On September 20, 2016, the Bureau of Industry and Security (“BIS”) published a final rule in the Federal Register implementing the 2015 Wassenaar Arrangement Plenary Agreements and that also included changes to a number of encryption-related provisions in the Export Administration Regulations (“EAR”). BIS described the changes as a “minor relaxation” intended to streamline and make more efficient the encryption requirements of the EAR. At the same time, BIS made clear that it considers the scope of encryption controls and the related License Exception ENC relatively unchanged. Key changes include:
- Changes to ECCN 5A002 and Addition of ECCNs 5A003 and 5A004:
ECCN 5A002 has been reorganized and there are now three categories of “information security” items: (1) ECCN 5A002 continues to cover “cryptographic information security” items, which remain subject to EI (Encryption), NS (National Security) Column 1 and AT (Anti-Terrorism) Column 1 controls; (2) new ECCN 5A003 covers certain “non-cryptographic information security” items previously covered under ECCN 5A002 .a.4 & .a.8 (e.g., communications cable systems for detecting surreptitious intrusion) and subject to NS Column 2 controls but not EI controls; and (3) new ECCN 5A004 covers items for “defeating, weakening, or bypassing information security” previously covered under ECCN 5A002 .a.2 (e.g., cryptanalytic items), which remain subject to EI, NS Column 1 and AT Column 1 controls. Exporters should review their existing ECCN 5A002-classified items to ensure proper classification going forward.
- Elimination of Certain 5X992 ECCNs:
ECCNs 5A992 .a & .b, 5D992 .a & .b and 5E992 .a have been eliminated. These ECCNs previously covered items falling under the decontrol notes in ECCN 5A002, such as items that use encryption solely for authentication purposes, smart cards, wireless PAN equipment, etc. These items will generally now be classified as EAR99, although BIS warns exporters that other ECCNs, such as 5A991 or Category 4, could apply. Items that are now classified as EAR99 will no longer be subject to AT controls and therefore not controlled under the EAR to Iran or Sudan. Such items could now be eligible for certain authorizations that are otherwise unavailable for 5X992 ECCNs, such as certain provisions of License Exception CCD (Consumer Communications Devices) for Cuba and Sudan and OFAC General License D-1 for Iran.
- Mass Market Items:
The only items left covered under 5X992 are those eligible for mass market treatment, i.e., those controlled under ECCN 5A/D992.c and related technology under ECCN 5E992.b. In addition, BIS moved the mass market eligibility and reporting criteria from EAR § 742.15(b) into EAR § 740.17(b), consolidating them with the provisions of License Exception ENC. BIS also clarified that a “simple price inquiry is not considered to be a consultation” when evaluating the requirement that the price of mass market items be available without the need to consult the vendor or supplier.
- Elimination of Encryption Registration Requirement:
BIS has eliminated the requirement that exporters obtain an Encryption Registration Number (“ERN”) prior to most uses of License Exception ENC, although the information previously collected in the ERN registration process will now be collected through the annual self-classification reporting process under License Exception ENC, where required. Exporters should consult the revised Supplement No. 8 to EAR Part 742 for the new information reporting requirements.
- New Definitions of “Less Sensitive Government End Users” and “More Sensitive Government End Users”:
BIS added a new definition for “less sensitive government end users.” Such end users outside Supplement No. 3 countries will be eligible for certain exports, reexports and transfers of high-performance network infrastructure items covered under License Exception ENC paragraph (b)(2) 30 days after the submission of a self-classification request to BIS; previously exports to all government end users outside the Supplement No. 3 countries had to be licensed under an Electronic Licensing Agreement (“ELA”). The addition of a separate definition for “more sensitive government end users” clarifies that these users are still subject to licensing requirements.
- Changes to the Technical Performance Control Parameters for Network Infrastructure Items:
The technical parameters for items authorized under License Exception ENC paragraph (b)(2) were increased: the aggregate encrypted WAN, MAN, VPN, backhaul or long-haul encrypted throughput was increased from equal or greater than 90 Mbps to equal or greater than 250 Mbps; and the number of endpoints for media (voice/video/data) encryption or encrypted signaling was raised from 1,000 to 2,500. Also, mass market satellite modems that use end-to-end encryption between the modem and the hub (ground-to-ground) are carved out of License Exception paragraph (b)(2) and are now eligible for export under License Exception ENC paragraph (b)(1).
- New Intra-Company Authorization:
BIS added a new authorization in License Exception ENC paragraph (a)(1)(ii) for exports, reexports and transfers of non-U.S.-origin items between related parties owned by a parent headquartered in a Supplement No. 3 country for internal use only. Such transactions do not trigger any classification or reporting requirements.
- Other Encryption-Related Changes:
- Publicly available encryption source (and related object) code will no longer be “subject to the EAR” immediately upon submission of an email notification to BIS. Previously, such source code remained subject to the EAR, but eligible for export under License Exception TSU after an email notification to BIS.
- ECCN 5E002 technology is now eligible for the “tools of trade” provision of License Exception TMP.
- Croatia was added to the list of countries in Supplement No. 3 to Part 740 that are eligible for favorable treatment under License Exception ENC.
- The Supplement 6 form for ENC classification requests has been revised, and various decontrol and technical notes have been reorganized and some renumbered.
- BIS has clarified that encryption items that have been formally classified by BIS under a CCATS ruling do not also need to be included in annual self-classification reports under License Exception ENC.
- Other Non-Encryption Key Changes:
- The Adjusted Peak Performance (APP) level for high performance computers above which exports to Tier 3 countries require a specific license has increased from 8.0 to 12.5 Weighted TeraFLOPS (WT). Associated changes have also been made to the deemed export APP thresholds.
- The Foreign National Review (“FNR”) requirements associated with the deemed export provisions of License Exceptions APP and CIV have been removed.
- Various other ECCNs have been revised in line with the changes agreed at the 2015 Wassenaar Arrangement plenary.
Overall, the effect of these changes is relatively small, although the movement of once-familiar provisions to new locations within the EAR may cause confusion in the exporting community. Exporters will need to revisit some ECCNs and ensure that they use updated versions of the EAR when completing encryption-related filings and reports. Compliance processes and procedures may also need to be revised, but may ultimately be simpler and more straightforward. BIS has published a short summary of the Information Security Updates pending a full update of its online encryption guidance.