thefederalregister.com

Daily Rules, Proposed Rules, and Notices of the Federal Government

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 772, and 774

[Docket No. 080211163-81224-01]

RIN 0694-AE18

Encryption Simplification

AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Interim final rule.
SUMMARY: This interim final rule amends the Export Administration Regulations (EAR) to make the treatment of encryption items more consistent with the treatment of other items subject to the EAR, as well as to simplify and clarify regulations pertaining to encryption items. The restrictions pertaining to technical assistance by U.S. persons with respect to encryption items are removed, because the current export and reexport restrictions set forth in the EAR for technology already include technical assistance. This rule also removes License Exception KMI as it has become obsolete because of developments in uses of encryption. In addition, this rule removes notification requirements for items classified as 5A992, 5D992, and 5E992. This rule also increases certain parameters under License Exception ENC, which is intended to reflect advances in technology. This rule adds two new review and reporting requirement exclusion paragraphs under License Exception ENC for wireless "personal area network" items and for "ancillary cryptography" items. This rule also adds Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries that receive favorable treatment under License Exception ENC. Commodities and software pending mass market review may no longer be exported under ECCNs 5A992 and 5D992 using No License Required (NLR). However, once the mass market review has been received by BIS, then such commodities and software may be exported using License Exception ENC under ECCNs 5A002 and 5D002. This rule will reduce the paperwork burden on the public by 9% (annual dollar amount savings of approximately $14,000 to the public and $5,000 to the U.S. Government), because of the removal of certain notification requirements, addition of countries to the list of those receiving favorable treatment under License Exception ENC, and the increase of reporting and review requirement exclusions. 
The Departments of Commerce, State and Defense will continue to review export control, license review policies, and license exceptions for encryption items in the EAR.
DATES: Effective Date: This rule is effective October 3, 2008.
ADDRESSES: Written comments on this interim final rule may be sent by e-mail to publiccomments@bis.doc.gov. Include "Encryption rule" in the subject line of the message. Comments may also be submitted by mail or hand delivery to Sharron Cook, Office of Exporter Services, Regulatory Policy Division, Bureau of Industry and Security, Department of Commerce, 14th St. & Pennsylvania Avenue, NW., Room 2705, Washington, DC 20230, ATTN: Encryption rule; or by fax to (202) 482-3355.
FOR FURTHER INFORMATION CONTACT: For questions of a general nature contact Sharron Cook, Office of Exporter Services, Regulatory Policy Division at (202) 482-2440 or E-Mail: scook@bis.doc.gov.

For questions of a technical nature contact: The Information Technology Division, Office of National Security and Technology Transfer Controls at 202-482-0707 or E-Mail: C. Randall Pratt at cpratt@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

Steps Regarding Scope of the EAR

This rule revises paragraph 732.2(b) of the EAR, which sets forth instructions on how to determine if your technology or software is publicly available, by adding mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992. The addition of this phrase harmonizes with the scope of publicly available encryption software that is considered to be subject to the EAR because of the criteria set forth in § 734.3(b)(3) of the EAR.

Items Subject to the EAR

This rule adds a note to paragraph 734.3(a)(4) of the EAR, which sets forth the items that are subject to the EAR. The note reminds readers that certain foreign-manufactured items are subject to the EAR when developed or produced from U.S.-origin encryption items that were exported pursuant to § 740.17(a) of License Exception ENC.

Clarification of Text

This rule replaces the phrase “encryption software (including source code) transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date” with “software controlled for “EI” reasons under ECCN 5D002 on the Commerce Control List” to clarify which software this sentence is referring to in the introductory paragraph of Supplement No. 1 to part 734 “Questions and Answers—Technology and Software subject to the EAR.”

Determining Whether a License Is Required

This rule clarifies text in § 738.4(a)(1) of the EAR that not all license requirements set forth under the “License Requirements” section of an ECCN refer to the Commerce Country Chart, but in some cases this section will contain references to a specific section in the EAR that contain license requirements for that particular ECCN. In such cases, you could not determine whether a license is required based on the ECCN and Country Chart alone and section § 738.4(a)(1) of the EAR would not apply. For example, “EI” controls are not included in the Country Chart; however licensing requirements for “EI” controlled items are included in § 742.15(a) of the EAR. In addition, this rule removes the reference in § 738.4(a)(2)(ii)(B) to notification requirements described in paragraph 742.15(b) for items classified under ECCNs 5A992, 5D992, and 5E992, because this rule removes notification requirements for these items. This rule also clarifies the reminder about the review requirements for certain mass market encryption items under ECCNs 5A992 and 5D992, by removing the reference to 5E992 and harmonizing the citation reference with the changes in this rule.

License Exception LVS

This rule revises § 740.3(d)(5) to clarify that not only exports, but reexports of encryption components or spare parts are subject to the special restriction in this paragraph. In addition, the term “item” has been replaced by correct terminology.

License Exception KMI

This rule removes § 740.8 of the EAR “License Exception KMI” as it has become obsolete because of the developments in the use of encryption. A consequential revision is also made to § 746.3(c) of the EAR, where License Exception KMI was listed. Products previously eligible for License Exception KMI will be accorded equivalent treatment under license or license exception. As a result of this change, this rule also removes Supplement No. 4 to part 742 “Key Escrow or Key Recovery Products Criteria.”

License Exception TSU

In § 740.13(d) of the EAR, this rule removes the quotation marks around the term “mass market” in the title to paragraph (d), paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii), because in the EAR double quotation marks around a term indicate that the word is defined in part 772 of the EAR, and mass market is not a defined term in part 772 of the EAR.

License Exception ENC

This rule revises § 740.17 of the EAR by reformatting paragraphs, removing redundant text, and clarifying text as needed. This rule revises the title of this section to indicate that this license exception also authorizes technology. The introductory paragraph to § 740.17 of the EAR is condensed to set forth the scope of § 740.17 of the EAR and include information not found elsewhere in § 740.17 of the EAR.

While this rule reformats the paragraphs in § 740.17 of the EAR, it was BIS's goal to minimize revisions to the enumeration of paragraphs used to classify encryption items in the past, so as to alleviate confusion about previous classifications provided by BIS that reference specific paragraphs and to reduce the number of revisions to industry's current product matrices. That being said, the paragraph titles have been revised to reflect review request requirements instead of destinations, end-uses, or types of end-users.

This rule removes paragraphs 740.17(a)(2) and (b)(2)(i) that exempted commodities and software from review requirements based on a previous review by the U.S. Government prior to October 19, 2000. These commodities and software remain exempt from review requirements, and BIS did not see the necessity of retaining such text in the Export Administration Regulations.

Paragraph 740.17(a) now describes exports and reexports authorized by License Exception ENC that do not require prior government review or post export reporting. The former paragraph (a)(2) “Items previously reviewed by the U.S. Government” is removed by this rule, as this paragraph is no longer necessary because of the passage of time. Former paragraph (a)(3) for end-uses other than internal development is moved to new paragraph (b)(1), because a review request submission is required for eligibility under this paragraph. Former paragraph (b)(1) for U.S. subsidiaries is moved to (a)(2), because authorization under this paragraph does not require prior review. In addition, this rule amends former paragraph (b)(4)(i)(A) (exempting encryption items not exceeding certain key lengths from the 30 day waiting period) by moving it to (b)(1)(ii)(A).

Section 740.17(a)(1)

This rule removes references in paragraph § 740.17(a)(1) to “technical assistance described in § 744.9 of the EAR,” because this rule removes 744.9, see explanation set forth below under “§ 744.9.” This rule clarifies text in paragraph (a)(1) so that it is understood that License Exception ENC can be used for not only internal development, but also internal production of new products.

Section 740.17(a)(2)

Paragraph 740.17(a)(2) is former paragraph (b)(1).

Section 740.17(b)

Paragraph 740.17(b) now sets forth those items authorized under License Exception ENC that require prior review by the U.S. Government. This paragraph also sets forth the “open cryptographic interface” restriction that applies to all paragraphs in 740.17(b), except for paragraph § 740.17(b)(1)(i). This introductory paragraph also sets forth the restriction to export or reexport cryptanalytic items to any “government end-user.” There is also a reference in this paragraph to paragraph (e) “reporting requirements” for exports and reexports under § 740.17(b).

Section 740.17(b)(1)

The new paragraph 740.17(b)(1) of the EAR authorizes exports and reexports under License Exception ENC that require prior government review, but allows the export or reexport to take place immediately upon registration of the review request with BIS.

Paragraph (b)(1)(i) authorizes the export and reexport of encryption items, including EI controlled commodities or software (excluding source code) that are pending review for mass market treatment (under § 742.15(b) of the EAR), to “government end-users” and non-“government end-users” located in the countries listed in Supplement 3 of part 740, as well as to foreign subsidiaries or offices of firms, organizations and governments headquartered in countries listed in Supplement 3 of part 740. This rule adds authorization under License Exception ENC for items pending mass market review, because it was not logical to temporarily classify commodities and software under ECCNs 5A992 or 5D992 that were pending mass market review under paragraph 742.15(b) and authorize export or reexport under the designation of “No License Required (NLR)” when the possible outcome of the BIS classification of the commodities and software could be ECCN 5A002 or 5D002.

New paragraph 740.17(b)(1)(ii) authorizes exports and reexports of specified encryption commodities and software to countries not listed in Supplement No. 3 to part 740. This rule revises the format of the parameters in this section from a range to an upper limit in paragraph (b)(1)(ii)(A), former paragraph (b)(4)(i)(A). In addition, the upper limit for symmetric algorithms has been raised from “key lengths not exceeding 64 bits” to “key lengths not exceeding 80 bits.” After review has been completed on these commodities or software, BIS will issue a CCATS that will indicate authorization is under paragraph (b)(2) or (b)(3) of § 740.17 of the EAR, whichever paragraph is appropriate.

Paragraph (b)(1)(ii)(B), former paragraph (b)(4)(i)(B), authorizes exports and reexports of encryption source code that would not be eligible for export or reexport under License Exception TSU, provided that a copy of the source code is included in the review request, to non-“government end-users” located in any country except a country listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR. After the review has been completed, BIS will issue a CCATS that will indicate authorization is under paragraph 740.17(b)(2) of the EAR. The text is clarified by replacing the phrase “considered publicly available” with “eligible” in order to avoid confusion about the scope of encryption source code eligible under this paragraph.

Section 740.17(b)(2)

Paragraph (b)(2) of License Exception ENC authorizes exports and reexports to non-“government end-users” located in a country not listed in Supplement No. 3 to this part or Country Group E:1 that require a prior review and 30 day waiting period. Pursuant to the new scope paragraph 740.17(b), this rule expands the scope of (b)(2) to include ECCN 5B002 to be consistent with commodities and software eligible for License Exception ENC under paragraphs (b)(1) and (b)(3) of the EAR. In addition, former paragraph (b)(2)(i) concerning transactions previously reviewed prior to October 19, 2000 by the U.S. Government is removed as the passage of time has made this paragraph unnecessary. Former paragraph (b)(2)(ii) that set forth the review request requirement is removed, as the review request requirement has been moved to the introductory text of paragraph (b)(2). Former paragraph (b)(2)(iii) is replaced by the introductory text of paragraph (b)(2).

This rule revises new paragraph (b)(2)(i), (Network infrastructure software and commodities) by adding “digital packet telephony/media (voice/video/data) over internet protocol” to the list of capabilities described.

Also in this new paragraph (b)(2)(i), the former paragraph (b)(2)(iii)(A) reference to “64 bits for symmetric algorithms” is changed to “80 bits for symmetric algorithms”, commensurate with the key length change in new paragraph (b)(1)(ii)(B). (Note: Regarding key length with respect to the authorizations and restrictions set forth in both the current and former versions of License Exception ENC § 740.17(b)(2), only ‘network infrastructure’ commodities and software (sub-paragraph (i) in this rule) are distinguished by key length. All encryption commodities and software now enumerated in sub-paragraphs (ii)-(vi) (former sub-paragraphs (iii)(B)-(iii)(F)) of License Exception ENC paragraph (b)(2) are controlled to “government end-users” as described, regardless of key length.)

Former paragraph (b)(2)(iii)(A)(1), new paragraph § 740.17(b)(2)(i)(A) is clarified by this rule to add quotes around the term “government end-user(s)” and now reads as follows, “Been designed, modified, adapted or customized for “government end-user(s)” or government end-use (e.g., to secure police, state security, or emergency response communications).”

This rule further revises former paragraph (b)(2)(iii)(A)(1), new paragraph (b)(2)(i)(A), which addresses aggregate encrypted WAN, MAN, VPN or backhaul throughput, by increasing the parameter from 44 Mbps to 90 Mbps.

This rule further revises former paragraph (b)(2)(iii)(A)(2), new paragraph (b)(2)(i)(B). The Wire (line), cable or fiber optic WAN, MAN or VPN single-channel input data rate is revised from “44 Mbps” to “154 Mbps.”

These revisions are not expected to result in a decrease in the number of license applications submitted for exports and reexports of items described in paragraph (b)(2) to government end-users. Most network infrastructure items currently being exported to government end-uses exceed these performance parameters. However, BIS has determined that the parameters should be adjusted in recognition of technology advances, and to avoid maintaining controls on legacy systems.

This rule replaces the “Maximum number of concurrent encrypted data tunnels or channels * * *” parameter in former paragraph (b)(2)(iii)(A)(3), new paragraph (b)(2)(i)(C) with “Media (voice/video/data) encryption or centralized key management supporting more than 250 concurrent encrypted data channels, or encrypted signaling to more than 1,000 endpoints, for digital packet telephony/media (voice/video/data) over internet protocol communications.” These amendments update these provisions of License Exception ENC to reflect advances in encryption technology. Specifically, these amendments address cryptographic developments in Datagram Transport Layer Security (DTLS)—Secure Real-Time Transport Protocol (SRTP), and encrypted communications signaling, for large Voice over Internet Protocol (VoIP) network infrastructures.

This rule also revises former paragraph (b)(2)(iii)(A)(4)(i), new paragraph (b)(2)(i)(D)(1), which addresses Air-interface coverage capabilities, by changing “maximum data rates” to “maximum transmission data rates” and changing the parameter from “5 Mbps” to “10 Mbps.” By limiting this License Exception ENC provision to the transmit (upstream) data rates and doubling the licensing threshold, these amendments reflect technology developments for certain satellite and other long-range wireless devices.

Former paragraph (b)(2)(iii)(B) that addressed encryption source code that would not be eligible for export or reexport under License Exception TSU is moved to new paragraph (b)(2)(ii), but also appears in new paragraph (b)(1)(ii)(B) for review requests that include a copy of the source code, and may be exported or reexported without a waiting period under License Exception ENC when the review request is registered with BIS.

Former paragraph (b)(2)(iii)(C), new paragraph (b)(2)(iii) is revised by removing the reference to the open cryptographic interface restriction, because this restriction is now placed in the introductory text of paragraph 740.17(b).

Former paragraph (b)(2)(iii)(C)(1), new paragraph (b)(2)(iii)(A) is amended by revising the phrase “Been modified or customized for” to read “been designed, modified, adapted or customized for.” Quotes have been added around the term “government end-user(s)” to indicate that this term is defined in part 772 of the EAR.

This rule also revises the phrase “to secure departmental, police, state security, or emergency response communications” to read “to secure police, state, security, or emergency response communications, including encryption commodities and software for external Security Operations Center (SOC)/Network Operations Center (NOC) command and infrastructure, and digital forensics/computer forensics.” With this clarification, this rule provides examples of three such systems that are controlled for their inherent government end-use: External Security Operations Center (SOC)/Network Operations Center (NOC) command and infrastructure; public safety radio (e.g., implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards); and digital forensics/computer forensics.

Note:

Regarding the use of encryption by a computer forensics/digital forensics commodity or software (e.g., for securing the collection, examination, and/or reporting of data or metadata on an investigated computer), such digital/computer forensics tools would not be considered “cryptanalytic items” if the only use of “cryptography” is for encryption. However, such tools that also perform “cryptanalysis” (e.g., cracking passwords or employing other cryptanalytic techniques to derive user-encrypted data or metadata from a computer or network) would be controlled as “cryptanalytic items.”

Former paragraph (b)(2)(iii)(E), new paragraph (b)(2)(v) is revised by adding a clarifying phrase after the term “quantum cryptography” to read “as defined in ECCN 5A002 of the Commerce Control List.”

Former paragraph (b)(2)(iii)(F), new paragraph (b)(2)(vi) is revised by replacing the term “controlled” with “classified under” to clarify the scope of computers in this paragraph.

Section 740.17(b)(3)

This rule revises paragraph § 740.17(b)(3) of the EAR for export or reexport of commodities and software not listed in § 740.17(b)(2) of the EAR by both “government end-users” and non-“government end-users” by removing the redundant former paragraph (b)(3)(ii)(B) that explained the review procedures and instead inserting a reference to paragraph § 740.17(d) that sets forth these procedures. In addition, former paragraph (b)(3)(ii)(A) concerning transactions previously reviewed by the U.S. Government is removed as the passage of time has made this paragraph unnecessary. Former paragraph (b)(3)(i)(A) that set forth the ineligibility of commodities and software that provide an “open cryptographic interface” is removed because this restriction is set forth in the introductory text of paragraph 740.17(b). This rule adds text that clarifies the eligible locations of the end-users, because 740.17(a) addresses all exports to Supplement No. 3 countries. This rule relocates the restriction in former paragraph (f)(1) concerning “cryptanalytic items” to the introductory text of paragraph (b)(3).

Section 740.17(b)(4)

Former paragraph 740.17(b)(4)(i), setting forth commodities and software that are eligible for export immediately upon registration of a review request, is moved to new paragraph (b)(1)(ii). In addition, previous paragraph 740.17(b)(4)(ii), setting forth exclusions from review requirements for certain items, is reformatted as paragraph 740.17(b)(4).

Former paragraph (b)(4)(ii)(A) for short-range wireless encryption is now in new paragraph (b)(4)(i). This rule adds examples to this paragraph of short-range wireless commodities and software. An informative sentence is also added to notify the reader that certain items excluded by this paragraph may also be excluded from review under (b)(4)(iii) (personal area networks) or (b)(4)(iv) (commodities and software that provide “ancillary cryptography”).

Former paragraph (b)(4)(ii)(B) is replaced by the third, fourth, and fifth sentences of former paragraph (c), which pertains to foreign products developed with or incorporating U.S.-origin encryption source code, components, or toolkits.

This rule adds two new review requirement exclusion paragraphs. The first new paragraph (b)(4)(iii) is for wireless “personal area network” items. This rule adds the term “personal area network” and definition, as well as examples to part 772. The other new exclusion paragraph (b)(4)(iv) is for “ancillary cryptography,” which is also a newly added term/definition in part 772. The term/definition includes examples of “ancillary cryptography.” The U.S. Government has determined that it is not necessary to review the encryption functionality of such items.

Reexports and Transfers

This rule clarifies the second sentence in § 740.17(c) of the EAR (restricted transfers) by adding quotes around the term “government end-users” for consistency. The third and fourth sentences in this section concerning foreign products developed with or incorporating U.S.-origin encryption products are moved to new paragraph (b)(4)(ii), because they were misplaced and redundant to text already included in another paragraph of License Exception ENC.

Review Request Procedures

This rule removes former paragraph (d)(1) “Instructions for requesting review” because these instructions were redundant and inconsistent with the instructions for submissions on Form BIS-748P (Multipurpose Application) found in Part 748 of the EAR. Instructions for such submissions belong in Part 748 of the EAR.

This rule reformats former paragraph (d)(2) “Action by BIS” because this paragraph was entirely too long and needed to be divided by subject matter. The new subparagraph titles are: (i) Notification; (ii) After 30 days; and (iii) Hold Without Action (HWA).

This rule moves former paragraph (d)(3), “key length increases,” to the reporting requirement section under new paragraph (e)(2), because this requirement is in actuality a reporting requirement and not a review requirement. This report is required for commodities and software that, after having been reviewed and authorized for License Exception ENC by BIS, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. This rule also makes the new key length a required element of the report.

Reporting Requirements

The reporting requirements for License Exception ENC are now split into two sections: Semiannual reporting requirement and reporting key length increases. This rule clarifies that the Commodity Classification Automated Tracking System (CCATS) number is a required element of the report. This rule removes former paragraph (e)(2)(iv), which required a report for exports of ECCN 5E002 items to be used for technical assistance that are not released by 744.9, because this rule removed section 744.9 of the EAR. This rule also clarifies the purpose and scope of paragraph (e)(3), regarding reportable information on foreign manufacturers and products that use encryption items in countries not listed in Supplement No. 3 to part 740.

Reporting Exclusions

This rule revises the exclusion set forth in former paragraph (e)(4)(i), new paragraph (e)(1)(iii)(A), by removing the reference to paragraph (b)(1), because (b)(1) did not require prior review or post export reporting, therefore this rule moved (b)(1) to new paragraph (a)(2).

In new paragraph (e)(1)(iii)(F), this rule expands the exclusion that was in former paragraph (e)(4)(vi) for components limited to providing short-range wireless encryption functions, by making the reporting exclusion apply to all of the items in the new paragraph (b)(4), which are those items that are excluded from review requirements (certain commodities and software that provide short-range wireless; foreign products developed with or incorporating U.S.-origin encryption source code (that have not entered United States for subsequent export), components, or toolkits; wireless “personal area network” items; and “ancillary cryptography” commodities and software).

Lastly, in new paragraph (e)(1)(iii)(J), this rule adds a new provision to exclude from reporting requirements exports of items that have been determined, on a case-by-case basis, not to require the burden of semi-annual reporting. Certain exports of items that do not qualify for mass market treatment, but are authorized under License Exception ENC, are not of interest for national security reasons and therefore do not warrant reporting requirements. Exporters will be notified of this exclusion on issued Commodity Classification Automated Tracking System (CCATS) documents.

Restrictions

Former paragraph § 740.17(f) “Restrictions” is removed, because the restrictions that were in this paragraph are integrated into the introductory paragraph to § 740.17 or specific paragraphs for which they apply.

Supplement No. 3 to Part 740

This rule revises the title of Supplement No. 3 to part 740 to read “License Exception ENC Favorable Treatment Countries,” because the former title of “Countries Eligible for the Provisions of § 740.17(a)” is no longer correct, as these countries are now eligible for provisions of § 740.17(b)(1) of the EAR. This rule adds Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries in Supplement No. 3 to part 740 of the EAR. Bulgaria and Romania joined the European Union by accession on January 1, 2007. The addition of Canada is simply for clarity, as licenses are not required to Canada for Encryption Items (pursuant to § 742.15(a)(1)) and License Exception ENC has been available for subsidiaries and offices of the Canadian government and private-sector end-users (along with the previous Supplement No. 3 to part 740 list of countries). Turkey and Iceland are added because they are members of the North Atlantic Treaty Organization (NATO). This will increase eligibility under License Exception ENC under new paragraphs § 740.17(a)(1) and (b)(1) of the EAR, which will decrease the necessity for submitting license applications, review requests, and semiannual reports.

This revision will reduce the number of license applications submitted to BIS for the export or reexport of encryption products classified under ECCNs 5A002 and 5D002 to Bulgaria, Iceland, Romania, and Turkey by 95 percent (approximately $37 million in exports and reexports for CY 2007). This revision will not change the amount of license applications received by BIS for the export or reexport of encryption products to Canada, because Canada, while not included in the list of countries that received favorable treatment under License Exception ENC, already received such benefits.

Section 742.15 “Encryption Items”

Paragraph 742.15(a) is revised by more specifically describing what is EI controlled under ECCNs 5A002, 5D002, and 5E002. This revision harmonizes with changes this rule makes to the license requirements paragraphs of these ECCNs. In addition, a sentence is added that advises exporters to review License Exception ENC prior to submitting a license to BIS. Also, the phrase “on a computer system” is removed from the introductory text of § 742.15 in order to be more consistent with the first Note in the License Requirement section of ECCN 5D002.

Section 742.15(a)(2) License Requirements and Review Policy for ECCNs 5A992, 5D992, and 5E992

This rule removes former paragraph 742.15(a)(2), which explained license requirements and review policy for items classified under ECCNs 5A992, 5D992, and 5E992, because the purpose of § 742.15 is to set forth the license requirements and review policies for items controlled for encryption item (EI) reasons and these items are controlled for anti-terrorism (AT) reasons only. The license requirements and review policy for these items are found under appropriate anti-terrorism sections of part 742.

This rule removes the second sentence of 742.15(a)(2), because the indefinite language did not add to the transparency of licensing policy. The sentence stated, “Exports and reexports of encryption items to governments, or to Internet and telecommunications service providers for the provision of services specific to governments, may be favorably considered.” This rule removes the extraneous phrase “including those which authorize exports and reexports of encryption technology to strategic partners (as defined in § 772.1 of the EAR) of U.S. companies.” To be more transparent, this rule adds the phrase “or pre-shipment notification” to explain that ELAs may require pre-shipment notification. This rule adds a note to paragraph (a)(2) to remind exporters that once mass market encryption commodities and software have been reviewed by BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) and released from “EI” and “NS” controls pursuant to § 742.15(b) of the EAR, they are classified under ECCN 5A992 and 5D992 respectively, and are thereafter outside the scope of this section.

This rule removes the notification and review requirements for items classified under ECCNs 5A992, 5D992, and 5E992, which were set forth in former paragraphs § 742.15(b) introductory paragraph and § 742.15 (b)(1) of the EAR.

This rule adds a reference to the ENC Encryption Request Coordinator (Ft. Meade, MD) with regard to the requirement for review of mass market encryption commodities and software.

Specific instructions for how to fill out form 748P (multipurpose application) for submission of a review request have been removed, because these instructions were redundant and inconsistent with the instructions found in paragraph (r) of Supplement No. 2 to part 748 of the EAR. Instead, a reference to this paragraph (r) is added to new paragraph 742.15(b)(1) “Procedures for requesting review.”

This rule removes former paragraph (b)(2)(iii) that provided authorization under the designation of “no license required (NLR)” for exports and reexports of encryption commodities and software pending mass market treatment review by BIS to government and non-government end-users located in countries listed in Supp. No. 3 to part 740 of the EAR or for internal use of foreign subsidiaries or offices of firms, organizations and governments headquartered in Canada or in countries listed in Supp. No. 3 to part 740 of the EAR. This authorization was based on a temporary classification under ECCNs 5A992 and 5D992, which is inconsistent with the way other items are classified in the EAR; therefore, this provision is removed. Instead, encryption commodities and software will remain under the classification of ECCN 5A002 and 5D002 until 30 days have passed since registration of the submitted review request or BIS issues a classification under ECCN 5A992 or 5D992. However, this rule creates a new authorization under License Exception ENC for such commodities and software pending a decision by BIS concerning mass market treatment under new paragraph 740.17(b)(1) of the EAR. This rule adds explanatory text about this new procedure in (b)(2) “Action by BIS.”

Section 742.15(b)(3) Exclusions for Notification and Review Requirements

This rule removes the former exclusion paragraphs, because they are no longer applicable and are replaced by new exclusion paragraphs from mass market review requirements under § 742.15(b). There are three new exclusions: Certain short range wireless commodities and software, wireless “personal area network” items, and “ancillary cryptography” commodities and software.

Section 742.15(b)(4) Dormant Encryption and Enabling Software and Commodities

This rule condenses this paragraph to remove text that pertained to ECCNs 5A992 and 5D992.

Section 742.15(b)(5) Examples of Mass Market Software

The phrase “designed for, bundled with, or pre-loaded on single CPU computers” is revised to read “designed for computers classified as ECCN 4A994 or EAR99.” This phrase was changed to remove outdated and confusing text related to computers. This rule also removes the last phrase “and commodities and software exported via free or anonymous downloads.” This phrase was removed because it confused the public, in that it led people to believe that if they incorporated free encryption software or open source encryption into their products that it was not subject to the EAR, which is not the case.

Supplement No. 6 to Part 742 “Guidelines for Submitting Review Requests for Encryption Items”

The option to fax support documents is removed, because that method has been replaced by either e-mailing the document in PDF or sending the document by mail. A requirement to obtain express mail certification of the mailing of support documentation is added for those that intend to rely on the 30 day registration provisions of the EAR.

Paragraph (a) is divided into 5 subparagraphs that clarify existing review requirements and procedures. Former paragraph (a) is now new subparagraph (a)(1), and is revised to add a requirement to include a brief non-technical description of the type of product being submitted, e.g., routers, disk drives, cell phones, chips, etc. Part of the introductory paragraph to Supp. No. 6 that addressed prior reviews is moved to a new subparagraph (a)(2), and is revised to add a requirement, for products with minor changes in encryption functionality, to include a cover sheet with complete reference to the previous review (CCATS#, Application Control Number (ACN), ECCN, authorization paragraph) along with a clear description of the changes. New subparagraph (a)(3) requires a description of how encryption is used in the product and the categories of encrypted data (i.e., stored data, communications, management data, internal data, etc.). New subparagraph (a)(4) requires, for mass market reviews, a specific description of who will be receiving the product and how the product is being marketed, as well as how this method of marketing and other relevant information (e.g., cost of product and volume of sales) is described by the Cryptography Note (Note 3 to Category 5, Part 2). New subparagraph (a)(5) clarifies information about any encryption source code being used.

Subparagraph (c)(1) is amended by adding the phrase “including relevant parameters, inputs and settings” to the end of the first sentence. Subparagraph (c)(6) is amended by adding more examples of communication and cryptographic functions, as well as replacing the term “encryption protocols” with a more accurate term “cryptographic protocols and methods.” An additional requirement is added to (c)(6) to describe how the protocols that are supported are used. The text of (c)(11) is revised to more clearly describe the information that would assist BIS.

The introductory text for paragraphs (d) and (e) is clarified.

Section 744.9 “Restrictions on Technical Assistance by U.S. Persons With Respect to Encryption Items”

This rule removes § 744.9 of the EAR that required authorization from BIS for U.S. persons to provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities or software that, if of U.S.-origin, would be “EI” controlled under ECCNs 5A002 or 5D002. Section 744.9 was added to the EAR in 1996 when jurisdiction over dual-use encryption items was transferred from the Department of State to the Department of Commerce. Technical assistance is treated differently under the International Trade in Arms Regulations (ITAR) than it is in EAR. Technical assistance is considered a form of “technology” under the definition of “technology” in section 772.1 of the EAR. The EAR states that technical assistance “may take forms such as instruction, skills training, working knowledge, consulting services” and that it “may involve transfer of ‘technical data.’ ” When a person performs technical assistance, which draws upon “development,” “production,” or “use” “technology” obtained in the United States or that is of U.S.-origin, then a release of “technology” takes place, which is considered an export or reexport and may require authorization under the EAR. BIS has observed that there is rarely an application for a license submitted under the requirements of section 744.9; however, requests for authorization under section 744.9 are often included in license applications for export of ECCN 5E002 Technology. This has led BIS to conclude that people are submitting license applications for technology exports and reexports when involved in technical assistance. Therefore, to harmonize the understanding of technical assistance as it is understood in the EAR with the practical application of it by the public, BIS is removing section 744.9. 
This removal does not remove any license requirements for controlled encryption technology released while performing technical assistance. This amendment does not affect the scope of the note in former 744.9 in that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting or in the work of groups or bodies engaged in standards development, by itself would not establish a license requirement under ECCN 5E002, even where foreign persons are present. Section 744.9 is replaced by a “license requirement” note in ECCN 5E002 on the Commerce Control List.

Supplement No. 2 to Part 748 “Unique Application and Submission Requirements”

This rule adds a sentence instructing applicants to place an “X” in the box marked “classification request” in Block 5 (Type of Application) of Form BIS-748P or select “Commodity Classification” if filing electronically, because neither the electronic nor paper forms provide a separate Block to check for submission of encryption review requests.

Section 750.3 Review of License Application by BIS and Other Government Agencies and Departments

This rule makes an editorial correction by removing paragraph (b)(2)(iv) and redesignating (b)(2)(v) as (b)(2)(iv). This paragraph referred to the Arms Control and Disarmament Agency (ACDA), which no longer exists. However, ACDA's personnel and functions were absorbed by the Department of State in 1999. Therefore, this rule revises paragraph (b)(2)(iii) by adding national security and nuclear nonproliferation to the description of State Department's concerns. Missile technology is also added as a State Department concern because the State Department chairs the Missile Technology Export control interagency working group.

Section 750.7 Issuance of Licenses

This rule removes paragraph (c)(2), which explained how to amend your Encryption License Agreement (ELA) by letter. BIS has observed a trend that industry has been submitting license applications for replacement or new ELAs when they want a change. In addition, it is more efficient for applicants to apply and track applications than letters, because of BIS' electronic application system. It is also easier for BIS to process and track submissions of applications than letters for the same reason. Therefore, this provision is removed.

This rule removes the third and fourth sentences in the introductory text of paragraph (d) that pertain to the responsibilities of a licensee with regard to ELAs. These sentences are removed, because a licensee may not transfer its license responsibilities.

Section 762.2 Records To Be Retained

This rule removes paragraph (b)(8), which referred to records related to key escrow encryption items under License Exception KMI. This rule removes License Exception KMI and Supplement No. 4 to part 742 “Key Escrow or Key Recovery Products Criteria,” therefore this recordkeeping requirement no longer exists.

Section 770.2 Item Interpretations

This rule moves paragraph (n) “Interpretation 14: Encryption commodity and software reviews,” to a new note under paragraphs 740.17(b) and 742.15(b), so that exporters do not miss this important information about when to submit a new product review when a change has occurred in the encryption product. The text of this paragraph is also revised for clarity. The note explains that a new product review is not required when a change involves: the subsequent bundling, patches, upgrades or releases of a product; name changes; or changes to a previously reviewed encryption product limited to updates in an encryption software component (e.g., version updates of an encryption library that is called by a product to provide encryption functionality where the encryption library has either already been reviewed or did not require prior review.)

Section 772.1 Definition of terms as used in the Export Administration Regulations (EAR)

This rule removes the definition of “strategic partner” as this term is not used in the control or licensing of encryption items. This rule also adds definitions for two new terms “ancillary cryptography” and “personal area network,” which are associated with new review and reporting exclusions in License Exception ENC.

Commerce Control List—Supplement No. 1 to Part 774

This rule revises the Nota Bene to the Cryptography Note at the beginning of Category 5 Part 2 in order to harmonize it with the revisions in this rule.

This rule clarifies what is controlled for “EI” reasons in ECCNs 5A002, 5D002, and 5E002 by replacing the text “EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to § 742.15 of this subchapter.” with appropriate text that refers to specific paragraphs within those ECCNs for which EI applies. For ECCN 5A002, the new EI control reads “EI applies to 5A002.a.1, a.2, a.5, a.6 and a.9. Refer to § 742.15 of the EAR.” For ECCN 5D002, the new EI control reads, “EI applies to “software” in 5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002. Refer to § 742.15 of the EAR.” For ECCN 5E002, the new EI control reads, “EI applies to “technology” for the “development,” “production,” or “use” of commodities or “software” controlled for EI reasons in ECCNs 5A002 or 5D002. Refer to § 742.15 of the EAR.” In addition, License Exception ENC is added to the License Exception section of each of these ECCNs, because it is the principal license exception for EI controlled items.

ECCN 5A002

This rule removes the license requirement notes section from ECCN 5A002, because there is no Wassenaar reporting requirement for this ECCN. In addition, this rule makes editorial corrections to the Related Controls paragraph by replacing the use of the term “items” with commodities when referring to ECCN 5A002 and 5A992. Moreover, this rule clarifies that if commodities are listed in paragraphs (a) through (f) in the Note to 5A002, and therefore the commodities are classified under ECCN 5A992, then the related software and technology are classified under ECCNs 5D992 and 5E992, respectively. This rule also revises Related Controls note 2 to be consistent with the mass market review procedures of § 742.15 of the EAR. This note now reads “2) After a review and classification by BIS, mass market encryption commodities that meet eligibility requirements are released from “EI” and “NS” controls. These commodities are classified under ECCN 5A992.c. See § 742.15(b) of the EAR.”

ECCN 5A992

This rule revises the anti-terrorism (AT) controls for ECCN 5A992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. This rule adds a new paragraph 5A992.c. This new paragraph clarifies that a mass market commodity is classified under ECCN 5A992 upon completion of Government review of a commodity in accordance with paragraph 742.15(b) of the EAR, when that review determines that the commodity meets the requirements for mass market treatment. Encryption items are no longer presumed eligible for mass market treatment while pending Government review.

ECCN 5D002

This rule removes the third note in the License Requirement section, because the information in it does not harmonize with the revision made in this rule. In addition, this rule adds another note to the Related Controls paragraph to inform the public about the review and classification of mass market software.

ECCN 5D992

This rule revises the anti-terrorism (AT) controls for ECCN 5D992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. Paragraphs 5D992.a.1 and a.2, and 5D992.b.1 and b.2, are combined as 5D992.a and 5D992.b, respectively, in order to simplify the entry. This rule also removes paragraph 5D992.c (“software” designed or modified to protect against malicious computer damage, e.g., viruses) from ECCN 5D992, while adding a note in the Related Control stating, “This entry does not control “software” designed or modified to protect against malicious computer damage, e.g., viruses, where the use of “cryptography” is limited to authentication, digital signature and/or the decryption of data or files.” Certain software for protection against malicious damage that meet the criteria of the Related Control note are thus now decontrolled and classified as EAR99, unless the software performs functions that are controlled under other ECCNs (whether under Category 5, part 2 or elsewhere in the Commerce Control List). Such software remains subject to the EAR and may be classified under ECCN 5D002 or 5D992 if it performs cryptographic functionality controlled by these Category 5, part 2 ECCNs (e.g., data or file encryption, including of user or system data under Secure Socket Layer (SSL) encryption, even if the cryptographic functionality is not directly user accessible.) Examples of software decontrolled by this change include certain firewall and other software for the screening of digital content and the detection and removal of viruses, spyware and unsolicited commercial e-mail.

This rule also adds a new paragraph 5D992.c. This paragraph clarifies that mass market software is classified under ECCN 5D992.c upon completion of Government review of the software in accord with § 742.15 of the EAR when that review determines that the software meets the requirements for mass market treatment. Encryption software is no longer presumed eligible for mass market treatment.

ECCN 5E002

This rule adds a License Requirement Note to remind people to consider the possibility of the release of technology when performing technical assistance; the note reads, “When a person performs or provides technical assistance that incorporates, or otherwise draws upon, “technology” that was either obtained in the United States or is of U.S.-origin, then a release of the “technology” takes place. Such technical assistance, when rendered with the intent to aid in the “development” or “production” of encryption commodities or software that would be controlled for “EI” reasons under ECCN 5A002 or 5D002, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.” In addition, in order to harmonize with the revisions in this rule and for consistency, this rule adds text to the Related Controls paragraph of the List of Items Controlled section to read “This entry does not control “technology” “required” for the “use” of equipment excluded from control under the Related Controls paragraph or the Technical Notes in ECCN 5A002 or “technology” related to equipment excluded from control under ECCN 5A002. This “technology” is classified as ECCN 5E992.”

ECCN 5E992

This rule revises the anti-terrorism (AT) controls for ECCN 5E992, by placing the entire entry under AT Column 1 controls, for ease of understanding and compliance. This rule revises the references in 5E992.a and .b to conform to revisions included in this rule.

Although the Export Administration Act expired on August 20, 2001, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 73 FR 43603 (July 25, 2008), has continued the Export Administration Regulations in effect under the International Emergency Economic Powers Act.

Rulemaking Requirements

1. This interim final rule has been determined to be not significant for purposes of Executive Order 12866.

2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA), unless that collection of information displays a currently valid Office of Management and Budget (OMB) Control Number. This rule involves two collections of information subject to the PRA. One of the collections has been approved by OMB under control number 0694-0088, “Multi Purpose Application,” and carries a burden hour estimate of 58 minutes for a manual or electronic submission. The other collection has been approved by OMB under control number 0694-0104, “Commercial Encryption Items Under the Jurisdiction of the Department of Commerce,” and carries a burden hour estimate of 7 hours for a manual or electronic submission. Send comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, to Jasmeet Seehra, OMB Desk Officer, by e-mail at jseehra@omb.eop.gov or by fax to (202) 395-7285; and to the Office of Administration, Bureau of Industry and Security, Department of Commerce, 14th and Pennsylvania Avenue, NW., Room 6622, Washington, DC 20230.

3. This rule does not contain policies with Federalism implications as that term is defined under Executive Order 13132.

4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under the Administrative Procedure Act or by any other law, the analytical requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) are not applicable. Therefore, this regulation is issued in interim final form. Although there is no formal comment period, public comments on this regulation are welcome on a continuing basis. Comments should be submitted to Sharron Cook, Office of Exporter Services, Bureau of Industry and Security, Department of Commerce, 14th and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230.

List of Subjects

15 CFR Parts 732, 740, 748 and 750

Administrative practice and procedure, Exports, Reporting and recordkeeping requirements.

15 CFR Parts 738, 770 and 772

Exports.

15 CFR Part 744

Exports, Reporting and recordkeeping requirements, Terrorism.

15 CFR Part 742

Exports, Terrorism.

15 CFR Part 746

Exports, Reporting and recordkeeping requirements.

15 CFR Part 762

Administrative practice and procedure, Business and industry, Confidential business information, Exports, Reporting and recordkeeping requirements.

15 CFR Part 774

Exports, Reporting and recordkeeping requirements.

Accordingly, parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 772 and 774 of the Export Administration Regulations (15 CFR parts 730-774) are amended as follows:

PART 732—[AMENDED]

1. The authority citation for part 732 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

2. Section 732.2 is amended by revising paragraph (b) to read as follows:
§ 732.2 Steps Regarding Scope of the EAR

(b) Step 2: Publicly available technology and software. This step is relevant for both exports and reexports. Determine if your technology or software is publicly available as defined and explained at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR contains several practical examples describing publicly available technology and software that are outside the scope of the EAR. The examples are illustrative, not comprehensive. Note that encryption software controlled for EI reasons under ECCN 5D002 on the Commerce Control List (refer to Supplement No. 1 to Part 774 of the EAR) and mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992 shall be subject to the EAR even if publicly available. Accordingly, the provisions of the EAR concerning the public availability of items are not applicable to encryption items controlled for “EI” reasons under ECCN 5D002 and mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992.

PART 734—[AMENDED]

3. The authority citation for part 734 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007).

4. Section 734.3 is amended by adding a note to paragraph (a)(4) to read as follows:
§ 734.3 Items Subject to the EAR

(a) * * *

(4) * * *

Note to paragraph (a)(4):

Certain foreign-manufactured items developed or produced from U.S.-origin encryption items exported pursuant to License Exception ENC are subject to the EAR. See sections 740.17(a) and 740.17(b)(4)(ii) of the EAR.

5. Supplement No. 1 to part 734 is amended by revising the introductory paragraph to read as follows:

Supplement No. 1 to Part 734—Questions and Answers—Technology and Software Subject to the EAR

This Supplement No. 1 contains explanatory questions and answers relating to technology and software that is subject to the EAR. It is intended to give the public guidance in understanding how BIS interprets this part, but is only illustrative, not comprehensive. In addition, facts or circumstances that differ in any material way from those set forth in the questions or answers will be considered under the applicable provisions of the EAR. Exporters should note that the provisions of this supplement do not apply to encryption software classified under ECCN 5D002 for “EI” reasons on the Commerce Control List or to mass market encryption software with symmetric key length exceeding 64-bits classified under ECCN 5D992. This Supplement is divided into nine sections according to topic as follows:

PART 738—[AMENDED]

6. The authority citation for part 738 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

7. Section 738.4 is amended by revising paragraphs (a)(1) and (a)(2)(ii)(B) to read as follows:
§ 738.4 Determining Whether a License Is Required

(a) * * *

(1) Overview. Once you have determined that your item is classified under a specific ECCN, you must use information contained in the “License Requirements” section of that ECCN in combination with the Country Chart to decide whether a license is required. Note that not all license requirements set forth under the “License Requirements” section of an ECCN refer you to the Commerce Country Chart, but in some cases this section will contain references to a specific section in the EAR for license requirements. In such cases, this section would not apply.

(2) * * *

(ii) * * *

(B) If no, a license is not required based on the particular Reason for Control and destination. Provided that General Prohibitions Four through Ten do not apply to your proposed transaction and that any applicable review requirements described in § 742.15(b) of the EAR have been met for certain mass market encryption items controlled under ECCNs 5A992 or 5D992, you may effect your shipment using the symbol “NLR.” Proceed to parts 758 and 762 of the EAR for information on export clearance procedures and recordkeeping requirements. Note that although you may stop after determining a license is required based on the first Reason for Control, it is best to work through each applicable Reason for Control. A full analysis of every possible licensing requirement based on each applicable Reason for Control is required to determine the most advantageous License Exception available for your particular transaction and, if a license is required, ascertain the scope of review conducted by BIS on your license application.

PART 740—[AMENDED]

8. The authority citation for part 740 continues to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

9. Section 740.3 is amended by revising paragraph (d)(5) to read as follows:
§ 740.3 Shipments of Limited Value (LVS)

(d) * * *

(5) Exports and reexports of encryption components or spare parts. For components or spare parts controlled for “EI” reasons under ECCN 5A002, exports and reexports under this License Exception must be destined to support a commodity previously authorized for export or reexport.

§ 740.8 [Removed]
10. Remove and reserve § 740.8.
§ 740.13 [Amended]
11. Section 740.13 is amended by removing the quotation marks around the term “mass market” in paragraph (d) heading, paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii).
12. Section 740.17 is revised to read as follows:
§ 740.17 Encryption Commodities, Software and Technology (ENC).

License Exception ENC authorizes export and reexport of software and commodities and components therefor that are classified under ECCNs 5A002.a.1, a.2, a.5, a.6 or a.9, 5B002, 5D002, and technology that is classified under ECCN 5E002. This License Exception ENC does not authorize export or reexport to, or provision of any service in any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Group E:1. Reexports and transfers under License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraph (d) of this section sets forth information about review requests required by this section. Paragraph (e) sets forth reporting required by this section.

(a)No prior r