CCLME.ORG - 15 CFR PART 742—CONTROL POLICY—CCL BASED CONTROLS
Loading (50 kb)...'
(continued) ill be kept in an area accessible only to the exporter's representatives. These representatives will maintain a strict audit system to account for all spare parts.

(26) No development or production technology on the computer system will be sent with the computer to the ultimate consignee.

(27) The end-user must immediately report any suspicions or facts concerning possible violations of the safeguards to the exporter and to the export control authorities of the importing country.

(28) The exporter must immediately report any information concerning possible violations of the safeguards to BIS. A violation of the safeguards might constitute grounds for suspension or termination of the license, preventing the shipment of unshipped spare parts, or the denial of additional licenses for spare parts, etc.

(29) The end-user will be audited quarterly by an independent consultant who has been approved by the export control authorities of the importing and exporting countries, but is employed at the expense of the end-user. The consultant will audit the computer usage and the implementation of the safeguards.

(30) The installation and operation of the computer will be coordinated and controlled by the following management structure:

(i) Steering Committee. The Steering Committee will comprise nationals of the importing country who will oversee the management and operation of the computer.

(ii) Security Staff. The Security Staff will be selected by the end-user or the government of the importing country to ensure that the required safeguards are implemented. This staff will be responsible for conducting an annual audit to evaluate physical security, administrative procedures, and technical controls.

(iii) Technical Consultative Committee. This committee will comprise technical experts from the importing country and the exporting company who will provide guidance in operating and maintaining the computer. At least one member of the committee will be an employee of the exporter. The committee will approve all accounts and maintain an accurate list of all users. In addition, the committee will advise the Steering Committee and the Security Staff concerning the security measures needed to ensure compliance with the safeguards required by the license.

(31) An ultimate consignee who is a multiple-purpose end-user, such as a university, will establish a peer review group comprising experts who represent each department or application area authorized for use on the computer under the conditions of the license. This group shall have the following responsibilities:

(i) Review all requests for computer usage and make recommendations concerning the acceptability of all projects and users;

(ii) Submit these recommendations to the Security Staff and Technical Consultative Committee for review and approval (see paragraph (a)(28) of this supplement);

(iii) Establish acceptable computer resource parameters for each project and review the results to verify their conformity with the authorized end-uses, restrictions, and parameters; and

(iv) Prepare monthly reports that would include a description of any runs exceeding the established parameters and submit them to the security staff.

(32) The end-user will also cooperate with any post-shipment inquiries or inspections by the U.S. Government or exporting company officials to verify the disposition and/or use of the computer, including access to the following:

(i) Usage logs, which should include, at a minimum, computer users, dates, times of use, and amount of system time used;

(ii) Computer access authorization logs, which should include, at a minimum, computer users, project names, and purpose of projects.

(33) The end-user will also cooperate with the U.S. Government or exporting company officials concerning the physical inspection of the computer using facility, on short notice, at least once a year and will provide access to all data relevant to computer usage. This inspection will include:

(i) Analyzing any programs or software run on the computer to ensure that all usage complies with the authorized end-uses on the license. This will be done by examining user files (e.g., source codes, machine codes, input/output data) that are either on-line at the time of the inspection or that have been previously sampled and securely stored.

(ii) Checking current and archived usage logs for conformity with the authorized end-uses and the restrictions imposed by the license.

(iii) Verifying the acceptability of all computer users in conformity with the authorized end-uses and the restrictions imposed by the license.

(34) Usage requests that exceed the quantity of monthly CPU time specified on the license shall not be approved without prior written authorization from the BIS. Requests for computational access approval shall include a description of the intended purpose for which access is sought.

(35) In addition to, or in lieu of, the normal access by on-site exporting company staff or its representatives, the company, when required by the exporting government, will provide a separate remote electronic access capability to the computer for the purposes of maintenance, troubleshooting, inspection of work in progress, and auditing of all work performed on the computer. On-site and central exporting company hardware and software maintenance facilities, at the direction of the exporting company staff or its representatives, to gather information such as:

(i) Statistical profiles of production jobs;

(ii) Logs of jobs run in both production and development mode;

(iii) Logs and reports of security related events.

If such method is used, the remote maintenance facilities will be considered part of the operating system and protected accordingly, and will be available only to exporting company operational staff or its representatives. The maintenance hardware and software and associated communication links will be protected to ensure the integrity and authenticity of data and programs and to prevent tampering with hardware.

(36) The export company staff or its representatives will be required to provide personnel for a specified period of time at the computer facility for management, operation, and safeguarding of the computer.

(b) Certification by export control authorities of importing country. (1) The following importing government certification may be required under §742.12 of this part:

This is to certify that (name of ultimate consignee) has declared to (name of appropriate foreign government agency) that the computer (model name) will be used only for the purposes specified in the end-use statement and that the ultimate consignee will establish and adhere to all the safeguard conditions and perform all other undertakings described in the end-use statement.

The (name of appropriate foreign government agency) will advise the United States Government of any evidence that might reasonably indicate the existence of circumstances (e.g., transfer of ownership) that could affect the objectives of the security safeguard conditions.

(2) Other importing government assurances regarding prohibited activities may also be required on a case-by-case basis.

(c) Commercial consignees. Exports or reexports of computers that are solely dedicated to the following non-scientific and non-technical commercial business uses will usually be eligible for a reduced set of security safeguard conditions:

(1) Financial services (e.g., banking, securities and commodity exchanges);

(2) Insurance;

(3) Reservation systems;

(4) Point-of-sales systems;

(5) Mailing list maintenance for marketing purposes;

(6) Inventory control for retail/wholesale distribution.

Supplement No. 4 to Part 742—Key Escrow or Key Recovery Products Criteria
top
Key Recoverable Feature

(1) The key(s) or other material/information required to decrypt ciphertext shall be accessible through a key recoverable feature.

(2) The product's cryptographic functions shall be inoperable until the key(s) or other material/information required to decrypt ciphertext is recoverable by government officials under proper legal authority and without the cooperation or knowledge of the user.

(3) The output of the product shall automatically include, in an accessible format and with a frequency of at least once every three hours, the identity of the key recovery agent(s) and information sufficient for the key recovery agent(s) to identify the key(s) or other material/information required to decrypt the ciphertext.

(4) The product's key recoverable functions shall allow access to the key(s) or other material/information needed to decrypt the ciphertext regardless of whether the product generated or received the ciphertext.

(5) The product's key recoverable functions shall allow for the recovery of all required decryption key(s) or other material/information required to decrypt ciphertext during a period of authorized access without requiring repeated presentations of access authorization to the key recovery agent(s).

Interoperability Feature

(6) The product's cryptographic functions may:

(i) Interoperate with other key recoverable products that meet these criteria, and shall not interoperate with products whose key recovery feature has been altered, bypassed, disabled, or otherwise rendered inoperative;

(ii) Send information to non-key recoverable products only when assured access is permitted to the key(s) or other material/information needed to decrypt ciphertext generated by the key recoverable product. Otherwise, key length is restricted to less than or equal to 56-bit DES or equivalent.

(iii) Receive information from non-key recoverable products with a key length restricted to less than or equal to 56-bit DES or equivalent.

Design, Implementation and Operational Assurance

(7) The product shall be resistant to efforts to disable or circumvent the attributes described in criteria one through six.

(8) The product's cryptographic function's key(s) or other material/information required to decrypt ciphertext shall be accessible to government officials under proper legal authority.

[63 FR 50523, Sept. 22, 1998, as amended at 63 FR 72164, Dec. 31, 1998]

Supplement No. 5 to Part 742—Checklist on Encryption and Other “Information Security” Functions
top
1. Does your product perform “cryptography”, or otherwise contain any parts or components that are capable of performing any of the following “information security” functions?

(Mark with an “X” all that apply)

a. __ encryption

b. __ decryption only (no encryption)

c. __ key management/public key infrastructure (PKI)

d. __ authentication (e.g., password protection, digital signatures)

e. __ copy protection

f. __ anti-virus protection

g. __ other (please

explain) :__________

h. __ NONE/NOT APPLICABLE

2. For items with encryption, decryption and/or key management functions (1.a, 1.b, 1.c above):

a. What symmetric algorithms and key lengths (e.g., 56-bit DES, 112/168-bit Triple-DES, 128/256-bit AES/Rijndael) are implemented or supported?

b. What asymmetric algorithms and key lengths (e.g., 512-bit RSA/Diffie-Hellman, 1024/2048-bit RSA/Diffie-Hellman) are implemented or supported?

c. What encryption protocols (e.g., SSL, SSH, IPSEC or PKCS standards) are implemented or supported?

d. What type of data is encrypted?

3. For products that contain an “encryption component”, can this encryption component be easily used by another product, or else accessed/re-transferred by the end-user for cryptographic use?

[68 FR 35785, June 17, 2003]

Supplement No. 6 to Part 742—Guidelines for Submitting Review Requests for Encryption Items
top
Review requests for encryption items must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, and supported by the documentation described in this Supplement, in accordance with the procedures described in §748.3 of the EAR. To ensure that your review request is properly routed, insert the phrase “Mass market encryption” or “License Exception ENC” (whichever is applicable) in Block 9 (Special Purpose) of the application form and place an “X” in the box marked “Classification Request” in Block 5 (Type of Application)—Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. BIS recommends that review requests be delivered via courier service to: Bureau of Industry and Security, U.S. Department of Commerce, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230. For electronic submissions via SNAP, you may fax a copy of the support documents to BIS at (202) 219–9179 or –9182 or you may send the documents to: Bureau of Industry and Security, Information Technology Controls Division, Room 2093, 14th Street and Pennsylvania Ave., NW., Washington, DC 20230. In addition, you must send a copy of your review request and all support documents to: Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Fort Meade, MD 20755–6000. For all review requests of encryption items, you must provide brochures or other documentation or specifications related to the technology, commodity or software, relevant product descriptions, architecture specifications, and as necessary for the review, source code. You also must indicate whether there have been any prior reviews of the product, if such reviews are applicable to the current submission. In addition, you must provide the following information in a cover letter accompanying your review request:

(a) State the name of the encryption item being submitted for review;

(b) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator;

(c) For review requests for a commodity or software, provide the following information:

(1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode).

(2) State the key management algorithms, including modulus sizes, that are supported.

(3) For products with proprietary algorithms, include a textual description and the source code of the algorithm.

(4) Describe the pre-processing methods (e.g., data compression or data interleaving) that are applied to the plaintext data prior to encryption.

(5) Describe the post-processing methods (e.g., packetization, encapsulation) that are applied to the cipher text data after encryption.

(6) State the communication protocols (e.g., X.25, Telnet or TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards) that are supported.

(7) Describe the encryption-related Application Programming Interfaces (APIs) that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use.

(8) Describe the cryptographic functionality that is provided by third-party hardware or software encryption components (if any). Identify the manufacturers of the hardware or software components, including specific part numbers and version information as needed to describe the product. Describe whether the encryption software components (if any) are statically or dynamically linked.

(9) For commodities or software using Java byte code, describe the techniques (including obfuscation, private access modifiers or final classes) that are used to protect against decompilation and misuse.

(10) State how the product is written to preclude user modification of the encryption algorithms, key management and key space.

(11) For products that meet the requirements of §740.17(b)(3)—Encryption commodities, software and components available to both “government end-users” and to non-“government end-users”—describe how they are not restricted by the provisions of §740.17(b)(2).

(12) For products which incorporate an open cryptographic interface as defined in part 772 of the EAR, describe the Open Cryptographic Interface.

(d) For review requests regarding components, provide the following additional information:

(1) Reference the application for which the components are used in, if known;

(2) State if there is a general programming interface to the component;

(3) State whether the component is constrained by function; and

(4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier.

(e) For review requests for source code, provide the following information:

(1) If applicable, reference the executable (object code) product that was previously reviewed;

(2) Include whether the source code has been modified, and the technical details on how the source code was modified; and

(3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls.

(f) For step-by-step instructions and guidance on submitting review requests for encryption items, visit our webpage at www.bis.doc.gov/Encryption and click on the navigation button labeled “Guidance”.

[67 FR 38868, June 6, 2002, as amended at 69 FR 71363, Dec. 9, 2004; 70 FR 22249, Apr. 29, 2005]

Supplement No. 7 to Part 742 [Reserved]