This supplement provides certain instructions and requirements for self-classification reporting to BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) of encryption commodities, software and components exported or reexported pursuant to §740.17(b)(1) of the EAR. See §740.17(e)(3) of the EAR for additional instructions and requirements pertaining to this supplement, including when to report and how to report.
(a) Information to report. The following information is required in the file format as described in paragraph (b) of this supplement, for each encryption item subject to the requirements of this supplement and §§740.17(b)(1) and 740.17(e)(3) of the EAR:
(1) Name of product (50 characters or less).
(2) Model/series/part number (50 characters or less.) If necessary, enter ‘NONE’ or ‘N/A’.
(3) Primary manufacturer (50 characters or less). Enter ‘SELF’ if you are the primary manufacturer of the item. If there are multiple manufacturers for the item but none is clearly primary, either enter the name of one of the manufacturers or else enter ‘MULTIPLE’. If necessary, enter ‘NONE’ or ‘N/A’.
(4) Export Control Classification Number (ECCN), selected from one of the following:
(i) 5A002
(ii) 5B002
(iii) 5D002
(iv) 5A992
(v) 5D992
(5) Encryption authorization type identifier, selected from one of the following, which denote eligibility under License Exception ENC §740.17(b)(1):
(i) ENC
(ii) MMKT
(6) Item type descriptor, selected from one of the following:
(i) Access point;
(ii) Cellular;
(iii) Computer or computing platforms;
(iv) Computer forensics;
(v) Cryptographic accelerator;
(vi) Data backup and recovery;
(vii) Database;
(viii) Disk/drive encryption;
(ix) Distributed computing;
(x) Email communications;
(xi) Fax communications;
(xii) File encryption;
(xiii) Firewall;
(xiv) Gateway;
(xv) Intrusion detection;
(xvi) Identity management;
(xvii) Key exchange;
(xviii) Key management;
(xix) Key storage;
(xx) Link encryption;
(xxi) Local area networking (LAN);
(xxii) Metropolitan area networking (MAN);
(xxiii) Mobility and mobile applications n.e.s.;
(xxiv) Modem;
(xxv) Multimedia n.e.s.;
(xxvi) Network convergence or infrastructure n.e.s.;
(xxvii) Network forensics;
(xxviii) Network intelligence;
(xxix) Network or systems management (OAM/OAM&P);
(xxx) Network security monitoring;
(xxxi) Network vulnerability and penetration testing;
(xxxii) Operating system;
(xxxiii) Optical networking;
(xxxiv) Radio communications;
(xxxv) Router;
(xxxvi) Satellite communications;
(xxxvii) Short range wireless n.e.s.;
(xxxviii) Storage Area Networking (SAN);
(xxxix) 3G/4G/5G/LTE/WiMAX;
(xl) Trusted computing;
(xli) Videoconferencing;
(xlii) Virtual private networking (VPN);
(xliii) Voice communications n.e.s.;
(xliv) Voice over Internet Protocol (VoIP);
(xlv) Wide Area Networking (WAN);
(xlvi) Wireless Local Area Networking (WLAN);
(xlvii) Wireless Personal Area Networking (WPAN);
(xlviii) Test equipment n.e.s.; or
(xlix) Other (please specify).
(7) Name of company or individual submitting the report (50 characters or less).
(8) Telephone number (50 characters or less).
(9) Email address (50 characters or less).
(10) Mailing address (50 characters or less).
(11) With respect to your company's encryption products, do they incorporate encryption components produced or furnished by non-U.S. sources or vendors? Enter 'YES', 'NO', or if necessary, 'N/A' (250 characters or less).
(12) With respect to your company's encryption products, are any of them manufactured in non-U.S. locations?” If yes, list the non-U.S. manufacturing locations by city and country. If necessary, enter 'NONE' or 'N/A' (250 characters or less).
(b) File format requirements.
(1) The information described in paragraph (a) of this supplement must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (.csv), only. No file formats other than .csv will be accepted, as your encryption self-classification report must be directly convertible to tabular or spreadsheet format, where each row (and all entries within a row) properly correspond to the appropriate encryption item.
Note to paragraph (b)(1): An encryption self-classification report data table created and stored in spreadsheet format (e.g., file extension .xls, .numbers, .qpw, .wb*, .wrk, and .wks) can be converted and saved into a comma delimited file format directly from the spreadsheet program. This .csv file is then ready for submission.
(2) Each line of your encryption self-classification report (.csv file) must consist of twelve entries as further described in this supplement.
(3) The first line of the .csv file must consist of the following twelve entries (i.e., match the following) without alteration or variation: PRODUCT NAME, MODEL NUMBER, MANUFACTURER, ECCN, AUTHORIZATION TYPE, ITEM TYPE, SUBMITTER NAME, TELEPHONE NUMBER, E-MAIL ADDRESS, MAILING ADDRESS, NON-U.S. COMPONENTS, NON-U.S. MANUFACTURING LOCATIONS.
Note to paragraph (b)(3): These first twelve entries (i.e., first row) of an encryption self-classification report in .csv format correspond to the twelve column headers of a spreadsheet data file. The responses provided under column headers 7 through 12 (SUBMITTER NAME through NON-U.S. MANUFACTURING LOCATIONS) relate to the company as a whole, and thus should be entered the same for each product (i.e., only one point of contact, one 'YES' or 'NO' answer to whether any of the reported products incorporate non-U.S. sourced encryption components, and one list of non-U.S. manufacturing locations, is required for the report). However, even though the information is the same for each product, please duplicate this information into each row of the spreadsheet, leaving no entry blank, so each product has the same identifying company information.
(4) Each subsequent line of the .csv file must correspond to a single encryption item (or a distinguished series of products) as described in paragraph (c) of this supplement.
(5) Each line must consist of six entries as described in paragraph (a)(1), (a)(2), (a)(3), (a)(4), (a)(5), and (a)(6) of this supplement. No entries may be left blank. Each entry must be separated by a comma (,). Certain additional instructions are as follows:
(i) Line entries (a)(1) (‘PRODUCT NAME’) and (a)(4) (‘ECCN’) must be completed with relevant information.
(ii) For entries (a)(2) (‘MODEL NUMBER’) and (a)(3) (‘MANUFACTURER’), if these entries do not apply to your item or situation you may enter ‘NONE’ or ‘N/A’.
(iii) For entries (a)(5) (‘AUTHORIZATION TYPE’), if none of the provided choices apply to your situation, you may enter ‘OTHER’.
(6) Because of .csv file format requirements, the only permitted use of a comma is as the necessary separator between line entries. You may not use a comma for any other reason in your encryption self-classification report.
(c) Other instructions.
(1) The information provided in accordance with this supplement and §§740.17(b)(1) and 740.17(e)(3) of the EAR must identify product offerings as they are typically distinguished in inventory, catalogs, marketing brochures and other promotional materials.
(2) For families of products where all the information described in paragraph (a) of this supplement is identical except for the model/series/part number (entry (a)(2)), you may list and describe these products with a single line in your .csv file using an appropriate model/series/part number identifier (e.g., ‘300’ or ‘3xx’) for entry (a)(2), provided each line in your .csv file corresponds to a single product series (or product type) within an overall product family.
(3) For example, if Company A produces, markets and sells both a ‘100’ (‘1xx’) and a ‘300’ (‘3xx’) series of product, in its encryption self-classification report (.csv file) Company A must list the ‘100’ product series in one line (with entry (a)(2) completed as ‘100’ or ‘1xx’) and the ‘300’ product series in another line (with entry (a)(2) completed as ‘300’ or ‘3xx’), even if the other required information is common to all products in the ‘100’ and ‘300’ series.
(4) Only products self-classified by the exporter or reexporter must be reported. Products submitted for classification by the Bureau of Industry and Security for which a CCATS is issued do not need to be reported.
[75 FR 36498, June 25, 2010, as amended at 81 FR 64675, Sept. 20, 2016]