80 FR 28853 - Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items
DEPARTMENT OF COMMERCE
Bureau of Industry and Security Federal Register Volume 80, Issue 97 (May 20, 2015)
Bureau of Industry and Security
Federal Register Volume 80, Issue 97 (May 20, 2015)
| Page Range | 28853-28863 | |
| FR Document | 2015-11642 |
[Federal Register Volume 80, Number 97 (Wednesday, May 20, 2015)] [Proposed Rules] [Pages 28853-28863] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2015-11642] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE Bureau of Industry and Security 15 CFR Parts 740, 742, 748, 772, 774 [Docket No. 150304218-5218-01] RIN 0694-AG49 Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items AGENCY: Bureau of Industry and Security, Commerce. ACTION: Proposed rule, with request for comments. ----------------------------------------------------------------------- SUMMARY: The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their ``information security'' functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of ``intrusion software'' to the definition section of the EAR pursuant to the WA 2013 agreements. DATES: Submit comments on or before July 20, 2015. ADDRESSES: Comments on this rule may be submitted to the Federal rulemaking [[Page 28854]] portal (www.regulations.gov). The regulations.gov ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to [email protected] or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments. FOR FURTHER INFORMATION CONTACT: Catherine Wheeler, Director, Information Technology Control Division, Phone: (202) 482-0707 or by email at [email protected]. SUPPLEMENTARY INFORMATION: Background The Wassenaar Arrangement (WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a group of 41 like-minded states committed to promoting responsibility and transparency in the global arms trade, and preventing destabilizing accumulations of arms. As a Participating State, the United States has committed to controlling for export all items on the WA control lists. The lists were first established in 1996 and have been revised annually thereafter. Proposals for changes to the WA control lists that achieve consensus are approved by Participating States at annual December Plenary meetings. Participating States are charged with implementing the agreed list changes as soon as possible after approval. Implementation of WA list changes ensures U.S. companies have a level playing field with their competitors in other WA member states. In 2013, WA agreed to add the following to their list of dual-use goods: systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. BIS, the Departments of Defense and State, as well as other agencies have been discussing the best way to add these items, which we have named ``cybersecurity items,'' to the Commerce Control List (CCL) (Supplement No. 1 to part 774 of the Export Administration Regulations) without reducing encryption controls and while balancing the national security and foreign policy. For resource planning purposes, as well as license requirements, license exceptions, license submission requirements, and internal license reviews and processing planning purposes, this rule is published as a proposed rule. Scope of the New Entries Systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices. Certain penetration testing products are currently classified as encryption items due to their cryptographic and/or cryptanalytic functionality. Technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices. The new entry on the CCL that would control Internet Protocol (IP) network communications surveillance systems or equipment is restricted to products that perform all of the functions listed; however, the Export Administration Regulations (EAR) also prohibits the export of equipment if the exporter intends it will be combined with other equipment to comprise a system described in the new entry. Addition of ECCNs 4A005 and 4D004 to the Commerce Control List This rule proposes to add Export Control Classification Number (ECCN) 4A005 (``systems,'' ``equipment,'' or ``components'' therefor, ``specially designed'' for the generation, operation or delivery of, or communication with, ``intrusion software'') and ECCN 4D004 (``software'' ``specially designed'' for the generation, operation or delivery of, or communication with, ``intrusion software'') to the CCL. These ECCNs are proposed to be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT) reasons to all destinations, except Canada. No license exceptions would be available for these items, except certain provisions of License Exception GOV, e.g., exports to or on behalf of the United States Government pursuant to Sec. 740.11(b) of the EAR. This rule also proposes adding a License Requirement Note and a Note in the Related Controls paragraph for these ECCNs, to alert exporters to include all relevant information when submitting classification requests and licensing applications. ECCN 4D001 This rule also proposes to amend ECCN 4D001 by adding ECCN 4A005 to Items paragraph 4D001.a in order to add control of ``software'' ``specially designed'' or modified for the ``development'' or ``production,'' of equipment controlled by 4A005; adding an RS:1 license requirement paragraph for 4D001.a (as it applies to 4A005 or 4D004), removing License Exceptions TSR and STA eligibility; and adding the same explanatory License Requirement Note and Related Controls Note that would be added to ECCNs 4A005 and 4D004. As a technical correction, this rule proposes to remove from the ``Reason for control'' paragraph ``NP,'' and from the License Requirement section the two sentences, ``NP applies, unless a license exception is available. See Sec. 742.3(b) of the EAR for information on applicable licensing review policies.'' That text does not articulate any license requirement, and no nuclear non-proliferation license requirement for software classified as 4D001 is set forth elsewhere in the EAR. BIS's regular practice is to impose a license requirement for nuclear non-proliferation reasons on items that are specified on the ``List of Nuclear-Related Dual-Use Equipment, Materials, Software, and Related Technology'' by the Nuclear Suppliers Group. ECCN 4D001 software is not so specified. ECCN 4E001 This rule also proposes to amend ECCN 4E001 by adding a new Items paragraph 4E001.c to control ``technology'' ``required'' for the ``development'' of ``intrusion software.'' ECCN 4E001.a controls ````technology'' according to the General Technology Note, for the ``development,'' ``production,'' or ``use'' of equipment or ``software'' controlled by 4A (except 4A980 or 4A994) or 4D (except 4D980, 4D993 or 4D994).'' Therefore, ECCN 4E001.a would control ``technology'' for the newly added 4A005 and 4D004, as well as 4D001.a (for 4A005 and 4D004). This rule also proposes to add an RS:1 license requirement paragraph for 4E001.a ``technology'' (as it applies to 4A005, 4D001.a (as it applies to 4A005 or 4D004) or 4D004) and 4E001.c, which would require a license to export, reexport, and transfer (in- country) to all destinations, except Canada. BIS also proposes to remove License Exception Technology and Software Under [[Page 28855]] Restriction (TSR) and Strategic Trade Authorization (STA) eligibility and add the same explanatory License Requirement Note and Related Controls Note added to ECCNs 4A005, 4D001 and 4D004. Also, a reference to Sec. 772.1 is proposed to be added to ECCNs 4A005, 4D001 and 4E001 to point to the location of the ``intrusion software'' definition, as this rule may be of interest to many new exporters that would not otherwise know that double quoted terms in the EAR are defined in Sec. 772.1. Lastly, the same technical correction regarding the Nuclear Non- proliferation (NP) control is proposed for 4E001 as is proposed for 4D001, see explanation above. ECCN 5A001.j: Internet Protocol (IP) Network Communications Surveillance Systems or Equipment and Test, Inspection, Production Equipment, Specially Designed Components Therefor Network communication traffic analysis systems are becoming an increasingly sensitive issue, which is why WA agreed to add the control of these items to the WA dual-use list. These systems are using the process of intercepting and analyzing messages to produce personal, human and social information from the communications traffic. BIS proposes to add these items in paragraph 5A001.j and group them with cybersecurity items. The license requirements for these items are proposed to under NS Column 1, RS Column 1 and AT Column 1 on the Commerce Country Chart (Supplement No. 1 to part 738 of the EAR) and would require a license for export, reexport, and transfer (in-country) to all destinations, except Canada. Only certain provisions of License Exception GOV, e.g., exports to or on behalf of the United States Government pursuant to Sec. 740.11(b) of the EAR, would be available for these items. The same addition of a License Requirement Note and Related Control Note is proposed for ECCNs 5A001, 5D001, and 5E001 as is proposed for ECCNs 4A005, 4D001, 4D004 and 4E001 (see explanation under 4A005 and 4D005 above). Sec. 740.13--License Exception TSU BIS proposes to remove cybersecurity software from the mass market provision of License Exception TSU eligibility by adding a new paragraph (d)(2)(ii). This is consistent with the existing encryption exclusion. Cybersecurity Items That Are Designed or Modified To Use ``Cryptography'' or Cryptanalysis As previously introduced and explained in the preamble, this rule proposes to add a Related Control note to ECCNs 4A005, 4D004, 4E001, 5A001, 5A002, 5D002 and 5E002 that states that cybersecurity items are classified in cybersecurity ECCNs, even if the items are designed or modified to use ``cryptography'' or cryptanalysis; however, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD. This note is added so that people will not be confused under which ECCN to classify their products and when a cybersecurity item is designed or modified to use ``cryptography'' or cryptanalysis, after the relevant Encryption Items (EI) requirements for registration and review have been separately satisfied. One effect this will have is that these cybersecurity items will not be eligible for License Exception ENC. However, BIS anticipates licensing broad authorizations to certain types of end users and destinations that will counterbalance the loss of the use of License Exception ENC. Information To Be Submitted With a License Application To Export, Reexport, or Transfer (In-Country) Cybersecurity Items In addition to the general information required by Sec. 748.3(b) of the EAR and the requirement that all encryption registration and review provisions must be separately satisfied with BIS and the ENC Encryption Request Coordinator, Ft. Meade, MD, this rule proposes to add a requirement to submit specific technical information in support of applications to export, reexport, or transfer (in-country) cybersecurity items. The specified technical information is set forth in newly added paragraph (z) of Supplement No. 2 to part 748 ``Unique application and submission requirements.'' The Commodity Classification Application Tracking System (CCATS) number(s) or license number(s) for the cyber security item(s) must be included in the license application. If no classification or license application has been done for the cybersecurity item, then the answers to three (3) questions are to be submitted in a letter of explanation. Also, this rule proposes that upon request from BIS, the applicant must include a copy of the sections of source code and other software (e.g., libraries and header files) that implement or invoke the controlled cybersecurity functionality. License Review Policy for Cybersecurity Items The license review policies for cybersecurity items controlled under NS and AT will not be revised. A new license review policy for cybersecurity items is proposed under Sec. 742.6(b) for regional stability. Cybersecurity items controlled for RS are proposed to be reviewed favorably if destined to a U.S. company or subsidiary not located in Country Group D:1 or E:1, foreign commercial partners located in Country Group A:5, government end users in Australia, Canada, New Zealand or the United Kingdom, and on a case-by-case basis to determine whether the transaction is contrary to the national security or foreign policy interests of the United States, including the foreign policy interest of promoting the observance of human rights throughout the world. Note that there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities. The governments of Australia, Canada, New Zealand or the United Kingdom have partnered with the United States on cybersecurity policy and issues, which affords these countries with favorable treatment for license applications. A note that describes ``foreign commercial partner'' is proposed to be added to Sec. 742.6(b). Any ``information security'' functionality incorporated in the cybersecurity item will also receive a focused case-by-case review for reasons of Encryption Items (EI) control. Sec. 772.1 Definitions of Terms as Used in the EAR: Addition of Definition for ``Intrusion Software'' The WA-agreed definition for ``intrusion software'' is proposed to be added to Sec. 772.1 of the EAR. The definition also includes a Note that describes some items not included as ``intrusion software,'' e.g., hypervisors, debuggers or Software Reverse Engineering (SRE). Request for Comments BIS is seeking information about the effect of this rule and would appreciate the submission of comments, and especially answers to the following questions: [[Page 28856]] 1. How many additional license applications would your company be required to submit per year under the requirements of this proposed rule? If any, of those applications: a. How many additional applications would be for products that are currently eligible for license exceptions? b. How many additional applications would be for products that currently are classified EAR99? 2. How many deemed export, reexport or transfer (in-country) license applications would your company be required to submit per year under the requirements of this rule? 3. Would the rule have negative effects on your legitimate vulnerability research, audits, testing or screening and your company's ability to protect your own or your client's networks? If so, explain how. 4. How long would it take you to answer the questions in proposed paragraph (z) to Supplement No. 2 to part 748? Is this information you already have for your products? * The ADDRESSES section of this proposed rule includes information about how to submit comments. Rulemaking Requirements 1. Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule has been designated a ``significant regulatory action,'' under Executive Order 12866. 2. Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with a collection of information subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA), unless that collection of information displays a currently valid Office of Management and Budget (OMB) Control Number. This rule would involve one collection of information subject to the PRA. One of the collections has been approved by OMB under control number 0694- 0088, ``Multi-Purpose Application,'' and carries a burden hour estimate of 58 minutes for a manual or electronic submission. The additional information proposed to be required under Supplement No. 2 to part 748 paragraph (z) falls under the usual technical information that is submitted with applications to describe the abilities of the items on the license application. This information allows the licensing officer to verify the classification of the product and determine the effect it would have on U.S. national security and foreign policy. Send comments regarding these burden estimates or any other aspect of these collections of information, including suggestions for reducing the burden, to OMB Desk Officer, New Executive Office Building, Washington, DC 20503; and to Jasmeet Seehra, OMB Desk Officer, by email at [email protected] or by fax to (202) 395-7285; and to the Office of Administration, Bureau of Industry and Security, Department of Commerce, 1401 Constitution Ave. NW., Room 6622, Washington, DC 20230. 3. This rule does not contain policies with Federalism implications as that term is defined under Executive Order 13132. 4. The provisions of the Administrative Procedure Act (APA) (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a 30-day delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (5 U.S.C. 553(a)(1)). Nonetheless, BIS is providing the public with an opportunity to review and comment on this rule, despite its being exempted from that requirement of the APA. Because this rule is not required by the APA to undergo a period of notice and comment, the requirements of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., do not apply. Accordingly, no regulatory flexibility analysis is required, and none has been prepared. BIS is interested in the potential impacts to businesses of this rule. Because most of the items impacted by this rule have encryption capabilities, BIS believes they are already being controlled under Category 5 part 2 of the EAR. Even though most encryption items are eligible for License Exception ENC and these cybersecurity items will not be eligible for License Exception ENC, BIS anticipates issuing broad licenses for these items. The impact of this rule is unknown to BIS, therefore the implementation of the Wassenaar Arrangement agreement of 2013 with regard to cybersecurity items is issued as a proposed rule with request for comments concerning the impact of the rule. Comments should be submitted to Sharron Cook, Office of Exporter Services, Bureau of Industry and Security, Department of Commerce, 14th and Pennsylvania Ave. NW., Room 2099, Washington, DC 20230 or emailed to [email protected]. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments. List of Subjects 15 CFR Part 740 Administrative practice and procedure, Exports, Reporting and recordkeeping requirements. 15 CFR Part 742 Exports, Terrorism. 15 CFR Part 748 Administrative practice and procedure, Exports, Reporting and recordkeeping requirements. 15 CFR Part 772 Exports. 15 CFR Part 774 Exports, Reporting and recordkeeping requirements. Accordingly, parts 740, 742, 748, 772, and 774 of the Export Administration Regulations (15 CFR parts 730 through 774) are proposed to be amended as follows: PART 740 [AMENDED] 0 1. The authority citation for part 740 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014). 0 2. Section 740.2 is amended by adding paragraph (a)(19) to read as follows: Sec. 740.2 Restrictions on all License Exceptions. (a) * * * (19) The item is a cybersecurity item, i.e., those controlled by ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' for 5A001.j items), 5D001.c (``specially designed'' for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (for 5A001.j items) or 5D001.c (``specially designed'' for 5A001.j or 5B001.a items) and the export, reexport or transfer (in-country) is not authorized by Sec. 740.11(b)(2)(ii) (made by or consigned to a department or agency of the U.S. government), or [[Page 28857]] Sec. 740.11(b)(2)(iii) (made for or on behalf of a department or agency of the U.S. Government). * * * * * 0 3. Section 740.11 is amended by: 0 a. Adding paragraph (a)(2)(vi); 0 b. Removing the ``or'' from the end of paragraph (c)(3)(vi); 0 c. Removing the period from paragraph (c)(3)(vii) and adding a semicolon in its place; and 0 d. Adding paragraph (c)(3)(viii). The revisions and addition read as follows: Sec. 740.11 Governments, international organizations, international inspections under the Chemical Weapons Convention, and the International Space Station (GOV). (a) * * * (2) * * * (vi) Cybersecurity items, i.e., those controlled by ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' or modified for 5A001.j items), 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (``specially designed'' or modified for 5A001.j items) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items). * * * * * (c) * * * (3) * * * (viii) Cybersecurity items, i.e., those controlled by ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' or modified for 5A001.j items), 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (``specially designed'' or modified for 5A001.j items) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a) items). * * * * * 0 4. Section 740.13 is amended by revising the section heading and paragraph (d)(2) to read as follows: Sec. 740.13 Technology and Software--Unrestricted (TSU). * * * * * (d) * * * (2) Exclusions--(i) Encryption software. The provisions of this paragraph (d) are not available for encryption software controlled for ``EI'' reasons under ECCN 5D002 or for encryption software with symmetric key length exceeding 64-bits that qualifies as mass market encryption software under the criteria in the Cryptography Note (Note 3) of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to part 774 of the EAR). (Once such mass market encryption software has been reviewed by BIS and released from ``EI'' and ``NS'' controls pursuant to Sec. 742.15(b) of the EAR, it is controlled under ECCN 5D992.c and is thus outside the scope of License Exception TSU.) See Sec. 742.15(b) of the EAR for exports and reexports of mass market encryption products controlled under ECCN 5D992.c. (ii) Cybersecurity software. The provisions of this paragraph (d) are not available for cybersecurity ``software'' that is classified under ECCNs 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, or for ``software'' under ECCN 5D001.a or .c (``specially designed'' for ``production,'' ``development'' or ``use'' of 5A001.j equipment or systems, or providing the characteristics, functions or features of 5A001.j or 5B001.a equipment or systems). * * * * * 0 5. Section 740.17 is amended by revising paragraph (b)(3)(iii) introductory text to read as follows: Sec. 740.17 Encryption commodities, software and technology (ENC). * * * * * (b) * * * (3) * * * (iii) Encryption commodities and software not described by paragraph (b)(2) of this section, and not further controlled for NS and RS reasons under ECCNs 5A001.j, 5B001.a (``specially designed'' for 5A001.j), 5D001.a (``specially designed'' or modified for 5A001.j) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a), that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following: * * * * * 0 6. Section 740.20 is amended by adding paragraph (b)(2)(ix) to read as follows: Sec. 740.20 License Exception Strategic Trade Authorization (STA). * * * * * (b) * * * (2) * * * (ix) License Exception STA may not be used for any cybersecurity items, i.e., those controlled by ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' or modified for 5A001.j items), 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (``specially designed'' or modified for 5A001.j items) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) items). * * * * * PART 742 [AMENDED] 0 7. The authority citation for part 742 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 3201 et seq.; 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22 U.S.C. 7210; Sec. 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 12058, 43 FR 20947, 3 CFR, 1978 Comp., p. 179; E.O. 12851, 58 FR 33181, 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014); Notice of November 7, 2014, 79 FR 67035 (November 12, 2014). 0 8. Section 742.6 is amended by adding paragraph (b)(5) to read as follows: Sec. 742.6 Regional stability. * * * * * (b) * * * (5) Licensing policy for cybersecurity items. Applications for exports, reexports and transfers of cybersecurity items, i.e., those controlled by ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' or modified for 5A001.j items), 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (``specially designed'' or modified for 5A001.j items) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) items), controlled for RS will be reviewed favorably if destined to a U.S. company or subsidiary not located in Country Group D:1 or E:1, `foreign commercial [[Page 28858]] partners' located in Country Group A:5, Government end users in Australia, Canada, New Zealand or United Kingdom and on a case-by-case basis to determine whether the transaction is contrary to the national security or foreign policy interests of the United States, including the foreign policy interest of promoting the observance of human rights throughout the world, except that there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities. Any ``information security'' functionality incorporated in the cybersecurity item will also receive a focused case-by-case review for reasons of Encryption Items (EI) control. Note to paragraph (b)(5): A `foreign commercial partner' means a foreign-based non-governmental end-user that has a business need to share the proprietary information of the U.S. company and is contractually bound to the U.S. company (e.g., has an established pattern of continuing or recurring contractual relations). In addition to the information required in Sec. 748.3(c)(1), (c)(2) and paragraph (z) of Supplement No. 2 to part 748 of the EAR, you must explain in a letter of explanation how the end user meets the criteria of a `foreign commercial partner' and how the end user will safeguard the items from unauthorized transfers (in-country) and reexports. * * * * * PART 748--[AMENDED] 0 9. The authority citation for part 748 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014). 0 10. Section 748.8 is amended by adding paragraph (z) to read as follows: Sec. 748.8 Unique application and submission requirements. * * * * * (z) Cybersecurity Items. 0 11. Supplement No. 2 is amended by adding paragraph (z) to read as follows: Supplement No. 2 to Part 748--Unique Application and Submission Requirements * * * * * (z) Cybersecurity items. For license applications to export, reexport, transfer (in-country) cybersecurity items, i.e., ECCNs 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004 items), 4D004, 4E001.a (``required'' for 4A005, 4D001.a (``specially designed'' or modified for 4A005 or 4D004) or 4D004 items), 4E001.c, 5A001.j, 5B001.a (``specially designed'' for 5A001.j items), 5D001.a (``specially designed'' or modified for 5A001.j items), 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) or 5E001.a (``required'' for 5A001.j, 5B001.a, 5D001.a (``specially designed'' or modified for 5A001.j items) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a items) items) you must follow the unique application requirements set forth in this paragraph (z). If the cybersecurity item has encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, all encryption registration and review requirements must be separately completed with BIS and the ENC Encryption Request Coordinator, Ft. Meade, MD, before license applications for a cybersecurity item will be considered, see Sec. Sec. 740.17 and 742.15 of the EAR. (1) In block 9 of the application (Special Purpose) indicate the phrase ``Cybersecurity Item.'' In addition to the information required by Sec. 748.3(b) of the EAR, submit the following information in a letter of explanation: (i) Whether the cybersecurity item has encryption or other ``information security'' functionality, Encryption Registration Number (ERN) and encryption Commodity Classification Application Tracking System (CCATS) number(s); (ii) Whether the cybersecurity item has been previously classified or included in a license application submitted on or after May 20, 2015 for which all requirements of this section (including the questions set forth in paragraph (z)(1)(iii) of this section) have been satisfied. If so, then provide the Commodity Classification Automated Tracking System (CCATS) number(s) or issued license number(s). (iii) If the cybersecurity item has not been previously classified or included in a license application, then: (A) Describe the cybersecurity functions and user interfaces (e.g., Application Programming Interfaces (APIs), Command Line Interfaces (CLIs) or Graphical User Interfaces (GUIs)) that are implemented and/or supported. Explain which are for internal use private to the developer of the product, and/or which are for use by the customer or other operator. (B) Describe the cybersecurity functionality (including as related to ``intrusion software'') that is provided by third-party frameworks, platforms, tools, modules or components (if any). Identify the manufacturers of the cybersecurity items, including specific part numbers and version information as needed to describe the item. As applicable, describe whether the third-party cybersecurity software is statically or dynamically linked. (C) For items related to ``intrusion software,'' describe how rootkit or zero-day exploit functionality is precluded from the item. Otherwise, for items that incorporate or otherwise support rootkit or zero-day exploit functionality, this must be explicitly stated in the application. (2) Upon request, include a copy of the sections of source code and other software (e.g., libraries and header files) that implement or invoke the controlled cybersecurity functionality. PART 772 [AMENDED] 0 12. The authority citation for part 772 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014). 0 13. Section 772.1 is amended by adding the term ``Intrusion software'' in alphabetic order to read as follows: Sec. 772.1 Definitions of terms as used in the Export Administration Regulations (EAR). * * * * * Intrusion software. (Cat 4) ``Software'' ``specially designed'' or modified to avoid detection by `monitoring tools,' or to defeat `protective countermeasures,' of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. Notes: 1. ``Intrusion software'' does not include any of the following: a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; b. Digital Rights Management (DRM) ``software''; or c. ``Software'' designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery. 2. Network-capable devices include mobile devices and smart meters. Technical Notes: 1. `Monitoring tools': ``software'' or hardware devices, that monitor system behaviors or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls. 2. `Protective countermeasures': techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing. * * * * * PART 774 [AMENDED] 0 14. The authority citation for part 774 continues to read as follows: Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C. 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u); 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C. 1354; 15 U.S.C. 1824a; 50 U.S.C. app. 5; 22 [[Page 28859]] U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014). Supplement No. 1 to Part 774--[Amended] 0 15. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding ECCN 4A005 after ECCN 4A004 to read as follows: Supplement No. 1 to Part 774--The Commerce Control List * * * * * 4A005 ``Systems,'' ``equipment,'' or ``components'' therefor, ``specially designed'' or modified for the generation, operation or delivery of, or communication with, ``intrusion software''. License Requirements Reason for Control: NS, RS, AT Country chart (see supp. No. Control(s) 1 to part 738) NS applies to entire entry................ NS Column 1 RS applies to the entire entry............ RS Column 1 AT applies to entire entry................ AT Column 1 License Requirement Note: All license applications for 4A005 must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. List Based License Exceptions (See Part 740 for a Description of All License Exceptions) LVS: N/A GBS: N/A CIV: N/A Special Conditions for STA STA: License Exception STA may not be used to export, reexport, or transfer (in-country) commodities controlled by ECCN 4A005 to any destination. List of Items Controlled Related Controls: (1) ``Systems'', ``equipment'' and ``components'' described under ECCN 4A005 are classified under this ECCN, even if the ``systems'', ``equipment'' or ``components'' are designed or modified to use ``cryptography'' or cryptanalysis. (2) See Categories XI(b) and XIII in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120 through 130) and the U.S. Munitions List (22 CFR part 121). (3) See also ECCN 4D001.a (``development'' and ``production'' ``software''), 4D004 and 4E001.a and .c. Related Definitions: See Sec. 772.1 of this EAR for the definition of ``intrusion software.'' Items: The list of items controlled is contained in the ECCN heading. 0 16. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4D001 is amended by: 0 a. Revising the Reason for Control paragraph in the License Requirements section; 0 b. Adding an entry for ``RS'' after the entry for ``NS'' in the table in the License Requirements section; 0 c. Removing the NP note after the table in the License Requirements section and adding in its place a License Requirement Note; 0 d. Revising the TSR paragraph in the List Based License Exceptions section; 0 e. Revising the Special Conditions for STA section; 0 f. Revising the Related Controls paragraph in the List of Items Controlled section; 0 g. Revising Items paragraph a. The revisions and addition read as follows: 4D001 ``Software'' as follows (see List of Items Controlled). License Requirements Reason for Control: NS, RS, CC, AT Country chart (see supp. No. Control(s) 1 to part 738) * * * * * RS applies to 4D001.a (if ``specially RS Column 1 designed'' or modified for 4A005 or 4D004). * * * * * License Requirement Note: All license applications for 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004) must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) * * * * * TSR: Yes, except for: (1) ``software'' ``specially designed'' or modified for the ``development'' or ``production'' of commodities with an ``Adjusted Peak Performance'' (``APP'') exceeding 1.0 WT; or (2) ``software'' if ``specially designed'' or modified for the ``development'' or ``production'' of commodities or ``software'' specified by ECCNs 4A005 or 4D004. * * * * * Special Conditions for STA STA: License Exception STA may not be used to: (1) Ship or transmit ``software'' ``specially designed'' or modified for the ``development'' or ``production'' of equipment specified by ECCN 4A001.a.2 or for the ``development'' or ``production'' of ``digital computers'' having an `Adjusted Peak Performance' (`APP') exceeding 1.0 Weighted TeraFLOPS (WT) to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or (2) ship or transmit ``software'' ``specially designed'' or modified for the ``production'' or ``development'' of commodities or ``software'' specified by ECCNs 4A005 or 4D004, to any destination. List of Items Controlled Related Controls: (1) ``Software'' described under ECCN 4D001 (if ``specially designed'' or modified for 4A005 or 4D004) is classified under this ECCN, even if the ``software'' is designed or modified to use ``cryptography'' or cryptanalysis. (2) See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120 through 130) and the U.S. Munitions List (22 CFR part 121). * * * * * Items: a. ``Software'' ``specially designed'' or modified for the ``development'' or ``production'', of equipment controlled by 4A001, 4A003, 4A004, 4A005 or ``software'' controlled by 4D (except 4D980, 4D993 or 4D994). * * * * * 0 17. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4 is amended by adding ECCN 4D004 after ECCN 4D002 to read as follows: 4D004 ``Software'' ``specially designed'' or modified for the generation, operation or delivery of, or communication with, ``intrusion software''. License Requirements Reason for Control: NS, RS, AT Country chart (see supp. Control(s) No.1 to part 738) NS applies to entire entry................ NS Column 1 RS applies to entire entry................ RS Column 1 AT applies to entire entry................ AT Column 1 License Requirement Note: All license applications for 4D004 must include the information required in Supplement No. 2 to part 748 of this EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other [[Page 28860]] ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. List Based License Exceptions (See Part 740 for a Description of All License Exceptions) CIV: N/A TSR: N/A Special Conditions for STA STA: License Exception STA may not be used to export, reexport, or transfer (in-country) ``software'' controlled by ECCN 4D004 to any destination. List of Items Controlled Related Controls: (1) ``Software'' described under ECCN 4D004 is classified under this ECCN, even if the ``software'' is designed or modified to use ``cryptography'' or cryptanalysis. (2) See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120 through 130) and the U.S. Munitions List (22 CFR part 121). (3) See also ECCN 4E001.a. Related Definitions: See Sec. 772.1 of the EAR for the definition of ``intrusion software.'' Items: The list of items controlled is contained in the ECCN heading. 0 18. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 4, ECCN 4E001 is amended by: 0 a. Revising the Reasons for Control paragraph in the License Requirements section; 0 b. Adding an entry for ``RS'' after the entry for ``MT'' in the table in the License Requirements section; 0 c. Removing the NP note after the table in the License Requirements section and adding in its place a License Requirement Note; 0 d. Revising the TSR paragraph in the List Based License Exceptions section; 0 e. Revising the Special Conditions for STA section; 0 f. Revising the Related Controls and Related Definitions paragraphs in the List of Items Controlled section; 0 g. Adding paragraph c to the Items paragraph of the List of Items Controlled section. The revisions and additions read as follows: 4E001 ``Technology'' as follows (see List of Items Controlled). License Requirements Reason for Control: NS, MT, RS, CC, AT Country chart (see supp. No. Control(s) 1 to part 738) * * * * * RS applies to 4E001.a ``technology'' (if RS Column 1 ``required'' for 4A005, 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004) or 4D004) and if ``required'' for 4E001.c. * * * * * License Requirement Note: All license applications for 4E001.a ``technology'' (if ``required'' for 4A005, 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004) or 4D004) and if ``required'' for 4E001.c must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) * * * * * TSR: Yes, except for: ``technology'' for the ``development'' or ``production'' of ``commodities'' with an ``Adjusted Peak Performance'' (``APP'') exceeding 1.0 WT, ``commodities'' in 4A005 or ``software'' in 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004) or ``required'' for 4D004; or ``technology'' specified by 4E001.c. * * * * * Special Conditions for STA STA: License Exception STA may not be used to ship or transmit ``technology'' according to the General Technology Note for the ``development'' or ``production'' of any of the following equipment or ``software'': a. Equipment specified by ECCN 4A001.a.2; b. ``Digital computers'' having an `Adjusted Peak Performance' (`APP') exceeding 1.0 Weighted TeraFLOPS (WT); or .c ``software'' specified in the License Exception STA paragraph found in the License Exception section of ECCN 4D001 to any of the destinations listed in Country Group A:6 (See Supplement No. 1 to part 740 of the EAR); or to ship any ``technology'' specified by 4E001.a ``required'' for ``commodities'' in 4A005 or ``software'' in 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004), 4D004, or by 4E001.c, to any destination. List of Items Controlled Related Controls: (1) ``Technology'' described under ECCN 4E001.a (``required'' for equipment in 4A005 or ``software'' in 4D001.a (if ``specially designed'' or modified for 4A005 or 4D004) or 4D004) or 4E001.c is classified under this ECCN, even if it includes ``technology'' for the ``development'' or ``production'' of cryptographic or cryptanalytic items. (2) See also the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120 through 130) and the U.S. Munitions List (22 CFR part 121). Related Definitions: See Sec. 772.1 for the definition of ``intrusion software.'' Items:* * * c. ``Technology'' ``required'' for the ``development'' of ``intrusion software''. 0 19. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5, ECCN 5A001 is amended by: 0 a. Revising the Reason for Control paragraph in the License Requirements section; 0 b. Revising the first entry in the table in the License Requirements section; 0 c. Adding an entry for ``RS'' after the second entry in the table in the License Requirements section; 0 d. Adding a License Requirement Note after the table in the License Requirements section; 0 e. Revising the List Based License Exceptions section; 0 f. Revising the Special Conditions for STA section; 0 g. Revising the Related Controls paragraph of the List of Items Controlled section; and 0 h. Adding paragraph .j to the Items paragraph of the List of Items Controlled section. The revisions and additions read as follows: 5A001 Telecommunications systems, equipment, ``components'' and ``accessories,'' as follows (see List of Items Controlled). License Requirements Reason for Control: NS, RS, SL, AT Country chart (see supp. No. Control(s) 1 to part 738) NS applies to 5A001.a, .e, .b.5, f.3, .h NS Column 1 and .j. * * * * * RS applies to 5A001.j..................... RS Column 1 * * * * * License Requirement Note: All license applications for cybersecurity items (5A001.j) must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality [[Page 28861]] classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) LVS: N/A for 5A001.a, .b.5, .e, .f, .h, and .j; $5000 for 5A001.b.1, .b.2, .b.3, .b.6, .d, and .g; $3000 for 5A001.c. GBS: Yes, except 5A001.a, .b.5, .e, .f, .h, and .j. CIV: Yes, except 5A001.a, .b.3, .b.5, .e, .f, .h, and .j. Special Conditions for STA STA: License Exception STA may not be used to ship any commodity in 5A001.b.3, .b.5, or .h to any of the destinations listed in Country Group A:6 (See Supplement No. 1 to part 740 of the EAR), or to ship any commodity in 5A001.j to any destination. List of Items Controlled Related Controls: (1) See USML Category XI for controls on direction-finding ``equipment'' including types of ``equipment'' in ECCN 5A001.e and any other military or intelligence electronic ``equipment'' that is ``subject to the ITAR.'' (2) See USML Category XI(a)(4)(iii) for controls on electronic attack and jamming ``equipment'' defined in 5A001.f and .h that are subject to the ITAR. (3) ``Systems,'' ``equipment'' and ``components'' described under ECCN 5A001.j are classified under this ECCN even if the ``systems,'' ``equipment'' or ``components'' are designed or modified to use ``cryptography'' or cryptanalysis. (4) ECCN 5A001.j includes a note that explicitly excludes equipment designed for marketing purposes, quality of service (QoS) or quality of experience (QoE) purposes. The intent of the entry is to capture only products that are not ``specially designed'' for legitimate network operator functions. The control has very specific parameters and includes only systems or equipment that perform all five of the capabilities listed in 5A001.j below. Equipment that is not described in the new ECCN 5A001.j entry because it does not have all five capabilities required is likely to be described in ECCNs 5A002 or 5A992 if it has encryption functionality, or ECCNs 5A991 or 4A994 if it does not. However, such equipment may not be sold separately with knowledge that it will be combined with other equipment to comprise a system described in new paragraph ECCN 5A001.j. (see Sec. 764.2(h) of the EAR) (5) See also 5A101, 5A980, and 5A991. * * * * * Items: * * * j. IP network communications surveillance ``systems'' or ``equipment'', and ``specially designed'' components therefor, having all of the following: j.1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone): j.1.a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1)); j.1.b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and j.1.c. Indexing of extracted data; and j.2. Being ``specially designed'' to carry out all of the following: j.2.a. Execution of searches on the basis of `hard selectors'; and j.2.b. Mapping of the relational network of an individual or of a group of people. Note: 5A001.j does not apply to ``systems'' or ``equipment'', ``specially designed'' for any of the following: a. Marketing purpose; b. Network Quality of Service (QoS); or c. Quality of Experience (QoE). Technical Note: `Hard selectors': data or set of data, related to an individual (e.g., family name, given name, email or street address, phone number or group affiliations). 0 20. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5, ECCN 5B001 is amended by: 0 a. Revising the Reasons for Control paragraph of the License Requirements section; 0 b. Revising the table in the License Requirements section; 0 c. Adding a License Requirement Note after the table in the License Requirements section; 0 d. Revising the List Based License Exceptions section; and 0 e. Revising the Special Conditions for STA section. The revisions and addition to read as follows: 5B001 Telecommunication test, inspection and production equipment, ``components'' and ``accessories,'' as follows (See List of Items Controlled). License Requirements Reason for Control: NS, RS, AT Country chart (see supp. Control(s) No. 1 to part 738) NS applies to 5B001.a equipment, NS Column 1 ``components'' and ``accessories'' ``specially designed'' for 5A001.j. NS applies to entire entry (except 5B001.a NS Column 2 for 5A001.j). RS applies to 5B001.a equipment, RS Column 1 ``components'' and ``accessories'' ``specially designed'' for 5A001.j. AT applies to entire entry................ AT Column 1 License Requirement Note: All license applications for cybersecurity items (5B001.a equipment, ``components'' and ``accessories'' ``specially designed'' for 5A001.j) must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) LVS: $5000, except N/A for 5B001.a (for 5A001.f.1 or .j) GBS: Yes, except for 5B001.a (for 5A001.f.1 or .j) CIV: Yes, except for 5B001.a (for 5A001.f.1 or .j) Special Conditions for STA STA: License Exception STA may not be used to ship 5B001.a equipment and ``specially designed'' ``components'' or ``accessories'' therefor, ``specially designed'' for the ``development'' or ``production'' of equipment, functions or features specified by ECCN 5A001.b.3, .b.5 or .h to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR), or to ship any commodity in 5B001.a for equipment or systems specified by 5A001.f.1. or .j to any destination. * * * * * 0 21. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5, ECCN 5D001 is amended by: 0 a. Revising the Reasons for Control paragraph in the License Requirements section; 0 b. Adding an entry for ``RS'' after the entry for ``NS'' in the table in the License Requirements section; 0 c. Adding a License Requirement Note after the table in the License Requirements section; 0 d. Revising the List Based License Exceptions section; 0 e. Revising the Special Conditions for STA section; and 0 f. Revising the Related Controls paragraph in the List of Items Controlled section. The revisions and additions read as follows: 5D001 ``Software'' as follows (see List of Items Controlled). [[Page 28862]] License Requirements Reason for Control: NS, RS, SL, AT Country chart (see supp. Control(s) No. 1 to part 738) * * * * * RS applies to 5D001.a ``software'' RS Column 1 ``specially designed'' or modified for 5A001.j, and 5D001.c ``software'' ``specially designed'' or modified for 5A001.j or 5B001.a. * * * * * License Requirement Note: All license applications for cybersecurity items (5D001.a ``software'' ``specially designed'' or modified for 5A001.j, and 5D001.c ``software'' ``specially designed'' or modified for 5A001.j or 5B001.a) must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) CIV: Yes, except for ``software'' controlled by 5D001.a and ``specially designed'' or modified for the ``development'' or ``production'' of items controlled by 5A001.b.5, 5A001.f.1, 5A001.h and 5A001.j. TSR: Yes, except for exports and reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of ``software'' controlled by 5D001.a and ``specially designed'' or modified for items controlled by 5A001.b.5, 5A001.f.1, 5A001.h and 5A001.j. Special Conditions for STA STA: License Exception STA may not be used to ship or transmit 5D001.a ``software'' ``specially designed'' or modified for the ``development'' or ``production'' of equipment, functions or features, specified by ECCN 5A001.b.3, .b.5, .f.1, .h or .j; and for 5D001.b. for ``software'' ``specially designed'' or modified to support ``technology'' specified by the STA paragraph in the License Exception section of ECCN 5E001 to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); and for 5D001.c. for ``software'' ``specially designed'' or modified to provide characteristics, functions or features of equipment or systems classified under ECCNs 5A001.f.1 or .j, or 5B001.a (for 5A001.f.1 or .j)). List of Items Controlled Related Controls: (1) ``Software'' described under ECCN 5D001.a or .c (if ``specially designed'' or modified for 5A001.j) is classified under this ECCN, even if the ``software'' is designed or modified to use ``cryptography'' or cryptanalysis. (2) See also 5D980 and 5D991. * * * * * 0 22. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5, Part 1, ECCN 5E001 is amended by: 0 a. Revising the Reasons for Control paragraph in the License Requirements section; 0 b. Adding an entry for ``RS'' after the entry for ``NS'' in the table in the License Requirements section; 0 c. Adding a License Requirement Note after the table in the License Requirements section; 0 d. Revising the TSR paragraph in the List Based License Exceptions section; 0 e. Revising the Special Conditions for STA section; and 0 f. Adding paragraph (3) to the Related Control paragraph in the List of Items Controlled section. The revisions and additions read as follows: 5E001 ``Technology'' as follows (see List of Items Controlled). License Requirements Reason for Control: NS, RS, SL, AT Country chart (see supp. Control(s) No. 1 to part 738) * * * * * RS applies to 5E001.a for commodities RS Column 1 controlled under 5A001.j or ``software'' controlled under 5D001.a (if ``specially designed'' or modified for 5A001.j), and 5D001.c (if ``specially designed'' or modified for 5A001.j or 5B001.a) for RS reasons. * * * * * License Requirement Note: All license applications for cybersecurity items (5A001.j or ``software'' controlled under 5D001.a (if ``specially designed'' or modified for 5A001.j), and 5D001.c (if ``specially designed'' or modified for 5A001.j or 5B001.a)) must include the information required in Supplement No. 2 to part 748 of the EAR, paragraph (z). Also, all such cybersecurity items using or incorporating encryption or other ``information security'' functionality classified under ECCNs 5A002, 5D002, 5A992.c, 5D992.c or 5E002, must also satisfy the registration, review and reporting requirements set forth in Sec. Sec. 740.17, 742.15(b) and 748.3(d) of the EAR, including submissions to the ENC Encryption Request Coordinator, Ft. Meade, MD prior to applying for a license. * * * * * List Based License Exceptions (See Part 740 for a Description of All License Exceptions) * * * * * TSR: Yes, except: N/A for ``technology'' controlled by 5E001.a if ``required'' for the ``development'' or ``production'' of items controlled by 5A001.f.1. or .j, 5D001.a (if ``specially designed'' or modified for 5A001.f.1 or .j) or 5D001.c (if ``specially designed'' or modified for 5A001.j or 5B001.a) to any destination; or for exports or reexports to destinations outside of those countries listed in Country Group A:5 (See Supplement No. 1 to part 740 of the EAR) of ``technology'' controlled by 5E001.a for the ``development'' or ``production'' of the following: (1) Items controlled by 5A001.b.5 or 5A001.h; or (2) ``Software'' controlled by 5D001.a that is ``specially designed'' or modified for the ``development'' or ``production'' of equipment, functions or features controlled by 5A001.b.5 or 5A001.h. Special Conditions for STA STA: License Exception STA may not be used to ship or transmit ``technology'' according to the General Technology Note for the ``development'' or ``production'' of equipment, functions or features specified by 5A001.b.3, .b.5 or .h; or for ``software'' in 5D001.a that is specified in the STA paragraph in the License Exception section of ECCN 5D001 to any of the destinations listed in Country Group A:6 (See Supplement No.1 to part 740 of the EAR); or to ship any ``technology'' in 5E001.a if ``required'' for any commodity in 5A001.f.1 or .j, or if ``required'' for any ``software'' in 5D001.a or .c (``specially'' or modified designed for any commodity in 5A001.f.1 or .j or 5B001.a (``specially designed'' for 5A001.f.1 or .j)), to any destination. List of Items Controlled Related Controls: * * * (3) ``Technology'' described under ECCN 5E001.a if ``required'' for ``systems,'' ``equipment'' or ``components'' classified under 5A001.j or ``software'' classified under 5D001.a (``specially designed'' or modified for 5A001.j) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a) is classified under this ECCN even if it includes ``technology'' for the ``development'' or ``production'' of cryptographic or cryptanalytic items. * * * * * 0 23. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5 Part 2, ECCN 5A002 is amended by adding paragraph (4) to the Related Controls paragraph in the List of Items Controlled section to read as follows: [[Page 28863]] 5A002 ``Information security'' systems, equipment ``components'' therefor, as follows (see List of Items Controlled). * * * * * List of Items Controlled Related Controls: * * * (4) ``Systems,'' ``equipment'' and ``components'' described under ECCNs 4A005 or 5A001.j are classified under ECCNs 4A005 or 5A001.j, even if the ``systems,'' ``equipment'' or ``components'' are designed or modified to use ``cryptography'' or cryptanalysis. * * * * * 0 24. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5 Part 2, ECCN 5D002 is amended by adding paragraph (3) to the Related Controls paragraph in the List of Items Controlled section to read as follows: 5D002 ``Software'' as follows (see List of Items Controlled). * * * * * List of Items Controlled Related Controls: * * * (3) ``Software'' described under ECCN 4D001.a (``specially designed'' or modified for 4A005 or 4D004), 4D004, 5D001.a (``specially designed'' or modified for 5A001.j) or 5D001.c (``specially designed'' or modified for 5A001.j or 5B001.a) is classified under those ECCNs, even if the ``software'' is designed or modified to use ``cryptography'' or cryptanalysis. * * * * * 0 25. In Supplement No. 1 to Part 774 (the Commerce Control List), Category 5 Part 2, ECCN 5E002 is amended by revising the Related Controls paragraph in the List of Items Controlled section to read as follows: 5E002 ``Technology'' as follows (see List of Items Controlled). * * * * * List of Items Controlled Related Controls: (1) See also 5E992. This entry does not control ``technology'' ``required'' for the ``use'' of equipment excluded from control under the Related Controls paragraph or the Technical Notes in ECCN 5A002 or ``technology'' related to equipment excluded from control under ECCN 5A002. This ``technology'' is classified as ECCN 5E992. (2) ``Technology'' described under ECCN 4E001.a (``required'' for equipment in 4A005 or ``software'' in 4D004), 4E001.c, or 5E001.a (``required'' for 5A001.j or 5D001.a) that is designed or modified to use ``cryptography'' or cryptanalysis is classified under ECCNs 4E001.a or .c, or ECCN 5E001.a, respectively. * * * * * Dated: May 11, 2015. Kevin J. Wolf, Assistant Secretary for Export Administration. [FR Doc. 2015-11642 Filed 5-19-15; 8:45 am] BILLING CODE 3351-33-P
![Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules 28853
and/or RIN in the subject line of the Telephone: (202) 287–1692. Email: DEPARTMENT OF COMMERCE
message. Submit electronic comments residential_furnaces_and_boilers@
in Word Perfect, Microsoft Word, PDF, ee.doe.gov. Bureau of Industry and Security
or ASCII file format, and avoid the use Mr. Eric Stas, U.S. Department of
of special characters or any form on 15 CFR Parts 740, 742, 748, 772, 774
Energy, Office of the General Counsel,
encryption. [Docket No. 150304218–5218–01]
GC–33, 1000 Independence Avenue
3. Postal Mail: Ms. Brenda Edwards,
SW., Washington, DC 20585–0121. RIN 0694–AG49
U.S. Department of Energy, Building
Technologies Office, Mailstop EE–5B, Telephone: (202)-5869507. Email:
1000 Independence Avenue SW., Eric.Stas@hq.doe.gov. Wassenaar Arrangement 2013 Plenary
Washington, DC 20585–0121. If For information on how to submit or Agreements Implementation: Intrusion
possible, please submit all items on a review public comments and the docket, and Surveillance Items
compact disc (CD), in which case it is contact Ms. Brenda Edwards at (202) AGENCY: Bureau of Industry and
not necessary to include printed copies. 586–2945 or by email: Security, Commerce.
4. Hand Delivery/Courier: Ms. Brenda Brenda.Edwards@ee.doe.gov. ACTION: Proposed rule, with request for
Edwards, U.S. Department of Energy, comments.
Building Technologies Office, 950 SUPPLEMENTARY INFORMATION: DOE
L’Enfant Plaza SW., Suite 600, published a NOPR in the Federal SUMMARY: The Bureau of Industry and
Washington, DC 20024. Telephone: Register to make available and invite Security (BIS) proposes to implement
(202) 586–2945. If possible, please public comments on its analysis the agreements by the Wassenaar
submit all items on a CD, in which case regarding potential energy conservation Arrangement (WA) at the Plenary
it is not necessary to include printed standards for residential boilers. 80 FR meeting in December 2013 with regard
copies. 17222 (March 31, 2015). The document to systems, equipment or components
No telefacsimilies (faxes) will be set a deadline for the submission of specially designed for the generation,
accepted. For detailed instructions on written comments by June 1, 2015. The operation or delivery of, or
submitting comments and additional Air-Conditioning, Heating, and communication with, intrusion
information on the rulemaking process, Refrigeration Institute (AHRI) and the software; software specially designed or
see the ‘‘Public Participation’’ section of Oil Heat Manufacturers Association modified for the development or
the March 31, 2015 NOPR. 80 FR 17222. each requested an extension of the production of such systems, equipment
Docket: The docket, which includes public comment period, stating that or components; software specially
Federal Register notices, public meeting additional time is necessary to review designed for the generation, operation or
attendee lists and transcripts, the published analysis in order to delivery of, or communication with,
comments, and other supporting prepare and submit comments. After intrusion software; technology required
documents/materials, is available for careful consideration of these requests, for the development of intrusion
review at www.regulations.gov. All DOE has determined that extending the software; Internet Protocol (IP) network
documents in the docket are listed in comment period to allow additional communications surveillance systems or
the www.regulations.gov index. equipment and test, inspection,
time for interested parties to submit
However, not all documents listed in production equipment, specially
comments is appropriate based on the
the index may be publically available, designed components therefor, and
foregoing reason. DOE believes that
such as those containing information development and production software
extending the comment period by 30 and technology therefor. BIS proposes a
that is exempt from public disclosure.
A link to the docket Web page can be days will provide the public with license requirement for the export,
found at: http://www.regulations.gov/ sufficient time to submit comments reexport, or transfer (in-country) of
#!docketDetail;D=EERE-2012-BT-STD- responding to DOE’s analysis. these cybersecurity items to all
0047. This Web page contains a link to Accordingly, DOE is extending the destinations, except Canada. Although
the docket for this notice on the comment period to midnight of July 1, these cybersecurity capabilities were not
www.regulations.gov site. The 2015, and will deem any comments previously designated for export
www.regulations.gov Web page contains received (or postmarked) by that date to control, many of these items have been
simple instructions on how to access all be timely submitted. controlled for their ‘‘information
documents, including public comments, Issued in Washington, DC, on May 12, security’’ functionality, including
in the docket. See section VII, ‘‘Public 2015. encryption and cryptanalysis. This rule
Participation,’’ of the March 31, 2015 Kathleen B. Hogan,
thus continues applicable Encryption
NOPR for further information on how to Items (EI) registration and review
Deputy Assistant Secretary for Energy requirements, while setting forth
submit comments through
Efficiency and Renewable Energy.
www.regulations.gov. proposed license review policies and
[FR Doc. 2015–12219 Filed 5–19–15; 8:45 am] special submission requirements to
For further information on how to
submit a comment or review other BILLING CODE 6450–01–P address the new cybersecurity controls,
public comments and the docket, including submission of a letter of
contact Ms. Brenda Edwards at (202) explanation with regard to the technical
586–2945 or by email: capabilities of the cybersecurity items.
mstockstill on DSK4VPTVN1PROD with PROPOSALS
Brenda.Edwards@ee.doe.gov. BIS also proposes to add the
FOR FURTHER INFORMATION CONTACT: Mr. definition of ‘‘intrusion software’’ to the
John Cymbalsky, U.S. Department of definition section of the EAR pursuant
Energy, Office of Energy Efficiency and to the WA 2013 agreements.
Renewable Energy, Building DATES: Submit comments on or before
Technologies Office, EE–5B, 1000 July 20, 2015.
Independence Avenue SW., ADDRESSES: Comments on this rule may
Washington, DC 20585–0121. be submitted to the Federal rulemaking
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/1.svg)
![28856 Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules
1. How many additional license Supplement No. 2 to part 748 paragraph 14th and Pennsylvania Ave. NW., Room
applications would your company be (z) falls under the usual technical 2099, Washington, DC 20230 or emailed
required to submit per year under the information that is submitted with to publiccomments@bis.doc.gov. Please
requirements of this proposed rule? If applications to describe the abilities of refer to RIN 0694–AG49 in all comments
any, of those applications: the items on the license application. and in the subject line of email
a. How many additional applications This information allows the licensing comments.
would be for products that are currently officer to verify the classification of the
eligible for license exceptions? product and determine the effect it List of Subjects
b. How many additional applications would have on U.S. national security 15 CFR Part 740
would be for products that currently are and foreign policy. Send comments Administrative practice and
classified EAR99? regarding these burden estimates or any
2. How many deemed export, reexport procedure, Exports, Reporting and
other aspect of these collections of recordkeeping requirements.
or transfer (in-country) license information, including suggestions for
applications would your company be reducing the burden, to OMB Desk 15 CFR Part 742
required to submit per year under the Officer, New Executive Office Building, Exports, Terrorism.
requirements of this rule? Washington, DC 20503; and to Jasmeet
3. Would the rule have negative Seehra, OMB Desk Officer, by email at 15 CFR Part 748
effects on your legitimate vulnerability Jasmeet_K._Seehra@omb.eop.gov or by Administrative practice and
research, audits, testing or screening fax to (202) 395–7285; and to the Office procedure, Exports, Reporting and
and your company’s ability to protect of Administration, Bureau of Industry recordkeeping requirements.
your own or your client’s networks? If and Security, Department of Commerce,
so, explain how. 1401 Constitution Ave. NW., Room 15 CFR Part 772
4. How long would it take you to 6622, Washington, DC 20230. Exports.
answer the questions in proposed 3. This rule does not contain policies
paragraph (z) to Supplement No. 2 to with Federalism implications as that 15 CFR Part 774
part 748? Is this information you already term is defined under Executive Order Exports, Reporting and recordkeeping
have for your products? 13132. requirements.
* The ADDRESSES section of this 4. The provisions of the Accordingly, parts 740, 742, 748, 772,
proposed rule includes information Administrative Procedure Act (APA) (5 and 774 of the Export Administration
about how to submit comments. U.S.C. 553) requiring notice of proposed Regulations (15 CFR parts 730 through
Rulemaking Requirements rulemaking, the opportunity for public 774) are proposed to be amended as
participation, and a 30-day delay in follows:
1. Executive Orders 13563 and 12866 effective date, are inapplicable because
direct agencies to assess all costs and this regulation involves a military and PART 740 [AMENDED]
benefits of available regulatory foreign affairs function of the United
alternatives and, if regulation is States (5 U.S.C. 553(a)(1)). Nonetheless, ■ 1. The authority citation for part 740
necessary, to select regulatory BIS is providing the public with an continues to read as follows:
approaches that maximize net benefits opportunity to review and comment on Authority: 50 U.S.C. app. 2401 et seq.; 50
(including potential economic, this rule, despite its being exempted U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.;
environmental, public health and safety from that requirement of the APA. E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp.,
effects, distributive impacts, and Because this rule is not required by the p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001
equity). Executive Order 13563 APA to undergo a period of notice and Comp., p. 783; Notice of August 7, 2014, 79
emphasizes the importance of comment, the requirements of the FR 46959 (August 11, 2014).
quantifying both costs and benefits, of Regulatory Flexibility Act, 5 U.S.C. 601 ■ 2. Section 740.2 is amended by adding
reducing costs, of harmonizing rules, et seq., do not apply. Accordingly, no paragraph (a)(19) to read as follows:
and of promoting flexibility. This rule regulatory flexibility analysis is
has been designated a ‘‘significant required, and none has been prepared. § 740.2 Restrictions on all License
regulatory action,’’ under Executive BIS is interested in the potential Exceptions.
Order 12866. impacts to businesses of this rule. (a) * * *
2. Notwithstanding any other Because most of the items impacted by (19) The item is a cybersecurity item,
provision of law, no person is required this rule have encryption capabilities, i.e., those controlled by ECCNs 4A005,
to respond to, nor shall any person be BIS believes they are already being 4D001.a (‘‘specially designed’’ or
subject to a penalty for failure to comply controlled under Category 5 part 2 of the modified for 4A005 or 4D004 items),
with a collection of information subject EAR. Even though most encryption 4D004, 4E001.a (‘‘required’’ for 4A005,
to the requirements of the Paperwork items are eligible for License Exception 4D001.a (‘‘specially designed’’ or
Reduction Act of 1995 (44 U.S.C. 3501 ENC and these cybersecurity items will modified for 4A005 or 4D004) or 4D004
et seq.) (PRA), unless that collection of not be eligible for License Exception items), 4E001.c, 5A001.j, 5B001.a
information displays a currently valid ENC, BIS anticipates issuing broad (‘‘specially designed’’ for 5A001.j
Office of Management and Budget licenses for these items. The impact of items), 5D001.a (‘‘specially designed’’
(OMB) Control Number. This rule this rule is unknown to BIS, therefore for 5A001.j items), 5D001.c (‘‘specially
would involve one collection of the implementation of the Wassenaar designed’’ for 5A001.j or 5B001.a items)
mstockstill on DSK4VPTVN1PROD with PROPOSALS
information subject to the PRA. One of Arrangement agreement of 2013 with or 5E001.a (‘‘required’’ for 5A001.j,
the collections has been approved by regard to cybersecurity items is issued 5B001.a, 5D001.a (for 5A001.j items) or
OMB under control number 0694–0088, as a proposed rule with request for 5D001.c (‘‘specially designed’’ for
‘‘Multi-Purpose Application,’’ and comments concerning the impact of the 5A001.j or 5B001.a items) and the
carries a burden hour estimate of 58 rule. Comments should be submitted to export, reexport or transfer (in-country)
minutes for a manual or electronic Sharron Cook, Office of Exporter is not authorized by § 740.11(b)(2)(ii)
submission. The additional information Services, Bureau of Industry and (made by or consigned to a department
proposed to be required under Security, Department of Commerce, or agency of the U.S. government), or
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00007 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/4.svg)
![Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules 28857
§ 740.11(b)(2)(iii) (made for or on behalf (2) Exclusions—(i) Encryption (ix) License Exception STA may not
of a department or agency of the U.S. software. The provisions of this be used for any cybersecurity items, i.e.,
Government). paragraph (d) are not available for those controlled by ECCNs 4A005,
* * * * * encryption software controlled for ‘‘EI’’ 4D001.a (‘‘specially designed’’ or
■ 3. Section 740.11 is amended by: reasons under ECCN 5D002 or for modified for 4A005 or 4D004 items),
■ a. Adding paragraph (a)(2)(vi); encryption software with symmetric key 4D004, 4E001.a (‘‘required’’ for 4A005,
■ b. Removing the ‘‘or’’ from the end of length exceeding 64-bits that qualifies as 4D001.a (‘‘specially designed’’ or
paragraph (c)(3)(vi); mass market encryption software under modified for 4A005 or 4D004 items) or
■ c. Removing the period from the criteria in the Cryptography Note 4D004 items), 4E001.c, 5A001.j, 5B001.a
paragraph (c)(3)(vii) and adding a (Note 3) of Category 5, Part 2, of the (‘‘specially designed’’ for 5A001.j
semicolon in its place; and Commerce Control List (Supplement items), 5D001.a (‘‘specially designed’’ or
■ d. Adding paragraph (c)(3)(viii). No. 1 to part 774 of the EAR). (Once modified for 5A001.j items), 5D001.c
The revisions and addition read as such mass market encryption software (‘‘specially designed’’ or modified for
follows: has been reviewed by BIS and released 5A001.j or 5B001.a items) or 5E001.a
from ‘‘EI’’ and ‘‘NS’’ controls pursuant (‘‘required’’ for 5A001.j, 5B001.a,
§ 740.11 Governments, international
organizations, international inspections
to § 742.15(b) of the EAR, it is controlled 5D001.a (‘‘specially designed’’ or
under the Chemical Weapons Convention, under ECCN 5D992.c and is thus modified for 5A001.j items) or 5D001.c
and the International Space Station (GOV). outside the scope of License Exception (‘‘specially designed’’ or modified for
(a) * * * TSU.) See § 742.15(b) of the EAR for 5A001.j or 5B001.a items) items).
(2) * * * exports and reexports of mass market * * * * *
(vi) Cybersecurity items, i.e., those encryption products controlled under
controlled by ECCNs 4A005, 4D001.a ECCN 5D992.c. PART 742 [AMENDED]
(‘‘specially designed’’ or modified for (ii) Cybersecurity software. The
provisions of this paragraph (d) are not ■ 7. The authority citation for part 742
4A005 or 4D004 items), 4D004, 4E001.a continues to read as follows:
(‘‘required’’ for 4A005, 4D001.a available for cybersecurity ‘‘software’’
that is classified under ECCNs 4D001.a Authority: 50 U.S.C. app. 2401 et seq.; 50
(‘‘specially designed’’ or modified for U.S.C. 1701 et seq.; 22 U.S.C. 3201 et seq.;
4A005 or 4D004) or 4D004 items), (‘‘specially designed’’ or modified for
4A005 or 4D004 items), 4D004, or for 42 U.S.C. 2139a; 22 U.S.C. 7201 et seq.; 22
4E001.c, 5A001.j, 5B001.a (‘‘specially U.S.C. 7210; Sec. 1503, Pub. L. 108–11, 117
designed’’ for 5A001.j items), 5D001.a ‘‘software’’ under ECCN 5D001.a or .c Stat. 559; E.O. 12058, 43 FR 20947, 3 CFR,
(‘‘specially designed’’ or modified for (‘‘specially designed’’ for ‘‘production,’’ 1978 Comp., p. 179; E.O. 12851, 58 FR 33181,
5A001.j items), 5D001.c (‘‘specially ‘‘development’’ or ‘‘use’’ of 5A001.j 3 CFR, 1993 Comp., p. 608; E.O. 12938, 59
designed’’ or modified for 5A001.j or equipment or systems, or providing the FR 59099, 3 CFR, 1994 Comp., p. 950; E.O.
5B001.a items) or 5E001.a (‘‘required’’ characteristics, functions or features of 13026, 61 FR 58767, 3 CFR, 1996 Comp., p.
5A001.j or 5B001.a equipment or 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001
for 5A001.j, 5B001.a, 5D001.a Comp., p. 783; Presidential Determination
(‘‘specially designed’’ or modified for systems).
2003–23 of May 7, 2003, 68 FR 26459, May
5A001.j items) or 5D001.c (‘‘specially * * * * * 16, 2003; Notice of August 7, 2014, 79 FR
designed’’ or modified for 5A001.j or ■ 5. Section 740.17 is amended by 46959 (August 11, 2014); Notice of November
5B001.a items). revising paragraph (b)(3)(iii) 7, 2014, 79 FR 67035 (November 12, 2014).
introductory text to read as follows:
* * * * * ■ 8. Section 742.6 is amended by adding
(c) * * * § 740.17 Encryption commodities, paragraph (b)(5) to read as follows:
(3) * * * software and technology (ENC).
(viii) Cybersecurity items, i.e., those § 742.6 Regional stability.
* * * * *
controlled by ECCNs 4A005, 4D001.a (b) * * * * * * * *
(‘‘specially designed’’ or modified for (3) * * * (b) * * *
4A005 or 4D004 items), 4D004, 4E001.a (iii) Encryption commodities and (5) Licensing policy for cybersecurity
(‘‘required’’ for 4A005, 4D001.a software not described by paragraph items. Applications for exports,
(‘‘specially designed’’ or modified for (b)(2) of this section, and not further reexports and transfers of cybersecurity
4A005 or 4D004) or 4D004 items), controlled for NS and RS reasons under items, i.e., those controlled by ECCNs
4E001.c, 5A001.j, 5B001.a (‘‘specially ECCNs 5A001.j, 5B001.a (‘‘specially 4A005, 4D001.a (‘‘specially designed’’
designed’’ for 5A001.j items), 5D001.a designed’’ for 5A001.j), 5D001.a or modified for 4A005 or 4D004 items),
(‘‘specially designed’’ or modified for (‘‘specially designed’’ or modified for 4D004, 4E001.a (‘‘required’’ for 4A005,
5A001.j items), 5D001.c (‘‘specially 5A001.j) or 5D001.c (‘‘specially 4D001.a (‘‘specially designed’’ or
designed’’ or modified for 5A001.j or designed’’ or modified for 5A001.j or modified for 4A005 or 4D004 items) or
5B001.a items) or 5E001.a (‘‘required’’ 5B001.a), that provide or perform 4D004 items), 4E001.c, 5A001.j, 5B001.a
for 5A001.j, 5B001.a, 5D001.a vulnerability analysis, network (‘‘specially designed’’ for 5A001.j
(‘‘specially designed’’ or modified for forensics, or computer forensics items), 5D001.a (‘‘specially designed’’ or
5A001.j items) or 5D001.c (‘‘specially functions characterized by any of the modified for 5A001.j items), 5D001.c
designed’’ or modified for 5A001.j or following: (‘‘specially designed’’ or modified for
5B001.a) items). 5A001.j or 5B001.a items) or 5E001.a
* * * * *
(‘‘required’’ for 5A001.j, 5B001.a,
mstockstill on DSK4VPTVN1PROD with PROPOSALS
* * * * * ■ 6. Section 740.20 is amended by
■ 4. Section 740.13 is amended by adding paragraph (b)(2)(ix) to read as 5D001.a (‘‘specially designed’’ or
revising the section heading and follows: modified for 5A001.j items) or 5D001.c
paragraph (d)(2) to read as follows: (‘‘specially designed’’ or modified for
§ 740.20 License Exception Strategic 5A001.j or 5B001.a items) items),
§ 740.13 Technology and Software— Trade Authorization (STA). controlled for RS will be reviewed
Unrestricted (TSU). * * * * * favorably if destined to a U.S. company
* * * * * (b) * * * or subsidiary not located in Country
(d) * * * (2) * * * Group D:1 or E:1, ‘foreign commercial
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00008 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/5.svg)
![28858 Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules
partners’ located in Country Group A:5, 5B001.a (‘‘specially designed’’ for 5A001.j PART 772 [AMENDED]
Government end users in Australia, items), 5D001.a (‘‘specially designed’’ or
Canada, New Zealand or United modified for 5A001.j items), 5D001.c ■ 12. The authority citation for part 772
(‘‘specially designed’’ or modified for 5A001.j continues to read as follows:
Kingdom and on a case-by-case basis to or 5B001.a items) or 5E001.a (‘‘required’’ for
determine whether the transaction is 5A001.j, 5B001.a, 5D001.a (‘‘specially Authority: 50 U.S.C. app. 2401 et seq.; 50
contrary to the national security or designed’’ or modified for 5A001.j items) or U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025,
foreign policy interests of the United 5D001.c (‘‘specially designed’’ or modified 3 CFR, 2001 Comp., p. 783; Notice of August
States, including the foreign policy for 5A001.j or 5B001.a items) items) you 7, 2014, 79 FR 46959 (August 11, 2014).
interest of promoting the observance of must follow the unique application ■ 13. Section 772.1 is amended by
human rights throughout the world, requirements set forth in this paragraph (z). adding the term ‘‘Intrusion software’’ in
If the cybersecurity item has encryption or
except that there is a policy of alphabetic order to read as follows:
other ‘‘information security’’ functionality
presumptive denial for items that have classified under ECCNs 5A002, 5D002,
or support rootkit or zero-day exploit § 772.1 Definitions of terms as used in the
5A992.c, 5D992.c or 5E002, all encryption Export Administration Regulations (EAR).
capabilities. Any ‘‘information security’’ registration and review requirements must be
functionality incorporated in the separately completed with BIS and the ENC * * * * *
cybersecurity item will also receive a Encryption Request Coordinator, Ft. Meade, Intrusion software. (Cat 4) ‘‘Software’’
focused case-by-case review for reasons MD, before license applications for a ‘‘specially designed’’ or modified to
of Encryption Items (EI) control. cybersecurity item will be considered, see avoid detection by ‘monitoring tools,’ or
§§ 740.17 and 742.15 of the EAR. to defeat ‘protective countermeasures,’
Note to paragraph (b)(5): A ‘foreign
(1) In block 9 of the application (Special
commercial partner’ means a foreign- of a computer or network-capable
Purpose) indicate the phrase ‘‘Cybersecurity
based non-governmental end-user that Item.’’ In addition to the information device, and performing any of the
has a business need to share the required by § 748.3(b) of the EAR, submit the following:
proprietary information of the U.S. following information in a letter of (a) The extraction of data or
company and is contractually bound to explanation: information, from a computer or
the U.S. company (e.g., has an (i) Whether the cybersecurity item has network-capable device, or the
established pattern of continuing or encryption or other ‘‘information security’’ modification of system or user data; or
functionality, Encryption Registration (b) The modification of the standard
recurring contractual relations). In Number (ERN) and encryption Commodity
addition to the information required in Classification Application Tracking System execution path of a program or process
§ 748.3(c)(1), (c)(2) and paragraph (z) of (CCATS) number(s); in order to allow the execution of
Supplement No. 2 to part 748 of the (ii) Whether the cybersecurity item has externally provided instructions.
EAR, you must explain in a letter of been previously classified or included in a Notes: 1. ‘‘Intrusion software’’ does
explanation how the end user meets the license application submitted on or after May not include any of the following:
criteria of a ‘foreign commercial partner’ 20, 2015 for which all requirements of this a. Hypervisors, debuggers or Software
section (including the questions set forth in Reverse Engineering (SRE) tools;
and how the end user will safeguard the
paragraph (z)(1)(iii) of this section) have been
items from unauthorized transfers (in- b. Digital Rights Management (DRM)
satisfied. If so, then provide the Commodity
country) and reexports. Classification Automated Tracking System ‘‘software’’; or
* * * * * (CCATS) number(s) or issued license c. ‘‘Software’’ designed to be installed
number(s). by manufacturers, administrators or
PART 748—[AMENDED] (iii) If the cybersecurity item has not been users, for the purposes of asset tracking
previously classified or included in a license or recovery.
■ 9. The authority citation for part 748 application, then: 2. Network-capable devices include
continues to read as follows: (A) Describe the cybersecurity functions mobile devices and smart meters.
Authority: 50 U.S.C. app. 2401 et seq.; 50 and user interfaces (e.g., Application
Technical Notes: 1. ‘Monitoring tools’:
U.S.C. 1701 et seq.; E.O. 13026, 61 FR 58767, Programming Interfaces (APIs), Command
Line Interfaces (CLIs) or Graphical User ‘‘software’’ or hardware devices, that
3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 monitor system behaviors or processes
FR 44025, 3 CFR, 2001 Comp., p. 783; Notice Interfaces (GUIs)) that are implemented and/
of August 7, 2014, 79 FR 46959 (August 11, or supported. Explain which are for internal running on a device. This includes
2014). use private to the developer of the product, antivirus (AV) products, end point
and/or which are for use by the customer or security products, Personal Security
■ 10. Section 748.8 is amended by other operator. Products (PSP), Intrusion Detection
adding paragraph (z) to read as follows: (B) Describe the cybersecurity functionality Systems (IDS), Intrusion Prevention
(including as related to ‘‘intrusion software’’)
§ 748.8 Unique application and Systems (IPS) or firewalls.
that is provided by third-party frameworks,
submission requirements. platforms, tools, modules or components (if 2. ‘Protective countermeasures’:
* * * * * any). Identify the manufacturers of the techniques designed to ensure the safe
(z) Cybersecurity Items. cybersecurity items, including specific part execution of code, such as Data
■ 11. Supplement No. 2 is amended by numbers and version information as needed Execution Prevention (DEP), Address
adding paragraph (z) to read as follows: to describe the item. As applicable, describe Space Layout Randomization (ASLR) or
whether the third-party cybersecurity sandboxing.
Supplement No. 2 to Part 748—Unique software is statically or dynamically linked.
Application and Submission (C) For items related to ‘‘intrusion
* * * * *
Requirements software,’’ describe how rootkit or zero-day
exploit functionality is precluded from the PART 774 [AMENDED]
mstockstill on DSK4VPTVN1PROD with PROPOSALS
* * * * * item. Otherwise, for items that incorporate or ■ 14. The authority citation for part 774
(z) Cybersecurity items. For license otherwise support rootkit or zero-day exploit
functionality, this must be explicitly stated in
continues to read as follows:
applications to export, reexport, transfer (in-
country) cybersecurity items, i.e., ECCNs the application. Authority: 50 U.S.C. app. 2401 et seq.; 50
4A005, 4D001.a (‘‘specially designed’’ or (2) Upon request, include a copy of the U.S.C. 1701 et seq.; 10 U.S.C. 7420; 10 U.S.C.
modified for 4A005 or 4D004 items), 4D004, sections of source code and other software 7430(e); 22 U.S.C. 287c, 22 U.S.C. 3201 et
4E001.a (‘‘required’’ for 4A005, 4D001.a (e.g., libraries and header files) that seq.; 22 U.S.C. 6004; 30 U.S.C. 185(s), 185(u);
(‘‘specially designed’’ or modified for 4A005 implement or invoke the controlled 42 U.S.C. 2139a; 42 U.S.C. 6212; 43 U.S.C.
or 4D004) or 4D004 items), 4E001.c, 5A001.j, cybersecurity functionality. 1354; 15 U.S.C. 1824a; 50 U.S.C. app. 5; 22
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00009 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/6.svg)
![Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules 28859
U.S.C. 7201 et seq.; 22 U.S.C. 7210; E.O. the U.S. Munitions List (22 CFR part 121). ‘‘development’’ or ‘‘production’’ of
13026, 61 FR 58767, 3 CFR, 1996 Comp., p. (3) See also ECCN 4D001.a (‘‘development’’ commodities with an ‘‘Adjusted Peak
228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 and ‘‘production’’ ‘‘software’’), 4D004 and Performance’’ (‘‘APP’’) exceeding 1.0 WT;
Comp., p. 783; Notice of August 7, 2014, 79 4E001.a and .c. or (2) ‘‘software’’ if ‘‘specially designed’’ or
FR 46959 (August 11, 2014). Related Definitions: See § 772.1 of this EAR modified for the ‘‘development’’ or
for the definition of ‘‘intrusion software.’’ ‘‘production’’ of commodities or
Supplement No. 1 to Part 774— Items: The list of items controlled is ‘‘software’’ specified by ECCNs 4A005 or
[Amended] contained in the ECCN heading. 4D004.
■ 15. In Supplement No. 1 to Part 774 ■ 16. In Supplement No. 1 to Part 774 * * * * *
(the Commerce Control List), Category 4 (the Commerce Control List), Category 4, Special Conditions for STA
is amended by adding ECCN 4A005 ECCN 4D001 is amended by: STA: License Exception STA may not be
after ECCN 4A004 to read as follows: ■ a. Revising the Reason for Control used to: (1) Ship or transmit ‘‘software’’
Supplement No. 1 to Part 774—The paragraph in the License Requirements ‘‘specially designed’’ or modified for the
Commerce Control List section; ‘‘development’’ or ‘‘production’’ of
■ b. Adding an entry for ‘‘RS’’ after the equipment specified by ECCN 4A001.a.2 or
* * * * * entry for ‘‘NS’’ in the table in the for the ‘‘development’’ or ‘‘production’’ of
4A005 ‘‘Systems,’’ ‘‘equipment,’’ or License Requirements section; ‘‘digital computers’’ having an ‘Adjusted
‘‘components’’ therefor, ‘‘specially ■ c. Removing the NP note after the Peak Performance’ (‘APP’) exceeding 1.0
designed’’ or modified for the table in the License Requirements Weighted TeraFLOPS (WT) to any of the
generation, operation or delivery of, or destinations listed in Country Group A:6
section and adding in its place a License (See Supplement No.1 to part 740 of the
communication with, ‘‘intrusion Requirement Note;
software’’. EAR); or (2) ship or transmit ‘‘software’’
■ d. Revising the TSR paragraph in the ‘‘specially designed’’ or modified for the
License Requirements List Based License Exceptions section; ‘‘production’’ or ‘‘development’’ of
■ e. Revising the Special Conditions for commodities or ‘‘software’’ specified by
Reason for Control: NS, RS, AT
STA section; ECCNs 4A005 or 4D004, to any destination.
Country chart ■ f. Revising the Related Controls
List of Items Controlled
Control(s) (see supp. No. 1 to paragraph in the List of Items Controlled
part 738) section; Related Controls: (1) ‘‘Software’’ described
■ g. Revising Items paragraph a. under ECCN 4D001 (if ‘‘specially
NS applies to entire NS Column 1 The revisions and addition read as designed’’ or modified for 4A005 or 4D004)
entry. is classified under this ECCN, even if the
follows: ‘‘software’’ is designed or modified to use
RS applies to the en- RS Column 1
tire entry. 4D001 ‘‘Software’’ as follows (see List of ‘‘cryptography’’ or cryptanalysis. (2) See
AT applies to entire AT Column 1 Items Controlled). also the International Traffic in Arms
entry. Regulations (ITAR) (22 CFR parts 120
License Requirements
through 130) and the U.S. Munitions List
License Requirement Note: All license Reason for Control: NS, RS, CC, AT (22 CFR part 121).
applications for 4A005 must include the
information required in Supplement No. 2 to * * * * *
Country chart Items: a. ‘‘Software’’ ‘‘specially designed’’ or
part 748 of the EAR, paragraph (z). Also, all Control(s) (see supp. No. 1 to
such cybersecurity items using or part 738) modified for the ‘‘development’’ or
incorporating encryption or other ‘‘production’’, of equipment controlled by
‘‘information security’’ functionality 4A001, 4A003, 4A004, 4A005 or
classified under ECCNs 5A002, 5D002, * * * * * ‘‘software’’ controlled by 4D (except
5A992.c, 5D992.c or 5E002, must also satisfy RS applies to RS Column 1 4D980, 4D993 or 4D994).
the registration, review and reporting 4D001.a (if ‘‘spe- * * * * *
requirements set forth in §§ 740.17, 742.15(b) cially designed’’ or ■ 17. In Supplement No. 1 to Part 774
and 748.3(d) of the EAR, including modified for 4A005 (the Commerce Control List), Category 4
submissions to the ENC Encryption Request or 4D004). is amended by adding ECCN 4D004 after
Coordinator, Ft. Meade, MD prior to applying ECCN 4D002 to read as follows:
for a license. * * * * *
4D004 ‘‘Software’’ ‘‘specially designed’’ or
List Based License Exceptions (See Part 740 License Requirement Note: All license modified for the generation, operation
for a Description of All License Exceptions) applications for 4D001.a (if ‘‘specially or delivery of, or communication with,
LVS: N/A designed’’ or modified for 4A005 or 4D004) ‘‘intrusion software’’.
GBS: N/A must include the information required in
Supplement No. 2 to part 748 of the EAR, License Requirements
CIV: N/A
paragraph (z). Also, all such cybersecurity Reason for Control: NS, RS, AT
Special Conditions for STA items using or incorporating encryption or
STA: License Exception STA may not be other ‘‘information security’’ functionality Country chart
used to export, reexport, or transfer (in- classified under ECCNs 5A002, 5D002, Control(s) (see supp. No.1 to
country) commodities controlled by ECCN 5A992.c, 5D992.c or 5E002, must also satisfy part 738)
4A005 to any destination. the registration, review and reporting
requirements set forth in §§ 740.17, 742.15(b) NS applies to entire NS Column 1
List of Items Controlled and 748.3(d) of the EAR, including entry.
Related Controls: (1) ‘‘Systems’’, submissions to the ENC Encryption Request RS applies to entire RS Column 1
mstockstill on DSK4VPTVN1PROD with PROPOSALS
‘‘equipment’’ and ‘‘components’’ described Coordinator, Ft. Meade, MD prior to applying entry.
under ECCN 4A005 are classified under for a license. AT applies to entire AT Column 1
this ECCN, even if the ‘‘systems’’, entry.
* * * * *
‘‘equipment’’ or ‘‘components’’ are License Requirement Note: All license
designed or modified to use List Based License Exceptions (See Part 740 applications for 4D004 must include the
‘‘cryptography’’ or cryptanalysis. (2) See for a Description of All License Exceptions) information required in Supplement No. 2 to
Categories XI(b) and XIII in the * * * * * part 748 of this EAR, paragraph (z). Also, all
International Traffic in Arms Regulations TSR: Yes, except for: (1) ‘‘software’’ such cybersecurity items using or
(ITAR) (22 CFR parts 120 through 130) and ‘‘specially designed’’ or modified for the incorporating encryption or other
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00010 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/7.svg)
![Federal Register / Vol. 80, No. 97 / Wednesday, May 20, 2015 / Proposed Rules 28863
5A002 ‘‘Information security’’ systems, DEPARTMENT OF HEALTH AND • Mail/Hand delivery/Courier (for
equipment ‘‘components’’ therefor, as HUMAN SERVICES paper submissions): Division of Dockets
follows (see List of Items Controlled). Management (HFA–305), Food and Drug
* * * * * Food and Drug Administration Administration, 5630 Fishers Lane, Rm.
List of Items Controlled 1061, Rockville, MD 20852.
21 CFR Part 514 Instructions: All submissions received
Related Controls: * * * (4) ‘‘Systems,’’
‘‘equipment’’ and ‘‘components’’ described [Docket No. FDA–2012–N–0447; 0910– must include the Docket No. FDA–
under ECCNs 4A005 or 5A001.j are AG45] 2012–N–0447 for this rulemaking. All
classified under ECCNs 4A005 or 5A001.j, comments received may be posted
even if the ‘‘systems,’’ ‘‘equipment’’ or Antimicrobial Animal Drug Sales and without change to http://
‘‘components’’ are designed or modified to Distribution Reporting www.regulations.gov, including any
use ‘‘cryptography’’ or cryptanalysis. personal information provided. For
* * * * * AGENCY: Food and Drug Administration,
additional information on submitting
■ 24. In Supplement No. 1 to Part 774 HHS.
comments, see the ‘‘Comments’’ heading
(the Commerce Control List), Category 5 ACTION: Proposed rule. of the SUPPLEMENTARY INFORMATION
Part 2, ECCN 5D002 is amended by section.
SUMMARY: The Animal Drug User Fee
adding paragraph (3) to the Related Docket: For access to the docket to
Amendments of 2008 (ADUFA)
Controls paragraph in the List of Items read background documents or
amended the Federal Food, Drug, and
Controlled section to read as follows: comments received, go to http://
Cosmetic Act (the FD&C Act) to require
5D002 ‘‘Software’’ as follows (see List of that sponsors of approved or www.regulations.gov and insert the
Items Controlled). conditionally approved applications for docket number, found in brackets in the
* * * * * new animal drugs containing an heading of this document, into the
antimicrobial active ingredient submit ‘‘Search’’ box and follow the prompts
List of Items Controlled
an annual report to the Food and Drug and/or go to the Division of Dockets
Related Controls: * * * (3) ‘‘Software’’ Management, 5630 Fishers Lane, Rm.
described under ECCN 4D001.a (‘‘specially Administration (FDA or Agency) on the
designed’’ or modified for 4A005 or amount of each such ingredient in the 1061, Rockville, MD 20852.
4D004), 4D004, 5D001.a (‘‘specially drug that is sold or distributed for use FOR FURTHER INFORMATION CONTACT: Neal
designed’’ or modified for 5A001.j) or in food-producing animals, and further Bataller, Center for Veterinary Medicine
5D001.c (‘‘specially designed’’ or modified requires FDA to publish annual (HFV–210), Food and Drug
for 5A001.j or 5B001.a) is classified under summary reports of the data it receives Administration, 7519 Standish Pl.,
those ECCNs, even if the ‘‘software’’ is from sponsors. At this time, FDA is Rockville, MD 20855, 240–276–9062,
designed or modified to use issuing proposed regulations for the
‘‘cryptography’’ or cryptanalysis. Neal.Bataller@fda.hhs.gov.
administrative practices and procedures
* * * * * SUPPLEMENTARY INFORMATION:
for animal drug sponsors who must
■ 25. In Supplement No. 1 to Part 774 report under this law. This proposal Executive Summary
(the Commerce Control List), Category 5 also includes an additional reporting
Part 2, ECCN 5E002 is amended by Purpose of Proposed Rule
provision intended to enhance FDA’s
revising the Related Controls paragraph understanding of antimicrobial animal Section 105 of ADUFA (ADUFA 105)
in the List of Items Controlled section to drug sales intended for use in specific amended section 512 of the FD&C Act
read as follows: food-producing animal species. (21 U.S.C. 360b) to require that sponsors
5E002 ‘‘Technology’’ as follows (see List of DATES: Submit either electronic or of approved or conditionally approved
Items Controlled). written comments on the proposed rule applications for new animal drugs
* * * * * by August 18, 2015. Submit comments containing an antimicrobial active
on information collection issues under ingredient submit an annual report to
List of Items Controlled
the Paperwork Reduction Act of 1995 FDA on the amount of each such
Related Controls: (1) See also 5E992. This ingredient in the drug that is sold or
entry does not control ‘‘technology’’
(the PRA) by June 19, 2015 (see the
‘‘Paperwork Reduction Act of 1995’’ distributed for use in food-producing
‘‘required’’ for the ‘‘use’’ of equipment animals. ADUFA 105 also requires FDA
excluded from control under the Related section of this document).
Controls paragraph or the Technical Notes ADDRESSES: You may submit comments
to publish annual summary reports of
in ECCN 5A002 or ‘‘technology’’ related to by any of the following methods, except the data it receives. In accordance with
equipment excluded from control under that comments on information the new law, sponsors of the affected
ECCN 5A002. This ‘‘technology’’ is collection issues under the PRA must be antimicrobial new animal drug products
classified as ECCN 5E992. (2)
submitted to the Office of Information began submitting their sales and
‘‘Technology’’ described under ECCN distribution data to FDA on an annual
4E001.a (‘‘required’’ for equipment in and Regulatory Affairs, Office of
Management and Budget (OMB) (see the basis, and FDA published summaries of
4A005 or ‘‘software’’ in 4D004), 4E001.c, or such data for each calendar year
5E001.a (‘‘required’’ for 5A001.j or ‘‘Paperwork Reduction Act of 1995’’
section). beginning with 2009. The purpose of
5D001.a) that is designed or modified to
use ‘‘cryptography’’ or cryptanalysis is
this rulemaking is to amend the
classified under ECCNs 4E001.a or .c, or Electronic Submissions Agency’s existing records and reports
regulation in part 514 (21 CFR part 514)
mstockstill on DSK4VPTVN1PROD with PROPOSALS
ECCN 5E001.a, respectively. Submit electronic comments in the
* * * * * following way: to incorporate the sales and distribution
• Federal eRulemaking Portal: http:// data reporting requirements specific to
Dated: May 11, 2015. antimicrobial new animal drugs that
www.regulations.gov. Follow the
Kevin J. Wolf, instructions for submitting comments. were added to the FD&C Act by ADUFA
Assistant Secretary for Export 105. This proposal also includes an
Administration. Written Submissions additional reporting provision intended
[FR Doc. 2015–11642 Filed 5–19–15; 8:45 am] Submit written submissions in the to further enhance FDA’s understanding
BILLING CODE 3351–33–P following way: of antimicrobial animal drug sales
VerDate Sep<11>2014 17:24 May 19, 2015 Jkt 235001 PO 00000 Frm 00014 Fmt 4702 Sfmt 4702 E:\FR\FM\20MYP1.SGM 20MYP1](https://thefederalregister.org/doc/80_FR_28950/page/11.svg)
Document Created: 2018-02-21 10:29:31
Document Modified: 2018-02-21 10:29:31
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Proposed rule, with request for comments. | |
| Dates | Submit comments on or before July 20, 2015. | |
| Contact | Catherine Wheeler, Director, Information Technology Control Division, Phone: (202) 482-0707 or by email at [email protected] | |
| FR Citation | 80 FR 28853 | |
| RIN Number | 0694-AG49 | |
| CFR Citation | 15
CFR
740 15 CFR 742 15 CFR 748 15 CFR 772 15 CFR 774 | |
| CFR Associated | Administrative Practice and Procedure; Exports; Reporting and Recordkeeping Requirements and Terrorism |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR