Misty Rutter Global Trade Business Engagement October 6, 2010 Encryption update Misty Rutter Global Trade Business Engagement October 6, 2010

HP at a glance Stanford University classmates Bill Hewlett and Dave Packard founded HP in 1939. The company's first product, built in a Palo Alto garage, was an audio oscillator. Fortune 9 U.S. Fortune 32 Global 304,000 employees $114.6 billion USD in revenue for FY09 Operates in approximately 170 countries worldwide headquartered in Palo Alto, CA HP is the largest IT company on the planet! Our new CEO Leo Apotheker joined HP on September 30, 2010

HP No other company offers as complete a technology product portfolio as HP. We provide infrastructure and business offerings that span from handheld devices to some of the world's most powerful supercomputer installations. HP's three business groups drive industry leadership in core technology areas: The Personal Systems Group: business and consumer PCs, mobile computing devices and workstations The Imaging and Printing Group: inkjet, LaserJet and commercial printing, printing supplies Enterprise Business: business products including storage and servers, enterprise services and software LET’S DO AMAZING

Encryption Rule Reform Interim final rule published in the Federal Register June 25, 2010 Made the most confusing part of the EAR even more confusing even if it did “simplify” some of the requirements!

What changed? Removed encryption review (CCATS) requirements for less sensitive encryption items Also removed post-export semi-annual reporting for these items Established new registration process for companies who export encryption without prior review, for cryptography items transferred under License Exception ENC and for mass market items Established an annual self-classification reporting requirement for items self-classified under the new company registration  Authorized transfers of most encryption technology to non-government end-users under License Exception ENC, except to D:1 and E:1 countries Decontrols so-called "ancillary cryptography" items (Note 4) – removed from Cat5 Part2 altogether. Now EAR99 unless another category applies  (includes encryption for copyright protection) Expanded ability export 5E002 technology

Registration/review/reporting Requirements Matrix Encryption Registration Annual Self-Classification Report 30 Day Review Semi-Annual Reporting ENC A ENC B1 X ENC B2 ENC B3 b3iii ENC B4 MMR B1 MMR B3 MMR B4

If you’re not sure your item meets B1: You can still submit a formal CCATs request. B1 items do not get forwarded to NSA Quicker turnaround If you are just doing proper “Bundling” without changing the manufacturer’s product, you do not have to register Self Classification also applies to Mass Market items except items listed in 742.15 B3 (Note items in 740.17 B2 and 740.17 B3 are not eligible for MM)

B2 and B3 Items – Still Require review B2 Items include: Network infrastructure products described in 740.17(b)(2)(i)(A); Encryption source code; No longer required to submit copy of source code with request Products designed, modified, adapted or customized for “government end-user(s)”; Commodities and software that provide penetration capabilities; Public safety / first responder radio (e.g., P25 or TETRA); 5E002 encryption technology Remember Dormant and Disabled encryption is still covered under Cat 5 Part 2 Added penetration testing software to B2

B2 and B3 Items – Still Require review B3 Items include: Chips, chipsets, electronic assemblies; Cryptographic libraries and modules; Development kits; Products with “non-standard cryptography”; Items that perform vulnerability analysis, network forensics, or computer forensics as described in 740.17(b)(3)(iii). Products that activate or enable encryption

How to file a ccats request Register for SNAP-R Go to the main SNAP-R screen and select Classification Request, then check the encryption checkbox Block 9 - pull-down list in the special purpose box, select License Exception ENC Block 14-15 Be sure the information in these blocks is complete and correct, because this is where the official response from BIS will be sent. If both blocks are filled in, the official response will be sent to the individual or entity identified in Block 15. Block 22(a) Enter 5A002 for hardware, 5D002 for software, or 5E002 for technology. Block 22(c) Enter the product name with model number, if available. Block 22(i) Enter the name of the manufacturer. If you will sell the product under your company's label, then enter the name of your company in the manufacturer block. Block 22(j) Provide a brief technical description including the basic purpose of the encryption item (e.g., XYZ is a PDA used for ...) and the type of encryption used in the software (e.g., 168-bit Triple DES for secure e-mail, 1024-bit RSA for key exchange). Comments such as ''see letter of explanation" or ''see brochure" are not sufficient. The information identified in this block is entered directly into the BIS license application database, and will be printed on the official response issued by BIS. A brief technical description is essential. All other blocks or block portions appropriate for review requests should be completed in accordance with Part 748 of the EAR. Block 24 Insert your most recent encryption registration number (ERN).

Supporting Documentation Prepare a PDF document containing the information and documentation described in Supplement No. 6 to Part 742 Create a Supp. 6 template for use on all CCATs – get engineering support to complete the template for new products (or changes in existing products) Letter of explanation – provide detailed description of items for classification and supporting argument for classification you believe applies Technical specifications, datasheets, brochures Submit in electronic (pdf) format

for hardware or software “encryption components” other than source code (1) Reference the application for which the components are used in, if known; (2) State if there is a general programming interface to the component; (3) State whether the component is constrained by function; and (4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier.

For encryption source code (1) If applicable, reference the executable (object code) product that was previously classified by BIS or included in an encryption registration to BIS; (2) Include whether the source code has been modified, and the technical details on how the source code was modified; and (3) Upon request, include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls.

Mass Market requests Determine that the products are mass marketed encryption components (chips, electronic assemblies, crypto libraries), toolkits, development kits, and non-standard crypto items described in  742.15 (b)(3) of the EAR.   Additional Supporting Documents: Demonstrate that the commodities and software meet the criteria of the Cryptography Note [Note 3 of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)]. Compare your product with the Cryptography Note criteria and state specifically where and how it is mass marketed.

CCATS Once you submit in SNAP-R you will receive a Case number beginning with “Z”. Refer to this number in any communications with BIS on your CCATs request. No longer have to mail copy of CCATs package to NSA Encryption Review Coordinator. NSA now has access to SNAP-R!

Reporting what’s changed? Semi-annual sales reporting (740.17(e) No longer need to report 740.17 b3 items (Unrestricted) other than B3iii Sales of items eligible for self classification under B1 are not required to be reported (see Annual Self-classification reporting requirements 742.17(c)) Submit electronically to both BIS and NSA at crypt@bis.doc.gov and enc@nsa.gov. 

Self Classification Reporting Submit Supplement 8 to Part 742 Remember: this report is just a list of products, not sales data CSV file format Can submit by email to BIS and NSA Zip file acceptable If not changes in the calendar year, can email statement “No changes” but recommend calling BIS to confirm receipt. Alternatively you can resubmit the prior year’s Supp. 8. You must file something every year if you exported. If no exports in the calendar year, no reporting required. Reference your “R” in the Subject Line of the email First report will cover 6/25/10 through 12/31/10.

Licensing ELA (Export License Arrangements) conditions are now standardized Least sensitive government end users – Biannual reporting More sensitive government end users Include military, police, prisons and intelligence services Require Pre-shipment notification and/or inspection

Biggest Impact for HP Dramatic reduction in number of transactions requiring semi-annual sales reporting (B3) Ability to self classify many items upon registration – impact to bottom line no more 30 day wait

Still to come The June 25 rule was published as an Interim Rule. Final Rule will incorporate some of the 6 comments received (see FOIA website) http://efoia.bis.doc.gov/pubcomm/records-of comments/record_of_comments_encryption.pdf BIS advised at Update 2010 they hope to remove publicly available software from the EAR Consistent with the administration export reform program, hope to turn Category 5 Part 2 into a “Positive” list Work ongoing with HK TID on items “self-classified” when HK requesting copy of CCATs.

BIS Encryption Team Contacts Randy Pratt Director Ph: 202-482- 5303 E-mail: cpratt@bis.doc.gov Michael Pender Senior Engineer Ph: 202-482-2458 E-mail: mpender@bis.doc.gov Anita Zinzuvadia Electrical Engineer Ph: 202-482-3772 E-mail: azinzuva@bis.doc.gov Sylvia Jimmison Export Policy Analyst Ph: 202-482-2342 E-mail: sjimmiso@bis.doc.gov Aaron Amundson Ph: 202-482-5299 E-mail: aamundso@bis.doc.gov Joe Young Ph: 202-482-4197 E-mail: jyoung@bis.doc.gov Judith Currie Senior Export Policy Analyst Ph: 202-482-5085 E-mail: jcurrie@bis.doc.gov

Q&A