15 C.F.R. § 740.17 Encryption commodities and software (ENC).
Title 15 - Commerce and Foreign Trade
Subject to the eligibility criteria and restrictions described in paragraphs (a), (b) and (f) of this section, License Exception ENC is available for the export and reexport of: commodities and software controlled by ECCNs 5A002.a.1, .a.2, .a.5, and .a.6, 5B002, and 5D002 that do not meet the “mass market” criteria of the Cryptography Note (Note 3) of Category 5, part 2 (“Information Security”) of the Commerce Control List (Supplement No. 1 to part 774 of the EAR); technology controlled by ECCN 5E002; and certain technical assistance as described in §744.9 of the EAR. The initial export or reexport of an encryption commodity or software under paragraphs (b)(2) or (b)(3) of this section is subject to a 30 day waiting period, as described in paragraph (d)(2) of this section. In addition, persons exporting or reexporting under paragraphs (a), (b)(2) or (b)(3) of this section must file the semi-annual reports required by paragraph (e) of this section. Review request procedures for encryption items eligible for License Exception ENC are described in paragraph (d) of this section (e.g., for items that have not previously been reviewed, or for items that have been reviewed but for which the cryptographic functionality has been changed). See §742.15(b)(2) of the EAR for similar review procedures for “mass market” encryption commodities and software. (a) Exports, reexports, and technical assistance to countries listed in Supplement No. 3 to this part. This paragraph (a) authorizes export or reexport of items controlled under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002, or 5E002, and provision of technical assistance described in §744.9 of the EAR, to end-users in countries listed in Supplement No. 3 to part 740 of the EAR. This paragraph also authorizes exports or reexports to foreign subsidiaries and offices of end-users headquartered in Canada or in countries listed in Supplement No. 3 to part 740. In addition, the transaction must meet the terms of paragraphs (a)(1), (a)(2), or (a)(3) of this section. (1) Internal development of new products. No prior review is required for exports or reexports of U.S. origin encryption items or related technical assistance under this paragraph (a) to private sector end-users that are headquartered in Canada or in countries listed in Supplement No. 3 to part 740, for internal use for the development of new products by those end-users and their offices or subsidiaries. Any encryption item produced or developed with an item exported or reexported under this paragraph (a)(1) is subject to the EAR and requires review and authorization before any sale or retransfer outside of the private sector end-user that developed it. In this paragraph (a)(1), private sector end-user means: (i) An individual who is not acting on behalf of any foreign government; or (ii) A commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, or otherwise controlled by or acting on behalf of, any foreign government. (2) Items previously reviewed by the U.S. Government. No additional U.S. Government review is required under this paragraph (a) for export or reexport of encryption commodities or software or parts or components thereof that, prior to October 19, 2000, were authorized for export or reexport under a license or Encryption Licensing Arrangement, or were reviewed and authorized for export and reexport to entities other than U.S. subsidiaries under License Exception ENC. No additional U.S. Government review is required under this paragraph for export or reexport of encryption technology that, prior to October 19, 2000, was approved for export or reexport under a license or Encryption Licensing Arrangement. (3) Other transactions. For any use not described in paragraph (a)(1) of this section, before you export or reexport any item or related technical assistance that has not been previously reviewed by the U.S. Government and authorized under this paragraph (a), you must submit a review request in accordance with paragraph (d) of this section. (b) Exports and reexports to countries not listed in supplement No. 3 to this part—(1) Encryption items for U.S. subsidiaries. This paragraph (b)(1) authorizes export, or reexport or items controlled under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002 or 5E002: (i) To any “U.S. subsidiary”; and (ii) By a U.S. company and its subsidiaries to foreign nationals who are employees, contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the development of new products. (iii) General restriction. All items produced or developed with commodities, software or technology exported under this paragraph (b)(1) are subject to the EAR and require review and authorization before sale or transfer outside the U.S. company and its subsidiaries. (2) Encryption commodities and software restricted to non-“government end-users.” This paragraph (b)(2) authorizes the export and reexport of items described in §740.17(b)(2)(iii) of the EAR that do not provide an “open cryptographic interface” and that are controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002 to individuals, commercial firms, and other entities that are not “government end-users” and that are not located in a country listed in Supplement No. 3 to this part. In addition, the transaction must meet the provisions of either §740.17(b)(2)(i) or (ii) of the EAR. (i) Commodities and software previously reviewed by the U.S. Government. No additional U.S. Government review is required under this paragraph (b)(2) for export or reexports of encryption commodities or software or parts or components thereof that, prior to October 19, 2000, were authorized for export or reexport under a license or Encryption Licensing Arrangement, or were reviewed and authorized for export and reexport to entities other than U.S. subsidiaries under License Exception ENC. (ii) Other commodities and software not previously reviewed. Before exporting or reexporting any item that has not been reviewed by the U.S. Government and authorized under this paragraph (b)(2), you must submit a review request in accordance with paragraph (d) of this section and wait until 30 days after that request is registered (as defined in §750.4(a)(2) of the EAR) with BIS. Days during which the review request is on “hold without action” status are not counted towards fulfilling the 30 day waiting period. (iii) The encryption commodities, software and components eligible for export or reexport under this paragraph (b)(2) (see paragraph (b)(3) of this section for commodities, software and components not listed in this paragraph (b)(2)(iii)) are: (A) Network infrastructure commodities and software, and parts and components thereof (including commodities and software necessary to activate or enable cryptographic functionality in network infrastructure products) providing secure Wide Area Network (WAN), Metropolitan Area Network (MAN), Virtual Private Network (VPN), satellite, cellular or trunked communications meeting any of the following with key lengths exceeding 64-bits for symmetric algorithms: (1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput (includes communications through wireless network elements such as gateways, mobile switches, controllers, etc.) greater than 44 Mbps.; or (2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-channel input data rate exceeding 44 Mbps; or (3) Maximum number of concurrent encrypted data tunnels or channels exceeding 250; or (4) Air-interface coverage (e.g., through base stations, access points to mesh networks, bridges, etc.) exceeding 1,000 meters, where any of the following applies: (i) Maximum data rates exceeding 5 Mbps (at operating ranges beyond 1,000 meters); or (ii) Maximum number of concurrent full-duplex voice channels exceeding 30; or (iii) Substantial support is required for installation or use. (B) Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in §740.13(e)(1) of the EAR. (C) Encryption commodities or software that do not provide an “open cryptographic interface”, but that have: (1) Been modified or customized for government end-user(s) or government end-use (e.g. to secure departmental, police, state security, or emergency response communications); or (2) Cryptographic functionality that has been modified or customized to customer specification; or (3) Cryptographic functionality or “encryption component” (except encryption software that would be considered publicly available, as that term is used in §740.13(e)(1) of the EAR) that is user-accessible and can be easily changed by the user. (D) “Cryptanalytic items”; or (E) Encryption commodities and software that provide functions necessary for quantum cryptography; or (F) Encryption commodities and software that have been modified or customized for computers controlled by ECCN 4A003. (3) Encryption commodities, software and components available to both “government end-users” and to non-“government end-users”. This paragraph authorizes export and reexport of commodities, software and components controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, or 5D002. To be eligible under this paragraph (b)(3) the requirements of paragraphs (b)(3)(i) and (b)(3)(ii) must be met. (i) The commodities or software must not: (A) Provide an “open cryptographic interface”; or (B) Be listed in paragraph (b)(2) of this section. (ii) Review and authorization requirement. (A) Commodities and software previously reviewed by the U.S. Government. Encryption commodities, software and components reviewed and authorized by BIS for export and reexport as “retail” commodities or software under this paragraph (b)(3) prior to December 9, 2004 do not require additional review or authorization for export or reexport under this paragraph. (B) Other commodities and software not previously reviewed. Before exporting or reexporting any item that has not been reviewed by the U.S. Government and authorized under this paragraph (b)(3), you must submit a review request in accordance with paragraph (d) of this section and wait until 30 days after that request is registered (as defined in §750.4(a)(2) of the EAR) with BIS. Days during which the review request is on “hold without action” are not counted towards fulfilling the 30 day waiting period. (4) Exemptions from the 30 day waiting period and review requirements. (i) Exemptions from the 30 day waiting period. Items listed in this paragraph (b)(4)(i) may be exported or reexported under authority of paragraphs (b)(2) or (b)(3) immediately upon filing the review requests required by those paragraphs provided all other requirements for export or reexport under the paragraph being relied upon are met. (A) Encryption commodities and software (including key management products) with key lengths not exceeding 64 bits for symmetric algorithms, 1024 bits for asymmetric key exchange algorithms, and 160 bits for elliptic curve algorithms; (B) Encryption source code that would not be considered publicly available for export or reexport under License Exception TSU, provided that a copy of your source code is included in the review request to BIS and the ENC Encryption Request Coordinator. (ii) Exemptions from the review requirement. The following products do not require review under this license exception, but remain subject to the EAR (including all terms and provisions of this license exception, and all licensing requirements that may apply to a particular item or transaction for reasons other than encryption): (A) Commodities and software that would not otherwise be controlled under Category 5 (telecommunications and “information security”) of the Commerce Control List, but that are controlled under ECCN 5A002 or 5D002 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with an operating range typically not exceeding 100 meters); (B) Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits (or otherwise designed to operate with U.S. products, e.g., via signing), provided that the U.S.-origin encryption items (and related technical assistance, as described in §744.9 of the EAR) have previously been reviewed and authorized by BIS and the cryptographic functionality has not been changed. (c) Reexports and transfers. U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or reexport meets the applicable terms and conditions of this section. Transfers of encryption items listed in paragraph (b) of this section to government end-users, or for government end-uses, within the same country are prohibited, unless otherwise authorized by license or license exception. Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits remain subject to the EAR, but do not require review (for encryption reasons) by BIS. These products can be exported or reexported under License Exception ENC without notification and without further authorization (for encryption reasons) from BIS. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface. (d) Review request procedures. To request review of your encryption items under License Exception ENC (e.g., for items that have not previously been reviewed, or for items that have been reviewed but for which the cryptographic functionality has been changed), you must submit to BIS and to the ENC Encryption Request Coordinator the information described in paragraph (d)(1) of this section and in paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR (Guidelines for Submitting Review Requests for Encryption Items). (1) Instructions for requesting review. Review requests must be submitted on Form BIS–748P (Multipurpose Application), or its electronic equivalent, as described in §748.3 of the EAR. To ensure that your review request is properly routed, insert the phrase “License Exception ENC” in Block 9 (Special Purpose) of the paper or electronic application. Also, place an “X” in the box marked “Classification Request” in Block 5 (Type of Application) of Form BIS–748P or select “Commodity Classification” if filing electronically. Neither the electronic nor paper forms provide a separate Block to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. Review requests that are not submitted electronically to BIS should be mailed to the address indicated on the BIS–748P form. See paragraph (e)(5)(ii) of this section for the mailing address for the ENC Encryption Request Coordinator. (2) Action by BIS. Upon completion of its review, BIS will send you written notice of the provisions, if any, of this section under which your items may be exported or reexported. If BIS has not, within 30 days of registration of a complete review request from you, informed you that your item is not authorized for License Exception ENC, you may export or reexport under the applicable provisions of License Exception ENC. BIS may hold your review request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate determination with respect to ENC eligibility. Time on such “hold without action” status shall not be counted towards fulfilling the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility for License Exception ENC at any time, before or after the expiration of the 30 day waiting period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. If you do not supply such information within 14 days after receiving a request for it from BIS, BIS may return your review request(s) without action or otherwise suspend or revoke your eligibility to use License Exception ENC for that item(s). At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS, and may be approved if BIS concludes that additional time is necessary. (3) Key length increases. Commodities and software that are modified only to upgrade the key length used for confidentiality or key exchange algorithms (after having been reviewed and authorized for License Exception ENC by BIS) may be exported or reexported under the previously authorized provision of License Exception ENC without further review, provided: (i) The exporter or reexporter certifies to BIS and the ENC Encryption Request Coordinator that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms; (ii) The certification includes the original authorization number issued by BIS and the date of issuance; (iii) The certification is received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and (iv) The certification is e-mailed to [email protected] and [email protected]. (e) Reporting requirements—(1) Semi-annual reporting requirement. Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada, under this license exception. Certain encryption items and transactions are excluded from this reporting requirement (see paragraph (e)(4) of this section). For instructions on how to submit your reports, see paragraph (e)(5) of this section. (2) General information required. Exporters must include all of the following applicable information in their reports: (i) For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end-user's name and address; (ii) For items exported (or reexported from Canada) to individual consumers through direct sale (provided the transaction is not exempted from reporting under paragraph (e)(4)(iii) or (e)(4)(iv) of this section), the name and address of the recipient, the item, and the quantity exported; (iii) For exports of ECCN 5E002 items to be used for technical assistance that are not released by §744.9 of the EAR, the name and address of the end-user; and (iv) For each item, the authorization number and the name of the item(s) exported (or reexported from Canada). (3) Information on foreign manufacturers and products that use encryption items. For direct sales or transfers, under License Exception ENC, of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an “open cryptographic interface” to foreign developers or manufacturers when intended for use in foreign products developed for commercial sale, you must submit the names and addresses of the manufacturers using these encryption items and, if you know when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available). (4) Exclusions from reporting requirements. Reporting is not required for the following items and transactions: (i) Any encryption item exported or reexported under paragraph (a)(1) or (b)(1) of this section; (ii) Encryption commodities or software with a symmetric key length not exceeding 64 bits; (iii) Encryption commodities and software authorized under paragraph (b)(3) of this section, exported (or reexported from Canada) to individual consumers; (iv) Encryption items exported (or reexported from Canada) via free and anonymous download; (v) Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations; (vi) Items that incorporate components limited to providing short-range wireless encryption functions; (vii) General purpose operating systems, or desktop applications (e.g., e-mail, browsers, games, word processing, data base, financial applications or utilities) authorized under paragraph (b)(3) of this section; (viii) Client Internet appliance and client wireless LAN cards; or (ix) Foreign products developed by bundling or compiling of source code. (5) Submission requirements. You must submit the reports required under this section, semi-annually, to BIS and to the ENC Encryption Request Coordinator, unless otherwise provided in this paragraph (e)(5). For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at [email protected] and to the ENC Encryption Request Coordinator at [email protected], or disks and CDs containing the reports may be sent to the following addresses: (i) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: Encryption Reports, and (ii) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755–6000. (f) Restrictions. Notwithstanding any language elsewhere in this section, License Exception ENC does not authorize: (1) Any export or reexport of any “cryptanalytic item” to any “government end-user” (as that definition is applied to encryption items); or (2) Any export or reexport of any “open cryptographic interface” item to any end-user not located in or headquartered in Canada or in countries listed in Supplement No. 3 part 740 of the EAR; or (3) Any export or reexport to, or provision of any service in any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR; or (4) Furnishing source code or technology to any national of a country listed in Country Group E:1. [67 FR 38862, June 6, 2002, as amended at 68 FR 35785, June 17, 2003; 69 FR 71360, Dec. 9, 2004; 70 FR 22249, Apr. 29, 2005]
Title 15: Commerce and Foreign Trade
PART 740—LICENSE EXCEPTIONS
§ 740.17 Encryption commodities and software (ENC).
