On September 20, the Commerce Department's Bureau of Industry and Security (BIS) published a final rule containing a number of revisions to the Export Administration Regulations (EAR) based upon changes agreed at the 2015 Plenary Meeting of the Wassenaar Arrangement, a multilateral group of states, including the U.S., working together to control the international trade in sensitive and dual-use technologies. While changes have been made throughout the EAR and Commerce Control List (CCL), among the most significant of those changes are a number of revisions to the EAR's encryption regulations and the Information Security items described in Category 5, Part 2 of the CCL.

Information Security Items

Part A of Category 5, Part 2, has been reorganized and divided into three sub-categories of items:

  1. Cryptographic Information Security
  2. Non-Cryptographic Information Security
  3. Defeating, Weakening, or Bypassing Information Security

In line with these changes, a number of items under Export Control Classification Number (ECCN) 5A002 have been relocated to newly-created ECCNs 5A003 and 5A004, which are systems, equipment, and components for non-cryptographic information security, and defeating, weakening, or bypassing information security, respectively. The license requirements for these items have not changed.

ECCN 5A992 has been simplified, and now only describes mass market encryption items under ECCN 5A992.c. Paragraphs 5A992.a and 5A992.b are deleted, and the items they controlled are either now controlled at a higher level within Category 5, Part 2, or are considered EAR99. This means that items that employ only encryption algorithms with a key length of less than 56-bits (symmetric), 512 bits (asymmetric), or 112 bits (elliptic curve) are now EAR99 items, in addition to items for which encryption algorithms are used only for password protection or authentication purposes. Similarly, ECCN 5D992 now controls only mass market encryption items under 5D992.c, though some items previously controlled by that ECCN may now be classified as 4D993.

Encryption

BIS made a substantial number of changes in the two primary provisions governing encryption items: License Exception ENC (15 C.F.R. § 740.17) and Section 742.15 of the EAR. Many of these changes are aimed at streamlining the encryption rules and reducing the registration and licensing burdens faced by exporters.

First, the requirement for an encryption registration (previously set forth at Section 740.17(b)) has been eliminated. Exporters who self-classify their products under Section 740.17(b)(1) must still submit an annual self-classification report, any may continue to submit commodity classification requests for products which are otherwise eligible for self-classification. For any products so classified, they do not need to be included in that company's annual self-classification report. The self-classification reporting provisions formerly in Section 742.15 have now been moved to Section 740.17. The elimination of the encryption registration requirement will be a benefit to companies. However, annual self-classification reports now require the inclusion, on a product-specific basis, of the type of information that previously was required as part of the encryption registration process.

Second, the scope of License Exception ENC has been expanded to authorize exports, reexports, and transfers (in-country) among related parties for internal use other than "development" or "production" of new products. The list of items that require a classification request before being exported pursuant to paragraph (b)(2) of License Exception ENC has been revised to update the performance parameters for certain items, such as some network infrastructure items. Paragraph (b)(2) has also been revised to control specified cryptographic ultra-wideband or "spread spectrum" items and related software which were previously eligible for lower levels of control in paragraph (b)(1) or (b)(3).

Paragraph (b)(2)'s scope of authorization has also been expanded to include exports, reexports, and transfers (in-country) to the newly-created category of "less sensitive government end users," and is no longer strictly limited to non-government end users. In addition, certain types of satellite infrastructure equipment that meet the mass market requirements set forth in Category 5, Part 2 of the CCL are now eligible to use paragraph (b)(2).

Third, publicly available encryption object code with corresponding source code meeting a one-time notification requirement in Section 742.15(b) is not subject to the EAR. This provision and notification requirement was previously set forth in License Exception TSU.

Finally, Croatia has been added to the list of countries for License Exception ENC set forth in Supplement No. 3 to Part 740.