On September 20, 2016, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EARs) to incorporate the December 2015 changes to the Wassenaar Arrangement's List of Dual-Use Goods and Technologies (WA List) into the EAR (the "Rule"). This WSGR Alert focuses on the changes to the information-security-related provisions in the EAR. The amendments, which were effective on September 20, 2016, included both substantive changes to the information-security-related provisions and other technical and process-related changes.
Next week, please look for a WSGR Alert outlining amendments to the regulations related to transactions with—and travel to—Cuba. The regulations will be published on Monday, October 17, 2016.
Key Information-Security-Related Changes
- Two New Export Control Classification Numbers (ECCNs). The Rule added two new ECCNs to Category 5, Part 2 (C5P2)—ECCNs 5A003 and 5A004.
- ECCN 5A003 covers commodities, technology, and software (collectively "items") relating to non-cryptographic information security, including items to detect surreptitious intrusion.
- ECCN 5A004 covers items relating to defeating, weakening, or bypassing information security, including certain cryptanalytic items.
- C5P2 now has three sections: an initial section for cryptographic information security items covered by ECCNs 5X002 and 5X992 and the two new sections described above. This change facilitates the possible future imposition of separate controls on each section.
- Additional Encryption Items Moved to EAR99. Many low-level and limited-use encryption items previously classified under 5X992, including those with encryption limited to authentication, digital signature, password, and personal identification number (PIN) protection, are now classified as EAR99.
- Modest Changes to the Network Infrastructure Criteria. The definition of a network infrastructure item has been revised to clarify that it includes any "end item," commodity, or "software" for providing certain enumerated types of communications. These items are typically operated by or for telecommunications service providers, Internet service providers, governments, or medium- or large-sized businesses. The Rule clarifies that commodities, software, and components for the "cryptographic activation" of a network infrastructure item are also network infrastructure items. Finally, The Rule adds new criteria, eliminates others, such as the number of concurrent encrypted channels, and increases the throughput threshold to 250 Mbps from 90 Mbps and the number of end-points for encrypted signaling to 5,000 from 1,000.
- Relaxation of Licensing Requirement for Export of Network Infrastructure Items to Certain Government End-Users. Restricted network infrastructure items, namely those covered under Section 740.17(b)(2)(i)(A), can now be exported under License Exception ENC to "less sensitive government end users" in countries outside of Supplement 3 under License Exception ENC. Less sensitive government end users (defined in Part 772 of the EAR with various examples) include local, state, and provincial entities and civil national and federal entities, such as public works and public health.
- Removal of One-Time Company Registration Requirement. BIS no longer requires companies to obtain an Encryption Registration Number (ERN)—a requirement imposed by the June 2010 amendments to the EAR.
- Clarification of Encryption Reporting Requirements. Companies no longer need to include products that have been classified by BIS with a CCATS (a formal BIS classification ruling) in their annual encryption self-classification reports. Further, once an item has been included in a self-classification report, it no longer needs to be included in subsequent annual self-classification reports.
- Restructuring of Other Encryption Related Provisions. Notification of publicly available encryption source code, previously submitted to BIS under License Exception TSU, has now been moved to Section 742.15(b). Further, the Mass Market-related provisions have been modified and moved to Section 740.17.
Other Key Changes
The following other key changes may be of specific interest to our clients:
- The Foreign National Review requirement for License Exceptions CIV and APP for deemed exports has been removed.
- Adjusted peak performance (APP) for digital computers was raised from 8.0 to 12.5.
What Do I Need to Do?
- You are no longer required to obtain an ERN from BIS.
- If you have "restricted" network infrastructure products, review the new definition to ensure that they are still controlled as restricted items. Your products may be subject to a lower level of control.
- Some low-level encryption items and those that use limited encryption may have been removed from the Information Security Category. Their ECCN may now be EAR99, or they may fall under a different category. Review these items to determine the new ECCN.
- You may continue to use issued CCATS unless the encryption functionality of the product has changed. When the encryption functionality changes, you may need to submit a new request.
- When your next annual report is due, perform a review to determine if some items can be removed. Products that were self-classified under Section 740.17(b)(1) and have not been included in previous years' reports are still required to be included in this report.
- Encryption items still cannot be exported, reexported, or transferred without a license to Cuba, Iran, North Korea, Sudan, Syria, or the Crimea region of Ukraine.
Please contact Josephine Aiello LeBeau, 202-973-8813, email@example.com; Melissa Mannino, 202-973-8856, firstname.lastname@example.org; Anne Seymour, 202-973-8874, email@example.com; or any member of the export control and economic sanctions regulatory practice at Wilson Sonsini Goodrich & Rosati with any questions or to discuss the requirements governing the export of your information security commodities, software, and technology.