On May 21, 2015, the Department of Commerce’s Bureau of Industry and Security (BIS) issued a final rule amending the Export Administration Regulations (EAR) to implement changes agreed to in December 2014 by members of the Wassenaar Arrangement, a group of countries committed to ensuring effective export controls on strategic items to improve regional and international security and stability.

The new rule makes a number of technical changes to the EAR’s Commerce Control List (CCL), revising 42 Export Control Classification Number (ECCN) entries, adding one ECCN, and subtracting another. Many of the technical corrections and updates to ECCN entries are intended to recognize industry standards or terms and/or advances in technology.

Among other changes, BIS made several revisions to its encryption controls.  These revisions include the following amendments to a regulatory note excluding certain items from ECCN 5A002, which controls strong encryption items:

  • Equipment where all cryptographic capability cannot be used or can only be made usable by means of “cryptographic activation” is not controlled under 5A002. To eliminate a prior loophole, BIS now explicitly requires that a mechanism for cryptographic activation be uniquely bound to a single instance of the item or to one customer, for multiple instances of the item. Cryptographic activation does not include changing the controlled encryption of a previously exported item or using a single license key or digitally signed certificate to activate multiple types of products.
  • BIS added an exclusion for routers, switches, or relays where the information security functionality is limited to the tasks of “Operations, Administration or Maintenance” (OAM) implementing only published or commercial cryptographic standards. OAM is defined as performing one or more of the following tasks: (1) establishing or managing accounts or privileges of users or administrators, settings of an item, or authentication data in support of the foregoing tasks; (2) monitoring or managing the operating condition or performance of an item; or (3) managing logs or audit data in support of any of the foregoing tasks.
  • Additionally, BIS added an exclusion for general purpose computing equipment or servers having standard information security functionality from their embedded mass market microprocessors (CPUs) or operating systems or that is limited to OAM of the equipment.

Given the sheer number of technical revisions made to the CCL, exporters are encouraged to carefully review the rule to assess its impact on their products and technologies.