The Wayback Machine - https://web.archive.org/web/20170714055251/https://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-items-subject-to-the-ear/a-not-in-cat-5-part-2/decontrol

Decontrol Notes

 

2a.iii. Decontrol notes

 

Decontrol notes: Items or specially designed components are not classified in Cat. 5 Part 2 if encryption is limited to any of the following:

  1. Smart cards and smart card ‘readers/writers’ as follows:

    1. A smart card or an electronically readable personal document (e.g., token coin, e-passport) that meets any of the following:

      1. The cryptographic capability is restricted for use in equipment or systems, excluded from 5A002, 5A003 or 5A004 by Note 4 in Category 5 - Part 2 or entries (b) to (i) of this Note, and cannot be reprogrammed for any other use; or

      2. Having all of the following:

        1. It is specially designed and limited to allow protection of 'personal data' stored within;

        2. Has been, or can only be, personalized for public or commercial transactions or individual identification; and

        3. Where the cryptographic capability is not user-accessible;

Technical Note: 'Personal data' includes any data specific to a particular person or entity, such as the amount of money stored and data necessary for authentication.

(2). 'Readers/writers' specially designed or modified, and limited, for items specified by (a)(1) of this Note;

Technical Note: 'Readers/writers' include equipment that communicates with smart cards or electronically readable documents through a network.
 

(b) Cryptographic equipment specially designed and limited for banking use or 'money transactions'; Technical Note: 'Money transactions' in 5A002 Note (b) includes the collection and settlement of fares or credit functions.
 

(c) Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communication systems) that are not capable of transmitting encrypted data directly to another radiotelephone or equipment (other than Radio Access Network (RAN) equipment), nor of passing encrypted data through RAN equipment (e.g., Radio Network Controller (RNC) or Base Station Controller (BSC));
 

(d) Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e., a single, unrelayed hop between terminal and home base station) is less than 400 meters according to the manufacturer's specifications;
 

(e) Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti-piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.5. of the Cryptography Note (Note 3 in Category 5 – Part 2), that have been customized for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customized devices;
 

(f) Wireless "personal area network" equipment that implement only published or commercial cryptographic standards and where the cryptographic capability is limited to a nominal operating range not exceeding 30 meters according to the manufacturer’s specifications, or not exceeding 100 meters according to the manufacturer’s specifications for equipment that cannot interconnect with more than seven devices;
 

(g) Equipment meeting all of the following:

  1. All cryptographic capability specified by 5A002.a meets any of the following:

    1. It cannot be used; or

    2. It can only be made useable by means of “cryptographic activation;” and

2. When necessary as determined by the appropriate authority in the exporter’s country, details of the equipment are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above;

N.B.1: See 5A002.a for equipment that has undergone “cryptographic activation.”

N.B.2: See also 5A002.b, 5D002.d and 5E002.b.

Things to note:

“Cryptographic activation” (Cat 5P2) Any technique that activates or enables cryptographic capability of an item, by means of a secure mechanism implemented by the manufacturer of the item, where this mechanism is uniquely bound to any of the following:

  1. A single instance of the item; or

  2. One customer, for multiple instances of the item.

Technical Notes to definition of “Cryptographic activation”:

  1. “Cryptographic activation” techniques and mechanisms may be implemented as hardware, “software” or “technology”.

  2. Mechanisms for “cryptographic activation” can, for example, be serial number-based license keys or authentication instruments such as digitally signed certificates.
 

(h) Mobile telecommunications Radio Access Network (RAN) equipment designed for civil use, which also meet the provisions 2. to 5. of part a. of the Cryptography Note (Note 3 in Category 5 – Part 2), having an RF output power limited to 0.1W (20 dBm) or less, and supporting 16 or fewer concurrent users;
 

(i)Routers, switches or relays, where the "information security" functionality is limited to tasks of "Operations, Administration or Maintenance" ("OAM") implementing only published or commercial cryptographic standards; (Software limited to the tasks of OAM is also not in Cat. 5 part 2, See Note under 5D002.c )

“Operations, Administration or Maintenance” (“OAM”) (Cat 5P2) Means performing one or more of the following tasks:

  1. Establishing or managing any of the following:

    1. Accounts or privileges of users or administrators;

    2. Settings of an item; or

    3. Authentication data in support of the tasks described in paragraphs a.1 or a.2;

  1. Monitoring or managing the operating condition or performance of an item; or

  2. Managing logs or audit data in support of any of the tasks described in paragraphs a. or b.

Note: “OAM” does not include any of the following

tasks or their associated key management functions:

a. Provisioning or upgrading any cryptographic functionality that is not directly related to establishing or managing authentication data in support of the tasks described in paragraphs a.1 or

a.2 above; or

b. Performing any cryptographic functionality on the forwarding or data plane of an item.

See also FAQ #9

 
 

(j) General purpose computing equipment or servers, where the “information security” functionality meets all of the following:

  1. Uses only published or commercial cryptographic standards; and

  2. Is any of the following:

    1. Integral to a CPU that meets the provisions of Note 3 in Category 5 - Part 2;

    2. Integral to an operating system that is not specified by 5D002; or

    3. Limited to “OAM” of the equipment.

 

See FAQ #13

 

The chart above outlines the decontrol text found in the Commerce Control List under the entry for 5A002. For some entries the chart above includes a right hand column with corresponding definitions from Part 772 of the EAR and/or additional points to note.

If the encryption is limited to that described above in the table, then Cat. 5 Part 2 does not apply. In that case you should review other Categories on the CCL (e.g., Cat. 4 or Cat. 5, Part 1). If it is not described in any other Category then it can be classified as EAR99.

   
© BIS 2016