Features of creating products for the US market

We will continue the topic of the practical aspects of the work of the product manager. This material is useful to you if

• your company is registered in the United States, and you plan to work with the world,
• You want to sell your software (and not only) to the States,
• You are planning to work with companies located in the United States.

And also for those PM who plan to work for foreign companies.

Export controls

In the USA, everything connected with export and re-export to other countries is very closely controlled. If a product, no matter what, falls into a certain category, then a special license will be required for its export. Basically, of course, these are dual-use products and have enhanced features.

The classification process for export itself consists of four groups.

1. ECCN
2. Where the product goes
3. Who is the end user
4. Purpose of use

https://www.bis.doc.gov/index.php/licensing/commerce-control-list-classification


The product manager is faced with the first item ECCN - Export Control Classification Number . This number is assigned independently: the company does its own classification (most often), or upon request from the Bureau of Industry and Security (BIS).
For software, it will be 4D994, or EAR99. The latter means: “has no special classification,” that is, restrictions.

Number structure:


A complete list of room elements can be viewed on the BIS website.

Consider the 4D994 example in this issue:

• 4 - Computers
• D - Software
• 994 - literally means specially designed for production, production or use of equipment controlled by 4A994, 4B994 and materials controlled by 4C994. In short, for non-special-purpose computers.

When you might encounter this:

• When exporting from the USA. For example, the head office of your company in the United States, and the products are automatically under export control.
• When selling a component to an American company. For example, a set of components for development. And the company - the contractor can request this number from you. If you are not registered in the United States, then you do not need to have it. If not, then your counterparty will ask you to answer a few questions in order to independently perform the classification. Because, the ECCN of the entire product cannot be lower than the level of all incoming components.

What affects the ECCN.

• Authorization based on encryption algorithms.
• Strong encryption algorithms.
• Performance of operations with a certain productivity (supercomputer calculations).

The ability to use the product by people with disabilities

VPAT - Voluntary Product Accessibility Template , is a document that describes how a product, service, or technology meets the requirements of Section 508 of the US Rehabilitation Act of 1973, as amended (29 USC § 794 (d)).

In simple terms, this is a table that describes the requirement for supporting people with disabilities, and the compliance of your product with this requirement.

for example

302.2 With Limited Vision

Conformance level

Remarks

What is important to note. As the name Voluntary, this table is voluntary to fill out. Including you can determine the structure yourself. The second point, you only need to list compliance. Including indicate which of them the product does not match. For example, for audio processing software, you may not meet the criteria for “302.4 Without Hearing, 302.5 With Limited Hearing”. The table, as a rule, is quite large, since each criterion is divided into subtasks.

When may need. This document is specific to the United States. Useful if you sell the finished product to the States, and the company asks for it. Especially to improve the chances of buying. As a rule, require large companies and government agencies.

Description
Recommended Template

Compliance with the standard of medical data

HIPAA - Health Insurance Portability and Accountability Act , Privacy Policy for the Protection of Patient Physical and Mental Health Information. First describes the rules for processing medical data. But also compliance with these rules is often used to protect personal data in general. To a greater extent, this applies to workflows, physical access. But there are criteria for software.
As in the two previous cases, there is no uniform form for compliance with standards. In this case, the software is covered to a lesser extent, therefore, a checklist with a description is sufficient. For example.

_{https://www.hipaajournal.com/hipaa-compliance-checklist/}

Implementation Specification	Required or Addressable	Further information
Implement a means of access control	Required	This is not only a method of assigning a card for each user during the emergency.
Introduce a mechanism to authenticate ePHI	Addressable	This is a mechanism that has been approved in order to comply with ePHI regulations.
Implement tools for encryption and decryption	Addressable	This is a guideline for users who have been signed.
Introduce activity logs and audit controls	Required	It has been recorded and has been accessed.
Facilitate automatic PCs and devices	Addressable	EPHI after a pre-defined period of time. This should not be left unattended.

Knowledge of these topics will help to more easily navigate the various requirements when working in the US market. And in the requirements not only for software, but also other products.