[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Commerce department Requrinments Munitions
- Date: Tue, 31 Dec 1996 03:01:33 +0000
- From: Jeff Williams <jwkckid1@ix.netcom.com>
- Subject: Commerce department Requrinments Munitions
David and all,
As I stated earlier. 56 bit AUTHENTICATION also applies
to munitions ITAR requrinments. See attached.
Regards,
--
Jeffrey A. Williams
DIR. Internet Network Eng/SR. Java Development Eng.
Information Eng. Group.
Phone :972-447-1878
E-Mail jwkckid1@ix.netcom.com
DEPARTMENT OF COMMERCE
Bureau of Export Administration
15 CFR Parts 730, 732, 734, 736, 738, 740, 742, 744, 748, 750, 768,
772, and 774
[Docket No. 960918265-6366-03]
RIN 0694-AB09
Encryption Items Transferred From the U.S. Munitions List to the
Commerce Control List
AGENCY: Bureau of Export Administration, Commerce.
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: This interim rule amends the Export Administration Regulations
(EAR) by exercising jurisdiction over, and imposing new combined
national security and foreign policy controls on, certain encryption
items that were on the United States Munitions List,
[[Page 68573]]
consistent with Executive Order 13026 and pursuant to the Presidential
Memorandum of that date, both issued by President Clinton on November
15, 1996.
On October 1, 1996, the Administration announced a plan to make it
easier for Americans to use stronger encryption products to protect
their privacy, intellectual property and other valuable information.
The plan envisions a worldwide key management infrastructure with the
use of key escrow and key recovery encryption items to promote
electronic commerce and secure communications while protecting national
security and public safety. To provide for a transition period for the
development of this key management infrastructure, this rule permits
the export and reexport of 56-bit key length DES or equivalent strength
encryption items under the authority of a License Exception, if an
exporter makes satisfactory commitments to build and/or market
recoverable encryption items and to help build the supporting
international infrastructure. This policy will apply to hardware and
software.
DATES: Effective Date: This rule is effective December 30, 1996.
Comment Date: February 13, 1997.
ADDRESSES: Written comments (six copies) should be sent to: Nancy
Crowe, Regulatory Policy Division, Bureau of Export Administration,
Department of Commerce, 14th Street and Pennsylvania Ave., N.W., Room
2705, Washington, D.C. 20230.
FOR FURTHER INFORMATION CONTACT: James A. Lewis, Office of Strategic
Trade and Foreign Policy Controls, Telephone: (202) 482-0092.
SUPPLEMENTARY INFORMATION:
Background
Following upon the Administration's October 1 announcement, on
November 15, 1996, the President issued the Memorandum directing that
all encryption items controlled on the U.S. Munitions List, except
those specifically designed, developed, configured, adapted, or
modified for military applications, be transferred to the Commerce
Control List. The Memorandum and Executive Order 13026 (November 15,
1996, 61 FR 58767) also set forth certain additional provisions with
respect to controls on such encryption items to be imposed by the
Department of Commerce. The Executive Order also provides for
appropriate controls on the export and foreign dissemination of
encryption items controlled on the U.S. Munitions List that are placed
on the Commerce Control List. In issuing the Memorandum the President
stated:
Encryption products, when used outside the United States, can
jeopardize our foreign policy and national security interests.
Moreover, such products, when used by international criminal
organizations, can threaten the safety of U.S. citizens here and
abroad, as well as the safety of the citizens of other countries.
The exportation of encryption products must be controlled to further
U.S. foreign policy objectives, and promote our national security,
including the protection of the safety of U.S. citizens abroad.
This initiative will support the growth of electronic commerce;
increase the security of the global information infrastructure; protect
privacy, intellectual property and other valuable information; and
sustain the economic competitiveness of U.S. encryption product
manufacturers during the transition to a key management infrastructure.
Under this initiative, non-recoverable encryption items up to 56-bit
key length DES or equivalent strength will be permitted for export and
reexport after a one-time review of the strength of the item and if the
exporter makes satisfactory commitments to build and/or market
recoverable encryption items, to support an international key
management infrastructure. This policy will apply to hardware and
software and will last through December 31, 1998.
The initiative addresses important foreign policy and national
security concerns identified by the President. Export controls on
cryptographic items are essential to controlling the spread abroad of
powerful encryption products which could be harmful to critical U.S.
national security, foreign policy and law enforcement interests. This
initiative will preserve such controls and foster the development of a
key management infrastructure necessary to protect important national
security, foreign policy and law enforcement concerns.
Encryption software can be used to maintain the secrecy of
information, and thereby may be used by persons abroad to harm national
security, foreign policy and law enforcement interests. As the
President indicated in E.O. 13026 and in his Memorandum of November 15,
1996, export of encryption software, like export of encryption
hardware, is controlled because of this functional capacity to encrypt
information on a computer system, and not because of any informational
or theoretical value that such software may reflect, contain, or
represent, or that its export may convey to others abroad. For this
reason, export controls on encryption software are distinguished from
other software regulated under the EAR.
The government recognizes that several factors, including the
development of common international encryption policies, the need for
an international key recovery infrastructure, and technological change,
will influence market development in key recovery products. At the same
time, the government is committed to a two-year transition period. The
government will continually evaluate progress towards key recovery
throughout and beyond the two-year period and will tailor the
implementation of its policies in consultation with the public.
This interim rule implements the Administration's policy on
encryption exports and reexports. This rule amends the Export
Administration Regulations (EAR) by imposing national security and
foreign policy controls (``EI'' for Encryption Items) on certain
information security systems and equipment, cryptographic devices,
software and components specifically designed or modified therefor, and
related technology (``encryption items'). ``Encryption items'' subject
to the EAR do not include encryption items specifically designed,
developed, configured, adapted or modified for military applications
(including command, control and intelligence applications). Such items
remain on the U.S. Munitions List, and continue to be controlled by the
Department of State, Office of Defense Trade Controls. EI controls
apply to encryption software transferred from the U.S. Munitions List
to the Commerce Control List consistent with E.O. 13026 of November 15,
1996 (61 FR 58767) and pursuant to the Presidential Memorandum of the
same date.
This interim rule also amends the Export Administration Regulations
by requiring a license for exports and reexports to all destinations,
except Canada, of certain encryption items controlled for EI reasons.
Except as otherwise noted, applications will be reviewed on a case-by-
case basis by BXA in conjunction with other agencies to determine
whether the export or reexport is consistent with U.S. national
security and foreign policy interests. Exporters should allow 40 days
for the processing of licenses, consistent with E.O. 12981. The
licensing policy is as follows:
(1) Certain mass-market encryption software. Certain encryption
software that was transferred from the U.S. Munitions List to the
Commerce Control List consistent with E.O. 13026 of November 15, 1996
(61 FR 58767) and
[[Page 68574]]
pursuant to the Presidential Memorandum of that date may be released
from ``EI'' controls and thereby made eligible for mass market
treatment after a one-time BXA review. To determine eligibility for
mass market treatment, exporters must submit a classification request
to BXA. 40-bit mass market encryption software may be eligible for a 7-
day review process, and company proprietary software may be eligible
for 15-day processing. See new Supplement No. 6 to part 742 and
Sec. 748.3(b)(3) for additional information. Note that the one-time
review is for a determination to release encryption software in object
code only. Exporters requesting release of the source code should refer
to paragraph (b)(3)(v)(E) of Supplement No. 6 to part 742. If, after a
one-time review, BXA determines that the software is released from EI
controls, such software is eligible for all provisions of the EAR
applicable to other software, such as License Exception TSU for mass-
market software. If BXA determines that the software is not released
from EI controls, a license is required for export and reexport to all
destinations, except Canada, and license applications will be
considered on a case-by-case basis.
(2) Key Escrow, Key Recovery and Recoverable encryption software
and commodities. Recovery encryption software and equipment controlled
for EI reasons under ECCN 5D002 or under ECCN 5A002, including
encryption equipment designed or modified to use recovery encryption
software, may be made eligible for License Exception KMI after a one-
time BXA review. License Exception KMI is available for all
destinations except Cuba, Iran, Iraq, Libya, North Korea, Syria and
Sudan. To determine eligibility, exporters must submit a classification
request to BXA. Requests for one-time review of key escrow and key
recovery encryption products will receive favorable consideration
provided that, prior to the export or reexport, a key recovery agent
satisfactory to BXA has been identified (refer to new Supplement No. 5
to part 742) and security policies for safeguarding the key(s) or other
material/information required to decrypt ciphertext as described in
Supplement No. 5 to part 742 are established to the satisfaction of BXA
and are maintained after export or reexport as required by the EAR. If
the exporter or reexporter intends to be the key recovery agent, then
the exporter or reexporter must meet all of the requirements of a key
recovery agent identified in Supplement No. 5 to part 742. In addition,
the key escrow or key recovery system must meet the criteria identified
in Supplement No. 4 to part 742. Note that eligibility is dependent on
continued fulfilment of the requirements of a key recovery agent
identified in Supplement No. 5 to part 742. Since the establishment of
a key management infrastructure and key recovery agents may take some
time, BXA will, while the infrastructure is being built, consider
exports of key recovery encryption products which facilitate
establishment of the key management infrastructure before a key
recovery agent is named, consistent with national security and foreign
policy. When BXA approves such cases, exporters of products described
in Supplement No. 4 to part 742 are required to furnish the name of an
agent by December 31, 1998. Requests for one-time review of recoverable
products which allow government officials to obtain, under proper legal
authority and without the cooperation or knowledge of the user, the
plaintext of the encrypted data and communications will also receive
favorable consideration.
(3) Non-recovery encryption items up to 56-bit key length DES or
equivalent strength supported by a satisfactory business and marketing
plan for exporting recoverable items and services. Manufacturers of
non-recovery encryption items up to 56-bit key length DES or equivalent
strength will be permitted to export and reexport under the authority
of License Exception KMI, provided that the requirements and conditions
of the License Exception are met. Exporters must submit a
classification request for an initial BXA review of the item and a
satisfactory business and marketing plan that explains in detail the
steps the applicant will take during the two-year transition period
beginning January 1, 1997 to develop, produce, and/or market encryption
items and services with recoverable features. Producers would commit to
produce key recovery products. Others would commit to incorporate such
products into their own products or services. Plans will be evaluated
in consideration of good faith efforts by the exporter to promote key
recovery products and infrastructure. Such efforts can include: the
scale of key recovery research and development, product development,
and marketing plans; significant steps to reflect potential customer
demand for key recovery products in the firm's encryption-related
business; and how soon a key recovery agent will be identified. Note
that BXA will accept requests for classification of non-recoverable
encryption items up to 56-bit key length DES or equivalent strength
under this paragraph from distributors, re-sellers, integrators, and
other entities that are not manufacturers of the encryption items. The
use of License Exception KMI is not automatic; eligibility must be
renewed every six months. Renewal after each six-month period will
depend on the applicant's adherence to explicit benchmarks and
milestones as set forth in the plan approved with the initial
classification request and amendments as approved by BXA. This
relaxation of controls and use of License Exception KMI will last
through December 31, 1998. The plan submitted with classification
requests for the export of non-recoverable encryption items up to 56-
bit key length DES or equivalent strength must include the elements in
new Supplement No. 7 to part 742. Note that distributors, re-sellers,
integrators, and other entities that are not manufacturers of the
encryption items are permitted to use License Exception KMI for exports
and reexports of such items only in instances where a classification
has been granted to the manufacturer of the encryption items. The
authority to so export or reexport will be for a time period ending on
the same day the producer's authority to export or reexport ends.
Exporters authorized to export 56-bit DES or equivalent strength
non-key recovery products in exchange for commitments to key recovery
will be allowed to service and support the customers of those products
during and after the two-year period. Support and service includes
maintenance or replacement of products to correct defects or maintain
existing functionality. It also includes upgrades that do not increase
the strength of the encryption in the product.
Exporters authorized to export 56-bit DES or equivalent strength
non-key recovery products during the interim period may also export
under a license additional quantities of those 56-bit DES or equivalent
strength non-key recovery products after the two-year period to
existing customers. Such sales may be made to the customers of any
exporter that was authorized to export such products in exchange for
key recovery commitments during the two-year period. The additional
quantities sold may not be disproportionate to the customer's embedded
base.
(4) All other encryption items--(i) Encryption licensing
arrangement. This is intended to continue without change the regulatory
treatment of the distribution and warehouse arrangements currently
permitted under
[[Page 68575]]
the International Traffic in Arms Regulations. Applicants may submit
license applications for exports and reexports of certain encryption
commodities and software in unlimited quantities for all destinations
except Cuba, Iran, Iraq, Libya, North Korea, Syria, and Sudan.
Applications will be reviewed on a case-by-case basis. Encryption
licensing arrangements may be approved with extended validity periods
specified by the applicant in block #24 on Form BXA-748P. In addition,
the applicant must specify the sales territory and classes of end-
users. Such licenses may require the license holder to report to BXA
certain information such as item description, quantity, value, and end-
user name and address.
(ii) Applications for encryption items not authorized under an
encryption licensing arrangement. Applications for the export and
reexport of all other encryption items will be considered on a case-by-
case basis.
(5) Applications for encryption technology. Applications for the
export and reexport of encryption technology will be considered on a
case-by-case basis.
Note that all ``EI'' encryption items are not subject to any
mandatory foreign availability procedures of the EAA or the EAR. In
section 1(a) of Executive Order 13026, the President states:
I have determined that the export of encryption products
described in this section may harm national security and foreign
policy interests even where comparable products are or appear to be
available from sources outside the United States, and that facts and
questions concerning the foreign availability of such encryption
products cannot be subject to public disclosure or judicial review
without revealing or implicating classified information that could
harm United States national security and foreign policy interests.
Accordingly, section 4(c) and 6(h)(2)-(4) of the Export
Administration Act of 1979 (``the EAA'') * * *, all other analogous
provisions of the EAA relating to foreign availability, and the
regulations in the EAR relating to such EAA provisions, shall not be
applicable with respect to export controls on such encryption
products.
This interim rule amends part 768, Foreign Availability, to make
clear that the provisions of that part do not apply to encryption items
transferred to the Commerce Control List.
This interim rule also amends part 734 to exclude encryption items
transferred from the U.S. Munitions List to the Commerce Control List
consistent with E.O. 13026 (61 FR 58767, November 15, 1996) and
pursuant to the Presidential Memorandum of that date from the de
minimis provisions for items exported from abroad. This rule also
amends part 734 of the EAR to reflect that encryption software
controlled for EI reasons under ECCN 5D002 that has been transferred to
the Department of Commerce from the Department of State by Presidential
Memorandum will be subject to the EAR even when publicly available. A
printed book or other printed material setting forth encryption source
code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However,
notwithstanding Sec. 734.3(b)(2), encryption source code in electronic
form or media (e.g., computer diskette or CD ROM) remains subject to
the EAR (see Sec. 734.3(b)(3)). The administration continues to review
whether and to what extent scannable encryption source or object code
in printed form should be subject to the EAR and reserves the option to
impose export controls on such software for national security and
foreign policy reasons. Note that there is a new definition of ``export
of encryption source code and object code software'' (see
Sec. 734.2(b)(9)).
This rule creates a new License Exception KMI for exports of
certain encryption software and equipment. This rule also amends part
740 and Supplement No. 2 to part 774 to reflect that encryption
software will not be eligible for ``mass market'' treatment under the
General Software Note or for export as beta-test software under License
Exception BETA unless released from EI controls through a one-time BXA
review (refer to new Supplement No. 6 to part 742). Encryption items
transferred from the USML to the CCL prior to November 15, 1996 are not
controlled for EI reasons. Note that License Exception TMP is available
for temporary exports and reexports of encryption items except under
the provisions for beta-test software. License Exceptions TMP and BAG
effectively replace the Department of State's personal use exemption.
Software and technology that was controlled by the Department of
Commerce prior to December 30, 1996 are not affected by this rule and
will continue to be eligible for the publicly available treatment.
Software controlled by the Department of Commerce prior to December 30,
1996 will continue to be eligible for mass market treatment under the
General Software Note, and License Exception TSU for mass-market
software.
For purposes of this rule, ``recovery encryption products'' refers
to encryption products (including software) that allow government
officials to obtain under proper legal authority and without the
cooperation or knowledge of the user, the plaintext of encrypted data
and communications. Such products fulfill the objectives of the
Administration's encryption policy. Other approaches to access and
recovery may be defined in the future.
This interim rule also amends part 742 to reflect the new combined
national security and foreign policy controls imposed by this rule, and
adds a new Supplement No. 4 titled ``Key Escrow or Key Recovery
Products Criteria'' that includes product criteria, a new Supplement
No. 5 titled ``Key Escrow or Key Recovery Agent Criteria, Security
Policies, and Key Escrow or Key Recovery Procedures'' that includes
interim requirements for key recovery agents, a new Supplement No. 6
titled ``Guidelines for Submitting a Classification Request for a Mass
Market Software Product that contains Encryption'' that includes the
criteria for the one-time review of classification requests for release
of certain encryption software from EI controls, and a new Supplement
No. 7 titled ``Review Criteria for Exporter Key Escrow or Key Recovery
Development Plans.''
This interim rule also amends part 744 to add a general prohibition
in Sec. 744.9 with respect to technical assistance in the development
or manufacture abroad of encryption commodities and software controlled
for EI reasons and makes conforming changes throughout the EAR.