[Code of Federal Regulations]
[Title 15, Volume 2, Parts 300 to 799]
[Revised as of January 1, 1999]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR742.15]
[Page 206-210]
DEPARTMENT OF COMMERCE
PART 742--CONTROL POLICY--CCL BASED CONTROLS--Table of Contents
Sec. 742.15 Encryption items.
Encryption items can be used to maintain the secrecy of information,
and thereby may be used by persons abroad to harm national security,
foreign policy and law enforcement interests. As the President indicated
in E.O. 13026 and in his Memorandum of November 15, 1996, export of
encryption software, like export of encryption hardware, is controlled
because of this functional capacity to encrypt information on a computer
system, and not because of any informational or theoretical value that
such software may reflect, contain, or represent, or that its export may
convey to others abroad. For this reason, export controls on encryption
software are distinguished from controls on other software regulated
under the EAR.
(a) Licenses are required for exports and reexports to all
destinations, except Canada, for items controlled under ECCNs having an
``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph.
Such items include: encryption commodities controlled under ECCN 5A002;
encryption software controlled under ECCN 5D002; and encryption
technology controlled under ECCN 5E002. (Refer to part 772 of the EAR
for the definition of ``encryption items'). For encryption items
previously on the U.S. Munitions List and currently authorized for
export or reexport under a State Department license, distribution
arrangement or any other authority of the State Department, U.S. persons
holding valid USML licenses and other approvals issued by the Department
of State prior to December 30, 1996 may ship remaining balances
authorized by such licenses or approvals under the authority of the EAR
by filing Shippers Export Declarations (SEDs) with District Directors of
Customs, citing the provisions of this section effective on December 30,
1996 and the State Department license number. Such shipments shall be in
accordance with the terms and conditions, including the expiration date,
existing at the time of issuance of the State license. Violations of
such authorizations, terms and conditions constitute violations of the
EAR. Any reports required for distribution and other types of agreements
previously authorized by the Department of State, valid prior to
December 30, 1996, should be henceforth submitted to BXA at the
following address: Office of Strategic Trade and Foreign Policy
Controls, Bureau of Export Administration, Department of Commerce, 14th
Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230.
(b) Licensing policy. The following licensing policies apply to
items identified in paragraph (a) of this section. This section refers
you to Supplement No. 4 to this part 742. For purposes of these
supplements, ``products'' refers to commodities and software. Except as
otherwise noted, applications will be reviewed on a case-by-case basis
by BXA, in conjunction with other agencies, to determine whether the
export or reexport is consistent with U.S. national security and foreign
policy interests.
(1) Certain mass-market encryption commodities and software.
(i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767),
certain encryption software that was transferred from the U.S. Munitions
List to the Commerce Control List pursuant to the Presidential
Memorandum of November 15, 1996, may be released from EI controls and
thereby made eligible for mass market treatment after a technical
review. Further, certain encryption commodities may be released from EI
controls and thereby
[[Page 207]]
made eligible for mass market treatment after a technical review. To
determine eligibility for mass market treatment, exporters must submit a
classification request to BXA. 56-bit mass market encryption commodities
and software using RC2, RC4, RC5, DES or CAST, and key exchange
mechanisms including, but not limited to, symmetric algorithms with the
same or double the key length authorized for the confidentiality
algorithm, asymmetric algorithms with key space of 512, 768 or up to and
including 1024 bits, proprietary key exchange mechanisms, or others, may
be eligible for a 7-day review process, and company proprietary
commodities and software implementations may be eligible for 15-day
processing. Refer to Supplement No. 6 to part 742 and Sec. 748.3(b)(3)
of the EAR for additional information. Note that the technical review is
for a determination to release encryption commodities and software in
object code only unless otherwise specifically requested. Exporters
requesting release of the source code should refer to paragraph
(b)(3)(v)(E) of Supplement No. 6 to part 742.
(ii) If, after a one-time technical review, BXA determines that the
software is released from EI controls, such software is eligible for all
provisions of the EAR applicable to other software, such as License
Exception TSU for mass-market software. Furthermore, for such software
released from EI controls, subsequent bundling, updates, or releases
consisting of or incorporating this software may be exported and
reexported without a separate one-time technical review, so long as the
functional encryption capacity (e.g., algorithm, key modulus) of the
originally reviewed mass-market encryption software has not been
modified or enhanced. However, if BXA determines that the software is
not released from EI controls, a license is required for export and
reexport to all destinations, except Canada, and license applications
will be considered on a case-by-case basis.
(iii) If after a technical review, BXA determines that the
encryption commodity is released from EI controls, the commodity is
eligible for export under License Exception ENC and all provisions of
the EAR applicable to other commodities. However, if BXA determines that
the commodity is not released from EI controls, and no License Exception
applies, a license is required for export and reexport to all
destinations, except Canada, and license applications will be considered
on a case-by-case basis.
(iv) Mass-market encryption software that has already been
classified after a technical review and that has been released from EI
controls under the provisions of this paragraph (b)(1) will be permitted
for export and reexport under license exception TSU with increases of
56-bits for the confidentiality algorithm, the same or double the key
length authorized for the confidentiality algorithm for symmetric
algorithms for key exchange mechanisms and with key spaces of 512, 768
or up to and including 1024 bits for asymmetric algorithms for key
exchange without an additional technical review, provided that there is
no other change in the cryptographic functionality. Exporters must
notify BXA in writing of the increase in the key length for the
confidentiality algorithm, the asymmetric or symmetric key exchange
algorithms, and include the original authorization number issued by BXA
and the information identified in paragraphs (a)(2)(iii) through (v) of
Supplement No. 6 to part 742 of the EAR (if this information was
submitted previously, then only identify the modifications). BXA must
receive such notification by March 31, 1999.
(A) The notification should be sent to:
Office of Strategic Trade and Foreign Policy Controls, Bureau of Export
Administration, Department of Commerce, 14th Street and Pennsylvania
Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: Encryption Upgrade
(B) A copy of the certification should be sent to:
Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246
(2) Key escrow and key recovery encryption commodities and software.
Certain recovery encryption commodities and software of any key length
that are classified under ECCNs 5A002
[[Page 208]]
and 5D002 after a technical review are eligible for export and reexport
under License Exception KMI. See Sec. 740.8(b)(1) of the EAR for
information on additional eligibility requirements.
(3) General purpose encryption commodities and software of any key
length for use by banks and financial institutions.
(i) Commodities and software that were eligible for License
Exception TSU or KMI or have been licensed for export or reexport under
an Encryption Licensing Arrangement or a license prior to December 31,
1998, are now eligible for export and reexport under License Exception
ENC under the provisions of Sec. 740.17(b)(1) of the EAR.
(ii) For exports and reexports not eligible under a License
Exception, exports and reexports of general purpose non-voice encryption
commodities and software classified under ECCNs 5A002 and 5D002 of any
key length will generally be approved under an Encryption Licensing
Arrangement for use by banks and financial institutions (as defined in
part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya,
North Korea, Sudan and Syria. Applications for such commodities and
software will receive favorable consideration when the end-use is
limited to secure business financial communications or transactions and
financial communications/transactions between the bank and/or financial
institution and its customers provided that there are no concerns about
the country or end-user. No customer to customer communications or
transactions are allowed.
(iii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
(iv) Note that distributors, resellers or other entities who are not
manufacturers of the encryption commodities and software are permitted
to use an existing Encryption Licensing Arrangement for exports and
reexports of these products only when Encryption Licensing Arrangement
has been granted to the manufacturer and the export and reexport meets
the terms and conditions of this paragraph (b)(3).
(v) There are no reporting requirements for exports to banks and
financial institutions.
(4) Financial-specific encryption items of any key length. After a
one-time technical review via a classification request, financial-
specific encryption items of any key length that are restricted by
design (e.g. highly field-formatted and validation procedures, and not
easily diverted to other end-uses) for financial applications will be
permitted for export and reexport under License Exception ENC (see
Sec. 740.17(a)(1) of the EAR). No business and marketing plan is
required.
(5) Encryption commodities and software of any key length for use by
health and medical end-users. (i) Commodities and software that have
been classified after a technical review through a classification
request or have been licensed for export under an Encryption Licensing
Arrangement or a license are eligible for export and reexport under
License Exception ENC to health and medical end-users without an
additional technical review, provided that the export or reexport meets
all the terms and conditions of that License Exception. See Sec. 740.17
of the EAR. Commodities and software that were eligible for License
Exception TSU or KMI or have been licensed for export or reexport under
an Encryption Licensing Arrangement or a license prior to December 31,
1998, are now eligible for export and reexport under License Exception
ENC under the provisions of Sec. 740.17(b)(2) of the EAR.
(ii) For exports and reexports that are not eligible under License
Exception ENC, exports and reexports of encryption commodities and
software classified under ECCNs 5A002 and 5D002 of any key length will
generally be approved under an Encryption Licensing Arrangement for use
by health and medical end-users (as defined in part 772 of the EAR) in
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria except for non-U.S. biochemical and pharmaceutical manufacturers
and non-U.S. military health and medical entities. No customer to
customer communications or transactions are allowed.
[[Page 209]]
(iii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
(iv) Note that distributors, resellers or other entities who are not
manufacturers of the encryption commodities and software are permitted
to use an existing Encryption Licensing Arrangement for exports and
reexports of these products only when Encryption Licensing Arrangement
has been granted to the manufacturer and the export and reexport meets
the terms and conditions of this paragraph (b)(5).
(v) You must submit to BXA the name and address of the end-user.
(6) Encryption commodities and software of any key length for on-
line merchants. (i) Commodities and software that were eligible for
export to on-line merchants under an Encryption Licensing Arrangement
prior to December 31, 1998, are now eligible for export and reexport
under License Exception ENC under the provisions of Sec. 740.17(b)(3).
(ii) Exports and reexports of encryption commodities and software
classified under ECCNs 5A002 and 5D002 of any key length which are
limited to client-server applications (e.g., Secure Socket Layer (SSL)
based applications) or applications specially designed for on-line
transactions for the purchase or sale of goods and software will be
permitted under an Export Licensing Arrangement in all destinations
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by
foreign on-line merchants as defined in part 772 of the EAR. End-use is
limited to: the purchase or sale of goods and software; and services
connected with the purchase or sale of goods and software, including
interactions between purchasers and sellers necessary for ordering,
payment and delivery of goods and software. No other end-uses or
customer to customer communications or transactions are allowed.
(iii) Applications for Encryption Licensing Arrangements for on-line
merchants will generally be approved, except for foreign on-line
merchants or their separate business units (as defined in part 772 of
the EAR) who are engaged in the manufacturing and distribution of items
or services controlled on the U.S. Munitions List. Such end-users will
be considered on a case-by-case basis.
(iv) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
(v) Note that distributors, resellers or other entities who are not
manufacturers of the encryption commodities and software are permitted
to use an existing Encryption Licensing Arrangement for exports and
reexports of these products only when Encryption Licensing Arrangement
has been granted to the manufacturer and the export and reexport meets
the terms and conditions of this paragraph (b)(6).
(v) You must submit to BXA the name and address of the end-user.
(7) Recoverable encryption commodities and software of any key
length for use by commercial entities. (i) Exports and reexports of
recoverable encryption commodities and software (as defined in part 772
of the EAR) classified under ECCNs 5A002 and 5D002 of any key length
will generally be approved under an Encryption Licensing Arrangement to
destinations designated with a ``*'' or ``**'' in Supplement No. 3 to
part 740 of the EAR to foreign commercial entities for internal company
proprietary use. Such encryption commodities and software will generally
be approved for export and reexport to foreign subsidiaries of
commercial firms headquartered in countries designated with a ``**'' in
Supplement No. 3 to part 740 of the EAR that are located in any
destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria. Exports and reexports to telecommunication and internet service
providers is permitted under this policy for internal company
proprietary use. Use by service providers to provide service to
customers is excluded from this policy,
[[Page 210]]
but exports may be possible under a license or an Encryption Licensing
Arrangement on a case-by-case basis. This policy of approval excludes
those foreign commercial firms or their separate business units (as
defined in part 772 of the EAR) engaged in the manufacturing and
distribution of items or services controlled by the U.S. Munitions List.
(ii) Note that any country or end-user prohibited in the past from
receiving encryption commodities and software under a specific
Encryption Licensing Arrangement will be reviewed on a case-by-case
basis, and may be considered by BXA for eligibility under future
Encryption Licensing Arrangement requests.
(iii) Note that distributors, resellers or other entities who are
not manufacturers of the encryption commodities and software are
permitted to use an existing Encryption Licensing Arrangement for
exports and reexports of these products only when Encryption Licensing
Arrangement has been granted to the manufacturer and the export and
reexport meets the terms and conditions of this paragraph (b)(7).
(iv) You must submit to BXA the name and address of the end-user.
(8) All other encryption items. (i) Encryption licensing
arrangement. Applicants may submit license applications for exports and
reexports of certain encryption commodities and software in unlimited
quantities for all destinations except Cuba, Iran, Iraq, Libya, North
Korea, Syria, and Sudan. Applications will be reviewed on a case-by-case
basis. If approved, encryption licensing arrangements may be valid for
extended periods as requested by the applicant in block #24 on Form BXA-
748P. In addition, the applicant must specify the sales territory and
class(es) of end-user(s). Such licenses may require the license holder
to report to BXA certain information such as ECCN, item description,
quantity, and end-user name and address.
(ii) Applications for encryption items not authorized under an
encryption licensing arrangement. Applications for the export and
reexport of all other encryption items will be considered on a case-by-
case basis.
(iii) Exports and reexports of encryption commodities and software
of any key length to ``strategic partners'' of U.S. companies will
receive favorable consideration when the end-use is for the protection
of U.S. company proprietary information.
(9) Applications for encryption technology. Applications for the
export and reexport of encryption technology will be considered on a
case-by-case basis.
(c) Contract sanctity. Contract sanctity provisions are not
available for license applications reviewed under this section.
(d) [Reserved]
[61 FR 68580, Dec. 30, 1996, as amended at 63 FR 50522, Sept. 22, 1998;
63 FR 72162, Dec. 31, 1998]