Posted to legal-discuss@apache.org by "Roy T. Fielding" <fi...@gbiv.com> on 2021/05/21 20:16:57 UTC

Revisiting Export Control Status of Apache Open Source Software

> On May 21, 2021, at 9:38 AM, Roy T. Fielding <fi...@gbiv.com> wrote:
> 
> You will have to ask the BIS
> 
>    https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear
> 
> The regulations are not made by the ASF, nor do they conform to any sort of logic
> that we could interpret independently.
> 
> ....Roy

It is my personal opinion, based on the "March 29, 2021" EAR, not representing
the ASF and not being a lawyer and not being able to say anything on behalf of the BIS
(which has a cottage industry for making such opinions), that the EAR has changed
significantly since the ASF procedures were put in place. Hence, we don't have clear
guidance; the last time we sought an opinion from the BIS was over a decade ago.

It's important to note that, in order to understand the EAR, you have to read every
word and definition and cross-reference back to the source. It is not possible to
understand it otherwise. I've provided most of the relevant sections below.

For example, the entire section that defines "Published" is actually conditional on
a note in 734.3(b) that says

   However, notwithstanding § 734.3(b)(2), encryption source code in electronic form
   or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see § 734.17)).
   Publicly available encryption object code “software” classified under ECCN 5D002
   is not subject to the EAR when the corresponding source code meets the criteria
   specified in § 742.15(b) of the EAR.

and this is repeated as

   § 734.7(b) Publicly available encryption source code “software” and corresponding
   object code are not subject to the EAR, when the encryption source code
   “software” meets the additional requirements in § 742.15(b) of the EAR.

[The additional requirements are listed below, but we should meet those requirements
as long as we are using a standard encryption library without non-standard crypto
implementation/additions.]

This would appear to say that most/all of our software distributions that used to be
classified as 5D002 are no longer subject to the EAR (i.e., do not require classification)
if they do not include the encryption product source code and merely use mass market
encryption products that have already been classified as 5A992 or 5D992 by their
own developers.

Alternatively, our software can be self-classified by us as 5D002 and, assuming our
product is either composed of 100% source code or the object code is based on
100% source code that has already been published, it can then be reclassified as
5D992 after that self-classification has been submitted.

§740.17 says:

   Note to paragraph (b) introductory text: Mass market encryption software that
   would be considered publicly available under §734.3(b)(3) of the EAR, and is
   authorized for export under this paragraph (b), remains subject to the EAR until
   all applicable classification or self-classification requirements set forth in
   this section are fulfilled.

Note that this is essentially the same process we have performed for years,
except that the terms have changed, the reporting format is very specific,
we no longer need license exceptions, and we can rely on classifications
made by third parties like openssl and bouncycastle.

I think we need to update the ECCN page and chair docs.

....Roy

====

§ 734.2 SUBJECT TO THE EAR

(a) Subject to the EAR - Definition

(1) “Subject to the EAR” is a term used in the EAR to describe those items and activities over which BIS exercises regulatory jurisdiction under the EAR. Conversely, items and activities that are not subject to the EAR are outside the regulatory jurisdiction of the EAR and are not affected by these regulations. The items and activities subject to the EAR are described in §734.2 through §734.5 of this part. You should review the Commerce Control List (CCL) and any applicable parts of the EAR to determine whether an item or activity is subject to the EAR. However, if you need help in determining whether an item or activity is subject to the EAR, see §734.6 of this part. Publicly available technology and software not subject to the EAR are described in §734.7 through §734.11 and Supplement No. 1 to this part.

(3) The term “subject to the EAR” should not be confused with licensing or other requirements imposed in other parts of the EAR. Just because an item or activity is subject to the EAR does not mean that a license or other requirement automatically applies. A license or other requirement applies only in those cases where other parts of the EAR impose a licensing or other requirement on such items or activities.

734.3(b) The following are not subject to the EAR: ...

(3) Information and “software” that:

(i) Are published, as described in § 734.7;

(ii) Arise during, or result from, fundamental research, as described in § 734.8;

(iii) Are released by instruction in a catalog course or associated teaching laboratory of an academic institution;

(iv) Appear in patents or open (published) patent applications available from or at any patent office, unless covered by an invention secrecy order, or are otherwise patent information as described in § 734.10;

(v) Are non-proprietary system descriptions; or

(vi) Are telemetry data as defined in Note 2 to Category 9, Product Group E (see Supplement No. 1 to part 774 of the EAR).

NOTE TO PARAGRAPHS (b)(2) AND (b)(3): A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see § 734.3(b)(2)). However, notwithstanding § 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see § 734.17)). Publicly available encryption object code “software” classified under ECCN 5D002 is not subject to the EAR when the corresponding source code meets the criteria specified in § 742.15(b) of the EAR.

====

§ 734.7 PUBLISHED

(a) Except as set forth in paragraphs (b) and (c) of this section, unclassified “technology” or “software” is “published,” and is thus not “technology” or “software” subject to the EAR, when it has been made available to the public without restrictions upon its further dissemination such as through any of the following:

(1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;

(2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;

(3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;

(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or

(5) Submission of a written composition, manuscript, presentation, computer-readable dataset, formula, imagery, algorithms, or some other representation of knowledge with the intention that such information will be made publicly available if accepted for publication or presentation:

(i) To domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications;

(ii) To researchers conducting fundamental research; or

(iii) To organizers of open conferences or other open gatherings.

(b) Published encryption software classified under ECCN 5D002 remains subject to the EAR unless it is publicly available encryption object code software classified under ECCN 5D002 and the corresponding source code meets the criteria specified in § 742.15(b) of the EAR.

(c) The following remains subject to the EAR: “software” or “technology” for the production of a firearm, or firearm frame or receiver, controlled under ECCN 0A501, that is made available by posting on the internet in an electronic format, such as AMF or G-code, and is ready for insertion into a computer numerically controlled machine tool, additive manufacturing equipment, or any other equipment that makes use of the “software” or “technology” to produce the firearm frame or receiver or complete firearm.

====

§ 734.17 EXPORT OF ENCRYPTION SOURCE CODE AND OBJECT CODE SOFTWARE

(a) For purposes of the EAR, the Export of encryption source code and object code “software” means:

(1) An actual shipment, transfer, or transmission out of the United States (see also paragraph (b) of this section); or

(2) A transfer of such “software” in the United States to an embassy or affiliate of a foreign country.

(b) The export of encryption source code and object code “software” controlled for “EI” reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR) includes:

(1) Downloading, or causing the downloading of, such “software” to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or

(2) Making such “software” available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the “software” available takes precautions adequate to prevent unauthorized transfer of such code. See § 742.15(b) of the EAR for additional requirements pursuant to which exports or reexports of encryption source code “software” are considered to be publicly available consistent with the provisions of § 734.3(b)(3). Publicly available encryption source code “software” and corresponding object code are not subject to the EAR, when the encryption source code “software” meets the additional requirements in § 742.15(b) of the EAR.

(c) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under § 740.17(b)(2) of the EAR (encryption “software” products, certain encryption source code and general purpose encryption toolkits) shall include such measures as:

(1) The access control system, either through automated means or human intervention, checks the address of every system outside of the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end-user (e.g., “.gov,” “.gouv,” “.mil” or similar addresses);

(2) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic “software” subject to export controls under the Export Administration Regulations, and anyone receiving such a transfer cannot export the “software” without a license or other authorization; and

(3) Every party requesting or receiving a transfer of such “software” must acknowledge affirmatively that the “software” is not intended for use by a government end user, as defined in part 772 of the EAR, and he or she understands the cryptographic “software” is subject to export controls under the Export Administration Regulations and anyone receiving the transfer cannot export the “software” without a license or other authorization. BIS will consider acknowledgments in electronic form provided they are adequate to assure legal undertakings similar to written acknowledgments.

====

742.15(a)(1): Licensing requirements. A license is required to export or reexport encryption items (“EI”) classified under ECCN 5A002, 5A004, 5D002.a, .c.1 or .d (for equipment and “software” in ECCNs 5A002 or 5A004, 5D002.c.1); or 5E002 for “technology” for the “development,” “production,” or “use” of commodities or “software” controlled for EI reasons in ECCNs 5A002, 5A004 or 5D002, and “technology” classified under 5E002.b to all destinations, except Canada. Refer to part 740 of the EAR, for license exceptions that apply to certain encryption items, and to § 772.1 of the EAR for definitions of encryption items and terms. Most encryption items may be exported under the provisions of License Exception ENC set forth in §740.17 of the EAR. Following classification or self-classification, items that meet the criteria of Note 3 to Category 5 - Part 2 of the Commerce Control List (the “mass market” note), are classified ECCN 5A992.c or 5D992.c and are no longer subject to this Section (see § 740.17 of the EAR). Before submitting a license application, please review License Exception ENC to determine whether this license exception is available for your item or transaction. For exports, reexports, or transfers (in-country) of encryption items that are not eligible for a license exception, you must submit an application to obtain authorization under a license or an Encryption Licensing Arrangement.

742.15(b) Publicly available encryption source code

(1) Scope and eligibility. Subject to the notification requirements of paragraph (b)(2) of this section, publicly available (see § 734.3(b)(3) of the EAR) encryption source code classified under ECCN 5D002 is not subject to the EAR. Such source code is publicly available even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.

(2) Notification requirement for “non-standard cryptography.” For publicly available encryption source code classified under ECCN 5D002 that provides or performs “non-standard cryptography” as defined in part 772 of the EAR, you must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the source code or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location. In all instances, submit the notification or copy to crypt@bis.doc.gov and to enc@nsa.gov.

772: "Non-standard cryptography". Means any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.

======

CCL5 D. “SOFTWARE”

5D002 “Software” as follows (see List of Items Controlled).

List of Items Controlled

Related Controls: After classification or self-classification in accordance with § 740.17(b) of the EAR, mass market encryption software that meets eligibility requirements is released from “EI” and “NS” controls. This software is designated as 5D992.c.

Related Definitions: 5D002.a controls “software” designed or modified to use “cryptography” employing digital or analog techniques to ensure “information security.”

Items:

a. “Software” “specially designed” or modified for the “development,” “production” or “use” of any of the following:

a.1. Equipment specified by 5A002 or “software” specified by 5D002.c.1;

a.2. Equipment specified by 5A003 or “software” specified by 5D002.c.2; or

a.3. Equipment or “software”, as follows:

a.3.a. Equipment specified by 5A004.a or “software” specified by 5D002.c.3.a;

a.3.b. Equipment specified by 5A004.b or “software” specified by 5D002.c.3.b;

b. “Software” having the characteristics of a ‘cryptographic activation token’ specified by 5A002.b;

c. “Software” having the characteristics of, or performing or simulating the functions of, any of the following:

c.1. Equipment specified by 5A002.a, .c, .d or .e;

Note: 5D002.c.1 does not apply to “software” limited to the tasks of “OAM” implementing only published or commercial cryptographic standards.

c.2. Equipment specified by 5A003; or

c.3. Equipment, as follows:
c.3.a. Equipment specified by 5A004.a;

c.3.b. Equipment specified by 5A004.b.

Note: 5D002.c.3.b does not apply to “intrusion software”.

d. [Reserved]

N.B.: See 5D002.b for items formerly specified in 5D002.d.

5D992 “Information Security” “software” not controlled by 5D002 as follows (see List of Items Controlled).

List of Items Controlled

Related Controls: This entry does not control “software” designed or modified to protect against malicious computer damage, e.g., viruses, where the use of “cryptography” is limited to authentication, digital signature and/or the decryption of data or files. Related Definitions: N/A

Items:

a. [Reserved]

b. [Reserved]

c. “Software” classified as mass market encryption software in accordance with § 740.17(b) of the EAR.

====

§ 740.17 ENCRYPTION COMMODITIES, SOFTWARE AND TECHNOLOGY (ENC)

License Exception ENC authorizes export, reexport, and transfer (in-country) of systems, equipment, commodities, and components therefor that are classified under ECCNs 5A002, 5B002, equivalent or related software and technology therefor classified under 5D002 or 5E002, and “cryptanalytic items” classified under ECCNs 5A004, 5D002 or 5E002. This License Exception ENC does not authorize export or reexport to, transfer (in-country) in, or provision of any service in any country listed in Country Groups E:1 or E:2 in Supplement No. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Groups E:1 or E:2. Reexports and transfers (in-country) under License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraphs (b) and (d) of this section set forth information about classifications required by this section. Items described in paragraphs (b)(1) and (b)(3)(i), (b)(3)(ii) or (b)(3)(iv) of this section that meet the criteria set forth in Note 3 to Category 5 - Part 2 of the Commerce Control List (the “mass market” note) are classified under ECCN 5A992.c or 5D992.c following self-classification or classification by BIS and are no longer subject to “EI” and “NS” controls. Paragraph (e) sets forth reporting required by this section. For items exported under paragraphs (b)(1), (b)(3)(i), (b)(3)(ii) or (b)(3)(iv) of this section and therefore excluded from paragraph (e) reporting requirements, exporters are reminded of the recordkeeping requirements in part 762 of the EAR and that they may be required to make such records available upon request. All classification requests, and reports submitted to BIS pursuant to this section for encryption items will be reviewed by the ENC Encryption Request Coordinator, Ft. Meade, MD.

(a) No classification request or reporting required

License Exception ENC authorizes the export, reexport, or transfer (in-country) to the end users and for the end uses set forth in paragraphs (a)(1), (a)(2), and (a)(3) of this section, without submission of a classification request, self-classification report or sales report to BIS.

(1) Certain exports, reexports, transfers (in-country) to ‘private sector end users.’

(i) Internal “development” or “production” of new products. License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of items described in paragraph (a) of this section for the internal “development” or “production” of new products by ‘private sector end users,’ wherever located, that are headquartered in a country listed in Supplement No. 3 of this part. 

(ii) Certain exports, reexports, transfers (in-country) to related parties, not involving “development” or “production” of new products. For internal end uses among ‘private sector end users’ other than the “development” or “production” of new products, License Exception ENC authorizes exports, reexports, and transfers (in-country) of non-U.S.-origin items, described in paragraph (a) of this section, to ‘private sector end users’ wherever located provided that:

(A) That item became subject to the EAR after it was produced;

(B) All parties to the transaction are subsidiaries of the same parent company headquartered in a country listed in Supplement No. 3 of this part; and

(C) The characteristics or capabilities of the existing item are not enhanced, unless otherwise authorized by license or license exception.

Note to paragraph (a)(1): A ‘private sector end user’ is either: An individual who is not acting on behalf of any foreign government; or a commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, otherwise controlled by or acting on behalf of, any foreign government.

(2) Exports, reexports, transfers (in-country) to “U.S. Subsidiaries.” License Exception ENC authorizes export, reexport, and transfer (in-country) of items described in paragraph (a) of this section to any “U.S. subsidiary,” wherever located. License Exception ENC also authorizes export, reexport, transfer (in-country) of such items by a U.S. company and its subsidiaries to foreign nationals who are employees, individual contractors or interns of a U.S. company or its subsidiaries if the items are for internal company use, including the “development” or “production” of new products, without prior review by the U.S. Government.

Note to paragraph (a)(1) and (a)(2): All items produced or developed with items exported, reexported, or transferred (in-country) under paragraphs (a)(1) or (a)(2) of this section are subject to the EAR. These items may require the submission of a classification request before sale, reexport or transfer to non-“U.S. subsidiaries,” unless otherwise authorized by license or license exception.

(3) Reexports and transfers (in-country) of non-U.S. products developed with or incorporating U.S.-origin encryption source code, components, or toolkits. License Exception ENC authorizes the reexport and transfer (in-country) of non-U.S. products developed with or incorporating U.S.-origin encryption source code, components or toolkits that are subject to the EAR, provided that the U.S.-origin encryption items have previously been classified or reported and authorized by BIS and the cryptographic functionality has not been changed. Such products include non-U.S. developed products that are designed to operate with U.S. products through a cryptographic interface.

Note to paragraph (a)(3): This exception from classification and reporting requirements does not apply to non-U.S.-origin products exported from the United States.

(b) Classification request or self-classification

For certain products described in paragraph (b)(1) of this section that are self-classified, a self-classification report in accordance with paragraph (e)(3) of this section is required from specified exporters, reexporters and transferors; for products described in paragraph (b)(1) of this section that are classified by BIS via a CCATS, a self-classification report is not required. For products described in paragraphs (b)(2) and (b)(3) of this section, a thirty-day (30-day) classification request is required in accordance with paragraph (d) of this section. An exporter, reexporter, or transferor may rely on the producer’s self-classification (for products described in (b)(1), only) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (b)(2), or (b)(3) of this section. Exporters are still required to comply with semi-annual sales reporting requirements under paragraph (e)(1) or (2) of this section, even if relying on a CCATS issued to a producer for specified encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this section.

Note to paragraph (b) introductory text: Mass market encryption software that would be considered publicly available under §734.3(b)(3) of the EAR, and is authorized for export under this paragraph (b), remains subject to the EAR until all applicable classification or self-classification requirements set forth in this section are fulfilled.

(1) Immediate authorization. This paragraph (b)(1) authorizes the exports, reexports, and transfers (in-country) of the associated commodities self-classified under ECCNs 5A002.a or 5B002, and equivalent or related software therefor classified under 5D002, except any such commodities, software, or components described in (b)(2) or (b)(3) of this section, subject to submission of a self-classification report in accordance with § 740.17(e)(3) of the EAR. Items described in this paragraph (b)(1) that meet the criteria set forth in Note 3 to Category 5 - Part 2 of the Commerce Control List (the “mass market” note) are classified as ECCN 5A992.c or 5D992.c following self-classification or classification by BIS and are removed from “EI” and “NS” controls.

(2) Classification request required. Thirty (30) days after the submission of a classification request with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph under License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of the items specified in paragraph (b)(2) and submitted for classification.

Note to introductory text of paragraph (b)(2): Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, and transfers (in-country) of:

1. All submitted encryption items described in this paragraph (b)(2), except “cryptanalytic items,” to any end user located or headquartered in a country listed in Supplement No. 3 to this part;

2. Encryption source code as described in paragraph (b)(2)(i)(B) to non-“government end users” in any country;

3. “Cryptanalytic items” to non-“government end users,” only, located or headquartered in a country listed in Supplement No. 3 to this part; and

4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A) of this section, to specified destinations and end users.

(i) Cryptographic commodities, software, and components. License Exception ENC authorizes exports, reexports, and transfers (in-country) of the items in paragraph (b)(2)(i)(A) of this section to “less sensitive government end users” and non-“government end users” located or headquartered in a country not listed in Supplement No. 3 to this part, and the items in paragraphs (B) – (H) to non-“government end users” located or headquartered in a country not listed in Supplement No. 3. [...]

(ii) Cryptanalytic commodities and software. “Cryptanalytic items” classified in ECCN 5A004 or 5D002 to non-“government end users” located or headquartered in countries not listed in Supplement No. 3 to this part.

(iii) “Open cryptographic interface” items. Items that provide an “open cryptographic interface,” to any end user located or headquartered in a country listed in Supplement No. 3 to this part.

(iv) Specific encryption technology. Specific encryption technology as follows:

(A) Technology for “non-standard cryptography.” Encryption technology classified under ECCN 5E002 for “non-standard cryptography,” to any end user located or headquartered in a country listed in Supplement No. 3 to this part;

(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end user” located in a country not listed in Country Group D:1, E:1, or E:2 of Supplement No. 1 to part 740 of the EAR.

Note to paragraph (b)(2): Commodities, components, and software classified under ECCNs 5A002.b or 5D002.b, for the “cryptographic activation” of commodities or software specified by paragraph (b)(2) of this section are also controlled under paragraph (b)(2) of this section.

(3) Classification request required for specified commodities, software, and components. Thirty (30) days after a classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph authorizes exports, reexports, and transfers (in-country) of the items submitted for classification, as further described in this paragraph (b)(3), to any end user, provided the item does not perform the functions, or otherwise meet the specifications, of any item described in paragraph (b)(2) of this section. Items described in paragraph (b)(3)(ii) or (iv) of this section that meet the criteria set forth in Note 3 to Category 5 - Part 2 of the CCL (the “mass market” note) are classified under ECCN 5A992.c or 5D992.c following classification by BIS.

Note to introductory text of paragraph (b)(3):

Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, transfers (in-country) of the items described in this paragraph (b)(3) to any end user located or headquartered in a country listed in Supplement No. 3 to this part.

====

740(e)(3) Self-classification reporting for certain encryption commodities, software, and components. This paragraph (e)(3) sets forth requirements for self-classification reporting to BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) of certain encryption commodities, software, and components exported or reexported meeting the criteria specified in paragraph (b)(1) of this section. Specifically, this reporting requirement applies to “mass market” encryption components and ‘executable software’ that meet the criteria of the Cryptography Note - Note 3 to Category 5 - Part 2 of the CCL (“mass market” note) and are classified under ECCN 5A992.c or 5D992.c following self-classification, as well as to non-“mass market” encryption commodities and software that remain classified in ECCN 5A002, 5B002 or 5D002 following self-classification, provided these items are not further described by paragraph (b)(2) or (3) of this section.

Note to introductory text of paragraph (e)(3):

For the purposes of this paragraph (e)(3), ‘executable software’ means “software” in executable form, from an existing hardware component excluded from ECCN 5A002 by the Cryptography Note. ‘Executable software’ does not include complete binary images of the “software” running on an end item.

(i) When to report. Your self-classification report for applicable encryption commodities, software and components exported or reexported during a calendar year (January 1 through December 31) must be received by BIS and the ENC Encryption Request Coordinator no later than February 1 the following year.

(ii) How to report. Encryption self-classification reports must be sent to BIS and the ENC Encryption Request Coordinator via e-mail or regular mail. In your submission, specify the timeframe that your report spans and identify points of contact to whom questions or other inquiries pertaining to the report should be directed. Follow these instructions for your submissions:

(A) Submissions via e-mail. Submit your encryption self-classification report electronically to BIS at crypt-supp8@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, as an attachment to an e-mail. Identify your e-mail with subject “self-classification report.”

(B) Submissions on disks and CDs. The self-classification report may be sent to the following addresses, in lieu of e-mail:

(1) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave., NW, Room 2099B, Washington, DC 20230, Attn: Encryption Reports, and

(2) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755-6000.

(iii) Information to report. Your encryption self-classification report must include the information described in paragraph (a) of Supplement No. 8 to part 742 for each applicable encryption commodity, software and component made eligible for export or reexport under § 740.17(b)(1) of the EAR. Each product must be included in a report only one time. However, if no new products are made eligible for export or reexport during a calendar year, you must send an e-mail to the addresses listed in paragraph (e)(3)(ii)(A) of this section stating that nothing has changed since the previous report.

(iv) File format requirements. The information described in paragraph (a) of Supplement No. 8 to part 742 must be provided to BIS and the ENC Encryption Request Coordinator in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv) adhering to the specifications set forth in paragraph (b) of Supplement No. 8 to part 742.

====

SUPPLEMENT NO. 8 TO PART 742 -- SELF-CLASSIFICATION REPORT FOR ENCRYPTION ITEMS

This supplement provides certain instructions and requirements for self-classification reporting to BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) of encryption commodities, software and components exported or reexported pursuant to §740.17(b)(1) of the EAR. See §740.17(e)(3) of the EAR for additional instructions and requirements pertaining to this supplement, including when to report and how to report.

(a) Information to report

The following information is required in the file format as described in paragraph (b) of this supplement, for each encryption item subject to the requirements of this supplement and §§ 740.17(b)(1) and 740.17(e)(3) of the EAR:

(1) Name of product (50 characters or less.)

(2) Model / series / part number (50 characters or less.) If necessary, enter ‘NONE’ or ‘N/A’.

(3) Primary manufacturer (50 characters or less.) Enter ‘SELF’ if you are the primary manufacturer of the item. If there are multiple manufacturers for the item but none is clearly primary, either enter the name of one of the manufacturers or else enter ‘MULTIPLE’. If necessary, enter ‘NONE’ or ‘N/A’.

(4) Export Control Classification Number (ECCN), selected from one of the following:

   (i) 5A002 (ii) 5B002 (iii) 5D002 (iv) 5A992 (v) 5D992

(5) Encryption authorization type identifier, selected from one of the following, which denote eligibility under License Exception ENC § 740.17(b)(1):

   (i) ENC
   (ii) MMKT

(6) Item type descriptor, selected from one of the following:

(i)     Accesspoint;
(ii)    Cellular;
(iii)   Computer or computing platforms;
(iv)   Computer forensics;
(v)    Cryptographic accelerator;
(vi)   Data backup and recovery;
(vii)  Database;
(viii) Disk / drive encryption;
(ix)   Distributed computing;
(x)    E-mail communications;
(xi)   Fax communications;
(xii)  File encryption;
(xiii) Firewall;
(xiv) Gateway;
(xv)  Intrusion detection;
(xvi) Identity management;
(xvii)  Key exchange;
(xviii)  Key management;
(xix)  Key storage;
(xx)  Link encryption;
(xxi)  Local area networking (LAN);
(xxii)  Metropolitan area networking (MAN);
(xxiii)  Mobility and mobile applications n.e.s.;
(xxiv)  Modem;
(xxv)  Multimedia n.e.s.;
(xxvi)  Network convergence or infrastructure n.e.s.;
(xxvii) Network forensics;
(xxviii) Network intelligence;
(xxix) Network or systems management (OAM / OAM&P);
(xxx) Network security monitoring;
(xxxi) Network vulnerability and penetration testing;
(xxxii) Operating System;
(xxxiii) Optical Networking;
(xxxiv) Radio Communications;
(xxxv)  Router;
(xxxvi) Satellite communications;
(xxxvii) Short range wireless n.e.s.;
(xxxviii) Storage Area Networking (SAN);
(xxxix) 3G / 4G / 5G / LTE / WiMAX;
(xl) Trusted computing;
(xli) Videoconferencing;
(xlii) Virtual private networking (VPN);
(xliii) Voice communications n.e.s.;
(xliv) Voice over Internet Protocol (VoIP);
(xlv) Wide Area Networking (WAN);
(xlvi) Wireless Local Area (WLAN);
(xlvii) Wireless Personal Area (WPAN);
(xlviii) Test equipment n.e.s.; or
(xlix) Other (please specify).

(7) Name of company or individual submitting the report (50 characters or less).

(8) Telephone number (50 characters or less).

(9) E-mail address (50 characters or less).

(10) Mailing address (50 characters or less).

(11) With respect to your company’s encryption products, do they incorporate encryption components produced or furnished by non-U.S. sources or vendors? Enter ‘YES’, ‘NO’, or if necessary, ‘N/A’ (250 characters or less).

(12) With respect to your company’s encryption products, are any of them manufactured in non-U.S. locations? If yes, list the non-U.S. manufacturing locations by city and country. If necessary, enter ‘NONE’ or ‘N/A’ (250 characters or less).

(b) File format requirements.

(1) The information described in paragraph (a) of this supplement must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv), only. No file formats other than .csv will be accepted, as your encryption self-classification report must be directly convertible to tabular or spreadsheet format, where each row (and all entries within a row) properly correspond to the appropriate encryption item.

Note to paragraph (b)(1): An encryption self-classification report data table created and stored in spreadsheet format (e.g., file extension .xls, .numbers, .qpw, .wb*, .wrk, and .wks) can be converted and saved into a comma delimited file format directly from the spreadsheet program. This .csv file is then ready for submission.

(2) Each line of your encryption self-classification report (.csv file) must consist of twelve entries as further described in this supplement.

(3) The first line of the .csv file must consist of the following twelve entries (i.e., match the following) without alteration or variation:
PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.

Note to paragraph (b)(3): These first twelve entries (i.e., first row) of an encryption self-classification report in .csv format correspond to the twelve column headers of a spreadsheet data file. The responses provided under column headers 7 through 12 (SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS) relate to the company as a whole, and thus should be entered the same for each product (i.e., only one point of contact, one ‘YES’ or ‘NO’ answer to whether any of the reported products incorporate non-U.S. sourced encryption components, and one list of non-U.S. manufacturing locations, is required for the report). However, even though the information is the same for each product, please duplicate this information into each row of the spreadsheet, leaving no entry blank, so each product has the same identifying company information.

(4) Each subsequent line of the .csv file must correspond to a single encryption item (or a distinguished series of products) as described in paragraph (c) of this supplement.

(5) Each line must consist of six entries as described in paragraph (a)(1), (a)(2), (a)(3), (a)(4), (a)(5), and (a)(6) of this supplement. No entries may be left blank. Each entry must be separated by a comma (,). Certain additional instructions are as follows:

(i) Line entries (a)(1) (‘PRODUCT NAME’) and (a)(4) (‘ECCN’) must be completed with relevant information.

(ii) For entries (a)(2) (‘MODEL NUMBER’) and (a)(3) (‘MANUFACTURER’), if these entries do not apply to your item or situation you may enter ‘NONE’ or ‘N/A’.

(iii) For entries (a)(5) (‘AUTHORIZATION TYPE’), if none of the provided choices apply to your situation, you may enter ‘OTHER’.

(6) Because of .csv file format requirements, the only permitted use of a comma is as the necessary separator between line entries. You may not use a comma for any other reason in your encryption self-classification report.

(c) Other instructions

(1) The information provided in accordance with this supplement and §§ 740.17(b)(1) and 740.17(e)(3) of the EAR must identify product offerings as they are typically distinguished in inventory, catalogs, marketing brochures and other promotional materials.

(2) For families of products where all the information described in paragraph (a) of this supplement is identical except for the model / series / part number (entry (a)(2)), you may list and describe these products with a single line in your .csv file using an appropriate model / series / part number identifier (e.g., ‘300’ or ‘3xx’) for entry (a)(2), provided each line in your .csv file corresponds to a single product series (or product type) within an overall product family.

(3) For example, if Company A produces, markets and sells both a ‘100’ (‘1xx’) and a ‘300’ (‘3xx’) series of product, in its encryption self-classification report (.csv file) Company A must list the ‘100’ product series in one line (with entry (a)(2) completed as ‘100’ or ‘1xx’) and the ‘300’ product series in another line (with entry (a)(2) completed as ‘300’ or ‘3xx’), even if the other required information is common to all products in the ‘100’ and ‘300’ series.

(4) Only products self-classified by the exporter or reexporter must be reported. Products submitted for classification by the Bureau of Industry and Security for which a CCATS is issued do not need to be reported.

====

Simple, amirite?

....Roy
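
The file-format rules of Supplement No. 8 paragraph (b) quoted in the message above, turned into a layout check. This is an added example, not part of the original post and not BIS or ASF tooling; the function names and the sample rows are constructed. Where the quoted text disagrees with itself (twelve entries per line in (b)(2), six in (b)(5)), the check follows (b)(2) and the note to (b)(3), and ITEM TYPE is only required to be non-blank.

```python
# Added example: layout checks for the Supplement No. 8 paragraph (b) .csv file.
# Every rule below is taken from the regulation text quoted in the message.

# Header names as given in paragraph (b)(3), with "NON-U.S." written consistently.
HEADER = [
    "PRODUCT NAME", "MODEL NUMBER", "MANUFACTURER", "ECCN",
    "AUTHORIZATION TYPE", "ITEM TYPE", "SUBMITTER NAME", "TELEPHONE NUMBER",
    "E-MAIL ADDRESS", "MAILING ADDRESS", "NON-U.S. COMPONENTS",
    "NON-U.S. MANUFACTURING LOCATIONS",
]
ECCNS = {"5A002", "5B002", "5D002", "5A992", "5D992"}   # paragraph (a)(4)
AUTH_TYPES = {"ENC", "MMKT", "OTHER"}   # (a)(5), plus 'OTHER' from (b)(5)(iii)
# Character limits per column from paragraph (a); None where no limit is stated.
MAX_LEN = [50, 50, 50, None, None, None, 50, 50, 50, 50, 250, 250]


def split_line(line):
    # Paragraph (b)(6): a comma is only ever a separator, so a plain split is
    # the faithful parse. Assumption: whitespace around an entry is ignored.
    return [entry.strip() for entry in line.split(",")]


def validate_report(text):
    """Return [(line_number, message), ...]; an empty list means the layout passes."""
    rows = text.splitlines()
    if not rows:
        return [(1, "report is empty")]
    problems = []
    if split_line(rows[0]) != HEADER:
        problems.append((1, "first line does not match the twelve required headers"))
    company = None  # columns 7-12 of the first well-formed data row
    for number, line in enumerate(rows[1:], start=2):
        entries = split_line(line)
        if len(entries) != 12:
            # Also catches a quoted entry with an embedded comma.
            problems.append((number, f"expected 12 entries, found {len(entries)}"))
            continue
        for name, entry, limit in zip(HEADER, entries, MAX_LEN):
            if not entry:
                problems.append((number, f"{name} is blank"))
            elif limit is not None and len(entry) > limit:
                problems.append((number, f"{name} exceeds {limit} characters"))
        if entries[3] and entries[3] not in ECCNS:
            problems.append((number, f"ECCN {entries[3]!r} is not one of the listed values"))
        if entries[4] and entries[4] not in AUTH_TYPES:
            problems.append((number, f"AUTHORIZATION TYPE {entries[4]!r} is not ENC, MMKT or OTHER"))
        # Note to (b)(3): columns 7-12 describe the company and repeat on every row.
        if company is None:
            company = entries[6:]
        elif entries[6:] != company:
            problems.append((number, "columns 7-12 differ from the first data row"))
    return problems


# Constructed sample data (not a real filing).
COMPANY = "Example Foundation,+1 555 0100,legal@example.org,1 Example Way Anytown,NO,NONE"
GOOD_REPORT = "\n".join([
    ", ".join(HEADER),
    "Example Server,2.x,SELF,5D002,ENC,Other (web server)," + COMPANY,
    "Example Vault,N/A,SELF,5D992,MMKT,Key management," + COMPANY,
]) + "\n"
BAD_REPORT = "\n".join([
    ", ".join(HEADER),
    # Comma inside the mailing address: splits into 13 entries.
    "Example Server,2.x,SELF,5D002,ENC,Other (web server),Example Foundation,"
    '+1 555 0100,legal@example.org,"1 Example Way, Anytown",NO,NONE',
    # Blank MODEL NUMBER and an ECCN outside the list in (a)(4).
    "Example Vault,,SELF,5E002,MMKT,Key management," + COMPANY,
    # Submitter differs from the first well-formed data row.
    "Example Proxy,1.x,SELF,5D002,ENC,Gateway,Another Submitter,"
    "+1 555 0100,legal@example.org,1 Example Way Anytown,NO,NONE",
]) + "\n"

if __name__ == "__main__":
    for line_number, message in validate_report(BAD_REPORT):
        print(f"line {line_number}: {message}")
```
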


Re: Revisiting Export Control Status of Apache Open Source Software

Posted by Dave Fisher <wa...@apache.org>.

> On May 22, 2021, at 4:25 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
>> Well, we have to bulk file -- that's part of the changes. It's now an annual spreadsheet.
>> But the contents of the spreadsheet have to be accurate, which means we need to
>> exclude products that are not 5D002 (software specifically designed to use encryption
>> software classified at 5A002) or 5A002 (software that implements encryption).
> 
> In that list we have a mix of:
> - Software that uses encryption APIs
> - Software whose binary releases contain encryption code
> - Software whose source code releases contain encryption code

In the bulk filing is the report for all current software releases? Or is it for all possible?

If that’s the case then of a combination of 
- auditing of svn dist release
- asking PMCs for an ECCN file in the dist repos (or their project doap file.)

Procedure notice then becomes the:
- eccnmatrix is generated
- projects and podlings no longer update the eccnmatrix directly
- spreadsheet is created ad hoc
- vp, legal is the only one who sends bisnotice.

Regards,
Dave
> 
> Justin
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 




Re: Revisiting Export Control Status of Apache Open Source Software

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Well, we have to bulk file -- that's part of the changes. It's now an annual spreadsheet.
> But the contents of the spreadsheet have to be accurate, which means we need to
> exclude products that are not 5D002 (software specifically designed to use encryption
> software classified at 5A002) or 5A002 (software that implements encryption).

In that list we have a mix of:
- Software that uses encryption APIs
- Software whose binary releases contain encryption code
- Software whose source code releases contain encryption code

Justin




Re: Revisiting Export Control Status of Apache Open Source Software

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
> On May 21, 2021, at 9:13 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> Top-posting a meta point: FWIW I got heavily involved in a similar discussion
> with LF (wearing my official board member hat over there as well) and the
> takeaway was basically along the tl;dr; lines. Effectively, for a *variety* of reasons
> LF legal team is now simply filing for every top-level subproject in pretty much
> a bulk fashion.  Again, FWIW: they are still very much of the opinion that the act
> of filing itself is needed.

Hmm, that's certainly true if the self-certification is 100% accurate. But if it isn't ...
the government can put someone in jail for a false filing. Of course, nobody reads
these reports, so they are probably right.

...

> What's the objective here? Or maybe to flip it -- if we're going to change it anyway -- why not do what LF does and bulk file? What's the downside of that? (the upside is clearly making the whole process super mechanical).

Well, we have to bulk file -- that's part of the changes. It's now an annual spreadsheet.
But the contents of the spreadsheet have to be accurate, which means we need to
exclude products that are not 5D002 (software specifically designed to use encryption
software classified at 5A002) or 5A002 (software that implements encryption).

But if the only reason we need to file is because our product uses a standard
encryption interface that is already classified as 5A992 (I have not checked),
then our product is not subject to the EAR (not classified at all) and filing an incorrect
self-certification is "not a good idea" because it causes work at BIS and creates
the same hazard for our downstream recipients.

....Roy


Re: Revisiting Export Control Status of Apache Open Source Software

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
Top-posting a meta point: FWIW I got heavily involved in a similar discussion
with LF (wearing my official board member hat over there as well) and the
takeaway was basically along the tl;dr; lines. Effectively, for a *variety* of reasons
LF legal team is now simply filing for every top-level subproject in pretty much
a bulk fashion.  Again, FWIW: they are still very much of the opinion that the act
of filing itself is needed.

On Fri, May 21, 2021 at 1:17 PM Roy T. Fielding <fi...@gbiv.com> wrote:

> On May 21, 2021, at 9:38 AM, Roy T. Fielding <fi...@gbiv.com> wrote:
>
> You will have to ask the BIS
>
>
> https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear
>
> The regulations are not made by the ASF, nor do they conform to any sort of logic
> that we could interpret independently.
>
> ....Roy
>
>
> It is my personal opinion, based on the "March 29, 2021" EAR, not representing
> the ASF and not being a lawyer and not being able to say anything on behalf of the BIS
> (which has a cottage industry for making such opinions), that the EAR has changed
> significantly since the ASF procedures were put in place. Hence, we don't have clear
> guidance; the last time we sought an opinion from the BIS was over a decade ago.
>
> It's important to note that, in order to understand the EAR, you have to read every
> word and definition and cross-reference back to the source. It is not possible to
> understand it otherwise. I've provided most of the relevant bits sections below.
>
> For example, the entire section that defines "Published" is actually conditional on
> a note in 734.3(b) that says
>
>    However, notwithstanding § 734.3(b)(2), encryption source code in electronic form
>    or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see § 734.17)).
>    Publicly available encryption object code “software” classified under ECCN 5D002
>    is not subject to the EAR when the corresponding source code meets the criteria
>    specified in § 742.15(b) of the EAR.
>
> and this is repeated as
>
>    § 734.7(b) Publicly available encryption source code “software” and corresponding
>    object code are not subject to the EAR, when the encryption source code
>    “software” meets the additional requirements in § 742.15(b) of the EAR.
>
> [The additional requirements are listed below, but we should meet those requirements
> as long as we are using a standard encryption library without non-standard crypto
> implementation/additions.]
>
> This would appear to say that most/all of our software distributions that used to be
> classified as 5D002 are no longer subject to the EAR (i.e., do not require classification)
> if they do not include the encryption product source code and merely use mass market
> encryption products that have already been classified as 5A992 or 5D992 by their
> own developers.
>
> Alternatively, our software can be self-classified by us as 5D002 and, assuming our
> product is either composed of 100% source code or the object code is based on
> 100% source code that has already been published, it can then be reclassified as
> 5D992 after that self-classification has been submitted.
>
> §740.17 says:
>
>    Note to paragraph (b) introductory text: Mass market encryption software that
>    would be considered publicly available under §734.3(b)(3) of the EAR, and is
>    authorized for export under this paragraph (b), remains subject to the EAR until
>    all applicable classification or self-classification requirements set forth in
>    this section are fulfilled.
>
> Note that this is essentially the same process we have performed for years,
> except that the terms have changed, the reporting format is very specific,
> we no longer need license exceptions, and we can rely on classifications
> made by third parties like openssl and bouncycastle.
>
> I think we need to update the ECCN page and chair docs.
>

What's the objective here? Or maybe to flip it -- if we're going to change
it anyway -- why not do what LF does and bulk file? What's the downside of
that? (the upside is clearly making the whole process super mechanical).

Thanks,
Roman.


>
> ....Roy
>
> ====
>
> § 734.2 SUBJECT TO THE EAR
>
> (a) Subject to the EAR - Definition
>
> (1) “Subject to the EAR” is a term used in the EAR to describe those items
> and activities over which BIS exercises regulatory jurisdiction under the
> EAR. Conversely, items and activities that are not subject to the EAR are
> outside the regulatory jurisdiction of the EAR and are not affected by
> these regulations. The items and activities subject to the EAR are
> described in §734.2 through §734.5 of this part. You should review
> the Commerce Control List (CCL) and any applicable parts of the EAR to
> determine whether an item or activity is subject to the EAR. However, if
> you need help in determining whether an item or activity is subject to the
> EAR, see §734.6 of this part. Publicly available technology
> and software not subject to the EAR are described in §734.7 through §734.11
> and Supplement No. 1 to this part.
>
> (3) The term “subject to the EAR” should not be confused with licensing or
> other requirements imposed in other parts of the EAR. Just because an item
> or activity is subject to the EAR does not mean that a license or other
> requirement automatically applies. A license or other requirement applies
> only in those cases where other parts of the EAR impose a licensing or
> other requirement on such items or activities.
>
> 734.3(b) The following are not subject to the EAR: ...
>
> (3) Information and “software” that:
>
> (i) Are published, as described in § 734.7;
>
> (ii) Arise during, or result from, fundamental research, as described in §
> 734.8;
>
> (iii) Are released by instruction in a catalog course or associated
> teaching laboratory of an academic institution;
>
> (iv) Appear in patents or open (published) patent applications available
> from or at any patent office, unless covered by an invention secrecy order,
> or are otherwise patent information as described in § 734.10;
>
> (v) Are non-proprietary system descriptions; or
>
> (vi) Are telemetry data as defined in Note 2 to Category 9, Product Group
> E (see Supplement No. 1 to part 774 of the EAR).
>
> NOTE TO PARAGRAPHS (b)(2) AND (b)(3): A printed book or other printed
> material setting forth encryption source code is not itself subject to the
> EAR (see § 734.3(b)(2)). However, notwithstanding § 734.3(b)(2), encryption
> source code in electronic form or media (e.g., computer diskette or CD ROM)
> remains subject to the EAR (see § 734.17)). Publicly available
> encryption object code “software” classified under ECCN 5D002 is not
> subject to the EAR when the corresponding source code meets the
> criteria specified in § 742.15(b) of the EAR.
>
> ====
>
> § 734.7 PUBLISHED
>
> (a) Except as set forth in paragraphs (b) and (c) of this section,
> unclassified “technology” or “software” is “published,” and is thus not
> “technology” or “software” subject to the EAR, when it has been made
> available to the public without restrictions upon its further dissemination
> such as through any of the following:
>
> (1) Subscriptions available without restriction to any individual who
> desires to obtain or purchase the published information;
>
> (2) Libraries or other public collections that are open and available to
> the public, and from which the public can obtain tangible or intangible
> documents;
>
> (3) Unlimited distribution at a conference, meeting, seminar, trade show,
> or exhibition, generally accessible to the interested public;
>
> (4) Public dissemination (i.e., unlimited distribution) in any form (e.g.,
> not necessarily in published form), including posting on the Internet on
> sites available to the public; or
>
> (5) Submission of a written composition, manuscript, presentation,
> computer-readable dataset, formula, imagery, algorithms, or some other
> representation of knowledge with the intention that such information will
> be made publicly available if accepted for publication or presentation:
>
> (i) To domestic or foreign co-authors, editors, or reviewers of journals,
> magazines, newspapers or trade publications;
>
> (ii) To researchers conducting fundamental research; or
>
> (iii) To organizers of open conferences or other open gatherings.
>
> (b) Published encryption software classified under ECCN 5D002 remains
> subject to the EAR unless it is publicly available encryption object code
> software classified under ECCN 5D002 and the corresponding source code
> meets the criteria specified in § 742.15(b) of the EAR.
>
> (c) The following remains subject to the EAR: “software” or “technology”
> for the production of a firearm, or firearm frame or receiver, controlled
> under ECCN 0A501, that is made available by posting on the internet in an
> electronic format, such as AMF or G-code, and is ready for insertion into a
> computer numerically controlled machine tool, additive manufacturing
> equipment, or any other equipment that makes use of the “software” or
> “technology” to produce the firearm frame or receiver or complete firearm.
>
> ====
>
> § 734.17 EXPORT OF ENCRYPTION SOURCE CODE AND OBJECT CODE SOFTWARE
>
> (a) For purposes of the EAR, the Export of encryption source code and
> object code “software” means:
>
> (1) An actual shipment, transfer, or transmission out of the United States
> (see also paragraph (b) of this section); or
>
> (2) A transfer of such “software” in the United States to an embassy or
> affiliate of a foreign country.
>
> (b) The export of encryption source code and object code “software”
> controlled for “EI” reasons under ECCN 5D002 on the Commerce Control List
> (see Supplement No. 1 to part 774 of the EAR) includes:
>
> (1) Downloading, or causing the downloading of, such “software” to
> locations (including electronic bulletin boards, Internet file transfer
> protocol, and World Wide Web sites) outside the U.S., or
>
> (2) Making such “software” available for transfer outside the United
> States, over wire, cable, radio, electromagnetic, photo
> optical, photoelectric or other comparable communications
> facilities accessible to persons outside the United States, including
> transfers from electronic bulletin boards, Internet file transfer protocol
> and World Wide Web sites, unless the person making the “software” available
> takes precautions adequate to prevent unauthorized transfer of such code.
> See § 742.15(b) of the EAR for additional requirements pursuant to which
> exports or reexports of encryption source code “software” are considered to
> be publicly available consistent with the provisions of § 734.3(b)(3).
> Publicly available encryption source code “software” and corresponding
> object code are not subject to the EAR, when the encryption source
> code “software” meets the additional requirements in § 742.15(b) of the EAR.
>
> (c) Subject to the General Prohibitions described in part 736 of the EAR,
> such precautions for Internet transfers of products eligible for
> export under § 740.17(b)(2) of the EAR (encryption “software” products,
> certain encryption source code and general purpose encryption
> toolkits) shall include such measures as:
>
> (1) The access control system, either through automated means or human
> intervention, checks the address of every system outside of the U.S.
> or Canada requesting or receiving a transfer and verifies such systems do
> not have a domain name or Internet address of a foreign government
> end- user (e.g., “.gov,” “.gouv,” “.mil” or similar addresses);
>
> (2) The access control system provides every requesting or receiving party
> with notice that the transfer includes or would include
> cryptographic “software” subject to export controls under the Export
> Administration Regulations, and anyone receiving such a transfer cannot
> export the “software” without a license or other authorization; and
>
> (3) Every party requesting or receiving a transfer of such “software” must
> acknowledge affirmatively that the “software” is not intended for use by a
> government end user, as defined in part 772 of the EAR, and he or she
> understands the cryptographic “software” is subject to export controls
> under the Export Administration Regulations and anyone receiving the
> transfer cannot export the “software” without a license or other
> authorization. BIS will consider acknowledgments in electronic form
> provided they are adequate to assure legal undertakings similar to written
> acknowledgments.
>
> ====
>
> 742.15(a)(1): Licensing requirements. A license is required to export or
> reexport encryption items (“EI”) classified under ECCN 5A002, 5A004,
> 5D002.a, .c.1 or .d (for equipment and “software” in ECCNs 5A002 or 5A004,
> 5D002.c.1); or 5E002 for “technology” for the “development,” “production,”
> or “use” of commodities or “software” controlled for EI reasons in ECCNs
> 5A002, 5A004 or 5D002, and “technology” classified under 5E002.b to all
> destinations, except Canada. Refer to part 740 of the EAR, for license
> exceptions that apply to certain encryption items, and to § 772.1 of the
> EAR for definitions of encryption items and terms. Most encryption items
> may be exported under the provisions of License Exception ENC set forth in
> §740.17 of the EAR. Following classification or self-classification, items
> that meet the criteria of Note 3 to Category 5 - Part 2 of the Commerce
> Control List (the “mass market” note), are classified ECCN 5A992.c or
> 5D992.c and are no longer subject to this Section (see § 740.17 of the
> EAR). Before submitting a license application, please review License
> Exception ENC to determine whether this license exception is available
> for your item or transaction. For exports, reexports, or transfers
> (in-country) of encryption items that are not eligible for a license
> exception, you must submit an application to obtain authorization under a
> license or an Encryption Licensing Arrangement.
>
> 742.15(b) Publicly available encryption source code
>
> (1) Scope and eligibility. Subject to the notification requirements of
> paragraph (b)(2) of this section, publicly available (see § 734.3(b)(3) of
> the EAR) encryption source code classified under ECCN 5D002 is not subject
> to the EAR. Such source code is publicly available even if it is subject to
> an express agreement for the payment of a licensing fee or royalty for
> commercial production or sale of any product developed using the source
> code.
>
> (2) Notification requirement for “non-standard cryptography.” For publicly
> available encryption source code classified under ECCN 5D002 that provides
> or performs “non-standard cryptography” as defined in part 772 of the EAR,
> you must notify BIS and the ENC Encryption Request Coordinator via e-mail
> of the Internet location (e.g., URL or Internet address) of the source code
> or provide each of them a copy of the publicly available encryption source
> code. If you update or modify the source code, you must also provide
> additional copies to each of them each time the cryptographic functionality
> of the source code is updated or modified. In addition, if you posted the
> source code on the Internet, you must notify BIS and the ENC Encryption
> Request Coordinator each time the Internet location is changed, but you are
> not required to notify them of updates or modifications made to the
> encryption source code at the previously notified location. In all
> instances, submit the notification or copy to crypt@bis.doc.gov and to
> enc@nsa.gov.
>
> 772: "Non-standard cryptography". Means any implementation of
> “cryptography” involving the incorporation or use of proprietary or
> unpublished cryptographic functionality, including encryption algorithms or
> protocols that have not been adopted or approved by a duly recognized
> international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA,
> and GSMA) and have not otherwise been published.
>
> ======
>
> CCL5 D. “SOFTWARE”
>
> 5D002 “Software” as follows (see List of Items Controlled).
>
> List of Items Controlled
>
> Related Controls: After classification or self-classification in
> accordance with § 740.17(b) of the EAR, mass market
> encryption software that meets eligibility requirements is released from
> “EI” and “NS” controls. This software is designated as 5D992.c.
>
> Related Definitions: 5D002.a controls “software” designed or modified to
> use “cryptography” employing digital or analog techniques to ensure
> “information security.”
>
> Items:
>
> a. “Software” “specially designed” or modified for the “development,”
> “production” or “use” of any of the following:
>
> a.1. Equipment specified by 5A002 or “software” specified by 5D002.c.1;
>
> a.2. Equipment specified by 5A003 or “software” specified by 5D002.c.2; or
>
> a.3. Equipment or “software”, as follows:
>
> a.3.a. Equipment specified by 5A004.a or “software” specified by
> 5D002.c.3.a;
>
> a.3.b. Equipment specified by 5A004.b or “software” specified by
> 5D002.c.3.b;
>
> b. “Software” having the characteristics of a ‘cryptographic activation
> token’ specified by 5A002.b;
>
> c. “Software” having the characteristics of, or performing or simulating
> the functions of, any of the following:
>
> c.1. Equipment specified by 5A002.a, .c, .d or .e;
>
> Note: 5D002.c.1 does not apply to “software” limited to the tasks of
> “OAM” implementing only published or commercial cryptographic standards.
>
> c.2. Equipment specified by 5A003; or
>
> c.3. Equipment, as follows:
>
> c.3.a. Equipment specified by 5A004.a;
>
> c.3.b. Equipment specified by 5A004.b.
>
> Note: 5D002.c.3.b does not apply to “intrusion software”.
>
> d. [Reserved]
>
> N.B.: See 5D002.b for items formerly specified in 5D002.d.
>
> 5D992 “Information Security” “software” not controlled by 5D002 as follows
> (see List of Items Controlled).
>
> List of Items Controlled
>
> Related Controls: This entry does not control “software” designed or
> modified to protect against malicious computer damage, e.g., viruses, where
> the use of “cryptography” is limited to authentication, digital
> signature and/or the decryption of data or files.
>
> Related Definitions: N/A
>
> Items:
>
> a. [Reserved]
>
> b. [Reserved]
>
> c. “Software” classified as mass market encryption software in accordance
> with § 740.17(b) of the EAR.
>
> ====
>
> § 740.17 ENCRYPTION COMMODITIES, SOFTWARE AND TECHNOLOGY (ENC)
>
> License Exception ENC authorizes export, reexport, and transfer
> (in-country) of systems, equipment, commodities, and components therefor
> that are classified under ECCNs 5A002, 5B002, equivalent or related
> software and technology therefor classified under 5D002 or 5E002, and
> “cryptanalytic items” classified under ECCNs 5A004, 5D002 or 5E002. This
> License Exception ENC does not authorize export or reexport to, transfer
> (in-country) in, or provision of any service in any country listed in
> Country Groups E:1 or E:2 in Supplement No. 1 to part 740 of the EAR, or
> release of source code or technology to any national of a country listed
> in Country Groups E:1 or E:2. Reexports and transfers (in-country) under
> License Exception ENC are subject to the criteria set forth in paragraph
> (c) of this section. Paragraphs (b) and (d) of this section set
> forth information about classifications required by this section.
> Items described in paragraphs (b)(1) and (b)(3)(i), (b)(3)(ii) or
> (b)(3)(iv) of this section that meet the criteria set forth in Note 3 to
> Category 5 - Part 2 of the Commerce Control List (the “mass market” note)
> are classified under ECCN 5A992.c or 5D992.c following self-classification
> or classification by BIS and are no longer subject to “EI” and “NS”
> controls. Paragraph (e) sets forth reporting required by this section. For
> items exported under paragraphs (b)(1), (b)(3)(i), (b)(3)(ii) or (b)(3)(iv)
> of this section and therefore excluded from paragraph (e)
> reporting requirements, exporters are reminded of the recordkeeping
> requirements in part 762 of the EAR and that they may be required to make
> such records available upon request. All classification requests, and
> reports submitted to BIS pursuant to this section for encryption
> items will be reviewed by the ENC Encryption Request Coordinator, Ft.
> Meade, MD.
>
> (a) No classification request or reporting required
>
> License Exception ENC authorizes the export, reexport, or transfer
> (in-country) to the end users and for the end uses set forth in paragraphs
> (a)(1), (a)(2), and (a)(3) of this section, without submission of a
> classification request, self-classification report or sales report to BIS.
>
> (1) Certain exports, reexports, transfers (in-country) to ‘private sector
> end users.’
>
> (i) Internal “development” or “production” of new products. License
> Exception ENC authorizes certain exports, reexports, and transfers
> (in-country) of items described in paragraph (a) of this section for the
> internal “development” or “production” of new products by ‘private sector
> end users,’ wherever located, that are headquartered in a country listed
> in Supplement No. 3 of this part.
>
> (ii) Certain exports, reexports, transfers (in-country) to related
> parties, not involving “development” or “production” of new products. For
> internal end uses among ‘private sector end users’ other than the
> “development” or “production” of new products, License Exception ENC
> authorizes exports, reexports, and transfers (in-country) of
> non-U.S.-origin items, described in paragraph (a) of this section, to
> ‘private sector end users’ wherever located provided that:
>
> (A) That item became subject to the EAR after it was produced;
>
> (B) All parties to the transaction are subsidiaries of the same parent
> company headquartered in a country listed in Supplement No. 3 of this part;
> and
>
> (C) The characteristics or capabilities of the existing item are not
> enhanced, unless otherwise authorized by license or license exception.
>
> Note to paragraph (a)(1): A ‘private sector end user’ is either: An
> individual who is not acting on behalf of any foreign government; or a
> commercial firm (including its subsidiary and parent firms, and other
> subsidiaries of the same parent) that is not wholly owned by,
> otherwise controlled by or acting on behalf of, any foreign government.
>
> (2) Exports, reexports, transfers (in-country) to “U.S.
> Subsidiaries.” License Exception ENC authorizes export, reexport,
> and transfer (in-country) of items described in paragraph (a) of this
> section to any “U.S. subsidiary,” wherever located. License Exception ENC
> also authorizes export, reexport, transfer (in-country) of such items by a
> U.S. company and its subsidiaries to foreign nationals who are employees,
> individual contractors or interns of a U.S. company or its subsidiaries if
> the items are for internal company use, including the “development”
> or “production” of new products, without prior review by the
> U.S. Government.
>
> Note to paragraph (a)(1) and (a)(2): All items produced or developed with
> items exported, reexported, or transferred (in-country) under paragraphs
> (a)(1) or (a)(2) of this section are subject to the EAR. These items may
> require the submission of a classification request before sale, reexport or
> transfer to non-“U.S. subsidiaries,” unless otherwise authorized by license
> or license exception.
>
> (3) Reexports and transfers (in-country) of non-U.S. products developed
> with or incorporating U.S.-origin encryption source code, components, or
> toolkits. License Exception ENC authorizes the reexport and transfer
> (in-country) of non-U.S. products developed with or incorporating
> U.S.-origin encryption source code, components or toolkits that are subject
> to the EAR, provided that the U.S.-origin encryption items have
> previously been classified or reported and authorized by BIS and
> the cryptographic functionality has not been changed. Such products include
> non-U.S. developed products that are designed to operate with U.S. products
> through a cryptographic interface.
>
> Note to paragraph (a)(3): This exception from classification and reporting
> requirements does not apply to non-U.S.-origin products exported from the
> United States.
>
> (b) Classification request or self-classification
>
> For certain products described in paragraph (b)(1) of this section that
> are self-classified, a self-classification report in
> accordance with paragraph (e)(3) of this section is required from specified
> exporters, reexporters and transferors; for products described in paragraph
> (b)(1) of this section that are classified by BIS via a CCATS,
> a self-classification report is not required. For products described in
> paragraphs (b)(2) and (b)(3) of this section, a thirty-day
> (30-day) classification request is required in accordance with paragraph
> (d) of this section. An exporter, reexporter, or transferor may rely on
> the producer’s self-classification (for products described in (b)(1), only)
> or CCATS for an encryption item eligible for export or reexport under
> License Exception ENC under paragraph (b)(1), (b)(2), or (b)(3) of this
> section. Exporters are still required to comply with semi-annual sales
> reporting requirements under paragraph (e)(1) or (2) of this section, even
> if relying on a CCATS issued to a producer for specified encryption items
> described in paragraphs (b)(2) and (b)(3)(iii) of this section.
>
> Note to paragraph (b) introductory text: Mass market encryption software
> that would be considered publicly available under §734.3(b)(3) of the EAR,
> and is authorized for export under this paragraph (b), remains subject to
> the EAR until all applicable classification or self-classification
> requirements set forth in this section are fulfilled.
>
> (1) Immediate authorization. This paragraph (b)(1) authorizes the exports,
> reexports, and transfers (in-country) of the associated commodities
> self-classified under ECCNs 5A002.a or 5B002, and equivalent or
> related software therefor classified under 5D002, except any such
> commodities, software, or components described in (b)(2) or (b)(3) of this
> section, subject to submission of a self-classification report in
> accordance with § 740.17(e)(3) of the EAR. Items described in this
> paragraph (b)(1) that meet the criteria set forth in Note 3 to Category 5 -
> Part 2 of the Commerce Control List (the “mass market” note) are classified
> as ECCN 5A992.c or 5D992.c following self-classification or classification
> by BIS and are removed from “EI” and “NS” controls.
>
> (2) Classification request required. Thirty (30) days after the submission
> of a classification request with BIS in accordance with paragraph (d) of
> this section and subject to the reporting requirements in paragraph (e) of
> this section, this paragraph under License Exception ENC authorizes certain
> exports, reexports, and transfers (in-country) of the items specified
> in paragraph (b)(2) and submitted for classification.
>
> Note to introductory text of paragraph (b)(2): Immediately after the
> classification request is submitted to BIS in accordance with paragraph (d)
> of this section and subject to the reporting requirements in paragraph (e)
> of this section, this paragraph also authorizes exports, reexports, and
> transfers (in-country) of:
>
> 1. All submitted encryption items described in this paragraph (b)(2),
> except “cryptanalytic items,” to any end user located or headquartered in a
> country listed in Supplement No. 3 to this part;
>
> 2. Encryption source code as described in paragraph (b)(2)(i)(B) to
> non-“government end users” in any country;
>
> 3. “Cryptanalytic items” to non-“government end users,” only, located or
> headquartered in a country listed in Supplement No. 3 to this part; and
>
> 4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A) of this
> section, to specified destinations and end users.
>
> (i) Cryptographic commodities, software, and components. License Exception
> ENC authorizes exports, reexports, and transfers (in-country) of the items
> in paragraph (b)(2)(i)(A) of this section to “less sensitive government
> end users” and non-“government end users” located or headquartered in a
> country not listed in Supplement No. 3 to this part, and the items
> in paragraphs (B) – (H) to non-“government end users” located or
> headquartered in a country not listed in Supplement No. 3.  [...]
>
> (ii) Cryptanalytic commodities and software. “Cryptanalytic items”
> classified in ECCN 5A004 or 5D002 to non-“government end users” located or
> headquartered in countries not listed in Supplement No. 3 to this part.
>
> (iii) “Open cryptographic interface” items. Items that provide an “open
> cryptographic interface,” to any end user located or headquartered in a
> country listed in Supplement No. 3 to this part.
>
> (iv) Specific encryption technology. Specific encryption technology as
> follows:
>
> (A) Technology for “non-standard cryptography.” Encryption
> technology classified under ECCN 5E002 for “non-standard cryptography,” to
> any end user located or headquartered in a country listed in Supplement No.
> 3 to this part;
>
> (B) Other technology. Encryption technology classified under ECCN 5E002
> except technology for “cryptanalytic items,” “non-standard cryptography” or
> any “open cryptographic interface,” to any non-“government end user”
> located in a country not listed in Country Group D:1, E:1, or E:2
> of Supplement No. 1 to part 740 of the EAR.
>
> Note to paragraph (b)(2): Commodities, components, and software classified
> under ECCNs 5A002.b or 5D002.b, for the “cryptographic activation” of
> commodities or software specified by paragraph (b)(2) of this section are
> also controlled under paragraph (b)(2) of this section.
>
> (3) Classification request required for specified commodities, software,
> and components. Thirty (30) days after a classification request is
> submitted to BIS in accordance with paragraph (d) of this section
> and subject to the reporting requirements in paragraph (e) of this section,
> this paragraph authorizes exports, reexports, and transfers (in-country)
> of the items submitted for classification, as further described in this
> paragraph (b)(3), to any end user, provided the item does not perform
> the functions, or otherwise meet the specifications, of any item described
> in paragraph (b)(2) of this section. Items described in paragraph
> (b)(3)(ii) or (iv) of this section that meet the criteria set
> forth in Note 3 to Category 5 - Part 2 of the CCL (the “mass market” note) are
> classified under ECCN 5A992.c or 5D992.c following classification by BIS.
>
> Note to introductory text of paragraph (b)(3):
>
> Immediately after the classification request is submitted to BIS in
> accordance with paragraph (d) of this section and subject to
> the reporting requirements in paragraph (e) of this section, this paragraph
> also authorizes exports, reexports, transfers (in-country) of the items
> described in this paragraph (b)(3) to any end user located or headquartered
> in a country listed in Supplement No. 3 to this part.
>
> ====
>
> 740(e)(3) Self-classification reporting for certain encryption
> commodities, software, and components. This paragraph (e)(3) sets
> forth requirements for self-classification reporting to BIS and the ENC
> Encryption Request Coordinator (Ft. Meade, MD) of certain encryption
> commodities, software, and components exported or reexported meeting
> the criteria specified in paragraph (b)(1) of this section. Specifically,
> this reporting requirement applies to “mass market” encryption
> components and ‘executable software’ that meet the criteria of the
> Cryptography Note - Note 3 to Category 5 - Part 2 of the CCL (“mass market”
> note) and are classified under ECCN 5A992.c or 5D992.c following
> self-classification, as well as to non-“mass market” encryption
> commodities and software that remain classified in ECCN 5A002, 5B002 or
> 5D002 following self-classification, provided these items are not further
> described by paragraph (b)(2) or (3) of this section.
>
> Note to introductory text of paragraph (e)(3):
>
> For the purposes of this paragraph (e)(3), ‘executable software’ means
> “software” in executable form, from an existing hardware component excluded
> from ECCN 5A002 by the Cryptography Note. ‘Executable software’ does not
> include complete binary images of the “software” running on an end item.
>
> (i) When to report. Your self-classification report for applicable
> encryption commodities, software and components exported
> or reexported during a calendar year (January 1 through December 31) must
> be received by BIS and the ENC Encryption Request Coordinator no later than
> February 1 the following year.
>
> (ii) How to report. Encryption self-classification reports must be sent to
> BIS and the ENC Encryption Request Coordinator via e-mail or regular mail.
> In your submission, specify the timeframe that your report spans and
> identify points of contact to whom questions or other inquiries pertaining
> to the report should be directed. Follow these instructions for
> your submissions:
>
> (A) Submissions via e-mail. Submit your encryption self-classification
> report electronically to BIS at crypt-supp8@bis.doc.gov and to the ENC
> Encryption Request Coordinator at enc@nsa.gov, as an attachment to an
> e-mail. Identify your e-mail with subject “self-classification report.”
>
> (B) Submissions on disks and CDs. The self-classification report may be
> sent to the following addresses, in lieu of e-mail:
>
> (1) Department of Commerce, Bureau of Industry and Security, Office of
> National Security and Technology Transfer Controls, 14th Street and
> Pennsylvania Ave., NW, Room 2099B, Washington, DC 20230, Attn:
> Encryption Reports, and
>
> (2) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite
> 6940, Ft. Meade, MD 20755-6000.
>
> (iii) Information to report. Your encryption self-classification report
> must include the information described in paragraph (a) of Supplement No. 8
> to part 742 for each applicable encryption commodity, software
> and component made eligible for export or reexport under § 740.17(b)(1) of
> the EAR. Each product must be included in a report only one time. However,
> if no new products are made eligible for export or reexport during a
> calendar year, you must send an e-mail to the addresses listed in paragraph
> (e)(3)(ii)(A) of this section stating that nothing has changed since the
> previous report.
>
> (iv) File format requirements. The information described in paragraph (a)
> of Supplement No. 8 to part 742 must be provided to BIS and the ENC
> Encryption Request Coordinator in tabular or spreadsheet form, as
> an electronic file in comma separated values format (.csv) adhering to the
> specifications set forth in paragraph (b) of Supplement No. 8 to part 742.
>
> ====
>
> SUPPLEMENT NO. 8 TO PART 742 -- SELF-CLASSIFICATION REPORT FOR ENCRYPTION
> ITEMS
>
> This supplement provides certain instructions and requirements for
> self-classification reporting to BIS and the ENC
> Encryption Request Coordinator (Ft. Meade, MD) of encryption commodities,
> software and components exported or reexported pursuant to §740.17(b)(1) of
> the EAR. See §740.17(e)(3) of the EAR for additional instructions and
> requirements pertaining to this supplement, including when to report and
> how to report.
>
> (a) Information to report
>
> The following information is required in the file format as described in
> paragraph (b) of this supplement, for each encryption item subject to the
> requirements of this supplement and §§ 740.17(b)(1) and 740.17(e)(3) of the
> EAR:
>
> (1) Name of product (50 characters or less.)
>
> (2) Model / series / part number (50 characters or less.) If necessary,
> enter ‘NONE’ or ‘N/A’.
>
> (3) Primary manufacturer (50 characters or less.) Enter ‘SELF’ if you are
> the primary manufacturer of the item. If there are multiple
> manufacturers for the item but none is clearly primary, either enter the
> name of one of the manufacturers or else enter ‘MULTIPLE’. If necessary,
> enter ‘NONE’ or ‘N/A’.
>
> (4) Export Control Classification Number (ECCN), selected from one of the
> following:
>
>    (i) 5A002 (ii) 5B002 (iii) 5D002 (iv) 5A992 (v) 5D992
>
> (5) Encryption authorization type identifier, selected from one of the
> following, which denote eligibility under License Exception ENC §
> 740.17(b)(1):
>
>    (i) ENC
>    (ii) MMKT
>
> (6) Item type descriptor, selected from one of the following:
>
> (i)     Access point;
> (ii)    Cellular;
> (iii)   Computer or computing platforms;
> (iv)   Computer forensics;
> (v)    Cryptographic accelerator;
> (vi)   Data backup and recovery;
> (vii)  Database;
> (viii) Disk / drive encryption;
> (ix)   Distributed computing;
> (x)    E-mail communications;
> (xi)   Fax communications;
> (xii)  File encryption;
> (xiii) Firewall;
> (xiv) Gateway;
> (xv)  Intrusion detection;
> (xvi) Identity management;
> (xvii)  Key exchange;
> (xviii)  Key management;
> (xix)  Key storage;
> (xx)  Link encryption;
> (xxi)  Local area networking (LAN);
> (xxii)  Metropolitan area networking (MAN);
> (xxiii)  Mobility and mobile applications n.e.s.;
> (xxiv)  Modem;
> (xxv)  Multimedia n.e.s.;
> (xxvi)  Network convergence or infrastructure n.e.s.;
> (xxvii) Network forensics;
> (xxviii) Network intelligence;
> (xxix) Network or systems management (OAM / OAM&P);
> (xxx) Network security monitoring;
> (xxxi) Network vulnerability and penetration testing;
> (xxxii) Operating System;
> (xxxiii) Optical Networking;
> (xxxiv) Radio Communications;
> (xxxv)  Router;
> (xxxvi) Satellite communications;
> (xxxvii) Short range wireless n.e.s.;
> (xxxviii) Storage Area Networking (SAN);
> (xxxix) 3G / 4G / 5G / LTE / WiMAX;
> (xl) Trusted computing;
> (xli) Videoconferencing;
> (xlii) Virtual private networking (VPN);
> (xliii) Voice communications n.e.s.;
> (xliv) Voice over Internet Protocol (VoIP);
> (xlv) Wide Area Networking (WAN);
> (xlvi) Wireless Local Area (WLAN);
> (xlvii) Wireless Personal Area (WPAN);
> (xlviii) Test equipment n.e.s.; or
> (xlix) Other (please specify).
>
> (7) Name of company or individual submitting the report (50 characters or
> less).
>
> (8) Telephone number (50 characters or less).
>
> (9) E-mail address (50 characters or less).
>
> (10) Mailing address (50 characters or less).
>
> (11) With respect to your company’s encryption products, do they
> incorporate encryption components produced or furnished by non-U.S. sources
> or vendors? Enter ‘YES’, ‘NO’, or if necessary, ‘N/A’ (250 characters or
> less).
>
> (12) With respect to your company’s encryption products, are any of them
> manufactured in non-U.S. locations? If yes, list the
> non-U.S. manufacturing locations by city and country. If necessary, enter
> ‘NONE’ or ‘N/A’ (250 characters or less).
>
> (b) File format requirements.
>
> (1) The information described in paragraph (a) of this supplement must be
> provided in tabular or spreadsheet form, as an electronic file in
> comma separated values format (.csv), only. No file formats other than .csv
> will be accepted, as your encryption self-classification report must
> be directly convertible to tabular or spreadsheet format, where each row
> (and all entries within a row) properly correspond to the
> appropriate encryption item.
>
> Note to paragraph (b)(1): An encryption self-classification report data
> table created and stored in spreadsheet format (e.g., file extension .xls,
> .numbers, .qpw, .wb*, .wrk, and .wks) can be converted and saved into a
> comma delimited file format directly from the spreadsheet program. This
> .csv file is then ready for submission.
>
> (2) Each line of your encryption self-classification report (.csv file)
> must consist of twelve entries as further described in this supplement.
>
> (3) The first line of the .csv file must consist of the following twelve
> entries (i.e., match the following) without alteration or variation:
> PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM
> TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS,
> NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.
>
> Note to paragraph (b)(3): These first twelve entries (i.e., first row) of
> an encryption self-classification report in .csv format correspond to the
> twelve column headers of a spreadsheet data file. The responses provided
> under column headers 7 through 12 (SUBMITTER NAME through NON-U.S.
> MANUFACTURING LOCATIONS) relate to the company as a whole, and thus should
> be entered the same for each product (i.e., only one point of contact, one
> ‘YES’ or ‘NO’ answer to whether any of the reported products incorporate
> non-U.S. sourced encryption components, and one list of
> non-U.S. manufacturing locations, is required for the report). However,
> even though the information is the same for each product, please duplicate
> this information into each row of the spreadsheet, leaving no entry blank,
> so each product has the same identifying company information.
>
> (4) Each subsequent line of the .csv file must correspond to a single
> encryption item (or a distinguished series of products) as described
> in paragraph (c) of this supplement.
>
> (5) Each line must consist of six entries as described in paragraph (a)(1),
> (a)(2), (a)(3), (a)(4), (a)(5), and (a)(6) of this supplement. No entries
> may be left blank. Each entry must be separated by a comma (,). Certain
> additional instructions are as follows:
>
> (i) Line entries (a)(1) (‘PRODUCT NAME’) and (a)(4) (‘ECCN’) must be
> completed with relevant information.
>
> (ii) For entries (a)(2) (‘MODEL NUMBER’) and (a)(3) (‘MANUFACTURER’), if
> these entries do not apply to your item or situation you may enter ‘NONE’
> or ‘N/A’.
>
> (iii) For entries (a)(5) (‘AUTHORIZATION TYPE’), if none of the provided
> choices apply to your situation, you may enter ‘OTHER’.
>
> (6) Because of .csv file format requirements, the only permitted use of a
> comma is as the necessary separator between line entries. You may not use a
> comma for any other reason in your encryption self-classification report.
>
> (c) Other instructions
>
> (1) The information provided in accordance with this supplement and §§
> 740.17(b)(1) and 740.17(e)(3) of the EAR must identify product offerings as
> they are typically distinguished in inventory, catalogs, marketing
> brochures and other promotional materials.
>
> (2) For families of products where all the information described in
> paragraph (a) of this supplement is identical except for the model / series
> / part number (entry (a)(2)), you may list and describe these products with
> a single line in your .csv file using an appropriate model / series / part
> number identifier (e.g., ‘300’ or ‘3xx’) for entry (a)(2), provided each
> line in your .csv file corresponds to a single product series (or product
> type) within an overall product family.
>
> (3) For example, if Company A produces, markets and sells both a ‘100’
> (‘1xx’) and a ‘300’ (‘3xx’) series of product, in
> its encryption self-classification report (.csv file) Company A must list
> the ‘100’ product series in one line (with entry (a)(2) completed as ‘100’
> or ‘1xx’) and the ‘300’ product series in another line (with entry (a)(2)
> completed as ‘300’ or ‘3xx’), even if the other required information is
> common to all products in the ‘100’ and ‘300’ series.
>
> (4) Only products self-classified by the exporter or reexporter must be
> reported. Products submitted for classification by the Bureau of Industry
> and Security for which a CCATS is issued do not need to be reported.
>
> ====
>
> Simple, amirite?
>
> ....Roy
>
>