
There are specific regulatory, classification, licensing, and recordkeeping provisions associated with the export of encryption items.

I have a previous classification under 5A002.a.1, but now, 5A002.a.1 applies to items that have “information security” as a primary function. Do I need to get a new classification?

No. ECCN 5A002 was restructured in 2017 for readability. Because of the change in structure to 5A002.a, BIS is now issuing classifications under 5A002.a instead of 5A002.a.1. Previous classifications issued under 5A002.a.1 remain valid under the new structure. Those classifications can be understood to be under 5A002.a now.

What happened to Note 4 to Category 5 Part 2?

Similar to the dormant encryption decontrol note, Note 4 was moved to 5A002.a and stated in a positive manner. Instead of saying what is not controlled in Category 5 Part 2, 5A002.a now specifies that, to be controlled, the item must have “information security” as a primary function, it must be a digital communications or networking system, or it must be a computer or have information storage or processing as a primary function. This change does not impact the scope of Note 4.

Does Decontrol Note (j) cover Single Board Computers (SBC)?

Yes, Note (j) part 2.a and b can apply to single board computers (SBC) where the cryptography is integral to (within) a mass market (Note 3 to Category 5 Part 2) processor on the SBC (e.g., processor with hardware accelerated encryption primitives); or integral to (within) an operating system that is not in 5D002 (e.g., mass market OS). Part 2.c of the Decontrol note (j) makes reference to OAM. See #8 above for OAM.

What happened to old Note (g) for dormant encryption?

Before the Wassenaar 2016 rule, Note (g) to 5A002.a released products where the encryption functionality could not be used or could only be made useable by “cryptographic activation.” This decontrol note has been moved to 5A002.a and stated in a more positive manner. It now says that 5A002.a controls products “where that cryptographic capability is usable without “cryptographic activation” or has been activated.” This change does not impact the scope of what was released under Note (g).

Are universities with research institutes on the less-sensitive or more sensitive government end user list?

Universities are “less-sensitive government end users” while government research institutes are “more sensitive government end users.” If a university has a government research institute, BIS considers exports to the university itself to be an export to a “less-sensitive government end user.” Exports directly to a government research institute within the university, for use by a government research institute within the university, would be considered an export to a “more sensitive government end user.” If you are unsure about how a particular transaction should be treated, please seek guidan

Why were the grandfathering provisions removed?

The grandfathering provision is no longer required. The September 20, 2016 rule eliminated requirements for the encryption registration and self-classification report when the exporter has obtained a CCATS from BIS for the item. As a result, CCATS issued prior to June 25, 2010 are still valid without submission of an encryption registration or self-classification report unless the encryption functionality of the item changes.

What happens to old ELAs where the end user is now eligible for ENC?

Prior to the September 20, 2016 updates, licenses were required for exports to “government end users” outside the countries listed in Supplement No. 3 to part 740. Now, “less sensitive government end users” worldwide (except to AT-controlled countries) are eligible for ENC. Licenses previously submitted for these end users who are now eligible for ENC may use ENC without any further submissions to BIS. These exports were subject to a semi-annual sales reporting license condition. The semi-annual sales report still remains for these exports per 740.17(e) of ENC.

Does the EAR definition of “OAM” include using encryption in performing network security monitoring functions?

No. The definition of “OAM” includes “monitoring or managing the operation condition or performance of an item.” BIS does not consider network security monitoring or network forensics functions to be part of monitoring or managing operation condition or performance.