Information Security Updates

September 20, 2016

 

The recently published Rule (Wassenaar Arrangement 2015 Plenary Agreements Implementation, Removal of Foreign National Review Requirements, and Information Security Updates) has made changes to the EAR including to Category 5 Part 2 (C5P2). The following is a list of updates made to C5P2 and the License Exceptions that apply to C5P2.

BIS will also be updating the Encryption web site soon to reflect the changes.

For questions call the Information Technology Controls Division at (202) 482-0707.

ECCN Changes to Category 5 Part 2

·         Separates C5P2 into 3 subsections:

o   Cryptographic information security

o   Non-cryptographic information security – 5A003

o   Defeating, Weakening, or bypassing information security – 5A004

·         Deletes ECCNS 5A992/5D992 a&b, as well as 5E992.a

·         Keeps mass market ECCNs 5A992/5D992.c and 5E992.b

·         Decontrol notes (Note to 5A002.a) moved around to remove previously unused paragraphs

·         Removes previous Note 1 to C5P2 – moved to a General Information Security Note (Supp. No. 2 to Part 774), removed all the pointers in the EAR to C5P2.

·         Adds a sentence to the Note to Note 3 saying that simple price inquiry is not a consultation

·         Deletes 5A002 a.7 control on products above EAL-6.

License Exception Changes

·         License Exception TSU - Publicly available source code is no longer subject to the EAR once the email notification is sent. The Notification requirement that was previously under TSU §740.13(e), is moved to §742.15(b).

·         License Exception TMP – 5E002 encryption technology now eligible for tools of the trade provisions under 740.9.

·         §742.15 – Encryption Mass market provisions are moved from §742.15 to §740.17.

·         License Exception ENC – §740.17

o   Paragraph (a)(1) - Adds an exception for certain related parties transactions for companies headquartered in a Supp. 3 country

o   §740.17(b)(4) – Deletes paragraph on short-range wireless items, paragraph on foreign made products is moved to paragraph (a).

o   Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report.

o   If an exporter submits a CCATS review for an item under §740.17(b)(1), it does NOT have to go on the self-classification report.

o   §740.17(b)(2) – updates performance parameters

§  Edited headers to make it clear that there should only be one parameter that applies to a product.

§  Aggregate encrypted throughput increased from 90 Mbps to 250 Mbps

§  Delete single channel input data rate

§  Delete 250 concurrent encrypted data channels

§  Media parameter raised from 1,000 endpoints to 2,500

§  Carve out for mass market satellite modems that use end-to-end encryption between the modem and the hub.

§  5A002.d (channelizing codes) and 5A002.e (spread spectrum) moved to §740.17(b)(2)

§  New authorization for network infrastructure items to less-sensitive government end-users.

o   Deleted grandfathering provisions

o   Croatia added to Supp. No. 3 to Part 740

o   Supp. No. 6 to Part 742 questions are revised

o   Definition of government end-user states that government-owned public schools and universities are "government end-users" as defined in Section 772.

o   Adds definition of “More sensitive government end-users” and “Less-sensitive government end-users.”

 

Note

Classifications issued for 5A992/5D992 a&b, and 5E992.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991) if applicable or EAR99.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to this rule change continue to be authorized under the newly located mass market encryption provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the item moved from 742.15 to 740.17.

 

 

Encryption FAQs

Details

FREQUENTLY ASKED QUESTIONS

1. What is an encryption registration? How long does it take to receive a response from BIS for my encryption registration?

2. Who is required to submit an Encryption Registration, classification request or self-classification report?

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the producer?

4. What should I do if I cannot obtain the encryption registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

6. How do I report exports and reexports of items with encryption?

7. Can I export encryption technology under License Exception ENC?

8. What is “non-standard cryptography”?

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer of encryption items?

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

12. Is Supplement No. 6 to Part 742 required for obtaining paragraph 740.17(b)(1) authorization?

13. How do I submit a Supplement No. 8 –Self-Classification Report for Encryption Items?

14. When do I file Supplement No. 8 –Self-Classification Report for Encryption Items?

15. What is Note 4?

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

17. When do I need a “deemed export” license for encryption technology and source code?

18. Does the EAR definition of "OAM" include using encryption in performing network security monitoring functions?


1. What is an Encryption Registration? How long does it take to receive a response from BIS for my Encryption Registration?

Encryption registration is a prescribed set of information about a manufacturer and/or exporter of certain encryption items that must be submitted to the Bureau of Industry and Security as a condition of the authorization to export such items under License Exception ENC or as “mass market” items.

Advance encryption registration is required for exports and reexports of items described in paragraphs 740.17(b)(1), (b)(2), and (b)(3) and paragraphs 742.15(b)(1), and (b)(3) of the Export Administration Regulations (EAR). Registration is made through SNAP-R by submitting the questionnaire set forth in Supplement No. 5 to part 742 of the EAR (point of contact/company overview/types of products/ etc.). Registration of a manufacturer authorizes the manufacturer as well as other parties to export and reexport the manufacturer’s encryption products that the manufacturer has either self-classified or has had the items classified by BIS, pursuant to the provisions referenced above. A condition of the authorization is that the manufacturer must submit an annual self-classification report for relevant encryption items.

How long does it take to receive a response from BIS for my encryption registration? 

Once you have properly registered with BIS, the SNAP-R system will automatically issue an Encryption Registration Number (ERN), e.g., R123456, upon submission of a request.  BIS estimates that the entire registration procedure should take no more than 30 minutes.  

2. Who is required to submit an encryption registration, classification request or self-classification report?

Any party who exports certain U.S.-origin encryption products may be required to submit an encryption registration, classification request and/or self-classification report; however, if a manufacturer has registered and has self-classified relevant items and/or had items classified by BIS, and has made the classifications available to other parties such as resellers and other exporters/reexporters, such other parties are not required to register, to submit a classification request, or to submit an annual self-classification report.    

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the product manufacturer?

Exporters or reexporters that are not producers of the encryption item can rely on the Encryption Registration Number (ERN), self-classification report or CCATS that is published by the producer when exporting or reexporting the registered and/or classified encryption item.  Separate encryption registration, commodity classification request or self-classification report to BIS is NOT required.

Please continue to the next question if the information is not available from the producer or manufacturer.

4. What should I do if I cannot obtain the Encryption Registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

If you are not the producer and are unable to obtain the producer’s information or if the producer has not submitted an encryption registration, self-classification report or commodity classification for his/her products to BIS, then you must register with BIS.  The registration process will require you to submit a properly completed Supplement No. 5 to part 742 and subsequent Supplement No. 8 Self Classification Report for the products.  You will receive an ERN for the registered products or CCATSs as appropriate.  BIS recognizes that non-producers who need to submit for encryption registration may not have all of the information necessary to complete Supplement No. 5 to part 742.  Therefore, special instructions have been included in Supplement No. 5 to account for this situation. 

For items described in Part 740.17(b)(2) and (b)(3) or Part 742.15(b)(3) that require the classification by BIS, the non-producer is required to submit as much of the technical information required in Supplement No. 6 to part 742 - Technical Questionnaire for Encryption Items as possible.  

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

Yes, special instructions for this purpose are provided in paragraph (r) of Supplement No. 2 to part 748 of the EAR for this purpose.  The information in block 14 (applicant) of the encryption registration screen and the information in Supplement No. 5 to part 742 must pertain to the company that seeks authorization to export and reexport encryption items that are within the scope of this rule.  An agent for the exporter, such as a law firm, should not list his/her name in block 14. The agent however may submit the encryption registration and list himself/herself in block 15 (“other party authorized to receive license”) of the encryption registration screen in SNAP-R.

6. How do I report exports and reexports of items with encryption?

All reports (i.e., the semi-annual sales report and the annual self-classification report) must be submitted to both BIS and the ENC Encryption Request Coordinator. 

An annual self-classification report is required for producers of encryption items described by paragraphs 740.17(b)(1) and 742.15(b)(1) of the EAR.  The information required and instruction for this report is provided in Supplement No. 8 to Part 742-Self-Classification Report for Encryption Items.  Reports are submitted to BIS and the Encryption Request Coordinator in February of each year for items exported or reexported during the previous calendar year (i.e., January 1 through December 31) pursuant to the encryption registration and applicable sections 740.17(b)(1) or 742.15(b)(1) of the EAR.  Annual self-classification reports are to be submitted to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it..

Semi-annual sales reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs (b)(2) and (b)(3)(iii) of section 740.17.  Paragraph 740.17(e)(1(iii) contains certain exclusions from this reporting requirement.  Paragraphs 740.17(e)(1)(i) and (e)(1)(ii) contains the information required and instructions for submitted the semi-annual sales reports.  The first report is due no later than August 1 for sales occurring between January 1 and June 30 of the year, and the second report is due no later than February of the following year for sales occurring between July 1 and December 31 of the year.  Semi-annual sales reports continue to be submitted to:  This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it.

7. Can I export encryption technology under License Exception ENC?

Yes, License Exception ENC is available for transfer of encryption technology.  Specifically, paragraph 740.17(b)(2)(iv) has been amended to permit exports and reexports of encryption technology as follows:

(A) Technology for "non-standard cryptography".  Encryption technology classified under ECCN 5E002 for "non-standard cryptography", to any end-user located or headquartered in a country listed in Supplement No. 3 to this part;

(B)  Other technology.  Encryption technology classified under ECCN 5E002 except technology for "cryptanalytic items", "non-standard cryptography" or any "open cryptographic interface," to any non-"government end-user" located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR.

8. What is “non-standard cryptography”?

Non-standard cryptography, defined in Part 772– Definition of Terms, “means any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.”

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer or exporter of encryption items?

The information in Supplement No. 5 to Part 742must pertain to the registered company, not to the submitter.  Specifically, the “point of contact” information must be for the registered company, not a law firm or consultant filing on behalf of the registered company. 

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

You may answer questions 4 and 7 in Supplement No. 5 to part 742as “not applicable” if your company is not the producer of the encryption item.  An answer must be give for all other questions.  An explanation is required when you are unsure.

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

Encryption commodity classification determinations should be submitted through SNAP-R. Before entering SNAP-R, you should prepare the following supporting documents:

  1. Letter of Explanation
  2. Supplement No. 6 to part 742. Complete all questions. Question number 11 asks whether the item fits the criteria set forth in 740.17(b)(2)
  3. Technical Documents: This may include technical data sheets, marketing brochures, specification sheet

After accessing SNAP-R, fill-in a commodity classification determination request and upload the supporting documents into SNAP-R.

12. Is Supplement No. 6 to part 742 required for paragraph 740.17(b)(1) authorization?

If you are requesting a classification of an item is described in paragraph 740.17(b)(1) (in other words, the item is not described in either Section 740.17(b)(2) or (b)(3)), a Supplement No. 6questionnaire is not required as a supporting document.  Provide sufficient information about the item (e.g., technical data sheet and/or other explanation in a separate letter of explanation) for BIS to determine that the item is described in paragraph 740.17(b)(1).  If you are not sure that your product is authorized as 740.17(b)(1) and you want BIS to confirm that it is authorized under 740.17(b)(1), providing answers to the questions set forth in Supplement No. 6 to part 742 with your request should provide BIS with sufficient information to make this determination.     

13. How do I submit a Supplement No. 8 –Self Classification Report for Encryption Items?

The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator.  Reports to BIS must be submitted to a newly created e-mail address for these reports (This email address is being protected from spambots. You need JavaScript enabled to view it.).  Reports to the ENC Encryption Request Coordinator must be submitted to its existing e-mail address (This email address is being protected from spambots. You need JavaScript enabled to view it.). The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.  In lieu of email, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator.

14. When do I file Supplement No. 8 –Self-Classification Report for Encryption Items?

An annual self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year.  If no information has changed since the previous report, an email must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted. 

15. What is Note 4?

Note 4 to Category 5, Part 2 in the Commerce Control List (Supplement No. 1 to part 774) excludes an item that incorporates or uses “cryptography” from Category 5, Part 2 controls if the item’s primary function or set of functions is not “information security,” computing, communications, storing information, or networking, andif the cryptographic functionality is limited to supporting such primary function or set of functions.  The primary function is the obvious, or main, purpose of the item.  It is the function which is not there to support other functions.  The “communications” and “information storage” primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management.   

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:   

  • Consumer applications.  Some examples:
  • piracy and theft prevention for software or music;
  • music, movies, tunes/music, digital photos – players, recorders and organizers
  • games/gaming – devices, runtime software, HDMI and other component interfaces, development tools
  • LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing);
  • printers, copiers, scanners, digital cameras, Internet cameras – including parts and sub-assemblies
  • household utilities and appliances
  • Business / systems applications: systems operations, integration and control.  Some examples:
  • business process automation (BPA) – process planning and scheduling, supply chain management, inventory and delivery
  • transportation – safety and maintenance, systems monitoring and on-board controllers (including aviation, railway, and commercial automotive systems), ‘smart highway’ technologies, public transit operations and fare collection, etc.
  • industrial, manufacturing or mechanical systems - including robotics, plant safety, utilities, factory and other heavy equipment, facilities systems controllers such as fire alarms and HVAC
  • medical / clinical – including diagnostic applications, patient scheduling, and medical data records confidentiality
  • academic instruction and testing / on-line training - tools and software
  • applied geosciences – mining / drilling, atmospheric sampling / weather monitoring, mapping / surveying, dams / hydrology
  • Research / scientific / analytical.  Some examples:
  • business process management (BPM) – business process abstraction and modeling
  • scientific visualization / simulation / co-simulation (excluding such tools for computing, networking, cryptanalysis, etc.)
  • data synthesis tools for social, economic, and political sciences (e.g., economic, population, global climate change, public opinion polling, etc. forecasting and modeling)
  • Secure intellectual property (IP) delivery and installation.  Some examples:
  • software download auto-installers and updaters
  • license key product protection and similar purchase validation
  • software and hardware design IP protection
  • computer aided design (CAD) software and other drafting tools

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

Your item meets the grandfathering provisions set forth in section 740.17(f)(1) of the EAR.  You do not need to submit an encryption registration (Supplement No. 5), an annual self-classification report (Supplement No. 8), or semi-annual sales reports for the item.

17. When do I need a “deemed export” license for encryption technology and source code?

A license may be required in certain circumstances for both deemed exports and deemed reexports. For encryption items, the deemed export rules apply only to deemed exports of technology and to deemed reexports of technology and source code. There are no deemed export rules for transfers of encryption source code to foreign nationals in the United States. This is because of the way that section 734.2 defines exports and reexports for encryption items.

For transfers of encryption technology within the United States, section 740.17(a)(2) of license exception ENC authorizes the export and reexport of encryption technology “by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors, or interns of a U.S. company . . .” There is no definition of “U.S. company” in the EAR, however, BIS has interpreted this to apply to any company operating in the United States. This means that deemed export licenses are generally not required for the transfer of encryption technology by a company in the U.S. to its foreign national employees. A deemed export license may be required if, for example, a company operating in the U.S. were to transfer encryption technology to a foreign national who is not an employee, contractor, or intern of a company in the United States. License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

For deemed reexports, the end-user would have to be an employee, contractor, or intern of a “U.S. Subsidiary” for 740.17(a)(2) to apply, or a ‘private sector end-user’ headquartered in a Supplement 3 country for 740.17(a)(1) to apply. The term “contractor” in this context means a contract employee (i.e., a human person). License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

Also note that as of June 25, 2010, encryption technology (except technology for “cryptanalytic items,” “Open Cryptographic Interface” items, and “non-standard cryptography”) that has been reviewed is eligible for license exception ENC to any non-government end user located outside of Country Group D:1. Also, encryption source code that has been reviewed by BIS and made eligible for license exception ENC under 740.17(b)(2) is eligible for export and reexport to any non-government end-user. Thus encryption technology and source code that have been reviewed are eligible for export and reexport to a broader range of end-users than 740.17(a) allows. Again, section 740.17 does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

18. Does the EAR definition of "OAM" include using encryption in performing network security monitoring functions?

No. The definition of "OAM" includes "monitoring or managing the operating condition or performance of an item." BIS does not consider network security monitoring or network forensics functions to be part of monitoring or managing operating condition or performance.

The phrase "monitoring or managing the operating condition or performance of an item" is meant to include all the activities associated with keeping a computer or network-capable device in proper operating condition, including: configuring the item; checking or updating its software; monitoring device error or fault indicators; testing, diagnosing or troubleshooting the item;  measuring bandwidth, speed, available storage (e.g. free disk space) and processor / memory / power utilization; logging uptime / downtime; and capturing or measuring quality of service (QoS) indicators and Service Level Agreement-related data.

However, the "OAM" definition does not apply to cryptographic functions performed on the forwarding or data plane, such as: decrypting network traffic to reveal or analyze content (e.g., packet inspection and IP proxy services); encrypting cybersecurity-relevant data (e.g., activity signatures, indicators or event data extracted from monitored network traffic) over the forwarding plane; or securing the re-transmission of captured network activity.

Thus, products that use encryption for such network security monitoring or forensics operations, or to provision these cryptographic services, would not be released by the OAM decontrol notes (l) or (m), or the Note to 5D002.c.

Similarly, the "OAM" decontrol does not apply to security operations directed against data traversing the network, such as capturing, profiling, tracking or mapping potentially malicious network activity, or "hacking back" against such activity.

 

Back to top

License Applications

Details

How to File an Encryption License Application

In most cases, your encryption item will be eligible for export under a license exception, so you should carefully review Sections 740 and 742.15 of the Export Administration Regulations (EAR) before you submit a license application. If your product and/or end-user do not qualify for a license exception, you must request an individual export license or Encryption Licensing Arrangement (ELA) for your transaction.

Section 742.15(a)(2) of the EAR describes ELAs. Unlike individual licenses, ELAs authorize unlimited quantities of encryption commodities and software to national or federal government bureaucratic agencies, and to state, provincial or local governments, in all destinations, except countries listed in Country Group E:1 of Supplement No. 1 to part 740. ELAs are typically valid for four years and may require post-export reporting or pre-shipment notification. Applicants seeking authorization for Encryption Licensing Arrangements must specify the sales territory and class of end-user on their license applications.

This guidance is designed to help you in applying for an individual license or an ELA to export certain encryption items not eligible for a license exception and should only be used in conjunction with the relevant portions of the EAR.

Step 1: Read the relevant portions of the EAR.
You should first review Sections 742.15 and 748 of the EAR. Section 742.15 describes the licensing policy for encryption items. Section 748 provides general guidance on applying for an export license.

Step 2: Fill in the on-line SNAP-R License Application Work Item form.
When applying for an individual license, follow the instructions below.

Block

Instructions

5

Mark the export or reexport box. This is extremely important. DO NOT mark classification request. If you do, the application will be returned to you.

18

This block MAY NOT be left blank. Follow the instructions that came with the application form.

19

Follow the instructions that came with the application form for this block.

21

Describe the intended end use of the encryption item(s).

22(a)

The ECCN for encryption hardware is 5A002. The ECCN for encryption software is 5D002. The ECCN for encryption technology is 5E002.

22(j)

Provide a brief technical description including the basic purpose of the item and the type of encryption used in the product or technology (e.g., 128-bit RC4 for secure e-mail, 2048 RSA for key exchange). Please DO NOT type "See letter of explanation" or "See brochure". The information identified in this block is entered directly into the BIS computer system, and will be printed on the license issued by BIS. A brief technical description is essential.

24

Identify, by number, any previous licenses or classifications received for the same or similar encryption item.

When applying for an ELA, follow the instructions below.

Block

Instructions

5

Mark export or reexport box. This is extremely important. DO NOT mark classification request. If you do, the application will be returned to you.

9

Indicate the phrase "Encryption Licensing Arrangement" in this block.

17

Indicate "various" to denote several intermediate consignees (if applicable).

18

Indicate "various" to denote several ultimate consignees (if applicable).

19

Indicate "various" to denote several end users (if applicable). Leave blank if you have indicated "various" in block 18, and the end users are the same as the ultimate consignees. When applying to export or reexport to government end users (as defined in Part 772) outside of the countries listed in Supplement 3 to Part 740, please provide a list of countries, specific end uses, and end users in the application.

21

Describe the intended end use of the encryption item(s).

22(a)

The ECCN for encryption hardware is 5A002. The ECCN for encryption software is 5D002. The ECCN for encryption technology is 5E002.

22(e)

Indicate "1" in this box, even though you are applying for unlimited quantities.

22(f)

Indicate "unlimited" in this box.

22(j)

Provide a brief technical description including the basic purpose of the item and the type of encryption used in the software (e.g., 128-bit RC4 for secure e-mail, 2048 RSA for key exchange). Please DO NOT type 'see letter of explanation' or 'see brochure'. The information identified in this block is entered directly into the BIS computer system, and will be printed on the license issued by BIS. A brief technical description is essential.

24

Indicate the sales territory in this block (listing specific countries, not regions) and the type of end users to whom the item(s) will be exported. You may indicate any additional pertinent information in this block, such as "the items will be returned to the United States or Canada for resale".

All other blocks or block portions appropriate for license applications should be completed in accordance with Part 748 of the EAR.

Step 3: Attach supporting documents.
Supporting documents, such as technical specifications, should accompany the form. The supporting documents should include information about the encryption used, including the name and key length of the algorithm(s) in the product. In addition, you should attach relevant information about the end-user(s). You should attach a brief letter of explanation which summarizes your proposed transaction to expedite the processing of your application.

 

Information Technology Controls Division Contacts

Details

General number: 202-482-0707

Randy Wheeler
Director Ph: 202-482- 5303
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Judith Currie
Senior Export Policy Analyst
Ph: 202-482-5085
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Sylvia Jimmison
Export Policy Analyst
Ph: 202-482-2342
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Michael Pender
Senior Engineer
Ph: 202-482-2458
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Aaron Amundson
Export Policy Analyst
Ph: 202-482-5299
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Anita Zinzuvadia
Electrical Engineer
Ph: 202-482-3772
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Naomi Dubiel
Export Policy Analyst
Ph: 202-482-2954
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Reporting

Details

How to file an annual self-classification report
How to create the annual self-classification report in .CSV file format
How and when to file semi-annual reports

How to file an Annual Self-Classification Report

An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).

You will need a copy of Supplement No. 8 to Part 742 "Self-Classification Report."

How to report:

The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator.

What to report:

The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV) only. CSV format is the ONLY format that will be accepted. Click here to learn how to create the annual self-classification report in .CSV file format.

Where to report:

Reports should be emailed to BIS and the ENC Encryption Request Coordinator at This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it.. In lieu of e-mail, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator as specified in section 742.15(c)(2)(ii) of the EAR, only if necessary.

When to report:

A annual self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 of the following year.

If no information has changed since the previous report, an e-mail must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted. No self-classification report is required if no exports or reexports of applicable items pursuant to an encryption registration were made during the calendar year.

How to create the annual self-classification report in .CSV file format

Annual self-classification report is required for commodities exported or reexported under 740.17(b)(1) and 742.15(b)(1), effective June 25, 2010.

CCATS for commodities issued by or submitted to BIS prior June 25, 2010 and that are now described under 740.17(b)(1) or 742.15(b)(1) are not required to be listed in the Annual Self-Classification Report, provided the cryptographic functionality of the item has not changed. These items are grandfathered under the June 25th rule.

The following table provides an example of the various fields required within the Annual Self-Classification Report as required per 742.15(c) and demonstrates how various instructions & tips published in Supplement 8 to part 742 works out in practice.

- First line of the annual self-classification report must consist of the following six entries: PRODUCT NAME, MODEL NAME, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE.
- No entry may be left blank.
- PRODUCT NAME and ECCN must be completed.
- For MODEL NUMBER and MANUFACTURER, if necessary, enter "NONE" or "N/A".
- For AUTHORIZATION TYPE, enter ENC or MMKT.
- For ITEM TYPE, pick from the list of item types provided in the Supp. 8 to Part 742 (a)(6).
- The only permitted use of a comma is as the necessary separator between the 6 entries for each line item. The only commas allowed are the ones inserted automatically during spreadsheet conversion.
- An encryption self-classification report data table created and stored in spreadsheet format can be converted and saved into a comma delimited file (.CSV) format directly from the spreadsheet program.

PRODUCT NAME

MODEL NUMBER

MANUFACTURER

ECCN

AUTHORIZATION TYPE

ITEM TYPE

XtraGood VPN

2010

ABC XYZ Manufacturing Inc

5A002

ENC

virtual private networking (VPN)

XtraGood Firewall

1100

SELF

5A002

MMKT

firewall

XtraGood WLAN chipset

XG-80211-xxxx

MULTIPLE

5A002

ENC

wireless local area networking (WLAN)

XtraGood Client Manager Suite

1xx

PDQ123 Software Services LLC

5D992

MMKT

network or systems management (OAM/OAM&P)

XtraGood Connectivity AP

300-xxx

MULTIPLE

5A992

MMKT

access point

XtraGood Connectivity Client Manager

NONE

PDQ123 Software Services LLC

5D992

MMKT

network or systems management (OAM/OAM&P)

XclusiveAgent – Pro Ed.

5xx

SELF

5D002

ENC

file encryption

XclusiveAgent – Home Ed.

100

SELF

5D992

MMKT

file encryption

Xclusive Agent Secure Storage Device

XA-SHD-xxx

MULTIPLE

5A992

MMKT

disk / drive encryption

XclusiveAgent Enterprise Key Token

XA-KT-xxx

ABC XYZ Manufacturing Inc

5A002

ENC

key storage

XclusiveAgent PKI

NONE

SELF

5D002

ENC

key management

Xclusive Agent Secure USB Drive

XA-SUSB-xxx

MULTIPLE

5A992

MMKT

disk/drive encryption

 

The following screen shots provide guidance on how to create the .csv file for submission:

  1. Sample screen shot of spreadsheet, including doing a "Save As..." [into .CSV format] from the spreadsheet application, like the exporter would do in creating their actual self-classification report for submission to BIS and NSA.
  2. Sample screen shot of .CSV file as viewed in the spreadsheet application. This is the file that exporters will attach to their e-mails to BIS and NSA.
  3. Sample .CSV file when viewed in Notepad. To check the validity of your CSV file, you may open the new file from a plain-text reading program such as Notepad or TextEdit.

Submit your annual self-classification report electronically to BIS as an email attachment to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it. with subject “Self-classification report for ERN R######”, using your most recent Encryption Registration Number. In your submission, specify the export time frame that your report spans and identify points of contact to whom questions or other inquires pertaining to the report should be directed.

How and when to file semi-annual reports

The semi-annual reporting requirement for License Exception ENC can be found in 740.17(e) of the EAR.

Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada ONLY for items described under paragraphs 740.17(b)(2) and 740.17(b)(3)(iii).

Items other than those described in 740.17(b)(2) and 740.17(b)(3)(iii) will no longer require a report to BIS.

Certain encryption items and transactions are excluded from this reporting requirement, see paragraph 740.17(e)(1)(iii) of this section. These exclusions include:

  • Encryption commodities or software with a symmetric key length not exceeding 64 bits.
  • Encryption items exported (or reexported from Canada) via free and anonymous download.
  • Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers or contractors for banking or financial operations.
  • Items listed in paragraph 740.17(b)(4), unless it is a foreign item described in 740.17(b)(4)(ii) that has entered the United States.
  • Foreign products developed by bundling or compiling of source code.

What to file:

  • Commodity Classification Automated Tracking System (CCATS) number.
  • Name of the item(s) exported (or reexported from Canada).
  • Distributors or resellers. For items exported (or reexported from Canada) to a distributor or other reseller, including subsidiaries of U.S. firms, the name and address of the distributor or reseller, the item and the quantity exported or reexported and, if collected by the exporter as part of the distribution process, the end user’s name and address.
  • Direct sales. For items exported (or reexported from Canada) through direct sale, the name and address of the recipient, the item, and the quantity exported.
  • Foreign manufacturers and products that use encryption items. See 740.17(e)(1)(i)(C) for full details.

When to file:

  • For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year.
  • For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year.
  • These reports must be provided in electronic form.
  • Recommended file formats for electronic submission include spreadsheets, tabular text or structured text.
  • Exporters may request other reporting arrangements with BIS to better reflect their business models.
  • Reports may be sent electronically to BIS at This email address is being protected from spambots. You need JavaScript enabled to view it. and to the ENC Encryption Request Coordinator at This email address is being protected from spambots. You need JavaScript enabled to view it., or disks and CDs containing the reports may be sent to the following addresses:

     Department of Commerce
     Bureau of Industry and Security
     Office of National Security and Technology Transfer Controls
     14th Street and Pennsylvania Ave., NW
     Room 2705, Washington, DC  20230
     Attn: Encryption Reports

     and

     Attn: ENC Encryption Request Coordinator
     9800 Savage Road, Suite 6940
     Ft. Meade, MD  20755-6000

Reporting Key Length Increases

Reporting is required for commodities and software that, after having been classified and authorized for License Exception ENC in accordance with paragraphs (b)(2) or (b)(3) of this section, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported or reexported under the previously authorized provision of License Exception ENC without a classification resubmission.

What to file for reporting key length increases:

  • Certification that no other encryption changes have been made.
  • Original Commodity Classification Automated Tracking System (CCATS).
  • New key length.

When and where to file for reporting key length increases:

  • The report must be received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and
  • The report must be e-mailed to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it..