Upload
christiana-blake
View
216
Download
2
Tags:
Embed Size (px)
Citation preview
What are encryption items that require authorization to export?
When is authorization required for exporting encryption items?
What kinds of export authorization are available?
How to apply for authorization to export an encryption item
Differences between a “review request” and a ‘notification’
Differences between ‘restricted’, ‘unrestricted’ and “mass market” encryption items
Any item exported from the United States
Reexports of U.S. origin items
Foreign-made products incorporating greater than de minimis U.S. controlled content
Certain foreign-made direct product of U.S. technology
Remote access to a system Encrypted data Music/video/multimedia (we control the
software and equipment that encrypts/decrypts, not the content)
Compression Coding techniques for reliable transmission
(e.g. CDMA, parity bits) Medical devices
Note 4 adopted by Wassenaar Encryption used for “primary function” that is NOT
computing, networking, communications, information security
Examples: ◦ Piracy and theft prevention for software, music, etc.◦ Household utilities and appliances◦ Printing, reproduction, imaging and video recording or
playback—not videoconferencing◦ Business process modeling and automation (e.g., supply
chain management, inventory, scheduling and delivery)◦ Industrial, manufacturing or mechanical systems (e.g.,
robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
◦ Automotive, aviation, and other transportation systems
Considerations:
◦ General purpose vs. application specific
◦ “Primary function” of the product Results in an EAR99 classification or classification
under a different category of the control list Other reasons for decontrol result in classification of
5A992/5D992 (5A002 decontrol notes/ authentication only)
◦ Use of encryption
Items that are identified in Category 5, Part 2 of the Commerce Control List
Items designed or modified to use cryptography whose primary function is:◦ “Information security”◦ Computing◦ Communications◦ Networking
Not ‘fixed’ coding or other schemes for ensuring reliable transmission of information that don’t involve hidden or obscured information
Controlled for EI, NS and AT reasons (Wassenaar):◦ 5A002 : hardware◦ 5D002 : software◦ 5E002 : technology
Controlled for NS and AT reasons (Wassenaar):◦ 5B002: test equipment
Controlled for AT reasons only (U.S. unilateral):◦ 5A992 : hardware◦ 5D992 : software◦ 5E992 : technology
License exception TSU – EAR part 740.13◦ Used for “publicly available” items ◦ Required ‘notification’
License exception ENC – EAR part 740.17◦ Registration◦ Self-Classification◦ Encryption Review
Mass Market Review – EAR part 742.15 Other license exceptions
◦ TMP – EAR part 740.9◦ GOV – EAR part 740.11◦ BAG – EAR part 740.14
The source code must be available to the general public◦ available at no charge or◦ available at a charge that does not exceed the cost
of reproduction and distribution◦ no limitations on further distribution
Required notifications ◦ Described in 740.13(e)◦ email to crypt @bis.doc.gov and [email protected]
License Exception ENC◦ ‘restricted’ items (740.17(b)(2))◦ ‘unrestricted’ items (740.17(b)(3))◦ “self-classifiable” items (740.17(b)(1))
Terms like ‘retail’ are not used anymore.
Described in EAR part 742.15(b)
◦ Items that are not listed in 740.17(b)(2) or (b)(3)(iii) ◦ Meets the criteria in Note 3 to Category 5, part II
Generally available to the public by being sold, without restriction, from stock at retail selling points…
The cryptographic functionality cannot be easily changed by the user;
Designed for installation without further substantial support by the supplier; and
When necessary, details are available…
Classification by BIS/NSA Required ◦ “Restricted” and “unrestricted” items under ENC
and listed mass market items (740.17(b)(2)/(b)(3) and 742.15(b)(3))
Self-classification Permitted◦ “Other” items (740.17(b)(1) and 742.15(b)(1)
Company registration required for 5A002/5D002/E002 items and mass market items
One registration per company, not per product
Exporters may rely on manufacturer’s registration/product classification…but BIS won’t provide that information
All “other” (740.17 (b)(1) and 742.15 (b)(1)items
Submitted by email to NSA and BIS Submitted in .cvs (comma separated
values) format Six specified data fields: name of product,
model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)
Individual validated licenses (IVLs)◦ Specific transactions involving identified parties
receiving specific goods and for a specific purpose◦ Typically have a 2 year validity period
Encryption Licensing Arrangements (ELAs)◦ Generally involves unlimited sales of specific
goods to government end users in a certain country or group of countries
◦ Typically have a 4 year validity period No License Required (NLR) transactions
◦ Sometimes a license is still required…
Broad authorization for exports not eligible for License Exception ENC (most “restricted” items to government end users in non- “ENC favorable treatment” countries)
“Less sensitive” government end users - “worldwide” ELAs
“More sensitive” government end users – “single country” ELAs
4-year validity Semi-annual sales reporting
May include self-classified items
5A992, 5D992, 5E992
No License Required (NLR)
Controlled to AT countries: Cuba, Sudan, Syria, North Korea and Iran
No review by BIS is required