740.17—Encryption commodities, software and technology (ENC).
License Exception ENC authorizes export and reexport of systems, equipment, commodities and components therefor that are classified under ECCNs 5A002.a.1, a.2, a.5, a.6 or a.9, systems, equipment and components therefor classified under ECCN 5B002, and equivalent or related software and technology classified under ECCNs 5D002 or 5E002. This License Exception ENC does not authorize export or reexport to, or provision of any service in any country listed in Country Group E:1 in supplement No. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Group E:1. Reexports and transfers under License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraphs (b) and (d) of this section set forth information about encryption registrations and classifications required by this section. Paragraph (e) sets forth reporting required by this section. For items exported under paragraphs (b)(1), (b)(3)(i), (b)(3)(ii) or (b)(3)(iv) of this section and therefore excluded from paragraph (e) reporting requirements, exporters are reminded of the recordkeeping requirements in part 762 of the EAR and that they may be required to make such records available upon request. All classification requests, registrations, and reports submitted to BIS pursuant to this section for encryption items will be reviewed by the ENC Encryption Request Coordinator, Ft. Meade, MD.
(1) Internal “development” or “production” of new products.
License Exception ENC authorizes exports and reexports of items described in paragraph (a)(1)(i) of this section, to end-users described in paragraph (a)(1)(ii) of this section, for the intended end-use described in paragraph (a)(1)(iii) of this section without submission of encryption registration, classification request, self-classification report or sales report to BIS.
(i) Eligible items.
Eligible items are those classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, ECCN 5B002, and equivalent or related software and technology classified under ECCNs 5D002 or 5E002.
(ii) Eligible End-users.
Eligible end-users are “private sector end-users” wherever located that are headquartered in a country listed in supplement No. 3 of this part.
Code of Federal Regulations
Code of Federal Regulations
287
(iii) Eligible End-use.
The eligible end-use is internal “development” or “production” of new products by those end-users.
Code of Federal Regulations
(2)
Exports and reexports to “U.S. Subsidiaries.” License Exception ENC authorizes export and reexport of systems, equipment, commodities and components therefor classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, systems, equipment, and components therefor classified under ECCN 5B002, and equivalent or related software and technology classified under ECCNs 5D002 or 5E002, to any “U.S. subsidiary,” wherever located without submission of an encryption registration, classification request, self-classification report or sales report to BIS. License Exception ENC also authorizes export or reexport of such items by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the “development” or “production” of new products, without prior review by the U.S. Government.
Code of Federal Regulations
(b) Encryption registration required, with classification request or self-classification report.
Exports and reexports authorized under paragraphs (b)(1), (b)(2) and (b)(3) of License Exception ENC require submission of an encryption registration in accordance with paragraph (d) of this section and the specific instructions of paragraph (r)(1) of supplement No. 2 to part 748 of the EAR. For items self-classified under paragraph (b)(1) of this section from June 25, 2010 through August 24, 2010, and for requests for classification under paragraphs (b)(2) and (b)(3) of this section submitted from June 25, 2010 through August 24, 2010, exporters have until August 24, 2010 to submit their encryption registrations. In addition: for paragraph (b)(1) of this section a self-classification report in accordance with § 742.15(c) of the EAR is also required from specified exporters and reexporters; for paragraphs (b)(2) and (b)(3) of this section, a thirty-day (30-day) classification request is required in accordance with paragraph (d) of this section. See paragraph (f) of this section for grandfathering provisions applicable to certain encryption items reviewed and classified by BIS under this license exception prior to June 25, 2010. Only License Exception ENC authorizations under this paragraph (b) to a company that has fulfilled the requirements of encryption registration (such as the producer of the item) authorize the export and reexport of the company's encryption items by all persons, wherever located, under this license exception. When an exporter or reexporter relies on the producer's self-classification (pursuant to the producer's encryption registration) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (b)(2), or (b)(3) of this section, it is not required to submit an encryption registration, classification request or self-classification report. Exporters are still required to comply with semi-annual sales reporting requirements under paragraph (e) of this section, even if relying on a CCATS issued to a producer for specified encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this section.
(1) Immediate authorization.
Once an encryption registration is submitted to BIS in accordance with paragraph (d) of this section and an Encryption Registration Number (ERN) has been issued, this paragraph (b)(1) authorizes the exports or reexports of the associated commodities classified under ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, or ECCN 5B002, and equivalent or related software classified under ECCN 5D002, except any such commodities, software or components described in (b)(2) or (b)(3) of this section, subject to submission of a self-classification report in accordance with § 742.15(c) of the EAR.
(2) Classification request required.
Thirty (30) days after the submission of a classification request with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph under License Exception ENC authorizes certain exports or reexports of the items submitted for classification, as further described in paragraphs (b)(2)(i), (b)(2)(ii) and (b)(2)(iv)(B) of this section.
Code of Federal Regulations
(i) Cryptographic commodities, software and components.
The following items to non-“government end-users” located or headquartered in a country not listed in supplement No. 3 to this part:
(A)
Network infrastructure software and commodities and components thereof (including commodities and software necessary to activate or enable cryptographic functionality in network infrastructure products) providing secure Wide Area Network (WAN), Metropolitan Area Network (MAN), Virtual Private Network (VPN), satellite, digital packet telephony/media (voice, video, data) over Internet protocol, cellular or trunked communications meeting any of the following with key lengths exceeding 80-bits for symmetric algorithms:
(1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) greater than 90 Mbps;
(2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-channel input data rate exceeding 154 Mbps;
(3) Transmission over satellite at data rates exceeding 10 Mbps;
(4) Media (voice/video/data) encryption or centralized key management supporting more than 250 concurrent encrypted data channels, or encrypted signaling to more than 1,000 endpoints, for digital packet telephony/media (voice/video/data) over Internet protocol communications; or
(5) Air-interface coverage (e.g., through base stations, access points to mesh networks, and bridges) exceeding 1,000 meters, where any of the following applies:
(i) Maximum transmission data rates exceeding 10 Mbps (at operating ranges beyond 1,000 meters);
(ii) Maximum number of concurrent full-duplex voice channels exceeding 30; or
(iii) Substantial support is required for installation or use;
(B)
Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in § 740.13(e)(1) of the EAR;
(1) Been designed, modified, adapted or customized for “government end-user(s)”;
(2) Cryptographic functionality that has been modified or customized to customer specification; or
(3) Cryptographic functionality or “encryption component” (except encryption software that would be considered publicly available, as that term is used in § 740.13(e)(1) of the EAR) that is user-accessible and can be easily changed by the user;
(D)
Encryption commodities and software that provide functions necessary for quantum cryptography, as defined in ECCN 5A002 of the Commerce Control List;
(E)
Encryption commodities and software that have been modified or customized for computers classified under ECCN 4A003;
(F)
Encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks;
(G)
Public safety/first responder radio (e.g., implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards);
(ii) Cryptanalytic commodities and software.
Commodities and software classified as “cryptanalytic items” to non-“government end-users” located or headquartered in countries not listed in supplement No. 3 to this part;
(iii) “Open cryptographic interface” items.
Items that provide an “open cryptographic interface”, to any end-user located or headquartered in a country listed in supplement No. 3 to this part.
(A)
Technology for “non-standard cryptography.” Encryption technology classified under ECCN 5E002 for “non-standard cryptography,” to any end-user located or headquartered in a country listed in supplement No. 3 to this part;
(B) Other technology.
Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end-user” located in a country not listed in Country Group D:1 or E:1 of supplement No. 1 to part 740 of the EAR.
Code of Federal Regulations
(3)
Classification request required for
specified commodities, software and components. Thirty (30) days after a classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph authorizes exports or reexports of the items submitted for classification, as further described in this paragraph (b)(3), to any end-user, provided the item does not perform the functions, or otherwise meet the specifications, of any item described in paragraph (b)(2) of this section.
Code of Federal Regulations
(i)
Specified components classified under ECCN 5A002.a.1, .a.5 or .a.6 and equivalent or related software classified under ECCN 5D002 not described by paragraph (b)(2) of this section, as follows:
(B)
Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs);
(ii)
Encryption commodities, software and components not described by paragraph (b)(2) of this section, that provide or perform “non-standard cryptography” as defined in part 772 of the EAR.
(iii)
Encryption commodities and software not described by paragraph (b)(2) of this section, that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:
(A)
Automated network analysis, visualization, or packet inspection for profiling network flow, network user or client behavior, or network structure/topology and adapting in real-time to the operating environment; or
(B)
Investigation of data leakage, network breaches, and other malicious intrusion activities through triage of captured digital forensic data for law enforcement purposes or in a similarly rigorous evidentiary manner.
(iv) Cryptographic enabling commodities and software.
Commodities and software and components that activate or enable cryptographic functionality in encryption products which would otherwise remain disabled, where the product or cryptographic functionality is not otherwise described in paragraphs (b)(2) or (b)(3)(i) of this section.
(4) Exclusions from classification request, encryption registration and self-classification reporting requirements.
License Exception ENC authorizes the export and reexport of the commodities and software described in this paragraph (b)(4) without the submission of a classification request, encryption registration or self-classification report to BIS, except that paragraph (b)(4)(ii) of this section does not authorize exports from the United States of foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits.
(i) Short-range wireless encryption functions.
Commodities and software that are not otherwise controlled in Category 5, but are nonetheless classified under ECCN 5A002, 5B002 or 5D002 only because they incorporate components or software that provide short-range wireless encryption functions (e.g., with a nominal operating range not exceeding 100 meters according to the manufacturer's specifications, designed to comply with the Institute of Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard or the IEEE 802.15.1 standard).
Code of Federal Regulations
(ii) Foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits.
Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the U.S.-origin encryption items have previously been classified or registered and authorized by BIS and the cryptographic functionality has not been changed. Such products include foreign-developed products that are designed to operate with U.S. products through a cryptographic interface.
(c) Reexport and transfer.
U.S. or foreign distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the export or reexport meets the applicable terms and conditions of this section. Transfers of encryption items listed in paragraph (b)(2) of this section to “government end-users,” or for government end-uses, within the same country are prohibited, unless otherwise authorized by license or license exception.
(d) Encryption registration and classification request procedures—
(1) Submission requirements and instructions.
To submit an encryption registration or classification request to BIS, you must submit an application to BIS in accordance with the procedures described in §§ 748.1 and 748.3 of the EAR and the instructions in paragraph (r) of supplement No. 2 to part 748 “Unique Application and Submission Requirements,” along with other required information as follows:
(i) Encryption registrations in support of encryption classification requests and self-classification reports.
You must submit the applicable information as described in supplement No. 5 to part 742 of the EAR and follow the specific instructions of paragraph (r)(1) of supplement No. 2 to part 748 of the EAR, if any of the following apply:
(A)
This is your first time submitting an encryption classification request under paragraphs (b)(2) or (b)(3) of this section since August 24, 2010;
(B)
You are making an encryption item eligible for export and reexport (including as defined for encryption software in § 734.2(b)(9) of the EAR) under paragraph (b)(1) of this section for the first time since August 24, 2010; or
(C)
If you have not otherwise provided BIS the information described in supplement No. 5 to part 742 during the current calendar year and your answers to the questions in supplement No. 5 to part 742 have changed since the last time you provided answers to the questions.
(ii) Technical information submission requirements.
In addition to the encryption registration requirements of paragraph (d)(1)(i) of this section, for all submissions of encryption classification requests for items described under paragraph (b)(2) or (b)(3) of this section, you must also provide BIS the applicable information described in paragraphs (a) through (d) of supplement No. 6 to part 742 of the EAR (Technical Questionnaire for Encryption Items). For items authorized after submission of an encryption registration under paragraph (b)(1) of this section, you may be required to provide BIS this supplement No. 6 to part 742 information on an as-needed basis, upon request by BIS.
(iii) Changes in encryption functionality following a previous classification.
A new product encryption classification request (under paragraphs (b)(2) or (b)(3) of this section) or self-classification report (under paragraph (b)(1) of this section) is required if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting License Exception ENC eligibility (e.g., encrypted throughput) of the originally classified product. However, a new product classification request or self-classification report is not required when a change involves: The subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.
(i) Encryption registrations for paragraph (b) of this section.
Upon submission to BIS of an encryption registration in accordance with paragraph (d)(1) of this section and acceptance of the application by SNAP-R, BIS will issue the Encryption Registration Number (ERN) via SNAP-R, which will constitute authorization for exports and reexports of eligible items under paragraph (b)(1) of this license exception.
(A)
For classifications that require a thirty (30) day waiting period, if BIS has not, within thirty-days (30-days) from registration in SNAP-R of your complete classification request, informed you that your item is not authorized for License Exception ENC, you may export or reexport under the applicable provisions of License Exception ENC.
(B)
Upon completion of its classification, BIS will issue a Commodity Classification Automated Tracking System (CCATS) to you.
(C) Hold Without Action (HWA) for classification requests.
BIS may hold your classification request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate classification. Time on such “hold without action” status shall not be counted towards fulfilling the thirty-day (30-day) processing period specified in this paragraph.
(iii)
BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility for License Exception ENC at any time, before or after the expiration of the thirty-day (30-day) processing period specified in this paragraph and in paragraphs (b)(2) and (b)(3) of this section, or after any registrations as required in paragraph (b)(1) of this section. If you do not supply such information within 14 days after receiving a request for it from BIS, BIS may return your classification request(s) without action or otherwise suspend or revoke your eligibility to use License Exception ENC for that item(s). At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS, and may be approved if BIS concludes that additional time is necessary.
(e) Reporting requirements—
(1) Semi-annual reporting requirement.
Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs (b)(2) and (b)(3)(iii) of this section. Certain encryption items and transactions are excluded from this reporting requirement, see paragraph (e)(1)(iii) of this section. For information about what must be included in the report and submission requirements, see paragraphs (e)(1)(i) and (e)(1)(ii) of this section respectively.
(i) Information required.
Exporters must include for each item, the Commodity Classification Automated Tracking System (CCATS) number and the name of the item(s) exported (or reexported from Canada), and the following information in their reports:
(A) Distributors or resellers.
For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end-user's name and address;
(B) Direct Sales.
For items exported (or reexported from Canada) through direct sale, the name and address of the recipient, the item, and the quantity exported; or
(C) Foreign manufacturers and products that use encryption items.
For exports (i.e., from the United States) or direct transfers (e.g., by a “U.S. subsidiary” located outside the United States) of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an “open cryptographic interface,” to a foreign developer or manufacturer headquartered in a country not listed in supplement No. 3 to this part when intended for use in foreign products developed for commercial sale, the names and addresses of the manufacturers using these encryption items and, if known, when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available).
(ii) Submission requirements.
For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks and CDs containing the reports may be sent to the following addresses:
(A)
Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: Encryption Reports, and
(B)
Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755-6000.
(iii) Exclusions from reporting requirement.
Reporting is not required for the following items and transactions:
(D)
Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations;
(E)
Items listed in paragraph (b)(4) of this section, unless it is a foreign item described in paragraph (b)(4)(ii) of this section that has entered the United States;
(2) Key length increases.
Reporting is required for commodities and software that, after having been classified and authorized for License Exception ENC in accordance with paragraphs (b)(2) or (b)(3) of this section, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported or reexported under the previously authorized provision of License Exception ENC without a classification resubmission.
(A)
A certification that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms.
(B)
The original Commodity Classification Automated Tracking System (CCATS) authorization number issued by BIS and the date of issuance.
(A)
The report must be received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and
(f) Grandfathering.
The following provisions apply to encryption items reviewed and classified by BIS under this license exception prior to June 25, 2010:
(1) Items described in paragraphs (b)(1) or (b)(3) of this section.
For encryption commodities, software and components described in (or otherwise meeting the specifications of) paragraphs (b)(1) or (b)(3) of this section effective June 25, 2010, such items reviewed and classified by BIS prior to June 25, 2010 are authorized for export and reexport to eligible end-users and destinations under the applicable paragraph (b)(1) or (b)(3) of this license exception using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in supplement No. 5 to part 742 of the EAR), new classification by BIS, self-classification reporting (i.e., the information described in supplement No. 8 to part 742 of the EAR), or semi-annual sales reporting required under section 740.17(e) provided the cryptographic functionality of the item has not changed. See paragraph (d)(1)(iii) of this section regarding changes in encryption functionality following a previous classification.
(i) Commodities, software and components described in paragraph (b)(2)(i) of this section.
For encryption commodities, software and components described in (or otherwise meeting the specifications of) paragraph (b)(2)(i) of this section effective June 25, 2010, such items reviewed and classified by BIS prior to June 25, 2010 are authorized for export and reexport to eligible end-users and destinations under paragraph (b)(2) of this license exception using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in supplement No. 5 to part 742 of the EAR) and new classification by BIS, provided the previous CCATS established License Exception ENC § 740.17(b)(2) treatment for the item and the cryptographic functionality of the item has not changed. See paragraph (d)(1)(iii) of this section regarding changes in encryption functionality following a previous classification. An encryption registration and updated classification must be submitted to BIS for items described in paragraph (b)(2)(i) of this section effective June 25, 2010 if the items were not previously classified under § 740.17(b)(2), even if the cryptographic functionality has not changed.
(ii) Cryptoanalytic items, open cryptographic interface items, and encryption technology.
For items described in (or otherwise meeting the specifications of) paragraphs (b)(2)(ii), (b)(2)(iii) or (b)(2)(iv) of this section effective June 25, 2010, such items reviewed and classified by BIS prior to June 25, 2010 are authorized for export and reexport to eligible end-users and destinations under paragraph (b)(2) of this license exception using the CCATS previously issued by BIS, without any encryption registration (i.e., the information described in supplement No. 5 to part 742 of the EAR), new classification by BIS, or self-classification reporting (i.e., the information described in supplement No. 8 to part 742 of the EAR), provided the cryptographic functionality of the item has not changed. See paragraph (d)(1)(iii) of this section regarding changes in encryption functionality following a previous classification.