Export compliance documentation for encryption

I am building iOS apps that use Bluetooth LE via CoreBluetooth and make calls over ATS/HTTPS, both of which make use of encryption, which requires a declaration in AppStoreConnect.


AppStoreConect then links to this document:

https://help.apple.com/app-store-connect/#/devc3f64248f

which states that for ATS/HTTPS or "encryption limited to that within the Apple operating system" (the latter should be applicable for Bluetooth), "No documentation required in App Store Connect.", but I should "Submit a Self Classification Report to the U.S. Bureau of Industry and Security (BIS) directly."


So I end up with "App Uses Non-Exempt Encryption : No" and tried to create such a report, which basically consists of a simple spreadsheet listing some product details, but now I am totally lost trying to figure out what to use for these three colums, in particular the first one:


ECCNAUTHORIZATION TYPEITEM TYPE


There are documents that discuss possible values for these entries, but they are harder to decypher than the crypto in question here...😕


Is there a simple table or official statement which tells what to use for the very basic case of an app that is exclusively using HTTPS and other built-in crypto, such as Bluetooth, Wifi, etc.?


Has anyone ever figured out the proper entries for this common case?

I researched this question and concluded that my app (which like yours, uses iOS Bluetooth and HTTPS/TLS, both directly and via Firebase's underlying BoringSSL library) should be classified "Mass Market" and ECCN = 5D992 (some say 5D992.c, but others say the report should not include the trailing letter).

The references I used include:
  official government site regarding the annual report from bis.doc.gov/index.php:
/policy-guidance/encryption/4-reports-and-reviews/a-annual-self-classification

  official government site regarding “mass market” from bis.doc.gov/index.php:
/policy-guidance/encryption/3-license-exception-enc-and-mass-market/a-mass-market

  from SuperTop.co's blog (blog.supertop.co):
/post/162562874252/reporting-app-encryption-use-to-the-us-government 
(use Authorization Type = MMKT, ECCN = 5D992.c)

  stack overflow discussion: https://stackoverflow.com/questions/48462206/annual-self-classification-report 
(suggests using ECCN = 5D992)

  government explanation of report fields, from ecfr.gov:
/cgi-bin/retrieveECFR?gp=1&SID=4150cfbf028e9a85574385383a581f47&h=L&mc=true&n=pt15.2.742&r=PART&ty=HTML#ap15.2.742_119.6 

Docebo.com's guidance page:
/knowledge-base/export-compliance-and-self-classification-report-for-encryption-items/

(sorry the forum won't let me paste complete URLs, but they should be reconstructable from the above)
Export compliance documentation for encryption
 
 
Q