On December 10, 2003, the Bureau of Industry and Security issued a final rule to revise the Commerce Control List, which regulates export of US technology. Below are excerpts involving encryption.

The full rule: http://cryptome.org/bis121003.txt

[Excerpts]

[Federal Register: December 10, 2003 (Volume 68, Number 237)]
[Rules and Regulations]
[Page 68975-68996]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10de03-13]

[[Page 68975]]

-----------------------------------------------------------------------

Part II

Department of Commerce

-----------------------------------------------------------------------

Bureau of Industry and Security

-----------------------------------------------------------------------

15 CFR Parts 740, 743, 772, and 774

December 2002 Wassenaar Arrangement Plenary Agreement Implementation: Categories 1, 2, 3, 4, 5, 6, and 7 of the Commerce Control List, and Reporting Requirements; Final Rule

[[Page 68976]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 740, 743, 772, and 774

[Docket No. 031017263-3263-01]
RIN 0694-AC85

December 2002 Wassenaar Arrangement Plenary Agreement Implementation: Categories 1, 2, 3, 4, 5, 6, and 7 of the Commerce Control List, and Reporting Requirements

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Industry and Security (BIS) maintains the Commerce Control List (CCL), which identifies items subject to Department of Commerce export controls.
This final rule revises certain entries controlled for national security reasons in Categories 1, 2, 3, 4, 5 Part I (telecommunications), 5 Part II (information security), 6, and 7 to conform with changes in the List of Dual-Use Goods and Technologies maintained and agreed to by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement). The Wassenaar Arrangement controls strategic items with the objective of improving regional and international security and stability. The purpose of this final rule is to make the necessary changes to the Commerce Control List to implement revisions to the Wassenaar List that were agreed upon in the December 2002 meeting, to make necessary revisions to reporting requirements and License Exception GOV restrictions, and to add a statement of understanding for medical equipment.

EFFECTIVE DATE: This rule is effective: December 10, 2003.

FOR FURTHER INFORMATION CONTACT: Patricia Muldonian, Office of Strategic Trade and Foreign Policy Controls, Bureau of Industry and Security, U.S. Department of Commerce at (202) 482-5400.

SUPPLEMENTARY INFORMATION:

Background

In July 1996, the United States and thirty-two other countries gave final approval to the establishment of a new multilateral export control arrangement, called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement). The Wassenaar Arrangement contributes to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations of such items.
Participating states have committed to exchange information on exports of dual-use goods and technologies to non-participating states for the purposes of enhancing transparency and assisting in developing common understandings of the risks associated with the transfers of these items.

This rule revises a number of national security controlled entries on the Commerce Control List (CCL) to conform with December 2002 revisions to the Wassenaar List of Dual-Use Goods and Technologies. This rule also revises language to provide a complete or more accurate description of controls. A detailed description of the revisions to the CCL is provided below.

Specifically, this rule makes the following amendments to the Commerce Control List:

*****

Category 5--Part II--Information Security

• ECCN 5A002 is amended by:
  (a) Moving and rearranging the text that describes what is not controlled in this entry from the Related Controls paragraph of the List of Items Controlled section to a Note in the beginning of the Item paragraph of the List of Items Controlled section;
  (b) Dividing the existing text in paragraph (a) of the note (regarding ``personalized smart cards'') into sub-paragraph 1 and a N.B.; and
  (c) Moving the related control note in paragraph 2 of the Related Definitions paragraph of the List of Items Controlled section to a N.B. following 5A002.a.

*****

List of Items Controlled

Unit: * * *

Related Controls: 5A002 does not control the items listed in paragraphs (a) through (f) in the Note in the items paragraph of this entry. These items are instead controlled under ECCN 5A992.

Related Definitions: N/A

Items:

Note: 5A002 does not control the following.
However, these items are instead controlled under 5A992:

(a) ``Personalized smart cards'':
    (1) Where the cryptographic capability is restricted for use in equipment or systems excluded from control paragraphs (b) through (f) of this Note; or
    (2) For general public-use applications where the cryptographic capability is not user-accessible and it is specially designed and limited to allow protection of personal data stored within.

    N.B.: If a ``personalized smart card'' has multiple functions, the control status of each function is assessed individually.

(b) Receiving equipment for radio broadcast, pay television or similar restricted audience broadcast of the consumer type, without digital encryption except that exclusively used for sending the billing or program-related information back to the broadcast providers.

(c) Equipment where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following:
    (1) Execution of copy-protected ``software'';
    (2) Access to any of the following:
        (a) Copy-protected contents stored on read-only media; or
        (b) Information stored in encrypted form on media (e.g., in connection with the protection of intellectual property rights) where the media is offered for sale in identical sets to the public; or
    (3) Copying control of copyright protected audio/video data.

(d) Cryptographic equipment specially designed and limited for banking use or money transactions;

(e) Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communications systems) that are not capable of end-to-end encryption.

    N.B.: The term ``money transactions'' includes the collection and settlement of fares or credit functions.
(f) Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (e.g., a single, unrelayed hop between terminal and home basestation) is less than 400 meters according to the manufacturer's specifications.

Technical Note: Parity bits are not included in the key length.

a. Systems, equipment, application specific ``electronic assemblies'', modules and integrated circuits for ``information security'', as follows, and other specially designed components therefor:

N.B.: For the control of global navigation satellite systems receiving equipment containing or employing decryption (e.g., GPS or GLONASS) see 7A005.

a.1. Designed or modified to use ``cryptography'' employing digital techniques performing any cryptographic function other than authentication or digital signature having any of the following:

Technical Notes:
1. Authentication and digital signature functions include their associated key management function.
2. Authentication includes all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.
3. ``Cryptography'' does not include ``fixed'' data compression or coding techniques.

Note: 5A002.a.1 includes equipment designed or modified to use ``cryptography'' employing analog principles when implemented with digital techniques.

a.1.a. A ``symmetric algorithm'' employing a key length in excess of 56-bits; or

a.1.b. An ``asymmetric algorithm'' where the security of the algorithm is based on any of the following:

a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);

a.1.b.2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or

a.1.b.3. Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);

a.2. Designed or modified to perform cryptanalytic functions;

a.3. [RESERVED]

a.4. Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards;

a.5. Designed or modified to use cryptographic techniques to generate the spreading code for ``spread spectrum'' systems, including the hopping code for ``frequency hopping'' systems;

a.6. Designed or modified to use cryptographic techniques to generate channelizing or scrambling codes for ``time-modulated ultra-wideband'' systems;

a.7. Designed or modified to provide certified or certifiable ``multilevel security'' or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;

a.8. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion.

*****

Supplement No. 3 to Part 774--Statements of Understanding

Statement of Understanding--medical equipment: Commodities that are ``specially designed for medical end-use'' that ``incorporate'' commodities or software on the Commerce Control List (Supplement No. 1 to part 774 of the EAR) that do not have a reason for control of Nuclear Nonproliferation (NP), Missile Technology (MT), or Chemical & Biological Weapons (CB) are designated by the number EAR99 (i.e., are not elsewhere specified on the Commerce Control List).

Notes applicable to State of Understanding related to Medical Equipment:

(1) ``Specially designed for medical end-use'' means designed for medical treatment or the practice of medicine (does not include medical research).

(2) ``Incorporate'' into medical equipment means to integrate with, or work indistinguishably into such equipment.

(3) Except for such software that is made publicly available consistent with Sec. 734.3(b)(3) of the EAR, commodities and software ``specially designed for medical end-use'' remain subject to the EAR.

(4) See also Sec. 770.2(b) interpretation 2, for other types of equipment that incorporate items on the Commerce Control List that are subject to the EAR.

(5) For computers used with medical equipment, see also ECCN 4A003 note 2 regarding the ``principal element'' rule.

(6) For commodities and software specially designed for medical end-use that incorporate an encryption or other ``information security'' item subject to the EAR, see also Note 1 to Category 5, Part II of the Commerce Control List.

*****