Download:
pdf |
pdfSUPPORTING STATEMENT
U.S. Department of Commerce
Bureau of Industry and Security
Commercial Encryption Items under Commerce Jurisdiction
OMB Control No. 0694-0104
A. Justification
This is a request to extend the Office of Management and Budget approval.
1. Explain the circumstances that make the collection of information necessary.
This information collection is needed to implement certain export licensing-related requirements
under the Export Administration Regulations (EAR). The EAR was issued under authority of
Section 15(b) of the Export Administration Act of 1979 (as amended). The Export
Administration Act has expired. The regulations remain in force pursuant to Executive Order
13222 of August 17, 2001 and annual extensions of the national emergency declared in the
Executive Order under the International Emergency Economic Powers Act (IEEPA).
The collection is necessary to provide technical and end user information for encryption items
that are eligible for export under license exception or under licenses that authorize exports to
various destinations. The collection provides technical information to the National Security
Agency (NSA) for purposes of its programs related to encrypted communications.
2. Explain how, by whom, how frequently, and for what purpose the information will be
used. If the information collected will be disseminated to the public or used to support
information that will be disseminated to the public, then explain how the collection
complies with all applicable Information Quality Guidelines.
The information about encryption items that is collected under this collection is required to
protect the national security and foreign policy interests of the United States by identifying
products used to encrypt information in public and private networks worldwide. Many U.S.
encryption products are excepted from licensing requirements for export to government and nongovernment end-users alike (except sanctioned or embargoed destinations), on the basis of a onetime technical review of the encryption product (the information submission required for the preexport review of encryption items is subject to collection under OMB Control No. 0694-0088);
certain products require a license for export to government end users in all but 30 countries
following the technical review.
1
The U.S. Government has determined that technical review, pre-export notification and postexport reporting of encryption items are necessary for reasons of national security and foreign
policy. Through these channels, the U.S. Government can determine what specific types of
encryption products a foreign private or government end-user is installing or has installed in its
network. In addition, the U.S. Government may receive notification when encryption source
code is made publicly available in the United States and receives notification of key-length
increases in certain encryption products. Specifically, this collection comprises five
requirements for submission of information as follows:
1) Semi-annual reporting of certain exports of encryption items authorized under License
Exception ENC, as required by section 740.17(e)(1) of the EAR;
2) Semi-annual reporting of exports of encryption items authorized under license or under
encryption licensing arrangement (ELA), required by conditions placed on the license or ELA,
as referenced in section 742.15(a) of the EAR;
3) 15-day pre-shipment notification of encryption items authorized under license or under ELA,
required by conditions placed on the license or ELA, as referenced in section 742.15(a) of the
EAR.
4) Notification of the Internet location of the source code, or provision of a copy of the source
code, of encryption software made publicly available and authorized for export under License
Exception TSU, as required by section 740.13(e)(3) of the EAR; and
5) Notification of key length increases to commodities and software that have been reviewed and
authorized under License Exception ENC, as required by section 740.17(e)(2) of the EAR.
BIS use of the information collected: As discussed below, most of the information is collected
through submissions to two dedicated email accounts, one at BIS and one at NSA
([email protected] and [email protected]. BIS does not review or use the information collected for
any purpose associated with its licensing activities. BIS does not sort the information collected;
the information is simply stored in the dedicated email inbox. Because BIS does not review or
use the information collected, it does not audit exporters to determine if they are complying with
the reporting and notification requirements.
NSA use of the information: On a daily basis, NSA personnel use this information to gain
valuable insight into encryption product capabilities, specifications and design. The information
also provides disclosure of sales and distributions, unique trend data and the ability to anticipate
future requirements. It is estimated that NSA consults the semi-annual reports at least 30 times
per month. Most likely, this number is significantly higher, as the information is provided to
personnel via a searchable repository that does not track the amount of usage. The pre-shipment
2
notifications are utilized approximately 40 times per month or more precisely, every time a
notice is received. Similar to the semi-annual reports, both the TSU and key-length increase
notifications are conglomerated into a repository that does not have a tracking ability.
The information collected is not disseminated to the public or used to support information that
will be disseminated to the public.
3. Describe whether, and to what extent, the collection of information involves the use of
automated, electronic, mechanical, or other technological techniques or other forms of
information technology.
Semi-annual reporting requirements under License Exception ENC and under license/ELA
conditions may be submitted by email, on CD by mail, or in paper format. Pre-shipment
notifications, key-length increase notifications and source code notifications for License
Exception TSU are required by the EAR to be emailed to BIS and to NSA.
4. Describe efforts to identify duplication.
The Bureau of Industry and Security has identified significant duplication of the collection of
post-shipment reporting on exports under license exception and under licenses required under
sections 740.17(e) and 742.15(a) of the EAR. A large percentage of this information is already
collected by the U.S. Government through the Automated Export System (AES) administered by
the Bureau of the Census. AES reporting is collected immediately upon export; section
740.17(e) and 742.15(a) reporting is collected only semi-annually, up to eight months after an
export has taken place. BIS has suggested to NSA that it take steps to obtain access to AES
information. NSA did research on the feasibility to leverage the AES data, but found that it did
not provide the level of detail and/or specific information required for national security purposes.
5. If the collection of information involves small businesses or other small entities, describe
the methods used to minimize burden.
This collection of information may impose a burden on small businesses or other small entities.
There is anecdotal evidence that many small businesses are unaware of the regulatory
requirements and therefore do not comply with them. As the encryption products developed and
exported by small businesses and individual persons may have the same level of cryptographic
functionality as the products developed and exported by large businesses, there is not a practical
means to minimize burden on small businesses or entities.
3
6. Describe the consequences to the Federal program or policy activities if the collection is
not conducted or is conducted less frequently.
If the collection of post-shipment reports were not conducted or were conducted less frequently,
the U.S. Government would still have access to specific information because the regulations
require exporters to maintain records of their exports for five years following shipment;
therefore, the information is available upon request. In addition, comparable information on
most exports subject to the semi-annual post-shipment reporting requirement is available to the
U.S. Government through the AES system. The exception is the intangible (i.e., electronic)
export of software, which is not subject to AES reporting.
Pre-shipment notifications for exports under licenses and ELAs are collected as an alternative to
transaction-by-transaction licensing. A license application generally takes up to 30 days to
process. If collection of 15-day pre-shipment notifications were not conducted, the information
would be collected by licensing the individual export transactions. This would be a greater
burden on exporters and the U.S. Government.
The License Exception TSU notification is provided for in the EAR to inform the U.S.
Government when encryption source code is made publicly available for export from the United
States. However, there is no requirement for a person or company to notify the government
when it makes encryption source code publicly available. Therefore, it is unknown what
percentage of publicly available encryption source code is notified to the U.S. Government
through this requirement. In addition, encryption source code may be made publicly available
(e.g., posted on the Internet) in other countries, and would not be subject to the EAR. If this
collection were not conducted, the U.S. Government could search the Internet and published
materials for encryption source code.
The key length increase notification is provided for in the EAR as an alternative to requiring
review of a new version of an encryption item when the only change to the item is an increase in
the key length. Only 8 notifications of key length increases were received in 2008.
7. Explain any special circumstances that require the collection to be conducted in a
manner inconsistent with OMB guidelines.
There are no special circumstances that require the collection to be conducted in a manner
inconsistent with the guidelines in 5 CFR 1320.6.
4
8. Provide a copy of the PRA Federal Register notice that solicited public comments on the
information collection prior to this submission. Summarize the public comments received
in response to that notice and describe the actions taken by the agency in response to those
comments. Describe the efforts to consult with persons outside the agency to obtain their
views on the availability of data, frequency of collection, the clarity of instructions and
recordkeeping, disclosure, or reporting format (if any), and on the data elements to be
recorded, disclosed, or reported.
The notice requesting public comment was published in the Federal Register on June 17, 2009,
pp 286633-28664. No comments were received.
9. Explain any decisions to provide payments or gifts to respondents, other than
remuneration of contractors or grantees.
There is no plan to provide any payment or gift to respondents.
10. Describe any assurance of confidentiality provided to respondents and the basis for
assurance in statute, regulation, or agency policy.
Section 12(c) of the EAA provides for the confidentiality of export licensing information
submitted to the Department of Commerce.
11. Provide additional justification for any questions of a sensitive nature, such as sexual
behavior and attitudes, religious beliefs, and other matters that are commonly considered
private.
There are no questions of a sensitive nature.
12. Provide an estimate in hours of the burden of the collection of information.
The totals associated with this collection are 940 respondents, 8,090 burden hours and $242,688
in labor costs, as follows:
It is estimated that there will be a total of 400 post-shipment reports of exports of encryption
items under License Exception ENC and encryption licenses with reporting requirements, based
on the submission of 314 reports by email and 20 reports in hard copy for calendar year 2008
(for the reporting periods January–June 2008 and July–December 2008). The calendar year
2008
5
reports included approximate 300 reports of exports under License Exception ENC and 30
reports under ELAs and licenses. The number of post-shipment reports is expected to increase
as BIS has recently issued a number of very broad ELAs that will replace several hundred
individual transaction licenses. It is estimated that it will take 20 hours to complete each report,
for a total of 8,000 hours. The estimate of 20 hours is based on anecdotal reports from large
exporters that the compilation of the semi-annual reports of thousands of exports may take up to
80 hours of staff time, and on the receipt of reports of only one or two exports that would take
significantly less than 20 hours. At an hourly rate of $30/hour, the annual burden on the public
is $240,000.
The estimate for the annual number of pre-shipment notifications is 300, based on the
submission of 250 notifications in calendar year 2008. The number of pre-shipment notifications
is expected to increase as BIS is issuing more ELAs with the pre-shipment notification condition
imposed on them, in place of licenses for individual export transactions. These notifications
require approximately 10 minutes to prepare and submit, so the total burden hours would be
50 hours. At an hourly rate of $30/hour, the annual burden on the public is $1,500.
It is estimated that there will be approximately 230 notifications under License Exception TSU
for the export and reexport of unrestricted encryption source code, based on the submission of
this number notifications in calendar year 2008. It will take companies 10 minutes to complete
such notifications by submitting an email to two addressees (BIS and NSA); thus, at $30 an hour,
the burden on the public is (230 x 10 minutes = 38 hours) 38 hours x $30 = $1140.
It is estimated that there will be 10 email notifications reports for key length increases for
previously reviewed products under section 740.17(d)(3) of the EAR, based on the submission of
8 notifications in calendar year 2008. It will take companies 10 minutes to complete such
notifications; thus, at $30 an hour, the burden on the public is (10 x 10 minutes/each = 1.6 hours)
1.6 hours x $30 = $48.
Summary of burden hours/costs for respondents:
Activity
ENC/ELA semi-annual reports
Pre-shipment Notifications
TSU notifications
Key length increase notifications
TOTALS
6
Annual
Responses
400
300
230
10
940
Burden per
Response
20 hours
10 minutes
10 minutes
15 minutes.
Total
Hours
8000
50
38
2.5
8,090
Hourly
Rate
30
30
30
30
Cost ($)
240,000
1,500
1,140
48
242,688
13. Provide an estimate of the total annual cost burden to the respondents or recordkeepers resulting from the collection (excluding the value of the burden hours in #12
above).
There is no capitol equipment or startup costs associated with this collection.
14. Provide estimates of annualized cost to the Federal government.
BIS does not review the submissions for any regulatory purpose; however, BIS does spend time
explaining the collection requirements to exporters, totaling approximately 100 inquiries per
year. At a rate of $40 per hour, this totals an annual cost to BIS of $4,000.
NSA analysts review the reports and notifications submitted. It is estimated that NSA staff
spend 115 hours per month (1,380 hours per year) on the administration (e.g., sorting and
reformatting) of encryption reports and notifications submitted. At a rate of $40 per hour, this
totals an annual cost to NSA of approximately $55,200.
15. Explain the reasons for any program changes or adjustments.
There is an increase of 260 responses and 3,583 burden hours. This is an adjustment based upon
an increased number of reports and notifications received during calendar year 2008.
16. For collections whose results will be published, outline the plans for tabulation and
publication.
This collection will not be published.
17. If seeking approval to not display the expiration date for OMB approval of the
information collection, explain the reasons why display would be inappropriate.
Not applicable.
18. Explain each exception to the certification statement.
Not applicable.
7
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
8
File Type | application/pdf |
Author | Larry Hall |
File Modified | 2009-10-13 |
File Created | 2009-10-13 |