On September 20 the US Department of Commerce (DOC) published a final rule revising the Commerce Control List (CCL) and other sections of the Export Administration Regulations (EAR).  The final rule implements changes agreed at the December 2015 Wassenaar Arrangement[1] plenary meeting and incorporates additional updates to the EAR.  The rule makes changes throughout the CCL – revising 58 Export Control Classification Numbers (ECCNs), adding two ECCNs, and revising license exception eligibility for seven ECCNs.  The focus of the changes are on ECCNs controlled for national security reasons, but the most significant changes appear to be to DOC’s encryption rules, which last saw major changes in June 2010.  The DOC rule changes are effective as of the publication date of September 20.

Encryption Rule RevisionsOn September 20 the US Department of Commerce (DOC) published a final rule revising the Commerce Control List (CCL) and other sections of the Export Administration Regulations (EAR). The final rule implements changes agreed at the December 2015 Wassenaar Arrangement[1] plenary meeting and incorporates additional updates to the EAR. The rule makes changes throughout the CCL – revising 58 Export Control Classification Numbers (ECCNs), adding two ECCNs, and revising license exception eligibility for seven ECCNs. The focus of the changes are on ECCNs controlled for national security reasons, but the most significant changes appear to be to DOC’s encryption rules, which last saw major changes in June 2010. The DOC rule changes are effective as of the publication date of September 20.

The DOC made a number of changes to the encryption-related export control rules in the September 20 notice. These changes include substantive and editorial revisions to Category 5 – Part 2 of the CCL, as well as modifications to registration and reporting requirements, and changes to license exception eligibility and use. The Encryption Commodities, Software, and Technology (ENC) license exception in Section 740.17 of the EAR continues to be available for most exports of encryption items.

Encryption Registrations

The DOC is no longer requiring companies to file encryption registrations and to obtain encryption registration numbers (ERNs). For over five years, the DOC had been requiring those registrations before exporters could use the mass market and ENC license exception provisions – including those involving self-classifications. As of September 20, that requirement no longer exists. The DOC will continue to gather information previously required for registrations as it is moving some of the information that was in the encryption registrations to the self-classification report for encryption items described in Supplement 8 to Part 742.

Encryption Classification Requests

In the September 20 rule change, the DOC also revised the technical questionnaire used to submit classification requests for encryption items. Found in Supplement 6 to Part 742 of the EAR, the questionnaire is newly titled to include “information security” items along with encryption items. While much of the information requested, such as descriptions of encryption algorithms and use, remains the same, there are new questions, including whether any of the submitter’s encryption products or its encryption components are manufactured outside the United States, and specifics about Part 740.17(b)(3) criteria (such as, chip, chipset, electronic assembly, digital forensics, and non-standard cryptography). Exporters submitting classification review requests should ensure that their submissions do not simply copy earlier requests, but take into account the new and reordered questions in Supplement 6 to Part 742.

Category 5 – Part 2 Changes

In its September 20 final rule, the DOC also revised the part of the CCL containing telecommunications and information security items – commonly known as the encryption section of the CCL. In particular, the DOC has made changes to ECCNs 5A002, 5B002, 5D002, 5E002, 5A992, 5D992 and 5E992, and the DOC is adding two new ECCNs to Category 5 – Part 2: 5A003 and 5A004.

The DOC is deleting the ECCNs for 5A992.a, 5A992.b, 5D992.a, and 5D992.b – requiring a significant internal re-classification effort for companies who relied on these ECCNs for certain encryption items (such as those using encryption only for authentication). These items are now controlled elsewhere on the CCL (such as in 5A991) or, in some cases, these items are now are classified as EAR99. Exporters who previously received a CCATS with ECCNs of 5A992.a, 5A992.b, 5D992.a, and 5D992.b may self-classify these items based on the changed CCL.

The DOC is also adding two new ECCNs to Category 5 – Part 2: 5A003 and 5A004. 5A003 controls “systems,” equipment,” and “components” for non-cryptographic “information security.” It includes communications cable systems designed or modified using mechanical, electrical, or electronic means to detect surreptitious intrusion (now in 5A003.a; formerly in 5A002.a.8) and items “specially designed” or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety, or electromagnetic interference standards (now in 5A003.b; formerly in 5A002.a.4). ECCN 5A003.a applies only to physical layer security. Unlike 5A002, which now has “EI,” “NS Column 1,” and “AT Column 1” as its reasons for control for all 5A002 items, 5A003 has “NS Column 2” and “AT Column 1” as its reason for control – maintaining the same controls that previously applied to the 5A003 items when they were part of 5A002.

The new ECCN 5A004 controls items that defeat, weaken, or bypass information security, including items designed or modified to perform cryptanalytic functions (formerly in 5A002.a.2). (Cryptoanalytic functions are “functions designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords, or cryptographic keys.”) ECCN 5A004 items have the same controls as 5A002 items and require a license to all locations except for Canada, unless a license exception applies.

Elsewhere in 5A002, some of the items in 5A002.a are now moved to 5A002.c, .d, and .e, while what was 5A002.a.7 has been taken out of the CCL altogether – removing the control on security systems and devices that have been certified to exceed class EAR-6 (evaluation assurance level). The DOC has also revised Category 5 – Part 2 by removing Note 1 and moving it to a General Information Security Note, which is found in Supplement 2 to Part 774 of the EAR. Note 1 stated that the control status of information security items was determined in Category 5 – Part 2 even if they are components, software, or functions of other systems or equipment.

Mass Market Changes

While removing some “992” items from Category 5 – Part 2 and thereby designating them as EAR99 (unless they fall elsewhere on the CCL), the DOC is maintaining the ECCNs for mass market encryption items – 5A992.c, 5D992.c, and 5E992.b. However, the DOC has moved the mass market encryption provisions from Part 742.15 to the ENC license exception in Part 740.17 of the EAR. Mass market items are now found in Part 740.17(b)(1) and (b)(3) of the ENC license exception. Note 3 to Category 5 – Part 2 (known as the “Cryptography Note”), which removes certain mass market items from control under ECCNs 5A002 and 5D002, is also updated. One of the existing Note 3 requirements for mass market items is that the price and information about the main functionality of the item must be available before purchase without the need to consult the vendor or supplier. In the September 20 notice, the DOC is adding a clarifying sentence that a simple price inquiry is not considered to be a consultation.

ENC License Exception

The DOC made a number of changes to the ENC license exception in its September 20 rule change. As an initial matter, exporters to Cuba will want to note that while ENC previously was not available for exports and services to E:1 countries (or release of source code or technology to any nationals of E:1 countries); the same restriction now applies to E:2 countries (a country group that currently includes only Cuba). As noted in the September 20 notice, this change corrects an oversight that occurred when the DOC moved Cuba from E:1 to E:2 in July 2015. Notably, this does not substantively change Cuba’s treatment under ENC, since Part 740.2 notes that exports to Cuba generally are ineligible for license exceptions unless otherwise noted in the text of the license exception itself.

Under the September 20 rule changes, the DOC is maintaining the license exception in Part 740.17(a)(1) for internal development or production of new products for certain exports to private sector end users. It is adding to that section of ENC a license exception for certain exports to related parties not involving development of production of new products. As in the past, Part 740.17(a)(1), which does not have a classification request or reporting requirement, is tied to a requirement for companies to be headquartered in a Supplement 3 country, a group that includes most countries in Europe, along with Australia, New Zealand, Turkey, and Japan. The DOC is also adding Croatia to the list of countries in Supplement 3.

The DOC is creating a new section 740.17(a)(3) in the ENC license exception to authorize re-exports of foreign made items developed with or incorporating US-origin encryption – as long as the US encryption components have been classified or reported and authorized by the DOC without changes in the encryption functionality. A similar provision was previously found in section 740.17(b)(4). As with sections 740.17(a)(1) and (a)(2), section 740.17(a)(3) does not require any classification or self-classification of the exported end items.

In a helpful change for products that qualify for self-classification in 740.17(b)(1), if those items receive a CCATS as a 740.17(b)(1) item, the exporter does not have to include reporting for those items when it submits its annual self-classification report to the DOC for (b)(1) items. The (b)(1) report is a simple annual report, but exporters who do not want to do that reporting may consider obtaining a formal CCATS rather than self-classifying these items.

There are a number of changes to items falling within 740.17(b)(2). In particular, the DOC updated the performance parameters to: (1) increase aggregate encrypted throughput from 90 Mbps to 250 Mbps; (2) delete the single channel input data rate; (3) delete 250 concurrent encrypted data channels; (4) raise the media parameter from 1,000 endpoints to 2,500; and (5) include a carve out for mass market satellite modems that use end-to-end encryption between the modem and the hub. The DOC also added items controlled under 5A002.d (channelizing codes) and 5A002.e (spread spectrum) to ENC 740.17(b)(2).

ENC 740.17(b)(2) is also revised to reflect different authorizations under the ENC license exception for different types of users. For example, it incorporates the DOC’s new definition of “less sensitive government end users” and allows exports of certain (b)(2) items to “less sensitive government end users” in addition to non-government end users. “Less sensitive government end users” (as applied to encryption items) include, for example, local government police, fire, and rescue, public safety agencies, and federal government civil service agencies, while “more sensitive government end users” include agencies for science and technology, currency and monetary authorities, executive heads of state, legislative bodies, import and export control agencies, intelligence agencies, judiciaries, and airport authorities, among others. More specifics on these definitions are found in Part 772 of the EAR. Exporters of (b)(2) items should take note of where their items fall within (b)(2) as they may have new exporting possibilities due to the changes. (Note that, in addition to adding definitions of “more sensitive government end-users” and “less sensitive government end-users” to Part 772, the DOC also clarified that government-owned public schools and universities are “government end-users” as defined in Part 772.)

The DOC removed Part 740.17(b)(4) from the ENC license exception. In addition to moving some items to the new Part 740.17(a)(3), the DOC is deleting the paragraph on short-range wireless items as most of these items have been decontrolled due to decontrol notes in ECCN 5A002 and in Note 4 to Category 5 – Part 2 of the CCL.

Other License Exception Changes for Encryption Items

The DOC is also revising the license exception eligibility for some Category 5 – Part 2 ECCNs. The new 5A003 is eligible for the GOV license exception and 5E002 is now eligible for license exception TMP pursuant to 740.9 of the EAR.

The DOC is revising license exception TSU and Part 742.15 of the EAR to state that publicly available encryption source code classified under ECCN 5D002 is no longer subject to the EAR once the TSU email notification is sent to BIS and the ENC Encryption Request Coordinator. Part 742.15(b) now contains the notification requirement that was previously found within TSU at Part 740.13(e).

Encryption Item Licensing

The DOC is continuing to utilize Encryption Licensing Arrangements (ELAs) for export authorizations for unlimited quantities of encryption commodities and software over four year periods. The new version of Part 742.15(a)(2), which describes the ELAs, utilizes the new definition of “more sensitive government end-users.” Part 742.15(a)(2) states that ELAs may be authorized for items described in Part 740.17(b)(2)(i)(A) that the DOC has classified to “more sensitive government end users” in all destinations except for Country Groups E:1 or E:2 of Supplement 1 to Part 740. The DOC may also authorize ELAs for “more sensitive government end users” for encryption commodities and software described in Part 740.17(b)(2)(ii) through (iv) under certain circumstances.

Other CCL Changes

The rule change revises 58 ECCNs in every category of the CCL, and adds two ECCNs (the encryption-related ECCNs). Outside of the encryption and information security ECCNs, the DOC is removing some items, such as certain hydraulic fluids (ECCN 1C006), from control where the items are no longer viewed as strategic goods. The DOC is also revising ECCN descriptions to describe the scope of control more accurately and to point to relevant definitions in the EAR.

One significant change outside of the encryption rule changes relates to digital computers: the DOC is raising the Adjusted Peak Performance (APP) for high performance computers. Commerce is also amending APP parameters in several places in the EAR, including in the de minimis rules and the APP license exception. The DOC concurrently is removing The Foreign National Review requirement for deemed exports under the APP license exception (and the CIV license exception).

As with other changes to the EAR and CCL through export control reform, exporters are advised to pay close attention to the September 20 modifications to the EAR in order to implement the changes in their export classifications and related processes. This rule change affects a wide swath of industries due to the changes through the EAR, but the greatest effect relates to the encryption rules. In some cases, the rules will allow exporters to simplify their processes, including potentially eliminating reporting requirements for some self-classified items. While new CCATS requests and uses of the ENC and other license exceptions all require attention to the new rule, in some cases (such as the elimination of the encryption registration requirement), the rule changes eliminate what previously were traps for the unwary. In addition to other guidance provided in this advisory, exporters are advised to review details of the rule changes carefully when applying the new rules to their export operations.