May I self-classify my encryption item and export it WITHOUT an encryption registration?
May I self-classify my encryption item and export it WITH an encryption registration?
How to file an encryption registration

May I self-classify my encryption item and export it WITHOUT an encryption registration?

Flowchart 2 provides an overview of how to determine whether your product can be self-classified and exported without an encryption registration.

If you have a product that is controlled under Category 5, Part 2, certain products and transactions do not require any encryption registration, classification, or post-export reporting. This includes:

- Products classified under 5x992, including:

  • Products with key lengths not exceeding 56 bits symmetric, 512 bits asymmetric and/or 112-bit elliptic curve.
  • Mass market products with key lengths not exceeding 64 bits symmetric, or if no symmetric algorithms, not exceeding 768 bits asymmetric and/or 128 bits elliptic curve.
  • Certain mass market products listed under 742.15(b)(4).
  • Products with limited cryptographic functionality as described in the Note to 5A002.
  • Products that use encryption for authentication only.

- Certain 5x002 products/transactions, including:

  • Certain products/transactions are eligible for license exception ENC without any registration, classification, or reporting, including:
    • Exports and reexports to "private sector end-users" as described in 740.17(a)(1).
    • Exports and reexports to a “U.S. Subisidary” as described in 740.17(a)(2).
    • Certain products listed under 740.17(b)(4).
  • Certain products that require only a notification before export:
    • “Publicly available” encryption software and source code under license exception TSU (740.13).
    • Beta Test software under license exception TMP (740.9).

In addition, if you are relying on the producer’s self-classification (pursuant to the producer’s encryption registration) or CCATS for an encryption item eligible for export or reexport under License Exception ENC or mass market, you are not required to submit an encryption registration, classification request or self-classification report. You are still required to comply with semi-annual sales reporting requirements under paragraph 740.17(e).

May I self-classify my encryption items WITH an encryption registration?

License Exception ENC – 740.17(b)(1) and Mass Market provision - 742.15(b)(1) allow self-classification of an item and export after submission of a required encryption registration.

Self-Classify as 5A002, 5B002 or 5D002

Many less sensitive encryption items may be self-classified and exported or reexported as 5A002, 5B002, or 5D002 after submission of an encryption registration (or confirming that the manufacturer has submitted an encryption registration).* These items may be exported under License Exception ENC - 740.17(b)(1). Encryption items that may be self-classified under 740.17(b)(1) as 5A002, 5B002, or 5D002 with an encryption registration should not be items described in 740.17(b)(2) and (b)(3).

Items described in 740.17(b)(2) include:

  • Network infrastructure items as disclosed in 740.17(b)(2)(i)(B).
  • Encryption source code that would not be eligible for export or reexport under License Exception TSU because it is not publicly available as that term is used in §740.13(e)(1) of the EAR.
  • Been designed, modified, adapted or customized for "government end-user(s)".
  • Cryptographic functionality that has been modified or customized to customer specification.
  • Cryptographic functionality or "encryption component" that is user-accessible and can be easily changed by the user.
  • Quantum crypto.
  • Items that have been modified or customized for computers classified under ECCN 4A003.
  • Items that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks.
  • Public safety/first responder radio (P25 or TETRA).
  • Cryptanalytic items.
  • "Open Cryptographic Interface".
  • Encryption technology classified under ECCN 5E002.

Items described in 740.17 (b)(3) include:

  • Chips, chipsets, electronic assemblies and field programmable logic devices.
  • Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
  • Application-specific hardware or software development kits implementing cryptography.
  • Items that provide or perform "non-standard cryptography".
  • Items that provide or perform vulnerability analysis, network forensics, or computer forensics.

Items that are self-classified with an encryption registration per 740.17(b)(1) ALSO require an annual self-classification report.

Self-Classify as 5A992 or 5D992 for Mass Market items

To be considered Mass Market, the item should first meet the criteria listed in Note 3 to Category 5, Part 2. Many mass market encryption hardware and software may be self-classified and exported or reexported as 5A992 or 5D992 after submission of an encryption registration (or confirming that the manufacturer has submitted and encryption registration).* These items may be exported under the Mass Market provision of 742.15(b)(1). Mass Market encryption items that may be self-classified per 742.15(b)(1) as 5A992 and 5D992 with an encryption registration should not be items described in 742.15 (b)(3). Items described in 742.15 (b)(3) include:

  • Meet Note 3, and are.
  • Chips, chipsets, electronic assemblies, and field programmable logic devices.
  • Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
  • Application-specific hardware or software development kits implementing cryptography.
  • Mass market encryption commodities, software and components that provide or perform “non-standard cryptography” as defined in Part 772 of the EAR.

Items that are self-classified with an encryption registration per 742.15(b)(1) ALSO require an annual self-classification report.

* Reminder: There are also several items that may be self-classified without an encryption registration.

How to file an encryption registration

BIS has created a new SNAP-R screen for encryption registrations. The instructions for submitting an encryption registration are found in paragraph (r) of Supplement No. 2 to Part 748

In block 5 (Type of Application) of SNAP-R, selecting "encryption registration" will result in the appearance of the new encryption registration screen. On that screen blocks 1-5, 14, 15, 24, and 25 are to be completed, and a PDF must be attached that provides answers to Supplement No. 5 to Part 742.

Here is a link to an example view in SNAP-R.

When an encryption registration is submitted via SNAP-R, SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that BIS has received your encryption registration.

A company that exports under the authorization of the encryption registration does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to Part 742 changed during the previous calendar year.

How do I complete the Supplement 5 if I am filing on behalf of a manufacturer (or producer) of an encryption items (e.g., law firm/consultant)?

If you are filing as an agent for the exporter (e.g., a law or consulting firm), block 14 (applicant) must pertain to the company that seeks authorization to export. The agent may, however, list itself in block 15 (“other party authorized to receive the license”).

What if you are not the manufacturer or producer of the item or not filing directly on behalf of the manufacturer or producer (e,g., law firm/consultant)?

If the registrant is not the principal producer (or filing on behalf of the principle producer) of encryption items, the registrant may answer questions 4 and 7 as “not applicable.” For all other questions, an answer must be given, or if the registrant is unsure of the answer, the registrant may state that it is unsure and explain why.

Using a manufacturer’s Encryption Registration Number (ERN):

Once a manufacturer (or producer) of the encryption item submits its Encryption Registration (i.e., the information described in Supplement No. 5 to Part 742 of the EAR) to BIS, the manufacturer’s encryption items become eligible for export and reexport under the applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the conditions and restriction of those sections.

Encryption Registration Numbers (ERN) issued to the manufacturer (or producer) authorize the export and reexport of the manufacturer’s encryption items by all persons, wherever located, who are eligible to use the applicable provisions of section 740.17(b) and 742.17(b) of the EAR.

If the manufacturer will not share its ERN, has not filed for an ERN, or you cannot locate the manufacturer’s ERN, then the exporter (non-producer) should file for the exporter’s own ERN.

   
© BIS 2016