[Federal Register: December 31, 1998 (Volume 63, Number 251)]
[Rules and Regulations]
[Page 72156-72167]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31de98-18]

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 740, 742, 743, 772 and 774

[Docket No. 9809-11233-8318-02]
RIN 0694-AB80

Encryption Items

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Interim rule; request for comments.

SUMMARY: This interim rule amends the Export Administration Regulations (EAR) for exports and reexports of encryption commodities and software to U.S. subsidiaries, insurance companies, health and medical end-users, on-line merchants and foreign commercial firms. This rule implements the Administration's initiative to update its encryption policy, and will streamline U.S. encryption export and reexport controls.

DATES: This rule is effective: December 31, 1998. Comments must be received on or before March 1, 1999.

ADDRESSES: Written comments on this rule should be sent to Nancy Crowe, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, DC 20044. Express mail address: Nancy Crowe, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave, N.W., Room 2705, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: James Lewis, Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Telephone: (202) 482-0092.

SUPPLEMENTARY INFORMATION: On September 16, 1998, the Administration announced a series of steps to update its encryption policy in a way that meets the full range of national interests.
These steps will promote electronic commerce, support law enforcement and national security, and protect privacy. They also further streamline exports and reexports of key recovery products, and other recoverable encryption products, which allow for the recovery of plaintext, and permit exports and reexports of encryption of any key length (with or without key recovery) to several industry sectors. This interim rule amends the EAR for exports and reexports of encryption commodities and software to U.S. subsidiaries, insurance companies, health and medical end-users, on-line merchants and foreign commercial firms. Specifically, this rule amends the EAR in the following ways: 1. In Sec. 740.8, Key Management Infrastructure, removes the key recovery agent requirements for License Exception KMI eligibility for exports and reexports of recovery encryption commodities and software. Further, key recovery commitment plans and the six month progress reviews are eliminated and exporters are no longer required to name or submit to BXA additional information on a key recovery agent prior to export. The products may be exported or reexported under License Exception KMI after a technical review. Note also that 56-bit products supported by a KMI plan that have been classified after a technical review and are eligible under License Exception KMI are now eligible for export and reexport under License Exception ENC (see Sec. 740.17(a)(3) of the EAR). 2. Also in Sec. 740.8, removes and adds to newly created License Exception ENC the paragraphs concerning financial-specific encryption commodities and software and general purpose encryption commodities and software for banks and financial institutions. This transfer will simplify the use of License Exceptions for encryption commodities and software and creates no change in policy. 3. In part 740, creates new License Exception ENC by adding Sec. 740.17, Encryption commodities and software. 
This new License Exception is divided into two significant parts: a global [[Page 72157]] category including the use of License Exception ENC for exports and reexports of encryption commodities and software to all destinations, except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria; and a country specific category permitting the use of License Exception ENC for exports and reexports of encryption commodities and software to countries listed in Supplement No. 3 to part 740. This new License Exception allows the following exports and reexports of encryption commodities and software that are classified under ECCNs 5A002 and 5D002, after a technical review that considers the cryptographic functionality of the product: a. Exports and reexports of encryption commodities, software and technology, including source code of any key length are also eligible under this license exception to U.S. subsidiaries for internal company proprietary use to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Encryption chips, integrated circuits, toolkits, executable or linkable modules, which can modify or enhance the cryptographic functionality (e.g., the confidentiality algorithm, key space and key exchange mechanism) or incorporate the cryptographic function in another item are eligible for license exception ENC only for export to U.S. subsidiaries. Note that exports to ``strategic partners'' of U.S. companies, such as subcontractors and joint ventures, will be considered favorably under a license when the end-use is for the protection of U.S. company proprietary information. For the purposes of this regulation, consideration as a ``strategic partner,'' as defined in part 772, should not be deemed to alter or affect any legal relationship that might otherwise exist between the relevant parties. b. 
Encryption commodities, including mass market and non-mass market, and non-mass market software incorporating symmetric algorithms with key lengths up to and including 56-bits, such as DES or equivalent (such as RC2, RC4, RC5 and CAST) to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Encryption chips, integrated circuits, toolkits and executable or linkable modules are not authorized for export under License Exception ENC and will require a license or an Encryption Licensing Arrangement. Note that subsequent bundling, updates or releases may be exported and reexported under applicable provisions of the EAR without a separate technical review as long as the functional encryption capacity of the originally reviewed encryption commodities, including mass market and non-mass market, and non-mass market software has not been modified or enhanced. c. Authorizes insurance companies to receive general purpose encryption commodities and software of any key length that have been classified after a technical review. This change corresponds with the addition of insurance companies to the definition of financial institutions in part 772. With this change, exports and reexports of general purpose encryption commodities and software are eligible under License Exception ENC to financial institutions (including insurance companies) in all destinations listed in Supplement No. 3 to part 740, and to branches of these entities located worldwide except countries that support international terrorism (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria). d. Encryption commodities and software of any key length to health and medical end-users in all destinations listed in Supplement No. 3 to part 740. Exports and reexports of such commodities and software are not eligible under License Exception ENC to non-U.S. biochemical and pharmaceutical manufacturers and non-U.S. military health and medical entities. 
Licenses for such entities will be considered on a case-by-case basis. e. Encryption commodities and software of any key length for on-line merchants in all destinations listed in Supplement No. 3 to part 740. Such commodities and software must be limited to client-server applications (e.g., Secure Socket Layer (SSL) based applications) or applications specially designed for on-line transactions. End-use is limited to the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. No other end-uses or customer to customer communications or transactions are allowed. Foreign on-line merchants or their separate business units who are engaged in the manufacturing and distribution of items or services controlled on the U.S. Munitions List are excluded. Foreign government end-users also are excluded from this License Exception. Examples of permitted end-uses under License Exception ENC for on-line merchants include buying and selling goods and software through an electronic medium, which may involve the ordering of, and payment for goods and software; placing and receiving orders; pricing, configuration, validation and ordering of products; obtaining copies of invoices; reviewing shipping schedules; notification of shipments or changes; and placing reservations and purchasing airline tickets. It allows for contract manufacturers to directly access demand and inventory information; direct purchasing with trading partners; approval functions for requisitions which require approval; and on-line catalogue purchases, and the electronic exchange of purchase or sales information by multiple trading partners. 
It does not include such end-uses as general purpose messaging, collaborative research projects (e.g., collaborative engineering), data warehousing, remote computing services or electronic communications services. 4. In Supplement No. 3 to part 740, adds Czech Republic and United States to the list of countries to clarify that branches of Czech Republic and U.S. banks and financial institutions, located worldwide except in countries that support international terrorism (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) may receive general purpose encryption commodities and software limited to secure business financial communications or transactions and financial communications or transactions between the bank and/or financial institution and its customers. Supplement No. 3 is also amended to reflect the licensing policy for exports and reexports of recoverable encryption commodities and software to commercial entities located in certain countries and subsidiaries of commercial entities headquartered in certain countries, wherever located, except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. 5. In Sec. 742.15, revises the licensing policy for exports and reexports of encryption items as follows: a. Removes the business and marketing plan requirement for exports of non-recovery 56-bit DES or equivalent encryption items. b. Authorizes upgrades of 40-bit mass-market encryption software that has already been classified after a technical review and released from EI controls. Such software may be upgraded to 56-bits for the confidentiality algorithm without an additional technical review. c. Makes certain encryption commodities eligible for mass-market treatment. d. For exports and reexports of general purpose encryption commodities and software of any key length that are not eligible under License Exception ENC, insurance companies are now eligible to receive [[Page 72158]] such products under an Encryption Licensing Arrangement. 
This is consistent with the addition of insurance companies to the definition of financial institutions in part 772. Such encryption commodities and software will receive favorable consideration when the end-use is limited to secure financial communications or transactions, provided that there are no concerns about the country or specific end-user. e. For exports and reexports of encryption commodities and software of any key length not eligible under License Exception ENC, such commodities and software will generally be approved under an Encryption Licensing Arrangement to all health and medical end-users, except non-U.S. biochemical and pharmaceutical manufacturers and non-U.S. military health and medical entities, in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. f. For exports and reexports of encryption commodities and software of any key length not eligible under License Exception ENC, such commodities and software will generally be approved under an Encryption Licensing Arrangement to on-line merchants in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. The end-use is limited to the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. No other end-uses or customer-to-customer communications or transactions are allowed. g. Exports and reexports of recoverable encryption commodities and software of any key length for use by commercial entities will generally be approved under an Encryption Licensing Arrangement to destinations listed in Supplement No. 3 to part 740 for the protection of company proprietary information. 
Such encryption commodities and software will also generally be approved for export and reexport to worldwide foreign subsidiaries of commercial firms headquartered in certain countries, except to subsidiaries located in Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement is reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests. All other exports and reexports of encryption items are reviewed on a case-by-case basis under a license application. 6. Also in Sec. 742.15, clarifies the reporting requirement for exports to certain end-users. 7. In part 772, revises the definition of financial institution to include the meaning of insurance company and adds definitions for business unit, health and medical end-user, on-line merchant, recoverable commodities and software, strategic partner (of a U.S. company), and U.S. subsidiary. Also clarifies that such definitions only apply to encryption items. BXA will in the near future update these regulations to reflect changes to encryption controls in the Wassenaar Arrangement and to address public comments on the September 22, 1998 rule (63 FR 50516) that implemented new licensing policies for banks and financial institutions. Rulemaking Requirements 1. This interim rule has been determined to be significant for purposes of E.O. 12866. 2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid Office of Management and Budget Control Number. This rule contains collections of information subject to the Paperwork Reduction Act of 1980 (44 U.S.C. 
3501 et seq.). These collections have been approved by the Office of Management and Budget under control numbers 0694-0088, ``Multi-Purpose Application,'' which carries a burden hour estimate of 52.5 minutes per submission; and 0694-0104, ``Commercial Encryption Items Transferred from the Department of State to the Department of Commerce.'' The Department has submitted to OMB an emergency request for approval of the changes to the collection of information under OMB control number 0694-0104. Comments on collection 0694-0104 will be accepted until March 1, 1999. It will take companies 15 minutes to complete each certification. It will take companies 15 minutes to complete notifications. For reporting under License Exception KMI, it will take companies 1 hour to complete KMI reporting. For reporting under License Exception ENC, it will take companies 4 hours to complete ENC reporting. 3. This rule does not contain policies with Federalism implications sufficient to warrant preparation of a Federalism assessment under E.O. 12612. 4. The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (Sec. 5 U.S.C. 553(a)(1)). Further, no other law requires that a notice of proposed rulemaking and an opportunity for public comment be given for this interim final rule. Because a notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule under 5 U.S.C. or by any other law, the requirements of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) are not applicable. However, because of the importance of the issues raised by these regulations, this rule is issued in interim form and comments will be considered in the development of final regulations. 
Accordingly, the Department of Commerce encourages interested persons who wish to comment to do so at the earliest possible time to permit the fullest consideration of their views. The period for submission of comments will close March 1, 1999. The Department will consider all comments received before the close of the comment period in developing final regulations. Comments received after the end of the comment period will be considered if possible, but their consideration cannot be assured. The Department will not accept public comments accompanied by a request that a part or all of the material be treated confidentially because of its business proprietary nature or for any other reason. The Department will return such comments and materials to the persons submitting the comments and will not consider them in the development of final regulations. All public comments on these regulations will be a matter of public record and will be available for public inspection and copying. In the interest of accuracy and completeness, the Department requires comments in written form. Comments should be provided with 5 copies. Oral comments must be followed by written memoranda, which will also be a matter of public record and will be available for public review and copying. The public record concerning these regulations will be maintained in the Bureau of Export Administration Freedom of Information Records [[Page 72159]] Inspection Facility, Room 4525, Department of Commerce, 14th Street and Pennsylvania Avenue, N.W., Washington, D.C. 20230. Records in this facility, including written public comments and memoranda summarizing the substance of oral communications, may be inspected and copied in accordance with regulations published in part 4 of Title 15 of the Code of Federal Regulations. 
Information about the inspection and copying of records at the facility may be obtained from Henry Gaston, Bureau of Export Administration Freedom of Information Officer, at the above address or by calling (202) 482-0500. The reporting burden for this collection is estimated to be approximately 815 hours, including the time for gathering and maintaining the data needed for completing and reviewing the collection of information. Comments are invited on: (a) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden of the proposed collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology. Comments regarding these burden estimates or any other aspect of the collection of information, including suggestions for reducing the burdens, should be forwarded to Nancy Crowe, Regulatory Policy Division, Office of Exporter Services, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, D.C. 20044, and David Rostker, Office of Management and Budget, OMB/OIRA, 725 17th Street, NW, NEOB Rm. 10202, Washington, D.C. 20503. List of Subjects 15 CFR Parts 740 and 743 Administrative practice and procedure, Exports, Foreign trade, Reporting and recordkeeping requirements. 15 CFR Parts 742, 772 and 774 Exports, foreign trade. Accordingly, 15 CFR Chapter 7, Subchapter C, is amended as follows: 1. The authority citation for 15 CFR parts 740 and 772 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 
917; Executive Order 13026 (November 15, 1996, 61 FR 58767); Notice of August 17, 1998 (63 FR 55121, August 17, 1998). 2. The authority citation for 15 CFR part 742 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 18 U.S.C. 2510 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 3 CFR, 1993 Comp., p. 608; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; E.O. 12938, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 3 CFR, 1996 Comp. p. 219; E.O. 13026, 3 CFR, 1996 Comp., p. 228; Notice of August 17, 1998 (63 FR 55121, August 17, 1998). 3. The authority citation for 15 CFR part 743 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Notice of August 17, 1998 (63 FR 55121, August 17, 1998). 4. The authority citation for 15 CFR part 774 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 18 U.S.C. 2510 et seq.; 22 U.S.C. 287c; 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; Sec. 201, Pub. L. 104-58, 109 Stat. 557 (30 U.S.C. 185(s)); 30 U.S.C. 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 46 U.S.C. app. 466c; 50 U.S.C. app. 5; E.O. 12924, 59 FR 43437, 3 CFR, 1994 Comp., p. 917; Executive Order 13026 (November 15, 1996, 61 FR 58767); Notice of August 17, 1998 (63 FR 55121, August 17, 1998). PART 740--[AMENDED] 5. Section 740.8 is amended: a. By revising the section title; b. By revising paragraph (b); c. By removing paragraph (d); and d. By redesignating paragraph (e) as paragraph (d) to read as follows: Sec. 740.8 Key management infrastructure (KMI) (a) * * * (b) Eligible commodities and software. (1) Recovery encryption commodities and software of any key length controlled under ECCNs 5A002 and 5D002 that have been classified after a technical review through a classification request. 
Key escrow and key recovery commodities and software must meet the criteria identified in Supplement No. 4 to part 742 of the EAR. (2) For such classification requests, indicate ``License Exception KMI'' in block 9 on Form BXA-748P. Submit the original request to BXA in accordance with Sec. 748.3 of the EAR and send a copy of the request to: Attn: KMI Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246 * * * * * 6. Part 740 is amended by adding a new Sec. 740.17 to read as follows: Sec. 740.17 Encryption commodities and software (ENC). (a) Exports and reexports of encryption commodities and software to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. (1) Financial-specific encryption commodities and software of any key length. (i) Scope. You may export and reexport financial-specific encryption commodities and software (which are not eligible under the provisions of License Exception TSU for mass market software such as SET or similar protocols) of any key length that are restricted by design (e.g., highly field-formatted with validation procedures, and not easily diverted to other end-uses) for financial applications to secure financial communications/transactions for end-uses such as financial transfers, or electronic commerce. (ii) Eligible commodities and software. Encryption commodities and software of any key length classified under ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of this section). These commodities and software must be specifically designed and limited for use in the processing of electronic financial (commerce) transactions, which implements cryptography in specifically delineated fields such as merchant's identification, the customer's identification and address, the merchandise purchased and the payment mechanism. 
It does not allow for encryption of data, text or other media except as directly related to these elements of the electronic transaction to support financial communications/transactions. Notwithstanding the provisions of paragraph (c)(2) of this section, financial-specific commodities and software that were made eligible for License Exception KMI after a technical review prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of this paragraph (a)(1). (iii) Eligible destinations. Upon approval of your classification request, you may export and reexport under License Exception ENC financial-specific encryption commodities and software, as defined in this paragraph (a)(1), of any key length to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. (iv) Reporting requirements. There are no reporting requirements. (2) Encryption commodities and software of any key length for U.S. subsidiaries. (i) Scope. You may export [[Page 72160]] and reexport encryption commodities and software of any key length under License Exception ENC to U.S. subsidiaries (as defined in part 772 of the EAR) subject to the conditions of this paragraph (a)(2). Note that distributors, resellers or other entities that are not manufacturers of the encryption commodities and software are permitted to use License Exception ENC for U.S. subsidiaries only in instances where the export or reexport meets the terms and conditions of this paragraph (a)(2). (ii) Eligible commodities and software. Encryption commodities, software and technology of any key length classified under ECCNs 5A002, 5D002 and 5E002 after a technical review (see paragraph (c) of this section). This includes encryption chips, integrated circuits, toolkits, executable or linkable modules, source code and technology to U.S. subsidiaries for internal company proprietary use, including the development of new products. 
(iii) Eligible destinations; retransfers. You may export and reexport under License Exception ENC encryption commodities, software and technology of any key length to U.S. subsidiaries for internal company proprietary use, including the development of new products, in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. All items developed using U.S. encryption commodities, software and technology are subject to the EAR. For exports and reexports to strategic partners of U.S. companies (as defined in part 772) see Sec. 742.15(b)(8) of the EAR. Retransfers to other end-users or end-uses are prohibited without prior authorization. (iv) Reporting requirements. There are no reporting requirements. (3) Encryption commodities, including mass market and non-mass market, and non-mass market encryption software incorporating symmetric algorithms with key lengths up to and including 56-bits, such as DES or equivalent. (i) Scope. You may export and reexport encryption commodities, including mass market and non-mass market commodities, and non-mass market software with key lengths up to and including 56-bits, such as DES or equivalent, under License Exception ENC subject to the conditions of this paragraph (a)(3). For information concerning the technical review of encryption mass market commodities and mass market software refer to Sec. 742.15(b)(1) of the EAR. Note that encryption mass market software remains eligible under License Exception TSU. (ii) Eligible commodities and software. (A) Mass market and non-mass market encryption commodities and non-mass market software having symmetric algorithms with key lengths up to and including 56-bits, such as DES or equivalent (such as RC2, RC4, RC5, and CAST) which are classified as a result of a technical review (see paragraph (c) of this section). The commodity or software must not allow the alteration of the cryptographic functionality by the user or any other program. 
Encryption chips, integrated circuits, toolkits and executable or linkable modules are not authorized for export under the provisions of paragraph (a)(3). (B)(1) For mass market and non-mass market encryption commodities and non-mass market encryption software, exporters of 40-bit or less encryption commodities and software which have been made eligible for License Exception KMI or License Exception TSU or have been licensed for export under an Encryption Licensing Arrangement or a license prior to December 31, 1998, will be permitted to export and reexport these commodities and software under license exception ENC with increased key lengths up to and including 56-bits for the confidentiality algorithm, with key exchange mechanisms including symmetric algorithms with the same or double key length authorized for the confidentiality algorithm, and asymmetric algorithms for key exchange with key space of 512, 768 or up to and including 1024 bits without an additional technical review, provided that there is no other change in cryptographic functionality. Exporters must certify to BXA that the only change to the encryption is the increase in the key length for the confidentiality algorithm, the asymmetric or symmetric key exchange algorithms and that there is no other change in cryptographic functionality. Such certifications must be in the form of a letter from senior corporate management and include the original authorization number issued by BXA, the date of issuance and the information identified in paragraphs (a)(2) (iii) through (v) of Supplement No. 6 to part 742 of the EAR. (If this information was submitted previously, then only identify the modifications.) BXA must receive such certification by March 31, 1999, and prior to any export of such upgraded product. 
(2) The certification should be sent to: Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230, Attn: Encryption Upgrade (3) A copy of the certification should be sent to: Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246 (C) After March 31, 1999, any increase (upgrade) in the confidentiality algorithm and the key exchange algorithm must be reviewed by BXA through a classification request (see Sec. 748.3 of the EAR). In Block 9 of form BXA-748P, indicate ``Key Length Upgrade.'' (iii) Eligible destinations. License Exception ENC is available for exports and reexports of encryption commodities and software with key length up to and including 56-bits, such as DES or equivalent to all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. (iv) Reporting requirements. See paragraph (d) of this section for reporting requirements. (b) Exports and reexports of certain encryption commodities and software to countries listed in Supplement No. 3 to part 740 of the EAR. (1) General purpose encryption commodities and software of any key length for use by banks/financial institutions. (i) Scope. You may export and reexport general purpose, non-voice encryption commodities and software of any key length to banks and financial institutions (as defined in part 772 of the EAR) in specified destinations, subject to the conditions of this paragraph (b)(1). Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use License Exception ENC for banks and financial institutions only in instances where the export or reexport meets the terms and conditions of this paragraph (b)(1). (ii) Eligible commodities and software. 
General purpose, non-voice encryption commodities and software of any key length classified under ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of this section). Note that software and commodities that have already been approved under an Encryption Licensing Arrangement to banks and financial institutions in specified countries may now be exported or reexported to other banks and financial institutions in those countries under the same Encryption Licensing Arrangement. (iii) Eligible destinations; retransfers. Upon approval of your classification request, you may export and reexport [[Page 72161]] under License Exception ENC general purpose, non-voice encryption commodities and software, as defined in this paragraph (b)(1), of any key length to banks and financial institutions in all destinations listed in Supplement No. 3 to this part and to branches of such banks and financial institutions wherever established, except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. End-use is limited to secure business financial communications or transactions and financial communications/transactions between the bank and/or financial institution and its customers. No customer to customer communications or transactions are allowed. Retransfers to other end-users or end-uses are prohibited without prior authorization. (iv) Reporting requirements. There are no reporting requirements. (2) Health and medical end-users. (i) Scope. You may export and reexport encryption commodities and software of any key length under License Exception ENC to health and medical end-users (as defined in part 772 of the EAR) in specified destinations, subject to the conditions of this paragraph (b)(2). 
Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use License Exception ENC for health and medical end-users only in instances where the export or reexport meets the terms and conditions of this paragraph (b)(2). (ii) Eligible commodities and software. Encryption commodities and software of any key length classified under ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of this section). (iii) Eligible destinations; retransfers. You may export and reexport under License Exception ENC encryption commodities and software of any key length to health and medical end-users in all destinations listed in Supplement No. 3 to this part. Non-U.S. biochemical and pharmaceutical manufacturers, and non-U.S. military health and medical entities are not eligible to receive encryption commodities and software under License Exception ENC (see Sec. 742.15 of the EAR for licensing information on these end-users, as well as additional countries). End-use is limited to securing health and medical transactions to health and medical end-users. No customer to customer communications or transactions are allowed. Retransfers to other end-users or end-uses are prohibited without prior authorization. (iv) Reporting requirements. See paragraph (d) of this section for reporting requirements for exports under this License Exception. (3) Encryption commodities and software of any key length for on-line merchants. (i) Scope. You may export and reexport encryption commodities and software of any key length under License Exception ENC to on-line merchants (as defined in part 772 of the EAR) in specified destinations, subject to the conditions of this paragraph (b)(3). 
End-use is limited to: the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. No other end-uses or customer to customer communications or transactions are allowed. Foreign on-line merchants or their separate business units (as defined in part 772 of the EAR) who are engaged in the manufacturing and distribution of items or services controlled on the U.S. Munitions List are excluded. Foreign government end-users are also excluded from this License Exception. Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use License Exception ENC for on-line merchants only in instances where the export or reexport meets the terms and conditions of this paragraph (b)(3). (ii) Eligible commodities and software. Encryption commodities and software of any key length classified under ECCNs 5A002 and 5D002 after a technical review (see paragraph (c) of this section). Such commodities and software must be limited to client-server applications (e.g. Secure Socket Layer (SSL) based applications) or applications specially designed for on-line transactions for the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. Notwithstanding the provisions of paragraph (c)(2) of this section, commodities and software that were eligible for export to on-line merchants under an Encryption Licensing Arrangement or license prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of this paragraph (b)(3). (iii) Eligible destinations; retransfers. 
You may export and reexport encryption commodities and software under License Exception ENC to on-line merchants in all destinations listed in Supplement No. 3 to this part, except to foreign on-line merchants or their separate business units who are engaged in the manufacturing and distribution of items or services controlled on the U.S. Munitions List. Retransfers to other end-users or end-uses are prohibited without prior authorization. (iv) Reporting requirements. See paragraph (d) of this section for reporting requirements for exports under this License Exception. (c) Technical review to determine eligibility for License Exception ENC. (1) You may initiate a technical review required by paragraph (a) or (b) of this section by submitting a classification request for your product in accordance with the provisions of Sec. 748.3(b) of the EAR. Indicate ``License Exception ENC'' in Block 9: Special purpose, on form BXA-748P. Submit the original request to BXA in accordance with Sec. 748.3 of the EAR and send a copy of the request to: Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246 (2) Commodities and software that have been made eligible for License Exception TSU or KMI or which have been approved for export under an Encryption Licensing Arrangement or a license prior to December 31, 1998 are eligible for export and reexport under all paragraphs of License Exception ENC, except paragraphs (a)(1) and (b)(3) of this section, without an additional technical review, provided that the export or reexport meets all the terms and conditions of this License Exception. For all other commodities and software, a technical review will determine eligibility for License Exception ENC by reviewing the confidentiality algorithm, key space, and key exchange mechanism. 
(3) For export and reexport of encryption commodities and software under paragraph (a)(3) of this section, examples of eligible key exchange mechanisms include, but are not limited to, symmetric algorithms with the same or double the key length authorized for the confidentiality algorithm, asymmetric algorithms with key space of 512, 768 or up to and including 1024 bits, proprietary key exchange mechanisms, or others. (4) For export and reexport of encryption commodities and software under paragraph (b)(3) of the License Exception ENC, exporters, in order to expedite review of the classification, should submit, as applicable, the following types of information to support the classification request: [[Page 72162]] (i) Information describing how the product is limited to a client-server application or application specially designed or tailored to the conditions outlined in the License Exception; (ii) Information describing the end-user environment to which the application will be limited; (iii) Information explaining how the product will not permit customer-to-customer communications or transactions above 56-bits; (iv) Information on the process by which the merchant(s) or application will limit access to authorized users; or (v) Details of the encryption system, including how it is limited to the application or cannot be diverted to other end-uses. (d) Reporting requirements. (1) You must provide to BXA the names and addresses for exports to the following end-users: (i) All military and government end-users for non-mass market commodities and non-mass market software exports authorized under paragraph (a)(3) of this section; (ii) All health and medical end-users for exports authorized under paragraph (b)(2) of this section, and (iii) All foreign on-line merchants for exports authorized under paragraph (b)(3) of this section. (2) You must submit reports no later than February 1 and no later than August 1 of any given year. 
Specifically, the report must identify the end-user name and address and country of ultimate destination, as well as the classification or other authorization number. Send the report to the following address: Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: Encryption Reports 7. Supplement No. 3 is revised to read as follows: Supplement No. 3 to Part 740--Countries Eligible To Receive General Purpose Encryption Commodities and Software *Commercial entities and their branches located in these countries or any country listed in this Supplement and designated with one or two asterisks are eligible to receive ``recoverable'' encryption commodities and software of any key length for internal company proprietary use. See Sec. 742.15(b)(7) of the EAR. **Commercial entities headquartered in these countries and their branches wherever located (except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) are eligible to receive ``recoverable'' encryption commodities and software of any key length for internal company proprietary use. See Sec. 742.15(b)(7) of the EAR. PART 742--[AMENDED] 8. Section 742.15 is amended: a. By revising the first sentence of paragraph (a); b. By revising the phrase ``Supplements No. 4, No. 5 and No. 7'' in the introductory paragraph (b) to read ``Supplement No. 4''; c. By revising the phrase ``encryption software'' in the title to paragraph (b)(1) to read ``encryption commodities and software''; d. By revising paragraph (b)(1)(i); e. By adding new paragraphs (b)(1)(iii) and (b)(1)(iv); f. By revising paragraph (b)(2); g. By removing paragraph (b)(3); h. By redesignating paragraphs (b)(4) and (5) as (b)(3) and (4); i. By revising newly redesignated paragraphs (b)(3); j. By revising the heading of newly redesignated paragraph (b)(4); k. 
By removing the phrase ``non-recoverable'' in the first sentence of newly redesignated paragraph (b)(4). l. By revising the phrase ``under License Exception KMI (see Sec. 740.8 of the EAR)'' in newly redesignated paragraph (b)(4) to read ``License Exception ENC (see Sec. 740.17(a)(1) of the EAR)''; m. By redesignating paragraph (b)(6) and (7) as (b)(8) and (9); n. By adding new paragraphs (b)(5), (6) and (7); and o. By adding a new paragraph (b)(8)(iii) to read as follows: Sec. 742.15 Encryption items. * * * * * (a) Licenses are required for exports and reexports to all destinations, except Canada, for items controlled under ECCNs having an ``EI'' (for ``encryption items'') under the ``Control(s)'' paragraph. * * * (b) * * * (1) * * * (i) Consistent with E.O. 13026 of November 15, 1996 (61 FR 58767), certain encryption software that was transferred from the U.S. Munitions List to the Commerce Control List pursuant to the Presidential Memorandum of November 15, 1996, may be released from EI controls and thereby made eligible for mass market treatment after a technical review. Further, certain encryption commodities may be released from EI controls and thereby made eligible for mass market treatment after a technical review. To determine eligibility for mass market treatment, exporters must submit a classification request to BXA. 56-bit mass market encryption commodities and software using RC2, RC4, RC5, DES or CAST, and key exchange mechanisms including, but not limited to, symmetric algorithms with the same or double the key length authorized for the confidentiality algorithm, asymmetric algorithms with key space of 512, 768 or up to and including 1024 bits, proprietary key exchange mechanisms, or others, may be eligible for a 7-day review process, and company proprietary commodities and software implementations may be eligible for 15-day processing. Refer to Supplement No. 6 to part 742 and Sec. 748.3(b)(3) of the EAR for additional information. 
Note that the technical review is for a determination to release encryption commodities and software in object code only unless otherwise specifically requested. Exporters requesting release of the source code should refer to paragraph (b)(3)(v)(E) of Supplement No. 6 to part 742. (ii) * * * (iii) If after a technical review, BXA determines that the encryption commodity is released from EI controls, the commodity is eligible for export under License Exception ENC and all provisions of the EAR applicable to other commodities. However, if BXA determines that the commodity is not released from EI controls, and no License Exception applies, a license is required for export and reexport to all destinations, except Canada, and license applications will be considered on a case-by-case basis. (iv) Mass-market encryption software that has already been classified after a technical review and that has been released from EI controls under the provisions of this paragraph (b)(1) will be permitted for export and reexport under license exception TSU with increases of 56-bits for the confidentiality algorithm, the same or double the key length authorized for the confidentiality algorithm for symmetric [[Page 72163]] algorithms for key exchange mechanisms and with key spaces of 512, 768 or up to and including 1024 bits for asymmetric algorithms for key exchange without an additional technical review, provided that there is no other change in the cryptographic functionality. Exporters must notify BXA in writing of the increase in the key length for the confidentiality algorithm, the asymmetric or symmetric key exchange algorithms, and include the original authorization number issued by BXA and the information identified in paragraphs (a)(2)(iii) through (v) of Supplement No. 6 to part 742 of the EAR (if this information was submitted previously, then only identify the modifications). BXA must receive such notification by March 31, 1999. 
(A) The notification should be sent to: Office of Strategic Trade and Foreign Policy Controls, Bureau of Export Administration, Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: Encryption Upgrade (B) A copy of the certification should be sent to: Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246 (2) Key escrow and key recovery encryption commodities and software. Certain recovery encryption commodities and software of any key length that are classified under ECCNs 5A002 and 5D002 after a technical review are eligible for export and reexport under License Exception KMI. See Sec. 740.8(b)(1) of the EAR for information on additional eligibility requirements. (3) General purpose encryption commodities and software of any key length for use by banks and financial institutions. (i) Commodities and software that were eligible for License Exception TSU or KMI or have been licensed for export or reexport under an Encryption Licensing Arrangement or a license prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(1) of the EAR. (ii) For exports and reexports not eligible under a License Exception, exports and reexports of general purpose non-voice encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement for use by banks and financial institutions (as defined in part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. 
Applications for such commodities and software will receive favorable consideration when the end-use is limited to secure business financial communications or transactions and financial communications/transactions between the bank and/or financial institution and its customers provided that there are no concerns about the country or end-user. No customer to customer communications or transactions are allowed. (iii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests. (iv) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(3). (v) There are no reporting requirements for exports to banks and financial institutions. (4) Financial-specific encryption items of any key length.* * * (5) Encryption commodities and software of any key length for use by health and medical end-users. (i) Commodities and software that have been classified after a technical review through a classification request or have been licensed for export under an Encryption Licensing Arrangement or a license are eligible for export and reexport under License Exception ENC to health and medical end-users without an additional technical review, provided that the export or reexport meets all the terms and conditions of that License Exception. See Sec. 740.17 of the EAR. 
Commodities and software that were eligible for License Exception TSU or KMI or have been licensed for export or reexport under an Encryption Licensing Arrangement or a license prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(2) of the EAR. (ii) For exports and reexports that are not eligible under License Exception ENC, exports and reexports of encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement for use by health and medical end-users (as defined in part 772 of the EAR) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria except for non-U.S. biochemical and pharmaceutical manufacturers and non-U.S. military health and medical entities. No customer to customer communications or transactions are allowed. (iii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests. (iv) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(5). (v) You must submit to BXA the name and address of the end-user. (6) Encryption commodities and software of any key length for on-line merchants. 
(i) Commodities and software that were eligible for export to on-line merchants under an Encryption Licensing Arrangement prior to December 31, 1998, are now eligible for export and reexport under License Exception ENC under the provisions of Sec. 740.17(b)(3). (ii) Exports and reexports of encryption commodities and software classified under ECCNs 5A002 and 5D002 of any key length which are limited to client-server applications (e.g., Secure Socket Layer (SSL) based applications) or applications specially designed for on-line transactions for the purchase or sale of goods and software will be permitted under an Export Licensing Arrangement in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria for use by foreign on-line merchants as defined in part 772 of the EAR. End-use is limited to: the purchase or sale of goods and software; and services connected with the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. No other end-uses or customer to customer communications or transactions are allowed. (iii) Applications for Encryption Licensing Arrangements for on-line [[Page 72164]] merchants will generally be approved, except for foreign on-line merchants or their separate business units (as defined in part 772 of the EAR) who are engaged in the manufacturing and distribution of items or services controlled on the U.S. Munitions List. Such end-users will be considered on a case-by-case basis. (iv) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests. 
(v) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(6). (v) You must submit to BXA the name and address of the end-user. (7) Recoverable encryption commodities and software of any key length for use by commercial entities. (i) Exports and reexports of recoverable encryption commodities and software (as defined in part 772 of the EAR) classified under ECCNs 5A002 and 5D002 of any key length will generally be approved under an Encryption Licensing Arrangement to destinations designated with a ``*'' or ``**'' in Supplement No. 3 to part 740 of the EAR to foreign commercial entities for internal company proprietary use. Such encryption commodities and software will generally be approved for export and reexport to foreign subsidiaries of commercial firms headquartered in countries designated with a ``**'' in Supplement No. 3 to part 740 of the EAR that are located in any destination except Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Exports and reexports to telecommunication and internet service providers are permitted under this policy for internal company proprietary use. Use by service providers to provide service to customers is excluded from this policy, but exports may be possible under a license or an Encryption Licensing Arrangement on a case-by-case basis. This policy of approval excludes those foreign commercial firms or their separate business units (as defined in part 772 of the EAR) engaged in the manufacturing and distribution of items or services controlled by the U.S. Munitions List. 
(ii) Note that any country or end-user prohibited in the past from receiving encryption commodities and software under a specific Encryption Licensing Arrangement will be reviewed on a case-by-case basis, and may be considered by BXA for eligibility under future Encryption Licensing Arrangement requests. (iii) Note that distributors, resellers or other entities who are not manufacturers of the encryption commodities and software are permitted to use an existing Encryption Licensing Arrangement for exports and reexports of these products only when Encryption Licensing Arrangement has been granted to the manufacturer and the export and reexport meets the terms and conditions of this paragraph (b)(7). (iv) You must submit to BXA the name and address of the end-user. (8) All other encryption items. * * * (iii) Exports and reexports of encryption commodities and software of any key length to ``strategic partners'' of U.S. companies will receive favorable consideration when the end-use is for the protection of U.S. company proprietary information. * * * * * 9. Supplement No. 4 to part 742 is amended by revising paragraph (8) to read as follows: Supplement No. 4 to Part 742--Key Escrow or Key Recoverable Products Criteria * * * * * (8) The product's cryptographic function's key(s) or other material/information required to decrypt ciphertext shall be accessible to government officials under proper legal authority. 10. Part 742 is amended by removing and reserving Supplement No. 5 and Supplement No. 7. 11. Supplement No. 6 to part 742 is revised to read as follows: Supplement No. 6 to Part 742--Guidelines for Submitting a Classification Request for Mass Market Encryption Commodities and Software Classification requests for release of certain mass market encryption commodities and software from EI controls must be submitted on Form BXA-748P, in accordance with Sec. 748.3 of the EAR. 
To expedite review of the request, clearly mark the envelope ``Attn.: Mass Market Encryption (Commodity) or (Software) Classification Request''. In Block 9: Special Purpose of the Form BXA-748P, you must insert the phrase ``Mass Market Encryption (Commodity) or (Software)''. Failure to insert this phrase will delay processing. In addition, the Bureau of Export Administration recommends that such requests be delivered via courier service to: Bureau of Export Administration, Office of Exporter Services, Room 2705, 14th Street and Pennsylvania Ave., N.W., Washington, D.C. 20230. In addition, send a copy of the request and all supporting documents by Express Mail to: Attn: Mass Market Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246. (a) Requests for mass market encryption commodities and software that meet the criteria in paragraph (a)(2) of this Supplement will be processed in seven (7) working days from receipt of a properly completed request. Those requests for mass market encryption commodities and software that meet the criteria of paragraph (a)(1) of this Supplement only will be processed in fifteen (15) working days from receipt of a properly completed request. When additional information is requested, the request will be processed within 15 working days of the receipt of the requested information. (1) A mass market product that meets the criteria established in this paragraph will be processed in fifteen (15) working days from receipt of the properly completed request: (i) The commodity or software must be mass market. Mass market commodities and software that are available to the public via sales from stock at retail selling points by means of over-the-counter transactions, mail order transactions, or telephone call transactions; (ii) The commodity or software must be designed for installation by the user without further substantial support by the supplier. 
Substantial support does not include telephone (voice only) help line services for installation or basic operation, or basic operation training provided by the supplier; and (iii) The commodity or software includes encryption for data confidentiality. (2) A mass market commodity or software product that meets all the criteria established in this paragraph will be processed in seven (7) working days from receipt of the properly completed request: (i) The commodity or software meets all the criteria established in paragraph (a)(1) (i) through (iii) of this Supplement; (ii) The confidentiality algorithm must be RC2, RC4, RC5, DES or CAST with a key space no longer than 56-bits. The RC2, RC4 and RC5 algorithms are proprietary to RSA Data Security, Inc. To ensure that the subject commodity or [[Page 72165]] software is properly licensed and correctly implemented, contact RSA Data Security, (415) 595-8782. The CAST algorithm is proprietary to Entrust Technologies, Inc. To ensure that the subject software is properly licensed and correctly implemented, contact Entrust Technologies, Inc., (972) 994-8000; (iii) If any combination of RC2, RC4, RC5, DES or CAST are used in the same commodity or software, their functionality must be separate. That is, no data can be operated sequentially on by both routines or multiply by either routine; (iv) The commodity or software must not allow the alteration of the confidentiality mechanism and its associated key spaces by the user or any other program; (v) The key exchange used in confidentiality must be: (A) A public key algorithm with a key space less than or equal to a 512-bit, 768-bit or up to and including 1024 bit modulus and/or; (B) A symmetric algorithm with a key space less than or equal to 112-bits; and (vi) The commodity or software must not allow the alteration of the key management mechanism and its associated key space by the user or any other program. 
(b)(1) To submit a classification request for a product that is eligible for the seven-day handling, you must provide the following information in a cover letter to the classification request. Send the original to the Bureau of Export Administration. Send a copy of the application and all supporting documentation by Express Mail to: Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246 (2) Instructions for the preparation and submission of a classification request that is eligible for seven day handling are as follows: (3) If the commodity or software product meets the criteria in paragraph (a)(2) of this Supplement, you must call the Department of Commerce on (202) 482-0092 to obtain a test vector, or submit to BXA a copy of the encryption subsystem source code. The test vector or source code must be used in the classification process to confirm that the software has properly implemented the approved encryption algorithms. (4) Upon receipt of the test vector, the applicant must encrypt the test plain text input provided using the product's encryption routine (RC2, RC4, RC5, DES or CAST) with the given key value. The applicant should not pre-process the test vector by any compression or any other routine that changes its format. Place the resultant test cipher text output in hexadecimal format on an attachment to form BXA-748P. (5) You must provide the following information in a cover letter to the classification request: (i) Clearly state at the top of the page ``Mass Market Encryption (Commodity) (Software)--7 Day Expedited Review Requested''; (ii) State that you have reviewed and determined that the commodity or software subject to the classification request meets the criteria of paragraph (a)(2) of this Supplement; (iii) State the name of the single commodity or software product being submitted for review. 
A separate classification request is required for each product; (iv) State how the commodity or software has been written to preclude user modification of the encryption algorithm, key management mechanism, and key space; (v) Provide the following information for the commodity or software product: (A) Whether the commodity or software uses the RC2, RC4, RC5, DES or CAST algorithm and how the algorithm(s) is used. If any combination of these algorithms are used in the same product, and also state how the functionality of each is separated to assure that no data is operated by more than one algorithm; (B) Pre-processing information of plaintext data before encryption (e.g. the addition of clear text header information or compression of the data); (C) Post-processing information of cipher text data after encryption (e.g. the addition of clear text header information or packetization of the encrypted data); (D) Whether a public key algorithm or a symmetric key algorithm is used to encrypt keys and the applicable key space; (E) For classification requests regarding source code: (1) Reference the applicable executable product that has already received a technical review; (2) Include whether the source code has been modified by deleting the encryption algorithm, its associated key management routine(s), and all calls to the algorithm from the source code, or by providing the encryption algorithm and associated key management routine(s) in object code with all calls to the algorithm hidden. You must provide the technical details on how you have modified the source code; (3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines, and their related calls; and (F) Provide any additional information which you believe would assist in the review process. 
(c) Instructions for the preparation and submission of a classification request that is eligible for 15-day handling are as follows:
(1) If the commodity or software product meets only the criteria in paragraph (a)(1) of this Supplement, you must prepare a classification request. Send the original to the Bureau of Export Administration. Send a copy of the application and all supporting documentation by Express Mail to: Attn.: Mass Market Encryption Request Coordinator, P.O. Box 246, Annapolis Junction, MD 20701-0246
(2) You must provide the following information in a cover letter to the classification request:
(i) Clearly state at the top of the page ``Mass Market Encryption (Commodity)(Software)--15 Day Expedited Review Requested'';
(ii) State that you have reviewed and determined that the commodity or software subject of the classification request meets the criteria of paragraph (a)(1) of this Supplement;
(iii) State the name of the single commodity or software product being submitted for review. A separate classification request is required for each product;
(iv) State that a duplicate copy, in accordance with paragraph (c)(1) of this Supplement, has been sent to the 15-day Encryption Request Coordinator; and
(v) Ensure that the information provided includes brochures or other documentation or specifications relating to the commodity or software, as well as any additional information which you believe would assist in the review process.
(3) Contact the Bureau of Export Administration on (202) 482-0707 prior to submission of the classification to facilitate the submission of proper documentation.

PART 743--[AMENDED]

12. Section 743.1 is amended:
a. By revising the phrase ``GOV and KMI (under the provisions of Sec. 740.8(b)(2)(ii) and (iii) only)'' in paragraph (b) to read ``ENC''; and
b. By removing the phrase ``, 5A002, 5B002, 5D002, and 5E002'' in paragraph (c)(1)(v).

PART 772--[AMENDED]

13.
Part 772 is amended by revising the definition of ``Financial Institution'' and adding, in alphabetical order, new definitions for ``Business Unit'', ``Health/medical end-user'', ``On-line merchant'', ``Recoverable commodities and software'', ``Strategic partner,'' and ``U.S. subsidiary''.

* * * * *

Business Unit. As applied to encryption items, means a unit of a business which, whether or not separately incorporated, has:
(a) A distinct organizational structure which does not overlap with other business units of the same business;
(b) A distinct set of accounts; and
(c) Separate facilities for purchase, sale, delivery, and production of goods and services.

* * * * *

Financial Institution. As applied to encryption items, means any of the following:
(a) A broker, dealer, government securities broker or dealer, self-regulatory organization, investment company or investment adviser, which is regulated or supervised by the Securities and Exchange Commission or a self-regulatory organization that is registered with the Securities and Exchange Commission; or
(b) A broker, dealer, government securities broker or dealer, investment company, investment adviser, or entity that engages in securities activities that, if conducted in the United States, would be described by the definition of the term ``self-regulatory organization'' in the Securities Exchange Act of 1934, which is organized under the laws of a foreign country and regulated or supervised by a foreign securities authority; or
(c) A U.S. board of trade that is designated as a contract market by the Commodity Futures Trading Commission or a futures commission merchant that is regulated or supervised by the Commodity Futures Trading Commission; or
(d) A U.S.
entity engaged primarily in the business of issuing a general purpose charge, debit, or stored value card, or a branch of, or affiliate controlled by, such an entity; or
(e) A branch or affiliate of any of the entities listed in paragraphs (a), (b), or (c) of this definition regulated or supervised by the Securities and Exchange Commission, the Commodity Futures Trading Commission, or a foreign securities authority; or
(f) An affiliate of any of the entities listed in paragraph (a), (b), (c), or (e), of this definition engaged solely in the business of providing data processing services to one or more bank or financial institutions, or a branch of such an affiliate; or
(g) A company organized and regulated under the laws of any of the United States and its branches and affiliates whose primary and predominant business activity is the writing of insurance or the reinsuring of risks; or a company organized and regulated under the laws of a foreign country and its branches and affiliates whose primary and predominant business activity is the writing of insurance or the reinsuring of risks.

* * * * *

Health/medical end-user. As applied to encryption items, means any entity, including civilian government agencies, the primary purpose of which is the provision of medical or other health services.
The term medical or other health services includes the following items or services:
(a) Physicians' services and services and supplies furnished as an incident to a physician's professional service (such as laboratory services), of kinds which are commonly furnished in physicians' offices; services provided by a physician assistant or by a nurse practitioner; including services which would be physicians' services if furnished by a physician and which are performed by a physician assistant under the supervision of a physician, or services which would be physicians' services if furnished by a physician and which are performed by a nurse practitioner or clinical nurse specialist in collaboration with a physician; certified nurse-midwife services or services of a certified registered nurse anesthetist;
(b) Hospital services incident to physicians' services rendered to outpatients and hospitalization services incident to such services; ambulance services;
(c) Psychologist services or clinical social worker services; or
(d) Health cost reimbursers (e.g., health insurers, HMOs).

* * * * *

On-line merchant. As applied to encryption items, means an entity regularly engaged in lawful commerce that uses means of electronic communications (e.g., the Internet) to conduct commercial transactions.

* * * * *

Recoverable commodities and software. As applied to encryption items, means any of the following:
(a) A stored data product containing a recovery feature that, when activated, allows recovery of the plaintext of encrypted data without the assistance of the end-user; or
(b) A product or system designed such that a network administrator or other authorized persons who are removed from the end-user can provide law enforcement access to plaintext without the knowledge or assistance of the end-user.
This includes, for example, products or systems where plaintext exists and is accessible at intermediate points in a network or infrastructure system, enterprise-controlled recovery systems, and products which permit recovery of plaintext at the server where a system administrator controls or can provide recovery of plaintext across an enterprise.
Note to this definition: ``Plaintext'' indicates that data that is initially received by or presented to the recoverable product before encryption takes place.

* * * * *

Strategic partner (of a U.S. company). As applied to encryption items, means a foreign-based entity that:
(a) Has a business need to share the proprietary information with one or more U.S. companies; and
(b) Is contractually bound to the U.S. company (e.g., has an established pattern of continuing or recurring contractual relations).

* * * * *

U.S. subsidiary. As applied to encryption items, means
(a) A foreign branch of a U.S. company; or
(b) A foreign subsidiary or entity of a U.S. entity in which:
(1) The U.S. entity beneficially owns or controls (whether directly or indirectly) 25 percent or more of the voting securities of the foreign subsidiary or entity, if no other person owns or controls (whether directly or indirectly) an equal or larger percentage; or
(2) The foreign entity is operated by the U.S. entity pursuant to the provisions of an exclusive management contract; or
(3) A majority of the members of the board of directors of the foreign subsidiary or entity also are members of the comparable governing body of the U.S. entity; or
(4) The U.S. entity has the authority to appoint the majority of the members of the board of directors of the foreign subsidiary or entity; or
(5) The U.S. entity has the authority to appoint the chief operating officer of the foreign subsidiary or entity.

PART 774--[AMENDED]

14. In Supplement No.
1 to part 774, Category 5--Telecommunications and Information Security is amended by revising the License Requirements section of ECCNs 5A002 and 5D002 to read as follows:

5A002 Systems, equipment, application specific ``assemblies'', modules or integrated circuits for ``information security'', and specially designed components therefor.

License Requirements

Reason for Control: NS, AT, EI

------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to Sec. 742.15 of this subchapter.

* * * * *

5D002 Information Security--``Software''.

License Requirements

Reason for Control: NS, AT, EI

------------------------------------------------------------------------
              Control(s)                         Country chart
------------------------------------------------------------------------
NS applies to entire entry...........  NS Column 1.
AT applies to entire entry...........  AT Column 1.
------------------------------------------------------------------------

EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to Sec. 742.15 of the EAR.
Note: Encryption software is controlled because of its functional capacity, and not because of any informational value of such software; such software is not accorded the same treatment under the EAR as other ``software''; and for export licensing purposes, encryption software is treated under the EAR in the same manner as a commodity included in ECCN 5A002. License Exceptions for commodities are not applicable.

Note: Encryption software controlled for EI reasons under this entry remains subject to the EAR even when made publicly available in accordance with part 734 of the EAR, and it is not eligible for the General Software Note (``mass market'' treatment under License Exception TSU for mass market software). After a technical review, certain encryption software may be released from EI controls and made eligible for the General Software Note treatment as well as other provisions of the EAR applicable to software. Refer to Sec. 742.15(b)(1) of the EAR, and Supplement No. 6 to part 742 of the EAR.

* * * * *

Dated: December 23, 1998.
R. Roger Majak, Assistant Secretary for Export Administration.
[FR Doc. 98-34669 Filed 12-30-98; 8:45 am]
BILLING CODE 3510-33-P