Code-dot-mil / code.mil

An experiment in open source at the Department of Defense.
https://www.code.mil
MIT License

ITAR info #87

Closed sgnn7 closed 6 years ago

sgnn7 commented 7 years ago

It would probably be good to add some sort of link or explanation of ITAR restrictions in the document if project source might include things of that nature.

shawoods commented 7 years ago

@sgnn7 I don't mean to be ignoring this question, but ITAR is complicated. Just because the code is in support of DoD projects does not mean it is automatically considered a defense article. It depends on what the code is actually doing. A complete answer to the issue you raise will require some more research. Anyone more experienced in this area, please feel free to chime in.

johnmod3 commented 7 years ago

ITAR is ultimately determined by the government - they can decide if an item or part of a code should be controlled or not. Since the penalties are so severe, companies tend to over-classify. We were able to get a majority of DDF (Distributed Data Framework - an open source, modular integration framework. http://ddf.codice.org) reclassified as a non-ITAR item and released as OSS. See: http://codice.org/ddf/ and news articles here: http://www.af.mil/News/ArticleDisplay/tabid/223/Article/111051/warfighting-data-becoming-easier-to-find-and-retrieve.aspx

sgnn7 commented 7 years ago

@shawoods No worries - I just wanted to put it on the radar for you :)

shawoods commented 7 years ago

@johnmod3 Thanks for getting the ball rolling and sharing this info.

shawoods commented 7 years ago

This looks very promising. I'm admittedly not very knowledgeable in ITAR/EAR, so I'm sure many of you already know this, but generally speaking information that is available to the public is excluded from export controls under ITAR or EAR. For the ITAR/EAR SMEs out there, feel free to chime in!

http://osp.mit.edu/compliance/export-controls/export-control-topics/publicly-available-public-domain-open-source

I will have to do some more digging to verify that projects hosted on Code.mil would comply with all of the definitions, terms, and conditions, but this seems promising.

marctjones commented 7 years ago

Don't forget to check out Part 742.15 of the FedReg

(b) Publicly available encryption source code—(1) Scope and eligibility. Subject to the notification requirements of paragraph (b)(2) of this section, publicly available (see §734.3(b)(3) of the EAR) encryption source code classified under ECCN 5D002 is not subject to the EAR. Such source code is publicly available even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.

(2) Notification requirement. You must notify BIS and the ENC Encryption Request Coordinator via email of the Internet location (e.g., URL or Internet address) of the publicly available encryption source code classified under ECCN 5D002 or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location. In all instances, submit the notification or copy to crypt@bis.doc.gov and to enc@nsa.gov.

And the all important Note 4

Note 4: Category 5 - Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:

a. The primary function or set of functions is not any of the following:

  1. “Information security”;
  2. A computer, including operating systems, parts and components therefor;
  3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
  4. Networking (includes operation, administration, management and provisioning);

b. The cryptographic functionality is limited to supporting their primary function or set of functions; and

c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. and b. above.

There is a lot going on in ITAR for encryption and "publicly available source code." Lots of defined terms and shifting classifications. So just reading these two sections is not enough to understand the regs.