High Performance Computers

Encryption FAQs

Details

FREQUENTLY ASKED QUESTIONS

1. What is an encryption registration? How long does it take to receive a response from BIS for my encryption registration?

2. Who is required to submit an Encryption Registration, classification request or self-classification report?

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the producer?

4. What should I do if I cannot obtain the encryption registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

6. How do I report exports and reexports of items with encryption?

7. Can I export encryption technology under License Exception ENC?

8. What is “non-standard cryptography”?

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer of encryption items?

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

12. Is Supplement No. 6 to Part 742 required for obtaining paragraph 740.17(b)(1) authorization?

13. How do I submit a Supplement No. 8 –Self-Classification Report for Encryption Items?

14. When do I file Supplement No. 8 –Self-Classification Report for Encryption Items?

15. What is Note 4?

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

17. When do I need a “deemed export” license for encryption technology and source code?


1. What is an Encryption Registration? How long does it take to receive a response from BIS for my Encryption Registration?

Encryption registration is a prescribed set of information about a manufacturer and/or exporter of certain encryption items that must be submitted to the Bureau of Industry and Security as a condition of the authorization to export such items under License Exception ENC or as “mass market” items.

Advance encryption registration is required for exports and reexports of items described in paragraphs 740.17(b)(1), (b)(2), and (b)(3) and paragraphs 742.15(b)(1), and (b)(3) of the Export Administration Regulations (EAR). Registration is made through SNAP-R by submitting the questionnaire set forth in Supplement No. 5 to part 742 of the EAR (point of contact/company overview/types of products/ etc.). Registration of a manufacturer authorizes the manufacturer as well as other parties to export and reexport the manufacturer’s encryption products that the manufacturer has either self-classified or has had the items classified by BIS, pursuant to the provisions referenced above. A condition of the authorization is that the manufacturer must submit an annual self-classification report for relevant encryption items.

How long does it take to receive a response from BIS for my encryption registration? 

Once you have properly registered with BIS, the SNAP-R system will automatically issue an Encryption Registration Number (ERN), e.g., R123456, upon submission of a request.  BIS estimates that the entire registration procedure should take no more than 30 minutes.  

2. Who is required to submit an encryption registration, classification request or self-classification report?

Any party who exports certain U.S.-origin encryption products may be required to submit an encryption registration, classification request and/or self-classification report; however, if a manufacturer has registered and has self-classified relevant items and/or had items classified by BIS, and has made the classifications available to other parties such as resellers and other exporters/reexporters, such other parties are not required to register, to submit a classification request, or to submit an annual self-classification report.    

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the product manufacturer?

Exporters or reexporters that are not producers of the encryption item can rely on the Encryption Registration Number (ERN), self-classification report or CCATS that is published by the producer when exporting or reexporting the registered and/or classified encryption item.  Separate encryption registration, commodity classification request or self-classification report to BIS is NOT required.

Please continue to the next question if the information is not available from the producer or manufacturer.

4. What should I do if I cannot obtain the Encryption Registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

If you are not the producer and are unable to obtain the producer’s information or if the producer has not submitted an encryption registration, self-classification report or commodity classification for his/her products to BIS, then you must register with BIS.  The registration process will require you to submit a properly completed Supplement No. 5 to part 742 and subsequent Supplement No. 8 Self Classification Report for the products.  You will receive an ERN for the registered products or CCATSs as appropriate.  BIS recognizes that non-producers who need to submit for encryption registration may not have all of the information necessary to complete Supplement No. 5 to part 742.  Therefore, special instructions have been included in Supplement No. 5 to account for this situation. 

For items described in Part 740.17(b)(2) and (b)(3) or Part 742.15(b)(3) that require the classification by BIS, the non-producer is required to submit as much of the technical information required in Supplement No. 6 to part 742 - Technical Questionnaire for Encryption Items as possible.  

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

Yes, special instructions for this purpose are provided in paragraph (r) of Supplement No. 2 to part 748 of the EAR for this purpose.  The information in block 14 (applicant) of the encryption registration screen and the information in Supplement No. 5 to part 742 must pertain to the company that seeks authorization to export and reexport encryption items that are within the scope of this rule.  An agent for the exporter, such as a law firm, should not list his/her name in block 14. The agent however may submit the encryption registration and list himself/herself in block 15 (“other party authorized to receive license”) of the encryption registration screen in SNAP-R.

6. How do I report exports and reexports of items with encryption?

All reports (i.e., the semi-annual sales report and the annual self-classification report) must be submitted to both BIS and the ENC Encryption Request Coordinator. 

An annual self-classification report is required for producers of encryption items described by paragraphs 740.17(b)(1) and 742.15(b)(1) of the EAR.  The information required and instruction for this report is provided in Supplement No. 8 to Part 742-Self-Classification Report for Encryption Items.  Reports are submitted to BIS and the Encryption Request Coordinator in February of each year for items exported or reexported during the previous calendar year (i.e., January 1 through December 31) pursuant to the encryption registration and applicable sections 740.17(b)(1) or 742.15(b)(1) of the EAR.  Annual self-classification reports are to be submitted to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. .

Semi-annual sales reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs (b)(2) and (b)(3)(iii) of section 740.17.  Paragraph 740.17(e)(1(iii) contains certain exclusions from this reporting requirement.  Paragraphs 740.17(e)(1)(i) and (e)(1)(ii) contains the information required and instructions for submitted the semi-annual sales reports.  The first report is due no later than August 1 for sales occurring between January 1 and June 30 of the year, and the second report is due no later than February of the following year for sales occurring between July 1 and December 31 of the year.  Semi-annual sales reports continue to be submitted to:  This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it.

7. Can I export encryption technology under License Exception ENC?

Yes, License Exception ENC is available for transfer of encryption technology.  Specifically, paragraph 740.17(b)(2)(iv) has been amended to permit exports and reexports of encryption technology as follows:

(A) Technology for "non-standard cryptography".  Encryption technology classified under ECCN 5E002 for "non-standard cryptography", to any end-user located or headquartered in a country listed in Supplement No. 3 to this part;

(B)  Other technology.  Encryption technology classified under ECCN 5E002 except technology for "cryptanalytic items", "non-standard cryptography" or any "open cryptographic interface," to any non-"government end-user" located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR.

8. What is “non-standard cryptography”?

Non-standard cryptography, defined in Part 772– Definition of Terms, “means any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.”

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer or exporter of encryption items?

The information in Supplement No. 5 to Part 742must pertain to the registered company, not to the submitter.  Specifically, the “point of contact” information must be for the registered company, not a law firm or consultant filing on behalf of the registered company. 

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

You may answer questions 4 and 7 in Supplement No. 5 to part 742as “not applicable” if your company is not the producer of the encryption item.  An answer must be give for all other questions.  An explanation is required when you are unsure.

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

Encryption commodity classification determinations should be submitted through SNAP-R. Before entering SNAP-R, you should prepare the following supporting documents:

  1. Letter of Explanation
  2. Supplement No. 6 to part 742. Complete all questions. Question number 11 asks whether the item fits the criteria set forth in 740.17(b)(2)
  3. Technical Documents: This may include technical data sheets, marketing brochures, specification sheet

After accessing SNAP-R, fill-in a commodity classification determination request and upload the supporting documents into SNAP-R.

12. Is Supplement No. 6 to part 742 required for paragraph 740.17(b)(1) authorization?

If you are requesting a classification of an item is described in paragraph 740.17(b)(1) (in other words, the item is not described in either Section 740.17(b)(2) or (b)(3)), a Supplement No. 6questionnaire is not required as a supporting document.  Provide sufficient information about the item (e.g., technical data sheet and/or other explanation in a separate letter of explanation) for BIS to determine that the item is described in paragraph 740.17(b)(1).  If you are not sure that your product is authorized as 740.17(b)(1) and you want BIS to confirm that it is authorized under 740.17(b)(1), providing answers to the questions set forth in Supplement No. 6 to part 742 with your request should provide BIS with sufficient information to make this determination.     

13. How do I submit a Supplement No. 8 –Self Classification Report for Encryption Items?

The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator.  Reports to BIS must be submitted to a newly created e-mail address for these reports (This email address is being protected from spambots. You need JavaScript enabled to view it. ).  Reports to the ENC Encryption Request Coordinator must be submitted to its existing e-mail address (This email address is being protected from spambots. You need JavaScript enabled to view it. ). The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.  In lieu of email, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator.

14. When do I file Supplement No. 8 –Self-Classification Report for Encryption Items?

An annual self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year.  If no information has changed since the previous report, an email must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted. 

15. What is Note 4?

Note 4 to Category 5, Part 2 in the Commerce Control List (Supplement No. 1 to part 774) excludes an item that incorporates or uses “cryptography” from Category 5, Part 2 controls if the item’s primary function or set of functions is not “information security,” computing, communications, storing information, or networking, andif the cryptographic functionality is limited to supporting such primary function or set of functions.  The primary function is the obvious, or main, purpose of the item.  It is the function which is not there to support other functions.  The “communications” and “information storage” primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management.   

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:   

  • Consumer applications.  Some examples:
  • piracy and theft prevention for software or music;
  • music, movies, tunes/music, digital photos – players, recorders and organizers
  • games/gaming – devices, runtime software, HDMI and other component interfaces, development tools
  • LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing);
  • printers, copiers, scanners, digital cameras, Internet cameras – including parts and sub-assemblies
  • household utilities and appliances
  • Business / systems applications: systems operations, integration and control.  Some examples:
  • business process automation (BPA) – process planning and scheduling, supply chain management, inventory and delivery
  • transportation – safety and maintenance, systems monitoring and on-board controllers (including aviation, railway, and commercial automotive systems), ‘smart highway’ technologies, public transit operations and fare collection, etc.
  • industrial, manufacturing or mechanical systems - including robotics, plant safety, utilities, factory and other heavy equipment, facilities systems controllers such as fire alarms and HVAC
  • medical / clinical – including diagnostic applications, patient scheduling, and medical data records confidentiality
  • academic instruction and testing / on-line training - tools and software
  • applied geosciences – mining / drilling, atmospheric sampling / weather monitoring, mapping / surveying, dams / hydrology
  • Research / scientific / analytical.  Some examples:
  • business process management (BPM) – business process abstraction and modeling
  • scientific visualization / simulation / co-simulation (excluding such tools for computing, networking, cryptanalysis, etc.)
  • data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, etc. forecasting and modeling)
  • Secure intellectual property (IP) delivery and installation.  Some examples:
  • software download auto-installers and updaters
  • license key product protection and similar purchase validation
  • software and hardware design IP protection
  • computer aided design (CAD) software and other drafting tools

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

Your item meets the grandfathering provisions set forth in section 740.17(f)(1) of the EAR.  You do not need to submit an encryption registration (Supplement No. 5), an annual self-classification report (Supplement No. 8), or semi-annual sales reports for the item.

17. When do I need a “deemed export” license for encryption technology and source code?

A license may be required in certain circumstances for both deemed exports and deemed reexports. For encryption items, the deemed export rules apply only to deemed exports of technology and to deemed reexports of technology and source code. There are no deemed export rules for transfers of encryption source code to foreign nationals in the United States. This is because of the way that section 734.2 defines exports and reexports for encryption items.

For transfers of encryption technology within the United States, section 740.17(a)(2) of license exception ENC authorizes the export and reexport of encryption technology “by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors, or interns of a U.S. company . . .” There is no definition of “U.S. company” in the EAR, however, BIS has interpreted this to apply to any company operating in the United States. This means that deemed export licenses are generally not required for the transfer of encryption technology by a company in the U.S. to its foreign national employees. A deemed export license may be required if, for example, a company operating in the U.S. were to transfer encryption technology to a foreign national who is not an employee, contractor, or intern of a company in the United States. License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

For deemed reexports, the end-user would have to be an employee, contractor, or intern of a “U.S. Subsidiary” for 740.17(a)(2) to apply, or a ‘private sector end-user’ headquartered in a Supplement 3 country for 740.17(a)(1) to apply. The term “contractor” in this context means a contract employee (i.e., a human person). License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

Also note that as of June 25, 2010, encryption technology (except technology for “cryptanalytic items,” “Open Cryptographic Interface” items, and “non-standard cryptography”) that has been reviewed is eligible for license exception ENC to any non-government end user located outside of Country Group D:1. Also, encryption source code that has been reviewed by BIS and made eligible for license exception ENC under 740.17(b)(2) is eligible for export and reexport to any non-government end-user. Thus encryption technology and source code that have been reviewed are eligible for export and reexport to a broader range of end-users than 740.17(a) allows. Again, section 740.17 does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

 

Back to top

Information Technology Controls Division Contacts

Details

General number: 202-482-0707

Randy Wheeler
Director Ph: 202-482- 5303
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Judith Currie
Senior Export Policy Analyst
Ph: 202-482-5085
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Sylvia Jimmison
Export Policy Analyst
Ph: 202-482-2342
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Michael Pender
Senior Engineer
Ph: 202-482-2458
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Aaron Amundson
Export Policy Analyst
Ph: 202-482-5299
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Anita Zinzuvadia
Electrical Engineer
Ph: 202-482-3772
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Naomi Dubiel
Export Policy Analyst
Ph: 202-482-2954
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Reporting

Details

How to file an annual self-classification report
How to create the annual self-classification report in .CSV file format
How and when to file semi-annual reports

How to file an Annual Self-Classification Report

An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).

You will need a copy of Supplement No. 8 to Part 742 "Self-Classification Report."

How to report:

The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator.

What to report:

The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV) only. CSV format is the ONLY format that will be accepted. Click here to learn how to create the annual self-classification report in .CSV file format.

Where to report:

Reports should be emailed to BIS and the ENC Encryption Request Coordinator at This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. . In lieu of e-mail, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator as specified in section 742.15(c)(2)(ii) of the EAR, only if necessary.

When to report:

A annual self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 of the following year.

If no information has changed since the previous report, an e-mail must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted. No self-classification report is required if no exports or reexports of applicable items pursuant to an encryption registration were made during the calendar year.

How to create the annual self-classification report in .CSV file format

Annual self-classification report is required for commodities exported or reexported under 740.17(b)(1) and 742.15(b)(1), effective June 25, 2010.

CCATS for commodities issued by or submitted to BIS prior June 25, 2010 and that are now described under 740.17(b)(1) or 742.15(b)(1) are not required to be listed in the Annual Self-Classification Report, provided the cryptographic functionality of the item has not changed. These items are grandfathered under the June 25th rule.

The following table provides an example of the various fields required within the Annual Self-Classification Report as required per 742.15(c) and demonstrates how various instructions & tips published in Supplement 8 to part 742 works out in practice.

- First line of the annual self-classification report must consist of the following six entries: PRODUCT NAME, MODEL NAME, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE.
- No entry may be left blank.
- PRODUCT NAME and ECCN must be completed.
- For MODEL NUMBER and MANUFACTURER, if necessary, enter "NONE" or "N/A".
- For AUTHORIZATION TYPE, enter ENC or MMKT.
- For ITEM TYPE, pick from the list of item types provided in the Supp. 8 to Part 742 (a)(6).
- The only permitted use of a comma is as the necessary separator between the 6 entries for each line item. The only commas allowed are the ones inserted automatically during spreadsheet conversion.
- An encryption self-classification report data table created and stored in spreadsheet format can be converted and saved into a comma delimited file (.CSV) format directly from the spreadsheet program.

PRODUCT NAME

MODEL NUMBER

MANUFACTURER

ECCN

AUTHORIZATION TYPE

ITEM TYPE

XtraGood VPN

2010

ABC XYZ Manufacturing Inc

5A002

ENC

virtual private networking (VPN)

XtraGood Firewall

1100

SELF

5A002

MMKT

firewall

XtraGood WLAN chipset

XG-80211-xxxx

MULTIPLE

5A002

ENC

wireless local area networking (WLAN)

XtraGood Client Manager Suite

1xx

PDQ123 Software Services LLC

5D992

MMKT

network or systems management (OAM/OAM&P)

XtraGood Connectivity AP

300-xxx

MULTIPLE

5A992

MMKT

access point

XtraGood Connectivity Client Manager

NONE

PDQ123 Software Services LLC

5D992

MMKT

network or systems management (OAM/OAM&P)

XclusiveAgent – Pro Ed.

5xx

SELF

5D002

ENC

file encryption

XclusiveAgent – Home Ed.

100

SELF

5D992

MMKT

file encryption

Xclusive Agent Secure Storage Device

XA-SHD-xxx

MULTIPLE

5A992

MMKT

disk / drive encryption

XclusiveAgent Enterprise Key Token

XA-KT-xxx

ABC XYZ Manufacturing Inc

5A002

ENC

key storage

XclusiveAgent PKI

NONE

SELF

5D002

ENC

key management

Xclusive Agent Secure USB Drive

XA-SUSB-xxx

MULTIPLE

5A992

MMKT

disk/drive encryption

 

The following screen shots provide guidance on how to create the .csv file for submission:

  1. Sample screen shot of spreadsheet, including doing a "Save As..." [into .CSV format] from the spreadsheet application, like the exporter would do in creating their actual self-classification report for submission to BIS and NSA.
  2. Sample screen shot of .CSV file as viewed in the spreadsheet application. This is the file that exporters will attach to their e-mails to BIS and NSA.
  3. Sample .CSV file when viewed in Notepad. To check the validity of your CSV file, you may open the new file from a plain-text reading program such as Notepad or TextEdit.

Submit your annual self-classification report electronically to BIS as an email attachment to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. with subject “Self-classification report for ERN R######”, using your most recent Encryption Registration Number. In your submission, specify the export time frame that your report spans and identify points of contact to whom questions or other inquires pertaining to the report should be directed.

How and when to file semi-annual reports

The semi-annual reporting requirement for License Exception ENC can be found in 740.17(e) of the EAR.

Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada ONLY for items described under paragraphs 740.17(b)(2) and 740.17(b)(3)(iii).

Items other than those described in 740.17(b)(2) and 740.17(b)(3)(iii) will no longer require a report to BIS.

Certain encryption items and transactions are excluded from this reporting requirement, see paragraph 740.17(e)(1)(iii) of this section. These exclusions include:

  • Encryption commodities or software with a symmetric key length not exceeding 64 bits.
  • Encryption items exported (or reexported from Canada) via free and anonymous download.
  • Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations.
  • Items listed in paragraph 740.17(b)(4), unless it is a foreign item described in 740.17(b)(4)(ii) that has entered the United States.
  • Foreign products developed by bundling or compiling of source code.

What to file:

  • Commodity Classification Automated Tracking System (CCATS) number.
  • Name of the item(s) exported (or reexported from Canada).
  • Distributors or resellers. For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end user’s name and address.
  • Direct sales. For items exported (or reexported from Canada) through direct sale, the name and address of the recipient, the item, and the quantity exported.
  • Foreign manufacturers and products that use encryption items. See 740.17(e)(1)(i)(C) for full details.

When to file:

  • For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year.
  • For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year.
  • These reports must be provided in electronic form.
  • Recommended file formats for electronic submission include spreadsheets, tabular text or structured text.
  • Exporters may request other reporting arrangements with BIS to better reflect their business models.
  • Reports may be sent electronically to BIS at This email address is being protected from spambots. You need JavaScript enabled to view it. and to the ENC Encryption Request Coordinator at This email address is being protected from spambots. You need JavaScript enabled to view it. , or disks and CDs containing the reports may be sent to the following addresses:

     Department of Commerce
     Bureau of Industry and Security
     Office of National Security and Technology Transfer Controls
     14th Street and Pennsylvania Ave., NW
     Room 2705, Washington, DC  20230
     Attn: Encryption Reports

     and

     Attn: ENC Encryption Request Coordinator
     9800 Savage Road, Suite 6940
     Ft. Meade, MD  20755-6000

Reporting Key Length Increases

Reporting is required for commodities and software that, after having been classified and authorized for License Exception ENC in accordance with paragraphs (b)(2) or (b)(3) of this section, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported or reexported under the previously authorized provision of License Exception ENC without a classification resubmission.

What to file for reporting key length increases:

  • Certification that no other encryption changes have been made.
  • Original Commodity Classification Automated Tracking System (CCATS).
  • New key length.

When and where to file for reporting key length increases:

  • The report must be received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and
  • The report must be e-mailed to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. .
 

License Applications

Details

How to File an Encryption License Application

In most cases, your encryption item will be eligible for export under a license exception, so you should carefully review Sections 740 and 742.15 of the Export Administration Regulations (EAR) before you submit a license application. If your product and/or end-user do not qualify for a license exception, you must request an individual export license or Encryption Licensing Arrangement (ELA) for your transaction.

Section 742.15(a)(2) of the EAR describes ELAs. Unlike individual licenses, ELAs authorize unlimited quantities of encryption commodities and software to national or federal government bureaucratic agencies, and to state, provincial or local governments, in all destinations, except countries listed in Country Group E:1 of Supplement No. 1 to part 740. ELAs are typically valid for four years and may require post-export reporting or pre-shipment notification. Applicants seeking authorization for Encryption Licensing Arrangements must specify the sales territory and class of end-user on their license applications.

This guidance is designed to help you in applying for an individual license or an ELA to export certain encryption items not eligible for a license exception and should only be used in conjunction with the relevant portions of the EAR.

Step 1: Read the relevant portions of the EAR.
You should first review Sections 742.15 and 748 of the EAR. Section 742.15 describes the licensing policy for encryption items. Section 748 provides general guidance on applying for an export license.

Step 2: Fill in the on-line SNAP-R License Application Work Item form.
When applying for an individual license, follow the instructions below.

Block

Instructions

5

Mark the export or reexport box. This is extremely important. DO NOT mark classification request. If you do, the application will be returned to you.

18

This block MAY NOT be left blank. Follow the instructions that came with the application form.

19

Follow the instructions that came with the application form for this block.

21

Describe the intended end use of the encryption item(s).

22(a)

The ECCN for encryption hardware is 5A002. The ECCN for encryption software is 5D002. The ECCN for encryption technology is 5E002.

22(j)

Provide a brief technical description including the basic purpose of the item and the type of encryption used in the product or technology (e.g., 128-bit RC4 for secure e-mail, 2048 RSA for key exchange). Please DO NOT type "See letter of explanation" or "See brochure". The information identified in this block is entered directly into the BIS computer system, and will be printed on the license issued by BIS. A brief technical description is essential.

24

Identify, by number, any previous licenses or classifications received for the same or similar encryption item.

When applying for an ELA, follow the instructions below.

Block

Instructions

5

Mark export or reexport box. This is extremely important. DO NOT mark classification request. If you do, the application will be returned to you.

9

Indicate the phrase "Encryption Licensing Arrangement" in this block.

17

Indicate "various" to denote several intermediate consignees (if applicable).

18

Indicate "various" to denote several ultimate consignees (if applicable).

19

Indicate "various" to denote several end users (if applicable). Leave blank if you have indicated "various" in block 18, and the end users are the same as the ultimate consignees. When applying to export or reexport to government end users (as defined in Part 772) outside of the countries listed in Supplement 3 to Part 740, please provide a list of countries, specific end uses, and end users in the application.

21

Describe the intended end use of the encryption item(s).

22(a)

The ECCN for encryption hardware is 5A002. The ECCN for encryption software is 5D002. The ECCN for encryption technology is 5E002.

22(e)

Indicate "1" in this box, even though you are applying for unlimited quantities.

22(f)

Indicate "unlimited" in this box.

22(j)

Provide a brief technical description including the basic purpose of the item and the type of encryption used in the software (e.g., 128-bit RC4 for secure e-mail, 2048 RSA for key exchange). Please DO NOT type 'see letter of explanation' or 'see brochure'. The information identified in this block is entered directly into the BIS computer system, and will be printed on the license issued by BIS. A brief technical description is essential.

24

Indicate the sales territory in this block (listing specific countries, not regions) and the type of end users to whom the item(s) will be exported. You may indicate any additional pertinent information in this block, such as "the items will be returned to the United States or Canada for resale".

All other blocks or block portions appropriate for license applications should be completed in accordance with Part 748 of the EAR.

Step 3: Attach supporting documents.
Supporting documents, such as technical specifications, should accompany the form. The supporting documents should include information about the encryption used, including the name and key length of the algorithm(s) in the product. In addition, you should attach relevant information about the end-user(s). You should attach a brief letter of explanation which summarizes your proposed transaction to expedite the processing of your application.

Classification

Details

If encryption registration IS required, AND you cannot self-classify the item, then you must file an encryption classification request.

What items require an encryption classification?
How to file a License Exception ENC classification request
Additional guidance for License Exception ENC (740.17) items
How to file a mass market classification request
Additional guidance for Mass Market (742.15) items

What items require an encryption classification?

Items described in License Exception ENC - 740.17(b)(2) and (b)(3), and items described in the Mass Market provision - 742.15(b)(3), require submission of an encryption classification request to BIS before export.

License Exception ENC

The following descriptions of items still require an encryption classification request under License Exception ENC:

Items described in 740.17(b)(2) include:

  • Network infrastructure commodities, software, and components as described in 740.17(b)(2)(i)(A).
  • Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in 740.13(e)(1) of the EAR.
  • Commodities, software, and components that have been designed, modified, adapted or customized for "government end-user(s)".
  • Commodities, software, and components with cryptographic functionality that has been modified or customized to customer specification.
  • Commodities, software, and components with cryptographic functionality or "encryption component" that is user-accessible and can be easily changed by the user.
  • Commodities and software for quantum cryptography.
  • Commodities and software that have been modified or customized for computers classified under ECCN 4A003.
  • Commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks.
  • Public safety/first responder radio (P25 or TETRA).
  • cryptanalytic items.
  • "Cryptographic items".
  • "Open Cryptographic Interface" items.
  • Encryption technology classified under ECCN 5E002.

After an encryption classification submission has been made via SNAP-R and subject to the reporting requirements in paragraph 740.17(e), all items under 740.17(b)(2), except cryptanalytic items, may be immediately exported to countries listed in Supplement No. 3 to Part 740.

There is a 30-day wait while the encryption classification is pending before exports of (b)(2) items may be made outside of the countries listed in Supplement No. 3 to Part 740.

A license will be required for exports to "government end user(s)" outside the countries listed in Supplement No. 3 to Part 740.

In addition:

  • Cryptanalytic items require a license for export to any "government end user" anywhere except Canada.
  • "Non-standard" technology (5E002), cryptanalytic technology (5E002), and open cryptographic interface items may be exported only to end users located or headquartered in Supplement 3 countries using License Exception ENC.
  • Other 5E002 technology may be exported after review to any non-"government end-user" not located in a country listed in Country Group D:1 or E:1.

Items described in 740.17(b)(3) include:

  • Chips, chipsets, electronic assemblies and field programmable logic devices.
  • Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
  • Application-specific hardware or software development kits implementing cryptography.
  • Items that provide or perform "non-standard cryptography".
  • Items that provide or perform vulnerability analysis, network forensics, or computer forensics as described in 740.17(b)(3)(iii) (these items are subject to the reporting requirements in paragraph 740.17(e)).

After an encryption classification submission has been made via SNAP-R, and subject to the reporting requirements in paragraph 740.17(e), all items under 740.17(b)(3), except cryptanalytic items, may be immediately exported to countries listed in Supplement No. 3 to Part 740.

There is a 30-day wait while the encryption classification is pending before exports of (b)(3) items may be made outside of the countries listed in Supplement No. 3 to Part 740.

Mass Market

The following descriptions of items still require a mass market encryption classification request under the Encryption Mass Market provision:

Items described in 742.15(b)(3) include commodities and software that meet Note 3 to Category 5, Part 2 and are:

  • Chips, chipsets, electronic assemblies and field programmable logic devices.
  • Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
  • Application-specific hardware or software development kits implementing cryptography.
  • Mass market encryption commodities, software and components that provide or perform "non-standard cryptography" as defined in Part 772 of the EAR.

Once a mass market classification request is accepted in SNAP-R, you may export and reexport the encryption commodity or software under License Exception ENC as ECCN 5A002 or 5D002, whichever is applicable, to any end-user located or headquartered in a country listed in Supplement No. 3 to Part 740 as authorized by 740.17(b) of the EAR, while the mass market classification request is pending review with BIS.

Thirty (30) days after the submission of a classification request to BIS, Section 742.15(b)(3) authorizes exports and reexports of the mass market items submitted for classification, using the symbol "NLR", provided the items qualify for mass market treatment and are classified by BIS under ECCNs 5A992 or 5D992.

How to file a License Exception ENC classification request

Below are the steps to take to export under Sections 740.17(b)(2) or (b)(3) of the EAR:

Step 1: Determine whether the products you want to export are described by either Section 740.17(b)(2) or (b)(3) of the EAR and therefore require a License Exception ENC classification. If so, then proceed to the next step.

Step 2: If you are not the manufacturer or producer of the products, determine whether the manufacturer or producer has filed a License Exception ENC classification request. If the manufacturer or producer has filed an ENC classification, then you may export immediately based on the manufacturer’s classification of the product. If you are the manufacturer or producer, or if you cannot obtain the manufacturer’s classification information, then follow the steps below.

Step 3: Register for Simplified Network Application Process Redesign (SNAP-R). After you have received your Company Identification Number (CIN) and have activated your account, within SNAP-R select “Encryption Registration.” Complete and attach a PDF version of Supplement No. 5 to Part 742.

Step 4: Return to the main SNAP-R screen and select Classification Request, then check the encryption checkbox. Block instructions:

  • Block 9: A pulldown list will appear in the Special Purpose block. Select "License Exception ENC."
  • Block 14-15: Be sure the information in these blocks is complete and correct, because this is where the official response from BIS will be sent. If both blocks are filled in, the official response will be sent to the individual or entity identified in Block 15.
  • Block 22(a): Enter 5A002 for hardware, 5D002 for software, or 5E002 for technology.
  • Block 22(c): Enter the product name with model number, if available.
  • Block 22(i): Enter the name of the manufacturer. If you will sell the product under your company's label, then enter the name of your company in the manufacturer block.
  • Block 22(j): Provide a brief technical description including the basic purpose of the encryption item (e.g., XYZ is a PDA used for ...) and the type of encryption used in the software (e.g., 168-bit Triple DES for secure e-mail, 1024-bit RSA for key exchange). Comments such as "See letter of explanation" or "See brochure" are not sufficient. The information identified in this block is entered directly into the BIS license application database, and will be printed on the official response issued by BIS. A brief technical description is essential. All other blocks or block portions appropriate for review requests should be completed in accordance with Part 748 of the EAR.
  • Block 24: Insert your most recent encryption registration number (ERN).

Step 5: Prepare a PDF document containing the information and documentation described in Supplement No. 6 to Part 742 of the EAR. Attach this and other product information.

Step 6: Supplement 1 to Part 748 provides general multipurpose application instructions. Apply over the Internet using BIS' SNAP-R. You may include up to six items on a classification.

Step 7: Submit the application to BIS electronically through SNAP-R. You will obtain an Application Control Number that begins with the letter Z. Use this number in all communications with BIS about your classification request.

Step 8: Export items described by Section 740.17(b)(2) or (3) immediately if you obtained a classification request from the producer or thirty (30) days after the submission of a classification request to BIS in accordance with Section 740.17(d). Items submitted for classification may be immediately exported to countries listed in Supplement No. 3 to Part 740.

Additional guidance for License Exception ENC (740.17) items

How to file a mass market classification request

Below are the steps to take to export under Section 742.15(b)(3) of the EAR.

Step 1: Determine whether the products you want to export qualify for mass market treatment under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2 ("Information Security"), of the Commerce Control List (Supplement No. 1 to part 774 of the EAR). If so, proceed to the next step.

Step 2: Determine that the products are mass marketed encryption components (chips, electronic assemblies, crypto libraries), toolkits, development kits, and non-standard crypto items described in 742.15 (b)(3) of the EAR.

Step 3: If you are not the manufacturer or producer of the products, determine whether the manufacturer or producer has filed a Mass Market classification request. If they have, you may export immediately based on the manufacturer’s Mass Market classification.

Step 4: Register for Simplified Network Application Process Redesign (SNAP-R). After you have received your Company Identification Number (CIN) and have activated your account, within SNAP-R select “Encryption Registration.” If required, complete the encryption registration by attaching a PDF version of Supplement No. 5 to Part 742.

Step 5: Return to the main SNAP-R screen and select "Classification Request" and check the encryption checkbox. Block instructions

  • Block 9: A pulldown list will appear in the Special Purpose block. Select "Mass Market Encryption."
  • Block 14-15: Be sure the information in these blocks is complete and correct, because this is where the official response from BIS will be sent. If both blocks are filled in, the official response will be sent to the individual or entity identified in Block 15.
  • Block 22(a): For hardware, enter 5A992. For software, enter 5D992.
  • Block 22(c): Enter the product name with model number, if available.
  • Block 22(i): Enter the name of the manufacturer. If you will sell the product under your company's label, then enter the name of your company in the manufacturer block.
  • Block 22(j): Provide a brief technical description including the basic purpose of the encryption item (e.g., XYZ is a PDA used for ...) and the type of encryption used in the software (e.g., 168-bit Triple DES for secure e-mail, 1024-bit RSA for key exchange). Comments such as "See letter of explanation" or "See brochure" are not sufficient. The information identified in this block is entered directly into the BIS license application database, and will be printed on the official response issued by BIS. A brief technical description is essential. All other blocks or block portions appropriate for review requests should be completed in accordance with Part 748 of the EAR.
  • Block 24: Insert your most recent encryption registration number (ERN).

Step 6: Prepare the following supporting documentation for your classification requests for products that are described in 742.15(b)(3) of the EAR.

  1. Demonstrate that the commodities and software meet the criteria of the Cryptography Note [Note 3 of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)]. Compare your product with the Cryptography Note criteria and state specifically where and how it is mass marketed.
  2. Prepare a document containing the information and documentation described in Supplement No. 6 to Part 742 of the EAR.

Step 7: Submit the application to BIS electronically through SNAP-R and attach supporting documents prepared in Step 5 above. Supporting documents include a justification of how the item(s) meets the criteria of the Cryptography Note as well as the documentation required by Supplement No. 6 to Part 742. Supplement No. 6 to Part 742 of the EAR contains details regarding the technical information you must submit. You will obtain and Application Control Number that begins with the letter Z. Use this number in all communications with BIS about your classification request.

Step 8: Items described by Section 742.15(b)(3) may be exported immediately thirty-days (30-days) after the submission of a classification request to BIS in accordance with 742.15(b)(7). Section 742.15(b)(3) authorizes exports and reexports of the mass market items submitted for classification, using the symbol "NLR", provided the items qualify for mass market treatment as described in paragraph (b) of this section and are classified by BIS under ECCNs 5A992 or 5D992.

Additional guidance for Mass Market (742.15) items