There are no EAR obligations associated with the item unless it is exported, reexported, or transferred. These are specially defined terms in the EAR. See Section 734 for guidance on the definition of export, reexport, and transfer.

Certain foreign made items that contain less than a de minimis amount of U.S. origin content are not subject to the EAR. See 734.4 of the EAR.

Publicly Available:

Encryption items that are publicly available, as further described below, are not subject to the Export Administration Regulations. Sections 734.3(b)(3) and 734.7 define what is publicly available and published. Common examples are free apps posted online or mass market software available as a free download.

Specifically:

1. Mass market encryption object code software that is made "publicly available"

   • Once the mass market item is properly classified under the relevant section of 740.17(b)(1) or (b)(3) (after a classification by BIS (5D992.c) or self-classification with self-classification report), if the software is then made "publicly available" it is not subject to the EAR.
      • For example, an App made for a smartphone or computer that meets the Mass Market criteria (as described in Note 3 of Cat. 5 Part 2) and is made available free of charge would be considered "publicly available". In this case you would first have to comply with the mass market requirement under 740.17(b)(1) or (b)(3) by self-classification as 5D992.c with a self-classification report (or by submitting a classification request to BIS), and only once. Then, if the item is made publicly available (e.g., free to download), it would no longer be considered subject to the EAR.

"Publicly available" encryption source code is not subject to the EAR once the email notification per section 742.15(b) is sent.

   • A common example would be open source encryption source code available for free online.

"Publicly available" encryption object code is not subject to the EAR when the corresponding source code is also "publicly available" and has been notified as specified under Part 742.15(b).

Note 1: Notifications made before September 2016 under License Exception TSU (740.13) remain valid under 742.15. A new notification is not required.

Note 2: While open source code itself may be publicly available and not subject to the EAR, an item is not considered publicly available merely because it incorporates or calls to publicly available open source code. Rather, a new item with encryption functionality has been created which would need to be evaluated as a whole under the EAR.

 

If the item is not publicly available, the next analysis is whether the item is using ‘cryptography for data confidentiality’.

Technical Note 1 under 5A002.a defines what ‘cryptography for data confidentiality’ means:

1. For the purposes of 5A002.a., ‘cryptography for data confidentiality’ means “cryptography” that employs digital techniques and performs any cryptographic function other than any of the following:

a. "Authentication";

b. Digital signature;

c. Data integrity;

d. Non-repudiation;

e. Digital rights management, including the execution of copy-protected "software";

f. Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or

g. Key management in support of any function described in paragraph a. to f. above.

The use of cryptography limited to the functions listed in a-g above results in a classification of the product NOT in 5A002.a. In that case, you should review other entries in Category 5 Part 2 and other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1). If it is not described in any other Category, then it can be classified as EAR99.

“Authentication” is defined as: Verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in an information system. This includes verifying the origin or content of a message or other information, and all aspects of access control where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access.

Digital signature, data integrity and non-repudiation functions are also not covered by Cat. 5, Part 2. These are means for providing proof of the integrity and origin of data.

Digital Rights Management (DRM), including copyright protection, is encryption that is used to verify that someone has a right to download or use software or view content. Examples include:

  • License key product protection and similar purchase validation
  • Software and hardware design IP protection
  • Piracy and theft prevention for software, music, etc.

Encryption/decryption in support of entertainment, mass commercial broadcast and medical records management is also excluded. Examples include:

  • Games and gaming – devices, runtime software, HDMI and other component interfaces
  • Music, movies, tunes/music, digital photos – dedicated players, recorders, and organizers
  • LCD-TV, Blu-ray/DVD, Video on Demand, cinema, digital video recorders (DVRs)/personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces
  • Medical/ clinical – including patient scheduling, and medical data records confidentiality.

On August 15, 2017 the Wassenaar Arrangement 2016 Plenary Agreements Implementation was published in the Federal Register.

Here is a summary of the changes made to Category 5, Part 2.

The U.S. Commerce Control List (CCL) is broken into 10 Categories, 0 – 9 (see Supplement No. 1 to part 774 of the EAR). Encryption items fall under Category 5, Part 2 for Information Security. Cat. 5, Part 2 covers:


1) Cryptographic Information Security (e.g., items that use cryptography);

2) Non-cryptographic Information Security (5A003); and

3) Defeating, Weakening or Bypassing Information Security (5A004)

You can find a Quick Reference Guide to Cat. 5, Part 2 here.


The controls in Cat. 5, Part 2 include multilateral and unilateral controls. The multilateral controls in Cat. 5, Part 2 of the EAR (e.g., 5A002, 5A003, 5A004, 5B002, 5D002, 5E002) come from the Wassenaar Arrangement List of Dual Use Goods and Technologies. Changes to the multilateral controls are agreed upon by the participating members of the Wassenaar Arrangement.  Unilateral controls in Cat. 5, Part 2 (e.g., 5A992.c, 5D992.c, 5E992.b) of the EAR are decided on by the United States.  

 
The main license exception that is used for items in Cat. 5, Part 2 is License Exception ENC (Section 740.17). License exception ENC provides a broad set of authorizations for encryption products (items that implement cryptography) that vary depending on the item, the end-user, the end-use, and the destination. There is no "unexportable" level of encryption under license exception ENC. Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements. Some items going to some destinations require licenses.


This guidance does not apply to items subject to the exclusive jurisdiction of another agency.  For example, ITAR USML Categories XI(b),(d), and XIII(b), (l) control software, technical data, and other items specially designed for military or intelligence applications.

 
The following 2 flowcharts lay out the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography:

Flowchart 1: Items Designed to Use Cryptography Including Items NOT controlled under Category 5 Part 2 of the EAR
Flowchart 2: Classified in Category 5, Part 2 of the EAR

Similarly, the following written outline provides the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography.  Although Category 5 Part 2 controls more than just cryptography, most items that are in Category 5 Part 2 fall under 5A002.a, 5A002.b, 5A004, or 5A992 or their software and technology equivalents. 

"Encryption Outline"

1.    Encryption items that are NOT subject to the EAR (publicly available)
2.    Items subject to Cat. 5, Part 2:

a. 5A002.a (and equivalent software under 5D002 c.1) applies to items that:

i. Use ‘cryptography for data confidentiality’; and

ii.  Have ‘in excess of 56 bits of symmetric key length, or equivalent’; and

iii.  Have cryptography described in 1 and 2 above that is useable without “cryptographic activation” or has already been activated; and

iv.  Are described under 5A002 a.1 – a.4; and

v.  Are not described by Decontrol notes.

b. 5A992.c (and software equivalence controlled under 5D992.c) is also known as mass market. These items meet all of the above described under 5A002.a and Note 3 to Category 5, Part 2. See the MASS MARKET section for more information.

c. 5A002.b (and software equivalence controlled under 5D002.b) applies to items designed or modified to enable, by means of “cryptographic activation,” an item to achieve/exceed the controlled performance levels for functionality specified by 5A002.a not otherwise enabled (e.g., license key to enable cryptography).

d. 5A004 (and equivalent software controlled under 5D002.c.3) applies to items designed or modified to perform ‘cryptanalytic functions’ including by means of reverse engineering.

e. The following are less commonly used entries:

 

 

3. License Exception ENC and mass market

If you've gone through the steps above and your product is controlled in Cat. 5, Part 2 under an ECCN other than 5A003 (and equivalent or related software and technology), then it is eligible for at least some part of license exception ENC. The next step is to determine which part of License Exception ENC the product falls under. Knowing which part of ENC the product falls under will tell you what you need to do to make the item eligible for ENC, and where the product can be exported without a license.


Types of authorization available for license exception ENC:

      a.     Mass Market
      b.     740.17(a)
      c.     740.17(b)(2)
      d.     740.17(b)(3)/Mass market
      e.     740.17(b)(1)/Mass market

4.    Once you determine what authorization applies to your product, then you may have to file a classification request, annual self-classification report, and/or semi-annual sales report. The links below provide instructions on how to submit reports and Encryption Reviews:

      a.     How to file an Annual Self-Classification Report
      b.     How to file a Semi-annual Report
      c.     How to Submit an ENC or Mass market classification review

5.    After you have submitted the appropriate classification and/or report, there may be some instances in which a license is still required. Information on when a license is required, types of licenses available, and how to submit are below:

     a.   When a License is Required
     b.   Types of licenses available
     c.   How to file a license application

6.    FAQs
7.    Contact us

 

5A002.a includes items where the cryptographic capability is usable without “cryptographic activation” or has been activated.

“Cryptographic activation” (Cat 5P2): Any technique that activates or enables cryptographic capability of an item, by means of a secure mechanism implemented by the manufacturer of the item, where this mechanism is uniquely bound to any of the following:

1. A single instance of the item; or

2. One customer, for multiple instances of the item.

Technical Notes to definition of “Cryptographic activation”:

1. “Cryptographic activation” techniques and mechanisms may be implemented as hardware, “software” or “technology”.

2. Mechanisms for “cryptographic activation” can, for example, be serial number-based license keys or authentication instruments such as digitally signed certificates.


That is to say, if the cryptography cannot be used, it would not be controlled in 5A002.a. Also, if the cryptography requires a “cryptographic activation” (e.g., license key) to be enabled, then the item, without or before the cryptography being activated, would not be controlled in 5A002.a.

Conversely, an item that has cryptography that is usable without any “cryptographic activation” (e.g., license key) could be controlled in 5A002.a. Also, items that do require a “cryptographic activation” and have been activated would be controlled in Cat. 5 Part 2.

General number: 202-482-0707

Aaron Amundson
Director
Ph: 202-482-5299

Sylvia Jimmison
Export Policy Analyst
Ph: 202-482-2342

Michael Pender
Sr. Electronics Engineer
Ph: 202-482-2458

Anita Zinzuvadia
Sr. Electronics Engineer
Ph: 202-482-3772

Naomi Dubiel
Export Administration Specialist
Ph: 202-482-2954

T. Renee Osborne
Management & Program Analyst
Ph: 202.482.9065

   
© BIS 2016