SUPPORTING STATEMENT
U.S. DEPARTMENT OF COMMERCE
Bureau of Industry and Security
Commercial Encryption Items under Commerce Jurisdiction
OMB Control No. 0694-0104
A. Justification
This is an emergency request to revise an existing collection by adding two new IC's that are necessary to implement President Obama’s new policy on exports of commercial encryption items. The new IC's are designed to reduce the annual burdens by substituting a company registration requirement for an export reporting requirement. DOC/BIS is requesting approval from OMB by May 14, 2010.
1. Explain the circumstances that make the collection of information necessary.
President Obama announced changes to the export controls on commercial encryption items in his remarks at the Export-Import Bank's Annual Conference on March 11, 2010. The following text is an excerpt from the President's remarks.
"Finally, we’re working to reform our Export Control System for our strategic, high-tech industries, which will strengthen our national security. What we want to do is concentrate our efforts on enforcing controls on the export of our most critical technologies, making America safer while enhancing the competitiveness of key American industries. We’ve conducted a broad review of the Export Control System, and Secretary Gates will outline our reform proposal within the next couple of weeks. But today, I’d like to announce two steps that we’re prepared to take.
First, we’re going to streamline the process certain companies need to go through to get their products to market -- products with encryption capabilities like cell phone and network storage devices. Right now, they endure a technical review that can take between 30 and 60 days, and that puts that company at a distinct disadvantage to foreign competitors who don’t face those same delays. So a new one-time online process will shorten that review time from 30 days to 30 minutes, and that makes it quicker and easier for our businesses to compete while meeting our national security requirements."
The interim final rule "Encryption Export Controls: Revision of License Exception ENC Eligibility, Submission Procedures, Reporting Requirements, License Application Requirements, and Adding Note 4 to Category 5 Part 2 " implements this new policy by amending the requirements of License Exception ENC and certain license application requirements for encryption items. This rule replaces most encryption "product by product" reviews that required a thirty (30)-day pre-export waiting period and semi-annual post-export reporting, with immediate authorization to export or reexport upon submission of an encryption registration to BIS of these items and self-classification report.
This information collection is needed to implement certain export licensing-related requirements under the Export Administration Regulations (EAR). The EAR was issued under authority of Section 15(b) of the Export Administration Act of 1979 (as amended). The Export Administration Act has expired. The regulations remain in force pursuant to Executive Order 13222 of August 17, 2001 and annual extensions of the national emergency declared in the Executive Order under the International Emergency Economic Powers Act (IEEPA).
The collection is necessary to provide technical and end user information for encryption items that are eligible for export under license exception or under licenses that authorize exports to various destinations. The collection also provides technical information to the National Security Agency (NSA) for purposes of its programs related to encrypted communications.
BIS proposes revision of the collection by adding two new IC's needed to implement changes in the EAR. The new IC's are designed to reduce the annual burdens imposed by this information collection and OMB Control No. 0694-0088.
2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.
The two new proposed IC's are as follows:
1) Encryption Registration is registration of a company using the BIS Simple Network Application Process (SNAP) system. The following information is provided as a PDF document:
a) Point of contact information; b) Company overview description; c) Identification of categories for your company’s products; d) Whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality; e) Whether your company will export “encryption source code”; f) Whether the products incorporate encryption components produced or furnished by non-U.S. sources or vendors; and
g) If the products are manufactured outside the United States. The company will also be required to update any changes on an annual basis.
2) Annual Self-Classification Report contains six (6) questions that must be answered for each encryption item subject to the requirements of §§ 740.17(b)(1) and 742.15(b)(1) of the EAR.
a) Name of product; b) Model/series/part number; c) Primary manufacturer; d) ECCN (5A002, 5B002, 5D002, 5A992, or 5D992); e) Encryption Authorization (ENC or MMKT); and f) Type descriptor (chose one from a list of 49 options).
There are currently four IC's in the existing collection:
1) ENC/ELA Semi-annual Reports of certain exports of encryption items authorized under License Exception are required by section 740.17 of the EAR;
2) Pre-shipment Notification of encryption items authorized under license or under ELA, required by conditions placed on the license or ELA, is required by section 742.15(a) of the EAR.
3) TSU Notification of the Internet location of the source code, or provision of a copy of the source code, of encryption software made publicly available and authorized for export under License Exception TSU is required by section 740.13(e)(3) of the EAR; and
4) Key Length Increase Notifications of key length increases to commodities and software that have been reviewed and authorized under License Exception ENC, are required by section 740.17(e)(2) of the EAR.
BIS use of the information collected: As discussed below, most of the information is collected through submissions to two dedicated email accounts, one at BIS and one at NSA ([email protected] and [email protected]). BIS does not review or use the information collected for any purpose associated with its licensing activities. BIS does not sort the information collected; the information is simply stored in the dedicated email inbox. Because BIS does not review or use the information collected, it does not audit exporters to determine if they are complying with the reporting and notification requirements.
NSA use of the information: On a daily basis, NSA personnel use this information to gain valuable insight into encryption product capabilities, specifications and design. The information also provides disclosure of sales and distributions, unique trend data and the ability to anticipate future requirements. It is estimated that NSA consults the semi-annual reports at least 30 times per month. Most likely, this number is significantly higher, as the information is provided to personnel via a searchable repository that does not track the amount of usage. The pre-shipment notifications are utilized approximately 40 times per month or more precisely, every time a notice is received. Similar to the semi-annual reports, both the TSU and key-length increase notifications are conglomerated into a repository that does not have a tracking ability.
The information collected is not disseminated to the public or used to support information that will be disseminated to the public.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.
The Encryption Registrations are submitted electronically via the SNAP system and the Annual Self-Classification Reports are submitted via e-mail. The Semi-annual reporting requirements under License Exception ENC and under license/ELA conditions may be submitted by email, on CD by mail, or in paper format. Pre-shipment notifications, key-length increase notifications and source code notifications for License Exception TSU are required by the EAR to be emailed to BIS and to NSA.
4. Describe efforts to identify duplication.
The Bureau of Industry and Security has identified significant duplication of the collection of post-shipment reporting on exports under license exception and under licenses required under sections 740.17(e) and 742.15(a) of the EAR. A large percentage of this information is already collected by the U.S. Government through the Automated Export System (AES) administered by the Bureau of the Census. AES reporting is collected immediately upon export; section 740.17(e) and 742.15(a) reporting is collected only semi-annually, up to eight months after an export has taken place. BIS has suggested to NSA that it take steps to obtain access to AES information. NSA did research on the feasibility to leverage the AES data, but found that it did not provide the level of detail and/or specific information required for national security purposes.
5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.
This collection of information may impose a burden on small businesses or other small entities. There is anecdotal evidence that many small businesses are unaware of the regulatory requirements and therefore do not comply with them. As the encryption products developed and exported by small businesses and individual persons may have the same level of cryptographic functionality as the products developed and exported by large businesses, there is not a practical means to minimize burden on small businesses or entities.
6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.
If the collection of Encryption Registrations and Annual Self-Classification Reports were not conducted or were conducted less frequently, BIS would be unable to comply with the President’s new export policy.
7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.
There are no special circumstances that require the collection to be conducted in a manner inconsistent with the guidelines in 5 CFR 1320.6.
8. Provide a copy of the PRA Federal Register notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
Since this is an emergency request, the notice soliciting public comment will be published as part of the interim final rule (RIN 0694-AE89, Encryption Export Controls: Revision of License Exception ENC Eligibility, Submission Procedures, Reporting Requirements, License Application Requirements, and Adding Note 4 to Category 5
Part 2).
9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.
Not applicable.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.
Section 12(c) of the EAA provides for the confidentiality of export licensing information submitted to the Department of Commerce.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.
There are no questions of a sensitive nature.
12. Provide an estimate in hours of the burden of the collection of information.
The total burdens associated with this collection are 1,756 respondents, 3,243 burden hours and $97,290 in labor costs, as follows:
It is estimated that 700 Encryption Registration will be received in the first year and 200 per year in subsequent years. Registration will require 20 minutes. This results in an annual hourly burden estimate, averaged over 3 years of:
[(700 x 20 mins) + (200 x 20 mins) + (200 x 20 mins)] / 3 = 122 hours
It is estimated that BIS will receive 750 Annual Self-Classification Reports. These reports will require from 30 minutes to 4 hours to complete. In the first year, approximately 5% of the reports will require only 30 minutes to complete. The rest will require an average of 2 hours to complete. During subsequent years, 60% of the reports will require 30 minutes to complete and the others an average of 2 hours. This results in a 3 year average burden of:
[(.05 x 750 x .5) + (.95 x 750 x 2) + (.60 x 750 x .5) + (.40 x 750 x 2) + (.60 x 750 x .5) + (.40 x 750 x 2)] / 3 = [18.75 + 1425 + 225 + 600 + 225 + 600] /3 = 1,031 hours
It is estimated that there will be a decrease from 400 to 100 post-shipment reports of exports of encryption items under License Exception ENC and encryption licenses with reporting requirements. It is estimated that it will take 20 hours to complete each report, for a total of 2,000 hours.
The estimate for the annual number of pre-shipment notifications is 300, based on the submission of 250 notifications in calendar year 2008. The number of pre-shipment notifications is expected to increase as BIS is issuing more ELAs with the pre-shipment notification condition imposed on them, in place of licenses for individual export transactions. These notifications require approximately 10 minutes to prepare and submit, so the total burden hours would be
50 hours.
The following ICs did not change as a result of this revision:
It is estimated that there will be approximately 230 notifications under License Exception TSU for the export and reexport of unrestricted encryption source code, based on the submission of this number notifications in calendar year 2008. It will take companies
10 minutes to complete such notifications by submitting an email to two addressees (BIS and NSA); thus, the burden on the public is 230 x 10 minutes = 38 hours.
It is estimated that there will be 10 email notifications reports for key length increases for previously reviewed products under section 740.17(d)(3) of the EAR, based on the submission of 8 notifications in calendar year 2008. It will take companies 10 minutes to complete such notifications; thus, the burden on the public is 10 x 10 minutes/each = 1.6 hours = 2 hours.
The following table summarizes the estimated burden:
IC Name |
Burden/ Response |
Year 1 # |
Year 2, 3 # |
Mean # |
Mean Hours |
Hour Burden |
Encryption Registration |
20 min |
700 |
200 |
366 |
0.3333 |
122 |
Annual Self-Classification Report |
.5-4 hr |
750 |
750 |
750 |
1.3746 |
1031 |
ENC/ELA Reporting |
20 hrs |
100 |
100 |
100 |
20 |
2,000 |
Pre-shipment Notification |
10 min. |
300 |
300 |
300 |
0.1666 |
50 |
TSU Notifications |
10 min. |
230 |
230 |
230 |
0.1666 |
38 |
Key Length Notifications |
10 min |
10 |
10 |
10 |
0.1666 |
2 |
Total |
|
|
|
1,756 |
|
3,243 |
Note: It is also estimated that the number of commodity classifications for encryption products will decrease by 50% to 1,163 classifications annually. This will result in an estimated burden reduction of 107 minutes per classification or 2,074 hours in collection OMB Control No. 0694-0088 "Simple Network Application Process and Multipurpose Application form."
The cost to the public is estimated to be $97,290. This is based on 3,243 hours at a rate of $30 per hour.
13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).
There is no capitol equipment or startup costs associated with this collection.
14. Provide estimates of annualized cost to the Federal government.
BIS does not review the submissions for any regulatory purpose; however, BIS does spend time explaining the collection requirements to exporters, totaling approximately 100 inquiries per year. At a rate of $40 per hour, this totals an annual cost to BIS of $4,000.
NSA analysts review the reports and notifications submitted. It is estimated that NSA staff spend 115 hours per month (1,380 hours per year) on the administration (e.g., sorting and reformatting) of encryption reports and notifications submitted. At a rate of $40 per hour, this totals an annual cost to NSA of approximately $55,200.
15. Explain the reasons for any program changes or adjustments.
There is an increase in the number of responses from 940 to 1,756. There is a decrease in the estimated annual burden hours from 8,909 to 3,243. Both changes are the result of the program change described in this request.
16. For collections whose results will be published, outline the plans for tabulation and publication.
The information will not be published.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.
This information collection does not involve forms except for the BIS-742P (OMB Control No. 0694-0088) which displays the expiration date.
18. Explain each exception to the certification statement.
Not applicable.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
| File Type | application/msword |
| File Title | SUPPORTING STATEMENT |
| Author | Current User |
| File Modified | 2010-04-30 |
| File Created | 2010-04-29 |