Top 10 Questions to Ask Before Exporting Software Containing Encryption

Similar documents
Introduction To Commerce Department. Export Controls U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES

Harvard Export Control Compliance Policy Statement

Encryption Export Controls: A Comparative Analysis between the EU and the US

United States Export Controls on Internet Software Transactions. John F. McKenzie Partner, Baker & McKenzie LLP

Rules and Regulations

US Export Regulations Compliance. Presented by Larry Disenhof Cadence Design Systems, Inc.

COMPUTER & INTERNET. Westlaw Journal. Expert Analysis Software Development and U.S. Export Controls

Audit Module: Self-Assessment Tool

Managing Open Source Code Best Practices

GOODMAN GLOBAL GROUP, INC. EXPORT CONTROL AND SANCTIONS COMPLIANCE POLICY

Export Controls. How to Comply with Export Controls. By Kimberly Marshall

Export Control Compliance Procedure Guide June 8, 2012

Export Control Training

U.S. Department of Commerce Bureau of Industry and Security. How to Classify Your Item

Export Controls: What are they? Why do we care?


Introduction to Braumiller Schulz LLP Why Trade Compliance? Establishing an Internal Compliance Program (ICP) Contracting Services to Outside Experts

University of Louisiana System

Mastering Global Trade Compliance for Growth Through Export. Track 1 Session 3

RSA. Frequently Asked Questions. RSA Data Security, Inc. About Cryptography Export Laws. Answers to THE KEYS TO PRIVACY AND AUTHENTICATION

Table of Contents INTRODUCTION (CCL) STRUCTURE

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY

Evaluation, Development and Demonstration Software License Agreement

Deemed Exports and the Export Control Reform Initiative. Bernard Kritzer Director Office of Exporter Services. July 24, 2013.

3. Designed for installation by the user without further substantial support by the supplier; and

Second Annual Impact of Export Controls on Higher Education & Scientific Institutions

Export Controls and Cloud Computing: Legal Risks

A Primer on U.S. Export Controls

CLOUD COMPUTING, EXPORT CONTROLS AND SANCTIONS. By Richard Tauwhare, Dechert LLP i

Export Control Management System

Remember To Comment On BIS' New Cybersecurity Export Rule

EXPORT COMPLIANCE MANUAL

Implementing Catch All Controls A Risk Assessment-based Approach Toward Nonproliferation

Table of Contents INTRODUCTION INTRODUCTION IMPORTANT EAR TERMS AND PRINCIPLES ITEMS SUBJECT TO THE EAR..

Middle Tennessee State University. Office of Research Services

SYSTEM OF HIGHER EDUCATION PROCEDURES AND GUIDELINES MANUAL CHAPTER 16 EXPORT CONTROL AND ECONOMIC SANCTIONS POLICY

Encryption Simplification and the October 3 rd rule. Michael Pender Senior Engineer Information Technology Controls Division

Policy on Export of Physical and Intellectual Property Export Controls

Export Compliance Program Policies and Procedures Manual. Office of Research and Economic Development University of Wyoming

US EXPORT CONTROLS & MARGARET M. GATTI, ESQ. LOUIS K. ROTHBERG, ESQ. FEBRUARY 23,

TRADE CONTROL POLICY FEBRUARY 2014

Policy and Procedures Date:

EXPORT CONTROLS The Challenge for U.S. Universities. Julie T. Norris (ret.) Office of Sponsored Programs Massachusetts Institute of Technology

This Policy supersedes the Terex Corporation Policy on Transactions in Iran, dated June 7, 2013.

COMPLIANCE GUIDELINES: HOW TO DEVELOP AN EFFECTIVE EXPORT MANAGEMENT AND COMPLIANCE PROGRAM AND MANUAL

TC QSign. Symantec Limited Ballycoolin Business Park, Blanchardstown Dublin 15 Ireland Phone: Fax

SYMANTEC SOFTWARE SERVICE LICENSE AGREEMENT Norton 360

SI/SAO Export Compliance Training 1/9/2014

Export Control Compliance Program Guidelines January 2012

EXPORT COMPLIANCE PROGRAM MANUAL. University of Delaware

Credit Application and Agreement - Supplement Your Business Future

Secure . SOFTWAR INC. PO Box 325 Manquin, VA Information Security

Export Controls Compliance

EXPORT CONTROLS COMPLIANCE

EXEDE (R) ANALYTICS APPLICATION END USER LICENSE AGREEMENT

Source and Object Code Software License Agreement

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION

Louisiana State University A&M Campus Export Control Compliance Manual October 2013

University of Maryland Export Compliance Program

CHINA S EXPORT CONTROLS AND ENCRYPTION REGULATIONS

U.S. Census Bureau Electronic Export Information Requirements When Sending Shipments Internationally

FREIGHT FORWARDER GUIDANCE

Office of Export Enforcement Bureau of Industry and Security (BIS) U.S. Department of Commerce

OFAC Compliance Overview and Recent Trends

Best Practices in Export Compliance: Five Key Issues in Canadian Trade Control Compliance and Enforcement

How To Control Cybersecurity In The Eo

Table of Contents SCOPE RECORDS TO BE RETAINED

Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws

INTANGIBLE TRANSFER OF TECHNOLOGY (ITT) : Regulatory Perspective. Presented by Hjh Nuraffiza Ahmad Strategic Trade Division SKMM

Expanding Internationally with Confidence by Ensuring Global Trade Compliance

ROCHESTER INSTITUTE OF TECHNOLOGY EXPORT COMPLIANCE PROGRAM

Export Control Basics

NORTON ONLINE SOFTWARE SERVICE LICENSE AGREEMENT Norton 360 Online

UNIVERSITY OF CHICAGO/EXPORT CONTROL PROCEDURES. 1. Background. 2. Export Control Oversight: Who Is Responsible. 3. Jurisdiction and Classification

Processing of Deemed Export License Application. Robert Juste Electronics and Materials Division

Export Controls on Intrusion Software. Collin Anderson Tom Cross

Insights and Commentary from Dentons

Welcome to Esri's Software Export Control Classification Number (ECCN) Matrix

Managing the Relationship Between Canadian and U.S. Export Controls and Economic Sanctions: Compliance and Enforcement Issues

EXPORT COMPLIANCE OFFICE (ECO) MANUAL

Protecting the Value of Your Transaction y

Security Export Control System in Japan. Ministry of Economy, Trade and Industry, Japan

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

OSS LOGISTICS: DRIVING INNOVATIVE SOFTWARE FROM DEVELOPER TO CUSTOMER Alex Bigmore Senior Architect & Open Source Governance Programme Manager SITA

i. The enclosed software and knowledge base together are defined as the "Software".

Dual use export controls

758.1 THE SHIPPER S EXPORT DECLARATION (SED) OR AUTOMATED EXPORT SYSTEM (AES) RECORD

Regulatory Compliance and Trade

Symantec Limited Ballycoolin Business Park, Blanchardstown Dublin 15 Ireland Phone: Fax

Since the events of September 11,

How to Send and Receive an With the Choctaw

TECHNOLOGY CHECKLIST FOR COMPANY MANAGERS AND COUNSEL

University of Virginia Export Compliance Management Program Manual

Phil Marshall Black Duck Software ISACA Webinar Program ISACA. All rights reserved.

HG2 Series Product Brief

Fundamentals of International Trade Transactions & International Trade Compliance

Code Composer Studio 5.1 Software License Agreement

Vanderbilt University

Trade Compliance & Exports

National Security Agency Perspective on Key Management

Transcription:

Top 10 Questions to Ask Before Exporting Software Containing Encryption January 14, 2009

Agenda Introduction FOSSBazaar Top Ten Questions Before Exporting Encryption Questions & Answers

Speakers Eran Strod Director of Product Marketing Black Duck Software Phil Robb General Manager, FOSSBazaar.org Director - Open Source Program Office, Hewlett Packard

What is FOSSBazaar? A community to develop and share best practices for open source governance in the enterprise FOSSBazaar is a Working Group of the Linux Foundation

Complex Software Sourcing External sources of code Open source Outsourcing Insourcing Undocumented reuse Software dependencies Dormant code

Mixed Code Risks Loss of Intellectual Property License Rights and Restrictions Export Regulations Software Defects Injunctions Contractual Obligations Security Vulnerabilities Escalating Support Costs

Question 1 Where is the item being exported? Wassenaar Arrangement 40-country agreement controlling export of weapons and of dual-use goods (military and civil) like cryptography United States Controls Under US Department of Commerce Bureau of Industry and Security, (BIS) Export Administration Regulations ("EAR") BIS Key areas of concern: Terrorist supporting and embargoed countries: Cuba, Iran, North Korea, Sudan, Syria Terrorist organizations: Al Qaeda, Hamas, and others Denied Persons List, (DPL): Maintained by the BIS - updated frequently China specific export restrictions EU+ and Canada are less restricted ITAR

Documented Legal Actions Northrop Grumman $400K civil penalty FMC Technologies $610,000 civil penalty DHL $9.4M civil penalty LogicaCMG $50,000 criminal fine $90,000 administrative penalty Neopoint $95,000 civil penalty China May Company Prison sentence Technical Integration Group (TIGS) Prison sentence $1.1M fine Realtek Semiconductor $44,000 penalty Two year denial of export privileges

Defining Export Common methods Shipping / postal mail Hand-carried Email Upload/download to internet site Conversation (technology) Transmit to foreign nationals in US Per US Department of Commerce BIS

Question 2 What is being exported? ECCN 5D992 Cryptologic equipment, software for the development, production or use of Not covered by 5D002 Information security equipment, software for the development, production or use of Not covered by 5D002 Virus Protection Software (No Longer Covered) NLR to all but Country Group E ECCN 5D002 Information security software (unless decontrolled) Encryption Software (unless decontrolled) License Required to All Countries Except Canada Unless a License Exception Applies (ENC, TSU, etc.)

Question 3 Is the item controlled? Source: BIS Category 5 (Part 2) - Information Security

Question 4 Where is it going? Source: BIS Supplement No. 1 to Part 738, Commerce Country Chart

Question 5 Who will receive the item? Commercial enterprise Government Individual Organization Denied Person s List

Question 6 How will the item be used? Controlled Nuclear, chemical, and biological weapons, Related systems Missile delivery systems Certain rocket systems Unmanned air vehicles in destinations listed in Part 744 of the regulations. See License Exceptions

Question 7 Does the software have encryption content? Yes, but Fixed crytography See if more sensitive CCL restrictions apply Limited crypto functionality Access control, authentication except communications Decontrolled crypto functionality Weak cryptography 5D992 (SW) without BIS notification or review

Question 8 - Is the software publicly available? Publicly available software Cost of reproduction or Freely downloadable Notification to BIS and NSA http://www.bis.doc.gov/encryption/pubavailencsourcecodenof ify.html Examples Commercial use of OSS Source: http://www.apache.org/dev/crypto.html

Encryption Algorithms in OSS 14,000 projects contain encryption ~4,000 require BIS filing Over 3,900 projects require review OSS projects may use license exception TSU Source: Black Duck KnowledgeBase, October 2009

Question 9 How strong is the encryption? Weak encryption 56-bit or Less Symmetrical 64-bit or Less Symmetrical and Mass Market 512-bit or Less Asymmetrical 112-bit or Less Elliptic Curve Semi-strong 80-bit or Less Symmetrical 1024-bit or Less Asymmetrical 160-bit or Less Elliptic Curve Strong File for license, review, notification or classification Remove crypto?

Question 10 Can an exception be used? Specific functions or ancillary encryption Foreign products US Subsidiary License Free Zone Companies Mass market Others

Recommended process for compliance Written policies / procedures Training and tools Bill-of-Materials Code audit Discovery of open source (and other external) software Inbound approval process Outbound approval process BIS notifications/filings Record keeping

Questions & Answers 22

Encryption Compliance Management Find cryptographic code embedded in complex software Improve compliance with export and other government regulations Streamline compliance processes Developers KnowledgeBase Report Compliance

Resources Webinar How to Comply with Current U.S. Encryption Export Controls Unlocking Software Export Classifications www.blackducksoftware.com/resources White Papers Software Encryption Export Considerations A Guide to Software Encryption Export Compliance Black Duck Export Product Page www.blackducksoftware.com/export Export and Reexport Compliance Guide Available from Black Duck

Questions and Answers Please type your question into the chat box (right side) For more information Eran Strod - estrod@blackducksoftware.com To learn more about Black Duck Export - Encryption Export Compliance Management: www.blackducksoftware.com/export or send email to: info@blackducksoftware.com To follow up with FossBazaar: feedback@fossbazaar.org

Thank You For Attending Until next time. 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information