Features of creating products for the US market

    We continue the topic of the practical side of a product manager's work. This material will be useful to you if:

    • your company is registered in the United States and you plan to work worldwide,
    • you want to sell your software (and not only software) to the States,
    • you are planning to work with companies located in the United States.

    It is also useful for PMs who plan to work for foreign companies.

    Export controls

    In the USA, everything connected with export and re-export to other countries is very closely controlled. If a product, whatever it is, falls into a certain category, a special license is required to export it. These are mainly dual-use products and products with enhanced capabilities.

    The export classification process itself considers four factors.

    1. ECCN
    2. Where the product is going
    3. Who the end user is
    4. Purpose of use


    There may be problems with access
    I have noticed that there are problems accessing this link and the links below. Apparently, the connection is being restricted, and not at the level of local providers in Russia. Through a VPN there are no problems opening the resources.

    The product manager deals with the first item, the ECCN (Export Control Classification Number). This number is obtained independently: most often the company performs the classification itself, or it requests one from the Bureau of Industry and Security (BIS).
    For software, it will be 4D994 or EAR99. The latter means "has no specific classification", that is, no special restrictions.

    Number structure:

    A complete list of the number's elements can be viewed on the BIS website.

    Consider 4D994 as an example:

    • 4 - Computers
    • D - Software
    • 994 - literally means "specially designed for the development, production, or use of equipment controlled by 4A994 and 4B994 and materials controlled by 4C994". In short, software for non-special-purpose computers.

    When you might encounter this:

    • When exporting from the USA. For example, your company's head office is in the United States, so its products automatically fall under export control.
    • When selling a component to an American company. For example, a set of components for development. The contracting company can request this number from you. If you are not registered in the United States, you are not required to have one; in that case your counterparty will ask you to answer a few questions so that it can perform the classification itself, because the ECCN of the whole product cannot be lower than the level of any of its components.

    What affects the ECCN:

    • Authentication based on cryptographic algorithms.
    • Strong encryption algorithms.
    • Computing performance above a certain threshold (supercomputer-class calculations).

    The ability to use the product by people with disabilities

    VPAT (Voluntary Product Accessibility Template) is a document that describes how a product, service, or technology meets the requirements of Section 508 of the US Rehabilitation Act of 1973, as amended (29 USC § 794 (d)).

    In simple terms, this is a table that lists each requirement for supporting people with disabilities and describes how your product complies with that requirement.

    For example, one row of the table consists of the criterion (302.2 With Limited Vision), its conformance level, and remarks.

    What is important to note. As the word "Voluntary" in the name says, filling out this table is voluntary, and you may even define its structure yourself. Second, you only need to list compliance, including indicating which criteria the product does not meet. For example, audio processing software may not meet the criteria "302.4 Without Hearing" and "302.5 With Limited Hearing". The table is usually quite large, since each criterion is divided into sub-items.

    When it may be needed. This document is specific to the United States. It is useful if you sell a finished product to the States and the customer asks for it, especially to improve the chances of a sale. As a rule, large companies and government agencies require it.

    Recommended Template

    Compliance with the standard of medical data

    HIPAA (Health Insurance Portability and Accountability Act) is the privacy regulation for protecting information about patients' physical and mental health. It primarily describes the rules for processing medical data, but compliance with these rules is often used as a benchmark for protecting personal data in general. To a greater extent it concerns workflows and physical access, but there are criteria for software as well.
    As in the two previous cases, there is no uniform form for demonstrating compliance. Here software is covered to a lesser extent, so a checklist with descriptions is sufficient. For example:

    Each item gives the implementation specification, whether it is required or addressable, and further information.

    • Implement a means of access control (Required). This not only means assigning a centrally controlled unique username and PIN code to each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
    • Introduce a mechanism to authenticate ePHI (Addressable). This mechanism is essential in order to comply with HIPAA regulations, as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
    • Implement tools for encryption and decryption (Addressable). This guideline relates to the devices used by authorized users, which must be able to encrypt messages when they are sent beyond an internal firewalled server and decrypt those messages when they are received.
    • Introduce activity logs and audit controls (Required). The audit controls record attempted access to ePHI and what was done with the data once it was accessed.
    • Facilitate automatic log-off of PCs and devices (Addressable). Users are logged off the device used to access ePHI after a pre-defined period of inactivity, so that ePHI is not exposed if the device is left unattended.

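    The checklist above describes controls, not an implementation. The following is an added illustration (not from the original article or any HIPAA guidance) of how the four software-side items look in code: a centrally controlled user list for access control, an HMAC integrity tag that reveals altered ePHI, an audit log of every access attempt, and automatic logoff after an idle period. The key, the 15-minute timeout and the patient record are constructed placeholder values.

```python
import hmac, hashlib, json
INTEGRITY_KEY = b"constructed-demo-key"   # assumption: a per-deployment secret
IDLE_TIMEOUT = 15 * 60                    # seconds; the policy value is an assumption

def integrity_tag(record):
    """HMAC over canonical JSON: the checklist's 'mechanism to authenticate ePHI'."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()

class EphiStore:
    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)  # centrally controlled accounts
        self.records = {}      # patient_id -> (record, integrity tag)
        self.audit_log = []    # every access attempt, allowed or denied
        self.sessions = {}     # user -> timestamp of last activity
    def _audit(self, now, user, action, patient_id, result):
        self.audit_log.append((now, user, action, patient_id, result))

    def _session_ok(self, user, now):
        """Automatic logoff: a session idle longer than IDLE_TIMEOUT is dropped."""
        last = self.sessions.get(user)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(user, None)
            return False
        self.sessions[user] = now
        return True

    def login(self, user, now):
        ok = user in self.authorized             # access control
        if ok:
            self.sessions[user] = now
        self._audit(now, user, "login", None, "ok" if ok else "denied")
        return ok

    def put(self, user, patient_id, record, now):
        if not self._session_ok(user, now):
            self._audit(now, user, "write", patient_id, "denied")
            return False
        self.records[patient_id] = (dict(record), integrity_tag(record))
        self._audit(now, user, "write", patient_id, "ok")
        return True

    def get(self, user, patient_id, now):
        # Returns (record, intact) or None when access is denied; every call is logged
        if not self._session_ok(user, now):
            self._audit(now, user, "read", patient_id, "denied")
            return None
        record, tag = self.records[patient_id]
        intact = hmac.compare_digest(tag, integrity_tag(record))
        self._audit(now, user, "read", patient_id, "ok" if intact else "integrity-failure")
        return record, intact
```

    Modifying a stored record behind the store's back makes the next read report intact=False, and a read after the idle timeout is refused and logged as denied.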
    Knowing these topics will make it easier to navigate the various requirements when working in the US market, and not only requirements for software but for other products as well.
