Voglio sapere a riguardo di…

Federal Register / Vol. 86, No. 58 / Monday, March 29, 2021 / Rules and Regulations 2. For the purpose of 3E002.c, fixed-point refers to a fixed-width real number with both an integer component and a fractional component, and which does not include integer-only formats.

28. In supplement no. 1 to part 774, Category 5 Part 2 is amended by revising the Nota Bene to Note 3 Cryptography Note to read as follows:

Category 5Telecommunications and Information Security Part 2Information Security

Note 3:
N.B. to Note 3 Cryptography Note:
You must submit a classification request or self-classification report to BIS for certain mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms described by Technical note 2.b to 5A002.a or greater than 128 bits for elliptic curve algorithms, or any asymmetric algorithm described by Technical Note 2.c to 5A002.a in accordance with the requirements of 740.17b of the EAR in order to be released from the EI and NS
controls of ECCN 5A002 or 5D002. For mass market commodities and software that do not require a self-classification report pursuant to 740.17b and e3 of the EAR, such items are also released from EI and NS
controls and controlled under ECCN 5A992.c or 5D992.c.

28. In supplement no. 1 to part 774, Category 5 Part 2, ECCN 5A002 is revised to read as follows:

5A002 Information security systems, equipment and components, as follows see List of Items Controlled.
License Requirements Reason for Control: NS, AT, EI
Controls NS applies to entire entry.
AT applies to entire entry.
EI applies to entire entry.

Country Chart See Supp. No. 1 to part 738
NS Column 1
AT Column 1
Refer to 742.15 of the EAR

License Requirements Note: See 744.17 of the EAR for additional license requirements for microprocessors having a processing speed of 5 GFLOPS or more and an arithmetic logic unit with an access width of 32 bit or more, including those incorporating information security functionality, and associated software and technology for the production or development of such microprocessors.

VerDate Sep<11>2014

18:05 Mar 26, 2021

Jkt 253001

List Based License Exceptions See Part 740
for a Description of All License Exceptions LVS: Yes: $500 for components. N/A for systems and equipment.
GBS: N/A
ENC: Yes for certain EI controlled commodities, see 740.17 of the EAR for eligibility.
List of Items Controlled Related Controls: 1 ECCN 5A002.a controls components providing the means or functions necessary for information security. All such components are presumptively specially designed and controlled by 5A002.a. 2 See USML
Categories XI including XIb and XIIIb including XIIIb2 for controls on systems, equipment, and components described in 5A002.d or .e that are subject to the ITAR. 3 For satellite navigation system receiving equipment containing or employing decryption see 7A005, and for related decryption software and technology see 7D005 and 7E001. 4
Noting that items may be controlled elsewhere on the CCL, examples of items not controlled by ECCN 5A002.a.4 include the following: a An automobile where the only cryptography for data confidentiality having a described security algorithm is performed by a Category 5Part 2 Note 3
eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone equipment, as a standalone item, is not controlled by ECCN 5A002
because it is excluded by the Cryptography Note Note 3 See ECCN 5A992.c. b An exercise bike with an embedded Category 5Part 2 Note 3 eligible web browser, where the only controlled cryptography is performed by the web browser. In this case, secure web browsing supports a nonprimary function of the exercise bike but the web browser software, as a standalone item, is not controlled by ECCN
5D002 because it is excluded by the Cryptography Note Note 3 See ECCN
5D992.c. 5 After classification or selfclassification in accordance with 740.17b of the EAR, mass market encryption commodities that meet eligibility requirements are released from EI and NS controls. These commodities are designated 5A992.c.
Related Definitions: N/A
Items:
a. Designed or modified to use cryptography for data confidentiality having a described security algorithm, where that cryptographic capability is usable, has been activated, or can be activated by any means other than secure cryptographic activation, as follows:
a.1. Items having information security as a primary function;
a.2. Digital communication or networking systems, equipment or components, not specified in paragraph 5A002.a.1;
a.3. Computers, other items having information storage or processing as a primary function, and components therefor, not specified in paragraphs 5A002.a.1 or .a.2;

PO 00000

Frm 00017

Fmt 4701

Sfmt 4700

16497

N.B.: For operating systems see also 5D002.a.1 and .c.1.
a.4. Items, not specified in paragraphs 5A002.a.1 to a.3, where the cryptography for data confidentiality having a described security algorithm meets all of the following:
a.4.a. It supports a non-primary function of the item; and a.4.b. It is performed by incorporated equipment or software that would, as a standalone item, be specified by ECCNs 5A002, 5A003, 5A004, 5B002 or 5D002.
N.B. to paragraph a.4: See Related Control Paragraph 4 of this ECCN 5A002 for examples of items not controlled by 5A002.a.4.
Technical Notes:
1. For the purposes of 5A002.a, cryptography for data confidentiality means cryptography that employs digital techniques and performs any cryptographic function other than any of the following:
1.a. Authentication;
1.b. Digital signature;
1.c. Data integrity;
1.d. Non-repudiation;
1.e. Digital rights management, including the execution of copy-protected software;
1.f. Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or 1.g. Key management in support of any function described in paragraphs 1.a to 1.f of this Technical Note paragraph 1.
2. For the purposes of 5A002.a, described security algorithm means any of the following:
2.a. A symmetric algorithm employing a key length in excess of 56 bits, not including parity bits;
2.b. An asymmetric algorithm where the security of the algorithm is based on any of the following:
2.b.1. Factorization of integers in excess of 512 bits e.g., RSA;
2.b.2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits e.g., Diffie-Hellman over Z/pZ; or 2.b.3. Discrete logarithms in a group other than mentioned in paragraph 2.b.2 of this Technical Note in excess of 112 bits e.g., Diffie-Hellman over an elliptic curve; or 2.c. An asymmetric algorithm where the security of the algorithm is based on any of the following:
2.c.1. Shortest vector or closest vector problems associated with lattices e.g., NewHope, Frodo, NTRUEncrypt, Kyber, Titanium;
2.c.2. Finding isogenies between Supersingular elliptic curves e.g., Supersingular Isogeny Key Encapsulation; or 2.c.3. Decoding random codes e.g., McEliece, Niederreiter.
Technical Note: An algorithm described by Technical Note 2.c. may be referred to as being post-quantum, quantum-safe or quantum-resistant.
Note 1: Details of items must be accessible and provided upon request, in order to establish any of the following:
a. Whether the item meets the criteria of 5A002.a.1 to a.4; or
E:FRFM29MRR3.SGM

29MRR3