4

I am an electronics hobbyist based in Canada. Recently I bought different microcontroller development boards from Mouser.ca (a huge online electronics distributor based in Mansfield, Texas). This is mostly to satisfy my curiosity and to try out the different features offered by different companies and/or different models of microcontroller CPU cores.

Out of the 12 dev boards I bought, only one was export regulated under the U.S. Export Administration Regulation (EAR).

I did a bit of digging around and found that the listing for the product had an Export Control Classification Number (ECCN) attached to it.

The number in question is 5A002. I searched further and this corresponds to:

“END ITEMS,” “EQUIPMENT,” “ACCESSORIES,” “ATTACHMENTS,” “PARTS,” “COMPONENTS,” AND “SYSTEMS” with CRYPTOGRAPHIC “INFORMATION SECURITY”

Source

Indeed, this device does have some cryptographic capabilities. From what I can tell from the datasheet, here are the security/cryptography features:

Security and Encryption

  • Arm® TrustZone®
  1. Up to three regions for the code flash
  2. Up to two regions for the data flash
  3. Up to three regions for the SRAM
  4. Individual secure or non-secure security attribution for each peripheral

Now this is an optional feature common to all microcontrollers with an Arm Cortex-M33 core. So I checked microcontrollers from other companies with an Arm Cortex-M33 core and implementing Arm TrustZone, and to my surprise these were not export regulated. In fact, most of them are listed with an ECCN number of 5A992.C. Now, if I go back to the above document, this means:

Equipment not controlled by 5A002

  • .c – Commodities classified Mass Market – 740.17(b)

Now for fun if I take 3 Microcontrollers from 3 different companies and compare them:

R7FA4E10D2CFM#AA0 (From Renesas based in Japan)

Cryptographic features

Security and Encryption Arm® TrustZone®

  1. Up to three regions for the code flash
  2. Up to two regions for the data flash
  3. Up to three regions for the SRAM
  4. Individual secure or non-secure security attribution for each peripheral

ECCN: 5A002 (Export Restricted)

Note: Most of Renesas's microcontroller offering is export restricted under 5A002 for some reason.

ATSAMD51J20A-AUT (From Microchip based in the USA)

Cryptographic Features

  1. One Advanced Encryption System (AES) with 256-bit key length and up to 2 MB/s data rate
  2. Five confidential modes of operation (ECB, CBC, CFB, OFB, CTR)
  3. Supports counter with CBC-MAC mode
  4. Galois Counter Mode (GCM)
  5. True Random Number Generator (TRNG)
  6. Public Key Cryptography Controller (PUKCC) and associated Classical Public Key Cryptography Library (PUKCL)
  7. RSA, DSA
  8. Elliptic Curves Cryptography (ECC) ECC GF(2^n), ECC GF(p)
  9. Integrity Check Module (ICM) based on Secure Hash Algorithm (SHA1, SHA224, SHA256), DMA assisted

ECCN: 5A992.C (No export Control)

Note: Seems to give many more cryptographic features than the above chip, yet it is not export controlled.

LPC55S04JBD64E (From NXP based in the Netherlands)

Cryptographic Features

  1. ARM TrustZone® enabled.
  2. AES-256 encryption/decryption engine with keys fed directly from PUF or a software supplied key.
  3. Secure Hash Algorithm (SHA2) module supports secure boot with dedicated DMA controller.
  4. Physical Unclonable Function (PUF) using dedicated SRAM for silicon fingerprint. PUF can generate, store, and reconstruct key sizes from 64 to 4096 bits. Includes hardware for key extraction.
  5. True Random Number Generator (TRNG).
  6. 128 bit unique device serial number for identification (UUID).
  7. Secure GPIO.
  8. Code Watchdog for detecting code flow integrity.
  9. CASPER Crypto co-processor is provided to enable hardware acceleration for various functions required for certain asymmetric cryptographic algorithms, such as Elliptic Curve Cryptography (ECC).

ECCN: 5A992.C (No export Control)

Note: Notice how this one also implements TrustZone and is not export controlled. It goes as far as including a crypto co-processor and is still not export controlled.

The question

Is this a lack of expertise/training/knowledge from the people classifying these products into export categories, or is there a valid reason for the difference? What makes the difference between a product classified into the 5A992.C category and the 5A002 category? This is really confusing to me. Shouldn't all these products be classified into the 5A002 category?

Edit

Just wanted to point out that I also posted this question in the Electrical Engineering Stack Exchange because I wanted to get the opinion of both people with a background in US laws and people with a background in Electrical Engineering/Electronics Procurement

https://electronics.stackexchange.com/questions/630700/confusion-about-usa-export-restriction-regarding-electronics

2 Answers

4

It is hard to know with certainty why this distinction was made in this case.

There is a fair amount of gamesmanship that goes into having a device classified as an administrative matter in dealings with a regulatory agency, since the details are technical and the language of the regulations is subject to differing interpretations. This is why attorneys in this area get paid the big bucks.

I can't tell you precisely what went into each determination, but the relevant regulations restated below, at least, give you a sense of what the issues that can be fought over in those discussions can be.

I suspect that the arguments probably involve whether or not evidence was presented to the relevant regulators by the manufacturers that particular items were or were not sold as "mass market encryption commodities", perhaps based upon sales data or information about how the different items are marketed.

It could also be that the regulators are exercising discretion to "flex their regulatory muscles" less aggressively in the case of E.U. source products that could be sold directly outside of U.S. distribution channels anyway, entirely avoiding interfacing with the U.S. export control regime, in order to encourage commerce to be routed through U.S. companies instead. In contrast, the Japanese manufacturer may not have had the same direct distribution network available to it, or may not have had someone as skilled to advocate for it on this basis in the regulatory process.

Relevant Legal Authority

The legal authority that pertains to this question is set forth below, but even after reading all of it, it isn't manifestly clear why there is a difference so we are left to read between the lines as I have done above.

The primary regulation is found here (the first seven pages are the ones applicable to this question).

The introductory material for Category 5A002 states:

Related Controls:

(1) ECCN 5A002.a controls “components” providing the means or functions necessary for “information security.” All such “components” are presumptively “specially designed” and controlled by 5A002.a.

(2) See USML Categories XI (including XI(b)) and XIII(b) (including XIII(b)(2)) for controls on systems, equipment, and components described in 5A002.d or .e that are subject to the ITAR.

(3) For “satellite navigation system” receiving equipment containing or employing decryption see 7A005, and for related decryption “software” and “technology” see 7D005 and 7E001.

(4) Noting that items may be controlled elsewhere on the CCL, examples of items not controlled by ECCN 5A002.a.4 include the following:

(a) An automobile where the only ‘cryptography for data confidentiality’ having a ‘described security algorithm’ is performed by a Category 5 – Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5A992.c).

(b) An exercise bike with an embedded Category 5 – Part 2 Note 3 eligible web browser, where the only controlled cryptography is performed by the web browser. In this case, secure web browsing supports a non-primary function of the exercise bike but the web browser (“software”), as a standalone item, is not controlled by ECCN 5D002 because it is excluded by the Cryptography Note (Note 3) (See ECCN 5D992.c).

(5) After classification or self-classification in accordance with § 740.17(b) of the EAR, mass market encryption commodities that meet eligibility requirements are released from “EI” and “NS” controls. These commodities are designated 5A992.c.

Category 5A992.c, meanwhile, means "Equipment not controlled by 5A002" because it is one of the "Commodities classified as mass market encryption commodities in accordance with § 740.17(b) of the EAR." This states:

(b) Classification request or self-classification. For certain products described in paragraph (b)(1) of this section that are self-classified, a self-classification report in accordance with paragraph (e)(3) of this section is required from specified exporters, reexporters and transferors; for products described in paragraph (b)(1) of this section that are classified by BIS via a CCATS, a self-classification report is not required. For products described in paragraphs (b)(2) and (3) of this section, a thirty-day (30-day) classification request is required in accordance with paragraph (d) of this section. An exporter, reexporter, or transferor may rely on the producer's self-classification (for products described in (b)(1), only) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (2), or (3) of this section. Exporters are still required to comply with semi-annual sales reporting requirements under paragraph (e)(1) or (2) of this section, even if relying on a CCATS issued to a producer for specified encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this section.

Note to paragraph (b) introductory text:

Mass market encryption software that would be considered publicly available under § 734.3(b)(3) of the EAR, and is authorized for export under this paragraph (b), remains subject to the EAR until all applicable classification or self-classification requirements set forth in this section are fulfilled.

(1) Immediate authorization. This paragraph (b)(1) authorizes the exports, reexports, and transfers (in-country) of the associated commodities self-classified under ECCNs 5A002.a or 5B002, and equivalent or related software therefor classified under 5D002, except any such commodities, software, or components described in (b)(2) or (3) of this section, subject to submission of a self-classification report in accordance with § 740.17(e)(3) of the EAR. Items described in this paragraph (b)(1) that meet the criteria set forth in Note 3 to Category 5 - Part 2 of the Commerce Control List (the “mass market” note) are classified as ECCN 5A992.c or 5D992.c following self-classification or classification by BIS and are removed from “EI” and “NS” controls.

(2) Classification request required. Thirty (30) days after the submission of a classification request with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph under License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of the items specified in paragraph (b)(2) and submitted for classification.

Note to paragraph (b)(2) introductory text:

Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, and transfers (in-country) of:

  1. All submitted encryption items described in this paragraph (b)(2), except “cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002, to any end user located or headquartered in a country listed in supplement no. 3 to this part;

  2. Encryption source code as described in paragraph (b)(2)(i)(B) to non-“government end users” in any country;

  3. “Cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002, to non-“government end users,” only, located or headquartered in a country listed in supplement no. 3 to this part; and

  4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A) of this section, to specified destinations and end users.

(i) Cryptographic commodities, software, and components. License Exception ENC authorizes exports, reexports, and transfers (in-country) of the items in paragraph (b)(2)(i)(A) of this section to “less sensitive government end users” and non-“government end users” located or headquartered in a country not listed in supplement no. 3 to this part, and the items in paragraphs (b)(2)(i)(B) through (H) to non-“government end users” located or headquartered in a country not listed in supplement no. 3.

(A) 'Network Infrastructure.' 'Network infrastructure' commodities and software, and components therefor, meeting any of the following with key lengths exceeding 80-bits for symmetric algorithms:

(1) WAN, MAN, VPN, backhaul and long-haul. Aggregate encrypted WAN, MAN, VPN, backhaul or long-haul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) equal to or greater than 250 Mbps;

(2) [Reserved]

(3) Satellite infrastructure. Transmission over satellite at data rates exceeding 10 Mbps;

(4) Media gateways and other unified communications (UC) infrastructure, including Voice-over-Internet Protocol (VoIP) services. Media (voice/video/data) encryption or encrypted signaling to more than 2,500 endpoints, including centralized key management therefor; or

(5) Terrestrial wireless infrastructure. Air interface coverage (e.g., through base stations, access points to mesh networks, and bridges) exceeding 1,000 meters, where any of the following applies:

(i) Maximum transmission data rates exceeding 10 Mbps (at operating ranges beyond 1,000 meters); or

(ii) Maximum number of concurrent full-duplex voice channels exceeding 30;

Notes to paragraph (b)(2)(i)(A):

  1. The License Exception ENC eligibility restrictions of paragraphs (b)(2)(i)(A)(3) (satellite infrastructure) and (b)(2)(i)(A)(5) (terrestrial wireless infrastructure) do not apply to satellite terminals or modems meeting all of the following:

a. The encryption of data over satellite is exclusively from the user terminal to the gateway earth station, and limited to the air interface; and

b. The items meet the requirements of the Cryptography Note (Note 3) in Category 5 - Part 2 of the Commerce Control List.

  2. 'Network infrastructure' (as applied to encryption items). A 'network infrastructure' commodity or software is any “end item,” commodity or “software” for providing one or more of the following types of communications:

(a) Wide Area Network (WAN);

(b) Metropolitan Area Network (MAN);

(c) Virtual Private Network (VPN);

(d) Satellite;

(e) Digital packet telephony/media (voice, video, data) over Internet protocol;

(f) Cellular; or

(g) Trunked.

Note 1 to paragraph 2:

'Network infrastructure' end items are typically operated by, or for, one or more of the following types of end users:

(1) Medium- or large- sized businesses or enterprises;

(2) Governments;

(3) Telecommunications service providers; or

(4) Internet service providers.

Note 2 to paragraph 2:

Commodities, software, and components for the “cryptographic activation” of a 'network infrastructure' item are also considered 'network infrastructure' items.

(B) Certain “encryption source code.” “Encryption source code” that is not publicly available as that term is used in § 742.15(b) of the EAR;

(C) Customized items. Encryption software, commodities and components therefor, where any of the following applies:

(1) Customized for government end users or end uses. The item has been designed, modified, adapted, or customized for “government end user(s);” or

(2) Custom or changeable cryptography. The cryptographic functionality of the item has been designed or modified to customer specification or can be easily changed by the user;

(D) Quantum cryptography. ECCN 5A002.c or 5D002 “quantum cryptography” commodities or software;

(E) [Reserved]

(F) Network penetration tools. Encryption commodities and software that provide penetration capabilities that are capable of attacking, denying, disrupting or otherwise impairing the use of cyber infrastructure or networks;

(G) Public safety/first responder radio (private mobile radio (PMR)). Public safety/first responder radio (e.g., implementing Terrestrial Trunked Radio (TETRA) and/or Association of Public-Safety Communications Officials International (APCO) Project 25 (P25) standards);

(H) Specified cryptographic ultra-wideband and “spread spectrum” items. Encryption commodities and components therefor, classified under ECCNs 5A002.d or .e, and equivalent or related software therefor classified under ECCN 5D002.

(ii) Cryptanalytic commodities and software. “Cryptanalytic items” classified in ECCN 5A004.a, 5D002.a.3.a, or 5D002.c.3.a, to non-“government end users” located or headquartered in countries not listed in supplement no. 3 to this part.

(iii) “Open cryptographic interface” items. Items that provide an “open cryptographic interface,” to any end user located or headquartered in a country listed in supplement no. 3 to this part.

(iv) Specific encryption technology. Specific encryption technology as follows:

(A) Technology for “non-standard cryptography.” Encryption technology classified under ECCN 5E002 for “non-standard cryptography,” to any end user located or headquartered in a country listed in supplement no. 3 to this part;

(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items” classified in ECCN 5A004.a, 5D002.a.3.a or 5D002.c.3.a, “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end user” located in a country not listed in Country Group D:1, E:1, or E:2 of supplement no. 1 to part 740 of the EAR.

Note to paragraph (b)(2):

Commodities, components, and software classified under ECCNs 5A002.b or 5D002.b, for the “cryptographic activation” of commodities or software specified by this paragraph (b)(2) are also controlled under this paragraph (b)(2).

(3) Classification request required for specified commodities, software, and components. Thirty (30) days after a classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph authorizes exports, reexports, and transfers (in-country) of the items submitted for classification, as further described in this paragraph (b)(3), to any end user, provided the item does not perform the functions, or otherwise meet the specifications, of any item described in paragraph (b)(2) of this section. Items described in paragraph (b)(3)(ii) or (iv) of this section that meet the criteria set forth in Note 3 to Category 5 - Part 2 of the CCL (the “mass market” note) are classified under ECCN 5A992.c or 5D992.c following classification by BIS.

Note to introductory text of paragraph (b)(3):

Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, transfers (in-country) of the items described in this paragraph (b)(3) to any end user located or headquartered in a country listed in supplement no. 3 to this part.

(i) Non-“mass market” “components,” toolsets, and toolkits. Specified components classified under ECCN 5A002.a and equivalent or related software classified under ECCN 5D002 that do not meet the criteria set forth in Note 3 to Category 5 - Part 2 of the CCL (the “mass market” note) and are not described by paragraph (b)(2) or (b)(3)(ii) of this section, as follows:

(A) Chips, chipsets, electronic assemblies and field programmable logic devices;

(B) Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).

(ii) “Non-standard cryptography” (by items not otherwise described in paragraph (b)(2) of this section.) Encryption commodities, software and components not described by paragraph (b)(2) of this section, that provide or perform “non-standard cryptography” as defined in part 772 of the EAR.

(iii) Advanced network vulnerability analysis and digital forensics. Encryption commodities and software not described by paragraph (b)(2) of this section, that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:

(A) Automated network vulnerability analysis and response. Automated network analysis, visualization, or packet inspection for profiling network flow, network user or client behavior, or network structure/topology and adapting in real-time to the operating environment; or

(B) Digital forensics and investigative tools. Items specified in ECCN 5A004.b, 5D002.a.3.b, or 5D002.c.3.b, see supplement no. 1 to part 774 Commerce Control List.

(iv) “Cryptographic activation” commodities, components, and software. Commodities, components, and software classified under ECCNs 5A002.b or 5D002.b where the product or cryptographic functionality is not otherwise described in paragraphs (b)(2) or (b)(3)(i) of this section.

The critical Note 3 is as follows:

Note 3 to Category 5, Part 2

Note 3: Cryptography Note: ECCNs 5A002, 5A003, 5A004 and 5D002, do not control items as follows:

a. Items meeting all of the following:

  1. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

a. Over-the-counter transactions;

b. Mail order transactions;

c. Electronic transactions; or

d. Telephone call transactions;

  2. The cryptographic functionality cannot be easily changed by the user;

  3. Designed for installation by the user without further substantial support by the supplier; and

  4. [RESERVED]

  5. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs 1. through 3. of this Note a.;

b. Hardware components or ‘executable software’, of existing items described in paragraph a. of this Note, that have been designed for these existing items, and meeting all of the following:

  1. “Information security” is not the primary function or set of functions of the component or ‘executable software’;

  2. The component or ‘executable software’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;

  3. The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and

  4. When necessary, as determined by the appropriate authority in the exporter’s country, details of the component or ‘executable software’, and details of relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

Technical Note: For the purpose of the Cryptography Note, ‘executable software’ means “software” in executable form, from an existing hardware component excluded from 5A002, 5A003 or 5A004 by the Cryptography Note.

Note: ‘Executable software’ does not include complete binary images of the “software” running on an end-item.

Note to the Cryptography Note:

  1. To meet paragraph a. of Note 3, all of the following must apply:

a. The item is of potential interest to a wide range of individuals and businesses; and

b. The price and information about the main functionality of the item are available before purchase without the need to consult the vendor or supplier. A simple price inquiry is not considered to be a consultation.

  2. In determining eligibility of paragraph a. of Note 3, BIS may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.

N.B. to Note 3 (Cryptography Note): You must submit a classification request or self-classification report to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 740.17(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.

4
  • 1
    Any possibility that some of the products originated outside the U.S. and we do not try to control things from leaving the country that did not originate in the country? Commented Aug 10, 2022 at 22:32
  • Thanks for the answer, this is really fascinating and in the end really political/competitive in nature. Any idea who is responsible for classifying these products? I imagine a manufacturer that wants to do business on US soil needs to self-classify their product and send the justification to the Bureau of Industry and Security (BIS) for approval and subsequent registration? Is that how it works?
    – Lexx32117
    Commented Aug 10, 2022 at 22:42
  • @Lexx32117 To be honest, I don't practice in that area and I'm not familiar with the detailed ins and outs of the process. I've worked in the similar area of customs duties, but never export regulation.
    – ohwilleke
    Commented Aug 10, 2022 at 22:46
  • No worries, your answer clarifies most of my confusion. With the rise of online shopping it is much easier to get entangled in international commerce bureaucracy. It's not always straightforward to understand but I enjoy learning new stuff like this. It makes the shopping/import process much easier to handle.
    – Lexx32117
    Commented Aug 10, 2022 at 22:56
1

@lexx32117 - I live in this classification space daily and can assure you a large % of 'items' (HW or SW) with cryptographic functionality that do not have 'Information Security' as a primary function/set of functions are eligible for 5A992/5D992 'Mass Market' self-classification.

In nearly all cases for products classified within Category 5 Part 2 (ECCNs 5A002 / 5D002) or those eligible for Note 3 to Category 5 Part 2, the 'Mass Market Note' (5A992/5D992), on the Commerce Control List (CCL), a manufacturer can self-classify the ECCN/License Exception but is responsible for annual self-classification reporting found in 15 CFR 740.17(e)(3) for all 'self-classified' 'Mass Market' encryption components and 'executable software' as well as all non-“mass market” encryption 'items' (hardware, software, hardware with software) that are classified with a Category 5 Part 2 ECCN on the Commerce Control List (CCL) (like 5A002 = hardware, 5B002 = test, inspection or production equipment, or 5D002 = software) following self-classification, provided these items are not further described by paragraph (b)(2) or (3) of part 740.17.

I'll share that during my career classifying products under Export Administration Regulation (EAR) jurisdiction, I've personally been involved with the classification of products that had Information Security as a primary function (i.e., ECCN 5A002/5D002) but nearly everything else about the 'item' met all the Note 3 to Category 5 Part 2 'Mass Market' requirements, but we could not justify Mass Market via self-classification for that reason, so we submitted it to the Bureau of Industry and Security (BIS) for a CCR or Commodity Classification Request. We presented them with the product specifics with the hope they would agree to a Mass Market classification in their formal CCATS ruling, and we received it.

To be clear, we presented a compelling story in our request. We explained we were looking to establish a level playing field in which our product could compete globally, as we incorporated into our request a US competitor's (subject to the same extraterritorial Export Administration Regulation (EAR) jurisdiction) product that they self-classified 'Mass Market', but I believe what ultimately sold them was when we explained their thumb on the scale was required to help keep us competitive not only with our US competitor(s), but more so with non-US competitor(s) that would never self-classify products for their global trade activities to a more restrictive ECCN like 5A002/5D002 that have 'Reasons for Control' (AT - Anti-terrorism, NS - National Security, and EI - Encryption Items) that far exceed the controls that are placed for 5A992/5D992 'Mass Market' ECCNs, which are only controlled for Anti-terrorism (AT).

Refer to the Commerce Country Chart found in Supplement No. 1 to part 738 (https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-738/appendix-Supplement%20No.%201%20to%20Part%20738) to see the countries to which items that have these 'reasons for control' (based on ECCN classification) will require an export license to ship if there are no eligible license exceptions (like ENC, which covers Encryption Commodities, Software and Technology).

I hope this helped clarify how some of this plays out in real world implementation. I'll check back in here to see if you want me to clarify anything I've shared here.

** Late edit after originally posting I had to make before I could really step away from this **

To help tie this export classification controls/jargon etc together, take a few moments to read about the Multilateral Control Regimes the US participates in. The most important and well-known is the Wassenaar Arrangement which last time I looked is 42 participating countries with India being the last to join.

Wassenaar Arrangement

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, is one of four multilateral export control regimes in which the United States participates. The Arrangement's purpose is to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use (i.e. those having civil and military uses) goods and technologies to prevent destabilizing accumulations of those items. The Wassenaar Arrangement establishes lists of items for which member countries are to apply export controls. Member governments implement these controls to ensure that transfers of the controlled items do not contribute to the development or enhancement of military capabilities that undermine the goals of the Arrangement, and are not diverted to support such capabilities. In addition, the Wassenaar Arrangement imposes some reporting requirements on its member governments.
