Encryption
There are specific regulatory, classification, licensing, and record keeping provisions associated with the export of encryption items.
Guidance articles
-
Encryption and Export Administration Regulations (EAR)
On March 29, 2021 the Implementation of Wassenaar Arrangement 2019 Plenary Decisions was published in the Federal Register.
-
Crypto for data confidentiality
Learn more about encryption items that fall under Category 5, Part 2 in the U.S. Commerce Control List (CCL), including cryptographic, non-cryptographic and other types of information security for encryption.
Encryption FAQs
Any party who exports certain U.S.-origin encryption products may be required to submit a classification request and/or self-classification report; however, if a manufacturer has self-classified relevant items and/or had items classified by BIS, and has made the classifications available to other parties such as resellers and other exporters/reexporters, such other parties are not required to submit a classification request or to submit an annual self-classification report.
Exporters or reexporters that are not producers of the encryption items can rely on the self-classification or CCATS that is published by the producer when exporting or reexporting the classified encryption item. Separate commodity classification request or self-classification report to BIS is NOT required.
If you are not the producer and are unable to obtain the producer’s information or if the producer has not submitted a self-classification report or commodity classification for his/her products to BIS, then you are responsible for properly classifying the item and obtaining the proper authorization. This may require you to submit a self-classification report or classification request.
No. The classification of your item does not depend on the classification of the encryption you are incorporating. Your product should be classified separately as a standalone item.
Only items listed in 740.17(b)(2) and (b)(3) require a classification. For those items, a new classification is required when the cryptographic functionality changes or other technical characteristics affecting license exception ENC eligibility – e.g., encrypted throughput. New classifications are not required for other changes, including patches, upgrades or releases, name changes. Items described in 740.17(b)(1) do not require a classification to be eligible for ENC.
If you are requesting a classification of an item described in paragraph 740.(b)(2) or (b)(3), then a classification request is required. If you are requesting a classification of an item described in paragraph 740.17(b)(1) (in other words, the item is not described in either Section 740.17(b)(2) or (b)(3)), a Supplement No. 6 questionnaire is not required as a supporting document. Provide sufficient information about the item (e.g., technical data sheet and/or other explanation in a separate letter of explanation) for BIS to determine that the item is described in paragraph 740.17(b)(1). If you are not sure that your product is authorized as 740.17(b)(1) and you want BIS to confirm that it is authorized under 740.17(b)(1), providing answers to the questions set forth in Supplement No. 6 to part 742 with your request should provide BIS with sufficient information to make this determination.
Classifications issued for ECCNs 5A992/5D992.a and b, and 5E002.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991) if applicable or designated EAR99. A new CCATS is not required.