EL-MF880-01 11-May-2015

HP Global Trade – Classification Compliance

Supplier’s Declaration
3rd Party Products – Export Classification Data Collection Form

**** To be completed by the Manufacturer/Supplier of the 3rd Party Product ****

Owner: Global Trade
Responsible Group: Classification Team
Document Identifier: EL-MF880-01
Revision and Date: D. 11-May-2015
Abstract: This questionnaire provides information about third-party products that HP intends to export. This information assists HP’s Global Trade Classification team to determine the proper export classification.
Applicability: This questionnaire is applicable to third-party manufacturers or vendors who provide products to HP that HP intends to export.
Status: Approved

© Copyright 2013-2014 Hewlett-Packard Development Company, L.P.
This is an uncontrolled copy when in printed form.

1.1 Introduction

The following is a list of questions/requests that will help HP collect the needed classification information for 3rd party products that HP intends to export. Please obtain the following information from the 3rd party manufacturer or vendor in order to assist our HP Global Trade Classification team in determining the proper export classification for each product:

Product Questions

Please respond to the following set of questions for each product. These questions will help to collect the needed classification information. If the product data is available in an electronic file please provide a copy or allow access.

Primary Product Detail(s) and Contact Name(s)

Date:
Name of Product:
HP Product Number:
Manufacturer/Vendor Product Number:
HP Contact Name & Phone Number:
Manufacturer Contact Name & Phone Number:
Name and Phone Number of person completing this form:

1. Export Commodity Classification Numbers / Control List numbers (ECCN) and HTS
   Please confirm with your Export compliance department if the product is subject to U.S. and/or other national government export regulations (dual use, military etc.) and insert all control list numbers applicable for the product:
   U.S. ECCN: [ ]
   EU (European Union) ECCN: [ ]
   National country ______ ECCN: [ ]
   Please provide the Harmonized Tariff Schedule Number (HTS) used by the manufacturer of the product: [ ]

2. Please provide technical specs or a product data sheet or a technical description that provides a functional overview of the product.

3. What is the overall design function and characteristics of the product?

4. Specify the related system software and/or hardware this product will interoperate or interface with.

5. If this product is a module or subcomponent of a higher product, identify this product and provide the main product number if available.

6. If software, is this software available as freeware? ___Yes ___No

7. Does this product use cryptography to provide for password protection, authentication, access control or digital signature of the user? ___Yes ___No

8. Does this product contain encryption/decryption for any data privacy purposes, such as for information security over virtual private network or public networks, or for data storage, etc.? ___Yes ___No

9. Does this product contain a cryptographic application program interface (i.e. APIs specially designed to allow the plug-in or implementation of specific crypto capabilities)? ___Yes ___No

10. If software, what type of media is the software loaded on?
    ___ CD/DVD ___ Tape ___ Floppy Disk ___ Electronic Download ___ Other, please explain:

11. Please provide the Harmonized Tariff Schedule Number (HTS) used by the manufacturer of the product.

12. Please provide the Adjusted Peak Performance (APP) for computer based products.

13. If this product is a 'graphics accelerator' or 'graphics coprocessor', classified under ECCN 4A994.g, then please provide the 3D vector rate for the product.

14. Please provide the US export commodity classification number (ECCN) used by the manufacturer for the product.

15. Was this product self-classified or was an official export classification decision obtained from the US Dept of Commerce?

16. If an official export classification decision was obtained from the US Dept of Commerce, please provide a copy of the classification decision documents, or provide the case review (CCATS) number and the results of the review including any ‘Comments from Licensing Officer’ stated on the CCATS document and associated with this product.

17. Does the product fall under the U.S. Government International Traffic in Arms Regulations (ITAR), or any other local government regulations which uniquely control the product for military or encryption reasons? If YES, please provide the regulatory citation:

18. Is this product specially designed or intended primarily for military, defense or government use? If ‘yes’ please explain.

19. If this product has been classified for export in any country other than the US please identify the country, provide the classification, explain the justification/basis for the classification and provide references to any government issued documents supporting the classification.

20. If the product was not developed or manufactured in the US then please identify the country where the product was developed and/or manufactured, and explain what local country export requirements, export control and export classification applies to this product.

21. Is this product specially designed and limited for banking use, financial transaction use or for money transaction use?

22. If response was positive for questions 6, 7 or 8 then please answer the remaining questions in order to provide further details regarding the use of cryptography in the product:

23. Please indicate if this product uses cryptography functionality (i.e., incorporates or uses encryption or decryption code, techniques or a cryptography application programming interface) for any purpose, including but not limited to access control, user/data authentication, message/data privacy, data storage security, network communications security or general purpose use. If yes please identify all uses of crypto:

24. Please describe in detail the type of data that is encrypted, for example general purpose user data/files, general user communications, limited financial data, data limited to systems and/or network management (Operations, Administration, Maintenance and Provisioning):

25. Please provide the following technical details regarding the implementation of cryptography in the product:
    a) the type of algorithm(s),
    b) where the crypto was sourced from,
    c) key lengths,
    d) method of key management including key size,
    e) identify crypto functions/parameters exposed to applications,
    f) purpose or use of the crypto,
    g) identify if the product contains any cryptographic application programming interfaces (i.e., APIs specially designed to allow the plug-in or implementation of specific crypto capability(ies))

26. If the product contains cryptography please indicate if a one-time cryptography product review and French import approval was requested from the French ANSSI (formerly referred to as DCSSI) agency and provide the results of the review.

27. If this product is exempted from the one-time cryptography product review in France please explain the basis for the exempt status.

28. Does this product provide: secure Wide Area Network (WAN), Metropolitan Area Network (MAN), Virtual Private Network (VPN)? If YES, please answer the following 4 questions:
    a) Is the aggregate encrypted WAN, MAN, VPN or backhaul throughput (includes communications through wireless network elements such as gateways, mobile switches, controllers, etc.) greater than 90 Mbps?
    b) Does the wire (line), cable or fiber optic WAN, MAN or VPN single channel input data rate exceed 154 Mbps?
    c) Does the media (voice/video/data) encryption or centralized key management support more than 250 concurrent encrypted data channels, or support encrypted signaling to more than 1,000 endpoints, for digital packet telephony/media (voice/video/data) over internet protocol communications?
    d) Does the air interface coverage (e.g., through base stations, access points to mesh networks, bridges, etc.) exceed 1,000 meters, where any of the following applies?
       i. Maximum data rates exceed 10 Mbps (at operating ranges beyond 1,000 meters); or
       ii. Maximum number of concurrent full duplex voice channels exceed 30; or
       iii. Substantial support is required for installation or use

29. Is this product generally available to the public by being sold or freely distributed, without restriction, from stock at retail selling points such as through over-the-counter, mail order, electronic (e.g. over the Internet) or telephone transactions? If yes, please respond to the following 6 questions:
    a) Please explain/provide examples of how the product is generally available to the public.
    b) Can the user easily change the product or cryptography functionality beyond the features of the product? If yes please explain.
    c) Is the product designed for installation by the user without further substantial support by the supplier?
    d) If requested by a government authority, can details of the product be accessible and provided to the appropriate government authority in order to ascertain compliance with questions a, b and c above?
    e) Is this product of potential interest to a wide range of individuals and/or businesses? If NO please explain.
    f) Is the price and information about the main functionality of the product available before purchase without the need to consult the vendor or supplier?

30. Import to Russia: Please indicate if a technical product import review has been done by the FSB or by a Russian technical laboratory and if a Russian import license has been obtained from the Ministry of Industry and Technology (MIT) or if an import notification request has been filed with the FSB, and provide the results of any reviews, import license or notification requests.

31. Import to China: If the product contains cryptography please indicate if any China import license request has been filed with the Chinese government and provide the results of any China government reviews or import license request.

32. Is this an open source code product which contains cryptography and no formal export classification decision was obtained from the US govt (see questions 14 and 15 above)? If YES, then please:
    Identify the URL where the source code can be obtained without cost, and
    Confirm if written notification of the internet posting has been sent to the US Department of Commerce, Bureau of Industry and Security in accordance with US export regulations.

1.2 Additional Evaluation Questions to Determine if Product is Subject to US Govt Cryptography Review

1. Does the product provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks?

2. Does the product provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:
   a) Automated network analysis, visualization, or packet inspection for profiling network flow, network user or client behavior, or network structure/topology and adapting in real-time to the operating environment; or
   b) Investigation of data leakage, network breaches, and other malicious intrusion activities through triage of captured digital forensic data for law enforcement purposes or in a similarly rigorous evidentiary manner.

3. Does the product provide or perform "non-standard cryptography" as defined below?
   a) Definition of non-standard cryptography: Non-standard cryptography means any implementation of "cryptography" involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.
   b) Reserved.

4. Does the product include encryption source code? If yes please identify the source code and confirm if the source code is open source or proprietary.

5. Does the product have any of the following:
   a) Been designed, modified, adapted or customized for "government end-user(s)";
   b) Cryptographic functionality that has been modified or customized to customer specification; or
   c) Cryptographic functionality or "encryption component" that is user-accessible and can be easily changed by the user;
   d) Encryption commodities and software that provide functions necessary for quantum cryptography;
   e) Encryption commodities and software that have been modified or customized for computers classified under ECCN 4A003 (high performance computers);
   f) Public safety / first responder radio (e.g. implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards);
   g) Cryptanalytic functionality;
   h) "Open cryptographic interface";
   i) Can the product be characterized as chips, chipsets, electronic assemblies or a field programmable logic device?
   j) Can the product be described as cryptographic libraries, modules, development kits or toolkits, including for operating systems and cryptographic service providers (CSPs)?
   k) Can the product be described as an application-specific hardware or software development kit implementing cryptography?

End of Questionnaire

Please send the completed form with requested information to exportclass@hp.com

Revision History:

Revision, Date, Change Number: Brief Description of change
A. 10-Jan-2007: Initial release of reformatted questionnaire dated 31-May-2006.
B. 11-Mar-2013, DCN -03163: Revised document
C. 25-Jun-2014: Revised document, contact email changed to exportclass@hp.com
D. 11-May-2015: Revised document that includes some formatting changes.