
October 19, 2000

Encryption Policy

Questions and Answers

  1. Why is the Administration revising its encryption export policy?
     
  2. What is the encryption update based on?
     
  3. How does this new regulation compare with the regulations recently promulgated by the European Union?
     
  4. Will products using the newly proposed Advanced Encryption Standard be exportable?
     
  5. Will the Administration update the encryption policy again this year?
     
  6. Are Canadian subsidiaries included in the new policy of immediate export to the EU plus an additional eight countries?
     
  7. What happens to the pending license applications and classification requests that were submitted before this regulation was published?
     
  8. Is an open cryptographic interface the same as a "crypto-with-a-hole" product?
     
  9. What are some differences between "open" and "closed" cryptographic interfaces?
     
  10. What if my product contains encryption that must be "activated" prior to use?
     
  11. Can you self-classify an encryption item?
     
  12. What is the difference between a notification and classification request?
     
  13. What are the technical parameters for mass market products in the newly created Cryptography Note?
     
  14. Where do I send classification requests, key length increase certification letters, post-export reports and notifications?
     
  15. Can I increase the key length of my product without another review? How about if my product received "retail" eligibility?
     
  16. Are all encryption items "grandfathered"?
     
  17. Is there a review of the foreign product developed with U.S. encryption?
     
  18. May I use License Exception ENC to export encryption technology to my foreign parent that is not located in a Supplement 3 to Part 740 country?
     
  19. Where do network management products fit into the new policy?
     
  20. If I incorporate open source cryptography (eligible for License Exception TSU) into my product and then sell it, is the end-product also eligible for License Exception TSU?
     
  21. Do I have to post my source code in order to make it publicly available?
     
  22. For Internet exports, what constitutes reasonable and sufficient screening procedures to implement any restrictions that do exist under the regulations on exports to foreign government end-users?
     
  23. Does posting encryption source or object code on the Internet constitute an export under the EAR?
     
  24. Does the mere posting of publicly available source code establish knowledge of any prohibited export or reexport?
     
  25. Would posting to a "newsgroup" site fall within the types of eligible Internet posting methods for publicly available source code eligible under Section 740.13(e), License Exception TSU?
     
  26. Can an academic who creates an encryption source code program make it available on the Internet, for example to students or academic colleagues, without restriction on access?
     
  27. Will an intellectual property protection, such as a copyright, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for the commercial production or sale of any product developed using the source code that would make encryption source code not eligible for export under License Exception TSU for publicly available "unrestricted" source code?
     
  28. Am I required under the EAR to actively screen for terrorist-supporting destinations?
     
  29. What is the purpose of the review and classification?
     
  30. Should I submit one classification request for my encryption product?
     
  31. Do I have to submit source code for a review and classification of my encryption product?
     
  32. When does the 30-day clock start for classification requests?
     
  33. If after 30 days I do not hear from BXA, and I export my encryption product, will it delay or influence my "retail" classification request?
     
  34. How do I track the process of my classification request?
     
  35. What encryption items will be considered for de minimis provision treatment?
     
  36. What is the effect of allowing some encryption product to be eligible for de minimis?
     
  37. How is the "retail" section of License Exception ENC implemented?
     
  38. Can you elaborate on the criteria used for defining "retail" products? Is it based on the distribution model and not the strength of the encryption?
     
  39. What "amount" is required for a product to qualify as "sold in large volume"?
     
  40. What is the difference between the definitions of "retail" and "mass market"?
     
  41. What is meant by the term "equivalent functionality" in the "retail" criteria?
     
  42. Could you elaborate on what constitutes a low-end server, router or firewall in the "retail" criteria?
     
  43. What types of services require a license?
     
  44. Do I still need to report exports of "network infrastructure" products to Telecommunications and Internet Service Providers by the time of export? What are some examples of "network infrastructure" products?
     
  45. Why is reporting still required?
     
  46. What does the new exception for single processor computers, laptops and hand-held devices mean for reporting?
     
  47. How do I determine whether the export of my "retail" product is being purchased and used by an individual, or is being purchased and used by an individual for multiple commercial use?
     
  48. What do you mean by "if collected" in the reporting requirements?
     
  49. If I want to export encryption components, toolkits and source code (other than to my U.S. subsidiaries) that's neither considered publicly available nor qualifying under the "retail" definition, what are my obligations under this new policy?
     
  50. Can you expand on what my specific reporting obligations are when exporting encryption components, toolkits and source code that's not publicly available?
     
  51. Can exporters request adjustments to the reporting requirements to better reflect their business models from BXA?
     
  52. How do I determine if my customer is a "government end-user"?
     
  53. If a U.S. company and foreign government end-user both own a percentage of a foreign company, is that company considered a "government end-user"?
     
  54. What still requires a license prior to export or reexport?
     
  55. May I use License Exception ENC to export encryption items to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria?
     
  56. Can I submit an ELA for government end-users? How about for exports of technology?
     
  57. What is the licensing policy for exports of encryption products to government end-users?
     
  58. Are there export control restrictions on transfers of encryption items within the same country?
     
  59. If I am sending encryption technology to a U.S. subsidiary under License Exception ENC, what are my obligations under this new policy?
     
  60. If I want to export encryption commodities and software (in object code) that I know does not meet the "retail" definition, what are my obligations under this new policy?
     
  61. Do I need a license in order to provide source code to international standards organizations?
     
  62. Why is this regulation a "final rule"? Can I still comment on it?

General Policy

1. Why is the Administration revising its encryption export policy?

In 1998, the Vice President promised that we would continue to review our encryption policy and make the necessary updates taking into account market demand and advances in information technology while protecting the needs of privacy, national security and law enforcement. On September 16, 1999, the U.S. announced a new approach to its encryption control policy. The core of the export part of this policy rests on three principles: a technical review of encryption products in advance of sale, a streamlined post-export reporting system that takes into account industry's distribution models, and review of some exports to foreign government end-users. An implementing regulation was published on January 14, 2000 and the public commentary period was 120 days. The Administration committed to ensure U.S. exporters would not be disadvantaged by steps the European Union took to create a "free-trade zone". We reviewed the comments, and on July 17, 2000, the Administration announced further changes to our policy, and on October 19, 2000, we published a final encryption rule. The October rule permits most encryption products to be exported to the 15 nations of the European Union and 8 other trading partners, including Australia, Japan, New Zealand, Norway, Switzerland, Czech Republic, Poland, and Hungary. The new regulation tracks with recent regulations adopted by the European Union, thus assuring continued competitiveness of U.S. industry in international markets.

2. What is the encryption update based on?

In January 2000, we implemented an interim-final regulation based on the new paradigm described above. At that time, we committed to take the necessary steps to ensure that U.S. exporters are not disadvantaged as a result of the European Union’s implementation of its dual-use regulation. The October rule makes our policy comparable to the EU’s and implements other updates based on industry’s comments on the January interim-final rule.

3. How does this new regulation compare with the regulations recently promulgated by the European Union?

This regulation allows American encryption exporters to effectively compete, consistent with the Administration’s January 2000 commitment. Exporters can now ship immediately, without waiting for a response, to EU countries and certain other major trading partners after filing a classification request with BXA. This covers all encryption products except cryptanalytic items (i.e., those specifically designed to break codes).

4. Will products using the newly proposed Advanced Encryption Standard be exportable?

These products will be exportable under License Exception ENC to all but sanctioned or embargoed countries.

5. Will the Administration update the encryption policy again this year?

In developing both the January and October 2000 regulations, the Administration worked closely with stakeholders to assure a workable and balanced approach. The October regulation is the final revised rule and implements changes based largely on public comments. While minor adjustments or clarifications may be needed, our intent is to allow both government and industry sufficient time to gain experience with the new regulation to continue to ensure workability. Industry will be able to take full advantage of the incorporated updates.

Specific Policy

6. Are Canadian subsidiaries included in the new policy of immediate export to the EU plus an additional eight countries?

Encryption items do not require authorization when exported to Canada. Canadian subsidiaries, for clarification purposes, are also included in the new policy allowing exports to the European Union and an additional eight countries under License Exception ENC after filing a classification request.

7. What happens to the pending license applications and classification requests that were submitted before this regulation was published?

The October regulation also contains a "grandfathering" clause, similar to the one in our January regulation, that allows exporters to use License Exception ENC to end-users located in the countries listed in Supplement 3 to Part 740 and non-government end-users outside of these countries if their encryption commodity or software was previously reviewed under a license, Encryption Licensing Arrangement or received License Exception ENC eligibility. However, to determine if your product qualifies for "retail", a separate classification and review is required by BXA. Additionally, pending applications will be reviewed under the new policy.

8. Is an open cryptographic interface the same as a "crypto-with-a-hole" product?

Yes. Any product that contains an interface that is not fixed and that permits a third party to insert cryptographic functionality needs a binding mechanism to be considered a closed interface. Products that contain an open cryptographic interface may now be exported to end-users located in Supplement 3 to Part 740 countries under License Exception ENC. Exporters are encouraged to review the definition for "open cryptographic interface" in Part 772.

9. What are some differences between "open" and "closed" cryptographic interfaces?

Open cryptographic interfaces (OCIs) allow customers or other parties to insert their own cryptography, such as algorithms and key exchange mechanisms, without any intervention, help, or assistance from the manufacturer or its agents. An encryption product with an OCI provides an "open door" for the use of encryption that has not been authenticated or otherwise enabled for use with the product. By contrast, an encryption product which uses digital signatures, static binding, or other proprietary means to restrict access to the underlying cryptography is said to have a "closed" cryptographic interface.

10. What if my product contains encryption that must be "activated" prior to use?

The term "dormant cryptography" refers to items which, at the time of export, contain embedded cryptographic parts or components which are rendered functionally inert or inactive by design. This dormant cryptography must be "activated" or "enabled" (typically using special components or software purchased separately) by the manufacturer before it can be used to encrypt data. Items with "dormant cryptography", and the associated commodities, software, or technology by which the cryptography is enabled, are controlled under the EAR and subject to all applicable EI, NS, and AT controls.

11. Can you self-classify an encryption item?

Two categories of encryption items can be self-classified under ECCNs 5A992, 5D992 or 5E992. These items continue to be subject to AT1 controls. Encryption commodities and software specified under related controls under ECCN 5A002 on the Commerce Control List (CCL) do not require review (i.e., access control systems, data authentication equipment, certain smart cards, certain cellular telephones, etc.). The October regulation allows exporters to self-classify certain encryption commodities, software and technology under ECCN 5A992, 5D992 or 5E992. Encryption items eligible for this treatment are encryption items with key lengths up to and including 56 bits with an asymmetric key exchange algorithm not exceeding 512 bits; products which only provide key management with asymmetric key exchange algorithms not exceeding 512 bits; and mass market encryption commodities and software with key lengths not exceeding 64 bits for the symmetric algorithm. The Cryptography Note (Note 3) to part 2 of Category 5 of the CCL defines mass market encryption commodities and software. Before exporting these items, you must submit to BXA and the ENC Encryption Request Coordinator the information described in Supplement 6 to Part 742. All other encryption items controlled under ECCNs 5A002, 5D002 and 5E002 require a review, either through a classification request or a license (both an individual license and an ELA), by BXA. (This review requirement does not apply to publicly available source code eligible under Sections 740.13(e) and 740.17(b)(4)(i), which require written notification by the time of export. Also, exports to U.S. subsidiaries do not require a review when used for internal purposes (see Section 740.17(b)(1)).)

Reminder: We do suggest that you have these items formally classified by BXA if you are unsure of the proper classification.

12. What is the difference between a notification and classification request?

A classification request is a formal submission to BXA to which BXA will respond with an official classification of the item submitted. For encryption, we also review the item for license exception eligibility, such as License Exception ENC or KMI. A notification, on the other hand, is a requirement that certain information be submitted to BXA. While such information may be spot-checked for compliance, BXA will not issue an official response. The exporter is responsible for classifying his/her product correctly and submitting the information specified in Supplement 6 to Part 742. Two types of product notifications are implemented by the October rule: (1) NLR self-classifications; and (2) applications for the export of beta test encryption software. Both require submission of the information described in Supplement 6 to Part 742 to BXA prior to export. Exporters should submit the notification electronically to BXA at crypt@bxa.doc.gov.

13. What are the technical parameters for mass market products in the newly created Cryptography Note?

The Cryptography Note in Part 774 states that ECCNs 5A002 and 5D002 do not control encryption items that meet certain distribution and technical criteria. The technical criteria are that the cryptographic functionality cannot be easily changed by the user, the product is designed for installation by the user without further substantial support by the supplier, and the product does not contain a "symmetric algorithm" using a key length greater than 64-bit. Note that exporters may now self classify items that meet the criteria of the Cryptography Note after submitting the information in Supplement 6 to Part 742. Technical information on the product must be available, upon request, to BXA.

14. Where do I send classification requests, key length increase certification letters, post-export reports and notifications?

(A) For commodity classification requests, send the original BXA Form 748P, 748P-A (if applicable) and support documents to the Bureau of Export Administration, U.S. Department of Commerce, 14th Street and Pennsylvania Avenue, N.W., Room 2705, Washington, D.C. 20444, Attn: "Application Enclosed". A copy of the entire application (forms and supporting documents) must also be mailed to Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000. Failure to follow these instructions for submitting commodity classification requests will result in delays.

(B) For post-export reports, certification letters, and notifications, you may submit them electronically via e-mail (suggested file formats include spreadsheets, tabular text or structured text), or send them in electronic form (e.g., disk or CDROM) to the Department of Commerce, Bureau of Export Administration, Office of Strategic Trade and Foreign Policy Controls, 14th Street and Pennsylvania Avenue, N.W., Room 2625, Washington, DC 20230, Attn: Encryption Reports. A copy must also be mailed to Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6131, Ft. Meade, MD 20755-6000. Please indicate the type of report, certification, or notification on the subject line as indicated in licensing guidance on this web page.

15. Can I increase the key length of my product without another review? How about if my product received "retail" eligibility?

You may increase the confidentiality or key exchange algorithm's key length of your encryption product without another review, e.g., 56-bit DES to 168-bit 3DES, and be eligible for export under License Exception ENC to any end-user located in the Supplement 3 to Part 740 countries and any non-government end-user outside of these destinations. However, no other change in the encryption functionality is permitted under this provision in the EAR. A letter certifying the key length increase should be sent to BXA. You may also register a key length upgrade via letter for products that were classified as "retail".

16. Are all encryption items "grandfathered"?

Most encryption items are "grandfathered" if they were previously reviewed under a license, Encryption License Arrangement (ELA) or classified as eligible to use License Exception ENC. You may now use License Exception ENC to export to any end-user located in the Supplement 3 to Part 740 countries and to non-government end-users outside the EU+8. The only classifications that cannot be "grandfathered" are ones granted to U.S. subsidiaries under License Exception ENC prior to the January 2000 regulation.

17. Is there a review of the foreign product developed with U.S. encryption?

No, a review of the foreign product is not required. For instance, the foreign "enabled" product is not subject to review. However, limited reporting is required as specified in §740.17(e)(3). In the case of a product developed by a U.S. subsidiary, the developed encryption product requires a review and classification, since the original export to the U.S. subsidiary was not reviewed by BXA.

18. May I use License Exception ENC to export encryption technology to my foreign parent that is not located in a Supplement 3 to Part 740 country?

License Exception ENC, as it pertains to exports of technology (not products), can only be used if the end-user meets the definition of U.S. subsidiary (as defined in Part 772 of the EAR). Exporters may submit ELAs to export technology to their foreign parent or subsidiaries; however, the foreign product developed with this technology is not subject to a review and licensing by BXA.

19. Where do network management products fit into the new policy?

Safe, efficient, and reliable public networks are essential to our national critical infrastructure, and for the sustained growth of global electronic commerce. Many system administration, Public Key Infrastructure (PKI), and other products that are designed for the secure management, configuration, or administration of public networks, but which themselves are not capable of encrypting high volume communications across the network, have been made eligible for export as "retail" products. Further, when licenses are required for exports to governments for network management products that are not classified as retail, they will be considered favorably for civil end uses.

20. If I incorporate open source cryptography (eligible for License Exception TSU) into my product and then sell it, is the end-product also eligible for License Exception TSU?

Commercial encryption products, both retail and non-retail, which implement "EI"-controlled cryptographic functionality (such as 128-bit symmetric encryption), are not eligible for License Exception TSU. Commercial products may incorporate encryption from any number of sources, including commercial toolkits, open source encryption libraries, or proprietary components. All commercial encryption products that do not provide an open cryptographic interface are eligible for export under license exception ENC, regardless of the source of the underlying encryption.

21. Do I have to post my source code in order to make it publicly available?

No. Source code does not have to be posted on the Internet in order to be considered publicly available. For instance, source code distributed at open sessions of international standards bodies is considered to have been made publicly available.

Internet Posting and Sales

22. For Internet exports, what constitutes reasonable and sufficient screening procedures to implement any restrictions that do exist under the regulations on exports to foreign government end-users?

The web site must be configured to check the Internet Protocol (IP) address of the person requesting the encryption product for transfer or download to ensure that the requester's address is not a foreign government domain name. In addition, the receiver of the encryption download or transfer must indicate that the software is not intended to be used by a government end-user. The web site must also inform the receiver or requester that the software is subject to the EAR, and that it cannot be transferred without a license or other authorization. See Section 734.2(b)(9)(iii).

23. Does posting encryption source or object code on the Internet constitute an export under the EAR?

Yes, it can, as the definition of the export of encryption source code and object code software under the provisions of section 734.2(b)(9) includes such action. For publicly available source code under sections 740.13(e) and 740.17(b)(4)(i), while such source code is exempted under section 734.2(b)(9)(ii) and (iii), and is thus not subject to those provisions (including screening procedures), the source code nonetheless remains subject to the EAR. Please note that section 734.2(b)(9)(i) defines "export" to include the actual shipment, transfer, or transmission out of the United States or transfer in the United States to an embassy or affiliate of a foreign country. For all other encryption source code and object code software, posting constitutes an export unless the person making the software available on the Internet takes precautions to prevent unauthorized transfers.

24. Does the mere posting of publicly available source code establish knowledge of any prohibited export or reexport?

Posting of publicly available source code on the Internet (e.g., FTP or World Wide Web site), where it may be downloaded by anyone, would not establish "knowledge" (as that term is defined in the EAR) of a prohibited export or reexport, i.e., an export or reexport that would otherwise require a license. Such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732. Compliance with EAR requirements as to prohibited exports and reexports (see the General Prohibitions in Part 736) still applies. So, for example, a license would be required for you to e-mail or directly transfer such source code to a national located in a prohibited country (e.g., Sudan) or to a prohibited end-user (e.g., an entity listed on BXA's Entity List found at Supplement No. 4 to Part 744).

25. Would posting to a "newsgroup" site fall within the types of eligible Internet posting methods for publicly available source code eligible under Section 740.13(e), License Exception TSU?

Yes. The listing of eligible Internet postings described in License Exception TSU, e.g., FTP and World Wide Web site, is illustrative in nature, not exclusive.

26. Can an academic who creates an encryption source code program make it available on the Internet, for example to students or academic colleagues, without restriction on access?

Yes, under the revised regulations, encryption source code that would be publicly available (and posting to the Internet itself would make it publicly available), and which is not subject to an express agreement for the payment of a licensing fee or royalty for the commercial production or sale of any product developed using the source code, would be eligible under License Exception TSU for "unrestricted" source code. Under this policy, the software may be exported without prior submission to the government for technical review (although concurrent notification of the export is required). In addition, software exported under this exception may be posted to the Internet without restriction and would not be subject to any requirement to screen for access. Also, such posting would not constitute knowledge of an export to a prohibited destination under the EAR, including one of the seven terrorist states. A license requirement would apply only to knowing exports and reexports (i.e., direct transfer or e-mail) of the software to prohibited end-users and destinations. In addition, exporters are not restrained from providing technical assistance (as described in Section 744.9) to foreign persons working with such source code.

27. Will an intellectual property protection, such as a copyright, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for the commercial production or sale of any product developed using the source code that would make encryption source code not eligible for export under License Exception TSU for publicly available "unrestricted" source code?

No.

28. Am I required under the EAR to actively screen for terrorist-supporting destinations?

In your business practice, it is prudent to use a standard of care to ensure that you will not violate any of the prohibitions identified in the EAR. The EAR does not require a person posting software on the Internet to implement screening procedures for the terrorist countries. For publicly available source code exported under a license exception, once such source code is posted to the Internet, a license requirement exists or remains for "knowing" transfers (i.e., direct transfer or e-mail) to a prohibited end-user or destination. For any "retail" or other encryption software exported under a license exception by means of Internet posting, export restrictions to the seven terrorist states remain in place and exporters should take the steps necessary to prevent an export in violation of such restrictions. The "Know Your Customer" guidance in Supplement No. 3 to Part 732 provides companies with guidelines on how to comply with their responsibilities under the EAR. Please note that section 734.2(b)(9)(iii) contains screening procedures to prevent the transfer of certain encryption software to foreign government end-users.

Classifications

29. What is the purpose of the review and classification?

U.S. origin encryption hardware, software, and technology items, which are controlled for "EI" reasons under the Export Administration Regulations (EAR), may be exported under license or license exception. Through commodity review and classification, BXA determines the export eligibility of "EI" items. Other Information Security commodities and technology, which are released from "EI" controls, do not require authorization for export under license or license exception ENC, and therefore do not require formal classification by BXA.

30. Should I submit one classification request for my encryption product?

One classification request should be submitted for eligibility to export under License Exception ENC. We envision that a product will qualify for either "retail" or "non-retail" treatment, and therefore, exporters should submit one classification and not separate ones for authorization to export under each provision of License Exception ENC.

31. Do I have to submit source code for a review and classification of my encryption product?

For certain products, government review of source code may be required as provided in Supplement 6 to part 742. As with all transactions, the U.S. government considers this information confidential. Please note that publicly available source eligible under sections 740.13(e) and 740.17(b)(4)(i) does not require prior review and classification but rather written notification by the time of export.

32. When does the 30-day clock start for classification requests?

The 30-day clock begins on the day BXA receives your classification request, and it is logged into our system. You should check the automated system "STELA" by calling 202-482-2752. Your application must be in the system for 30 calendar days before you can use the provision to export and reexport to any non-government end-user located outside the countries listed in Supplement 3 to part 740 any encryption product eligible under License Exception ENC unless otherwise notified by BXA.

33. If after 30 days I do not hear from BXA, and I export my encryption product, will it delay or influence my "retail" classification request?

No, your classification request will not be delayed or treated any differently than any other application.

34. How do I track the process of my classification request?

You may call "STELA" at 202-482-2752 to determine if your classification request is entered into our system. If you do not hear from us, your request is moving through the review process. Please read the relevant parts of the Export Administration Regulations (EAR) to determine where your product fits within the encryption policy and Supplement 6 to Part 742 of the EAR before you submit your classification request. Also, additional guidance is located on the web page for submitting notifications, license applications and classification requests. If we have any questions or need more information, we will contact you.

35. What encryption items will be considered for de minimis provision treatment?

Examples of encryption items that may be considered for de minimis include software programs such as e-mail, browsers, games, word processing, database, financial applications or utilities that are designed for, bundled with, or pre-loaded on single CPU computers, laptops, hand-held devices, or components. Also included are components or software designed for use in retail communication devices such as wireless devices or smart cards, or decontrolled products. Exporters applying for de minimis eligibility must explain why the part or component would qualify for de minimis treatment in the support documents included with the classification request. De minimis eligibility continues to apply to encryption items controlled under ECCNs 5A992, 5D992 and 5E992.

36. What is the effect of allowing some encryption product to be eligible for de minimis?

This change, when implemented, will allow certain retail encryption products, such as components which will be incorporated into foreign-made consumer items, to be made eligible for de minimis treatment after a review for national security interests. Exporters cannot make this determination on their own. They need written confirmation from BXA that their product is eligible for de minimis. Then, if the U.S.-origin component as embedded in the foreign product meets the de minimis calculations, it is no longer subject to U.S. export regulations. Note that this rule does not affect de minimis calculations.

"Retail" Products

37. How is the "retail" section of License Exception ENC implemented?

A classification is necessary to determine whether an encryption product qualifies as "retail". The review process is similar to what has been done in the past; however, exporters should review the retail section of License Exception ENC and address how their products meet the listed criteria. BXA will work with exporters to gather any additional necessary information. We strive for this review and classification to take no longer than other classification requests.

38. Can you elaborate on the criteria used for defining "retail" products? Is it based on the distribution model and not the strength of the encryption?

Criteria:
The "retail" section of License Exception ENC contains four sets of encryption products.

The first set is encryption commodities or software that are generally available to the public by being (1) sold through retail outlets, (2) specially designed for individual consumer use, or (3) which are or will be sold in large volume without restrictions through mail order, electronic or telephone sales. For encryption products to qualify as "retail" under this first part, your encryption product has to be distributed in one of these three ways. However, these products cannot:

(a) allow the cryptographic functionality to be easily changed by the user, (b) require substantial support to install and use, (c) be modified or customized for the customer and (d) be designed to be used as network infrastructure products. If your product meets the above criteria, then it may be considered "retail". The regulation contains an illustrative but not restricted list of examples of the types of products that are considered "retail" under this section. All of this is taken into account to qualify for "retail"; it is not based on the key length of the encryption items.

The second set is those products that function similarly to other products classified as "retail". The products are reviewed for their overall functionality and not simply their security functions. We intend to compare products which are similar in function, but may be incorporated differently, i.e., bundled vs. standalone.

The third set of products is finance-specific products that are restricted by design for such functions as e-commerce and financial transactions. These products are highly field formatted and are not capable of performing general purpose encryption, such as e-mail messaging. Inclusion in this category is not based on the algorithm keysize. Also included in this set are non-mass market 56-bit products with asymmetric key exchanges between 512 and 1024 bits. These products are based on the key length of the encryption. Exporters may submit a classification request for this set of products and export immediately.

The last set is items which would be controlled only because they incorporate components or software which provide short-range wireless encryption functions. These items may be exported without review and classification by BXA and without reporting under the retail provisions of License Exception ENC. These include consumer products, for example, audio devices, cameras and videos, computer accessories, hand-held devices, mobile phones and consumer appliances (e.g., refrigerators, washing machines and microwave ovens) that communicate with each other via short-range wireless technologies. Examples of these types of technology are Bluetooth and HomeRF. A review and classification is still required for the components and software that are used to develop the end-products.

39. What "amount" is required for a product to qualify as "sold in large volume"?

A "retail" encryption product that is "sold in large volume" is produced and widely available through various distribution methods. While there is not an exact amount, most products that will qualify under this set are produced in the thousands of units per month. Additionally, we are now permitting new products that will be sold in large volume to qualify for this criterion on a case-by-case basis. Exporters should include in their support documents projections of sales. For instance, the introduction of a new firewall product's sales may be based on the sales of the existing firewall product line. Most likely, however, it will take time for a start-up company to establish its products in the marketplace; these will be reviewed on a case-by-case basis.

40. What is the difference between the definitions of "retail" and "mass market"?

We recognize that certain encryption products are distributed through various channels, making it impossible, in practical terms, to control who the end-user may be. We have accommodated several of industry's aims by creating a new regulatory category called "retail". While the "retail" and the category "mass market" are not equivalent, the retail definition includes significant flexibility. In practice, many products are classified as retail.

41. What is meant by the term "equivalent functionality" in the "retail" criteria?

The term "equivalent functionality" is not limited to comparing two products' encryption security features. Rather, it is the overall functionality of the entire product. We compare products that function similarly, regardless of whether the product contains embedded capabilities or is a standalone item.

42. Could you elaborate on what constitutes a low-end server, router or firewall in the "retail" criteria?

Since January, we have allowed many low-end servers, routers and firewalls that are designed for small office networks or home offices to qualify for "retail". These products are sold in large volume and widely available through various distribution methods. These are encryption products that are not designed to handle large throughput or network traffic.

Telecommunications and Internet Service Providers

43. What types of services require a license?

In certain instances, a license is required to provide encryption services to government end-users outside of the countries located in Supplement 3 to Part 740. Under License Exception ENC, Internet and telecommunications service providers may use retail products to provide service to any end-user. However, they will require a license to provide services using products not classified as retail to government end-users outside of the countries located in Supplement 3 to Part 740. Examples are WANs, LANs, VPNs, voice and dedicated-link services; application specific and e-commerce services, and PKI encryption services specifically for government end-users only.

44. Do I still need to report exports of "network infrastructure" products to Telecommunications and Internet Service Providers by the time of export? What are some examples of "network infrastructure" products?

No, exports to Telcos and ISPs are now in accordance with the semi-annual requirement. Examples of "network infrastructure" products include high-end switches or routers, which are designed for large volume communications.

Reporting Requirements

45. Why is reporting still required?

Reporting is essential to protect our national security interests. Changes in this regulation have streamlined and reduced the reporting requirement to that which is most important.

46. What does the new exception for single processor computers, laptops and hand-held devices mean for reporting?

This new exception means that no reporting is required for exports of single processor computers, laptops and hand-held devices when pre-loaded or bundled with encryption software.

47. How do I determine whether the export of my "retail" product is being purchased and used by an individual, or is being purchased and used by an individual for multiple commercial use?

When an individual buys a "retail" product, there is no reporting requirement. However, companies may determine this in a variety of ways, e.g., the number of seats or user licenses purchased, screening for business vs. individual uses, etc.

48. What do you mean by "if collected" in the reporting requirements?

During the normal course of business, exporters may gain information about the ultimate end-user depending on their contractual relationship with the distributor or reseller. In these instances, BXA would like that information included in their reports. This clause is not designed to alter or strain the exporter's current business practice.

49. If I want to export encryption components, toolkits and source code (other than to my U.S. subsidiaries) that's neither considered publicly available nor qualifying under the "retail" definition, what are my obligations under this new policy?

You are required to submit a classification request to BXA prior to exporting the commodity or software. However, for exports to the Supplement 3 to Part 740 countries, you may export immediately after you submit a completed classification. For non-government end-users outside of these destinations, you may export after your classification request has been in our system for 30 days. There are some post-export reporting requirements; however, there are no further licensing restrictions. Additionally, no review of the foreign developed product is required.

50. Can you expand on what my specific reporting obligations are when exporting encryption components, toolkits and source code that's not publicly available?

When sold to foreign manufacturers, post-export reporting is limited to the name and address of the manufacturer plus any non-proprietary information of the foreign products developed when manufactured for commercial sale. This information might include brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available. If for the manufacturer's internal use, only the name and address is required.

51. Can exporters request adjustments to the reporting requirements to better reflect their business models from BXA?

Exporters may request adjustments to the reporting requirements in a letter submitted to BXA. The information provided must include the specific products and reasons justifying why adjustments should be approved. These requests will be reviewed on a case-by-case basis, and BXA will issue a formal response to the exporter.

Government End-Users

52. How do I determine if my customer is a "government end-user"?

The January regulation added a definition of "government end-user" in Part 772. The definition covers government organizations at the central, regional, and local levels, which are departments, agencies, or entities performing governmental functions. Review the definition carefully for examples of organizations that are included in the definition and organizations which are not. For example, a governmental corporation that manufactures or distributes items or services controlled on the Wassenaar Munitions List is a "government end-user." (You can access the Wassenaar Munitions List at the following URL address: www.wassenaar.org.) Excluded from the definition are organizations that may be wholly or partially government-owned, but have certain specific purposes. Such organizations include utilities, such as gas, electricity, telecommunications providers and Internet service providers; transportation, such as train systems, subway systems and airport authorities; broadcast or entertainment, such as television broadcasters; educational organizations, such as schools, colleges and universities; civil health and medical organizations, such as hospitals and clinics; retail or wholesale firms; and manufacturers or industrial entities that do not manufacture or distribute Wassenaar List items or services.

If you are unsure of whether a particular end-user meets the definition, you may submit an advisory opinion request to the Bureau of Export Administration, or submit a license application for your transaction.

53. If a U.S. company and foreign government end-user both own a percentage of a foreign company, is that company considered a "government end-user"?

In such cases involving foreign government ownership, exporters must review the definition of "government end-user" to see if the foreign company qualifies. However, control or involvement of a foreign government in the foreign subsidiary of the U.S. company does not constitute ownership.

Licensing Policy (Outside the Supplement 3 to Part 740 Countries)

54. What still requires a license prior to export or reexport?

Licenses are required to export and reexport certain items to end-users located outside of the Supplement 3 to Part 740 countries. Examples include technology controlled under ECCN 5E002, encryption products that contain an open cryptographic interface (OCI) and products that do not qualify as "retail" when exported to government end-users. In addition, all exports to the terrorist or embargoed countries require a license.

55. May I use License Exception ENC to export encryption items to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria?

You must apply for a license to export encryption items to the above-noted terrorist-supporting countries as well as other embargoed destinations, e.g., Serbia and the Taliban controlled areas of Afghanistan. For specific information, you may contact BXA's Office of Strategic Trade & Foreign Policy Controls or, depending on the country, the Treasury's Office of Foreign Asset Controls (URL: www.treas.gov/ofac).

56. Can I submit an ELA for government end-users? How about for exports of technology?

In general, you will have to submit individual licenses for exports of encryption products to entities that meet the "government end-user" definition. However, applications for ELAs for government end users may be considered on a case-by-case basis. In such applications, you should be as specific as possible concerning the country or countries, the government entity or entities who will be using the products, and the end-use of the product.

Exporters may submit applications for ELAs for exports of encryption technology to strategic partners of U.S. companies. In addition, foreign companies with subsidiaries in the United States may apply for ELAs to export encryption technology to their worldwide locations. All ELA applications will be reviewed on a case-by-case basis and are valid for four years.

57. What is the licensing policy for exports of encryption products to government end-users?

The licensing policy for exports of encryption products to entities that meet the "government end-user" definition is described in Section 742.15(b)(3). Applications for civil end uses, such as social or financial services to the public, civil justice, social insurance pensions and retirement, taxes, and communications between governments and their citizens will be favorably considered. This reflects the existing licensing practice for government end-users. Applications for other end-uses will be reviewed on a case-by-case basis.

58. Are there export control restrictions on transfers of encryption items within the same country?

In-country transfers of encryption items (which have not been classified as retail) to foreign government end-users are prohibited unless otherwise authorized by license or license exception.

59. If I am sending encryption technology to a U.S. subsidiary under License Exception ENC, what are my obligations under this new policy?

You are not required to submit any documentation to BXA prior to export. A review and classification is required before any sale or transfer outside of the U.S. company with limited reporting requirements.

60. If I want to export encryption commodities and software (in object code) that I know does not meet the "retail" definition, what are my obligations under this new policy?

You are required to submit a classification request to BXA prior to exporting the commodity or software. However, for exports to end-users located in the Supplement 3 to Part 740 countries, you may export immediately after you submit a completed classification. For non-government end-users outside of these destinations, you may export after your classification request has been in our system for 30 days. There are some post-export reporting requirements; however, there are no further licensing restrictions. Exporters should also review section 740.17(e)(2) regarding "grandfathering" of existing products, in which case an additional classification is not required.

61. Do I need a license in order to provide source code to international standards organizations?

Source code provided to an international standards body for distribution at open meetings is considered to have been made publicly available. However, if you provide proprietary source code to a standards body with a stipulation that the code is not made public (e.g. restricted to a select group of committee members), then your code is not considered publicly available.

62. Why is this regulation a "final rule"? Can I still comment on it?

The January rule implemented the Administration's new approach to encryption policy and was published as an interim final with a request for comments. The October rule implements the Administration’s commitment to make our policy comparable to our European Union partners, and took into account the comments on the January regulation. Although there is no formal comment period, public comments on this regulation are welcome on a continuing basis.

 

                          

 