On September 20, 2016, the Department of Commerce, Bureau of Industry and Security (BIS), issued a Final Rule updating the Export Administration Regulations (EAR) and the Commerce Control List (CCL) as a result of the Wassenaar Arrangement Plenary Agreement (2015) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (the Wassenaar Arrangement), a multilateral group of 41 countries, including the United States, that advocates for "effective export controls on strategic items." U.S. implementation of changes agreed to by the Wassenaar Arrangement ensures a "level playing field" with competitors in other Participating States and here represents a relaxation of certain U.S. encryption controls. The Final Rule is 38 pages of amendments, primarily made to harmonize the EAR and CCL with the Wassenaar Arrangement changes, the most significant of which, related to encryption-related items and technology, are highlighted here.
1. Key Changes to Information Security Controls (CCL, Category 5, Part 2)
Recognizing that the Wassenaar Arrangement changes eliminated the need for certain subcategories and created a need for other, new subcategories, there are significant changes to Category 5, Part 2:
- ECCNs previously covering items not otherwise controlled by ECCN 5A002 have been eliminated. ECCNs 5A992.a & .b, 5D992.a & .b, and 5E992 have been removed from the CCL. Items previously classified under these ECCNs – e.g., certain smart cards and smart card readers/writers, cryptographic equipment specially designed for banking use, etc. – are now considered EAR99, or should be classified within a different section of the CCL (e.g., Cat. 5, Part 1, or Cat. 4). Decontrolling these items means that they could now be eligible for certain BIS License Exceptions or OFAC General Licenses that were not available to 5X992 items – for example, exports to Cuba or Sudan in certain circumstances.
- Encryption items previously classified as ECCN 5A002 (information security systems, equipment, and components) have been subdivided into three separate categories, each with a different ECCN:
- A revamped ECCN 5A002 has been narrowed in scope to include only "cryptographic information security items."
- A newly created ECCN 5A003 (non-cryptographic information security items), which encompasses certain items formerly classified as ECCNs 5A002.a.4 and 5A002.a.8.
- A newly created ECCN 5A004 (items defeating, weakening, or bypassing information security), which encompasses certain items formerly classified as ECCN 5A002.a.2.
The same license requirements and exceptions that applied to items when classified as ECCN 5A002 apply to those items now classified under 5A003 and 5A004. BIS also made conforming changes to existing ECCNs 5B002 (information security test, inspection, and "production" equipment), 5D002 (information security software), and 5E002 (information security technology).
2. Mass Market Encryption Items
Given that many items previously classified as ECCN 5A992, pursuant to the exclusion Note in 5A002 are now classified as EAR99 (or potentially controlled elsewhere on the CCL), ECCN 5A992 has been amended to reference only the items that remain categorized therein: mass market encryption items controlled under ECCNs 5A992.c, 5D992.c, and related ECCN 5E992.b technology. In acknowledging the association of these provisions, BIS consolidated the mass market eligibility provisions in License Exception ENC (§ 740.17(b)) from §742.15. Importantly, BIS added a Note regarding mass market eligibility, clarifying that a "simple price inquiry is not considered to be a consultation" in order to fulfill the mass market requirement that the product be able to be installed without "consultation" by the supplier.
3. License Exception ENC – Elimination of Encryption Registration Requirement
License Exception ENC authorizes the export, reexport, and transfer without a license of certain encryption items to companies in countries listed in Part 740, Supplement No. 3. Companies using License Exception ENC had been required to submit an "Encryption Registration" to BIS, along with a classification request or self-classification report, depending on the product classification. These changes have eliminated the requirement to submit an Encryption Registration. However, exporters must now familiarize themselves with an expanded annual Self-classification Report (Supplement No. 8 to Part 742), which requests information previously required in the Registration. Notably, companies that receive a formal commodity classification determination (CCATS) confirming that an item may be self-classified are not required to include that item on their self-classification report. In addition, Supplement No. 3 to Part 740 has been expanded to include Croatia (an EU member), which harmonizes the U.S. and EU lists of countries that do not require a license for encryption items.
4. New Category of "Less Sensitive Government End Users" under License Exception ENC
New categories of "more" and "less" sensitive government end users have carved up the previous definition of government end users (as applied to encryption items). A new definition of "less sensitive government end users" (Part 772) comprises local/state/provincial governments and national/federal/royal government agencies fulfilling certain non-military-related functions, such as census-taking, civil public works, weather service, public health, etc. These government agencies are understood to be less likely to use encryption for their purposes.
5. Technical Performance Parameters for "Network Infrastructure" Items
The performance parameters for Part 740.17(b)(2) network infrastructure items (understood to be "ENC Restricted") have increased – for aggregate encrypted WAN, MAN, VPN, backhaul, or long-haul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) – from more than 90 Mbps to 250 Mbps or more. Media encryption encrypted signaling is raised from more than 1,000 to 2,500 endpoints. Certain mass market satellite modems are also eligible for export under ENC, § 740.17(b)(2). This Section has also been amended to authorize exports of network infrastructure items to certain non-government end users, and to "less sensitive government end users."
* * * * * * * * * *
The changes included here are not exhaustive. For example, the Adjusted Peak Performance (APP) level for high-performance computers (above which a specific license is required for export) has been adjusted from 8.0 to 12.5 Weighted TeraFLOPS (trillion floating point operations per second) (WT), and certain "intra-company" transfers of controlled non-U.S.-origin items for internal use no longer trigger reporting or classification requirements. While each of the amendments taken alone does not radically change the U.S. encryption controls landscape, in the aggregate these changes mean that exporters and reexporters must update product records, and review templates and processes to ensure not only compliance, but also that your business is operating as efficiently as possible and taking advantage of potential opportunities under these new rules.