Guidance for ECCN 3A981 with respect to controls on fingerprint analysis equipment

The intent of ECCN 3A981 is to control automated fingerprint identification and retrieval systems and equipment specifically configured to support it. Automated fingerprint identification is the process of automatically matching one or many unknown fingerprints against a database of known and unknown prints. In practice, these systems enable police or law enforcement customers to capture fingerprints electronically, encode prints into searchable files, and accurately compare a set of fingerprints to a database containing potentially millions of prints in seconds.

Thus this ECCN is aimed at entire systems and support equipment that would be useful for large scale identification systems, which include devices such as fingerprint scanning and booking stations that electronically capture single or multiple fingerprints. These capture stations can be fixed or portable. Scanners that convert paper finger print records into a digital form are not controlled in this ECCN unless they have been specifically modified or configured for the scanning of fingerprints and are not general purpose scanners even if marketed for fingerprinting. Cameras for photographing fingerprints (either recorded or latent) are not controlled by this ECCN unless they have been specifically modified or configured to photograph fingerprints. Also controlled in this ECCN would be parts and accessories that are unique to the above equipment.

The intent of this entry is not to control automated fingerprint verification equipment which is a closely-related technique used in applications such as attendance and access control systems. This equipment matches fingerprints against a known limited database or compares or verifies a claimed identity. For example, an intruder might claim to be an employee by presenting his PIN or ID card and the system would seek to verify his identity using his fingerprint, and based on that result grant or not grant access. Examples of this type of equipment, which are not controlled in this ECCN, include door locks and portal entries, thumb readers on laptop computers, or a finger print reader incorporated into industrial equipment or vehicles to assure only approved users can operate the equipment.

Additionally, this entry does not control general purpose equipment such as optical comparators, magnifying glasses, or stereoscopic microscopes. For sensors/readers that, depending on the end user, may be incorporated into a laptop, a door lock, or a scanner for an automated finger print identification system, an official commodity classification (see Section 748.3 of the EAR) is recommended.

For Immediate Release
July 1, 1999

BIS Public Affairs
(202) 482-2721

Office of the Press Secretary

Export Controls on Computers

The President today announced an update of U.S. export controls on computers that will promote our national security, enhance the effectiveness of our export control system, and ease unnecessary regulatory burdens on both government and industry.

Today's announcement is President Clinton's third revision to U.S. export control parameters since 1993. Today's announcement reflects this Administration's efforts to ensure effective controls on militarily sensitive technology while taking into account the increased availability of commodity products, such as servers and workstations, of which millions are manufactured and sold worldwide every year.

When controls were last revised in 1995, we knew computer technology would continue to advance rapidly -- and that we would need to update control levels periodically. Accordingly, for the past year, the Administration has conducted a review of our computer export controls that took into account (1) the rapid advance of computing technology since 1995, (2) our security, nonproliferation and other national security interests, and (3) the need for a policy that would remain effective for at least six months.

The Administration's computer export controls are designed to permit the government to calibrate control levels and licensing conditions depending upon the national security or proliferation risk posed at a specific destination, and to enhance U.S. national security and preserve the technological lead of the U.S. computer industrial base by ensuring controls on computer exports are effective and do not unnecessarily impede legitimate computer exports.

This review found that advances in the power and capabilities of widely available computing systems have more than exceeded our 1995 control levels. In fact, during the coming months, industry analysts estimate that systems designated as "high performance computers" in 1995 (2,000 MTOPS (Millions of Theoretical Operation per Second, a computer performance metric for export control purposes)) will be available in the tens of thousands. This reflects the exponential growth in individual microprocessor speeds that has occurred since 1995. We fully expect this growth to continue - U.S. companies plan commercial sales of individual "chips" rated over 2000 MTOPS by late 1999/early 2000. Moreover, while there are military applications across a range of MTOPS levels, the national security agencies have determined that there is no definitive line that separates levels of computing power on the basis of their usefulness for military applications. In light of this finding, the advances in basic computing technologies, and the problems inherent in trying to control commodity level items, it is clear our control limits needed to be raised. The Administration has determined that widespread commercial availability makes computers with a performance of 6,500 MTOPS or less uncontrollable.

The Revised Controls

The revised controls announced by the President maintain the four country groups announced in 1995, but amends the countries in, and control levels for, those groups as follows:

Tier I (Western Europe, Japan, Canada, Mexico, Australia, New Zealand): General license for all computers (i.e. no prior government review, but companies must keep records on higher performance shipments that will be provided to the U.S. government as directed).

  • The President's decision today will move Hungary, Poland, the Czech Republic and Brazil from Tier 2 to Tier 1. In addition, the Administration will consider moving additional countries into Tier 1 in the future.

Tier II (South America, South Korea, ASEAN, Slovenia, South Africa): General license up to 10,000 MTOPS with record-keeping and reporting as directed; individual license (requiring prior government review) above 10,000 MTOPS.

  • Today's decision will raise the individual licensing level from 10,000 MTOPS to 20,000 MTOPS immediately. In addition, the Administration will review this level in six months, with the expectation of raising it to the 32,000-36,000 MTOPS range. The Administration will continue to review this level every six months to determine if further adjustments are warranted.

Tier III (India, Pakistan, all Middle East/Maghreb, the former Soviet Union, China, Vietnam, Central Europe): Current regulations permit general license exports up to 2000 MTOPS, and require individual licenses for military end-uses and end-users above that figure. General license exports are permitted for civil end-users between 2000 MTOPS and 7000 MTOPS, with exporter record keeping and reporting as directed. Individual license for all end-users above 7000 MTOPS.

  • The President's decision today will maintain the current two-level system for civilian and military/proliferation end-users, and will raise the individual licensing levels for both classes of end-users, from 2000 to 6500 MTOPS for military end-users and from 7000 to 12,300 MTOPS for civilian end-users. The Commerce Department will immediately raise the license level for civilian end-users, and will raise the license level for military end-users in six months, at the same time as it adjusts the level that triggers the NDAA notification requirement, which is discussed below.
  • The 1998 National Defense Authorization Act (NDAA), P.L. 105-85, imposed a requirement for companies to provide the Commerce Department with prior notice of exports for systems above 2,000 MTOPS to all Tier 3 end-users. U.S. export control agencies have 10 days to inform the company if it must apply for a license.
  • The President's decision today will raise the NDAA notification level from 2,000 MTOPS to 6,500 MTOPS. The President has advised the appropriate Congressional committees of his decision to raise the NDAA notification level. By law, Congress has six months to review this decision, at which time the change to NDAA notification level will go into effect (February, 2000).
  • The Administration will continue to review the licensing levels and the NDAA notification level every six months to determine if further adjustments are warranted.

Tier IV (Iraq, Iran, Libya, North Korea, Cuba, Sudan, and Syria): There are no planned changes for Tier IV; current policies continue to apply (i.e. the United States will maintain a virtual embargo on computer exports).

For all these groups, reexport and retransfer provisions continue to apply. The revised controls will become effective when they are implemented in formal Commerce Department regulations.

We will continue to implement the Enhanced Proliferation Control Initiative (EPCI), which provides authority for the government to block exports of computers of any level in cases involving exports to end-uses or end-users of proliferation concern or risks of diversion to proliferation activities. Criminal as well as civil penalties apply to violators of the EPCI. In addition, the Department of Commerce will continue to add to its list of published entities of concern as a means of informing exporters of potential proliferation and other security risks. The Department will remind exporters of their duty to check suspicious circumstances and inquire about end-uses and end-users. Exporters will be advised to contact the Department of Commerce if they have any concern with the identity or activities of the end-users.

The Commerce Department also will work to expand its efforts -- through public seminars and consultations with companies -- to keep industry regularly informed regarding problem end-users and programs of proliferation concern.

Microprocessor Controls. In addition to revising computer export controls, controls on general-purpose microprocessors will be revised immediately, from the current control level of 1200 MTOPS to 1900 MTOPS. Export control agencies are in agreement that general purpose or so-called "mass market" microprocessors are not controllable because they are used in virtually all consumer and business personal computers, are highly portable, and are sold in very large quantities through multiple distribution channels worldwide. Given the continuing increases in microprocessor technology, the Administration likely will adjust microprocessor control levels again in the Fall, 1999. We will continue to maintain controls on higher performance, general-purpose microprocessors that are sold in small quantities for high-end computer and other applications, and those application-specific microprocessors that have military applications and are sold in relatively small quantities.

Legislative Proposal. Per the National Defense Authorization Act of 1998, Congress requires a six-month notice period if the President decides to raise the level that triggers the 10-day pre-export notification requirement for Tier 3 exports. Congress also requires a four-month notice if the President decides to move a country out of Tier 3. The six-month notice period in particular limits our ability to respond quickly to rapid changes in technology. We will work with Congress to change both waiting periods to one month, in conjunction with the formal notification to Congress of the President's decision to raise the current NDAA notification level from 2,000 MTOPS to 6,500 MTOPS.

On a longer-term basis, we intend to work with Congress to adopt an approach that does not rely on ad hoc judgments about appropriate levels of control, but rather keys our export controls to recognize the practical impossibility of controlling items so widely available that they amount to commodity items, like computers and microprocessors which are sold by the hundreds of thousands and even millions.

Multilateral Coordination: The Administration is consulting with other nations in the context of our common controls on high performance computers, and with the members of the Wassenaar Arrangement -- the multilateral successor to COCOM, to ensure that they understand the basis for the changes in controls. We are committed to working closely with them to adjust multilateral controls to reflect technological advances and collective security concerns. Our controls are consistent with the basic foundations and principles of the Wassenaar Arrangement -- to deny arms and sensitive dual-use technologies to countries of proliferation concern, and to develop mechanisms for information sharing among the partners as a way to harmonize our export control practices and policies.


In April of 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security (BIS). For historical purposes we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.

I. Introduction

The following guidance has been prepared for exporters to use in submitting export license applications involving High Performance Computers (HPCs). You are encouraged to follow these guidelines to assist us in processing your application more efficiently. It is in your best interest to provide all the necessary information when the application is first submitted so that we can properly analyze the transaction and refer it to the appropriate U.S. Government agencies.

II. SNAP-R Export License Application Work Item form

This section is a clarification of instructions for license application. Please refer to Part 748 of the Export Administration Regulations for additional guidance.

Blocks 1-3: Name and numbers of a contact person able to answer technical questions

Block 4: Date application submitted

Block 5: Mark "Export" or "Reexport"

Block 6: Mark applicable blocks - at a minimum, applicant must submit a letter of explanation and technical specifications; Import/end-user certificate if applicable.

Block 7: Mark applicable blocks

Block 8: N/A

Block 9: Type: "High-Perf. Computer"

Block 10: Provide only if applicable

Block 11: Provide only if applicable

Block 12: N/A

Block 13: Provide for only those countries requiring import/end-user certificates.

Block 14: Applicant

Block 15: Provide only if applicable

Block 16: Purchaser name and address

Block 17: Provide only if applicable

Block 18: This block must contain the "installation address" for the HPC

Block 19: May be same as Block 18, or used for 2 or more systems at different locations

Block 20: Provide only if a re-export

Block 21: Provide specific end-use information

Block 22a: Provide ECCN of the item(s) (e.g., 4A003.b, 4A001)

Block 22b: Provide the final WT value of the computer system. For example, if the end user already has received a HPC and this export is upgrading the current system, provide the value of the final system with the upgrade.

Block 22c: Model Number

Block 22d: Provide only if applicable

Block 22e: Number of systems or CPUs for an upgrade

Block 22f: "Each"

Block 22g: Unit price

Block 22h: Total price of all units

Block 22i: Manufacturer

Block 22j: Provide number of CPUs, GHz, WT value , whether a system upgrade or cluster. The following is a good example:

  • (Model # or name) with 64 IBM Power4 processors operating at 3 GHZ (0.50 WT, shipped under License Exception "APP"), is being upgraded with additional 64 IBM Power4 processors operating at 3.0 GHZ for a final configuration of 128 Power4 processors at 1.0 WT.

Block 23: Dollar value of all items listed on the application

Block 24: Provide a short description in 2 important areas: 1) State whether or not there will be remote access end-users. If there are remote access end-users, identify the type of computational access; 2) Status of relevant support documents.

Block 25: Signature

III. Support Documents

Insufficient information or lack of proper support documents will delay the license application or lead to the application being returned without action (RWA). To avoid such delays, please submit the following documents with your license application.

Letter of Explanation

In addition to the required support documents, a letter of explanation should accompany each license application. The letter should contain the following information (for electronic submissions, this information may be submitted in the additional information block, but if you intend to send extra information please inform us in the additional information block that this information is forthcoming):

  1. Identify name, location, type of business of the end-user.
  2. Identify the specific end-use/s of the HPC and, if known, the types of software applications that will be loaded on the HPC.
  3. Discuss configuration of the HPC: Number of CPUs, MHZ, WT value of each CPU , and total WT value of the computer system. Identify whether this transaction is an upgrade to the existing system, an upgraded swap-out of an old system, a cluster or aggregation of machines, etc. Diagrams of system configurations are often useful tools to explain your systems.
  4. Identify the presence and location(s) of remote access end-users and the extent and nature of the remote access end-user(s) computational access (full vs. limited).

Technical Specifications

Additional technical specifications are not required if the exporter submits all the above information on the license application itself or in the letter of explanation. However, if BIS has not reviewed the product before, the exporter must submit adequate product literature and technical specifications for a complete technical determination.

Import/End-User Certificates and BIS-711's

The applicant must reference the IC# in the license application (Block 13). BIS will begin processing a license application without an IC, however, the exporter may not ship the product until they have received the IC from the importing country. BIS will begin processing a license application without a BIS-711, but the exporter may not ship the product until they have received the BIS-711 from the end user (fax copy).

A BIS-711 is required for any Computer Tier 3 country identified in Section 748.11 of the Export Administration Regulations (EAR). The applicant must keep this form on file and provide an end-use statement on behalf of the end user in the letter of explanation or, if submitting the license electronically, type the end-use statement in Block 21 of the 748P.

End-User Statements

Per paragraph (c) of Supplement 2 to Part 748 of the EAR, if the end user is in Country Group D:1 (see Supplement 1 to Part 740 of the EAR), the applicant is required to furnish a signed statement by a responsible representative of the end user or importing agency describing the end use and certifying:

  1. The computers or related equipment: a) will be used only for civil applications; and b) will not be reexported or otherwise disposed of without prior written authorization from BIS;
  2. A full description of the equipment and its intended application and workload; and
  3. A complete identification of all end-users and their activities.

IV. Special Considerations

  • Inform us as to whether the order is an actual or competing order. If you are facing international/domestic competition for a contract, please inform BIS in the letter of explanation.
  • If the WT value is unusually high for the intended application, please provide a thorough explanation regarding the types of applications for which the HPC will be used and justification for the WT value.

V. Application Checklist

  • Have you reviewed the application thoroughly to ensure that all information required in Section II is correct?
  • Does your letter of explanation contain a thorough description of the criteria listed in Section II?
  • Have you included (if applicable) the IC and BIS-711 or end-user statement? If you have not yet obtained an IC or a BIS-711, but are in the process of doing so, have you noted this in your application in Block 24?
  • Does the APP reflect the final APP level of the systems?
  • Did you include an item appendix for each system or upgrade?
  • Did you include remote access end-user computational ability Information?

[Note: The EAR amendment of April 24, 2006 removed Supplement 3 to Part 742 of the Export Administration Regulations, which previously set forth the requirements for SSPs for HPCs). The April 24, 2006 amendment added the requirement for SSPs to paragraph (c)(2) of Supplement No. 2 to part 748 (“Unique Application and Submission Requirements”) of the EAR.]

The United States requires security safeguards for exports of HPCs to ensure that they are used for peaceful purposes. The level and type of security safeguards reflect our broad proliferation and security concerns. Whether to require an SSP for a particular transaction is generally based on the country destination and Composite Theoretical Performance of the computer.

Following interagency review of an HPC license application, BIS will instruct the exporter to submit a Security Safeguard Plan (SSP) signed by the ultimate consignee. See the sample 'Standard' SSP for formatting information. The SSP must indicate that the ultimate consignee agrees to implement those safeguards required by BIS as a condition of issuing the license. BIS will inform the exporter which safeguard requirements will be imposed in the SSP. All license applications for exports and reexports to Tier III countries will require an SSP.

The following SSP provisions represent the standard set that will be used on HPC licenses to Tier III end-users. For most commercial end-users, the SSP will require end-user certification only. However, agencies retain the right to impose further conditions or SSP provisions if a particular license application poses a greater level of risk due to the type of end-user or the computing capability of the HPC.

Exporters may obtain a signed SSP from the end-user during the initial processing of a license application; this may substantially reduce the application processing time. However, if BIS requires additional safeguards after a full review of the license application, the exporter will have to make an addendum to the previously signed SSP.

'Standard' SSP Requirements

  1. This Security Safeguard Plan certifies that the end-user will not use the item subject to this license for any of the unauthorized activities listed below and will adhere to the safeguard conditions as they appear herein:
  2. The computer system will only be used for those activities approved by the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
  3. No use of the item subject to this license is authorized for any of the activities listed below:
    1. National security work not authorized by the government of the exporting country.
    2. The design, development, production or use of:
      1. Any nuclear explosive device, including any component or subsystem specially designed for such a device.
      2. Complete rocket systems or unmanned air vehicle systems capable of delivering weapons of mass destruction, including any specially designed component or subsystem of such devices. A delivery system for weapons of mass destruction is defined to include any complete rocket system (including ballistic missiles, space launch vehicles, and sounding rockets) or unmanned air vehicle system (including cruise missile systems, target drones, and reconnaissance drones) that is intended to deliver nuclear, chemical, or biological weapons.
    3. The design, development, production, use or maintenance of:
    4. A nuclear fuel cycle facility (including facilities engaged in nuclear propulsion and related activities) or heavy water production plant in a country not party to the Nuclear Non-proliferation Treaty.
    5. Any facility for the production of chemical or biological weapons.
  4. There will be no reexport or intra-country transfer of the computer without prior written authorization from the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
  5. No change (aggregation or upgrade) may be made to this equipment that would further increase the Weighted TeraFLOPS (WT) value without prior BIS authorization.
  6. The end-user will ensure that the appropriate security measures are implemented and the computer system will be housed in a secure facility and protected against theft and unauthorized entry at all times.
  7. The computer will run the necessary software to: permit access to authorized personnel only; detect attempts to gain unauthorized access; set and maintain limits on usage; establish accountability for usage; and generate logs and other records of usage. The software will also maintain the integrity of data and program files, the accounting and audit system, the password or computational access control system, and the operating system itself.
  8. The security personnel will undertake and be responsible for the following measures:
    1. Ensuring the establishment of a system to ensure round-the-clock monitoring for computer security;
    2. Ensuring the inspection, as necessary, of any program to determine whether the program conforms with the conditions of the license. If not, the security personnel shall remove the program from the system;
    3. Ensuring the inspection of usage logs to the extent necessary to ensure conformity with the conditions to the license [and the retention of records of these logs for at least two years.
    4. Establishing the acceptability of all users in conformity with authorized end-uses.
    5. Supervising the following key tasks:
      1. Establishment of new accounts and the assignment of passwords
      2. Changing the passwords for individuals frequently and at unpredictable intervals, and ensuring the right to deny passwords to anyone. ( Passwords will be denied to anyone whose activity does not conform to the conditions of the license. Misuse of passwords by users will result in denial of further access to the computer.)
    6. Maintaining the integrity and security of tapes and data files containing archived user files, log data, or system backups.
  9. Computers may not be accessed either physically or computationally without prior authorization by the U.S. Government by nationals of Cuba , Iran , , Libya , N. Korea , Sudan , Syria . However, commercial consignees as described in Supplement 3 to Part 742 of the EAR are prohibited only from giving such nationals user-accessible programmability.
  10. "Remote Computational access" to the computer systems is not permitted unless authorized by the U.S. Department of Commerce, Bureau of Industry and Security (BIS). (Note: If "remote computational access" is permitted, the end-user must take appropriate steps to protect the computer system and to maintain audit trails of all users.)
  11. " Computational access" is the ability to create, load, or execute a program. This function includes any system administration capabilities. Computational access does not include the ability to retrieve stored data or the ability to enter and receive transactional data to an approved program (e.g., banking transactions).
  12. The end-user must immediately report any security breaches or suspected security breaches to the exporter's representatives.
  13. The end-user will cooperate with any post-shipment inquiries or inspections by the U.S. Government or exporting company officials to verify the disposition and/or use of the computer. Security personnel will maintain data on the computational access usage of the computer (as required by provision 7c) and security related events. Such data will be retrievable and available for review by BIS and will contain data covering at least two years prior to the receipt of any review request.
  14. The end-user will cooperate with the U.S. Government concerning the physical inspection of the computer using facility on short notice and will provide access to all data relevant to computational access usage. This inspection will include:
    1. Analyzing any programs or software run on the computer to ensure that all usage complies with the authorized end-uses on the license;
    2. Checking current and archived computational access usage logs for conformity with the authorized end-uses and the restrictions imposed by the license; and
    3. Verifying the acceptability of all computer users in conformity with the authorized end-uses and the restrictions imposed by the license.
  15. This is to certify that [End-user's name] [ (if applicable) and all the remote access end-users] will not use the [product name] for the unauthorized activities listed above, and will adhere to the safeguard conditions and perform the undertakings as prescribed in this security plan.

The following process represents a typical life cycle of an HPC license application. This is meant as guidance only and not as a comprehensive description. For more complete information on license processing and HPC policy guidance, please refer to sections 740.7, 748.8, 750.4 and Supplement 2 to Part 748 of the Export Administration Regulations (EAR).

Submission and Referral

Upon submission, a license application is assigned to a BIS licensing officer (LO). From the date of receipt into the database, the LO has nine days to analyze the information provided and either refer the license application (with a case analysis) to the other agencies for review, place the application on hold without action (HWA) or return the license to the applicant without action (RWA).

If the license application is complete, the LO will refer the application for review to other agencies.

If the license application is missing information, the LO will call the applicant and request additional information. When an LO calls the applicant with a request for information, the application will be placed on HWA for 10 calendar days while the LO is waiting for the information. If the applicant does not provide this information after 10 days or does not inform BIS of the extenuating circumstances preventing the timely submission of the requested information, the application will be RWA'd.

Interagency Review

Reviewing agencies have 30 calendar days to review an application from the day it is referred by the LO, per Executive Order 12981.

If an agency determines that additional information is necessary to make a decision, it will provide an information request to BIS and the application will be placed on HWA for 10 days. If the applicant does not provide the additional information, an agency can request that the application be RWA'd or rejected.

If the application contains complete information, the agencies, including BIS, will either recommend ‘approve with conditions' or ‘reject' (only a small number of HPC license applications have been rejected.).

Sign-off Processing

Once all interagency positions are received, the LO checks the positions to determine whether the interagency group is in agreement on the disposition of the license application. The LO will attempt to resolve any disagreement among the interagency positions. If agreement cannot be reached within five days, the application will be escalated to the Operating Committee for resolution.

If the agencies agree on the disposition of the license application and the safeguard requirements, the LO will inform the applicant of the safeguard requirements to be applied to the license. The license application will then be placed on HWA until the signed SSP is provided by the end-user.

For most Computer Tier III license applications, a "Standard" SSP will be applied. The exporter may obtain the end-user certified Standard SSP (if the exporter believes the end-user will qualify for the Standard SSP) during the initial processing of the license. This will substantially expedite the issuance of the license application. If an agency later requests additional requirements, a separate end-user certified addendum also must be forwarded to BIS.

After 30 days, if BIS has not received the SSP and the applicant has not provided BIS with a valid reason for the delay, the license application may be RWA'd. If the applicant remains in contact with the LO and provides valid information regarding the delay in procuring the SSP and the Division Director concurs, BIS will keep the license application on HWA, pending receipt of the information.

Once a properly signed/certified SSP is returned to BIS and the other necessary support documents are provided, the LO will complete the application and forward it to the Division Director for final management review. An export license will be issued to the applicant once the Division Director approves issuance of the license.

© BIS 2020