> [-] Mandatory access controls may be export controlled. Since I don't
> think we want to get into the export control mess, and we can achieve the
> security properties I think we need without providing full Orange Book
> B2/B3 mandatory access controls, we shouldn't go there.
Bill has a point, but let's be clear about the nature of the problem. As it happens, I've recently been looking into it.
The export of secure computer systems is controlled under section 5A002 of the commerce control list. The regs themselves may be found at http://w3.access.gpo.gov/bxa/ear/ear_data.html. There is a link at the bottom to the BXA home page. For those who want to do the cross-reference, the actual table of proscribed contries can be found at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:738spir.pdf
I recommend the postscript version, as the table did not survive ascification.
An excerpted chunk of the relevant current commerce department export control rules is attached below my signature. The key points to note are:
Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 6576
Category 5 (Part 2) - Telecommunications and Infomation Security
Commerce Control List
Supplement No. 1 to Part 774
CATEGORY 5 - TELECOMMUNICATIONS AND "INFORMATION SECURITY"
Part 2 - "Information Security"
A. SYSTEMS, EQUIPMENT AND COMPONENTS
5A002 Systems, equipment, application specific "assemblies", modules or integrated circuits for "information security", and specially designed components therefor.
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country Chart NS applies to entire entry NS Column 1 AT applies to entire entry AT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to §742.15 of this subchapter.
a.6. Designed or modified to provide certified or certifiable "multilevel security" or user isolation at a level exceeding Class B2 of the Trusted Computer System Evaluation Criteria (TCSEC) or equivalent;
D. Software
5D002 Information Security - "Software".
License Requirements
Reason for Control: NS, AT, EI
Control(s) Country Chart NS applies to entire entry NS Column 1 AT applies to entire entry AT Column 1
EI applies to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to §742.15 of the EAR.
c.1. "Software" having the characteristics, or performing or simulating the functions of the equipment controlled by 5A002 or 5B002;
c.2. "Software" to certify "software" controlled by 5D002.c.1.
5D992 "Information Security" "software" not controlled by 5D002.
License Requirements
Reason for Control: AT
Control(s) Country Chart AT applies to 5D992.a.1 AT Column 1and .b.1
AT applies to 5D992.a.2, AT Column 2 b.2 and c
c. "Software" designed or modified to protect against malicious computer damage, e.g., viruses.