I make HTTP calls. I send data with a POST method. I do not encrypt my data, but I do pass a GET parameter with an encrypted SHA-1 hash (a simple home-made encryption). Would this be considered encryption (in that I have to contact the NSA) even though I’m not actually encrypting the data but rather putting a digital signature on it?
Apart from me not being a lawyer (so this does not constitute legal advice), the application of cryptography in general does not require you to contact the NSA – they would be swamped. The (explicit?) export of applications to/from listed countries that are considered threats is a different matter, as is the export of APIs that let others perform encryption/decryption. They are mainly afraid that they cannot read data from rogue states.
Of course, all this does not matter if you are not in the US, although other restrictions may apply (e.g. agreement of Wassenaar, apparently).
This could be a good starting point:
http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States
You can also have a look at the distinction between java.security and javax.crypto. It’s there because of export control (javax is not considered part of the standard Java runtime, although it is meant for public access – it might however not be present on every Java platform). Signature, for instance, is in java.security.
For legal advice, contact a legal advisor or contact the institute within your country that deals with this.
[edit] Note that you should be careful not to expose an encryption function by accident, or you could still be required to contact the agency dealing with such matters.
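An added example, not part of the original answer: signing an unencrypted POST body with `java.security.Signature`, the class the answer mentions, without importing anything from `javax.crypto`. It uses the standard `SHA256withRSA` algorithm rather than the question's home-made scheme; the `/order` endpoint, the `sig` parameter name, the sample body and the throwaway key pair are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

// Added example: authenticates a plaintext POST body using only java.security classes.
public class SignedPostExample {
    static final String ALGORITHM = "SHA256withRSA"; // assumption: a standard JCA algorithm

    // Client side: sign the body; the body itself is still sent unencrypted.
    static String sign(PrivateKey key, byte[] body) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(key);
        s.update(body);
        // URL-safe Base64 so the value can travel as a query parameter.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.sign());
    }

    // Server side: check the received parameter against the received body.
    static boolean verify(PublicKey key, byte[] body, String sigParam)
            throws GeneralSecurityException {
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(sigParam);
        } catch (IllegalArgumentException e) {
            return false; // malformed parameter: reject instead of failing the request handler
        }
        Signature s = Signature.getInstance(ALGORITHM);
        s.initVerify(key);
        s.update(body);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {
            return false; // wrong length or badly encoded signature
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // constructed throwaway key pair
        byte[] body = "item=42&qty=1".getBytes(StandardCharsets.UTF_8); // constructed sample
        String sig = sign(pair.getPrivate(), body);
        System.out.println("POST /order?sig=" + sig); // hypothetical endpoint and parameter
        System.out.println("genuine body:  " + verify(pair.getPublic(), body, sig));
        byte[] tampered = "item=42&qty=9".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body: " + verify(pair.getPublic(), tampered, sig));
    }
}
```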