Crypto export restrictions

RESOURCES:Cat. five, Part 2: Quick Reference GuideFlowchart 1

Flowchart 2 ENC/Mass Market 740.17 Table

Network InfrastructureQuick link to Regulations:

PDF of 8/15/2017 Federal Register

PDF of 9/20/2016 Federal Register740.17 License Exception ENC742.15 Encryption ItemsCategory 5, Part 2 772 – DefinitionsSupplement eight to Part 742Supplement 6 to Part 742

Encryption and Export Administration Regulations (EAR)

Here is a summary of the choices modifications made to license exception ENC by using this rule.

The U.S. Commerce Control List (CCL) is damaged in to ten Categories  0 – nine (see Supplement No. 1 to element 774 of the EAR).  Encryption objects fall underneath Category 5, Part 2 for Information Security.  Cat. five, Part 2 covers:

•    1) Cryptographic Information Security; (e.g., gadgets that use cryptography)•    2) Non-cryptographic Information Security (5A003); and•    three) Defeating, Weakening of Bypassing Information Security (5A004)

You can discover a Quick Reference Guide to Cat. five, Part 2 here.

The controls in Cat. 5, Part 2 encompass multilateral and unilateral controls. The multilateral controls in Cat. 5, Part 2 of the choices EAR (e.g., 5A002, 5A003, 5A004, 5B002, 5D002, 5E002) come from the Wassenaar Arrangement List of Dual Use Goods and Technologies. Changes to the choices multilateral controls are agreed upon through the collaborating individuals of the choices Wassenaar Arrangement.  Unilateral controls in Cat. five, Part 2 (e.g., 5A992.c, 5D992.c, 5E992.b) of the EAR are determined on via the choices United States.  

 The fundamental license exception this is used for gadgets in Cat. 5, Part 2 is License Exception ENC (Section 740.17). License exception ENC gives a huge set of authorizations for encryption products (objects that implement cryptography) that modify relying on the object, the give up-person, the choices stop-use, and the choices vacation spot. There isn’t any “unexportable” degree of encryption beneath license exception ENC. Most encryption merchandise may be exported to maximum destinations below license exception ENC, as soon as the exporter has complied with applicable reporting and classification requirements. Some gadgets going to a few destinations require licenses.

This steerage does now not apply to gadgets problem to the special jurisdiction of every other company.  For instance, ITAR USML Categories XI(b),(d), and XIII(b), (l) manage software program, technical statistics, and other items especially designed for military or intelligence programs.

 The following 2 flowcharts lay out the choices evaluation to comply with for figuring out if and the way the EAR and Cat.5 Part 2 observe to a product incorporating cryptography:Flowchart 1: Items Designed to Use Cryptography Including Items NOT managed below Category five Part 2 of the choices EAR Flowchart 2: Classified in Category five, Part 2 of the choices EARSimilarly, the subsequent written define gives the analysis to comply with for determining if and how the choices EAR and Cat.five Part 2 follow to a product incorporating cryptography.  Although Category five Part 2 controls extra than simply cryptography, most items which can be in Category 5 Part 2 fall under 5A002.a, 5A002.b, 5A004, or 5A992 or their software and technology equivalents. 

1.    Encryption objects which can be NOT concern to the EAR (publicly to be had)2.    Items situation to Cat. five, Part 2:

a. 5A002.a (and equal software beneath 5D002 c.1) applies to gadgets that:

i. Use ‘cryptography for facts confidentiality’; and

ii.  Have ‘in extra of 56 bits of symmetric key period, or equal’; and

iii.  Have cryptography defined in 1 and a couple of above where the choices cryptographic functionality is usable, activated, or may be activated by means of “cryptographic activation” no longer employing a steady mechanism; and

iv.  Are described below 5A002 a.1 – a.four; and

v.  Are not defined by way of Decontrol notes.

b. 5A992.c (and software program equivalence controlled beneath 5D992.c) is likewise known as mass marketplace. These objects meet all the above descried underneath 5A002.a and Note 3 to Category 5, Part 2. See the choices MASS MARKET segment for extra data.

c. 5A002.b (and software equivalence controlled below 5D002.b) applies to objects designed or changed to allow, by using “cryptographic activation,” an item to obtain/exceed the choices controlled performance stages for functionality specified via 5A002.a now not otherwise enabled (e.g., license key to enable cryptography). d. 5A004 (and equivalent software program managed under 5D002.c.three) applies to objects designed or modified to carry out ‘cryptanalytic capabilities’ inclusive of via opposite engineering.e. The following are less normally used entries:

5A003 (and equivalent software program managed beneath 5D002.c.2) applies to communication cables systems designed to hit upon surreptitious intrusion and additionally applies to objects in particular designed to lessen the compromising emanations of information-bearing alerts beyond what is vital for health, protection or electromagnetic interference standards.

5A002.c-.e (and equal software controlled below 5D002.c.1) controls things like Quantum Key Distribution, cryptographic techniques for structures using ultra-wideband modulation, and cryptographic strategies to generate spreading code for spread spectrum.

3. License Exception ENC and mass marketIf you’ve got long gone thru the steps above and your product is managed in Cat. 5, Part 2 under an ECCN aside from 5A003 (and equivalent or associated software program and generation), then it’s far eligible for at the least some a part of license exception ENC. The subsequent step is to determine which part of License Exception ENC the choices product falls beneath. Knowing which part of ENC the product falls underneath will inform you what you want to do to make the object eligible for ENC, and where the choices product can be exported without a license.

Types of authorization to be had for license exception ENC:                  a.   Mass Market                   b.   740.17(a)                  c.   740.17(b)(2)                  d.   740.17(b)(three)/Mass market                  e.   740.17(b)(1)/ Mass market4.    Once you determine what authorization applies to your product, then you can need to report a classification request, annual self-class file, and/or semi-annual income report. The links beneath provide commands on a way to post reports and Encryption Reviews:      a.     How to document an Annual Self-Classification Report      b.     How to file a Semi-annual Report      c.     How to Submit an ENC or Mass marketplace category review5.    After you have submitted the right class and/or record, there can be some times in which a license is still required. Information on whilst a license is needed, forms of licenses available, and how to submit are under:      a.   When a License is Required      b.   Types of licenses available      c.   How to report a license application6.    FAQs7.    Contact us