Transcript of: Complying With US Encryption Controls Compared to UK Controls
George N. Grammas, Partner, Chair, International Trade / Global Import and Export Compliance, Squire Patton Boggs
[email protected] | squirepattonboggs.com
2550 M Street, NW, Washington, DC 20037, United States. T +1 202 626 6234, M +1 240 606 7026
Complying With US Encryption Controls Compared to UK Controls
7 Devonshire Square, London EC2M 4YH, England. T +44 20 7655 1301
AGENDA
• Encryption Control List Interpretations (US)
• Compliance Documentation Based on Classification
• ENC Compliance Documentation
Items Designed to Use Encryption NOT Controlled Under Category 5—Part 2

Decision flow (reconstructed from the slide's chart):
1. Is the item designed to use cryptography, or does it contain cryptography? No: the item is not controlled under Category 5—Part 2 of the CCL. Yes: go to 2.
2. Is the item described in Note 4 (formerly, "ancillary" cryptography)? Yes: the item is not controlled under Category 5—Part 2 of the CCL. No: go to 3.
3. Is the item described in a decontrol note in 5A002? Yes: the item is not controlled under Category 5—Part 2 of the CCL. No: the item remains in Category 5—Part 2 (see the flow for controlled items below).
Note 4 to Category 5—Part 2
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment,
mass commercial broadcasts, digital rights management or medical records
management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
Note 4 to Category 5—Part 2, in Application
For some items, the test can be subjective.
When in doubt, request a CCATS (Commodity Classification Automated Tracking System) determination from BIS.
Self-classification analysis must be documented, particularly for EAR99 determinations.
Note 4, paragraph c.: "details of the items are accessible and will be provided, upon request"
Recent CCATS responses suggest that IoT devices and software using encryption for communications of status reports, configuration commands, etc. are excluded from Cat. 5—Part 2 under Note 4.
These items do engage in "sending, receiving or storing information" (Note 4, paragraph a.3), so the exclusion turns on whether that is the item's primary function.
Worked classification flow (reconstructed from the slide's chart)

Assumptions:
1. The product contains or uses encryption (key length > 56 bits symmetric, 512 bits asymmetric, or 112 bits elliptic curve)
2. The product is not specifically designed for medical use
3. The product is not a smart card or smart card reader
4. The product is not specifically designed for banking use or money transactions

Work through the questions in order. A "yes" to any of questions 1 to 11 takes the product out of Category 5—Part 2: classify it elsewhere on the CCL or as EAR99. A "no" moves on to the next question.
1. Does the product meet the ancillary encryption test? (Cat. 5—Part 2, Note 4)
2. Is the product a radiotelephone without end-to-end encryption? (ECCN 5A002, Note (c))
3. Is the product a radiotelephone customized for a specific industry? (ECCN 5A002, Note (e))
4. Is the product a cordless telephone with range limited to 400 meters? (ECCN 5A002, Note (d))
5. Is the product wireless network equipment with range limited to 30 meters? (ECCN 5A002, Note (f))
6. Is the encryption dormant or not activated? (ECCN 5A002, Note (g))
7. Is the product equipment where encryption is used only for authentication, digital signature, or execution of copy-protected software? (ECCN 5A002(a)(1))
8. Is the product software where encryption is used only for OAM and uses only published or commercial encryption standards? (ECCN 5D002.c)
9. Is the product civil mobile telecommunications Radio Access Network (RAN) equipment? (ECCN 5A002, Note (h))
10. Is the product a router, switch or relay where encryption is used only for OAM? (ECCN 5A002, Note (i))
11. Is the product general purpose computing equipment or a server where encryption is integral to the OS or CPU, or limited to OAM? (ECCN 5A002, Note (j))
12. Does the product qualify for mass-market treatment? (Cat. 5—Part 2, Note 3)
   - Yes: after encryption self-classification, the product is under ECCN 5A992 (hardware) or 5D992 (software). NLR to all destinations except Cuba, Iran, Syria, Sudan and North Korea.
   - No: the product is classified under ECCN 5A002 (hardware) or 5D002 (software). Consider use of License Exceptions ENC and TSR.

Note: Items previously 5A992.a or .b are now removed from Category 5—Part 2. Classify under another ECCN or EAR99.
Items Designed to Use Encryption Controlled under Category 5—Part 2

Does the item meet the criteria for Mass Market in Note 3?

Yes: Classify under 5A992.c, 5D992.c, or 5E992.b
• Determine if the item can be self-classified or if BIS classification is required under ENC 740.17(b) (i.e., is it a (b)(3)(i), (ii), or (iv) item?)
• Document self-classification (if applicable)
• File annual reports on self-classified mass market items

No: Classify in 5A002, 5D002, or 5E002
• Determine ENC eligibility and document the analysis
• Determine if the item can be self-classified or if BIS classification is required (i.e., (b)(2) or (b)(3))
• File annual report on self-classified items or semi-annual sales reports for (b)(2) or (b)(3)(iii) items
Mass Market Documentation: Cryptography Note, Note 3 to Category 5—Part 2
Encryption Registration Numbers no longer used
Compliance documentation for mass-market self-classification
Exporter must have documented self-classification, including all information set forth in the Technical Questionnaire at Supplement No. 6 to EAR Part 742
• Exporter "may be required to provide BIS this supplement no. 6 to part 742 information on an as-needed basis, upon request by BIS" (EAR § 740.17(d)(1)(ii))
• Document that the item is not under ENC (b)(2) or (b)(3)
"When necessary, details of the items are accessible and will be provided, upon request…" (Note 3, paragraph a.5)
Document compliance with Note 3
A new self-classification or classification request may be required if the encryption changes or if it is used in a different item to be exported
Annual self-classification reports for encryption items that were exported during the previous year
ENC Compliance: Para (a)
Section 740.17(a) of the EAR – no (b)(2)/(b)(3) review and no reporting:
(a)(1)(i): internal development
• ECCN of 5A002 or 5D002
• Private sector end users, wherever located, that are headquartered in a country listed in Supplement 3
• Product must be used for internal development or production of new products by that user
(a)(1)(ii): internal uses other than development for non US-origin items
• Private sector end users, wherever located, if parties are subs of the same parent in a country listed in Supplement 3
• Items became subject to EAR after produced; capabilities not enhanced (unless authorized)
(a)(2): exports to U.S. subsidiaries
• ECCN of 5A002 or 5D002
• Export must be made to a U.S. subsidiary, or foreign nationals who are employees, contractors, or interns of a U.S. company or its subsidiaries
• Must be for internal company use, including development or production of new products
(a)(3): foreign-made products developed with or incorporating U.S. encryption
source code, components or toolkits
• Item must have prior classification or reporting and authorization by BIS
ENC Compliance: Para (b)
Two levels of control: “restricted” and “unrestricted”
“Restricted” – Section 740.17(b)(2)
• License required for government end-users located in any country other than the "Supplement No. 3" countries; license NOT required for non-government end-users
• Authorizes exports, reexports, and transfers (in-country) of "network infrastructure" items to "less sensitive government end users" in all countries except Country Group E:1 and E:2
• Requires BIS/NSA classification determination (with 30-day waiting period)
• Semi-annual export reporting
• Items described in Section 740.17(b)(2), including network infrastructure items; sourcecode; cryptanalytic items; open cryptographic interface items; and public safety items
“Unrestricted” – Sections 740.17(b)(1) and (b)(3)
• License NOT required for government or non-government end-users
• Items described in Section 740.17(b)(3)
- Requires BIS/NSA classification determination (with 30-day waiting period)
- Some items subject to semi-annual export reporting requirement
- Examples: chips and chipsets; "non-standard" cryptography; cryptographic libraries, modules and development kits; application-specific development kits; and network and computer forensics items
• Items described in Section 740.17(b)(1)
- Requires annual self-classification reporting
- Items not covered by 740.17(b)(2) or (b)(3)
ENC Compliance for 5x002 Items: Summary
Analyze and document ENC eligibility for items
Self-classification or CCATS
On a case-by-case basis, determine ENC applicability to the country of destination, end-use, and end-user
Annual self-classification reports
Items eligible for self-classification but submitted for CCATS are not required in annual reports
Semi-annual reporting for exports of (b)(2) and (b)(3)(iii) items