16 January 1998
Source: "Implementation of the Wassenaar Arrangement List of Dual-Use Items: Revisions to the Commerce Control List and Reporting Under the Wassenaar Arrangement; Rule."


Supplement No. 1 to Part 774--the Commerce Control List


Category 5--``Information Security'', Part II


Part 2--``Information Security''

    Note: The control status of ``information security'' equipment,
``software'', systems, application specific ``electronic
assemblies'', modules, integrated circuits, components, or functions
is determined in Category 5, Part 2 even if they are components or
``electronic assemblies'' of other equipment.

A. Systems, Equipment and Components

5A002   Systems, equipment, application specific ``assemblies'',
modules or integrated circuits for ``information security'', and
specially designed components therefor.

License Requirements

Reason for Control: NS, AT, EI


               Control(s)                         Country Chart

NS applies to entire entry.............  NS Column 1
AT applies to entire entry.............  AT Column 1


    EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to Sec. 742.15 of the
EAR.

    License Requirement Notes: See Sec. 743.1 of the EAR for
reporting requirements for exports under License Exceptions.
License Exceptions

LVS: N/A
GBS: N/A
CIV: N/A

List of Items Controlled

Unit: $ value
Related Controls: See also 5A992. This entry does not control: (a)
``Personalized smart cards'' or specially designed components
therefor, with any of the following characteristics: (1) Not capable
of message traffic encryption or encryption of user-supplied data or
related key management functions therefor; or (2) When restricted
for use in equipment or systems excluded from control under the note
to 5A002.c, or under paragraphs b through h of this note. (b)
Equipment containing ``fixed'' data compression or coding
techniques; (c) Receiving equipment for radio broadcast, pay
television or similar restricted audience television of the consumer
type, without digital encryption and where digital decryption is
limited to the video, audio or management functions; (d) Portable or
mobile radiotelephones for civil use (e.g., for use with commercial
civil cellular radiocommunications systems) that are not capable of
end-to-end encryption; (e) Decryption functions specially designed
to allow the execution of copy-protected ``software'', provided the
decryption functions are not user-accessible; (f) Access control
equipment, such as automatic teller machines, self-service statement
printers or point of sale terminals, that protects password or
personal identification numbers (PIN) or similar data to prevent
unauthorized access to facilities but does not allow for encryption
of files or text, except as directly related to the password or PIN
protection; (g) Data authentication equipment that calculates a
Message Authentication Code (MAC) or similar result to ensure no
alteration of text has taken place, or to authenticate users, but
does not allow for encryption of data, text or other media other
than that needed for the authentication; (h) Cryptographic equipment
specially designed and limited for use in machines for banking or
money transactions, such as automatic teller machines, self-service
statement printers or point of sale terminals.
Related Definitions: For the control of global navigation satellite
systems receiving equipment containing or employing decryption
(i.e., GPS or GLONASS see 7A005)
Items: a. Systems, equipment, application specific ``assemblies'',
modules or integrated circuits for ``information security'', and
specially designed components therefor:
    a.1. Designed or modified to use ``cryptography'' employing
digital techniques to ensure ``information security'';
    a.2. Designed or modified to perform cryptoanalytic functions;
    a.3. Designed or modified to use ``cryptography'' employing
analog techniques to ensure ``information security'';

    Note: 5A002.a.3 does not control the following:

    1. Equipment using ``fixed'' band scrambling not exceeding 8
bands and in which the transpositions change not more frequently
than once every second;
    2. Equipment using ``fixed'' band scrambling exceeding 8 bands
and in which the transpositions change not more frequently than once
every ten seconds;

[[Page 2523]]

    3. Equipment using ``fixed'' frequency inversion and in which
the transpositions change not more frequently than once every
second;
    4. Facsimile equipment;
    5. Restricted audience broadcast equipment; and
    6. Civil television equipment;
    a.4. Designed or modified to suppress the compromising
emanations of information-bearing signals;

    Note: 5A002.a.4 does not control equipment specially designed to
suppress emanations for reasons of health and safety.

    a.5. Designed or modified to use cryptographic techniques to
generate the spreading code for ``spread spectrum'' or the hopping
code for ``frequency agility'' systems;
    a.6. Designed or modified to provide certified or certifiable
``multilevel security'' or user isolation at a level exceeding Class
B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or
equivalent;
    a.7. Communications cable systems designed or modified using
mechanical, electrical or electronic means to detect surreptitious
intrusion.

5A992  ``Information security'' equipment, n.e.s.; (e.g.,
cryptographic, cryptoanalytic, and cryptologic equipment, n.e.s.), and
components therefor.

License Requirements

Reason for Control: AT


               Control(s)                         Country Chart

AT applies to entire entry.............  AT Column 1


License Exceptions

LVS: N/A
GBS: N/A
CIV: N/A

List of Items Controlled

Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN
heading.

B. Test, Inspection and Production Equipment

5B002   Information Security--test, inspection and ``production''
equipment.

License Requirements

Reason for Control: NS, AT


               Control(s)                         Country Chart

NS applies to entire entry.............  NS Column 1
AT applies to entire entry.............  AT Column 1


    License Requirement Notes: See Sec. 743.1 of the EAR for
reporting requirements for exports under License Exceptions.

License Exceptions

LVS: N/A
GBS: N/A
CIV: N/A

List of Items Controlled

Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items: a. Equipment specially designed for:
    a.1. The ``development'' of equipment or functions controlled by
5A002, 5B002, 5D002 or 5E002, including measuring or test equipment;
    a.2. The ``production'' of equipment or functions controlled by
5A002, 5B002, 5D002, or 5E002, including measuring, test, repair or
production equipment;
    b. Measuring equipment specially designed to evaluate and
validate the ``information security'' functions controlled by 5A002
or 5D002.

C. Materials [Reserved]

D. Software

5D002   Information Security--``Software''.

License Requirements

Reason for Control: NS, AT, EI


               Control(s)                         Country Chart

NS applies to entire entry.............  NS Column 1
AT applies to entire entry.............  AT Column 1


    EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to Sec. 742.15 of the
EAR.

    Note: Encryption software is controlled because of its
functional capacity, and not because of any informational value of
such software; such software is not accorded the same treatment
under the EAR as other ``software''; and for the export licensing
purposes encryption software is treated under the EAR in the same
manner as a commodity included in ECCN 5A002. License Exceptions for
commodities are not applicable.

    Note: Encryption software controlled for EI reasons under this
entry remains subject to the EAR even when made publicly available
in accordance with part 734 of the EAR, and it is not eligible for
the General Software Note (``mass market'' treatment under License
Exception TSU for mass market software). After a one-time BXA
review, certain encryption software may be released from EI controls
and made eligible for the General Software Note treatment as well as
other provisions of the EAR applicable to software. Refer to
Sec. 742.15(b)(1) of the EAR and Supplement No. 6 to part 742 of the
EAR.

    License Requirement Notes: See Sec. 743.1 of the EAR for
reporting requirements for exports under License Exceptions.

    License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

Unit: $ value
Related Controls: See also 5D992. This entry does not control
``software'' ``required'' for the ``use'' of equipment excluded from
control under 5A002 or ``software'' providing any of the functions
of equipment excluded from control under 5A002
Related Definitions: N/A
Items: a. ``Software'' specially designed or modified for the
``development'', ``production'' or ``use'' of equipment or
``software'' controlled by 5A002, 5B002 or 5D002.
    b. ``Software'' specially designed or modified to support
``technology'' controlled by 5E002.
    c. Specific ``software'' as follows:
    c.1. ``Software'' having the characteristics, or performing or
simulating the functions of the equipment controlled by 5A002 or
5B002;
    c.2. ``Software'' to certify ``software'' controlled by
5D002.c.1.

5D992  ``Software'' not controlled by 5D002.

License Requirements

Reason for Control: AT


               Control(s)                         Country Chart

AT applies to 5D992.a and .b...........  AT Column 1
AT applies to 5D992.c..................  AT Column 2


License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items: a. ``Software'', specially designed or modified for the
``development'', ``production'', or ``use'' of information security
or cryptologic equipment (e.g., equipment controlled by 5A992)
    b. ``Software'' having the characteristics, or performing or
simulating the functions of the equipment controlled by 5A992.
    c. ``Software'' designed or modified to protect against
malicious computer damage, e.g., viruses.

E. Technology

5E002  ``Technology'' according to the General Technology Note for the
``development'', ``production'' or ``use'' of equipment controlled by
5A002 or 5B002 or ``software'' controlled by 5D002.

License Requirements

Reason for Control: NS, AT, EI


               Control(s)                         Country Chart

NS applies to entire entry.............  NS Column 1
AT applies to entire entry.............  AT Column 1


    EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date.

Refer to Sec. 742.15 of the EAR

    License Requirement Notes: See Sec. 743.1 of the EAR for
reporting requirements for exports under License Exceptions
License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

Unit: N/A
Related Controls: See also 5E992

[[Page 2524]]

Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN
heading.

5E992  ``Technology'', n.e.s., for the ``development'', ``production'',
or ``use'' of ``information security'' or cryptologic equipment (e.g.,
equipment controlled by 5A992), or ``software'' controlled by 5D992.

License Requirements

Reason for Control: AT


               Control(s)                         Country Chart

AT applies to entire entry.............  AT Column 1


License Exceptions

CIV: N/A
TSR: N/A

List of Items Controlled

Unit: N/A
Related Controls: N/A
Related Definitions: N/A
Items: The list of items controlled is contained in the ECCN
heading.

EAR99  Items subject to the EAR that are not elsewhere specified in
this CCL Category or in any other category in the CCL are designated by
the number EAR99.