
iv. 5A002 a.1-a.5

To be controlled in 5A002.a, an item must have “information security” as a primary function; be digital communications or networking systems; or be computers or other items having information storage or processing as a primary function. Below we further describe what types of products are covered under 5A002.a.1-a.4. 

 

1. “Information Security”

  •  Items whose primary function is “Information Security”
  • “Information Security” as defined in 772 of the EAR — All the means and functions ensuring the accessibility, confidentiality, or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions.
  • Information Security can include computer security, network security, and information assurance. These are often interrelated and share the common goals of protecting information, information systems, networks, and communications, including the confidentiality, integrity, and availability of information and communications.
  • Examples of items whose primary function is “information security” may include, but are not limited to: firewalls, intrusion detection systems, cryptanalytic tools, computer/network/digital forensics, cryptographic accelerators, file encryption, key exchange, key management, key storage, link encryption, network forensics, network intelligence, network security monitoring, network vulnerability and penetration testing, trusted computing, and cryptographic libraries (including application programming interfaces (APIs) and other cryptographic interfaces). 

     

2. Digital communication or networking systems, equipment, or components 

  • This includes items that are communications systems for sending or receiving information
  • Examples of such items may include, but are not limited to: email systems; voice communication systems; video conferencing; fax, file/disk encryption (including applications, session, transport and storage encryption); cellular, mobility applications, SMS, instant messaging, chat, radio communications, satellite, communications, 3G/4G/LTE/WiMAX, GSM, voice over Internet protocol (VoIP)
  • Items that are used for computer networking and/or are equipment or components of networking systems
  • This may include things such as routers, switches, base stations, trunked radio, wireless access points, bridges/repeaters, hubs, gateways, access points, modems, voice over Internet protocol (VoIP) servers and endpoints
  • More examples may include: network management, provisioning and monitoring, security operations center (SOC)/network operations center (NOC) tools, distributed computing, optical networking, short-range wireless, storage area networking (SAN), virtual private networking (VPN), wide area networking (WAN), wireless local area networking (WLAN), wireless personal area networking (WPAN), local area networking (LAN), metropolitan area networking (MAN)
  • See decontrol note (h) and (i) for Operations Administration and Maintenance items and see also Note to 5D002 for OAM software
  • See decontrol note (f) for WPAN items 
     

3. Computer, including OS, parts, and components therefor 

  • Items that are computers, or that have information storage or processing as a primary function, and components therefor.
  • Examples may include general purpose hardware such as computers, mobile, and handheld computers, processor chips, system on chips, boards, assemblies or other components of computers implementing cryptographic primitives or other “information security” functionality
  • Other examples include computer or computing platforms, data backup and recovery, database, disk/drive encryption, operating systems for computers and/or security appliances, firmware that is used to operate a computer or processor, cryptographic co-processors and/or accelerators, toolkits and software development kits (SDKs), computer/network test equipment.
     

5A002 a.4 also controls items if the cryptography supports a non-primary function of the item AND the cryptographic functionality is performed by incorporated equipment or software that would as a standalone item be specified by Cat. 5 Part 2. 

Examples: (a) An automobile where the only ‘cryptography for data confidentiality’ ‘in excess of 56 bits of symmetric key length, or equivalent’ is performed by a Category 5 – Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5A992.c). (b) An exercise bike with an embedded Category 5 – Part 2 Note 3 eligible web browser, where the only controlled cryptography is performed by the web browser. In this case, secure web browsing supports a non-primary function of the exercise bike but the web browser (“software”), as a standalone item, is not controlled by ECCN 5D002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5D992.c). 
 

Examples of reviewing an item in 5A002 a.1- a.4 

Example 1: Vending machine 

  • In this example a vending machine can send encrypted communications in order to report that it has run out of soda. The main purpose of this item is to sell drinks, and the cryptographic functionality is there purely to enable it to fulfill this main purpose more efficiently. Such an item would be considered outside of 5A002 a.1 – a.4.
  • In this case the primary function is the obvious or main purpose of the item. It can also be thought of as the function which is not there to support other functions.
  • In this analysis you would look at the main purpose that the vending machine would be used for. The vending machine is not mainly for “information security”, digital communications or networking, and/or computing; and the cryptographic functionality of the item is just to support the main purpose of vending sodas, so the item would not be in Cat. 5, Part 2, 5A002 a.1 - a.4. 
     

Example 2: Learning laptop 

  • A child’s laptop that accesses the internet securely and only to a specified site for literacy-based learning would be considered outside of 5A002 a.1- a.4. Its primary function is specific to literacy training and would not be considered a computing item like a general purpose laptop would. A general purpose computer that implements cryptography such as a laptop or desktop computer would be in Cat. 5, Part 2 because its main function is to provide general purpose computing.
  • A general purpose laptop or desktop computer may be used in multiple applications and provides a general set of features, whereas the learning laptop is an application specific item specifically designed with a set of functions targeted to a certain end use (literacy training). The cryptography is limited to secure communication for supporting literacy based learning. 
     

Example 3: Wireless chip 

  • Another example is a communications chip that implements cryptography for secure Wi-Fi connections within a cell phone. This item would be in Cat. 5, Part 2 because it is a general purpose communications chip. However, a chip designed for a utility meter with features that allow it to wirelessly interface securely only with specific utility meter readers could be outside of Cat. 5, Part 2, 5A002 a.1- a.4 because it provides specific communication between a meter and reader. 
     

Example 4: App 

  • Yet another example could be an app on a phone used for chatting or instant messaging using text, images and video. An app such as this would be in Cat. 5, Part 2 because it provides communications. However, an app designed for your local car shop to securely communicate between you and your mechanic about the status of your vehicle repair or maintenance would be considered outside of Cat. 5, Part 2, 5A002 a.1 – a.4. The app is using communications only in the context of vehicle repair. 
     

Some examples of items that are not Cat. 5, Part 2, 5A002 a.1-a.4 

Research/scientific/analytical 

  • Business process management (BPM) — business process abstraction and modeling
  • Scientific visualization/simulations/co-simulations (excluding such tools for computing, networking, cryptanalysis, etc.)
  • Data synthesis tools for social, economic, and political sciences (e.g., economic, populations, global climate change, public opinion polling, etc. forecasting and modeling)
     

Business/systems applications: systems operations, integration, and control 

  • Business process automation (BPA) — process planning and scheduling, supply chain management, inventory and delivery
  • Transportation — safety and maintenance, systems monitoring and on-board controllers (including aviation, railway, and commercial automotive systems), ‘smart highway’ technologies, public transit operations and fare collection, etc.
  • Industrial, manufacturing or mechanical systems — including robotics, plant safety, utilities, factory or other heavy equipment, facilities systems controllers such as fire alarms and HVAC
  • Medical/clinical — including diagnostic applications
  • Academic instruction and testing/online training — tools and software
  • Applied geosciences — mining/drilling, atmospheric sampling/weather monitoring, mapping/surveying, dams/hydrology