Andreas Teuchert, Arrow Central Europe GmbH Munich, 21st January, 2014 Encryption Export Controls.

2 Encryption Export Controls
Agenda
– Introduction to Encryption Controls
– Items in Category 5 Part 2
– When you can Export Without a Registration
– License Exception ENC
– Mass Market
– Registration, Classification, and Reporting
– Encryption Licenses

3 Introduction to Encryption Controls
– Encryption items were transferred from the USML to CCL in
– Controls are based on registration, classification, reporting, and licensing.
– Almost all encryption items can be exported if you comply with these controls.

4 Category 5, Part 2
– Encryption items
– Includes some non-encryption items
  – Low electro-magnetic emission (5A002.a.4)
  – Cross domain security (5A002.a.7)
  – Surreptitious intrusion (5A002.a.8)

5 Items exempt from encryption registration, classification and reporting requirements
– Items limited to low-strength crypto
– Note 3 Mass Market items not exceeding 64 bits symmetric
– Note 1 N.B. items (medical)
– Note 2 exports (TMP and BAG)
– Note 4 items
– Items described in ECCN 5A002 decontrol notes
– Where encryption is limited to authentication only
– Publicly available items not subject to the EAR
– Items exported to certain end-users or for certain end-uses under license exception ENC

6 § License Exception ENC
* Self-classification report required
** Supp 3 means end-users headquartered in Supp 3
*** License also required for cryptanalytic to gov’t end users in Supp 3; for any end user outside Supp 3 for OCI items and for special (OCI, non-std, cryptanalytic) technology and for std (other) technology to D-1 countries.
**** All products developed are subject to the EAR.

7 License Exception ENC
– No Registration or Classification by BIS Required
ECCN 5A002/5D002
– Section (a)(1): Internal “development” or “production” of new product
– Section (a)(2): “U.S. Subsidiaries”
– Section (b)(4): Short-range wireless items

8 License Exception ENC Registration and Classification Required – Section (b)(2) ENC “Restricted” and Section (b)(3) ENC “Unrestricted”

9 License Exception ENC Registration and Self-classification Required Section (b)(1) ENC “Unrestricted”

10 Mass Market Encryption Definition

11 Cryptography Note
– Note 3 to Category 5 – Part 2 has two parts:
  – Part a for mass marketed end-products
  – Part b for components of mass market products

12 Cryptography Note Part A
a. Items meeting all of the following:
  1. Generally available to the public by being sold, without restriction, from stock retail selling points by means of any of the following:
     a. Over-the-counter transactions;
     b. Mail order transactions;
     c. Electronic transactions; or
     d. Telephone call transactions;
  2. The cryptographic functionality cannot be easily changed by the user;
  3. Designed for installation by the user without further substantial support by the supplier; and
  4. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described above.

13 What is Mass Market?
– Origins in the General Software Note – GSN
– Items so widely distributed that export control is not realistic
– Cryptography Note is GSN for encryption
– Low strength mass marketed products may be self-classified as 5x992
– Key lengths not exceeding 64 symmetric; 768 asymmetric; or 112 elliptic curve
– No registration or Supplement 8 reporting required
– Higher strength mass market products require registration
– Before self-classification or classification – classified 5A002 or 5D002
– After self-classification or classification as mass market – 5A992 or 5D002
– Mass Market products in (b)(3) require BIS classification
– Other (not B3) self-classified under (b)(1) with Supplement 8

14 What is Mass Market? (continued)
Note to the Cryptography Note:
1. To meet paragraph a. of Note 3, all of the following must apply:
   a. The item is of potential interest to a wide range of individuals and businesses; and
   b. The price and information about the main functionality of item are available before purchase without the need to consult the vendor or supplier.
2. In determining eligibility of paragraph a. of Note 3, BIS may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.

15 Cryptography Note Part B
b. Hardware components of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:
  1. “Information security” is not the primary function or set of functions of the component;
  2. The component does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
  3. The feature set of the component is fixed and is not designed or modified to customer specification; and
  4. When necessary, as determined by the appropriate authority in the exporter’s country, details of the component and relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

16 Cryptography Note Part B Requirements
– End-product must first be established as Mass Market (MM)
– Primary function(s) NOT “information security”
– Cannot introduce new or enhance existing cryptographic functionality of MM products
– Cannot transform to a non-consumer type item
– Cannot provide custom/substitute cryptography (even if same algorithm)

17 Cryptography Note Part B Grandfathering
– If a Paragraph b. component has been previously classified under ECCN 5A002 pursuant to section (b)(3) or section (b)(1):
  – a new classification by BIS is NOT required
  – may be self-classified as (b)(3) or (b)(1) but must be included as such in a self-classification report submitted to BIS in January 2014
Note: Previous (b)(1) products that are also Paragraph b. components would be self-classified under §742.15(b)(1), not (b)(3).

18 Mass Market Classifications
Two types of support documentation are needed
– Marketing information—Demonstrate generally available to the public
  – Who buys it, why and how is it marketed
  – What each product does
  – Ballpark pricing and number of sales to different user
  – Why the general public would use it
  – Be sure to include brochures or web advertisement
  – Discuss how product is installed and used without support
– Technical information—Show that the B2 criteria do not apply
  – Items described in (b)(2) are not mass market
  – Provide brochures/tech specs
  – Citation to previous or similar reviews
  – Required Supp 6 encryption technical information
  – State no source code (source code is easily user modifiable)

19 Encryption Registration
Encryption Registration Number (ERNs)
– Attach pdf of Supplement 5 to Part 742 information to the new Encryption Registration work item in SNAP-R
– System automatically responds with an ERN in about an hour
– ERN is required before export of items self-classified under
  – 740.17(b)(1) or
  – 742.15(b)(1)
– Encryption registration number (ERN) must be placed in Additional Information block when submitting classification requests under
  – 740.17(b)(2) and (b)(3)
  – 742.15(b)(3)

20 Classification Required
– Classification by BIS/NSA Required
– “Restricted” items under ENC (b)(2)
– “Unrestricted” items under ENC (b)(3)
– Listed mass market items (b)(3)
– Must have an ERN before processing the application.

21 Classification Required - Process
– Upon registration of a classification request, products may be exported and reexported immediately to Supplement 3 countries & Canada except for cryptanalytic items which require a license to all government end users.
– After 30 days, eligible “(b)(2)” and “(b)(3)” products may be exported and reexported as stated in the regulations except Country Group E:1

22 CCATS Application
– Required:
  – ERN in the additional information block in SNAP-R, if applicable.
  – Supplement 6, to part 742 information
  – Product data sheet
– Not required, but helpful:
  – Cover letter/summary explaining what outcome you expect for each product
  – Brief overview of the product and what it’s designed to do with particular regard to its security functions.
  – Best guess at the ECCN (for each product) and how item will be authorized.
  – For hardware, and especially for components, a picture of the item.

23 Supplement 6 to part 742
– Describe specific use of encryption
  – Authentication communication (wired/wireless), data confidentiality, “Operations, Administration, Maintenance and Provisioning” (OAM&P), copy/license protection, etc.
– Describe type(s) of encryption used
  – Algorithms, protocols, key lengths
– Describe third-party provided cryptography
– Describe how product does or does not meet requirements of (b)(2)

24 Semi-annual Reporting (§740.17(e))
– Now applies only to B2 and B3iii
– Product name, quantity and recipient(s)
– Distributors or other resellers
– Direct sales
– Information on foreign products developed from U.S.-origin encryption components, toolkits, source code and technology
– Reports to both BIS and the ENC Encryption Request Coordinator
– Key length increases
– Exemptions from reporting
– See §740.17(e)(1)(iii) for a complete list

25 Annual Report of Exported Products (“Supplement 8 Report”)
– All B1 items (items self-classified under (b)(1) and (b)(1)
– Submitted by to NSA and BIS
– CSV (comma separated values) format
– Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)
– Items classified under B2 or B3 should not be listed (740.17(b)(2/3) and (b)(3)

26 Encryption Licensing
– “Restricted” items to government end users in non-Supplement No. 3 countries
– Encryption technology for development/manufacture abroad
– Other situations including export to E-1 countries
– Denials are very rare

27 Encryption Licenses (§742.15(a) of the EAR)
Most products in (b)(2) require a license to government end-users outside the Supplement 3 countries, except as follows:
– Cryptanalytic commodities and software require a license to any government end-user anywhere except Canada;
– “Open cryptographic interface” items require a license to any end-user not located or headquartered in a Supplement 3 country; and
– Encryption technology as follows:
  – Technology for “non-standard cryptography” requires a license to any end-user not located or headquartered in a Supplement 3 country;
  – Other technology – requires a license to:
    – Any government end-user outside the Supplement 3 countries; and
    – Any end-user in country group D:1
In addition, a license is required for:
– Any export to Country Group E:1 destinations
– A transaction that requires a registration or classification but those have not been done.

28 License Exception ENC (740.17) * Developed products are subject to the EAR

Questions?