[Federal Register: December 9, 2004 (Volume 69, Number 236)]
[Rules and Regulations]
[Page 71356-71364]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09de04-9]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Industry and Security
15 CFR parts 732, 734, 740, 742, 744, and 772
[Docket No. 041022290-4290-01]
RIN 0694-AD19
Encryption Export and Reexport Controls Revisions
AGENCY: Bureau of Industry and Security, Commerce.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This rule revises: the criteria for determining if a foreign
made item incorporating U.S. origin encryption is subject to the Export
Administration Regulations; the notification requirements for beta test
encryption software and certain ``publicly available'' encryption
software; and the review and reporting requirements for exports and
reexports of certain encryption items under License Exception ENC that
are neither ``publicly available'' nor eligible for ``mass market''
treatment. It also makes technical changes.
DATES: This rule is effective December 9, 2004.
ADDRESSES: Send comments concerning this rule via e-mail to
rpd2@bis.doc.gov, fax to (202) 482-3355 or to Regulatory Policy
Division, Bureau of Industry and Security, Room 2705, U.S. Department
of Commerce, Washington, DC 20230. Refer to regulatory identification
number 0694-AD19 in all comments.
FOR FURTHER INFORMATION CONTACT: Norman LaCroix, Director, Information
Technology Controls Division, Office of National Security and
Technology Transfer Controls, (202) 482-4439.
SUPPLEMENTARY INFORMATION: This rule removes the requirement to make a
separate request for de minimis eligibility when submitting a review
request for some encryption commodities and software under License
Exception ENC. Foreign made items incorporating U.S. origin encryption
items that have met specified notification or review requirements under
mass market, License Exception TSU or License Exception ENC procedures
will be treated like foreign made items that incorporate other U.S.
origin items, in determining de minimis eligibility. This rule removes
certain reporting requirements in License Exception TMP regarding beta
test encryption software. This rule reduces the notification
requirements for exports and reexports of certain ``publicly
available'' encryption software that has been posted to the Internet
pursuant to License Exception TSU by removing the requirement to notify
the U.S. Government of updates or modifications if the Internet
location has not changed. This rule simplifies License Exception ENC
review requirements for exports and reexports of eligible encryption
items, by implementing a uniform 30 day period for most encryption
reviews and by clarifying the criteria by which licensing requirements
to certain ``government end-users'' are determined. In connection with
this 30 day period associated with the initial U.S. Government
technical review of an encryption item, this rule authorizes BIS to, at
any time, require additional technical information about an encryption
item submitted for review and, if the information is not furnished, to
suspend or revoke authorization to use License Exception ENC with
respect to the item for which the information is sought. This rule also
expands the list of countries to which certain encryption items may be
sent immediately, once a review request is submitted to the U.S.
Government. The list (Supplement No. 3 to part 740) now covers all
current members of the European Union (EU), to include those countries
that joined the EU on May 1, 2004. This rule updates and clarifies
several encryption review requirements in License Exception ENC and
clarifies the definition of the term ``hold without action'' in the
Export Administration Regulations. This rule also makes some technical
changes, and revises the e-mail address of the ENC Encryption Request
Coordinator from enc@ncsc.mil to enc@nsa.gov to match the current e-
mail address of that organization.
Although this rule is issued in final form and there is no formal
comment period, comments on this rule are welcomed on an ongoing basis.
Determining When a Foreign Made Item Is Subject to the EAR
Section 734.4 of the EAR describes situations under which foreign
made items are not subject to the Export Administration Regulations
because the U.S. origin items that they incorporate are less than a
defined ``de minimis'' percentage of their content. This rule removes
the requirement for U.S. firms to request eligibility for de minimis
treatment when submitting their encryption commodity or software for
review to obtain authorization for export and reexport under License
Exception ENC (Sec. 740.17 of the EAR). As a result, foreign made
items containing most U.S. origin encryption commodities or software
that have met the notification, review or determination requirements
specified in revised Sec. 734.4(b) are now treated, for purposes of de
minimis calculations, in the same way as foreign made items that
incorporate other U.S. origin dual-use items. However, there is no de
minimis eligibility for encryption technology controlled under Export
Control Classification Number (ECCN) 5E002, or for foreign made items
going to a destination in Country Group E:1 when the foreign item
contains U.S. origin restricted encryption content described in Sec.
740.17(b)(2) of the EAR (e.g. network infrastructure commodities and
software controlled under ECCNs 5A002 and 5D002, cryptanalytic items,
and ECCN 5D002 encryption source code that is not ``publicly
available'' as that term is used in License Exception TSU, Sec.
740.13(e)(1) of the EAR). This rule also makes conforming changes to
Sec. 732.2(d) to reflect these new de minimis procedures.
Exports of Beta Test Encryption Software Under License Exception TMP
This rule removes the requirements to report the names and
addresses of testing consignees by removing Sec. 740.9(c)(8)(ii). It
restructures, but makes no other substantive changes to Sec.
740.9(c)(8). It retains the notification requirements of that paragraph
and changes an e-mail address.
Exports of Certain ``Publicly Available'' Encryption Software Under
License Exception TSU
For ``publicly available'' encryption software that has been posted
to the Internet after notification to BIS and the ENC Encryption
Request Coordinator under Sec. 740.13(e), this rule removes the
requirement to provide notice of updates or modifications made to the
encryption software at the previously notified location. This rule
makes no other substantive changes to this section, but substantially
reorganizes it.
[[Page 71357]]
License Exception ENC Review Requirements for Certain Encryption Items
That Are Neither Publicly Available Nor Determined by BIS To Be
Eligible for ``Mass Market'' Treatment
This rule clarifies the scope of License Exception ENC by
replacing, throughout Sec. 740.17, the phrase (and its variants)
``encryption items controlled under ECCN 5A002, 5D002 or 5E002, and
`information security' test, inspection, and production equipment
controlled under ECCN 5B002'' with a list of the specific ECCNs
(including the sub-paragraph number, where needed for clarity) that
identify which items subject to the EAR are eligible for this license
exception. It consolidates the provisions and restrictions that apply
to the entire license exception, in a revised introductory paragraph
and a new paragraph (f), respectively. It removes repetitive references
to such provisions and restrictions from various paragraphs. It also
replaces the ``Grandfathering'' paragraph (former Sec. 740.17(d)(2))
with specific information in paragraphs (a), (b)(2), and (b)(3)
describing the extent to which prior U.S. Government reviews may be
used to satisfy current License Exception ENC encryption review
requirements.
This rule retains the basic structure of License Exception ENC, by
addressing exports and reexports to countries listed in Supplement No.
3 to part 740 in paragraph (a) and exports to other countries in
paragraph (b). Paragraph (b) continues to be further subdivided,
providing separate provisions for exports and reexports to:
Subsidiaries of U.S. companies (paragraph (b)(1)); non-``government
end-users'' for certain restricted items (as described in paragraph
(b)(2)); and both ``government end-users'' and non-``government end-
users'' for all other items (paragraph (b)(3)). However, important
substantive changes and clarifications are made to all of these
paragraphs. Those changes and clarifications are discussed below.
Exports, Reexports and Technical Assistance to Countries Listed in
Supplement No. 3 to Part 740 (Sec. 740.17(a))
This rule revises Sec. 740.17(a) so that the section not only
continues to authorize the export and reexport of encryption items
under specified circumstances, but also allows the provision of
technical assistance related to encryption items (as described in Sec.
744.9 of the EAR), when the technical assistance is provided to end-
users located or headquartered in Canada or in countries listed in
Supplement No. 3 to part 740. This rule also removes the specific
reference in this paragraph to the prohibition on exports or reexports
of encryption source code and technology to nationals of countries
listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR,
as such general restrictions on the use of License Exception ENC have
been consolidated into a new paragraph (f). It also divides paragraph
(a) into three paragraphs designated Sec. 740.17 (a)(1), Sec. 740.17
(a)(2), and Sec. 740.17(a)(3).
Section 740.17(a)(1) eliminates the requirement that the U.S.
Government review the encryption items and related technical assistance
prior to their being provided for internal company use in the
development of new products by private sector end-users that are
headquartered in Canada or in countries listed in Supplement No. 3 to
part 740. However, it retains the requirement that such new product
encryption items developed by those end-users be reviewed by the U.S.
Government before the finished products are transferred to others. It
also defines ``private sector end-user'' for the purposes of this
paragraph.
Section 740.17(a)(2) states that certain items reviewed and
authorized for export and reexport prior to October 19, 2000 are
authorized for continued export and reexport under revised Sec.
740.17(a), without additional U.S. Government review.
Section Sec. 740.17(a)(3) retains the existing License Exception
ENC provisions requiring submission of an encryption review request to
BIS and the ENC Encryption Request Coordinator before export or
reexport of: Finished encryption products to end-users located in
countries listed in Supplement No. 3 to part 740; finished products to
foreign subsidiaries and offices of end-users headquartered in Canada
or in countries listed in Supplement No. 3 to part 740; and other
encryption items (including technology and related technical
assistance) to end-users located in, but not headquartered in,
countries listed in Supplement No. 3 to part 740.
Export and Reexports to Other Countries (Sec. 740.17(b))
This rule makes no substantive changes to paragraph (b)(1), which
deals with exports and reexports to subsidiaries of U.S. companies, but
substantially reorganizes it. As with paragraph (a), the rule also
removes the specific reference in this paragraph to the prohibition on
exports or reexports of encryption source code and technology to
nationals of countries listed in Country Group E:1 in Supplement No. 1
to part 740 of the EAR, as such general restrictions on the use of
License Exception ENC have been consolidated into a new paragraph (f).
This rule replaces the previous illustrative descriptions of
``retail'' and other ``equivalent functionality'' encryption
commodities and software (eligible for export and reexport to both
``government end-users'' and non-``government end-users'' in paragraph
(b)(3)), with an exclusive list in paragraph (b)(2) of those encryption
commodities and software that are eligible only to non- ``government
end-users''. Except for commodities and software that provide an ``open
cryptographic interface'' or that are specified in paragraph (b)(2),
all encryption products eligible for License Exception ENC qualify
under paragraph (b)(3), thereby removing the need for ``retail'' or
other ``equivalent functionality'' considerations.
This rule also replaces the requirement for obtaining specific U.S.
Government authorization before exporting or reexporting under
paragraph (b)(3) with a 30 day waiting period, calculated in calendar
days beginning with the date that an encryption review request for the
commodity or software is registered with BIS. For encryption reviews
that are not completed by BIS within this 30 day period, the exporter
may ship after the waiting period has elapsed. As with similar
requirements in the current rule, the 30 day waiting period does not
include any time that BIS places the review request on ``hold without
action''. Upon completion of BIS's review, BIS will provide written
notice of the provisions, if any, of Sec. 740.17 under which the
encryption item may be exported or reexported.
This rule also removes the word ``retail'' from Sec. 740.17(b)(3),
except in paragraph (b)(3)(ii)(A), which describes the extent to which
items previously classified as ``retail'' may be exported and
reexported under paragraph (b)(3) without further U.S. Government
review. BIS believes that these changes will help readers more readily
distinguish the procedure for making certain non-``mass-market''
encryption commodities and software eligible for export and reexport
under License Exception ENC from the procedure by which ``mass market''
encryption commodities and software are removed from the scope of ECCNs
5A002 or 5D002 pursuant to Sec. 742.15(b)(2) of the EAR.
Reporting Requirements (Sec. 740.17(e))
This rule clarifies that the semi-annual reporting requirements of
License Exception ENC apply to exports
[[Page 71358]]
from the United States to all destinations except Canada, and to
reexports from Canada to other foreign destinations. In conformance
with the revisions to Sec. 740.17(b)(3), under paragraph (e)(4)
(``Exclusions from reporting requirements'') this rule removes the word
``retail'' and the phrase ``designed for, bundled with, or pre-loaded
on single CPU computers, laptops or hand-held devices.''
Other Changes to License Exception ENC
This rule eliminates all references to requesting eligibility for
de minimis treatment from License Exception ENC because such special
requests are no longer required due to the changes in Sec. Sec.
734.4(a)(2) and 734.4(b) made by this rule. This rule revises Sec.
740.17(d) by changing the title from ``Review requirements'' to
``Review request procedures'' to more accurately reflect its contents.
This rule also substantially reorganizes paragraph (d)(3) and
institutes an e-mail notification procedure in place of the previous
requirement that product key length increases authorized under this
paragraph be certified to BIS and the ENC Encryption Request
Coordinator in a letter from a corporate official.
Lastly, this rule contains a new provision authorizing BIS to
contact the submitter of a review request at any time, even after the
30-day waiting periods prescribed in Sec. Sec. 740.17(b)(2)(ii) or
740.17(b)(3)(ii)(B) have passed, to request additional information
about an encryption item. If the submitter does not supply the
requested information within 14 days after receiving the request from
BIS, BIS may suspend or revoke the submitter's right to use License
Exception ENC for the item about which the additional information is
sought. If the submitter requests additional time to collect the
information before the date it is due to BIS, BIS may grant up to an
additional 14 days if BIS concludes that such additional time is
necessary.
Supplement No. 3 to Part 740
This rule adds Cyprus, Estonia, Latvia, Lithuania, Malta, Slovakia
and Slovenia to Supplement No. 3 to part 740 because those countries
were admitted to the European Union on May 1, 2004 and were not
previously listed in this supplement. (Although the Czech Republic,
Hungary and Poland were also admitted to the European Union on May 1,
2004, these three countries were previously listed in Supplement No. 3
to part 740.) This supplement identifies the countries that are
eligible to receive both ``mass-market'' encryption products and non-
``mass-market'' encryption items from the United States, immediately
after the U.S. origin items are registered with BIS for review (i.e.,
without a 30 day waiting period) under Sec. 740.17(a) or Sec.
742.15(b)(2) of the EAR. The addition of these countries to Supplement
No. 3 continues the United States Government's practice of authorizing
such immediate exports and reexports of encryption items to countries
in the European Union's license-free zone. This rule also changes the
title of this supplement from ``License Exception ENC country group.''
to ``Countries eligible for the provisions of Sec. 740.17(a).'' The
revised title more accurately describes the supplement, which lists the
countries that are relevant to the provisions of Sec. 740.17(a) but
does not set forth any geographic limitation on the use of other
provisions of License Exception ENC.
Section 742.15
This rule adds to Sec. 742.15(b)(1) the e-mail addresses of BIS
and the ENC Encryption Request Coordinator to which advance
notifications of exports and reexports of encryption items controlled
under ECCNs 5A992, 5D992 or 5E992 must be sent if a person wishes to
export or reexport such items without a license under this section.
Supplement No. 6 to Part 742
To expedite the handling of encryption review requests and reduce
the need for U.S. Government requests for additional information from
submitters, this rule revises paragraph (c)(8) to require that similar
information be provided regarding third-party encryption hardware
components as is currently required for software components. This rule
also revises paragraph (c)(11) by eliminating the word ``retail'' in
conformance with the revisions to Sec. 740.17(b)(3).
Section 744.9
This rule updates the paragraph pertaining to ``Restrictions on
Technical Assistance by U.S. Persons with Respect to Encryption Items''
by replacing a previous reference to ``classification request'' with
``encryption review request'', and by adding references to Sec.
740.17(a)(1) and Sec. 740.17(a)(3) in conformance with the revisions
to License Exception ENC.
Section 772.1--Definition of ``Hold Without Action''
This rule adds a sentence to the end of the definition to make
clear that, unlike the procedure for license applications, BIS is not
restricted to the circumstances described in Sec. 750.4(c) of the EAR
when determining that an encryption review request may be placed on
``hold without action'' status.
Administrative Changes
This rule revises the e-mail address of the ENC Encryption Request
Coordinator wherever it appears in Sec. 740.9, Sec. 740.13, and Sec.
740.17 from enc@ncsc.mil to enc@nsa.gov to reflect the current e-mail
address of that organization. In Sec. 740.17(e)(5)(i), this rule
revises the mailing address of the BIS office to which semi-annual
License Exception ENC reports are sent, to reflect the current name of
that office.
Although the Export Administration Act expired on August 20, 2001,
Executive Order 13222 of August 17, 2001 (3 CFR, 2001 Comp., p. 783
(2002)), as extended by the Notice of August 6, 2004, 69 FR 48763
(August 10, 2004) continues the Regulations in effect under the
International Emergency Economic Powers Act.
Rulemaking Requirements:
1. This rule has been determined to be significant for purposes of
E.O. 12866.
2. Notwithstanding any other provision of law, no person is
required to respond to, nor shall any person be subject to a penalty
for failure to comply with a collection of information, subject to the
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et
seq.) (PRA), unless that collection of information displays a currently
valid Office of Management and Budget (OMB) Control Number. This rule
contains collections of information subject to the PRA. These
collections have been approved by OMB under control number 0694-0088,
``Multi-Purpose Application,'' which carries a burden hour estimate of
58 minutes to prepare and submit form BIS-748, and control number 0694-
0104 ``Encryption Items Under the Jurisdiction of the Department of
Commerce, Forms BIS 742R and 742S'' which carries a total estimated
burden of 2,830 hours among an estimated 680 respondents. Send comments
regarding these burden estimates or any other aspect of these
collections of information, including suggestions for reducing the
burden, to David Rostker, OMB Desk Officer, by e-mail at
david_rostker@omb.eop.gov or by fax to 202.395.285; and to the Regulatory
Policy Division, Bureau of Industry and Security, Department of
Commerce, P.O. Box 273, Washington, DC 20044.
3. This rule does not contain policies with Federalism implications
as this term is defined in Executive Order 13132.
4. The provisions of the Administrative Procedure Act (5 U.S.C.
[[Page 71359]]
553) requiring notice of proposed rulemaking, the opportunity for
public participation, and a delay in effective date, are inapplicable
because this regulation involves a military and foreign affairs
function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no
other law requires that a notice of proposed rulemaking and an
opportunity for public comment be given for this rule. Because a notice
of proposed rulemaking and an opportunity for public comment are not
required to be given for this rule under 5 U.S.C. 553 or by any other
law, the analytical requirements of the Regulatory Flexibility Act (5
U.S.C. 601 et seq. ) are not applicable. Therefore, this rule is being
issued in final form.
List of Subjects
15 CFR Parts 732 and 740
Administrative practice and procedure, Exports, Reporting and
recordkeeping requirements.
15 CFR Part 734
Administrative practice and procedure, Exports, Inventions and
patents, Research, Science and technology.
15 CFR Part 742
Exports, Terrorism.
15 CFR Part 744
Exports, Reporting and recordkeeping requirements, Terrorism.
15 CFR Part 772
Exports.
0
Accordingly, parts 732, 734, 740, 742, 744 and 772 of the Export
Administration Regulations (15 CFR parts 730-799) are amended as
follows:
PART 732--[AMENDED]
0
1. The authority citation for part 732 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 6, 2004, 69 FR
48763 (August 10, 2004).
0
2. In Sec. 732.2 revise the introductory text of paragraph (d) to read
as follows.
Sec. 732.2 Steps regarding scope of the EAR.
* * * * *
(d) Step 4: Foreign-made items incorporating less than the de
minimis level of U.S. parts, components, and materials. This step is
appropriate only for items that are made outside the United States and
not currently in the United States. Special requirements and
restrictions apply to items that incorporate U.S. origin encryption
items (see Sec. 734.4(a)(2) and (b) of the EAR).
* * * * *
PART 734--[AMENDED]
0
3. The authority citation for part 734 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61
FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p.
783; Notice of August 6, 2004, 69 FR 48763 (August 10, 2004); Notice
of November 4, 2004, 69 FR 64637 (November 8, 2004).
0
4. In Sec. 734.4 revise paragraph (a)(2), add paragraph (b), and
revise the introductory texts of paragraphs (c) and (d) to read as
follows:
Sec. 734.4 De Minimis U.S. Content.
(a) * * *
(2) Foreign produced encryption technology that incorporates U.S.
origin encryption technology controlled by ECCN 5E002 is subject to the
EAR regardless of the amount of U.S. origin content.
* * * * *
(b) Special requirements for certain encryption items. Foreign made
items that incorporate U.S. origin items that are listed in this
paragraph are subject to the EAR unless they meet the de minimis level
and destination requirements of paragraph (c) or (d) of this section
and the requirements of this paragraph.
(1) The U.S. origin commodities or software, if controlled under
ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002, must have been:
(i) Authorized for license exception TSU because of having met the
notification requirements of Sec. 740.13(e) of the EAR (ECCN 5D002
only);
(ii) Authorized for License Exception ENC by BIS after a review
pursuant to Sec. 740.17(b)(3) of the EAR; or
(iii) Authorized for License Exception ENC by BIS after a review
pursuant to Sec. 740.17(b)(2), and the foreign made product will not
be sent to any destination in Country Group E:1 in Supplement No. 1 to
part 740 of the EAR.
(2) The U.S. origin encryption items, if controlled under ECCNs
5A992, 5D992, or 5E992 must:
(i) Have met the notification requirements of Sec. 742.15(b)(1) of
the EAR; or
(ii) Have been determined by BIS to be ``mass market'' commodities
or software after a review in accordance with Sec. 742.15(b)(2) of the
EAR (ECCNs 5A992 and 5D992 only); or
(iii) Be an item described in Sec. 742.15(b)(3)(ii) or Sec.
742.15(b)(3)(iii) of the EAR.
Note to paragraph (b): See supplement No. 2 to this part for de
minimis calculation procedures and reporting requirements.
(c) Except as provided in paragraphs(a) and (b)(1)(iii) and subject
to the provisions of paragraphs (b)(1)(i), (b)(1)(ii) and (b)(2) of
this section, the following reexports are not subject to the EAR when
made to a terrorist-supporting country listed in Country Group E:1 (see
Supplement No. 1 to part 740 of the EAR).
* * * * *
(d) Except as provided in paragraph (a) of this section and subject
to the provisions of paragraph (b) of this section, the following
reexports are not subject to the EAR when made to countries other than
those described in paragraph (c) of this section.
* * * * *
PART 740--[AMENDED]
0
5. The authority citation for part 740 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
Sec. 901-911, Pub. L. 106-387; E.O. 13026, 61 FR 58767, 3 CFR, 1996
Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783;
Notice of August 6, 2004, 69 FR 48763 (August 10, 2004).
0
6. In Sec. 740.9, revise paragraph (c)(8) to read as follows:
Sec. 740.9 Temporary imports, exports, and reexports (TMP).
* * * * *
(c) * * *
(8) Notification of beta test encryption software. For beta test
encryption software eligible under this license exception you must, by
the time of export or reexport, submit the information described in
paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR
by e-mail to BIS at crypt@bis.doc.gov and to the ENC Encryption Request
Coordinator at enc@nsa.gov.
0
7. In Sec. 740.13, revise paragraph (e) as follows.
Sec. 740.13 Technology and software--unrestricted (TSU).
* * * * *
(e) Encryption source code (and corresponding object code).
(1) Scope and eligibility. This paragraph (e) authorizes exports
and reexports, without review, of encryption source code controlled by
ECCN 5D002 that, if not controlled by ECCN 5D002, would be considered
publicly available under Sec. 734.3(b)(3) of the EAR. Such
[[Page 71360]]
source code is eligible for License Exception TSU under this paragraph
(e) even if it is subject to an express agreement for the payment of a
licensing fee or royalty for commercial production or sale of any
product developed using the source code. This paragraph also authorizes
the export and reexport of the corresponding object code (i.e., that
which is compiled from source code that is authorized for export and
reexport under this paragraph) if both the object code and the source
code from which it is compiled would be considered publicly available
under Sec. 734.3(b)(3) of the EAR, if they were not controlled under
ECCN 5D002.
(2) Restrictions. This paragraph (e) does not authorize:
(i) Export or reexport of any encryption software controlled under
ECCN 5D002 that does not meet the requirements of paragraph (e)(1),
even if the software incorporates or is specially designed to use other
encryption software that meets the requirements of paragraph (e)(1) of
this section; or
(ii) Any knowing export or reexport to a country listed in Country
Group E:1 in Supplement No. 1 to part 740 of the EAR.
(3) Notification requirement. You must notify BIS and the ENC
Encryption Request Coordinator via e-mail of the Internet location
(e.g., URL or Internet address) of the source code or provide each of
them a copy of the source code at or before the time you take action to
make the software publicly available as that term is described in Sec.
734.3(b)(3) of the EAR. If you elect to meet this requirement by
providing copies of the source code to BIS and the ENC Encryption
Request Coordinator, you must provide additional copies to each of them
each time the cryptographic functionality of the software is updated or
modified. If you elect to provide the Internet location of the source
code, you must notify BIS and the ENC Encryption Request Coordinator
each time the Internet location is changed, but you are not required to
notify them of updates or modifications made to the encryption software
at the previously notified location. In all instances, submit the
notification or copy to crypt@bis.doc.gov and to enc@nsa.gov.
Note to paragraph (e). Posting encryption source code and
corresponding object code on the Internet (e.g., FTP or World Wide
Web site) where it may be downloaded by anyone neither establishes
``knowledge'' of a prohibited export or reexport for purposes of
this paragraph, nor triggers any ``red flags'' necessitating the
affirmative duty to inquire under the ``Know Your Customer''
guidance provided in Supplement No. 3 to part 732 of the EAR.
0
8. In Sec. 740.17, revise the introductory text and paragraphs (a),
(b), (d) and (e), and add paragraph (f) to read as follows:
Sec. 740.17 Encryption software and commodities (ENC).
Subject to the eligibility criteria and restrictions described in
paragraphs (a), (b) and (f) of this section, License Exception ENC is
available for the export and reexport of: commodities and software
controlled by ECCNs 5A002.a.1, .a.2, .a.5, and .a.6, 5B002, and 5D002
that do not meet the ``mass market'' criteria of the Cryptography Note
(Note 3) of Category 5, part 2 (``Information Security'') of the
Commerce Control List (Supplement No. 1 to part 774 of the EAR);
technology controlled by ECCN 5E002; and certain technical assistance
as described in Sec. 744.9 of the EAR. The initial export or reexport
of an encryption commodity or software under paragraphs (b)(2) or
(b)(3) of this section is subject to a 30 day waiting period, as
described in paragraph (d)(2) of this section. In addition, persons
exporting or reexporting under paragraphs (a), (b)(2) or (b)(3) of this
section must file the semi-annual reports required by paragraph (e) of
this section. Review request procedures for encryption items eligible
for License Exception ENC are described in paragraph (d) of this
section (e.g., for items that have not previously been reviewed, or for
items that have been reviewed but for which the cryptographic
functionality has been changed). See Sec. 742.15(b)(2) of the EAR for
similar review procedures for ``mass market'' encryption commodities
and software.
(a) Exports, reexports, and technical assistance to countries
listed in Supplement No. 3 to this part. This paragraph (a) authorizes
export or reexport of items controlled under ECCNs 5A002.a.1, .a.2,
.a.5, or .a.6, 5B002, 5D002, or 5E002, and provision of technical
assistance described in Sec. 744.9 of the EAR, to end-users in
countries listed in Supplement No. 3 to part 740 of the EAR. This
paragraph also authorizes exports or reexports to foreign subsidiaries
and offices of end-users headquartered in Canada or in countries listed
in Supplement No. 3 to part 740. In addition, the transaction must meet
the terms of paragraphs (a)(1), (a)(2), or (a)(3) of this section.
(1) Internal development of new products. No prior review is
required for exports or reexports of U.S. origin encryption items or
related technical assistance under this paragraph (a) to private sector
end-users that are headquartered in Canada or in countries listed in
Supplement No. 3 to part 740, for internal use for the development of
new products by those end-users and their offices or subsidiaries. Any
encryption item produced or developed with an item exported or
reexported under this paragraph (a)(1) is subject to the EAR and
requires review and authorization before any sale or retransfer outside
of the private sector end-user that developed it. In this paragraph
(a)(1), private sector end-user means:
(i) An individual who is not acting on behalf of any foreign
government; or
(ii) A commercial firm (including its subsidiary and parent firms,
and other subsidiaries of the same parent) that is not wholly owned by,
or otherwise controlled by or acting on behalf of, any foreign
government.
(2) Items previously reviewed by the U.S. Government. No additional
U.S. Government review is required under this paragraph (a) for export
or reexport of encryption commodities or software or parts or
components thereof that, prior to October 19, 2000, were authorized for
export or reexport under a license or Encryption Licensing Arrangement,
or were reviewed and authorized for export and reexport to entities
other than U.S. subsidiaries under License Exception ENC. No additional
U.S. Government review is required under this paragraph for export or
reexport of encryption technology that, prior to October 19, 2000, was
approved for export or reexport under a license or Encryption Licensing
Arrangement.
(3) Other transactions. For any use not described in paragraph
(a)(1) of this section, before you export or reexport any item or
related technical assistance that has not been previously reviewed by
the U.S. Government and authorized under this paragraph (a), you must
submit a review request in accordance with paragraph (d) of this
section.
(b) Exports and reexports to countries not listed in supplement No.
3 to this part. (1) Encryption items for U.S. subsidiaries. This
paragraph (b)(1) authorizes export, or reexport or items controlled
under ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002, 5D002 or 5E002:
(i) To any ``U.S. subsidiary''; and
(ii) By a U.S. company and its subsidiaries to foreign nationals
who are employees, contractors or interns of a U.S. company or its
subsidiaries if the items are for internal company use, including the
development of new products.
(iii) General restriction. All items produced or developed with
commodities, software or technology exported under this paragraph
(b)(1) are
[[Page 71361]]
subject to the EAR and require review and authorization before sale or
transfer outside the U.S. company and its subsidiaries.
(2) Encryption commodities and software restricted to non-
``government end-users.'' This paragraph (b)(2) authorizes the export
and reexport of items described in Sec. 740.17(b)(2)(iii) of the EAR
that do not provide an ``open cryptographic interface'' and that are
controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, or 5D002 to
individuals, commercial firms, and other entities that are not
``government end-users'' and that are not located in a country listed
in Supplement No. 3 to this part. In addition, the transaction must
meet the provisions of either Sec. 740.17(b)(2)(i) or (ii) of the EAR.
(i) Commodities and software previously reviewed by the U.S.
Government. No additional U.S. Government review is required under this
paragraph (b)(2) for export or reexports of encryption commodities or
software or parts or components thereof that, prior to October 19,
2000, were authorized for export or reexport under a license or
Encryption Licensing Arrangement, or were reviewed and authorized for
export and reexport to entities other than U.S. subsidiaries under
License Exception ENC.
(ii) Other commodities and software not previously reviewed. Before
exporting or reexporting any item that has not been reviewed by the
U.S. Government and authorized under this paragraph (b)(2), you must
submit a review request in accordance with paragraph (d) of this
section and wait until 30 days after that request is registered (as
defined in Sec. 750.4(a)(2) of the EAR) with BIS. Days during which
the review request is on ``hold without action'' status are not counted
towards fulfilling the 30 day waiting period.
(iii) The encryption commodities, software and components eligible
for export or reexport under this paragraph (b)(2) (see paragraph
(b)(3) of this section for commodities, software and components not
listed in this paragraph (b)(2)(iii)) are:
(A) Network infrastructure commodities and software, and parts and
components thereof (including commodities and software necessary to
activate or enable cryptographic functionality in network
infrastructure products) providing secure Wide Area Network (WAN),
Metropolitan Area Network (MAN), Virtual Private Network (VPN),
satellite, cellular or trunked communications meeting any of the
following with key lengths exceeding 64-bits for symmetric algorithms:
(1) Aggregate encrypted WAN, MAN, VPN or backhaul throughput
(includes communications through wireless network elements such as
gateways, mobile switches, controllers, etc.) greater than 44 Mbps.; or
(2) Wire (line), cable or fiber-optic WAN, MAN or VPN single-
channel input data rate exceeding 44 Mbps; or
(3) Maximum number of concurrent encrypted data tunnels or channels
exceeding 250; or
(4) Air-interface coverage (e.g., through base stations, access
points to mesh networks, bridges, etc.) exceeding 1,000 meters, where
any of the following applies:
(i) Maximum data rates exceeding 5 Mbps (at operating ranges beyond
1,000 meters); or
(ii) Maximum number of concurrent full-duplex voice channels
exceeding 30; or
(iii) Substantial support is required for installation or use.
(B) Encryption source code that would not be eligible for export or
reexport under License Exception TSU because it is not publicly
available as that term is used in Sec. 740.13(e)(1) of the EAR.
(C) Encryption commodities or software that do not provide an
``open cryptographic interface'', but that have:
(1) Been modified or customized for government end-user(s) or
government end-use (e.g. to secure departmental, police, state
security, or emergency response communications); or
(2) Cryptographic functionality that has been modified or
customized to customer specification; or
(3) Cryptographic functionality or ``encryption component'' (except
encryption software that would be considered publicly available, as
that term is used in Sec. 740.13(e)(1) of the EAR) that is user-
accessible and can be easily changed by the user.
(D) ``Cryptanalytic items''; or
(E) Encryption commodities and software that provide functions
necessary for quantum cryptography; or
(F) Encryption commodities and software that have been modified or
customized for computers controlled by ECCN 4A003.
(3) Encryption commodities, software and components available to
both ``government end-users'' and to non-``government end-users''. This
paragraph authorizes export and reexport of commodities, software and
components controlled by ECCNs 5A002.a.1, .a.2, .a.5, or .a.6, 5B002,
or 5D002. To be eligible under this paragraph (b)(3) the requirements
of paragraphs (b)(3)(i) and (b)(3)(ii) must be met.
(i) The commodities or software must not:
(A) Provide an ``open cryptographic interface''; or
(B) Be listed in paragraph (b)(2) of this section.
(ii) Review and authorization requirement. (A) Commodities and
software previously reviewed by the U.S. Government. Encryption
commodities, software and components reviewed and authorized by BIS for
export and reexport as ``retail'' commodities or software under this
paragraph (b)(3) prior to December 9, 2004 do not require additional
review or authorization for export or reexport under this paragraph.
(B) Other commodities and software not previously reviewed. Before
exporting or reexporting any item that has not been reviewed by the
U.S. Government and authorized under this paragraph (b)(3), you must
submit a review request in accordance with paragraph (d) of this
section and wait until 30 days after that request is registered (as
defined in Sec. 750.4(a)(2) of the EAR) with BIS. Days during which
the review request is on ``hold without action'' are not counted
towards fulfilling the 30 day waiting period.
(4) Exemptions from the 30 day waiting period and review
requirements. (i) Exemptions from the 30 day waiting period. Items
listed in this paragraph (b)(4)(i) may be exported or reexported under
authority of paragraphs (b)(2) or (b)(3) immediately upon filing the
review requests required by those paragraphs provided all other
requirements for export or reexport under the paragraph being relied
upon are met.
(A) Encryption commodities and software (including key management
products) with key lengths not exceeding 64 bits for symmetric
algorithms, 1024 bits for asymmetric key exchange algorithms, and 160
bits for elliptic curve algorithms;
(B) Encryption source code that would not be considered publicly
available for export or reexport under License Exception TSU, provided
that a copy of your source code is included in the review request to
BIS and the ENC Encryption Request Coordinator.
(ii) Exemptions from the review requirement. The following products
do not require review under this license exception, but remain subject
to the EAR (including all terms and provisions of this license
exception, and all licensing requirements that may apply to a
particular item or transaction for reasons other than encryption):
(A) Commodities and software that would not otherwise be controlled
under Category 5 (telecommunications
[[Page 71362]]
and ``information security'') of the Commerce Control List, but that
are controlled under ECCN 5A002 or 5D002 only because they incorporate
components or software that provide short-range wireless encryption
functions (e.g., with an operating range typically not exceeding 100
meters);
(B) Foreign products developed with or incorporating U.S.-origin
encryption source code, components or toolkits (or otherwise designed
to operate with U.S. products, e.g., via signing), provided that the
U.S.-origin encryption items (and related technical assistance, as
described in Sec. 744.9 of the EAR) have previously been reviewed and
authorized by BIS and the cryptographic functionality has not been
changed.
* * * * *
(d) Review request procedures. To request review of your encryption
items under License Exception ENC (e.g., for items that have not
previously been reviewed, or for items that have been reviewed but for
which the cryptographic functionality has been changed), you must
submit to BIS and to the ENC Encryption Request Coordinator the
information described in paragraph (d)(1) of this section and in
paragraphs (a) through (e) of Supplement No. 6 to part 742 of the EAR
(Guidelines for Submitting Review Requests for Encryption Items).
(1) Instructions for requesting review. Review requests must be
submitted on Form BIS-748P (Multipurpose Application), or its
electronic equivalent, as described in Sec. 748.3 of the EAR. To
ensure that your review request is properly routed, insert the phrase
``License Exception ENC'' in Block 9 (Special Purpose) of the paper or
electronic application. Also, place an ``X'' in the box marked
``Classification Request'' in Block 5 (Type of Application) of Form
BIS-748P or select ``Commodity Classification'' if filing
electronically. Neither the electronic nor paper forms provide a
separate Block to check for the submission of encryption review
requests. Failure to properly complete these items may delay
consideration of your review request. Review requests that are not
submitted electronically to BIS should be mailed to the address
indicated on the BIS-748P form. See paragraph (e)(5)(ii) of this
section for the mailing address for the ENC Encryption Request
Coordinator.
(2) Action by BIS. Upon completion of its review, BIS will send you
written notice of the provisions, if any, of this section under which
your items may be exported or reexported. If BIS has not, within 30
days of registration of a complete review request from you, informed
you that your item is not authorized for License Exception ENC, you may
export or reexport under the applicable provisions of License Exception
ENC. BIS may hold your review request without action if necessary to
obtain additional information or for any other reason necessary to
ensure an accurate determination with respect to ENC eligibility. Time
on such ``hold without action'' status shall not be counted towards
fulfilling the 30 day waiting period specified in this paragraph and in
paragraphs (b)(2) and (b)(3) of this section. BIS may require you to
supply additional relevant technical information about your encryption
item(s) or information that pertains to their eligibility for License
Exception ENC at any time, before or after the expiration of the 30 day
waiting period specified in this paragraph and in paragraphs (b)(2) and
(b)(3) of this section. If you do not supply such information within 14
days after receiving a request for it from BIS, BIS may return your
review request(s) without action or otherwise suspend or revoke your
eligibility to use License Exception ENC for that item(s). At your
request, BIS may grant you up to an additional 14 days to provide the
requested information. Any request for such an additional number of
days must be made prior to the date by which the information was
otherwise due to be provided to BIS, and may be approved if BIS
concludes that additional time is necessary.
(3) Key length increases. Commodities and software that are
modified only to upgrade the key length used for confidentiality or key
exchange algorithms (after having been reviewed and authorized for
License Exception ENC by BIS) may be exported or reexported under the
previously authorized provision of License Exception ENC without
further review, provided:
(i) The exporter or reexporter certifies to BIS and the ENC
Encryption Request Coordinator that no change to the encryption
functionality has been made other than to upgrade the key length for
confidentiality or key exchange algorithms;
(ii) The certification includes the original authorization number
issued by BIS and the date of issuance;
(iii) The certification is received by BIS and the ENC Encryption
Request Coordinator before the export or reexport of the upgraded
product; and
(iv) The certification is e-mailed to
crypt@bis.doc.gov and enc@nsa.gov.
(e) Reporting requirements. (1) Semi-annual reporting requirement.
Semi-annual reporting is required for exports to all destinations other
than Canada, and for reexports from Canada, under this license
exception. Certain encryption items and transactions are excluded from
this reporting requirement (see paragraph (e)(4) of this section). For
instructions on how to submit your reports, see paragraph (e)(5) of
this section.
(2) General information required. Exporters must include all of the
following applicable information in their reports:
(i) For items exported (or reexported from Canada) to a distributor
or other reseller, including subsidiaries of U.S. firms, the name and
address of the distributor or reseller, the item and the quantity
exported or reexported and, if collected by the exporter as part of the
distribution process, the end-user's name and address;
(ii) For items exported (or reexported from Canada) to individual
consumers through direct sale (provided the transaction is not exempted
from reporting under paragraph (e)(4)(iii) or (e)(4)(iv) of this
section), the name and address of the recipient, the item, and the
quantity exported;
(iii) For exports of ECCN 5E002 items to be used for technical
assistance that are not released by Sec. 744.9 of the EAR, the name
and address of the end-user; and
(iv) For each item, the authorization number and the name of the
item(s) exported (or reexported from Canada).
(3) Information on foreign manufacturers and products that use
encryption items. For direct sales or transfers, under License
Exception ENC, of encryption components, source code, general purpose
toolkits, equipment controlled under ECCN 5B002, technology, or items
that provide an ``open cryptographic interface'' to foreign developers
or manufacturers when intended for use in foreign products developed
for commercial sale, you must submit the names and addresses of the
manufacturers using these encryption items and, if you know when the
product is made available for commercial sale, a non-proprietary
technical description of the foreign products for which these
encryption items are being used (e.g., brochures, other documentation,
descriptions or other identifiers of the final foreign product; the
algorithm and key lengths used; general programming interfaces to the
product, if known; any standards or protocols that the foreign product
adheres to; and source code, if available).
[[Page 71363]]
(4) Exclusions from reporting requirements. Reporting is not
required for the following items and transactions:
(i) Any encryption item exported or reexported under paragraph
(a)(1) or (b)(1) of this section;
(ii) Encryption commodities or software with a symmetric key length
not exceeding 64 bits;
(iii) Encryption commodities and software authorized under
paragraph (b)(3) of this section, exported (or reexported from Canada)
to individual consumers;
(iv) Encryption items exported (or reexported from Canada) via free
and anonymous download;
(v) Encryption items from or to a U.S. bank, financial institution
or its subsidiaries, affiliates, customers or contractors for banking
or financial operations;
(vi) Items that incorporate components limited to providing short-
range wireless encryption functions;
(vii) General purpose operating systems, or desktop applications
(e.g., e-mail, browsers, games, word processing, data base, financial
applications or utilities) authorized under paragraph (b)(3) of this
section;
(viii) Client Internet appliance and client wireless LAN cards; or
(ix) Foreign products developed by bundling or compiling of source
code.
(5) Submission requirements. You must submit the reports required
under this section, semi-annually, to BIS and to the ENC Encryption
Request Coordinator, unless otherwise provided in this paragraph
(e)(5). For exports occurring between January 1 and June 30, a report
is due no later than August 1 of that year. For exports occurring
between July 1 and December 31, a report is due no later than February
1 the following year. These reports must be provided in electronic
form. Recommended file formats for electronic submission include
spreadsheets, tabular text or structured text. Exporters may request
other reporting arrangements with BIS to better reflect their business
models. Reports may be sent electronically to BIS at crypt@bis.doc.gov
and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks
and CDs containing the reports may be sent to the following addresses:
(i) Department of Commerce, Bureau of Industry and Security, Office
of National Security and Technology Transfer Controls, 14th Street and
Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn:
Encryption Reports, and
(ii) Attn: ENC Encryption Request Coordinator, 9800 Savage Road,
Suite 6131, Ft. Meade, MD 20755-6000.
(f) Restrictions. Notwithstanding any language elsewhere in this
section, License Exception ENC does not authorize:
(1) Any export or reexport of any ``cryptanalytic item'' to any
``government end-user'' (as that definition is applied to encryption
items); or
(2) Any export or reexport of any ``open cryptographic interface''
item to any end-user not located in or headquartered in Canada or in
countries listed in Supplement No. 3 part 740 of the EAR; or
(3) Any export or reexport to, or provision of any service in any
country listed in Country Group E:1 in Supplement No. 1 to part 740 of
the EAR; or
(4) Furnishing source code or technology to any national of a
country listed in Country Group E:1.
0
9. Revise Supplement No. 3 to part 740 to read as follows:
Supplement No. 3 to Part 740--Countries Eligible for the Provisions of
Sec. 740.17(a)
Austria.
Australia.
Belgium.
Cyprus.
Czech Republic.
Estonia.
Denmark.
Finland.
France.
Germany.
Greece.
Hungary.
Ireland.
Italy.
Japan.
Latvia.
Lithuania.
Luxembourg.
Malta.
Netherlands.
New Zealand.
Norway.
Poland.
Portugal.
Slovakia.
Slovenia.
Spain.
Sweden.
Switzerland.
United Kingdom.
PART 742--AMENDED
0
10. The authority citation for part 742 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a;
Sec. 901-911, Pub. L. 106-387; Sec. 221, Pub. L. 107-56; Sec 1503,
Pub.L. 108-11,117 Stat. 559; E.O. 12058, 43 FR 20947, 3 CFR, 1978
Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608;
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61
FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR,
2001 Comp., p. 783; Presidential Determination 2003-23 of May 7,
2003, 68 FR 26459, May 16, 2003; Notice of August 6, 2004, 69 FR
48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637
(November 8, 2004).
0
11. In Sec. 742.15, revise the first sentence of paragraph (b)(1) and
the last sentence of the introductory text to paragraph (b)(2) to read
as follows:
Sec. 742.15 Encryption items.
* * * * *
(b) * * *
(1) Notification requirement for specified encryption items. You
may export or reexport encryption items controlled under ECCNs 5A992,
5D992, or 5E992 and identified in paragraphs (b)(1)(i) or (b)(1)(ii) of
this section to most destinations without a license (NLR: No License
Required), provided that you have submitted to BIS and to the ENC
Encryption Request Coordinator at crypt@bis.doc.gov and enc@nsa.gov, by
the time of export, the information described in paragraphs (a) through
(e) of Supplement No. 6 to this part. * * *
* * * * *
(2) Review requirement for mass market encryption commodities and
software exceeding 64 bits. * * * Encryption commodities and software
that are described in Sec. 740.17(b)(2) of the EAR do not qualify for
mass market treatment.
* * * * *
0
12. In part 742, Supplement Number 6, revise paragraphs (c)(8) and
(c)(11) to read as follows:
Supplement No. 6 to Part 742--Guidelines for Submitting Review Requests
for Encryption Items
* * * * *
(c) * * *
(8) Describe the cryptographic functionality that is provided by
third-party hardware or software encryption components (if any).
Identify the manufacturers of the hardware or software components,
including specific part numbers and version information as needed to
describe the product. Describe whether the encryption software
components (if any) are statically or dynamically linked.
* * * * *
(11) For products that meet the requirements of Sec.
740.17(b)(3)--
[[Page 71364]]
Encryption commodities, software and components available to both
``government end-users'' and to non-``government end-users''--describe
how they are not restricted by the provisions of Sec. 740.17(b)(2).
* * * * *
PART 744--[AMENDED]
0
13. The authority citation for part 744 is revised to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; Sec. 901-911, Pub. L. 106-
387; Sec. 221, Pub. L. 107-56; E.O. 12058, 43 FR 20947, 3 CFR, 1978
Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608;
E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 12947, 60
FR 5079, 3 CFR, 1995 Comp., p. 356; E.O. 13026, 61 FR 58767, 3 CFR,
1996 Comp., p. 228; E.O. 13099, 63 FR 45167, 3 CFR, 1998 Comp., p.
208; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13224,
66 FR 49079, 3 CFR, 2001 Comp., p. 786; Notice of August 6, 2004, 69
FR 48763 (August 10, 2004); Notice of November 4, 2004, 69 FR 64637
(November 8, 2004).
0
14. In Sec. 744.9, revise paragraph (a) to read:
Sec. 744.9 Restrictions on technical assistance by U.S. persons with
respect to encryption items.
(a) General prohibition. No U.S. person may, without authorization
from BIS, provide technical assistance (including training) to foreign
persons with the intent to aid a foreign person in the development or
manufacture outside the United States of encryption commodities and
software that, if of United States origin, would be controlled for EI
reasons under ECCN 5A002 or 5D002. Technical assistance may be exported
and reexported immediately to nationals of the countries listed in
Supplement 3 to part 740 of the EAR (except for technical assistance to
government end-users for cryptanalytic items), provided that the
exporter has submitted to BIS a completed encryption review request by
the time of export (as described in Sec. 740.17(a)(3) of the EAR, for
technical assistance not otherwise authorized under Sec. 740.17(a)(1)
of the EAR). Note that this prohibition does not apply if the U.S.
person providing the assistance has a license or is otherwise entitled
to export the encryption commodities and software in question to the
foreign person(s) receiving the assistance. Note in addition that the
mere teaching or discussion of information about cryptography,
including, for example, in an academic setting or in the work of groups
or bodies engaged in standards development, by itself would not
establish the intent described in this section, even where foreign
persons are present.
* * * * *
PART 772--[AMENDED]
0
15. The authority citation for part 772 continues to read as follows:
Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.;
E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August
6, 2004, 69 FR 48763 (August 10, 2004).
0
16. In Sec. 772.1, add a sentence to the end of the definition of
``hold without action'' to read as follows:
Sec. 772.1 Definitions of terms as used in the Export Administration
Regulations (EAR).
* * * * *
Hold Without Action (HWA). * * * Encryption review requests may be
placed on hold without action status as provided in Sec. 740.17(d)(2)
and Sec. 742.15(b)(2) of the EAR.
Dated: December 2, 2004.
Peter Lichtenbaum,
Assistant Secretary for Export Administration.
[FR Doc. 04-26992 Filed 12-8-04; 8:45 am]
BILLING CODE 3510-33-P