TrustSource supports the management of export controls by identifying encryption and alerting on it. When scanning components using DeepScan, TrustSource identifies known crypto algorithms. With the export controls support, users can classify the algorithms by country, and Compliance Managers are alerted if any of the assessed components includes an encryption algorithm that has been put on the list of critical algorithms.
As usual, TrustSource supports the cascaded approach. Compliance Managers or Security Managers can modify the list at corporate level and thus roll out the compliance requirements across all projects managed through TrustSource. In addition, it is possible to enhance the requirements at project or module level, depending on the particular solution.
To configure the corporate settings you will require the SuperUser role or any of the following: Compliance Manager, Corporate Security Manager, Portfolio Manager. To see or change settings, go to KNOWLEDGE > EXPORT CONTROLS.
In the following chapters you will get information on:
- What is relevant about export/import controls?
- Setting the scene - define the basics
- Assessing components using DeepScan
- Understanding impacts and mitigating critical algorithms (Compliance report)
- Organise a declaration (WIP)
PLEASE NOTE: Policies may change, especially in times of high uncertainty. Each country manages its own regulations for import and export. It is absolutely essential that you review the information given here and verify that it is current and valid. Make sure to identify the correct policies so that you can amend your declarations according to the legal regulations in force. Here are a few important links you may use for further investigation:
1. United States
- Export Administration Regulations (EAR):
  URL: U.S. Department of Commerce, Bureau of Industry and Security (BIS)
  The EAR governs the export of dual-use items, including cryptographic technologies. The Commerce Control List (CCL) specifies the types of items subject to export controls.
- International Traffic in Arms Regulations (ITAR):
  URL: U.S. Department of State, Directorate of Defense Trade Controls (DDTC)
  The ITAR governs the export of defense articles and services, including certain cryptographic technologies with military applications.
2. European Union
- EU Dual-Use Regulation:
  This regulation governs the export of dual-use items, including cryptographic technologies, within the European Union. It includes the EU Dual-Use List, which specifies the types of items subject to export controls.
  URL: EU Dual-Use Regulation
3. Canada
- Canadian Controlled Goods Program (CGP):
  The CGP governs the export of controlled goods, including cryptographic technologies. It includes the Controlled Goods List, which specifies the types of items subject to export controls.
  URL: Canadian Controlled Goods Program
4. Australia
- Australian Defence Export Controls (DEC):
  The DEC governs the export of military and dual-use goods, including cryptographic technologies. It includes the Defence and Strategic Goods List (DSGL), which specifies the types of items subject to export controls.
  URL: Australian Defence Export Controls
5. Japan
- Foreign Exchange and Foreign Trade Act:
  This act governs the export and import of cryptographic technologies. The Foreign Exchange and Foreign Trade Control List specifies the types of items subject to export controls.
  URL: Japanese Ministry of Economy, Trade, and Industry (METI)
  A great introduction to the topic is also provided by video.
6. China
- Regulations on the Administration of the Export and Import of Military Products:
  This regulation governs the export and import of military and dual-use goods, including cryptographic technologies. The Military Products List specifies the types of items subject to export controls.
  URL: Chinese Ministry of Commerce