Datasheet
Export Compliance Guide and Q&A
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 11
Q. What makes a Cisco ASA 5500 Series Edition bundle a restricted or unrestricted
bundle?
A. All Cisco ASA 5500 Series Edition bundles that ship with the base encryption license are
unrestricted and have a ‘K8’ in their product part number. Similarly, Cisco ASA 5500 Series
Edition bundles that ship with the strong encryption license are restricted and have a ‘K9’ in
their product part number.
Q. Can a product with strong encryption and a K9 part number be unrestricted?
A. Yes. As shown in Table 2, if a product uses strong encryption solely for securing network
management data, it can be classified as unrestricted encryption with a K9 part number. The
product part numbers for the base and strong encryption licenses are listed in Table 3.
Table 3. Export Encryption Classification for Cisco ASA 5500 Series Platform Encryption Licenses
Product Name Part Number Product Description Encryption Classification
ASA5500-ENCR-K8 Cisco ASA 5500 Base Encryption
License with DES
Unrestricted Cisco ASA 5500 Series
Platform Encryption
License
ASA5500-ENCR-K9 Cisco ASA 5500 Strong Encryption
License with 3DES/AES
Restricted
Q. Can a Cisco ASA 5500 Series Edition bundle that is unrestricted (K8 bundle) with base
encryption be upgraded to support strong encryption (K9 bundle)?
A. Yes. A bundle with base encryption can be upgraded to support strong 3DES/AES encryption
at:
http://www.cisco.com/go/license. This upgrade is available to customers at zero cost.
Q. How can a K9 part number be a subcomponent of a K8 bundle that is unrestricted?
A. For a K9 part number to be a subcomponent of a K8 bundle, it has to be classified as
unrestricted encryption. For instance, Cisco ASA 5500 Series Security Services Modules
listed in Table 5 are K9-designated and have unrestricted encryption designation. This
enables the modules to be subcomponents of Cisco ASA 5500 Series Edition bundles with K8
designators. Other examples include Cisco SSL VPN Client and Cisco Secure Desktop
software, listed in Table 6.
Q. What does it mean for an order to be on an export hold?
A. An order can be on an export hold if one or more of the following is true:
●
The order contains restricted encryption products
●
The end user is in embargoed/restricted territory
●
A party to the transaction is an entity on the U.S. government’s Denied Parties List
Restricted encryption products are systemically placed on export hold at order entry
regardless of destination, including the U.S. and Canada. All orders are screened against the
U.S. government’s Denied Parties List. Each transaction is screened to ensure compliance
with U.S. and local export requirements. All line items in orders destined for embargoed
territories, sanctioned entities, or end users that pose proliferation concern are placed on
export hold.
Q. What are the export requirements that an order must comply with before being released
from export hold?
A. The export requirements that an order must comply with before being released from export
hold are outlined on the Cisco Regulatory Affairs Website.