10/12/16 10:00 AM

EAR CCL Category 5 Part 2 Update List

BIS has published final rules implementing the Wassenaar Arrangement’s decision to re-write Category 5 Part 2. Below is a list of updates. BIS will be updating their Encryption website soon to reflect these changes.

ECCN Changes to Category 5 Part 2

  • Separates C5P2 into 3 subsections:
    • Cryptographic information security
    • Non-cryptographic information security – 5A003
    • Defeating, weakening, or bypassing information security – 5A004
  • Deletes ECCNs 5A992/5D992 a&b, as well as 5E992.a
  • Keeps mass market ECCNs 5A992/5D992.c and 5E992.b
  • Decontrol notes (Note to 5A002.a) moved around to remove previously unused paragraphs
  • Removes previous Note 1 to C5P2, which is moved to a General Information Security Note (Supp. No. 2 to Part 774), and removes all the pointers in the EAR to C5P2
  • Adds a sentence to the Note to Note 3 saying that a simple price inquiry is not a consultation
  • Deletes 5A002 a.7 control on products above EAL-6

License Exception Changes

  • License Exception TSU – Publicly available source code is no longer subject to the EAR once the email notification is sent. The Notification requirement that was previously under TSU §740.13(e) is moved to §742.15(b)
  • License Exception TMP – 5E002 encryption technology now eligible for tools of the trade provisions under 740.9
  • §742.15 – Encryption Mass market provisions are moved from §742.15 to §740.17
  • License Exception ENC – §740.17
    • Paragraph (a)(1) – Adds an exception for certain related parties transactions for companies headquartered in a Supp. 3 country
    • §740.17(b)(4) – Deletes paragraph on short-range wireless items, paragraph on foreign made products is moved to paragraph (a)
    • Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report
    • If an exporter submits a CCATS review for an item under §740.17(b)(1), it does NOT have to go on the self-classification report
    • §740.17(b)(2) – updates performance parameters
      • Edits headers to make it clear that there should only be one parameter that applies to a product
      • Aggregate encrypted throughput increased from 90 Mbps to 250 Mbps
      • Deletes single channel input data rate
      • Deletes 250 concurrent encrypted data channels
      • Media parameter raised from 1,000 endpoints to 2,500
      • Adds a carve-out for mass market satellite modems that use end-to-end encryption between the modem and the hub
      • 5A002.d (channelizing codes) and 5A002.e (spread spectrum) moved to §740.17(b)(2)
      • New authorization for network infrastructure items to less-sensitive government end-users
  • Deletes grandfathering provisions
  • Adds Croatia to Supp. No. 3 to Part 740
  • Revises Supp. No. 6 to Part 742 questions
  • Definition of government end-user states that government-owned public schools and universities are “government end-users” as defined in Section 772
  • Adds definition of “More sensitive government end-users” and “Less-sensitive government end-users”

Note

Classifications issued for 5A992/5D992 a&b and 5E992.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991) if applicable, or EAR99.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to this rule change continue to be authorized under the newly located mass market encryption provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the item moved from 742.15 to 740.17.

Wassenaar Arrangement Ruling: https://www.federalregister.gov/documents/2016/09/20/2016-21544/wassenaar-arrangement-2015-plenary-agreements-implementation-removal-of-foreign-national-review

BIS Final Rule: http://www.bis.doc.gov/InformationSecurity2016-updates
