15 C.F.R. Supplement No. 6 to Part 742—Guidelines for Submitting Review Requests for Encryption Items
Title 15 - Commerce and Foreign Trade
Review requests for encryption items must be submitted on Form BIS-748P (Multipurpose Application), or its electronic equivalent, and supported by the documentation described in this Supplement, in accordance with the procedures described in §748.3 of the EAR. To ensure that your review request is properly routed, insert the phrase “Mass market encryption” or “License Exception ENC” (whichever is applicable) in Block 9 (Special Purpose) of the application form and place an “X” in the box marked “Classification Request” in Block 5 (Type of Application)—Block 5 does not provide a separate item to check for the submission of encryption review requests. Failure to properly complete these items may delay consideration of your review request. BIS recommends that review requests be delivered via courier service to: Bureau of Industry and Security, U.S. Department of Commerce, 14th Street and Pennsylvania Ave., NW., Room 2705, Washington, DC 20230. For electronic submissions via SNAP, you may fax a copy of the support documents to BIS at (202) 219–9179 or –9182 or you may send the documents to: Bureau of Industry and Security, Information Technology Controls Division, Room 2093, 14th Street and Pennsylvania Ave., NW., Washington, DC 20230. In addition, you must send a copy of your review request and all support documents to: Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Fort Meade, MD 20755–6000. For all review requests of encryption items, you must provide brochures or other documentation or specifications related to the technology, commodity or software, relevant product descriptions, architecture specifications, and as necessary for the review, source code. You also must indicate whether there have been any prior reviews of the product, if such reviews are applicable to the current submission. In addition, you must provide the following information in a cover letter accompanying your review request: (a) State the name of the encryption item being submitted for review; (b) State that a duplicate copy has been sent to the ENC Encryption Request Coordinator; (c) For review requests for a commodity or software, provide the following information: (1) Description of all the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used. Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode). (2) State the key management algorithms, including modulus sizes, that are supported. (3) For products with proprietary algorithms, include a textual description and the source code of the algorithm. (4) Describe the pre-processing methods (e.g., data compression or data interleaving) that are applied to the plaintext data prior to encryption. (5) Describe the post-processing methods (e.g., packetization, encapsulation) that are applied to the cipher text data after encryption. (6) State the communication protocols (e.g., X.25, Telnet or TCP) and encryption protocols (e.g., SSL, IPSEC or PKCS standards) that are supported. (7) Describe the encryption-related Application Programming Interfaces (APIs) that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use. (8) Describe the cryptographic functionality that is provided by third-party hardware or software encryption components (if any). Identify the manufacturers of the hardware or software components, including specific part numbers and version information as needed to describe the product. Describe whether the encryption software components (if any) are statically or dynamically linked. (9) For commodities or software using Java byte code, describe the techniques (including obfuscation, private access modifiers or final classes) that are used to protect against decompilation and misuse. (10) State how the product is written to preclude user modification of the encryption algorithms, key management and key space. (11) For products that meet the requirements of §740.17(b)(3)—Encryption commodities, software and components available to both “government end-users” and to non-“government end-users”—describe how they are not restricted by the provisions of §740.17(b)(2). (12) For products which incorporate an open cryptographic interface as defined in part 772 of the EAR, describe the Open Cryptographic Interface. (d) For review requests regarding components, provide the following additional information: (1) Reference the application for which the components are used in, if known; (2) State if there is a general programming interface to the component; (3) State whether the component is constrained by function; and (4) Identify the encryption component and include the name of the manufacturer, component model number or other identifier. (e) For review requests for source code, provide the following information: (1) If applicable, reference the executable (object code) product that was previously reviewed; (2) Include whether the source code has been modified, and the technical details on how the source code was modified; and (3) Include a copy of the sections of the source code that contain the encryption algorithm, key management routines and their related calls. (f) For step-by-step instructions and guidance on submitting review requests for encryption items, visit our webpage at www.bis.doc.gov/Encryption and click on the navigation button labeled “Guidance”. [67 FR 38868, June 6, 2002, as amended at 69 FR 71363, Dec. 9, 2004; 70 FR 22249, Apr. 29, 2005]
Title 15: Commerce and Foreign Trade
PART 742—CONTROL POLICY—CCL BASED CONTROLS
Supplement No. 6 to Part 742—Guidelines for Submitting Review Requests for Encryption Items
