National Academies Press: OpenBook

Cryptography's Role in Securing the Information Society (1996)

Chapter: N - Laws, Regulations, and Documents Relevant to Cryptography

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.

N Laws, Documents, and Regulations Relevant to Cryptography

N.1 STATUTES

N.1.1 Wire and Electronic Communications Interception and Interception of Oral Communications (U.S. Code, Title 18, Chapter 119)
Sec. 2510. Definitions.

As used in this chapter:

(1) 'wire communication' means any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce and such term includes any electronic storage of such communication;

NOTE: The material presented in this appendix has been reprinted from electronic files available on the Internet and is intended for use as a general reference, and not for legal research or other work requiring authenticated primary sources.

(2) 'oral communication' means any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation, but such term does not include any electronic communication;

(3) 'State' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States;

(4) 'intercept' means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device;

(5) 'electronic, mechanical, or other device' means any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than—
(a)  any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties;
(b)  a hearing aid or similar device being used to correct subnormal hearing to not better than normal;

(6) 'person' means any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation;

(7) 'Investigative or law enforcement officer' means any officer of the United States or of a State or political subdivision thereof, who is empowered by law to conduct investigations of or to make arrests for offenses enumerated in this chapter, and any attorney authorized by law to prosecute or participate in the prosecution of such offenses;

(8) 'contents', when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication;

(9) 'Judge of competent jurisdiction' means—
(a) a judge of a United States district court or a United States court of appeals; and
(b) a judge of any court of general criminal jurisdiction of a State who is authorized by a statute of that State to enter orders authorizing interceptions of wire, oral, or electronic communications;

(10) 'communication common carrier' shall have the same meaning which is given the term 'common carrier' by section 153(h) of title 47 of the United States Code;

(11) 'aggrieved person' means a person who was a party to any intercepted wire, oral, or electronic communication or a person against whom the interception was directed;

(12) 'electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include—
(a) any wire or oral communication;
(b) any communication made through a tone-only paging device; or
(c) any communication from a tracking device (as defined in section 3117 of this title);

(13) 'user' means any person or entity who—
(a) uses an electronic communication service; and
(b) is duly authorized by the provider of such service to engage in such use;

(14) 'electronic communications system' means any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications;

(15) 'electronic communication service' means any service which provides to users thereof the ability to send or receive wire or electronic communications;

(16) 'readily accessible to the general public' means, with respect to a radio communication, that such communication is not—
(a) scrambled or encrypted;
(b) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication;
(c) carried on a subcarrier or other signal subsidiary to a radio transmission;
(d) transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication;
(e) transmitted on frequencies allocated under part 25, subpart D, E, or F of part 74, or part 94 of the Rules of the Federal Communications Commission, unless, in the case of a communication transmitted on a frequency allocated under part 74 that is not exclusively allocated to broadcast auxiliary services, the communication is a two-way voice communication by radio; or
(f) an electronic communication;

(17) 'electronic storage' means—
(a) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(b) any storage of such communication by an electronic communication service for purposes of backup protection of such communication; and

(18) 'aural transfer' means a transfer containing the human voice at any point between and including the point of origin and the point of reception.

Sec. 2511. Interception and disclosure of wire, oral, or electronic communications prohibited.

(1) Except as otherwise specifically provided in this chapter any person who—
(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;
(b) intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication when—
(i) such device is affixed to, or otherwise transmits a signal through, a wire, cable, or other like connection used in wire communication; or
(ii) such device transmits communications by radio, or interferes with the transmission of such communication; or
(iii) such person knows, or has reason to know, that such device or any component thereof has been sent through the mail or transported in interstate or foreign commerce; or
(iv) such use or endeavor to use
(A) takes place on the premises of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or
(B) obtains or is for the purpose of obtaining information relating to the operations of any business or other commercial establishment the operations of which affect interstate or foreign commerce; or
(v) such person acts in the District of Columbia, the Commonwealth of Puerto Rico, or any territory or possession of the United States; and
(A) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; or
(B) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;

shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

(2)(a)(i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.
(ii) Notwithstanding any other law, providers of wire or electronic communication service, their officers, employees, and agents, landlords, custodians, or other persons, are authorized to provide information, facilities, or technical assistance to persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, if such provider, its officers, employees, or agents, landlord, custodian, or other specified person, has been provided with—
(A) a court order directing such assistance signed by the authorizing judge, or
(B) a certification in writing by a person specified in section 2518(7) of this title or the Attorney General of the United States that no warrant or court order is required by law, that all statutory requirements have been met, and that the specified assistance is required, setting forth the period of time during which the provision of the information, facilities, or technical assistance is authorized and specifying the information, facilities, or technical assistance required. No provider of wire or electronic communication service, officer, employee, or agent thereof, or landlord, custodian, or other specified person shall disclose the existence of any interception or surveillance or the device used to accomplish the interception or surveillance with respect to which the person has been furnished a court order or certification under this chapter, except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate. Any such disclosure, shall render such person liable for the civil damages provided for in section 2520. No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, or agents, landlord, custodian, or other specified person for providing information, facilities, or assistance in accordance with the terms of a court order or certification under this chapter.
(b) It shall not be unlawful under this chapter for an officer, employee, or agent of the Federal Communications Commission, in the normal course of his employment and in discharge of the monitoring responsibilities exercised by the Commission in the enforcement of chapter 5 of title 47 of the United States Code, to intercept a wire or electronic communication, or oral communication transmitted by radio, or to disclose or use the information thereby obtained.
(c) It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception.
(d) It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.
(e) Notwithstanding any other provision of this title or section 705 or 706 of the Communications Act of 1934, it shall not be unlawful for an officer, employee, or agent of the United States in the normal course of his official duty to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, as authorized by that Act.
(f) Nothing contained in this chapter or chapter 121, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire and oral communications may be conducted.
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
(ii) to intercept any radio communication which is transmitted—
(I) by any station for the use of the general public, or that relates to ships, aircraft, vehicles, or persons in distress;
(II) by any governmental, law enforcement, civil defense, private land mobile, or public safety communications system, including police and fire, readily accessible to the general public;
(III) by a station operating on an authorized frequency within the bands allocated to the amateur, citizens band, or general mobile radio services; or
(IV) by any marine or aeronautical communications system;
(iii) to engage in any conduct which—
(I) is prohibited by section 633 of the Communications Act of 1934; or
(II) is excepted from the application of section 705(a) of the Communications Act of 1934 by section 705(b) of that Act;
(iv) to intercept any wire or electronic communication the transmission of which is causing harmful interference to any lawfully operating station or consumer electronic equipment, to the extent necessary to identify the source of such interference; or
(v) for other users of the same frequency to intercept any radio communication made through a system that utilizes frequencies monitored by individuals engaged in the provision or the use of such system, if such communication is not scrambled or encrypted.
(h) It shall not be unlawful under this chapter—
(i) to use a pen register or a trap and trace device (as those terms are defined for the purposes of chapter 206 (relating to pen registers and trap and trace devices) of this title); or
(ii) for a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service.

(3)(a) Except as provided in paragraph (b) of this subsection, a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such person or entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient.
(b) A person or entity providing electronic communication service to the public may divulge the contents of any such communication—
(i) as otherwise authorized in section 2511(2)(a) or 2517 of this title;
(ii) with the lawful consent of the originator or any addressee or intended recipient of such communication;
(iii) to a person employed or authorized, or whose facilities are used, to forward such communication to its destination; or
(iv) which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.

(4)(a) Except as provided in paragraph (b) of this subsection or in subsection (5), whoever violates subsection (1) of this section shall be fined under this title or imprisoned not more than five years, or both.
(b) If the offense is a first offense under paragraph (a) of this subsection and is not for a tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain, and the wire or electronic communication with respect to which the offense under paragraph (a) is a radio communication that is not scrambled, encrypted, or transmitted using modulation techniques the essential parameters of which have been withheld from the public with the intention of preserving the privacy of such communication, then
(i) if the communication is not the radio portion of a cellular telephone communication, a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit, a public land mobile radio service communication or a paging service communication, and the conduct is not that described in subsection (5), the offender shall be fined under this title or imprisoned not more than one year, or both; and
(ii) if the communication is the radio portion of a cellular telephone communication, a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit, a public land mobile radio service communication or a paging service communication, the offender shall be fined not more than $500.
(c) Conduct otherwise an offense under this subsection that consists of or relates to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted—

(i) to a broadcasting station for purposes of retransmission to the general public; or
(ii) as an audio subcarrier intended for redistribution to facilities open to the public, but not including data transmissions or telephone calls,

is not an offense under this subsection unless the conduct is for the purposes of direct or indirect commercial advantage or private financial gain.

(5)(a)(i) If the communication is—

(A) a private satellite video communication that is not scrambled or encrypted and the conduct in violation of this chapter is the private viewing of that communication and is not for a tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain; or
(B) a radio communication that is transmitted on frequencies allocated under subpart D of part 74 of the rules of the Federal Communications Commission that is not scrambled or encrypted and the conduct in violation of this chapter is not for a tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain,

then the person who engages in such conduct shall be subject to suit by the Federal Government in a court of competent jurisdiction.
(ii)  In an action under this subsection—
(A) if the violation of this chapter is a first offense for the person under paragraph (a) of subsection (4) and such person has not been found liable in a civil action under section 2520 of this title, the Federal Government shall be entitled to appropriate injunctive relief; and
(B) if the violation of this chapter is a second or subsequent offense under paragraph (a) of subsection (4) or such person has been found liable in any prior civil action under section 2520, the person shall be subject to a mandatory $500 civil fine.
(b) The court may use any means within its authority to enforce an injunction issued under paragraph (ii)(A), and shall impose a civil fine of not less than $500 for each violation of such an injunction.

Sec. 2512. Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.

(1) Except as otherwise specifically provided in this chapter, any person who intentionally—

(a) sends through the mail, or sends or carries in interstate or foreign commerce, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications;
(b) manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or
(c)  places in any newspaper, magazine, handbill, or other publication any advertisement of—
(i)  any electronic, mechanical, or other device knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
(ii)  any other electronic, mechanical, or other device, where such advertisement promotes the use of such device for the purpose of the surreptitious interception of wire, oral, or electronic communications, knowing or having reason to know that such advertisement will be sent through the mail or transported in interstate or foreign commerce,

shall be fined not more than $10,000 or imprisoned not more than five years, or both.

(2) It shall not be unlawful under this section for—

(a)  a provider of wire or electronic communication service or an officer, agent, or employee of, or a person under contract with, such a provider, in the normal course of the business of providing that wire or electronic communication service; or
(b)  an officer, agent, or employee of, or a person under contract with, the United States, a State, or a political subdivision thereof, in the normal course of the activities of the United States, a State, or a political subdivision thereof,

to send through the mail, send or carry in interstate or foreign commerce, or manufacture, assemble, possess, or sell any electronic, mechanical, or other device knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.

Sec. 2513. Confiscation of wire, oral, or electronic communication intercepting devices.

Any electronic, mechanical, or other device used, sent, carried, manufactured, assembled, possessed, sold, or advertised in violation of section 2511 or section 2512 of this chapter may be seized and forfeited to the United States. All provisions of law relating to (1) the seizure, summary and judicial forfeiture, and condemnation of vessels, vehicles, merchandise, and baggage for violations of the customs laws contained in title 19 of the United States Code, (2) the disposition of such vessels, vehicles, merchandise, and baggage or the proceeds from the sale thereof, (3) the remission or mitigation of such forfeiture, (4) the compromise of claims, and (5) the award of compensation to informers in respect of such forfeitures, shall apply to seizures and forfeitures incurred, or alleged to have been incurred, under the provisions of this section, insofar as applicable and not inconsistent with the provisions of this section; except that such duties as are imposed upon the collector of customs or any other person with respect to the seizure and forfeiture of vessels, vehicles, merchandise, and baggage under the provisions of the customs laws contained in title 19 of the United States Code shall be performed with respect to seizure and forfeiture of electronic, mechanical, or other intercepting devices under this section by such officers, agents, or other persons as may be authorized or designated for that purpose by the Attorney General.

Sec. 2514. Repealed.
Sec. 2515. Prohibition of use as evidence of intercepted wire or oral communications.

Whenever any wire or oral communication has been intercepted, no part of the contents of such communication and no evidence derived therefrom may be received in evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof if the disclosure of that information would be in violation of this chapter.

Sec. 2516. Authorization for interception of wire, oral, or electronic communications.

(1) The Attorney General, Deputy Attorney General, Associate Attorney General,¹ or any Assistant Attorney General, any acting Assistant Attorney General, or any Deputy Assistant Attorney General or acting Deputy Assistant Attorney General in the Criminal Division specially designated by the Attorney General, may authorize an application to a Federal judge of competent jurisdiction for, and such judge may grant in conformity with section 2518 of this chapter an order authorizing or approving the interception of wire or oral communications by the Federal Bureau of Investigation, or a Federal agency having responsibility for the investigation of the offense as to which the application is made, when such interception may provide or has provided evidence of—
(a) any offense punishable by death or by imprisonment for more than one year under sections 2274 through 2277 of title 42 of the United States Code (relating to the enforcement of the Atomic Energy Act of 1954), section 2284 of title 42 of the United States Code (relating to sabotage of nuclear facilities or fuel), or under the following chapters of this title: chapter 37 (relating to espionage), chapter 105 (relating to sabotage), chapter 115 (relating to treason), chapter 102 (relating to riots), chapter 65 (relating to malicious mischief), chapter 111 (relating to destruction of vessels), or chapter 81 (relating to piracy);

1 See 1984 Amendment note below.

(b) a violation of section 186 or section 501(c) of title 29, United States Code (dealing with restrictions on payments and loans to labor organizations), or any offense which involves murder, kidnapping, robbery, or extortion, and which is punishable under this title;
(c) any offense which is punishable under the following sections of this title: section 201 (bribery of public officials and witnesses), section 215 (relating to bribery of bank officials), section 224 (bribery in sporting contests), subsection (d), (e), (f), (g), (h), or (i) of section 844 (unlawful use of explosives), section 1032 (relating to concealment of assets), section 1084 (transmission of wagering information), section 751 (relating to escape), section 1014 (relating to loans and credit applications generally; renewals and discounts), sections 1503, 1512, and 1513 (influencing or injuring an officer, juror, or witness generally), section 1510 (obstruction of criminal investigations), section 1511 (obstruction of State or local law enforcement), section 1751 (Presidential and Presidential staff assassination, kidnaping, and assault), section 1951 (interference with commerce by threats or violence), section 1952 (interstate and foreign travel or transportation in aid of racketeering enterprises), section 1958 (relating to use of interstate commerce facilities in the commission of murder for hire), section 1959 (relating to violent crimes in aid of racketeering activity), section 1954 (offer, acceptance, or solicitation to influence operations of employee benefit plan), section 1955 (prohibition of business enterprises of gambling), section 1956 (laundering of monetary instruments), section 1957 (relating to engaging in monetary transactions in property derived from specified unlawful activity), section 659 (theft from interstate shipment), section 664 (embezzlement from pension and welfare funds), section 1343 (fraud by wire, radio, or television), section 1344 (relating to bank fraud), sections 2251 and 2252 (sexual exploitation of children), sections 2312, 2313, 2314, and 2315 (interstate transportation of stolen property), section 2321 (relating to trafficking in certain motor vehicles or motor vehicle parts), section 1203 (relating to hostage taking), section 1029 (relating to fraud and related activity in connection with access devices), section 3146 (relating to penalty for failure to appear), section 3521(b)(3) (relating to witness relocation and assistance), section 32 (relating to destruction of aircraft or aircraft facilities), section 1963 (violations with respect to racketeer influenced and corrupt organizations), section 115 (relating to threatening or retaliating against a Federal official), and section 1341 (relating to mail fraud), section 351 (violations with respect to congressional, Cabinet, or Supreme Court assassinations, kidnaping, and assault), section 831 (relating to prohibited transactions involving nuclear materials), section 33 (relating to destruction of motor vehicles or motor vehicle facilities), section 175 (relating to biological weapons), or section 1992 (relating to wrecking trains);
(d) any offense involving counterfeiting punishable under section 471, 472, or 473 of this title;
(e) any offense involving fraud connected with a case under title 11 or the manufacture, importation, receiving, concealment, buying, selling, or otherwise dealing in narcotic drugs, marihuana, or other dangerous drugs, punishable under any law of the United States;
(f) any offense including extortionate credit transactions under sections 892, 893, or 894 of this title;

(g) a violation of section 5322 of title 31, United States Code (dealing with the reporting of currency transactions);
(h) any felony violation of sections 2511 and 2512 (relating to interception and disclosure of certain communications and to certain intercepting devices) of this title;
(i) any felony violation of chapter 71 (relating to obscenity) of this title;
(j) any violation of section 11(c)(2) of the Natural Gas Pipeline Safety Act of 1968 (relating to destruction of a natural gas pipeline) or subsection (i) or (n) of section 902 of the Federal Aviation Act of 1958 (relating to aircraft piracy);
(k) any criminal violation of section 2778 of title 22 (relating to the Arms Export Control Act);
(l) the location of any fugitive from justice from an offense described in this section; or [2]
(m) any felony violation of sections 922 and 924 of title 18, United States Code (relating to firearms);
(n) any violation of section 5861 of the Internal Revenue Code of 1986 (relating to firearms); and [3]
(o) any conspiracy to commit any offense described in any subparagraph of this paragraph.

(2) The principal prosecuting attorney of any State, or the principal prosecuting attorney of any political subdivision thereof, if such attorney is authorized by a statute of that State to make application to a State court judge of competent jurisdiction for an order authorizing or approving the interception of wire, oral, or electronic communications, may apply to such judge for, and such judge may grant in conformity with section 2518 of this chapter and with the applicable State statute an order authorizing, or approving the interception of wire, oral, or electronic communications by investigative or law enforcement officers having responsibility for the investigation of the offense as to which the application is made, when such interception may provide or has provided evidence of the commission of the offense of murder, kidnapping, gambling, robbery, bribery, extortion, or dealing in narcotic drugs, marihuana or other dangerous drugs, or other crime dangerous to life, limb, or property, and punishable by imprisonment for more than one year, designated in any applicable State statute authorizing such interception, or any conspiracy to commit any of the foregoing offenses.

(3) Any attorney for the Government (as such term is defined for the purposes of the Federal Rules of Criminal Procedure) may authorize an application to a Federal judge of competent jurisdiction for, and such judge may grant, in conformity with section 2518 of this title, an order authorizing or approving the interception of electronic communications by an investigative or law enforcement officer having responsibility for the investigation of the offense as to which the application is made, when such interception may provide or has provided evidence of any Federal felony.

2 So in original. The word 'or' probably should not appear.

3 So in original. Probably should be 'or'.


Sec. 2517. Authorization for disclosure and use of intercepted wire, oral, or electronic communications.

(1) Any investigative or law enforcement officer who, by any means authorized by this chapter, has obtained knowledge of the contents of any wire, oral, or electronic communication, or evidence derived therefrom, may disclose such contents to another investigative or law enforcement officer to the extent that such disclosure is appropriate to the proper performance of the official duties of the officer making or receiving the disclosure.

(2) Any investigative or law enforcement officer who, by any means authorized by this chapter, has obtained knowledge of the contents of any wire, oral, or electronic communication or evidence derived therefrom may use such contents to the extent such use is appropriate to the proper performance of his official duties.

(3) Any person who has received, by any means authorized by this chapter, any information concerning a wire, oral, or electronic communication, or evidence derived therefrom intercepted in accordance with the provisions of this chapter may disclose the contents of that communication or such derivative evidence while giving testimony under oath or affirmation in any proceeding held under the authority of the United States or of any State or political subdivision thereof.

(4) No otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character.

(5) When an investigative or law enforcement officer, while engaged in intercepting wire, oral, or electronic communications in the manner authorized herein, intercepts wire, oral, or electronic communications relating to offenses other than those specified in the order of authorization or approval, the contents thereof, and evidence derived therefrom, may be disclosed or used as provided in subsections (1) and (2) of this section. Such contents and any evidence derived therefrom may be used under subsection (3) of this section when authorized or approved by a judge of competent jurisdiction where such judge finds on subsequent application that the contents were otherwise intercepted in accordance with the provisions of this chapter. Such application shall be made as soon as practicable.

Sec. 2518. Procedure for interception of wire, oral, or electronic communications.

(1) Each application for an order authorizing or approving the interception of a wire, oral, or electronic communication under this chapter shall be made in writing upon oath or affirmation to a judge of competent jurisdiction and shall state the applicant's authority to make such application. Each application shall include the following information:
(a) the identity of the investigative or law enforcement officer making the application, and the officer authorizing the application;
(b) a full and complete statement of the facts and circumstances relied upon by the applicant, to justify his belief that an order should be issued, including (i) details as to the particular offense that has been, is being, or is about to be committed, (ii) except as provided in subsection (11), a particular description of the nature and location of the facilities from which or the place where the communication is to be intercepted, (iii) a particular description of the type of communications sought to be intercepted, (iv) the identity of the person, if known, committing the offense and whose communications are to be intercepted;
(c) a full and complete statement as to whether or not other investigative procedures have been tried and failed or why they reasonably appear to be unlikely to succeed if tried or to be too dangerous;
(d) a statement of the period of time for which the interception is required to be maintained. If the nature of the investigation is such that the authorization for interception should not automatically terminate when the described type of communication has been first obtained, a particular description of facts establishing probable cause to believe that additional communications of the same type will occur thereafter;
(e) a full and complete statement of the facts concerning all previous applications known to the individual authorizing and making the application, made to any judge for authorization to intercept, or for approval of interceptions of, wire, oral, or electronic communications involving any of the same persons, facilities or places specified in the application, and the action taken by the judge on each such application; and
(f) where the application is for the extension of an order, a statement setting forth the results thus far obtained from the interception, or a reasonable explanation of the failure to obtain such results.

(2) The judge may require the applicant to furnish additional testimony or documentary evidence in support of the application.

(3) Upon such application the judge may enter an ex parte order, as requested or as modified, authorizing or approving interception of wire, oral, or electronic communications within the territorial jurisdiction of the court in which the judge is sitting (and outside that jurisdiction but within the United States in the case of a mobile interception device authorized by a Federal court within such jurisdiction), if the judge determines on the basis of the facts submitted by the applicant that—
(a) there is probable cause for belief that an individual is committing, has committed, or is about to commit a particular offense enumerated in section 2516 of this chapter;
(b) there is probable cause for belief that particular communications concerning that offense will be obtained through such interception;

(c) normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous;
(d) except as provided in subsection (11), there is probable cause for belief that the facilities from which, or the place where, the wire, oral, or electronic communications are to be intercepted are being used, or are about to be used, in connection with the commission of such offense, or are leased to, listed in the name of, or commonly used by such person.

(4) Each order authorizing or approving the interception of any wire, oral, or electronic communication under this chapter shall specify—
(a) the identity of the person, if known, whose communications are to be intercepted;
(b) the nature and location of the communications facilities as to which, or the place where, authority to intercept is granted;
(c) a particular description of the type of communication sought to be intercepted, and a statement of the particular offense to which it relates;
(d) the identity of the agency authorized to intercept the communications, and of the person authorizing the application; and
(e) the period of time during which such interception is authorized, including a statement as to whether or not the interception shall automatically terminate when the described communication has been first obtained. An order authorizing the interception of a wire, oral, or electronic communication under this chapter shall, upon request of the applicant, direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted. Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance.

Pursuant to section 2522 of this chapter, an order may also be issued to enforce the assistance capability and capacity requirements under the Communications Assistance for Law Enforcement Act.

(5) No order entered under this section may authorize or approve the interception of any wire, oral, or electronic communication for any period longer than is necessary to achieve the objective of the authorization, nor in any event longer than thirty days. Such thirty-day period begins on the earlier of the day on which the investigative or law enforcement officer first begins to conduct an interception under the order or ten days after the order is entered. Extensions of an order may be granted, but only upon application for an extension made in accordance with subsection (1) of this section and the court making the findings required by subsection (3) of this section. The period of extension shall be no longer than the authorizing judge deems necessary to achieve the purposes for which it was granted and in no event for longer than thirty days. Every order and extension thereof shall contain a provision that the authorization to intercept shall be executed as soon as practicable, shall be conducted in such a way as to minimize the interception of communications not otherwise subject to interception under this chapter, and must terminate upon attainment of the authorized objective, or in any event in thirty days. In the event the intercepted communication is in a code or foreign language, and an expert in that foreign language or code is not reasonably available during the interception period, minimization may be accomplished as soon as practicable after such interception. An interception under this chapter may be conducted in whole or in part by Government personnel, or by an individual operating under a contract with the Government, acting under the supervision of an investigative or law enforcement officer authorized to conduct the interception.

(6) Whenever an order authorizing interception is entered pursuant to this chapter, the order may require reports to be made to the judge who issued the order showing what progress has been made toward achievement of the authorized objective and the need for continued interception. Such reports shall be made at such intervals as the judge may require.

(7) Notwithstanding any other provision of this chapter, any investigative or law enforcement officer, specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, or by the principal prosecuting attorney of any State or subdivision thereof acting pursuant to a statute of that State, who reasonably determines that—

(a) an emergency situation exists that involves—
(i) immediate danger of death or serious physical injury to any person,
(ii) conspiratorial activities threatening the national security interest, or
(iii) conspiratorial activities characteristic of organized crime, that requires a wire, oral, or electronic communication to be intercepted before an order authorizing such interception can, with due diligence, be obtained, and
(b) there are grounds upon which an order could be entered under this chapter to authorize such interception,

may intercept such wire, oral, or electronic communication if an application for an order approving the interception is made in accordance with this section within forty-eight hours after the interception has occurred, or begins to occur. In the absence of an order, such interception shall immediately terminate when the communication sought is obtained or when the application for the order is denied, whichever is earlier. In the event such application for approval is denied, or in any other case where the interception is terminated without an order having been issued, the contents of any wire, oral, or electronic communication intercepted shall be treated as having been obtained in violation of this chapter, and an inventory shall be served as provided for in subsection (d) of this section on the person named in the application.


(8)(a) The contents of any wire, oral, or electronic communication intercepted by any means authorized by this chapter shall, if possible, be recorded on tape or wire or other comparable device. The recording of the contents of any wire, oral, or electronic communication under this subsection shall be done in such a way as will protect the recording from editing or other alterations. Immediately upon the expiration of the period of the order, or extensions thereof, such recordings shall be made available to the judge issuing such order and sealed under his directions. Custody of the recordings shall be wherever the judge orders. They shall not be destroyed except upon an order of the issuing or denying judge and in any event shall be kept for ten years. Duplicate recordings may be made for use or disclosure pursuant to the provisions of subsections (1) and (2) of section 2517 of this chapter for investigations. The presence of the seal provided for by this subsection, or a satisfactory explanation for the absence thereof, shall be a prerequisite for the use or disclosure of the contents of any wire, oral, or electronic communication or evidence derived therefrom under subsection (3) of section 2517.
(b) Applications made and orders granted under this chapter shall be sealed by the judge. Custody of the applications and orders shall be wherever the judge directs. Such applications and orders shall be disclosed only upon a showing of good cause before a judge of competent jurisdiction and shall not be destroyed except on order of the issuing or denying judge, and in any event shall be kept for ten years.
(c) Any violation of the provisions of this subsection may be punished as contempt of the issuing or denying judge.
(d) Within a reasonable time but not later than ninety days after the filing of an application for an order of approval under section 2518(7)(b) which is denied or the termination of the period of an order or extensions thereof, the issuing or denying judge shall cause to be served, on the persons named in the order or the application, and such other parties to intercepted communications as the judge may determine in his discretion that is in the interest of justice, an inventory which shall include notice of—

(1) the fact of the entry of the order or the application;
(2) the date of the entry and the period of authorized, approved or disapproved interception, or the denial of the application; and
(3) the fact that during the period wire, oral, or electronic communications were or were not intercepted.

The judge, upon the filing of a motion, may in his discretion make available to such person or his counsel for inspection such portions of the intercepted communications, applications and orders as the judge determines to be in the interest of justice. On an ex parte showing of good cause to a judge of competent jurisdiction the serving of the inventory required by this subsection may be postponed.

(9) The contents of any wire, oral, or electronic communication intercepted pursuant to this chapter or evidence derived therefrom shall not be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in a Federal or State court unless each party, not less than ten days before the trial, hearing, or proceeding, has been furnished with a copy of the court order, and accompanying application, under which the interception was authorized or approved. This ten-day period may be waived by the judge if he finds that it was not possible to furnish the party with the above information ten days before the trial, hearing, or proceeding and that the party will not be prejudiced by the delay in receiving such information.

(10)(a) Any aggrieved person in any trial, hearing, or proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States, a State, or a political subdivision thereof, may move to suppress the contents of any wire or oral communication intercepted pursuant to this chapter, or evidence derived therefrom, on the grounds that—

(i) the communication was unlawfully intercepted;
(ii) the order of authorization or approval under which it was intercepted is insufficient on its face; or
(iii) the interception was not made in conformity with the order of authorization or approval.

Such motion shall be made before the trial, hearing, or proceeding unless there was no opportunity to make such motion or the person was not aware of the grounds of the motion. If the motion is granted, the contents of the intercepted wire or oral communication, or evidence derived therefrom, shall be treated as having been obtained in violation of this chapter. The judge, upon the filing of such motion by the aggrieved person, may in his discretion make available to the aggrieved person or his counsel for inspection such portions of the intercepted communication or evidence derived therefrom as the judge determines to be in the interests of justice.
(b) In addition to any other right to appeal, the United States shall have the right to appeal from an order granting a motion to suppress made under paragraph (a) of this subsection, or the denial of an application for an order of approval, if the United States attorney shall certify to the judge or other official granting such motion or denying such application that the appeal is not taken for purposes of delay. Such appeal shall be taken within thirty days after the date the order was entered and shall be diligently prosecuted.
(c) The remedies and sanctions described in this chapter with respect to the interception of electronic communications are the only judicial remedies and sanctions for nonconstitutional violations of this chapter involving such communications.

(11) The requirements of subsections (1)(b)(ii) and (3)(d) of this section relating to the specification of the facilities from which, or the place where, the communication is to be intercepted do not apply if—
(a) in the case of an application with respect to the interception of an oral communication—
(i) the application is by a Federal investigative or law enforcement officer and is approved by the Attorney General, the Deputy Attorney General, the Associate Attorney General, an Assistant Attorney General, or an acting Assistant Attorney General;
(ii) the application contains a full and complete statement as to why such specification is not practical and identifies the person committing the offense and whose communications are to be intercepted; and
(iii) the judge finds that such specification is not practical; and
(b) in the case of an application with respect to a wire or electronic communication—
(i) the application is by a Federal investigative or law enforcement officer and is approved by the Attorney General, the Deputy Attorney General, the Associate Attorney General, an Assistant Attorney General, or an acting Assistant Attorney General;
(ii) the application identifies the person believed to be committing the offense and whose communications are to be intercepted and the applicant makes a showing of a purpose, on the part of that person, to thwart interception by changing facilities; and
(iii) the judge finds that such purpose has been adequately shown.

(12) An interception of a communication under an order with respect to which the requirements of subsections (1)(b)(ii) and (3)(d) of this section do not apply by reason of subsection (11) shall not begin until the facilities from which, or the place where, the communication is to be intercepted is ascertained by the person implementing the interception order. A provider of wire or electronic communications service that has received an order as provided for in subsection (11)(b) may move the court to modify or quash the order on the ground that its assistance with respect to the interception cannot be performed in a timely or reasonable fashion. The court, upon notice to the government, shall decide such a motion expeditiously.

Sec. 2519. Reports concerning intercepted wire, oral, or electronic communications.

(1) Within thirty days after the expiration of an order (or each extension thereof) entered under section 2518, or the denial of an order approving an interception, the issuing or denying judge shall report to the Administrative Office of the United States Courts—
(a) the fact that an order or extension was applied for;
(b) the kind of order or extension applied for (including whether or not the order was an order with respect to which the requirements of sections 2518(1)(b)(ii) and 2518(3)(d) of this title did not apply by reason of section 2518(11) of this title);
(c) the fact that the order or extension was granted as applied for, was modified, or was denied;
(d) the period of interceptions authorized by the order, and the number and duration of any extensions of the order;
(e) the offense specified in the order or application, or extension of an order;

(f) the identity of the applying investigative or law enforcement officer and agency making the application and the person authorizing the application; and
(g) the nature of the facilities from which or the place where communications were to be intercepted.

(2) In January of each year the Attorney General, an Assistant Attorney General specially designated by the Attorney General, or the principal prosecuting attorney of a State, or the principal prosecuting attorney for any political subdivision of a State, shall report to the Administrative Office of the United States Courts—
(a) the information required by paragraphs (a) through (g) of subsection (1) of this section with respect to each application for an order or extension made during the preceding calendar year;
(b) a general description of the interceptions made under such order or extension, including (i) the approximate nature and frequency of incriminating communications intercepted, (ii) the approximate nature and frequency of other communications intercepted, (iii) the approximate number of persons whose communications were intercepted, and (iv) the approximate nature, amount, and cost of the manpower and other resources used in the interceptions;
(c) the number of arrests resulting from interceptions made under such order or extension, and the offenses for which arrests were made;
(d) the number of trials resulting from such interceptions;
(e) the number of motions to suppress made with respect to such interceptions, and the number granted or denied;
(f) the number of convictions resulting from such interceptions and the offenses for which the convictions were obtained and a general assessment of the importance of the interceptions; and
(g) the information required by paragraphs (b) through (f) of this subsection with respect to orders or extensions obtained in a preceding calendar year.

(3) In April of each year the Director of the Administrative Office of the United States Courts shall transmit to the Congress a full and complete report concerning the number of applications for orders authorizing or approving the interception of wire, oral, or electronic communications pursuant to this chapter and the number of orders and extensions granted or denied pursuant to this chapter during the preceding calendar year. Such report shall include a summary and analysis of the data required to be filed with the Administrative Office by subsections (1) and (2) of this section. The Director of the Administrative Office of the United States Courts is authorized to issue binding regulations dealing with the content and form of the reports required to be filed by subsections (1) and (2) of this section.

Sec. 2520. Recovery of civil damages authorized.

(a) In General.—Except as provided in section 2511(2)(a)(ii), any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity which engaged in that violation such relief as may be appropriate.

(b) Relief.—In an action under this section, appropriate relief includes—
(1) such preliminary and other equitable or declaratory relief as may be appropriate;
(2) damages under subsection (c) and punitive damages in appropriate cases; and
(3) a reasonable attorney's fee and other litigation costs reasonably incurred.

(c) Computation of Damages.—(1) In an action under this section, if the conduct in violation of this chapter is the private viewing of a private satellite video communication that is not scrambled or encrypted or if the communication is a radio communication that is transmitted on frequencies allocated under subpart D of part 74 of the rules of the Federal Communications Commission that is not scrambled or encrypted and the conduct is not for a tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain, then the court shall assess damages as follows:
(A) If the person who engaged in that conduct has not previously been enjoined under section 2511(5) and has not been found liable in a prior civil action under this section, the court shall assess the greater of the sum of actual damages suffered by the plaintiff, or statutory damages of not less than $50 and not more than $500.
(B) If, on one prior occasion, the person who engaged in that conduct has been enjoined under section 2511(5) or has been found liable in a civil action under this section, the court shall assess the greater of the sum of actual damages suffered by the plaintiff, or statutory damages of not less than $100 and not more than $1000.
(2) In any other action under this section, the court may assess as damages whichever is the greater of—
(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or
(B) statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000.

(d) Defense.—A good faith reliance on—

(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization;
(2) a request of an investigative or law enforcement officer under section 2518(7) of this title; or
(3) a good faith determination that section 2511(3) of this title permitted the conduct complained of;

is a complete defense against any civil or criminal action brought under this chapter or any other law.

(e) Limitation.—A civil action under this section may not be commenced later than two years after the date upon which the claimant first has a reasonable opportunity to discover the violation.

Sec. 2521. Injunction against illegal interception.

Whenever it shall appear that any person is engaged or is about to engage in any act which constitutes or will constitute a felony violation of this chapter, the Attorney General may initiate a civil action in a district court of the United States to enjoin such violation. The court shall proceed as soon as practicable to the hearing and determination of such an action, and may, at any time before final determination, enter such a restraining order or prohibition, or take such other action, as is warranted to prevent a continuing and substantial injury to the United States or to any person or class of persons for whose protection the action is brought. A proceeding under this section is governed by the Federal Rules of Civil Procedure, except that, if an indictment has been returned against the respondent, discovery is governed by the Federal Rules of Criminal Procedure.

Sec. 2522. Enforcement of the Communications Assistance for Law Enforcement Act.

(a) Enforcement by Court Issuing Surveillance Order.—If a court authorizing an interception under this chapter, a State statute, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or authorizing use of a pen register or a trap and trace device under chapter 206 or a State statute finds that a telecommunications carrier has failed to comply with the requirements of the Communications Assistance for Law Enforcement Act, the court may, in accordance with section 108 of such Act, direct that the carrier comply forthwith and may direct that a provider of support services to the carrier or the manufacturer of the carrier's transmission or switching equipment furnish forthwith modifications necessary for the carrier to comply.

(b) Enforcement Upon Application by Attorney General.—The Attorney General may, in a civil action in the appropriate United States district court, obtain an order, in accordance with section 108 of the Communications Assistance for Law Enforcement Act, directing that a telecommunications carrier, a manufacturer of telecommunications transmission or switching equipment, or a provider of telecommunications support services comply with such Act.

(c) Civil Penalty.—
(1) In General.—A court issuing an order under this section against a telecommunications carrier, a manufacturer of telecommunications transmission or switching equipment, or a provider of telecommunications support services may impose a civil penalty of up to $10,000 per day for each day in violation after the issuance of the order or after such future date as the court may specify.
(2) Considerations.—In determining whether to impose a civil penalty and in determining its amount, the court shall take into account—
(A) the nature, circumstances, and extent of the violation;
(B) the violator's ability to pay, the violator's good faith efforts to comply in a timely manner, any effect on the violator's ability to continue to do business, the degree of culpability, and the length of any delay in undertaking efforts to comply; and
(C) such other matters as justice may require.

(d) Definitions.—As used in this section, the terms defined in section 102 of the Communications Assistance for Law Enforcement Act have the meanings provided, respectively, in such section.

N.1.2 Foreign Intelligence Surveillance (U.S. Code, Title 50, Chapter 36)
Sec. 1801. Definitions.

As used in this chapter:

(a) 'Foreign power' means—

(1) a foreign government or any component thereof, whether or not recognized by the United States;
(2) a faction of a foreign nation or nations, not substantially composed of United States persons;
(3) an entity that is openly acknowledged by a foreign government or governments to be directed and controlled by such foreign government or governments;
(4) a group engaged in international terrorism or activities in preparation therefor;
(5) a foreign-based political organization, not substantially composed of United States persons; or
(6) an entity that is directed and controlled by a foreign government or governments.

(b) 'Agent of a foreign power' means—
(1) any person other than a United States person, who—
(A) acts in the United States as an officer or employee of a foreign power, or as a member of a foreign power as defined in subsection (a)(4) of this section;
(B) acts for or on behalf of a foreign power which engages in clandestine intelligence activities in the United States contrary to the interests of the United States, when the circumstances of such person's presence in the United States indicate that such person may engage in such activities in the United States, or when such person knowingly aids or abets any person in the conduct of such activities or knowingly conspires with any person to engage in such activities; or
(2) any person who—

(A) knowingly engages in clandestine intelligence gathering activities for or on behalf of a foreign power, which activities involve or may involve a violation of the criminal statutes of the United States;
(B) pursuant to the direction of an intelligence service or network of a foreign power, knowingly engages in any other clandestine intelligence activities for or on behalf of such foreign power, which activities involve or are about to involve a violation of the criminal statutes of the United States;
(C) knowingly engages in sabotage or international terrorism, or activities that are in preparation therefor, for or on behalf of a foreign power; or
(D) knowingly aids or abets any person in the conduct of activities described in subparagraph (A), (B), or (C) or knowingly conspires with any person to engage in activities described in subparagraph (A), (B), or (C).

(c) 'International terrorism' means activities that—
(1) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or any State;
(2) appear to be intended—
(A) to intimidate or coerce a civilian population;
(B) to influence the policy of a government by intimidation or coercion; or
(C) to affect the conduct of a government by assassination or kidnapping; and
(3) occur totally outside the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to coerce or intimidate, or the locale in which their perpetrators operate or seek asylum.

(d) 'Sabotage' means activities that involve a violation of chapter 105 of title 18, or that would involve such a violation if committed against the United States.

(e) 'Foreign intelligence information' means—
(1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against—
(A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power;
(B) sabotage or international terrorism by a foreign power or an agent of a foreign power; or
(C) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to—
(A) the national defense or the security of the United States; or
(B) the conduct of the foreign affairs of the United States.

(f) 'Electronic surveillance' means—
(1) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire or radio communication sent by or intended to be received by a particular, known United States person who is in the United States, if the contents are acquired by intentionally targeting that United States person, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes;
(2) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States;
(3) the intentional acquisition by an electronic, mechanical, or other surveillance device of the contents of any radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, and if both the sender and all intended recipients are located within the United States; or
(4) the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.

(g) 'Attorney General' means the Attorney General of the United States (or Acting Attorney General) or the Deputy Attorney General.

(h) 'Minimization procedures', with respect to electronic surveillance, means—
(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person's consent, unless such person's identity is necessary to understand foreign intelligence information or assess its importance;
(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and
(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802(a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than twenty-four hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

(i) 'United States person' means a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section 1101(a)(20) of title 8), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in subsection (a)(1), (2), or (3) of this section.

(j) 'United States', when used in a geographic sense, means all areas under the territorial sovereignty of the United States and the Trust Territory of the Pacific Islands.

(k) 'Aggrieved person' means a person who is the target of an electronic surveillance or any other person whose communications or activities were subject to electronic surveillance.

(l) 'Wire communication' means any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier in providing or operating such facilities for the transmission of interstate or foreign communications.

(m) 'Person' means any individual, including any officer or employee of the Federal Government, or any group, entity, association, corporation, or foreign power.

(n) 'Contents', when used with respect to a communication, includes any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication.

(o) 'State' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Trust Territory of the Pacific Islands, and any territory or possession of the United States.

Sec. 1802. Electronic surveillance authorization without court order; certification by Attorney General; reports to Congressional committees; transmittal under seal; duties and compensation of communication common carrier; applications; jurisdiction of court.

(a)(1) Notwithstanding any other law, the President, through the Attorney General, may authorize electronic surveillance without a court order under this chapter to acquire foreign intelligence information for periods of up to one year if the Attorney General certifies in writing under oath that—

(A) the electronic surveillance is solely directed at—
(i) the acquisition of the contents of communications transmitted by means of communications used exclusively between or among foreign powers, as defined in section 1801(a)(1), (2), or (3) of this title; or
(ii) the acquisition of technical intelligence, other than the spoken communications of individuals, from property or premises under the open and exclusive control of a foreign power, as defined in section 1801(a)(1), (2), or (3) of this title;
(B) there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party; and
(C) the proposed minimization procedures with respect to such surveillance meet the definition of minimization procedures under section 1801(h) of this title;

and if the Attorney General reports such minimization procedures and any changes thereto to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence at least thirty days prior to their effective date, unless the Attorney General determines immediate action is required and notifies the committees immediately of such minimization procedures and the reason for their becoming effective immediately.

(a)(2) An electronic surveillance authorized by this subsection may be conducted only in accordance with the Attorney General's certification and the minimization procedures adopted by him. The Attorney General shall assess compliance with such procedures and shall report such assessments to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence under the provisions of section 1808(a) of this title.
(a)(3) The Attorney General shall immediately transmit under seal to the court established under section 1803(a) of this title a copy of his certification. Such certification shall be maintained under security measures established by the Chief Justice with the concurrence of the Attorney General, in consultation with the Director of Central Intelligence, and shall remain sealed unless—
(A) an application for a court order with respect to the surveillance is made under sections 1801(h)(4) and 1804 of this title; or
(B) the certification is necessary to determine the legality of the surveillance under section 1806(f) of this title.
(a)(4) With respect to electronic surveillance authorized by this subsection, the Attorney General may direct a specified communication common carrier to—
(A) furnish all information, facilities, or technical assistance necessary to accomplish the electronic surveillance in such a manner as will protect its secrecy and produce a minimum of interference with the services that such carrier is providing its customers; and
(B) maintain under security procedures approved by the Attorney General and the Director of Central Intelligence any records concerning the surveillance or the aid furnished which such carrier wishes to retain. The Government shall compensate, at the prevailing rate, such carrier for furnishing such aid.

(b) Applications for a court order under this chapter are authorized if the President has, by written authorization, empowered the Attorney General to approve applications to the court having jurisdiction under section 1803 of this title, and a judge to whom an application is made may, notwithstanding any other law, grant an order, in conformity with section 1805 of this title, approving electronic surveillance of a foreign power or an agent of a foreign power for the purpose of obtaining foreign intelligence information, except that the court shall not have jurisdiction to grant any order approving electronic surveillance directed solely as described in paragraph (1)(A) of subsection (a) of this section unless such surveillance may involve the acquisition of communications of any United States person.

Sec. 1803. Designation of judges.

(a) Court to hear applications and grant orders; record of denial; transmittal to court of review.—The Chief Justice of the United States shall publicly designate seven district court judges from seven of the United States judicial circuits who shall constitute a court which shall have jurisdiction to hear applications for and grant orders approving electronic surveillance anywhere within the United States under the procedures set forth in this Act, except that no judge designated under this subsection shall hear the same application for electronic surveillance under this Act which has been denied previously by another judge designated under this subsection. If any judge so designated denies an application for an order authorizing electronic surveillance under this Act, such judge shall provide immediately for the record a written statement of each reason of his decision and, on motion of the United States, the record shall be transmitted, under seal, to the court of review established in subsection (b) of this section.

(b) Court of review; record, transmittal to Supreme Court.—The Chief Justice shall publicly designate three judges, one of whom shall be publicly designated as the presiding judge, from the United States district courts or courts of appeals who together shall comprise a court of review which shall have jurisdiction to review the denial of any application made under this Act. If such court determines that the application was properly denied, the court shall immediately provide for the record a written statement of each reason for its decision and, on petition of the United States for a writ of certiorari, the record shall be transmitted under seal to the Supreme Court, which shall have jurisdiction to review such decision.

(c) Expeditious conduct of proceedings; security measures for maintenance of records.—Proceedings under this Act shall be conducted as expeditiously as possible. The record of proceedings under this Act, including applications made and orders granted, shall be maintained under security measures established by the Chief Justice in consultation with the Attorney General and the Director of Central Intelligence.

(d) Tenure.—Each judge designated under this section shall so serve for a maximum of seven years and shall not be eligible for redesignation, except that the judges first designated under subsection (a) of this section shall be designated for terms of from one to seven years so that one term expires each year, and that judges first designated under subsection (b) of this section shall be designated for terms of three, five, and seven years.

Sec. 1804. Applications for court orders.

(a) Submission by Federal officer; approval of Attorney General; contents.—Each application for an order approving electronic surveillance under this chapter shall be made by a Federal officer in writing upon oath or affirmation to a judge having jurisdiction under section 1803 of this title. Each application shall require the approval of the Attorney General based upon his finding that it satisfies the criteria and requirements of such application as set forth in this chapter. It shall include—
(1) the identity of the Federal officer making the application;
(2) the authority conferred on the Attorney General by the President of the United States and the approval of the Attorney General to make the application;
(3) the identity, if known, or a description of the target of the electronic surveillance;
(4) a statement of the facts and circumstances relied upon by the applicant to justify his belief that—
(A) the target of the electronic surveillance is a foreign power or an agent of a foreign power; and
(B) each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power;
(5) a statement of the proposed minimization procedures;
(6) a detailed description of the nature of the information sought and the type of communications or activities to be subjected to the surveillance;
(7) a certification or certifications by the Assistant to the President for National Security Affairs or an executive branch official or officials designated by the President from among those executive officers employed in the area of national security or defense and appointed by the President with the advice and consent of the Senate—
(A) that the certifying official deems the information sought to be foreign intelligence information;
(B) that the purpose of the surveillance is to obtain foreign intelligence information;
(C) that such information cannot reasonably be obtained by normal investigative techniques;
(D) that designates the type of foreign intelligence information being sought according to the categories described in section 1801(e) of this title; and
(E) including a statement of the basis for the certification that—
(i) the information sought is the type of foreign intelligence information designated; and
(ii) such information cannot reasonably be obtained by normal investigative techniques;
(8) a statement of the means by which the surveillance will be effected and a statement whether physical entry is required to effect the surveillance;
(9) a statement of the facts concerning all previous applications that have been made to any judge under this chapter involving any of the persons, facilities, or places specified in the application, and the action taken on each previous application;
(10) a statement of the period of time for which the electronic surveillance is required to be maintained, and if the nature of the intelligence gathering is such that the approval of the use of electronic surveillance under this chapter should not automatically terminate when the described type of information has first been obtained, a description of facts supporting the belief that additional information of the same type will be obtained thereafter; and
(11) whenever more than one electronic, mechanical or other surveillance device is to be used with respect to a particular proposed electronic surveillance, the coverage of the devices involved and what minimization procedures apply to information acquired by each device.

(b) Exclusion of certain information respecting foreign power targets.—Whenever the target of the electronic surveillance is a foreign power, as defined in section 1801(a)(1), (2), or (3) of this title, and each of the facilities or places at which the surveillance is directed is owned, leased, or exclusively used by that foreign power, the application need not contain the information required by paragraphs (6), (7)(E), (8), and (11) of subsection (a) of this section, but shall state whether physical entry is required to effect the surveillance and shall contain such information about the surveillance techniques and communications or other information concerning United States persons likely to be obtained as may be necessary to assess the proposed minimization procedures.

(c) Additional affidavits or certifications.—The Attorney General may require any other affidavit or certification from any other officer in connection with the application.

(d) Additional information.—The judge may require the applicant to furnish such other information as may be necessary to make the determinations required by section 1805 of this title.

Sec. 1805. Issuance of order.

(a) Necessary findings.—Upon an application made pursuant to section 1804 of this title, the judge shall enter an ex parte order as requested or as modified approving the electronic surveillance if he finds that—
(1) the President has authorized the Attorney General to approve applications for electronic surveillance for foreign intelligence information;
(2) the application has been made by a Federal officer and approved by the Attorney General;
(3) on the basis of the facts submitted by the applicant there is probable cause to believe that—
(A) the target of the electronic surveillance is a foreign power or an agent of a foreign power: Provided, That no United States person may be considered a foreign power or an agent of a foreign power solely upon the basis of activities protected by the first amendment to the Constitution of the United States; and
(B) each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power;

(4) the proposed minimization procedures meet the definition of minimization procedures under section 1804(h) of this title; and
(5) the application which has been filed contains all statements and certifications required by section 1804 of this title and, if the target is a United States person, the certification or certifications are not clearly erroneous on the basis of the statement made under section 1804(a)(7)(E) of this title and any other information furnished under section 1804(d) of this title.

(b) Specifications and directions of orders.—An order approving an electronic surveillance under this section shall—
(1) specify—
(A) the identity, if known, or a description of the target of the electronic surveillance;
(B) the nature and location of each of the facilities or places at which the electronic surveillance will be directed;
(C) the type of information sought to be acquired and the type of communications or activities to be subjected to the surveillance;
(D) the means by which the electronic surveillance will be effected and whether physical entry will be used to effect the surveillance;
(E) the period of time during which the electronic surveillance is approved; and
(F) whenever more than one electronic, mechanical, or other surveillance device is to be used under the order, the authorized coverage of the devices involved and what minimization procedures shall apply to information subject to acquisition by each device; and
(2) direct—
(A) that the minimization procedures be followed;
(B) that, upon the request of the applicant, a specified communication or other common carrier, landlord, custodian, or other specified person furnish the applicant forthwith all information, facilities, or technical assistance necessary to accomplish the electronic surveillance in such a manner as will protect its secrecy and produce a minimum of interference with the services that such carrier, landlord, custodian, or other person is providing that target of electronic surveillance;
(C) that such carrier, landlord, custodian, or other person maintain under security procedures approved by the Attorney General and the Director of Central Intelligence any records concerning the surveillance or the aid furnished that such person wishes to retain; and
(D) that the applicant compensate, at the prevailing rate, such carrier, landlord, custodian, or other person for furnishing such aid.

(c) Exclusion of certain information respecting foreign power targets.—Whenever the target of the electronic surveillance is a foreign power, as defined in section 1801(a)(1), (2), or (3) of this title, and each of the facilities or places at which the surveillance is directed is owned, leased, or exclusively used by that foreign power, the order need not contain the information required by subparagraphs (C), (D), and (F) of subsection (b)(1) of this section, but shall generally describe the information sought, the communications or activities to be subjected to the surveillance, and the type of electronic surveillance involved, including whether physical entry is required.

(d) Duration of order; extensions; review of circumstances under which information was acquired, retained or disseminated.
(1) An order issued under this section may approve an electronic surveillance for the period necessary to achieve its purpose, or for ninety days, whichever is less, except that an order under this section shall approve an electronic surveillance targeted against a foreign power, as defined in section 1801(a)(1), (2), or (3) of this title, for the period specified in the application or for one year, whichever is less.
(2) Extensions of an order issued under this chapter may be granted on the same basis as an original order upon an application for an extension and new findings made in the same manner as required for an original order, except that an extension of an order under this Act for a surveillance targeted against a foreign power, as defined in section 1801(a)(5) or (6) of this title, or against a foreign power as defined in section 1801(a)(4) of this title that is not a United States person, may be for a period not to exceed one year if the judge finds probable cause to believe that no communication of any individual United States person will be acquired during the period.
(3) At or before the end of the period of time for which electronic surveillance is approved by an order or an extension, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was acquired, retained, or disseminated.

(e) Emergency orders.—Notwithstanding any other provision of this chapter, when the Attorney General reasonably determines that—

(1) an emergency situation exists with respect to the employment of electronic surveillance to obtain foreign intelligence information before an order authorizing such surveillance can with due diligence be obtained; and
(2) the factual basis for issuance of an order under this chapter to approve such surveillance exists;

he may authorize the emergency employment of electronic surveillance if a judge having jurisdiction under section 1803 of this title is informed by the Attorney General or his designee at the time of such authorization that the decision has been made to employ emergency electronic surveillance and if an application in accordance with this chapter is made to that judge as soon as practicable, but not more than twenty-four hours after the Attorney General authorizes such surveillance. If the Attorney General authorizes such emergency employment of electronic surveillance, he shall require that the minimization procedures required by this chapter for the issuance of a judicial order be followed. In the absence of a judicial order approving such electronic surveillance, the surveillance shall terminate when the information sought is obtained, when the application for the order is denied, or after the expiration of twenty-four hours from the time of authorization by the Attorney General, whichever is earliest. In the event that such application for approval is denied, or in any other case where the electronic surveillance is terminated and no order is issued approving the surveillance, no information obtained or evidence derived from such surveillance shall be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in or before any court, grand jury, department, office, agency, regulatory body, legislative committee, or other authority of the United States, a State, or political subdivision thereof, and no information concerning any United States person acquired from such surveillance shall subsequently be used or disclosed in any other manner by Federal officers or employees without the consent of such person, except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person. A denial of the application made under this subsection may be reviewed as provided in section 1803 of this title.

(f) Testing of electronic equipment; discovering unauthorized electronic surveillance; training of intelligence personnel.—Notwithstanding any other provision of this chapter, officers, employees, or agents of the United States are authorized in the normal course of their official duties to conduct electronic surveillance not targeted against the communications of any particular person or persons, under procedures approved by the Attorney General, solely to—
(1) test the capability of electronic equipment, if—
(A) it is not reasonable to obtain the consent of the persons incidentally subjected to the surveillance;
(B) the test is limited in extent and duration to that necessary to determine the capability of the equipment;
(C) the contents of any communication acquired are retained and used only for the purpose of determining the capability of the equipment, are disclosed only to test personnel, and are destroyed before or immediately upon completion of the test; and:
(D) Provided, That the test may exceed ninety days only with the prior approval of the Attorney General;
(2) determine the existence and capability of electronic surveillance equipment being used by persons not authorized to conduct electronic surveillance, if—
(A) it is not reasonable to obtain the consent of persons incidentally subjected to the surveillance;
(B) such electronic surveillance is limited in extent and duration to that necessary to determine the existence and capability of such equipment; and
(C) any information acquired by such surveillance is used only to enforce chapter 119 of title 18, or section 605 of title 47, or to protect information from unauthorized surveillance; or
(3) train intelligence personnel in the use of electronic surveillance equipment, if—
(A) it is not reasonable to—
(i) obtain the consent of the persons incidentally subjected to the surveillance;
(ii) train persons in the course of surveillances otherwise authorized by this chapter; or
(iii) train persons in the use of such equipment without engaging in electronic surveillance;
(B) such electronic surveillance is limited in extent and duration to that necessary to train the personnel in the use of the equipment; and
(C) no contents of any communication acquired are retained or disseminated for any purpose, but are destroyed as soon as reasonably possible.

(g) Retention of certifications, applications and orders.—Certifications made by the Attorney General pursuant to section 1802(a) of this title and applications made and orders granted under this chapter shall be retained for a period of at least ten years from the date of the certification or application.

Sec. 1806. Use of information.

(a) Compliance with minimization procedures; privileged communications; lawful purposes.—Information acquired from an electronic surveillance conducted pursuant to this chapter concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures required by this chapter. No otherwise privileged communication obtained in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character. No information acquired from an electronic surveillance pursuant to this chapter may be used or disclosed by Federal officers or employees except for lawful purposes.

(b) Statement for disclosure.—No information acquired pursuant to this chapter shall be disclosed for law enforcement purposes unless such disclosure is accompanied by a statement that such information, or any information derived therefrom, may only be used in a criminal proceeding with the advance authorization of the Attorney General.

(c) Notification by United States.—Whenever the Government intends to enter into evidence or otherwise use or disclose in any trial, hearing, or other proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States, against an aggrieved person, any information obtained or derived from an electronic surveillance of that aggrieved person pursuant to the authority of this chapter, the Government shall, prior to the trial, hearing, or other proceeding or at a reasonable time prior to an effort to so disclose or so use that information or submit it in evidence, notify the aggrieved person and the court or other authority in which the information is to be disclosed or used that the Government intends to so disclose or so use such information.

(d) Notification by States or political subdivisions.—Whenever any State or political subdivision thereof intends to enter into evidence or otherwise use or disclose in any trial, hearing, or other proceeding in or before any court, department, officer, agency, regulatory body, or other authority of a State or a political subdivision thereof, against an aggrieved person any information obtained or derived from an electronic surveillance of that aggrieved person pursuant to the authority of this chapter, the State or political subdivision thereof shall notify the aggrieved person, the court or other authority in which the information is to be disclosed or used, and the Attorney General that the State or political subdivision thereof intends to so disclose or so use such information.

(e) Motion to suppress.—Any person against whom evidence obtained or derived from an electronic surveillance to which he is an aggrieved person is to be, or has been, introduced or otherwise used or disclosed in any trial, hearing, or other proceeding in or before any court, department, officer, agency, regulatory body, or other authority of the United States, a State, or a political subdivision thereof, may move to suppress the evidence obtained or derived from such electronic surveillance on the grounds that—

(1) the information was unlawfully acquired; or
(2) the surveillance was not made in conformity with an order of authorization or approval.

Such a motion shall be made before the trial, hearing, or other proceeding unless there was no opportunity to make such a motion or the person was not aware of the grounds of the motion.

(f) In camera and ex parte review by district court.—Whenever a court or other authority is notified pursuant to subsection (c) or (d) of this section, or whenever a motion is made pursuant to subsection (e) of this section, or whenever any motion or request is made by an aggrieved person pursuant to any other statute or rule of the United States or any State before any court or other authority of the United States or any State to discover or obtain applications or orders or other materials relating to electronic surveillance or to discover, obtain, or suppress evidence or information obtained or derived from electronic surveillance under this Act, the United States district court or, where the motion is made before another authority, the United States district court in the same district as the authority, shall, notwithstanding any other law, if the Attorney General files an affidavit under oath that disclosure or an adversary hearing would harm the national security of the United States, review in camera and ex parte the application, order, and such other materials relating to the surveillance as may be necessary to determine whether the surveillance of the aggrieved person was lawfully authorized and conducted. In making this determination, the court may disclose to the aggrieved person, under appropriate security procedures and protective orders, portions of the application, order, or other materials relating to the surveillance only where such disclosure is necessary to make an accurate determination of the legality of the surveillance.

(g) Suppression of evidence; denial of motion.—If the United States district court pursuant to subsection (f) of this section determines that the surveillance was not lawfully authorized or conducted, it shall, in accordance with the requirements of law, suppress the evidence which was unlawfully obtained or derived from electronic surveillance of the aggrieved person or otherwise grant the motion of the aggrieved person. If the court determines that the surveillance was lawfully authorized and conducted, it shall deny the motion of the aggrieved person except to the extent that due process requires discovery or disclosure.

(h) Finality of orders.—Orders granting motions or requests under subsection (g) of this section, decisions under this section that electronic surveillance was not lawfully authorized or conducted, and orders of the United States district court requiring review or granting disclosure of applications, orders, or other materials relating to a surveillance shall be final orders and binding upon all courts of the United States and the several States except a United States court of appeals and the Supreme Court.

(i) Destruction of unintentionally acquired information.—In circumstances involving the unintentional acquisition by an electronic, mechanical, or other surveillance device of the contents of any radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, and if both the sender and all intended recipients are located within the United States, such contents shall be destroyed upon recognition, unless the Attorney General determines that the contents indicate a threat of death or serious bodily harm to any person.

(j) Notification of emergency employment of electronic surveillance; contents; postponement, suspension or elimination.—If an emergency employment of electronic surveillance is authorized under section 1805(e) of this title and a subsequent order approving the surveillance is not obtained, the judge shall cause to be served on any United States person named in the application and on such other United States persons subject to electronic surveillance as the judge may determine in his discretion it is in the interest of justice to serve, notice of—

(1) the fact of the application;
(2) the period of the surveillance; and
(3) the fact that during the period information was or was not obtained.

On an ex parte showing of good cause to the judge the serving of the notice required by this subsection may be postponed or suspended for a period not to exceed ninety days. Thereafter, on a further ex parte showing of good cause, the court shall forego ordering the serving of the notice required under this subsection.

Sec. 1807. Report to Administrative Office of the United States Court and to Congress.

In April of each year, the Attorney General shall transmit to the Administrative Office of the United States Court and to Congress a report setting forth with respect to the preceding calendar year—

(a) the total number of applications made for orders and extensions of orders approving electronic surveillance under this chapter; and

(b) the total number of such orders and extensions either granted, modified, or denied.

Sec. 1808. Report of Attorney General to Congressional committees; limitation on authority or responsibility of information gathering activities of Congressional committees; report of Congressional committees to Congress.

(a) On a semiannual basis the Attorney General shall fully inform the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence concerning all electronic surveillance under this chapter. Nothing in this chapter shall be deemed to limit the authority and responsibility of the appropriate committees of each House of Congress to obtain such information as they may need to carry out their respective functions and duties.

(b) On or before one year after October 25, 1978, and on the same day each year for four years thereafter, the Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence shall report respectively to the House of Representatives and the Senate, concerning the implementation of this Act. Said reports shall include but not be limited to an analysis and recommendations concerning whether this Act should be
(1) amended,
(2) repealed, or
(3) permitted to continue in effect without amendment.

Sec. 1809. Criminal sanctions.

(a) Prohibited activities.—A person is guilty of an offense if he intentionally—
(1) engages in electronic surveillance under color of law except as authorized by statute; or
(2) discloses or uses information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized by statute.

(b) Defense.—It is a defense to a prosecution under subsection (a) of this section that the defendant was a law enforcement or investigative officer engaged in the course of his official duties and the electronic surveillance was authorized by and conducted pursuant to a search warrant or court order of a court of competent jurisdiction.

(c) Penalties.—An offense described in this section is punishable by a fine of not more than $10,000 or imprisonment for not more than five years, or both.

(d) Federal jurisdiction.—There is Federal jurisdiction over an offense under this section if the person committing the offense was an officer or employee of the United States at the time the offense was committed.

Sec. 1810. Civil liability.

An aggrieved person, other than a foreign power or an agent of a foreign power, as defined in section 1801(a) or (b)(1)(A) of this title, respectively, who has been subjected to an electronic surveillance or about whom information obtained by electronic surveillance of such person has been disclosed or used in violation of section 1809 of this title shall have a cause of action against any person who committed such violation and shall be entitled to recover—
(a) actual damages, but not less than liquidated damages of $1,000 or $100 per day for each day of violation, whichever is greater;
(b) punitive damages; and
(c) reasonable attorney's fees and other investigation and litigation costs reasonably incurred.

Sec. 1811. Authorization during time of war.

Notwithstanding any other law, the President, through the Attorney General, may authorize electronic surveillance without a court order under this chapter to acquire foreign intelligence information for a period not to exceed fifteen calendar days following a declaration of war by the Congress.

N.1.3 Pen Register and Traffic Analysis (U.S. Code, Title 18, Chapters 121 and 206)
Chapter 121
Sec. 2701. Unlawful access to stored communications.

(a) Offense.—Except as provided in subsection (c) of this section whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

(b) Punishment.—The punishment for an offense under subsection (a) of this section is—
(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain—
(A) a fine of not more than $250,000 or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and
(B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and
(2) a fine of not more than $5,000 or imprisonment for not more than six months, or both, in any other case.

(c) Exceptions.—Subsection (a) of this section does not apply with respect to conduct authorized—
(1) by the person or entity providing a wire or electronic communications service;
(2) by a user of that service with respect to a communication of or intended for that user; or
(3) in section 2703, 2704 or 2518 of this title.

Sec. 2702. Disclosure of contents.

(a) Prohibitions.—Except as provided in subsection (b)—
(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and
(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—
(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service; and
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.

(b) Exceptions.—A person or entity may divulge the contents of a communication—
(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient;
(2) as otherwise authorized in section 2517, 2511(2)(a), or 2703 of this title;
(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;
(4) to a person employed or authorized or whose facilities are used to forward such communication to its destination;
(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service; or
(6) to a law enforcement agency, if such contents—
(A) were inadvertently obtained by the service provider; and
(B) appear to pertain to the commission of a crime.

Sec. 2703. Requirements for governmental access.

(a) Contents of Electronic Communications in Electronic Storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of an electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of an electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of Electronic Communications in a Remote Computing Service.—
(1) A governmental entity may require a provider of remote computing service to disclose the contents of any electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(2) Paragraph one is applicable with respect to any electronic communication that is held or maintained on that service—
(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.

(c) Records Concerning Electronic Communication Service or Remote Computing Service.—
(1)(A) Except as provided in subparagraph (B), a provider of electronic communication service or remote service may disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a) or (b) of this section) to any person other than a governmental entity.
(B) A provider of electronic communication service or remote computing service shall disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a) or (b) of this section) to a governmental entity only when the governmental entity—
(i) obtains a warrant issued under the Federal Rules of Criminal Procedure or equivalent State warrant;
(ii) obtains a court order for such disclosure under subsection (d) of this section; or
(iii) has the consent of the subscriber or customer to such disclosure.
(C) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the name, address, telephone toll billing records, telephone number or other subscriber number or identity, and length of service of a subscriber to or customer of such service and the types of services the subscriber or customer utilized, when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under subparagraph (B).
(2) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.

(d) Requirements for Court Order.—A court order for disclosure under subsection (b) or (c) may be issued by any court that is a court of competent jurisdiction described in section 3126(2)(A) and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. In the case of a State governmental authority, such a court order shall not issue if prohibited by the law of such State. A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.

(e) No Cause of Action Against a Provider Disclosing Information Under This Chapter.—No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, or certification under this chapter.

Sec. 2704. Backup preservation.

(a) Backup Preservation.—
(1) A governmental entity acting under section 2703(b)(2) may include in its subpoena or court order a requirement that the service provider to whom the request is directed create a backup copy of the contents of the electronic communications sought in order to preserve those communications. Without notifying the subscriber or customer of such subpoena or court order, such service provider shall create such backup copy as soon as practicable consistent with its regular business practices and shall confirm to the governmental entity that such backup copy has been made. Such backup copy shall be created within two business days after receipt by the service provider of the subpoena or court order.
(2) Notice to the subscriber or customer shall be made by the governmental entity within three days after receipt of such confirmation, unless such notice is delayed pursuant to section 2705(a).
(3) The service provider shall not destroy such backup copy until the later of—
(A) the delivery of the information; or
(B) the resolution of any proceedings (including appeals of any proceeding) concerning the government's subpoena or court order.
(4) The service provider shall release such backup copy to the requesting governmental entity no sooner than fourteen days after the governmental entity's notice to the subscriber or customer if such service provider—
(A) has not received notice from the subscriber or customer that the subscriber or customer has challenged the governmental entity's request; and
(B) has not initiated proceedings to challenge the request of the governmental entity.
(5) A governmental entity may seek to require the creation of a backup copy under subsection (a)(1) of this section if in its sole discretion such entity determines that there is reason to believe that notification under section 2703 of this title of the existence of the subpoena or court order may result in destruction of or tampering with evidence. This determination is not subject to challenge by the subscriber or customer or service provider.

(b) Customer Challenges.—
(1) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (a)(2) of this section, such subscriber or customer may file a motion to quash such subpoena or vacate such court order, with copies served upon the governmental entity and with written notice of such challenge to the service provider. A motion to vacate a court order shall be filed in the court which issued such order. A motion to quash a subpoena shall be filed in the appropriate United States district court or State court. Such motion or application shall contain an affidavit or sworn statement—
(A) stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications maintained for him have been sought; and
(B) stating the applicant's reasons for believing that the records sought are not relevant to a legitimate law enforcement inquiry or that there has not been substantial compliance with the provisions of this chapter in some other respect.
(2) Service shall be made under this section upon a governmental entity by delivering or mailing by registered or certified mail a copy of the papers to the person, office, or department specified in the notice which the customer has received pursuant to this chapter. For the purposes of this section, the term 'delivery' has the meaning given that term in the Federal Rules of Civil Procedure.
(3) If the court finds that the customer has complied with paragraphs (1) and (2) of this subsection, the court shall order the governmental entity to file a sworn response, which may be filed in camera if the governmental entity includes in its response the reasons which make in camera review appropriate. If the court is unable to determine the motion or application on the basis of the parties' initial allegations and response, the court may conduct such additional proceedings as it deems appropriate. All such proceedings shall be completed and the motion or application decided as soon as practicable after the filing of the governmental entity's response.
(4) If the court finds that the applicant is not the subscriber or customer for whom the communications sought by the governmental entity are maintained, or that there is a reason to believe that the law enforcement inquiry is legitimate and that the communications sought are relevant to that inquiry, it shall deny the motion or application and order such process enforced. If the court finds that the applicant is the subscriber or customer for whom the communications sought by the governmental entity are maintained, and that there is not a reason to believe that the communications sought are relevant to a legitimate law enforcement inquiry, or that there has not been substantial compliance with the provisions of this chapter, it shall order the process quashed.
(5) A court order denying a motion or application under this section shall not be deemed a final order and no interlocutory appeal may be taken therefrom by the customer.

Sec. 2705. Delayed notice.

(a) Delay of Notification.—
(1) A governmental entity acting under section 2703(b) of this title may—
(A) where a court order is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order may have an adverse result described in paragraph (2) of this subsection; or
(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703(b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.
(2) An adverse result for the purposes of paragraph (1) of this subsection is—
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).
(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.
(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail to, the customer or subscriber a copy of the process or request together with notice that—
(A) states with reasonable specificity the nature of the law enforcement inquiry; and
(B) informs such customer or subscriber—
(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;
(ii) that notification of such customer or subscriber was delayed;
(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and
(iv) which provision of this chapter allowed such delay.
(6) As used in this subsection, the term 'supervisory official' means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency's headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney's headquarters or regional office.

(b) Preclusion of Notice to Subject of Governmental Access.—A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703(b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in—
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of potential witnesses; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Sec. 2706. Cost reimbursement.

(a) Payment.—Except as otherwise provided in subsection (c), a governmental entity obtaining the contents of communications, records, or other information under section 2702, 2703, or 2704 of this title shall pay to the person or entity assembling or providing such information a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in searching for, assembling, reproducing, or otherwise providing such information. Such reimbursable costs shall include any costs due to necessary disruption of normal operations of any electronic communication service or remote computing service in which such information may be stored.

(b) Amount.—The amount of the fee provided by subsection (a) shall be as mutually agreed by the governmental entity and the person or entity providing the information, or, in the absence of agreement, shall be as determined by the court which issued the order for production of such information (or the court before which a criminal prosecution relating to such information would be brought, if no court order was issued for production of the information).

(c) Exception.—The requirement of subsection (a) of this section does not apply with respect to records or other information maintained by a communications common carrier that relate to telephone toll records and telephone listings obtained under section 2703 of this title. The court may, however, order a payment as described in subsection (a) if the court determines the information required is unusually voluminous in nature or otherwise caused an undue burden on the provider.

Sec. 2707. Civil action.

(a) Cause of Action.—Except as provided in section 2703(e), any provider of electronic communication service, subscriber, or customer aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity which engaged in that violation such relief as may be appropriate.

(b) Relief.—In a civil action under this section, appropriate relief includes—
(1) such preliminary and other equitable or declaratory relief as may be appropriate;
(2) damages under subsection (c); and
(3) a reasonable attorney's fee and other litigation costs reasonably incurred.

(c) Damages.—The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.

(d) Defense.—A good faith reliance on—
(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization;
(2) a request of an investigative or law enforcement officer under section 2518(7) of this title; or
(3) a good faith determination that section 2511(3) of this title permitted the conduct complained of;
is a complete defense to any civil or criminal action brought under this chapter or any other law.

(e) Limitation.—A civil action under this section may not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.

Sec. 2708. Exclusivity of remedies.

The remedies and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional violations of this chapter.

Sec. 2709. Counterintelligence access to telephone toll and transactional records.

(a) Duty to Provide.—A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section.

(b) Required Certification.—The Director of the Federal Bureau of Investigation (or an individual within the Federal Bureau of Investigation designated for this purpose by the Director) may request any such information and records if the Director (or the Director's designee) certifies in writing to the wire or electronic communication service provider to which the request is made that—
(1) the information sought is relevant to an authorized foreign counterintelligence investigation; and
(2) there are specific and articulable facts giving reason to believe that the person or entity to whom the information sought pertains is a foreign power or an agent of a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

(c) Prohibition of Certain Disclosure.—No wire or electronic communication service provider, or officer, employee, or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information or records under this section.

(d) Dissemination by Bureau.—The Federal Bureau of Investigation may disseminate information and records obtained under this section only as provided in guidelines approved by the Attorney General for foreign intelligence collection and foreign counterintelligence investigations conducted by the Federal Bureau of Investigation, and, with respect to dissemination to an agency of the United States, only if such information is clearly relevant to the authorized responsibilities of such agency.

(e) Requirement That Certain Congressional Bodies Be Informed.—On a semiannual basis the Director of the Federal Bureau of Investigation shall fully inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate concerning all requests made under subsection (b) of this section.

Sec. 2710. Wrongful disclosure of video tape rental or sale records....
Sec. 2711. Definitions for chapter.

As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section; and
(2) the term 'remote computing service' means the provision to the public of computer storage or processing services by means of an electronic communications system.

Chapter 206
Sec. 3121. General prohibition on pen register and trap and trace device use; exception.

(a) In General.—Except as provided in this section, no person may install or use a pen register or a trap and trace device without first obtaining a court order under section 3123 of this title or under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

(b) Exception.—The prohibition of subsection (a) does not apply with respect to the use of a pen register or a trap and trace device by a provider of electronic or wire communication service—
(1) relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or
(2) to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service; or
(3) where the consent of the user of that service has been obtained.

(c) Limitation.—A government agency authorized to install and use a pen register under this chapter or under State law shall use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information utilized in call processing.

(d) Penalty.—Whoever knowingly violates subsection (a) shall be fined under this title or imprisoned not more than one year, or both.

Sec. 3122. Application for an order for a pen register or a trap and trace device.

(a) Application.—(1) An attorney for the Government may make application for an order or an extension of an order under section 3123 of this title authorizing or approving the installation and use of a pen register or a trap and trace device under this chapter, in writing under oath or equivalent affirmation, to a court of competent jurisdiction.
(2) Unless prohibited by State law, a State investigative or law enforcement officer may make application for an order or an extension of an order under section 3123 of this title authorizing or approving the installation and use of a pen register or a trap and trace device under this chapter, in writing under oath or equivalent affirmation, to a court of competent jurisdiction of such State.

(b) Contents of Application.—An application under subsection (a) of this section shall include—
(1) the identity of the attorney for the Government or the State law enforcement or investigative officer making the application and the identity of the law enforcement agency conducting the investigation; and
(2) a certification by the applicant that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency.

Sec. 3123. Issuance of an order for a pen register or a trap and trace device.

(a) In General.—Upon an application made under section 3122 of this title, the court shall enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device within the jurisdiction of the court if the court finds that the attorney for the Government or the State law enforcement or investigative officer has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.

(b) Contents of Order.—An order issued under this section—
(1) shall specify—
(A) the identity, if known, of the person to whom is leased or in whose name is listed the telephone line to which the pen register or trap and trace device is to be attached;
(B) the identity, if known, of the person who is the subject of the criminal investigation;
(C) the number and, if known, physical location of the telephone line to which the pen register or trap and trace device is to be attached and, in the case of a trap and trace device, the geographic limits of the trap and trace order; and
(D) a statement of the offense to which the information likely to be obtained by the pen register or trap and trace device relates; and
(2) shall direct, upon the request of the applicant, the furnishing of information, facilities, and technical assistance necessary to accomplish the installation of the pen register or trap and trace device under section 3124 of this title.

(c) Time Period and Extensions.—
(1) An order issued under this section shall authorize the installation and use of a pen register or a trap and trace device for a period not to exceed sixty days.
(2) Extensions of such an order may be granted, but only upon an application for an order under section 3122 of this title and upon the judicial finding required by subsection (a) of this section. The period of extension shall be for a period not to exceed sixty days.

(d) Nondisclosure of Existence of Pen Register or a Trap and Trace Device.—An order authorizing or approving the installation and use of a pen register or a trap and trace device shall direct that—
(1) the order be sealed until otherwise ordered by the court; and
(2) the person owning or leasing the line to which the pen register or a trap and trace device is attached, or who has been ordered by the court to provide assistance to the applicant, not disclose the existence of the pen register or trap and trace device or the existence of the investigation to the listed subscriber, or to any other person, unless or until otherwise ordered by the court.

Sec. 3124. Assistance in installation and use of a pen register or a trap and trace device.

(a) Pen Registers.—Upon the request of an attorney for the Government or an officer of a law enforcement agency authorized to install and use a pen register under this chapter, a provider of wire or electronic communication service, landlord, custodian, or other person shall furnish such investigative or law enforcement officer forthwith all information, facilities, and technical assistance necessary to accomplish the installation of the pen register unobtrusively and with a minimum of interference with the services that the person so ordered by the court accords the party with respect to whom the installation and use is to take place, if such assistance is directed by a court order as provided in section 3123(b)(2) of this title.

(b) Trap and Trace Device.—Upon the request of an attorney for the Government or an officer of a law enforcement agency authorized to receive the results of a trap and trace device under this chapter, a provider of a wire or electronic communication service, landlord, custodian, or other person shall install such device forthwith on the appropriate line and shall furnish such investigative or law enforcement officer all additional information, facilities and technical assistance including installation and operation of the device unobtrusively and with a minimum of interference with the services that the person so ordered by the court accords the party with respect to whom the installation and use is to take place, if such installation and assistance is directed by a court order as provided in section 3123(b)(2) of this title. Unless otherwise ordered by the court, the results of the trap and trace device shall be furnished, pursuant to section 3123(b) or section 3125 of this title, to the officer of a law enforcement agency, designated in the court order, at reasonable intervals during regular business hours for the duration of the order.

(c) Compensation.—A provider of a wire or electronic communication service, landlord, custodian, or other person who furnishes facilities or technical assistance pursuant to this section shall be reasonably compensated for such reasonable expenses incurred in providing such facilities and assistance.

(d) No Cause of Action Against a Provider Disclosing Information Under This Chapter.—No cause of action shall lie in any court against any provider of a wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order under this chapter or request pursuant to section 3125 of this title.

(e) Defense.—A good faith reliance on a court order under this chapter, a request pursuant to section 3125 of this title, a legislative authorization, or a statutory authorization is a complete defense against any civil or criminal action brought under this chapter or any other law.

Sec. 3125. Emergency pen register and trap and trace device installation.

(a) Notwithstanding any other provision of this chapter, any investigative or law enforcement officer, specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, any Assistant Attorney General, any acting Assistant Attorney General, or any Deputy Assistant Attorney General, or by the principal prosecuting attorney of any State or subdivision thereof acting pursuant to a statute of that State, who reasonably determines that—
(1) an emergency situation exists that involves—

(A) immediate danger of death or serious bodily injury to any person; or
(B) conspiratorial activities characteristic of organized crime,

that requires the installation and use of a pen register or a trap and trace device before an order authorizing such installation and use can, with due diligence, be obtained, and

(2) there are grounds upon which an order could be entered under this chapter to authorize such installation and use "1 may have installed and use a pen register or trap and trace device if, within forty-eight hours after the installation has occurred, or begins to occur, an order approving the installation or use is issued in accordance with section 3123 of this title."4

(b) In the absence of an authorizing order, such use shall immediately terminate when the information sought is obtained, when the application for the order is denied or when forty-eight hours have lapsed since the installation of the pen register or trap and trace device, whichever is earlier.

(c) The knowing installation or use by any investigative or law enforcement officer of a pen register or trap and trace device pursuant to subsection (a) without application for the authorizing order within forty-eight hours of the installation shall constitute a violation of this chapter.

(d) A provider for a wire or electronic service, landlord, custodian, or other person who furnished facilities or technical assistance pursuant to this section shall be reasonably compensated for such reasonable expenses incurred in providing such facilities and assistance.

Sec. 3126. Reports concerning pen registers and trap and trace devices.

The Attorney General shall annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.

Sec. 3127. Definitions for chapter.

As used in this chapter—

(1) the terms "wire communication", "electronic communication", and "electronic communication service" have the meanings set forth for such terms in section 2510 of this title;

(2) the term "court of competent jurisdiction" means—
(A) a district court of the United States (including a magistrate of such a court) or a United States Court of Appeals; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;

4 So in original. A comma probably should appear after the word "use", the quotation marks probably should not appear, and the words beginning with "may" probably should appear flush left.

(3) the term "pen register" means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached, but such term does not include any device used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business;

(4) the term "trap and trace device" means a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted;

(5) the term "attorney for the Government" has the meaning given such term for the purposes of the Federal Rules of Criminal Procedure; and

(6) the term "State" means a State, the District of Columbia, Puerto Rico, and any other possession or territory of the United States.

N.1.4 Communications Assistance for Law Enforcement Act of 1995
Title I—Interception of Digital and Other Communications
Sec. 101. Short title.

This title may be cited as the "Communications Assistance for Law Enforcement Act".

Sec. 102. Definitions.

For purposes of this title—

(1) The terms defined in section 2510 of title 18, United States Code, have, respectively, the meanings stated in that section.

(2) The term "call-identifying information" means dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier.

(3) The term "Commission" means the Federal Communications Commission.

(4) The term "electronic messaging services" means software-based services that enable the sharing of data, images, sound, writing, or other information among computing devices controlled by the senders or recipients of the messages.

(5) The term "government" means the government of the United States and any agency or instrumentality thereof, the District of Columbia, any commonwealth, territory, or possession of the United States, and any State or political subdivision thereof authorized by law to conduct electronic surveillance.

(6) The term "information services"—
(A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and
(B) includes—
(i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities;
(ii) electronic publishing; and
(iii) electronic messaging services; but
(C) does not include any capability for a telecommunications carrier's internal management, control, or operation of its telecommunications network.

(7) The term "telecommunications support services" means a product, software, or service used by a telecommunications carrier for the internal signaling or switching functions of its telecommunications network.

(8) The term "telecommunications carrier"—
(A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and
(B) includes—
(i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 332(d))); or
(ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this title; but
(C) does not include—
(i) persons or entities insofar as they are engaged in providing information services; and
(ii) any class or category of telecommunications carriers that the Commission exempts by rule after consultation with the Attorney General.

Sec. 103. Assistance capability requirements.

(a) Capability Requirements.—Except as provided in subsections (b), (c), and (d) of this section and sections 108(a) and 109(b) and (d), a telecommunications carrier shall ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of—
(1) expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept, to the exclusion of any other communications, all wire and electronic communications carried by the carrier within a service area to or from equipment, facilities, or services of a subscriber of such carrier concurrently with their transmission to or from the subscriber's equipment, facility, or service, or at such later time as may be acceptable to the government;
(2) expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier—
(A) before, during, or immediately after the transmission of a wire or electronic communication (or at such later time as may be acceptable to the government); and
(B) in a manner that allows it to be associated with the communication to which it pertains, except that, with regard to information acquired solely pursuant to the authority for pen registers and trap and trace devices (as defined in section 3127 of title 18, United States Code), such call-identifying information shall not include any information that may disclose the physical location of the subscriber (except to the extent that the location may be determined from the telephone number);
(3) delivering intercepted communications and call-identifying information to the government, pursuant to a court order or other lawful authorization, in a format such that they may be transmitted by means of equipment, facilities, or services procured by the government to a location other than the premises of the carrier; and
(4) facilitating authorized communications interceptions and access to call-identifying information unobtrusively and with a minimum of interference with any subscriber's telecommunications service and in a manner that protects—
(A) the privacy and security of communications and call-identifying information not authorized to be intercepted; and
(B) information regarding the government's interception of communications and access to call-identifying information.

(b) Limitations.—
(1) Design of features and systems configurations.—This title does not authorize any law enforcement agency or officer—
(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or
(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.
(2) Information services; private networks and interconnection services and facilities.—The requirements of subsection (a) do not apply to—
(A) information services; or
(B) equipment, facilities, or services that support the transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers.
(3) Encryption.—A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

(c) Emergency or Exigent Circumstances.—In emergency or exigent circumstances (including those described in sections 2518 (7) or (11)(b) and 3125 of title 18, United States Code, and section 1805(e) of title 50 of such Code), a carrier at its discretion may comply with subsection (a)(3) by allowing monitoring at its premises if that is the only means of accomplishing the interception or access.

(d) Mobile Service Assistance Requirements.—A telecommunications carrier that is a provider of commercial mobile service (as defined in section 332(d) of the Communications Act of 1934) offering a feature or service that allows subscribers to redirect, hand off, or assign their wire or electronic communications to another service area or another service provider or to utilize facilities in another service area or of another service provider shall ensure that, when the carrier that had been providing assistance for the interception of wire or electronic communications or access to call-identifying information pursuant to a court order or lawful authorization no longer has access to the content of such communications or call-identifying information within the service area in which interception has been occurring as a result of the subscriber's use of such a feature or service, information is made available to the government (before, during, or immediately after the transfer of such communications) identifying the provider of wire or electronic communication service that has acquired access to the communications.

Sec. 104. Notices of capacity requirements.

(a) Notices of Maximum and Actual Capacity Requirements.— 
(1) In general.—Not later than 1 year after the date of enactment of this title, after consulting with State and local law enforcement agencies, telecommunications carriers, providers of telecommunications support services, and manufacturers of telecommunications equipment, and after notice and comment, the Attorney General shall publish in the Federal Register and provide to appropriate telecommunications industry associations and standard-setting organizations—
(A) notice of the actual number of communication interceptions, pen registers, and trap and trace devices, representing a portion of the maximum capacity set forth under subparagraph (B), that the Attorney General estimates that government agencies authorized to conduct electronic surveillance may conduct and use simultaneously by the date that is 4 years after the date of enactment of this title; and
(B) notice of the maximum capacity required to accommodate all of the communication interceptions, pen registers, and trap and trace devices that the Attorney General estimates that government agencies authorized to conduct electronic surveillance may conduct and use simultaneously after the date that is 4 years after the date of enactment of this title.
(2) Basis of notices.—The notices issued under paragraph (1)—
(A) may be based upon the type of equipment, type of service, number of subscribers, type or size or carrier, nature of service area, or any other measure; and
(B) shall identify, to the maximum extent practicable, the capacity required at specific geographic locations.

(b) Compliance With Capacity Notices.—
(1) Initial capacity.—Within 3 years after the publication by the Attorney General of a notice of capacity requirements or within 4 years after the date of enactment of this title, whichever is longer, a telecommunications carrier shall, subject to subsection (e), ensure that its systems are capable of—
(A) accommodating simultaneously the number of interceptions, pen registers, and trap and trace devices set forth in the notice under subsection (a)(1)(A); and
(B) expanding to the maximum capacity set forth in the notice under subsection (a)(1)(B).
(2) Expansion to maximum capacity.—After the date described in paragraph (1), a telecommunications carrier shall, subject to subsection (e), ensure that it can accommodate expeditiously any increase in the actual number of communication interceptions, pen registers, and trap and trace devices that authorized agencies may seek to conduct and use, up to the maximum capacity requirement set forth in the notice under subsection (a)(1)(B).

(c) Notices of Increased Maximum Capacity Requirements.—
(1) Notice.—The Attorney General shall periodically publish in the Federal Register, after notice and comment, notice of any necessary increases in the maximum capacity requirement set forth in the notice under subsection (a)(1)(B).
(2) Compliance.—Within 3 years after notice of increased maximum capacity requirements is published under paragraph (1), or within such longer time period as the Attorney General may specify, a telecommunications carrier shall, subject to subsection (e), ensure that its systems are capable of expanding to the increased maximum capacity set forth in the notice.

(d) Carrier Statement.—Within 180 days after the publication by the Attorney General of a notice of capacity requirements pursuant to subsection (a) or (c), a telecommunications carrier shall submit to the Attorney General a statement identifying any of its systems or services that do not have the capacity to accommodate simultaneously the number of interceptions, pen registers, and trap and trace devices set forth in the notice under such subsection.

(e) Reimbursement Required for Compliance.—The Attorney General shall review the statements submitted under subsection (d) and may, subject to the availability of appropriations, agree to reimburse a telecommunications carrier for costs directly associated with modifications to attain such capacity requirement that are determined to be reasonable in accordance with section 109(e). Until the Attorney General agrees to reimburse such carrier for such modification, such carrier shall be considered to be in compliance with the capacity notices under subsection (a) or (c).

Sec. 105. Systems security and integrity.

A telecommunications carrier shall ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance with regulations prescribed by the Commission.

Sec. 106. Cooperation of equipment manufacturers and providers of telecommunications support services.

(a) Consultation.—A telecommunications carrier shall consult, as necessary, in a timely fashion with manufacturers of its telecommunications transmission and switching equipment and its providers of telecommunications support services for the purpose of ensuring that current and planned equipment, facilities, and services comply with the capability requirements of section 103 and the capacity requirements identified by the Attorney General under section 104.

(b) Cooperation.—Subject to sections 104(e), 108(a), and 109(b) and (d), a manufacturer of telecommunications transmission or switching equipment and a provider of telecommunications support services shall, on a reasonably timely basis and at a reasonable charge, make available to the telecommunications carriers using its equipment, facilities, or services such features or modifications as are necessary to permit such carriers to comply with the capability requirements of section 103 and the capacity requirements identified by the Attorney General under section 104.

Sec. 107. Technical requirements and standards; extension of compliance date.

(a) Safe Harbor.—
(1) Consultation.—To ensure the efficient and industry-wide implementation of the assistance capability requirements under section 103, the Attorney General, in coordination with other Federal, State, and local law enforcement agencies, shall consult with appropriate associations and standard-setting organizations of the telecommunications industry, with representatives of users of telecommunications equipment, facilities, and services, and with State utility commissions.
(2) Compliance under accepted standards.—A telecommunications carrier shall be found to be in compliance with the assistance capability requirements under section 103, and a manufacturer of telecommunications transmission or switching equipment or a provider of telecommunications support services shall be found to be in compliance with section 106, if the carrier, manufacturer, or support service provider is in compliance with publicly available technical requirements or standards adopted by an industry association or standard-setting organization, or by the Commission under subsection (b), to meet the requirements of section 103.
(3) Absence of standards.—The absence of technical requirements or standards for implementing the assistance capability requirements of section 103 shall not—
(A) preclude a telecommunications carrier, manufacturer, or telecommunications support services provider from deploying a technology or service; or
(B) relieve a carrier, manufacturer, or telecommunications support services provider of the obligations imposed by section 103 or 106, as applicable.

(b) Commission Authority.—If industry associations or standard-setting organizations fail to issue technical requirements or standards or if a government agency or any other person believes that such requirements or standards are deficient, the agency or person may petition the Commission to establish, by rule, technical requirements or standards that—
(1) meet the assistance capability requirements of section 103 by cost-effective methods;
(2) protect the privacy and security of communications not authorized to be intercepted;
(3) minimize the cost of such compliance on residential ratepayers;
(4) serve the policy of the United States to encourage the provision of new technologies and services to the public; and
(5) provide a reasonable time and conditions for compliance with and the transition to any new standard, including defining the obligations of telecommunications carriers under section 103 during any transition period.

(c) Extension of Compliance Date for Equipment, Facilities, and Services.—
(1) Petition.—A telecommunications carrier proposing to install or deploy, or having installed or deployed, any equipment, facility, or service prior to the effective date of section 103 may petition the Commission for 1 or more extensions of the deadline for complying with the assistance capability requirements under section 103.
(2) Grounds for extension.—The Commission may, after consultation with the Attorney General, grant an extension under this subsection, if the Commission determines that compliance with the assistance capability requirements under section 103 is not reasonably achievable through application of technology available within the compliance period.
(3) Length of extension.—An extension under this subsection shall extend for no longer than the earlier of—
(A) the date determined by the Commission as necessary for the carrier to comply with the assistance capability requirements under section 103; or
(B) the date that is 2 years after the date on which the extension is granted.
(4) Applicability of extension.—An extension under this subsection shall apply to only that part of the carrier's business on which the new equipment, facility, or service is used.

Sec. 108. Enforcement orders.

(a) Grounds for Issuance.—A court shall issue an order enforcing this title under section 2522 of title 18, United States Code, only if the court finds that—
(1) alternative technologies or capabilities or the facilities of another carrier are not reasonably available to law enforcement for implementing the interception of communications or access to call-identifying information; and
(2) compliance with the requirements of this title is reasonably achievable through the application of available technology to the equipment, facility, or service at issue or would have been reasonably achievable if timely action had been taken.

(b) Time for Compliance.—Upon issuing an order enforcing this title, the court shall specify a reasonable time and conditions for complying with its order, considering the good faith efforts to comply in a timely manner, any effect on the carrier's, manufacturer's, or service provider's ability to continue to do business, the degree of culpability or delay in undertaking efforts to comply, and such other matters as justice may require.

(c) Limitations.—An order enforcing this title may not—
(1) require a telecommunications carrier to meet the government's demand for interception of communications and acquisition of call-identifying information to any extent in excess of the capacity for which the Attorney General has agreed to reimburse such carrier;
(2) require any telecommunications carrier to comply with assistance capability requirement of section 103 if the Commission has determined (pursuant to section 109(b)(1)) that compliance is not reasonably achievable, unless the Attorney General has agreed (pursuant to section 109(b)(2)) to pay the costs described in section 109(b)(2)(A); or
(3) require a telecommunications carrier to modify, for the purpose of complying with the assistance capability requirements of section 103, any equipment, facility, or service deployed on or before January 1, 1995, unless—
(A) the Attorney General has agreed to pay the telecommunications carrier for all reasonable costs directly associated with modifications necessary to bring the equipment, facility, or service into compliance with those requirements; or
(B) the equipment, facility, or service has been replaced or significantly upgraded or otherwise undergoes major modification.

Sec. 109. Payment of costs of telecommunications carriers to comply with capability requirements.

(a) Equipment, Facilities, and Services Deployed on or Before January 1, 1995.—The Attorney General may, subject to the availability of appropriations, agree to pay telecommunications carriers for all reasonable costs directly associated with the modifications performed by carriers in connection with equipment, facilities, and services installed or deployed on or before January 1, 1995, to establish the capabilities necessary to comply with section 103.

(b) Equipment, Facilities, and Services Deployed After January 1, 1995.—
(1) Determinations of reasonably achievable.—The Commission, on petition from a telecommunications carrier or any other interested person, and after notice to the Attorney General, shall determine whether compliance with the assistance capability requirements of section 103 is reasonably achievable with respect to any equipment, facility, or service installed or deployed after January 1, 1995. The Commission shall make such determination within 1 year after the date such petition is filed. In making such determination, the Commission shall determine whether compliance would impose significant difficulty or expense on the carrier or on the users of the carrier's systems and shall consider the following factors:
(A) The effect on public safety and national security.
(B) The effect on rates for basic residential telephone service.
(C) The need to protect the privacy and security of communications not authorized to be intercepted.
(D) The need to achieve the capability assistance requirements of section 103 by cost-effective methods.
(E) The effect on the nature and cost of the equipment, facility, or service at issue.
(F) The effect on the operation of the equipment, facility, or service at issue.
(G) The policy of the United States to encourage the provision of new technologies and services to the public.
(H) The financial resources of the telecommunications carrier.
(I) The effect on competition in the provision of telecommunications services.
(J) The extent to which the design and development of the equipment, facility, or service was initiated before January 1, 1995.
(K) Such other factors as the Commission determines are appropriate.
(2) Compensation.—If compliance with the assistance capability requirements of section 103 is not reasonably achievable with respect to equipment, facilities, or services deployed after January 1, 1995—
(A) the Attorney General, on application of a telecommunications carrier, may agree, subject to the availability of appropriations, to pay the telecommunications carrier for the additional reasonable costs of making compliance with such assistance capability requirements reasonably achievable; and
(B) if the Attorney General does not agree to pay such costs, the telecommunications carrier shall be deemed to be in compliance with such capability requirements.

(c) Allocation of Funds for Payment.—The Attorney General shall allocate funds appropriated to carry out this title in accordance with law enforcement priorities determined by the Attorney General.

(d) Failure To Make Payment With Respect To Equipment, Facilities, and Services Deployed on or Before January 1, 1995.—If a carrier has requested payment in accordance with procedures promulgated pursuant to subsection (e), and the Attorney General has not agreed to pay the telecommunications carrier for all reasonable costs directly associated with modifications necessary to bring any equipment, facility, or service deployed on or before January 1, 1995, into compliance with the assistance capability requirements of section 103, such equipment, facility, or service shall be considered to be in compliance with the assistance capability requirements of section 103 until the equipment, facility, or service is replaced or significantly upgraded or otherwise undergoes major modification.

(e) Cost Control Regulations.—
(1) In general.—The Attorney General shall, after notice and comment, establish regulations necessary to effectuate timely and cost-efficient payment to telecommunications carriers under this title, under chapters 119 and 121 of title 18, United States Code, and under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).
(2) Contents of regulations.—The Attorney General, after consultation with the Commission, shall prescribe regulations for purposes of determining reasonable costs under this title. Such regulations shall seek to minimize the cost to the Federal Government and shall—
(A) permit recovery from the Federal Government of—
(i) the direct costs of developing the modifications described in subsection (a), of providing the capabilities requested under subsection (b)(2), or of providing the capacities requested under section 104(e), but only to the extent that such costs have not been recovered from any other governmental or nongovernmental entity;
(ii) the costs of training personnel in the use of such capabilities or capacities; and
(iii) the direct costs of deploying or installing such capabilities or capacities;
(B) in the case of any modification that may be used for any purpose other than lawfully authorized electronic surveillance by a law enforcement agency of a government, permit recovery of only the incremental cost of making the modification suitable for such law enforcement purposes; and
(C) maintain the confidentiality of trade secrets.
(3) Submission of claims.—Such regulations shall require any telecommunications carrier that the Attorney General has agreed to pay for modifications pursuant to this section and that has installed or deployed such modification to submit to the Attorney General a claim for payment that contains or is accompanied by such information as the Attorney General may require.

Sec. 110. Authorization of appropriations.

There are authorized to be appropriated to carry out this title a total of $500,000,000 for fiscal years 1995, 1996, 1997, and 1998. Such sums are authorized to remain available until expended.

Sec. 111. Effective date.

(a) In General.—Except as provided in subsection (b), this title shall take effect on the date of enactment of this Act.

(b) Assistance Capability and Systems Security and Integrity Requirements.—Sections 103 and 105 of this title shall take effect on the date that is 4 years after the date of enactment of this Act.

Sec. 112. Reports.

(a) Reports by the Attorney General.—
(1) In general.—On or before November 30, 1995, and on or before November 30 of each year thereafter, the Attorney General shall submit to Congress and make available to the public a report on the amounts paid during the preceding fiscal year to telecommunications carriers under sections 104(e) and 109.
(2) Contents.—A report under paragraph (1) shall include—
(A) a detailed accounting of the amounts paid to each carrier and the equipment, facility, or service for which the amounts were paid; and
(B) projections of the amounts expected to be paid in the current fiscal year, the carriers to which payment is expected to be made, and the equipment, facilities, or services for which payment is expected to be made.

(b) Reports by the Comptroller General.—
(1) Payments for modifications.—On or before April 1, 1996, and every 2 years thereafter, the Comptroller General of the United States, after consultation with the Attorney General and the telecommunications industry, shall submit to the Congress a report—
(A) describing the type of equipment, facilities, and services that have been brought into compliance under this title; and
(B) reflecting its analysis of the reasonableness and cost-effectiveness of the payments made by the Attorney General to telecommunications carriers for modifications necessary to ensure compliance with this title.
(2) Compliance cost estimates.—A report under paragraph (1) shall include the findings and conclusions of the Comptroller General on the costs to be incurred by telecommunications carriers to comply with the assistance capability requirements of section 103 after the effective date of such section 103, including projections of the amounts expected to be incurred and a description of the equipment, facilities, or services for which they are expected to be incurred.

N.1.5 Computer Security Act of 1987
Sec. 1. Short Title.

The Act may be cited as the "Computer Security Act of 1987".

Sec. 2. Purpose.

(a) IN GENERAL.—The Congress declares that improving the security and privacy of sensitive information in Federal computer systems is in the public interest, and hereby creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.

(b) SPECIFIC PURPOSES.—The purposes of this Act are—
(1) by amending the Act of March 3, 1901, to assign to the National Bureau of Standards responsibility for developing standards and guidelines for Federal computer systems, including responsibility for developing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate;
(2) to provide for promulgation of such standards and guidelines by amending section 111(d) of the Federal Property and Administrative Services Act of 1949;
(3) to require establishment of security plans by all operators of Federal computer systems that contain sensitive information; and
(4) to require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.

Sec. 3. Establishment of computer standards program.

The Act of March 3, 1901, (15 U.S.C. 271-278h), is amended—

(1) in section 2(f), by striking out "and" at the end of paragraph (18), by striking out the period at the end of paragraph (19) and inserting in lieu thereof: "; and", and by inserting after such paragraph the following:

"(20) the study of computer systems (as that term is defined in section 20(d) of this Act) and their use to control machinery and processes.";

(2) by redesignating section 20 as section 22, and by inserting after section 19 the following new sections:

"SEC. 20. (a) The National Bureau of Standards shall—
"(1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems;

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 552

"(2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code.
"(3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the costeffective security and privacy of sensitive information in Federal computer systems except—
"(A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and
"(B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy, the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computer-related fraud and misuse;
"(4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 111(d) of the Federal Property and Administrative Services Act of 1949;
"(5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1987; and
"(6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies.

"(b) In fulfilling subsection (a) of this section, the National Bureau of Standards is authorized—
"(1) to assist the private sector, upon request, in using and applying the results of the programs and activities under this section;
"(2) to make recommendations, as appropriate, to the Administrator of General Services on policies and regulations proposed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949;
"(3) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949;
"(4) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987;
"(5) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 553

effective security and privacy of sensitive information in Federal computer systems; and
"(6) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget)—
"(A) to assure maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and
"(B) to assure, to the maximum extent feasible, that standards developed pursuant to subsection (a) (3) and (5) are consistent and compatible with standards and procedures developed for the protection of information in Federal computer systems which is authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

"(c) For the purposes of—
"(1) developing standards and guidelines for the protection of sensitive information in Federal computer systems under subsections (a)(1) and (a)(3), and
"(2) performing research and conducting studies under subsection (b)(5), the National Bureau of Standards shall draw upon computer system technical security guidelines developed by the National Security Agency to the extent that the National Bureau of Standards determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems.

"(d) As used in this section—
"(1) the term 'computer system'—
"(A) means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information; and
"(B) includes—
"(i) computers;
"(ii) ancillary equipment;
"(iii) software, firmware, and similar procedures;
"(iv) services, including support services; and
"(v) related resources as defined by regulations issued by the Administrator for General Services pursuant to section 111 of the Federal Property and Administrative Services Act of 1949;
"(2) the term 'Federal computer system'—
"(A) means a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function; and
"(B) includes automatic data processing equipment as that term is defined in section 111(a)(2) of the Federal Property and Administrative Services Act of 1949;
"(3) the term 'operator of a Federal computer system' means a Federal agency, contractor of a Federal agency, or other organization that processes information

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 554

using a computer system on behalf of the Federal Government to accomplish a Federal function;
"(4) the term 'sensitive information' means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; and
"(5) the term 'Federal agency' has the meaning given such term by section 3(b) of the Federal Property and Administrative Services Act of 1949.

"SEC. 21. (a) There is hereby established a Computer System Security and Privacy Advisory Board within the Department of Commerce. The Secretary of Commerce shall appoint the chairman of the Board. The Board shall be composed of twelve additional members appointed by the Secretary of Commerce as follows:
"(1) four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industries;
"(2) four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and
"(3) four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.

"(b) The duties of the Board shall be—
"(1) to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy;
"(2) to advise the Bureau of Standards and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems; and
"(3) to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate Committees of the Congress.

"(c) The term of office of each member of the Board shall be four years, except that—
"(1) of the initial members, three shall be appointed for terms of one year, three shall be appointed for terms of two years, three shall be appointed for terms of three years, and three shall be appointed for terms of four years; and
"(2) any member appointed to fill a vacancy in the Board shall serve for the remainder of the term for which his predecessor was appointed.

"(d) The Board shall not act in the absence of a quorum, which shall consist of seven members.

"(e) Members of the Board, other than full-time employees of the Federal Government while attending meetings of such committees or while otherwise perform-

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 555

ing duties at the request of the Board Chairman while away from their homes or a regular place of business, may be allowed travel expenses in accordance with subchapter I of chapter 57 of title 5, United States Code.

"(f) To provide the staff services necessary to assist the Board in carrying out its functions, the Board may utilize personnel from the National Bureau of Standards or any other agency of the Federal Government with the consent of the head of the agency.

"(g) As used in this section, the terms 'computer system' and 'Federal computer system' have the meanings given in section 20(d) of this Act."; and

(3) by adding at the end thereof the following new section:

"SEC. 23. This Act may be cited as the National Bureau of Standards Act."

Sec. 4. Amendment to Brooks Act.

Section 111(d) of the Federal Property and Administrative Services Act of 1949 (40 U.S.C. 759(d)) is amended to read as follows:

"(d)(1) The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Bureau of Standards pursuant to section 20(a) (2) and (3) of the National Bureau of Standards Act, promulgate standards and guidelines pertaining to Federal computer systems, making such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems. The President may disapprove or modify such standards and guidelines if he determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be submitted promptly to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate and shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.

"(2) The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.

"(3) The standards determined to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by government-wide savings. The Secretary may delegate

Suggested Citation:"N - Laws, Regulations, and Documents Relevant to Cryptography." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 556

to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer systems standards. The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of title 44, United States Code. Notice of each such waiver and delegation shall be transmitted promptly to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate and shall be published promptly in the Federal Register.

"(4) The Administrator shall revise the Federal information resources management regulations (41 CFR ch. 201) to be consistent with the standards and guidelines promulgated by the Secretary of Commerce under this subsection.

"(5) As used in this subsection, the terms 'Federal computer system' and 'operator of a Federal computer system' have the meanings given in section 20(d) of the National Bureau of Standards Act.".

Sec. 5. Federal computer system security training.

(a) In General.—Each Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency. Such training shall be—
(1) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the National Bureau of Standards Act (as added by section 3 of this Act), and in accordance with the regulations issued under subsection (c) of this section for Federal civilian employees; or
(2) provided by an alternative training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations.

(b) Training Objectives.—Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed—
(1) to enhance employees' awareness of the threats to and vulnerability of computer systems; and
(2) to encourage the use of improved computer security practices.

(c) Regulations.—Within six months after the date of the enactment of this Act, the Director of the Office of Personnel Management shall issue regulations prescribing the procedures and scope of the training to be provided Federal civilian employees under subsection (a) and the manner in which such training is to be carried out.

Sec. 6. Additional responsibilities for computer systems security and privacy.

(a) Identification of Systems That Contain Sensitive Information.—Within 6 months after the date of enactment of this Act, each Federal agency shall identify each Federal computer system, and system under development, which is within or under the supervision of that agency and which contains sensitive information.

(b) Security Plan.—Within one year after the date of enactment of this Act, each such agency shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949, establish a plan for the security and privacy of each Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. Copies of each such plan shall be transmitted to the National Bureau of Standards and the National Security Agency for advice and comment. A summary of such plan shall be included in the agency's five-year plan required by section 3505 of title 44, United States Code. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget. Such plan shall be revised annually as necessary.

Sec. 7. Definitions.

As used in this Act, the terms "computer system", "Federal computer system", "operator of a Federal computer system", "sensitive information", and "Federal agency" have the meanings given in section 20(d) of the National Bureau of Standards Act (as added by section 3 of this Act).

Sec. 8. Rules of construction of act.

Nothing in this Act, or in any amendment made by this Act, shall be construed—

(1) to constitute authority to withhold information sought pursuant to section 552 of title 5, United States Code; or

(2) to authorize any Federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained) that is—
(A) privately-owned information;
(B) disclosable under section 552 of title 5, United States Code, or other law requiring or authorizing the public disclosure of information; or
(C) public domain information.

N.1.6 Arms Export Control Act (U.S. Code, Title 22, Chapter 39)
Sec. 2751. Need for international defense cooperation and military export controls; Presidential waiver; report to Congress; arms sales policy.

As declared by the Congress in the Arms Control and Disarmament Act (22 U.S.C. 2551 et seq.), an ultimate goal of the United States continues to be a world which is free from the scourge of war and the dangers and burdens of armaments; in which the use of force has been subordinated to the rule of law; and in which international adjustments to a changing world are achieved peacefully. In furtherance of that goal, it remains the policy of the United States to encourage regional arms control and disarmament agreements and to discourage arms races.

The Congress recognizes, however, that the United States and other free and independent countries continue to have valid requirements for effective and mutually beneficial defense relationships in order to maintain and foster the environment of international peace and security essential to social, economic, and political progress. Because of the growing cost and complexity of defense equipment, it is increasingly difficult and uneconomic for any country, particularly a developing country, to fill all of its legitimate defense requirements from its own design and production base. The need for international defense cooperation among the United States and those friendly countries to which it is allied by mutual defense treaties is especially important, since the effectiveness of their armed forces to act in concert to deter or defeat aggression is directly related to the operational compatibility of their defense equipment.

Accordingly, it remains the policy of the United States to facilitate the common defense by entering into international arrangements with friendly countries which further the objective of applying agreed resources of each country to programs and projects of cooperative exchange of data, research, development, production, procurement, and logistics support to achieve specific national defense requirements and objectives of mutual concern. To this end, this chapter authorizes sales by the United States Government to friendly countries having sufficient wealth to maintain and equip their own military forces at adequate strength, or to assume progressively larger shares of the costs thereof, without undue burden to their economies, in accordance with the restraints and control measures specified herein and in furtherance of the security objectives of the United States and of the purposes and principles of the United Nations Charter.

It is the sense of the Congress that all such sales be approved only when they are consistent with the foreign policy interests of the United States, the purposes of the foreign assistance program of the United States as embodied in the Foreign Assistance Act of 1961, as amended (22 U.S.C. 2151 et seq.), the extent and character of the military requirement, and the economic and financial capability of the recipient country, with particular regard being given, where appropriate, to proper balance among such sales, grant military assistance, and economic assistance as well as to the impact of the sales on programs of social and economic development and on existing or incipient arms races.

It shall be the policy of the United States to exert leadership in the world community to bring about arrangements for reducing the international trade in implements of war and to lessen the danger of outbreak of regional conflict and the burdens of armaments. United States programs for or procedures governing the export, sale, and grant of defense articles and defense services to foreign countries and international organizations shall be administered in a manner which will carry out this policy.

It is the sense of the Congress that the President should seek to initiate multilateral discussions for the purpose of reaching agreements among the principal arms suppliers and arms purchasers and other countries with respect to the control of the international trade in armaments. It is further the sense of Congress that the President should work actively with all nations to check and control the international sale and distribution of conventional weapons of death and destruction and to encourage regional arms control arrangements. In furtherance of this policy, the President should undertake a concerted effort to convene an international conference of major arms-supplying and arms-purchasing nations which shall consider measures to limit conventional arms transfers in the interest of international peace and stability.

It is the sense of the Congress that the aggregate value of defense articles and defense services—

(1) which are sold under section 2761 or section 2762 of this title; or

(2) which are licensed or approved for export under section 2778 of this title to, for the use, or for benefit of the armed forces, police, intelligence, or other internal security forces of a foreign country or international organization under a commercial sales contract;

in any fiscal year should not exceed current levels.

It is the sense of the Congress that the President maintain adherence to a policy of restraint in conventional arms transfers and that, in implementing this policy worldwide, a balanced approach should be taken and full regard given to the security interests of the United States in all regions of the world and that particular attention should be paid to controlling the flow of conventional arms to the nations of the developing world. To this end, the President is encouraged to continue discussions with other arms suppliers in order to restrain the flow of conventional arms to less developed countries.

Sec. 2752. Coordination with foreign policy.

(a) Noninfringement of powers or functions of Secretary of State. Nothing contained in this chapter shall be construed to infringe upon the powers or functions of the Secretary of State.

(b) Responsibility for supervision and direction of sales, leases, financing, cooperative projects, and exports. Under the direction of the President, the Secretary of State (taking into account other United States activities abroad, such as military assistance, economic assistance, and the food for peace program) shall be responsible for the continuous supervision and general direction of sales, leases, financing, cooperative projects, and exports under this chapter, including, but not limited to, determining—

(1) whether there will be a sale to or financing for a country and the amount thereof;
(2) whether there will be a lease to a country;
(3) whether there will be a cooperative project and the scope thereof; and
(4) whether there will be delivery or other performance under such sale, lease, cooperative project, or export,

to the end that sales, financing, leases, cooperative projects, and exports will be integrated with other United States activities and to the end that the foreign policy of the United States would be best served thereby.

(c) Coordination among representatives of the United States. The President shall prescribe appropriate procedures to assure coordination among representatives of the United States Government in each country, under the leadership of the Chief of the United States Diplomatic Mission. The Chief of the diplomatic mission shall make sure that recommendations of such representatives pertaining to sales are coordinated with political and economic considerations, and his comments shall accompany such recommendations if he so desires.

Sec. 2753. Eligibility for defense services or defense articles.

(a) Prerequisites for consent by President; report to Congress. No defense article or defense service shall be sold or leased by the United States Government under this chapter to any country or international organization, and no agreement shall be entered into for a cooperative project (as defined in section 2767 of this title), unless—
(1) the President finds that the furnishing of defense articles and defense services to such country or international organization will strengthen the security of the United States and promote world peace;
(2) the country or international organization shall have agreed not to transfer title to, or possession of, any defense article or related training or other defense service so furnished to it, or produced in a cooperative project (as defined in section 2767 of this title), to anyone not an officer, employee, or agent of that country or international organization (or the North Atlantic Treaty Organization or the specified member countries (other than the United States) in the case of a cooperative project) and not to use or permit the use of such article or related training or other defense service for purposes other than those for which furnished unless the consent of the President has first been obtained;
(3) the country or international organization shall have agreed that it will maintain the security of such article or service and will provide substantially the same degree of security protection afforded to such article or service by the United States Government; and

(4) the country or international organization is otherwise eligible to purchase or lease defense articles or defense services.

In considering a request for approval of any transfer of any weapon, weapons system, munitions, aircraft, military boat, military vessel, or other implement of war to another country, the President shall not give his consent under paragraph (2) to the transfer unless the United States itself would transfer the defense article under consideration to that country. In addition, the President shall not give his consent under paragraph (2) to the transfer of any significant defense articles on the United States Munitions List unless the foreign country requesting consent to transfer agrees to demilitarize such defense articles prior to transfer, or the proposed recipient foreign country provides a commitment in writing to the United States Government that it will not transfer such defense articles, if not demilitarized, to any other foreign country or person without first obtaining the consent of the President. The President shall promptly submit a report to the Speaker of the House of Representatives and to the Committee on Foreign Relations of the Senate on the implementation of each agreement entered into pursuant to clause (2) of this subsection....

Sec. 2754. Purposes for which military sales or leases by the United States are authorized; report to Congress.

Defense articles and defense services shall be sold or leased by the United States Government under this chapter to friendly countries solely for internal security, for legitimate self-defense, to permit the recipient country to participate in regional or collective arrangements or measures consistent with the Charter of the United Nations, or otherwise to permit the recipient country to participate in collective measures requested by the United Nations for the purpose of maintaining or restoring international peace and security, or for the purpose of enabling foreign military forces in less developed friendly countries to construct public works and to engage in other activities helpful to the economic and social development of such friendly countries. It is the sense of the Congress that such foreign military forces should not be maintained or established solely for civic action activities and that such civic action activities not significantly detract from the capability of the military forces to perform their military missions and be coordinated with and form part of the total economic and social development effort: Provided, That none of the funds contained in this authorization shall be used to guarantee, or extend credit, or participate in an extension of credit in connection with any sale of sophisticated weapons systems, such as missile systems and jet aircraft for military purposes, to any underdeveloped country other than Greece, Turkey, Iran, Israel, the Republic of China, the Philippines and Korea unless the President determines that such financing is important to the national security of the United States and reports within thirty days each such determination to the Congress....

Sec. 2770. General authority.

(a) Sale of defense articles and services by the President to United States companies; restriction on performance of services; reimbursement credited to selling agency. Subject to the conditions specified in subsection (b) of this section, the President may, on a negotiated contract basis, under cash terms (1) sell defense articles at not less than their estimated replacement cost (or actual cost in the case of services), or (2) procure or manufacture and sell defense articles at not less than their contract or manufacturing cost to the United States Government, to any United States company for incorporation into end items (and for concurrent or follow-on support) to be sold by such a company either (i) on a direct commercial basis to a friendly foreign country or international organization pursuant to an export license or approval under section 2778 of this title or (ii) in the case of ammunition parts subject to subsection (b) of this section, using commercial practices which restrict actual delivery directly to a friendly foreign country or international organization pursuant to approval under section 2778 of this title. The President may also sell defense services in support of such sales of defense articles, subject to the requirements of this chapter: Provided, however, That such services may be performed only in the United States. The amount of reimbursement received from such sales shall be credited to the current applicable appropriation, fund, or account of the selling agency of the United States Government.

(b) Conditions of sale. Defense articles and defense services may be sold, procured and sold, or manufactured and sold, pursuant to subsection (a) of this section only if (1) the end item to which the articles apply is to be procured for the armed forces of a friendly country or international organization, (2) the articles would be supplied to the prime contractor as government-furnished equipment or materials if the end item were being procured for the use of the United States Armed Forces, and (3) the articles and services are available only from United States Government sources or are not available to the prime contractor directly from United States commercial sources at such times as may be required to meet the prime contractor's delivery schedule.

(c) 'Defense articles' and 'defense services' defined. For the purpose of this section, the terms 'defense articles' and 'defense services' mean defense articles and defense services as defined in section 2794(3) and (4) of this title....

Sec. 2778. Control of arms exports and imports.

(a) Presidential control of exports and imports of defense articles and services, guidance of policy, etc.; designation of United States Munitions List; issuance of export licenses; condition for export; negotiations information.
(1)  In furtherance of world peace and the security and foreign policy of the United States, the President is authorized to control the import and the export of defense articles and defense services and to provide foreign policy guidance to persons of the United States involved in the export and import of such articles and services. The President is authorized to designate those items which shall be considered as defense articles and defense services for the purposes of this section and to promulgate regulations for the import and export of such articles and services. The items so designated shall constitute the United States Munitions List.
(2)  Decisions on issuing export licenses under this section shall be made in coordination with the Director of the United States Arms Control and Disarmament Agency and shall take into account the Director's opinion as to whether the export of an article will contribute to an arms race, support international terrorism, increase the possibility of outbreak or escalation of conflict, or prejudice the development of bilateral or multilateral arms control arrangements.
(3)  In exercising the authorities conferred by this section, the President may require that any defense article or defense service be sold under this chapter as a condition of its eligibility for export, and may require that persons engaged in the negotiation for the export of defense articles and services keep the President fully and currently informed of the progress and future prospects of such negotiations.

(b) Registration and licensing requirements for manufacturers, exporters, or importers of designated defense articles and defense services. (1)(A) As prescribed in regulations issued under this section, every person (other than an officer or employee of the United States Government acting in an official capacity) who engages in the business of manufacturing, exporting, or importing any defense articles or defense services designated by the President under subsection (a)(1) of this section shall register with the United States Government agency charged with the administration of this section, and shall pay a registration fee which shall be prescribed by such regulations. Such regulations shall prohibit the return to the United States for sale in the United States (other than for the Armed Forces of the United States and its allies or for any State or local law enforcement agency) of any military firearms or ammunition of United States manufacture furnished to foreign governments by the United States under this chapter or any other foreign assistance or sales program of the United States, whether or not enhanced in value or improved in condition in a foreign country. This prohibition shall not extend to similar firearms that have been so substantially transformed as to become, in effect, articles of foreign manufacture.
(B)  The prohibition under such regulations required by the second sentence of subparagraph (A) shall not extend to any military firearms (or ammunition, components, parts, accessories, and attachments for such firearms) of United States manufacture furnished to any foreign government by the United States under this chapter or any other foreign assistance or sales program of the United States if—
(i)  such firearms are among those firearms that the Secretary of the Treasury is, or was at any time, required to authorize the importation of by reason of the provisions of section 925(e) of title 18 (including the requirement for the listing of such firearms as curios or relics under section 921(a)(13) of that title); and
(ii)  such foreign government certifies to the United States Government that such firearms are owned by such foreign government.
(C)  A copy of each registration made under this paragraph shall be transmitted to the Secretary of the Treasury for review regarding law enforcement concerns. The Secretary shall report to the President regarding such concerns as necessary.
(2)  Except as otherwise specifically provided in regulations issued under subsection (a)(1) of this section, no defense articles or defense services designated by the President under subsection (a)(1) of this section may be exported or imported without a license for such export or import, issued in accordance with this chapter and regulations issued under this chapter, except that no license shall be required for exports or imports made by or for an agency of the United States Government
(A)  for official use by a department or agency of the United States Government, or
(B)  for carrying out any foreign assistance or sales program authorized by law and subject to the control of the President by other means.
(3)(A) For each of the fiscal years 1988 and 1989, $250,000 of registration fees collected pursuant to paragraph (1) shall be credited to a Department of State account, to be available without fiscal year limitation. Fees credited to that account shall be available only for the payment of expenses incurred for—
(i)  contract personnel to assist in the evaluation of munitions control license applications, reduce processing time for license applications, and improve monitoring of compliance with the terms of licenses; and
(ii)  the automation of munitions control functions and the processing of munitions control license applications, including the development, procurement, and utilization of computer equipment and related software.
(B)  The authority of this paragraph may be exercised only to such extent or in such amounts as are provided in advance in appropriation Acts.

(c) Criminal violations; punishment. Any person who willfully violates any provision of this section or section 2779 of this title, or any rule or regulation issued under either section, or who willfully, in a registration or license application or required report, makes any untrue statement of a material fact or omits to state a material fact required to be stated therein or necessary to make the statements therein not misleading, shall upon conviction be fined for each violation not more than $1,000,000 or imprisoned not more than ten years, or both.

(d) Repealed. Pub. L. 96-70, title III, Sec. 3303(a)(4), Sept. 27, 1979, 93 Stat. 499.

(e) Enforcement powers of President. In carrying out functions under this section with respect to the export of defense articles and defense services, the President is authorized to exercise the same powers concerning violations and enforcement which are conferred upon departments, agencies and officials by subsections (c), (d), (e), and (g) of section 11 of the Export Administration Act of 1979 (50 App. U.S.C. 2410(c), (d), (e), and (g)), and by subsections (a) and (c) of section 12 of such Act (50 App. U.S.C. 2411(a) and (c)), subject to the same terms and conditions as are applicable to such powers under such Act (50 App. U.S.C. 2401 et seq.). Nothing in this subsection shall be construed as authorizing the withholding of information from the Congress. Notwithstanding section 11(c) of the Export Administration Act of 1979, the civil penalty for each violation involving controls imposed on the export of defense articles and defense services under this section may not exceed $500,000.

(f) Periodic review of items on Munitions List. The President shall periodically review the items on the United States Munitions List to determine what items, if any, no longer warrant export controls under this section. The results of such reviews shall be reported to the Speaker of the House of Representatives and to the Committee on Foreign Relations and the Committee on Banking, Housing, and Urban Affairs of the Senate. Such a report shall be submitted at least 30 days before any item is removed from the Munitions List and shall describe the nature of any controls to be imposed on that item under the Export Administration Act of 1979 (50 App. U.S.C. 2401 et seq.).

(g) Identification of persons convicted or subject to indictment for violations of certain provisions.
(1)  The President shall develop appropriate mechanisms to identify, in connection with the export licensing process under this section—
(A)  persons who are the subject of an indictment for, or have been convicted of, a violation under—
(i)  this section,
(ii)  section 11 of the Export Administration Act of 1979 (50 U.S.C. App. 2410),
(iii)  section 793, 794, or 798 of title 18 (relating to espionage involving defense or classified information),
(iv)  section 16 of the Trading with the Enemy Act (50 U.S.C. App. 16),
(v)  section 206 of the International Emergency Economic Powers Act (relating to foreign assets controls; 50 U.S.C. App. 1705) (50 U.S.C. 1705),
(vi)  section 30A of the Securities Exchange Act of 1934 (15 U.S.C. 78dd-1) or section 104 of the Foreign Corrupt Practices Act (15 U.S.C. 78dd-2),
(vii)  chapter 105 of title 18 (relating to sabotage),
(viii)  section 4(b) of the Internal Security Act of 1950 (relating to communication of classified information; 50 U.S.C. 783(b)),
(ix) section 57, 92, 101, 104, 222, 224, 225, or 226 of the Atomic Energy Act of 1954 (42 U.S.C. 2077, 2122, 2131, 2134, 2272, 2274, 2275, and 2276),
(x)  section 601 of the National Security Act of 1947 (relating to intelligence identities protection; 50 U.S.C. 421), or
(xi) section 603(b) or (c) of the Comprehensive Anti-Apartheid Act of 1986 (22 U.S.C. 5113(b) and (c));
(B)  persons who are the subject of an indictment or have been convicted under section 371 of title 18 for conspiracy to violate any of the statutes cited in subparagraph (A); and
(C) persons who are ineligible—
(i)  to contract with,
(ii)  to receive a license or other form of authorization to export from, or
(iii)  to receive a license or other form of authorization to import defense articles or defense services from, any agency of the United States Government.
(2)  The President shall require that each applicant for a license to export an item on the United States Munitions List identify in the application all consignees and freight forwarders involved in the proposed export.

(3)  If the President determines—
(A)  that an applicant for a license to export under this section is the subject of an indictment for a violation of any of the statutes cited in paragraph (1),
(B)  that there is reasonable cause to believe that an applicant for a license to export under this section has violated any of the statutes cited in paragraph (1), or
(C)  that an applicant for a license to export under this section is ineligible to contract with, or to receive a license or other form of authorization to import defense articles or defense services from, any agency of the United States Government,
the President may disapprove the application. The President shall consider requests by the Secretary of the Treasury to disapprove any export license application based on these criteria.
(4)  A license to export an item on the United States Munitions List may not be issued to a person—
(A) if that person, or any party to the export, has been convicted of violating a statute cited in paragraph (1), or
(B)  if that person, or any party to the export, is at the time of the license review ineligible to receive export licenses (or other forms of authorization to export) from any agency of the United States Government, except as may be determined on a case-by-case basis by the President, after consultation with the Secretary of the Treasury, after a thorough review of the circumstances surrounding the conviction or ineligibility to export and a finding by the President that appropriate steps have been taken to mitigate any law enforcement concerns.
(5)   A license to export an item on the United States Munitions List may not be issued to a foreign person (other than a foreign government).
(6)  The President may require a license (or other form of authorization) before any item on the United States Munitions List is sold or otherwise transferred to the control or possession of a foreign person or a person acting on behalf of a foreign person.
(7)  The President shall, in coordination with law enforcement and national security agencies, develop standards for identifying high-risk exports for regular end-use verification. These standards shall be published in the Federal Register and the initial standards shall be published not later than October 1, 1988.
(8)  Upon request of the Secretary of State, the Secretary of Defense and the Secretary of the Treasury shall detail to the office primarily responsible for export licensing functions under this section, on a nonreimbursable basis, personnel with appropriate expertise to assist in the initial screening of applications for export licenses under this section in order to determine the need for further review of those applications for foreign policy, national security, and law enforcement concerns.
(9)  For purposes of this subsection—
(A) the term 'foreign corporation' means a corporation that is not incorporated in the United States;
(B)  the term 'foreign government' includes any agency or subdivision of a foreign government, including an official mission of a foreign government;
(C) the term 'foreign person' means any person who is not a citizen or national of the United States or lawfully admitted to the United States for permanent residence under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.), and includes foreign corporations, international organizations, and foreign governments;
(D)  the term 'party to the export' means—
(i)  the president, the chief executive officer, and other senior officers of the license applicant;
(ii)  the freight forwarders or designated exporting agent of the license application; and
(iii)  any consignee or end user of any item to be exported; and
(E)  the term 'person' means a natural person as well as a corporation, business association, partnership, society, trust, or any other entity, organization, or group, including governmental entities.

(h) Judicial review of designation of items as defense articles or services. The designation by the President (or by an official to whom the President's functions under subsection (a) of this section have been duly delegated), in regulations issued under this section, of items as defense articles or defense services for purposes of this section shall not be subject to judicial review....

Sec. 2780. Transactions with countries supporting acts of international terrorism.

(a) Prohibited transactions by United States Government. The following transactions by the United States Government are prohibited:

(1)  Exporting or otherwise providing (by sale, lease or loan, grant, or other means), directly or indirectly, any munitions item to a country described in subsection (d) of this section under the authority of this chapter, the Foreign Assistance Act of 1961 (22 U.S.C. 2151 et seq.), or any other law (except as provided in subsection (h) of this section). In implementing this paragraph, the United States Government—
(A)  shall suspend delivery to such country of any such item pursuant to any such transaction which has not been completed at the time the Secretary of State makes the determination described in subsection (d) of this section, and
(B)  shall terminate any lease or loan to such country of any such item which is in effect at the time the Secretary of State makes that determination.
(2)  Providing credits, guarantees, or other financial assistance under the authority of this chapter, the Foreign Assistance Act of 1961 (22 U.S.C. 2151 et seq.), or any other law (except as provided in subsection (h) of this section), with respect to the acquisition of any munitions item by a country described in subsection (d) of this section. In implementing this paragraph, the United States Government shall suspend expenditures pursuant to any such assistance obligated before the Secretary of State makes the determination described in subsection (d) of this section. The President may authorize expenditures otherwise required to be suspended pursuant to the preceding sentence if the President has determined, and reported to the Congress, that suspension of those expenditures causes undue financial hardship to a supplier, shipper, or similar person and allowing the expenditure will not result in any munitions item being made available for use by such country.
(3)  Consenting under section 2753(a) of this title, under section 505(a) of the Foreign Assistance Act of 1961 (22 U.S.C. 2314(a)), under the regulations issued to carry out section 2778 of this title, or under any other law (except as provided in subsection (h) of this section), to any transfer of any munitions item to a country described in subsection (d) of this section. In implementing this paragraph, the United States Government shall withdraw any such consent which is in effect at the time the Secretary of State makes the determination described in subsection (d) of this section, except that this sentence does not apply with respect to any item that has already been transferred to such country.
(4)  Providing any license or other approval under section 2778 of this title for any export or other transfer (including by means of a technical assistance agreement, manufacturing licensing agreement, or coproduction agreement) of any munitions item to a country described in subsection (d) of this section. In implementing this paragraph, the United States Government shall suspend any such license or other approval which is in effect at the time the Secretary of State makes the determination described in subsection (d) of this section, except that this sentence does not apply with respect to any item that has already been exported or otherwise transferred to such country.
(5)  Otherwise facilitating the acquisition of any munitions item by a country described in subsection (d) of this section. This paragraph applies with respect to activities undertaken—
(A) by any department, agency, or other instrumentality of the Government,
(B)  by any officer or employee of the Government (including members of the United States Armed Forces), or
(C) by any other person at the request or on behalf of the Government.

The Secretary of State may waive the requirements of the second sentence of paragraph (1), the second sentence of paragraph (3), and the second sentence of paragraph (4) to the extent that the Secretary determines, after consultation with the Congress, that unusual and compelling circumstances require that the United States Government not take the actions specified in that sentence.

(b) Prohibited transactions by United States persons.
(1)  In general. A United States person may not take any of the following actions:
(A) Exporting any munitions item to any country described in subsection (d) of this section.
(B) Selling, leasing, loaning, granting, or otherwise providing any munitions item to any country described in subsection (d) of this section.
(C) Selling, leasing, loaning, granting, or otherwise providing any munitions item to any recipient which is not the government of or a person in a country described in subsection (d) of this section if the United States person has reason to know that the munitions item will be made available to any country described in subsection (d) of this section.
(D)  Taking any other action which would facilitate the acquisition, directly or indirectly, of any munitions item by the government of any country described in subsection (d) of this section, or any person acting on behalf of that government, if the United States person has reason to know that that action will facilitate the acquisition of that item by such a government or person.
(2)  Liability for actions of foreign subsidiaries, etc. A United States person violates this subsection if a corporation or other person that is controlled in fact by that United States person (as determined under regulations, which the President shall issue) takes an action described in paragraph (1) outside the United States.
(3)  Applicability to actions outside the United States. Paragraph (1) applies with respect to actions described in that paragraph which are taken either within or outside the United States by a United States person described in subsection (l)(3)(A) or (B) of this section. To the extent provided in regulations issued under subsection (l)(3)(D) of this section, paragraph (1) applies with respect to actions described in that paragraph which are taken outside the United States by a person designated as a United States person in those regulations.

(c) Transfers to governments and persons covered. This section applies with respect to—
(1)  the acquisition of munitions items by the government of a country described in subsection (d) of this section; and
(2)  the acquisition of munitions items by any individual, group, or other person within a country described in subsection (d) of this section, except to the extent that subparagraph (D) of subsection (b)(1) of this section provides otherwise.

(d) Countries covered by prohibition. The prohibitions contained in this section apply with respect to a country if the Secretary of State determines that the government of that country has repeatedly provided support for acts of international terrorism.

(e) Publication of determinations. Each determination of the Secretary of State under subsection (d) of this section shall be published in the Federal Register.

(f) Rescission.
(1)  A determination made by the Secretary of State under subsection (d) of this section may not be rescinded unless the President submits to the Speaker of the House of Representatives and the chairman of the Committee on Foreign Relations of the Senate—
(A)  before the proposed rescission would take effect, a report certifying that—
(i)  there has been a fundamental change in the leadership and policies of the government of the country concerned;
(ii)  that government is not supporting acts of international terrorism; and
(iii)  that government has provided assurances that it will not support acts of international terrorism in the future; or

(B)  at least 45 days before the proposed rescission would take effect, a report justifying the rescission and certifying that—
(i)  the government concerned has not provided any support for international terrorism during the preceding 6-month period; and
(ii) the government concerned has provided assurances that it will not support acts of international terrorism in the future.
(2)(A) No rescission under paragraph (1)(B) of a determination under subsection (d) of this section may be made if the Congress, within 45 days after receipt of a report under paragraph (1)(B), enacts a joint resolution the matter after the resolving clause of which is as follows: 'That the proposed rescission of the determination under section 40(d) of the Arms Export Control Act pursuant to the report submitted to the Congress on XXXXXXXXX is hereby prohibited.', the blank to be completed with the appropriate date.
(B)  A joint resolution described in subparagraph (A) and introduced within the appropriate 45-day period shall be considered in the Senate and the House of Representatives in accordance with paragraphs (3) through (7) of section 8066(c) of the Department of Defense Appropriations Act (as contained in Public Law 98-473), except that references in such paragraphs to the Committees on Appropriations of the House of Representatives and the Senate shall be deemed to be references to the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate, respectively.

(g) Waiver. The President may waive the prohibitions contained in this section with respect to a specific transaction if—

(1)  the President determines that the transaction is essential to the national security interests of the United States; and
(2)  not less than 15 days prior to the proposed transaction, the President—
(A) consults with the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate; and
(B)  submits to the Speaker of the House of Representatives and the chairman of the Committee on Foreign Relations of the Senate a report containing—
(i)  the name of any country involved in the proposed transaction, the identity of any recipient of the items to be provided pursuant to the proposed transaction, and the anticipated use of those items;
(ii) a description of the munitions items involved in the proposed transaction (including their market value) and the actual sale price at each step in the transaction (or if the items are transferred by other than sale, the manner in which they will be provided);
(iii) the reasons why the proposed transaction is essential to the national security interests of the United States and the justification for such proposed transaction;
(iv) the date on which the proposed transaction is expected to occur; and
(v)  the name of every United States Government department, agency, or other entity involved in the proposed transaction, every foreign government involved in the proposed transaction, and every private party with significant participation in the proposed transaction.

To the extent possible, the information specified in subparagraph (B) of paragraph (2) shall be provided in unclassified form, with any classified information provided in an addendum to the report.

(h) Exemption for transactions subject to National Security Act reporting requirements. The prohibitions contained in this section do not apply with respect to any transaction subject to reporting requirements under title V of the National Security Act of 1947 (50 U.S.C. 413 et seq.; relating to congressional oversight of intelligence activities).

(i) Relation to other laws.
(1)  In general. With regard to munitions items controlled pursuant to this chapter, the provisions of this section shall apply notwithstanding any other provision of law, other than section 614(a) of the Foreign Assistance Act of 1961 (22 U.S.C. 2364(a)).
(2)  Section 614(a) waiver authority. If the authority of section 614(a) of the Foreign Assistance Act of 1961 (22 U.S.C. 2364(a)) is used to permit a transaction under that Act (22 U.S.C. 2151 et seq.) or this chapter which is otherwise prohibited by this section, the written policy justification required by that section shall include the information specified in subsection (g)(2)(B) of this section.

(j) Criminal penalty. Any person who willfully violates this section shall be fined for each violation not more than $1,000,000, imprisoned not more than 10 years, or both.

(k) Civil penalties; enforcement. In the enforcement of this section, the President is authorized to exercise the same powers concerning violations and enforcement which are conferred upon departments, agencies, and officials by sections 11(c), 11(e), 11(g), and 12(a) of the Export Administration Act of 1979 (50 App. U.S.C. 2410(c), (e), (g), 2411(a)) (subject to the same terms and conditions as are applicable to such powers under that Act (50 App. U.S.C. 2401 et seq.)), except that, notwithstanding section 11(c) of that Act, the civil penalty for each violation of this section may not exceed $500,000.

(l) Definitions. As used in this section—
(1)  the term 'munitions item' means any item enumerated on the United States Munitions List (without regard to whether the item is imported into or exported from the United States);
(2)  the term 'United States', when used geographically, means the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, and any territory or possession of the United States; and
(3)  the term 'United States person' means—
(A)  any citizen or permanent resident alien of the United States;
(B)  any sole proprietorship, partnership, company, association, or corporation having its principal place of business within the United States or organized under the laws of the United States, any State, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, or any territory or possession of the United States;
(C)  any other person with respect to that person's actions while in the United States; and
(D) to the extent provided in regulations issued by the Secretary of State, any person that is not described in subparagraph (A), (B), or (C) but—
(i)  is a foreign subsidiary or affiliate of a United States person described in subparagraph (B) and is controlled in fact by that United States person (as determined in accordance with those regulations), or
(ii) is otherwise subject to the jurisdiction of the United States, with respect to that person's actions while outside the United States....

Sec. 2794. Definitions.

For purposes of this chapter, the term—

(1) "excess defense article" has the meaning provided by section 2403(g) of this title;

(2) "value" means, in the case of an excess defense article, except as otherwise provided in section 2761(a) of this title, not less than the greater of—
(A) the gross cost incurred by the United States Government in repairing, rehabilitating, or modifying such article, plus the scrap value; or
(B)  the market value, if ascertainable;

(3) "defense article", except as provided in paragraph (7) of this section, includes—

(A)  any weapon, weapons system, munition, aircraft, vessel, boat, or other implement of war,
(B)  any property, installation, commodity, material, equipment, supply, or goods used for the purposes of making military sales,
(C)  any machinery, facility, tool, material, supply, or other item necessary for the manufacture, production, processing, repair, servicing, storage, construction, transportation, operation, or use of any article listed in this paragraph, and
(D)  any component or part of any article listed in this paragraph,

but does not include merchant vessels or (as defined by the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.)) source material (except uranium depleted in the isotope 235 which is incorporated in defense articles solely to take advantage of high density or pyrophoric characteristics unrelated to radioactivity), byproduct material, special nuclear material, production facilities, utilization facilities, or atomic weapons or articles involving Restricted Data;

(4) "defense service", except as provided in paragraph (7) of this section, includes any service, test, inspection, repair, training, publication, technical or other assistance, or defense information (as defined in section 2403(e) of this title), used for the purposes of making military sales, but does not include design and construction services under section 2769 of this title;

(5) "training" includes formal or informal instruction of foreign students in the United States or overseas by officers or employees of the United States, contract technicians, or contractors (including instruction at civilian institutions), or by correspondence courses, technical, educational, or information publications and media of all kinds, training aid, orientation, training exercise, and military advice to foreign military units and forces;

(6) "major defense equipment" means any item of significant military equipment on the United States Munitions List having a nonrecurring research and development cost of more than $50,000,000 or a total production cost of more than $200,000,000;

(7) "defense articles and defense services" means, with respect to commercial exports subject to the provisions of section 2778 of this title, those items designated by the President pursuant to subsection (a)(1) of such section; and

(8) "design and construction services" means, with respect to sales under section 2769 of this title, the design and construction of real property facilities, including necessary construction equipment and materials, engineering services, construction contract management services relating thereto, and technical advisory assistance in the operation and maintenance of real property facilities provided or performed by any department or agency of the Department of Defense or by a contractor pursuant to a contract with such department or agency.

N.2 EXECUTIVE ORDERS

N.2.1 Executive Order 12333 (U.S. Intelligence Activities)

Timely and accurate information about the activities, capabilities, plans, and intentions of foreign powers, organizations, and persons and their agents, is essential to the national security of the United States. All reasonable and lawful means must be used to ensure that the United States will receive the best intelligence available. For that purpose, by virtue of the authority vested in me by the Constitution and statutes of the United States of America, including the National Security Act of 1947, as amended, and as President of the United States of America, in order to provide for the effective conduct of United States intelligence activities and the protection of constitutional rights, it is hereby ordered as follows:

Part 1
Goals, Direction, Duties and Responsibilities With Respect to the National Intelligence Effort

1.1   Goals. The United States intelligence effort shall provide the President and the National Security Council with the necessary information on which to base decisions concerning the conduct and development of foreign, defense and economic policy, and the protection of United States national interests from foreign security threats. All departments and agencies shall cooperate fully to fulfill this goal.
     (a)  Maximum emphasis should be given to fostering analytical competition among appropriate elements of the Intelligence Community.
     (b) All means, consistent with applicable United States law and this Order, and with full consideration of the rights of United States persons, shall be used to develop intelligence information for the President and the National Security Council. A balanced approach between technical collection efforts and other means should be maintained and encouraged.
     (c) Special emphasis should be given to detecting and countering espionage and other threats and activities directed by foreign intelligence services against the United States Government, or United States corporations, establishments, or persons.
     (d) To the greatest extent possible consistent with applicable United States law and this Order, and with full consideration of the rights of United States persons, all agencies and departments should seek to ensure full and free exchange of information in order to derive maximum benefit from the United States intelligence effort.

1.2   The National Security Council.
     (a) Purpose. The National Security Council (NSC) was established by the National Security Act of 1947 to advise the President with respect to the integration of domestic, foreign and military policies relating to the national security. The NSC shall act as the highest Executive Branch entity that provides review of, guidance for and direction to the conduct of all national foreign intelligence, counterintelligence, and special activities, and attendant policies and programs.
     (b)  Committees. The NSC shall establish such committees as may be necessary to carry out its functions and responsibilities under this Order. The NSC, or a committee established by it, shall consider and submit to the President a policy recommendation, including all dissents, on each special activity and shall review proposals for other sensitive intelligence operations.

1.3   National Foreign Intelligence Advisory Groups.
     (a) Establishment and Duties. The Director of Central Intelligence shall establish such boards, councils, or groups as required for the purpose of obtaining advice from within the Intelligence Community concerning:
          (1) Production, review and coordination of national foreign intelligence;
          (2) Priorities for the National Foreign Intelligence Program budget;
          (3) Interagency exchanges of foreign intelligence information;
          (4) Arrangements with foreign governments on intelligence matters;
          (5) Protection of intelligence sources and methods;
          (6) Activities of common concern; and
          (7) Such other matters as may be referred by the Director of Central Intelligence.
     (b)  Membership. Advisory groups established pursuant to this section shall be chaired by the Director of Central Intelligence or his designated representative and shall consist of senior representatives from organizations within the Intelligence Community and from departments or agencies containing such organizations, as designated by the Director of Central Intelligence. Groups for consideration of substantive intelligence matters will include representatives of organizations involved in the collection, processing and analysis of intelligence. A senior representative of the Secretary of Commerce, the Attorney General, the Assistant to the President for National Security Affairs, and the Office of the Secretary of Defense shall be invited to participate in any group which deals with other than substantive intelligence matters.

1.4   The Intelligence Community. The agencies within the Intelligence Community shall, in accordance with applicable United States law and with the other provisions of this Order, conduct intelligence activities necessary for the conduct of foreign relations and the protection of the national security of the United States, including:
     (a) Collection of information needed by the President, the National Security Council, the Secretaries of State and Defense, and other Executive Branch officials for the performance of their duties and responsibilities;
     (b) Production and dissemination of intelligence;
     (c) Collection of information concerning, and the conduct of activities to protect against, intelligence activities directed against the United States, international terrorist and international narcotics activities, and other hostile activities directed against the United States by foreign powers, organizations, persons, and their agents;
     (d) Special activities;
     (e) Administrative and support activities within the United States and abroad necessary for the performance of authorized activities; and
     (f) Such other intelligence activities as the President may direct from time to time.

1.5   Director of Central Intelligence. In order to discharge the duties and responsibilities prescribed by law, the Director of Central Intelligence shall be responsible directly to the President and the NSC and shall:
     (a) Act as the primary adviser to the President and the NSC on national foreign intelligence and provide the President and other officials in the Executive Branch with national foreign intelligence;
     (b) Develop such objectives and guidance for the Intelligence Community as will enhance capabilities for responding to expected future needs for national foreign intelligence;
     (c)  Promote the development and maintenance of services of common concern by designated intelligence organizations on behalf of the Intelligence Community;
     (d) Ensure implementation of special activities;
     (e) Formulate policies concerning foreign intelligence and counterintelligence arrangements with foreign governments, coordinate foreign intelligence and counterintelligence relationships between agencies of the Intelligence Community and the intelligence or internal security services of foreign governments, and establish procedures governing the conduct of liaison by any department or agency with such services on narcotics activities;
     (f) Participate in the development of procedures approved by the Attorney General governing criminal narcotics intelligence activities abroad to ensure that these activities are consistent with foreign intelligence programs;
     (g) Ensure the establishment by the Intelligence Community of common security and access standards for managing and handling foreign intelligence systems, information, and products;
     (h) Ensure that programs are developed which protect intelligence sources, methods, and analytical procedures;
     (i) Establish uniform criteria for the determination of relative priorities for the transmission of critical national foreign intelligence, and advise the Secretary of Defense concerning the communications requirements of the Intelligence Community for the transmission of such intelligence;
     (j) Establish appropriate staffs, committees, or other advisory groups to assist in the execution of the Director's responsibilities;
     (k) Have full responsibility for production and dissemination of national foreign intelligence, and authority to levy analytic tasks on departmental intelligence production organizations, in consultation with those organizations, ensuring that appropriate mechanisms for competitive analysis are developed so that diverse points of view are considered fully and differences of judgment within the Intelligence Community are brought to the attention of national policymakers;
     (l) Ensure the timely exploitation and dissemination of data gathered by national foreign intelligence collection means, and ensure that the resulting intelligence is disseminated immediately to appropriate government entities and military commands;
     (m) Establish mechanisms which translate national foreign intelligence objectives and priorities approved by the NSC into specific guidance for the Intelligence Community, resolve conflicts in tasking priority, provide to departments and agencies having information collection capabilities that are not part of the National Foreign Intelligence Program advisory tasking concerning collection of national foreign intelligence, and provide for the development of plans and arrangements for transfer of required collection tasking authority to the Secretary of Defense when directed by the President;
     (n) Develop, with the advice of the program managers and departments and agencies concerned, the consolidated National Foreign Intelligence Program budget, and present it to the President and the Congress;
     (o) Review and approve all requests for reprogramming National Foreign Intelligence Program funds, in accordance with guidelines established by the Office of Management and Budget;
     (p) Monitor National Foreign Intelligence Program implementation, and, as necessary, conduct program and performance audits and evaluations;
     (q) Together with the Secretary of Defense, ensure that there is no unnecessary overlap between national foreign intelligence programs and Department of Defense intelligence programs consistent with the requirement to develop competitive analysis, and provide to and obtain from the Secretary of Defense all information necessary for this purpose;
     (r) In accordance with law and relevant procedures approved by the Attorney General under this Order, give the heads of the departments and agencies access to all intelligence, developed by the CIA or the staff elements of the Director of Central Intelligence, relevant to the national intelligence needs of the departments and agencies; and
     (s) Facilitate the use of national foreign intelligence products by Congress in a secure manner.

1.6   Duties and Responsibilities of the Heads of Executive Branch Departments and Agencies.
     (a) The heads of all Executive Branch departments and agencies shall, in accordance with law and relevant procedures approved by the Attorney General under this Order, give the Director of Central Intelligence access to all information relevant to the national intelligence needs of the United States, and shall give due consideration to the requests from the Director of Central Intelligence for appropriate support for Intelligence Community activities.
     (b) The heads of departments and agencies involved in the National Foreign Intelligence Program shall ensure timely development and submission to the Director of Central Intelligence by the program managers and heads of component activities of proposed national programs and budgets in the format designated by the Director of Central Intelligence, and shall also ensure that the Director of Central Intelligence is provided, in a timely and responsive manner, all information necessary to perform the Director's program and budget responsibilities.
     (c) The heads of departments and agencies involved in the National Foreign Intelligence Program may appeal to the President decisions by the Director of Central Intelligence on budget or reprogramming matters of the National Foreign Intelligence Program.

1.7  Senior Officials of the Intelligence Community. The heads of departments and agencies with organizations in the Intelligence Community or the heads of such organizations, as appropriate, shall:
     (a) Report to the Attorney General possible violations of federal criminal laws by employees and of specified federal criminal laws by any other person as provided in procedures agreed upon by the Attorney General and the head of the department or agency concerned, in a manner consistent with the protection of intelligence sources and methods, as specified in those procedures;
     (b) In any case involving serious or continuing breaches of security, recommend to the Attorney General that the case be referred to the FBI for further investigation;
     (c) Furnish the Director of Central Intelligence and the NSC, in accordance with applicable law and procedures approved by the Attorney General under this Order, the information required for the performance of their respective duties;
     (d) Report to the Intelligence Oversight Board, and keep the Director of Central Intelligence appropriately informed, concerning any intelligence activities of their organizations that they have reason to believe may be unlawful or contrary to Executive order or Presidential directive;
     (e) Protect intelligence and intelligence sources and methods from unauthorized disclosure consistent with guidance from the Director of Central Intelligence;
     (f) Disseminate intelligence to cooperating foreign governments under arrangements established or agreed to by the Director of Central Intelligence;
     (g) Participate in the development of procedures approved by the Attorney General governing production and dissemination of intelligence resulting from criminal narcotics intelligence activities abroad if their departments, agencies, or organizations have intelligence responsibilities for foreign or domestic narcotics production and trafficking;
     (h) Instruct their employees to cooperate fully with the Intelligence Oversight Board; and
     (i) Ensure that the Inspectors General and General Counsels for their organizations have access to any information necessary to perform their duties assigned by this Order.

1.8   The Central Intelligence Agency. All duties and responsibilities of the CIA shall be related to the intelligence functions set out below. As authorized by this Order; the National Security Act of 1947, as amended; the CIA Act of 1949, as amended; appropriate directives or other applicable law, the CIA shall:
     (a) Collect, produce and disseminate foreign intelligence and counterintelligence, including information not otherwise obtainable. The collection of foreign intelligence or counterintelligence within the United States shall be coordinated with the FBI as required by procedures agreed upon by the Director of Central Intelligence and the Attorney General;
     (b) Collect, produce and disseminate intelligence on foreign aspects of narcotics production and trafficking;
     (c) Conduct counterintelligence activities outside the United States and, without assuming or performing any internal security functions, conduct counterintelligence activities within the United States in coordination with the FBI as required by procedures agreed upon by the Director of Central Intelligence and the Attorney General;
     (d) Coordinate counterintelligence activities and the collection of information not otherwise obtainable when conducted outside the United States by other departments and agencies;
     (e) Conduct special activities approved by the President. No agency except the CIA (or the Armed Forces of the United States in time of war declared by Congress or during any period covered by a report from the President to the Congress under the War Powers Resolution (87 Stat. 855))* may conduct any special activity unless the President determines that another agency is more likely to achieve a particular objective;
     (f)  Conduct services of common concern for the Intelligence Community as directed by the NSC;
     (g) Carry out or contract for research, development and procurement of technical systems and devices relating to authorized functions;
     (h) Protect the security of its installations, activities, information, property, and employees by appropriate means, including such investigations of applicants, employees, contractors, and other persons with similar associations with the CIA as are necessary; and
     (i) Conduct such administrative and technical support activities within and outside the United States as are necessary to perform the functions described in sections (a) through (h) above, including procurement and essential cover and proprietary arrangements.

1.9   The Department of State. The Secretary of State shall:
     (a) Overtly collect information relevant to United States foreign policy concerns;
     (b) Produce and disseminate foreign intelligence relating to United States foreign policy as required for the execution of the Secretary's responsibilities;
     (c) Disseminate, as appropriate, reports received from United States diplomatic and consular posts;
     (d) Transmit reporting requirements of the Intelligence Community to the Chiefs of United States Missions abroad; and
     (e) Support Chiefs of Missions in discharging their statutory responsibilities for direction and coordination of mission activities.

1.10  The Department of the Treasury. The Secretary of the Treasury shall:
     (a) Overtly collect foreign financial and monetary information;
     (b) Participate with the Department of State in the overt collection of general foreign economic information;
     (c) Produce and disseminate foreign intelligence relating to United States economic policy as required for the execution of the Secretary's responsibilities; and
     (d) Conduct, through the United States Secret Service, activities to determine the existence and capability of surveillance equipment being used against the President of the United States, the Executive Office of the President, and, as authorized by the Secretary of the Treasury or the President, other Secret Service protectees and United States officials. No information shall be acquired intentionally through such activities except to protect against such surveillance, and those activities shall be conducted pursuant to procedures agreed upon by the Secretary of the Treasury and the Attorney General.

1.11  The Department of Defense. The Secretary of Defense shall:
     (a) Collect national foreign intelligence and be responsive to collection tasking by the Director of Central Intelligence;
     (b) Collect, produce and disseminate military and military-related foreign intelligence and counterintelligence as required for execution of the Secretary's responsibilities;
     (c)  Conduct programs and missions necessary to fulfill national, departmental and tactical foreign intelligence requirements;
     (d) Conduct counterintelligence activities in support of Department of Defense components outside the United States in coordination with the CIA, and within the United States in coordination with the FBI pursuant to procedures agreed upon by the Secretary of Defense and the Attorney General;
     (e) Conduct, as the executive agent of the United States Government, signals intelligence and communications security activities, except as otherwise directed by the NSC;
     (f)  Provide for the timely transmission of critical intelligence, as defined by the Director of Central Intelligence, within the United States Government;
     (g) Carry out or contract for research, development and procurement of technical systems and devices relating to authorized intelligence functions;
     (h) Protect the security of Department of Defense installations, activities, property, information, and employees by appropriate means, including such investigations of applicants, employees, contractors, and other persons with similar associations with the Department of Defense as are necessary;
     (i)  Establish and maintain military intelligence relationships and military intelligence exchange programs with selected cooperative foreign defense establishments and international organizations, and ensure that such relationships and programs are in accordance with policies formulated by the Director of Central Intelligence;
     (j)  Direct, operate, control and provide fiscal management for the National Security Agency and for defense and military intelligence and national reconnaissance entities; and
     (k) Conduct such administrative and technical support activities within and outside the United States as are necessary to perform the functions described in sections (a) through (j) above.

1.12 Intelligence Components Utilized by the Secretary of Defense. In carrying out the responsibilities assigned in section 1.11, the Secretary of Defense is authorized to utilize the following:
     (a) Defense Intelligence Agency, whose responsibilities shall include:
          (1) Collection, production, or, through tasking and coordination, provision of military and military-related intelligence for the Secretary of Defense, the Joint Chiefs of Staff, other Defense components, and, as appropriate, non-Defense agencies;
          (2) Collection and provision of military intelligence for national foreign intelligence and counterintelligence products;
          (3) Coordination of all Department of Defense intelligence collection requirements;
          (4) Management of the Defense Attache system; and
          (5) Provision of foreign intelligence and counterintelligence staff support as directed by the Joint Chiefs of Staff.
     (b) National Security Agency, whose responsibilities shall include:
          (1) Establishment and operation of an effective unified organization for signals intelligence activities, except for the delegation of operational control over certain operations that are conducted through other elements of the Intelligence Community. No other department or agency may engage in signals intelligence activities except pursuant to a delegation by the Secretary of Defense;
          (2) Control of signals intelligence collection and processing activities, including assignment of resources to an appropriate agent for such periods and tasks as required for the direct support of military commanders;
          (3) Collection of signals intelligence information for national foreign intelligence purposes in accordance with guidance from the Director of Central Intelligence;
          (4) Processing of signals intelligence data for national foreign intelligence purposes in accordance with guidance from the Director of Central Intelligence;
          (5) Dissemination of signals intelligence information for national foreign intelligence purposes to authorized elements of the Government, including the military services, in accordance with guidance from the Director of Central Intelligence;
          (6) Collection, processing and dissemination of signals intelligence information for counterintelligence purposes;
          (7) Provision of signals intelligence support for the conduct of military operations in accordance with tasking, priorities, and standards of timeliness assigned by the Secretary of Defense. If provision of such support requires use of national collection systems, these systems will be tasked within existing guidance from the Director of Central Intelligence;
          (8) Executing the responsibilities of the Secretary of Defense as executive agent for the communications security of the United States Government;
          (9) Conduct of research and development to meet the needs of the United States for signals intelligence and communications security;
          (10) Protection of the security of its installations, activities, property, information, and employees by appropriate means, including such investigations of applicants, employees, contractors, and other persons with similar associations with the NSA as are necessary;
          (11) Prescribing, within its field of authorized operations, security regulations covering operating practices, including the transmission, handling and distribution of signals intelligence and communications security material within and among the elements under control of the Director of the NSA, and exercising the necessary supervisory control to ensure compliance with the regulations;
          (12) Conduct of foreign cryptologic liaison relationships, with liaison for intelligence purposes conducted in accordance with policies formulated by the Director of Central Intelligence; and
          (13) Conduct of such administrative and technical support activities within and outside the United States as are necessary to perform the functions described in sections (1) through (12) above, including procurement.
     (c) Offices for the collection of specialized intelligence through reconnaissance programs, whose responsibilities shall include:
          (1) Carrying out consolidated reconnaissance programs for specialized intelligence;
          (2) Responding to tasking in accordance with procedures established by the Director of Central Intelligence; and
          (3) Delegating authority to the various departments and agencies for research, development, procurement, and operation of designated means of collection.
     (d) The foreign intelligence and counterintelligence elements of the Army, Navy, Air Force, and Marine Corps, whose responsibilities shall include:
          (1) Collection, production and dissemination of military and military-related foreign intelligence and counterintelligence, and information on the foreign aspects of narcotics production and trafficking. When collection is conducted in response to national foreign intelligence requirements, it will be conducted in accordance with guidance from the Director of Central Intelligence. Collection of national foreign intelligence, not otherwise obtainable, outside the United States shall be coordinated with the CIA, and such collection within the United States shall be coordinated with the FBI;
          (2) Conduct of counterintelligence activities outside the United States in coordination with the CIA, and within the United States in coordination with the FBI; and
          (3) Monitoring of the development, procurement and management of tactical intelligence systems and equipment and conducting related research, development, and test and evaluation activities.
     (e) Other offices within the Department of Defense appropriate for conduct of the intelligence missions and responsibilities assigned to the Secretary of Defense. If such other offices are used for intelligence purposes, the provisions of Part 2 of this Order shall apply to those offices when used for those purposes.

1.13  The Department of Energy. The Secretary of Energy shall:
     (a) Participate with the Department of State in overtly collecting information with respect to foreign energy matters;
     (b) Produce and disseminate foreign intelligence necessary for the Secretary's responsibilities;
     (c) Participate in formulating intelligence collection and analysis requirements where the special expert capability of the Department can contribute; and
     (d) Provide expert technical, analytical and research capability to other agencies within the Intelligence Community.

1.14  The Federal Bureau of Investigation. Under the supervision of the Attorney General and pursuant to such regulations as the Attorney General may establish, the Director of the FBI shall:
     (a) Within the United States conduct counterintelligence and coordinate counterintelligence activities of other agencies within the Intelligence Community. When a counterintelligence activity of the FBI involves military or civilian personnel of the Department of Defense, the FBI shall coordinate with the Department of Defense;
     (b) Conduct counterintelligence activities outside the United States in coordination with the CIA as required by procedures agreed upon by the Director of Central Intelligence and the Attorney General;
     (c) Conduct within the United States, when requested by officials of the Intelligence Community designated by the President, activities undertaken to collect foreign intelligence or support foreign intelligence collection requirements of other agencies within the Intelligence Community, or, when requested by the Director of the National Security Agency, to support the communications security activities of the United States Government;
     (d) Produce and disseminate foreign intelligence and counterintelligence; and
     (e) Carry out or contract for research, development and procurement of technical systems and devices relating to the functions authorized above.

Part 2
Conduct of Intelligence Activities

2.1   Need. Accurate and timely information about the capabilities, intentions and activities of foreign powers, organizations, or persons and their agents is essential to informed decisionmaking in the areas of national defense and foreign relations. Collection of such information is a priority objective and will be pursued in a vigorous, innovative and responsible manner that is consistent with the Constitution and applicable law and respectful of the principles upon which the United States was founded.

2.2   Purpose. This Order is intended to enhance human and technical collection techniques, especially those undertaken abroad, and the acquisition of significant foreign intelligence, as well as the detection and countering of international terrorist activities and espionage conducted by foreign powers. Set forth below are certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests. Nothing in this Order shall be construed to apply to or interfere with any authorized civil or criminal law enforcement responsibility of any department or agency.

2.3   Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:

     (a) Information that is publicly available or collected with the consent of the person concerned;
     (b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
     (c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
     (d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
     (e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
     (f)  Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
     (g) Information arising out of a lawful personnel, physical or communications security investigation;
     (h) Information acquired by overhead reconnaissance not directed at specific United States persons;
     (i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
     (j) Information necessary for administrative purposes. In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

2.4   Collection Techniques. Agencies within the Intelligence Community shall use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. Agencies are not authorized to use such techniques as electronic surveillance, unconsented physical search, mail surveillance, physical surveillance, or monitoring devices unless they are in accordance with procedures established by the head of the agency concerned and approved by the Attorney General. Such procedures shall protect constitutional and other legal rights and limit use of such information to lawful governmental purposes. These procedures shall not authorize:
     (a) The CIA to engage in electronic surveillance within the United States except for the purpose of training, testing, or conducting countermeasures to hostile electronic surveillance;
     (b) Unconsented physical searches in the United States by agencies other than the FBI, except for:
          (1) Searches by counterintelligence elements of the military services directed against military personnel within the United States or abroad for intelligence purposes, when authorized by a military commander empowered to approve physical searches for law enforcement purposes, based upon a finding of probable cause to believe that such persons are acting as agents of foreign powers; and
          (2) Searches by CIA of personal property of non-United States persons lawfully in its possession.
     (c) Physical surveillance of a United States person in the United States by agencies other than the FBI, except for:
          (1) Physical surveillance of present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting; and
          (2) Physical surveillance of a military person employed by a nonintelligence element of a military service.
     (d) Physical surveillance of a United States person abroad to collect foreign intelligence, except to obtain significant information that cannot reasonably be acquired by other means.

2.5   Attorney General Approval. The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power. Electronic surveillance, as defined in the Foreign Intelligence Surveillance Act of 1978, shall be conducted in accordance with that Act, as well as this Order.

2.6   Assistance to Law Enforcement Authorities. Agencies within the Intelligence Community are authorized to:
     (a) Cooperate with appropriate law enforcement agencies for the purpose of protecting the employees, information, property and facilities of any agency within the Intelligence Community;
     (b) Unless otherwise precluded by law or this Order, participate in law enforcement activities to investigate or prevent clandestine intelligence activities by foreign powers, or international terrorist or narcotics activities;
     (c) Provide specialized equipment, technical knowledge, or assistance of expert personnel for use by any department or agency, or, when lives are endangered, to support local law enforcement agencies. Provision of assistance by expert personnel shall be approved in each case by the General Counsel of the providing agency; and
     (d) Render any other assistance and cooperation to law enforcement authorities not precluded by applicable law.

2.7   Contracting. Agencies within the Intelligence Community are authorized to enter into contracts or arrangements for the provision of goods or services with private companies or institutions in the United States and need not reveal the sponsorship of such contracts or arrangements for authorized intelligence purposes. Contracts or arrangements with academic institutions may be undertaken only with the consent of appropriate officials of the institution.

2.8   Consistency With Other Laws. Nothing in this Order shall be construed to authorize any activity in violation of the Constitution or statutes of the United States.

2.9   Undisclosed Participation in Organizations Within the United States. No one acting on behalf of agencies within the Intelligence Community may join or otherwise participate in any organization in the United States on behalf of any agency within the Intelligence Community without disclosing his intelligence affiliation to appropriate officials of the organization, except in accordance with procedures established by the head of the agency concerned and approved by the Attorney General. Such participation shall be authorized only if it is essential to achieving lawful purposes as determined by the agency head or designee. No such participation may be undertaken for the purpose of influencing the activity of the organization or its members except in cases where:
     (a) The participation is undertaken on behalf of the FBI in the course of a lawful investigation; or
     (b) The organization concerned is composed primarily of individuals who are not United States persons and is reasonably believed to be acting on behalf of a foreign power.

2.10  Human Experimentation. No agency within the Intelligence Community shall sponsor, contract for or conduct research on human subjects except in accordance with guidelines issued by the Department of Health and Human Services. The subject's informed consent shall be documented as required by those guidelines.

2.11 Prohibition on Assassination. No person employed by or acting on behalf of the United States Government shall engage in, or conspire to engage in, assassination.

2.12 Indirect Participation. No agency of the Intelligence Community shall participate in or request any person to undertake activities forbidden by this Order.

Part 3
General Provisions

3.1   Congressional Oversight. The duties and responsibilities of the Director of Central Intelligence and the heads of other departments, agencies, and entities engaged in intelligence activities to cooperate with the Congress in the conduct of its responsibilities for oversight of intelligence activities shall be as provided in title 50, United States Code, section 413. The requirements of section 662 of the Foreign Assistance Act of 1961, as amended (22 U.S.C. 2422), and section 501 of the National Security Act of 1947, as amended (50 U.S.C. 413), shall apply to all special activities as defined in this Order.

3.2  Implementation. The NSC, the Secretary of Defense, the Attorney General, and the Director of Central Intelligence shall issue such appropriate directives and procedures as are necessary to implement this Order. Heads of agencies within the Intelligence Community shall issue appropriate supplementary directives and procedures consistent with this Order. The Attorney General shall provide a statement of reasons for not approving any procedures established by the head of an agency in the Intelligence Community other than the FBI. The National Security Council may establish procedures in instances where the agency head and the Attorney General are unable to reach agreement on other than constitutional or other legal grounds.

3.3   Procedures. Until the procedures required by this Order have been established, the activities herein authorized which require procedures shall be conducted in accordance with existing procedures or requirements established under Executive Order No. 12036. Procedures required by this Order shall be established as expeditiously as possible. All procedures promulgated pursuant to this Order shall be made available to the congressional intelligence committees.

3.4   Definitions. For the purposes of this Order, the following terms shall have these meanings:
     (a) Counterintelligence means information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons, or international terrorist activities, but not including personnel, physical, document or communications security programs.
     (b) Electronic surveillance means acquisitions of a nonpublic communication by electronic means without the consent of a person who is a party to an electronic communication or, in the case of a nonelectronic communication, without the consent of a person who is visibly present at the place of communication, but not including the use of radio direction-finding equipment solely to determine the location of a transmitter.
     (c)  Employee means a person employed by, assigned to or acting for an agency within the Intelligence Community.
     (d) Foreign intelligence means information relating to the capabilities, intentions and activities of foreign powers, organizations or persons, but not including counterintelligence except for information on international terrorist activities.
     (e) Intelligence activities means all activities that agencies within the Intelligence Community are authorized to conduct pursuant to this Order.
     (f) Intelligence Community and agencies within the Intelligence Community refer to the following agencies or organizations:
          (1) The Central Intelligence Agency (CIA);
          (2) The National Security Agency (NSA);
          (3) The Defense Intelligence Agency (DIA);
          (4) The offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
          (5) The Bureau of Intelligence and Research of the Department of State;
          (6) The intelligence elements of the Army, Navy, Air Force, and Marine Corps, the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Department of Energy; and
          (7) The staff elements of the Director of Central Intelligence.
     (g) The National Foreign Intelligence Program includes the programs listed below, but its composition shall be subject to review by the National Security Council and modification by the President:
          (1) The programs of the CIA;
          (2) The Consolidated Cryptologic Program, the General Defense Intelligence Program, and the programs of the offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance, except such elements as the Director of Central Intelligence and the Secretary of Defense agree should be excluded;
          (3) Other programs of agencies within the Intelligence Community designated jointly by the Director of Central Intelligence and the head of the department or by the President as national foreign intelligence or counterintelligence activities;
          (4) Activities of the staff elements of the Director of Central Intelligence;
          (5) Activities to acquire the intelligence required for the planning and conduct of tactical operations by the United States military forces are not included in the National Foreign Intelligence Program.
     (h) Special activities means activities conducted in support of national foreign policy objectives abroad which are planned and executed so that the role of the United States Government is not apparent or acknowledged publicly, and functions in support of such activities, but which are not intended to influence United States political processes, public opinion, policies, or media and do not include diplomatic activities or the collection and production of intelligence or related support functions.
     (i) United States person means a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.

3.5  Purpose and Effect. This Order is intended to control and provide direction and guidance to the Intelligence Community. Nothing contained herein or in any procedures promulgated hereunder is intended to confer any substantive or procedural right or privilege on any person or organization.

3.6  Revocation. Executive Order No. 12036 of January 24, 1978, as amended, entitled 'United States Intelligence Activities,' is revoked.

RONALD REAGAN, THE WHITE HOUSE, December 4, 1981.

N.2.2 Executive Order 12958 (Classified National Security Information)

This order prescribes a uniform system for classifying, safeguarding, and declassifying national security information. Our democratic principles require that the American people be informed of the activities of their Government. Also, our Nation's progress depends on the free flow of information. Nevertheless, throughout our history, the national interest has required that certain information be maintained in confidence in order to protect our citizens, our democratic institutions, and our participation within the community of nations. Protecting information critical to our Nation's security remains a priority. In recent years, however, dramatic changes have altered, although not eliminated, the national security threats that we confront. These changes provide a greater opportunity to emphasize our commitment to open Government.

NOW, THEREFORE, by the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Part 1
Original Classification

Section 1.1. Definitions. For purposes of this order:
     (a) "National security" means the national defense or foreign relations of the United States.
     (b) "Information" means any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government. "Control" means the authority of the agency that originates information, or its successor in function, to regulate access to the information.
     (c) "Classified national security information" (hereafter "classified information") means information that has been determined pursuant to this order or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
     (d) "Foreign Government Information" means:
          (1) information provided to the United States Government by a foreign government or governments, an international organization of governments, or any element thereof, with the expectation that the information, the source of the information, or both, are to be held in confidence;
          (2) information produced by the United States pursuant to or as a result of a joint arrangement with a foreign government or governments, or an international organization of governments, or any element thereof, requiring that the information, the arrangement, or both, are to be held in confidence; or
          (3) information received and treated as "Foreign Government Information" under the terms of a predecessor order.
     (e) "Classification" means the act or process by which information is determined to be classified information.
     (f)  "Original classification" means an initial determination that information requires, in the interest of national security, protection against unauthorized disclosure.
     (g) "Original classification authority" means an individual authorized in writing, either by the President, or by agency heads or other officials designated by the President, to classify information in the first instance.
     (h) "Unauthorized disclosure" means a communication or physical transfer of classified information to an unauthorized recipient.
     (i)  "Agency" means any "Executive agency," as defined in 5 U.S.C. 105, and any other entity within the executive branch that comes into the possession of classified information.
     (j) "Senior agency official" means the official designated by the agency head under section 5.6(c) of this order to direct and administer the agency's program under which information is classified, safeguarded, and declassified.
     (k) "Confidential source" means any individual or organization that has provided, or that may reasonably be expected to provide, information to the United States on matters pertaining to the national security with the expectation that the information or relationship, or both, are to be held in confidence.
     (l)  "Damage to the national security" means harm to the national defense or foreign relations of the United States from the unauthorized disclosure of information, to include the sensitivity, value, and utility of that information.

Sec. 1.2. Classification Standards.
     (a) Information may be originally classified under the terms of this order only if all of the following conditions are met:
          (1) an original classification authority is classifying the information;
          (2) the information is owned by, produced by or for, or is under the control of the United States Government;
          (3) the information falls within one or more of the categories of information listed in section 1.5 of this order; and
          (4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security and the original classification authority is able to identify or describe the damage.
     (b) If there is significant doubt about the need to classify information, it shall not be classified. This provision does not:
          (1) amplify or modify the substantive criteria or procedures for classification; or
          (2) create any substantive or procedural rights subject to judicial review.
     (c) Classified information shall not be declassified automatically as a result of any unauthorized disclosure of identical or similar information.

Sec. 1.3. Classification Levels.
     (a) Information may be classified at one of the following three levels:
          (1) "Top Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
          (2) "Secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
          (3) "Confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
     (b) Except as otherwise provided by statute, no other terms shall be used to identify United States classified information.
     (c) If there is significant doubt about the appropriate level of classification, it shall be classified at the lower level.

Sec. 1.4. Classification Authority.
     (a) The authority to classify information originally may be exercised only by:
          (1) the President;
          (2) agency heads and officials designated by the President in the Federal Register; or
          (3) United States Government officials delegated this authority pursuant to paragraph (c), below.
     (b) Officials authorized to classify information at a specified level are also authorized to classify information at a lower level.
     (c) Delegation of original classification authority.
          (1) Delegations of original classification authority shall be limited to the minimum required to administer this order. Agency heads are responsible for ensuring that designated subordinate officials have a demonstrable and continuing need to exercise this authority.
          (2) "Top Secret" original classification authority may be delegated only by the President or by an agency head or official designated pursuant to paragraph (a)(2), above.

          (3) "Secret" or "Confidential" original classification authority may be delegated only by the President; an agency head or official designated pursuant to paragraph (a)(2), above; or the senior agency official, provided that official has been delegated "Top Secret" original classification authority by the agency head.
          (4) Each delegation of original classification authority shall be in writing and the authority shall not be redelegated except as provided in this order. Each delegation shall identify the official by name or position title.
     (d) Original classification authorities must receive training in original classification as provided in this order and its implementing directives.
     (e) Exceptional cases. When an employee, contractor, licensee, certificate holder, or grantee of an agency that does not have original classification authority originates information believed by that person to require classification, the information shall be protected in a manner consistent with this order and its implementing directives. The information shall be transmitted promptly as provided under this order or its implementing directives to the agency that has appropriate subject matter interest and classification authority with respect to this information. That agency shall decide within 30 days whether to classify this information. If it is not clear which agency has classification responsibility for this information, it shall be sent to the Director of the Information Security Oversight Office. The Director shall determine the agency having primary subject matter interest and forward the information, with appropriate recommendations, to that agency for a classification determination.

Sec. 1.5. Classification Categories. Information may not be considered for classification unless it concerns:
     (a) military plans, weapons systems, or operations;
     (b) foreign government information;
     (c) intelligence activities (including special activities), intelligence sources or methods, or cryptology;
     (d) foreign relations or foreign activities of the United States, including confidential sources;
     (e) scientific, technological, or economic matters relating to the national security;
     (f) United States Government programs for safeguarding nuclear materials or facilities; or
     (g) vulnerabilities or capabilities of systems, installations, projects or plans relating to the national security.

Sec. 1.6. Duration of Classification.
     (a) At the time of original classification, the original classification authority shall attempt to establish a specific date or event for declassification based upon the duration of the national security sensitivity of the information. The date or event shall not exceed the time frame in paragraph (b), below.
     (b) If the original classification authority cannot determine an earlier specific date or event for declassification, information shall be marked for declassification 10 years from the date of the original decision, except as provided in paragraph (d), below.
     (c) An original classification authority may extend the duration of classification or reclassify specific information for successive periods not to exceed 10 years at a time if such action is consistent with the standards and procedures established under this order. This provision does not apply to information contained in records that are more than 25 years old and have been determined to have permanent historical value under title 44, United States Code.
     (d) At the time of original classification, the original classification authority may exempt from declassification within 10 years specific information, the unauthorized disclosure of which could reasonably be expected to cause damage to the national security for a period greater than that provided in paragraph (b), above, and the release of which could reasonably be expected to:
          (1) reveal an intelligence source, method, or activity, or a cryptologic system or activity;
          (2) reveal information that would assist in the development or use of weapons of mass destruction;
          (3) reveal information that would impair the development or use of technology within a United States weapons system;
          (4) reveal United States military plans, or national security emergency preparedness plans;
          (5) reveal foreign government information;
          (6) damage relations between the United States and a foreign government, reveal a confidential source, or seriously undermine diplomatic activities that are reasonably expected to be ongoing for a period greater than that provided in paragraph (b), above;
          (7) impair the ability of responsible United States Government officials to protect the President, the Vice President, and other individuals for whom protection services, in the interest of national security, are authorized; or
          (8) violate a statute, treaty, or international agreement.
     (e) Information marked for an indefinite duration of classification under predecessor orders, for example, "Originating Agency's Determination Required," or information classified under predecessor orders that contains no declassification instructions shall be declassified in accordance with part 3 of this order.

Sec. 1.7. Identification and Markings.
     (a) At the time of original classification, the following shall appear on the face of each classified document, or shall be applied to other classified media in an appropriate manner:
          (1) one of the three classification levels defined in section 1.3 of this order;
          (2) the identity, by name or personal identifier and position, of the original classification authority;
          (3) the agency and office of origin, if not otherwise evident;
          (4) declassification instructions, which shall indicate one of the following:

               (A) the date or event for declassification, as prescribed in section 1.6(a) or section 1.6(c); or
               (B) the date that is 10 years from the date of original classification, as prescribed in section 1.6(b); or
               (C) the exemption category from classification, as prescribed in section 1.6(d); and
          (5) a concise reason for classification which, at a minimum, cites the applicable classification categories in section 1.5 of this order.
     (b) Specific information contained in paragraph (a), above, may be excluded if it would reveal additional classified information.
     (c) Each classified document shall, by marking or other means, indicate which portions are classified, with the applicable classification level, which portions are exempt from declassification under section 1.6(d) of this order, and which portions are unclassified. In accordance with standards prescribed in directives issued under this order, the Director of the Information Security Oversight Office may grant waivers of this requirement for specified classes of documents or information. The Director shall revoke any waiver upon a finding of abuse.
     (d) Markings implementing the provisions of this order, including abbreviations and requirements to safeguard classified working papers, shall conform to the standards prescribed in implementing directives issued pursuant to this order.
     (e) Foreign government information shall retain its original classification markings or shall be assigned a U.S. classification that provides a degree of protection at least equivalent to that required by the entity that furnished the information.
     (f) Information assigned a level of classification under this or predecessor orders shall be considered as classified at that level of classification despite the omission of other required markings. Whenever such information is used in the derivative classification process or is reviewed for possible declassification, holders of such information shall coordinate with an appropriate classification authority for the application of omitted markings.
     (g) The classification authority shall, whenever practicable, use a classified addendum whenever classified information constitutes a small portion of an otherwise unclassified document.

Sec. 1.8. Classification Prohibitions and Limitations.
     (a) In no case shall information be classified in order to:
          (1) conceal violations of law, inefficiency, or administrative error;
          (2) prevent embarrassment to a person, organization, or agency;
          (3) restrain competition; or
          (4) prevent or delay the release of information that does not require protection in the interest of national security.
     (b) Basic scientific research information not clearly related to the national security may not be classified.
     (c) Information may not be reclassified after it has been declassified and released to the public under proper authority.
     (d) Information that has not previously been disclosed to the public under proper authority may be classified or reclassified after an agency has received a request for it under the Freedom of Information Act (5 U.S.C. 552) or the Privacy Act of 1974 (5 U.S.C. 552a), or the mandatory review provisions of section 3.6 of this order only if such classification meets the requirements of this order and is accomplished on a document-by-document basis with the personal participation or under the direction of the agency head, the deputy agency head, or the senior agency official designated under section 5.6 of this order. This provision does not apply to classified information contained in records that are more than 25 years old and have been determined to have permanent historical value under title 44, United States Code.
     (e) Compilations of items of information which are individually unclassified may be classified if the compiled information reveals an additional association or relationship that:
          (1) meets the standards for classification under this order; and
          (2) is not otherwise revealed in the individual items of information.
As used in this order, "compilation" means an aggregation of pre-existing unclassified items of information.

Sec. 1.9. Classification Challenges.
     (a) Authorized holders of information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of the information in accordance with agency procedures established under paragraph (b), below.
     (b) In accordance with implementing directives issued pursuant to this order, an agency head or senior agency official shall establish procedures under which authorized holders of information are encouraged and expected to challenge the classification of information that they believe is improperly classified or unclassified. These procedures shall assure that:
          (1) individuals are not subject to retribution for bringing such actions;
          (2) an opportunity is provided for review by an impartial official or panel; and
          (3) individuals are advised of their right to appeal agency decisions to the Interagency Security Classification Appeals Panel established by section 5.4 of this order.

Part 2
Derivative Classification

Sec. 2.1. Definitions. For purposes of this order:
     (a) "Derivative classification" means the incorporating, paraphrasing, restating or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information. Derivative classification includes the classification of information based on classification guidance. The duplication or reproduction of existing classified information is not derivative classification.

     (b) "Classification guidance" means any instruction or source that prescribes the classification of specific information.
     (c) "Classification guide" means a documentary form of classification guidance issued by an original classification authority that identifies the elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element.
     (d) "Source document" means an existing document that contains classified information that is incorporated, paraphrased, restated, or generated in new form into a new document.
     (e) "Multiple sources" means two or more source documents, classification guides, or a combination of both.

Sec. 2.2. Use of Derivative Classification.
     (a) Persons who only reproduce, extract, or summarize classified information, or who only apply classification markings derived from source material or as directed by a classification guide, need not possess original classification authority.
     (b) Persons who apply derivative classification markings shall:
          (1) observe and respect original classification decisions; and
          (2) carry forward to any newly created documents the pertinent classification markings.
For information derivatively classified based on multiple sources, the derivative classifier shall carry forward:
               (A) the date or event for declassification that corresponds to the longest period of classification among the sources; and
               (B) a listing of these sources on or attached to the official file or record copy.

Sec. 2.3. Classification Guides.
     (a) Agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information. These guides shall conform to standards contained in directives issued under this order.
     (b) Each guide shall be approved personally and in writing by an official who:
          (1) has program or supervisory responsibility over the information or is the senior agency official; and
          (2) is authorized to classify information originally at the highest level of classification prescribed in the guide.
     (c) Agencies shall establish procedures to assure that classification guides are reviewed and updated as provided in directives issued under this order.

Part 3
Declassification and Downgrading

Sec. 3.1. Definitions. For purposes of this order:

     (a) "Declassification" means the authorized change in the status of information from classified information to unclassified information.
     (b) "Automatic declassification" means the declassification of information based solely upon:
          (1) the occurrence of a specific date or event as determined by the original classification authority; or
          (2) the expiration of a maximum time frame for duration of classification established under this order.
     (c) "Declassification authority" means:
          (1) the official who authorized the original classification, if that official is still serving in the same position;
          (2) the originator's current successor in function;
          (3) a supervisory official of either; or
          (4) officials delegated declassification authority in writing by the agency head or the senior agency official.
     (d) "Mandatory declassification review" means the review for declassification of classified information in response to a request for declassification that meets the requirements under section 3.6 of this order.
     (e) "Systematic declassification review" means the review for declassification of classified information contained in records that have been determined by the Archivist of the United States ("Archivist") to have permanent historical value in accordance with chapter 33 of title 44, United States Code.
     (f) "Declassification guide" means written instructions issued by a declassification authority that describes the elements of information regarding a specific subject that may be declassified and the elements that must remain classified.
     (g) "Downgrading" means a determination by a declassification authority that information classified and safeguarded at a specified level shall be classified and safeguarded at a lower level.
     (h) "File series" means documentary material, regardless of its physical form or characteristics, that is arranged in accordance with a filing system or maintained as a unit because it pertains to the same function or activity.

Sec. 3.2. Authority for Declassification.
     (a) Information shall be declassified as soon as it no longer meets the standards for classification under this order.
     (b) It is presumed that information that continues to meet the classification requirements under this order requires continued protection. In some exceptional cases, however, the need to protect such information may be outweighed by the public interest in disclosure of the information, and in these cases the information should be declassified. When such questions arise, they shall be referred to the agency head or the senior agency official. That official will determine, as an exercise of discretion, whether the public interest in disclosure outweighs the damage to national security that might reasonably be expected from disclosure. This provision does not:
          (1) amplify or modify the substantive criteria or procedures for classification; or

          (2) create any substantive or procedural rights subject to judicial review.
     (c) If the Director of the Information Security Oversight Office determines that information is classified in violation of this order, the Director may require the information to be declassified by the agency that originated the classification. Any such decision by the Director may be appealed to the President through the Assistant to the President for National Security Affairs. The information shall remain classified pending a prompt decision on the appeal.
     (d) The provisions of this section shall also apply to agencies that, under the terms of this order, do not have original classification authority, but had such authority under predecessor orders.

Sec. 3.3. Transferred Information.
     (a) In the case of classified information transferred in conjunction with a transfer of functions, and not merely for storage purposes, the receiving agency shall be deemed to be the originating agency for purposes of this order.
     (b) In the case of classified information that is not officially transferred as described in paragraph (a), above, but that originated in an agency that has ceased to exist and for which there is no successor agency, each agency in possession of such information shall be deemed to be the originating agency for purposes of this order. Such information may be declassified or downgraded by the agency in possession after consultation with any other agency that has an interest in the subject matter of the information.
     (c) Classified information accessioned into the National Archives and Records Administration ("National Archives") as of the effective date of this order shall be declassified or downgraded by the Archivist in accordance with this order, the directives issued pursuant to this order, agency declassification guides, and any existing procedural agreement between the Archivist and the relevant agency head.
     (d) The originating agency shall take all reasonable steps to declassify classified information contained in records determined to have permanent historical value before they are accessioned into the National Archives. However, the Archivist may require that records containing classified information be accessioned into the National Archives when necessary to comply with the provisions of the Federal Records Act. This provision does not apply to information being transferred to the Archivist pursuant to section 2203 of title 44, United States Code, or information for which the National Archives and Records Administration serves as the custodian of the records of an agency or organization that goes out of existence.
     (e) To the extent practicable, agencies shall adopt a system of records management that will facilitate the public release of documents at the time such documents are declassified pursuant to the provisions for automatic declassification in sections 1.6 and 3.4 of this order.

Sec. 3.4. Automatic Declassification.
     (a) Subject to paragraph (b), below, within 5 years from the date of this order, all classified information contained in records that (1) are more than 25 years old, and (2) have been determined to have permanent historical value under title 44, United States Code, shall be automatically declassified whether or not the records have been reviewed. Subsequently, all classified information in such records shall be automatically declassified no longer than 25 years from the date of its original classification, except as provided in paragraph (b), below.
     (b) An agency head may exempt from automatic declassification under paragraph (a), above, specific information, the release of which should be expected to:
          (1) reveal the identity of a confidential human source, or reveal information about the application of an intelligence source or method, or reveal the identity of a human intelligence source when the unauthorized disclosure of that source would clearly and demonstrably damage the national security interests of the United States;
          (2) reveal information that would assist in the development or use of weapons of mass destruction;
          (3) reveal information that would impair U.S. cryptologic systems or activities;
          (4) reveal information that would impair the application of state of the art technology within a U.S. weapon system;
          (5) reveal actual U.S. military war plans that remain in effect;
          (6) reveal information that would seriously and demonstrably impair relations between the United States and a foreign government, or seriously and demonstrably undermine ongoing diplomatic activities of the United States;
          (7) reveal information that would clearly and demonstrably impair the current ability of United States Government officials to protect the President, Vice President, and other officials for whom protection services, in the interest of national security, are authorized;
          (8) reveal information that would seriously and demonstrably impair current national security emergency preparedness plans; or
          (9) violate a statute, treaty, or international agreement.
     (c) No later than the effective date of this order, an agency head shall notify the President through the Assistant to the President for National Security Affairs of any specific file series of records for which a review or assessment has determined that the information within those file series almost invariably falls within one or more of the exemption categories listed in paragraph (b), above, and which the agency proposes to exempt from automatic declassification. The notification shall include:
          (1) a description of the file series;
          (2) an explanation of why the information within the file series is almost invariably exempt from automatic declassification and why the information must remain classified for a longer period of time; and
          (3) except for the identity of a confidential human source or a human intelligence source, as provided in paragraph (b), above, a specific date or event for declassification of the information.
The President may direct the agency head not to exempt the file series or to declassify the information within that series at an earlier date than recommended.
     (d) At least 180 days before information is automatically declassified under this section, an agency head or senior agency official shall notify the Director of the Information Security Oversight Office, serving as Executive Secretary of the Interagency Security Classification Appeals Panel, of any specific information beyond that included in a notification to the President under paragraph (c), above, that the agency proposes to exempt from automatic declassification. The notification shall include:
          (1) a description of the information;
          (2) an explanation of why the information is exempt from automatic declassification and must remain classified for a longer period of time; and
          (3) except for the identity of a confidential human source or a human intelligence source, as provided in paragraph (b), above, a specific date or event for declassification of the information.
The Panel may direct the agency not to exempt the information or to declassify it at an earlier date than recommended. The agency head may appeal such a decision to the President through the Assistant to the President for National Security Affairs. The information will remain classified while such an appeal is pending.
     (e) No later than the effective date of this order, the agency head or senior agency official shall provide the Director of the Information Security Oversight Office with a plan for compliance with the requirements of this section, including the establishment of interim target dates. Each such plan shall include the requirement that the agency declassify at least 15 percent of the records affected by this section no later than 1 year from the effective date of this order, and similar commitments for subsequent years until the effective date for automatic declassification.
     (f) Information exempted from automatic declassification under this section shall remain subject to the mandatory and systematic declassification review provisions of this order.
     (g) The Secretary of State shall determine when the United States should commence negotiations with the appropriate officials of a foreign government or international organization of governments to modify any treaty or international agreement that requires the classification of information contained in records affected by this section for a period longer than 25 years from the date of its creation, unless the treaty or international agreement pertains to information that may otherwise remain classified beyond 25 years under this section.

Sec. 3.5. Systematic Declassification Review.
     (a) Each agency that has originated classified information under this order or its predecessors shall establish and conduct a program for systematic declassification review. This program shall apply to historically valuable records exempted from automatic declassification under section 3.4 of this order. Agencies shall prioritize the systematic review of records based upon:
          (1) recommendations of the Information Security Policy Advisory Council, established in section 5.5 of this order, on specific subject areas for systematic review concentration; or
          (2) the degree of researcher interest and the likelihood of declassification upon review.
     (b) The Archivist shall conduct a systematic declassification review program for classified information:

          (1) accessioned into the National Archives as of the effective date of this order;
          (2) information transferred to the Archivist pursuant to section 2203 of title 44, United States Code; and
          (3) information for which the National Archives and Records Administration serves as the custodian of the records of an agency or organization that has gone out of existence.
This program shall apply to pertinent records no later than 25 years from the date of their creation. The Archivist shall establish priorities for the systematic review of these records based upon the recommendations of the Information Security Policy Advisory Council; or the degree of researcher interest and the likelihood of declassification upon review. These records shall be reviewed in accordance with the standards of this order, its implementing directives, and declassification guides provided to the Archivist by each agency that originated the records. The Director of the Information Security Oversight Office shall assure that agencies provide the Archivist with adequate and current declassification guides.
     (c) After consultation with affected agencies, the Secretary of Defense may establish special procedures for systematic review for declassification of classified cryptologic information, and the Director of Central Intelligence may establish special procedures for systematic review for declassification of classified information pertaining to intelligence activities (including special activities), or intelligence sources or methods.

Sec. 3.6. Mandatory Declassification Review.
     (a) Except as provided in paragraph (b), below, all information classified under this order or predecessor orders shall be subject to a review for declassification by the originating agency if:
          (1) the request for a review describes the document or material containing the information with sufficient specificity to enable the agency to locate it with a reasonable amount of effort;
          (2) the information is not exempted from search and review under the Central Intelligence Agency Information Act; and
          (3) the information has not been reviewed for declassification within the past 2 years.
If the agency has reviewed the information within the past 2 years, or the information is the subject of pending litigation, the agency shall inform the requester of this fact and of the requester's appeal rights.
     (b) Information originated by:
          (1) the incumbent President;
          (2) the incumbent President's White House Staff;
          (3) committees, commissions, or boards appointed by the incumbent President; or
          (4) other entities within the Executive Office of the President that solely advise and assist the incumbent President
is exempted from the provisions of paragraph (a), above. However, the Archivist shall have the authority to review, downgrade, and declassify information of former Presidents under the control of the Archivist pursuant to sections 2107, 2111, 2111 note, or 2203 of title 44, United States Code. Review procedures developed by the Archivist shall provide for consultation with agencies having primary subject matter interest and shall be consistent with the provisions of applicable laws or lawful agreements that pertain to the respective Presidential papers or records. Agencies with primary subject matter interest shall be notified promptly of the Archivist's decision. Any final decision by the Archivist may be appealed by the requester or an agency to the Interagency Security Classification Appeals Panel. The information shall remain classified pending a prompt decision on the appeal.
     (c) Agencies conducting a mandatory review for declassification shall declassify information that no longer meets the standards for classification under this order. They shall release this information unless withholding is otherwise authorized and warranted under applicable law.
     (d) In accordance with directives issued pursuant to this order, agency heads shall develop procedures to process requests for the mandatory review of classified information. These procedures shall apply to information classified under this or predecessor orders. They also shall provide a means for administratively appealing a denial of a mandatory review request, and for notifying the requester of the right to appeal a final agency decision to the Interagency Security Classification Appeals Panel.
     (e) After consultation with affected agencies, the Secretary of Defense shall develop special procedures for the review of cryptologic information, the Director of Central Intelligence shall develop special procedures for the review of information pertaining to intelligence activities (including special activities), or intelligence sources or methods, and the Archivist shall develop special procedures for the review of information accessioned into the National Archives.

Sec. 3.7. Processing Requests and Reviews. In response to a request for information under the Freedom of Information Act, the Privacy Act of 1974, or the mandatory review provisions of this order, or pursuant to the automatic declassification or systematic review provisions of this order:
     (a) An agency may refuse to confirm or deny the existence or nonexistence of requested information whenever the fact of its existence or nonexistence is itself classified under this order.
     (b) When an agency receives any request for documents in its custody that contain information that was originally classified by another agency, or comes across such documents in the process of the automatic declassification or systematic review provisions of this order, it shall refer copies of any request and the pertinent documents to the originating agency for processing, and may, after consultation with the originating agency, inform any requester of the referral unless such association is itself classified under this order. In cases in which the originating agency determines in writing that a response under paragraph (a), above, is required, the referring agency shall respond to the requester in accordance with that paragraph.

Sec. 3.8. Declassification Database.
     (a) The Archivist in conjunction with the Director of the Information Security Oversight Office and those agencies that originate classified information, shall establish a Governmentwide database of information that has been declassified. The Archivist shall also explore other possible uses of technology to facilitate the declassification process.
     (b) Agency heads shall fully cooperate with the Archivist in these efforts.
     (c) Except as otherwise authorized and warranted by law, all declassified information contained within the database established under paragraph (a), above, shall be available to the public.

Part 4
Safeguarding

Sec. 4.1. Definitions. For purposes of this order:
     (a) "Safeguarding" means measures and controls that are prescribed to protect classified information.
     (b) "Access" means the ability or opportunity to gain knowledge of classified information.
     (c) "Need-to-know" means a determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
     (d) "Automated information system" means an assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information.
     (e) "Integrity" means the state that exists when information is unchanged from its source and has not been accidentally or intentionally modified, altered, or destroyed.
     (f) "Network" means a system of two or more computers that can exchange data or information.
     (g) "Telecommunications" means the preparation, transmission, or communication of information by electronic means.
     (h) "Special access program" means a program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

Sec. 4.2. General Restrictions on Access.
     (a) A person may have access to classified information provided that:
          (1) a favorable determination of eligibility for access has been made by an agency head or the agency head's designee;
          (2) the person has signed an approved nondisclosure agreement; and
          (3) the person has a need-to-know the information.
     (b) Classified information shall remain under the control of the originating agency or its successor in function. An agency shall not disclose information originally classified by another agency without its authorization. An official or employee leaving agency service may not remove classified information from the agency's control.
     (c) Classified information may not be removed from official premises without proper authorization.
     (d) Persons authorized to disseminate classified information outside the executive branch shall assure the protection of the information in a manner equivalent to that provided within the executive branch.
     (e) Consistent with law, directives, and regulation, an agency head or senior agency official shall establish uniform procedures to ensure that automated information systems, including networks and telecommunications systems, that collect, create, communicate, compute, disseminate, process, or store classified information have controls that:
          (1) prevent access by unauthorized persons; and
          (2) ensure the integrity of the information.
     (f) Consistent with law, directives, and regulation, each agency head or senior agency official shall establish controls to ensure that classified information is used, processed, stored, reproduced, transmitted, and destroyed under conditions that provide adequate protection and prevent access by unauthorized persons.
     (g) Consistent with directives issued pursuant to this order, an agency shall safeguard foreign government information under standards that provide a degree of protection at least equivalent to that required by the government or international organization of governments that furnished the information. When adequate to achieve equivalency, these standards may be less restrictive than the safeguarding standards that ordinarily apply to United States "Confidential" information, including allowing access to individuals with a need-to-know who have not otherwise been cleared for access to classified information or executed an approved nondisclosure agreement.
     (h) Except as provided by statute or directives issued pursuant to this order, classified information originating in one agency may not be disseminated outside any other agency to which it has been made available without the consent of the originating agency. An agency head or senior agency official may waive this requirement for specific information originated within that agency. For purposes of this section, the Department of Defense shall be considered one agency.

Sec. 4.3. Distribution Controls.
     (a) Each agency shall establish controls over the distribution of classified information to assure that it is distributed only to organizations or individuals eligible for access who also have a need-to-know the information.
     (b) Each agency shall update, at least annually, the automatic, routine, or recurring distribution of classified information that they distribute. Recipients shall cooperate fully with distributors who are updating distribution lists and shall notify distributors whenever a relevant change in status occurs.

Sec. 4.4. Special Access Programs.
     (a) Establishment of special access programs. Unless otherwise authorized by the President, only the Secretaries of State, Defense and Energy, and the Director of Central Intelligence, or the principal deputy of each, may create a special access program. For special access programs pertaining to intelligence activities (including special activities, but not including military operational, strategic and tactical programs), or intelligence sources or methods, this function will be exercised by the Director of Central Intelligence. These officials shall keep the number of these programs at an absolute minimum, and shall establish them only upon a specific finding that:
          (1) the vulnerability of, or threat to, specific information is exceptional; and
          (2) the normal criteria for determining eligibility for access applicable to information classified at the same level are not deemed sufficient to protect the information from unauthorized disclosure; or
          (3) the program is required by statute.
     (b) Requirements and Limitations.
          (1) Special access programs shall be limited to programs in which the number of persons who will have access ordinarily will be reasonably small and commensurate with the objective of providing enhanced protection for the information involved.
          (2) Each agency head shall establish and maintain a system of accounting for special access programs consistent with directives issued pursuant to this order.
          (3) Special access programs shall be subject to the oversight program established under section 5.6(c) of this order. In addition, the Director of the Information Security Oversight Office shall be afforded access to these programs, in accordance with the security requirements of each program, in order to perform the functions assigned to the Information Security Oversight Office under this order. An agency head may limit access to a special access program to the Director and no more than one other employee of the Information Security Oversight Office; or, for special access programs that are extraordinarily sensitive and vulnerable, to the Director only.
          (4) The agency head or principal deputy shall review annually each special access program to determine whether it continues to meet the requirements of this order.
          (5) Upon request, an agency shall brief the Assistant to the President for National Security Affairs, or his or her designee, on any or all of the agency's special access programs.
     (c) Within 180 days after the effective date of this order, each agency head or principal deputy shall review all existing special access programs under the agency's jurisdiction. These officials shall terminate any special access programs that do not clearly meet the provisions of this order. Each existing special access program that an agency head or principal deputy validates shall be treated as if it were established on the effective date of this order.
     (d) Nothing in this order shall supersede any requirement made by or under 10 U.S.C. 119.

Sec. 4.5. Access by Historical Researchers and Former Presidential Appointees.
     (a) The requirement in section 4.2(a)(3) of this order that access to classified information may be granted only to individuals who have a need-to-know the information may be waived for persons who:
          (1) are engaged in historical research projects; or
          (2) previously have occupied policy-making positions to which they were appointed by the President.
     (b) Waivers under this section may be granted only if the agency head or senior agency official of the originating agency:
          (1) determines in writing that access is consistent with the interest of national security;
          (2) takes appropriate steps to protect classified information from unauthorized disclosure or compromise, and ensures that the information is safeguarded in a manner consistent with this order; and
          (3) limits the access granted to former Presidential appointees to items that the person originated, reviewed, signed, or received while serving as a Presidential appointee.

Part 5
Implementation and Review

Sec. 5.1. Definitions. For purposes of this order:
     (a) "Self-inspection" means the internal review and evaluation of individual agency activities and the agency as a whole with respect to the implementation of the program established under this order and its implementing directives.
     (b) "Violation" means:
          (1) any knowing, willful, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information;
          (2) any knowing, willful, or negligent action to classify or continue the classification of information contrary to the requirements of this order or its implementing directives; or
          (3) any knowing, willful, or negligent action to create or continue a special access program contrary to the requirements of this order.
     (c) "Infraction" means any knowing, willful, or negligent action contrary to the requirements of this order or its implementing directives that does not comprise a "violation," as defined above.

Sec. 5.2. Program Direction.
     (a) The Director of the Office of Management and Budget, in consultation with the Assistant to the President for National Security Affairs and the co-chairs of the Security Policy Board, shall issue such directives as are necessary to implement this order. These directives shall be binding upon the agencies. Directives issued by the Director of the Office of Management and Budget shall establish standards for:
          (1) classification and marking principles;
          (2) agency security education and training programs;
          (3) agency self-inspection programs; and
          (4) classification and declassification guides.
     (b) The Director of the Office of Management and Budget shall delegate the implementation and monitorship functions of this program to the Director of the Information Security Oversight Office.
     (c) The Security Policy Board, established by a Presidential Decision Directive, shall make a recommendation to the President through the Assistant to the President for National Security Affairs with respect to the issuance of a Presidential directive on safeguarding classified information. The Presidential directive shall pertain to the handling, storage, distribution, transmittal, and destruction of and accounting for classified information.

Sec. 5.3. Information Security Oversight Office.
     (a) There is established within the Office of Management and Budget an Information Security Oversight Office. The Director of the Office of Management and Budget shall appoint the Director of the Information Security Oversight Office, subject to the approval of the President.
     (b) Under the direction of the Director of the Office of Management and Budget acting in consultation with the Assistant to the President for National Security Affairs, the Director of the Information Security Oversight Office shall:
          (1) develop directives for the implementation of this order;
          (2) oversee agency actions to ensure compliance with this order and its implementing directives;
          (3) review and approve agency implementing regulations and agency guides for systematic declassification review prior to their issuance by the agency;
          (4) have the authority to conduct on-site reviews of each agency's program established under this order, and to require of each agency those reports, information, and other cooperation that may be necessary to fulfill its responsibilities. If granting access to specific categories of classified information would pose an exceptional national security risk, the affected agency head or the senior agency official shall submit a written justification recommending the denial of access to the Director of the Office of Management and Budget within 60 days of the request for access. Access shall be denied pending a prompt decision by the Director of the Office of Management and Budget, who shall consult on this decision with the Assistant to the President for National Security Affairs;
          (5) review requests for original classification authority from agencies or officials not granted original classification authority and, if deemed appropriate, recommend Presidential approval through the Director of the Office of Management and Budget;
          (6) consider and take action on complaints and suggestions from persons within or outside the Government with respect to the administration of the program established under this order;
          (7) have the authority to prescribe, after consultation with affected agencies, standardization of forms or procedures that will promote the implementation of the program established under this order;
          (8) report at least annually to the President on the implementation of this order; and
          (9) convene and chair interagency meetings to discuss matters pertaining to the program established by this order.

Sec. 5.4. Interagency Security Classification Appeals Panel.
     (a) Establishment and Administration.
          (1) There is established an Interagency Security Classification Appeals Panel ("Panel"). The Secretaries of State and Defense, the Attorney General, the Director of Central Intelligence, the Archivist of the United States, and the Assistant to the President for National Security Affairs shall each appoint a senior level representative to serve as a member of the Panel. The President shall select the Chair of the Panel from among the Panel members.
          (2) A vacancy on the Panel shall be filled as quickly as possible as provided in paragraph (1), above.
          (3) The Director of the Information Security Oversight Office shall serve as the Executive Secretary. The staff of the Information Security Oversight Office shall provide program and administrative support for the Panel.
          (4) The members and staff of the Panel shall be required to meet eligibility for access standards in order to fulfill the Panel's functions.
          (5) The Panel shall meet at the call of the Chair. The Chair shall schedule meetings as may be necessary for the Panel to fulfill its functions in a timely manner.
          (6) The Information Security Oversight Office shall include in its reports to the President a summary of the Panel's activities.
     (b) Functions. The Panel shall:
          (1) decide on appeals by persons who have filed classification challenges under section 1.9 of this order;
          (2) approve, deny, or amend agency exemptions from automatic declassification as provided in section 3.4 of this order; and
          (3) decide on appeals by persons or entities who have filed requests for mandatory declassification review under section 3.6 of this order.
     (c) Rules and Procedures. The Panel shall issue bylaws, which shall be published in the Federal Register no later than 120 days from the effective date of this order. The bylaws shall establish the rules and procedures that the Panel will follow in accepting, considering, and issuing decisions on appeals. The rules and procedures of the Panel shall provide that the Panel will consider appeals only on actions in which:
          (1) the appellant has exhausted his or her administrative remedies within the responsible agency;
          (2) there is no current action pending on the issue within the federal courts; and
          (3) the information has not been the subject of review by the federal courts or the Panel within the past 2 years.
     (d) Agency heads will cooperate fully with the Panel so that it can fulfill its functions in a timely and fully informed manner. An agency head may appeal a decision of the Panel to the President through the Assistant to the President for National Security Affairs. The Panel will report to the President through the Assistant to the President for National Security Affairs any instance in which it believes that an agency head is not cooperating fully with the Panel.
     (e) The Appeals Panel is established for the sole purpose of advising and assisting the President in the discharge of his constitutional and discretionary authority to protect the national security of the United States. Panel decisions are committed to the discretion of the Panel, unless reversed by the President.

Sec. 5.5. Information Security Policy Advisory Council.
     (a) Establishment. There is established an Information Security Policy Advisory Council ("Council"). The Council shall be composed of seven members appointed by the President for staggered terms not to exceed 4 years, from among persons who have demonstrated interest and expertise in an area related to the subject matter of this order and are not otherwise employees of the Federal Government. The President shall appoint the Council Chair from among the members. The Council shall comply with the Federal Advisory Committee Act, as amended, 5 U.S.C. App. 2.
     (b) Functions. The Council shall:
          (1) advise the President, the Assistant to the President for National Security Affairs, the Director of the Office of Management and Budget, or such other executive branch officials as it deems appropriate, on policies established under this order or its implementing directives, including recommended changes to those policies;
          (2) provide recommendations to agency heads for specific subject areas for systematic declassification review; and
          (3) serve as a forum to discuss policy issues in dispute.
     (c) Meetings. The Council shall meet at least twice each calendar year, and as determined by the Assistant to the President for National Security Affairs or the Director of the Office of Management and Budget.
     (d) Administration.
          (1) Each Council member may be compensated at a rate of pay not to exceed the daily equivalent of the annual rate of basic pay in effect for grade GS-18 of the general schedule under section 5376 of title 5, United States Code, for each day during which that member is engaged in the actual performance of the duties of the Council.
          (2) While away from their homes or regular place of business in the actual performance of the duties of the Council, members may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in the Government service (5 U.S.C. 5703(b)).
          (3) To the extent permitted by law and subject to the availability of funds, the Information Security Oversight Office shall provide the Council with administrative services, facilities, staff, and other support services necessary for the performance of its functions.
          (4) Notwithstanding any other Executive order, the functions of the President under the Federal Advisory Committee Act, as amended, that are applicable to the Council, except that of reporting to the Congress, shall be performed by the Director of the Information Security Oversight Office in accordance with the guidelines and procedures established by the General Services Administration.

Sec. 5.6. General Responsibilities. Heads of agencies that originate or handle classified information shall:
     (a) demonstrate personal commitment and commit senior management to the successful implementation of the program established under this order;
     (b) commit necessary resources to the effective implementation of the program established under this order; and
     (c) designate a senior agency official to direct and administer the program, whose responsibilities shall include:
          (1) overseeing the agency's program established under this order, provided, an agency head may designate a separate official to oversee special access programs authorized under this order. This official shall provide a full accounting of the agency's special access programs at least annually;
          (2) promulgating implementing regulations, which shall be published in the Federal Register to the extent that they affect members of the public;
          (3) establishing and maintaining security education and training programs;
          (4) establishing and maintaining an ongoing self-inspection program, which shall include the periodic review and assessment of the agency's classified product;
          (5) establishing procedures to prevent unnecessary access to classified information, including procedures that: (i) require that a need for access to classified information is established before initiating administrative clearance procedures; and (ii) ensure that the number of persons granted access to classified information is limited to the minimum consistent with operational and security requirements and needs;
          (6) developing special contingency plans for the safeguarding of classified information used in or near hostile or potentially hostile areas;
          (7) assuring that the performance contract or other system used to rate civilian or military personnel performance includes the management of classified information as a critical element or item to be evaluated in the rating of: (i) original classification authorities; (ii) security managers or security specialists; and (iii) all other personnel whose duties significantly involve the creation or handling of classified information;
          (8) accounting for the costs associated with the implementation of this order, which shall be reported to the Director of the Information Security Oversight Office for publication; and
          (9) assigning in a prompt manner agency personnel to respond to any request, appeal, challenge, complaint, or suggestion arising out of this order that pertains to classified information that originated in a component of the agency that no longer exists and for which there is no clear successor in function.

Sec. 5.7. Sanctions.
     (a) If the Director of the Information Security Oversight Office finds that a violation of this order or its implementing directives may have occurred, the Director shall make a report to the head of the agency or to the senior agency official so that corrective steps, if appropriate, may be taken.
     (b) Officers and employees of the United States Government, and its contractors, licensees, certificate holders, and grantees shall be subject to appropriate sanctions if they knowingly, willfully, or negligently:
          (1) disclose to unauthorized persons information properly classified under this order or predecessor orders;
          (2) classify or continue the classification of information in violation of this order or any implementing directive;
          (3) create or continue a special access program contrary to the requirements of this order; or
          (4) contravene any other provision of this order or its implementing directives.
     (c) Sanctions may include reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation.
     (d) The agency head, senior agency official, or other supervisory official shall, at a minimum, promptly remove the classification authority of any individual who demonstrates reckless disregard or a pattern of error in applying the classification standards of this order.
     (e) The agency head or senior agency official shall:
          (1) take appropriate and prompt corrective action when a violation or infraction under paragraph (b), above, occurs; and
          (2) notify the Director of the Information Security Oversight Office when a violation under paragraph (b)(1), (2) or (3), above, occurs.

Part 6
General Provisions

Sec. 6.1. General Provisions.
     (a) Nothing in this order shall supersede any requirement made by or under the Atomic Energy Act of 1954, as amended, or the National Security Act of 1947, as amended. "Restricted Data" and "Formerly Restricted Data" shall be handled, protected, classified, downgraded, and declassified in conformity with the provisions of the Atomic Energy Act of 1954, as amended, and regulations issued under that Act.
     (b) The Attorney General, upon request by the head of an agency or the Director of the Information Security Oversight Office, shall render an interpretation of this order with respect to any question arising in the course of its administration.
     (c) Nothing in this order limits the protection afforded any information by other provisions of law, including the exemptions to the Freedom of Information Act, the Privacy Act, and the National Security Act of 1947, as amended. This order is not intended, and should not be construed, to create any right or benefit, substantive or procedural, enforceable at law by a party against the United States, its agencies, its officers, or its employees. The foregoing is in addition to the specific provisos set forth in sections 1.2(b), 3.2(b) and 5.4(e) of this order.
     (d) Executive Order No. 12356 of April 6, 1982, is revoked as of the effective date of this order.

Sec. 6.2. Effective Date. This order shall become effective 180 days from the date of this order.

WILLIAM J. CLINTON, THE WHITE HOUSE, April 17, 1995.

N.2.3 Executive Order 12472 (Assignment of National Security and Emergency Preparedness Telecommunications Functions)

By the authority vested in me as President by the Constitution and laws of the United States of America, including the Communications Act of 1934, as amended (47 U.S.C. 151), the National Security Act of 1947, as amended, the Defense Production Act of 1950, as amended (50 U.S.C. App. 2061), the Federal Civil Defense Act of 1950, as amended (50 U.S.C. App. 2251), the Disaster Relief Act of 1974 (42 U.S.C. 5121), Section 5 of Reorganization Plan No. 1 of 1977 (3 C.F.R. 197, 1978 Comp.), and Section 203 of Reorganization Plan No. 3 of 1978 (3 C.F.R. 389, 1978 Comp.), and in order to provide for the consolidation of assignment and responsibility for improved execution of national security and emergency preparedness telecommunications functions, it is hereby ordered as follows:

Sec. 1. The National Communications System.
     (a) There is hereby established the National Communications System (NCS). The NCS shall consist of the telecommunications assets of the entities represented on the NCS Committee of Principals and an administrative structure consisting of the Executive Agent, the NCS Committee of Principals and the Manager. The NCS Committee of Principals shall consist of representatives from those Federal departments, agencies or entities, designated by the President, which lease or own telecommunications facilities or services of significance to national security or emergency preparedness, and, to the extent permitted by law, other Executive entities which bear policy, regulatory or enforcement responsibilities of importance to national security or emergency preparedness telecommunications capabilities.
     (b) The mission of the NCS shall be to assist the President, the National Security Council, the Director of the Office of Science and Technology Policy and the Director of the Office of Management and Budget in:
          (1) the exercise of the telecommunications functions and responsibilities set forth in Section 2 of this Order; and
          (2) the coordination of the planning for and provision of national security and emergency preparedness communications for the Federal government under all circumstances, including crisis or emergency, attack, recovery and reconstitution.
     (c) The NCS shall seek to ensure that a national telecommunications infrastructure is developed which:
          (1) Is responsive to the national security and emergency preparedness needs of the President and the Federal departments, agencies and other entities, including telecommunications in support of national security leadership and continuity of government;
          (2) Is capable of satisfying priority telecommunications requirements under all circumstances through use of commercial, government and privately owned telecommunications resources;
          (3) Incorporates the necessary combination of hardness, redundancy, mobility, connectivity, interoperability, restorability and security to obtain, to the maximum extent practicable, the survivability of national security and emergency preparedness telecommunications in all circumstances, including conditions of crisis or emergency; and
          (4) Is consistent, to the maximum extent practicable, with other national telecommunications policies.
     (d) To assist in accomplishing its mission, the NCS shall:
          (1) serve as a focal point for joint industry-government national security and emergency preparedness telecommunications planning; and
          (2) establish a joint industry-government National Coordinating Center which is capable of assisting in the initiation, coordination, restoration and reconstitution of national security or emergency preparedness telecommunications services or facilities under all conditions of crisis or emergency.
     (e) The Secretary of Defense is designated as the Executive Agent for the NCS. The Executive Agent shall:
          (1) Designate the Manager of the NCS;
          (2) Ensure that the NCS conducts unified planning and operations, in order to coordinate the development and maintenance of an effective and responsive capability for meeting the domestic and international national security and emergency preparedness telecommunications needs of the Federal government;
          (3) Ensure that the activities of the NCS are conducted in conjunction with the emergency management activities of the Federal Emergency Management Agency;
          (4) Recommend, in consultation with the NCS Committee of Principals, to the National Security Council, the Director of the Office of Science and Technology Policy, or the Director of the Office of Management and Budget, as appropriate:
               a. The assignment of implementation or other responsibilities to NCS member entities;
               b. New initiatives to assist in the exercise of the functions specified in Section 2; and
               c. Changes in the composition or structure of the NCS;
          (5) Oversee the activities of and provide personnel and administrative support to the Manager of the NCS;
          (6) Provide staff support and technical assistance to the National Security Telecommunications Advisory Committee established by Executive Order No. 12382, as amended; and
          (7) Perform such other duties as are from time to time assigned by the President or his authorized designee.
     (f) The NCS Committee of Principals shall:
          (1) Serve as the forum in which each member of the Committee may review, evaluate, and present views, information and recommendations concerning ongoing or prospective national security or emergency preparedness telecommunications programs or activities of the NCS and the entities represented on the Committee;
          (2) Serve as the forum in which each member of the Committee shall report on and explain ongoing or prospective telecommunications plans and programs developed or designed to achieve national security or emergency preparedness telecommunications objectives;
          (3) Provide comments or recommendations, as appropriate, to the National Security Council, the Director of the Office of Science and Technology Policy, the Director of the Office of Management and Budget, the Executive Agent, or the Manager of the NCS, regarding ongoing or prospective activities of the NCS; and
          (4) Perform such other duties as are from time to time assigned by the President or his authorized designee.
     (g) The Manager of the NCS shall:
          (1) Develop for consideration by the NCS Committee of Principals and the Executive Agent:
               a.  A recommended evolutionary telecommunications architecture designed to meet current and future Federal government national security and emergency preparedness telecommunications requirements;
               b.  Plans and procedures for the management, allocation and use, including the establishment of priorities or preferences, of Federally owned or leased telecommunications assets under all conditions of crisis or emergency;
               c.  Plans, procedures and standards for minimizing or removing technical impediments to the interoperability of government-owned and/or commercially-provided telecommunications systems;
               d.  Test and exercise programs and procedures for the evaluation of the capability of the Nation's telecommunications resources to meet national security or emergency preparedness telecommunications requirements; and
               e.  Alternative mechanisms for funding, through the budget review process, national security or emergency preparedness telecommunications initiatives which benefit multiple Federal departments, agencies, or entities. Those mechanisms recommended by the NCS Committee of Principals and the Executive Agent shall be submitted to the Director of the Office of Management and Budget.
          (2) Implement and administer any approved plans or programs as assigned, including any system of priorities and preferences for the provision of communications service, in consultation with the NCS Committee of Principals and the Federal Communications Commission, to the extent practicable or otherwise required by law or regulation;
          (3) Chair the NCS Committee of Principals and provide staff support and technical assistance thereto;
          (4) Serve as a focal point for joint industry-government planning, including the dissemination of technical information, concerning the national security or emergency preparedness telecommunications requirements of the Federal government;
          (5) Conduct technical studies or analyses, and examine research and development programs, for the purpose of identifying, for consideration by the NCS Committee of Principals and the Executive Agent, improved approaches which may assist Federal entities in fulfilling national security or emergency preparedness telecommunications objectives;
          (6) Pursuant to the Federal Standardization Program of the General Services Administration, and in consultation with other appropriate entities of the Federal government including the NCS Committee of Principals, manage the Federal Telecommunications Standards Program, ensuring wherever feasible that existing or evolving industry, national, and international standards are used as the basis for Federal telecommunications standards; and
          (7) Provide such reports and perform such other duties as are from time to time assigned by the President or his authorized designee, the Executive Agent, or the NCS Committee of Principals. Any such assignments of responsibility to, or reports made by, the Manager shall be transmitted through the Executive Agent.

Sec. 2. Executive Office Responsibilities.
     (a) Wartime Emergency Functions.
          (1) The National Security Council shall provide policy direction for the exercise of the war power functions of the President under Section 606 of the Communications Act of 1934, as amended (47 U.S.C. 606), should the President issue implementing instructions in accordance with the National Emergencies Act (50 U.S.C. 1601).
          (2) The Director of the Office of Science and Technology Policy shall direct the exercise of the war power functions of the President under Section 606 (a), (c)-(e), of the Communications Act of 1934, as amended (47 U.S.C. 606), should the President issue implementing instructions in accordance with the National Emergencies Act (50 U.S.C. 1601).
     (b) Non-Wartime Emergency Functions.
          (1) The National Security Council shall:
               a. Advise and assist the President in coordinating the development of policy, plans, programs and standards within the Federal government for the identification, allocation, and use of the Nation's telecommunications resources by the Federal government, and by State and local governments, private industry and volunteer organizations upon request, to the extent practicable and otherwise consistent with law, during those crises or emergencies in which the exercise of the President's war power functions is not required or permitted by law; and
               b. Provide policy direction for the exercise of the President's non-wartime emergency telecommunications functions, should the President so instruct.
          (2) The Director of the Office of Science and Technology Policy shall provide information, advice, guidance and assistance, as appropriate, to the President and to those Federal departments and agencies with responsibilities for the provision, management, or allocation of telecommunications resources, during those crises or emergencies in which the exercise of the President's war power functions is not required or permitted by law;
          (3) The Director of the Office of Science and Technology Policy shall establish a Joint Telecommunications Resources Board (JTRB) to assist him in the exercise of the functions specified in this subsection. The Director of the Office of Science and Technology Policy shall serve as chairman of the JTRB; select those Federal departments, agencies, or entities which shall be members of the JTRB; and specify the functions it shall perform.
     (c) Planning and Oversight Responsibilities.
          (1) The National Security Council shall advise and assist the President in:
               a.  Coordinating the development of policy, plans, programs and standards for the mobilization and use of the Nation's commercial, government, and privately owned telecommunications resources, in order to meet national security or emergency preparedness requirements;
               b.  Providing policy oversight and direction of the activities of the NCS; and
               c.  Providing policy oversight and guidance for the execution of the responsibilities assigned to the Federal departments and agencies by this Order.
          (2) The Director of the Office of Science and Technology Policy shall make recommendations to the President with respect to the test, exercise and evaluation of the capability of existing and planned communications systems, networks or facilities to meet national security or emergency preparedness requirements and report the results of any such tests or evaluations and any recommended remedial actions to the President and to the National Security Council;
          (3) The Director of the Office of Science and Technology Policy or his designee shall advise and assist the President in the administration of a system of radio spectrum priorities for those spectrum dependent telecommunications resources of the Federal government which support national security or emergency preparedness functions. The Director also shall certify or approve priorities for radio spectrum use by the Federal government, including the resolution of any conflicts in or among priorities, under all conditions of crisis or emergency; and
          (4) The National Security Council, the Director of the Office of Science and Technology Policy and the Director of the Office of Management and Budget shall, in consultation with the Executive Agent for the NCS and the NCS Committee of Principals, determine what constitutes national security and emergency preparedness telecommunications requirements.
     (d) Consultation with Federal Departments and Agencies. In performing the functions assigned under this Order, the National Security Council and the Director of the Office of Science and Technology Policy, in consultation with each other, shall:
          (1) Consult, as appropriate, with the Director of the Office of Management and Budget; the Director of the Federal Emergency Management Agency with respect to the emergency management responsibilities assigned pursuant to Executive Order No. 12148, as amended; the Secretary of Commerce, with respect to responsibilities assigned pursuant to Executive Order No. 12046; the Secretary of Defense, with respect to communications security responsibilities assigned pursuant to Executive Order No. 12333; and the Chairman of the Federal Communications Commission or his authorized designee; and
          (2) Establish arrangements for consultation among all interested Federal departments, agencies or entities to ensure that the national security and emergency preparedness communications needs of all Federal government entities are identified; that mechanisms to address such needs are incorporated into pertinent plans and procedures; and that such needs are met in a manner consistent, to the maximum extent practicable, with other national telecommunications policies.
     (e) Budgetary Guidelines. The Director of the Office of Management and Budget, in consultation with the National Security Council and the NCS, will prescribe general guidelines and procedures for reviewing the financing of the NCS within the budgetary process and for preparation of budget estimates by participating agencies. These guidelines and procedures may provide for mechanisms for funding, through the budget review process, national security and emergency preparedness telecommunications initiatives which benefit multiple Federal departments, agencies, or entities.

Sec. 3. Assignment of Responsibilities to Other Departments and Agencies. In order to support and enhance the capability to satisfy the national security and emergency preparedness telecommunications needs of the Federal government, State and local governments, private industry and volunteer organizations, under all circumstances including those of crisis or emergency, the Federal departments and agencies shall perform the following functions:
     (a) Department of Commerce. The Secretary of Commerce shall, for all conditions of crisis or emergency:
          (1) Develop plans and procedures concerning radio spectrum assignments, priorities and allocations for use by Federal departments, agencies and entities; and
          (2) Develop, maintain and publish policy, plans, and procedures for the control and allocation of frequency assignments, including the authority to amend, modify or revoke such assignments, in those parts of the electromagnetic spectrum assigned to the Federal government.
     (b) Federal Emergency Management Agency. The Director of the Federal Emergency Management Agency shall:
          (1) Plan for and provide, operate and maintain telecommunications services and facilities, as part of its National Emergency Management System, adequate to support its assigned emergency management responsibilities;
          (2) Advise and assist State and local governments and volunteer organizations, upon request and to the extent consistent with law, in developing plans and procedures for identifying and satisfying their national security or emergency preparedness telecommunications requirements;
          (3) Ensure, to the maximum extent practicable, that national security and emergency preparedness telecommunications planning by State and local governments and volunteer organizations is mutually supportive and consistent with the planning of the Federal government; and
          (4) Develop, upon request and to the extent consistent with law and in consonance with regulations promulgated by and agreements with the Federal Communications Commission, plans and capabilities for, and provide policy and management oversight of, the Emergency Broadcast System, and advise and assist private radio licensees of the Commission in developing emergency communications plans, procedures and capabilities.
     (c) Department of State. The Secretary of State, in accordance with assigned responsibilities within the Diplomatic Telecommunications System, shall plan for and provide, operate and maintain rapid, reliable and secure telecommunications services to those Federal entities represented at United States diplomatic missions and consular offices overseas. This responsibility shall include the provision and operation of domestic telecommunications in support of assigned national security or emergency preparedness responsibilities.
     (d) Department of Defense. In addition to the other responsibilities assigned by this Order, the Secretary of Defense shall:
          (1) Plan for and provide, operate and maintain telecommunications services and facilities adequate to support the National Command Authorities and to execute the responsibilities assigned by Executive Order No. 12333; and
          (2) Ensure that the Director of the National Security Agency provides the technical support necessary to develop and maintain plans adequate to provide for the security and protection of national security and emergency preparedness telecommunications.
     (e) Department of Justice. The Attorney General shall, as necessary, review for legal sufficiency, including consistency with the antitrust laws, all policies, plans or procedures developed pursuant to responsibilities assigned by this Order.
     (f) Central Intelligence Agency. The Director of Central Intelligence shall plan for and provide, operate, and maintain telecommunications services adequate to support its assigned responsibilities, including the dissemination of intelligence within the Federal government.
     (g) General Services Administration. Except as otherwise assigned by this Order, the Administrator of General Services, consistent with policy guidance provided by the Director of the Office of Management and Budget, shall ensure that Federally owned or managed domestic communications facilities and services meet the national security and emergency preparedness requirements of the Federal civilian departments, agencies and entities.
     (h) Federal Communications Commission. The Federal Communications Commission shall, consistent with Section 4(c) of this Order:
          (1) Review the policies, plans and procedures of all entities licensed or regulated by the Commission that are developed to provide national security or emergency preparedness communications services, in order to ensure that such policies, plans and procedures are consistent with the public interest, convenience and necessity;
          (2) Perform such functions as required by law with respect to all entities licensed or regulated by the Commission, including (but not limited to) the extension, discontinuance or reduction of common carrier facilities or services; the control of common carrier rates, charges, practices and classifications; the construction, authorization, activation, deactivation or closing of radio stations, services and facilities; the assignment of radio frequencies to Commission licensees; the investigation of violations of pertinent law and regulation; and the initiation of appropriate enforcement actions;
          (3) Develop policy, plans and procedures adequate to execute the responsibilities assigned in this Order under all conditions of crisis or emergency; and
          (4) Consult as appropriate with the Executive Agent for the NCS and the NCS Committee of Principals to ensure continued coordination of their respective national security and emergency preparedness activities.
     (i) All Federal departments and agencies, to the extent consistent with law (including those authorities and responsibilities set forth in Section 4(c) of this Order), shall:
          (1) Determine their national security and emergency preparedness telecommunications requirements, and provide information regarding such requirements to the Manager of the NCS;
          (2) Prepare policies, plans and procedures concerning telecommunications facilities, services or equipment under their management or operational control to maximize their capability of responding to the national security or emergency preparedness needs of the Federal government;
          (3) Provide, after consultation with the Director of the Office of Management and Budget, resources to support their respective requirements for national security and emergency preparedness telecommunications; and provide personnel and staff support to the Manager of the NCS as required by the President;
          (4) Make information available to, and consult with, the Manager of the NCS regarding agency telecommunications activities in support of national security or emergency preparedness;
          (5) Consult, consistent with the provisions of Executive Order No. 12046, as amended, and in conjunction with the Manager of the NCS, with the Federal Communications Commission regarding execution of responsibilities assigned by this Order;
          (6) Submit reports annually, or as otherwise requested, to the Manager of the NCS, regarding agency national security or emergency preparedness telecommunications activities; and
          (7) Cooperate with and assist the Executive Agent for the NCS, the NCS Committee of Principals, the Manager of the NCS, and other departments and agencies in the execution of the functions set forth in this Order, furnishing them such information, support and assistance as may be required.
     (j) Each Federal department or agency shall execute the responsibilities assigned by this Order in conjunction with the emergency management activities of the Federal Emergency Management Agency, and in regular consultation with the Executive Agent for the NCS and the NCS Committee of Principals to ensure continued coordination of NCS and individual agency telecommunications activities.

Sec. 4. General Provisions.
     (a) All Executive departments and agencies may issue such rules and regulations as may be necessary to carry out the functions assigned under this Order.
     (b) In order to reflect the assignments of responsibility provided by this Order,
          (1) Sections 2-414, 4-102, 4-103, 4-202, 4-302, 5-3, and 6-101 of Executive Order No. 12046, as amended, are revoked;
          (2) The Presidential Memorandum of August 21, 1963, as amended, entitled "Establishment of the National Communications System", is hereby superseded; and
          (3) Section 2-411 of Executive Order No. 12046, as amended, is further amended by deleting the period and inserting ", except as otherwise provided by Executive Order No. " and inserting the number assigned to this Order.
     (c) Nothing in this Order shall be deemed to affect the authorities or responsibilities of the Director of the Office of Management and Budget, or any Office or official thereof; or reassign any function assigned any agency under the Federal Property and Administrative Services Act of 1949, as amended; or under any other law; or any function vested by law in the Federal Communications Commission.

Sec. 5. This Order shall be effective upon publication in the Federal Register.

RONALD REAGAN, THE WHITE HOUSE, April 3, 1984.

N.2.4 National Security Directive 42⁵ (National Policy for the Security of National Security Telecommunications and Information Systems)

Continuing advances in microelectronics technology have stimulated an unprecedented growth in the demand for and supply of telecommunications and information processing services within the government and throughout the private sector. As new technologies have been applied, traditional distinctions between telecommunications and information systems have begun to disappear.

5 The text presented was released to Marc Rotenberg, Electronic Privacy Information Center, under the Freedom of Information Act and is available on-line at http://snyside.sunnyside.com/cpsr/privacy/computer_security/nsd_42.txt.

Although this trend promises greatly improved efficiency and effectiveness, it also poses significant security challenges.
Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the foreign intelligence threat. The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements. A comprehensive and coordinated approach must be taken to protect the government's national security telecommunications and information systems (national security systems) against current and projected threats. This approach must include mechanisms for formulating policy, overseeing systems security resources programs, and coordinating and executing technical activities.
This Directive establishes initial objectives of policies, and an organizational structure to guide the conduct of activities to secure national security systems from exploitation; establishes a mechanism for policy development and dissemination; and assigns responsibilities for implementation. It is intended to ensure full participation and cooperation among the various existing centers of technical expertise throughout the Executive branch, and to promote a coherent and coordinated defense against the foreign intelligence threat to these systems. This Directive recognizes the special requirements for protection of intelligence sources and methods.

1. Objectives. Ensuring the security of national security systems is vitally important to the operational effectiveness of the national security activities of the government and to military combat readiness. I, therefore, direct that the government's capabilities for securing national security systems against technical exploitation threats be maintained or, if inadequate, improved to provide for:
     a.  Reliable and continuing assessment of threats and vulnerabilities, and implementation of appropriate effective countermeasures;
     b.  A technical base within the U.S. Government to achieve this security, and initiatives with the private sector to maintain, complement, or enhance that government technical base and to ensure information systems security products are available to secure national security systems; and
     c.  Effective and efficient application of U.S. Government resources.

2. Policies. In support of these objectives the following policies are established:
     a.  U.S. Government national security systems shall be secured by such means as are necessary to prevent compromise, denial, or exploitation;
     b.  Federal agencies shall require that national security systems operated and maintained by U.S. Government contractors likewise be secured.

3. Implementation. This Directive establishes an NSC Policy Coordinating Committee for National Security Telecommunications and Information Systems, an interagency group at the operating level, an executive agent and a national manager to implement these objectives and policies.

4. National Security Council/Policy Coordinating Committee for National Security Telecommunications and Information Systems.

The National Security Council/Policy Coordinating Committee (PCC) for National Security Telecommunications, chaired by the Department of Defense, under the authority of National Security Directives 1 and 10, assumed the responsibility for the National Security Telecommunications NSDD 97 Steering Group. By authority of this Directive, the PCC for National Security Telecommunications is renamed the PCC for National Security Telecommunications and Information Systems, and shall expand its authority to include the responsibilities to protect the government's national security telecommunications and information systems. When addressing issues concerning the security of national security telecommunications and information systems, the membership of the PCC shall be expanded to include representatives of the Secretary of State, the Secretary of the Treasury, the Attorney General, the Secretary of Energy, the Secretary of Commerce, and the Director of Central Intelligence. The National Manager for National Security Telecommunications and Information Systems Security shall be invited as an observer. The Policy Coordinating Committee shall:
     a. Oversee the implementation of this Directive;
     b. Develop policy recommendations and provide guidance to the operating level National Security Telecommunications and Information Systems Security Committee (NSTISSC);
     c. Review and resolve matters referred to it by the NSTISSC in fulfilling the responsibilities outlined in paragraph 5, below;
     d. Be subject to the policies of the Director of Central Intelligence on matters pertaining to the protection of intelligence sources and methods; and,
     e. Recommend for Presidential approval additions or revisions to this Directive as national interests may require.

5. The National Security Telecommunications and Information Systems Security Committee.

     a. The NSTISSC is established to consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards as necessary to implement provisions of this Directive. The Committee shall be chaired by the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and shall be composed of a voting representative of each of the following:

The Secretary of State
The Secretary of the Treasury
The Secretary of Defense
The Attorney General
The Secretary of Commerce
The Secretary of Transportation
The Secretary of Energy
Director, Office of Management and Budget
Assistant to the President for National Security Affairs
Director of Central Intelligence
Chairman of the Joint Chiefs of Staff
Director, Federal Bureau of Investigation
Director, Federal Emergency Management Agency
Administrator, General Services Administration
The Chief of Staff, United States Army
The Chief of Naval Operations
The Chief of Staff, United States Air Force
Commandant, United States Marine Corps
Director, National Security Agency
Manager, National Communications System
Director, Defense Intelligence Agency

     b. The NSTISSC shall:
          (1) Develop such specific operating policies, procedures, guidelines, instructions, standards, objectives, and priorities as may be required to implement this Directive;
          (2) Provide systems security guidance for national security systems to Executive departments and agencies;
          (3) Submit annually to the Executive Agent an evaluation of the security status of national security systems with respect to established objectives and priorities;
          (4) Approve the release of cryptologic national security systems technical security material, information, and techniques to foreign governments or international organizations. The concurrence of the Director of Central Intelligence shall be obtained with respect to those activities which he manages;
          (5) Establish and maintain a national system for promulgating the operating policies, instructions, directives, and guidance which may be issued pursuant to this Directive;
          (6) Establish permanent and temporary subcommittees as necessary to discharge its responsibilities;
          (7) Make recommendations to the PCC for NSTISSC membership and establish criteria and procedures for permanent observers from other departments or agencies affected by specific matters under deliberation, who may attend meetings upon invitation of the Chairman; and,
          (8) Interact, as necessary, with the National Communications System Committee of Principals established by Executive Order 12472 to ensure the coordinated execution of assigned responsibilities.
     c. The Committee shall have two subcommittees, one focusing on telecommunications security and one focusing on information systems security. The two subcommittees shall coordinate their actions and recommendations concerning implementation of protective measures, which shall combine and coordinate both areas where appropriate.
     d. The Committee shall have a permanent secretariat composed of personnel of the National Security Agency and such other personnel from Executive departments and agencies represented on the Committee as are requested by the Chairman. The National Security Agency shall provide facilities and support as required. Other Executive departments and agencies shall provide facilities and support as requested by the Chairman.

6. The Executive Agent of the Government for National Security Telecommunications and Information Systems Security.
     
     a. Consistent with the authority for communications security given the Secretary of Defense in Executive Order 12333, the Secretary of Defense shall serve as Executive Agent of the Government for National Security Telecommunications and Information Systems Security and shall be responsible for implementing, under his signature, policies and procedures to:
          (1) Ensure the development, in conjunction with Committee member departments and agencies, of plans and programs to fulfill the objectives of this Directive, including the development of necessary security architectures;
          (2) Procure for and provide to Executive departments and agencies and, where appropriate, to government contractors and foreign governments, consistent with the laws of the United States, such technical security material, other technical assistance, and other related services of common concern as required to accomplish the objectives of this Directive;
          (3) Approve and provide minimum security standards and doctrine for systems subject to this Directive; (U)
          (4) Conduct, approve, or endorse research and development of techniques and equipment to secure national security systems; and,
          (5) Operate, or coordinate the efforts of, U.S. Government technical centers related to national security telecommunications and information systems security.
     b. The Executive Agent shall review and assess the National Manager's recommendations on the proposed national security telecommunications and information systems security programs and budgets for the Executive departments and agencies. Where appropriate, alternative systems security recommendations will be provided to agency heads, to National Security Council Committees and to the OMB. In addition, the Executive Agent shall submit, annually, the security status of national security systems with respect to established objectives and priorities through the National Security Council to the President.

7. The National Manager for National Security Telecommunications and Information Systems Security.

The Director, National Security Agency, is designated the National Manager for National Security Telecommunications and Information Systems Security and is responsible to the Secretary of Defense as Executive Agent for carrying out the foregoing responsibilities. In fulfilling these responsibilities the National Manager shall:
     a. Examine U.S. Government national security systems and evaluate their vulnerability to foreign interception and exploitation. Any such activities, including those involving monitoring of official telecommunications, shall be conducted in strict compliance with law, Executive Order and implementing procedures, and applicable Presidential directive. No monitoring shall be performed without advising the heads of the agencies, departments, or services concerned;
     b. Act as the U.S. Government focal point for cryptography, telecommunications systems security, and information systems security for national security systems;
     c. Conduct, approve, or endorse research and development of techniques and equipment to secure national security systems;
     d. Review and approve all standards, techniques, systems, and equipment related to the security of national security systems;
     e. Conduct foreign computer security and communications security liaison, including entering into agreements with foreign governments and with international and private organizations regarding national security systems, except for those foreign intelligence relationships conducted for intelligence purposes by the Director of Central Intelligence. Any such agreements shall be coordinated with affected departments and agencies;
     f. Operate such printing and fabrication facilities as may be required to perform critical functions related to the provisions of cryptographic and other technical security material or services;
     g. Assess the overall security posture of and disseminate information on threats to and vulnerabilities of national security systems;
     h. Operate a central technical center to evaluate and certify the security of national security telecommunications and information systems;
     i. Prescribe the minimum standards, methods and procedures for protecting cryptographic and other technical security material, techniques, and information related to national security systems;
     j. Review and assess annually the national security telecommunications systems security programs and budgets of Executive departments and agencies of the U.S. Government, and recommend alternatives, where appropriate, for the Executive Agent;
     k. Review annually the aggregated national security information systems security program and budget recommendations of the Executive departments and agencies of the U.S. Government for the Executive Agent;
     l. Request from the heads of Executive departments and agencies such information and technical support as may be needed to discharge the responsibilities assigned herein;
     m. Coordinate with the National Institute for Standards and Technology in accordance with the provisions of the Computer Security Act of 1987 (P.L. 100-235); and
     n. Enter into agreements for the procurement of technical-security material and other equipment, and their provision to Executive departments and agencies, where appropriate, to government contractors, and foreign governments.

8. The Heads of Executive Departments and Agencies shall:

     a. Be responsible for achieving and maintaining secure national security systems within their departments or agencies;
     b. Ensure that policies, procedures, guidelines, instructions, and standards issued pursuant to this Directive are implemented within their departments or agencies; and
     c. Provide to the NSTISSC, the Executive Agent, and the National Manager, as appropriate, such information as may be required to discharge responsibilities assigned herein, consistent with relevant law, Executive Order, and Presidential directive.

9. Additional Responsibilities. The Director, Office of Management and Budget, shall:
     a. Specify data to be provided during the annual budget review by Executive departments and agencies on program and budgets relating to security of their national security systems;
     b. Consolidate and provide such data to the National Manager via the Executive Agent; and
     c. Review for consistency with this Directive, and amend as appropriate, OMB policies and regulations which may pertain to the subject matter herein.

10. Nothing in this Directive shall:
     
     a. Alter or supersede the existing authorities of the Director of Central Intelligence;
     b. Authorize the Committee, the Executive Agent, or the National Manager authority to examine the facilities of other Executive departments and agencies without approval of the head of such department or agency, nor to request or collect information concerning their operation for any purpose not provided for herein;
     c. Amend or contravene the provisions of existing law, Executive Order, or Presidential directive which pertain to the protection of sensitive information, to the protection of national security information, to the privacy aspects or financial management of information systems or to the administrative requirements for safeguarding such resources against fraud, waste, and abuse;
     d. Provide authority to issue policies, procedures, guidelines, instructions, standards, or priorities or operate programs concerning security of systems other than national security systems;
     e. Be intended to establish additional review processes for the procurement of information processing systems;
     f. Alter or rescind policies or programs begun under PD-24 or NSDD-145 that may be pertinent to national security systems. Policies or programs retained pursuant to this provision shall not be construed to apply to systems within the purview of the Computer Security Act of 1987 (P.L. 100-235); or

[NOTE: In documents received, approximately two paragraphs of material deleted by redaction of text in this place.]

11. For the purposes of this Directive the following terms shall have the meanings indicated:
     
     a. Telecommunications means the preparation, transmission, communications or related processing of information (writing, images, sounds or other data) by electrical, electromagnetic, electromechanical, electro-optical, or electronic means;
     b. Information Systems means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data and includes computer software, firmware, and hardware;
     c. Telecommunications and Information Systems Security means protection afforded to telecommunications and information systems in order to prevent exploitation through interception, unauthorized electronic access, or related technical intelligence threats, and to ensure authenticity. Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems which generate, store, process, transfer, or communicate information of use to an adversary, and also includes the physical protection of technical security material and technical security information;
     d. Technical security material means equipment, components, devices, and associated documentation or other media which pertain to cryptography or to the securing of telecommunications and information systems;
     e. National security systems are those telecommunications and information systems operated by the U.S. Government, its contractors, or agents that contain classified information or, as set forth in 10 U.S.C. Section 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions.

12. Except for ongoing telecommunications protection activities mandated by and pursuant to PD-24 and NSDD-145, NSDD-145 is hereby rescinded.

July 5, 1990

N.3 MEMORANDUMS OF UNDERSTANDING (MOU) AND AGREEMENT (MOA)

N.3.1 National Security Agency/National Institute of Standards and Technology MOU

Memorandum of Understanding Between the Director of the National Institute of Standards and Technology and the Director of the National Security Agency Concerning the Implementation of Public Law 100-235

Recognizing that:

     A.  Under Section 2 of the Computer Security Act of 1987 (Public Law 100-235), (the Act), the National Institute of Standards and Technology (NIST) has the responsibility within the Federal Government for:
          1. Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems as defined in the Act; and,
          2. Drawing on the computer system technical security guidelines of the National Security Agency (NSA) in this regard where appropriate.
     B.  Under Section 3 of the Act, the NIST is to coordinate closely with other agencies and offices, including the NSA, to assure:
          1. Maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and,
          2. To the maximum extent feasible, that standards developed by the NIST under the Act are consistent and compatible with standards and procedures developed for the protection of classified information in Federal computer systems.
     C.  Under the Act, the Secretary of Commerce has the responsibility, which he has delegated to the Director of NIST, for appointing the members of the Computer System Security and Privacy Advisory Board, at least one of whom shall be from the NSA.

Therefore, in furtherance of the purposes of this MOU, the Director of the NIST and the Director of the NSA hereby agree as follows:

     I.  The NIST will:
          1. Appoint to the Computer Security and Privacy Advisory Board at least one representative nominated by the Director of the NSA.
          2. Draw upon computer system technical security guidelines developed by the NSA to the extent that the NIST determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems.
          3. Recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation.
          4. Develop telecommunications security standards for protecting sensitive unclassified computer data, drawing upon the expertise and products of the National Security Agency, to the greatest extent possible, in meeting these responsibilities in a timely and cost effective manner.
          5. Avoid duplication where possible in entering into mutually agreeable arrangements with the NSA for the NSA support.
          6. Request the NSA's assistance on all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement.

     II.  The NSA will:
          1. Provide the NIST with technical guidelines in trusted technology, telecommunications security, and personal identification that may be used in cost-effective systems for protecting sensitive computer data.
          2. Conduct or initiate research and development programs in trusted technology, telecommunications security, cryptographic techniques and personal identification methods.
          3. Be responsive to the NIST's requests for assistance in respect to all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement.
          4. Establish the standards and endorse products for application to secure systems covered in 10 USC Section 2315 (the Warner Amendment).
          5. Upon request by Federal agencies, their contractors, and other government-sponsored entities, conduct assessments of the hostile intelligence threat to federal information systems, and provide technical assistance and recommend endorsed products for application to secure systems against that threat.
     III. The NIST and the NSA shall:
          1. Jointly review agency plans for the security and privacy of computer systems submitted to NIST and NSA pursuant to section 6(b) of the Act.
          2. Exchange technical standards and guidelines as necessary to achieve the purposes of the Act.
          3. Work together to achieve the purposes of this memorandum with the greatest efficiency possible, avoiding unnecessary duplication of effort.
          4. Maintain an ongoing, open dialogue to ensure that each organization remains abreast of emerging technologies and issues affecting automated information system security in computer-based systems.
          5. Establish a Technical Working Group to review and analyze issues of mutual interest pertinent to protection of systems that process sensitive or other unclassified information. The Group shall be composed of six federal employees, three each selected by NIST and NSA and to be augmented as necessary by representatives of other agencies. Issues may be referred to the group by either the NSA Deputy Director for Information Security or the NIST Deputy Director or may be generated and addressed by the group upon approval by the NSA DDI or NIST Deputy Director. Within days of the referral of an issue to the Group by either the NSA Deputy Director for Information Security or the NIST Deputy Director, the Group will respond with a progress report and plan for further analysis, if any.
          6. Exchange work plans on an annual basis on all research and development projects pertinent to protection of systems that process sensitive or other unclassified information, including trusted technology, for protecting the integrity and availability of data, telecommunications security and personal identification methods. Project updates will be exchanged quarterly, and project reviews will be provided by either party upon request of the other party.
          7. Ensure the Technical Working Group reviews prior to public disclosure all matters regarding technical systems security techniques to be developed for use in protecting sensitive information in federal computer systems to ensure they are consistent with the national security of the United States. If NIST and NSA are unable to resolve such an issue within 60 days, either agency may elect to raise the issue to the Secretary of Defense and the Secretary of Commerce. It is recognized that such an issue may be referred to the President through the NSC for resolution. No action shall be taken on such an issue until it is resolved.
          8. Specify additional operational agreements in annexes to this MOU as they are agreed to by NSA and NIST.
     IV. Either party may elect to terminate this MOU upon six months written notice. This MOU is effective upon approval of both signatories.

RAYMOND G. KAMMER, Acting Director, National Institute of Standards and Technology, 24 March 1989

W.O. STUDEMAN, Vice Admiral, U.S. Navy; Director, National Security Agency, 23 March 1989

N.3.2 National Security Agency/Federal Bureau of Investigation MOU

Memorandum of Understanding Between Federal Bureau of Investigation and National Security Agency

(u) 1. Purpose. This Memorandum of Understanding (MOU) implements those portions of the Department of Defense E.O. 12036 replaced by 12333 (see 12333 para. 3.6) procedures that regulate the provision by NSA of specialized equipment, technical knowledge, and expert personnel to the FBI. (The applicable procedures are attached.)

(u) 2. Background. The National Security Agency possesses unique skills and equipment developed to support its cryptologic mission. In the past, the Federal Bureau of Investigation has requested, and NSA has provided, assistance related to these skills and equipment for both the Bureau's intelligence and law enforcement functions. Section 2-309(c) of E.O. 12036 permits NSA to continue providing such assistance.

(u) 3. Agreement. The undersigned parties, representing their respective agencies, hereby agree to the following procedures for requesting and providing such assistance in the future:
     a.  When the FBI determines that the assistance of NSA is needed to accomplish its lawful functions, the FBI shall:
          (1) determine whether the requested assistance involves the Bureau's intelligence or law enforcement missions. Since a counterintelligence or counterterrorism intelligence investigation can develop into a law enforcement investigation, the following guidelines will be used to determine which type of investigation the FBI is conducting. A counterintelligence or counterterrorism investigation which is undertaken to protect against espionage and other clandestine intelligence activities, sabotage, international terrorist activities or assassinations conducted for or on behalf of foreign powers does not have a law enforcement purpose until such time as the focus of the investigation shifts from intelligence gathering to prosecution.
          (2) coordinate with the appropriate NSA element to determine whether NSA is capable of providing the assistance;
          (3) notify the Office of General Counsel, NSA, that a request for assistance is being considered; and
          (4) if NSA is able to provide the assistance, provide a certification to the General Counsel, NSA, that the assistance is necessary to accomplish one or more of the FBI's lawful functions. In normal circumstances, this certification shall be in writing and signed by an Assistant Director or more senior official. If the assistance involves provision of expert personnel and is for a law enforcement purpose, the certification must be signed by the Director, FBI, and shall include affirmation of the facts necessary to establish the provisions of Section 4.A., Procedure 16, DoD Regulation 5240.1-R. In an emergency, the certification may be oral, but it shall be subsequently confirmed in writing. If the assistance requested is for the support of an activity that may only be conducted pursuant to court order or Attorney General authorization, the certification shall include a copy of the order or authorization. If the requested assistance is to support an intelligence investigation which subsequently develops into a law enforcement investigation, the FBI shall provide the additional supporting data required by Procedure 16.
     b.  When the FBI requests assistance from NSA, NSA shall:
          (1) determine whether it is capable of providing the requested assistance;
          (2) determine whether the assistance is consistent with NSA policy, including protection of sources and methods;
          (3) agree to provide assistance within its capabilities and when consistent with NSA policy after receipt of the certification discussed in a.(4) above; and
          (4) if the assistance requires the detailing of expert personnel, observe the administrative requirements of Procedures 16 and 17, DoD regulation 5240.1-R.

(u) 4. Effective Date. This MOU is effective upon signature by the parties below. It remains in effect until superseded by a new MOU or until Section 2-309(c) of E.O. 12036 is revised. Changes to this MOU may be made by joint agreement of the undersigned or their successors.

WILLIAM H. WEBSTER, Director, Federal Bureau of Investigation

B.R. INMAN, Vice Admiral, U.S. Navy, Director, NSA/Chief, CSS

N.3.3 National Security Agency/Advanced Research Projects Agency/Defense Information Systems Agency MOA

Information Systems Security Research Joint Technology Office Memorandum of Agreement Between The Advanced Research Projects Agency, The Defense Information Systems Agency, and The National Security Agency Concerning The Information Systems Security Research Joint Technology Office

Purpose

The Advanced Research Projects Agency (ARPA), the Defense Information Systems Agency (DISA), and the National Security Agency (NSA) agree to the establishment of the Information System Security Research Joint Technology Office (ISSR-JTO) as a joint activity. The ISSR-JTO is being established to coordinate the information systems security research programs of ARPA and NSA. The ISSR-JTO will work to optimize use of the limited research funds available, and strengthen the responsiveness of the programs to DISA, expediting delivery of technologies that meet DISA's requirements to safeguard the confidentiality, integrity, authenticity, and availability of data in Department of Defense information systems, provide a robust first line of defense for defensive information warfare, and permit electronic commerce between the Department of Defense and its contractors.

Background

In recent years, exponential growth in government and private sector use of networked systems to produce and communicate information has given rise to a shared interest by NSA and ARPA in focusing government R&D on information systems security technologies. NSA and its primary network security customer, DISA, have become increasingly reliant upon commercial information technologies and services to build the Defense Information Infrastructure, and the inherent security of these technologies and services has become a vital concern. From ARPA's perspective, it has become increasingly apparent that security is critical to the success of key ARPA information technology initiatives. ARPA's role in fostering the development of advanced information technologies now requires close attention to the security of these technologies.

NSA's security technology plan envisions maximum use of commercial technology for sensitive but unclassified applications, and, to the extent possible, for classified applications as well. A key element of this plan is the transfer of highly reliable government-developed technology and techniques to industry for integration into commercial off-the-shelf products, making quality-tested security components available not only to DoD but to the full spectrum of government and private sector users as well. ARPA is working with its contractor community to fully integrate security into next generation computing technologies being developed in all its programs, and working with the research community to develop strategic relationships with industry so that industry will develop modular security technologies with the capability of exchanging appropriate elements to meet various levels of required security.

NSA and ARPA now share a strong interest in promoting the development and integration of security technology for advanced information systems applications. The challenge at hand is to guide the efforts of the two agencies in a way that optimizes use of the limited research funds available and maximizes support to DISA in building the Defense Information Infrastructure.

NSA acts as the U.S. Government's focal point for cryptography, telecommunications security, and information systems security for national security systems. It conducts, approves, or endorses research and development of techniques and equipment to secure national security systems. NSA reviews and approves all standards, techniques, systems, and equipment related to the security of national security systems. NSA's primary focus is to provide information systems security products, services, and standards in the near term to help its customers protect classified and national security-related sensitive but unclassified information. It develops and assesses new security technology in the areas of cryptography, technical security, and authentication technology; endorses cryptographic systems protecting national security information; develops infrastructure support technologies; evaluates and rates trusted computer and network products; and provides information security standards for DoD. Much of the work in these areas is conducted in a classified environment, and the balancing of national security and law enforcement equities has been a significant constraint.

ARPA's mission is to perform research and development that helps the Department of Defense to maintain U.S. technological superiority over potential adversaries. At the core of the ARPA mission is the goal to develop and demonstrate revolutionary technologies that will fundamentally enhance the capability of the military. ARPA's role in fostering the development of advanced computing and communications technologies for use by the DoD requires that long term solutions to increasing the security of these systems be developed. ARPA is interested in commercial or dual-use technology, and usually technology that provides revolutionary rather than evolutionary enhancements to capabilities. ARPA is working with industry and academia to develop technologies that will enable industry to provide system design methodologies and secure computer, operating system, and networking technologies. NSA and ARPA research interests have been converging in these areas, particularly with regard to protocol development involving key, token, and certificate exchanges and processes.

One of the key differences between ARPA's work and NSA's is that ARPA's is performed in unclassified environments, often in university settings. This enables ARPA to access talent and pursue research strategies normally closed to NSA due to security considerations. Another difference is that while NSA's research is generally built around developing and using specific cryptographic algorithms, ARPA's approach is to pursue solutions that are independent of the algorithm used and allow for modularly replaceable cryptography. ARPA will, to the greatest extent possible, allow its contractor community to use cryptography developed at NSA, and needs solutions from NSA on an expedited basis so as not to hold up its research program.

DISA functions as the Department of Defense's information utility. Its requirements for information systems security extend beyond confidentiality to include protection of data from tampering or destruction and assurance that data exchanges are originated and received by valid participants. DISA is the first line of defense for information warfare, and needs quality technology for detecting and responding to network penetrations. The growing vulnerability of the Defense information infrastructure to unauthorized access and use, demonstrated in the penetration of hundreds of DoD computer systems during 1994, makes delivery of enabling security technologies to DISA a matter of urgency.

The Information Systems Security Research Joint Technology Office

This MOA authorizes the ISSR-JTO as a joint undertaking of ARPA, DISA, and NSA. It will perform those functions jointly agreed to by these agencies. Each agency shall delegate to the ISSO-JTO such authority and responsibility as is necessary to carry out its agreed functions. Participation in the joint program does not relieve ARPA, DISA, or NSA of their respective individual charter responsibilities, or diminish their respective authorities.

A Joint Management Plan will be developed to provide a detailed definition of the focus, objectives, operation, and costs of the Joint Technology Office. The ISSR-JTO will be jointly staffed by ARPA, DISA, and NSA, with respective staffing levels to be agreed upon by the three parties. Employees assigned to the JTO will remain on the billets of their respective agency. Personnel support for employees assigned to the JTO will be provided by their home organization. The ISSR-JTO will be housed within both ARPA and NSA, except as agreed otherwise by the three parties. To the greatest extent possible, it will function as a virtual office, using electronic connectivity to minimize the need for constant physical colocation. Physical security support will be provided by the party responsible for the specific facilities occupied. Assignment of the ISSR-JTO Director, Deputy Director, and management of other office elements will be made by mutual agreement among the Directors of ARPA, DISA, and NSA upon recommendation of their staffs.

Functions

By mutual agreement of ARPA, DISA, and NSA, the ISSR-JTO will perform the following joint functions:

· Review and coordinate all Information System Security Research programs at ARPA and NSA to ensure that there is no unnecessary duplication, that the programs are technically sound, that they are focused on customer requirements where available, and that long term research is aimed at revolutionary increases in DoD security capabilities.

·  Support ARPA and NSA in evaluating proposals and managing projects arising from their information systems security efforts, and maintain a channel for the exchange of technical expertise to support their information systems security research programs.

· Provide long range strategic planning for information systems security research. Provide concepts of future architectures which include security as an integral component and a road map for the products that need to be developed to fit the architectures, taking into account anticipated DoD information systems security research needs for command and control, intelligence, support functions, and electronic commerce. The long range security program will explore technologies which extend security research boundaries.

·  Develop measures of the effectiveness of the information systems security research programs in reducing vulnerabilities.

·  Work with DISA, other defense organizations, academic, and industrial organizations to take new information systems security research concepts and apply them to selected prototype systems and testbed projects.

·  Encourage the U.S. industrial base to develop commercial products with built-in security to be used in DoD systems. Develop alliances with industry to raise the level of security in all U.S. systems. Bring together private sector leaders in information systems security research to advise the JTO and build consensus for the resulting programs.

·  Identify areas for which standards need to be developed for information systems security.

·  Facilitate the availability and use of NSA certified cryptography within information systems security research programs.

·  Proactively provide a coherent, integrated joint vision of the program in internal and public communications.

Program Oversight and Revisions

The Director, ISSR-JTO, has a joint reporting responsibility to the Directors of ARPA, DISA, and NSA. The Director, ISSR-JTO, will conduct a formal Program Status Review for the Directors of ARPA, DISA, and NSA on an annual basis, and will submit mid-year progress reports between formal reviews. Specific reporting procedures and practices of the JTO to ARPA, DISA, and NSA will be detailed in the Joint Technology Management Plan. This MOA will be reviewed at least annually, and may be revised at any time, based on the mutual consent of ARPA, DISA, and NSA, to assure the effective execution of the joint initiative. Any of the parties may withdraw from participation in the MOA upon six months written notice. The MOA is effective 2 April 1995.

Dr. Gary L. Denman, Director, ARPA
LtGen Albert J. Edmonds, Director, DISA
VADM John M. McConnell, Director, NSA
Dr. Anita K. Jones, Director, DDR&E
Emmett Paige, Jr., Assistant Secretary of Defense for Command, Control, Communications and Intelligence

N.4 REGULATIONS

N.4.1 International Traffic in Arms Regulations (22 CFR, Excerpts from Parts 120-123, 125, and 126)
Part 120 Purpose and Definitions
Sec. 120.1—General authorities and eligibility.

(a) Section 38 of the Arms Export Control Act (22 U.S.C. 2778) authorizes the President to control the export and import of defense articles and defense services. The statutory authority of the President to promulgate regulations with respect to exports of defense articles and defense services was delegated to the Secretary of State by Executive Order 11958, as amended (42 FR 4311). This subchapter implements that authority. By virtue of delegations of authority by the Secretary of State, these regulations are primarily administered by the Director of the Office of Defense Trade Controls, Bureau of Politico-Military Affairs, Department of State.

(b) Authorized Officials. All authorities conferred upon the Director of the Office of Defense Trade Controls by this subchapter may be exercised at any time by the Under Secretary of State for International Security Affairs, the Assistant Secretary of State for Politico-Military Affairs, or the Deputy Assistant Secretary of State for Politico-Military Affairs responsible for supervising the Office of Defense Trade Controls unless the Legal Adviser or the Assistant Legal Adviser for Politico-Military Affairs of the Department of State determines that any specific exercise of this authority under this subsection may be inappropriate.

(c) Eligibility. Only U.S. persons (as defined in Sec. 120.15) and foreign governmental entities in the United States may be granted licenses or other approvals (other than retransfer approvals sought pursuant to this subchapter). Foreign persons (as defined in Sec. 120.16) other than governments are not eligible. U.S. persons who have been convicted of violating the criminal statutes enumerated in Sec. 120.27, who have been debarred pursuant to part 127 or 128 of this subchapter, who are the subject of an indictment involving the criminal statutes enumerated in Sec. 120.27, who are ineligible to contract with, or to receive a license or other form of authorization to import defense articles or defense services from any agency of the U.S. Government, who are ineligible to receive export licenses (or other forms of authorization to export) from any agency of the U.S. Government, who are subject to Department of State Suspension/Revocation under Sec. 126.7 (a)(1)-(a)(7) of this subchapter, or who are ineligible under Sec. 127.6(c) of this subchapter are generally ineligible. Applications for licenses or other approvals will be considered only if the applicant has registered with the Office of Defense Trade Controls pursuant to part 122 of this subchapter. All applications and requests for approval must be signed by a U.S. person who has been empowered by the registrant to sign such documents....

Sec. 120.3—Policy on designating and determining defense articles and services.

An article or service may be designated or determined in the future to be a defense article (see Sec. 120.6) or defense service (see Sec. 120.9) if it:

     (a) Is specifically designed, developed, configured, adapted, or modified for a military application, and
(i) Does not have predominant civil applications, and
(ii) Does not have performance equivalent (defined by form, fit and function) to those of an article or service used for civil applications; or
     (b) Is specifically designed, developed, configured, adapted, or modified for a military application, and has significant military or intelligence applicability such that control under this subchapter is necessary.

The intended use of the article or service after its export (i.e., for a military or civilian purpose) is not relevant in determining whether the article or service is subject to the controls of this subchapter. Any item covered by the U.S. Munitions List must be within the categories of the U.S. Munitions List. The scope of the U.S. Munitions List shall be changed only by amendments made pursuant to section 38 of the Arms Export Control Act (22 U.S.C. 2778).

Sec. 120.4—Commodity jurisdiction.

(a) The commodity jurisdiction procedure is used with the U.S. Government if doubt exists as to whether an article or service is covered by the U.S. Munitions List. It may also be used for consideration of a redesignation of an article or service currently covered by the U.S. Munitions List. The Department must submit a report to Congress at least 30 days before any item is removed from the U.S. Munitions List. Upon written request, the Office of Defense Trade Controls shall provide a determination of whether a particular article or service is covered by the U.S. Munitions List. The determination, consistent with Secs. 120.2, 120.3, and 120.4, entails consultation among the Departments of State, Defense, Commerce and other U.S. Government agencies and industry in appropriate cases.

(b) Registration with the Office of Defense Trade Controls as defined in part 122 of this subchapter is not required prior to submission of a commodity jurisdiction request. If it is determined that the commodity is a defense article or service covered by the U.S. Munitions List, registration is required for exporters, manufacturers, and furnishers of defense articles and defense services (see part 122 of this subchapter).

(c) Requests shall identify the article or service, and include a history of the product's design, development and use. Brochures, specifications and any other documentation related to the article or service shall be submitted in seven collated sets.

     (d)(1) A determination that an article or service does not have predominant civil applications shall be made by the Department of State, in accordance with this subchapter, on a case-by-case basis, taking into account:
(i) The number, variety and predominance of civil applications;
(ii) The nature, function and capability of the civil applications; and
(iii) The nature, function and capability of the military applications.
(2) A determination that an article does not have the performance equivalent, defined by form, fit and function, to those used for civil applications shall be made by the Department of State, in accordance with this subchapter, on a case-by-case basis, taking into account:
(i) The nature, function, and capability of the article;
(ii) Whether the components used in the defense article are identical to those components originally developed for civil use.

Note: The form of the item is its defined configuration, including the geometrically measured configuration, density, and weight or other visual parameters which uniquely characterize the item, component or assembly. For software, form denotes language, language level and media. The fit of the item is its ability to physically interface or interconnect with or become an integral part of another item. The function of the item is the action or actions it is designed to perform.

(3) A determination that an article has significant military or intelligence applications such that it is necessary to control its export as a defense article shall be made, in accordance with this subchapter, on a case-by-case basis, taking into account:
(i) The nature, function, and capability of the article;
(ii) The nature of controls imposed by other nations on such items (including COCOM and other multilateral controls), and
(iii) That items described on the COCOM Industrial List shall not be designated defense articles or defense services unless the failure to control such items on the U.S. Munitions List would jeopardize significant national security or foreign policy interests.

(e) The Office of Defense Trade Controls will provide a preliminary response within 10 working days of receipt of a complete request for commodity jurisdiction. If after 45 days the Office of Defense Trade Controls has not provided a final commodity jurisdiction determination, the applicant may request in writing to the Director, Center for Defense Trade that this determination be given expedited processing.

(f) State, Defense and Commerce will resolve commodity jurisdiction disputes in accordance with established procedures. State shall notify Defense and Commerce of the initiation and conclusion of each case.

(g) A person may appeal a commodity jurisdiction determination by submitting a written request for reconsideration to the Director of the Center for Defense Trade. The Center for Defense Trade will provide a written response of the Director's determination within 30 days of receipt of the appeal. If desired, an appeal of the Director's decision can then be made directly to the Assistant Secretary for Politico-Military Affairs....

Sec. 120.6—Defense article.

Defense article means any item or technical data designated in Sec. 121.1 of this subchapter. The policy described in Sec. 120.3 is applicable to designations of additional items. This term includes technical data recorded or stored in any physical form, models, mockups or other items that reveal technical data directly relating to items designated in Sec. 121.1 of this subchapter. It does not include basic marketing information on function or purpose or general system descriptions....

Sec. 120.9—Defense service.

Defense service means:

     (1) The furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles; or
     (2) The furnishing to foreign persons of any technical data controlled under this subchapter (see Sec. 120.10), whether in the United States or abroad.

Sec. 120.10—Technical data.

Technical data means, for purposes of this subchapter:

     (1) Information, other than software as defined in Sec. 120.10(d), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions and documentation.
     (2) Classified information relating to defense articles and defense services;
     (3) Information covered by an invention secrecy order;
     (4) Software as defined in Sec. 121.8(f) of this subchapter directly related to defense articles;
     (5) This definition does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain as defined in Sec. 120.11. It also does not include basic marketing information on function or purpose or general system descriptions of defense articles.

Sec. 120.11—Public domain.

Public domain means information which is published and which is generally accessible or available to the public:

     (1) Through sales at newsstands and bookstores;
     (2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
     (3) Through second class mailing privileges granted by the U.S. Government;
     (4) At libraries open to the public or from which the public can obtain documents;
     (5) Through patents available at any patent office;
     (6) Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
     (7) Through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency (see also Sec. 125.4(b)(13) of this subchapter);
     (8) Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community. Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls. University research will not be considered fundamental research if:

(i)  The University or its researchers accept other restrictions on publication of scientific and technical information resulting from the project or activity, or
(ii)  The research is funded by the U.S. Government and specific access and dissemination controls protecting information resulting from the research are applicable. ...

Sec. 120.14—Person.

Person means a natural person as well as a corporation, business association, partnership, society, trust, or any other entity, organization or group, including governmental entities. If a provision in this subchapter does not refer exclusively to a foreign person (Sec. 120.16) or U.S. person (Sec. 120.15), then it refers to both.

Sec. 120.15—U.S. person.

U.S. person means a person (as defined in Sec. 120.14 of this part) who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, society, trust or any other entity, organization or group that is incorporated to do business in the United States. It also includes any governmental (federal, state or local) entity. It does not include any foreign person as defined in Sec. 120.16 of this part.

Sec. 120.16—Foreign person.

Foreign person means any natural person who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions).

Sec. 120.17—Export.

Export means:

     (1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or
     (2) Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or
     (3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or
     (4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
     (5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad....

Sec. 120.18—Temporary import.

Temporary import means bringing into the United States from a foreign country any defense article that is to be returned to the country from which it was shipped or taken, or any defense article that is in transit to another foreign destination. Temporary import includes withdrawal of a defense article from a customs bonded warehouse or foreign trade zone for the purpose of returning it to the country of origin or country from which it was shipped or for shipment to another foreign destination. Permanent imports are regulated by the Department of the Treasury (see 27 CFR parts 47, 178 and 179).

Sec. 120.19—Reexport or retransfer.

Reexport or retransfer means the transfer of defense articles or defense services to an end use, end user or destination not previously authorized.

Sec. 120.20—License.

License means a document bearing the word license issued by the Director, Office of Defense Trade Controls or his authorized designee which permits the export or temporary import of a specific defense article or defense service controlled by this subchapter.

Sec. 120.21—Manufacturing license agreement.

An agreement (e.g., contract) whereby a U.S. person grants a foreign person an authorization to manufacture defense articles abroad and which involves or contemplates:

(a) The export of technical data (as defined in Sec. 120.10) or defense articles or the performance of a defense service; or

(b) The use by the foreign person of technical data or defense articles previously exported by the U.S. person. (See part 124 of this subchapter.)

Sec. 120.22—Technical assistance agreement.

An agreement (e.g., contract) for the performance of a defense service(s) or the disclosure of technical data, as opposed to an agreement granting a right or license to manufacture defense articles. Assembly of defense articles is included under this section, provided production rights or manufacturing know-how are not conveyed. Should such rights be transferred, Sec. 120.21 is applicable. (See part 124 of this subchapter.)

Sec. 120.23—Distribution agreement.

An agreement (e.g., a contract) to establish a warehouse or distribution point abroad for defense articles exported from the United States for subsequent distribution to entities in an approved sales territory (see part 124 of this subchapter) ...

Part 121 The United States Munitions List
Sec. 121.1—General. The United States Munitions List.

     (a) The following articles, services and related technical data are designated as defense articles and defense services pursuant to sections 38 and 47(7) of the Arms Export Control Act (22 U.S.C. 2778 and 2794(7)). Changes in designations will be published in the Federal Register. Information and clarifications on whether specific items are defense articles and services under this subchapter may appear periodically in the Defense Trade News published by the Center for Defense Trade....

Category XIII Auxiliary Military Equipment....

     (b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefor, including:
(1)  Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment and software as follows:
(i) Restricted to decryption functions specifically designed to allow the execution of copy protected software, provided the decryption functions are not user-accessible.
(ii) Specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions.
(iii) Employing only analog techniques to provide the cryptographic processing that ensures information security in the following applications:
(A) Fixed (defined below) band scrambling not exceeding 8 bands and in which the transpositions change not more frequently than once every second;
(B) Fixed (defined below) band scrambling exceeding 8 bands and in which the transpositions change not more frequently than once every ten seconds;
(C) Fixed (defined below) frequency inversion and in which the transpositions change not more frequently than once every second;
(D) Facsimile equipment;
(E) Restricted audience broadcast equipment;
(F) Civil television equipment.

Note: Special Definition. For purposes of this subparagraph, fixed means that the coding or compression algorithm cannot accept externally supplied parameters (e.g., cryptographic or key variables) and cannot be modified by the user.

(iv) Personalized smart cards using cryptography restricted for use only in equipment or systems exempted from the controls of the USML.
(v) Limited to access control, such as automatic teller machines, self-service statement printers or point of sale terminals, which protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password of PIN protection.
(vi) Limited to data authentication which calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication.
(vii) Restricted to fixed data compression or coding techniques.
(viii) Limited to receiving for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption and where digital decryption is limited to the video, audio or management functions.
(ix) Software designed or modified to protect against malicious computer damage (e.g., viruses).

Note: A procedure has been established to facilitate the expeditious transfer to the Commodity Control List of mass market software products with encryption that meet specified criteria regarding encryption for the privacy of data and the associated key management. Requests to transfer commodity jurisdiction of mass market software products designed to meet the specified criteria may be submitted in accordance with the commodity jurisdiction provisions of Sec. 120.4. Questions regarding the specified criteria or the commodity jurisdiction process should be addressed to the Office of Defense Trade Controls. All mass market software products with cryptography that were previously granted transfers of commodity jurisdiction will remain under Department of Commerce control. Mass market software governed by this note is software that is generally available to the public by being sold from stock at retail selling points, without restriction, by means of over the counter transactions, mail order transactions, or telephone call transactions; and designed for installation by the user without further substantial support by the supplier.

(2)  Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software which have the capability of generating spreading or hopping codes for spread spectrum systems or equipment.
(3)  Cryptanalytic systems, equipment, assemblies, modules, integrated circuits, components or software.
(4)  Systems, equipment, assemblies, modules, integrated circuits, components or software providing certified or certifiable multi-level security or user isolation

Page 645

exceeding class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) and software to certify such systems, equipment or software.
(5)  Ancillary equipment specifically designed or modified for paragraphs (b) (1), (2), (3), (4) and (5) of this category; ...

Category XXI Miscellaneous Articles

     (a) Any article not specifically enumerated in the other categories of the U.S. Munitions List which has substantial military applicability and which has been specifically designed or modified for military purposes. The decision on whether any article may be included in this category shall be made by the Director of the Office of Defense Trade Controls.

     (b) Technical data (as defined in Sec. 120.21 of this subchapter) and defense services (as defined in Sec. 120.8 of this subchapter) directly related to the defense articles enumerated in paragraphs (a) of this category....

Part 122 Registration of Manufacturers and Exporters
Sec. 122.1—Registration requirements.

     (a) Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register with the Office of Defense Trade Controls. Manufacturers who do not engage in exporting must nevertheless register.

     (b) Exemptions. Registration is not required for:
(1)  Officers and employees of the United States Government acting in an official capacity.
(2)   Persons whose pertinent business activity is confined to the production of unclassified technical data only.
(3)  Persons all of whose manufacturing and export activities are licensed under the Atomic Energy Act of 1954, as amended.
(4)  Persons who engage only in the fabrication of articles for experimental or scientific purpose, including research and development.

     (c) Purpose. Registration is primarily a means to provide the U.S. Government with necessary information on who is involved in certain manufacturing and exporting activities. Registration does not confer any export rights or privileges. It is generally a precondition to the issuance of any license or other approval under this subchapter.

Page 646

Sec. 122.2—Submission of registration statement.

     (a) General. The Department of State Form DSP-9 (Registration Statement) and the transmittal letter required by paragraph (b) of this section must be submitted by an intended registrant with a payment by check or money order payable to the Department of State of one of the fees prescribed in Sec. 122.3(a) of this subchapter. The Registration Statement and transmittal letter must be signed by a senior officer who has been empowered by the intended registrant to sign such documents. The intended registrant shall also submit documentation that demonstrates that it is incorporated or otherwise authorized to do business in the United States. The Office of Defense Trade Controls will return to the sender any Registration Statement that is incomplete, or that is not accompanied by the required letter or payment of the proper registration fee.

     (b) Transmittal letter. A letter of transmittal, signed by an authorized senior officer of the intended registrant, shall accompany each Registration Statement.
(1)   The letter shall state whether the intended registrant, chief executive officer, president, vice-presidents, other senior officers or officials (e.g. comptroller, treasurer, general counsel) or any member of the board of directors:
(i)   Has ever been indicted for or convicted of violating any of the U.S. criminal statutes enumerated in Sec. 120.27 of this subchapter; or
(ii)  Is ineligible to contract with, or to receive a license or other approval to import defense articles or defense services from, or to receive an export license or other approval from, any agency of the U.S. Government.
(2)   The letter shall also declare whether the intended registrant is owned or controlled by foreign persons (as defined in Sec. 120.16 of this subchapter). If the intended registrant is owned or controlled by foreign persons, the letter shall also state whether the intended registrant is incorporated or otherwise authorized to engage in business in the United States.

(c) Definition. For purposes of this section, ownership means that more than 50 percent of the outstanding voting securities of the firm are owned by one or more foreign persons. Control means that one or more foreign persons have the authority or ability to establish or direct the general policies or day-to-day operations of the firm. Control is presumed to exist where foreign persons own 25 percent or more of the outstanding voting securities if no U.S. persons control an equal or larger percentage. The standards for control specified in 22 CFR 60.2(c) also provide guidance in determining whether control in fact exists....

Part 123 Licenses for the Export of Defense Articles
Sec. 123.7—Exports to warehouses or distribution points outside the United States.

Page 647

Unless the exemption under Sec. 123.16(b)(1) is used, a license is required to export defense articles to a warehouse or distribution point outside the United States for subsequent resale and will normally be granted only if an agreement has been approved pursuant to Sec. 124.14 of this subchapter...

Sec. 123.9—Country of ultimate destination and approval of reexports or retransfers.

     (a) The country designated as the country of ultimate destination on an application for an export license, or on a Shipper's Export Declaration where an exemption is claimed under this subchapter, must be the country of ultimate end-use. The written approval of the Office of Defense Trade Controls must be obtained before reselling, transferring, transshipping, or disposing of a defense article to any end user, end use or destination other than as stated on the export license, or on the Shipper's Export Declaration in cases where an exemption is claimed under this subchapter. Exporters must ascertain the specific end-user and end-use prior to submitting an application to the Office of Defense Trade Controls or claiming an exemption under this subchapter.

     (b) The exporter shall incorporate the following statement as an integral part of the bill of lading, and the invoice whenever defense articles on the U.S. Munitions List are to be exported:
"These commodities are authorized by the U.S. Government for export only to country of ultimate destination for use by end-user. They may not be transferred, transshipped on a non-continuous voyage, or otherwise be disposed of in any other country, either in their original form or after being incorporated into other end-items, without the prior written approval of the U.S. Department of State."

     (c) A U.S. person or a foreign person requesting approval for the reexport or retransfer, or change in end-use, of a defense article shall submit a written request which shall be subject to all the documentation required for a permanent export license (see Sec. 123.1) and shall contain the following:
(1) The license number under which the defense article was previously authorized for export from the United States;
(2) A precise description, quantity and value of the defense article;
(3) A description of the new end-use; and
(4) Identification of the new end-user.

     (d) The written approval of the Office of Defense Trade Controls must be obtained before reselling, transferring, transshipping on a non-continuous voyage, or disposing of a defense article in any country other than the country of ultimate destination, or anyone other than the authorized end-user, as stated on the Shipper's Export Declaration in cases where an exemption is claimed under this subchapter.

Page 648

     (e) Reexports or retransfers of U.S.-origin components incorporated into a foreign defense article to a government of a NATO country, or the governments of Australia or Japan, are authorized without the prior written approval of the Office of Defense Trade Controls, provided:
(1)  The U.S.-origin components were previously authorized for export from the United States, either by a license or an exemption;
(2)  The U.S.-origin components are not significant military equipment, the items are not major defense equipment sold under a contract in the amount of $14,000,000 ($14 million) or more; the articles are not defense articles or defense services sold under a contract in the amount of $50,000,000 ($50 million) or more; and are not identified in part 121 of this subchapter as Missile Technology Control Regime (MTCR) items; and
(3)  The person reexporting the defense article must provide written notification to the Office of Defense Trade Controls of the retransfer not later than 30 days following the reexport. The notification must state the articles being reexported and the recipient government.
(4)  In certain cases, the Director, Office of Defense Trade Controls, may place retransfer restrictions on a license prohibiting use of this exemption.

Sec. 123.10—Non transfer and use assurances.

(a) A nontransfer and use certificate (Form DSP-83) is required for the export of significant military equipment and classified articles including classified technical data. A license will not be issued until a completed Form DSP-83 has been received by the Office of Defense Trade Controls. This form is to be executed by the foreign consignee, foreign end-user, and the applicant. The certificate stipulates that, except as specifically authorized by prior written approval of the Department of State, the foreign consignee and foreign end-user will not reexport, resell or otherwise dispose of the significant military equipment enumerated in the application outside the country named as the location of the foreign end-use or to any other person.

(b) The Office of Defense Trade Controls may also require a DSP-83 for the export of any other defense articles or defense services.

(c) When a DSP-83 is required for an export of any defense article or defense service to a non-governmental foreign end-user, the Office of Defense Trade Controls may require as a condition of issuing the license that the appropriate authority of the government of the country of ultimate destination also execute the certificate....

Page 649

Part 125 Licenses for the Export of Technical Data and Classified Defense Articles
Sec. 125.1—Exports subject to this part.

     (a) The controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the public domain (see Sec. 120.11 of this subchapter and Sec. 125.4(b)(13)) is not subject to the controls of this subchapter.

     (b) A license for the export of technical data and the exemptions in Sec. 125.4 may not be used for foreign production purposes or for technical assistance unless the approval of the Office of Defense Trade Controls has been obtained. Such approval is generally provided only pursuant to the procedures specified in part 124 of this subchapter.

     (c) Technical data authorized for export may not be reexported, transferred or diverted from the country of ultimate end-use or from the authorized foreign end-user (as designated in the license or approval for export) or disclosed to a national of another country without the prior written approval of the Office of Defense Trade Controls.

     (d) The controls of this part apply to the exports referred to in paragraph (a) of this section regardless of whether the person who intends to export the technical data produces or manufactures defense articles if the technical data is determined by the Office of Defense Trade Controls to be subject to the controls of this subchapter.

     (e) The provisions of this subchapter do not apply to technical data related to articles in Category VI(e) and Category XVI. The export of such data is controlled by the Department of Energy and the Nuclear Regulatory Commission pursuant to the Atomic Energy Act of 1954, as amended, and the Nuclear Non-Proliferation Act of 1978.

Sec. 125.2—Exports of unclassified technical data.

     (a) A license (DSP-5) is required for the export of unclassified technical data unless the export is exempt from the licensing requirements of this subchapter. In the case of a plant visit, details of the proposed discussions must be transmitted to the Office of Defense Trade Controls for an appraisal of the technical data. Seven copies of the technical data or the details of the discussion must be provided.

     (b) Patents. A license issued by the Office of Defense Trade Controls is required for the export of technical data whenever the data exceeds that which is

Page 650

used to support a domestic filing of a patent application or to support a foreign filing of a patent application whenever no domestic application has been filed. Requests for the filing of patent applications in a foreign country, and requests for the filing of amendments, modifications or supplements to such patents, should follow the regulations of the U.S. Patent and Trademark Office in accordance with 37 CFR part 5. The export of technical data to support the filing and processing of patent applications in foreign countries is subject to regulations issued by the U.S. Patent and Trademark Office pursuant to 35 U.S.C. 184.

     (c) Disclosures. Unless otherwise expressly exempted in this subchapter, a license is required for the oral, visual or documentary disclosure of technical data by U.S. persons to foreign persons. A license is required regardless of the manner in which the technical data is transmitted (e.g., in person, by telephone, correspondence, electronic means, etc.). A license is required for such disclosures by U.S. persons in connection with visits to foreign diplomatic missions and consular offices ...

Sec. 125.4—Exemptions of general applicability.

     (a) The following exemptions apply to exports of unclassified technical data for which approval is not needed from the Office of Defense Trade Controls. These exemptions, except for paragraph (b)(13) of this section, do not apply to exports to proscribed destinations under Sec. 126.1 of this subchapter or for persons considered generally ineligible under Sec. 120.1(c) of this subchapter. The exemptions are also not applicable for purposes of establishing offshore procurement arrangements. If Sec. 126.8 of this subchapter requirements are applicable, they must be met before an exemption under this section may be used. Transmission of classified information must comply with the requirements of the Department of Defense Industrial Security Manual and the exporter must certify to the transmittal authority that the technical data does not exceed the technical limitation of the authorized export.

     (b) The following exports are exempt from the licensing requirements of this subchapter.
(1)  Technical data, including classified information, to be disclosed pursuant to an official written request or directive from the U.S. Department of Defense;
(2)  Technical data, including classified information, in furtherance of a manufacturing license or technical assistance agreement approved by the Department of State under part 124 of this subchapter and which meet the requirements of Sec. 124.3 of this subchapter;
(3)  Technical data, including classified information, in furtherance of a contract between the exporter and an agency of the U.S. Government, if the contract provides for the export of the data and such data does not disclose the details of design, development, production, or manufacture of any defense article;
(4)  Copies of technical data, including classified information, previously authorized for export to the same recipient. Revised copies of such technical data are

Page 651

also exempt if they pertain to the identical defense article, and if the revisions are solely editorial and do not add to the content of technology previously exported or authorized for export to the same recipient;
(5)  Technical data, including classified information, in the form of basic operations, maintenance, and training information relating to a defense article lawfully exported or authorized for export to the same recipient. Intermediate or depot-level repair and maintenance information may be exported only under a license or agreement approved specifically for that purpose;
(6)  Technical data, including classified information, related to firearms not in excess of caliber .50 and ammunition for such weapons, except detailed design, development, production or manufacturing information;
(7)  Technical data, including classified information, being returned to the original source of import;
(8)  Technical data directly related to classified information which has been previously exported or authorized for export in accordance with this part to the same recipient, and which does not disclose the details of the design, development, production, or manufacture of any defense article;
(9)  Technical data, including classified information, sent by a U.S. corporation to a U.S. person employed by that corporation overseas or to a U.S. Government agency. This exemption is subject to the limitations of Sec. 125.1(b) and may be used only if:
(i)  The technical data is to be used overseas solely by U.S. persons;
(ii) If the U.S. person overseas is an employee of the U.S. Government or is directly employed by the U.S. corporation and not by a foreign subsidiary; and
(iii) The classified information is sent overseas in accordance with the requirements of the Department of Defense Industrial Security Manual.
(10) Disclosures of unclassified technical data in the U.S. by U.S. institutions of higher learning to foreign persons who are their bona fide and full time regular employees. This exemption is available only if:
(i)  The employee's permanent abode throughout the period of employment is in the United States;
(ii) The employee is not a national of a country to which exports are prohibited pursuant to Sec. 126.1 of this subchapter; and
(iii) The institution informs the individual in writing that the technical data may not be transferred to other foreign persons without the prior written approval of the Office of Defense Trade Controls;
(11) Technical data, including classified information, for which the exporter, pursuant to an arrangement with the Department of Defense, Department of Energy or NASA which requires such exports, has been granted an exemption in writing from the licensing provisions of this part by the Office of Defense Trade Controls. Such an exemption will normally be granted only if the arrangement directly implements an international agreement to which the United States is a party and if multiple exports are contemplated. The Office of Defense Trade Controls, in consultation with the relevant U.S. Government agencies, will determine whether the interests of the United States Government are best served by expediting exports under an arrangement through an exemption (see also paragraph (b)(3) of this section for a related exemption);

Page 652

(12) Technical data which is specifically exempt under part 126 of this subchapter; or
(13) Technical data approved for public release (i.e., unlimited distribution) by the cognizant U.S. Government department or agency or Directorate for Freedom of Information and Security Review. This exemption is applicable to information approved by the cognizant U.S. Government department or agency for public release in any form. It does not require that the information be published in order to qualify for the exemption....

Sec. 125.8—Filing of licenses for exports of unclassified technical data.

     (a) Licenses for the export of unclassified technical data must be presented to the appropriate District Director of Customs or Postmaster at the time of shipment or mailing. The District Director of Customs or Postmaster will endorse and transmit the licenses to the Office of Defense Trade Controls in accordance with the instructions contained on the reverse side of the license.

     (b) If a license for the export of unclassified technical data is used but not endorsed by U.S. Customs or a Postmaster for whatever reason (e.g., electronic transmission, unavailability of Customs officer or Postmaster, etc.), the person exporting the data must self-endorse the license, showing when and how the export took place. Every license must be returned to the Office of Defense Trade Controls when the total value authorized has been shipped or when the date of expiration has been reached, whichever occurs first....

Part 126 General Policies and Provisions
Sec. 126.1—Prohibited exports and sales to certain countries.

     (a) It is the policy of the United States to deny licenses, other approvals, exports and imports of defense articles and defense services, destined for or originating in certain countries. This policy applies to: Albania, Armenia, Azerbaijan, Bulgaria, Byelarus, Cambodia, Cuba, Estonia, Georgia, Iran, Iraq, Libya, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Mongolia, North Korea, Romania, Russia, South Africa, Syria, Tajikistan, Turkmenistan, Ukraine, Uzbekistan and Vietnam. This policy also applies to countries with respect to which the United States maintains an arms embargo (e.g., Burma, China, Liberia, Somalia, the Sudan, the former Yugoslavia, and Zaire) or whenever an export would not otherwise be in furtherance of world peace and the security and foreign policy of the United States. Comprehensive arms embargoes are normally the subject of a State Department notice published in the Federal Register. The exemptions provided in the regulations in this subchapter, except Secs. 123.17 and

Page 653

125.4(b)(13) of this subchapter, do not apply with respect to articles originating in or for export to any proscribed countries or areas.

     (b) Shipments. A defense article licensed for export under this subchapter may not be shipped on a vessel, aircraft or other means of conveyance which is owned or operated by, or leased to or from, any of the proscribed countries or areas.

     (c) South Africa. South Africa is subject to an arms embargo and thus to the policy specified in paragraph (a) of this section. Exceptions may be made to this policy only if the Assistant Secretary for Politico-Military Affairs determines that:
(1)  The item is not covered by United Nations Security Council Resolution 418 of November 4, 1977; and
(2)  The item is to be exported solely for commercial purposes and not for use by the armed forces, police, or other security forces of South Africa or for any other similar purpose.

     (d) Terrorism. Exports to countries which the Secretary of State has determined to have repeatedly provided support for acts of international terrorism are contrary to the foreign policy of the United States and are thus subject to the policy specified in paragraph (a) of this section and the requirements of section 40 of the Arms Export Control Act (22 U.S.C. 2780) and the Omnibus Diplomatic Security and Anti-Terrorism Act of 1986 (22 U.S.C. 4801, note). The countries in this category are: Cuba, Iran, Iraq, Libya, North Korea and Syria. The same countries are identified pursuant to section 6(j) of the Export Administration Act, as amended (50 U.S.C. App. 2405(j)).

     (e) Proposed sales. No sale or transfer and no proposal to sell or transfer any defense articles, defense services or technical data subject to this subchapter may be made to any country referred to in this section (including the embassies or consulates of such a country), or to any person acting on its behalf, whether in the United States or abroad, without first obtaining a license or written approval of the Office of Defense Trade Controls. However, in accordance with paragraph (a) of this section, it is the policy of the Department of State to deny licenses and approvals in such cases. Any person who knows or has reason to know of such a proposed or actual sale, or transfer, of such articles, services or data must immediately inform the Office of Defense Trade Controls....

Sec. 126.5—Canadian exemptions.

     (a) District Directors of Customs and postmasters shall permit the export or temporary import without a license of any unclassified defense article or any unclassified technical data to Canada for end-use in Canada by Canadian citizens or return to the United States, or from Canada for end-use in the United States or

Page 654

return to a Canadian citizen in Canada, with the exception of the articles or related technical data listed in paragraph (b) of this section.

     (b) Exceptions. The exemptions of this section do not apply to the following articles and related technical data....
(7) Technical data for use by a foreign national other than a Canadian.
(8) Unclassified technical data directly related to a classified defense article....

Sec. 126.7—Denial, revocation, suspension, or amendment of licenses and other approvals.

     (a) Policy. Licenses or approvals shall be denied or revoked whenever required by any statute of the United States (see Secs. 127.6 and 127.10 of this subchapter). Any application for an export license or other approval under this subchapter may be disapproved, and any license or other approval or exemption granted under this subchapter may be revoked, suspended, or amended without prior notice whenever:
(1)  The Department of State deems such action to be in furtherance of world peace, the national security or the foreign policy of the United States, or is otherwise advisable; or
(2)  The Department of State believes that 22 U.S.C. 2778, any regulation contained in this subchapter, or the terms of any U.S. Government export authorization (including the terms of a manufacturing license or technical assistance agreement, or export authorization granted pursuant to the Export Administration Act, as amended) has been violated by any party to the export or other person having significant interest in the transaction; or ....

     (b) Notification. The Office of Defense Trade Controls will notify applicants or licensees or other appropriate United States persons of actions taken pursuant to paragraph (a) of this section. The reasons for the action will be stated as specifically as security and foreign policy considerations permit....

Sec. 126.9—Advisory opinions.

Any person desiring information as to whether the Office of Defense Trade Controls would be likely to grant a license or other approval for the export of a particular defense article or defense service to a particular country may request an advisory opinion from the Office of Defense Trade Controls. These opinions are not binding on the Department of State and are revocable. A request for an advisory opinion must be made in writing and must outline in detail the equipment, its usage, the security classification (if any) of the articles or related technical data, and the country or countries involved. An original and seven copies of the letter must be provided along with seven copies of suitable descriptive information concerning the defense article or defense service....

Page 655

N.4.2 Export Administration Regulations
Part 779 
Technical Data
Sec. 779.1 Definitions.6

     (a) Technology, technical data, technical assistance, and software.7 These terms are defined in Supplement No. 3 to Sec. 799.1 of this subchapter. The terminology used in this part 779 will be changed in the future to conform to the terms and definitions used in Supplement No. 3 to part Sec. 799.1 of this subchapter and in other parts of this subchapter. In the interim, the term "technical data" as used in this part 779, is understood to include both "technology" (i.e., technical data and technical assistance) and "software". If the term "software" is cited separately, the term refers only to software as defined in Supplement No. 3 to Sec. 799.1 of this subchapter.

     (b) Export of technical data8,9
(1) Export of technical data. "Export of technical data" means
(i) An actual shipment or transmission of technical data out of the United States;10
(ii) Any release of technical data in the United States with the knowledge or intent that the data will be shipped or transmitted from the United States to a foreign country; or
(iii) Any release of technical data of U.S.-origin in a foreign country.
(2) Release of technical data. Technical data may be released for export through:
(i) Visual inspection by foreign nationals of U.S.-origin equipment and facilities;

6 See Sec. 770.2 for definitions of other terms used in this part.

7 The provisions of part 779 do not apply to "classified" technical data, i.e., technical data that have been officially assigned a security classification (e.g., "top secret", "secret", or "confidential") by an officer or agency of the U.S. Government. The export of classified technical data is controlled by the Center for Defense Trade of the U.S. Department of State or the U.S. Nuclear Regulatory Commission, Washington, DC.

8 License applications for, or questions about, the export of technical data relating to commodities which are licensed by U.S. Government agencies other than the U.S. Department of Commerce shall be referred to such other appropriate U.S. Government agency for consideration (see Sec. 770.10 of this subchapter).

9 Patent attorneys and others are advised to consult the U.S. Patent Office, U.S. Department of Commerce, Washington, DC 20231, regarding the U.S. Patent Office regulations concerning the filing of patent applications or amendments in foreign countries. In addition to the regulations issued by the U.S. Patent Office, technical data contained in or related to inventions made in foreign countries or in the United States, are also subject to the U.S. Department of Commerce regulations covering the export of technical data, in the same manner as the export of other types of technical data.

10 As used in this Part 779, the United States includes its possessions and territories.

Page 656

(ii) Oral exchanges of information in the United States or abroad; and
(iii) The application to situations abroad of personal knowledge or technical experience acquired in the United States.

     (c) Reexport of technical data. "Reexport of technical data" means an actual shipment or transmission from one foreign country to another, or any release of technical data of U.S. origin in a foreign country with the knowledge or intent that the data will be shipped or transmitted to another foreign country. Technical data may be released for reexport through:
(1) Visual inspection of U.S.-origin equipment and facilities abroad;
(2) Oral exchanges of information abroad; and
(3) The application to situations abroad of personal knowledge or technical experience acquired in the United States.

     (d) Direct product. The term "direct product" means the immediate product (including processes and services) produced directly by the use of technical data.

Sec. 779.2 Licenses to export.

Except as provided in Sec. 770.3(a) of this subchapter, an export of technical data must be made under either a U.S. Department of Commerce general license or a validated export license. (See Secs. 771.1 and 772.2 of this subchapter for definitions of "general" and "validated" licenses.) General Licenses GTDA and GTDR (see Secs. 779.3 and 779.4) apply to specific types of exports of technical data. A validated license is required for any export of technical data where these general licenses do not apply, except in the case of certain exports to Canada.11,12

Sec. 779.3 General License GTDA: Technical data available to all destinations.

Note: In this Sec. 779.3 the word information means "technical data" as used in this part (i.e., "technology" and "software" as defined in Supplement No. 3 to Sec. 799.1 of this subchapter).

11 An export of technical data to Canada may be made without either a validated or general license, unless a validated license is required to Canada by a specific subcategory D or E ECCN on the CCL.

12 Although the Bureau of Export Administration may provide general information on licensing policies regarding the prospects of approval of various types of export control actions, including actions with respect to technical data, normally it will give a formal judgement respecting a specific request for an action only upon the actual submission of a formal application or request setting forth all of the facts relevant to the export transaction and supported by all required documentation. Advice is always available, however, regarding any questions as to the applicability of a general license. Such questions should be submitted by letter to the U.S. Department of Commerce, Bureau of Export Administration, P.O. Box 273, Washington, DC 20044.

Page 657

     (a) Establishment of general license. A General License GTDA is hereby established authorizing:
(1) Unrestricted export to any destination of information that is already publicly available or will be made publicly available as described in paragraph (b) of this section;
(2) Unrestricted export to any destination of information arising during or resulting from fundamental research, as described in paragraph (c) of this section;

Note: Paragraphs (a)(1) and (a)(2) of this section do not authorize the export of data contained in a patent application for purposes of filing and/or publishing for opposition abroad. Such exports are controlled by the U.S. Patent and Trademark Office and must be licensed by that office. See EAR Sec. 770.10(j).

(3) Release of educational information, as described in paragraph (d) of this section; and

(4) Export of information in connection with certain patent applications, as described in paragraph (e) of this section.

Note 1: See paragraph (f) regarding Government sponsored research covered by contractual national security controls and the note following this section regarding consulting and training. Use of General License GTDA is subject to the prohibitions of Sec. 771.2(c) (1), (4), and (9), but not to the other prohibitions of Sec. 771.2(c).

Note 2: Supplement No. 5 to part 779 contains explanatory questions and answers about the use of General License GTDA. Certain paragraphs of this Sec. 779.3 are followed by references to relevant questions and answers in supplement No. 5.

     (b) Publicly available. Information is made public and so becomes "publicly available" when it becomes generally accessible to the interested public in any form, including:
(1)  Publication in periodicals, books, print, electronic, or any other media available for general distribution to any member of the public or to a community of persons, such as those in a scientific or engineering discipline, interested in the subject matter either free or at a price that does not exceed the cost of reproduction and distribution (see Questions A(1) through A(6));
(2) Ready availability at libraries open to the public or at university libraries (see Question A(6));
(3) Patents available at any patent office; and
(4) Release at an open conference, meeting, seminar, trade show, or other open gathering.
(i) A conference or other gathering is "open" if all technically qualified members of the public are eligible to attend and attendees are permitted to take notes or otherwise make a personal record (not necessarily a recording) of the proceedings and presentations.
(ii) All technically qualified members of the public may be considered eligible to attend a conference or other gathering notwithstanding:

Page 658

(A)  A registration fee reasonably related to costs and reflecting an intention that all interested and technically qualified persons be able to attend, or
(B)  A limitation on actual attendance, as long as attendees either are the first who have applied or are selected on the basis of relevant scientific or technical competence, experience, or responsibility (see Questions B(1) through B(6)).

This General License GTDA authorizes submission of papers to domestic or foreign editors or reviewers of journals, or to organizers of open conferences or other open gatherings, with the understanding that the papers will be made publicly available if favorably received. (See Questions A(1) and A(3).)

     (c) Information resulting from fundamental research-
(1)  Fundamental research. Paragraphs (c)(2) through (c)(4) and paragraph (f) of this section provide specific operational rules that will be used to determine whether research in particular institutional contexts qualifies as "fundamental research." The intent behind those operational rules is to identify as "fundamental research" basic and applied research in science and engineering, where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons as defined in Sec. 779.3(f). (See Question D(8).)
(2) University-based research.
(i) Research conducted by scientists, engineers, or students at a university normally will be considered fundamental research, as described below. ("University" means any accredited institution of higher education located in the United States.)
(ii) Prepublication review by a sponsor of university research solely to ensure that publication would not inadvertently divulge proprietary information that the sponsor has furnished to the researchers does not change the rule described in paragraph (c)(2)(i) of this section. However, General License GTDA does not authorize the release of information from a corporate sponsor to university researchers where the research results are subject to prepublication review. See other sections in this part 779 for provisions that may authorize such releases without a validated license. (See Questions D(7), D(9), and D(10).)
(iii) Prepublication review by a sponsor of university research solely to ensure that publication would not compromise patent rights does not change the rule described in paragraph (c)(2)(i) of this section, so long as the review causes no more than a temporary delay in publication of the research results.
(iv)  However, General License GTDA does not authorize the initial transfer of information from an industry sponsor to university researchers where the parties have agreed that the sponsor may withhold from publication some or all of the information so provided. (See Question D(2).)
(v)  University based research is not considered "fundamental research" if the university or its researchers accept (at the request, for example, of an industrial sponsor) other restrictions on publication of scientific and technical information resulting from the project or activity. Scientific and technical information resulting from the research will nonetheless become subject to General License GTDA

Page 659

once all such restrictions have expired or have been removed. (See Questions D(7) and D(9).)
(vi) The provisions of paragraph (f) of this section will apply if a university or its researchers accept specific national security controls (as defined in paragraph (f) of this section) on a research project or activity sponsored by the U.S. Government. (See Questions E(1) and E(2).)
(3)  Research based at Federal agencies or FFRDCs. Research conducted by scientists or engineers working for a Federal agency or a Federally Funded Research and Development Center (FFRDC) may be designated as "fundamental research" within any appropriate system controlling release of information by such scientists and engineers devised by the agency or the FFRDC. (See Questions D(8) and D(11).)
(4) Corporate research.
(i) Research conducted by scientists or engineers working for a business entity will be considered "fundamental research" at such time and to the extent that the researchers are free to make scientific and technical information resulting from the research publicly available without restriction or delay based on proprietary concerns or specific national security controls as defined in paragraph (f) of this section.
(ii) Prepublication review by the company solely to ensure that the publication would compromise no proprietary information provided by the company to the researchers is not considered to be a proprietary restriction under paragraph (c)(4)(i) of this section. However General License GTDA does not authorize the release of information to university researchers where the research results are subject to prepublication review. See other sections in this part 779 for provisions that may authorize such releases without a validated license. (See Questions D(8), D(9), and D(10).)
(iii) Prepublication review by the company solely to ensure that prepublication would compromise no patent rights will not be considered a proprietary restriction for this purpose, so long as the review causes no more than a temporary delay in publication of the research results.
(iv)  However, General License GTDA does not authorize the initial transfer of information from a business entity to researchers where the parties have agreed that the business entity may withhold from publication some or all of the information so provided.
(5)  Research based elsewhere. Research conducted by scientists or engineers who are not working for any of the institutions described in paragraphs (c)(2) through (c)(4) of this section will be treated as corporate research, as described in paragraph (c)(4) of this section. (See Question D(8).)

     (d) Educational information. The release of "educational information" referred to in paragraph (a)(3) of this section is release by instruction in catalog courses and associated teaching laboratories of academic institutions. Dissertation research is treated in paragraph (c)(2) of this section. (See Questions C(1) through C(6).)

Page 660

     (e) Patent applications. The information referred to in paragraph (a)(4) of this section is:
(1)  Information contained in a patent application prepared wholly from foreign-origin technical data where the application is being sent to the foreign inventor to be executed and returned to the United States for subsequent filing in the U.S. Patent and Trademark Office;
(2)  Information contained in a patent application, or an amendment, modification, supplement, or division of an application, and authorized for filing in a foreign country in accordance with the regulations of the Patent and Trademark Office, 37 CFR part 5 (see Sec. 770.10(j)); or
(3)  Information contained in a patent application when sent to a foreign country before or within six months after the filing of a United States patent application for the purpose of obtaining the signature of an inventor who was in the United States when the invention was made or who is a co-inventor with a person residing in the United States.

     (f) Government-sponsored research covered by contract controls.
(1)  If research is funded by the U.S. Government, and specific national security controls are agreed on to protect information resulting from the research, paragraph (a)(2) of this section will not apply to any export of such information in violation of such controls. General License GTDA as described in paragraph (a)(2) of this section is nonetheless available for any export of information resulting from the research that is consistent with the specific controls.
(2)  Examples of "specific national security controls" include requirements for prepublication review by the Government, with right to withhold permission for publication; restrictions on prepublication dissemination of information to non-U.S. citizens or other categories of persons; or restrictions on participation of non-U.S. citizens or other categories of persons in the research. A general reference to one or more export control laws or regulations or a general reminder that the Government retains the right to classify is not a "specific national security control". (See Questions E(1) and E(2).)

     (g) Advice concerning uncontrolled information. Persons may be concerned that an export of uncontrolled information could adversely affect U.S. national security interests. Exporters who wish advice before exporting such information can contact the appropriate Government scientific or technical personnel by calling the Bureau of Export Administration at (202) 377-4811.

Note: Consulting and training. Technical data can be inadvertently exported in various ways. Consulting and training are especially effective mechanisms of technology transfer. The exporter should be aware that the Department of Commerce maintains controls on exports of technical data that do not qualify for General License GTDA as described in paragraphs (a)(1) through (a)(3) of this section, including application abroad of personal knowledge or technical experience acquired in the United States. (See also paragraph (g) of this section and Question F(1).)

Page 661

Sec. 779.4 General license GTDR: Technical data under restriction.

A general license designated GTDR is hereby established authorizing the export of technical data that are not exportable under the provisions of General License GTDA, subject to the provisions, restrictions, exclusions, and exceptions set forth below and subject to the written assurance requirement set forth in paragraph (f) of this section.

     (a) Country restrictions. General License GTDR with written assurance may not be used for exports to Country Groups QWYS and Z, the People's Republic of China, Iran, or Syria. General License GTDR without written assurance (GTDU) may not be used for exports to Country Groups S and Z, Iran or Syria of software available at retail outlets as described in the General Software Note.13 General License GTDR without written assurance (GTDU) as described in any entry on the Commerce Control List (Supplement No. 1 to Sec. 799.1 of this subchapter) may not be used for exports to Country Groups S and Z. This General License is subject to the prohibitions described in Sec. 771.2(c) of this subchapter, including the prohibition on any export to the South African military or police.

     (b) General License GTDR without written assurance authorizes the following exports-
(1) Operation technical data.
(i) For definitions and conditions for use of General License GTDR without written assurance for operation technical data, refer to the third paragraph of the General Technology Note as listed in Supplement No. 2 to Sec. 799.1 of this subchapter. As defined in that Note, "operation technical data" is the minimum

13 The General Software Note (GSN) is contained in Supplement No. 2 to Sec. 799.1 of Subchapter C, Chapter VII, Title 15, Code of Federal Regulations. The text of the GSN is as follows:

General License GTDR, without written assurance, is available for release of software that is generally available to the public by being:
a. Sold from stock at retail selling points without restriction by means of:
     1. Over the counter transactions;
     2. Mail order transactions, or
     3. Telephone call transactions; and
b. Designed for installation by the user without further substantial support by the supplier.

General license GTDA is available for software that is publicly available.

The General Software Note does not apply to exports of "software" controlled by other agencies of the U.S. Government.
The phrase "without restriction" clarifies that software is not "generally available to the public" if it is to be sold only with bundled hardware generally available to the public. Software that is both bundled with hardware and "generally available to the public" does qualify for General License GTDR without a written assurance.

Page 662

necessary for the installation, operations,14 maintenance (checking), and repair of those products that are eligible for general licenses, or that are exported under a validated export license. The "minimum necessary" excludes from operation technical data development or production technical data and includes use technology only to the extent required to ensure safe and efficient use of the product. Individual entries in the software and technology subcategories of the CCL may further restrict export of "minimum necessary" technical data. (See Supplement Nos. 2 and 3 to Sec. 799.1 of this subchapter for further information and definitions of the terms "development", "production", "use", and "required".)
(ii) Operation software may be exported under GTDR, without assurance, provided that:
(A) The operation software is the minimum necessary to operate the equipment authorized for export; and
(B) The operation software is in object code.
(2) Sales technical data.
(i) "Sales technical data" is defined as data supporting a prospective or actual quotation, bid, or offer to sell, lease, or otherwise supply any item controlled by the EAR.
(ii) Sales technical data may be exported under GTDR, without written assurances, provided that:
(A) The technical data is a type customarily transmitted with a prospective or actual quotation, bid, or offer in accordance with established business practice; and
(B) The export will not disclose the detailed design, production, or manufacture, or the means of reconstruction, of either the quoted item or its product. The purpose of this limitation is to prevent disclosure of technical data so detailed that the consignee could use the technical data in production.

Note: Neither this authorization nor its use means that the U.S. Government intends, or is committed, to approve an export license application for any commodity, plant, or technical data that may be the subject of the transaction to which such quotation, bid, or offer relates. Exporters are advised to include in any quotations, bids, or offers, and in any contracts entered into pursuant to such quotations, bids, or offers, a provision relieving themselves of liability in the event that an export license (when required) is not approved by the Bureau of Export Administration.

(3)  Software updates. Software updates that are intended for and are limited to correction of errors ("fixes" to "bugs" that have been identified) qualify for export under General License GTDR, without written assurance, provided the updates are being exported to the same consignee and do not enhance the functional capacities of the initial software package.
(4)  Technical data described in the Commerce Control List. Certain other technical data may be exported under GTDR without written assurance. Such technical data is identified in the "Requirements" section of the ECCN under the heading "GTDU". The designations "GTDU: Yes" or "GTDU: Yes except ..." indicate that General License GTDR without written assurance is available subject to any applicable exceptions. The designation "GTDU: No" indicates that General License GTDR without written assurance is not available. However, the designation "GTDU: No" does not restrict exports under paragraphs (b)(1), (b)(2), or (b)(3) of this section. Exporters have the option of using the term "GTDU" to describe General License GTDR without written assurance for all purposes, including information requirements on the Shipper's Export Declaration.

14 Exporters of digital computer equipment must describe on their license applications any software, including that shipped under General License GTDR, to be used with the equipment.

Page 663

     (c)-(d) [Reserved]

     (e) Restrictions applicable to the Republic of South Africa—
(1)  General prohibition. Except as provided in Sec. 779.4 (b)(1), (b)(2), and (b)(3), no technical data may be exported or reexported to the Republic of South Africa under this General License GTDR where the exporter or reexporter knows or has reason to know that the data or the direct product of the data are for delivery, directly or indirectly, to or for use by or for military or police entities in South Africa or for use in servicing equipment owned, controlled, or used by or for such entities. In addition, no technical data relating to the commodities listed in Supplement No. 2 to this Part 779 may be exported or reexported under General License GTDR to any consignee in the Republic of South Africa.
(2)  Written assurances. In addition to any written assurances that may or may not be required by paragraph (f) of this section, no export or reexport of technical data may be made to the Republic of South Africa under General License GTDR until the exporter has received written assurance from the importer that neither the technical data nor the direct product of the data will be made available to or for use by or for military or police entities of the Republic of South Africa.

     (f) General License GTDR with written assurances. Except as provided in Sec. 779.4(b) and (f)(5), no export of technical data described in this Sec. 779.4(f) may be made under General License GTDR:
(1)  Until the U.S. exporter has received a written assurance from the foreign importer that, unless prior authorization is obtained from the Office of Export Licensing, the importer will not knowingly:
(i)  Reexport, directly or indirectly, to Country Group Q, S, W,15 Y, or Z, or the

15 Effective April 26, 1971, Country Group W no longer included Romania. Assurances executed prior to April 26, 1971, that refer to Country Group W continue to apply to Romania as well as Poland. Effective April 25, 1991, Czechoslovakia was added to Country Group W. Assurances executed on or after April 25, 1991, that refer to Country Group W apply to Czechoslovakia as well as Poland. On May 8, 1992, Hungary was removed from Country Group W. Assurances are no longer applicable to Hungary. On January 1, 1993, Czechoslovakia became two separate countries called the Czech Republic and the Slovak Republic. Assurances executed prior to January 1, 1993, that refer to Czechoslovakia continue to apply to the Czech Republic and the Slovak Republic.

Page 664

People's Republic of China any technical data relating to commodities controlled to Country Group W as described in the paragraph titled "Validated License Required" of any entry of the Commerce Control List;
(ii) Export, directly or indirectly, to Country Group Z any direct product of the technical data if such direct product is controlled to Country Group "W" in the paragraph of any entry on the Commerce Control List titled "Validated License Required"; or
(iii) Export, directly or indirectly, to any destination in Country Group Q, S, W, Y, or the People's Republic of China, any direct product of the technical data if such direct product is identified by the code letter "A" following the Export Control Classification Number on the Commerce Control List.
(2)  If the direct product of any technical data is a complete plant or any major component of a plant that is capable of producing a commodity controlled to Country Group "W" in the paragraph of any entry on the Commerce Control List titled "Validated License Required" or appears on the U.S. Munitions List, a written assurance by the person who is or will be in control of the distribution of the products of the plant (whether or not such person is the importer) shall be obtained by the U.S. exporter (via the foreign importer), stating that, unless prior authorization is obtained from the Office of Export Licensing, such person will not knowingly:
(i)  Reexport, directly or indirectly, to Country Group Q, S, W, Y, or Z, or the People's Republic of China, the technical data relating to the plant or the major component of a plant;
(ii) Export, directly or indirectly, to Country Group Z, the plant or the major component of a plant (depending upon which is the direct product of the technical data) or any product of such plant or of such major component, if such product is identified by the symbol "W" in the paragraph of any entry on the Commerce Control List titled "Validated License Required" or appears on the U.S. Munitions List; or
(iii) Export, directly or indirectly, to any destination in Country Group Q, S, W, Y, or the People's Republic of China, the plant or the major component of a plant (depending upon which is the direct product of the technical data) or any product of such plant or of such major component, if such product is identified by the code letter "A" following the Export Control Classification Number on the Commerce Control List or appears on the U.S. Munitions List.

Note: Effective April 1, 1964, Sec. 779.4(f)(2)(ii) and (f)(2)(iii) required certain written assurances relating to the disposition of the products of a complete plant or major component of a plant that is the direct product of unpublished technical data of U.S. origin exported under General License GTDR. Except as to commodities identified by the code letter "A" following the Export Control Classification Number on the Commerce Control List, and items on the U.S. Munitions List, the effective date of the written assurance requirements for plant products as a condition of using General License GTDR for export of this type of technical data is hereby deferred until further notice, subject to the following limitations:
     1. The exporter shall, at least two weeks before the initial export of the technical data, notify the Office of Export Licensing, by letter, of the facts required to be disclosed in an application for a validated export license covering such technical data; and
     2. The exporter shall obtain from the person who is or will be in control of the distribution of the products of the plant (whether or not such person is the importer) a written commitment that he will notify the U.S. Government, directly or through the exporter, whenever he enters into negotiations to export any product of the plant to any destination covered by Sec. 779.4(f)(2)(ii), when such product is not identified by the code letter "A" following the Export Control Classification Number on the Commerce Control List and requires a validated license for export to Country Group W by the information set forth in the applicable CCL entry in the paragraph titled "Validated License Required". The notification should state the product, quantity, country of destination, and the estimated date of the shipment.

Moreover, during the period of deferment, the remaining written assurance requirements of Sec. 779.4 (f)(2)(ii) and (f)(2)(iii) as to plant products that are identified by the code letter "A" following the Export Control Classification Number on the Commerce Control List, or are on the U.S. Munitions List, will be waived if the plant is located in one of the following COCOM countries: Australia, Belgium, Canada, Denmark, the Federal Republic of Germany, France, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain, Turkey, and the United Kingdom. This deferment applies to exports of technical data pursuant to any type of contract or arrangement, including licensing agreements, regardless of whether entered into before or after April 1, 1964.

(3)  The required assurance may be made in the form of a letter or other written communication from the importer or, if applicable, the person in control of the distribution of the products of a plant; or the assurance may be incorporated into a licensing agreement that restricts disclosure of the technical data to be used only in authorized destinations, and prohibits shipment of the direct product thereof by the licensee to any unauthorized destination. An assurance included in a licensing agreement will be acceptable for all exports made during the life of the agreement, provided that the obligations of the importer set forth in the assurances survive any termination of the licensing agreement. If such assurance is not received, this general license is not applicable and a validated export license is required. An application for validated license shall include an explanatory statement setting forth the reasons why such assurance cannot be obtained.
(4)  In addition, this general license is not applicable to any export of technical data of the kind described in this Sec. 779.4(f), if at the time of export of the technical data from the United States, the exporter knows or has reason to believe that the direct product to be manufactured abroad by use of the technical data is intended to be exported directly or indirectly to any unauthorized destination.
(5)  The limitations in this Sec. 779.4(f) do not apply to the export of technical data included in an application for the foreign filing of a patent, provided such filing is in accordance with the regulations of the U.S. Patent Office.

     (g) Additional restrictions applicable to chemical or biological weapons. In addition to any other restrictions in Sec. 779.4, the use of General License GTDR is further restricted by Sec. 778.8(a)(5) of this subchapter.

Sec. 779.5 Validated license applications.

     (a) General. No technical data, other than that exportable without license to Canada or under general license to other destinations, may be exported from the United States without a validated export license. Such validated export licenses are issued by the Office of Export Licensing upon receipt of an appropriate export application or reexport request. An application for a technical data license shall consist of:
(1) Form BXA-622P, Application for Export License, accompanied by;
(2) A letter of explanation described in Sec. 779.5(d) for technology or description of the capabilities of the software; and
(3)  For shipments to the Czech Republic, Hungary, Poland, and the Slovak Republic, an Import Certificate issued by the appropriate national government. (See Sec. 775.8 and supplement No. 1 to part 775 of this subchapter.)

     (b) Application Form. Form ITA-622P shall be completed as provided in Sec. 772.4, except that Items 9(a) and 11 shall be left blank. In Item 9(b), "Description of Commodity or Technical Data," enter a general statement which specifies the technical data (e.g., blueprints, manuals, etc.). In Purpose."

     (c) [Reserved]

     (d) Letter of explanation. Each application shall be supported by a comprehensive letter of explanation in duplicate. This letter shall set forth all the facts required to present to the Office of Export Licensing a complete disclosure of the transaction including, if applicable, the following:
(1) The identification of all parties to the transaction;
(2) The exact project location where the technical data will be used;
(3) The type of technical data to be exported;
(4) The form in which the export will be made;
(5) The uses for which the data will be employed;
(6) An explanation of the process, product, size, and output capacity of the plant or equipment, if applicable, or other description that delineates, defines, and limits the data to be transmitted (the "technical scope");
(7) The availability abroad of comparable foreign technical data.

     (e) Special provisions—
(1)  Maritime nuclear propulsion plants and related commodities.16 These special provisions are applicable to technical data relating to maritime (civil) nuclear propulsion plants, their land prototypes, and special facilities for their construction, support, or maintenance, including any machinery, device, component, or equipment specifically developed or designed for use in such plants or facilities. Every application for license to export technical data relating to any of these commodities shall include the following:

16 See Sec. 779.8(a) which sets forth provisions prohibiting exports and reexports of certain technical data and products manufactured therefrom.

(i) A description of the foreign project for which the technical data will be furnished;
(ii) A description of the scope of the proposed services to be offered by the applicant, his consultant(s), and his subcontractor(s), including all the design data which will be disclosed;
(iii) The names, addresses and titles of all personnel of the applicant, his consultant(s) and his subcontractor(s) who will discuss or disclose the technical data or be involved in the design or development of the technical data;
(iv) The beginning and termination dates of the period of time during which the technical data will be discussed or disclosed and a proposed time schedule of the reports which the applicant will submit to the U.S. Department of Commerce, detailing the technical data discussed or disclosed during the period of the license;
(v)  The following certification:

I (We) certify that if this application is approved, I (we) and any consultants, subcontractors, or other persons employed or retained by us in connection with the project thereby licensed will not discuss with or disclose to others, directly or indirectly, any technical data relating to U.S. naval nuclear propulsion plants. I (We) further certify that I (we) will furnish to the U.S. Department of Commerce all reports and information which it may require concerning specific transmittals or disclosures of technical data pursuant to any license granted as a result of this application;

(vi) A statement of the steps which the applicant will take to assure that personnel of the applicant, his consultant(s) and his subcontractor(s) will not discuss or disclose to others technical data relating to U.S. naval nuclear propulsion plants; and
(vii) A written statement of assurance from the foreign importer that unless prior authorization is obtained from the Office of Export Licensing, the importer will not knowingly export directly or indirectly to Country Group Q, S, W, Y, or Z, or the People's Republic of China, the direct product of the technical data. However, if the U.S. exporter is not able to obtain this statement from the foreign importer, the U.S. exporter shall attach an explanatory statement to his license application setting forth the reasons why such an assurance cannot be obtained.
(2)  Other license applications. For all other license applications to export technical data identified in an entry with an ECCN ending in the code letter "A" to any destination, other than Country Group Q, S, W, Y, or Z, or the People's Republic of China, an applicant shall attach to the license application a written statement from his foreign importer assuring that, unless prior authorization is obtained from the Office of Export Licensing, the importer will not knowingly reexport the technical data to any destination, or export any national security controlled direct product of the technical data, directly or indirectly, to Country Group Q, S, W, Y, or Z, or the People's Republic of China. However, if the U.S. exporter is not able to obtain the required statement from his importer, the exporter shall attach an explanatory statement to his license setting forth the reasons why such an assurance cannot be obtained.

     (f) Validity period and extension-
(1)  Initial validity. Validated licenses covering exports of technical data will generally be issued for a validity period of 24 months. Upon request, a validity period exceeding 24 months may be granted where the facts of the transaction warrant it and the Office of Export Licensing determines that such action would be consistent with the objectives of the applicable U.S. export control program. Justification for a validity period exceeding 24 months should be provided in accordance with the procedures set forth in Sec. 772.9(d)(2) for requesting an extended validity period with a license application. The Office of Export Licensing will make the final decision on what validity beyond 24 months, if any, should be authorized in each case.
(2)  Extensions. A request to extend the validity period of a technical data license shall be made on Form ITA-685P in accordance with the procedures set forth in Sec. 772.12(a). The request shall include on Form ITA-685P, in the space entitled "Amend License to Read as Follows," whether the license has been previously extended and the date(s) and duration of such extension(s). The Office of Export Licensing will make the final decision on what extension beyond 24 months, if any, should be authorized in each case. (See Sec. 779.8(c)(1) for validity period extensions for reexports of technical data.)

Sec. 779.6 Exports under a validated license.

     (a) Use of validated licenses—
(1)  Retention of license. The validated technical data license need not be presented to the customs office or post office but shall be retained and made available for inspection in accordance with the provisions of Sec. 787.13 of this subchapter.
(2)  Return of revoked or suspended technical data licenses. If the Office of Export Licensing revokes or suspends a technical data license, the licensee shall return the license immediately to the Office of Export Licensing in accordance with the instructions in Sec. 786.2(d) of this subchapter.

     (b) Records. Any person to whom a validated technical data license has been issued shall retain the license and maintain complete records in accordance with Sec. 786.2(d) of this subchapter, including any export licenses (whether used or unused, valid or expired) and all supporting documents and shipping records.

Sec. 779.7 Amendments.

Requests for amendments shall be made in accordance with the provisions of Sec. 772.11. Changes requiring amendment include any expansion or upgrade of the technical scope that was described in the letter of explanation, as approved or modified on the export license.

Sec. 779.8 Reexports of technical data and exports of the product manufactured abroad by use of United States technical data.

     (a) Prohibited exports and reexports. Unless specifically authorized by the Office of Export Licensing, or otherwise authorized under the provisions of paragraph (b) of this section, no person in the United States or in a foreign country may:
(1)  Reexport any technical data imported from the United States, directly or indirectly, in whole or in part, from the authorized country(ies) of ultimate destination;
(2)  Export any technical data from the United States with the knowledge that it is to be reexported, directly or indirectly, in whole or in part, from the authorized country(ies) of ultimate destination; or
(3)  Export or reexport to Country Group Q, S, W, Y or Z, the People's Republic of China or Afghanistan any foreign produced direct product of U.S. technical data, or any commodity produced by any plant or major component thereof that is a direct product of U.S. technical data, if such direct product or commodity is covered by the provisions of Sec. 779.4(f) or Sec. 779.5(e)(1); or

     (b) Permissive reexports—
(1)  Exportable under General License GTDA or GTDR. Any technical data which have been exported from the United States may be reexported from any destination to any other destination provided that, at the time of reexport, the technical data may be exported directly from the United States to the new country of destination under General License GTDA or GTDR and provided that all of the requirements and conditions for use of these general licenses have been met.
(2)  COCOM authorization. Separate specific authorization by the Office of Export Licensing to reexport any U.S. origin technical data is not required if all of the following conditions are met:
(i)  The data being exported are identified by the suffix "A" on the CCL;
(ii)  The export or reexport is from a COCOM participating country, i.e., Australia, Belgium, Canada, Denmark, France, the Federal Republic of Germany, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain, Turkey, or the United Kingdom;
(iii) The export or reexport is made in accordance with the conditions of the licensing authorization issued by the applicable COCOM participating country; and
(iv) The export or reexport is to a country in Country Group Q, W, or Y or the People's Republic of China.
(3)  Direct product. Separate specific authorization by the Office of Export Licensing to export or reexport the direct product of U.S. origin technical data is not required if the direct product, were it of U.S. origin, could be shipped under any of the permissive reexport provisions of Sec. 774.2 of this subchapter.
(4)  People's Republic of China. Separate specific authorization by the Office of Export Licensing is not required to reexport software from a COCOM participating country, Austria, Finland, Hong Kong, Ireland, New Zealand, Sweden, or Switzerland to the People's Republic of China that meets the requirements set forth in Advisory Notes for the People's Republic of China or for Country Groups Q, W, Y in the Commerce Control List (Supplement No. 1 to Sec. 799.1 of this subchapter) and are licensed for shipment by the country from which reexported.

     (c) Specific authorization to reexport-
(1) Submission of request for reexport authorization. Requests for specific authorization to reexport technical data or to export any product thereof, as applicable, shall be submitted on Form ITA-699P, Request To Dispose of Commodities or Technical Data Previously Exported (OMB approval No. 0625-0009), to: Office of Export Licensing, P.O. Box 273, Washington, DC 20044.

(See Supplement No. 1 to Part 774 for instructions on completing the form.) If Form ITA-699P is not readily available, a request for specific authorization to reexport technical data or to export any product thereof, as applicable, may be submitted by letter. The letter shall bear the words "Technical Data Reexport Request" immediately below the heading or letterhead and contain all the information required by Sec. 779.5(d). Authorization to reexport technical data or to export the product thereof, if granted, will generally be issued with a validity period of 24 months on Form ITA-699P, or by means of a letter from the Office of Export Licensing. Any request for extension of the validity period shall be requested in accordance with Sec. 774.5(b), and shall specify the period for which additional validity is required. The Office of Export Licensing will make the final decision on what validity beyond 24 months, if any, should be authorized in each case.

(2) Return of reexport authorization. If the Office of Export Licensing revokes or suspends a reexport authorization, the licensee shall return the reexport authorization immediately to the Office of Export Licensing.
(3)  Records. Any person to whom a reexport authorization has been issued shall retain and make available for inspection records in accordance with the provisions of Sec. 787.13 of this subchapter, including any reexport authorizations (whether used or unused, valid or expired) and all supporting documents and shipping records.

     (d) Effect of foreign laws. No authority granted by the U.S. Office of Export Licensing, or under the provisions of the U.S. Export Administration Regulations, to reexport technical data or export a product thereof shall in any way relieve any person from his responsibility to comply fully with the laws, rules, and regulations of the country from which the reexport or export is to be made or of any other country having authority over any phase of the transaction. Conversely, no foreign law, rule, regulation, or authorization in any way relieves any person from his responsibility to obtain such authorization from the U.S. Office of Export Licensing as may be required by the U.S. Export Administration Regulations.

Sec. 779.9 Commercial agreements with certain countries.

Pursuant to section 5(j) of the Export Administration Amendments Act of 1979, as amended, any non-governmental U.S. person or firm that enters into an agreement with any agency of the government of a controlled country (Country Groups Q, W, Y, and the People's Republic of China), which agreement encourages technical cooperation and is intended to result in the export from the U.S. to the other party of U.S.-origin technical data (except under General License GTDA or General License GTDR as provided under the provisions of Sec. 779.4(b)), shall submit those portions of the agreement that include the statement of work and describe the anticipated exports of data to the Office of Technology and Policy Analysis, Room 4054, P.O. Box 273, Washington, DC 20044. This material shall be submitted no later than 30 days after the final signature on the agreement.

     (a) This requirement does not apply to colleges, universities and other educational institutions.

     (b) The submission required by this section does not relieve the exporter from the licensing requirements for controlled technical data and goods.

     (c) Acceptance of a submission does not represent a judgment as to whether Export Administration will or will not issue any authorization for export of technical data.

Sec. 779.10 Other applicable provisions.

As far as may be consistent with the provisions of this part, all of the other provisions of the Export Administration Regulations shall apply equally to exports of technical data and to applications for licenses and licenses issued under this part.

Supplement No. 1 to Part 779—Technical Data Interpretations

     1. Technology based on U.S.-origin technical data. U.S.-origin technical data does not lose its U.S.-origin when it is redrawn, used, consulted, or otherwise commingled abroad in any respect with other technical data of any other origin. Therefore, any subsequent or similar technical data prepared or engineered abroad for the design, construction, operation, or maintenance of any plant or equipment, or part thereof, which is based on or utilizes any U.S.-origin technical data, is subject to the same U.S. Export Administration Regulations that are applicable to the original U.S.-origin technical data, including the requirement for obtaining Office of Export Licensing authorization prior to reexportation.
     2. Distinction between General and Validated License requirements for shipment to QWY destinations of technical data and replacement parts.
A number of exporters have recently asked where the line is drawn between general license and validated license exports to PQWY destinations of technical data related to equipment exports.
The export of technical data under validated license is authorized only to the extent specifically indicated on the face of the license. The only data related to equipment exports that can be provided under general license is the publicly available data authorized by General License GTDA, or the assembly, installation, maintenance, repair, and operation data authorized by General License GTDR.

771.20 General License GLX; exports to Country Groups QWY and the People's Republic of China.

     (a) Scope. A general license designated GLX is established, authorizing exports to civil end-users in Country Group QWY and the People's Republic of China (PRC) of certain specified items.

     (b) Eligible exports. The items eligible for this general license are those described in the Advisory Notes in the CCL that indicate likelihood of approval for "Country Groups QWY and the PRC," except items described in the notes to ECCNs 1C18A and 2B18A. Likelihood of approval notes that apply only to the PRC, or to specified destinations in Country Group Y also qualify for this general license to eligible destinations (however, those notes indicating Country Group Q or W only, are specifically not eligible). In addition, those entries and sub-entries listed in Supplement No. 1 to this Part 771 are eligible to export under this general license. However, this general license is not available for items that are also subject to missile technology (MT), nuclear nonproliferation (NP), or foreign policy (FP) controls to the recipient country.

     (c) Eligible consignees. This general license is available only for exports to civil end-users for civil end-uses. Exports under this general license may not be made to military end-users or to known military uses. Such exports will continue to require an individual validated license and be considered on a case-by-case basis. In addition to conventional military activities, military uses include any proliferation activities described in Part 778 of this subchapter. Retransfers to military end-users or end-uses in eligible countries are strictly prohibited, without prior authorization.

The relevant part of the Commerce Control List is the "Information Security" category, as described below (taken from Supplement Number 1 to Section 799.1 of the Code of Federal Regulations).

II. "Information Security"

NOTE: The control status of "information security" equipment, "software", systems, application specific "assemblies", modules, integrated circuits, components, technology or functions is defined in the "information security" entries in this Category even if they are components or "assemblies" of other equipment.

NOTE: "Information security" equipment, "software", systems, application specific "assemblies", modules, integrated circuits, components, technology or functions that are excepted from control, not controlled, or eligible for licensing under an Advisory Note are under the licensing jurisdiction of the Department of Commerce. For all other, exporters requesting a validated license from the Department of Commerce must provide a statement from the Department of State, Office of Defense Trade Control, verifying that the equipment intended for export is under the licensing jurisdiction of the Department of Commerce.

A. Equipment, Assemblies and Components

5A11A Systems, equipment, application specific "assemblies", modules or integrated circuits for "information security", as described in this entry, and other specially designed components therefor.

List of Items Controlled

Systems, equipment, application specific "assemblies", modules or integrated circuits for "information security," as follows, and other specially designed components therefor:
     a. Designed or modified to use "cryptography" employing digital techniques to ensure "information security";
     b. Designed or modified to perform cryptanalytic functions;
     c. Designed or modified to use "cryptography" employing analog techniques to ensure "information security", except:
     c.1. Equipment using "fixed" band scrambling not exceeding 8 bands and in which the transpositions change not more frequently than once every second;
     c.2. Equipment, using "fixed" band scrambling exceeding 8 bands and in which the transpositions change not more frequently than once every ten seconds;
     c.3. Equipment using "fixed" frequency inversion and in which the transpositions change not more frequently than once every second;
     c.4. Facsimile equipment;
     c.5. Restricted audience broadcast equipment;
     c.6. Civil television equipment;
     d.  Designed or modified to suppress the compromising emanations of information-bearing signals;

NOTE: 5A11.d does not control equipment specially designed to suppress emanations for health and safety reasons.

     e. Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" or hopping code for "frequency agility" systems;
     f. Designed or modified to provide certified or certifiable "multilevel security" or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;
     g. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion.

5B11A Equipment specially designed for the development of equipment or functions controlled by the "information security" entries in this Category, including measuring or test equipment.

5B12A Equipment specially designed for the production of equipment or functions controlled by the "information security" entries in this Category, including measuring, test, repair or production equipment.

5B13A Measuring equipment specially designed to evaluate and validate the "information security" functions controlled by the "information security" entries in 5A or 5D.

C. Materials [Reserved]

D. "Software"

5D11A "Software" specially designed or modified for the "development", "production", or "use" of equipment controlled by "information security" entries 5A11, 5B11, 5B12, or 5B13 or "software" controlled by "information security" entries 5D11, 5D12, or 5D13.

5D12A "Software" specially designed or modified to support technology controlled by "information security" entry 5E11.

5D13A Specific "software" as follows.

NOTE: Exporter must have determined that the software is not controlled by the Office of Defense Trade Control, Department of State, before using this general license.

List of Items Controlled

     a. "Software" having the characteristics, or performing or simulating the functions of the equipment controlled by the "information security" entries in 5A or 5B.
     b. "Software" to certify "software" controlled by 5D13.a;
     c. "Software" designed or modified to protect against malicious computer damage, e.g., viruses.

E. Technology

5E11A Technology according to the General Technology Note for the "development", "production", or "use" of equipment controlled by "Information Security" entries 5A11, 5B11, 5B12, or 5B13 or "software" controlled by "information security" entries 5D11, 5D12, or 5D13.

NOTES for "Information Security":

NOTE 1: "Information security" entries in this Category do not control:
     a. "Personalized smart cards" using "cryptography" restricted for use only in equipment or systems released from control under 5A11.c.1 to c.6, by this Note or as described in "Information Security" Advisory Notes 3 and 4 below;
     b. Equipment containing "fixed" data compression or coding techniques;
     c. Receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption and where digital decryption is limited to the video, audio or management functions;
     d. Portable (personal) or mobile radio-telephones for civil use; e.g., for use with commercial civil cellular radiocommunications systems, containing encryption, when accompanying their users;
     e. Decryption functions specially designed to allow the execution of copy-protected "software", provided that the decryption functions are not user-accessible.

NOTE 2: "Information Security" entries in this Category do not control:
     a. "Software" "required" for the "use" of equipment released by "Information Security" Note 1;
     b. "Software" providing any of the functions of equipment released by "Information Security" Note 1;

ADVISORY NOTE 3: Licenses are likely to be approved, as administrative exceptions, for exports to Country Group W or cellular radio equipment or systems specially designed for cryptographic operation, provided any message traffic encryption capability that is within the scope of the control of the "information security" entries in Category 5 and that is contained in such equipment or systems is irreversibly disabled.

N.B.: Provided message traffic encryption is not possible within such a system, the export of mobile or portable cellular radio subscriber equipment containing cryptographic capabilities is permitted under this Advisory Note.

ADVISORY NOTE 4: Licenses are likely to be approved, as administrative exceptions, for exports to satisfactory end-users in Country Groups QWY and the PRC of the following cryptographic equipment, provided that the equipment is intended for civil use:
     a. Access control equipment, such as automatic teller machines, self-service statement printers or point of sale terminals, that protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities, but does not allow for encryption of files or text, except as directly related to the password of PIN protection;
     b. Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication;
     c.  Cryptographic equipment specially designed, developed or modified for use in machines for banking or money transactions, such as automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions, and intended for use only in such applications.

ADVISORY NOTE 5: (Eligible for GTDR). Licenses are likely to be approved as administrative exceptions, for exports to satisfactory end-users in Country Groups QWY and the PRC of the following cryptographic "software";
     a. "Software" required for the "use" of equipment eligible for administrative exceptions treatment under Advisory Notes 3 and 4 in the Notes for "Information Security" (Category 5);
     b.  "Software" providing any of the functions of equipment eligible for administrative exceptions treatment under Advisory Notes 3 and 4 in the Notes for "Information Security" (Category 5). [End of Notes for "Information Security."]

Page 676

III. Other Equipment, Materials, "Software" and Technology

A. Equipment, Assemblies and Components

5A20B Telemetering and telecontrol equipment usable as launch support equipment for unmanned air vehicles or rocket systems.

5A80D Communications intercepting devices; and parts and accessories therefor. (Specify by name.) (Also see S776.13 of this subchapter.)

NOTES:  1. These items are subject to the United Nations Security Council arms embargo against Rwanda described in S785.4 (a) of this subchapter.
          2. Controls on this equipment are maintained in accordance with the Omnibus Crime Control and Safe Streets Act of 1968 (Pub. L. 90-351).
