Date: Fri, 26 Mar 93 15:37:40 PST
From: tien@toad.com (Lee Tien)
To: gnu@cygnus.com, gnu@toad.com
Subject: CJR kit [export commodity jurisdiction request]

United States Department of State
Bureau of Politico-Military Affairs
Office of Defense Trade Controls
17 Sep 92
Washington, D.C. 20522-0602

*GUIDELINES FOR PREPARING COMMODITY JURISDICTION (CJ) REQUESTS*

*Purpose.* The purpose of a commodity jurisdiction request is to determine whether an item requires a Department of State license for export. If you are not completely sure of the export licensing jurisdiction of an item, you should request a CJ determination. You can also use a CJ request to ask that a State controlled item be moved to the licensing jurisdiction of the Department of Commerce. Anyone can request a CJ determination on any item. Remember, a CJ determination only determines the proper licensing authority for an item and is not a license or approval to export.

*The CJ Process.* A CJ request should be submitted to the Office of Defense Trade Controls (DTC) in the form of a letter and supporting documents. Once received, a CJ request is assigned a CJ case number. Copies of the request are staffed to appropriate U.S. Government agencies for review. To avoid delays in the interagency coordination process, we request you send *nine complete sets* of the letter and any attachments. Upon receipt of these comments from reviewing agencies, DTC makes a jurisdictional determination and then notifies the applicant of this decision by letter.

*Preparing the CJ Package.* Use the following guidelines in preparing the CJ letter and attachments:

1. _Subject Line_. On the subject line identify the letter as a "Commodity Jurisdiction Request for (state the item or items)." Be as specific as possible, including the manufacturer, the model and/or part number, and the name of the item. If this is a request for reconsideration of a previous CJ, reference the previous CJ case number.

2. _Description_. State what the item is, what it is a component of, what it does, how it works, and any other information that explains the item.

3. _Origin of Commodity_. State what the item was originally designed for and/or why the item was created. State whether the item was designed or modified specifically for military use, for commercial use, or for both commercial and military use. Give examples of these uses. If the item was developed for any U.S. Government agency or with any U.S. Government funding, state so and identify the agency. A brief product history is also useful.

4. _Current use_. Describe all current uses of the item and state whether or not the uses have changed significantly over time. Include only what the item "*is used for*", rather than what it "*can be used for*." Indicate whether most of the product market is military or commercial.

5. _Special Characteristics_. State any military standards or military specifications that the item is designed to meet. Describe any special characteristics of the item, including radiation-hardening, ballistic protection, hard points, TEMPEST capability, thermal or infrared signature reduction capability, and surveillance or intelligence gathering capability. If the item uses image intensification tubes, give the level of technology (Gen II, Gen III, etc). If the item uses encryption algorithms, state what the encryption is for and describe the algorithm. Check with the CJ staff before submitting a CJ request for mass market software containing encryption.

6. _Other Information_. Provide any other information in the letter that would be helpful in making a jurisdictional determination. If a jurisdiction recommendation is applicable, recommend the U.S. Government agency (State or Commerce), the United States Munitions List category or export control classification number, and the reasons for the recommendation.

7. _Attachments_. Include any brochure, specification sheet, marketing literature, technical data, or any other document that will assist in the determination.

*Getting Your Request to DTC*. When sending your CJ request to DTC be careful to address it correctly. When sending it through the U.S. Postal Service system (other than Express Mail) use the following address:

      Office of Defense Trade Controls
      PM/DTC SA-6 Room 200
      U.S. Department of State
      Washington, D.C. 20522-0602

When sending it via courier or Express Mail use the following address:

      Office of Defense Trade Controls
      PM/DTC SA-6 Room 200
      U.S. Department of State
      Arlington, VA 22209-3113

*Processing Time.* A CJ case normally takes 40 work days (60 calendar days) to complete. This includes the time it takes to initially review and staff the case, to receive all agency recommendation replies, to resolve conflicting agency recommendations, to prepare the response letter, and to complete the internal review process. Processing times vary depending on the complexity of the case.

*Status.* Seven to ten days after submitting a CJ case an applicant should call the CJ staff to obtain the case number. With this case number, status on a CJ case can be obtained by calling the automated license status line (ALISS), at (703) 875-7374. Applicants that subscribe to the Remote On-line Bulletin Board (ROBB) can obtain status via computer on (703) 875-6652, Monday through Friday, 9-12am and 2-5pm.

*Requests for Reconsideration.* If an applicant disagrees with a DTC determination or if a change in export regulations causes a transfer of jurisdiction, a request for reconsideration can be submitted. In either case the format is identical to an original CJ request. Remember to reference the previous CJ case number in the subject line. Additionally, state why you disagree with the DTC ruling, and provide appropriate justification and/or information.

*Points of Contact.* Points of contact for commodity jurisdictions are:

      Major Gary Oncale     (703) 875-5655
      Christopher Elder     (703) 875-7041
      PM/DTC/ALD FAX        (703) 875-6647

31 Jul 92

=====
Note: Asterisks surrounding text (*foo*) indicate emboldening. Underlines surrounding text (_bar_) indicate underlining.
==============================================================================

United States Department of State
Bureau of Politico-Military Affairs
Office of Defense Trade Controls
Washington, D.C. 20522-0602

PROCEDURE FOR SUBMITTING A COMMODITY JURISDICTION REQUEST FOR A MASS MARKET SOFTWARE PRODUCT THAT CONTAINS ENCRYPTION

On April 27, 1992, as the result of public comments on proposed rule changes regarding the area of cryptographic devices covered by the USML, the Department of State (DOS) published a revised USML which clarified the cryptographic devices and technology that are subject to USML controls. Additionally, on July 20, 1992, the DOS published an interim final rule that announced a procedure to facilitate the expeditious transfer to the Department of Commerce's Control List (CCL) of mass market software products with encryption.

All commodity jurisdiction (CJ) requests for mass market software products with encryption will be reviewed in one of the following manners:

- Those requests for products which meet the specified criteria established in paragraphs 1 and 2 of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling", will be processed in seven working days from receipt of a properly completed request.

- Those requests for products which meet only paragraph 1 of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling", will be processed in fifteen working days of the receipt of a properly completed request. When additional information is requested, the request will be processed within fifteen working days of the receipt of the requested information.

- Those software products that do not meet the specified criteria above are not eligible for expeditious handling, and must be submitted using the normal CJ procedures as described in CFR 22 Part 120.5.

If an applicant wants an expedited CJ on an entire product line, then a separate CJ request must be submitted on each product. However, a mass market software commodity that runs on multiple operating systems can be submitted as a single CJ request.

1. *The instructions for the preparation and submission of a CJ request that is eligible for seven day handling are as follows:*

   a. If the software product _meets paragraphs 1 and 2_ of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling," you must call the Office of Defense Trade Controls (ODTC), Maj Gary Oncale at (703) 875-5655 or Chris Elder at (703) 875-7041, to obtain a test vector included on the "Supplemental Form for Mass Market Software Expedited Review." This test vector must be used in the CJ review process to confirm that the software has properly implemented the approved encryption algorithm(s).

   b. Upon receipt of the test vector, the applicant must encrypt the test plain text input provided using the commodity's encryption routine (RC2 and/or RC4) with the given key value. Do not pre-process the test vector by any compression or any other routine that changes its format. Place the resultant test cipher text output in hexadecimal format on the "Supplemental Form for Mass Market Software Expedited Review," and submit the form with the CJ request.

   c. The applicant must provide the following information in the CJ request letter:

      (i) clearly mark in the subject line "Mass Market Software with Encryption - 7 Day Expedited Review Requested."

      (ii) state your Defense Trade Controls (DTC) registration code if you are registered with the Department of State as a manufacturer and/or exporter of defense articles or furnisher of defense services.

      (iii) state that you have reviewed and determined that the software, which is the subject of the CJ request, meets paragraphs 1 and 2 of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling."

      (iv) state the name of the single software product being submitted for review. Remember, a separate CJ request must be submitted on each product.

      (v) state how the software has been written to preclude user modification of the encryption algorithm, key management mechanism, and key space.

      (vi) The following information must be provided on each software product:

          - whether the software uses the RC2 and/or the RC4 algorithm and how the algorithm(s) is used. If both of these algorithms are used in the same product, also state how the functionality of each is separated to assure that no data is operated on by both algorithms.

          - pre-processing information of plain text data before encryption (e.g., the addition of header information or compression of the data).

          - post-processing information of cipher text data after encryption (e.g., the addition of clear text header information or packetization of the encrypted data).

          - whether or not a public key algorithm or a symmetric key algorithm is used to encrypt keys and the applicable key space.

      (vii) Additional Information On Source Code Requests: A CJ request to transfer the source code of a mass market software product that meets the specified criteria established in paragraphs 1 and 2 of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling", must also:

          - reference the applicable executable product that was transferred to Commerce.

          - include whether or not the source code has been modified by deleting the encryption algorithm, its associated key management routine(s), and all calls to the algorithm from the source code, or by providing the encryption algorithm and associated key management routine(s) in object code with all calls to the algorithm hidden. The applicant must provide the technical details on how they have modified the source code.

          - include a copy of the sections of the source code that contain the encryption algorithm, key management routines, and their related calls.

      (viii) provide any additional information which you believe would assist in the review process.

   d. Address the CJ request letter to the Office of Defense Trade Controls (ODTC) using the mailing instructions in paragraph 3 below.

2. *The instructions for the preparation and submission of a CJ request that is eligible for 15 day handling are as follows:*

   a. If the software product _meets only paragraph 1_ of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling," then you will need to prepare two copies of the CJ request. The first copy must be sent to the Office of Defense Trade Controls (ODTC), using the mailing instructions in paragraph 3 below, and the second copy must be sent by Express Mail to:

      P.O. Box 246
      Annapolis Junction, Maryland 20701-0246
      Attn: 15 Day CJ Request Coordinator

   b. The applicant must provide the following information in the CJ request letter:

      (i) clearly mark in the subject line "Mass Market Software with Encryption - 15 Day Expedited Review Requested."

      (ii) state your Defense Trade Controls (DTC) registration code if you are registered with the Department of State as a manufacturer and/or exporter of defense articles or furnisher of defense services.

      (iii) state that you have reviewed and determined that the software, which is the subject of the CJ request, meets paragraph 1 of the attached "Criteria for Determining Eligibility of A Mass Market Software Product for Expedited Handling."

      (iv) state the name of the single software product being submitted for review. Remember, a separate CJ request must be submitted on each product.

      (v) state that a duplicate copy, in accordance with paragraph 2a above, has been sent to the 15 Day CJ Request Coordinator.

      (vi) ensure that the information provided includes brochures or other documentation or specifications relating to the software, as well as any additional information which you believe would assist in the review process.

   c. ODTC recommends that Major Gary Oncale be contacted prior to submission to facilitate the submission of proper documentation.

3. Although ODTC can and will accept expedited CJ requests via Fax, courier, or overnight mail, ODTC recommends the Fax to ensure that no time delays are incurred due to in-house processing of the mail. Send one copy of the CJ request to ODTC either by FAX, courier, or by overnight mail. Address the CJ request as follows:

   When sending it via _courier or overnight mail_ use the following address:

      ATTN: Maj Gary Oncale - (insert 7 or 15) Day CJ Request
      U.S. Department of State
      Office of Defense Trade Controls
      PM/DTC SA-6 Room 200
      1701 N. Fort Myer Drive
      Arlington, VA 22209-3113

   When sending it via _FAX_ use the following number: (703) 875-5845 and state in the cover letter, "ATTN: Maj Gary Oncale - (insert 7 or 15) Day CJ Request."

4. Finally, ODTC suggests that you call either Maj Oncale or Chris Elder one day after transmitting your CJ request to ensure ODTC received your CJ request and to obtain the assigned CJ case number for future reference.

CRITERIA FOR DETERMINING ELIGIBILITY OF A MASS MARKET SOFTWARE PRODUCT FOR EXPEDITED HANDLING

1. In accordance with the Note in 22 CFR 121.1 Category XIII(b)(1), published on July 20, 1992, a mass market software product that meets _all_ the criteria established in this paragraph will be processed in fifteen working days from receipt of the properly completed request:

   a. The commodity must be mass market software. Mass market software is computer software that is available to the public via sales from stock at retail selling points by means of over-the-counter transactions, mail order transactions, or telephone call transactions.

   b. The software must be designed for installation by the user without further substantial support by the supplier. Substantial support does not include telephone (voice only) help line services for installation or basic operation, or basic operation training provided by the supplier.

   c. The software includes encryption for data confidentiality.

2. In accordance with the Note in 22 CFR 121.1 Category XIII(b)(1), published on July 20, 1992, a mass market software product that meets _all_ the criteria established in this paragraph will be processed in seven working days from receipt of the properly completed request:

   a. The software meets _all_ the criteria established in paragraph 1(a), (b), and (c) above.

   b. The data encryption algorithm must be RC4 and/or RC2 with a key space of 40 bits. The RC4 and RC2 algorithms are proprietary to RSA Data Security, Inc. To ensure that the subject software is properly licensed and correctly implemented, contact RSA Data Security, (415) 595-8782.

   c. If both RC4 and RC2 are used in the same software, their functionality must be separate. That is, no data can be operated on by both routines.

   d. The software must not allow the alteration of the data encryption mechanism and its associated key spaces by the user or any other program.

   e. The key exchange used in the data encryption must be:

      (i) a public key algorithm with a key space less than or equal to a 512 bit modulus and/or

      (ii) a symmetrical algorithm with a key space less than or equal to 64 bits.

   f. The software must not allow the alteration of the key management mechanism and its associated key space by the user or any other program.

SEPTEMBER 1992

=====
Note: Asterisks surrounding text (*foo*) indicate emboldening. Underlines surrounding text (_bar_) indicate underlining.
==============================================================================

-30-

Lee