Global Arbitration, Trade and Advocacy Update
BIS Loosens Controls on Less Sensitive, Mass Market Encryption Items and Publicly Available Encryption Source Code

On March 29, 2021, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to implement U.S. commitments from the 2019 Wassenaar Agreement plenary meeting.[1] Among other changes, these amendments simplify the export of mass market encryption items and items that use publicly available, standard encryption source code by eliminating applicable notification and reporting requirements. They also modify the scope of Export Control Classification Number (ECCN) 5A002 to exclude personal area networks and certain network gateways from the scope of encryption controls.
The export controls on encryption items — those items subject to Category 5, Part 2 of the EAR — are more complex than the controls on most other commodities. Encryption items require a license to be exported to most locations for national security reasons, but export is broadly authorized without a license under license exception ENC, in some cases with pre- or post-export filing conditions.
Prior to these amendments, some retail items were subject to pre-export review to be eligible for license exception ENC, and BIS required advance notification prior to making encryption source code publicly available — even for software that used only standard (published or nonproprietary) cryptography.
Now, “mass market” “components” (including “mass market” chips, chipsets, electronic assemblies and field programmable logic devices), “executable software,” toolsets, and toolkits are no longer subject to pre-export review. As a result of this change:
- Exporters may self-classify ECCN 5A992.c components and ECCN 5D992.c “executable software” of “mass market” products. Items containing “non-standard cryptography” and cryptographic libraries and modules are still subject to pre-export review by BIS. Self-classified mass market components and executable software will require an annual post-export report.
- Exporters may self-classify mass market toolsets and toolkits, with no annual post-export reporting, as long as they are stand-alone products (e.g., not “components” or “executable software” of another “mass market” product). This change is expected to materially reduce exporters’ reporting obligations.
Additionally, BIS has eliminated the requirement that exporters notify BIS in advance of the first export of, or on modification of, “publicly available” encryption source code and beta test encryption software categorized under 5D002, unless that software implements “non-standard cryptography” (in which case prior notice is still required).[2] BIS estimates that this revision will “produce an 80% reduction in notifications regarding publicly available encryption software.” Correspondingly, BIS has narrowed the scope of the notification requirement for beta test encryption software under license exception TMP to apply only to beta test encryption software implementing “non-standard cryptography.”
Finally, BIS has modified the scope of encryption-related controls under ECCN 5A002 by clarifying controls on cryptographic activation, eliminating controls on personal area networks, and reducing controls on network gateways where their “information security” functionality is limited to “Operations, Administration or Maintenance” and they implement only published or commercial cryptographic standards.
If you have questions about how your business may benefit from these changes, please contact your Sidley point of contact or one of the attorneys listed below.
[1] 86 FR 16482, Final Rule, published Mar. 26, 2021 (effective Mar. 29, 2021), https://www.federalregister.gov/documents/2021/03/29/2021-05481/export-administration-regulations-implementation-of-wassenaar-arrangement-2019-plenary-decisions.
[2] Nonstandard cryptography “[m]eans any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.” 15 CFR § 772.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP

