News & Insights  |  Alerts

BIS Publishes New Encryption Rule

September 22, 2016

On Tuesday, the Department of Commerce’s Bureau of Industry and Security (BIS) published a final rule easing a number of encryption-related provisions in its Export Administration Regulations (EAR). The amendments improve upon BIS’s prior rules and will streamline and facilitate the export of encryption-related products by expanding previously existing license exceptions and loosening other restrictions.

The new rule adds two Export Control Classification Numbers (ECCNs) to Category 5 Part 2 of the EAR’s Commerce Control List (CCL). In addition to ECCN 5A002 for cryptographic information security items, BIS has added ECCN 5A003 for non-cryptographic information security items and ECCN 5A004 for items defeating, weakening, or bypassing information security. The new ECCNs control certain items formerly classified as 5A002 but do not make any changes to the license requirements or license exceptions formerly applicable to those items.

Additionally, BIS deleted ECCNs 5A992/5D992 .a and .b (along with ECCN 5E992.a), which formally controlled, for example, products that use encryption only for password protection and authentication. These items are now controlled as EAR99 or elsewhere, if applicable (e.g., ECCN 5A991 for certain telecommunications equipment, ECCN 4D993). ECCNs 5A992/5D992 now control only mass market items.

BIS’s new rule also includes a number of changes to License Exception ENC, an exception in the EAR that allows companies to export many encryption products without applying for a license from the U.S. government:

  • Companies no longer are required to submit an encryption registration to BIS before self-classifying and exporting certain encryption items, though much of the information that formerly was included in the registration must now be included in the exporter’s annual encryption self-classification report.
  • If an exporter obtains a commodity classification (CCATS) from BIS for a product that is eligible for self-classification, the exporter no longer needs to include that product in its annual self-classification report.
  • A new exception authorizes exports, reexports, and in-country transfers of non-U.S.-origin items that became subject to the EAR after they were produced among related, private sector end users for internal use (other than development and production of new products) when the parent country is headquartered in a Supplement No. 3 country (License Exception ENC Favorable Treatment Countries).
  • BIS updated the ENC-restricted, or “(b)(2),” performance parameters, including those applicable to network infrastructure products. Among other changes, the aggregate encrypted throughput for controlled WAN, MAN, VPN, backhaul, and long-haul products increased from 90 Mbps to 250 Mbps, and BIS increased the endpoints for controlled media gateways and other unified communications infrastructure to 2,500.
  • Additionally, for items that remain controlled as network infrastructure hardware or software, License Exception ENC now authorizes exports to less sensitive government end users in non-Supplement No. 3 countries 30 days after submission of a classification request. As a result, worldwide encryption licensing arrangements (ELAs) are no longer required to export such items to these end users. ELAs are still required for exports to more sensitive government end users, however. The new rule provides formal definitions of “less sensitive government end user” and “more sensitive government end user,” which are consistent with BIS’s long-standing use of these terms. BIS also clarified that “government end users” include government-owned public schools and universities.
  • Further, Croatia has been added to BIS’s list of Supplement No. 3 countries (License Exception ENC Favorable Treatment Countries).

Other noteworthy changes to BIS’s encryption rules include the following:

  • BIS made revisions to the questions/answers that it typically requires for commodity classification requests in Supplement No. 6 to Part 742 of the EAR.
  • BIS also moved the former notification requirement for publicly available encryption source code in License Exception TSU to Section 742.15(b) of the EAR, and once a notification is sent, the publicly available encryption source code is no longer subject to the EAR.

Overall, although BIS’s changes may require encryption software and hardware companies to make some adjustments to their compliance programs, the revisions ultimately should ease regulatory burdens and generally are favorable to industry.