Encryption Simplification, 57495-57512 [E8-23201]

Agencies

• DEPARTMENT OF COMMERCE
• Bureau of Industry and Security
• Industry and Security Bureau

[Federal Register Volume 73, Number 193 (Friday, October 3, 2008)]
[Rules and Regulations]
[Pages 57495-57512]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-23201]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 770, 
772, and 774

[Docket No. 080211163-81224-01]
RIN 0694-AE18


Encryption Simplification

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: This interim final rule amends the Export Administration 
Regulations (EAR) to make the treatment of encryption items more 
consistent with the treatment of other items subject to the EAR, as 
well as to simplify and clarify regulations pertaining to encryption 
items. The restrictions pertaining to technical assistance by U.S. 
persons with respect to encryption items are removed, because the 
current export and reexport restrictions set forth in the EAR for 
technology already include technical assistance. This rule also removes 
License Exception KMI as it has become obsolete because of developments 
in uses of encryption. In addition, this rule removes notification 
requirements for items classified as 5A992, 5D992, and 5E992. This rule 
also increases certain parameters under License Exception ENC, which is 
intended to reflect advances in technology. This rule adds two new 
review and reporting requirement exclusion paragraphs under License 
Exception ENC for wireless ``personal area network'' items and for 
``ancillary cryptography'' items. This rule also adds Bulgaria, Canada, 
Iceland, Romania, and Turkey to the list of countries that receive 
favorable treatment under License Exception ENC. Commodities and 
software pending mass market review may no longer be exported under 
ECCNs 5A992 and 5D992 using No License Required (NLR). However, once 
the mass market review has been received by BIS, then such commodities 
and software may be exported using License Exception ENC under ECCNs 
5A002 and 5D002. This rule will reduce the paperwork burden on the 
public by 9% (annual dollar amount savings of approximately $14,000 to 
the public and $5,000 to the U.S. Government), because of the removal 
of certain notification requirements, addition of countries to the list 
of those receiving favorable treatment under License Exception ENC, and 
the increase of reporting and review requirement exclusions. The 
Departments of Commerce, State and Defense will continue to review 
export control, license review policies, and license exceptions for 
encryption items in the EAR.

DATES: Effective Date: This rule is effective October 3, 2008.

ADDRESSES: Written comments on this interim final rule may be sent by 
e-mail to publiccomments@bis.doc.gov. Include ``Encryption rule'' in 
the subject line of the message. Comments may also be submitted by mail 
or hand delivery to Sharron Cook, Office of Exporter Services, 
Regulatory Policy Division, Bureau of Industry and Security, Department 
of Commerce, 14th St. & Pennsylvania Avenue, NW., Room 2705, 
Washington, DC 20230, ATTN: Encryption rule; or by fax to (202) 482-
3355.

FOR FURTHER INFORMATION CONTACT: For questions of a general nature 
contact Sharron Cook, Office of Exporter Services, Regulatory Policy 
Division at (202) 482-2440 or E-Mail: scook@bis.doc.gov.
    For questions of a technical nature contact: The Information 
Technology Division, Office of National Security and Technology 
Transfer Controls at 202-482-0707 or E-Mail: C. Randall Pratt at 
cpratt@bis.doc.gov.

SUPPLEMENTARY INFORMATION: 

Background

Steps Regarding Scope of the EAR

    This rule revises paragraph 732.2(b) of the EAR, which sets forth 
instructions on how to determine if your technology or software is 
publicly available, by adding mass market encryption software with 
symmetric key length exceeding 64-bits classified under ECCN 5D992. The 
addition of this phrase harmonizes with the scope of publicly available 
encryption software that is considered to be subject to the EAR because 
of the criteria set forth in Sec.  734.3(b)(3) of the EAR.

[[Page 57496]]

Items Subject to the EAR

    This rule adds a note to paragraph 734.3(a)(4) of the EAR, which 
sets forth the items that are subject to the EAR. The note reminds 
readers that certain foreign-manufactured items are subject to the EAR 
when developed or produced from U.S.-origin encryption items that were 
exported pursuant to Sec.  740.17(a) of License Exception ENC.

Clarification of Text

    This rule replaces the phrase ``encryption software (including 
source code) transferred from the U.S. Munitions List to the Commerce 
Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 
58767) and pursuant to the Presidential Memorandum of that date'' with 
``software controlled for ``EI'' reasons under ECCN 5D002 on the 
Commerce Control List'' to clarify which software this sentence is 
referring to in the introductory paragraph of Supplement No. 1 to part 
734 ``Questions and Answers--Technology and Software subject to the 
EAR.''

Determining Whether a License Is Required

    This rule clarifies text in Sec.  738.4(a)(1) of the EAR that not 
all license requirements set forth under the ``License Requirements'' 
section of an ECCN refer to the Commerce Country Chart, but in some 
cases this section will contain references to a specific section in the 
EAR that contain license requirements for that particular ECCN. In such 
cases, you could not determine whether a license is required based on 
the ECCN and Country Chart alone and section Sec.  738.4(a)(1) of the 
EAR would not apply. For example, ``EI'' controls are not included in 
the Country Chart; however licensing requirements for ``EI'' controlled 
items are included in Sec.  742.15(a) of the EAR. In addition, this 
rule removes the reference in Sec.  738.4(a)(2)(ii)(B) to notification 
requirements described in paragraph 742.15(b) for items classified 
under ECCNs 5A992, 5D992, and 5E992, because this rule removes 
notification requirements for these items. This rule also clarifies the 
reminder about the review requirements for certain mass market 
encryption items under ECCNs 5A992 and 5D992, by removing the reference 
to 5E992 and harmonizing the citation reference with the changes in 
this rule.

License Exception LVS

    This rule revises Sec.  740.3(d)(5) to clarify that not only 
exports, but reexports of encryption components or spare parts are 
subject to the special restriction in this paragraph. In addition, the 
term ``item'' has been replaced by correct terminology.

License Exception KMI

    This rule removes Sec.  740.8 of the EAR ``License Exception KMI'' 
as it has become obsolete because of the developments in the use of 
encryption. A consequential revision is also made to Sec.  746.3(c) of 
the EAR, where License Exception KMI was listed. Products previously 
eligible for License Exception KMI will be accorded equivalent 
treatment under license or license exception. As a result of this 
change, this rule also removes Supplement No. 4 to part 742 ``Key 
Escrow or Key Recovery Products Criteria.''

License Exception TSU

    In Sec.  740.13(d) of the EAR, this rule removes the quotation 
marks around the term ``mass market'' in the title to paragraph (d), 
paragraph (d)(1), footnote 1, paragraph (d)(3)(i) and paragraph 
(d)(3)(ii), because in the EAR double quotation marks around a term 
indicate that the word is defined in part 772 of the EAR, and mass 
market is not a defined term in part 772 of the EAR.

License Exception ENC

    This rule revises Sec.  740.17 of the EAR by reformatting 
paragraphs, removing redundant text, and clarifying text as needed. 
This rule revises the title of this section to indicate that this 
license exception also authorizes technology. The introductory 
paragraph to Sec.  740.17 of the EAR is condensed to set forth the 
scope of Sec.  740.17 of the EAR and include information not found 
elsewhere in Sec.  740.17 of the EAR.
    While this rule reformats the paragraphs in Sec.  740.17 of the 
EAR, it was BIS's goal to minimize revisions to the enumeration of 
paragraphs used to classify encryption items in the past, so as to 
alleviate confusion about previous classifications provided by BIS that 
reference specific paragraphs and to reduce the number of revisions to 
industry's current product matrices. That being said, the paragraph 
titles have been revised to reflect review request requirements instead 
of destinations, end-uses, or types of end-users.
    This rule removes paragraphs 740.17(a)(2) and (b)(2)(i) that 
exempted commodities and software from review requirements based on a 
previous review by the U.S. Government prior to October 19, 2000. These 
commodities and software remain exempt from review requirements, and 
BIS did not see the necessity of retaining such text in the Export 
Administration Regulations.
    Paragraph 740.17(a) now describes exports and reexports authorized 
by License Exception ENC that do not require prior government review or 
post export reporting. The former paragraph (a)(2) ``Items previously 
reviewed by the U.S. Government'' is removed by this rule, as this 
paragraph is no longer necessary because of the passage of time. Former 
paragraph (a)(3) for end-uses other than internal development is moved 
to new paragraph (b)(1), because a review request submission is 
required for eligibility under this paragraph. Former paragraph (b)(1) 
for U.S. subsidiaries is moved to (a)(2), because authorization under 
this paragraph does not require prior review. In addition, this rule 
amends former paragraph (b)(4)(i)(A) (exempting encryption items not 
exceeding certain key lengths from the 30 day waiting period) by moving 
it to (b)(1)(ii)(A).

Section 740.17(a)(1)

    This rule removes references in paragraph Sec.  740.17(a)(1) to 
``technical assistance described in Sec.  744.9 of the EAR,'' because 
this rule removes 744.9, see explanation set forth below under ``Sec.  
744.9.'' This rule clarifies text in paragraph (a)(1) so that it is 
understood that License Exception ENC can be used for not only internal 
development, but also internal production of new products.

Section 740.17(a)(2)

    Paragraph 740.17(a)(2) is former paragraph (b)(1).

Section 740.17(b)

    Paragraph 740.17(b) now sets forth those items authorized under 
License Exception ENC that require prior review by the U.S. Government. 
This paragraph also sets forth the ``open cryptographic interface'' 
restriction that applies to all paragraphs in 740.17(b), except for 
paragraph Sec.  740.17(b)(1)(i). This introductory paragraph also sets 
forth the restriction to export or reexport cryptanalytic items to any 
``government end-user.'' There is also a reference in this paragraph to 
paragraph (e) ``reporting requirements'' for exports and reexports 
under Sec.  740.17(b).

Section 740.17(b)(1)

    The new paragraph 740.17(b)(1) of the EAR authorizes exports and 
reexports under License Exception ENC that require prior government 
review, but allows the export or reexport to take place immediately 
upon registration of the review request with BIS.

[[Page 57497]]

    Paragraph (b)(1)(i) authorizes the export and reexport of 
encryption items, including EI controlled commodities or software 
(excluding source code) that are pending review for mass market 
treatment (under Sec.  742.15(b) of the EAR), to ``government end-
users'' and non-``government end-users'' located in the countries 
listed in Supplement 3 of part 740, as well as to foreign subsidiaries 
or offices of firms, organizations and governments headquartered in 
countries listed in Supplement 3 of part 740. This rule adds 
authorization under License Exception ENC for items pending mass market 
review, because it was not logical to temporarily classify commodities 
and software under ECCNs 5A992 or 5D992 that were pending mass market 
review under paragraph 742.15(b) and authorize export or reexport under 
the designation of ``No License Required (NLR)'' when the possible 
outcome of the BIS classification of the commodities and software could 
be ECCN 5A002 or 5D002.
    New paragraph 740.17(b)(1)(ii) authorizes exports and reexports of 
specified encryption commodities and software to countries not listed 
in Supplement No. 3 to part 740. This rule revises the format of the 
parameters in this section from a range to an upper limit in paragraph 
(b)(1)(ii)(A), former paragraph (b)(4)(i)(A). In addition, the upper 
limit for symmetric algorithms has been raised from ``key lengths not 
exceeding 64 bits'' to ``key lengths not exceeding 80 bits.'' After 
review has been completed on these commodities or software, BIS will 
issue a CCATS that will indicate authorization is under paragraph 
(b)(2) or (b)(3) of Sec.  740.17 of the EAR, whichever paragraph is 
appropriate.
    Paragraph (b)(1)(ii)(B), former paragraph (b)(4)(i)(B), authorizes 
exports and reexports of encryption source code that would not be 
eligible for export or reexport under License Exception TSU, provided 
that a copy of the source code is included in the review request, to 
non-``government end-users'' located in any country except a country 
listed in Country Group E:1 of Supplement No. 1 to part 740 of the EAR. 
After the review has been completed, BIS will issue a CCATS that will 
indicate authorization is under paragraph 740.17(b)(2) of the EAR. The 
text is clarified by replacing the phrase ``considered publicly 
available'' with ``eligible'' in order to avoid confusion about the 
scope of encryption source code eligible under this paragraph.

Section 740.17(b)(2)

    Paragraph (b)(2) of License Exception ENC authorizes exports and 
reexports to non-``government end-users'' located in a country not 
listed in Supplement No. 3 to this part or Country Group E:1 that 
require a prior review and 30 day waiting period. Pursuant to the new 
scope paragraph 740.17(b), this rule expands the scope of (b)(2) to 
include ECCN 5B002 to be consistent with commodities and software 
eligible for License Exception ENC under paragraphs (b)(1) and (b)(3) 
of the EAR. In addition, former paragraph (b)(2)(i) concerning 
transactions previously reviewed prior to October 19, 2000 by the U.S. 
Government is removed as the passage of time has made this paragraph 
unnecessary. Former paragraph (b)(2)(ii) that set forth the review 
request requirement is removed, as the review request requirement has 
been moved to the introductory text of paragraph (b)(2). Former 
paragraph (b)(2)(iii) is replaced by the introductory text of paragraph 
(b)(2).
    This rule revises new paragraph (b)(2)(i), (Network infrastructure 
software and commodities) by adding ``digital packet telephony/media 
(voice/video/data) over internet protocol'' to the list of capabilities 
described.
    Also in this new paragraph (b)(2)(i), the former paragraph 
(b)(2)(iii)(A) reference to ``64 bits for symmetric algorithms'' is 
changed to ``80 bits for symmetric algorithms'', commensurate with the 
key length change in new paragraph (b)(1)(ii)(B). (Note: Regarding key 
length with respect to the authorizations and restrictions set forth in 
both the current and former versions of License Exception ENC Sec.  
740.17(b)(2), only `network infrastructure' commodities and software 
(sub-paragraph (i) in this rule) are distinguished by key length. All 
encryption commodities and software now enumerated in sub-paragraphs 
(ii)-(vi) (former sub-paragraphs (iiii)(B)-(iii)(F)) of License 
Exception ENC paragraph (b)(2) are controlled to ``government end-
users'' as described, regardless of key length.)
    Former paragraph (b)(2)(iii)(A)(1), new paragraph Sec.  
740.17(b)(2)(i)(A) is clarified by this rule to add quotes around the 
term ``government end-user(s)'' and now reads as follows, ``Been 
designed, modified, adapted or customized for ``government end-
user(s)'' or government end-use (e.g., to secure police, state 
security, or emergency response communications).''
    This rule further revises former paragraph (b)(2)(iii)(A)(1), new 
paragraph (b)(2)(i)(A), which addresses aggregate encrypted WAN, MAN, 
VPN or backhaul throughput, by increasing the parameter from 44 Mbps to 
90 Mbps.
    This rule further revises former paragraph (b)(2)(iii)(A)(2), new 
paragraph (b)(2)(i)(B). The Wire (line), cable or fiber optic WAN, MAN 
or VPN single-channel input data rate is revised from ``44 Mbps'' to 
``154 Mbps.''
    These revisions are not expected to result in a decrease in the 
number of license applications submitted for exports and reexports of 
items described in paragraph (b)(2) to government end-users. Most 
network infrastructure items currently being exported to government 
end-uses exceed these performance parameters. However, BIS has 
determined that the parameters should be adjusted in recognition of 
technology advances, and to avoid maintaining controls on legacy 
systems.
    This rule replaces the ``Maximum number of concurrent encrypted 
data tunnels or channels * * *'' parameter in former paragraph 
(b)(2)(iii)(A)(3), new paragraph (b)(2)(i)(C) with ``Media (voice/
video/data) encryption or centralized key management supporting more 
than 250 concurrent encrypted data channels, or encrypted signaling to 
more than 1,000 endpoints, for digital packet telephony/media (voice/
video/data) over internet protocol communications.'' These amendments 
update these provisions of License Exception ENC to reflect advances in 
encryption technology. Specifically, these amendments address 
cryptographic developments in Datagram Transport Layer Security 
(DTLS)--Secure Real-Time Transport Protocol (SRTP), and encrypted 
communications signaling, for large Voice over Internet Protocol (VoIP) 
network infrastructures.
    This rule also revises former paragraph (b)(2)(iii)(A)(4)(i), new 
paragraph (b)(2)(i)(D)(1), which addresses Air-interface coverage 
capabilities, by changing ``maximum data rates'' to ``maximum 
transmission data rates'' and changing the parameter from ``5 Mbps'' to 
``10 Mbps.'' By limiting this License Exception ENC provision to the 
transmit (upstream) data rates and doubling the licensing threshold, 
these amendments reflect technology developments for certain satellite 
and other long-range wireless devices.
    Former paragraph (b)(2)(iii)(B) that addressed encryption source 
code that would not be eligible for export or reexport under License 
Exception TSU is moved to new paragraph (b)(2)(ii), but also appears in 
new paragraph (b)(1)(ii)(B) for review requests that include a copy of 
the source code, and

[[Page 57498]]

may be exported or reexported without a waiting period under License 
Exception ENC when the review request is registered with BIS.
    Former paragraph (b)(2)(iii)(C), new paragraph (b)(2)(iii) is 
revised by removing the reference to the open cryptographic interface 
restriction, because this restriction is now placed in the introductory 
text of paragraph 740.17(b).
    Former paragraph (b)(2)(iii)(C)(1), new paragraph (b)(2)(iii)(A) is 
amended by revising the phrase ``Been modified or customized for'' to 
read ``been designed, modified, adapted or customized for.'' Quotes 
have been added around the term ``government end-user(s)'' to indicate 
that this term is defined in part 772 of the EAR.
    This rule also revises the phrase ``to secure departmental, police, 
state security, or emergency response communications'' to read ``to 
secure police, state, security, or emergency response communications, 
including encryption commodities and software for external Security 
Operations Center (SOC)/Network Operations Center (NOC) command and 
infrastructure, and digital forensics/computer forensics.'' With this 
clarification, this rule provides examples of three such systems that 
are controlled for their inherent government end-use: External Security 
Operations Center (SOC)/Network Operations Center (NOC) command and 
infrastructure; public safety radio (e.g., implementing Terrestrial 
Trunked Radio (TETRA) and/or Association of Public-Safety 
Communications Officials International (APCO) Project 25 (P25) 
standards); and digital forensics/computer forensics.

    Note: Regarding the use of encryption by a computer forensics/
digital forensics commodity or software (e.g., for securing the 
collection, examination, and/or reporting of data or metadata on an 
investigated computer), such digital/computer forensics tools would 
not be considered ``cryptanalytic items'' if the only use of 
``cryptography'' is for encryption. However, such tools that also 
perform ``cryptanalysis'' (e.g., cracking passwords or employing 
other cryptanalytic techniques to derive user-encrypted data or 
metadata from a computer or network) would be controlled as 
``cryptanalytic items.''

    Former paragraph (b)(2)(iii)(E), new paragraph (b)(2)(v) is revised 
by adding a clarifying phrase after the term ``quantum cryptography'' 
to read ``as defined in ECCN 5A002 of the Commerce Control List.''
    Former paragraph (b)(2)(iii)(F), new paragraph (b)(2)(vi) is 
revised by replacing the term ``controlled'' with ``classified under'' 
to clarify the scope of computers in this paragraph.

Section 740.17(b)(3)

    This rule revises paragraph Sec.  740.17(b)(3) of the EAR for 
export or reexport of commodities and software not listed in Sec.  
740.17(b)(2) of the EAR by both ``government end-users'' and non-
``government end-users'' by removing the redundant former paragraph 
(b)(3)(ii)(B) that explained the review procedures and instead 
inserting a reference to paragraph Sec.  740.17(d) that sets forth 
these procedures. In addition, former paragraph (b)(3)(ii)(A) 
concerning transactions previously reviewed by the U.S. Government is 
removed as the passage of time has made this paragraph unnecessary. 
Former paragraph (b)(3)(i)(A) that set forth the ineligibility of 
commodities and software that provide an ``open cryptographic 
interface'' is removed because this restriction is set forth in the 
introductory text of paragraph 740.17(b). This rule adds text that 
clarifies the eligible locations of the end-users, because 740.17(a) 
addresses all exports to Supplement No. 3 countries. This rule 
relocates the restriction in former paragraph (f)(1) concerning 
``cryptanalytic items'' to the introductory text of paragraph (b)(3).

Section 740.17(b)(4)

    Former paragraph 740.17(b)(4)(i), setting forth commodities and 
software that are eligible for export immediately upon registration of 
a review request, is moved to new paragraph (b)(1)(ii). In addition, 
previous paragraph 740.17(b)(4)(ii), setting forth exclusions from 
review requirements for certain items, is reformatted as paragraph 
740.17(b)(4).
    Former paragraph (b)(4)(ii)(A) for short-range wireless encryption 
is now in new paragraph (b)(4)(i). This rule adds examples to this 
paragraph of short-range wireless commodities and software. An 
informative sentence is also added to notify the reader that certain 
items excluded by this paragraph may also be excluded from review under 
(b)(4)(iii) (personal area networks) or (b)(4)(iv) (commodities and 
software that provide ``ancillary cryptography'').
    Former paragraph (b)(4)(ii)(B) is replaced by the third, fourth, 
and fifth sentences of former paragraph (c), which pertains to foreign 
products developed with or incorporating U.S.-origin encryption source 
code, components, or toolkits.
    This rule adds two new review requirement exclusion paragraphs. The 
first new paragraph (b)(4)(iii) is for wireless ``personal area 
network'' items. This rule adds the term ``personal area network'' and 
definition, as well as examples to part 772. The other new exclusion 
paragraph (b)(4)(iv) is for ``ancillary cryptography,'' which is also a 
newly added term/definition in part 772. The term/definition includes 
examples of ``ancillary cryptography.'' The U.S. Government has 
determined that it is not necessary to review the encryption 
functionality of such items.

Reexports and Transfers

    This rule clarifies the second sentence in Sec.  740.17(c) of the 
EAR (restricted transfers) by adding quotes around the term 
``government end-users'' for consistency. The third and fourth 
sentences in this section concerning foreign products developed with or 
incorporating U.S.-origin encryption products are moved to new 
paragraph (b)(4)(ii), because it was misplaced and redundant to text 
already included in another paragraph of License Exception ENC.

Review Request Procedures

    This rule removes former paragraph (d)(1) ``Instructions for 
requesting review'' because these instructions were redundant and 
inconsistent with the instructions for submissions on Form BIS-748P 
(Multipurpose Application) found in Part 748 of the EAR. Instructions 
for such submissions belong in Part 748 of the EAR.
    This rule reformats former paragraph (d)(2) ``Action by BIS'' 
because this paragraph was entirely too long and needed to be divided 
by subject matter. The new subparagraph titles are: (i) Notification; 
(ii) After 30 days; and (iii) Hold Without Action (HWA).
    This rule moves former paragraph (d)(3), ``key length increases,'' 
to the reporting requirement section under new paragraph (e)(2), 
because this requirement is in actuality a reporting requirement and 
not a review requirement. This report is required for commodities and 
software that, after having been reviewed and authorized for License 
Exception ENC by BIS, are modified only to upgrade the key length used 
for confidentiality or key exchange algorithms. This rule also makes 
the new key length a required element of the report.

Reporting Requirements

    The reporting requirements for License Exception ENC are now split 
into two sections: Semiannual reporting requirement and reporting key 
length increases. This rule clarifies that the Commodity Classification 
Automated Tracking System (CCATS) number is a required element of the 
report. This rule removes former paragraph (e)(2)(iv),

[[Page 57499]]

which required a report for exports of ECCN 5E002 items to be used for 
technical assistance that are not released by 744.9, because this rule 
removed section 744.9 of the EAR. This rule also clarifies the purpose 
and scope of paragraph (e)(3), regarding reportable information on 
foreign manufacturers and products that use encryption items in 
countries not listed in Supplement No. 3 to part 740.

Reporting Exclusions

    This rule revises the exclusion set forth in former paragraph 
(e)(4)(i), new paragraph (e)(1)(iii)(A), by removing the reference to 
paragraph (b)(1), because (b)(1) did not require prior review or post 
export reporting, therefore this rule moved (b)(1) to new paragraph 
(a)(2).
    In new paragraph (e)(1)(iii)(F), this rule expands the exclusion 
that was in former paragraph (e)(4)(vi) for components limited to 
providing short-range wireless encryption functions, by making the 
reporting exclusion apply to all of the items in the new paragraph 
(b)(4), which are those items that are excluded from review 
requirements (certain commodities and software that provide short-range 
wireless; foreign products developed with or incorporating U.S.-origin 
encryption source code (that have not entered United States for 
subsequent export), components, or toolkits; wireless ``personal area 
network'' items; and ``ancillary cryptography'' commodities and 
software).
    Lastly, in new paragraph (e)(1)(iii)(J), this rule adds a new 
provision to exclude from reporting requirements exports of items that 
have been determined, on a case-by-case basis do not require the burden 
of semi-annual reporting. Certain exports of items that do not qualify 
for mass market treatment, but are authorized under License Exception 
ENC are not of interest for national security reasons, therefore do not 
warrant reporting requirements. Exporters will be notified of this 
exclusion on issued Commodity Classification Automated Tracking System 
(CCATS) documents.

Restrictions

    Former paragraph Sec.  740.17(f) ``Restrictions'' is removed, 
because the restrictions that were in this paragraph are integrated 
into the introductory paragraph to Sec.  740.17 or specific paragraphs 
for which they apply.

Supplement No. 3 to Part 740

    This rule revises the title of Supplement No. 3 to part 740 to read 
``License Exception ENC Favorable Treatment Countries,'' because the 
former title of ``Countries Eligible for the Provisions of Sec.  
740.17(a)'' is no longer correct, as these countries are now eligible 
for provisions of Sec.  740.17(b)(1) of the EAR. This rule adds 
Bulgaria, Canada, Iceland, Romania, and Turkey to the list of countries 
in Supplement No. 3 to part 740 of the EAR. Bulgaria and Romania joined 
the European Union by accession on January 1, 2007. The addition of 
Canada is simply for clarity, as licenses are not required to Canada 
for Encryption Items (pursuant to Sec.  742.15(a)(1)) and License 
Exception ENC has been available for subsidiaries and offices of the 
Canadian government and private-sector end-users (along with the 
previous Supplement No. 3 to part 740 list of countries). Turkey and 
Iceland are added because they are members of the North Atlantic Treaty 
Organization (NATO). This will increase eligibility under License 
Exception ENC under new paragraphs Sec.  740.17(a)(1) and (b)(1) of the 
EAR, which will decrease the necessity for submitting license 
applications, review requests, and semiannual reports.
    This revision will reduce the number of license applications 
submitted to BIS for the export or reexport of encryption products 
classified under ECCNs 5A002 and 5D002 to Bulgaria, Iceland, Romania, 
and Turkey by 95 percent (approximately $37 million in exports and 
reexports for CY 2007). This revision will not change the amount of 
license applications received by BIS for the export or reexport of 
encryption products to Canada, because Canada, while not included in 
the list of countries that received favorable treatment under License 
Exception ENC, already received such benefits.

Section 742.15 ``Encryption Items''

    Paragraph 742.15(a) is revised by more specifically describing what 
is EI controlled under ECCNs 5A002, 5D002, and 5E002. This revision 
harmonizes with changes this rule makes to the license requirements 
paragraphs of these ECCNs. In addition, a sentence is added that 
advises exporters to review License Exception ENC prior to submitting a 
license to BIS. Also, the phrase ``on a computer system'' is removed 
from the introductory text of Sec.  742.15 in order to be more 
consistent with the first Note in the License Requirement section of 
ECCN 5D002.

Section 742.15(a)(2) License Requirements and Review Policy for ECCNS 
5A992, 5D992, and 5E992

    This rule removes former paragraph 742.15(a)(2), which explained 
license requirements and review policy for items classified under ECCNS 
5A992, 5D992, and 5E992, because the purpose of Sec.  742.15 is to set 
forth the license requirements and review policies for items controlled 
for encryption item (EI) reasons and these items are controlled for 
anti-terrorism (AT) reasons only. The license requirements and review 
policy for these items are found under appropriate anti-terrorism 
sections of part 742.
    This rule removes the second sentence of 742.15(a)(2), because the 
indefinite language did not add to the transparency of licensing 
policy. The sentence stated, ``Exports and reexports of encryption 
items to governments, or to Internet and telecommunications service 
providers for the provision of services specific to governments, may be 
favorably considered.'' This rule removes the extraneous phrase 
``including those which authorize exports and reexports of encryption 
technology to strategic partners (as defined in Sec.  772.1 of the EAR) 
of U.S. companies.'' To be more transparent, this rule adds the phrase 
``or pre-shipment notification'' to explain that ELAs may require pre-
shipment notification. This rule adds a note to paragraph (a)(2) to 
remind exporters that once mass market encryption commodities and 
software have been reviewed by BIS and the ENC Encryption Request 
Coordinator (Ft. Meade, MD) and released from ``EI'' and ``NS'' 
controls pursuant to Sec.  742.15(b) of the EAR, they are classified 
under ECCN 5A992 and 5D992 respectively, and are thereafter outside the 
scope of this section.
    This rule removes the notification and review requirements for 
items classified under ECCNs 5A992, 5D992, and 5E992, which were set 
forth in former paragraphs Sec.  742.15(b) introductory paragraph and 
Sec.  742.15 (b)(1) of the EAR.
    This rule adds a reference to the ENC Encryption Request 
Coordinator (FT. Meade, MD) with regard to the requirement for review 
of mass market encryption commodities and software.
    Specific instructions for how to fill out form 748P (multipurpose 
application) for submission of a review request has been removed, 
because these instructions were redundant and inconsistent with the 
instructions found in paragraph (r) of Supplement No. 2 to part 748 of 
the EAR. Instead, a reference to this paragraph (r) is added to new 
paragraph 742.15(b)(1) ``Procedures for requesting review.''
    This rule removes former paragraph (b)(2)(iii) that provided 
authorization under the designation of ``no license required (NLR)'' 
for exports and reexports of encryption commodities

[[Page 57500]]

and software pending mass market treatment review by BIS to government 
and non-government end-users located in countries listed in Supp. No. 3 
to part 740 of the EAR or for internal use of foreign subsidiaries or 
offices of firms, organizations and governments headquartered in Canada 
or in countries listed in Supp. No. 3 to part 740 of the EAR. This 
authorization was based on a temporary classification under ECCNs 5A992 
and 5D992, which is inconsistent with the way other items are 
classified in the EAR, therefore this provision is removed. Instead, 
encryption commodities and software will remain under the 
classification of ECCN 5A002 and 5D002 until 30 days have passed since 
registration of the submitted review request or BIS issues a 
classification under ECCN 5A992 or 5D992. However, this rule creates a 
new authorization under License Exception ENC for such commodities and 
software pending a decision by BIS concerning mass market treatment 
under new paragraph 740.17(b)(1) of the EAR. This rule adds explanatory 
text about this new procedure in (b)(2) ``Action by BIS.''

Section 742.15(b)(3) Exclusions for Notification and Review 
Requirements

    This rule removes the former exclusion paragraphs, because it is no 
longer applicable and is replaced by new exclusion paragraphs from mass 
market review requirements under Sec.  742.15(b). There are three new 
exclusions: Certain short range wireless commodities and software, 
wireless ``personal area network'' items, and ``ancillary 
cryptography'' commodities and software.

Section 742.15(b)(4) Dormant Encryption and Enabling Software and 
Commodities

    This rule condenses this paragraph to remove text that pertained to 
ECCNs 5A992 and 5D992.

Section 742.15(b)(5) Examples of Mass Market Software

    The phrase ``designed for, bundled with, or pre-loaded on single 
CPU computes'' is revised to read ``designed for computers classified 
as ECCN 4A994 or EAR99.'' This phrase was changed to remove outdated 
and confusing text related to computers. This rule also removes the 
last phrase ``and commodities and software exported via free or 
anonymous downloads.'' This phrase was removed because it confused the 
public, in that it led people to believe that if they incorporated free 
encryption software or open source encryption into their products that 
it was not subject to the EAR, which is not the case.

Supplement No. 6 to Part 742 ``Guidelines for Submitting Review 
Requests for Encryption Items''

    The option to fax support documents is removed, because that method 
has been replaced by either e-mailing the document in PDF or sending 
the document by mail. A requirement to obtain express mail 
certification of the mailing of support documentation is added for 
those that intend to rely on the 30 day registration provisions of the 
EAR.
    Paragraph (a) is divided into 5 subparagraphs that clarify existing 
review requirements and procedures. Former paragraph (a) is now new 
subparagraph (a)(1), and is revised to add a requirement to include a 
brief non-technical description of the type of product being submitted, 
e.g., routers, disk drives, cell phones, chips, etc. Part of the 
introductory paragraph to Supp. No. 6 that addressed prior reviews is 
moved to a new subparagraph (a)(2), and is revised to add a 
requirement, for products with minor changes in encryption 
functionality, to include a cover sheet with complete reference to the 
previous review (CCATS, Application Control Number (ACN), 
ECCN, authorization paragraph) along with a clear description of the 
changes. New subparagraph (a)(3) requires a description of how 
encryption is used in the product and the categories of encrypted data 
(i.e., stored data, communications, management data, internal data, 
etc.). New subparagraph (a)(4) requires, for mass market reviews, a 
specific description of who will be receiving the product and how the 
product is being marketed, as well as how this method of marketing and 
other relevant information (e.g., cost of product and volume of sales) 
is described by the Cryptography Note (Note 3 to Category 5, Part 2). 
New subparagraph (a)(5) clarifies information about any encryption 
source code being used.
    Subparagraph (c)(1) is amended by adding the phrase ``including 
relevant parameters, inputs and settings'' to the end of the first 
sentence. Subparagraph (c)(6) is amended by adding more examples of 
communication and cryptographic functions, as well as replacing the 
term ``encryption protocols'' with a more accurate term ``cryptographic 
protocols and methods.'' An additional requirement is added to (c)(6) 
to describe how the protocols that are supported are used. The text of 
(c)(11) is revised to more clearly describe the information that would 
assist BIS.
    The introductory text for paragraphs (d) and (e) is clarified.

Section 744.9 ``Restrictions on Technical Assistance by U.S. Persons 
With Respect to Encryption Items''

    This rule removes Sec.  744.9 of the EAR that required 
authorization from BIS for U.S. persons to provide technical assistance 
(including training) to foreign persons with the intent to aid a 
foreign person in the development or manufacture outside the United 
States of encryption commodities or software that, if of U.S.-origin, 
would be ``EI'' controlled under ECCNs 5A002 or 5D002. Section 744.9 
was added to the EAR in 1996 when jurisdiction over dual-use encryption 
items was transferred from the Department of State to the Department of 
Commerce. Technical assistance is treated differently under the 
International Trade in Arms Regulations (ITAR) than it is in EAR. 
Technical assistance is considered a form of ``technology'' under the 
definition of ``technology'' in section 772.1 of the EAR. The EAR 
states that technical assistance ``may take forms such as instruction, 
skills training, working knowledge, consulting services'' and that it 
``may involve transfer of `technical data.' '' When a person performs 
technical assistance, which draws upon ``development,'' ``production,'' 
or ``use'' ``technology'' obtained in the United States or that is of 
U.S.-origin, then a release of ``technology'' takes place, which is 
considered an export or reexport and may require authorization under 
the EAR. BIS has observed that there is rarely an application for a 
license submitted under the requirements of section 744.9; however, 
requests for authorization under section 744.9 are often included in 
license applications for export of ECCN 5E002 Technology. This has led 
BIS to conclude that people are submitting license applications for 
technology exports and reexports when involved in technical assistance. 
Therefore, to harmonize the understanding of technical assistance as it 
is understood in the EAR with the practical application of it by the 
public, BIS is removing section 744.9. This removal does not remove any 
license requirements for controlled encryption technology released 
while performing technical assistance. This amendment does not affect 
the scope of the note in former 744.9 in that the mere teaching or 
discussion of information about cryptography, including, for example, 
in an academic setting or in the work of groups or bodies engaged in 
standards

[[Page 57501]]

development, by itself would not establish a license requirement under 
ECCN 5E002, even where foreign persons are present. Section 744.9 is 
replaced by a ``license requirement'' note in ECCN 5E002 on the 
Commerce Control List.

Supplement No. 2 to Part 748 ``Unique Application and Submission 
Requirements''

    This rule adds a sentence instructing applicants to place an ``X'' 
in the box marked ``classification request'' in Block 5 (Type of 
Application) of Form BIS-748P or select ``Commodity Classification'' if 
filing electronically, because neither the electronic nor paper forms 
provide a separate Block to check for submission of encryption review 
requests.

Section 750.3 Review of License Application by BIS and Other Government 
Agencies and Departments

    This rule makes an editorial correction by removing paragraph 
(b)(2)(iv) and redesignating (b)(2)(v) as (b)(2)(iv). This paragraph 
referred to the Arms Control and Disarmament Agency (ACDA), which no 
longer exists. However, ACDA's personnel and functions were absorbed by 
the Department of State in 1999. Therefore, this rule revises paragraph 
(b)(2)(iii) by adding national security and nuclear nonproliferation to 
the description of State Department's concerns. Missile technology is 
also added as a State Department concern because the State Department 
chairs the Missile Technology Export control interagency working group.

Section 750.7 Issuance of Licenses

    This rule removes paragraph (c)(2), which explained how to amend 
your Encryption License Agreement (ELA) by letter. BIS has observed a 
trend that industry has been submitting license applications for 
replacement or new ELAs when they want a change. In addition, it is 
more efficient for applicants to apply and track applications than 
letters, because of BIS' electronic application system. It is also 
easier for BIS to process and track submissions of applications than 
letters for the same reason. Therefore, this provision is removed.
    This rule removes the third and fourth sentences in the 
introductory text of paragraph (d) that pertain to the responsibilities 
of a licensee with regard to ELAs. These sentences are removed, because 
a licensee may not transfer its license responsibilities.

Section 762.2 Records To Be Retained

    This rule removes paragraph (b)(8), which referred to records 
related to key escrow encryption items under License Exception KMI. 
This rule removes License Exception KMI and Supplement No. 4 to part 
742 ``Key Escrow or Key Recovery Products Criteria,'' therefore this 
recordkeeping requirement no longer exists.

Section 770.2 Item Interpretations

    This rule moves paragraph (n) ``Interpretation 14: Encryption 
commodity and software reviews,'' to a new note under paragraphs 
740.17(b) and 742.15(b), so that exporters do not miss this important 
information about when to submit a new product review when a change has 
occurred in the encryption product. The text of this paragraph is also 
revised for clarity. The note explains that a new product review is not 
required when a change involves: the subsequent bundling, patches, 
upgrades or releases of a product; name changes; or changes to a 
previously reviewed encryption product limited to updates in an 
encryption software component (e.g., version updates of an encryption 
library that is called by a product to provide encryption functionality 
where the encryption library has either already been reviewed or did 
not require prior review.)

Section 772.1 Definition of terms as used in the Export Administration 
Regulations (EAR)

    This rule removes the definition of ``strategic partner'' as this 
term is not used in the control or licensing of encryption items. This 
rule also adds definitions for two new terms ``ancillary cryptography'' 
and ``personal area network,'' which are associated with new review and 
reporting exclusions in License Exception ENC.

Commerce Control List--Supplement No. 1 to Part 774

    This rule revises the Nota Bene to the Cryptography Note at the 
beginning of Category 5 Part 2 in order to harmonize it with the 
revisions in this rule.
    This rule clarifies what is controlled for ``EI'' reasons in ECCNs 
5A002, 5D002, and 5E002 by replacing the text ``EI applies to 
encryption items transferred from the U.S. Munitions List to the 
Commerce Control List consistent with E.O.13026 of November 15, 1996 
(61 FR 58767) and pursuant to the Presidential Memorandum of that date. 
Refer to Sec.  742.15 of this subchapter.'' with appropriate text that 
refers to specific paragraphs within those ECCNs for which EI applies. 
For ECCN 5A002, the new EI control reads ``EI applies to 5A002.a.1, 
a.2, a.5, a.6 and a.9. Refer to Sec.  742.15 of the EAR.'' For ECCN 
5D002, the new EI control reads, ``EI applies to ``software'' in 
5D002.a or c.1 for equipment controlled for EI reasons in ECCN 5A002. 
Refer to Sec.  742.15 of the EAR.'' For ECCN 5E002, the new EI control 
reads, ``EI applies to ``technology'' for the ``development,'' 
``production,'' or ``use'' of commodities or ``software'' controlled 
for EI reasons in ECCNs 5A002 or 5D002. Refer to Sec.  742.15 of the 
EAR.'' In addition, License Exception ENC is added to the License 
Exception section of each of these ECCNs, because it is the principal 
license exception for EI controlled items.

ECCN 5A002

    This rule removes the license requirement notes section from ECCN 
5A002, because there is no Wassenaar reporting requirement for this 
ECCN. In addition, this rule makes editorial corrections to the Related 
Controls paragraph by replacing the use of the term ``items'' with 
commodities when referring to ECCN 5A002 and 5A992. Moreover, this rule 
clarifies that if commodities are listed in paragraphs (a) through (f) 
in the Note to 5A002, and therefore the commodities are classified 
under ECCN 5A992, then the related software and technology are 
classified under ECCNs 5D992 and 5E992, respectively. This rule also 
revises Related Controls note 2 to be consistent with the mass market 
review procedures of Sec.  742.15 of the EAR. This note now reads ``2) 
After a review and classification by BIS, mass market encryption 
commodities that meet eligibility requirements are released from ``EI'' 
and ``NS'' controls. These commodities are classified under ECCN 
5A992.c. See Sec.  742.15(b) of the EAR.''

ECCN 5A992

    This rule revises the anti-terrorism (AT) controls for ECCN 5A992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. This rule adds a new paragraph 5A992.c. 
This new paragraph clarifies that a mass market commodity is classified 
under ECCN 5A992 upon completion of Government review of a commodity in 
accordance with paragraph 742.15(b) of the EAR, when that review 
determines that the commodity meets the requirements for mass market 
treatment. Encryption items are no longer presumed eligible for mass 
market treatment while pending Government review.

[[Page 57502]]

ECCN 5D002

    This rule removes the third note in the License Requirement 
section, because the information in it does not harmonize with the 
revision made in this rule. In addition, this rule adds another note to 
the Related Controls paragraph to inform the public about the review 
and classification of mass market software.

ECCN 5D992

    This rule revises the anti-terrorism (AT) controls for ECCN 5D992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. Paragraphs 5D992.a.1 and a.2, and 
5D992.b.1 and b.2, are combined as 5D992.a and 5D992.b, respectively, 
in order to simplify the entry. This rule also removes paragraph 
5D992.c (``software'' designed or modified to protect against malicious 
computer damage, e.g., viruses) from ECCN 5D992, while adding a note in 
the Related Control stating, ``This entry does not control ``software'' 
designed or modified to protect against malicious computer damage, 
e.g., viruses, where the use of ``cryptography'' is limited to 
authentication, digital signature and/or the decryption of data or 
files.'' Certain software for protection against malicious damage that 
meet the criteria of the Related Control note are thus now decontrolled 
and classified as EAR99, unless the software performs functions that 
are controlled under other ECCNs (whether under Category 5, part 2 or 
elsewhere in the Commerce Control List). Such software remains subject 
to the EAR and may be classified under ECCN 5D002 or 5D992 if it 
performs cryptographic functionality controlled by these Category 5, 
part 2 ECCNs (e.g., data or file encryption, including of user or 
system data under Secure Socket Layer (SSL) encryption, even if the 
cryptographic functionality is not directly user accessible.) Examples 
of software decontrolled by this change include certain firewall and 
other software for the screening of digital content and the detection 
and removal of viruses, spyware and unsolicited commercial e-mail.
    This rule also adds a new paragraph 5D992.c. This paragraph 
clarifies that mass market software is classified under ECCN 5D992.c 
upon completion of Government review of the software in accord with 
Sec.  742.15 of the EAR when that review determines that the software 
meets the requirements for mass market treatment. Encryption software 
is no longer presumed eligible for mass market treatment.

ECCN 5E002

    This rule adds a License Requirement Note to remind people to 
consider the possibility of the release of technology when performing 
technical assistance; the note reads, ``When a person performs or 
provides technical assistance that incorporates, or otherwise draws 
upon, ``technology'' that was either obtained in the United States or 
is of U.S.-origin, then a release of the ``technology'' takes place. 
Such technical assistance, when rendered with the intent to aid in the 
``development'' or ``production'' of encryption commodities or software 
that would be controlled for ``EI'' reasons under ECCN 5A002 or 5D002, 
may require authorization under the EAR even if the underlying 
encryption algorithm to be implemented is from the public domain or is 
not of U.S. origin.'' In addition, in order to harmonize with the 
revisions in this rule and for consistency, this rule adds text to the 
Related Controls paragraph of the List of Items Controlled section to 
read ``This entry does not control ``technology'' ``required'' for the 
``use'' of equipment excluded from control under the Related Controls 
paragraph or the Technical Notes in ECCN 5A002 or ``technology'' 
related to equipment excluded from control under ECCN 5A002. This 
``technology'' is classified as ECCN 5E992.''

ECCN 5E992

    This rule revises the anti-terrorism (AT) controls for ECCN 5E992, 
by placing the entire entry under AT Column 1 controls, for ease of 
understanding and compliance. This rule revises the references in 
5E992.a and .b to conform to revisions included in this rule.
    Although the Export Administration Act expired on August 20, 2001, 
the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 
2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 
73 FR 43603 (July 25, 2008), has continued the Export Administration 
Regulations in effect under the International Emergency Economic Powers 
Act.

Rulemaking Requirements

    1. This interim final rule has been determined to be not 
significant for purposes of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to, nor shall any person be subject to a penalty 
for failure to comply with a collection of information subject to the 
requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et. 
seq.) (PRA), unless that collection of information displays a currently 
valid Office of Management and Budget (OMB) Control Number. This rule 
involves two collections of information subject to the PRA. One of the 
collections has been approved by OMB under control number 0694-0088, 
``Multi Purpose Application,'' and carries a burden hour estimate of 58 
minutes for a manual or electronic submission. The other collection has 
been approved by OMB under control number 0694-0104, ``Commercial 
Encryption Items Under the Jurisdiction of the Department of 
Commerce,'' and carries a burden hour estimate of 7 hours for a manual 
or electronic submission. Send comments regarding these burden 
estimates or any other aspect of these collections of information, 
including suggestions for reducing the burden, to Jasmeet Seehra, OMB 
Desk Officer, by e-mail at jseehra@omb.eop.gov or by fax to (202) 395-
7285; and to the Office of Administration, Bureau of Industry and 
Security, Department of Commerce, 14th and Pennsylvania Avenue, NW., 
Room 6622, Washington, DC 20230.
    3. This rule does not contain policies with Federalism implications 
as that term is defined under Executive Order 13132.
    4. The provisions of the Administrative Procedure Act (5 U.S.C. 
553) requiring notice of proposed rulemaking, the opportunity for 
public participation, and a delay in effective date, are inapplicable 
because this regulation involves a military and foreign affairs 
function of the United States (5 U.S.C. 553(a)(1)). Further, no other 
law requires that a notice of proposed rulemaking and an opportunity 
for public comment be given for this interim final rule. Because a 
notice of proposed rulemaking and an opportunity for public comment are 
not required to be given for this rule under the Administrative 
Procedure Act or by any other law, the analytical requirements of the 
Regulatory Flexibility Act (5 U.S.C. 601 et. seq.) are not applicable. 
Therefore, this regulation is issued in interim final form. Although 
there is no formal comment period, public comments on this regulation 
are welcome on a continuing basis. Comments should be submitted to 
Sharron Cook, Office of Exporter Services, Bureau of Industry and 
Security, Department of Commerce, 14th and Pennsylvania Ave., NW., Room 
2705, Washington, DC 20230.

[[Page 57503]]

List of Subjects

15 CFR Parts 732, 740, 748 and 750

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Parts 738, 770 and 772

    Exports.

15 CFR Part 744

    Exports, Reporting and recordkeeping requirements, Terrorism.

15 CFR Part 742

    Exports, Terrorism.

15 CFR Part 746

    Exports, Reporting and recordkeeping requirements.

15 CFR Part 762

    Administrative practice and procedure, Business and industry, 
Confidential business information, Exports, Reporting and recordkeeping 
requirements.

15 CFR Part 774

    Exports, Reporting and recordkeeping requirements.

0
Accordingly, parts 732, 734, 738, 740, 742, 744, 746, 748, 750, 762, 
770, 772 and 774 of the Export Administration Regulations (15 CFR parts 
730-774) are amended as follows:

PART 732--[AMENDED]

0
1. The authority citation for part 732 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. 
seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 
13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 
2008, 73 FR 43603 (July 25, 2008).


0
2. Section 732.2 is amended by revising paragraph (b) to read as 
follows:


Sec.  732.2  Steps Regarding Scope of the EAR

* * * * *
    (b) Step 2: Publicly available technology and software. This step 
is relevant for both exports and reexports. Determine if your 
technology or software is publicly available as defined and explained 
at part 734 of the EAR. Supplement No. 1 to part 734 of the EAR 
contains several practical examples describing publicly available 
technology and software that are outside the scope of the EAR. The 
examples are illustrative, not comprehensive. Note that encryption 
software controlled for EI reasons under ECCN 5D002 on the Commerce 
Control List (refer to Supplement No.1 to Part 774 of the EAR) and mass 
market encryption software with symmetric key length exceeding 64-bits 
classified under ECCN 5D992 shall be subject to the EAR even if 
publicly available. Accordingly, the provisions of the EAR concerning 
the public availability of items are not applicable to encryption items 
controlled for ``EI'' reasons under ECCN 5D002 and mass market 
encryption software with symmetric key length exceeding 64-bits 
classified under ECCN 5D992.
* * * * *

PART 734--[AMENDED]

0
3. The authority citation for part 734 is revised to read as follows:

    Authority: 50 U.S.C. app. 2401 et. seq.; 50 U.S.C. 1701 et. 
seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 
13020, 61 FR 54079, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 61 FR 
58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 
2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 
2008); Notice of November 8, 2007, 72 FR 63963 (November 13, 2007).


0
4. Section 734.3 is amended by adding a note to paragraph (a)(4) to 
read as follows:


Sec.  734.3  Items Subject to the EAR

    (a) * * *
    (4) * * *

    Note to paragraph (a)(4): Certain foreign-manufactured items 
developed or produced from U.S.-origin encryption items exported 
pursuant to License Exception ENC are subject to the EAR. See 
sections 740.17(a) and 740.17(b)(4)(ii) of the EAR.



0
5. Supplement No. 1 to part 734 is amended by revising the introductory 
paragraph to read as follows:

Supplement No. 1 to Part 734--Questions and Answers--Technology and 
Software Subject to the EAR

    This Supplement No. 1 contains explanatory questions and answers 
relating to technology and software that is subject to the EAR. It is 
intended to give the public guidance in understanding how BIS 
interprets this part, but is only illustrative, not comprehensive. In 
addition, facts or circumstances that differ in any material way from 
those set forth in the questions or answers will be considered under 
the applicable provisions of the EAR. Exporters should note that the 
provisions of this supplement do not apply to encryption software 
classified under ECCN 5D002 for ``EI'' reasons on the Commerce Control 
List or to mass market encryption software with symmetric key length 
exceeding 64-bits classified under ECCN 5D992. This Supplement is 
divided into nine sections according to topic as follows:
* * * * *

PART 738--[AMENDED]

0
6. The authority citation for part 738 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c; 22 U.S.C. 3201 et 
seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 
U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; 
22 U.S.C. 7201 et. seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 
CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., 
p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).


0
7. Section 738.4 is amended by revising paragraphs (a)(1) and 
(a)(2)(ii)(B) to read as follows:


Sec.  738.4  Determining Whether a License Is Required

    (a) * * *
    (1) Overview. Once you have determined that your item is classified 
under a specific ECCN, you must use information contained in the 
``License Requirements'' section of that ECCN in combination with the 
Country Chart to decide whether a license is required. Note that not 
all license requirements set forth under the ``License Requirements'' 
section of an ECCN refer you to the Commerce Country Chart, but in some 
cases this section will contain references to a specific section in the 
EAR for license requirements. In such cases, this section would not 
apply.
    (2) * * *
    (ii) * * *
    (B) If no, a license is not required based on the particular Reason 
for Control and destination. Provided that General Prohibitions Four 
through Ten do not apply to your proposed transaction and that any 
applicable review requirements described in Sec.  742.15(b) of the EAR 
have been met for certain mass market encryption items controlled under 
ECCNs 5A992 or 5D992, you may effect your shipment using the symbol 
``NLR.'' Proceed to parts 758 and 762 of the EAR for information on 
export clearance procedures and recordkeeping requirements. Note that 
although you may stop after determining a license is required based on 
the first Reason for Control, it is best to work through each 
applicable Reason for Control. A full analysis of every possible 
licensing requirement based on each applicable Reason for Control is 
required to determine the most advantageous License Exception available 
for your particular transaction and, if a license is

[[Page 57504]]

required, ascertain the scope of review conducted by BIS on your 
license application.
* * * * *

PART 740--[AMENDED]

0
8. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., 
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice 
of July 23, 2008, 73 FR 43603 (July 25, 2008).


0
9. Section 740.3 is amended by revising paragraph (d)(5) to read as 
follows:


Sec.  740.3  Shipments of Limited Value (LVS)

* * * * *
    (d) * * *
    (5) Exports and reexports of encryption components or spare parts. 
For components or spare parts controlled for ``EI'' reasons under ECCN 
5A002, exports and reexports under this License Exception must be 
destined to support a commodity previously authorized for export or 
reexport.
* * * * *

Sec.  740.8  [Removed]

0
10. Remove and reserve Sec.  740.8.

Sec.  740.13  [Amended]

0
11. Section 740.13 is amended by removing the quotation marks around 
the term ``mass market'' in paragraph (d) heading, paragraph (d)(1), 
footnote 1, paragraph (d)(3)(i) and paragraph (d)(3)(ii).


0
12. Section 740.17 is revised to read as follows:


Sec.  740.17  Encryption Commodities, Software and Technology (ENC).

    License Exception ENC authorizes export and reexport of software 
and commodities and components therefor that are classified under ECCNs 
5A002.a.1, a.2, a.5, a.6 or a.9, 5B002, 5D002, and technology that is 
classified under ECCN 5E002. This License Exception ENC does not 
authorize export or reexport to, or provision of any service in any 
country listed in Country Group E:1 in Supplement No. 1 to part 740 of 
the EAR, or release of source code or technology to any national of a 
country listed in Country Group E:1. Reexports and transfers under 
License Exception ENC are subject to the criteria set forth in 
paragraph (c) of this section. Paragraph (d) of this section sets forth 
information about review requests required by this section. Paragraph 
(e) sets forth reporting required by this section.
    (a) No prior review or post export reporting required--(1) Internal 
``development'' or ``production'' of new products. License Exception 
ENC authorizes exports and reexports of items described in paragraph 
(a)(1)(i) of this section, to end-users described in paragraph 
(a)(1)(ii) of this section, for the intended end-use described in 
paragraph (a)(1)(iii) of this section without prior review by the U.S. 
Government.
    (i) Eligible items. Eligible items are those classified under ECCNs 
5A002.a.1, .a.2, .a.5, .a.6, or .a.9, 5B002, 5D002, or 5E002.
    (ii) Eligible end-users. Eligible end-users are ``private sector 
end-users'' wherever located, except to countries listed in Country 
Group E:1 (see Supplement No. 1 to part 740 of the EAR) that are 
headquartered in a country listed in Supplement No. 3 of this part.

    Note to paragraph (a)(1)(ii): A ``private sector end-user'' is: