Presentation on theme: "Misty Rutter Global Trade Business Engagement October 6, 2010"— Presentation transcript:
1Misty Rutter Global Trade Business Engagement October 6, 2010 Encryption updateMisty RutterGlobal Trade Business EngagementOctober 6, 2010
2HP at a glanceStanford University classmates Bill Hewlett and Dave Packard founded HP in The company's first product, built in a Palo Alto garage, was an audio oscillator.Fortune 9 U.S.Fortune 32 Global304,000 employees$114.6 billion USD in revenue for FY09Operates in approximately 170 countries worldwide headquartered in Palo Alto, CAHP is the largest IT company on the planet!Our new CEO Leo Apotheker joined HP on September 30, 2010
3HPNo other company offers as complete a technology product portfolio as HP. We provide infrastructure and business offerings that span from handheld devices to some of the world's most powerful supercomputer installations.HP's three business groups drive industry leadership in core technology areas:The Personal Systems Group: business and consumer PCs, mobile computing devices and workstationsThe Imaging and Printing Group: inkjet, LaserJet and commercial printing, printing suppliesEnterprise Business: business products including storage and servers, enterprise services and softwareLET’S DO AMAZING
4Encryption Rule Reform Interim final rule published in the Federal Register June 25, 2010Made the most confusing part of the EAR even more confusing even if it did “simplify” some of the requirements!
5What changed?Removed encryption review (CCATS) requirements for less sensitive encryption itemsAlso removed post-export semi-annual reporting for these itemsEstablished new registration process for companies who export encryption without prior review, for cryptography items transferred under License Exception ENC and for mass market itemsEstablished an annual self-classification reporting requirement for items self-classified under the new company registration Authorized transfers of most encryption technology to non-government end-users under License Exception ENC, except to D:1 and E:1 countriesDecontrols so-called "ancillary cryptography" items (Note 4) – removed from Cat5 Part2 altogether. Now EAR99 unless another category applies (includes encryption for copyright protection)Expanded ability export 5E002 technology
7If you’re not sure your item meets B1: You can still submit a formal CCATs request.B1 items do not get forwarded to NSAQuicker turnaroundIf you are just doing proper “Bundling” without changing the manufacturer’s product, you do not have to registerSelf Classification also applies to Mass Market items except items listed in B3 (Note items in B2 and B3 are not eligible for MM)
8B2 and B3 Items – Still Require review B2 Items include:Network infrastructure products described in (b)(2)(i)(A);Encryption source code;No longer required to submit copy of source code with requestProducts designed, modified, adapted or customized for “government end-user(s)”;Commodities and software that provide penetration capabilities;Public safety / first responder radio (e.g., P25 or TETRA);5E002 encryption technologyRemember Dormant and Disabled encryption is still covered under Cat 5 Part 2Added penetration testing software to B2
9B2 and B3 Items – Still Require review B3 Items include:Chips, chipsets, electronic assemblies;Cryptographic libraries and modules;Development kits;Products with “non-standard cryptography”;Items that perform vulnerability analysis, network forensics, or computer forensics as described in (b)(3)(iii).Products that activate or enable encryption
10How to file a ccats request Register for SNAP-RGo to the main SNAP-R screen and select Classification Request, then check the encryption checkboxBlock 9 - pull-down list in the special purpose box, select License Exception ENCBlock Be sure the information in these blocks is complete and correct, because this is where the official response from BIS will be sent. If both blocks are filled in, the official response will be sent to the individual or entity identified in Block 15.Block 22(a) Enter 5A002 for hardware, 5D002 for software, or 5E002 for technology.Block 22(c) Enter the product name with model number, if available.Block 22(i) Enter the name of the manufacturer. If you will sell the product under your company's label, then enter the name of your company in the manufacturer block.Block 22(j) Provide a brief technical description including the basic purpose of the encryption item (e.g., XYZ is a PDA used for ...) and the type of encryption used in the software (e.g., 168-bit Triple DES for secure , 1024-bit RSA for key exchange). Comments such as ''see letter of explanation" or ''see brochure" are not sufficient. The information identified in this block is entered directly into the BIS license application database, and will be printed on the official response issued by BIS. A brief technical description is essential. All other blocks or block portions appropriate for review requests should be completed in accordance with Part 748 of the EAR.Block 24 Insert your most recent encryption registration number (ERN).
11Supporting Documentation Prepare a PDF document containing the information and documentation described in Supplement No. 6 to Part 742Create a Supp. 6 template for use on all CCATs – get engineering support to complete the template for new products (or changes in existing products)Letter of explanation – provide detailed description of items for classification and supporting argument for classification you believe appliesTechnical specifications, datasheets, brochuresSubmit in electronic (pdf) format
12for hardware or software “encryption components” other than source code (1) Reference the application for which the components are used in, if known;(2) State if there is a general programming interface to the component;(3) State whether the component is constrained by function; and(4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier.
13For encryption source code (1) If applicable, reference the executable (object code) product that was previously classified by BIS or included in an encryption registration to BIS;(2) Include whether the source code has been modified, and the technical details on how the source code was modified; and(3) Upon request, include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls.
14Mass Market requestsDetermine that the products are mass marketed encryption components (chips, electronic assemblies, crypto libraries), toolkits, development kits, and non-standard crypto items described in (b)(3) of the EAR. Additional Supporting Documents:Demonstrate that the commodities and software meet the criteria of the Cryptography Note [Note 3 of Category 5, Part 2, of the Commerce Control List (Supplement No. 1 to Part 774 of the EAR)]. Compare your product with the Cryptography Note criteria and state specifically where and how it is mass marketed.
15CCATSOnce you submit in SNAP-R you will receive a Case number beginning with “Z”. Refer to this number in any communications with BIS on your CCATs request.No longer have to mail copy of CCATs package to NSA Encryption Review Coordinator. NSA now has access to SNAP-R!
16Reporting what’s changed? Semi-annual sales reporting (740.17(e)No longer need to report b3 items (Unrestricted) other than B3iiiSales of items eligible for self classification under B1 are not required to be reported (see Annual Self-classification reporting requirements (c))Submit electronically to both BIS and NSA at and
17Self Classification Reporting Submit Supplement 8 to Part 742Remember: this report is just a list of products, not sales dataCSV file formatCan submit by to BIS and NSAZip file acceptableIf not changes in the calendar year, can statement “No changes” but recommend calling BIS to confirm receipt. Alternatively you can resubmit the prior year’s Supp. 8. You must file something every year if you exported. If no exports in the calendar year, no reporting required.Reference your “R” in the Subject Line of theFirst report will cover 6/25/10 through 12/31/10.
18LicensingELA (Export License Arrangements) conditions are now standardizedLeast sensitive government end users – Biannual reportingMore sensitive government end usersInclude military, police, prisons and intelligence servicesRequire Pre-shipment notification and/or inspection
19Biggest Impact for HPDramatic reduction in number of transactions requiring semi-annual sales reporting (B3)Ability to self classify many items upon registration – impact to bottom line no more 30 day wait
20Still to comeThe June 25 rule was published as an Interim Rule. Final Rule will incorporate some of the 6 comments received (see FOIA website) comments/record_of_comments_encryption.pdfBIS advised at Update 2010 they hope to remove publicly available software from the EARConsistent with the administration export reform program, hope to turn Category 5 Part 2 into a “Positive” listWork ongoing with HK TID on items “self-classified” when HK requesting copy of CCATs.
21BIS Encryption Team Contacts Randy PrattDirectorPh:Michael PenderSenior EngineerPh:Anita ZinzuvadiaElectrical EngineerPh:Sylvia JimmisonExport Policy AnalystPh:Aaron AmundsonPh:Joe YoungPh:Judith CurrieSenior Export Policy AnalystPh: