D992. See Sec. 740.13(e) of the EAR for certain exports and reexports under license exception. 15. Section 738.4 is amended by revising paragraph (a)(2)(ii)(B) to read as follows: Sec. 738.4 Determining whether a license is required. (a) * * * (2) * * * (ii) * * * (B) If no, a license is not required based on the particular Reason for Control and destination. Provided that General Prohibitions Four through Ten do not apply to your proposed transaction and that any applicable notification or review requirements described in Sec. 742.15(b)(1) and (b)(2) of the EAR have been met for certain encryption items controlled under ECCNs 5A992, 5D992 and 5E992, you may effect your shipment using the symbol ``NLR''. Proceed to parts 758 and 762 of the EAR for information on export clearance procedures and recordkeeping requirements. Note that although you may stop after determining a license is required based on the first Reason for Control, it is best to work through each applicable Reason for Control. A full analysis of every possible licensing requirement based on each applicable Reason for Control is required to determine the most advantageous License Exception available for your particular transaction and, if a license is required, ascertain the scope of review conducted by BIS on your license application. * * * * * PART 740--[AMENDED] 16. Section 740.9 is amended by revising paragraph (c) to read as follows: Sec. 740.9 Temporary imports, exports and reexports (TMP). * * * * * (c) Exports of beta test software. (1) Scope. The provisions of this paragraph (c) authorize exports and reexports to eligible countries of beta test software intended for distribution to the general public. (2) Eligible countries. 
Encryption software controlled under ECCN 5D002 is not eligible for export or reexport to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria under the provisions of this paragraph (c). All other beta test software is eligible for export or reexport to all destinations, except Cuba, Iran, Iraq, Libya, and Sudan under the provisions of this paragraph (c). (3) Eligible software. All software that is controlled by the Commerce Control List (Supplement No. 1 to part 774 of the EAR), and under Commerce licensing jurisdiction, is eligible for export and reexport, subject to the restrictions of this paragraph (c). Encryption software controlled for ``EI'' reasons under ECCN 5D002 is eligible for export and reexport under this paragraph (c), provided that the exporter has submitted the information described in paragraph (c)(8) of this section by the time of export. Final encryption products produced by the testing consignee are subject to any applicable provisions in Sec. 742.15(b)(2) of the EAR (for mass market encryption commodities and software with symmetric key length exceeding 64-bits) or Sec. 740.17 of the EAR (License Exception ENC), including review and reporting requirements. (4) Conditions for use.
Exports or reexports of beta test software programs under the provisions of this paragraph (c) must meet all of the following conditions: (i) The software producer intends to market the software to the general public after completion of the beta testing, as described in the General Software Note (see Supplement 2 to part 774 of the EAR) or the Cryptography Note in Category 5, Part 2 (``Information Security'') of the Commerce Control List (see Supplement No. 1 to part 774 of the EAR); (ii) The software producer provides the software to the testing consignee free-of-charge or at a price that does not exceed the cost of reproduction and distribution; and (iii) The software is designed for installation by the end-user without further substantial support from the supplier. (5) Importer Statement. Prior to exporting or reexporting any eligible software under this paragraph (c), the exporter or reexporter must obtain the following statement from the testing consignee, which may be included in a contract, non-disclosure agreement, or other document that identifies the importer, the software to be exported, the country of destination, and the testing consignee. ``We certify that this beta test software will only be used for beta testing purposes, and will not be rented, leased, sold, sublicensed, assigned, or otherwise transferred. Further, we certify that we will not transfer or export any product, process, or service that is the direct product of the beta test software.'' (6) Use limitations. Only testing consignees that provide the importer statement required by paragraph (c)(5) of this section may execute any beta test software that was exported or reexported to them under the provisions of this paragraph (c). (7) Return or disposal of software.
All beta test software exported must be destroyed abroad or returned to the exporter within 30 days of the end of the beta test period as defined by the software producer or, if the software producer does not define a test period, within 30 days of completion of the consignee's role in the test. Among other methods, this requirement may be satisfied by a software module that will destroy the software and all its copies at or before the end of the beta test period. (8) Notification and reporting of beta test encryption software. (i) Notification. For beta test encryption software eligible under this license exception, you must submit to BIS, by the time of export, the information described in paragraphs (a) through (e) of Supplement 6 to part 742 of the EAR. Submit your notification by email to BIS at crypt@bis.doc.gov, and provide a copy of the notification to the ENC Encryption Request Coordinator at enc@ncsc.mil. (ii) Reporting. For beta test encryption software eligible under this license exception, the exporter must submit the names and addresses of the testing consignees (except names and addresses of individual consumers) and the name and version of the beta software consistent with Sec. 740.17(e)(5) of the EAR. 17. Section 740.13 is amended by revising the introductory text, by revising paragraphs (d)(1) and (d)(2), and by revising paragraph (e) to read as follows: Sec. 740.13 Technology and software--unrestricted (TSU). This license exception authorizes exports and reexports of operation technology and software; sales technology and software; software updates (bug fixes); ``mass market'' software subject to the General Software Note; and encryption source code (and corresponding object code) that would be considered publicly available under Sec. 734.3(b)(3) of the EAR. Note that encryption software subject to the EAR is not subject to the General Software Note (see paragraph (d)(2) of this section).
* * * * * (d) General Software Note: ``mass market'' software. (1) Scope. The provisions of paragraph (d) authorize exports and reexports of ``mass market'' software subject to the General Software Note (see Supplement No. 2 to part 774 of the EAR; also referenced in this section).\1\

\1\ ``Mass market'' software may fall under the classification of ``general use'' software for export clearance purposes. Exporters should consult the Census Bureau FTSR for possible SED requirements.

(2) Exclusions. The provisions of this paragraph (d) are not available for encryption software controlled for ``EI'' reasons under ECCN 5D002 or for encryption software with symmetric key length exceeding 64-bits that qualifies as mass market encryption software under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR). (Once such mass market encryption software has been reviewed by BIS and released from ``EI'' and ``NS'' controls pursuant to Sec. 742.15(b)(2) of the EAR, it is controlled under ECCN 5D992 and is thus outside the scope of License Exception TSU.) See Sec. 742.15(b)(2) of the EAR for exports and reexports of mass market encryption products controlled under ECCN 5D992. * * * * * (e) Encryption source code (and corresponding object code). (1) Scope. The provisions of paragraph (e) of this section authorize exports and reexports, without review, of encryption source code controlled under ECCN 5D002 that would be considered publicly available under Sec. 734.3(b)(3) of the EAR, and corresponding object code resulting from the compiling of such source code. (2) Eligible Software. Encryption source code is eligible for export and reexport under License Exception TSU, provided that it would be considered publicly available under Sec.
734.3(b)(3) of the EAR. Such encryption source code is eligible for License Exception TSU even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. Corresponding object code resulting from the compiling of such source code is also eligible for License Exception TSU treatment if such object code would also be considered publicly available under Sec. 734.3(b)(3) of the EAR. (3) Restrictions. Encryption software controlled under ECCN 5D002 that would not be considered publicly available, but which incorporates or is specially designed to use encryption software that would be considered publicly available, is not eligible for export or reexport under this paragraph (e). (4) Country restrictions. You may not knowingly export or reexport source code, corresponding object code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria. (5) Notification requirement. You must provide BIS written notification of the Internet location (e.g., URL or Internet address) of the source code or a copy of the source code by the time of export. Submit the notification by email to BIS at crypt@bis.doc.gov, and provide a copy of the notification to the ENC Encryption Request Coordinator at enc@ncsc.mil. (6) ``Knowledge'' of a prohibited export or reexport. Posting of source code or corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone would not establish ``knowledge'' of a prohibited export or reexport. See Sec. 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such posting would not trigger ``red flags'' necessitating the affirmative duty to inquire under the ``Know Your Customer'' guidance provided in Supplement No. 3 to part 732 of the EAR. 18. Section 740.17 is revised to read as follows: Sec. 
740.17 Encryption commodities and software (ENC). License Exception ENC authorizes the export and reexport of encryption items controlled under ECCN 5A002, 5D002 or 5E002, and ``information security'' test, inspection, and production equipment controlled under ECCN 5B002. Encryption items exported and reexported under License Exception ENC remain subject to ``EI'' controls. No encryption items may be exported or reexported, under this license exception, to countries listed in Country Group E:1 of Supplement No. 1 to this Part--this includes exports and reexports (as defined in Sec. 734.2 of the EAR) of encryption source code and technology to nationals of these countries. Review and reporting requirements apply to certain exports under this license exception (paragraph (d) of this section describes how to submit encryption items for review; paragraph (e) of this section describes which exports are subject to reporting requirements). Certain exports and reexports to government end-users are authorized under paragraphs (a) and (b)(3) of this section. Section 772.1 of the EAR defines the term ``government end-user'' as it applies to encryption items. Section 742.15 of the EAR describes the license requirements and policies that apply to exports and reexports of encryption items. (a) Exports and reexports to countries listed in Supplement 3 to this part. Encryption items controlled under ECCN 5A002, 5D002 or 5E002 (except cryptanalytic items as defined in Part 772 of the EAR), and ``information security'' test, inspection, and production equipment controlled under ECCN 5B002, are authorized for immediate export and reexport to government and non-government end-users located in the countries listed in Supplement 3 to this part 740, subject to the review requirements described in paragraph (d) of this section. Cryptanalytic items are authorized to non-government end-users, only, under this paragraph (a).
Encryption items and ``information security'' test, inspection, and production equipment may also be exported or reexported to any destination eligible under this license exception for the internal use of foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in countries listed in Supplement 3 to this part 740. (Note that License Exception ENC prohibits exports and reexports of encryption source code and technology to nationals of countries listed in Country Group E:1 of Supplement No. 1 to this part.) Before you export an item for the first time under this license exception, you must submit to BIS and the ENC Encryption Request Coordinator a review request for that item, as described in paragraph (d) of this section. See paragraph (e) of this section for applicable semi-annual reporting requirements. (b) Exports and reexports to all other eligible countries. (1) Encryption items for U.S. subsidiaries. Exports and reexports of encryption items controlled under ECCN 5A002, 5D002 or 5E002 and ``information security'' test, inspection, and production equipment controlled under ECCN 5B002, are authorized under this license exception, without review, to foreign subsidiaries of U.S. companies for any end-use not prohibited elsewhere in the EAR. This paragraph (b)(1) also authorizes exports and reexports by U.S. companies and their subsidiaries of any such items (including encryption source code and technology), to foreign nationals working as contractors, interns or employees of said U.S. companies and their subsidiaries, provided that the items are for internal company use, including the development of new products. (Note that License Exception ENC prohibits exports and reexports of encryption source code and technology to nationals of countries listed in Country Group E:1 of Supplement No. 1 to this part). All items produced or developed by U.S. 
subsidiaries with encryption commodities, software and technology exported under this paragraph (b)(1) are subject to the EAR and require review and authorization before any sale or retransfer outside of the U.S. company. (2) Encryption commodities and software to non-government end-users. Thirty days after registration of a completed review request by BIS (``registration'' is defined in Sec. 750.4(a)(2) of the EAR), encryption commodities, software and components controlled under ECCN 5A002 or 5D002 (except such items which provide an open cryptographic interface, as defined in part 772 of the EAR), and ``information security'' test, inspection, or production equipment controlled under ECCN 5B002, are authorized for export or reexport to any individual, commercial firm or other non-government end-user located outside the countries listed in Supplement 3 to this part 740. The thirty days may not include any time that your review request was on hold without action. To request authorization under the provisions of this paragraph (b)(2), you must submit to BIS and the ENC Encryption Request Coordinator a review request as described in paragraph (d) of this section. See paragraph (e) of this section for applicable semi-annual reporting requirements. Encryption commodities and software eligible for export or reexport under this paragraph (b)(2) include, but are not limited to, the following: (i) Network infrastructure products, such as high end routers or switches designed for large volume communications, and specially designed software, parts, and components thereof (including commodities and software which activate or enable cryptographic functionality in network infrastructure products that would otherwise remain disabled); (ii) Encryption source code that would not be considered publicly available for export or reexport under License Exception TSU.
(You may immediately export and reexport such encryption source code under License Exception ENC, provided that you have submitted a review request, including a copy of your source code, to BIS and the ENC Encryption Request Coordinator. Note that License Exception ENC prohibits exports and reexports of encryption source code to countries listed in Country Group E:1 of Supplement No. 1 to this part, or to nationals of these countries.); (iii) General purpose toolkits; (iv) Cryptanalytic items (as defined in part 772 of the EAR); (v) Commodities, software and components not otherwise authorized for export as mass market or retail. (3) Retail encryption commodities, software and components to government and non-government end-users. Thirty days after registration of a completed review request by BIS (``registration'' is defined in Sec. 750.4(a)(2) of the EAR), retail encryption commodities, software and components controlled under ECCN 5A002 or 5D002 are authorized for export and reexport to any individual, commercial firm or other non-government end-user located outside the countries listed in Supplement 3 to this part 740. The thirty days may not include any time that your review request was on hold without action. Once BIS has completed its review and authorizes your encryption commodities, software, and components for export or reexport as retail encryption items under License Exception ENC, you may also export or reexport these items to government end-users. To request authorization under the provisions of this paragraph (b)(3), you must submit to BIS and the ENC Encryption Request Coordinator a review request as described in paragraph (d) of this section. See paragraph (e) of this section for applicable semi-annual reporting requirements. (i) Retail eligibility criteria.
Retail encryption commodities and software are products and components: (A) Generally available to the public by means of any of the following: (1) Are sold in tangible form through retail outlets independent of the manufacturer; (2) Are specially designed for individual consumer use; or (3) Are sold or will be sold in large volume, without restriction, through mail order transactions, electronic transactions, or telephone call transactions; and (B) Meeting all of the following: (1) The cryptographic functionality cannot be easily changed by the user; (2) Substantial support is not required for installation and use; and (3) The cryptographic functionality has not been modified or customized to customer specification. (ii) Additional types of retail encryption products. The following products will also be considered to be retail encryption products: (A) Encryption commodities and software (including key management products) with key lengths not exceeding 64 bits for symmetric algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 bits for elliptic curve algorithms. (You may immediately export or reexport such encryption commodities and software as retail items upon submitting a completed review request to BIS and the ENC Encryption Request Coordinator, in accordance with the requirements described in paragraph (d) of this section); (B) Encryption products and network-based applications that provide equivalent functionality to other mass market or retail encryption commodities and software (refer to the Cryptography Note (Note 3) to part II of Category 5 of the CCL for the definition of mass market encryption commodities and software); (C) Encryption products that are limited to allowing foreign-developed cryptographic products to operate with U.S. products (e.g. signing).
No review of the foreign-developed cryptography is required; (D) Encryption commodities and software that activate or enable cryptographic functionality in retail encryption products which would otherwise remain disabled. (iii) Examples of eligible retail encryption products: Subject to the retail eligibility criteria in paragraph (b)(3)(i) of this section, retail encryption items include, but are not limited to, the following: (A) General purpose operating systems that do not qualify as mass market; (B) Non-programmable encryption chips, and chips that are constrained by design for retail products; (C) Retail networking products, such as low-end routers, firewalls, and virtual private networking (VPN) equipment designed for small office or home use; (D) Desktop applications (e.g. e-mail, browsers, games, word processing, database, financial applications or utilities) that do not qualify as mass market; (E) Programmable database management systems and associated application servers; (F) Low-end servers and application-specific servers (including client-server applications, e.g. Secure Socket Layer (SSL)-based web applications and applets, servers, and portals); (G) Network and security management products designed for, bundled with, or pre-loaded on single CPU computers, low-end servers or retail networking products; and (H) Short-range wireless components and software that do not qualify as mass market. Products that would be controlled under ECCN 5A002 or 5D002, only because they incorporate components or software which provide short-range wireless encryption functions, may be exported or reexported under the retail provisions of License Exception ENC, without review or reporting. (4) Reviews for de minimis eligibility: Items controlled for ``EI'' reasons under ECCN 5A002, 5D002 or 5E002 are not eligible for de minimis treatment under Sec. 734.4 of the EAR. 
However, exporters may, as part of a review request, ask that U.S.-origin retail encryption software controlled under ECCN 5D002 and U.S.-origin parts and components controlled under ECCN 5A002, that are incorporated in foreign-made items, be made eligible for de minimis treatment. The review of de minimis eligibility for such items will take U.S. national security interests into account. (c) Reexports and transfers. U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or reexport meets the applicable terms and conditions of this section. Transfers of encryption items listed in paragraph (b) of this section to government end-users, or for government end-uses, within the same country are prohibited, unless otherwise authorized by license or license exception. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits remain subject to the EAR, but do not require review (for encryption reasons) by BIS. These products can be exported or reexported under License Exception ENC without notification and without further authorization (for encryption reasons) from BIS. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface. (d) Review requirement. (1) Review request procedures. To request review of your encryption products under License Exception ENC, you must submit to BIS and to the ENC Encryption Request Coordinator the information described in paragraphs (a) through (e) of Supplement 6 to part 742 of the EAR (Guidelines for Submitting Review Requests for Encryption Items). Review requests must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, as described in Sec. 748.3 of the EAR. 
To ensure that your review request is properly routed, insert the phrase ``License Exception ENC'' in Block 9 (Special Purpose) of the application form and place an ``X'' in the box marked ``Classification Request'' in Block 5 (Type of Application)--Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. Review requests that are not submitted electronically to BIS should be mailed to the address indicated in Sec. 748.2(c) of the EAR. See paragraph (e)(5)(ii) of this section for the mailing address for the ENC Encryption Request Coordinator. BIS will notify you if there are any questions concerning your request for review under License Exception ENC (e.g., because of missing or incomplete support documentation). Once your review has been completed, BIS will notify you in writing concerning the eligibility of your products for export or reexport, under the provisions of this license exception. BIS reserves the right to suspend your eligibility to export and reexport under License Exception ENC and to return your review request without action, if you have not met the review requirements. You may not export or reexport retail encryption commodities, software and components under this license exception to government end-users headquartered outside of Canada and the countries listed in Supplement 3 to this part 740, unless you have received prior authorization from BIS. (2) Grandfathering. 
Encryption commodities, software, parts or components (except cryptanalytic items) previously approved for export may be exported or reexported without further review to government and non-government end-users in countries listed in Supplement 3 to this part 740, and to any non-government end-user outside the countries listed in [[Page 38865]] Supplement 3 to this part 740 (except items which provide an open cryptographic interface as defined in part 772 of the EAR). This includes products approved under a license, an Encryption Licensing Arrangement, or classified as eligible to use License Exception ENC (except for those products that were authorized only for export to U.S. subsidiaries) prior to October 19, 2000. Encryption technology previously approved for export under a license or an Encryption Licensing Arrangement may be exported or reexported to government and non-government end-users in countries listed in Supplement 3 to this part 740. (3) Key length increases. Exporters may increase the key lengths of products previously classified and continue to export these products under the applicable provisions of License Exception ENC, without further review, upon certification to BIS and the ENC Encryption Request Coordinator in accordance with paragraph (d)(3)(ii) of this section. No other change in cryptographic functionality is allowed under License Exception ENC. (i) Any product previously classified as ECCN 5A002 or 5D002 (except encryption items that provide an open cryptographic interface, as defined in Sec. 772.1 of the EAR) may, with any upgrade to the key length used for confidentiality or key exchange algorithms, be exported or reexported under License Exception ENC to any non-government end-user without an additional review. A license is required to export or reexport items that provide an open cryptographic interface to end-users located outside the countries listed in Supplement 3 to this part 740. 
In addition, products previously reviewed by BIS that were determined to be eligible as ``retail'' under this license exception may be exported or reexported to government end-users, without additional review. For products not previously determined to be eligible as retail products, another review is required to determine their eligibility as ``retail'' products under paragraph (b)(3) of this section. (ii) Exporters must certify to BIS, in a letter from a corporate official, that the only change to the encryption product is the key length for confidentiality or key exchange algorithms and that there is no other change in cryptographic functionality. Certifications must include the original authorization number issued by BIS and the date of issuance. BIS must receive this certification prior to any export of an upgraded encryption product. The certification should be sent to BIS and a copy of the certification should be sent to the ENC Encryption Request Coordinator at the mailing address indicated in paragraph (e)(5) of this section. (e) Reporting requirements. (1) Semi-annual reporting requirement. Semi-annual reporting is required for exports and reexports under this license exception. Certain encryption items and transactions are excluded from this reporting requirement (see paragraph (e)(4) of this section). For instructions on how to submit your reports, see paragraph (e)(5) of this section. (2) General information required. Exporters must include all of the following applicable information in their reports: (i) For items exported to a distributor or other reseller, including subsidiaries of U.S. 
firms, the name and address of the distributor or reseller, the item and the quantity exported and, if collected by the exporter as part of the distribution process, the end-user's name and address; (ii) For items exported through direct sale, the name and address of the recipient, the item, and the quantity exported (except for retail products, if the end-user is an individual consumer); (iii) For exports of ECCN 5E002 items to be used for technical assistance that are not released by Sec. 744.9 of the EAR, the name and address of the end-user; and (iv) The authorization number and the name of the item(s) exported. (3) Information on foreign manufacturers and products that use encryption items. For direct sales or transfers, under License Exception ENC, of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an open cryptographic interface to foreign developers or manufacturers when intended for use in foreign products developed for commercial sale, you must submit the names and addresses of the manufacturers using these encryption items and, if you know when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available). (4) Exclusions from reporting requirements. Reporting is not required for the following items and transactions: (i) Any encryption item to U.S. 
subsidiaries for internal company use; (ii) Encryption commodities or software with a symmetric key length not exceeding 64 bits; (iii) Retail products exported to individual consumers; (iv) Encryption items exported via free or anonymous download; (v) Encryption items from or to a U.S. bank, financial institution or their subsidiaries, affiliates, customers or contractors for banking or financial operations; (vi) Items that incorporate components limited to providing short-range wireless encryption functions; (vii) Retail operating systems, or desktop applications (e.g. e-mail, browsers, games, word processing, data base, financial applications or utilities) designed for, bundled with, or pre-loaded on single CPU computers, laptops or hand-held devices; (viii) Client Internet appliance and client wireless LAN cards; (ix) Foreign products developed by bundling or compiling of source code. (5) Submission requirements. You must submit the reports required under this section, semi-annually, to BIS, unless otherwise provided in this paragraph (e)(5). For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form to BIS. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at crypt@bis.doc.gov (with a copy to the ENC Encryption Request Coordinator at enc@ncsc.mil), or disks and CDs containing the reports may be mailed to the following addresses: (i) Department of Commerce, Bureau of Industry and Security, Office of Strategic Trade and Foreign Policy Controls, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: Encryption Reports. 
(ii) A copy of the report should be sent to: Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000. PART 742--[AMENDED] 19. Section 742.15 is revised to read as follows: [[Page 38866]] Sec. 742.15 Encryption items. Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected. Consistent with our international obligations as a member of the Wassenaar Arrangement, the United States has a responsibility to maintain control over the export and reexport of encryption items. As the President indicated in Executive Order 13026 and in his Memorandum of November 15, 1996, exports and reexports of encryption software, like exports and reexports of encryption hardware, are controlled because of this functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export or reexport may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR. (a) Licensing requirements and policy--(1) Encryption items controlled under ECCN 5A002, 5D002, or 5E002. (i) Licensing requirements. A license is required to export or reexport encryption items (``EI'') controlled under ECCN 5A002, 5D002 or 5E002 to all destinations, except Canada. Refer to part 740 of the EAR, for license exceptions that apply to certain encryption items, and to Sec. 772.1 of the EAR for definitions of encryption items and terms. 
Exporters must submit applications to obtain authorization under a license or an Encryption Licensing Arrangement for exports and reexports of encryption items that are not eligible for a license exception. (ii) Licensing policy. Applications will be reviewed on a case-by-case basis by BIS, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests. Exports of encryption items to governments, or Internet and telecommunications service providers for the provision of services specific to governments, may be favorably considered for civil uses, e.g., social or financial services to the public; civil justice; social insurance, pensions and retirement; taxes and communications between governments and their citizens. Encryption Licensing Arrangements may be authorized for exports and reexports of unlimited quantities of encryption items to all destinations, except countries listed in Country Group E:1 of Supplement No. 1 to part 740. Encryption Licensing Arrangements, including those which authorize exports and reexports of encryption technology to strategic partners (as defined in Sec. 772.1 of the EAR) of U.S. companies, are valid for four years and may require reporting. Applicants seeking authorization for Encryption Licensing Arrangements must specify the sales territory and class of end-user on their license applications. (2) Encryption items controlled under ECCN 5A992, 5D992, or 5E992. (i) Licensing requirements. Items controlled under ECCN 5A992, 5D992 or 5E992 are controlled for anti-terrorism (AT) reasons to countries listed in AT column 1 or AT column 2, as applicable, of the Commerce Country Chart (Supplement No. 1 to Part 738 of the EAR). A license also may be required to certain destinations or persons for other reasons specified elsewhere in the EAR (e.g., embargoes). 
In addition, these encryption items are subject to the notification or review requirements described in paragraph (b)(1) and (b)(2) of this section, unless specifically excluded by paragraph (b)(3) of this section. (ii) Licensing policy. Applications will be reviewed on a case-by-case basis by BIS, in conjunction with other agencies, to determine whether the export or reexport is consistent with U.S. national security and foreign policy interests. BIS does not authorize Encryption Licensing Arrangements for exports and reexports of encryption items to any of the countries listed in Country Group E:1 of Supplement No. 1 to Part 740 of the EAR. (b) Notification and review requirements for encryption items controlled under ECCN 5A992, 5D992 or 5E992. You may export and reexport encryption commodities, software and technology controlled under ECCN 5A992, 5D992 or 5E992 without a license (NLR: No License Required) to most destinations, in accordance with paragraph (a)(2) of this section, provided that you have met the notification and review requirements described in paragraphs (b)(1) and (b)(2) of this section. Certain encryption items controlled under ECCN 5A992, 5D992 or 5E992 may be exported or reexported without notification or review--these items are identified in paragraph (b)(3) of this section. In addition, no post-shipment reporting is required for encryption items controlled under ECCN 5A992, 5D992, or 5E992. See Sec. 732.5 of the EAR for Shipper's Export Declaration (SED), Destination Control Statements (DCS), and recordkeeping requirements for items exported and reexported without a license (NLR). (1) Notification requirement for specified encryption items. 
You may export and reexport encryption items controlled under ECCN 5A992, 5D992 or 5E992 and identified in this paragraph (b)(1) to most destinations without a license (NLR: No License Required), provided that you have submitted to BIS, by the time of export, the information described in paragraphs (a) through (e) of Supplement 6 to this part 742, and if applicable, specific information describing how your products qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR). Submit this notification to BIS by email, to crypt@bis.doc.gov, and also send a copy to the ENC Encryption Request Coordinator, at enc@ncsc.mil. If you are unsure as to whether your encryption items are eligible for export or reexport under this paragraph (b)(1), you should submit a request, to BIS and to the ENC Encryption Request Coordinator, for a review of your encryption items pursuant to the requirements of paragraph (b)(2) of this section (for mass market encryption commodities and software), or under the provisions of License Exception ENC (see Sec. 740.17 of the EAR). 
The following encryption items controlled by ECCN 5A992, 5D992, or 5E992 are eligible for export or reexport without a license, to most destinations, with notification only: (i) Up to (and including) 64-bit mass market encryption commodities and software; (ii) Encryption items (including key management products and company proprietary implementations) with key lengths not exceeding 56 bits for symmetric algorithms, 512 bits for asymmetric key exchange algorithms, and 112 bits for elliptic curve algorithms; (2) Review requirement for mass market encryption commodities and software exceeding 64 bits: Mass market encryption commodities and software employing a key length greater than 64 bits for the symmetric algorithm (including such products previously reviewed by BIS and exported under ECCN 5A002 or 5D002) remain subject to the EAR and require review by BIS, prior to export or reexport under this paragraph (b)(2). Encryption commodities and software that are not eligible as retail items under License Exception ENC do not qualify for mass [[Page 38867]] market treatment (see Sec. 740.17(b)(3) of the EAR for retail product eligibility under License Exception ENC.) (i) Procedures for requesting review. To request review of your mass market encryption products, you must submit to BIS and the ENC Encryption Request Coordinator the information described in paragraphs (a) through (e) of Supplement 6 to this part 742, and you must include specific information describing how your products qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2 (``Information Security''), of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR). Review requests must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, as described in Sec. 748.3 of the EAR. 
To ensure that your review request is properly routed, insert the phrase ``Mass market encryption'' in Block 9 (Special Purpose) of the application form and place an ``X'' in the box marked ``Classification Request'' in Block 5 (Type of Application)--Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. Review requests that are not submitted electronically to BIS should be mailed to the address indicated in Sec. 748.2(c) of the EAR. Submissions to the ENC Encryption Request Coordinator should be directed to the mailing address indicated in Sec. 740.17(e)(5)(ii) of the EAR. BIS will notify you if there are any questions concerning your request for review (e.g., because of missing or incomplete support documentation). (ii) Action by BIS. Once BIS has completed its review, you will receive written confirmation concerning the eligibility of your items for export or reexport as mass market encryption commodities or software controlled under ECCN 5A992 or 5D992. If, during the course of its review, BIS determines that your encryption items do not qualify for mass market treatment under the EAR, or are otherwise controlled under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will review your commodities or software for eligibility under License Exception ENC (see Sec. 740.17 of the EAR for review and reporting requirements for encryption items under License Exception ENC). BIS reserves the right to suspend your eligibility to export and reexport under the provisions of this paragraph (b)(2) and to return review requests, without action, if the requirements for review have not been met. (iii) Exports and reexports to government and non-government end-users. Immediately upon registration by BIS of your completed review request (``registration'' is defined in Sec. 
750.4(a)(2) of the EAR), you may export or reexport mass market encryption commodities and software exceeding 64 bits, under ECCNs 5A992 and 5D992, without a license (NLR: No License Required) to government and non-government end-users located in the countries listed in Supplement 3 to part 740 of the EAR. These mass market encryption products also may be exported or reexported, without a license (NLR), to most destinations (except those that require a license for AT reasons or for reasons described elsewhere in the EAR) for the internal use of foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in countries listed in Supplement 3 to part 740 of the EAR. Thirty days after BIS registers your review request, you may export or reexport these mass market encryption products, without a license, to government and non-government end-users located in most destinations outside the countries listed in Supplement 3 to part 740 of the EAR (certain destinations and persons may require a license for AT reasons or for reasons specified elsewhere in the EAR), unless otherwise notified by BIS (e.g., because of missing or incomplete support documentation, or conversion to License Exception ENC review). The thirty days may not include any time that your review request was on hold without action. See Sec. 772.1 of the EAR for the definition of ``government end-user'' as it applies to encryption items. (3) Exclusions from notification and review requirements. The following items and transactions do not require notification or review prior to export or reexport. However, a license may be required to export or reexport these items to certain destinations for AT reasons or for reasons set forth elsewhere in the EAR (e.g., embargoes). (i) Encryption items for U.S. subsidiaries. Encryption items controlled under ECCN 5A992, 5D992, or 5E992 that are exported to foreign subsidiaries of U.S. companies (as defined in Sec. 
772.1 of the EAR) for any end-use, including the development of new products, that is not prohibited elsewhere in the EAR. All items produced or developed by U.S. subsidiaries with encryption commodities, software and technology exported under this paragraph are subject to the EAR and require review and authorization before any sale or retransfer outside of the U.S. company. (ii) Mass market short-range wireless products. Mass market products that are controlled under ECCN 5A992 or 5D992 only because they incorporate components or software which provide short-range wireless encryption functions (e.g., wireless products with an operating range typically not exceeding 100 meters). (iii) Items with limited cryptographic functionality. Encryption items controlled under ECCN 5A992, 5D992, or 5E992 for which the use of cryptography is limited to cryptographic functions that are not controlled for ``EI'' reasons under the EAR (e.g. items with cryptographic functions limited to authentication or digital signature, execution of copy protected software, and ``finance specific'' items specially designed and limited for banking use or money transactions). These items are described in the Related Controls paragraph and the Technical Notes under ECCN 5A002 on the Commerce Control List (Supplement No. 1 to part 774 of the EAR), which are cross-referenced under ECCNs 5D002 and 5E002. (4) Commodities and software that activate or enable cryptographic functionality. Commodities, software, and components that allow the end-user to activate or enable cryptographic functionality in encryption products which would otherwise remain disabled, are controlled according to the functionality of the activated encryption product. The notification and review requirements enumerated in this paragraph (b) of this section apply to commodities, software and components which activate cryptographic functionality in encryption products controlled under ECCNs 5A992 and 5D992. (See Sec. 
740.17 of the EAR for review and reporting requirements for commodities, software and components that enable cryptographic functionality in encryption products controlled under ECCNs 5A002 and 5D002.) This paragraph (b)(4) does not authorize the export or reexport of any activated encryption product. Separate review or authorization of the enabled encryption product is required. (5) Examples of mass market encryption products. Subject to the requirements of the Cryptography Note (Note 3) in Category 5, Part 2, of the Commerce Control List, mass market encryption products include, but are not limited to, general purpose operating systems and desktop applications (e.g. e-mail, browsers, games, word processing, database, financial applications or utilities) designed for, bundled with, or pre-loaded on single CPU computers, laptops, or hand-held [[Page 38868]] devices; commodities and software for client Internet appliances and client wireless LAN devices; home use networking commodities and software (e.g. personal firewalls, cable modems for personal computers, and consumer set top boxes); portable or mobile civil telecommunications commodities and software (e.g. personal data assistants (PDAs), radios, or cellular products); and commodities and software exported via free or anonymous downloads. 20. Supplement No. 6 to part 742 is revised to read as follows: Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests for Encryption Items Review requests for encryption items must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, and supported by the documentation described in this Supplement, in accordance with the procedures described in Sec. 748.3 of the EAR. 
To ensure that your review request is properly routed, insert the phrase ``Mass market encryption'' or ``License Exception ENC'' (whichever is applicable) in Block 9 (Special Purpose) of the application form and place an ``X'' in the box marked ``Classification Request'' in Block 5 (Type of Application)--Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. BIS recommends that review requests be delivered via courier service to: Bureau of Industry and Security, U.S. Department of Commerce, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230. For electronic submissions via SNAP, you may fax a copy of the support documents to BIS at (202) 219-9179 or -9182 or you may deliver the documents via courier service to: Bureau of Industry and Security, Information Technology Controls Division, Room 2625, 14th Street and Pennsylvania Ave., NW. Washington, DC 20230. In addition, you must send a copy of your review request and all support documents to: Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Fort Meade, MD 20755-6000. For all review requests of encryption items, you must provide brochures or other documentation or specifications related to the technology, commodity or software, relevant product descriptions, architecture specifications, and as necessary for the review, source code. You also must indicate whether there have been any prior reviews of the product, if such reviews are applicable to the current submission. 
In addition, you must provide the following information in a cover letter accompanying your review request: (a) State the name of the encryption item being submitted for review; (b) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator; (c) For review requests for a commodity or software, provide the following information: (1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode). (2) State the key management algorithms, including modulus sizes, that are supported. (3) For products with proprietary algorithms, include a textual description and the source code of the algorithm. (4) Describe the pre-processing methods (e.g., data compression or data interleaving) that are applied to the plaintext data prior to encryption. (5) Describe the post-processing methods (e.g., packetization, encapsulation) that are applied to the cipher text data after encryption. (6) State the communication protocols (e.g., X.25, Telnet or TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards) that are supported. (7) Describe the encryption-related Application Programming Interfaces (APIs) that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use. (8) Describe whether the cryptographic routines are statically or dynamically linked, and the routines (if any) that are provided by third-party modules or libraries. Identify the third-party manufacturers of the modules or toolkits. (9) For commodities or software using Java byte code, describe the techniques (including obfuscation, private access modifiers or final classes) that are used to protect against decompilation and misuse. (10) State how the product is written to preclude user modification of the encryption algorithms, key management and key space. 
(11) For products that qualify as ``retail'', explain how the product meets the listed criteria in Sec. 740.17(b)(3) of the EAR. (12) For products which incorporate an open cryptographic interface as defined in part 772 of the EAR, describe the Open Cryptographic Interface. (d) For review requests regarding components, provide the following additional information: (1) Reference the application for which the components are used in, if known; (2) State if there is a general programming interface to the component; (3) State whether the component is constrained by function; and (4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier. (e) For review requests for source code, provide the following information: (1) If applicable, reference the executable (object code) product that was previously reviewed; (2) Include whether the source code has been modified, and the technical details on how the source code was modified; and (3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls. (f) For step-by-step instructions and guidance on submitting review requests for encryption items, visit our webpage at www.bis.doc.gov/Encryption and click on the navigation button labeled ``Guidance''. PART 748--[AMENDED] 21. Section 748.3 is amended by revising the section heading, by adding two new sentences at the end of paragraph (a), by removing paragraph (b)(3), and by adding a new paragraph (d), to read as follows: Sec. 748.3 Classification Requests, Advisory Opinions, and Encryption Review Requests. (a) * * * The encryption requirements in the EAR require that certain encryption items be reviewed by BIS in order for them to be eligible for export or reexport under License Exception ENC (see Sec. 740.17 of the EAR) or to be released from ``EI'' controls (see Sec. 742.15(b)(2) of the EAR). 
BIS makes its determination based on the submission of a review request prepared in accordance with the instructions in Supplement No. 6 to Part 742 of the EAR.

* * * * *

(d) Review requests for encryption items. A Department of Commerce review of encryption items transferred from the U.S. Munitions List consistent with Executive Order 13026 of November 15, 1996 (3 CFR, 1996 Comp., p. 228) and pursuant to the Presidential Memorandum of that date may be required to determine eligibility under License Exception ENC or for release from ``EI'' controls. Refer to Sec. 742.15(b) and Supplement 6 to part 742 of the EAR for instructions regarding mass market encryption commodities and software. Refer to Sec. 740.17 of the EAR for the provisions of License Exception ENC.

PART 770--[AMENDED]

22. Section 770.2 is amended by revising paragraph (n) to read as follows:

Sec. 770.2 Item interpretations.

* * * * *

(n) Interpretation 14: Encryption commodity and software reviews. Review of encryption commodities or software is required to determine the eligibility of certain encryption items under License Exception ENC (see Sec. 740.17 of the EAR) or to release certain encryption items from ``EI'' controls (see Sec. 742.15(b)(2) of the EAR). Note that subsequent bundling, patches, upgrades or releases, including name changes, may be exported or reexported under the applicable provisions of the EAR without further review as long as the functional encryption capacity of the originally reviewed product has not been modified or enhanced. This interpretation does not extend to products controlled under a different category on the CCL.

PART 772--[AMENDED]

23. Section 772.1 is amended by revising the definition of ``Cryptanalytic items'' to read as follows:

Sec. 772.1 Definitions of Terms as Used in the Export Administration Regulations (EAR).

* * * * *

``Cryptanalytic items''.
Systems, equipment, applications, specific electronic assemblies, modules and integrated circuits designed or modified to perform cryptanalytic functions, software having the characteristics of cryptanalytic hardware or performing cryptanalytic functions, or technology for the development, production or use of cryptanalytic commodities or software.

Notes: 1. Cryptanalytic functions may include cryptanalysis, which is the analysis of a cryptographic system or its inputs and outputs to derive confidential variables or sensitive data including clear text. (ISO 7498-2-1988(E), paragraph 3.3.18).

2. Functions specially designed and limited to protect against malicious computer damage or unauthorized system intrusion (e.g., viruses, worms and trojan horses) are not construed to be cryptanalytic functions.

* * * * *

PART 774--[AMENDED]

Supplement No. 1 to Part 774 (The Commerce Control List)--[Amended]

24. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5--Telecommunications and ``Information Security'', immediately following the heading II--``INFORMATION SECURITY'', is amended by revising Notes 2 and 3, and by adding a new Nota Bene (``N.B.''), immediately following Note 3, to read as follows:

Category 5--Telecommunications and ``Information Security''

* * * * *

Part 2--``Information Security''

* * * * *

Note 2: Category 5, part 2, encryption products, when accompanying their user for the user's personal use or as tools of trade, are eligible for License Exceptions TMP or BAG, subject to the terms and conditions of these License Exceptions.

Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
    1. Over-the-counter transactions;
    2. Mail order transactions;
    3. Electronic transactions; or
    4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user;
c. Designed for installation by the user without further substantial support by the supplier; and
d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note.

N.B. to Cryptography Note: Mass market encryption commodities and software eligible for the Cryptography Note are subject to the notification or review requirements described in Sec. 742.15(b)(1) and (b)(2) of the EAR, unless specifically excluded from these requirements by Sec. 742.15(b)(3) of the EAR. Mass market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with the requirements of Sec. 742.15(b)(2) of the EAR in order to be released from the ``EI'' and ``NS'' controls of ECCN 5A002 or 5D002. All other mass market commodities and software eligible for the Cryptography Note are controlled under ECCN 5A992 or 5D992 (without review) and may be exported or reexported to most destinations without a license, following notification, in accordance with the requirements of Sec. 742.15(b)(1) of the EAR.

* * * * *

25. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5--Telecommunications and ``Information Security'', Part 2--``Information Security'', is amended by revising ECCN 5D002 to read as follows:

5D002 Information Security--``Software''

License Requirements

Reason for Control: NS, AT, EI

------------------------------------------------------------------------
          Control(s)                          Country chart
------------------------------------------------------------------------
NS applies to entire entry.............  NS Column 1.
AT applies to entire entry.............  AT Column 1.
------------------------------------------------------------------------

``EI'' applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with Executive Order 13026 of November 15, 1996 (3 CFR, 1996 Comp., p. 228) and pursuant to the Presidential Memorandum of that date. Refer to Sec. 742.15 of the EAR.

Note: Encryption software is controlled because of its functional capacity, and not because of any informational value of such software; such software is not accorded the same treatment under the EAR as other ``software''; and for export licensing purposes, encryption software is treated under the EAR in the same manner as a commodity included in ECCN 5A002.

Note: Encryption software controlled for ``EI'' reasons under this entry remains subject to the EAR even when made publicly available in accordance with part 734 of the EAR. See Sec. 740.13(e) of the EAR for information on releasing certain source code (and corresponding object code) which would be considered publicly available from ``EI'' controls.

Note: After notification to BIS, 56-bit encryption items (including key management products not exceeding 512 bits) and up to (and including) 64-bit mass market encryption commodities and software are released from ``EI'' and ``NS'' controls. After a review by BIS, all other mass market encryption commodities and software eligible for the Cryptography Note also may be released from ``EI'' and ``NS'' controls. See Sec. 742.15(b)(1) and (b)(2) of the EAR.

License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

Unit: $ value.

Related Controls: This entry does not control ``software'' ``required'' for the ``use'' of equipment excluded from control under the Related Controls paragraph or the Technical Notes in ECCN 5A002 or ``software'' providing any of the functions of equipment excluded from control under ECCN 5A002. These items are controlled under ECCN 5D992.
Related Definitions: 5D002.a controls ``software'' designed or modified to use ``cryptography'' employing digital or analog techniques to ensure ``information security''.

Items:

a. ``Software'' specially designed or modified for the ``development'', ``production'', or ``use'' of equipment or ``software'' controlled by 5A002, 5B002, or 5D002.
b. ``Software'' specially designed or modified to support ``technology'' controlled by 5E002.
c. Specific ``software'' as follows:
    c.1. ``Software'' having the characteristics, or performing or simulating the functions of the equipment controlled by 5A002 or 5B002;
    c.2. ``Software'' to certify ``software'' controlled by 5D002.c.1.

Dated: May 30, 2002.

James J. Jochum,
Assistant Secretary for Export Administration.

[FR Doc. 02-13990 Filed 6-5-02; 8:45 am]

BILLING CODE 3510-33-P