US Dept. of Commerce - RFC

-----------------------------------------------------------------------

[Federal Register: December 31, 1998 (Volume 63, Number 251)]
[Rules and Regulations]
[Page 72156-72167]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31de98-18]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 740, 742, 743, 772 and 774

[Docket No. 9809-11233-8318-02]
RIN 0694-AB80


Encryption Items

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Interim rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: This interim rule amends the Export Administration Regulations
(EAR) for exports and reexports of encryption commodities and software
to U.S. subsidiaries, insurance companies, health and medical end-
users, on-line merchants and foreign commercial firms. This rule
implements the Administration's initiative to update its encryption
policy, and will streamline U.S. encryption export and reexport
controls.

DATES: This rule is effective: December 31, 1998. Comments must be
received on or before March 1, 1999.

ADDRESSES: Written comments on this rule should be sent to Nancy Crowe,
Regulatory Policy Division, Bureau of Export Administration, Department
of Commerce, P.O. Box 273, Washington, DC 20044. Express mail address:
Nancy Crowe, Regulatory Policy Division, Bureau of Export
Administration, Department of Commerce, 14th Street and Pennsylvania
Ave, N.W., Room 2705, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James Lewis, Office of Strategic Trade
and Foreign Policy Controls, Bureau of Export Administration,
Telephone: (202) 482-0092.

SUPPLEMENTARY INFORMATION: On September 16, 1998, the Administration
announced a series of steps to update its encryption policy in a way
that meets the full range of national interests. These steps will
promote electronic commerce, support law enforcement and national
security, and protect privacy. They also further streamline exports and
reexports of key recovery products, and other recoverable encryption
products, which allow for the recovery of plaintext, and permit exports
and reexports of encryption of any key length (with or without key
recovery) to several industry sectors. This interim rule amends the EAR
for exports and reexports of encryption commodities and software to
U.S. subsidiaries, insurance companies, health and medical end-users,
on-line merchants and foreign commercial firms. Specifically, this rule
amends the EAR in the following ways:
    1. In Sec. 740.8, Key Management Infrastructure, removes the key
recovery agent requirements for License Exception KMI eligibility for
exports and reexports of recovery encryption commodities and software.
Further, key recovery commitment plans and the six month progress
reviews are eliminated and exporters are no longer required to name or
submit to BXA additional information on a key recovery agent prior to
export. The products may be exported or reexported under License
Exception KMI after a technical review. Note also that 56-bit products
supported by a KMI plan that have been classified after a technical
review and are eligible under License Exception KMI are now eligible
for export and reexport under License Exception ENC (see
Sec. 740.17(a)(3) of the EAR).
    2. Also in Sec. 740.8, removes and adds to newly created License
Exception ENC the paragraphs concerning financial-specific encryption
commodities and software and general purpose encryption commodities and
software for banks and financial institutions. This transfer will
simplify the use of License Exceptions for encryption commodities and
software and creates no change in policy.
    3. In part 740, creates new License Exception ENC by adding
Sec. 740.17, Encryption commodities and software. This new License
Exception is divided into two significant parts: a global
category including the use of License Exception ENC for exports and
reexports of encryption commodities and software to all destinations,
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria; and a
country specific category permitting the use of License Exception ENC
for exports and reexports of encryption commodities and software to
countries listed in Supplement No. 3 to part 740. This new License
Exception allows the following exports and reexports of encryption
commodities and software that are classified under ECCNs 5A002 and
5D002, after a technical review that considers the cryptographic
functionality of the product:
    a. Exports and reexports of encryption commodities, software and
technology, including source code of any key length are also eligible
under this license exception to U.S. subsidiaries for internal company
proprietary use to all destinations except Cuba, Iran, Iraq, Libya,
North Korea, Sudan and Syria. Encryption chips, integrated circuits,
toolkits, executable or linkable modules, which can modify or enhance
the cryptographic functionality (e.g., the confidentiality algorithm,
key space and key exchange mechanism) or incorporate the cryptographic
function in another item are eligible for license exception ENC only
for export to U.S. subsidiaries. Note that exports to ``strategic
partners'' of U.S. companies, such as subcontractors and joint
ventures, will be considered favorably under a license when the end-use
is for the protection of U.S. company proprietary information. For the
purposes of this regulation, consideration as a ``strategic partner,''
as defined in part 772, should not be deemed to alter or affect any
legal relationship that might otherwise exist between the relevant
parties.
    b. Encryption commodities, including mass market and non-mass
market, and non-mass market software incorporating symmetric algorithms
with key lengths up to and including 56-bits, such as DES or equivalent
(such as RC2, RC4, RC5 and CAST) to all destinations except Cuba, Iran,
Iraq, Libya, North Korea, Sudan and Syria. Encryption chips, integrated
circuits, toolkits and executable or linkable modules are not
authorized for export under License Exception ENC and will require a
license or an Encryption Licensing Arrangement. Note that subsequent
bundling, updates or releases may be exported and reexported under
applicable provisions of the EAR without a separate technical review as
long as the functional encryption capacity of the originally reviewed
encryption commodities, including mass market and non-mass market, and
non-mass market software has not been modified or enhanced.
    c. Authorizes insurance companies to receive general purpose
encryption commodities and software of any key length that have been
classified after a technical review. This change corresponds with the
addition of insurance companies to the definition of financial
institutions in part 772. With this change, exports and reexports of
general purpose encryption commodities and software are eligible under
License Exception ENC to financial institutions (including insurance
companies) in all destinations listed in Supplement No. 3 to part 740,
and to branches of these entities located worldwide except countries
that support international terrorism (Cuba, Iran, Iraq, Libya, North
Korea, Sudan and Syria).
    d. Encryption commodities and software of any key length to health
and medical end-users in all destinations listed in Supplement No. 3 to
part 740. Exports and reexports of such commodities and software are
not eligible under License Exception ENC to non-U.S. biochemical and
pharmaceutical manufacturers and non-U.S. military health and medical
entities. Licenses for such entities will be considered on a case-by-
case basis.
    e. Encryption commodities and software of any key length for on-
line merchants in all destinations listed in Supplement No. 3 to part
740. Such commodities and software must be limited to client-server
applications (e.g., Secure Socket Layer (SSL) based applications) or
applications specially designed for on-line transactions. End-use is
limited to the purchase or sale of goods and software; and services
connected with the purchase or sale of goods and software, including
interactions between purchasers and sellers necessary for ordering,
payment and delivery of goods and software. No other end-uses or
customer to customer communications or transactions are allowed.
Foreign on-line merchants or their separate business units who are
engaged in the manufacturing and distribution of items or services
controlled on the U.S. Munitions List are excluded. Foreign government
end-users also are excluded from this License Exception.
    Examples of permitted end-uses under License Exception ENC for on-
line merchants include buying and selling goods and software through an
electronic medium, which may involve the ordering of, and payment for
goods and software; placing and receiving orders; pricing,
configuration, validation and ordering of products; obtaining copies of
invoices; reviewing shipping schedules; notification of shipments or
changes; and placing reservations and purchasing airline tickets. It
allows for contract manufacturers to directly access demand and
inventory information; direct purchasing with trading partners;
approval functions for requisitions which require approval; and on-line
catalogue purchases, and the electronic exchange of purchase or sales
information by multiple trading partners. It does not include such end-
uses as general purpose messaging, collaborative research projects
(e.g., collaborative engineering), data warehousing, remote computing
services or electronic communications services.
    4. In Supplement No. 3 to part 740, adds Czech Republic and United
States to the list of countries to clarify that branches of Czech
Republic and U.S. banks and financial institutions, located worldwide
except in countries that support international terrorism (Cuba, Iran,
Iraq, Libya, North Korea, Sudan and Syria) may receive general purpose
encryption commodities and software limited to secure business
financial communications or transactions and financial communications
or transactions between the bank and/or financial institution and its
customers. Supplement No. 3 is also amended to reflect the licensing
policy for exports and reexports of recoverable encryption commodities
and software to commercial entities located in certain countries and
subsidiaries of commercial entities headquartered in certain countries,
wherever located, except Cuba, Iran, Iraq, Libya, North Korea, Sudan
and Syria.
    5. In Sec. 742.15, revises the licensing policy for exports and
reexports of encryption items as follows:
    a. Removes the business and marketing plan requirement for exports
of non-recovery 56-bit DES or equivalent encryption items.
    b. Authorizes upgrades of 40-bit mass-market encryption software
that has already been classified after a technical review and released
from EI controls. Such software may be upgraded to 56-bits for the
confidentiality algorithm without an additional technical review.
    c. Makes certain encryption commodities eligible for mass-market
treatment.
    d. For exports and reexports of general purpose encryption
commodities and software of any key length that are not eligible under
License Exception ENC, insurance companies are now eligible to receive
such products under an Encryption Licensing Arrangement. This is
consistent with the addition of insurance companies to the definition
of financial institutions in part 772. Such encryption commodities and
software will receive favorable consideration when the end-use is
limited to secure financial communications or transactions, provided
that there are no concerns about the country or specific end-user.
    e. For exports and reexports of encryption commodities and software
of any key length not eligible under License Exception ENC, such
commodities and software will generally be approved under an Encryption
Licensing Arrangement to all health and medical end-users, except non-
U.S. biochemical and pharmaceutical manufacturers and non-U.S. military
health and medical entities, in all destinations except Cuba, Iran,
Iraq, Libya, North Korea, Sudan and Syria.
    f. For exports and reexports of encryption commodities and software
of any key length not eligible under License Exception ENC, such
commodities and software will generally be approved under an Encryption
Licensing Arrangement to on-line merchants in all destinations except
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. The end-use is
limited to the purchase or sale of goods and software; and services
connected with the purchase or sale of goods and software including
interactions between purchasers and sellers necessary for ordering,
payment and delivery of goods and software. No other end-uses or
customer-to-customer communications or transactions are allowed.
    g. Exports and reexports of recoverable encryption commodities and
software of any key length for use by commercial entities will
generally be approved under an Encryption Licensing Arrangement to
destinations listed in Supplement No. 3 to part 740 for the protection
of company proprietary information. Such encryption commodities and
software will also generally be approved for export and reexport to
worldwide foreign subsidiaries of commercial firms headquartered in
certain countries, except to subsidiaries located in Cuba, Iran, Iraq,
Libya, North Korea, Sudan and Syria.
    Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement is reviewed on a case-by-case basis,
and may be considered by BXA for eligibility under future Encryption
Licensing Arrangement requests. All other exports and reexports of
encryption items are reviewed on a case-by-case basis under a license
application.
    6. Also in Sec. 742.15, clarifies the reporting requirement for
exports to certain end-users.
    7. In part 772, revises the definition of financial institution to
include the meaning of insurance company and adds definitions for
business unit, health and medical end-user, on-line merchant,
recoverable commodities and software, strategic partner (of a U.S.
company), and U.S. subsidiary. Also clarifies that such definitions
only apply to encryption items.
    BXA will in the near future update these regulations to reflect
changes to encryption controls in the Wassenaar Arrangement and to
address public comments on the September 22, 1998 rule (63 FR 50516)
that implemented new licensing policies for banks and financial
institutions.

Rulemaking Requirements

    1. This interim rule has been determined to be significant for
purposes of E.O. 12866.
    2. Notwithstanding any other provision of law, no person is
required to respond to, nor shall any person be subject to a penalty
for failure to comply with a collection of information, subject to the
requirements of the Paperwork Reduction Act, unless that collection of
information displays a currently valid Office of Management and Budget
Control Number. This rule contains collections of information subject
to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These
collections have been approved by the Office of Management and Budget
under control numbers 0694-0088, ``Multi-Purpose Application,'' which
carries a burden hour estimate of 52.5 minutes per submission; and
0694-0104, ``Commercial Encryption Items Transferred from the
Department of State to the Department of Commerce.'' The Department has
submitted to OMB an emergency request for approval of the changes to
the collection of information under OMB control number 0694-0104.
Comments on collection 0694-0104 will be accepted until March 1, 1999.
    It will take companies 15 minutes to complete each certification.
It will take companies 15 minutes to complete notifications. For
reporting under License Exception KMI, it will take companies 1 hour to
complete KMI reporting. For reporting under License Exception ENC, it
will take companies 4 hours to complete ENC reporting.
    3. This rule does not contain policies with Federalism implications
sufficient to warrant preparation of a Federalism assessment under E.O.
12612.
    4. The provisions of the Administrative Procedure Act (5 U.S.C.
553) requiring notice of proposed rulemaking, the opportunity for
public participation, and a delay in effective date, are inapplicable
because this regulation involves a military and foreign affairs
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no
other law requires that a notice of proposed rulemaking and an
opportunity for public comment be given for this interim final rule.
Because a notice of proposed rulemaking and an opportunity for public
comment are not required to be given for this rule under 5 U.S.C. or by
any other law, the requirements of the Regulatory Flexibility Act (5
U.S.C. 601 et seq.) are not applicable.
    However, because of the importance of the issues raised by these
regulations, this rule is issued in interim form and comments will be
considered in the development of final regulations. Accordingly, the
Department of Commerce encourages interested persons who wish to
comment to do so at the earliest possible time to permit the fullest
consideration of their views.
    The period for submission of comments will close March 1, 1999. The
Department will consider all comments received before the close of the
comment period in developing final regulations. Comments received after
the end of the comment period will be considered if possible, but their
consideration cannot be assured. The Department will not accept public
comments accompanied by a request that a part or all of the material be
treated confidentially because of its business proprietary nature or
for any other reason. The Department will return such comments and
materials to the persons submitting the comments and will not consider
them in the development of final regulations. All public comments on
these regulations will be a matter of public record and will be
available for public inspection and copying. In the interest of
accuracy and completeness, the Department requires comments in written
form. Comments should be provided with 5 copies.
    Oral comments must be followed by written memoranda, which will
also be a matter of public record and will be available for public
review and copying.
    The public record concerning these regulations will be maintained
in the Bureau of Export Administration Freedom of Information Records
Inspection Facility, Room 4525, Department of Commerce, 14th Street and
Pennsylvania Avenue, N.W., Washington, D.C. 20230. Records in this
facility, including written public comments and memoranda summarizing
the substance of oral communications, may be inspected and copied in
accordance with regulations published in part 4 of Title 15 of the Code
of Federal Regulations. Information about the inspection and copying of
records at the facility may be obtained from Henry Gaston, Bureau of
Export Administration Freedom of Information Officer, at the above
address or by calling (202) 482-0500.
    The reporting burden for this collection is estimated to be
approximately 815 hours, including the time for gathering and
maintaining the data needed for completing and reviewing the collection
of information. Comments are invited on: (a) whether the collection of
information is necessary for the proper performance of the functions of
the agency, including whether the information shall have practical
utility; (b) the accuracy of the agency's estimate of the burden of the
proposed collection of information; (c) ways to enhance the quality,
utility, and clarity of the information to be collected; and (d) ways
to minimize the burden of the collection of information on respondents,
including through the use of automated collection techniques or other
forms of information technology. Comments regarding these burden
estimates or any other aspect of the collection of information,
including suggestions for reducing the burdens, should be forwarded to
Nancy Crowe, Regulatory Policy Division, Office of Exporter Services,
Bureau of Export Administration, Department of Commerce, P.O. Box 273,
Washington, D.C. 20044, and David Rostker, Office of Management and
Budget, OMB/OIRA, 725 17th Street, NW, NEOB Rm. 10202, Washington, D.C.
20503.

List of Subjects

15 CFR Parts 740 and 743

    Administrative practice and procedure, Exports, Foreign trade,
Reporting and recordkeeping requirements.

15 CFR Parts 742, 772 and 774

    Exports, foreign trade.

    Accordingly, 15 CFR Chapter 7, Subchapter C, is amended as follows:
    1. The authority citation for 15 CFR parts 740 and 772 continues to
read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Executive Order
13026 (November 15, 1996, 61 FR 58767); Notice of August 17, 1998
(63 FR 55121, August 17, 1998).

    2. The authority citation for 15 CFR part 742 continues to read as
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a;
E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 3
CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp.,
p. 917; E.O. 12938, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 3 CFR,
1996 Comp. p. 219; E.O. 13026, 3 CFR, 1996 Comp., p. 228; Notice of
August 17, 1998 (63 FR 55121, August 17, 1998).

    3. The authority citation for 15 CFR part 743 continues to read as
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August
17, 1998 (63 FR 55121, August 17, 1998).

    4. The authority citation for 15 CFR part 774 continues to read as
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C.
287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; Sec. 201, Pub. L. 104-
58, 109 Stat. 557 (30 U.S.C. 185(s)); 30 U.S.C. 185(u); 42 U.S.C.
2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50
U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917;
Executive Order 13026 (November 15, 1996, 61 FR 58767); Notice of
August 17, 1998 (63 FR 55121, August 17, 1998).

PART 740--[AMENDED]

    5. Section 740.8 is amended:
    a. By revising the section title;
    b. By revising paragraph (b);
    c. By removing paragraph (d); and
    d. By redesignating paragraph (e) as paragraph (d) to read as
follows:

Sec. 740.8  Key management infrastructure (KMI)

    (a) * * *
    (b) Eligible commodities and software. (1) Recovery encryption
commodities and software of any key length controlled under ECCNs 5A002
and 5D002 that have been classified after a technical review through a
classification request. Key escrow and key recovery commodities and
software must meet the criteria identified in Supplement No. 4 to part
742 of the EAR.
    (2) For such classification requests, indicate ``License Exception
KMI'' in block 9 on Form BXA-748P. Submit the original request to BXA
in accordance with Sec. 748.3 of the EAR and send a copy of the request
to:

Attn: KMI Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246
* * * * *
    6. Part 740 is amended by adding a new Sec. 740.17 to read as
follows:

Sec. 740.17  Encryption commodities and software (ENC).

    (a) Exports and reexports of encryption commodities and software to
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria.
    (1) Financial-specific encryption commodities and software of any
key length.
    (i) Scope. You may export and reexport financial-specific
encryption commodities and software (which are not eligible under the
provisions of License Exception TSU for mass market software such as
SET or similar protocols) of any key length that are restricted by
design (e.g., highly field-formatted with validation procedures, and
not easily diverted to other end-uses) for financial applications to
secure financial communications/transactions for end-uses such as
financial transfers, or electronic commerce.
    (ii) Eligible commodities and software. Encryption commodities and
software of any key length classified under ECCNs 5A002 and 5D002 after
a technical review (see paragraph (c) of this section). These
commodities and software must be specifically designed and limited for
use in the processing of electronic financial (commerce) transactions,
which implements cryptography in specifically delineated fields such as
merchant's identification, the customer's identification and address,
the merchandise purchased and the payment mechanism. It does not allow
for encryption of data, text or other media except as directly related
to these elements of the electronic transaction to support financial
communications/transactions. Notwithstanding the provisions of
paragraph (c)(2) of this section, financial-specific commodities and
software that were made eligible for License Exception KMI after a
technical review prior to December 31, 1998, are now eligible for
export and reexport under License Exception ENC under the provisions of
this paragraph (a)(1).
    (iii) Eligible destinations. Upon approval of your classification
request, you may export and reexport under License Exception ENC
financial-specific encryption commodities and software, as defined in
this paragraph (a)(1), of any key length to all destinations except
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.
    (iv) Reporting requirements. There are no reporting requirements.
    (2) Encryption commodities and software of any key length for U.S.
subsidiaries. (i) Scope. You may export
and reexport encryption commodities and software of any key length
under License Exception ENC to U.S. subsidiaries (as defined in part
772 of the EAR) subject to the conditions of this paragraph (a)(2).
Note that distributors, resellers or other entities that are not
manufacturers of the encryption commodities and software are permitted
to use License Exception ENC for U.S. subsidiaries only in instances
where the export or reexport meets the terms and conditions of this
paragraph (a)(2).
    (ii) Eligible commodities and software. Encryption commodities,
software and technology of any key length classified under ECCNs 5A002,
5D002 and 5E002 after a technical review (see paragraph (c) of this
section). This includes encryption chips, integrated circuits,
toolkits, executable or linkable modules, source code and technology to
U.S. subsidiaries for internal company proprietary use, including the
development of new products.
    (iii) Eligible destinations; retransfers. You may export and
reexport under License Exception ENC encryption commodities, software
and technology of any key length to U.S. subsidiaries for internal
company proprietary use, including the development of new products, in
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria. All items developed using U.S. encryption commodities, software
and technology are subject to the EAR. For exports and reexports to
strategic partners of U.S. companies (as defined in part 772) see
Sec. 742.15(b)(8) of the EAR. Retransfers to other end-users or end-
uses are prohibited without prior authorization.
    (iv) Reporting requirements. There are no reporting requirements.
    (3) Encryption commodities, including mass market and non-mass
market, and non-mass market encryption software incorporating symmetric
algorithms with key lengths up to and including 56-bits, such as DES or
equivalent. (i) Scope. You may export and reexport encryption
commodities, including mass market and non-mass market commodities, and
non-mass market software with key lengths up to and including 56-bits,
such as DES or equivalent, under License Exception ENC subject to the
conditions of this paragraph (a)(3). For information concerning the
technical review of encryption mass market commodities and mass market
software refer to Sec. 742.15(b)(1) of the EAR. Note that encryption
mass market software remains eligible under License Exception TSU.
    (ii) Eligible commodities and software. (A) Mass market and non-
mass market encryption commodities and non-mass market software having
symmetric algorithms with key lengths up to and including 56-bits, such
as DES or equivalent (such as RC2, RC4, RC5, and CAST) which are
classified as a result of a technical review (see paragraph (c) of this
section). The commodity or software must not allow the alteration of
the cryptographic functionality by the user or any other program.
Encryption chips, integrated circuits, toolkits and executable or
linkable modules are not authorized for export under the provisions of
paragraph (a)(3).
    (B)(1) For mass market and non-mass market encryption commodities
and non-mass market encryption software, exporters of 40-bit or less
encryption commodities and software which have been made eligible for
License Exception KMI or License Exception TSU or have been licensed
for export under an Encryption Licensing Arrangement or a license prior
to December 31, 1998, will be permitted to export and reexport these
commodities and software under license exception ENC with increased key
lengths up to and including 56-bits for the confidentiality algorithm,
with key exchange mechanisms including symmetric algorithms with the
same or double key length authorized for the confidentiality algorithm,
and asymmetric algorithms for key exchange with key space of 512, 768
or up to and including 1024 bits without an additional technical
review, provided that there is no other change in cryptographic
functionality. Exporters must certify to BXA that the only change to
the encryption is the increase in the key length for the
confidentiality algorithm, the asymmetric or symmetric key exchange
algorithms and that there is no other change in cryptographic
functionality. Such certifications must be in the form of a letter from
senior corporate management and include the original authorization
number issued by BXA, the date of issuance and the information
identified in paragraphs (a)(2)(iii) through (v) of Supplement No. 6
to part 742 of the EAR. (If this information was submitted previously,
then only identify the modifications.) BXA must receive such
certification by March 31, 1999, and prior to any export of such
upgraded product.
    (2) The certification should be sent to:

Office of Strategic Trade and Foreign Policy Controls, Bureau of
Export Administration, Department of Commerce, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Upgrade

    (3) A copy of the certification should be sent to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246

    (C) After March 31, 1999, any increase (upgrade) in the
confidentiality algorithm and the key exchange algorithm must be
reviewed by BXA through a classification request (see Sec. 748.3 of the
EAR). In Block 9 of form BXA-748P, indicate ``Key Length Upgrade.''
    (iii) Eligible destinations. License Exception ENC is available for
exports and reexports of encryption commodities and software with key
length up to and including 56-bits, such as DES or equivalent to all
destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria.
    (iv) Reporting requirements. See paragraph (d) of this section for
reporting requirements.
    (b) Exports and reexports of certain encryption commodities and
software to countries listed in Supplement No. 3 to part 740 of the
EAR. (1) General purpose encryption commodities and software of any key
length for use by banks/financial institutions. (i) Scope. You may
export and reexport general purpose, non-voice encryption commodities
and software of any key length to banks and financial institutions (as
defined in part 772 of the EAR) in specified destinations, subject to
the conditions of this paragraph (b)(1). Note that distributors,
resellers or other entities who are not manufacturers of the encryption
commodities and software are permitted to use License Exception ENC for
banks and financial institutions only in instances where the export or
reexport meets the terms and conditions of this paragraph (b)(1).
    (ii) Eligible commodities and software. General purpose, non-voice
encryption commodities and software of any key length classified under
ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of
this section). Note that software and commodities that have already
been approved under an Encryption Licensing Arrangement to banks and
financial institutions in specified countries may now be exported or
reexported to other banks and financial institutions in those countries
under the same Encryption Licensing Arrangement.
    (iii) Eligible destinations; retransfers. Upon approval of your
classification request, you may export and reexport

[[Page 72161]]

under License Exception ENC general purpose, non-voice encryption
commodities and software, as defined in this paragraph (b)(1), of any
key length to banks and financial institutions in all destinations
listed in Supplement No. 3 to this part and to branches of such banks
and financial institutions wherever established, except Cuba, Iran,
Iraq, Libya, North Korea, Sudan and Syria. End-use is limited to secure
business financial communications or transactions and financial
communications/transactions between the bank and/or financial
institution and its customers. No customer to customer communications
or transactions are allowed. Retransfers to other end-users or end-uses
are prohibited without prior authorization.
    (iv) Reporting requirements. There are no reporting requirements.
    (2) Health and medical end-users. (i) Scope. You may export and
reexport encryption commodities and software of any key length under
License Exception ENC to health and medical end-users (as defined in
part 772 of the EAR) in specified destinations, subject to the
conditions of this paragraph (b)(2). Note that distributors, resellers
or other entities who are not manufacturers of the encryption
commodities and software are permitted to use License Exception ENC for
health and medical end-users only in instances where the export or
reexport meets the terms and conditions of this paragraph (b)(2).
    (ii) Eligible commodities and software. Encryption commodities and
software of any key length classified under ECCNs 5A002 and 5D002 after
a technical review (see paragraph (c) of this section).
    (iii) Eligible destinations; retransfers. You may export and
reexport under License Exception ENC encryption commodities and
software of any key length to health and medical end-users in all
destinations listed in Supplement No. 3 to this part. Non-U.S.
biochemical and pharmaceutical manufacturers, and non-U.S. military
health and medical entities are not eligible to receive encryption
commodities and software under License Exception ENC (see Sec. 742.15
of the EAR for licensing information on these end-users, as well as
additional countries). End-use is limited to securing health and
medical transactions to health and medical end-users. No customer to
customer communications or transactions are allowed. Retransfers to
other end-users or end-uses are prohibited without prior authorization.
    (iv) Reporting requirements. See paragraph (d) of this section for
reporting requirements for exports under this License Exception.
    (3) Encryption commodities and software of any key length for on-
line merchants. (i) Scope. You may export and reexport encryption
commodities and software of any key length under License Exception ENC
to on-line merchants (as defined in part 772 of the EAR) in specified
destinations, subject to the conditions of this paragraph (b)(3). End-
use is limited to: the purchase or sale of goods and software; and
services connected with the purchase or sale of goods and software
including interactions between purchasers and sellers necessary for
ordering, payment and delivery of goods and software. No other end-uses
or customer to customer communications or transactions are allowed.
Foreign on-line merchants or their separate business units (as defined
in part 772 of the EAR) who are engaged in the manufacturing and
distribution of items or services controlled on the U.S. Munitions List
are excluded. Foreign government end-users are also excluded from this
License Exception. Note that distributors, resellers or other entities
who are not manufacturers of the encryption commodities and software
are permitted to use License Exception ENC for on-line merchants only
in instances where the export or reexport meets the terms and
conditions of this paragraph (b)(3).
    (ii) Eligible commodities and software. Encryption commodities and
software of any key length classified under ECCNs 5A002 and 5D002 after
a technical review (see paragraph (c) of this section). Such
commodities and software must be limited to client-server applications
(e.g. Secure Socket Layer (SSL) based applications) or applications
specially designed for on-line transactions for the purchase or sale of
goods and software; and services connected with the purchase or sale of
goods and software, including interactions between purchasers and
sellers necessary for ordering, payment and delivery of goods and
software. Notwithstanding the provisions of paragraph (c)(2) of this
section, commodities and software that were eligible for export to on-
line merchants under an Encryption Licensing Arrangement or license
prior to December 31, 1998, are now eligible for export and reexport
under License Exception ENC under the provisions of this paragraph
(b)(3).
    (iii) Eligible destinations; retransfers. You may export and
reexport encryption commodities and software under License Exception
ENC to on-line merchants in all destinations listed in Supplement No. 3
to this part, except to foreign on-line merchants or their separate
business units who are engaged in the manufacturing and distribution of
items or services controlled on the U.S. Munitions List. Retransfers to
other end-users or end-uses are prohibited without prior authorization.
    (iv) Reporting requirements. See paragraph (d) of this section for
reporting requirements for exports under this License Exception.
    (c) Technical review to determine eligibility for License Exception
ENC. (1) You may initiate a technical review required by paragraph (a)
or (b) of this section by submitting a classification request for your
product in accordance with the provisions of Sec. 748.3(b) of the EAR.
Indicate ``License Exception ENC'' in Block 9: Special purpose, on form
BXA-748P. Submit the original request to BXA in accordance with
Sec. 748.3 of the EAR and send a copy of the request to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246

    (2) Commodities and software that have been made eligible for
License Exception TSU or KMI or which have been approved for export
under an Encryption Licensing Arrangement or a license prior to
December 31, 1998 are eligible for export and reexport under all
paragraphs of License Exception ENC, except paragraphs (a)(1) and
(b)(3) of this section, without an additional technical review,
provided that the export or reexport meets all the terms and conditions
of this License Exception. For all other commodities and software, a
technical review will determine eligibility for License Exception ENC
by reviewing the confidentiality algorithm, key space, and key exchange
mechanism.
    (3) For export and reexport of encryption commodities and software
under paragraph (a)(3) of this section, examples of eligible key
exchange mechanisms include, but are not limited to, symmetric
algorithms with the same or double the key length authorized for the
confidentiality algorithm, asymmetric algorithms with key space of 512,
768 or up to and including 1024 bits, proprietary key exchange
mechanisms, or others.
    (4) For export and reexport of encryption commodities and software
under paragraph (b)(3) of the License Exception ENC, exporters, in
order to expedite review of the classification, should submit, as
applicable, the following types of information to support the
classification request:

[[Page 72162]]

    (i) Information describing how the product is limited to a client-
server application or application specially designed or tailored to the
conditions outlined in the License Exception;
    (ii) Information describing the end-user environment to which the
application will be limited;
    (iii) Information explaining how the product will not permit
customer-to-customer communications or transactions above 56-bits;
    (iv) Information on the process by which the merchant(s) or
application will limit access to authorized users; or
    (v) Details of the encryption system, including how it is limited
to the application or cannot be diverted to other end-uses.
    (d) Reporting requirements. (1) You must provide to BXA the names
and addresses for exports to the following end-users:
    (i) All military and government end-users for non-mass market
commodities and non-mass market software exports authorized under
paragraph (a)(3) of this section;
    (ii) All health and medical end-users for exports authorized under
paragraph (b)(2) of this section, and
    (iii) All foreign on-line merchants for exports authorized under
paragraph (b)(3) of this section.
    (2) You must submit reports no later than February 1 and no later
than August 1 of any given year. Specifically, the report must identify
the end-user name and address and country of ultimate destination, as
well as the classification or other authorization number. Send the
report to the following address:

Office of Strategic Trade and Foreign Policy Controls, Bureau of
Export Administration, Department of Commerce, 14th Street and
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn:
Encryption Reports

    7. Supplement No. 3 is revised to read as follows:
Supplement No. 3 to Part 740--Countries Eligible To Receive General
Purpose Encryption Commodities and Software
    *Commercial entities and their branches located in these
countries or any country listed in this Supplement and designated
with one or two asterisks are eligible to receive ``recoverable''
encryption commodities and software of any key length for internal
company proprietary use. See Sec. 742.15(b)(7) of the EAR.
    **Commercial entities headquartered in these countries and their
branches wherever located (except Cuba, Iran, Iraq, Libya, North
Korea, Sudan and Syria) are eligible to receive ``recoverable''
encryption commodities and software of any key length for internal
company proprietary use. See Sec. 742.15(b)(7) of the EAR.

PART 742--[AMENDED]

    8. Section 742.15 is amended:
    a. By revising the first sentence of paragraph (a);
    b. By revising the phrase ``Supplements No. 4, No. 5 and No. 7'' in
the introductory paragraph (b) to read ``Supplement No. 4'';
    c. By revising the phrase ``encryption software'' in the title to
paragraph (b)(1) to read ``encryption commodities and software'';
    d. By revising paragraph (b)(1)(i);
    e. By adding new paragraphs (b)(1)(iii) and (b)(1)(iv);
    f. By revising paragraph (b)(2);
    g. By removing paragraph (b)(3);
    h. By redesignating paragraphs (b)(4) and (5) as (b)(3) and (4);
    i. By revising newly redesignated paragraph (b)(3);
    j. By revising the heading of newly redesignated paragraph (b)(4);
    k. By removing the phrase ``non-recoverable'' in the first sentence
of newly redesignated paragraph (b)(4);
    l. By revising the phrase ``under License Exception KMI (see
Sec. 740.8 of the EAR)'' in newly redesignated paragraph (b)(4) to read
``License Exception ENC (see Sec. 740.17(a)(1) of the EAR)'';
    m. By redesignating paragraphs (b)(6) and (7) as (b)(8) and (9);
    n. By adding new paragraphs (b)(5), (6) and (7); and
    o. By adding a new paragraph (b)(8)(iii) to read as follows:

Sec. 742.15  Encryption items.

* * * * *
    (a) Licenses are required for exports and reexports to all
destinations, except Canada, for items controlled under ECCNs having an
``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph.
* * *
    (b) * * *
    (1) * * *
    (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767),
certain encryption software that was transferred from the U.S.
Munitions List to the Commerce Control List pursuant to the
Presidential Memorandum of November 15, 1996, may be released from EI
controls and thereby made eligible for mass market treatment after a
technical review. Further, certain encryption commodities may be
released from EI controls and thereby made eligible for mass market
treatment after a technical review. To determine eligibility for mass
market treatment, exporters must submit a classification request to
BXA. 56-bit mass market encryption commodities and software using RC2,
RC4, RC5, DES or CAST, and key exchange mechanisms including, but not
limited to, symmetric algorithms with the same or double the key length
authorized for the confidentiality algorithm, asymmetric algorithms
with key space of 512, 768 or up to and including 1024 bits,
proprietary key exchange mechanisms, or others, may be eligible for a
7-day review process, and company proprietary commodities and software
implementations may be eligible for 15-day processing. Refer to
Supplement No. 6 to part 742 and Sec. 748.3(b)(3) of the EAR for
additional information. Note that the technical review is for a
determination to release encryption commodities and software in object
code only unless otherwise specifically requested. Exporters requesting
release of the source code should refer to paragraph (b)(3)(v)(E) of
Supplement No. 6 to part 742.
    (ii) * * *
    (iii) If after a technical review, BXA determines that the
encryption commodity is released from EI controls, the commodity is
eligible for export under License Exception ENC and all provisions of
the EAR applicable to other commodities. However, if BXA determines
that the commodity is not released from EI controls, and no License
Exception applies, a license is required for export and reexport to all
destinations, except Canada, and license applications will be
considered on a case-by-case basis.
    (iv) Mass-market encryption software that has already been
classified after a technical review and that has been released from EI
controls under the provisions of this paragraph (b)(1) will be
permitted for export and reexport under license exception TSU with
increases of 56-bits for the confidentiality algorithm, the same or
double the key length authorized for the confidentiality algorithm for
symmetric

[[Page 72163]]

algorithms for key exchange mechanisms and with key spaces of 512, 768
or up to and including 1024 bits for asymmetric algorithms for key
exchange without an additional technical review, provided that there is
no other change in the cryptographic functionality. Exporters must
notify BXA in writing of the increase in the key length for the
confidentiality algorithm, the asymmetric or symmetric key exchange
algorithms, and include the original authorization number issued by BXA
and the information identified in paragraphs (a)(2)(iii) through (v) of
Supplement No. 6 to part 742 of the EAR (if this information was
submitted previously, then only identify the modifications). BXA must
receive such notification by March 31, 1999.
    (A) The notification should be sent to:

Office of Strategic Trade and Foreign Policy Controls, Bureau of
Export Administration, Department of Commerce, 14th Street and
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn:
Encryption Upgrade

    (B) A copy of the certification should be sent to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246

    (2) Key escrow and key recovery encryption commodities and
software. Certain recovery encryption commodities and software of any
key length that are classified under ECCNs 5A002 and 5D002 after a
technical review are eligible for export and reexport under License
Exception KMI. See Sec. 740.8(b)(1) of the EAR for information on
additional eligibility requirements.
    (3) General purpose encryption commodities and software of any key
length for use by banks and financial institutions.
    (i) Commodities and software that were eligible for License
Exception TSU or KMI or have been licensed for export or reexport under
an Encryption Licensing Arrangement or a license prior to December 31,
1998, are now eligible for export and reexport under License Exception
ENC under the provisions of Sec. 740.17(b)(1) of the EAR.
    (ii) For exports and reexports not eligible under a License
Exception, exports and reexports of general purpose non-voice
encryption commodities and software classified under ECCNs 5A002 and
5D002 of any key length will generally be approved under an Encryption
Licensing Arrangement for use by banks and financial institutions (as
defined in part 772 of the EAR) in all destinations except Cuba, Iran,
Iraq, Libya, North Korea, Sudan and Syria. Applications for such
commodities and software will receive favorable consideration when the
end-use is limited to secure business financial communications or
transactions and financial communications/transactions between the bank
and/or financial institution and its customers provided that there are
no concerns about the country or end-user. No customer to customer
communications or transactions are allowed.
    (iii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are
not manufacturers of the encryption commodities and software are
permitted to use an existing Encryption Licensing Arrangement for
exports and reexports of these products only when an Encryption Licensing
Arrangement has been granted to the manufacturer and the export and
reexport meets the terms and conditions of this paragraph (b)(3).
    (v) There are no reporting requirements for exports to banks and
financial institutions.
    (4) Financial-specific encryption items of any key length. * * *
    (5) Encryption commodities and software of any key length for use
by health and medical end-users. (i) Commodities and software that have
been classified after a technical review through a classification
request or have been licensed for export under an Encryption Licensing
Arrangement or a license are eligible for export and reexport under
License Exception ENC to health and medical end-users without an
additional technical review, provided that the export or reexport meets
all the terms and conditions of that License Exception. See Sec. 740.17
of the EAR. Commodities and software that were eligible for License
Exception TSU or KMI or have been licensed for export or reexport under
an Encryption Licensing Arrangement or a license prior to December 31,
1998, are now eligible for export and reexport under License Exception
ENC under the provisions of Sec. 740.17(b)(2) of the EAR.
    (ii) For exports and reexports that are not eligible under License
Exception ENC, exports and reexports of encryption commodities and
software classified under ECCNs 5A002 and 5D002 of any key length will
generally be approved under an Encryption Licensing Arrangement for use
by health and medical end-users (as defined in part 772 of the EAR) in
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria except for non-U.S. biochemical and pharmaceutical manufacturers
and non-U.S. military health and medical entities. No customer to
customer communications or transactions are allowed.
    (iii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are
not manufacturers of the encryption commodities and software are
permitted to use an existing Encryption Licensing Arrangement for
exports and reexports of these products only when an Encryption Licensing
Arrangement has been granted to the manufacturer and the export and
reexport meets the terms and conditions of this paragraph (b)(5).
    (v) You must submit to BXA the name and address of the end-user.
    (6) Encryption commodities and software of any key length for on-
line merchants. (i) Commodities and software that were eligible for
export to on-line merchants under an Encryption Licensing Arrangement
prior to December 31, 1998, are now eligible for export and reexport
under License Exception ENC under the provisions of Sec. 740.17(b)(3).
    (ii) Exports and reexports of encryption commodities and software
classified under ECCNs 5A002 and 5D002 of any key length which are
limited to client-server applications (e.g., Secure Socket Layer (SSL)
based applications) or applications specially designed for on-line
transactions for the purchase or sale of goods and software will be
permitted under an Export Licensing Arrangement in all destinations
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by
foreign on-line merchants as defined in part 772 of the EAR. End-use is
limited to: the purchase or sale of goods and software; and services
connected with the purchase or sale of goods and software, including
interactions between purchasers and sellers necessary for ordering,
payment and delivery of goods and software. No other end-uses or
customer to customer communications or transactions are allowed.
    (iii) Applications for Encryption Licensing Arrangements for on-
line

[[Page 72164]]

merchants will generally be approved, except for foreign on-line
merchants or their separate business units (as defined in part 772 of
the EAR) who are engaged in the manufacturing and distribution of items
or services controlled on the U.S. Munitions List. Such end-users will
be considered on a case-by-case basis.
    (iv) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
    (v) Note that distributors, resellers or other entities who are not
manufacturers of the encryption commodities and software are permitted
to use an existing Encryption Licensing Arrangement for exports and
reexports of these products only when an Encryption Licensing Arrangement
has been granted to the manufacturer and the export and reexport meets
the terms and conditions of this paragraph (b)(6).
    (v) You must submit to BXA the name and address of the end-user.
    (7) Recoverable encryption commodities and software of any key
length for use by commercial entities. (i) Exports and reexports of
recoverable encryption commodities and software (as defined in part 772
of the EAR) classified under ECCNs 5A002 and 5D002 of any key length
will generally be approved under an Encryption Licensing Arrangement to
destinations designated with a ``*'' or ``**'' in Supplement No. 3 to
part 740 of the EAR to foreign commercial entities for internal company
proprietary use. Such encryption commodities and software will
generally be approved for export and reexport to foreign subsidiaries
of commercial firms headquartered in countries designated with a ``**''
in Supplement No. 3 to part 740 of the EAR that are located in any
destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria. Exports and reexports to telecommunication and internet service
providers are permitted under this policy for internal company
proprietary use. Use by service providers to provide service to
customers is excluded from this policy, but exports may be possible
under a license or an Encryption Licensing Arrangement on a case-by-
case basis. This policy of approval excludes those foreign commercial
firms or their separate business units (as defined in part 772 of the
EAR) engaged in the manufacturing and distribution of items or services
controlled by the U.S. Munitions List.
    (ii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
    (iii) Note that distributors, resellers or other entities who are
not manufacturers of the encryption commodities and software are
permitted to use an existing Encryption Licensing Arrangement for
exports and reexports of these products only when an Encryption Licensing
Arrangement has been granted to the manufacturer and the export and
reexport meets the terms and conditions of this paragraph (b)(7).
    (iv) You must submit to BXA the name and address of the end-user.
    (8) All other encryption items. * * *
    (iii) Exports and reexports of encryption commodities and software
of any key length to ``strategic partners'' of U.S. companies will
receive favorable consideration when the end-use is for the protection
of U.S. company proprietary information.
* * * * *
    9. Supplement No. 4 to part 742 is amended by revising paragraph
(8) to read as follows:

Supplement No. 4 to Part 742--Key Escrow or Key Recoverable
Products Criteria

* * * * *
    (8) The product's cryptographic function's key(s) or other
material/information required to decrypt ciphertext shall be accessible
to government officials under proper legal authority.
    10. Part 742 is amended by removing and reserving Supplement No. 5
and Supplement No. 7.
    11. Supplement No. 6 to part 742 is revised to read as follows:

Supplement No. 6 to Part 742--Guidelines for Submitting a
Classification Request for Mass Market Encryption Commodities and
Software

    Classification requests for release of certain mass market
encryption commodities and software from EI controls must be submitted
on Form BXA-748P, in accordance with Sec. 748.3 of the EAR. To expedite
review of the request, clearly mark the envelope ``Attn.: Mass Market
Encryption (Commodity) or (Software) Classification Request''. In Block
9: Special Purpose of the Form BXA-748P, you must insert the phrase
``Mass Market Encryption (Commodity) or (Software)''. Failure to insert
this phrase will delay processing. In addition, the Bureau of Export
Administration recommends that such requests be delivered via courier
service to: Bureau of Export Administration, Office of Exporter
Services, Room 2705, 14th Street and Pennsylvania Ave., N.W.,
Washington, D.C. 20230. In addition, send a copy of the request and all
supporting documents by Express Mail to: Attn: Mass Market Encryption
Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246.
    (a) Requests for mass market encryption commodities and software
that meet the criteria in paragraph (a)(2) of this Supplement will be
processed in seven (7) working days from receipt of a properly
completed request. Those requests for mass market encryption
commodities and software that meet the criteria of paragraph (a)(1) of
this Supplement only will be processed in fifteen (15) working days
from receipt of a properly completed request. When additional
information is requested, the request will be processed within 15
working days of the receipt of the requested information.
    (1) A mass market product that meets the criteria established in
this paragraph will be processed in fifteen (15) working days from
receipt of the properly completed request:
    (i) The commodity or software must be mass market. Mass market
commodities and software are those that are available to the public via
sales from stock at retail selling points by means of over-the-counter
transactions, mail order transactions, or telephone call transactions;
    (ii) The commodity or software must be designed for installation by
the user without further substantial support by the supplier.
Substantial support does not include telephone (voice only) help line
services for installation or basic operation, or basic operation
training provided by the supplier; and
    (iii) The commodity or software includes encryption for data
confidentiality.
    (2) A mass market commodity or software product that meets all the
criteria established in this paragraph will be processed in seven (7)
working days from receipt of the properly completed request:
    (i) The commodity or software meets all the criteria established in
paragraph (a)(1) (i) through (iii) of this Supplement;
    (ii) The confidentiality algorithm must be RC2, RC4, RC5, DES or
CAST with a key space no longer than 56-bits. The RC2, RC4 and RC5
algorithms are proprietary to RSA Data Security, Inc. To ensure that
the subject commodity or

[[Page 72165]]

software is properly licensed and correctly implemented, contact RSA
Data Security, (415) 595-8782. The CAST algorithm is proprietary to
Entrust Technologies, Inc. To ensure that the subject software is
properly licensed and correctly implemented, contact Entrust
Technologies, Inc., (972) 994-8000;
    (iii) If any combination of RC2, RC4, RC5, DES or CAST are used in
the same commodity or software, their functionality must be separate.
That is, no data can be operated on sequentially by both routines or
multiple times by either routine;
    (iv) The commodity or software must not allow the alteration of the
confidentiality mechanism and its associated key spaces by the user or
any other program;
    (v) The key exchange used in confidentiality must be:
    (A) A public key algorithm with a key space less than or equal to a
512-bit, 768-bit or up to and including 1024 bit modulus and/or;
    (B) A symmetric algorithm with a key space less than or equal to
112-bits; and
    (vi) The commodity or software must not allow the alteration of the
key management mechanism and its associated key space by the user or
any other program.
    (b)(1) To submit a classification request for a product that is
eligible for the seven-day handling, you must provide the following
information in a cover letter to the classification request. Send the
original to the Bureau of Export Administration. Send a copy of the
application and all supporting documentation by Express Mail to:

Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246,
Annapolis Junction, MD 20701-0246

    (2) Instructions for the preparation and submission of a
classification request that is eligible for seven-day handling are as
follows:
    (3) If the commodity or software product meets the criteria in
paragraph (a)(2) of this Supplement, you must call the Department of
Commerce on (202) 482-0092 to obtain a test vector, or submit to BXA a
copy of the encryption subsystem source code. The test vector or source
code must be used in the classification process to confirm that the
software has properly implemented the approved encryption algorithms.
    (4) Upon receipt of the test vector, the applicant must encrypt the
test plain text input provided using the product's encryption routine
(RC2, RC4, RC5, DES or CAST) with the given key value. The applicant
should not pre-process the test vector by any compression or any other
routine that changes its format. Place the resultant test cipher text
output in hexadecimal format on an attachment to form BXA-748P.
    (5) You must provide the following information in a cover letter to
the classification request:
    (i) Clearly state at the top of the page ``Mass Market Encryption
(Commodity) (Software)--7 Day Expedited Review Requested'';
    (ii) State that you have reviewed and determined that the commodity
or software subject to the classification request meets the criteria of
paragraph (a)(2) of this Supplement;
    (iii) State the name of the single commodity or software product
being submitted for review. A separate classification request is
required for each product;
    (iv) State how the commodity or software has been written to
preclude user modification of the encryption algorithm, key management
mechanism, and key space;
    (v) Provide the following information for the commodity or software
product:
    (A) Whether the commodity or software uses the RC2, RC4, RC5, DES
or CAST algorithm and how the algorithm(s) is used. If any combination
of these algorithms is used in the same product, also state how
the functionality of each is separated to assure that no data is
operated on by more than one algorithm;
    (B) Pre-processing information of plaintext data before encryption
(e.g. the addition of clear text header information or compression of
the data);
    (C) Post-processing information of cipher text data after
encryption (e.g. the addition of clear text header information or
packetization of the encrypted data);
    (D) Whether a public key algorithm or a symmetric key algorithm is
used to encrypt keys and the applicable key space;
    (E) For classification requests regarding source code:
    (1) Reference the applicable executable product that has already
received a technical review;
    (2) Include whether the source code has been modified by deleting
the encryption algorithm, its associated key management routine(s), and
all calls to the algorithm from the source code, or by providing the
encryption algorithm and associated key management routine(s) in object
code with all calls to the algorithm hidden. You must provide the
technical details on how you have modified the source code;
    (3) Include a copy of the sections of the source code that contain
the encryption algorithm, key management routines, and their related
calls; and
    (F) Provide any additional information which you believe would
assist in the review process.
    (c) Instructions for the preparation and submission of a
classification request that is eligible for 15-day handling are as
follows:
    (1) If the commodity or software product meets only the criteria in
paragraph (a)(1) of this Supplement, you must prepare a classification
request. Send the original to the Bureau of Export Administration. Send
a copy of the application and all supporting documentation by Express
Mail to:

Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246,
Annapolis Junction, MD 20701-0246

    (2) You must provide the following information in a cover letter to
the classification request:
    (i) Clearly state at the top of the page ``Mass Market Encryption
(Commodity)(Software)--15 Day Expedited Review Requested'';
    (ii) State that you have reviewed and determined that the commodity
or software subject of the classification request meets the criteria
of paragraph (a)(1) of this Supplement;
    (iii) State the name of the single commodity or software product
being submitted for review. A separate classification request is
required for each product;
    (iv) State that a duplicate copy, in accordance with paragraph
(c)(1) of this Supplement, has been sent to the 15-day Encryption
Request Coordinator; and
    (v) Ensure that the information provided includes brochures or
other documentation or specifications relating to the commodity or
software, as well as any additional information which you believe would
assist in the review process.
    (3) Contact the Bureau of Export Administration on (202) 482-0707
prior to submission of the classification to facilitate the submission
of proper documentation.
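
Added example, not part of the rule or of any BXA material: a known-answer check of the kind paragraph (b)(4) of this Supplement describes, run against RC4 with widely published test vectors (the vector BXA issues is not reproduced on this page). The names product_encrypt, kat_hex and run_kat are hypothetical; the compress flag shows why pre-processing the test input makes the resulting cipher text fail to match.

```python
import zlib

# Widely published RC4 vectors (ASCII key, ASCII plain text, cipher text in hex).
# They stand in for the vector an applicant would receive; none comes from BXA.
VECTORS = [
    (b"Key", b"Plaintext", "BBF316E8D940AF0AD3"),
    (b"Wiki", b"pedia", "1021BF0420"),
    (b"Secret", b"Attack at dawn", "45A01F645FC35B383552544B9BF5"),
]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR of the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def product_encrypt(key: bytes, plaintext: bytes, compress: bool = False) -> bytes:
    """Hypothetical product routine; compress=True models forbidden pre-processing."""
    if compress:
        plaintext = zlib.compress(plaintext)
    return rc4(key, plaintext)

def kat_hex(key: bytes, plaintext: bytes, compress: bool = False) -> str:
    """Cipher text in the hexadecimal form an attachment would carry."""
    return product_encrypt(key, plaintext, compress).hex().upper()

def run_kat(compress: bool = False) -> list:
    """Return (produced hex, matches expected) for every vector."""
    results = []
    for key, plaintext, expected in VECTORS:
        produced = kat_hex(key, plaintext, compress)
        results.append((produced, produced == expected))
    return results

if __name__ == "__main__":
    for label, flag in (("raw input", False), ("compressed first", True)):
        for produced, ok in run_kat(flag):
            print(f"{label:17} {produced:40} {'MATCH' if ok else 'MISMATCH'}")
```
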

PART 743--[AMENDED]

    12. Section 743.1 is amended:
    a. By revising the phrase ``GOV and KMI (under the provisions of
Sec. 740.8(b)(2)(ii) and (iii) only)'' in paragraph (b) to read
``ENC''; and
    b. By removing the phrase ``, 5A002, 5B002, 5D002, and 5E002'' in
paragraph (c)(1)(v).

PART 772--[AMENDED]

    13. Part 772 is amended by revising the definition of ``Financial
Institution'' and adding, in alphabetical order, new definitions for
``Business Unit'', ``Health/medical end-user'', ``On-line merchant'',
``Recoverable commodities and software'', ``Strategic partner,'' and
``U.S. subsidiary''.
* * * * *
    Business Unit. As applied to encryption items, means a unit of a
business which, whether or not separately incorporated, has:
    (a) A distinct organizational structure which does not overlap with
other business units of the same business;
    (b) A distinct set of accounts; and
    (c) Separate facilities for purchase, sale, delivery, and
production of goods and services.
* * * * *
    Financial Institution. As applied to encryption items, means any of
the following:
    (a) A broker, dealer, government securities broker or dealer, self-
regulatory organization, investment company or investment adviser,
which is regulated or supervised by the Securities and Exchange
Commission or a self-regulatory organization that is registered with
the Securities and Exchange Commission; or
    (b) A broker, dealer, government securities broker or dealer,
investment company, investment adviser, or entity that engages in
securities activities that, if conducted in the United States, would be
described by the definition of the term ``self-regulatory
organization'' in the Securities Exchange Act of 1934, which is
organized under the laws of a foreign country and regulated or
supervised by a foreign securities authority; or
    (c) A U.S. board of trade that is designated as a contract market
by the Commodity Futures Trading Commission or a futures commission
merchant that is regulated or supervised by the Commodity Futures
Trading Commission; or
    (d) A U.S. entity engaged primarily in the business of issuing a
general purpose charge, debit, or stored value card, or a branch of, or
affiliate controlled by, such an entity; or
    (e) A branch or affiliate of any of the entities listed in
paragraphs (a), (b), or (c) of this definition regulated or supervised
by the Securities and Exchange Commission, the Commodity Futures
Trading Commission, or a foreign securities authority; or
    (f) An affiliate of any of the entities listed in paragraph (a),
(b), (c), or (e), of this definition engaged solely in the business of
providing data processing services to one or more bank or financial
institutions, or a branch of such an affiliate; or
    (g) A company organized and regulated under the laws of any of the
United States and its branches and affiliates whose primary and
predominant business activity is the writing of insurance or the
reinsuring of risks; or a company organized and regulated under the
laws of a foreign country and its branches and affiliates whose primary
and predominant business activity is the writing of insurance or the
reinsuring of risks.
* * * * *
    Health/medical end-user. As applied to encryption items, means any
entity, including civilian government agencies, the primary purpose of
which is the provision of medical or other health services. The term
medical or other health services includes the following items or
services:
    (a) Physicians' services and services and supplies furnished as an
incident to a physician's professional service (such as laboratory
services), of kinds which are commonly furnished in physicians'
offices; services provided by a physician assistant or by a nurse
practitioner; including services which would be physicians' services if
furnished by a physician and which are performed by a physician
assistant under the supervision of a physician, or services which would
be physicians' services if furnished by a physician and which are
performed by a nurse practitioner or clinical nurse specialist in
collaboration with a physician; certified nurse-midwife services or
services of a certified registered nurse anesthetist;
    (b) Hospital services incident to physicians' services rendered to
outpatients and hospitalization services incident to such services;
ambulance services;
    (c) Psychologist services or clinical social worker services; or
    (d) Health cost reimbursers (e.g., health insurers, HMOs).
* * * * *
    On-line merchant. As applied to encryption items, means an entity
regularly engaged in lawful commerce that uses means of electronic
communications (e.g., the Internet) to conduct commercial transactions.
* * * * *
    Recoverable commodities and software. As applied to encryption
items, means any of the following:
    (a) A stored data product containing a recovery feature that, when
activated, allows recovery of the plaintext of encrypted data without
the assistance of the end-user; or
    (b) A product or system designed such that a network administrator
or other authorized persons who are removed from the end-user can
provide law enforcement access to plaintext without the knowledge or
assistance of the end-user. This includes, for example, products or
systems where plaintext exists and is accessible at intermediate points
in a network or infrastructure system, enterprise-controlled recovery
systems, and products which permit recovery of plaintext at the server
where a system administrator controls or can provide recovery of
plaintext across an enterprise.

    Note to this definition: ``Plaintext'' indicates the data that
is initially received by or presented to the recoverable product
before encryption takes place.
* * * * *
    Strategic partner (of a U.S. company). As applied to encryption
items, means a foreign-based entity that:
    (a) Has a business need to share the proprietary information with
one or more U.S. companies; and
    (b) Is contractually bound to the U.S. company (e.g., has an
established pattern of continuing or recurring contractual relations).
* * * * *
    U.S. subsidiary. As applied to encryption items, means
    (a) A foreign branch of a U.S. company; or
    (b) A foreign subsidiary or entity of a U.S. entity in which:
    (1) The U.S. entity beneficially owns or controls (whether directly
or indirectly) 25 percent or more of the voting securities of the
foreign subsidiary or entity, if no other person owns or controls
(whether directly or indirectly) an equal or larger percentage; or
    (2) The foreign entity is operated by the U.S. entity pursuant to
the provisions of an exclusive management contract; or
    (3) A majority of the members of the board of directors of the
foreign subsidiary or entity also are members of the comparable
governing body of the U.S. entity; or
    (4) The U.S. entity has the authority to appoint the majority of
the members of the board of directors of the foreign subsidiary or
entity; or
    (5) The U.S. entity has the authority to appoint the chief
operating officer of the foreign subsidiary or entity.

PART 774--[AMENDED]

    14. In Supplement No. 1 to part 774, Category 5--Telecommunications
and Information Security is amended by revising the License
Requirements section of ECCNs 5A002 and 5D002 to read as follows:

    5A002 Systems, equipment, application specific ``assemblies'',
modules or integrated circuits for ``information security'', and
specially designed components therefor.

License Requirements

                     Reason for Control: NS, AT, EI
------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

    EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to Sec. 742.15 of this
subchapter.
* * * * *
    5D002 Information Security--``Software''.

License Requirements

                     Reason for Control: NS, AT, EI
------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

    EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to Sec. 742.15 of the
EAR.

    Note: Encryption software is controlled because of its
functional capacity, and not because of any informational value of
such software; such software is not accorded the same treatment
under the EAR as other ``software''; and for export licensing
purposes, encryption software is treated under the EAR in the same
manner as a commodity included in ECCN 5A002. License Exceptions for
commodities are not applicable.

    Note: Encryption software controlled for EI reasons under this
entry remains subject to the EAR even when made publicly available
in accordance with part 734 of the EAR, and it is not eligible for
the General Software Note (``mass market'' treatment under License
Exception TSU for mass market software). After a technical review,
certain encryption software may be released from EI controls and
made eligible for the General Software Note treatment as well as
other provisions of the EAR applicable to software. Refer to
Sec. 742.15(b)(1) of the EAR, and Supplement No. 6 to part 742 of
the EAR.
* * * * *
    Dated: December 23, 1998.
R. Roger Majak,
Assistant Secretary for Export Administration.
[FR Doc. 98-34669 Filed 12-30-98; 8:45 am]