New BIS Rule Restructures and Somewhat Eases Export Controls on Encryption Items

By: Olga Torres and Matt Fogarty
Date: 11/09/2016

On September 20, the Department of Commerce's Bureau of Industry and Security ("BIS") issued a lengthy Federal Register notice implementing a number of updates from the 2015 Wassenaar Arrangement meeting and making certain other changes to the Export Administration Regulations ("EAR").[1] Most notably, BIS substantially restructured and, to some extent, eased EAR controls applicable to hardware and software that use encryption. While the encryption-related changes generally do not alter the scope of items controlled under the EAR, they do require U.S. manufacturers and exporters to reclassify some of the more commonly exported encryption items.

Provided below is a brief summary of the September 20 changes to the EAR's encryption regulations.

Consolidation of Encryption Registration and Semi-Annual Reporting for License Exception ENC

In addition to the new and revised ECCNs discussed below, BIS combined the annual registration and semi-annual reporting required under License Exception ENC. Previously, manufacturers and exporters of most 5X002 encryption products[2] were required to register with BIS in order to be able to use License Exception ENC. The registration statement requested a number of details regarding the registrant, and BIS, in return, provided an Encryption Registration Number ("ERN") that effectively served as proof of the registrant's ability to self-classify its products. These companies were also required to submit a semi-annual report listing all of the products the company had self-classified during the six-month period. The September 20 rule consolidates these two requirements by deleting the registration requirement (and the ERN) and incorporating certain of the registration questions into the information required in the semi-annual report.

In general, this is a positive change insofar as it somewhat reduces the burden on manufacturers and exporters. However, it could present a challenge; whereas previously an exporter could rely on a manufacturer's ERN as some evidence that the manufacturer was familiar with and in compliance with the encryption regulations. Now, it is particularly important for exporters to ensure that manufacturers are sufficiently familiar with the EAR before relying on their self-classification, as well as to retain any classification-related communications with manufacturers.

Deletion of 5X992 for Authentication-Only Products

Further, the September 20 rule removes a number of encryption products from Category 5, Part II of the CCL. In particular, 5X992 previously captured mass market encryption products and products that use encryption only for password protection, authentication, or digital signature. While mass market items remain classified in 5X992, the latter class of products—products that use encryption for limited purposes—are no longer classified under 5X992. Rather, these products are now classified either in some other category on the CCL or, if not described in any other ECCN, as EAR99.

This change should not significantly alter the licensing requirements applicable to authentication-only encryption products. Products captured in 5X992 are controlled only for anti-terrorism reasons and may be exported to most destinations outside of countries and regions subject to U.S. economic sanctions (namely Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of the Ukraine). Similarly, products classified as EAR99 would, in most cases, require a license for export to a sanctioned destination. However, as a practical matter, this change could be burdensome for manufacturers and exporters that deal with large numbers of items under the 5X992 classification and now need to review these items against other categories on the CCL and reclassify them accordingly.

Restructuring of ECCN 5X002 / Creation of 5X003 and 5X004

The September 20 rule restructures controls under ECCN 5X002 by moving certain items previously controlled under that ECCN to newly established ECCNs 5X003 and 5X004. Specifically, while most hardware and software that use strong encryption (and related technology) remain covered under 5X002, the new ECCNs now capture other items previously caught in 5X002, as follows:

  • 5X003—This new ECCN captures items that employ non-cryptographic information security. More specifically, the ECCN captures two types of items: communications cable systems that use mechanical, electrical, or electronic means to detect surreptitious intrusion; and certain items specially designed or modified to reduce compromising emanations of information-bearing signals.
  • 5X004—This ECCN captures items for defeating, weakening, or bypassing information security, including cryptanalysis tools designed to defeat encryption and other cryptographic mechanisms to derive, for example, clear text, passwords, and encryption keys.

As with the removal of items from 5X992, this restructuring does not generally alter the scope of items controlled under the EAR, nor does it substantially alter the licensing requirements applicable to items that were formerly 5X002. However, again, as a practical matter, the change does mean that manufacturers and exporters of items that use non-cryptographic means for information security or items intended to defeat, weaken, or bypass information security must now review and reclassify their products.

We would be pleased to provide additional information regarding these changes and the EAR's encryption regulations, in general, upon request.


[1]    "Wassenaar Arrangement 2015 Plenary Agreements Implementation, Removal of Foreign National Review Requirements, and Information Security Updates," 81 Fed.Reg. 64,656 (Sept. 20, 2016).

[2]    Note that we use "X" within the ECCN to indicate that changes apply to all types of encryption products—hardware (5A002), software (5D002), and technology (5E002).