Latest Posts
Search for:

BIS Updates Reporting Requirements Relating to Mass-Market Encryption Items and Publicly Available Software, and also Updates Certain Classifications

By , and 4 Mins Read

On March 29, 2021, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule  (“Final Rule”) implementing changes to the Export Administration Regulations (“EAR”) that were agreed to at the December 2019 Wassenaar Arrangement Plenary meeting.  Specifically, the Final Rule modified the reporting and self-classification requirements for exports of most mass-market encryption items and the email notification requirement for exports of publicly available encryption source code and beta test software. The final rule also revised the Export Control Classification Number (“ECCN”) entries of twenty-two items on the EAR’s Commerce Control List (“CCL”), which generally narrows the scope of the controls or provides clarification on the existing entries.

Relaxation of Controls on Certain Encryption Items

The Final Rule implemented three major changes to EAR provisions regarding encryption items identified in Category 5, Part 2 of the CCL in Supplement No. 1 to Part 774 of the EAR.

  • First, the Final Rule moved mass-market encryption components (including chipsets, chips, electronic assemblies, and field-programmable logic devices), the executable software related to such encryption components, toolsets, and toolkits from EAR Section 740.17(b)(3) to 740.17(b)(1).  Whereas previously these items could only have been exported under License Exception ENC after the submission of a mandatory classification request to BIS, they now can be self-classified under Export Control Classification Numbers (“ECCN”) 5A992.c. or 5D992.c. as mass-market items.  BIS notes that most cryptographic libraries and modules will remain Section 740.17(b)(3) items.
  • Second, the Final Rule amended Section 740.17(e) of the EAR such that mass-market development kits (toolsets) and toolkits that are stand-alone products (e.g., are not components or executable software) that fall under Section 740.17(b)(1) of the EAR no longer require submission of an annual self-classification report.  Mass market components and their executable software that are self-classified under ECCN 5A992.c or 5D992.c, however, are subject to the annual self-classification reporting requirements.
  • Third, the Final Rule eliminated the requirement previously included in EAR Section 742.15(b) to submit email notifications to BIS and the ENC Encryption Coordinator as a condition for publicly available encryption source code to be released from control under the EAR.  Prior to this change, an email notification was required that provided the Internet location (e.g., URL or internet address) or a copy of the publicly available encryption source code before such source code could be considered not subject to the EAR.

Importantly, none of the above changes affect any of the License Exception ENC requirements for any non-mass market encryption item or any encryption item (mass market or not) that implements “nonstandard cryptography.”

This Final Rule also implemented other changes that are unrelated to mass-market encryption items. Specifically, the Final Rule:

  • eliminated the reporting requirement under EAR Section 740.9(c)(8) for beta test encryption software under license exception TMP, as long as the product does not implement nonstandard cryptography;
  • expanded an exclusion in the encryption controls for wireless personal area network functionality by eliminating the range limitations such that items using only published or commercial cryptographic standards, where the information security functionality is limited to personal area network functionality, now fall outside of EAR’s encryption controls;
  • added gateways to an existing carve-out from the encryption controls for certain items (e.g.,
    routers, switches, relays) that are limited to the tasks of Operations, Administration, or Maintenance
    (OAM).

Other Non-Encryption Related Changes

Apart from the aforementioned encryption-related changes, the Final Rule also revised the ECCN entries of twenty-two items in Categories 0, 1, 2, 3, 5, 6, and 9 of the CCL to align with decisions made at the December 2019 Wassenaar plenary meeting. Items impacted by these revisions include body armor, metal alloys, optical sensors, and spacecraft-related software. Most of the changes either narrow the scope of the controls or provide clarification on existing entries. These changes follow BIS’s October 2020 rule implementing revisions to the EAR related to emerging technologies, which also were agreed upon at the 2019 Wassenaar plenary meeting.

Categories:
Author

Mr. McMillan's practice involves compliance counseling; compliance programs; licensing; compliance reviews; internal investigations; voluntary disclosures; administrative enforcement actions; criminal investigations; customs inquiries, audits, detentions, and seizures; and trade-compliance due diligence and post-acquisition integration in mergers and acquisitions. His practice includes matters that implicate the US International Traffic in Arms Regulations (ITAR), US Export Administration Regulations (EAR), US National Industrial Security Program (NISP), the US Committee on Foreign Investment in the United States (CFIUS), and equivalent non-US laws. Mr. McMillan regularly advises on and represents clients in matters involving technology, including its control, protection, accidental disclosure, diversion, or unauthorized collection. Mr. McMillan has extensive experience working with companies in the aerospace and defense industry, as well as companies in the Middle East and other parts of Asia.

Author

Meg's practice involves assisting multinational companies with export compliance related matters, specifically trade sanctions and export control classifications. Additionally, she assists companies with respect to customs laws, anti-boycott laws and other trade regulation issues in the US and abroad. She also helps obtain authorizations from the US government for activities subject to sanctions regulations and US export control regulations, including the Export Administration Regulations and the International Traffic in Arms Regulations. Meg's practice extends to assistance in internal compliance reviews as well as enforcement actions and disclosures necessitated by US government action.

Author

Iris's practice involves assisting multinational companies with a wide range of trade matters including export controls, sanctions, internal investigations and risk assessments. She also assists companies with respect to customs laws and other trade regulation issues in the US and abroad. Iris's practice extends to assistance in internal compliance reviews as well as enforcement actions and disclosures necessitated by US government action.

Related Posts