Encryption FAQs – Bureau of Industry and Security

1. What is an encryption registration? How long does it take to receive a response from BIS for my encryption registration?

2. Who is required to submit an Encryption Registration, classification request or self-classification report?

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the producer?

4. What should I do if I cannot obtain the encryption registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

6. How do I report exports and reexports of items with encryption?

7. Can I export encryption technology under License Exception ENC?

8. What is non-standard cryptography?

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer of encryption items?

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

12. Is Supplement No. 6 to Part 742 required for obtaining paragraph 740.17(b)(1) authorization?

13. How do I submit a Supplement No. 8 Self-Classification Report for Encryption Items?

14. When do I file Supplement No. 8 Self-Classification Report for Encryption Items?

15. What is Note 4?

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

17. When do I need a deemed export license for encryption technology and source code?

18. Does the EAR definition of "OAM" include using encryption in performing network security monitoring functions?

1. What is an Encryption Registration? How long does it take to receive a response from BIS for my Encryption Registration?

Encryption registration is a prescribed set of information about a manufacturer and/or exporter of certain encryption items that must be submitted to the Bureau of Industry and Security as a condition of the authorization to export such items under License Exception ENC or as mass market items.

Advance encryption registration is required for exports and reexports of items described in paragraphs 740.17(b)(1), (b)(2), and (b)(3) and paragraphs 742.15(b)(1) and (b)(3) of the Export Administration Regulations (EAR). Registration is made through SNAP-R by submitting the questionnaire set forth in Supplement No. 5 to part 742 of the EAR (point of contact, company overview, types of products, etc.). Registration of a manufacturer authorizes the manufacturer as well as other parties to export and reexport the manufacturer's encryption products that the manufacturer has either self-classified or has had classified by BIS, pursuant to the provisions referenced above. A condition of the authorization is that the manufacturer must submit an annual self-classification report for relevant encryption items.

How long does it take to receive a response from BIS for my encryption registration?

Once you have properly registered with BIS, the SNAP-R system will automatically issue an Encryption Registration Number (ERN), e.g., R123456, upon submission of a request. BIS estimates that the entire registration procedure should take no more than 30 minutes.

2. Who is required to submit an encryption registration, classification request or self-classification report?

Any party who exports certain U.S.-origin encryption products may be required to submit an encryption registration, classification request and/or self-classification report; however, if a manufacturer has registered and has self-classified relevant items and/or had items classified by BIS, and has made the classifications available to other parties such as resellers and other exporters/reexporters, such other parties are not required to register, to submit a classification request, or to submit an annual self-classification report.

3. What are my responsibilities for exporting or re-exporting encryption products where I am not the product manufacturer?

Exporters or reexporters that are not producers of the encryption item can rely on the Encryption Registration Number (ERN), self-classification report or CCATS that is published by the producer when exporting or reexporting the registered and/or classified encryption item. Separate encryption registration, commodity classification request or self-classification report to BIS is NOT required.

Please continue to the next question if the information is not available from the producer or manufacturer.

4. What should I do if I cannot obtain the Encryption Registration Number (ERN) or the Export Control Classification Number (ECCN) for the item from the producer or manufacturer?

If you are not the producer and are unable to obtain the producer's information or if the producer has not submitted an encryption registration, self-classification report or commodity classification for his/her products to BIS, then you must register with BIS. The registration process will require you to submit a properly completed Supplement No. 5 to part 742 and subsequent Supplement No. 8 Self Classification Report for the products. You will receive an ERN for the registered products or CCATSs as appropriate. BIS recognizes that non-producers who need to submit for encryption registration may not have all of the information necessary to complete Supplement No. 5 to part 742. Therefore, special instructions have been included in Supplement No. 5 to account for this situation.

For items described in Part 740.17(b)(2) and (b)(3) or Part 742.15(b)(3) that require the classification by BIS, the non-producer is required to submit as much of the technical information required in Supplement No. 6 to part 742 - Technical Questionnaire for Encryption Items as possible.

5. Can a third-party applicant submit an encryption registration and self-classification report on my behalf?

Yes, special instructions for this purpose are provided in paragraph (r) of Supplement No. 2 to part 748 of the EAR. The information in block 14 (applicant) of the encryption registration screen and the information in Supplement No. 5 to part 742 must pertain to the company that seeks authorization to export and reexport encryption items that are within the scope of this rule. An agent for the exporter, such as a law firm, should not list his/her name in block 14. The agent, however, may submit the encryption registration and list himself/herself in block 15 (other party authorized to receive license) of the encryption registration screen in SNAP-R.

6. How do I report exports and reexports of items with encryption?

All reports (i.e., the semi-annual sales report and the annual self-classification report) must be submitted to both BIS and the ENC Encryption Request Coordinator.

An annual self-classification report is required for producers of encryption items described by paragraphs 740.17(b)(1) and 742.15(b)(1) of the EAR. The information required and instructions for this report are provided in Supplement No. 8 to Part 742 - Self-Classification Report for Encryption Items. Reports are submitted to BIS and the Encryption Request Coordinator in February of each year for items exported or reexported during the previous calendar year (i.e., January 1 through December 31) pursuant to the encryption registration and applicable sections 740.17(b)(1) or 742.15(b)(1) of the EAR. Annual self-classification reports are to be submitted to [email address protected] and [email address protected].

Semi-annual sales reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs (b)(2) and (b)(3)(iii) of section 740.17. Paragraph 740.17(e)(1)(iii) contains certain exclusions from this reporting requirement. Paragraphs 740.17(e)(1)(i) and (e)(1)(ii) contain the information required and instructions for submitting the semi-annual sales reports. The first report is due no later than August 1 for sales occurring between January 1 and June 30 of the year, and the second report is due no later than February of the following year for sales occurring between July 1 and December 31 of the year. Semi-annual sales reports continue to be submitted to: [email address protected] and [email address protected].

7. Can I export encryption technology under License Exception ENC?

Yes, License Exception ENC is available for transfer of encryption technology. Specifically, paragraph 740.17(b)(2)(iv) has been amended to permit exports and reexports of encryption technology as follows:

(A) Technology for "non-standard cryptography". Encryption technology classified under ECCN 5E002 for "non-standard cryptography", to any end-user located or headquartered in a country listed in Supplement No. 3 to this part;

(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for "cryptanalytic items", "non-standard cryptography" or any "open cryptographic interface," to any non-"government end-user" located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR.

8. What is non-standard cryptography?

Non-standard cryptography, defined in Part 772 Definition of Terms, means any implementation of cryptography involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.

9. How do I complete Supplement No. 5 if I am a law firm or consultant filing on behalf of a producer or exporter of encryption items?

The information in Supplement No. 5 to Part 742 must pertain to the registered company, not to the submitter. Specifically, the point of contact information must be for the registered company, not a law firm or consultant filing on behalf of the registered company.

10. What if you are not the producer of the item or filing directly on behalf of the producer (e.g., law firm/consultant)?

You may answer questions 4 and 7 in Supplement No. 5 to part 742 as not applicable if your company is not the producer of the encryption item. An answer must be given for all other questions. An explanation is required when you are unsure.

11. What do I need to submit with an encryption commodity classification request in SNAP-R?

Encryption commodity classification determinations should be submitted through SNAP-R. Before entering SNAP-R, you should prepare the following supporting documents:

After accessing SNAP-R, fill in a commodity classification determination request and upload the supporting documents into SNAP-R.

12. Is Supplement No. 6 to part 742 required for paragraph 740.17(b)(1) authorization?

If you are requesting a classification of an item that is described in paragraph 740.17(b)(1) (in other words, the item is not described in either Section 740.17(b)(2) or (b)(3)), a Supplement No. 6 questionnaire is not required as a supporting document. Provide sufficient information about the item (e.g., technical data sheet and/or other explanation in a separate letter of explanation) for BIS to determine that the item is described in paragraph 740.17(b)(1). If you are not sure that your product is authorized as 740.17(b)(1) and you want BIS to confirm that it is authorized under 740.17(b)(1), providing answers to the questions set forth in Supplement No. 6 to part 742 with your request should provide BIS with sufficient information to make this determination.

13. How do I submit a Supplement No. 8 Self Classification Report for Encryption Items?

The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator. Reports to BIS must be submitted to a newly created e-mail address for these reports ([email address protected]). Reports to the ENC Encryption Request Coordinator must be submitted to its existing e-mail address ([email address protected]). The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only. In lieu of email, submissions of disks and CDs may be mailed to BIS and the ENC Encryption Request Coordinator.

14. When do I file Supplement No. 8 Self-Classification Report for Encryption Items?

An annual self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year. If no information has changed since the previous report, an email must be sent stating that nothing has changed since the previous report or a copy of the previously submitted report must be submitted.

15. What is Note 4?

Note 4 to Category 5, Part 2 in the Commerce Control List (Supplement No. 1 to part 774) excludes an item that incorporates or uses cryptography from Category 5, Part 2 controls if the item's primary function or set of functions is not information security, computing, communications, storing information, or networking, and if the cryptographic functionality is limited to supporting such primary function or set of functions. The primary function is the obvious, or main, purpose of the item. It is the function which is not there to support other functions. The communications and information storage primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management.

Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

16. I have an item that was reviewed and classified by BIS and made eligible for export under paragraph (b)(3) of License Exception ENC in 2009. The encryption functionality of the item has not changed. This item is now eligible for self-classification under paragraph (b)(1) of License Exception ENC. What are my responsibilities under the new rule?

Your item meets the grandfathering provisions set forth in section 740.17(f)(1) of the EAR. You do not need to submit an encryption registration (Supplement No. 5), an annual self-classification report (Supplement No. 8), or semi-annual sales reports for the item.

17. When do I need a deemed export license for encryption technology and source code?

A license may be required in certain circumstances for both deemed exports and deemed reexports. For encryption items, the deemed export rules apply only to deemed exports of technology and to deemed reexports of technology and source code. There are no deemed export rules for transfers of encryption source code to foreign nationals in the United States. This is because of the way that section 734.2 defines exports and reexports for encryption items.

For transfers of encryption technology within the United States, section 740.17(a)(2) of license exception ENC authorizes the export and reexport of encryption technology by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors, or interns of a U.S. company . . . There is no definition of U.S. company in the EAR; however, BIS has interpreted this to apply to any company operating in the United States. This means that deemed export licenses are generally not required for the transfer of encryption technology by a company in the U.S. to its foreign national employees. A deemed export license may be required if, for example, a company operating in the U.S. were to transfer encryption technology to a foreign national who is not an employee, contractor, or intern of a company in the United States. License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

For deemed reexports, the end-user would have to be an employee, contractor, or intern of a U.S. subsidiary for 740.17(a)(2) to apply, or a private sector end-user headquartered in a Supplement 3 country for 740.17(a)(1) to apply. The term contractor in this context means a contract employee (i.e., a human person). License exception ENC does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

Also note that as of June 25, 2010, encryption technology (except technology for cryptanalytic items, Open Cryptographic Interface items, and non-standard cryptography) that has been reviewed is eligible for license exception ENC to any non-government end user located outside of Country Group D:1. Also, encryption source code that has been reviewed by BIS and made eligible for license exception ENC under 740.17(b)(2) is eligible for export and reexport to any non-government end-user. Thus encryption technology and source code that have been reviewed are eligible for export and reexport to a broader range of end-users than 740.17(a) allows. Again, section 740.17 does not authorize deemed exports or reexports to any national of a country listed in Country Group E:1.

18. Does the EAR definition of "OAM" include using encryption in performing network security monitoring functions?

No. The definition of "OAM" includes "monitoring or managing the operating condition or performance of an item." BIS does not consider network security monitoring or network forensics functions to be part of monitoring or managing operating condition or performance.

The phrase "monitoring or managing the operating condition or performance of an item" is meant to include all the activities associated with keeping a computer or network-capable device in proper operating condition, including: configuring the item; checking or updating its software; monitoring device error or fault indicators; testing, diagnosing or troubleshooting the item; measuring bandwidth, speed, available storage (e.g. free disk space) and processor / memory / power utilization; logging uptime / downtime; and capturing or measuring quality of service (QoS) indicators and Service Level Agreement-related data.

However, the "OAM" definition does not apply to cryptographic functions performed on the forwarding or data plane, such as: decrypting network traffic to reveal or analyze content (e.g., packet inspection and IP proxy services); encrypting cybersecurity-relevant data (e.g., activity signatures, indicators or event data extracted from monitored network traffic) over the forwarding plane; or securing the re-transmission of captured network activity.

Thus, products that use encryption for such network security monitoring or forensics operations, or to provision these cryptographic services, would not be released by the OAM decontrol notes (l) or (m), or the Note to 5D002.c.

Similarly, the "OAM" decontrol does not apply to security operations directed against data traversing the network, such as capturing, profiling, tracking or mapping potentially malicious network activity, or "hacking back" against such activity.
