Title 15: Commerce and Foreign Trade
PART 740—LICENSE EXCEPTIONS
§740.17 Encryption commodities, software, and technology (ENC).
License Exception ENC authorizes export, reexport, and transfer (in-country) of systems, equipment, commodities, and components therefor that are classified under ECCNs 5A002, 5B002, equivalent or related software and technology therefor classified under 5D002 or 5E002, and “cryptanalytic items” classified under ECCNs 5A004, 5D002 or 5E002. This License Exception ENC does not authorize export or reexport to, transfer (in-country) in, or provision of any service in any country listed in Country Groups E:1 or E:2 in supplement no. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Groups E:1 or E:2. Reexports and transfers (in-country) under License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraphs (b) and (d) of this section set forth information about classifications required by this section. Items described in paragraphs (b)(1) and (b)(3)(i), (ii), or (iv) of this section that meet the criteria set forth in Note 3 to Category 5—Part 2 of the Commerce Control List (the “mass market” note) are classified under ECCN 5A992.c or 5D992.c following self-classification or classification by BIS and are no longer subject to “EI” and “NS” controls. Paragraph (e) sets forth reporting required by this section. For items exported under paragraphs (b)(1), (b)(3)(i), (ii), or (iv) of this section and therefore excluded from paragraph (e) reporting requirements, exporters are reminded of the recordkeeping requirements in part 762 of the EAR and that they may be required to make such records available upon request. All classification requests, and reports submitted to BIS pursuant to this section for encryption items will be reviewed by the ENC Encryption Request Coordinator, Ft. Meade, MD.
(a) No classification request or reporting required. License Exception ENC authorizes the export, reexport, or transfer (in-country) to the end users and for the end uses set forth in paragraphs (a)(1) through (3) of this section, without submission of a classification request, self-classification report or sales report to BIS.
(1) Certain exports, reexports, transfers (in-country) to 'private sector end users'—(i) Internal “development” or “production” of new products. License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of items described in paragraph (a) of this section for the internal “development” or “production” of new products by 'private sector end users,' wherever located, that are headquartered in a country listed in supplement no. 3 of this part.
(ii) Certain exports, reexports, transfers (in-country) to related parties, not involving “development” or “production” of new products. For internal end uses among 'private sector end users' other than the “development” or “production” of new products, License Exception ENC authorizes exports, reexports, and transfers (in-country) of non-U.S.-origin items, described in paragraph (a) of this section, to 'private sector end users' wherever located provided that:
(A) That item became subject to the EAR after it was produced;
(B) All parties to the transaction are subsidiaries of the same parent company headquartered in a country listed in supplement no. 3 of this part; and
(C) The characteristics or capabilities of the existing item are not enhanced, unless otherwise authorized by license or license exception.
Note to paragraph (a)(1): A 'private sector end user' is either: An individual who is not acting on behalf of any foreign government; or a commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, otherwise controlled by or acting on behalf of, any foreign government.
(2) Exports, reexports, transfers (in-country) to “U.S. Subsidiaries.” License Exception ENC authorizes export, reexport, and transfer (in-country) of items described in paragraph (a) of this section to any “U.S. subsidiary,” wherever located. License Exception ENC also authorizes export, reexport, transfer (in-country) of such items by a U.S. company and its subsidiaries to foreign nationals who are employees, individual contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the “development” or “production” of new products, without prior review by the U.S. Government.
Note to paragraphs (a)(1) and (2): All items produced or developed with items exported, reexported, or transferred (in-country) under paragraphs (a)(1) or (2) of this section are subject to the EAR. These items may require the submission of a classification request before sale, reexport or transfer to non-“U.S. subsidiaries,” unless otherwise authorized by license or license exception.
(3) Reexports and transfers (in-country) of non-U.S. products developed with or incorporating U.S.-origin encryption source code, components, or toolkits. License Exception ENC authorizes the reexport and transfer (in-country) of non-U.S. products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the U.S.-origin encryption items have previously been classified or reported and authorized by BIS and the cryptographic functionality has not been changed. Such products include non-U.S. developed products that are designed to operate with U.S. products through a cryptographic interface.
Note to paragraph (a)(3): This exception from classification and reporting requirements does not apply to non-U.S.-origin products exported from the United States.
(b) Classification request or self-classification report. For products described in paragraph (b)(1) of this section that are self-classified by the exporter, a self-classification report in accordance with paragraph (e)(3) of this section is required from specified exporters, reexporters and transferors; for products described in paragraph (b)(1) of this section that are classified by BIS via a CCATS, a self-classification report is not required. For products described in paragraphs (b)(2) and (3) of this section, a thirty-day (30-day) classification request is required in accordance with paragraph (d) of this section. An exporter, reexporter, or transferor may rely on the producer's self-classification (for products described in (b)(1), only) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (2), or (3) of this section. Exporters are still required to comply with semi-annual sales reporting requirements under paragraph (e)(1) or (2) of this section, even if relying on a CCATS issued to a producer for specified encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this section.
Note to paragraph (b) introductory text: Mass market encryption software that would be considered publicly available under §734.3(b)(3) of the EAR, and is authorized for export under this paragraph (b), remains subject to the EAR until all applicable classification or self-classification requirements set forth in this section are fulfilled.
(1) Immediate authorization. This paragraph (b)(1) authorizes the exports, reexports, and transfers (in-country) of the associated commodities self-classified under ECCNs 5A002.a or 5B002, and equivalent or related software therefor classified under 5D002, except any such commodities, software, or components described in (b)(2) or (3) of this section, subject to submission of a self-classification report in accordance with §740.17(e)(3) of the EAR. Items described in this paragraph (b)(1) that meet the criteria set forth in Note 3 to Category 5—Part 2 of the Commerce Control List (the “mass market” note) are classified as ECCN 5A992.c or 5D992.c following self-classification or classification by BIS and are removed from “EI” and “NS” controls.
(2) Classification request required. Thirty (30) days after the submission of a classification request with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph under License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of the items specified in paragraph (b)(2) and submitted for classification.
Note to paragraph (b)(2) introductory text: Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, and transfers (in-country) of:
1. All submitted encryption items described in this paragraph (b)(2), except “cryptanalytic items,” to any end user located or headquartered in a country listed in supplement no. 3 to this part;
2. Encryption source code as described in paragraph (b)(2)(i)(B) to non-“government end users” in any country;
3. “Cryptanalytic items” to non-“government end users,” only, located or headquartered in a country listed in supplement no. 3 to this part; and
4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A) of this section, to specified destinations and end users.
(i) Cryptographic commodities, software, and components. License Exception ENC authorizes exports, reexports, and transfers (in-country) of the items in paragraph (b)(2)(i)(A) of this section to “less sensitive government end users” and non- “government end users” located or headquartered in a country not listed in supplement no. 3 to this part, and the items in paragraphs (b)(2)(i)(B) through (H) to non “government end users” located or headquartered in a country not listed in supplement no. 3.
(A) 'Network Infrastructure.' 'Network infrastructure' commodities and software, and components therefor, meeting any of the following with key lengths exceeding 80-bits for symmetric algorithms:
(1) WAN, MAN, VPN, backhaul and long-haul. Aggregate encrypted WAN, MAN, VPN, backhaul or long-haul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) equal to or greater than 250 Mbps;
(2) [Reserved]
(3) Satellite infrastructure. Transmission over satellite at data rates exceeding 10 Mbps;
(4) Media gateways and other unified communications (UC) infrastructure, including Voice-over-Internet Protocol (VoIP) services. Media (voice/video/data) encryption or encrypted signaling to more than 2,500 endpoints, including centralized key management therefor; or
(5) Terrestrial wireless infrastructure. Air interface coverage (e.g., through base stations, access points to mesh networks, and bridges) exceeding 1,000 meters, where any of the following applies:
(i) Maximum transmission data rates exceeding 10 Mbps (at operating ranges beyond 1,000 meters); or
(ii) Maximum number of concurrent full-duplex voice channels exceeding 30;
Notes to paragraph (b)(2)(i)(A):
1. The License Exception ENC eligibility restrictions of paragraphs (b)(2)(i)(A)(3) (satellite infrastructure) and (b)(2)(i)(A)(5) (terrestrial wireless infrastructure) do not apply to satellite terminals or modems meeting all of the following:
a. The encryption of data over satellite is exclusively from the user terminal to the gateway earth station, and limited to the air interface; and
b. The items meet the requirements of the Cryptography Note (Note 3) in Category 5—Part 2 of the Commerce Control List.
2. 'Network infrastructure' (as applied to encryption items). A 'network infrastructure' commodity or software is any “end item,” commodity or “software” for providing one or more of the following types of communications:”
(a) Wide Area Network (WAN);
(b) Metropolitan Area Network (MAN);
(c) Virtual Private Network (VPN);
(d) Satellite;
(e) Digital packet telephony/media (voice, video, data) over Internet protocol;
(f) Cellular; or
(g) Trunked.
Note 1 to paragraph 2: 'Network infrastructure' end items are typically operated by, or for, one or more of the following types of end users:
(1) Medium- or large- sized businesses or enterprises;
(2) Governments;
(3) Telecommunications service providers; or
(4) Internet service providers.
Note 2 to paragraph 2: Commodities, software, and components for the “cryptographic activation” of a 'network infrastructure' item are also considered 'network infrastructure' items.
(B) Certain “encryption source code.” “Encryption source code” that is not publicly available as that term is used in §742.15(b) of the EAR;
(C) Customized items. Encryption software, commodities and components therefor, where any of the following applies:
(1) Customized for government end users or end uses. The item has been designed, modified, adapted, or customized for “government end user(s);” or
(2) Custom or changeable cryptography. The cryptographic functionality of the item has been designed or modified to customer specification or can be easily changed by the user;
(D) Quantum cryptography. ECCN 5A002.c or 5D002 “quantum cryptography” commodities or software;
(E) [Reserved]
(F) Network penetration tools. Encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks;
(G) Public safety/first responder radio (private mobile radio (PMR)). Public safety/first responder radio (e.g., implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards);
(H) Specified cryptographic ultra-wideband and “spread spectrum” items. Encryption commodities and components therefor, classified under ECCNs 5A002.d or .e, and equivalent or related software therefor classified under ECCN 5D002.
(ii) Cryptanalytic commodities and software. “Cryptanalytic items” classified in ECCN 5A004 or 5D002 to non- “government end users” located or headquartered in countries not listed in supplement no. 3 to this part.
(iii) “Open cryptographic interface” items. Items that provide an “open cryptographic interface,” to any end user located or headquartered in a country listed in supplement no. 3 to this part.
(iv) Specific encryption technology. Specific encryption technology as follows:
(A) Technology for “non-standard cryptography.” Encryption technology classified under ECCN 5E002 for “non-standard cryptography,” to any end user located or headquartered in a country listed in supplement no. 3 to this part;
(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end user” located in a country not listed in Country Group D:1, E:1, or E:2 of supplement no. 1 to part 740 of the EAR.
Note to paragraph (b)(2): Commodities, components, and software classified under ECCNs 5A002.b or 5D002.d, for the “cryptographic activation” of commodities or software specified by this paragraph (b)(2) are also controlled under this paragraph (b)(2).
(3) Classification request required for specified commodities, software, and components. Thirty (30) days after a classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph authorizes exports, reexports, and transfers (in-country) of the items submitted for classification, as further described in this paragraph (b)(3), to any end user, provided the item does not perform the functions, or otherwise meet the specifications, of any item described in paragraph (b)(2) of this section. Items described in paragraphs (b)(3)(i), (ii), or (iv) of this section that meet the criteria set forth in Note 3 to Category 5—Part 2 of the Commerce Control List (the “mass market” note) are classified under ECCN 5A992.c or 5D992.c following classification by BIS.
Note to introductory text of paragraph (b)(3): Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, transfers (in-country) of the items described in this paragraph (b)(3) to any end user located or headquartered in a country listed in supplement no. 3 to this part.
(i) “Components,” toolsets, and toolkits. Specified components classified under ECCN 5A002.a and equivalent or related software classified under ECCN 5D002 not described by paragraph (b)(2) of this section, as follows:
(A) Chips, chipsets, electronic assemblies and field programmable logic devices;
(B) Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
(ii) “Non-standard cryptography” (by items not otherwise described in paragraph (b)(2) of this section.) Encryption commodities, software and components not described by paragraph (b)(2) of this section, that provide or perform “non-standard cryptography” as defined in part 772 of the EAR.
(iii) Advanced network vulnerability analysis and digital forensics. Encryption commodities and software not described by paragraph (b)(2) of this section, that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:
(A) Automated network vulnerability analysis and response. Automated network analysis, visualization, or packet inspection for profiling network flow, network user or client behavior, or network structure/topology and adapting in real-time to the operating environment; or
(B) Digital forensics, including network or computer forensics. Investigation of data leakage, network breaches, and other malicious intrusion activities through triage of captured digital forensic data for law enforcement purposes or in a similarly rigorous evidentiary manner.
(iv) “Cryptographic activation” commodities, components, and software. Commodities, components, and software classified under ECCNs 5A002.b or 5D002.d where the product or cryptographic functionality is not otherwise described in paragraphs (b)(2) or (b)(3)(i) of this section.
(c) Reexport and transfer (in-country). Distributors, resellers or other entities who are not original manufacturers of encryption commodities and software are permitted to use License Exception ENC only in instances where the reexport or transfer (in-country) meets the applicable terms and conditions of this section. Transfers of encryption items listed in paragraph (b)(2) of this section to “government end users,” or for government end uses, within the same country are prohibited, unless otherwise authorized by license or license exception.
(d) Classification request procedures—(1) Submission requirements and instructions. To submit a classification request to BIS, you must submit an application to BIS in accordance with the procedures described in §§748.1 and 748.3 of the EAR and the instructions in paragraph (r) of supplement no. 2 to part 748 “Unique Application and Submission Requirements,” along with other required information as follows:
(i) [Reserved]
(ii) Technical information submission requirements. For all submissions of encryption classification requests for items described under paragraph (b)(2) or (b)(3) of this section, you must submit the applicable information described in paragraphs (a) through (d) of supplement no. 6 to part 742 of the EAR (Technical Questionnaire for Encryption Items). For items eligible for self-classification that are submitted to BIS for classification you may be required to provide BIS this supplement no. 6 to part 742 information on an as-needed basis, upon request by BIS.
(iii) Changes in encryption functionality following a previous classification. A new product encryption classification request (under paragraphs (b)(2) or (b)(3) of this section) is required if a change is made to the cryptographic functionality (e.g., algorithms) or other technical characteristics affecting License Exception ENC eligibility (e.g., encrypted throughput) of the originally classified product. However, a new product classification request is not required when a change involves: the subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product where the change is limited to updates of encryption software components where the product is otherwise unchanged.
(2) Action by BIS.
(i) [Reserved]
(ii) For items requiring classification by BIS under paragraphs (b)(2) and (3) of this section. (A) For classifications that require a thirty (30-day) waiting period, if BIS has not, within thirty days (30 days) from registration in SNAP-R of your complete classification request, informed you that your item is not authorized for License Exception ENC, you may export, reexport, or transfer (in-country) under the applicable provisions of License Exception ENC.
(B) Upon completion of its classification, BIS will issue a Commodity Classification Automated Tracking System (CCATS) to you.
(C) Hold Without Action (HWA) for classification requests. BIS may hold your classification request without action if necessary to obtain additional information or for any other reason necessary to ensure an accurate classification. Time on such “hold without action” status shall not be counted towards fulfilling the thirty-day (30-day) processing period specified in this paragraph.
(iii) BIS may require you to supply additional relevant technical information about your encryption item(s) or information that pertains to their eligibility for License Exception ENC at any time, before or after the expiration of the thirty-day (30-day) processing period specified in this paragraph and in paragraphs (b)(2) and (3) of this section. If you do not supply such information within 14 days after receiving a request for it from BIS, BIS may return your classification request(s) without action or otherwise suspend or revoke your eligibility to use License Exception ENC for that item(s). At your request, BIS may grant you up to an additional 14 days to provide the requested information. Any request for such an additional number of days must be made prior to the date by which the information was otherwise due to be provided to BIS, and may be approved if BIS concludes that additional time is necessary.
(e) Reporting requirements—(1) Semiannual reporting requirement. Semiannual reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs (b)(2) and (b)(3)(iii) of this section. Certain encryption items and transactions are excluded from this reporting requirement, see paragraph (e)(1)(iii) of this section. For information about what must be included in the report and submission requirements, see paragraphs (e)(1)(i) and (ii) of this section respectively.
(i) Information required. Exporters must include for each item, the Commodity Classification Automated Tracking System (CCATS) number and the name of the item(s) exported (or reexported from Canada), and the following information in their reports:
(A) Distributors or resellers. For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end user's name and address;
(B) Direct sales. For items exported (or reexported from Canada) through direct sale, the name and address of the recipient, the item, and the quantity exported; or
(C) Foreign manufacturers and products that use encryption items. For exports (i.e., from the United States) or direct transfers (e.g., by a “U.S. subsidiary” located outside the United States) of encryption components, source code, general purpose toolkits, equipment controlled under ECCN 5B002, technology, or items that provide an “open cryptographic interface,” to a foreign developer or manufacturer headquartered in a country not listed in supplement no. 3 to this part when intended for use in foreign products developed for commercial sale, the names and addresses of the manufacturers using these encryption items and, if known, when the product is made available for commercial sale, a non-proprietary technical description of the foreign products for which these encryption items are being used (e.g., brochures, other documentation, descriptions or other identifiers of the final foreign product; the algorithm and key lengths used; general programming interfaces to the product, if known; any standards or protocols that the foreign product adheres to; and source code, if available).
(ii) Submission requirements. For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks and CDs containing the reports may be sent to the following addresses:
(A) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave. NW., Room 2705, Washington, DC 20230, Attn: Encryption Reports, and
(B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755-6000.
(iii) Exclusions from reporting requirement. Reporting is not required for the following items and transactions:
(A) [Reserved]
(B) Encryption commodities or software with a symmetric key length not exceeding 64 bits;
(C) Encryption items exported (or reexported from Canada) via free and anonymous download;
(D) Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations;
(E) [Reserved]
(F) Foreign products developed by bundling or compiling of source code.
(2) Key length increases. Reporting is required for commodities and software that, after having been classified and authorized for License Exception ENC in accordance with paragraphs (b)(2) or (3) of this section, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported, reexported or transferred (in-country) under the previously authorized provision of Lic