[Code of Federal Regulations]
[Title 15, Volume 2, Parts 300 to 799]
[Revised as of January 1, 1999]
From the U.S. Government Printing Office via GPO Access
[CITE: 15CFR742.15]

[Page 206-210]
 
                         DEPARTMENT OF COMMERCE
 
PART 742--CONTROL POLICY--CCL BASED CONTROLS--Table of Contents
 
Sec. 742.15  Encryption items.

    Encryption items can be used to maintain the secrecy of information, 
and thereby may be used by persons abroad to harm national security, 
foreign policy and law enforcement interests. As the President indicated 
in E.O. 13026 and in his Memorandum of November 15, 1996, export of 
encryption software, like export of encryption hardware, is controlled 
because of this functional capacity to encrypt information on a computer 
system, and not because of any informational or theoretical value that 
such software may reflect, contain, or represent, or that its export may 
convey to others abroad. For this reason, export controls on encryption 
software are distinguished from controls on other software regulated 
under the EAR.
    (a) Licenses are required for exports and reexports to all 
destinations, except Canada, for items controlled under ECCNs having an 
``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph. 
Such items include: encryption commodities controlled under ECCN 5A002; 
encryption software controlled under ECCN 5D002; and encryption 
technology controlled under ECCN 5E002. (Refer to part 772 of the EAR 
for the definition of ``encryption items'). For encryption items 
previously on the U.S. Munitions List and currently authorized for 
export or reexport under a State Department license, distribution 
arrangement or any other authority of the State Department, U.S. persons 
holding valid USML licenses and other approvals issued by the Department 
of State prior to December 30, 1996 may ship remaining balances 
authorized by such licenses or approvals under the authority of the EAR 
by filing Shippers Export Declarations (SEDs) with District Directors of 
Customs, citing the provisions of this section effective on December 30, 
1996 and the State Department license number. Such shipments shall be in 
accordance with the terms and conditions, including the expiration date, 
existing at the time of issuance of the State license. Violations of 
such authorizations, terms and conditions constitute violations of the 
EAR. Any reports required for distribution and other types of agreements 
previously authorized by the Department of State, valid prior to 
December 30, 1996, should be henceforth submitted to BXA at the 
following address: Office of Strategic Trade and Foreign Policy 
Controls, Bureau of Export Administration, Department of Commerce, 14th 
Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230.
    (b) Licensing policy. The following licensing policies apply to 
items identified in paragraph (a) of this section. This section refers 
you to Supplement No. 4 to this part 742. For purposes of these 
supplements, ``products'' refers to commodities and software. Except as 
otherwise noted, applications will be reviewed on a case-by-case basis 
by BXA, in conjunction with other agencies, to determine whether the 
export or reexport is consistent with U.S. national security and foreign 
policy interests.
    (1) Certain mass-market encryption commodities and software.
    (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767), 
certain encryption software that was transferred from the U.S. Munitions 
List to the Commerce Control List pursuant to the Presidential 
Memorandum of November 15, 1996, may be released from EI controls and 
thereby made eligible for mass market treatment after a technical 
review. Further, certain encryption commodities may be released from EI 
controls and thereby

[[Page 207]]

made eligible for mass market treatment after a technical review. To 
determine eligibility for mass market treatment, exporters must submit a 
classification request to BXA. 56-bit mass market encryption commodities 
and software using RC2, RC4, RC5, DES or CAST, and key exchange 
mechanisms including, but not limited to, symmetric algorithms with the 
same or double the key length authorized for the confidentiality 
algorithm, asymmetric algorithms with key space of 512, 768 or up to and 
including 1024 bits, proprietary key exchange mechanisms, or others, may 
be eligible for a 7-day review process, and company proprietary 
commodities and software implementations may be eligible for 15-day 
processing. Refer to Supplement No. 6 to part 742 and Sec. 748.3(b)(3) 
of the EAR for additional information. Note that the technical review is 
for a determination to release encryption commodities and software in 
object code only unless otherwise specifically requested. Exporters 
requesting release of the source code should refer to paragraph 
(b)(3)(v)(E) of Supplement No. 6 to part 742.
    (ii) If, after a one-time technical review, BXA determines that the 
software is released from EI controls, such software is eligible for all 
provisions of the EAR applicable to other software, such as License 
Exception TSU for mass-market software. Furthermore, for such software 
released from EI controls, subsequent bundling, updates, or releases 
consisting of or incorporating this software may be exported and 
reexported without a separate one-time technical review, so long as the 
functional encryption capacity (e.g., algorithm, key modulus) of the 
originally reviewed mass-market encryption software has not been 
modified or enhanced. However, if BXA determines that the software is 
not released from EI controls, a license is required for export and 
reexport to all destinations, except Canada, and license applications 
will be considered on a case-by-case basis.
    (iii) If after a technical review, BXA determines that the 
encryption commodity is released from EI controls, the commodity is 
eligible for export under License Exception ENC and all provisions of 
the EAR applicable to other commodities. However, if BXA determines that 
the commodity is not released from EI controls, and no License Exception 
applies, a license is required for export and reexport to all 
destinations, except Canada, and license applications will be considered 
on a case-by-case basis.
    (iv) Mass-market encryption software that has already been 
classified after a technical review and that has been released from EI 
controls under the provisions of this paragraph (b)(1) will be permitted 
for export and reexport under license exception TSU with increases of 
56-bits for the confidentiality algorithm, the same or double the key 
length authorized for the confidentiality algorithm for symmetric 
algorithms for key exchange mechanisms and with key spaces of 512, 768 
or up to and including 1024 bits for asymmetric algorithms for key 
exchange without an additional technical review, provided that there is 
no other change in the cryptographic functionality. Exporters must 
notify BXA in writing of the increase in the key length for the 
confidentiality algorithm, the asymmetric or symmetric key exchange 
algorithms, and include the original authorization number issued by BXA 
and the information identified in paragraphs (a)(2)(iii) through (v) of 
Supplement No. 6 to part 742 of the EAR (if this information was 
submitted previously, then only identify the modifications). BXA must 
receive such notification by March 31, 1999.
    (A) The notification should be sent to:

Office of Strategic Trade and Foreign Policy Controls, Bureau of Export 
Administration, Department of Commerce, 14th Street and Pennsylvania 
Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: Encryption Upgrade

    (B) A copy of the certification should be sent to:

Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246

    (2) Key escrow and key recovery encryption commodities and software. 
Certain recovery encryption commodities and software of any key length 
that are classified under ECCNs 5A002

[[Page 208]]

and 5D002 after a technical review are eligible for export and reexport 
under License Exception KMI. See Sec. 740.8(b)(1) of the EAR for 
information on additional eligibility requirements.
    (3) General purpose encryption commodities and software of any key 
length for use by banks and financial institutions.
    (i) Commodities and software that were eligible for License 
Exception TSU or KMI or have been licensed for export or reexport under 
an Encryption Licensing Arrangement or a license prior to December 31, 
1998, are now eligible for export and reexport under License Exception 
ENC under the provisions of Sec. 740.17(b)(1) of the EAR.
    (ii) For exports and reexports not eligible under a License 
Exception, exports and reexports of general purpose non-voice encryption 
commodities and software classified under ECCNs 5A002 and 5D002 of any 
key length will generally be approved under an Encryption Licensing 
Arrangement for use by banks and financial institutions (as defined in 
part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya, 
North Korea, Sudan and Syria. Applications for such commodities and 
software will receive favorable consideration when the end-use is 
limited to secure business financial communications or transactions and 
financial communications/transactions between the bank and/or financial 
institution and its customers provided that there are no concerns about 
the country or end-user. No customer to customer communications or 
transactions are allowed.
    (iii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are not 
manufacturers of the encryption commodities and software are permitted 
to use an existing Encryption Licensing Arrangement for exports and 
reexports of these products only when Encryption Licensing Arrangement 
has been granted to the manufacturer and the export and reexport meets 
the terms and conditions of this paragraph (b)(3).
    (v) There are no reporting requirements for exports to banks and 
financial institutions.
    (4) Financial-specific encryption items of any key length. After a 
one-time technical review via a classification request, financial-
specific encryption items of any key length that are restricted by 
design (e.g. highly field-formatted and validation procedures, and not 
easily diverted to other end-uses) for financial applications will be 
permitted for export and reexport under License Exception ENC (see 
Sec. 740.17(a)(1) of the EAR). No business and marketing plan is 
required.
    (5) Encryption commodities and software of any key length for use by 
health and medical end-users. (i) Commodities and software that have 
been classified after a technical review through a classification 
request or have been licensed for export under an Encryption Licensing 
Arrangement or a license are eligible for export and reexport under 
License Exception ENC to health and medical end-users without an 
additional technical review, provided that the export or reexport meets 
all the terms and conditions of that License Exception. See Sec. 740.17 
of the EAR. Commodities and software that were eligible for License 
Exception TSU or KMI or have been licensed for export or reexport under 
an Encryption Licensing Arrangement or a license prior to December 31, 
1998, are now eligible for export and reexport under License Exception 
ENC under the provisions of Sec. 740.17(b)(2) of the EAR.
    (ii) For exports and reexports that are not eligible under License 
Exception ENC, exports and reexports of encryption commodities and 
software classified under ECCNs 5A002 and 5D002 of any key length will 
generally be approved under an Encryption Licensing Arrangement for use 
by health and medical end-users (as defined in part 772 of the EAR) in 
all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria except for non-U.S. biochemical and pharmaceutical manufacturers 
and non-U.S. military health and medical entities. No customer to 
customer communications or transactions are allowed.

[[Page 209]]

    (iii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iv) Note that distributors, resellers or other entities who are not 
manufacturers of the encryption commodities and software are permitted 
to use an existing Encryption Licensing Arrangement for exports and 
reexports of these products only when Encryption Licensing Arrangement 
has been granted to the manufacturer and the export and reexport meets 
the terms and conditions of this paragraph (b)(5).
    (v) You must submit to BXA the name and address of the end-user.
    (6) Encryption commodities and software of any key length for on-
line merchants. (i) Commodities and software that were eligible for 
export to on-line merchants under an Encryption Licensing Arrangement 
prior to December 31, 1998, are now eligible for export and reexport 
under License Exception ENC under the provisions of Sec. 740.17(b)(3).
    (ii) Exports and reexports of encryption commodities and software 
classified under ECCNs 5A002 and 5D002 of any key length which are 
limited to client-server applications (e.g., Secure Socket Layer (SSL) 
based applications) or applications specially designed for on-line 
transactions for the purchase or sale of goods and software will be 
permitted under an Export Licensing Arrangement in all destinations 
except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by 
foreign on-line merchants as defined in part 772 of the EAR. End-use is 
limited to: the purchase or sale of goods and software; and services 
connected with the purchase or sale of goods and software, including 
interactions between purchasers and sellers necessary for ordering, 
payment and delivery of goods and software. No other end-uses or 
customer to customer communications or transactions are allowed.
    (iii) Applications for Encryption Licensing Arrangements for on-line 
merchants will generally be approved, except for foreign on-line 
merchants or their separate business units (as defined in part 772 of 
the EAR) who are engaged in the manufacturing and distribution of items 
or services controlled on the U.S. Munitions List. Such end-users will 
be considered on a case-by-case basis.
    (iv) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (v) Note that distributors, resellers or other entities who are not 
manufacturers of the encryption commodities and software are permitted 
to use an existing Encryption Licensing Arrangement for exports and 
reexports of these products only when Encryption Licensing Arrangement 
has been granted to the manufacturer and the export and reexport meets 
the terms and conditions of this paragraph (b)(6).
    (v) You must submit to BXA the name and address of the end-user.
    (7) Recoverable encryption commodities and software of any key 
length for use by commercial entities. (i) Exports and reexports of 
recoverable encryption commodities and software (as defined in part 772 
of the EAR) classified under ECCNs 5A002 and 5D002 of any key length 
will generally be approved under an Encryption Licensing Arrangement to 
destinations designated with a ``*'' or ``**'' in Supplement No. 3 to 
part 740 of the EAR to foreign commercial entities for internal company 
proprietary use. Such encryption commodities and software will generally 
be approved for export and reexport to foreign subsidiaries of 
commercial firms headquartered in countries designated with a ``**'' in 
Supplement No. 3 to part 740 of the EAR that are located in any 
destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and 
Syria. Exports and reexports to telecommunication and internet service 
providers is permitted under this policy for internal company 
proprietary use. Use by service providers to provide service to 
customers is excluded from this policy,

[[Page 210]]

but exports may be possible under a license or an Encryption Licensing 
Arrangement on a case-by-case basis. This policy of approval excludes 
those foreign commercial firms or their separate business units (as 
defined in part 772 of the EAR) engaged in the manufacturing and 
distribution of items or services controlled by the U.S. Munitions List.
    (ii) Note that any country or end-user prohibited in the past from 
receiving encryption commodities and software under a specific 
Encryption Licensing Arrangement will be reviewed on a case-by-case 
basis, and may be considered by BXA for eligibility under future 
Encryption Licensing Arrangement requests.
    (iii) Note that distributors, resellers or other entities who are 
not manufacturers of the encryption commodities and software are 
permitted to use an existing Encryption Licensing Arrangement for 
exports and reexports of these products only when Encryption Licensing 
Arrangement has been granted to the manufacturer and the export and 
reexport meets the terms and conditions of this paragraph (b)(7).
    (iv) You must submit to BXA the name and address of the end-user.
    (8) All other encryption items. (i) Encryption licensing 
arrangement. Applicants may submit license applications for exports and 
reexports of certain encryption commodities and software in unlimited 
quantities for all destinations except Cuba, Iran, Iraq, Libya, North 
Korea, Syria, and Sudan. Applications will be reviewed on a case-by-case 
basis. If approved, encryption licensing arrangements may be valid for 
extended periods as requested by the applicant in block #24 on Form BXA-
748P. In addition, the applicant must specify the sales territory and 
class(es) of end-user(s). Such licenses may require the license holder 
to report to BXA certain information such as ECCN, item description, 
quantity, and end-user name and address.
    (ii) Applications for encryption items not authorized under an 
encryption licensing arrangement. Applications for the export and 
reexport of all other encryption items will be considered on a case-by-
case basis.
    (iii) Exports and reexports of encryption commodities and software 
of any key length to ``strategic partners'' of U.S. companies will 
receive favorable consideration when the end-use is for the protection 
of U.S. company proprietary information.
    (9) Applications for encryption technology. Applications for the 
export and reexport of encryption technology will be considered on a 
case-by-case basis.
    (c) Contract sanctity. Contract sanctity provisions are not 
available for license applications reviewed under this section.
    (d) [Reserved]

[61 FR 68580, Dec. 30, 1996, as amended at 63 FR 50522, Sept. 22, 1998; 
63 FR 72162, Dec. 31, 1998]