COMMERCIAL ENCRYPTION EXPORT CONTROLS
Export and reexport controls on commercial encryption products are administered
by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce.
Rules governing exports and reexports of encryption are found in the Export
AdministrationRegulations (EAR), 15 C.F.R. Parts 730-774. Sections 740.13,
740.17 and 742.15 of the EAR are the principal references for the export and
reexport of encryption items.
Regulations
- encryption rules published by BIS since export control jurisdiction was
transferred from the State Department to the Commerce Department in 1996.
This includes the most recent updates dated June 17, 2003 and June 6, 2002.
Guidance - step-by-step instructions and guidance
to help exporters when preparing a review request for >64-bit
mass market encryption or License Exception ENC,
applying for a license, or submitting a notification
for NLR, beta test software or
"publicly available"
source code (and corresponding object code). For exporters who are exploring
whether their products are subject to these review or notification requirements,
a basic "checklist" on encryption
and other “information security” functions is provided.
Highlights of 6/17/03 Changes to the
U.S. Encryption Policy
- Updates License Exception BAG (§740.14) to allow all persons
(except nationals of Country Group E:1 countries) to take “personal
use” encryption commodities and software to any country not
listed in Country Group E:1. Such “personal use” encryption
products may now be shipped as unaccompanied baggage to countries
not listed in Country Groups D or E. (See Supplement No. 1 to part
740 of the EAR for Country Group listings.)
- Clarifies that medical equipment and software (e.g. products for
the care of patients or the practice of medicine) that incorporate
encryption or other “information security” functions are
not classified in Category 5, Part II of the Commerce Control List.
- Clarifies that “publicly available” ECCN 5D002 encryption
source code (and the corresponding object code) is eligible for de
minimis treatment, once the notification requirements of §740.13(e)
are fulfilled.
- Publishes a “checklist”
(new Supplement No. 5 to part 742) to help exporters better identify
encryption and other “information security” functions
that are subject to U.S. export controls.
- Clarifies existing instructions related to short-range wireless
and other encryption commodities and software pre-loaded on laptops,
handheld devices, computers and other equipment.
Highlights of 6/6/02 Changes
to the
U.S. Encryption Policy
- "Mass market" encryption commodities
and software with symmetric key lengths exceeding 64-bits may now
be exported and reexported under ECCN 5A992 or 5D992, following a
30-day review.
- Equipment controlled under ECCN 5B002
may now be exported and reexported under License Exception ENC.
- Notification, review, licensing and
post-export reporting requirements for encryption items, including
"publicly available" encryption source code and "short range" wireless
products, are clarified.
|
Frequently Asked Questions |
Fact Sheet
[6/6/02]
| | |
|