This is a mirror of: http://www.steptoe.com/commerce.htm
Thanks to Cindy Cohn <Cindy@mcglashan.com> for posting the pointer on Cyberia-L <cyberia-l@listserv.aol.com>.
No legal analysis is complete without a particularized review of the needs and circumstances of an individual client. This and other documents on the Steptoe & Johnson LLP web page are not to be treated or relied upon as legal advice or as creating a lawyer-client relationship. Most materials are not updated, but are maintained on the page because they are nonetheless likely to be of continuing interest.
The Administration has released, and is seeking informal comments on, a draft of the new Commerce Department regulations on encryption exports.
The new regulations create a new category of controls -- "EI" (which stands for "encryption items"). The regulations divide these encryption items into 5 categories and create different licensing schemes for each.
Certain mass-market encryption software may be released, after a one-time review, from normal EI controls and made eligible for mass market treatment (which includes eligibility for all the provisions of the Export Administration Regulations applicable to other software).
"Recovery" encryption software and equipment will be eligible for a license to export and reexport in unlimited quantities to all non-embargoed destinations. Applications for key recovery and key escrow products must identify a satisfactory key recovery agent with established security policies adequate to safeguard keys or other escrowed material.
56-bit DES or equivalent non-recovery encryption items will be eligible for 6-month export and reexport licenses after an initial review of the item and the submission of a satisfactory key recovery plan demonstrating a commitment to develop key recovery products and services. Licenses can be renewed for additional six month periods depending upon the applicant's adherence to benchmarks set out in the original plan. All licenses issued under this category will expire after December 31, 1998.
All other encryption items may be eligible for "encryption licensing arrangements." These arrangements are like the distribution arrangements currently available for encryption items at the State Department. Such arrangements may allow exports and reexports of encryption software and equipment in unlimited quantities to all non-embargoed destinations, but applications must specify the sales territory and classes of end-users. Such arrangements may also impose certain reporting requirements. Encryption items not approved for an encryption licensing arrangement may still be granted individual licenses on a case-by-case basis.
Encryption "technology" (e.g. technical data) may be licensed for export and reexport on a case-by-case basis.
As expected, the usual Commerce Department rules on foreign availability and de minimis content will not apply to encryption items. Similarly, controlled software will not be eligible for "publicly available" treatment, even if the source code or object code is published in a book or other media.
Other notable provisions of the new regulations include a "grandfather" provision for existing State Department licenses and arrangements; detailed rules concerning Internet distribution of encryption software; and a broad definition of "recoverable" encryption which includes items that allow access to unencrypted data without necessarily requiring access to the keys.
December 9, 1996
Billing Code: 3510-33-P
DEPARTMENT OF COMMERCE
Bureau of Export Administration
15 CFR Parts 732, 734, 740, 742, 744, 748, 750, 762, 768, 772, and 774
[Docket No. - ]
RIN: 0694-AB09
Encryption items transferred from the U.S. Munitions List to the Commerce
Control List.
AGENCY: Bureau of Export Administration, Commerce
ACTION: Interim rule.
SUMMARY: This interim rule amends the Export Administration Regulations
(EAR) by exercising jurisdiction over, and imposing new combined national
security and foreign policy controls on certain encryption items that were
on the United States Munitions List, consistent with Executive Order 13026
and a Presidential Memorandum, both issued by President Clinton on November
15, 1996.
On October 1, 1996, the Administration announced a plan to make it easier
for Americans to use stronger encryption products to protect their privacy,
intellectual property and other valuable information. The plan envisions
a worldwide key management infrastructure with the use of key recovery and
key escrow encryption items to promote electronic commerce and secure
communications while protecting national security and public safety. To provide
for a transition period for the development of this key management
infrastructure, this rule permits the export and reexport of 56-bit key length
DES or equivalent encryption items upon issuance by BXA of an initial license
valid for six months, if an exporter makes satisfactory commitments to build
and market recoverable encryption items and to help build the supporting
international infrastructure. This policy will apply to hardware and
software.
EFFECTIVE DATE: (THIS RULE IS EFFECTIVE: DATE OF PUBLICATION).
ADDRESSES: Written comments (six copies) should be sent to: Nancy
Crowe, Regulatory Policy Division, Bureau of Export Administration, Department
of Commerce, 14th Street and Pennsylvania Ave., N.W., Room 2705, Washington,
D.C. 20230.
FOR FURTHER INFORMATION CONTACT: James A. Lewis, Office of Strategic
Trade and Foreign Policy Controls, Telephone: (202) 482-0092.
SUPPLEMENTARY INFORMATION:
Background
On November 15, 1996, the President issued a Memorandum directing that all
encryption items controlled on the U.S. Munitions List, except those specifically
designed, developed, configured, adapted, or modified for military applications,
be transferred to the Commerce Control List. The Memorandum and Executive
Order 13026 (15 November 1996, 61 FR 58767) also set forth certain additional
provisions with respect to controls on such encryption items to be imposed
by the Department of Commerce. The Executive Order also provides for appropriate
controls on the export and foreign dissemination of encryption items controlled
on the U.S. Munitions List that are placed on the Commerce Control List.
In issuing the Memorandum the President stated:
Encryption products, when used outside the United States, can jeopardize
our foreign policy and national security interests. Moreover, such products,
when used by international criminal organizations, can threaten the safety
of U.S. citizens here and abroad, as well as the safety of the citizens of
other countries. The exportation of encryption products must be controlled
to further U.S. foreign policy objectives, and promote our national security,
including the protection of the safety of U.S. citizens abroad.
This initiative will make it easier for Americans to use stronger encryption
items to protect their privacy, intellectual property and other valuable
information. It will support the growth of electronic commerce, increase
the security of the global information infrastructure, and sustain the economic
competitiveness of U.S. encryption product manufacturers during the transition
to a key management infrastructure. Under this initiative, non-recoverable
encryption items up to 56-bit key length DES or equivalent strength will
be permitted for export and reexport after a one-time review of the item
and if the exporter makes satisfactory commitments to build and market
recoverable encryption items and to support an international key management
infrastructure. This policy will apply to hardware and software.
The relaxation of export and reexport controls on non-recoverable encryption
items up to 56-bit key length DES or equivalent strength will last until
January 1, 1999. The temporary relaxation of controls is one part of a broader
encryption policy initiative designed to promote electronic information security
and public safety.
The initiative carries out important foreign policy and national security
concerns identified by the President. Export controls on cryptographic items
are essential to controlling the spread abroad of powerful encryption products
which could be harmful to critical U.S. national security, foreign policy
and law enforcement interests. This initiative will preserve such controls
and foster the development of a key management infrastructure necessary to
protect important national security, foreign policy and law enforcement concerns.
This interim rule implements the Administration's policy on encryption exports.
This rule amends the Export Administration Regulations (EAR) by imposing
national security and foreign policy controls ("EI" for Encryption Items)
on certain information security systems and equipment, cryptographic devices,
software and components specifically designed or modified therefor, including
recoverable encryption software, and related technology ("encryption items").
"Encryption items" do not include encryption items specifically designed,
developed, configured, adapted or modified for military applications (including
command, control and intelligence applications). Such items remain on the
U.S. Munitions List, and continue to be controlled by the Department of State,
Office of Defense Trade Controls. EI controls apply to encryption software,
including recoverable encryption "software" transferred from the U.S. Munitions
List to the Commerce Control List pursuant to E.O. 13026 of November 15,
1996 (61 FR 58767).
This interim rule also amends the Export Administration Regulations to require
a license for exports and reexports to all destinations, except Canada, of
certain encryption items controlled for EI reasons. The licensing policy
is as follows:
(2) Recovery encryption software and commodities. Recovery encryption
software and equipment controlled for EI reasons under ECCN 5D002 or under
ECCN 5A002, including encryption equipment designed or modified to use
recoverable encryption software, may be released from "EI" controls and thereby
made eligible for license exception RSE after a one-time BXA review. License
exception RSE is valid for all destinations except Cuba, Iran, Iraq, Libya,
North Korea, Syria and Sudan. To determine eligibility, exporters must submit
a classification request to BXA. Requests for key escrow and key recovery
encryption items will receive favorable consideration provided that, prior
to the export or reexport, a key recovery agent satisfactory to BXA has been
identified (refer to new Supplement No. 4 to part 742) and security policies
for safeguarding the key(s) or other escrowed material/information as described
in new Supplement No. 5 to part 742 are established to the satisfaction of
BXA and are maintained after export or reexport as required by the EAR and
any license conditions. If the exporter or reexporter intends to be the key
recovery agent, then the exporter or reexporter must meet all of the requirements
of a key recovery agent identified in Supplement 5 to part 742. In addition,
the key recovery or key escrow system must meet the criteria identified in
Supplement No. 4 to part 742. Note that eligibility is dependent on continued
fulfilment of the requirements of a key recovery agent identified in Supplement
5.
(3) Non-recovery encryption items up to 56-bit key length DES or equivalent
strength supported by a satisfactory business and marketing plan for exporting
recoverable items and services. License applications from manufacturers
of non-recovery encryption items up to 56-bit key length DES or equivalent
strength will be approved for export and reexport by the Department of Commerce
upon the issuance of an export license valid for six months after an initial
BXA review of the item and the submission of a satisfactory business and
marketing plan that explains in detail the steps the applicant will take
during the two-year transition period beginning January 1, 1997 to develop,
produce, or market encryption items and services with recoverable features.
Any subsequent renewal is not automatic, and will depend on the applicant's
adherence to explicit benchmarks and milestones as set forth in the plan
submitted for the initial license application. This relaxation of controls
will last until January 1, 1999. The plan that is submitted with applications
for the export of non-recoverable encryption items up to 56-bit key length
DES or equivalent strength must include the elements in new Supplement No.
7 to part 742. Note that BXA will accept requests for export and reexport
of non-recoverable encryption items up to 56-bit key length DES or equivalent
strength under this paragraph from distributors, re-sellers, and other entities
that are not manufacturers of the encryption items. BXA will authorize exports
and reexports of such items only in instances where a license has been granted
to the manufacturer of the encryption items. The authority to so export or
reexport will be for a time period ending on the same day the producer's
authority to export or reexport ends.
(4) All other encryption items.
(ii) Applications for encryption items not authorized under an encryption
licensing arrangement. Applications for the export and reexport of all
other encryption items will be considered on a case-by-case basis.
(5) Applications for encryption technology. Applications for the export and reexport of encryption technology will be considered on a case-by-case basis.
Note that all "EI" encryption items are not subject to any mandatory decontrol or licensing requirements based on foreign availability provisions of the EAA or the EAR. In section 1(a) of Executive Order 13026, the President states:
I have determined that the export of encryption products described in this section may harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests. Accordingly, section 4(c) and 6(h)(2) - (4) of the Export Administration Act of 1979 ("the EAA") ..., all other analogous provisions of the EAA relating to foreign availability, and the regulations in the EAR relating to such EAA provisions, shall not be applicable with respect to export controls on such encryption products.
This interim rule amends part 768 of the EAR, Foreign Availability, to make
clear that the provisions of that part do not apply to encryption items
transferred to the Commerce Control List.
This interim rule also amends part 734 of the EAR to exclude encryption items
transferred from the U.S. Munitions List to the Commerce Control List pursuant
to E.O. 13026 (61 FR 58767, November 15, 1996) from the de minimis
provisions for items exported from abroad. This rule also amends part 734
of the EAR to reflect that certain encryption software controlled for EI
reasons under ECCN 5D002 that has been transferred to the Department of Commerce
from the Department of State by E.O. 13026 will be subject to the EAR even
when publicly available. Such encryption software in both source code and
object code remains subject to the EAR and is not eligible for publicly available
treatment even if published in a book or any other writing or media. This
rule also amends part 740 and Supplement No. 2 to part 774 of the EAR to
reflect that encryption software will not be eligible for "mass market" treatment
under the General Software Note or for export as beta-test software under
License Exception BETA unless released from EI controls through a one-time
BXA review (refer to new Supplement No. 6 to part 742). Note that License
Exception TMP is available for temporary exports and reexports of encryption
items except under the provisions for beta-test software. Software and technology
that was controlled by the Department of Commerce prior to [INSERT EFFECTIVE
DATE] are not affected by this rule and will continue to be eligible for
the publicly available treatment. Software controlled by the Department of
Commerce prior to [INSERT EFFECTIVE DATE] will continue to be eligible for
mass market treatment under the General Software Note, and License Exception
TSU for mass-market software.
For purposes of this rule, "recovery encryption products" refer to encryption
products (including software) which allow law enforcement officials to obtain
under proper legal authority and without the cooperation or knowledge of
the user, the plaintext of encrypted data and communications. Such recoverable
products fulfill the objectives of the Administration's encryption policy.
Other approaches to access and recovery may be defined in the future.
This interim rule also amends part 742 of the EAR to reflect the new combined
national security and foreign policy controls imposed by this rule, and adds
a new Supplement No. 4 to part 742 titled "Key Recovery or Key Escrow Products
Criteria" that includes product criteria, a new Supplement No. 5 to part
742 titled "Key Recovery or Key Escrow Agent Criteria" that includes interim
requirements for key recovery agents, a new Supplement No. 6 to part 742
titled "Guidelines for Submitting a Classification Request for a Mass Market
Software Product that contains Encryption" that includes the criteria for
the one-time review of classification requests for release of certain encryption
software from EI controls, and a new Supplement No. 7 to part 742 titled
"Review Criteria for Exporter Key Recovery or Key Escrow Development Plans."
This interim rule makes conforming changes in part 748 of the EAR for
classification requests, amends part 750 of the EAR to reflect the Department
of Justice role in the review of encryption license applications, amends
the record keeping provisions of part 762 of the EAR, adds new definitions
to part 772 of the EAR, and amends the Commerce Control List (Supplement
No. 1 to part 774) by adding new EI controls under ECCNs 5A002, 5D002, and
5E002 for commodities, software and technology that are placed under Commerce
Department jurisdiction by E.O. 13026.
In certain cases, semiannual reporting requirements on quantities shipped
and country of destination will be imposed on exporters, in order to allow
the United States to fulfill the reporting requirements of the Wassenaar
Arrangement.
The scope of controls on the release to foreign nationals of technology and
software subject to the EAR may be amended in a separate Federal Register
Notice.
This rule involves no new curtailment of exports, because the transfer or
removal of items from the United States Munitions List to the CCL maintains
a continuity of controls. Therefore, the provisions regarding the impact
of new controls do not apply, and contract sanctity also does not apply to
this imposition of controls.
U.S. persons holding valid USML licenses and other approvals issued by the
Department of State prior to (INSERT DATE OF PUBLICATION) may ship remaining
balances authorized by such licenses or approvals under the authority of
the EAR by filing Shippers Export Declarations (SEDs) with District Directors
of Customs, citing this Federal Register Notice and the State Department
license number. Such shipments shall be in accordance with the terms and
conditions, including the expiration date, existing at the time of issuance
of the State license. Any reports required for distribution and other types
of agreements previously authorized by the Department of State, valid at
the time of this publication, should be henceforth submitted to the Department
of Commerce. Export violations, including the terms and conditions of export,
shall hereafter constitute a violation of the EAR.
Consistent with the provisions of section 6 of the Export Administration
Act, a foreign policy report was submitted to Congress on (DATE OF
REPORT), notifying the Congress of the Department's intention to impose
controls on certain information security systems and equipment, cryptographic
devices, software and components specifically designed or modified therefor,
and related technology that will be controlled on the CCL and that will be
subject to new control procedures.
Although the Export Administration Act (EAA) expired on August 20, 1994,
the President invoked the International Emergency Economic Powers Act and
continued in effect, to the extent permitted by law, the provisions of the
EAA and the EAR in Executive Order 12924 of August 19, 1994, notice of August
15, 1995 (60 FR 42767), and notice of August 14, 1996
(60 FR 42527).
Rulemaking Requirements
1. This interim rule has been determined to be significant for purposes of E.O. 12866.
2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid OMB Control Number. This rule involves collections of information subject to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These collections have been approved by the Office of Management and Budget under control number 0694-0088.
3. This rule does not contain policies with Federalism implications sufficient to warrant preparation of a Federalism assessment under Executive Order 12612.
4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 5 U.S.C. or by any other law, the requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) are not applicable.
However, because of the importance of the issues raised by these regulations,
this rule is issued in interim form and comments will be considered in the
development of final regulations. Accordingly, the Department encourages
interested persons who wish to comment to do so at the earliest possible
time to permit the fullest consideration of their views.
The period for submission of comments will close (INSERT DATE 45 DAYS
AFTER DATE OF PUBLICATION). The Department will consider all comments
received before the close of the comment period in developing final regulations.
Comments received after the end of the comment period will be considered
if possible, but their consideration cannot be assured. The Department will
not accept public comments accompanied by a request that a part or all of
the material be treated confidentially because of its business proprietary
nature or for any other reason. The Department will return such comments
and materials to the person submitting the comments and will not consider
them in the development of final regulations. All public comments on these
regulations will be a matter of public record and will be available for public
inspection and copying. In the interest of accuracy and completeness, the
Department requires comments in written form.
Oral comments must be followed by written memoranda, which will also be a
matter of public record and will be available for public review and copying.
Communications from agencies of the United States Government or foreign
governments will not be made available for public inspection.
The public record concerning these regulations will be maintained in the
Bureau of Export Administration Freedom of Information Records Inspection
Facility, Room 4525, Department of Commerce, 14th Street and Pennsylvania
Avenue, N.W., Washington, D.C. 20230. Records in this facility, including
written public comments and memoranda summarizing the substance of oral
communications, may be inspected and copied in accordance with regulations
published in Part 4 of Title 15 of the Code of Federal Regulations. Information
about the inspection and copying of records at the facility may be obtained
from Margaret Cornejo, Bureau of Export Administration Freedom of Information
Officer, at the above address or by calling (202) 482-5653.
List of Subjects
15 CFR part 734
15 CFR parts 732, 740, 748, 750, and 768
Administrative practice and procedure, Exports, Foreign trade, Reporting and Record keeping requirements.
15 CFR parts 742, 772, and 774
Exports, Foreign trade.
15 CFR part 744
15 CFR part 762
Accordingly, parts 732, 734, 740, 742, 744, 748, 750, 762, 768, 772, and
774 of the Export Administration Regulations (15 CFR Parts 730-799) are amended
as follows:
2. The authority citation for 15 CFR part 734 continues to read as
follows:
3. The authority citation for 15 CFR part 740 continues to read as follows:
4. The authority citation for 15 CFR part 742 continues to read as follows:
5. The authority citation for 15 CFR part 744 continues to read as follows:
6. The authority citation for 15 CFR part 748 continues to read as follows:
7. The authority citation for 15 CFR part 750 continues to read as follows:
9. The authority citation for 15 CFR part 768 continues to read as follows:
10. The authority citation for 15 CFR part 772 continues to read as follows:
11. The authority citation for 15 CFR part 774 continues to read as follows:
PART 732 - [AMENDED]
732.2 Steps regarding scope of the EAR.
(a) * * *
(b) * * * Note that encryption items controlled for EI reasons under ECCN
5D002 on the Commerce Control List (refer to Supplement No. 1 to Part 774
of the EAR) shall be subject to the EAR even if they are publicly available.
Accordingly, the provisions of the EAR concerning the public availability
of items are not applicable to encryption items controlled for "EI" reasons
under ECCN 5D002.
PART 734 - [AMENDED]
734.2 Important EAR terms and principles.
(a) * * *
(b) * * *
(B) The access control system provides every requesting or receiving party
with notice that the transfer includes or would include cryptographic software
subject to export controls under the Export Administration Act, and that
anyone receiving such a transfer cannot export the software without a license;
and
(C) Every party requesting or receiving a transfer of such software must
acknowledge affirmatively that he or she understands that the cryptographic
software is subject to export controls under the Export Administration Act,
and that anyone receiving the transfer cannot export the software without
a license; or
(ii) Takes other precautions, approved in writing by the Bureau of Export Administration, to prevent transfer of such software outside the U.S. without a license.
b. By adding a new paragraph (b)(2)(ii); and
c. By revising paragraph (b)(3) to read as follows:
734.3 Items subject to the EAR.
* * * * *
(b) * * *
(ii) Encryption software controlled for "EI" reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774), including cryptographic source code, remains subject to the EAR. Note that the publicly available provisions of the EAR are not applicable to encryption items controlled for "EI" reasons under ECCN 5D002 on the Commerce Control List (refer to Supplement No. 1 to part 774 of the EAR).
* * * * *
15. Section 734.4 is amended by revising paragraph (b) and revising paragraph
(h) to read as follows:
734.4 De minimis U.S. content.
* * * * *
(b) There is no de minimis level for the reexport of foreign-origin
items that incorporate the following:
(2) "Information security" systems and equipment, cryptographic devices, software and components specifically designed or modified therefor, and related technology controlled for "EI" reasons under ECCN 5A002 and ECCN 5D002. Certain mass market encryption software may become eligible for de minimis only after a one-time BXA review (refer to 742.15(b)(1)).
* * * * *
(h) Notwithstanding the provisions of paragraphs (c) and (d) of this section,
U.S.-origin technology controlled by ECCN 9E003a.1 through a.12, and .f,
and related controls, and encryption software controlled for "EI" reasons
under ECCN 5D002 or encryption technology controlled for "EI" reasons under
ECCN 5E002 do not lose their U.S.-origin when redrawn, used, consulted, or
otherwise commingled abroad in any respect with other software or technology
of any other origin. Therefore, any subsequent or similar software or technology
prepared or engineered abroad for the design, construction, operation, or
maintenance of any plant or equipment, or part thereof, which is based on
or uses any such U.S.-origin software or technology is subject to the EAR.
734.7 Published information and software.
* * * * *
(b) Software and information is published when it is available for general
distribution either for free or at a price that does not exceed the cost
of reproduction and distribution. See Supplement No. 1 to this part, Questions
G(1) through G(3). Note that encryption software controlled under ECCN 5D002
for "EI" reasons on the Commerce Control List (refer to Supplement No. 1
to part 774 of the EAR) remains subject to the EAR even when publicly available.
Accordingly, such encryption software in both source code and object code
remains subject to the EAR even if published in a book or any other writing
or media.
734.8 Information resulting from fundamental research.
(a) * * * Note that fundamental research provisions of this section do not
apply to encryption software in both source code and object code controlled
under ECCN 5D002 for "EI" reasons on the Commerce Control List (refer to
Supplement No. 1 to part 774 of the EAR).
734.9 Educational information.
"Educational information" referred to in 734.3(b)(3)(iii) of this part is
not subject to the EAR if it is released by instruction in catalog courses
and associated teaching laboratories of academic institutions. Dissertation
research is discussed in 734.8(b) of this part. (Refer to Supplement No.
1 to this part, Question C(1) through C(6)). Note that the educational
information provisions of this section do not apply to encryption software
in both source code and object code controlled under ECCN 5D002 for "EI"
reasons on the Commerce Control List (refer to Supplement No. 1 to part 774
of the EAR).
SUPPLEMENT NO. 1 TO PART 734 - QUESTIONS AND ANSWERS - TECHNOLOGY AND SOFTWARE
SUBJECT TO THE EAR
This Supplement No. 1 contains explanatory questions and answers relating
to technology and software that is subject to the EAR. It is intended to
give the public guidance in understanding how BXA interprets this part, but
is only illustrative, not comprehensive. In addition, facts or circumstances
that differ in any material way from those set forth in the questions or
answers will be considered under the applicable provisions of the EAR. Exporters
should note that the provisions of this supplement do not apply to encryption
items transferred from the U.S. Munitions List to the Commerce Control List
pursuant to E.O. 13026 of November 15, 1996 (61 FR 58767). See 742.15 of
the EAR. This Supplement is divided into nine sections according to topic
as follows:
* * * * *
PART 740 - LICENSE EXCEPTIONS
740.8 Recoverable software and equipment (RSE).
(a) Scope. License Exception RSE authorizes the export and reexport
of certain recovery encryption software and equipment.
(b) Eligible software and equipment. Eligible items are recovery
encryption software and equipment controlled under ECCNs 5A002 or 5D002 and
released from "EI" controls as a result of a one-time BXA review. You may
initiate this review by submitting a classification request for your product
in accordance with paragraph (d) of this section.
(c) Eligible destinations. License Exception RSE is available for
all destinations except Country Groups E:1 and E:2 (see Supplement No. 1
to part 740), Iran, Syria, and Sudan.
(d) Additional eligibility requirements. Classification requests for recovery encryption software and equipment must meet the following criteria:
(ii) Key recovery agents must meet the criteria identified in Supplement
No. 5 to part 742 of the EAR;
(iii) Key recovery agents must implement the security policies and key
recovery/key escrow procedures identified in Supplement No. 5 to part 742
of the EAR;
(iv) Key recovery agents must comply with all applicable EAR Record keeping
requirements, including record retention requirements; and
(v) Key recovery agents must carry out the key holding obligations as approved by BXA, and any violation of any of the key holding obligations shall also constitute a violation of the EAR. Note that the key recovery agent's continuing compliance with key recovery agent requirements and key safeguard procedures is a condition for use of License Exception RSE. The exporter or reexporter, whether that person is the key recovery agent or not, must submit a new classification request to BXA if there are any changes (e.g., termination, replacement, additions) to the previously approved key recovery agent.
* * * * *
(c) * * *
* * * * *
(b) * * *
(B) Items identified on the Commerce Control List as controlled for missile
technology (MT), chemical and biological warfare (CB), or nuclear
nonproliferation (NP) reasons;
(C) Regional stability items controlled under Export Control Classification
Numbers (ECCNs) 6A002, 6A003, 6D102, 6E001, 6E002, 7D001, 7E001, 7E002, and
7E101 as described in 742.6(a)(1) of the EAR; or
(D) Encryption items controlled for EI reasons as described in the Commerce
Control List.
* * * * *
740.13 Technology and software - unrestricted.
* * * * *
(d) General Software Note: "mass market" software. * * *
PART 742 - [AMENDED]
742.15 Encryption items.
(a) License requirements. Licenses are required for all destinations,
except Canada, for ECCNs having an "EI" under the "Control(s)" paragraph.
Such items include: encryption commodities controlled under ECCN 5A002;
encryption software controlled under ECCN 5D002; and encryption technology
controlled under ECCN 5E002. (Refer to part 772 of the EAR for the definition
of "encryption"). For encryption items previously on the U.S. Munitions List
and currently authorized for export or reexport under a State Department
license, distribution arrangement or any other authority of the State Department,
U.S. persons holding valid USML licenses and other approvals issued by the
Department of State prior to [INSERT EFFECTIVE DATE] may ship remaining balances
authorized by such licenses or approvals under the authority of the EAR by
filing Shippers Export Declarations (SEDs) with District Directors of Customs,
citing this Federal Register Notice and the State Department license number.
Such shipments shall be in accordance with the terms and conditions, including
the expiration date, existing at the time of issuance of the State license.
Violations of such authorizations, terms and conditions constitute violations
of the EAR. Any reports required for distribution and other types of agreements
previously authorized by the Department of State, valid at the time of this
publication, should be henceforth submitted to BXA at the following address:
Office of Strategic Trade and Foreign Policy Controls
Bureau of Export Administration
Department of Commerce
14th Street and Pennsylvania Ave., N.W.
Room 2705
Washington, D.C. 20230
(b) Licensing policy. The following licensing policies apply to items
identified in paragraph (a) of this section. Except as otherwise noted,
applications will be reviewed on a case-by-case basis to determine whether
the export or reexport is consistent with U.S. national security and foreign
policy interests.
(2) Key Escrow, Key Recovery and Recovery encryption software and
commodities. Recovery encryption software and equipment controlled for
EI reasons under ECCN 5D002 or under ECCN 5A002, including encryption equipment
designed or modified to use recoverable encryption software, may be released
from "EI" controls and thereby made eligible for license exception RSE after
a one-time BXA review. License exception RSE is valid for all destinations
except Cuba, Iran, Iraq, Libya, North Korea, Syria and Sudan. To determine
eligibility, exporters must submit a classification request to BXA. Requests
for recoverable products which allow law enforcement officials to obtain,
under proper legal authority and without the cooperation or knowledge of
the user, the plaintext of the encrypted data and communications will receive
favorable consideration. Key escrow and key recovery encryption items
will receive favorable consideration provided that, prior to the export or
reexport, a key recovery agent satisfactory to BXA has been identified (refer
to new Supplement No. 4 to part 742) and security policies for safeguarding
the key(s) or other escrowed material/information as described in new Supplement
No. 5 to part 742 are established to the satisfaction of BXA and are maintained
after export or reexport as required by the EAR and any license conditions.
If the exporter or reexporter intends to be the key recovery agent, then
the exporter or reexporter must meet all of the requirements of a key recovery
agent identified in Supplement 5 to part 742. In addition, the key recovery
or key escrow system must meet the criteria identified in Supplement No.
4 to part 742. Note that eligibility is dependent on continued fulfilment
of the requirements of a key recovery agent identified in Supplement 4.
(3) Non-recovery encryption items up to 56-bit key length DES or equivalent
strength supported by a satisfactory business and marketing plan for exporting
recoverable items and services for export.
(ii) BXA will make a determination on such license applications within 15
days of receipt. Export and reexports of non-recoverable encryption items
up to 56-bit key length DES or equivalent strength, under a license approved
under the provisions of this paragraph (b)(3), will be authorized for six
months from date of issuance of the license, and such authority may be renewed
in six month increments extending through December 31, 1998 after BXA reviews
and approves a satisfactory progress report related to the ongoing plan submitted
by the applicant. For such extensions, the applicant must submit a letter
to BXA requesting approval of the progress report and an extension of the
validity period of the license not to exceed six months. Licenses approved
under this paragraph will not be valid after December 31, 1998. Note that
BXA will accept requests for export and reexport of non-recoverable encryption
items up to 56-bit key length DES or equivalent strength under this paragraph
from distributors, re-sellers, and other entities that are not manufacturers
of the encryption items. BXA will authorize exports and reexports of such
items only in instances where a license has been granted to the manufacturer
of the encryption items. The authority to export or reexport under the provisions
of this paragraph will be for a time period ending on the same day the producer's
authority to export or reexport ends.
(4) All other encryption items.
(ii) Applications for encryption items not authorized under an encryption
licensing arrangement. Applications for the export and reexport of all
other encryption items will be considered on a case-by-case basis.
(5) Applications for encryption technology. Applications for the export
and reexport of encryption technology will be considered on a case-by-case
basis.
(c) Contract sanctity. Contract sanctity provisions are not available
for license applications reviewed under this section.
(d) [Reserved]
* * * * * * *
SUPPLEMENT NO. 4 TO PART 742 - KEY RECOVERY OR KEY ESCROW PRODUCTS CRITERIA
Key Recovery Feature.
(1) The key(s) or other escrowed material/information required to decrypt
ciphertext shall be accessible through a key recovery feature.
(2) The product's cryptographic functions shall be inoperable until the key(s)
or other escrowed material/information is recoverable through an identified
key recovery agent that satisfies the criteria in Supplement No. 5 to Part
742.
(3) The output of the product shall automatically include, in an accessible
format and with a reasonable frequency, the identity of the key recovery
agent(s) and information sufficient for the key recovery agent(s) to identify
the key(s) or other escrowed material/information required to decrypt the
ciphertext.
(4) The product's key recovery functions shall allow access to the key(s)
or other escrowed material/information needed to decrypt the ciphertext
regardless of whether the product generated or received the ciphertext.
(5) The product's key recovery functions shall allow for the recovery of
all required decryption key(s) or other escrowed material/information during
a period of authorized access without requiring repeated presentations of
access authorization to the key recovery agent(s).
Interoperability Feature
(6) The product's cryptographic functions shall interoperate with:
(ii) Non-key recovery products only when the key recovery product permits
access to the key(s) or other escrowed material/information needed to decrypt
ciphertext generated or received by the key recovery product.
Design, Implementation and Operational Assurance
(7) The product shall be resistant to efforts to disable or circumvent the
attributes described in criteria one through six.
(8) The product's cryptographic function's key(s) or other escrowed
material/information shall be escrowed with a key recovery agent(s) (who
may be a key recovery agent(s) internal to the user's organization) acceptable
to BXA in conjunction with other government agencies, pursuant to the criteria
in Supplement No. 5 to Part 742.
SUPPLEMENT NO. 5 TO PART 742 - KEY RECOVERY OR KEY ESCROW AGENT CRITERIA
KEY RECOVERY AGENT REQUIREMENTS; SECURITY POLICIES; KEY RECOVERY OR KEY ESCROW
PROCEDURES
This Supplement sets forth criteria that the Department of Commerce will
use to approve key recovery agents to support approval of the export or reexport
of key recovery encryption items controlled for EI reasons under ECCNs 5A002
and 5D002. Any arrangements between the exporter or reexporter and the key
recovery agent must reflect the provisions contained in this Supplement in
a manner satisfactory to BXA and other agencies. This Supplement outlines
the criteria for employing key recovery agent personnel for key recovery
procedures. An applicant for a license to export or reexport key recovery
items shall provide, or cause the proposed key recovery agent to provide,
to BXA sufficient information concerning any proposed key recovery agent
arrangements to permit BXA's evaluation, in conjunction with other agencies,
of the key recovery agent's security policies, key recovery procedures, and
suitability and trustworthiness to maintain the confidentiality of the key(s)
or other escrowed material/information. The key recovery agent, who must
be approved by BXA, may be the applicant for the export or reexport license
or another party legally obligated to the applicant to provide escrow services.
BXA retains the right, in addition to any other remedies, to revoke export
or reexport licenses if BXA, in conjunction with other agencies, determines
that a key recovery agent no longer meets these criteria. The requirements
related to the suitability and trustworthiness, security policies, and key
recovery procedures of the key recovery agent shall be made terms and conditions
of the export or reexport license for key recovery items. BXA shall require
the key recovery agent to provide a representation that it will comply with
such terms and conditions.
Key Recovery Agent Requirements
(1) A key recovery agent must identify by name, date and place of birth,
and social security number, individual(s) who:
b. have access to key(s) or other escrowed material/information, or
c. have access to information concerning requests for key(s) or other escrowed
material/information, or
d. respond to requests for key(s) or other escrowed material/information,
or
e. are in control of the key recovery agent and have access or authority to obtain key(s) or other escrowed material/information,
and must certify that such individual(s) meet the requirements of subparagraph
(i) or (ii) of this paragraph. BXA, in conjunction with other agencies, reserves
the right to determine at any time the suitability and trustworthiness of
such individual(s). Evidence of an individual's suitability and trustworthiness
shall include:
(i) Information indicating that the individual(s):
(A) Has no criminal convictions of any kind or pending criminal charges of any kind;
(B) Has not breached fiduciary responsibilities (e.g., has not violated any surety or performance bonds); and
(C) Has favorable results of a credit check; or,
(ii) Information that the individual(s) has an active U.S. government security clearance of Secret or higher issued or updated within the last five years.
(2) The key recovery agent shall timely disclose to BXA when an individual
no longer meets the requirements of subparagraphs (a)(1)(i) or (ii).
(3) A key recovery agent must, during the life of the license, identify to
BXA by name, date and place of birth, and social security number any new
individual(s) who will assume the responsibilities set forth in paragraph
(a)(1) of this Supplement. Before that individual(s) assumes such
responsibilities, the key recovery agent must certify to BXA that the
individual(s) meets the criteria set forth in subparagraphs (a)(1)(i) or
(ii) of this Supplement. BXA, in conjunction with other agencies, reserves
the right to determine at any time the suitability and trustworthiness of
such personnel.
(4) If ownership or control of a key recovery agent is transferred, no export
may take place under previously issued approvals until the successor key
recovery agent complies with the criteria of this Supplement.
(5) Use of key recovery agents located outside the U.S. is permitted if
acceptable to BXA, in consultation with the host government, as
appropriate.
(6) Key recovery agents shall submit suitable evidence of the key recovery
agent's corporate viability and financial responsibility (e.g., a certificate
of good standing from the state of incorporation, credit reports, and
errors/omissions insurance).
(7) Key recovery agents shall disclose to BXA any of the following which
have occurred within the ten years prior to the application:
(ii) material adverse civil fraud judgments or settlements; and
(iii) debarments from federal, state, or local government contracting.
The applicant shall also timely disclose to BXA any of the foregoing occurring
during the life of the license.
(8) Key recovery agent(s) shall designate an individual(s) to be the security
and operations officer(s).
(9) A key recovery agent may be internal to a user's organization and may
consist of one or more individuals. BXA may approve such key recovery agents
if sufficient information is provided to demonstrate that appropriate safeguards
will be employed in handling key recovery requests from government entities.
These safeguards should ensure: (i) the key recovery agent's structural
independence from the rest of the organization; (ii) security; and (iii)
confidentiality.
Security Policies
(1) Key recovery agents must implement security policies that assure the
confidentiality, integrity, and availability of the key(s) or other escrowed
material/information required for decryption.
(i) Procedures to assure confidentiality shall include:
(B) Applying reasonable measures to limit access to the escrow database
(e.g. using keyed or combination locks on the entrances to escrow facilities and limiting the personnel with knowledge of or access to the keys/combinations).
(ii) Procedures to assure the integrity of the escrow database (i.e. assuring the key(s) and other escrowed material/information are protected against unauthorized changes) shall include the use of access controls such as database password controls, digital signatures, system auditing, and physical access restrictions.
(iii) Procedures to assure the availability of the escrow database (i.e. assuring that key(s) and other escrowed material/information are retrievable at any time) shall include system redundancy, physical security, and the use of cryptography to control access.
(2) Policies and procedures shall be designed and operated so that a failure
by a single person, procedure, or mechanism does not compromise the
confidentiality, integrity and availability of key(s) or other escrowed
material/information. Security policies and procedures may include, but are
not limited to, multi-person control of access to recoverable keys, split
keys, and back-up capabilities.
(3) Key recovery agents shall implement policies that protect against
unauthorized disclosure of information regarding whose encryption material
is stored, the fact that key(s) or other escrowed material/information was
requested or provided, and the identity of a requester. Procedures to assure
the confidentiality of this information shall include those described in
subparagraph (b)(1)(i).
(4) Key recovery agents shall provide to BXA prompt notice of a compromise
of a security policy or of the confidentiality of key(s) or other escrowed
material/information.
Key Recovery Procedures
(1) Key recovery agents shall maintain the ability to make the key(s) or
other escrowed material/information available until notified otherwise by
BXA. Key recovery agents shall make requested key(s) or other escrowed
material/information available, to the extent required by the request, within
two hours from the time they receive a request from a government agency acting
under appropriate legal authority.
(2) Key recovery agents shall maintain data regarding key recovery requests
received, release of key(s) or other escrowed key recovery material/information,
database changes, system administration access, and dates of such events
for purposes of audits by BXA, in conjunction with other agencies.
(3) In the event that:
(ii) BXA, in conjunction with other agencies, determines that there is a
risk of such dissolution or termination, or
(iii) BXA, in conjunction with other agencies, determines that the key recovery
agent is no longer suitable or trustworthy,
the key recovery agent must transfer all key recovery equipment, key(s) and/or
other material/information, key recovery database, and all administrative
information necessary to its key recovery operations to another key recovery
agent approved by BXA, in conjunction with other agencies.
SUPPLEMENT NO. 6 TO PART 742 - GUIDELINES FOR SUBMITTING A CLASSIFICATION
REQUEST FOR A MASS MARKET SOFTWARE PRODUCT THAT CONTAINS ENCRYPTION
Classification requests for release of certain mass market encryption software
from EI controls must be submitted on Form BXA-748P, in accordance with 748.3.
To expedite review of the request, clearly mark the envelope "Attn.: Mass
Market Encryption Software Classification Request". In addition, the Bureau
of Export Administration recommends that such requests be delivered via courier
service to:
Bureau of Export Administration
Office of Exporter Services
Room 2705
14th Street and Pennsylvania Ave., N.W.
Washington, D.C. 20230
(a) Requests for mass market encryption software that meet the criteria in
paragraph (a)(2) of this Supplement will be processed in seven (7) working
days from receipt of a properly completed request. Those requests for mass
market encryption software that meet the criteria of paragraph (a)(1) of
this Supplement only will be processed in fifteen (15) working days from
receipt of a properly completed request. When additional information is
requested, the request will be processed within 15 working days of the receipt
of the requested information.
(ii) The software must be designed for installation by the user without further
substantial support by the supplier. Substantial support does not include
telephone (voice only) help line services for installation or basic operation,
or basic operation training provided by the supplier; and
(iii) The software includes encryption for data confidentiality.
(2) A mass market software product that meets all the criteria established in this paragraph will be processed in seven working days from receipt of the properly completed request:
(ii) The data encryption algorithm must be RC4 and/or RC2 with a key space
no longer than 40 bits. The RC4 and RC2 algorithms are proprietary to RSA
Data Security, Inc. To ensure that the subject software is properly licensed
and correctly implemented, contact RSA Data Security, (415)595-8782;
(iii) If both RC4 and RC2 are used in the same software, their functionality
must be separate. That is, no data can be operated on by both routines;
(iv) The software must not allow the alteration of the data encryption mechanism
and its associated key spaces by the user or any other program;
(v) The key exchange used in data encryption must be:
(B) A symmetrical algorithm with a key space less than or equal to 64 bits;
and
(vi) The software must not allow the alteration of the key management mechanism
and its associated key space by the user or any other program.
(b) Instructions for the preparation and submission of a classification request
that is eligible for seven day handling are as follows:
(2) Upon receipt of the test vector, the applicant must encrypt the test
plain text input provided using the commodity's encryption routine (RC2 and/or
RC4) with the given key value. The applicant should not pre-process the test
vector by any compression or any other routine that changes its format. Place
the resultant test cipher text output in hexadecimal format on an attachment
to form BXA-748P.
(3) You must provide the following information in a cover letter to the
classification request:
(ii) State that you have reviewed and determined that the software subject
to the classification request meets the criteria of paragraph (a)(2) of this
Supplement;
(iii) State the name of the single software product being submitted for review.
A separate classification request is required for each product;
(iv) State how the software has been written to preclude user modification
of the encryption algorithm, key management mechanism, and key space;
(v) Provide the following information for the software product:
(B) Pre-processing information of plain text data before encryption (e.g.
the addition of clear text header information or compression of the data);
(C) Post-processing information of cipher text data after encryption (e.g.
the addition of clear text header information or packetization of the encrypted
data);
(D) Whether a public key algorithm or a symmetric key algorithm is used to
encrypt keys and the applicable key space;
(E) For classification requests regarding source code:
(2) Include whether the source code has been modified by deleting the encryption
algorithm, its associated key management routine(s), and all calls to the
algorithm from the source code, or by providing the encryption algorithm
and associated key management routine(s) in object code with all calls to
the algorithm hidden. You must provide the technical details on how you have
modified the source code;
(3) Include a copy of the sections of the source code that contain the encryption
algorithm, key management routines, and their related calls; and
(F) Provide any additional information which you believe would assist in
the review process.
(c) Instructions for the preparation and submission of a classification request
that is eligible for 15 day handling are as follows:
Attn.: 15 day Encryption Request Coordinator
P.O. Box 246
Annapolis Junction, MD 20701-0246
(2) You must provide the following information in a cover letter to the classification request:
(i) Clearly state at the top of the page "Mass market Software and Encryption - 15 Day Expedited Review Requested";
(ii) state that you have reviewed and determined that the software subject of the classification request meets the criteria of paragraph (a)(1) of this Supplement;
(iii) state the name of the single software product being submitted for review. A separate classification request is required for each product;
(iv) state that a duplicate copy, in accordance with paragraph (c)(1) of this Supplement, has been sent to the 15 day Encryption Request Coordinator; and
(v) ensure that the information provided includes brochures or other documentation or specifications relating to the software, as well as any additional information which you believe would assist in the review process.
(3) Contact the Bureau of Export Administration on (202) 482-0092 prior to submission of the classification to facilitate the submission of proper documentation.
SUPPLEMENT NO. 7 TO PART 742 - REVIEW CRITERIA FOR EXPORTER KEY RECOVERY
OR KEY ESCROW DEVELOPMENT PLANS
1. In exchange for specific commitments from exporters to help build and
support a global key management infrastructure (through development, production
and marketing of recovery products and services), we will permit these companies
to export non-recoverable encryption items with 56-bit key length DES, or
equivalent, encryption items as we now permit the export of certain mass
market encryption software (i.e. rapid review, flexible licensing) for a
maximum of two years. Companies' commitments should be in the form of a letter
from senior corporate management (i.e. an officer of the company) confirming
the corporate commitment and providing (in the letter or in attachments)
the information specified below.
2. Issuance of an initial export license valid for six months will be based
on an initial BXA review in conjunction with other government agencies, and
the submission to and approval by BXA (after appropriate interagency review)
of a plan that explains in detail the steps the applicant will take to develop,
produce or market recoverable encryption products or services. Proposed recovery
products and services will be evaluated against technical criteria which
are found in Supplement No. 4 to this part.
3. Any subsequent six-month renewal is not automatic, and is subject to adherence
to explicit benchmarks and milestones as set forth in the plan submitted
for the initial license. Review will entail assessment by appropriate government
agencies, at intervals not to exceed six months, to determine if the licensee
is showing acceptable progress in meeting the milestones set forth in the
exporter's plan.
4. For the initial license, the applicant must commit to implementing a key
escrow, key recovery or recoverable products and services development plan
based on the following elements:
Criteria for Exporters
5. In its initial application, the applicant must describe its business and
marketing plan for developing key recovery, recoverable or key escrow products
and services during the two year transition period. The plan must describe
specific actions (including, to the extent applicable, research and development,
testing, production, distribution and marketing achievements and goals) and
the kinds and magnitude of resources expected to be committed under the plan.
In addition, the plan must describe how the applicant will make the transition
within two years from the export of 56-bit non-key recovery or non-key escrow
products and services to the export of key recovery, recoverable or key escrow
products and services.
6. By January 1, 1998, or within six months from receiving the initial approval
for export (whichever is later), the applicant will indicate the arrangements
for export purposes made for key recovery or key escrow (which may be internal
to the company) acceptable to BXA. Criteria for key recovery or key escrow
agents are in Supplement No. 5 to part 742.
7. The initial plan submitted by the exporter will provide the basis for
the review and approval of the initial license and any subsequent renewals
during the two year transition period. Exporters may amend the plan as needed
during the course of this period, subject to review.
Criteria for Non-Manufacturing Exporters
8. An initial license will be granted for export of non recovery products
and services only if the manufacturer of those products has submitted, and
had approved according to the criteria above, a plan to develop key recovery,
recoverable or key escrow products or services.
Additional Factors
9. An applicant may, at its discretion, provide other information to indicate
commitment to the development of a key management infrastructure, such as:
e. Public support for a key management infrastructure.
PART 744 - [AMENDED]
25. Part 744 is amended by adding a new 744.9 to read as follows:
744.9 Restrictions on activities of U.S. persons with respect to certain
encryption items.
(a) General prohibition. No U.S. person (as defined in paragraph (c)
of this section) may, without a license from BXA, knowingly provide assistance
to foreign persons, including providing training, to manufacture or to export
encryption items transferred from the U.S. Munitions List to the Commerce
Control List (Supplement No. 1 to part 774 of the EAR) pursuant to Executive
Order 13026. This provision does not apply to any activity involving such
encryption items that have been licensed or otherwise authorized by the BXA.
(b) Procedures for informing persons by BXA. BXA may inform U.S. persons,
either individually or through amendment to the EAR, that a license or other
authorization is required because an activity could involve the types of
assistance described in paragraph (a) of this section. When such notification
is provided orally, it will be followed by a written notification within
two working days signed by the Deputy Assistant Secretary for Export
Administration. The absence of any such notification does not excuse the
U.S. person from compliance with the license requirements of paragraph (a)
of this section.
(c) Definition of U.S. person. For purposes of this section, the term
U.S. person includes:
(2) Any juridical person organized under the laws of the United States or
any jurisdiction within the United States, including foreign branches; and
(3) Any person in the United States.
(d) License review standards. Applications involving activities described
in section 744.9 will be reviewed on a case-by-case basis to determine whether
the activity is consistent with U.S. national security and foreign policy
interests.
PART 748 - [AMENDED]
26. Section 748.3 is amended by adding a new paragraph (b)(3) to read as
follows:
748.3 Classification and Advisory Opinions.
* * * * *
(b) * * *
PART 750 - [AMENDED]
b. By revising the first sentence of the paragraph (b)(2) to include "Justice";
c. By redesignating paragraph (b)(2)(iv) as (b)(2)(v); and
d. By adding a new paragraph (b)(2)(iv) to read as follows:
750.3 Review of license applications by BXA and other government agencies
and departments.
(a) * * *
(b) * * *
* * * * *
PART 762 - [AMENDED]
762.2 Records to be retained.
(a) * * *
(b) * * *
PART 768 - [AMENDED]
* * * * *
30. In 768.3, a new sentence is added at the end of paragraph (a) to read
as follows:
(a) * * * The effect of any such determination on the effectiveness of foreign policy controls may be considered independent of this part.
PART 772 - [AMENDED]
* * * * *
Advisory Committee on Export Policy (ACEP). The ACEP voting members
include the Assistant Secretary of Commerce for Export Administration, and
Assistant Secretary-level representatives from the Departments of State,
Defense, Justice (for encryption exports), Energy, and the Arms Control and
Disarmament Agency. The appropriate representatives of the Joint Chiefs of
Staff and the Director of the Nonproliferation Center of the Central Intelligence
Agency are non-voting members. The Assistant Secretary of Commerce for Export
Administration is the Chair. Appropriate acting Assistant Secretary, Deputy
Assistant Secretary or equivalent of any agency or department may serve in
lieu of the Assistant Secretary of the concerned agency or department. Such
representatives, regardless of rank, will speak and vote on behalf of their
agencies or departments. The ACEP may invite Assistant Secretary-level
representatives of other Government agencies or departments (other than those
identified above) to participate in the activities of the ACEP when matters
of interest to such agencies or departments are under consideration. Decisions
are made by majority vote.
* * * * *
Encryption items. The phrase encryption items includes all
encryption commodities, software, and technology that contain encryption
features and are subject to the EAR. This does not include encryption items
specifically designed, developed, configured, adapted or modified for military
applications (including command, control and intelligence applications)
which are controlled by the Department of State on the U.S. Munitions
List.
* * * * *
Commodity. Any article, material, or supply except technology and software. Note that the provisions of the EAR applicable to the control of software (e.g. publicly available provisions) are not applicable to encryption software. Encryption software is controlled because, like the items controlled under ECCN 5A002, it has a functional capacity to encrypt information on a computer system, and not because of any informational or theoretical value that such software may reflect, contain or represent, or that its export may convey to others abroad.
* * * * *
Encryption source code. A precise set of operating instructions to
a computer that, when compiled, allows for the execution of a cryptographic
function on a computer.
Encryption Object Code. Reserved.
Encryption Software. Reserved.
* * * * *
Export Administration Review Board (EARB). EARB voting members are
the Secretary of Commerce, the Secretary of State, the Secretary of Defense,
the Secretary of Energy, the Attorney General (for encryption exports), and
the Director of the Arms Control and Disarmament Agency. The Chairman of
the Joint Chiefs of Staff and the Director of Central Intelligence are non-voting
members. The Secretary of Commerce is the Chair of the EARB. No alternate
EARB members may be designated, but the acting head or deputy head of any
agency or department may serve in lieu of the head of the concerned agency
or department. The EARB may invite the heads of other Government agencies
or departments (other than those identified above) to participate in the
activities of the EARB when matters of interest to such agencies or departments
are under consideration. Decisions are made by majority vote.
* * * * *
Operating Committee (OC). The OC voting members include representatives
of appropriate agencies in the Departments of Commerce, State, Defense, Justice
(for encryption exports), and Energy and the Arms Control and Disarmament
Agency. The appropriate representatives of the Joint Chiefs of Staff and
the Director of the Nonproliferation Center of the Central Intelligence Agency
are non-voting members. The Department of Commerce representative, appointed
by the Secretary, is the Chair of the OC and serves as the Executive Secretary
of the Advisory Committee on Export Policy. The OC may invite representatives
of other Government agencies or departments (other than those identified
above) to participate in the activities of the OC when matters of interest
to such agencies or departments are under consideration.
* * * * *
PART 774 - [AMENDED]
5A002 Systems, equipment, application specific "electronic assemblies", modules or integrated circuits for "information security", and specially designed components therefor.
License Requirements
Reason for Control: NS, AT, EI
Control(s)                      Country Chart
NS applies to entire entry      NS Column 1
AT applies to entire entry      AT Column 1
EI applies only to encryption items transferred from the U.S. Munitions List
to the Commerce Control List pursuant to E.O. 13026 of November 15, 1996
(61 FR 58767). Refer to 742.15.
License Exceptions
LVS: N/A
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items:
a. Designed or modified to use "cryptography" employing digital techniques to ensure "information security";
b. Designed or modified to perform cryptanalytic functions;
c. Designed or modified to use "cryptography" employing analog techniques
to ensure "information security";
Note: 5A002.c does not control the following:
2. Equipment using "fixed" band scrambling exceeding 8 bands and in which
the transpositions change not more frequently than once every ten seconds;
3. Equipment using "fixed" frequency inversion and in which the transpositions
change not more frequently than once every second;
4. Facsimile equipment;
5. Restricted audience broadcast equipment; and
6. Civil television equipment;
d. Designed or modified to suppress the compromising emanations of
information-bearing signals;
Note: 5A002.d does not control equipment specially designed to suppress
emanations for reasons of health and safety.
e. Designed or modified to use cryptographic techniques to generate the spreading
code for "spread spectrum" or hopping code for "frequency agility" systems;
f. Designed or modified to provide certified or certifiable "multilevel security"
or user isolation at a level exceeding Class B2 of the Trusted Computer System
Evaluation Criteria (TCSEC) or equivalent;
g. Communications cable systems designed or modified using mechanical, electrical
or electronic means to detect surreptitious intrusion.
Note: 5A002 does not control:
2. When restricted for use in equipment or systems excluded from control
under the note to 5A002.c, or under paragraphs b through h of this note.
b. Equipment containing "fixed" data compression or coding techniques;
c. Receiving equipment for radio broadcast, pay television or similar restricted
audience television of the consumer type, without digital encryption and
where digital decryption is limited to the video, audio or management functions;
d. Portable or mobile radiotelephones for civil use (e.g., for use with
commercial civil cellular radiocommunications systems) that are not capable
of end-to-end encryption;
e. Decryption functions specially designed to allow the execution of
copy-protected "software", provided the decryption functions are not
user-accessible;
f. Access control equipment, such as automatic teller machines, self-service
statement printers or point of sale terminals, that protects password or
personal identification numbers (PIN) or similar data to prevent unauthorized
access to facilities but does not allow for encryption of files or text,
except as directly related to the password or PIN protection;
g. Data authentication equipment that calculates a Message Authentication
Code (MAC) or similar result to ensure no alteration of text has taken place,
or to authenticate users, but does not allow for encryption of data, text
or other media other than that needed for the authentication;
h. Cryptographic equipment specially designed and limited for use in machines
for banking or money transactions, such as automatic teller machines,
self-service statement printers or point of sale terminals
* * * * *
5D002 Information Security "Software"
License Requirements
Reason for Control: NS, AT, EI
Control(s)                      Country Chart
NS applies to entire entry      NS Column 1
AT applies to entire entry      AT Column 1
EI controls apply to encryption software, including recoverable encryption "software" transferred from the U.S. Munitions List to the Commerce Control List pursuant to E.O. 13026 of November 15, 1996 (61 FR 58767). Refer to 742.15 of the EAR.
Note: Encryption software is controlled because of its functional capacity,
and not because of any informational value of such software; that such software
is not accorded the same treatment under the EAR as other "software"; and
for export licensing purposes encryption software is treated under the EAR
as a commodity included in ECCN 5A002. License Exceptions for commodities
do not apply.
Note: Encryption software controlled for EI reasons under this entry remains
subject to the EAR even when made publicly available in accordance with 734.7
of the EAR, and it is not eligible for the General Software Note ("mass market"
treatment under License Exception TSU for mass market software). After a
one-time BXA review, certain encryption software may be released from EI
controls and made eligible for the General Software Note treatment as well
as other provisions of the EAR applicable to software. Refer to 742.15(b)(1)
of the EAR, and Supplement No. 6 to part 742.
License Exceptions
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Items:
a. "Software" specially designed or modified for the "development", "production"
or "use" of equipment or "software" controlled by 5A002, 5B002 or 5D002.
b. "Software" specially designed or modified to support "technology" controlled
by 5E002.
c. Specific "software" as follows:
c.2. "Software" to certify "software" controlled by 5D002.c.1;
c.3. "Software" designed or modified to protect against malicious computer
damage, e.g., viruses;
NOTE: 5D002 does not control:
a. "Software" "required" for the "use" of equipment excluded from control under the Note to 5A002;
b. "Software" providing any of the functions of equipment excluded from control
under the Note to 5A002.
5E002 "Technology" according to the General Technology Note for the
"development", "production" or use of equipment controlled by 5A002 or 5B002
or "software" controlled by 5D002.
License Requirements
Reason for Control: NS, AT, EI
Control(s)                      Country Chart
NS applies to entire entry      NS Column 1
AT applies to entire entry      AT Column 1
EI controls apply only to encryption technology transferred from the U.S.
Munitions List pursuant to E.O. 13026 of November 15, 1996 (61 FR 58767).
Refer to 742.15 of the EAR.
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: N/A
The list of items controlled is contained in the ECCN heading.
SUPPLEMENT NO. 2 TO PART 774 - GENERAL TECHNOLOGY AND SOFTWARE NOTES
* * * * *
2. Mail order transactions; or
3. Telephone call transactions; and
b. Designed for installation by the user without further substantial support
by the supplier.
Note: License Exception TSU for mass market software does not apply to encryption
software controlled for EI reasons under ECCN 5D002. Encryption software
may become eligible after a one-time BXA review according to the provision
of 742.15(b)(1) of the EAR.
DATED:
Sue E. Eckert
Assistant Secretary for
Export Administration
Copyright 1996 Steptoe & Johnson LLP
Steptoe & Johnson LLP grants permission for the contents of this publication to be reproduced and distributed in full free of charge, provided that: (i) such reproduction and distribution is limited to educational and professional non-profit use only (and not for advertising or other use); (ii) the reproductions or distributions make no edits or changes in this publication; and (iii) all reproductions and distributions include the name of the author(s) and the copyright notice(s) included in the original publication. Requests for permission to copy portions of the document should be directed to: wbatterton@steptoe.com
Thanks to Steptoe & Johnson.