On March 29, 2021 the Implementation of Wassenaar Arrangement 2019 Plenary Decisions was published in the Federal Register. This rule included changes to license exception ENC Section 740.17 of the EAR.
Here is a summary of the changes made to license exception ENC by this rule.
The U.S. Commerce Control List (CCL) is broken in to 10 Categories 0 – 9 (see Supplement No. 1 to part 774 of the EAR). Encryption items fall under Category 5, Part 2 for Information Security. Cat. 5, Part 2 covers:
• 1) Cryptographic Information Security; (e.g., items that use cryptography)
• 2) Non-cryptographic Information Security (5A003); and
• 3) Defeating, Weakening of Bypassing Information Security (5A004)
You can find a Quick Reference Guide to Cat. 5, Part 2 here.
The controls in Cat. 5, Part 2 include multilateral and unilateral controls. The multilateral controls in Cat. 5, Part 2 of the EAR (e.g., 5A002, 5A003, 5A004, 5B002, 5D002, 5E002) come from the Wassenaar Arrangement List of Dual Use Goods and Technologies. Changes to the multilateral controls are agreed upon by the participating members of the Wassenaar Arrangement. Unilateral controls in Cat. 5, Part 2 (e.g., 5A992.c, 5D992.c, 5E992.b) of the EAR are decided on by the United States.
The main license exception that is used for items in Cat. 5, Part 2 is License Exception ENC (Section 740.17). License exception ENC provides a broad set of authorizations for encryption products (items that implement cryptography) that vary depending on the item, the end-user, the end-use, and the destination. There is no "unexportable" level of encryption under license exception ENC. Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements. Some items going to some destinations require licenses.
This guidance does not apply to items subject to the exclusive jurisdiction of another agency. For example, ITAR USML Categories XI(b),(d), and XIII(b), (l) control software, technical data, and other items specially designed for military or intelligence applications.
The following 2 flowcharts lay out the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography:
Flowchart 1: Items Designed to Use Cryptography Including Items NOT controlled under Category 5 Part 2 of the EAR
Flowchart 2: Classified in Category 5, Part 2 of the EAR
Similarly, the following written outline provides the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography. Although Category 5 Part 2 controls more than just cryptography, most items that are in Category 5 Part 2 fall under 5A002.a, 5A002.b, 5A004, or 5A992 or their software and technology equivalents.
"Encryption Outline"
1. Encryption items that are NOT subject to the EAR (publicly available)
2. Items subject to Cat. 5, Part 2:
a. 5A002.a (and equivalent software under 5D002 c.1) applies to items that:
i. Use ‘cryptography for data confidentiality’; and
ii. Have ‘in excess of 56 bits of symmetric key length, or equivalent’; and
iv. Are described under 5A002 a.1 – a.4; and
v. Are not described by Decontrol notes.
b. 5A992.c (and software equivalence controlled under 5D992.c) is also known as mass market. These items meet all of the above descried under 5A002.a and Note 3 to Category 5, Part 2. See the MASS MARKET section for more information.
c. 5A002.b (and software equivalence controlled under 5D002.b) applies to items designed or modified to enable, by means of “cryptographic activation,” an item to achieve/exceed the controlled performance levels for functionality specified by 5A002.a not otherwise enabled (e.g., license key to enable cryptography).
d. 5A004 (and equivalent software controlled under 5D002.c.3) applies to items designed or modified to perform ‘cryptanalytic functions’ including by means of reverse engineering.
e. The following are less commonly used entries:
5A003 (and equivalent software controlled under 5D002.c.2) applies to communication cables systems designed to detect surreptitious intrusion and also applies to items specially designed to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards.
5A002.c-.e (and equivalent software controlled under 5D002.c.1) controls such things as Quantum Key Distribution, cryptographic techniques for systems using ultra-wideband modulation, and cryptographic techniques to generate spreading code for spread spectrum.
3. License Exception ENC and mass market
If you've gone through the steps above and your product is controlled in Cat. 5, Part 2 under an ECCN other than 5A003 (and equivalent or related software and technology), then it is eligible for at least some part of license exception ENC. The next step is to determine which part of License Exception ENC the product falls under. Knowing which part of ENC the product falls under will tell you what you need to do to make the item eligible for ENC, and where the product can be exported without a license.
Types of authorization available for license exception ENC:
a. Mass Market
b. 740.17(a)
c. 740.17(b)(2)
d. 740.17(b)(3)/Mass market
e. 740.17(b)(1)/ Mass market
4. Once you determine what authorization applies to your product, then you may have to file a classification request, annual self-classification report, and/or semi-annual sales report. The links below provide instructions on how to submit reports and Encryption Reviews:
a. How to file an Annual Self-Classification Report
b. How to file a Semi-annual Report
c. How to Submit an ENC or Mass market classification review
5. After you have submitted the appropriate classification and/or report, there may be some instances in which a license is still required. Information on when a license is required, types of licenses available, and how to submit are below:
a. When a License is Required
b. Types of licenses available
c. How to file a license application
6. FAQs
7. Contact us