The Bureau of Industry and Security (BIS) recently published changes to its encryption regulations in an effort to simplify the text and focus the scope of controls. The biggest change is that Note 4, the “primary purpose exemption,” has been replaced by a positive list of controlled items. These changes also introduce the term “cryptography for data confidentiality” as the key to defining what is and is not captured by the new positive list.

Many companies will need to review encryption classifications in light of these changes, and many other companies that have encryption in software (or hardware) that have not addressed export control issues should take advantage of this change in the rules to do so now.