An official website of the United States government

Skip to main content

Encryption

Quick links

On March 29, 2021, the Implementation of Wassenaar Arrangement 2019 Plenary Decisions was published in the Federal Register. This rule included changes to license exception ENC Section 740.17 of the EAR. Here is a summary of the changes made to license exception ENC by this rule. 

The U.S. Commerce Control List (CCL) is broken into 10 Categories 0 – 9 (see Supplement No. 1 to part 774 of the EAR).  Encryption items fall under Category 5, Part 2 for Information Security. Cat. 5, Part 2 covers: 

  1. Cryptographic Information Security; (e.g., items that use cryptography)
  2. Non-cryptographic Information Security (5A003); and
  3. Defeating, Weakening of Bypassing Information Security (5A004) 

You can find a Quick Reference Guide to Cat. 5, Part 2 here. 
 
The controls in Cat. 5, Part 2 include multilateral and unilateral controls. The multilateral controls in Cat. 5, Part 2 of the EAR (e.g., 5A002, 5A003, 5A004, 5B002, 5D002, 5E002) come from the Wassenaar Arrangement List of Dual Use Goods and Technologies. Changes to the multilateral controls are agreed upon by the participating members of the Wassenaar Arrangement. Unilateral controls in Cat. 5, Part 2 (e.g., 5A992.c, 5D992.c, 5E992.b) of the EAR are decided on by the United States. 
  
The main license exception that is used for items in Cat. 5, Part 2 is License Exception ENC (Section 740.17). License exception ENC provides a broad set of authorizations for encryption products (items that implement cryptography) that vary depending on the item, the end-user, the end-use, and the destination. There is no "unexportable" level of encryption under license exception ENC. Most encryption products can be exported to most destinations under license exception ENC, once the exporter has complied with applicable reporting and classification requirements. Some items going to some destinations require licenses. 
 
This guidance does not apply to items subject to the exclusive jurisdiction of another agency. For example, ITAR USML Categories XI(b),(d), and XIII(b), (l) control software, technical data, and other items specially designed for military or intelligence applications. 

 

Flowcharts

The following 2 flowcharts lay out the analysis to follow for determining if and how the EAR and Cat.5 Part 2 apply to a product incorporating cryptography: 

  • Flowchart 1: Items Designed to Use Cryptography Including Items NOT controlled under Category 5 Part 2 of the EAR

  • Flowchart 2: Classified in Category 5, Part 2 of the EAR

Outline