15 June 1997
Source: Documents Fedexed from BXA.

See related notice: http://jya.com/bxa060697.txt

Bureau of Export Administration

Washington, D.C. 20230

[June 9, 1997]


From: Stephen Baker, Information Collection Officer, BXA
Subject: Request for copy of Information Collection Instruments & Instructions

Enclosed please find a copy of the Supporting Statement and the rule pertaining to this collection of information on Encryption.

If I can be of any other assistance, feel free to contact me at (202) 482-3673; FAX (202) 501-7989.

75 Years Stimulating America's Progress * 1913-1988

[No date]

Supporting Statement

Commercial Encryption Items Transferred from the Department of State to the Department of Commerce

1. This collection is required by Section 5(h) of the Export Administration Act of 1979, as amended (EAA), and authorized under Section 15(b) of the EAA. The Export Administration Act authorizes the President to control exports of U.S. goods and technology to all foreign destinations, as necessary for the purposes of national security, foreign policy and short supply. Export control authority has been delegated by the President to the Secretary of Commerce and is administered by the Bureau of Export Administration (BXA).

2. The information required by this collection is required in support of applications to export or reexport encryption items. The regulation developed by the Bureau of Export Administration, in consultation with other agencies, carries out the President's announced encryption export control initiative. Specifically, it amends the Export Administration Regulations (EAR) by exercising jurisdiction over, and imposing new combined national security and foreign policy controls on encryption items removed from United States Munitions List. The regulation describes licensing policies for different categories of encryption items and establishes criteria for 1.) Key recovery or key escrow products; 2.) Key recovery or key escrow agents, and 3.) Exporter key recovery or key escrow development plans.

For software at or below 40-bits, the exporting company must submit a classification request for a one-time Department of Commerce review. Such requests must be supported by information describing whether the software meets certain specified criteria. The information collected in applications to export 40 bit encryption products is to conduct a one-time review to determine whether its export will or will not present an unacceptable risk to the national security and foreign policy of the United States. Such a review and determination must be made on a product-by-product basis, and such a review and determination cannot be made without the information collected on the application for an export license. This information will be used by BXA to determine eligibility for publicly available and mass-market treatment (i.e. eligibility for export without a license).

For 56-bit and above encryption items without key recovery features, applicants must submit a plan specifying the steps the company will take to develop recoverable encryption products. The information collected is to determine whether the exporter has made an adequate commitment to develop or market a recovery substitute for the non-recovery encryption products. Without this information, such a determination cannot be made. One of the purposes of this rule is to provide exporters an incentive to develop encryption recovery products that are substitutes for currently exported non-recoverable encryption products.

For certain 56-bit and above encryption items not supported by a marketing and development plan for recoverable encryption items, and that are approved for export under a license issued by the Bureau of Export Administration, licensees may be required to periodically report to BXA the exports of approved encryption items. Frequency and information to be included in such reports will be stated as a condition on the license, and such reporting requirements will be imposed on a case-by-case basis.

For 56-bit and above recoverable encryption items, the applicant must provide information required by the collection for use by the U.S. Government in determining the suitability of the key holder, whether the key meets certain U.S. standards, and whether there are adequate procedures for safeguarding the key. This information also supports the Administration's encryption policy. The information collected for all controlled encryption recovery products is to permit the U.S. Government authorized access for law enforcement reasons and national security reasons to clear text of previously encrypted information or communications, which information or communications is encrypted by the product authorized for export. The collected information will be used by the Federal Bureau of Investigation, other law enforcement agencies, and the Intelligence Community as authorized by other laws for the purpose of furthering their respective law enforcement and national security missions. Without the information to be provided, the essential reasons for the control cannot be achieved. The additional recordkeeping requirement.

3. As an attachment to Form BXA-748P, the information required by this collection may be sent to BXA via facsimile.

4. There is no duplication of collection of this information.

5. This collection does not impact small businesses.

6. The burden cannot be minimized for small businesses or other small entities.

7. If the collection were conducted less frequently, there would be violations of U.S. export regulations. Only complete collections will assure compliance with the EAA and export regulations.

8. The notice requesting public comment was published in the Federal Register on February 12, 1997, p.6515. During the comment period, Commerce received one letter from IBM Corporation. IBM suggested that Commerce's requirements be used for both the License Exception KMI and for those encryption items that are now under Commerce jurisdiction, but are being exported under the Distribution Arrangement that exporter previously had with the Department of State. Commerce agrees with this suggestion and will soon publish a revised encryption rule that will allow exporters to use the same Destination Control Statement and the same Shipper's Export Declaration information whether they are using License Exception KMI or the Distribution Arrangement.

IBM also suggested that Commerce eliminate KMI reporting requirements for commercial 56-bit DES products or, at least, reduce reporting requirements to QUANTITY, ECCN, and COUNTRY. That is not possible. The government has determined that the requirement of reporting and the information asked for are necessary for security reasons and for enforcement reasons. These requirements will not change at this time. Although IBM prefers to report annually, the United States must report encryption items to the Wassenaar Arrangement semiannually. Until that requirement changes, Commerce will continue to ask exporters to report.

As required by OMB, BXA contacted applicants for commodity classification requests for 56-bit and over encryption items without key recovery plans. These applicants must submit a plan specifying the steps the company will take to develop recoverable encryption products, and the estimate provided in the original 6 month authorization was 40 hours per submission. Comments received to date from two industry respondents on this estimate indicate that while initial submissions are requiring 40 to 120 hours to assemble the required documentation, subsequent submissions will only require 40 hours as originally projected. Individuals and their organizations consulted in 1997 included:

Gradient Technologies, Inc. - Arnold Adelman, VP - (508) 624-9600
Information Security Corp. - Marnie Euteneuer - (847) 405-0500

9. There is no decision to provide any payment or gift to respondents.

10. Pursuant to section 12(c) of the Export Administration Act (EAA), as amended, information obtained by this collection which is deemed confidential, or with reference to which a request for confidential treatment is made by the person furnishing such information, shall be exempt from disclosure under section 552 of title 5, United States Code, and such information shall not be published or disclosed unless the Secretary determines that the withholding thereof is contrary to the national interest. Although the Export Administration Act (EAA) expired on August 20, 1994, the President invoked the International Emergency Economic Powers Act and continued in effect, to the extent permitted by law, the provisions of the EAA and the EAR in Executive Order 12924 of August 19, 1994, notice of August 15, 1995 (60 FR 42767), and notice of August 14, 1996 (60 FR 42527).

11. This collection does not require information of a sensitive nature.

12. There are 7,720 public burden hours associated with this new collection of information. It is estimated that there will be 100 applications for 56-bit encryption supported by a marketing plan; 2,600 applications for 56-bit encryption not supported by a marketing plan; and 300 applications for recoverable encryption items.

The hours associated with preparing a marketing plan for the development of recoverable substitutes for non-recoverable encryption items is 40 hours for each of the 100 submissions, or 4,000 hours annually. It is estimated that the hours associated with each of the 100 six month updates is 8 hours for each submission for a maximum of 1,600 per year not to exceed two years (8 hours x 2/year x 100 = 1,600 hours). It is estimated that 5 exporters will need 8 hours each (for a total of 40 hours) to ensure that encryption software is not exported from the Internet or BBS's. Therefore, the total burden associated with the marketing plans is 5,640 hours.

It is estimated that the amount of time required to comply with the safeguard procedures described in Supplement No. 5 to part 742 is 4 hours, plus an additional 2 hours to allow agents to comply with recordkeeping requirements for each of the 300 submissions received annually to export recoverable encryption software, for a total of 1,800 hours (4 hours + 2 hours = 6 hours x 300 submissions = 1,800 hours).

It is estimated there will be 80 instances of annual reporting (whether as a result of an approved license or eligibility for license exception), and that it will take 4 hours to complete each report, for a total of 320 hours.

At an hourly rate of $30/hour, the cost to the public of completing license applications, providing the specific required information for classification requests, completing the safeguard procedures, preparing and submitting annual reports, and complying with agent's record keeping requirements is $149,850 (2,625 hours for license applications + 250 hours for commodity classifications + 1,800 hours for safeguard procedures and agent's recordkeeping + 320 for annual reports = 4,995 x $30/hr.). At an hourly rate of $50/hour, the cost to the public of preparing and submitting the marketing plans and ensuring that encryption software is not exported from the Internet or BBS's is $282,000 (5,600 hours + 40 = 5,640 x $50/hr.). Therefore, the total annualized cost of the burden hours is $431,850.

13. Because this is an existing collection of information, there is no change in the burden hours.

14. It is estimated there will be 10 new exporters of encryption products that will not have developed a database or procedures to remain in compliance with this new regulation. The total annual startup cost burden of new respondents is $160,000. Based on cost estimates of consultant services for similar database applications, the total annual capital and startup cost to have such a system developed is approximately $10,000 each, or $100,000 for 10 exporters. This is based on a total cost of $30,000 with a useful life of three years. The total operation and maintenance costs for these same 10 exporters is $60,000. This is based on the 10 firms dedicating 10 percent of the salary of a person earning $40,000 annually ($40,000 x 10% = $4,000) to maintain and use the system, and $2,000 annually to provide for the maintenance of the hardware ($4,000 + $2,000 = 6,000 x 10 firms = $60,000).

See attached cost/benefit analysis for cost to the Federal Government.

15. There were no program changes or adjustments.

16. This collection will not be published.

17. The form used to apply for an encryption export license and classification (for BXA-748P) will be the same form other export license applications are submitted on to BXA. Since Form BXA-748P was already approved to omit the expiration date in order to prevent applicants from around the world needlessly replacing and ordering new forms, BXA wishes to extend that approval to include this new collection.

18. There are no requests for exceptions to the certification statement.

The second document sent is a 54-page typeset version of the Federal Register notice of Encryption Items Transferred from the U.S. Munitions List to the Commerce Control List at: