One of the puzzling situations that are not explicitly answered by the Commerce Control List (CCL), or other part of the EAR, are the software/hardware bundles commonly exported overseas. Looking at the plain language of the CCL, one may reason that the hardware having encryption (PC or the server), typically under 4A994 category, must also be crosschecked pursuant to Category 4 Note 3 (“Computers, related equipment and ‘software’ performing cryptographic, cryptoanalytic, certifiable multi-level security or certifiable user isolation functions, or that limit electromagnetic compatibility [EMC], must also be evaluated against the performance characteristics in Category 5, Part 2 [‘Information Security’]). Category 5, Part 2 may tell you Category 5 applies in lieu of Category 4, but does not tell you what to do if both controls within Category 5 are applicable. Publicly available information, such as “Classification of computer preloaded with TSU-eligible encryption software” advisory opinion, is not very helpful because one may interpret it as limited to TSU exceptions only. Phone conversations with BIS team did not help much either, as I received conflicting answers (depending on the person I spoke with) regarding the reporting requirements – ranging from reporting of two ECCNs per one commodity to single ECCN…
Published February 6, 2009 by Yuri Starikov