
COMMERCIAL ENCRYPTION EXPORT CONTROLS

Export and reexport controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce. Rules governing exports and reexports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. Sections 740.13, 740.17 and 742.15 of the EAR are the principal references for the export and reexport of encryption items.

Regulations - encryption rules published by BIS since export control jurisdiction was transferred from the State Department to the Commerce Department in 1996. This includes the most recent updates dated June 17, 2003 and June 6, 2002.

Guidance - step-by-step instructions and guidance to help exporters when preparing a review request for >64-bit mass market encryption or License Exception ENC, applying for a license, or submitting a notification for NLR, beta test software or "publicly available" source code (and corresponding object code). For exporters who are exploring whether their products are subject to these review or notification requirements, a basic "checklist" on encryption and other “information security” functions is provided.

Highlights of 6/17/03 Changes to the U.S. Encryption Policy

  • Updates License Exception BAG (§740.14) to allow all persons (except nationals of Country Group E:1 countries) to take “personal use” encryption commodities and software to any country not listed in Country Group E:1. Such “personal use” encryption products may now be shipped as unaccompanied baggage to countries not listed in Country Groups D or E. (See Supplement No. 1 to part 740 of the EAR for Country Group listings.)

  • Clarifies that medical equipment and software (e.g. products for the care of patients or the practice of medicine) that incorporate encryption or other “information security” functions are not classified in Category 5, Part II of the Commerce Control List.

  • Clarifies that “publicly available” ECCN 5D002 encryption source code (and the corresponding object code) is eligible for de minimis treatment, once the notification requirements of §740.13(e) are fulfilled.

  • Publishes a “checklist” (new Supplement No. 5 to part 742) to help exporters better identify encryption and other “information security” functions that are subject to U.S. export controls.

  • Clarifies existing instructions related to short-range wireless and other encryption commodities and software pre-loaded on laptops, handheld devices, computers and other equipment.

Highlights of 6/6/02 Changes to the U.S. Encryption Policy

  • "Mass market" encryption commodities and software with symmetric key lengths exceeding 64 bits may now be exported and reexported under ECCN 5A992 or 5D992, following a 30-day review.

  • Equipment controlled under ECCN 5B002 may now be exported and reexported under License Exception ENC.

  • Notification, review, licensing and post-export reporting requirements for encryption items, including "publicly available" encryption source code and "short range" wireless products, are clarified.
