| Beth Peterson president, BPE beth@bpeglobal.com |  |
Back in June, the U.S. Commerce Department's Bureau of Industry and Security (BIS) published the long awaited Interim Final Rule on Encryption Export Controls. These changes were much anticipated and are the first step in the Obama administration's efforts to reform export controls.
If you think these changes don't affect you, think again. Almost every company uses and exports some form of encryption ' be it networking equipment for offices abroad, intellectual property protection of software or operating systems for products. These changes are important and will help streamline the classification process in some ways, but will also add burdens.
A very welcome regulation change is with respect to encryption products of lesser national security concern. No longer will you have to wait 30 days following the submission of an encryption review request. You can instead self-classify these items and receive immediate authorization to export and re-export most mass-market encryption products.
But there's a catch. To self classify you must obtain an Encryption Registration Number (ERN). BIS has created a new SNAP-R (Simplified Network Application Process Redesign) screen for encryption registrations. When an encryption registration is submitted via SNAP-R, it will issue an ERN (which will start with an 'R' followed by six digits, e.g., R123456). If you are not the producer of encryption items that you wish to self classify under immediate authorization, you can and should submit an encryption registration, which is required for most exports under License Exception ENC, and to be eligible for mass-market treatment.
Unfortunately, the encryption changes now require you to file a new annual self-classification report on items you self classify under License Exception ENC. BIS provides some relief by no longer requiring the semi-annual sales report for items that are ENC Unrestricted, with the exception of those items described under 740.17(b)(3)(iii). Reporting is still required for ENC Restricted items.
Maybe one of the best outcomes of the encryption changes is the fact that many items that incorporate or use cryptography have been completely removed from Encryption Controls if the item's primary function or set of functions is not 'information security,' computing, communications, storing information or networking, and if the cryptographic functionality is limited to supporting the primary function of the item. BIS previously called these items Ancillary Cryptography.
The primary function of an item is the obvious, or main, purpose of the item. The 'communications' and 'information storage' primary function does not include items that support entertainment, mass commercial broadcasts, digital rights management or medical records management. BIS provides a list with lots of examples of items that are now excluded from encryption items in the Interim Final Rule.
Encryption classification requests remain in effect for all 'encryption components,' including mass-market encryption components, and for encryption commodities, software that provide or perform 'non-standard cryptography,' including mass-market encryption commodities, software and components.
Encryption components are now classified in a new definition of 'non-standard cryptography.' Encryption components are:
' Chips.
' Chipsets.
' Electronic assemblies and field programmable logic devices.
' Cryptographic libraries.
' Modules.
' Development kits and toolkits, including operating systems and cryptographic service providers and application-specific hardware or software development kits implementing cryptography.
This rule updates the list of ENC Restricted items and creates a new specific list of additional sensitive items. These amendments are consistent with determinations that, for national security reasons, encryption commodities and software that provide penetration capabilities which can be used to attack, deny, disrupt or otherwise impair the use of cyber infrastructure or networks require a license in order to be exported to 'government end users' in countries other than the Supplement 3 countries.
This rule does provide quite a bit of relief for exporters, but the additional Encryption Registration and self-classification reports will place additional administrative burdens on exporters. Don't forget to register your company and review your existing products. Then establish a process to collect your self-classification report data and submit any comments you have to BIS on this Interim Final Rule.
Beth Peterson is the president of BPE, a global trade consulting and training firm, and can be reached at (415) 845-8967 or beth@bpeglobal.com.
