Export Controls on Software: 6 Secrets You Need to Know
Okay. They aren’t really secrets. The Export Administration Regulations (EAR) administered by the Bureau of Industry and Security (BIS) – and the “sister” set of regulations called the International Traffic in Arms Regulations (ITAR) administered by the Directorate of Defense Trade Controls (DDTC) – are available for anyone to read. The electronic Code of Federal Regulations (e-CFR) is a click away. And, fortunately, there are general principles that you can rely on when analyzing these core U.S. export controls regulations. BUT…the software-related regulations are sometimes different.
The export compliance requirements on sending software overseas or sharing it with foreign nationals in the U.S. tend to be…well, unique. In particular, there are aspects of the EAR that do not follow the same norms as tangible goods and technology. These nuances relate to core steps for understanding your compliance requirements. Those core steps are: 1) determine the export control classification number (ECCN) and 2) determine export licensing requirements for your items.
Before you tackle your encryption export or deemed export, read our 6 tips to help you navigate the world of software export controls.
TIP #1: Handling Encryption Source Code? Remember Format Matters.
Typically, the format of “technology” (i.e., technical data or information) does not matter under the EAR. Sharing electronic copies in the cloud? Favoring printed hard copies? The requirements for sharing or exporting that controlled technology are identical. This is often a core message in export control training about deemed exports. BUT…the rules for encryption source code are different!
Printed encryption source code and electronic encryption source code are not equally regulated under the EAR.
- PRINTED books and other printed material containing encryption source code are not subject to the EAR.
- ELECTRONIC encryption source code, such as on a flash drive or in a cloud drive, is subject to the EAR.
Check out 15 CFR 734.3(b)(3) “Note to Paragraph b(2) and b(3)” for the full context in the Export Administration Regulations.
TIP #2: Want to Use License Exception ENC? Might Need to Submit a Classification Report or Sales Report to BIS.
While BIS does allow companies or universities to submit a “Commodity Classification Request” (i.e., BIS will determine the classification for you through a CCATS), the agency generally encourages organizations to “self-classify” (i.e., do it yourself). Typically, when an organization self-classifies its goods, technology, or software, BIS does not need to be notified. And to use many license exceptions under the EAR, BIS does not require a formal request or report to be submitted. BUT…the rules for encryption commodities, software, and technology are different!
Annual Self-Classification Reports
If you are using License Exception ENC, you must submit an annual self-classification report to BIS, unless a CCATS has already been submitted for the item.
Semi-Annual Sales Report
Exporting to a country other than Canada? For exports of the specific items spelled out in 15 CFR Part 730.17(b)(2) and (b)(3)(iii), you will need to submit Semi-Annual Sales Reports.
TIP #3: Unique EAR Definitions and Terms for Encryption and Code
Not all programming code is the same. The terms “software,” “source code,” and “object code” are separately defined terms under the EAR. For object code, think 0’s and 1’s. Did you also know that items with encryption functionality are separately defined?
Definitions in the EAR adjust to encompass the encryption aspect of software/source code. For example, “software” versus “encryption software”.
- “Encryption Software” – Computer programs that provide the capability of encryption functions or confidentiality of information or information systems. Such software includes source code, object code, applications software, or system software.
- “Software” – A collection of one or more “programs” or “microprograms” fixed in any tangible medium of expression.
A great resource to bookmark is the “Definitions of Terms” section in 15 CFR Part 772 in the Export Administration Regulations. (However, keep in mind that defined terms are also embedded within the Commerce Control List or CCL.)
TIP #4: Manufacturers Provide Helpful Classification Information
Sometimes manufacturers provide their product classification information to the public. Why not obtain the export control classification number directly from the source? This may allow you to avoid the process of self-classification. Even better…the vendors sometimes provide Schedule B or HTS Codes as well. And for encryption software…BIS states that if the manufacturer has already submitted a classification request to use License Exception ENC, you can export based on the manufacturer’s classification and ENC authorization for the product.
We’ve provided links to export classifications from industry leaders below. Consider referencing the classifications they have determined in your own export classification documentation.
TIP #5: Encryption Licensing Arrangements Can be Established
Normal BIS export licenses, when issued, are for a specified quantity of products to a specific end user. However, an Encryption Licensing Arrangement is available for unlimited quantities of products and multiple end users. Is that something your organization can benefit from? Maybe. Usually, a Semi-Annual Sales Report is needed, so you’ll want to factor that into your broader export compliance management program. Check out this BIS encryption export controls webinar transcript for more information.
TIP #6: Going Public with Encryption Source Code? Email BIS First
The general notion is that if the software (or technology) is publicly available, then it is not subject to the EAR. This concept is spelled out in 15 CFR Part 734.7. An example would be a product data sheet downloadable from a company’s public website or technical data in a peer-reviewed scientific journal. Furthermore, BIS does not require you to ask for permission before publishing. BUT…encryption is different!
Encryption Source Code
Publicly available encryption source code is no longer subject to the EAR – after you properly notify BIS and the ENC Encryption Request Coordinator. Open source encryption source code that is available for free online is an example. Want to learn more about how, when, and exactly who to notify? Check out 15 CFR Part 742.15(b) for more details.
There’s More to It
We’ve scratched the surface in walking through 6 tips that can help you with your software export compliance. Encryption, in particular, is tricky. You can learn more from the BIS Encryption Policy Guidance and bookmarks. Or you can seek help from export control experts.