“Export laws require that products containing encryption be properly authorized for export. Failure to comply could result in severe penalties.”
Anyone who has developed an iPhone application will recognize that quote from the first screen of the App Store submission page. If an application is using encryption technology then it’s necessary to provide documentation to Apple that demonstrates review by the Department of Commerce (DOC) Bureau of Industry and Security (BIS) and classification of the application a mass market encryption item.
What does that really mean? For starters, your company is required to document and submit details of your application, including the specific ways it is using encryption, to the DOC and the “ENC Encryption Request Coordinator” (the NSA) for review. Your submission will be used to determine whether it meets the US government’s Export Administration Regulation (EAR) criteria for a mass market encryption item.
More practically, it means that you have a pile of paperwork to complete. A typical submission will require review of several EAR guidelines, completion of multiple online forms, and preparation of 7-10 pages of supporting documentation. You could spend days navigating the maze of information on the BIS site. Oh, and the review can take 30 days or more to complete, so get started early!
The good news is that this article will save you most of the headache by walking through the entire process from start to finish. We’ve created stepwise instructions and even prepared templates for critical supporting documentation.
Step 1. CIN and PIN Request
There are two ways to submit an application to the DOC, either using a snail mail submission or electronically. For the purpose of this discussion we will cover electronic filing only because its faster for repeat filings.
The first step is to apply for a PIN to access the DOC Simplified Network Application Process – Redesign system (henceforth referred to as SNAP-R). Head over to the PIN request page, where you’ll find a PIN request template. The DOC expects the template to be printed on your “company letterhead”, so copy and paste the text into a word document that includes your company logo, address information, etc.
Take care to fill out each of the fields with correct information, especially the table at the bottom of the document. You’ll need to fill out one row in the table for each individual requiring a PIN. Each person should sign and date their individual row, and an officer of the company must sign and date the document as a whole.
Print off a copy and create a cover that includes your contact information (the DOC processors will call you if they have questions) and make sure the subject reads something like “Company Certification Letter for SNAP-R”. Fax the document over to to the number listed at the bottom of the PIN request page.
It will take one or two weeks for the DOC to process each PIN request. A coordinator will make contact once the approval is complete to communicate the Company Identification Number (CIN) and Personal Identification Number.
Step 2. Create a SNAP-R account
The CIN and PIN alone are not sufficient to access the SNAP-R site. Navigate over the the Login ID And Password Setup Page and enter the required values, along with a username and password of your choice, to create a SNAP-R account.
Step 3. Online Application
With a SNAP-R username and password in hand online we can begin the application process. Start at the SNAP-R login screen and enter the username and password created in the previous step along with the CIN number assigned in Step 1.
Click Create Work Item on the main SNAP-R screen to start a new application.
Select Commodity Classification Request from the Type select box. Then enter a reference number of your choice into the next field. The reference identifier should be seven characters long, consisting of three letters followed by 4 numbers. It’s usually a good choice to use the first three letters of your company name, followed by an incrementing sequence, for example, ZET0001.
The following commodity classification request screen is divided into six sections. Start by filling in the contact information for the application.
In the second License Information section enter the at Special Purpose of “Mass Market Encryption”. It’s absolutely critical that the special purpose contain that exact value or it won’t be routed properly for approval and the request may be delayed.
The bulk of the Applicant information section will be pre-filled based on the CIN request data from Step 1. Populate the Employer Identification Number (EIN) field if this submission is on behalf of a US company.
The Export Item section is of the critical importance:
- Select the “5D992” code for the ECCN. This code corresponds to mass market software.
- Leave APP blank
- Enter the software application name into the Product / Model Number as it would appear in the App store, for instance “STRIP”
- Leave CCATS Number blank, unless requesting an update to a previously approved application
- Enter your company name as the Manufacturer
Finally, a short technical description is required. This exact text will be printed on the final approval documentation so it must include details of the software including it’s purpose, algorithms used, etc. The description should be brief, as the description is limited to 250 characters. Here is an example we used in a submission for STRIP:
STRIP is a secure database application for the iPhone/iPod touch that can store sensitive personal data like passwords and financial information. Strip uses a password based key and AES-256 to encrypt data before it is written to it’s database.
Click the Add Export Item button to attach it to the request.
The Additional Information section must include the final details of the submission, including descriptions of the supporting documents that will be prepared and attached in the following steps. The description should clearly point out how each document addresses the relevant EAR requirements, for instance:
This submission includes three attachments.
The first is a letter of explanation and a request for Mass Market Encryption certification. This letter directly addresses Note 3 requirements for Supplement 1 of Part 774.
The second attachments is a technical specification for the product and directly addresses all items under Supplement 6 to Part 742.
The final attachment is a screen capture of our product website that we will be using for marketing purposes.
Save the application as a draft after completing the additional application section. We’ll revisit it after preparing the supporting documentation.
Step 4. Document Preparation
The online application is just a high level summary for the DOC. The real content and application descriptions must be prepared in separate supporting documents.
The exact requirements are spelled out in parts, 742, 744, and 748 of the EAR. The requirements are buried within about 250 pages of regulations, but we’ve done most of the hard work by creating document templates based on our previous submissions to meet the requirements:
- Introduction Letter addressing Note 3 requirements for Supplement 1 of Part 774
- Technical specification addressing Supplement 6 to Part 742
These documents are intended to provide a foundation and outline for submissions. They also contain specific language for applications built using our SQLCipher encrypted database library. If you’re not using SQLCipher and OpenSSL you’ll need to modify the appropriate section.
Carefully read each document, section, and question. Make changes as necessary to ensure the response addresses the details of your application specifically and accurately. While we’ve successfully had previous applications approved using similar documents, your mileage may vary. DO NOT JUST SEARCH AND REPLACE THE APPLICATION NAME AND SUMBIT THE RESULT – it is YOUR RESPONSIBILITY to make sure the supporting documents are correct. Make sure you answer all questions accurately and make truthful statements. For instance, don’t answer ‘no’ if the user actually can alter the method of encryption just to get approval. Bad things can happen.
The DOC also wants to review applicable marketing materials as part of the classification process. Screenshots of the product website or App Store page can be used as supporting documents to meet this requirement.
Once all of the supporting documents are completed and reviewed for accuracy the should be uploaded into the SNAP-R. Note that the system requires that all documents be converted to PDF before submission. Open up the draft work item and click View and Manage Supporting Documents.
Convert each document to PDF and upload it to the system. Each document should be assigned a descriptive title, author, publication date, and docuent types such as “Letter of Explanation”, “Technical Specification”, or “Other” respectively.
When you are finished the work item form will list out all of the attachments.
Step 5. Submission
Take one final pass through the Work Item to make sure all items are complete. Click Check For Errors and if everything is fine then Preview Work Item to Submit. Review the final application document and then submit.
Finally,fill out the electronic signature information on the next screen to finalize the submission.
All most done!
Step 6. Hardcopy!
Unfortunately, the online forms aren’t sufficient to complete a submission. The final step is to make hard copies of all application materials and mail them to the ENC Encryption Request Coordinator at Ft. Meade. Astute readers will recognized the address as NSA headquarters.
First, print off a copy of the online work item application from SNAP-R. Then print each of the supporting documents and the screenshots or marketing materials. Paperclip each document together.
Within 2-3 hours of submission SNAP-R will have assigned an Application Control Number (ACN). Each document must also have this ACN written on the top of it. Log back into SNAP-R and click List Work Items from the left navigation. Look for the ACN column of the work item list. It should contain an identifier starting with ‘Z’, like “Z234567”. If the column is blank wait a bit longer, or call the DOC coordinators for a status. Take the Z-number and write it on the top of each document, like so:
Reference ACN: Z234567
Package up the application form, supporting documents, and marketing material printouts. Take them to the Post office and send them via overnight mail to the Encryption Request Coordinator address at the bottom of this DOC page, currently:
Attn: ENC Encryption Request Coordinator
9800 Savage Road, Suite 6940
Ft. Meade, MD 20755-6000
These documents must go out via overnight express mail the same day the application is submitted to the DOC or the the application could be delayed or rejected.
Step 7. Patience…
The approval process will take between 30 and 45 days to complete. If everything goes well the DOC will send out an email indicating the approval of the application and will mail you a classification document containing the CCATS number.
Step 8. Submit to Apple
If you’re lucky at this point it’s been about 40-50 days since starting the application process. Now it’s time to submit the software to Apple for review.
Log into iTunes Connect and start an application submission. On the first screen will ask 4 questions related to the software’s encryption.
Answer yes to each, and then click “Choose File”. Upload a high resolution scan of the commodity classification document and continue with your application upload. This will flag the iPhone application for additional scrutiny by Apple’s export team. Expect an an additional delay of 3-4 on top of the normal application review period.
Conclusion & Disclaimer
We have successfully used this process to submit multiple applications to the DOC for review. However, we must caution that your experience may be different. Every application is reviewed and approved on an individual basis.
If you have trouble there are a number of other resources at your disposal. There are detailed instructions online and a dedicated helpdesk for SNAP-R. BIS Export Counselors are available to answer questions about the review process and specific EAR requirements. They really are very helpful. You can also consult an attorney that specializes in export law.
One final reminder – we aren’t attorneys or export control experts. We are just a company who had to figure out this complex process to sell our own software. We decided to document it to save you the trouble, but we are providing this information AS IS, with no warranty whatsoever. Use this information at your own discretion and consult an expert if you need guidance. If you follow these steps but still end up inside a federal penitentiary, or worse, Guantanamo Bay, don’t come crying to us!