BIS Eases License Requirements for Exports of Many Encryption Products

June 25, 2010

On June 25, 2010, the Commerce Department’s Bureaus of Industry and Security (BIS) published an interim final rule easing export controls on encryption products. As an interim final rule, the rule enters into effect immediately, as the first major accomplishment of the Obama administration’s efforts to expand exports, but is subject to a 60-day public comment period that could result in further changes.

The new rule provides for conditional immediate authorization to export less sensitive encryption items under License Exception ENC or as mass market encryption items. Under these new procedures, exporters will no longer have to submit an application to BIS and wait through the 30-day technical review period for less sensitive items. Instead, companies will have to complete a one-time registration with BIS and send BIS an updated product list yearly. Less sensitive encryption products now eligible for these types of licenses now fall into a new category CFR 740.17(b)(1).

However, the under the new rule “encryption components,” which includes chips, chipsets, electronic assemblies and field programmable logic devices, cryptographic libraries, modules, development kits and toolkits, remain in category CFR 740.17(b)(3) and will still be subject to a 30-day review period. Items in category CFR 740.17(b)(4), such as source code, will also still require a 30-day review period. (b)(3) items differ from (b)(2) items in that licenses for (b)(3) items are required only for shipments to embargoed countries, whereas (b)(2) items require licenses for all shipments except those to close U.S. allies.

Additionally, the new rule inserts a new definition for “non-standard cryptography” is inserted in the Export Administration Regulations (EAR) at part 772, as “any implementation of cryptography involving the incorporation or use of proprietary or unpublished cryptographic functionality, including, encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.”

The new rule does not formalize a September 2009 advisory opinion suggesting that it is not a violation of U.S. export controls if an individual in an embargoed country downloads free software from the internet as many hoped it would. However, that suggestion is under a separate interagency review.   Finally, the rule also implements the 2009 Wassenaar Arrangement decision to decontrol “ancillary cryptography.”

To view the entire rule, as published by BIS, click here. For more information on how your company can benefit from the revised licensing provisions, please contact a Barnes/Richardson attorney.