Encryption Export Controls: International Traffic in Arms Regulations (ITAR)


ITAR encryption controls are located in three primary Categories on the US Munitions List (USML).

Category XI - Military Electronics

Subparagraph (b) - Encryption software designed or modified to:

  • Generate spreading code for spread spectrum or hopping code for frequency agility (does not include fixed code techniques);
  • Use "burst" (time compression) techniques;
  • Use "burst" (time compression) techniques;
  • Suppress compromising emanations of information bearing signals.

Category XIII - Auxiliary Military Equipment

Subparagraph (b) - Encryption software designed or modified for:

  • Military information security systems (including key management);
  • Tracking, Telemetry and Control (TT&C) including decryption;
  • Generating spreading or hopping codes for military spread spectrum systems or equipment;
  • Military cryptanalytic systems;
  • Military information systems providing certified or certifiable multi-level security or user isolation exceeding class B2 of TCSEC.

Category XV - Spacecraft Systems and Associated Equipment

Subparagraph (b) - Encryption software designed or modified for

  • Ground control stations for telemetry, tracking and control of spacecraft or satellites.

Subparagraph (c) - Global Positioning System (GPS) receiving equipment:

  • Designed for encryption or decryption (i.e. Y-Code) of GPS precise position service (PPS) signals.

NOTE: The citations provided above are intended as general summaries and are not authoritative. Researchers are responsible for consulting the USML for encryption software specifically designed or developed for a military, intelligence or space application.

Stanford Researcher Action Required: ITAR Encryption Compliance

Stanford researchers generating ITAR-related encryption software must upload the code onto a publicly available website immediately to demonstrate that the software has been published.

The Stanford-developed encryption software must be freely downloadable by all interested members of the scientific community at no charge and without Stanford's knowledge by whom or from where the data is being downloaded. This means no login requirement or other password or other authentication procedures. The government could view a login or other authentification requirement as an access control, and such a requirement could destroy the university's ability to characterize the generated software as unrestricted fundamental research excluded from export controls.