Andreas Teuchert, Arrow Central Europe GmbH Munich, 21st January, 2014 Encryption Export Controls.


1 Andreas Teuchert, Arrow Central Europe GmbH Munich, 21st January, 2014 Encryption Export Controls

2 Encryption Export Controls Agenda
– Introduction to Encryption Controls
– Items in Category 5 Part 2
– When you can Export Without a Registration
– License Exception ENC
– Mass Market
– Registration, Classification, and Reporting
– Encryption Licenses

3 Introduction to Encryption Controls
– Encryption items were transferred from the USML to CCL in 1996.
– Controls are based on registration, classification, reporting, and licensing.
– Almost all encryption items can be exported if you comply with these controls.

4 Category 5, Part 2
– Encryption items
– Includes some non-encryption items
  – Low electro-magnetic emission (5A002.a.4)
  – Cross domain security (5A002.a.7)
  – Surreptitious intrusion (5A002.a.8)

5 Items exempt from encryption registration, classification and reporting requirements
– Items limited to low-strength crypto
– Note 3 Mass Market items not exceeding 64 bits symmetric
– Note 1 N.B. items (medical)
– Note 2 exports (TMP and BAG)
– Note 4 items
– Items described in ECCN 5A002 decontrol notes
– Where encryption is limited to authentication only
– Publicly available items not subject to the EAR
– Items exported to certain end-users or for certain end-uses under license exception ENC

6 § 740.17 License Exception ENC
* Self-classification report required
** Supp 3 means end-users headquartered in Supp 3
*** License also required for cryptanalytic to gov’t end users in Supp 3; for any end user outside Supp 3 for OCI items and for special (OCI, non-std, cryptanalytic) technology and for std (other) technology to D-1 countries.
**** All products developed are subject to the EAR.

7 License Exception ENC
– No Registration or Classification by BIS Required
ECCN 5A002/5D002
– Section 740.17 (a)(1)
– Internal “development” or “production” of new product
– Section 740.17 (a)(2)
– “U.S. Subsidiaries”
– Section 740.17 (b)(4)
– Short-range wireless items

8 License Exception ENC
Registration and Classification Required – Section 740.17(b)(2) ENC “Restricted” and Section 740.17(b)(3) ENC “Unrestricted”

9 License Exception ENC
Registration and Self-classification Required – Section 740.17(b)(1) ENC “Unrestricted”

10 Mass Market Encryption Definition

11 Cryptography Note
– Note 3 to Category 5 – Part 2 has two parts:
  – Part a for mass marketed end-products
  – Part b for components of mass market products

12 Cryptography Note Part A
a. Items meeting all of the following:
  1. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
    a. Over-the-counter transactions;
    b. Mail order transactions;
    c. Electronic transactions; or
    d. Telephone call transactions;
  2. The cryptographic functionality cannot be easily changed by the user;
  3. Designed for installation by the user without further substantial support by the supplier; and
  4. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described above.

13 What is Mass Market?
– Origins in the General Software Note – GSN
– Items so widely distributed that export control is not realistic
– Cryptography Note is GSN for encryption
– Low strength mass marketed products may be self-classified as 5x992
  – Key lengths not exceeding 64 symmetric; 768 asymmetric; or 112 elliptic curve
  – No registration or Supplement 8 reporting required
– Higher strength mass market products require registration
  – Before self-classification or classification – classified 5A002 or 5D002
  – After self-classification or classification as mass market – 5A992 or 5D002
  – Mass Market products in 742.15(b)(3) require BIS classification
  – Other (not B3) self-classified under 742.15(b)(1) with Supplement 8

14 What is Mass Market? (continued)
Note to the Cryptography Note:
1. To meet paragraph a. of Note 3, all of the following must apply:
  a. The item is of potential interest to a wide range of individuals and businesses; and
  b. The price and information about the main functionality of item are available before purchase without the need to consult the vendor or supplier.
2. In determining eligibility of paragraph a. of Note 3, BIS may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.

15 Cryptography Note Part B
b. Hardware components of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:
  1. “Information security” is not the primary function or set of functions of the component;
  2. The component does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
  3. The feature set of the component is fixed and is not designed or modified to customer specification; and
  4. When necessary, as determined by the appropriate authority in the exporter’s country, details of the component and relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

16 Cryptography Note Part B Requirements
– End-product must first be established as Mass Market (MM)
– Primary function(s) NOT “information security”
– Cannot introduce new or enhance existing cryptographic functionality of MM products
– Cannot transform to a non-consumer type item
– Cannot provide custom/substitute cryptography (even if same algorithm)

17 Cryptography Note Part B Grandfathering
– If a Paragraph b. component has been previously classified under ECCN 5A002 pursuant to section 740.17(b)(3) or section 740.17(b)(1):
  – a new classification by BIS is NOT required
  – may be self-classified as 742.15(b)(3) or 742.15(b)(1) but must be included as such in a self-classification report submitted to BIS in January 2014
Note: Previous 740.17(b)(1) products that are also Paragraph b. components would be self-classified under §742.15(b)(1), not (b)(3).

18 Mass Market Classifications
Two types of support documentation are needed
– Marketing information—Demonstrate generally available to the public
  – Who buys it, why and how is it marketed
  – What each product does
  – Ballpark pricing and number of sales to different user
  – Why the general public would use it
  – Be sure to include brochures or web advertisement
  – Discuss how product is installed and used without support
– Technical information—Show that the B2 criteria do not apply
  – Items described in 740.17(b)(2) are not mass market
  – Provide brochures/tech specs
  – Citation to previous or similar reviews
  – Required Supp 6 encryption technical information
  – State no source code (source code is easily user modifiable)

19 Encryption Registration
Encryption Registration Number (ERNs)
– Attach pdf of Supplement 5 to Part 742 information to the new Encryption Registration work item in SNAP-R
– System automatically responds with an ERN in about an hour
– ERN is required before export of items self-classified under
  – 740.17(b)(1) or
  – 742.15(b)(1)
– Encryption registration number (ERN) must be placed in Additional Information block when submitting classification requests under
  – 740.17(b)(2) and 740.17(b)(3)
  – 742.15(b)(3)

20 Classification Required
– Classification by BIS/NSA Required
  – “Restricted” items under ENC 740.17(b)(2)
  – “Unrestricted” items under ENC 740.17(b)(3)
  – Listed mass market items 742.15(b)(3)
– Must have an ERN before processing the application.

21 Classification Required - Process
– Upon registration of a classification request, products may be exported and reexported immediately to Supplement 3 countries & Canada except for cryptanalytic items which require a license to all government end users.
– After 30 days, eligible “(b)(2)” and “(b)(3)” products may be exported and reexported as stated in the regulations except Country Group E:1

22 CCATS Application
– Required:
  – ERN in the additional information block in SNAP-R, if applicable.
  – Supplement 6, to part 742 information
  – Product data sheet
– Not required, but helpful:
  – Cover letter/summary explaining what outcome you expect for each product
  – Brief overview of the product and what it’s designed to do with particular regard to its security functions.
  – Best guess at the ECCN (for each product) and how item will be authorized.
  – For hardware, and especially for components, a picture of the item.

23 Supplement 6 to part 742
– Describe specific use of encryption
  – Authentication communication (wired/wireless), data confidentiality, “Operations, Administration, Maintenance and Provisioning” (OAM&P), copy/license protection, etc.
– Describe type(s) of encryption used
  – Algorithms, protocols, key lengths
– Describe third-party provided cryptography
– Describe how product does or does not meet requirements of 740.17(b)(2)

24 Semi-annual Reporting (§740.17(e))
– Now applies only to B2 and B3iii
– Product name, quantity and recipient(s)
– Distributors or other resellers
– Direct sales
– Information on foreign products developed from U.S.-origin encryption components, toolkits, source code and technology
– Reports to both BIS and the ENC Encryption Request Coordinator
– Key length increases
– Exemptions from reporting
– See §740.17(e)(1)(iii) for a complete list

25 Annual Report of Exported Products (“Supplement 8 Report”)
– All B1 items (items self-classified under 740.17(b)(1) and 742.15(b)(1))
– Submitted by email to NSA and BIS
– CSV (comma separated values) format
– Six specified data fields: name of product, model number, manufacturer, ECCN, ENC or mass market, item type (of 49 listed)
– Items classified under B2 or B3 should not be listed (740.17(b)(2/3) and 742.15(b)(3))

26 Encryption Licensing
– “Restricted” items to government end users in non-Supplement No. 3 countries
– Encryption technology for development/manufacture abroad
– Other situations including export to E-1 countries
– Denials are very rare

27 Encryption Licenses (§742.15(a) of the EAR)
Most products in 740.17(b)(2) require a license to government end-users outside the Supplement 3 countries, except as follows:
– Cryptanalytic commodities and software require a license to any government end-user anywhere except Canada;
– “Open cryptographic interface” items require a license to any end-user not located or headquartered in a Supplement 3 country; and
– Encryption technology as follows:
  – Technology for “non-standard cryptography” requires a license to any end-user not located or headquartered in a Supplement 3 country;
  – Other technology – requires a license to:
    – Any government end-user outside the Supplement 3 countries; and
    – Any end-user in country group D:1
In addition, a license is required for:
– Any export to Country Group E:1 destinations
– A transaction that requires a registration or classification but those have not been done.

28 License Exception ENC (740.17)
* Developed products are subject to the EAR

29 Questions?

