The U.S. Commerce Control List is broken in to 10 Categories  0 – 9 (see Supplement No. 1 to part 774 of the EAR).  Encryption items fall under Category 5, Part 2 for Information Security.  Cat. 5, Part 2 covers:

•    1) Cryptographic Information Security; (e.g., items that use cryptography)
•    2) Non-cryptographic Information Security (5A003); and
•    3) Defeating, Weakening of Bypassing Information Security (5A004)

You can find a Quick Reference Guide to Cat. 5, Part 2 here.

The controls in Cat. 5, Part 2 include multilateral and unilateral controls. The multilateral controls in Cat. 5, Part 2 of the EAR (e.g., 5A002, 5A003, 5A004, 5B002, 5D002, 5E002) come from the Wassenaar Arrangement List of Dual Use Goods and Technologies. Changes to the multilateral controls are agreed upon by the participating members of the Wassenaar Arrangement.  Unilateral controls in Cat. 5, Part 2 (e.g., 5A992.c, 5D992.c, 5E992.b) of the EAR are decided on by the United States.  

The main license exception that is used for items in Cat. 5, Part 2 is License Exception ENC (Section 740.17). License exception ENC provides a broad set of authorizations for encryption products (items that implement cryptography) that vary depending on the item, the end-user, the end-use, and the destination. There is no "unexportable" level of encryption under license exception ENC. Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements. Some items going to some destinations require licenses.

This guidance does not apply to items subject to the exclusive jurisdiction of another agency.  For example, ITAR USML Categories XI(b),(d), and XIII(b), (l) control software, technical data, and other items specially designed for military or intelligence applications.

The following 2 flowcharts lay out the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography:

Flowchart 1: Items Designed to Use Cryptography Including Items NOT controlled under Category 5 Part 2 of the EAR
Flowchart 2: Classified in Category 5, Part 2 of the EAR

Similarly, the following written outline provides the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography.  

"Encryption Outline"

1.    Encryption items that are NOT subject to the EAR (publicly available)
2.    Encryption items that ARE subject to the EAR:

       a.     Encryption items that are subject to the EAR and are NOT in Cat. 5 Part 2

There are several types of items that use cryptography, but that are not classified in Cat. 5, Part 2.  Here we discuss 4 different ways an item that has encryption functionality is NOT classified under Cat. 5, Part 2.

                  1.    Key length thresholds
                  2.    Note 4 to Cat. 5, Part 2
                  3.    Authentication/Digital Signature/Copy-protection  
                  4.    Decontrol notes in 5A002  

     b.    Encryption items that are subject to the EAR and ARE in Cat. 5 Part 2

If you've gone through the steps above and have not excluded your product from the EAR or from Cat. 5 Part 2, then your product is controlled in Cat. 5, Part 2. If your product is controlled in Cat. 5, Part 2, and is classified under an ECCN other than 5A003 (and equivalent or related software and technology), then it is eligible for at least some part of license exception ENC. The next step is to determine which part of License Exception ENC the product falls under. Knowing which part of ENC the product falls under will tell you what you need to do to make the item eligible for ENC, and where the product can be exported without a license.

Types of authorization available for license exception ENC:

                  1.    Mass Market
                  2.    740.17(a)
                  3.    740.17(b)(2)
                  4.    740.17(b)(3)/Mass market
                  5.    740.17(b)(1)/ Mass market

3.    Once you determine what authorization applies to your product, then you may have to file a classification request, annual self-classification report, and/or semi-annual sales report. The links below provide instructions on how to submit reports and Encryption Reviews:

      a.     How to file an Annual Self-Classification Report
      b.     How to file a Semi-annual Report
      c.     How to Submit an ENC or Mass market classification review

4.    After you have submitted the appropriate classification and/or report, there may be some instances in which a license is still required. Information on when a license is required, types of licenses available, and how to submit are below:

     a.    When a license is required
     b.    Types of licenses available
     c.    How to file a license application

5.    FAQs
6.    Contact us

© BIS 2016