Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.


3 October 2008


[Federal Register: October 3, 2008 (Volume 73, Number 193)]
[Rules and Regulations]               
[Page 57495-57512]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03oc08-4]                         

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 
772, and 774

[Docket No. 080211163-81224-01]
RIN 0694-AE18

 
Encryption Simplification

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: This interim final rule amends the Export Administration 
Regulations (EAR) to make the treatment of encryption items more 
consistent with the treatment of other items subject to the EAR, as 
well as to simplify and clarify regulations pertaining to encryption 
items. The restrictions pertaining to technical assistance by U.S. 
persons with respect to encryption items are removed, because the 
current export and reexport restrictions set forth in the EAR for 
technology already include technical assistance. This rule also removes 
License Exception KMI as it has become obsolete because of developments 
in uses of encryption. In addition, this rule removes notification 
requirements for items classified as 5A992, 5D992, and 5E992. This rule 
also increases certain parameters under License Exception ENC, which is 
intended to reflect advances in technology. This rule adds two new 
review and reporting requirement exclusion paragraphs under License 
Exception ENC for wireless ``personal area network'' items and for 
``ancillary cryptography'' items. This rule also adds Bulgaria, Canada, 
Iceland, Romania, and Turkey to the list of countries that receive 
favorable treatment under License Exception ENC. Commodities and 
software pending mass market review may no longer be exported under 
ECCNs 5A992 and 5D992 using No License Required (NLR). However, once 
the mass market review has been received by BIS, then such commodities 
and software may be exported using License Exception ENC under ECCNs 
5A002 and 5D002. This rule will reduce the paperwork burden on the 
public by 9% (annual dollar amount savings of approximately $14,000 to 
the public and $5,000 to the U.S. Government), because of the removal 
of certain notification requirements, addition of countries to the list 
of those receiving favorable treatment under License Exception ENC, and 
the increase of reporting and review requirement exclusions. The 
Departments of Commerce, State and Defense will continue to review 
export control, license review policies, and license exceptions for 
encryption items in the EAR.

DATES: Effective Date: This rule is effective October 3, 2008.

ADDRESSES: Written comments on this interim final rule may be sent by 
e-mail to publiccomments@bis.doc.gov. Include ``Encryption rule'' in 
the subject line of the message. Comments may also be submitted by mail 
or hand delivery to Sharron Cook, Office of Exporter Services, 
Regulatory Policy Division, Bureau of Industry and Security, Department 
of Commerce, 14th St. & Pennsylvania Avenue, NW., Room 2705, 
Washington, DC 20230, ATTN: Encryption rule; or by fax to (202) 482-
3355.

FOR FURTHER INFORMATION CONTACT: For questions of a general nature 
contact Sharron Cook, Office of Exporter Services, Regulatory Policy 
Division at (202) 482-2440 or E-Mail: scook@bis.doc.gov.
    For questions of a technical nature contact: The Information 
Technology Division, Office of National Security and Technology 
Transfer Controls at 202-482-0707 or E-Mail: C. Randall Pratt at 
cpratt@bis.doc.gov.

SUPPLEMENTARY INFORMATION: 

Background

Steps Regarding Scope of the EAR

    This rule revises paragraph 732.2(b) of the EAR, which sets forth 
instructions on how to determine if your technology or software is 
publicly available, by adding mass market encryption software with 
symmetric key length exceeding 64-bits classified under ECCN 5D992. The 
addition of this phrase harmonizes with the scope of publicly available 
encryption software that is considered to be subject to the EAR because 
of the criteria set forth in Sec.  734.3(b)(3) of the EAR.

[[Page 57496]]

Items Subject to the EAR

    This rule adds a note to paragraph 734.3(a)(4) of the EAR, which 
sets forth the items that are subject to the EAR. The note reminds 
readers that certain foreign-manufactured items are subject to the EAR 
when developed or produced from U.S.-origin encryption items that were 
exported pursuant to Sec.  740.17(a) of License Exception ENC.

Clarification of Text

    This rule replaces the phrase ``encryption software (including 
source code) transferred from the U.S. Munitions List to the Commerce 
Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 
58767) and pursuant to the Presidential Memorandum of that date'' with 
``software controlled for ``EI'' reasons under ECCN 5D002 on the 
Commerce Control List'' to clarify which software this sentence is 
referring to in the introductory paragraph of Supplement No. 1 to part 
734 ``Questions and Answers--Technology and Software subject to the 
EAR.''

Determining Whether a License Is Required

    This rule clarifies text in Sec.  738.4(a)(1) of the EAR that not 
all license requirements set forth under the ``License Requirements'' 
section of an ECCN refer to the Commerce Country Chart, but in some 
cases this section will contain references to a specific section in the 
EAR that contain license requirements for that particular ECCN. In such 
cases, you could not determine whether a license is required based on 
the ECCN and Country Chart alone and section Sec.  738.4(a)(1) of the 
EAR would not apply. For example, ``EI'' controls are not included in 
the Country Chart; however licensing requirements for ``EI'' controlled 
items are included in Sec.  742.15(a) of the EAR. In addition, this 
rule removes the reference in Sec.  738.4(a)(2)(ii)(B) to notification 
requirements described in paragraph 742.15(b) for items classified 
under ECCNs 5A992, 5D992, and 5E992, because this rule removes 
notification requirements for these items. This rule also clarifies the 
reminder about the review requirements for certain mass market 
encryption items under ECCNs 5A992 and 5D992, by removing the reference 
to 5E992 and harmonizing the citation reference with the changes in 
this rule.

License Exception LVS

    This rule revises Sec.  740.3(d)(5) to clarify that not only 
exports, but reexports of encryption components or spare parts are 
subject to the special restriction in this paragraph. In addition, the 
term ``item'' has been replaced by correct terminology.

License Exception KMI

    This rule removes Sec.  740.8 of the EAR ``License Exception KMI'' 
as it has become obsolete because of the developments in the use of 
encryption. A consequential revision is also made to Sec.  746.3(c) of 
the EAR, where License Exception KMI was listed. Products previously 
eligible for License Exception KMI will be accorded equivalent 
treatment under license or license exception. As a result of this 
change, this rule also removes Supplement No. 4 to part 742 ``Key 
Escrow or Key Recovery Products Criteria.''

License Exception TSU

    In Sec.  740.13(d) of the EAR, this rule removes the quotation 
marks around the term ``mass market'' in the title to paragraph (d), 
paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph 
(d)(3)(ii), because in the EAR double quotation marks around a term 
indicate that the word is defined in part 772 of the EAR, and mass 
market is not a defined term in part 772 of the EAR.

License Exception ENC

    This rule revises Sec.  740.17 of the EAR by reformatting 
paragraphs, removing redundant text, and clarifying text as needed. 
This rule revises the title of this section to indicate that this 
license exception also authorizes technology. The introductory 
paragraph to Sec.  740.17 of the EAR is condensed to set forth the 
scope of Sec.  740.17 of the EAR and include information not found 
elsewhere in Sec.  740.17 of the EAR.
    While this rule reformats the paragraphs in Sec.  740.17 of the 
EAR, it was BIS's goal to minimize revisions to the enumeration of 
paragraphs used to classify encryption items in the past, so as to 
alleviate confusion about previous classifications provided by BIS that 
reference specific paragraphs and to reduce the number of revisions to 
industry's current product matrices. That being said, the paragraph 
titles have been revised to reflect review request requirements instead 
of destinations, end-uses, or types of end-users.
    This rule removes paragraphs 740.17(a)(2) and (b)(2)(i) that 
exempted commodities and software from review requirements based on a 
previous review by the U.S. Government prior to October 19, 2000. These 
commodities and software remain exempt from review requirements, and 
BIS did not see the necessity of retaining such text in the Export 
Administration Regulations.
    Paragraph 740.17(a) now describes exports and reexports authorized 
by License Exception ENC that do not require prior government review or 
post export reporting. The former paragraph (a)(2) ``Items previously 
reviewed by the U.S. Government'' is removed by this rule, as this 
paragraph is no longer necessary because of the passage of time. Former 
paragraph (a)(3) for end-uses other than internal development is moved 
to new paragraph (b)(1), because a review request submission is 
required for eligibility under this paragraph. Former paragraph (b)(1) 
for U.S. subsidiaries is moved to (a)(2), because authorization under 
this paragraph does not require prior review. In addition, this rule 
amends former paragraph (b)(4)(i)(A) (exempting encryption items not 
exceeding certain key lengths from the 30 day waiting period) by moving 
it to (b)(1)(ii)(A).

Section 740.17(a)(1)

    This rule removes references in paragraph Sec.  740.17(a)(1) to 
``technical assistance described in Sec.  744.9 of the EAR,'' because 
this rule removes 744.9, see explanation set forth below under ``Sec.  
744.9.'' This rule clarifies text in paragraph (a)(1) so that it is 
understood that License Exception ENC can be used for not only internal 
development, but also internal production of new products.

Section 740.17(a)(2)

    Paragraph 740.17(a)(2) is former paragraph (b)(1).

Section 740.17(b)

    Paragraph 740.17(b) now sets forth those items authorized under 
License Exception ENC that require prior review by the U.S. Government. 
This paragraph also sets forth the ``open cryptographic interface'' 
restriction that applies to all paragraphs in 740.17(b), except for 
paragraph Sec.  740.17(b)(1)(i). This introductory paragraph also sets 
forth the restriction to export or reexport cryptanalytic items to any 
``government end-user.'' There is also a reference in this paragraph to 
paragraph (e) ``reporting requirements'' for exports and reexports 
under Sec.  740.17(b).

Section 740.17(b)(1)

    The new paragraph 740.17(b)(1) of the EAR authorizes exports and 
reexports under License Exception ENC that require prior government 
review, but allows the export or reexport to take place immediately 
upon registration of the review request with BIS.

[[Page 57497]]

    Paragraph (b)(1)(i) authorizes the export and reexport of 
encryption items, including EI controlled commodities or software 
(excluding source code) that are pending review for mass market 
treatment (under Sec.  742.15(b) of the EAR), to ``government end-
users'' and non-``government end-users'' located in the countries 
listed in Supplement 3 of part 740, as well as to foreign subsidiaries 
or offices of firms, organizations and governments headquartered in 
countries listed in Supplement 3 of part 740. This rule adds 
authorization under License Exception ENC for items pending mass market 
review, because it was not logical to temporarily classify commodities 
and software under ECCNs 5A992 or 5D992 that were pending mass market 
review under paragraph 742.15(b) and authorize export or reexport under 
the designation of ``No License Required (NLR)'' when the possible 
outcome of the BIS classification of the commodities and software could 
be ECCN 5A002 or 5D002.
    New paragraph 740.17(b)(1)(ii) authorizes exports and reexports of 
specified encryption commodities and software to countries not listed 
in Supplement No. 3 to part 740. This rule revises the format of the 
parameters in this section from a range to an upper limit in paragraph 
(b)(1)(ii)(A), former paragraph (b)(4)(i)(A). In addition, the upper 
limit for symmetric algorithms has been raised from ``key lengths not 
exceeding 64 bits'' to ``key lengths not exceeding 80 bits.'' After 
review has been completed on these commodities or software, BIS will 
issue a CCATS that will indicate authorization is under paragraph 
(b)(2) or (b)(3) of Sec.  740.17 of the EAR, whichever paragraph is 
appropriate.
    Paragraph (b)(1)(ii)(B), former paragraph (b)(4)(i)(B), authorizes 
exports and reexports of encryption source code that would not be 
eligible for export or reexport under License Exception TSU, provided 
that a copy of the source code is included in the review request, to 
non-``government end-users'' located in any country except a country 
listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR. 
After the review has been completed, BIS will issue a CCATS that will 
indicate authorization is under paragraph 740.17(b)(2) of the EAR. The 
text is clarified by replacing the phrase ``considered publicly 
available'' with ``eligible'' in order to avoid confusion about the 
scope of encryption source code eligible under this paragraph.

Section 740.17(b)(2)

    Paragraph (b)(2) of License Exception ENC authorizes exports and 
reexports to non-``government end-users'' located in a country not 
listed in Supplement No. 3 to this part or Country Group E:1 that 
require a prior review and 30 day waiting period. Pursuant to the new 
scope paragraph 740.17(b), this rule expands the scope of (b)(2) to 
include ECCN 5B002 to be consistent with commodities and software 
eligible for License Exception ENC under paragraphs (b)(1) and (b)(3) 
of the EAR. In addition, former paragraph (b)(2)(i) concerning 
transactions previously reviewed prior to October 19, 2000 by the U.S. 
Government is removed as the passage of time has made this paragraph 
unnecessary. Former paragraph (b)(2)(ii) that set forth the review 
request requirement is removed, as the review request requirement has 
been moved to the introductory text of paragraph (b)(2). Former 
paragraph (b)(2)(iii) is replaced by the introductory text of paragraph 
(b)(2).
    This rule revises new paragraph (b)(2)(i), (Network infrastructure 
software and commodities) by adding ``digital packet telephony/media 
(voice/video/data) over internet protocol'' to the list of capabilities 
described.
    Also in this new paragraph (b)(2)(i), the former paragraph 
(b)(2)(iii)(A) reference to ``64 bits for symmetric algorithms'' is 
changed to ``80 bits for symmetric algorithms'', commensurate with the 
key length change in new paragraph (b)(1)(ii)(B). (Note: Regarding key 
length with respect to the authorizations and restrictions set forth in 
both the current and former versions of License Exception ENC Sec.  
740.17(b)(2), only `network infrastructure' commodities and software 
(sub-paragraph (i) in this rule) are distinguished by key length. All 
encryption commodities and software now enumerated in sub-paragraphs 
(ii)-(vi) (former sub-paragraphs (iiii)(B)-(iii)(F)) of License 
Exception ENC paragraph (b)(2) are controlled to ``government end-
users'' as described, regardless of key length.)
    Former paragraph (b)(2)(iii)(A)(1), new paragraph Sec.  
740.17(b)(2)(i)(A) is clarified by this rule to add quotes around the 
term ``government end-user(s)'' and now reads as follows, ``Been 
designed, modified, adapted or customized for ``government end-
user(s)'' or government end-use (e.g., to secure police, state 
security, or emergency response communications).''
    This rule further revises former paragraph (b)(2)(iii)(A)(1), new 
paragraph (b)(2)(i)(A), which addresses aggregate encrypted WAN, MAN, 
VPN or backhaul throughput, by increasing the parameter from 44 Mbps to 
90 Mbps.
    This rule further revises former paragraph (b)(2)(iii)(A)(2), new 
paragraph (b)(2)(i)(B). The Wire (line), cable or fiber optic WAN, MAN 
or VPN single-channel input data rate is revised from ``44 Mbps'' to 
``154 Mbps.''
    These revisions are not expected to result in a decrease in the 
number of license applications submitted for exports and reexports of 
items described in paragraph (b)(2) to government end-users. Most 
network infrastructure items currently being exported to government 
end-uses exceed these performance parameters. However, BIS has 
determined that the parameters should be adjusted in recognition of 
technology advances, and to avoid maintaining controls on legacy 
systems.
    This rule replaces the ``Maximum number of concurrent encrypted 
data tunnels or channels * * *'' parameter in former paragraph 
(b)(2)(iii)(A)(3), new paragraph (b)(2)(i)(C) with ``Media (voice/
video/data) encryption or centralized key management supporting more 
than 250 concurrent encrypted data channels, or encrypted signaling to 
more than 1,000 endpoints, for digital packet telephony/media (voice/
video/data) over internet protocol communications.'' These amendments 
update these provisions of License Exception ENC to reflect advances in 
encryption technology. Specifically, these amendments address 
cryptographic developments in Datagram Transport Layer Security 
(DTLS)--Secure Real-Time Transport Protocol (SRTP), and encrypted 
communications signaling, for large Voice over Internet Protocol (VoIP) 
network infrastructures.
    This rule also revises former paragraph (b)(2)(iii)(A)(4)(i), new 
paragraph (b)(2)(i)(D)(1), which addresses Air-interface coverage 
capabilities, by changing ``maximum data rates'' to ``maximum 
transmission data rates'' and changing the parameter from ``5 Mbps'' to 
``10 Mbps.'' By limiting this License Exception ENC provision to the 
transmit (upstream) data rates and doubling the licensing threshold, 
these amendments reflect technology developments for certain satellite 
and other long-range wireless devices.
    Former paragraph (b)(2)(iii)(B) that addressed encryption source 
code that would not be eligible for export or reexport under License 
Exception TSU is moved to new paragraph (b)(2)(ii), but also appears in 
new paragraph (b)(1)(ii)(B) for review requests that include a copy of 
the source code, and

[[Page 57498]]

may be exported or reexported without a waiting period under License 
Exception ENC when the review request is registered with BIS.
    Former paragraph (b)(2)(iii)(C), new paragraph (b)(2)(iii) is 
revised by removing the reference to the open cryptographic interface 
restriction, because this restriction is now placed in the introductory 
text of paragraph 740.17(b).
    Former paragraph (b)(2)(iii)(C)(1), new paragraph (b)(2)(iii)(A) is 
amended by revising the phrase ``Been modified or customized for'' to 
read ``been designed, modified, adapted or customized for.'' Quotes 
have been added around the term ``government end-user(s)'' to indicate 
that this term is defined in part 772 of the EAR.
    This rule also revises the phrase ``to secure departmental, police, 
state security, or emergency response communications'' to read ``to 
secure police, state, security, or emergency response communications, 
including encryption commodities and software for external Security 
Operations Center (SOC)/Network Operations Center (NOC) command and 
infrastructure, and digital forensics/computer forensics.'' With this 
clarification, this rule provides examples of three such systems that 
are controlled for their inherent government end-use: External Security 
Operations Center (SOC)/Network Operations Center (NOC) command and 
infrastructure; public safety radio (e.g., implementing Terrestrial 
Trunked Radio (TETRA) and/or Association of Public-Safety 
Communications Officials International (APCO) Project 25 (P25) 
standards); and digital forensics/computer forensics.

    Note: Regarding the use of encryption by a computer forensics/
digital forensics commodity or software (e.g., for securing the 
collection, examination, and/or reporting of data or metadata on an 
investigated computer), such digital/computer forensics tools would 
not be considered ``cryptanalytic items'' if the only use of 
``cryptography'' is for encryption. However, such tools that also 
perform ``cryptanalysis'' (e.g., cracking passwords or employing 
other cryptanalytic techniques to derive user-encrypted data or 
metadata from a computer or network) would be controlled as 
``cryptanalytic items.''

    Former paragraph (b)(2)(iii)(E), new paragraph (b)(2)(v) is revised 
by adding a clarifying phrase after the term ``quantum cryptography'' 
to read ``as defined in ECCN 5A002 of the Commerce Control List.''
    Former paragraph (b)(2)(iii)(F), new paragraph (b)(2)(vi) is 
revised by replacing the term ``controlled'' with ``classified under'' 
to clarify the scope of computers in this paragraph.

Section 740.17(b)(3)

    This rule revises paragraph Sec.  740.17(b)(3) of the EAR for 
export or reexport of commodities and software not listed in Sec.  
740.17(b)(2) of the EAR by both ``government end-users'' and non-
``government end-users'' by removing the redundant former paragraph 
(b)(3)(ii)(B) that explained the review procedures and instead 
inserting a reference to paragraph Sec.  740.17(d) that sets forth 
these procedures. In addition, former paragraph (b)(3)(ii)(A) 
concerning transactions previously reviewed by the U.S. Government is 
removed as the passage of time has made this paragraph unnecessary. 
Former paragraph (b)(3)(i)(A) that set forth the ineligibility of 
commodities and software that provide an ``open cryptographic 
interface'' is removed because this restriction is set forth in the 
introductory text of paragraph 740.17(b). This rule adds text that 
clarifies the eligible locations of the end-users, because 740.17(a) 
addresses all exports to Supplement No. 3 countries. This rule 
relocates the restriction in former paragraph (f)(1) concerning 
``cryptanalytic items'' to the introductory text of paragraph (b)(3).

Section 740.17(b)(4)

    Former paragraph 740.17(b)(4)(i), setting forth commodities and 
software that are eligible for export immediately upon registration of 
a review request, is moved to new paragraph (b)(1)(ii). In addition, 
previous paragraph 740.17(b)(4)(ii), setting forth exclusions from 
review requirements for certain items, is reformatted as paragraph 
740.17(b)(4).
    Former paragraph (b)(4)(ii)(A) for short-range wireless encryption 
is now in new paragraph (b)(4)(i). This rule adds examples to this 
paragraph of short-range wireless commodities and software. An 
informative sentence is also added to notify the reader that certain 
items excluded by this paragraph may also be excluded from review under 
(b)(4)(iii) (personal area networks) or (b)(4)(iv) (commodities and 
software that provide ``ancillary cryptography'').
    Former paragraph (b)(4)(ii)(B) is replaced by the third, fourth, 
and fifth sentences of former paragraph (c), which pertains to foreign 
products developed with or incorporating U.S.-origin encryption source 
code, components, or toolkits.
    This rule adds two new review requirement exclusion paragraphs. The 
first new paragraph (b)(4)(iii) is for wireless ``personal area 
network'' items. This rule adds the term ``personal area network'' and 
definition, as well as examples to part 772. The other new exclusion 
paragraph (b)(4)(iv) is for ``ancillary cryptography,'' which is also a 
newly added term/definition in part 772. The term/definition includes 
examples of ``ancillary cryptography.'' The U.S. Government has 
determined that it is not necessary to review the encryption 
functionality of such items.

Reexports and Transfers

    This rule clarifies the second sentence in Sec.  740.17(c) of the 
EAR (restricted transfers) by adding quotes around the term 
``government end-users'' for consistency. The third and fourth 
sentences in this section concerning foreign products developed with or 
incorporating U.S.-origin encryption products are moved to new 
paragraph (b)(4)(ii), because it was misplaced and redundant to text 
already included in another paragraph of License Exception ENC.

Review Request Procedures

    This rule removes former paragraph (d)(1) ``Instructions for 
requesting review'' because these instructions were redundant and 
inconsistent with the instructions for submissions on Form BIS-748P 
(Multipurpose Application) found in Part 748 of the EAR. Instructions 
for such submissions belong in Part 748 of the EAR.
    This rule reformats former paragraph (d)(2) ``Action by BIS'' 
because this paragraph was entirely too long and needed to be divided 
by subject matter. The new subparagraph titles are: (i) Notification; 
(ii) After 30 days; and (iii) Hold Without Action (HWA).
    This rule moves former paragraph (d)(3), ``key length increases,'' 
to the reporting requirement section under new paragraph (e)(2), 
because this requirement is in actuality a reporting requirement and 
not a review requirement. This report is required for commodities and 
software that, after having been reviewed and authorized for License 
Exception ENC by BIS, are modified only to upgrade the key length used 
for confidentiality or key exchange algorithms. This rule also makes 
the new key length a required element of the report.

Reporting Requirements

    The reporting requirements for License Exception ENC are now split 
into two sections: Semiannual reporting requirement and reporting key 
length increases. This rule clarifies that the Commodity Classification 
Automated Tracking System (CCATS) number is a required element of the 
report. This rule removes former paragraph (e)(2)(iv),

[[Page 57499]]

which required a report for exports of ECCN 5E002 items to be used for 
technical assistance that are not released by 744.9, because this rule 
removed section 744.9 of the EAR. This rule also clarifies the purpose 
and scope of paragraph (e)(3), regarding reportable information on 
foreign manufacturers and products that use encryption items in 
countries not listed in Supplement No. 3 to part 740.

Reporting Exclusions

    This rule revises the exclusion set forth in former paragraph 
(e)(4)(i), new paragraph (e)(1)(iii)(A), by removing the reference to 
paragraph (b)(1), because (b)(1) did not require prior review or post 
export reporting, therefore this rule moved (b)(1) to new paragraph 
(a)(2).
    In new paragraph (e)(1)(iii)(F), this rule expands the exclusion 
that was in former paragraph (e)(4)(vi) for components limited to 
providing short-range wireless encryption functions, by making the 
reporting exclusion apply to all of the items in the new paragraph 
(b)(4), which are those items that are excluded from review 
requirements (certain commodities and software that provide short-range 
wireless; foreign products developed with or incorporating U.S.-origin 
encryption source code (that have not entered United States for 
subsequent export), components, or toolkits; wireless ``personal area 
network'' items; and ``ancillary cryptography'' commodities and 
software).
    Lastly, in new paragraph (e)(1)(iii)(J), this rule adds a new 
provision to exclude from reporting requirements exports of items that 
have been determined, on a case-by-case basis do not require the burden 
of semi-annual reporting. Certain exports of items that do not qualify 
for mass market treatment, but are authorized under License Exception 
ENC are not of interest for national security reasons, therefore do not 
warrant reporting requirements. Exporters will be notified of this 
exclusion on issued Commodity Classification Automated Tracking System 
(CCATS) documents.

Restrictions

    Former paragraph Sec.  740.17(f) ``Restrictions'' is removed, 
because the restrictions that were in this paragraph are integrated 
into the introductory paragraph to Sec.  740.17 or specific paragraphs 
for which they apply.

Supplement No. 3 to Part 740

    This rule revises the title of Supplement No. 3 to part 740 to read 
``License Exception ENC Favorable Treatment Countries,'' because the 
former title of ``Countries Eligible for the Provisions of Sec.  
740.17(a)'' is no longer correct, as these countries are now eligible 
for provisions of Sec.  740.17(b)(1) of the EAR. This rule adds 
Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries 
in Supplement No. 3 to part 740 of the EAR. Bulgaria and Romania joined 
the European Union by accession on January 1, 2007. The addition of 
Canada is simply for clarity, as licenses are not required to Canada 
for Encryption Items (pursuant to Sec.  742.15(a)(1)) and License 
Exception ENC has been available for subsidiaries and offices of the 
Canadian government and private-sector end-users (along with the 
previous Supplement No. 3 to part 740 list of countries). Turkey and 
Iceland are added because they are members of the North Atlantic Treaty 
Organization (NATO). This will increase eligibility under License 
Exception ENC under new paragraphs Sec.  740.17(a)(1) and (b)(1) of the 
EAR, which will decrease the necessity for submitting license 
applications, review requests, and semiannual reports.
    This revision will reduce the number of license applications 
submitted to BIS for the export or reexport of encryption products 
classified under ECCNs 5A002 and 5D002 to Bulgaria, Iceland, Romania, 
and Turkey by 95 percent (approximately $37 million in exports and 
reexports for CY 2007). This revision will not change the amount of 
license applications received by BIS for the export or reexport of 
encryption products to Canada, because Canada, while not included in 
the list of countries that received favorable treatment under License 
Exception ENC, already received such benefits.

Section 742.15 ``Encryption Items''

    Paragraph 742.15(a) is revised by more specifically describing what 
is EI controlled under ECCNs 5A002, 5D002, and 5E002. This revision 
harmonizes with changes this rule makes to the license requirements 
paragraphs of these ECCNs. In addition, a sentence is added that 
advises exporters to review License Exception ENC prior to submitting a 
license to BIS. Also, the phrase ``on a computer system'' is removed 
from the introductory text of Sec.  742.15 in order to be more 
consistent with the first Note in the License Requirement section of 
ECCN 5D002.

Section 742.15(a)(2) License Requirements and Review Policy for ECCNS 
5A992, 5D992, and 5E992

    This rule removes former paragraph 742.15(a)(2), which explained 
license requirements and review policy for items classified under ECCNS 
5A992, 5D992, and 5E992, because the purpose of Sec.  742.15 is to set 
forth the license requirements and review policies for items controlled 
for encryption item (EI) reasons and these items are controlled for 
anti-terrorism (AT) reasons only. The license requirements and review 
policy for these items are found under appropriate anti-terrorism 
sections of part 742.
    This rule removes the second sentence of 742.15(a)(2), because the 
indefinite language did not add to the transparency of licensing 
policy. The sentence stated, ``Exports and reexports of encryption 
items to governments, or to Internet and telecommunications service 
providers for the provision of services specific to governments, may be 
favorably considered.'' This rule removes the extraneous phrase 
``including those which authorize exports and reexports of encryption 
technology to strategic partners (as defined in Sec.  772.1 of the EAR) 
of U.S. companies.'' To be more transparent, this rule adds the phrase 
``or pre-shipment notification'' to explain that ELAs may require pre-
shipment notification. This rule adds a note to paragraph (a)(2) to 
remind exporters that once mass market encryption commodities and 
software have been reviewed by BIS and the ENC Encryption Request 
Coordinator (Ft. Meade, MD) and released from ``EI'' and ``NS'' 
controls pursuant to Sec.  742.15(b) of the EAR, they are classified 
under ECCN 5A992 and 5D992 respectively, and are thereafter outside the 
scope of this section.
    This rule removes the notification and review requirements for 
items classified under ECCNs 5A992, 5D992, and 5E992, which were set 
forth in former paragraphs Sec.  742.15(b) introductory paragraph and 
Sec.  742.15 (b)(1) of the EAR.
    This rule adds a reference to the ENC Encryption Request 
Coordinator (FT. Meade, MD) with regard to the requirement for review 
of mass market encryption commodities and software.
    Specific instructions for how to fill out form 748P (multipurpose 
application) for submission of a review request has been removed, 
because these instructions were redundant and inconsistent with the 
instructions found in paragraph (r) of Supplement No. 2 to part 748 of 
the EAR. Instead, a reference to this paragraph (r) is added to new 
paragraph 742.15(b)(1) ``Procedures for requesting review.''
    This rule removes former paragraph (b)(2)(iii) that provided 
authorization under the designation of ``no license required (NLR)'' 
for exports and reexports of encryption commodities

[[Page 57500]]

and software pending mass market treatment review by BIS to government 
and non-government end-users located in countries listed in Supp. No. 3 
to part 740 of the EAR or for internal use of foreign subsidiaries or 
offices of firms, organizations and governments headquartered in Canada 
or in countries listed in Supp. No. 3 to part 740 of the EAR. This 
authorization was based on a temporary classification under ECCNs 5A992 
and 5D992, which is inconsistent with the way other items are 
classified in the EAR, therefore this provision is removed. Instead, 
encryption commodities and software will remain under the 
classification of ECCN 5A002 and 5D002 until 30 days have passed since 
registration of the submitted review request or BIS issues a 
classification under ECCN 5A992 or 5D992. However, this rule creates a 
new authorization under License Exception ENC for such commodities and 
software pending a decision by BIS concerning mass market treatment 
under new paragraph 740.17(b)(1) of the EAR. This rule adds explanatory 
text about this new procedure in (b)(2) ``Action by BIS.''

Section 742.15(b)(3) Exclusions for Notification and Review 
Requirements

    This rule removes the former exclusion paragraphs, because it is no 
longer applicable and is replaced by new exclusion paragraphs from mass 
market review requirements under Sec.  742.15(b). There are three new 
exclusions: Certain short range wireless commodities and software, 
wireless ``personal area network'' items, and ``ancillary 
cryptography'' commodities and software.

Section 742.15(b)(4) Dormant Encryption and Enabling Software and 
Commodities

    This rule condenses this paragraph to remove text that pertained to 
ECCNs 5A992 and 5D992.

Section 742.15(b)(5) Examples of Mass Market Software

    The phrase ``designed for, bundled with, or pre-loaded on single 
CPU computes'' is revised to read ``designed for computers classified 
as ECCN 4A994 or EAR99.'' This phrase was changed to remove outdated 
and confusing text related to computers. This rule also removes the 
last phrase ``and commodities and software exported via free or 
anonymous downloads.'' This phrase was removed because it confused the 
public, in that it led people to believe that if they incorporated free 
encryption software or open source encryption into their products that 
it was not subject to the EAR, which is not the case.

Supplement No. 6 to Part 742 ``Guidelines for Submitting Review 
Requests for Encryption Items''

    The option to fax support documents is removed, because that method 
has been replaced by either e-mailing the document in PDF or sending 
the document by mail. A requirement to obtain express mail 
certification of the mailing of support documentation is added for 
those that intend to rely on the 30 day registration provisions of the 
EAR.
    Paragraph (a) is divided into 5 subparagraphs that clarify existing 
review requirements and procedures. Former paragraph (a) is now new 
subparagraph (a)(1), and is revised to add a requirement to include a 
brief non-technical description of the type of product being submitted, 
e.g., routers, disk drives, cell phones, chips, etc. Part of the 
introductory paragraph to Supp. No. 6 that addressed prior reviews is 
moved to a new subparagraph (a)(2), and is revised to add a 
requirement, for products with minor changes in encryption 
functionality, to include a cover sheet with complete reference to the 
previous review (CCATS, Application Control Number (ACN), 
ECCN, authorization paragraph) along with a clear description of the 
changes. New subparagraph (a)(3) requires a description of how 
encryption is used in the product and the categories of encrypted data 
(i.e., stored data, communications, management data, internal data, 
etc.). New subparagraph (a)(4) requires, for mass market reviews, a 
specific description of who will be receiving the product and how the 
product is being marketed, as well as how this method of marketing and 
other relevant information (e.g., cost of product and volume of sales) 
is described by the Cryptography Note (Note 3 to Category 5, Part 2). 
New subparagraph (a)(5) clarifies information about any encryption 
source code being used.
    Subparagraph (c)(1) is amended by adding the phrase ``including 
relevant parameters, inputs and settings'' to the end of the first 
sentence. Subparagraph (c)(6) is amended by adding more examples of 
communication and cryptographic functions, as well as replacing the 
term ``encryption protocols'' with a more accurate term ``cryptographic 
protocols and methods.'' An additional requirement is added to (c)(6) 
to describe how the protocols that are supported are used. The text of 
(c)(11) is revised to more clearly describe the information that would 
assist BIS.
    The introductory text for paragraphs (d) and (e) is clarified.

Section 744.9 ``Restrictions on Technical Assistance by U.S. Persons 
With Respect to Encryption Items''

    This rule removes Sec.  744.9 of the EAR that required 
authorization from BIS for U.S. persons to provide technical assistance 
(including training) to foreign persons with the intent to aid a 
foreign person in the development or manufacture outside the United 
States of encryption commodities or software that, if of U.S.-origin, 
would be ``EI'' controlled under ECCNs 5A002 or 5D002. Section 744.9 
was added to the EAR in 1996 when jurisdiction over dual-use encryption 
items was transferred from the Department of State to the Department of 
Commerce. Technical assistance is treated differently under the 
International Trade in Arms Regulations (ITAR) than it is in EAR. 
Technical assistance is considered a form of ``technology'' under the 
definition of ``technology'' in section 772.1 of the EAR. The EAR 
states that technical assistance ``may take forms such as instruction, 
skills training, working knowledge, consulting services'' and that it 
``may involve transfer of `technical data.' '' When a person performs 
technical assistance, which draws upon ``development,'' ``production,'' 
or ``use'' ``technology'' obtained in the United States or that is of 
U.S.-origin, then a release of ``technology'' takes place, which is 
considered an export or reexport and may require authorization under 
the EAR. BIS has observed that there is rarely an application for a 
license submitted under the requirements of section 744.9; however, 
requests for authorization under section 744.9 are often included in 
license applications for export of ECCN 5E002 Technology. This has led 
BIS to conclude that people are submitting license applications for 
technology exports and reexports when involved in technical assistance. 
Therefore, to harmonize the understanding of technical assistance as it 
is understood in the EAR with the practical application of it by the 
public, BIS is removing section 744.9. This removal does not remove any 
license requirements for controlled encryption technology released 
while performing technical assistance. This amendment does not affect 
the scope of the note in former 744.9 in that the mere teaching or 
discussion of information about cryptography, including, for example, 
in an academic setting or in the work of groups or bodies engaged in 
standards

[[Page 57501]]

development, by itself would not establish a license requirement under 
ECCN 5E002, even where foreign persons are present. Section 744.9 is 
replaced by a ``license requirement'' note in ECCN 5E002 on the 
Commerce Control List.

Supplement No. 2 to Part 748 ``Unique Application and Submission 
Requirements''

    This rule adds a sentence instructing applicants to place an ``X'' 
in the box marked ``classification request'' in Block 5 (Type of 
Application) of Form BIS-748P or select ``Commodity Classification'' if 
filing electronically, because neither the electronic nor paper forms 
provide a separate Block to check for submission of encryption review 
requests.

Section 750.3 Review of License Application by BIS and Other Government 
Agencies and Departments

    This rule makes an editorial correction by removing paragraph 
(b)(2)(iv) and redesignating (b)(2)(v) as (b)(2)(iv). This paragraph 
referred to the Arms Control and Disarmament Agency (ACDA), which no 
longer exists. However, ACDA's personnel and functions were absorbed by 
the Department of State in 1999. Therefore, this rule revises paragraph 
(b)(2)(iii) by adding national security and nuclear nonproliferation to 
the description of State Department's concerns. Missile technology is 
also added as a State Department concern because the State Department 
chairs the Missile Technology Export control interagency working group.

Section 750.7 Issuance of Licenses

    This rule removes paragraph (c)(2), which explained how to amend 
your Encryption License Agreement (ELA) by letter. BIS has observed a 
trend that industry has been submitting license applications for 
replacement or new ELAs when they want a change. In addition, it is 
more efficient for applicants to apply and track applications than 
letters, because of BIS' electronic application system. It is also 
easier for BIS to process and track submissions of applications than 
letters for the same reason. Therefore, this provision is removed.
    This rule removes the third and fourth sentences in the 
introductory text of paragraph (d) that pertain to the responsibilities 
of a licensee with regard to ELAs. These sentences are removed, because 
a licensee may not transfer its license responsibilities.

Section 762.2 Records To Be Retained

    This rule removes paragraph (b)(8), which referred to records 
related to key escrow encryption items under License Exception KMI. 
This rule removes License Exception KMI and Supplement No. 4 to part 
742 ``Key Escrow or Key Recovery Products Criteria,'' therefore this 
recordkeeping requirement no longer exists.

Section 770.2 Item Interpretations

    This rule moves paragraph (n) ``Interpretation 14: Encryption 
commodity and software reviews,'' to a new note under paragraphs 
740.17(b) and 742.15(b), so that exporters do not miss this important 
information about when to submit a new product review when a change has 
occurred in the encryption product. The text of this paragraph is also 
revised for clarity. The note explains that a new product review is not 
required when a change involves: the subsequent bundling, patches, 
upgrades or releases of a product; name changes; or changes to a 
previously reviewed encryption product limited to updates in an 
encryption software component (e.g., version updates of an encryption 
library that is called by a product to provide encryption functionality 
where the encryption library has either already been reviewed or did 
not require prior review.)

Section 772.1 Definition of terms as used in the Export Administration 
Regulations (EAR)

    This rule removes the definition of ``strategic partner'' as this 
term is not used in the control or licensing of encryption items. This 
rule also adds definitions for two new terms ``ancillary cryptography'' 
and ``personal area network,'' which are associated with new review and 
reporting exclusions in License Exception ENC.

Commerce Control List--Supplement No. 1 to Part 774

    This rule revises the Nota Bene to the Cryptography Note at the 
beginning of Category 5 Part 2 in order to harmonize it with the 
revisions in this rule.
    This rule clarifies what is controlled for ``EI'' reasons in ECCNs 
5A002, 5D002, and 5E002 by replacing the text ``EI applies to 
encryption items transferred from the U.S. Munitions List to the 
Commerce Control List consistent with E.O.13026 of November 15, 1996 
(61 FR 58767) and pursuant to the Presidential Memorandum of that date. 
Refer to Sec.  742.15 of this subchapter.'' with appropriate text that 
refers to specific paragraphs within those ECCNs for which EI applies. 
For ECCN 5A002, the new EI control reads ``EI applies to 5A002.a.1, 
a.2, a.5, a.6 and a.9. Refer to Sec.  742.15 of the EAR.'' For ECCN 
5D002, the new EI control reads, ``EI applies to ``software'' in 
5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002. 
Refer to Sec.  742.15 of the EAR.'' For ECCN 5E002, the new EI control 
reads, ``EI applies to ``technology'' for the ``development,'' 
``production,'' or ``use'' of commodities or ``software'' controlled 
for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec.  742.15 of the 
EAR.'' In addition, License Exception ENC is added to the License 
Exception section of each of these ECCNs, because it is the principal 
license exception for EI controlled items.

ECCN 5A002

    This rule removes the license requirement notes section from ECCN 
5A002, because there is no Wassenaar reporting requirement for this 
ECCN. In addition, this rule makes editorial corrections to the Related 
Controls paragraph by replacing the use of the term ``items'' with 
commodities when referring to ECCN 5A002 and 5A992. Moreover, this rule 
clarifies that if commodities are listed in paragraphs (a) through (f) 
in the Note to 5A002, and therefore the commodities are classified 
under ECCN 5A992, then the related software and technology are 
classified under ECCNs 5D992 and 5E992, respectively. This rule also 
revises Related Controls note 2 to be consistent with the mass market 
review procedures of Sec.  742.15 of the EAR. This note now reads ``2) 
After a review and classification by BIS, mass market encryption 
commodities that meet eligibility requirements are released from ``EI'' 
and ``NS'' controls. These commodities are classified under ECCN 
5A992.c. See Sec.  742.15(b) of the EAR.''

ECCN 5A992

    This rule revises the anti-terrorism (AT) controls for ECCN 5A992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. This rule adds a new paragraph 5A992.c. 
This new paragraph clarifies that a mass market commodity is classified 
under ECCN 5A992 upon completion of Government review of a commodity in 
accordance with paragraph 742.15(b) of the EAR, when that review 
determines that the commodity meets the requirements for mass market 
treatment. Encryption items are no longer presumed eligible for mass 
market treatment while pending Government review.

[[Page 57502]]

ECCN 5D002

    This rule removes the third note in the License Requirement 
section, because the information in it does not harmonize with the 
revision made in this rule. In addition, this rule adds another note to 
the Related Controls paragraph to inform the public about the review 
and classification of mass market software.

ECCN 5D992

    This rule revises the anti-terrorism (AT) controls for ECCN 5D992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. Paragraphs 5D992.a.1 and a.2, and 
5D992.b.1 and b.2, are combined as 5D992.a and 5D992.b, respectively, 
in order to simplify the entry. This rule also removes paragraph 
5D992.c (``software'' designed or modified to protect against malicious 
computer damage, e.g., viruses) from ECCN 5D992, while adding a note in 
the Related Control stating, ``This entry does not control ``software'' 
designed or modified to protect against malicious computer damage, 
e.g., viruses, where the use of ``cryptography'' is limited to 
authentication, digital signature and/or the decryption of data or 
files.'' Certain software for protection against malicious damage that 
meet the criteria of the Related Control note are thus now decontrolled 
and classified as EAR99, unless the software performs functions that 
are controlled under other ECCNs (whether under Category 5, part 2 or 
elsewhere in the Commerce Control List). Such software remains subject 
to the EAR and may be classified under ECCN 5D002 or 5D992 if it 
performs cryptographic functionality controlled by these Category 5, 
part 2 ECCNs (e.g., data or file encryption, including of user or 
system data under Secure Socket Layer (SSL) encryption, even if the 
cryptographic functionality is not directly user accessible.) Examples 
of software decontrolled by this change include certain firewall and 
other software for the screening of digital content and the detection 
and removal of viruses, spyware and unsolicited commercial e-mail.
    This rule also adds a new paragraph 5D992.c. This paragraph 
clarifies that mass market software is classified under ECCN 5D992.c 
upon completion of Government review of the software in accord with 
Sec.  742.15 of the EAR when that review determines that the software 
meets the requirements for mass market treatment. Encryption software 
is no longer presumed eligible for mass market treatment.

ECCN 5E002

    This rule adds a License Requirement Note to remind people to 
consider the possibility of the release of technology when performing 
technical assistance; the note reads, ``When a person performs or 
provides technical assistance that incorporates, or otherwise draws 
upon, ``technology'' that was either obtained in the United States or 
is of U.S.-origin, then a release of the ``technology'' takes place. 
Such technical assistance, when rendered with the intent to aid in the 
``development'' or ``production'' of encryption commodities or software 
that would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002, 
may require authorization under the EAR even if the underlying 
encryption algorithm to be implemented is from the public domain or is 
not of U.S. origin.'' In addition, in order to harmonize with the 
revisions in this rule and for consistency, this rule adds text to the 
Related Controls paragraph of the List of Items Controlled section to 
read ``This entry does not control ``technology'' ``required'' for the 
``use'' of equipment excluded from control under the Related Controls 
paragraph or the Technical Notes in ECCN 5A002 or ``technology'' 
related to equipment excluded from control under ECCN 5A002. This 
``technology'' is classified as ECCN 5E992.''

ECCN 5E992

    This rule revises the anti-terrorism (AT) controls for ECCN 5E992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. This rule revises the references in 
5E992.a and .b to conform to revisions included in this rule.
    Although the Export Administration Act expired on August 20, 2001, 
the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 
2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 
73 FR 43603 (July 25, 2008), has continued the Export Administration 
Regulations in effect under the International Emergency Economic Powers 
Act.

Rulemaking Requirements

    1. This interim final rule has been determined to be not 
significant for purposes of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information subject to the 
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. 
seq.) (PRA), unless that collection of information displays a currently 
valid Office of Management and Budget (OMB) Control Number. This rule 
involves two collections of information subject to the PRA. One of the 
collections has been approved by OMB under control number 0694-0088, 
``Multi Purpose Application,'' and carries a burden hour estimate of 58 
minutes for a manual or electronic submission. The other collection has 
been approved by OMB under control number 0694-0104, ``Commercial 
Encryption Items Under the Jurisdiction of the Department of 
Commerce,'' and carries a burden hour estimate of 7 hours for a manual 
or electronic submission. Send comments regarding these burden 
estimates or any other aspect of these collections of information, 
including suggestions for reducing the burden, to Jasmeet Seehra, OMB 
Desk Officer, by e-mail at jseehra@omb.eop.gov or by fax to (202) 395-
7285; and to the Office of Administration, Bureau of Industry and 
Security, Department of Commerce, 14th and Pennsylvania Avenue, NW., 
Room 6622, Washington, DC 20230.
    3. This rule does not contain policies with Federalism implications 
as that term is defined under Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (5 U.S.C. 553(a)(1)). Further, no other 
law requires that a notice of proposed rulemaking and an opportunity 
for public comment be given for this interim final rule. Because a 
notice of proposed rulemaking and an opportunity for public comment are 
not required to be given for this rule under the Administrative 
Procedure Act or by any other law, the analytical requirements of the 
Regulatory Flexibility Act (5 U.S.C. 601 et. seq.) are not applicable. 
Therefore, this regulation is issued in interim final form. Although 
there is no formal comment period, public comments on this regulation 
are welcome on a continuing basis. Comments should be submitted to 
Sharron Cook, Office of Exporter Services, Bureau of Industry and 
Security, Department of Commerce, 14th and Pennsylvania Ave., NW., Room 
2705, Washington, DC 20230.

[[Page 57503]]

List of Subjects

15 CFR Parts 732, 740, 748 and 750

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Parts 738, 770 and 772

    Exports.

15 CFR Part 744

    Exports, Reporting and recordkeeping requirements, Terrorism.

15 CFR Part 742

    Exports, Terrorism.

15 CFR Part 746

    Exports, Reporting and recordkeeping requirements.

15 CFR Part 762

    Administrative practice and procedure, Business and industry, 
Confidential business information, Exports, Reporting and recordkeeping 
requirements.

15 CFR Part 774

    Exports, Reporting and recordkeeping requirements.

0
Accordingly, parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 
770, 772 and 774 of the Export Administration Regulations (15 CFR parts 
730-774) are amended as follows:

PART 732--[AMENDED]

0
1. The authority citation for part 732 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. 
seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 
2008, 73 FR 43603 (July 25, 2008).


0
2. Section 732.2 is amended by revising paragraph (b) to read as 
follows:


Sec.  732.2  Steps Regarding Scope of the EAR

* * * * *
    (b) Step 2: Publicly available technology and software. This step 
is relevant for both exports and reexports. Determine if your 
technology or software is publicly available as defined and explained 
at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR 
contains several practical examples describing publicly available 
technology and software that are outside the scope of the EAR. The 
examples are illustrative, not comprehensive. Note that encryption 
software controlled for EI reasons under ECCN 5D002 on the Commerce 
Control List (refer to Supplement No.1 to Part 774 of the EAR) and mass 
market encryption software with symmetric key length exceeding 64-bits 
classified under ECCN 5D992 shall be subject to the EAR even if 
publicly available. Accordingly, the provisions of the EAR concerning 
the public availability of items are not applicable to encryption items 
controlled for ``EI'' reasons under ECCN 5D002 and mass market 
encryption software with symmetric key length exceeding 64-bits 
classified under ECCN 5D992.
* * * * *

PART 734--[AMENDED]

0
3. The authority citation for part 734 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. 
seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 
13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 
2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 
2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007).


0
4. Section 734.3 is amended by adding a note to paragraph (a)(4) to 
read as follows:


Sec.  734.3  Items Subject to the EAR

    (a) * * *
    (4) * * *

    Note to paragraph (a)(4): Certain foreign-manufactured items 
developed or produced from U.S.-origin encryption items exported 
pursuant to License Exception ENC are subject to the EAR. See 
sections 740.17(a) and 740.17(b)(4)(ii) of the EAR.



0
5. Supplement No. 1 to part 734 is amended by revising the introductory 
paragraph to read as follows:

Supplement No. 1 to Part 734--Questions and Answers--Technology and 
Software Subject to the EAR

    This Supplement No. 1 contains explanatory questions and answers 
relating to technology and software that is subject to the EAR. It is 
intended to give the public guidance in understanding how BIS 
interprets this part, but is only illustrative, not comprehensive. In 
addition, facts or circumstances that differ in any material way from 
those set forth in the questions or answers will be considered under 
the applicable provisions of the EAR. Exporters should note that the 
provisions of this supplement do not apply to encryption software 
classified under ECCN 5D002 for ``EI'' reasons on the Commerce Control 
List or to mass market encryption software with symmetric key length 
exceeding 64-bits classified under ECCN 5D992. This Supplement is 
divided into nine sections according to topic as follows:
* * * * *

PART 738--[AMENDED]

0
6. The authority citation for part 738 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et 
seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 
U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 
22 U.S.C. 7201 et. seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., 
p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).


0
7. Section 738.4 is amended by revising paragraphs (a)(1) and 
(a)(2)(ii)(B) to read as follows:


Sec.  738.4  Determining Whether a License Is Required

    (a) * * *
    (1) Overview. Once you have determined that your item is classified 
under a specific ECCN, you must use information contained in the 
``License Requirements'' section of that ECCN in combination with the 
Country Chart to decide whether a license is required. Note that not 
all license requirements set forth under the ``License Requirements'' 
section of an ECCN refer you to the Commerce Country Chart, but in some 
cases this section will contain references to a specific section in the 
EAR for license requirements. In such cases, this section would not 
apply.
    (2) * * *
    (ii) * * *
    (B) If no, a license is not required based on the particular Reason 
for Control and destination. Provided that General Prohibitions Four 
through Ten do not apply to your proposed transaction and that any 
applicable review requirements described in Sec.  742.15(b) of the EAR 
have been met for certain mass market encryption items controlled under 
ECCNs 5A992 or 5D992, you may effect your shipment using the symbol 
``NLR.'' Proceed to parts 758 and 762 of the EAR for information on 
export clearance procedures and recordkeeping requirements. Note that 
although you may stop after determining a license is required based on 
the first Reason for Control, it is best to work through each 
applicable Reason for Control. A full analysis of every possible 
licensing requirement based on each applicable Reason for Control is 
required to determine the most advantageous License Exception available 
for your particular transaction and, if a license is

[[Page 57504]]

required, ascertain the scope of review conducted by BIS on your 
license application.
* * * * *

PART 740--[AMENDED]

0
8. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., 
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice 
of July 23, 2008, 73 FR 43603 (July 25, 2008).


0
9. Section 740.3 is amended by revising paragraph (d)(5) to read as 
follows:


Sec.  740.3  Shipments of Limited Value (LVS)

* * * * *
    (d) * * *
    (5) Exports and reexports of encryption components or spare parts. 
For components or spare parts controlled for ``EI'' reasons under ECCN 
5A002, exports and reexports under this License Exception must be 
destined to support a commodity previously authorized for export or 
reexport.
* * * * *

Sec.  740.8  [Removed]

0
10. Remove and reserve Sec.  740.8.

Sec.  740.13  [Amended]

0
11. Section 740.13 is amended by removing the quotation marks around 
the term ``mass market'' in paragraph (d) heading, paragraph (d)(1), 
footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii).


0
12. Section 740.17 is revised to read as follows:


Sec.  740.17  Encryption Commodities, Software and Technology (ENC).

    License Exception ENC authorizes export and reexport of software 
and commodities and components therefor that are classified under ECCNs 
5A002.a.1, a.2, a.5, a.6 or a.9, 5B002, 5D002, and technology that is 
classified under ECCN 5E002. This License Exception ENC does not 
authorize export or reexport to, or provision of any service in any 
country listed in Country Group E:1 in Supplement No. 1 to part 740 of 
the EAR, or release of source code or technology to any national of a 
country listed in Country Group E:1. Reexports and transfers under 
License Exception ENC are subject to the criteria set forth in 
paragraph (c) of this section. Paragraph (d) of this section sets forth 
information about review requests required by this section. Paragraph 
(e) sets forth reporting required by this section.
    (a) No prior review or post export reporting required--(1) Internal 
``development'' or ``production'' of new products. License Exception 
ENC authorizes exports and reexports of items described in paragraph 
(a)(1)(i) of this section, to end-users described in paragraph 
(a)(1)(ii) of this section, for the intended end-use described in 
paragraph (a)(1)(iii) of this section without prior review by the U.S. 
Government.
    (i) Eligible items. Eligible items are those classified under ECCNs 
5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002.
    (ii) Eligible end-users. Eligible end-users are ``private sector 
end-users'' wherever located, except to countries listed in Country 
Group E:1 (see Supplement No. 1 to part 740 of the EAR) that are 
headquartered in a country listed in Supplement No. 3 of this part.

    Note to paragraph (a)(1)(ii): A ``private sector end-user'' is:
    (1) An individual who is not acting on behalf of any foreign 
government; or
    (2) A commercial firm (including its subsidiary and parent 
firms, and other subsidiaries of the same parent) that is not wholly 
owned by, or otherwise controlled by or acting on behalf of, any 
foreign government.
    (iii) Eligible end-use. The eligible end-use is internal 
``development'' or ``production'' of new products by those end-
users.
    Note to paragraph (a)(1)(iii): All items produced or developed 
with items exported or reexported under this paragraph (a)(1) are 
subject to the EAR. These items may require review and authorization 
before sale, reexport or transfer, unless otherwise authorized by 
license or license exception.

    (2) Exports and reexports to ``U.S. Subsidiaries.'' License 
Exception ENC authorizes export and reexport of items classified under 
ECCNs 5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002 to 
any ``U.S. subsidiary,'' wherever located, except to countries listed 
in Country Group E:1 (see Supplement No. 1 to part 740 of the EAR), 
without prior review by the U.S. Government. License Exception ENC also 
authorizes export or reexport of such items by a U.S. company and its 
subsidiaries to foreign nationals who are employees, contractors or 
interns of a U.S. company or its subsidiaries if the items are for 
internal company use, including the ``development'' or ``production'' 
of new products, without prior review by the U.S. Government.
    Note to paragraph (a)(2): All items produced or developed with 
items exported or reexported under this paragraph (a)(2) are subject to 
the EAR. These items may require review and authorization before sale, 
reexport or transfer, unless otherwise authorized by license or license 
exception.
    (b) Prior review required. License Exception ENC authorizes the 
export and reexport of commodities and software that require a license 
under ECCNs 5A002.a.1, a.2, a.5, a.6, or a.9, 5B002, or 5D002. 
Paragraph (b)(1)(i) of this section also authorizes the export and 
reexport of ``technology'' controlled for EI reasons under ECCN 5E002 
to the end-users indicated in paragraph (b)(1)(i). Exports and 
reexports authorized under this paragraph (b) of License Exception ENC 
require submission of a review request in accordance with paragraph (d) 
of this section. License Exception ENC does not authorize the export or 
reexport of cryptanalytic items to any ``government end-user''. Export 
or reexport of items that provide an ``open cryptographic interface'' 
is only authorized under paragraph (b)(1)(i) of this section. Exports 
and reexports authorized under paragraph (b) of this section are 
subject to reporting requirements in accordance with paragraph (e) of 
this section.
    (1) Review required without waiting period. Once your review 
request is registered with BIS in accordance with paragraph (d) of this 
section, License Exception ENC authorizes the exports or reexports 
(except to countries listed in Country Group E:1 of Supplement No. 1 to 
part 740 of the EAR) to the following destinations:
    (i) Export and reexport to countries listed in Supplement No. 3 of 
this part. License Exception ENC authorizes the export and reexport of 
encryption items, including EI controlled commodities or software 
(excluding source code) that are pending review for mass market 
treatment (under Sec.  742.15(b) of the EAR), to ``government end-
users'' and non-``government end-users'' located in countries listed in 
Supplement 3 of this part, as well as to foreign subsidiaries or 
offices of firms, organizations and governments headquartered in 
countries listed in Supplement 3 of this part.
    (ii) Export and reexport to countries not listed in Supplement No. 
3 of this part. License Exception ENC authorizes the export and 
reexport of the following commodities and software:
    (A) Encryption commodities and software (including key management 
products), as follows: for symmetric algorithms with key lengths not 
exceeding 80 bits; for asymmetric algorithms with key lengths not 
exceeding 1,024 bits; and for elliptic curve algorithms with key 
lengths not exceeding 160 bits. (After review has been completed, the 
issued Commodity Classification Automated Tracking

[[Page 57505]]

System (CCATS) document will indicate authorization is under paragraph 
(b)(2) or (b)(3) of this section, whichever paragraph is appropriate.)
    (B) Encryption source code that would not be eligible for export or 
reexport under License Exception TSU, provided that a copy of the 
source code is included in the review request, to non-''government end-
users'' located in any country except a country listed in Country Group 
E:1 of Supplement No. 1 to part 740 of the EAR. (After the review has 
been completed, the issued Commodity Classification Automated Tracking 
System (CCATS) document will indicate authorization is under paragraph 
(b)(2) of this section.)
    (2) Review required with 30 day wait (non-``government end-users'' 
only). Thirty days after your review request is registered with BIS in 
accordance with paragraph (d) of this section and subject to the 
reporting requirements in paragraph (e) of this section, License 
Exception ENC authorizes the export or reexport of the following 
commodities and software to non-``government end-users'' located in a 
country not listed in Supplement No. 3 to this part or Country Group 
E:1 of Supplement No. 1 to part 740 of the EAR:
    (i) Network infrastructure software and commodities and components 
thereof (including commodities and software necessary to activate or 
enable cryptographic functionality in network infrastructure products) 
providing secure Wide Area Network (WAN), Metropolitan Area Network 
(MAN), Virtual Private Network (VPN), satellite, digital packet 
telephony/media (voice, video, data) over internet protocol, cellular 
or trunked communications meeting any of the following with key lengths 
exceeding 80-bits for symmetric algorithms:
    (A) Aggregate encrypted WAN, MAN, VPN or backhaul throughput 
(includes communications through wireless network elements such as 
gateways, mobile switches, controllers, etc) greater than 90 Mbps;
    (B) Wire (line), cable or fiber-optic WAN, MAN or VPN single-
channel input data rate exceeding 154 Mbps;
    (C) Media (voice/video/data) encryption or centralized key 
management supporting more than 250 concurrent encrypted data channels, 
or encrypted signaling to more than 1,000 endpoints, for digital packet 
telephony/media (voice/video/data) over internet protocol 
communications; or
    (D) Air-interface coverage (e.g., through base stations, access 
points to mesh networks, bridges, etc.) exceeding 1,000 meters, where 
any of the following applies:
    (1) Maximum transmission data rates exceeding 10 Mbps (at operating 
ranges beyond 1,000 meters);
    (2) Maximum number of concurrent full-duplex voice channels 
exceeding 30; or
    (3) Substantial support is required for installation or use;
    (ii) Encryption source code that would not be eligible for export 
or reexport under License Exception TSU because it is not publicly 
available as that term is used in Sec.  740.13(e)(1) of the EAR, and 
the export or reexport of the encryption source code that is not 
otherwise eligible for License Exception ENC under paragraph 
(b)(1)(ii)(B) of this section;
    (iii) Encryption software, commodities or components therefor, that 
have any of the following:
    (A) Been designed, modified, adapted or customized for ``government 
end-user(s)'' or government end-use (e.g., to secure police, state 
security, or emergency response communications), including encryption 
commodities and software for external security operations center (SOC)/
network operations center (NOC) command and infrastructure, public 
safety radio, and digital forensics/computer forensics;
    (B) Cryptographic functionality that has been modified or 
customized to customer specification; or
    (C) Cryptographic functionality or ``encryption component'' (except 
encryption software that would be considered publicly available, as 
that term is used in Sec.  740.13(e)(1) of the EAR) that is user-
accessible and can be easily changed by the user;
    (iv) ``Cryptanalytic items'';
    (v) Encryption commodities and software that provide functions 
necessary for quantum cryptography, as defined in ECCN 5A002 of the 
Commerce Control List;
    (vi) Encryption commodities and software that have been modified or 
customized for computers classified under ECCN 4A003.
    (3) Review required with 30 day waiting period (``government end-
users'' or non-``government end-users''). Thirty days after your review 
request is registered with BIS in accordance with paragraph (d) of this 
section, License Exception ENC authorizes the export and reexport of 
software and commodities and components not listed in paragraph (b)(2) 
of this section to either ``government end-users'' or non-``government 
end-users'' located in a country not listed in Supplement No. 3 to this 
part or Country Group E:1 of Supplement No. 1 to part 740 of the EAR.
    (4) Items excluded from review requirements--(i) Short-range 
wireless encryption functions. Commodities and software not otherwise 
controlled in Category 5, but that are classified under ECCN 5A002, 
5B002 or 5D002 only because they incorporate components or software 
that provide short-range wireless encryption functions (e.g., with a 
nominal operating range not exceeding 100 meters according to the 
manufacturer's specifications). Commodities and software included in 
this description include those designed to comply with the Institute of 
Electrical and Electronic Engineers (IEEE) 802.11 wireless LAN standard 
(35 meters) for short-range use and those designed to comply with the 
IEEE 802.15.1 standard that provide only the short-range wireless 
encryption functionality, and would not be classified under Category 5, 
part 1 of the CCL (telecommunications) absent this encryption 
functionality. Certain items excluded from review by this paragraph may 
also be excluded from review under paragraph (b)(4)(iii) of this 
section (personal area networks) or paragraph (b)(4)(iv) of this 
section (commodities and software that provide ``ancillary 
cryptography'').
    (ii) Foreign products developed with or incorporating U.S.-origin 
encryption source code, components, or toolkits. Foreign products 
developed with or incorporating U.S.-origin encryption source code, 
components or toolkits that are subject to the EAR, provided that the 
U.S.-origin encryption items have previously been reviewed and 
authorized by BIS and the cryptographic functionality has not been 
changed. Such products include foreign-developed products that are 
designed to operate with U.S. products through a cryptographic 
interface.
    (iii) Wireless ``personal area network'' items. Wireless ``personal 
area network'' items that implement only published or commercial 
cryptographic standards and where the cryptographic capability is 
limited to a nominal operating range not exceeding 30 meters according 
to the manufacturer's specifications. See Nota Bene of the definition 
for ``personal area network'' in Sec.  772.1 of the EAR.
    (iv) ``Ancillary cryptography.'' Commodities and software that 
perform ``ancillary cryptography.'' See Nota Bene of definition of 
``ancillary cryptography'' in Sec.  772.1 of the EAR.

    Note to paragraph (b): A new product review is required if a 
change is made to the cryptographic functionality (e.g., algorithms) 
or other technical characteristics affecting License Exception ENC 
eligibility (e.g., encrypted throughput) of the originally

[[Page 57506]]

reviewed product. However, a new product review is not required when 
a change involves: The subsequent bundling, patches, upgrades or 
releases of a product; name changes; or changes to a previously 
reviewed encryption product where the change is limited to updates 
of encryption software components where the product is otherwise 
unchanged.

    (c) Reexport and transfer. U.S. or foreign distributors, resellers 
or other entities who are not original manufacturers of encryption 
commodities and software are permitted to use License Exception ENC 
only in instances where the export or reexport meets the applicable 
terms and conditions of this section. Transfers of encryption items 
listed in paragraph (b)(2) of this section to ``government end-users,'' 
or for government end-uses, within the same country are prohibited, 
unless otherwise authorized by license or license exception.
    (d) Review request procedures--(1) Submission. To request review of 
your encryption items under License Exception ENC, you must submit to 
BIS and to the ENC Encryption Request Coordinator form BIS-748P 
(Multipurpose Application), or its electronic equivalent in accordance 
with the instructions in paragraph (r) of Supplement No. 2 to part 748 
``Unique Application and Submission Requirements'' and the applicable 
information described in paragraphs (a) through (e) of Supplement No. 6 
to part 742 of the EAR (Guidelines for Submitting Review Requests for 
Encryption Items). Failure to properly complete these items may delay 
consideration of your review request.
    (2) Action by BIS--(i) Notification. Upon completion of its review, 
BIS will send you written notice of the provisions of this section, if 
any, under which your items may be exported or reexported.
    (ii) After 30 days. If BIS has not, within 30 days of registration 
of a complete review request from you, informed you that your item is 
not authorized for License Exception ENC, you may export or reexport 
under the applicable provisions of License Exception ENC.
    (iii) Hold Without Action (HWA). BIS may hold your review request 
without action if necessary to obtain additional information or for any 
other reason necessary to ensure an accurate determination with respect 
to ENC eligibility. Time on such ``hold without action'' status shall 
not be counted towards fulfilling the 30 day waiting period specified 
in this paragraph and in paragraphs (b)(2) and (b)(3) of this section. 
BIS may require you to supply additional relevant technical information 
about your encryption item(s) or information that pertains to their 
eligibility for License Exception ENC at any time, before or after the 
expiration of the 30 day waiting period specified in this paragraph and 
in paragraphs (b)(2) and (b)(3) of this section. If you do not supply 
such information within 14 days after receiving a request for it from 
BIS, BIS may return your review request(s) without action or otherwise 
suspend or revoke your eligibility to use License Exception ENC for 
that item(s). At your request, BIS may grant you up to an additional 14 
days to provide the requested information. Any request for such an 
additional number of days must be made prior to the date by which the 
information was otherwise due to be provided to BIS, and may be 
approved if BIS concludes that additional time is necessary.
    (e) Reporting requirements--(1) Semi-annual reporting requirement. 
Semi-annual reporting is required for exports to all destinations other 
than Canada, and for reexports from Canada, under this license 
exception. Certain encryption items and transactions are excluded from 
this reporting requirement, see paragraph (e)(1)(iii) of this section. 
For information about what must be included in the report and 
submission requirements, see paragraphs (e)(1)(i) and (e)(1)(ii) of 
this section respectively.
    (i) Information required. Exporters must include for each item, the 
Commodity Classification Automated Tracking System (CCATS) number and 
the name of the item(s) exported (or reexported from Canada), and the 
following information in their reports:
    (A) Distributors or resellers. For items exported (or reexported 
from Canada) to a distributor or other reseller, including subsidiaries 
of U.S. firms, the name and address of the distributor or reseller, the 
item and the quantity exported or reexported and, if collected by the 
exporter as part of the distribution process, the end-user's name and 
address;
    (B) Individual consumers. For items exported (or reexported from 
Canada) to individual consumers through direct sale, the name and 
address of the recipient, the item, and the quantity exported; or
    (C) Foreign manufacturers and products that use encryption items. 
For exports (i.e., from the United States) or direct transfers (e.g. by 
a ``U.S. subsidiary'' located outside the United States) of encryption 
components, source code, general purpose toolkits, equipment controlled 
under ECCN 5B002, technology, or items that provide an ``open 
cryptographic interface'' exported to a foreign developer or 
manufacturer headquartered in a country not listed in Supplement No. 3 
to this part when intended for use in foreign products developed for 
commercial sale, the names and addresses of the manufacturers using 
these encryption items and, if known, when the product is made 
available for commercial sale, a non-proprietary technical description 
of the foreign products for which these encryption items are being used 
(e.g., brochures, other documentation, descriptions or other 
identifiers of the final foreign product; the algorithm and key lengths 
used; general programming interfaces to the product, if known; any 
standards or protocols that the foreign product adheres to; and source 
code, if available).
    (ii) Submission requirements. For exports occurring between January 
1 and June 30, a report is due no later than August 1 of that year. For 
exports occurring between July 1 and December 31, a report is due no 
later than February 1 the following year. These reports must be 
provided in electronic form. Recommended file formats for electronic 
submission include spreadsheets, tabular text or structured text. 
Exporters may request other reporting arrangements with BIS to better 
reflect their business models. Reports may be sent electronically to 
BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator 
at enc@nsa.gov, or disks and CDs containing the reports may be sent to 
the following addresses:
    (A) Department of Commerce, Bureau of Industry and Security, Office 
of National Security and Technology Transfer Controls, 14th Street and 
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: 
Encryption Reports, and
    (B) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, 
Suite 6940, Ft. Meade, MD 20755-6000.
    (iii) Exclusions from reporting requirement. Reporting is not 
required for the following items and transactions:
    (A) Any encryption item exported (or reexported from Canada) under 
paragraph (a) of this section;
    (B) Encryption commodities or software with a symmetric key length 
not exceeding 64 bits;
    (C) Encryption commodities or software authorized under paragraph 
(b)(3) of this section, exported (or reexported from Canada) to 
individual consumers;

[[Page 57507]]

    (D) Encryption items exported (or reexported from Canada) via free 
and anonymous download;
    (E) Encryption items from or to a U.S. bank, financial institution 
or its subsidiaries, affiliates, customers or contractors for banking 
or financial operations;
    (F) Items listed in (b)(4) of this section, unless it is a foreign 
item described in (b)(4)(ii) that has entered the United States;
    (G) Foreign products developed by bundling or compiling of source 
code;
    (H) General purpose operating systems, or desktop applications 
(e.g., e-mail, browsers, games, word processing, data base, financial 
applications or utilities) authorized under paragraph (b)(3) of this 
section;
    (I) Client Internet appliance and client wireless LAN cards; or
    (J) Other items as determined on a case-by-case basis.
    (2) Reporting key length increases. Reporting is required for 
commodities and software that, after having been reviewed and 
authorized for License Exception ENC by BIS, are modified only to 
upgrade the key length used for confidentiality or key exchange 
algorithms. Such items may be exported or reexported under the 
previously authorized provision of License Exception ENC without 
further review.
    (i) Information required. (A) A certification that no change to the 
encryption functionality has been made other than to upgrade the key 
length for confidentiality or key exchange algorithms.
    (B) The original Commodity Classification Automated Tracking System 
(CCATS) authorization number issued by BIS and the date of issuance.
    (C) The new key length.
    (ii) Submission requirements. (A) The report must be received by 
BIS and the ENC Encryption Request Coordinator before the export or 
reexport of the upgraded product; and
    (B) The report is e-mailed to crypt@bis.doc.gov and enc@nsa.gov.

Supplement No. 3 to Part 740 [Amended]

0
13. Supplement No. 3 is amended by:
0
a. Revising the heading to read ``License Exception ENC Favorable 
Treatment Countries''; and
0
b. Adding Bulgaria, Canada, Iceland, Romania, and Turkey in alphabetic 
order.

PART 742--[AMENDED]

0
14. The authority citation for part 742 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22 
U.S.C. 7210; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43 
FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 
1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 
950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 
66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 
2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of July 
23, 2008, 73 FR 43603 (July 25, 2008); Notice of November 8, 2007, 
72 FR 63963 (November 13, 2007).


0
15. Section 742.15 is revised to read as follows:


Sec.  742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of 
information, and thereby may be used by persons abroad to harm U.S. 
national security, foreign policy and law enforcement interests. The 
United States has a critical interest in ensuring that important and 
sensitive information of the public and private sector is protected. 
Consistent with our international obligations as a member of the 
Wassenaar Arrangement, the United States has a responsibility to 
maintain control over the export and reexport of encryption items. As 
the President indicated in Executive Order 13026 and in his Memorandum 
of November 15, 1996, exports and reexports of encryption software, 
like exports and reexports of encryption hardware, are controlled 
because of this functional capacity to encrypt information, and not 
because of any informational or theoretical value that such software 
may reflect, contain, or represent, or that its export or reexport may 
convey to others abroad. For this reason, export controls on encryption 
software are distinguished from controls on other software regulated 
under the EAR.
    (a) Licensing requirements and policy--(1) Licensing requirements. 
A license is required to export or reexport encryption items (``EI'') 
classified under ECCN 5A002.a.1, a.2, a.5, a.6 and a.9; 5D002.a or c.1 
for equipment controlled for EI reasons in ECCN 5A002; or 5E002 for 
``technology'' for the ``development,'' ``production,'' or ``use'' of 
commodities or ``software'' controlled for EI reasons in ECCNs 5A002 or 
5D002 to all destinations, except Canada. Refer to part 740 of the EAR 
for license exceptions that apply to certain encryption items, and to 
Sec.  772.1 of the EAR for definitions of encryption items and terms. 
Most encryption items may be exported under the provisions of License 
Exception ENC set forth in Sec.  740.17 of the EAR. Before submitting a 
license application, please review License Exception ENC to determine 
whether this license exception is available for your item or 
transaction. For exports and reexports of encryption items that are not 
eligible for a license exception, exporters must submit an application 
to obtain authorization under a license or an Encryption Licensing 
Arrangement.
    (2) Licensing policy. Applications will be reviewed on a case-by-
case basis by BIS, in conjunction with other agencies, to determine 
whether the export or reexport is consistent with U.S. national 
security and foreign policy interests. Encryption Licensing 
Arrangements (ELAs) may be authorized for exports and reexports of 
unlimited quantities of encryption commodities and software to national 
or federal government bureaucratic agencies for civil use, and to 
state, provincial or local governments, in all destinations, except 
countries listed in Country Group E:1 of Supplement No. 1 to part 740. 
ELAs are valid for four years and may require post-export reporting or 
pre-shipment notification. Applicants seeking authorization for 
Encryption Licensing Arrangements must specify the sales territory and 
class of end-user on their license applications.

    Note to paragraph (a): Pursuant to Note 3 to Category 5 Part 2 
of the Commerce Control List in Supplement No. 1 to part 774, once 
mass market encryption commodities and software have been reviewed 
by BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) 
and released from ``EI'' and ``NS'' controls pursuant to Sec.  
742.15(b) of the EAR, they are classified under ECCN 5A992 and 5D992 
respectively, and are thereafter outside the scope of this section.

    (b) Review requirement for mass market encryption commodities and 
software exceeding 64 bits: Mass market encryption commodities and 
software employing a key length greater than 64 bits for the symmetric 
algorithm (including such products previously reviewed by BIS and 
exported under ECCN 5A002 or 5D002) are subject to the EAR and require 
review by BIS and the ENC Encryption Request Coordinator (Ft. Meade, 
MD), prior to export or reexport. Encryption commodities and software 
that are described in Sec.  740.17(b)(2) of the EAR do not qualify for 
mass market treatment. A new product review is required if a change is 
made to the cryptographic functionality (e.g., algorithms) or other 
technical characteristics affecting mass market eligibility (e.g., 
performance enhancements to provide network infrastructure services, or 
customizations to end-user specifications) of the originally reviewed 
product. However, a new product review is not required when a change 
involves: The subsequent

[[Page 57508]]

bundling, patches, upgrades or releases of a product; name changes; or 
changes to a previously reviewed encryption product where the change is 
limited to updates of encryption software components where the product 
is otherwise unchanged.
    (1) Procedures for requesting review. To request review of your 
mass market encryption products, you must submit to BIS and the ENC 
Encryption Request Coordinator the information described in paragraphs 
(a) through (e) of Supplement No. 6 to this part 742, and you must 
include specific information describing how your products qualify for 
mass market treatment under the criteria in the Cryptography Note (Note 
3) of Category 5, Part 2 (``Information Security''), of the Commerce 
Control List (Supplement No. 1 to part 774 of the EAR). Review requests 
must be submitted on Form BIS-748P (Multipurpose Application), or its 
electronic equivalent, as described in Sec.  748.3 of the EAR. See 
paragraph (r) of Supplement No. 2 to Part 748 of the EAR for special 
instructions about this submission. Review requests that are not 
submitted electronically to BIS should be mailed to the address 
indicated in Sec.  748.2(c) of the EAR. Submissions to the ENC 
Encryption Request Coordinator should be directed to the mailing 
address indicated in Sec.  740.17(e)(1)(ii) of the EAR. BIS will notify 
you if there are any questions concerning your request for review 
(e.g., because of missing or incompatible support documentation).
    (2) Action by BIS. Once BIS has completed its review, you will 
receive written confirmation concerning the eligibility of your items 
for export or reexport as mass market encryption commodities or 
software classified under ECCN 5A992 or 5D992. If, during the course of 
its review, BIS determines that your encryption items do not qualify 
for mass market treatment under the EAR, or are otherwise classified 
under ECCN 5A002, 5B002, 5D002 or 5E002, BIS will notify you and will 
review your commodities or software for eligibility under License 
Exception ENC (see Sec.  740.17 of the EAR for review and reporting 
requirements for encryption items under License Exception ENC). BIS 
reserves the right to suspend your eligibility to export and reexport 
under the provisions of this paragraph (b) and to return review 
requests, without action, if the requirements for review have not been 
met. Thirty days after BIS registers your review request, you may 
export or reexport these mass market encryption products, without a 
license, to government and non-government end-users located in most 
destinations outside the countries listed in Supplement No. 3 to part 
740 of the EAR (certain destinations and persons may require a license 
for anti-terrorism (AT) reasons or for reasons specified elsewhere in 
the EAR), unless otherwise notified by BIS (e.g., because of missing or 
incomplete support documentation or conversion to License Exception ENC 
review.) The thirty days does not include any time that your review 
request is on hold without action.
    (3) Exclusions from review requirements. The following commodities 
and software do not require review prior to export or reexport as mass 
market products.
    (i) Short-range wireless encryption functions. Commodities and 
software not otherwise controlled in Category 5, but that are 
classified under ECCN 5A992 or 5D992 only because they incorporate 
components or software that provide short-range wireless encryption 
functions (e.g., with a nominal operating range not exceeding 100 
meters according to the manufacturer's specifications). Commodities and 
software included in this description include those designed to comply 
with the Institute of Electrical and Electronic Engineers (IEEE) 802.11 
wireless LAN standard (35 meters) for short-range use and those 
designed to comply with the IEEE 802.15.1 standard that provide only 
the short-range wireless encryption functionality, and would not be 
classified under Category 5, part 1 of the CCL (telecommunications) 
absent this encryption functionality. Certain items excluded from 
review by this paragraph may also be excluded from review under 
paragraph (b)(3)(ii) of this section (personal area networks) or 
paragraph (b)(3)(iii) of this section (commodities and software that 
provide ``ancillary cryptography'').
    (ii) Wireless ``personal area network'' items. Wireless ``personal 
area network'' items that implement only published or commercial 
cryptographic standards and where the cryptographic capability is 
limited to a nominal operating range not exceeding 30 meters according 
to the manufacturer's specifications. See Nota Bene of the definition 
for ``personal area network'' in Sec.  772.1 of the EAR.
    (iii) ``Ancillary cryptography''. Commodities and software that 
perform ``ancillary cryptography.'' See Nota Bene of definition of 
``ancillary cryptography'' in Sec.  772.1 of the EAR.
    (4) Commodities and software that activate or enable cryptographic 
functionality. Commodities, software, and components that allow the 
end-user to activate or enable cryptographic functionality in 
encryption products which would otherwise remain disabled, are 
controlled according to the functionality of the activated encryption 
product.
    (5) Examples of mass market encryption products. Subject to the 
requirements of the Cryptography Note (Note 3) in Category 5, Part 2, 
of the Commerce Control List, mass market encryption products include, 
but are not limited to, general purpose operating systems and desktop 
applications (e.g., e-mail, browsers, games, word processing, database, 
financial applications or utilities) designed for use with computers 
classified as ECCN 4A994 or EAR99, laptops, or hand-held devices; 
commodities and software for client Internet appliances and client 
wireless LAN devices; home use networking commodities and software 
(e.g., personal firewalls, cable modems for personal computers, and 
consumer set top boxes); and portable or mobile civil 
telecommunications commodities and software (e.g., personal data 
assistants (PDAs), radios, or cellular products).

Supplement No. 4 to Part 742 [Removed]

0
16. Supplement No. 4 to Part 742 is removed and reserved.
0
17. Supplement No. 6 to Part 742 is amended by:
0
a. Revising the introductory paragraph;
0
b. Revising paragraph (a);
0
c. Revising paragraphs (c)(1), (c)(6), and (c)(11);
0
e. Revising the introductory paragraphs of (d) and (e), to read as 
follows:

Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests 
for Encryption Items

    Review requests for encryption items must be submitted on Form 
BIS-748P (Multipurpose Application), or its electronic equivalent, 
and supported by the documentation described in this Supplement, in 
accordance with the procedures described in Sec.  748.3 of the EAR. 
To ensure that your review request is properly routed, insert the 
phrase ``Mass market encryption'' or ``License Exception ENC'' 
(whichever is applicable) in Block 9 (Special Purpose) of the 
application form and place an ``X'' in the box marked 
``Classification Request'' in Block 5 (Type of Application)--Block 5 
does not provide a separate item to check for the submission of 
encryption review requests. Failure to properly complete these items 
may delay consideration of your review request. BIS recommends that 
review requests be delivered via courier service or be sent to: 
Bureau of Industry and Security, U.S. Department of Commerce, 14th 
Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230.

[[Page 57509]]

    For electronic submissions via SNAP-R, support documents not 
readily attached in PDF format must be sent to: Bureau of Industry 
and Security, Information Technology Controls Division, Room 2093, 
14th Street and Pennsylvania Ave., NW., Washington, DC 20230.
    In addition, you must send a copy of your review request and all 
support documents to: Attn: ENC Encryption Request Coordinator, 9800 
Savage Road, Suite 6940, Fort Meade, MD 20755-6000.
    If you intend to rely on the 30 day registration provisions of 
the regulations, express mail certification of these documents is 
needed.
    (a)(1) State the name(s) of each product being submitted for 
review and provide a brief non-technical description of the type of 
product (e.g., routers, disk drives, cell phones, chips, etc.) being 
submitted.
    (2) Indicate whether there have been any prior reviews of the 
product(s), if such reviews are applicable to the current 
submission. For products with minor changes in encryption 
functionality, you must include a cover sheet with complete 
reference to the previous review (Commodity Classification Automated 
Tracking System (CCATS) number, Application Control Number (ACN), 
Export Control Classification Number (ECCN), authorization 
paragraph) along with a clear description of the changes.
    (3) Describe how encryption is used in the product and the 
categories of encrypted data (e.g., stored data, communications, 
management data, internal data, etc.).
    (4) For mass market review requests, describe specifically to 
whom and how the product is being marketed and state how this method 
of marketing and other relevant information (e.g., cost of product 
and volume of sales) are described by the Cryptography Note (Note 3 
to Category 5, Part 2).
    (5) Is any ``encryption source code'' being provided (shipped or 
bundled) as part of this offering? If yes, is this source code 
publicly available source code, unchanged from the code obtained 
from an open source web site, or is it proprietary ``encryption 
source code?''
* * * * *
    (c) * * *
    (1) Description of all the symmetric and asymmetric encryption 
algorithms and key lengths and how the algorithms are used, 
including relevant parameters, inputs and settings. Specify which 
encryption modes are supported (e.g., cipher feedback mode or cipher 
block chaining mode).
* * * * *
    (6) State all communication protocols (e.g., X.25, Telnet, TCP, 
IEEE 802.11, IEEE 802.16, SIP * * *) and cryptographic protocols and 
methods (e.g., SSL, TLS, SSH, IPSEC, IKE, SRTP, ECCN, MD5, SHA, 
X.509, PKCS standards * * *) that are supported and describe how 
they are used.
* * * * *
    (11) License Exception ENC `Restricted' commodities and software 
described by the criteria in Sec.  740.17(b)(2) require licenses to 
certain ``government end-users.'' Describe whether the product(s) 
meet any of the Sec.  740.17(b)(2) criteria. Provide specific data 
for each of the parameters listed, as applicable (e.g., maximum 
aggregate encrypted user data throughput, maximum number of 
concurrent encrypted channels, and operating range for wireless 
products). If the Sec.  740.17(b)(2) parameters are not applicable 
to the commodity or software, clearly explain why (e.g., by 
providing specific data evaluated against the Sec.  740.17(b)(2) 
thresholds.)
    (d) For review requests for hardware or software ``encryption 
components'' other than source code (i.e., chips, toolkits, 
executable or linkable modules intended for use in or production of 
another encryption item) provide the following additional 
information:
* * * * *
    (e) For review requests for ``encryption source code'' provide 
the following information:
* * * * *

PART 744--[AMENDED]

0
18. The authority citation for part 744 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22 
U.S.C. 7210; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; 
E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 
FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60 FR 5079, 3 CFR, 
1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 
228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p. 208; E.O. 13222, 
66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224, 66 FR 49079, 3 
CFR, 2001 Comp., p. 786; Notice of July 23, 2008, 73 FR 43603 (July 
25, 2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 
2007).


Sec.  744.9  [Removed]

0
19. Remove and reserve Sec.  744.9.

PART 746--[AMENDED]

0
20. The authority citation for part 746 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 287c; Sec 1503, Pub. L. 108-11, 117 Stat. 559; 22 U.S.C. 
6004; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 12854, 58 FR 
36587, 3 CFR, 1993 Comp., p. 614; E.O. 12918, 59 FR 28205, 3 CFR, 
1994 Comp., p. 899; E.O. 13222, 3 CFR, 2001 Comp., p. 783; 
Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 
16, 2003; Presidential Determination 2007-7 of December 7, 2006, 72 
FR 1899 (January 16, 2007); Notice of July 23, 2008, 73 FR 43603 
(July 25, 2008).


Sec.  746.3  [Amended]

0
21. Section 746.3 is amended in paragraph (c) by revising the phrase 
``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT, TSU, BAG, AVS, ENC 
or KMI.'' to read ``License Exceptions: CIV, APP, TMP, RPL, GOV, GFT, 
TSU, BAG, AVS, or ENC.''

PART 748--[AMENDED]

0
22. The authority citation for part 748 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 
43603 (July 25, 2008).


0
23. Supplement No. 2 to part 748 is amended by revising paragraph (r) 
to read as follows:

Supplement No. 2 to Part 748--Unique Application and Submission 
Requirements

* * * * *
    (r) Encryption review requests. Enter, in Block 9 (Special 
Purpose) of the BIS-748P, ``License Exception ENC'' if you are 
submitting an encryption review request for License Exception ENC 
(Sec.  740.17 of the EAR) or ``mass market encryption'' if you are 
submitting an encryption review request under the mass market 
encryption provisions (Sec.  742.15(b) of the EAR). If you seek an 
encryption review for another reason, enter ``encryption--other''. 
Neither the electronic nor paper forms provide a separate Block to 
check for the submission of encryption review requests, therefore 
you must also, place an ``X'' in the box marked ``Classification 
Request'' in Block 5 (Type of Application) of Form BIS-748P or 
select ``Commodity Classification'' if filing electronically. 
Failure to properly complete these items may delay consideration of 
your review request.
* * * * *

PART 750--[AMENDED]

0
24. The authority citation for part 750 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
Sec. 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3 
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., 
p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR 
26459, May 16, 2003; Notice of July 23, 2008, 73 FR 43603 (July 25, 
2008).


0
25. Section 750.3 is amended by:
0
a. Removing paragraph (b)(2)(iv) and redesignating paragraph (b)(2)(v) 
as (b)(2)(iv); and
0
b. Revising (b)(2)(iii) to read as follows:


Sec.  750.3  Review of License Applications by BIS and Other Government 
Agencies and Departments.

* * * * *
    (b) * * *
    (2) * * *
    (iii) The Department of State is concerned primarily with items 
controlled for national security, nuclear nonproliferation, missile 
technology,

[[Page 57510]]

regional stability, anti-terrorism, crime control reasons, and 
sanctions; and
* * * * *


Sec.  750.7  [Amended]

0
26. Section 750.7 is amended by:
0
a. Removing and reserving paragraph (c)(2); and
0
b. Removing the third and fourth sentences in the introductory text of 
paragraph (d).

PART 762--[AMENDED]

0
27. The authority citation for part 762 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 
23, 2008, 73 FR 43603 (July 25, 2008).


Sec.  762.2  [Amended]

0
28. Section 762.2 is amended by removing and reserving paragraph 
(b)(8).

PART 770--[AMENDED]

0
29. The authority citation for part 770 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 
23, 2008, 73 FR 43603 (July 25, 2008).


Sec.  770.2  [Amended]

0
30. Section 770.2 is amended by removing paragraph (n).

PART 772--[AMENDED]

0
31. The authority citation for part 772 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 
23, 2008, 73 FR 43603 (July 25, 2008).


0
32. Section 772.1 is amended by:
0
a. Removing the term and definition ``strategic partners (of a U.S. 
company)''; and
0
b. Adding the terms and definitions for ``ancillary cryptography'' and 
``personal area network'' in alphabetic order, to read as follows:


Sec.  772.1  Definitions of terms as used in the Export Administration 
Regulations (EAR).

* * * * *
    Ancillary cryptography. The incorporation or application of 
``cryptography'' by items that are not primarily useful for computing 
(including the operation of ``digital computers''), communications, 
networking (includes operation, administration, management and 
provisioning) or ``information security''.
    N.B. Commodities and software that perform ``ancillary 
cryptography'' (e.g., are specially designed and limited to: piracy and 
theft prevention for software, music, etc.; games and gaming; household 
utilities and appliances; printing, reproduction, imaging and video 
recording or playback (but not videoconferencing); business process 
modeling and automation (e.g., supply chain management, inventory, 
scheduling and delivery); industrial, manufacturing or mechanical 
systems (including robotics, other factory or heavy equipment, 
facilities systems controllers including fire alarms and HVAC); 
automotive, aviation and other transportation systems). Commodities and 
software included in this description are not limited to wireless 
communication and are not limited by range or key length.
* * * * *
    Personal area network. A data communication system having all of 
the following characteristics:
    (a) Allows an arbitrary number of independent or interconnected 
`data devices'' to communicate directly with each other; and
    (b) Is confined to the communication between devices within the 
immediate vicinity of an individual person or device controller (e.g., 
single room, office, or automobile).
    Technical Note: `Data device' means equipment capable of 
transmitting or receiving sequences of digital information.
    N.B. ``Personal area network'' items include but are not limited to 
items designed to comply with the Institute of Electrical and 
Electronic Engineers (IEEE) 802.15.1 standard, class 2 (10 meters) and 
class 3 (1 meter), but not class 1 (100 meters) items. This includes 
most home networking devices, but not long-range enterprise equipment 
or components that can be used in long-range equipment. IEEE 802.15.1 
class 2 and class 3 devices include hands-free headsets, wireless 
networking between personal computers, wireless mice, keyboards and 
printers, Global Positioning Systems (GPS) receivers, bar code scanners 
and game console wireless controllers, as well as data-capable wireless 
telephones and devices or software for transfer of files between 
devices using Object Exchange (OBEX).
* * * * *

PART 774--[AMENDED]

0
33. The authority citation for part 774 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et 
seq., 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 
U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 
22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., 
p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

Supplement No. 1 to Part 774--[Amended]

0
34. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
Information Security is amended by revising the Nota Bene to 
Cryptography Note, to read as follows:

CATEGORY 5--TELECOMMUNICATIONS AND ``INFORMATION SECURITY''

* * * * *

II. ``Information Security''

* * * * *
    N.B. to Cryptography Note: Mass market encryption commodities 
and software eligible for the Cryptography Note employing a key 
length greater than 64 bits for the symmetric algorithm must be 
reviewed in accordance with the requirements of Sec.  742.15(b) of 
the EAR in order to be released from the ``EI'' and ``NS'' controls 
of ECCN 5A002 or 5D002.


0
35. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
Information Security, Export Control Classification Number (ECCN) 5A002 
is amended by
0
a. Revising the EI paragraph of the License Requirements section;
0
b. Removing the License Requirements Notes from the License 
Requirements section;
0
c. Adding a license exception paragraph to the License Exception 
section; and
0
d. Revising the Related Controls paragraph of the List of Items 
Controlled section, to read as follows:

5A002 Systems, equipment, application specific ``electronic 
assemblies'', modules and integrated circuits for ``information 
security'', as follows (see List of Items Controlled), and other 
specially designed components therefor.

License Requirements

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
                                         ...............................
------------------------------------------------------------------------

* * * * *
    EI applies to 5A002.a.1, a.2, a.5, a.6 and a.9. Refer to Sec.  
742.15 of the EAR.

License Exceptions

* * * * *
    ENC: Yes for certain EI controlled commodities, see Sec.  740.17 
of the EAR for eligibility.

[[Page 57511]]

List of Items Controlled

    Unit: * * *
    Related Controls: (1) 5A002 does not control the commodities 
listed in paragraphs (a) through (f) in the Note in the items 
paragraph of this entry. These commodities are instead classified 
under ECCN 5A992, and related software and technology are classified 
under ECCNs 5D992 and 5E992 respectively. (2) After a review and 
classification by BIS, mass market encryption commodities that meet 
eligibility requirements are released from ``EI'' and ``NS'' 
controls. These commodities are classified under ECCN 5A992.c. See 
Sec.  742.15(b) of the EAR.
    Related Definitions: * * *
    Items: * * *


0
36. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
Information Security, Export Control Classification Number (ECCN) 5A992 
is amended by revising the License Requirements section and paragraph c 
in the items paragraph of the List of Items Controlled section, to read 
as follows:

5A992 Equipment not controlled by 5A002.

License Requirements

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
AT applies to entire entry.............  AT Column 1.
------------------------------------------------------------------------

* * * * *

List of Items Controlled

* * * * *
    Items:
* * * * *
    c. Commodities that have been reviewed and determined to be mass 
market encryption commodities in accordance with Sec.  742.15(b) of 
the EAR.

0
37. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
``Information Security'', Export Control Classification Number (ECCN) 
5D002 is amended by:
0
a. Revising the EI paragraph of the License Requirements section;
0
b. Adding a new license exception to the License Exception section;
0
c. Removing the third Note in the License Requirements section; and
0
d. Revising the Related Controls paragraph in the List of Items 
Controlled section, to read as follows:

5D002 Information Security--``Software''.

License Requirements

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
                                         ...............................
------------------------------------------------------------------------

* * * * *
    EI applies to ``software'' in 5D002.a or c.1 for equipment 
controlled for EI reasons in ECCN 5A002. Refer to Sec.  742.15 of 
the EAR.
* * * * *

License Exceptions

* * * * *
    ENC: Yes for certain EI controlled software, see Sec.  740.17 of 
the EAR for eligibility.

List of Items Controlled

    Unit: $ value
    Related Controls: (1) This entry does not control ``software'' 
``required'' for the ``use'' of equipment excluded from control 
under the Related Controls paragraph or the Technical Notes in ECCN 
5A002 or ``software'' providing any of the functions of equipment 
excluded from control under ECCN 5A002. This software is classified 
as ECCN 5D992. (2) After a review and classification by BIS, mass 
market encryption software that meet eligibility requirements are 
released from ``EI'' and ``NS'' controls. This software is 
classified under ECCN 5D992.c. See Sec.  742.15(b) of the EAR.
    Related Definitions: * * *
    Items: * * *


0
38. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
Information Security, Export Control Classification Number (ECCN) 5D992 
is amended by:
0
a. Revising the License Requirements section;
0
b. Revising the Related Controls paragraph of the List of Items 
Controlled section; and
0
c. Revising the Items paragraph of the List of Items Controlled 
section, to read as follows:

5D992 ``Information Security'' ``software'' not controlled by 5D002.

License Requirements.

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
AT applies to entire entry.............  AT Column 1.
------------------------------------------------------------------------

* * * * *

List of Items Controlled

    Unit: * * *
    Related Controls: This entry does not control ``software'' 
designed or modified to protect against malicious computer damage, 
e.g., viruses, where the use of ``cryptography'' is limited to 
authentication, digital signature and/or the decryption of data or 
files.
    Related Definitions: * * *
    Items:
    a. ``Software'' specially designed or modified for the 
``development,'' ``production,'' or ``use'' of equipment controlled 
by ECCN 5A992.a or 5A992.b.
    b. ``Software'' having the characteristics, or performing or 
simulating the functions of the equipment controlled by ECCN 5A992.a 
or 5A992.b.
    c. ``Software'' that has been reviewed and determined to be mass 
market encryption software in accordance with Sec.  742.15(b) of the 
EAR.


0
39. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5 Telecommunications and ``Information Security'', Part 2 
Information Security, Export Control Classification Number (ECCN) 5E002 
is amended by:
0
a. Revising the EI paragraph and adding a License Requirement Note in 
the License Requirements section; and
0
b. Revising the Related Control paragraph of the List of Items 
Controlled section, to read as follows:

5E002 ``Technology'' according to the General Technology Note for the 
``development'', ``production'' or ``use'' of equipment controlled by 
5A002 or 5B002 or ``software'' controlled by 5D002.

License Requirements

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
                                         ...............................
------------------------------------------------------------------------

* * * * *
    EI applies to ``technology'' for the ``development,'' 
``production,'' or ``use'' of commodities or ``software'' controlled 
for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec.  742.15 of the 
EAR.
    License Requirement Note: When a person performs or provides 
technical assistance that incorporates, or otherwise draws upon, 
``technology'' that was either obtained in the United States or is 
of US-origin, then a release of the ``technology'' takes place. Such 
technical assistance, when rendered with the intent to aid in the 
``development'' or ``production'' of encryption commodities or 
software that would be controlled for ``EI'' reasons under ECCN 
5A002 or 5D002, may require authorization under the EAR even if the 
underlying encryption algorithm to be implemented is from the public 
domain or is not of U.S. origin.
* * * * *

List of Items Controlled

* * * * *
    Related Controls: See also 5E992. This entry does not control 
``technology'' ``required'' for the ``use'' of equipment excluded 
from control under the Related Controls paragraph or the Technical 
Notes in ECCN 5A002 or ``technology'' related to equipment excluded 
from control under ECCN 5A002. This ``technology'' is classified as 
ECCN 5E992.
* * * * *

0
40. In Supplement No. 1 to Part 774 (the Commerce Control List), 
Category 5

[[Page 57512]]

Telecommunications and ``Information Security'', Part 2 Information 
Security, Export Control Classification Number (ECCN) 5E992 is amended 
by revising the License Requirements section and the List of Items 
Controlled section, to read as follows:

5E992 ``Information Security'' ``technology'', not controlled by 5E002.

License Requirements

* * * * *


------------------------------------------------------------------------
               Control(s)                         Country chart
------------------------------------------------------------------------
AT applies to entire entry.............  AT Column 1.
------------------------------------------------------------------------

* * * * *

List of Items Controlled

* * * * *
    Items:
    a. ``Technology'' n.e.s., for the ``development'', 
``production'' or ``use'' of equipment controlled by 5A992.a, 
``information security''or cryptologic equipment controlled by 
5A992.b or ``software'' controlled by 5D992.a or b.
    b. ``Technology'', n.e.s., for the ``use'' of mass market 
commodities controlled by 5A992.c or mass market ``software'' 
controlled by 5D992.c.

    Dated: September 26, 2008.
Christopher R. Wall,
Assistant Secretary for Export Administration.
 [FR Doc. E8-23201 Filed 10-2-08; 8:45 am]

BILLING CODE 3510-33-P