Archive for the ‘Wassenaar’ Category

EAR CCL Category 5 Part 2 Update List


By: Danielle McClellan

BIS has published final rules implementing the Wassenaar Arrangement’s decision to re-write Category 5 Part 2, below is a list of updates. BIS will be updating their Encryption website soon to reflect these changes.

ECCN Changes to Category 5 Part 2

  • Separates C5P2 into 3 subsections:
    • Cryptographic information security
    • Non-cryptographic information security – 5A003
    • Defeating, Weakening, or bypassing information security – 5A004
  • Deletes ECCNS 5A992/5D992 a&b, as well as 5E992.a
  • Keeps mass market ECCNs 5A992/5D992.c and 5E992.b
  • Decontrol notes (Note to 5A002.a) moved around to remove previously unused paragraphs
  • Removes previous Note 1 to C5P2 – moved to a General Information Security Note (Supp. No. 2 to Part 774), removed all the pointers in the EAR to C5P2
  • Adds a sentence to the Note to Note 3 saying that simple price inquiry is not a consultation
  • Deletes 5A002 a.7 control on products above EAL-6

License Exception Changes

  • License Exception TSU – Publicly available source code is no longer subject to the EAR once the email notification is sent. The Notification requirement that was previously under TSU §740.13(e) is moved to §742.15(b)
  • License Exception TMP – 5E002 encryption technology now eligible for tools of the trade provisions under 740.9
  • §742.15 – Encryption Mass market provisions are moved from §742.15 to §740.17
  • License Exception ENC – §740.17
    • Paragraph (a)(1) – Adds an exception for certain related parties transactions for companies headquartered in a Supp. 3 country
    • §740.17(b)(4) – Deletes paragraph on short-range wireless items, paragraph on foreign made products is moved to paragraph (a)
    • Encryption Registrations no longer required – some of the information from the registration now goes into the Supp. No. 8 to Part 742 report
    • If an exporter submits a CCATS review for an item under §740.17(b)(1), it does NOT have to go on the self-classification report
    • §740.17(b)(2) – updates performance parameters
  • § Edits headers to make it clear that there should only be one parameter that applies to a product
  • § Aggregate encrypted throughput increased from 90 Mbps to 250 Mbps
  • § Deletes single channel input data rate
  • § Deletes 250 concurrent encrypted data channels
  • § Media parameter raised from 1,000 endpoints to 2,500
  • § Carves out for mass market satellite modems that use end-to-end encryption between the modem and the hub
  • § 5A002.d (channelizing codes) and 5A002.e (spread spectrum) moved to §740.17(b)(2)
  • § New authorization for network infrastructure items to less-sensitive government end-users.
  • Delets grandfathering provisions
  • Adds Croatia added to Supp. No. 3 to Part 740
  • Revises Supp. No. 6 to Part 742 questions
  • Definition of government end-user states that government-owned public schools and universities are “government end-users” as defined in Section 772
  • Adds definition of “More sensitive government end-users” and “Less-sensitive government end-users”


Classifications issued for 5A992/5D992 a&b and 5E992.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991,) if applicable, or EAR99.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to this rule change continue to be authorized under the newly located mass market encryption provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the item moved from 742.15 to 740.17.

Wassenaar Arrangement Ruling:

BIS Final Rule:

BIS Posts Letter from Secretary Pritzker Regarding Implementation of Wassenaar Controls Concerning “Intrusion Software”


(Source: Commerce/BIS)

Dear Sir or Madam,
Thank you for your letter to Secretaries Kerry, Johnson, and me regarding implementation of the Wassenaar Arrangement “intrusion software” and surveillance technology provisions.
Since the publication of our proposed regulation last May to implement these controls, we have received substantial commentary from Congress, the private sector, academia, civil society, and others on potential unintended consequences of the 2013 Wassenaar controls, as well as on our proposal to implement them in U.S. regulation.

In response to these concerns, and as a result of extensive outreach efforts and further U.S. Government review, the United States has proposed in this year’s Wassenaar Arrangement to eliminate the controls on technology required for the development of “intrusion software.” We will also continue discussions both domestically and at Wassenaar aimed at resolving the serious scope and implementation issues raised by the cybersecurity community concerning remaining controls on software and hardware tools for the command and delivery of “intrusion software.”

These discussions will include significant consultations with other Wassenaar members and those in the U.S. government, private sector, and academic cybersecurity communities. The goals of these discussions will be materially address the concerns raised during the rulemaking process. They will also give the Administration a chance to share with our counterparts in other countries the U.S. cybersecurity communities’ concerns regarding the unintended consequences such controls could have.

Because changes in Wassenaar controls must be approved by all 41 members, we cannot predict the outcome of these discussions and negotiations. The Department of Commerce and our Federal partners, however, will continue to consult with the cybersecurity communities during the negotiations and we commit that we will not implement domestically any regulations on these specific controls without first giving the public an opportunity to participate through the notice and comment process of a proposed rule.

President Obama has identified cybersecurity as one of the greatest national security challenges we face as a Nation. Cognizant of this, we commit to ensuring that the benefits of controlling the export of the purpose-built tools at issue outweigh the harm to effective U.S. cybersecurity operations and research. We will also continue to analyze the role that appropriately scoped export controls could play within the larger strategy of countering the growing capability of malicious actors to cause harm through cyberspace.

Thank you again for your letter, and we look forward to working with your associations and your membership on this critical issue.

Penny Pritzker

BIS Amends Country Chart and Various Missing Wassenaar Changes


By: Danielle McClellan

BIS released the following amendments and revisions that were inadvertently omitted from the Wassenaar Arrangement 2014 Plenary Agreements Implementation and Country Policy Amendments. A rule was published on May 21, 2015 but the following revisions were absent in that notice and will be implemented now:


  • Supplement No. 1 to Part 738: Commerce Country Chart
    • This rule would remove the X, i.e., license requirement, in the NS:2 Column for South Africa, as well as remove the X in the RS:2 Column for Argentina and South Africa
  • Part 740: Country Groups
    • This rule removes Fiji from Country Group D:5 ‘‘U.S. Arms Embargoed Countries,’’ and from Country Group D in Supplement No. 1 to part 740 of the EAR (This correction is not the result of a Wassenaar Arrangement agreement, but rather of a final rule published by the Department of State on May 29, 2015)
  • Section 743.3: Thermal Imaging Camera Reporting
    • BIS inadvertently removed a thermal imaging camera reporting requirement exemption for Canada in the May 21 rule. The reporting requirements for thermal imaging cameras are corrected by exempting Canada from the reporting requirements, as was the policy prior to the publication of the May 21, 2015, Wassenaar rule. The exception is added to paragraph (b) of § 743.3 of the EAR.
  • Part 772: Definitions
    • This rule removes a reference for ‘‘signal analyzer (dynamic).  .  .’’ that was inadvertently not removed when the definition for ‘‘dynamic signal analyzer’’ was removed from this part.
  • Supplement No. 1 to Part 774: Commerce Control List ECCN 8A620 Submersible Vessels, Oceanographic and Associated Commodities
    • Replaces paragraph .f with a new paragraph containing two subparagraphs: Subparagraph f.1 for self-contained diving rebreathers, closed or semi-closed circuit; and subparagraph f.2 for underwater swimming apparatus ‘‘specially designed’’ for use with equipment specified in paragraph f.1. Paragraph f.1 narrows the scope by adding the ‘‘self- contained’’ parameter, while f.2 is an expansion of controls.
  • ECCN 9A004 Space Launch Vehicles and ‘‘Spacecraft’’
    • The range of reference in the License Requirement Note is corrected to read ‘‘9A004.b through .f.’’ Also, Note 3 in the Related Controls is revised for clarity.
  • 9A010  ‘‘Specially Designed’’ ‘‘Parts,’’ ‘‘Components,’’ Systems and Structures, for Launch Vehicles, Launch Vehicle Propulsion Systems or ‘‘Spacecraft’’
    • The Heading to ECCN 9A010 is corrected by removing the reference to the ITAR for jurisdiction over these items and instead referring to the newly added Related Controls paragraph.

Federal Register Notice:

CCL Revisions from Wassenaar Meeting


By: Danielle McClellan

The Bureau of Industry and Security (BIS) issued a final rule on May 21, 2015 that revises the Commerce Control List (CCL) to implement changes made to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies.

Wassenaar Participating States agreed to new controls on spacecraft equipment and technology for fly-by-wire/flight-by-light systems and revised the text for the controls of machine tools and military utility and finber laser components in optical equipment. Changes involving the deletion of obsolete controls relating to vessels and UAVs have also occurred. The new rule revises 42 ECCNs and adds one ECCN while removing another. The General Technology Note was also amended as well as adding License Exception CIV to 3 ECCNs for Anisotropic plasma dry etching equipment and related software and technology.


  • Revises:  0A606, 1A613, 1C002, 1C007, 1C008, 1C010, 1E002, 2B001, 3A001, 3A002, 3A991, 3B001, 4D001, 4E001, 5D001, 5E001, 5A002, 6A001, 6A003, 6A004, 6A005, 6C005, 6D003, 7A003, 7D004, 7E004, 7E001, 8A001, 8A002, 8A620, 8E002, 9A001, 9A003, 9D003, 9A004, 9A010, 9A012, 9B001, 9B010, 9D003, 9D004, and 9E0032
  • Adjusts 0D521 and 0E521 controls on flight controls
  • Adds  9D005
  • Removes 4D002
  • Revises because of the Foreign Availability Assessment: 3B001, 3D001, and 3E001

FOR FURTHER INFORMATION CONTACT: Sharron Cook, Office of Exporter Services, Bureau of Industry and Security, U.S. Department of Commerce at 202-482-2440 or by email:


For technical questions contact:

  • Categories 0, 1 & 2: Michael Rithmire at 202-482-6105
  • Category 3: Brian Baker at 202-482-5534
  • Categories 4 & 5: ITCD staff 202-482-0707
  • Category 5 (Satellites): Mark Jaso at 202-482-0987 or Reynaldo Garcia at 202-482-3462
  • Category 6 (optics): Chris Costanzo at 202-482-0718
  • Category 6 (lasers): Mark Jaso at 202-482-0987
  • Category 6 (sensors and cameras): John Varesi 202-482-1114
  • Category 8: Darrell Spires 202-482-1954
  • Categories 7 & 9: Daniel Squire 202-482-3710 or Reynaldo Garcia 202-482-3462

BIS Adapts December 2013 Wassenaar List Changes


By: Brooke Driver

BIS announced on the 25th of July that it was making changes to the CCL to incorporate revisions to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies that took place at the plenary meeting last December. This rule harmonizes the CCL with the changes made to the WA List by revising ECCNs controlled for national security reasons in each category of the CCL, amending the General Technology Note, WA reporting requirements and definitions section in the EAR. BIS stated that it intends to publish a separate rule this month regarding changes to the Commerce Control List related to WA agreements for cybersecurity. The rule came into effect August 4.

Wassenaar Arrangement Modifies Controls on Electronic Surveillance Tools


By: Brooke Driver

At its annual plenary meeting in Austria December 3-4, 2013, the Wassenaar Arrangement, a group of 41 countries including the U.S., Russia, the U.K. and most E.U. states, focused on export controls for conventional arms and dual-use goods and technology, agreed on new harsher export controls on cybersecurity technologies, recognizing their great potential for terrorism. Each participating country must now implement these changed policies, one major area of which is surveillance and intelligence gathering tools, including malware and rootkits, which governments can use to bypass security features on electronic devices in order to attain supposedly protected data. Internet protocol network surveillance systems or equipment are also now subject to revised export controls, which include technologies used to screen for malware, viruses and surveillance programs. These technologies are subject to new controls, because representatives of the 41 countries believed that they could be used to both block cyber attacks and grant foreign persons dangerous insight into Western screening systems, increasing the potential for hacks. The agreement also places stricter controls on intelligence gathering technologies that analyze individuals’ or groups’ relational networks and activities, although there will be exceptions for companies using such software for marketing or consumer-monitoring purposes.

Click here for details of these changes and others decided upon at this year’s Wassenaar plenary meeting:

BIS Amends EAR and CCL to Implement Wassenaar Arrangement 2012 Plenary Agreements


By: Brooke Driver and John Black

The Bureau of Industry and Security has taken steps to implement changes to the Commerce Control List of the Export Administration Regulations discussed at the Plenary Meeting in 2012. This final rule revises the CCL to implement changes made to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies, agreed to by participants of the Plenary Meeting. The rule revises ECCNs in every category of the CCL except category 8.  In addition, BIS changed the EAR Part 743 Wassenaar Arrangement (WA) reporting requirements for certain license exception exports of items in 2D001, 2E001, and 2E002.
For aerospace companies, the rule makes important relaxations to what some people view as the antiquated 7E004 controls on technology.  BIS added a new ECCN to control source code related to 7E004:

7D004 “Source code” incorporating “development” “technology” specified by 7E004.a or 7E004.b, for any of the following: (see List of Items Controlled).

BIS also adjusted the ECCN 9E003.a.5 controls on technology for cooled turbine blades, vanes or tip shrouds to bring those controls more in line with other controls.  BIS added this new software ECCN:

2D003 “Software”, designed or modified for the operation of equipment specified by 2B002, that converts optical design, workpiece measurements and material removal functions into “numerical control” commands to achieve the desired workpiece form.

BIS made WA based changes to these other ECCNs 1A004, 1C001, 2B001, 2B006, 2D001, 2D002, 3A001, 3A002, 3B001, 3C002, 4D001, 5A001, 5B001, 5E001, 5A002, 5E002, 6A001, 6A002, 6A005, 6C004, 6C005, 7A001, 7D003, 7E001, 9A001, and 9A018.
For the details, visit:

BIS Clarifies Controls on Crew Protection Kits



By: Danielle McClellan

BIS amended the EAR to clarify that crew protection kits are on the Wassenaar Arrangement Munitions List (WAML) and are correctly classified on the CCL under the entry regarding “construction equipment built to military specifications.” Crew protection kits are items used as protective cabs on construction equipment to help protect crews operating in a military or otherwise hostile environment.

The phrase “crew protection kits” will be added to ECCN 0A018.a, this ECCN is used to control items listed on the WAML. BIS believes that this will further clarify that the all items listed are considered to be “construction equipment built to military specifications” and that all are controlled by that ECCN.

This amendment will not create any new export controls for crew protection kits.

More information:

Federal Register – September 5, 2008

US Announces New Export and Reexport Controls for North Korea



By: John Black

Bottom Line:

This new export licensing requirement that the United States is implementing consistent with a United Nations decision is good for a laugh. Now that North Korean Government officials can’t get I-Pods and stereos, they most certainly will end their nuclear weapons program. (OK, I am not so naïve as to think this new requirement will keep Kim Il Jung from getting an I-Pod.) Seems like the United Nations is developing a taste for useless symbolic export controls so long favored by the United States just because it’s better to do something that doesn’t help than to do nothing.

Due to the flagrant and defiant actions of North Korea over the past year relating to missile testing and the detonation of a nuclear device, the United States is imposing new export and reexport controls on North Korea. This new rule is in accordance with UN Security Council Resolution 1718 which prohibits the direct or indirect sale of arms and other specified items to North Korea by UN Member States.


Wassenaar Arrangement Implementation Roundup



By: Scott Gearity

On July 15, the Bureau of Industry and Security published a massive final rule implementing the decisions made at the December 2004 plenary meeting of the Wassenaar Arrangement. Other Wassenaar participants have already taken similar steps to codify the group’s changes at a national level or will do so in the near future. In addition to the Wassenaar-conforming revisions to Commerce Control List Categories 1-9, BIS also took this opportunity to add or expand some unilateral US controls.