Technology Control Plans
Technology Control Plans
Export Control Information for Technology Control Plans
If a project involves Export Controlled Information (which may include technical information, data, material, equipment, or software classified as export controlled information by the U.S. State Department’s International Traffic in Arms Regulations (ITAR), and/or the U.S. Department of Commerce’s Export Administration Regulations (EAR)), it may be unlawful to disclose, orally or visually. It may also be unlawful to transfer export-controlled information to certain foreign persons inside or outside the U.S. without an export license. A foreign person is anyone who is not a U.S. citizen or is a lawful permanent resident (green card holder), a protected individual, admitted refugee or person granted asylum. A Foreign Person also means any foreign corporation, business association, partnership or any other entity or group that is not incorporated to do business in the U.S. Foreign Persons may include international organizations, foreign governments and any agency or subdivision of foreign governments such as consulates. The law makes no exceptions for foreign graduate students.
Therefore, depending on the type of export controlled item and the type of ‘Use’ contemplated, it may be necessary to restrict the use and/or observation of certain items technical information, data, materials, equipment, or software by unlicensed foreign persons via a technology control plan (TCP).
Receipt of export controlled technical information, data, materials, equipment, or software referred to below as Export Controlled Information will usually require a TCP be developed by the Office of Sponsored Programs and Research Integrity (OSPRI) in coordination with the Information Security Officer (ISO) and the Investigator. The TCP may incorporate any of the security measures outlined below.
Before bringing Export Controlled Information on campus, please consult with OSPRI.
If you have questions or concerns related to safeguarding Export Controlled Information, contact the Information Security Officer (ISO) Tom Conley at firstname.lastname@example.org. All questions related to export control policies, procedures, regulations or technology control plans (TCPs) should be directed Mike Sanderson in the Office of Sponsored Programs and Research Integrity (OSPRI) at email@example.com. Security measures may include, but are not limited to the following:
TCP security measures may include, but are not limited to the following:
Do not access Export Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control. Do not access Export Controlled Information while traveling outside of the U.S. Visit the export control travel page for more information. Do not post Export Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually assigned accounts requiring username/password, user certificates, or other user-specific authentication methods. Protect Export Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
Use regularly updated malware protection software.
Keep computers hosting Export Controlled Information up to date on security patches and updates.
Export Controlled Information should not be stored on mobile computing devices such as laptops, PDA's and removable media such as thumb drives or CD/DVD. Review and approval by OSPRI and the ISO is required for projects of this nature, and a TCP should be in place. See additional notes below. Securely wipe electronic media containing Export Controlled Information in accordance with current best practices such as NIST 800-88, Guidelines for Media Sanitization.
Mobile computing devices:
In such cases where technical information, data, material, equipment, or software classified as export controlled may be stored on a mobile computing device (laptops, PDA's and removable media such as external hard drive), a TCP should be in place, which may include the following guidelines:
- The mobile device is not taken out of the U.S. without an export control analysis that is performed by OSPRI.
- The data should be stored on a single-user portable device in a volume using encryption with a unique decryption passphrase known only to the device's authorized primary user.
- The mobile device should be protected by a software firewall.
- The mobile device should have audit logging enabled and audit logs backed up.
- The mobile device should be accessed using a login account with a password of no less than 12 characters in length, a mixture of upper -and lower-case letters, numbers and symbols, subject to change no less frequently than annually, or when any possibility of password exposure is suspected.
- If data backup is required, the encrypted volume should be backed up intact, with encryption preserved.
- Export-Controlled technical information, data, material, equipment, or software classified as export controlled should be housed on University-owned devices.
- Other requirements, as determined to be necessary.
Transmission of Data:
Do not transmit or email Export Controlled Information unencrypted. Use a University provided system (i.e. File Locker) or a sponsor provided system designed to send secured material. If encryption is not available, data should be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office Products. In addition to encryption, only send Export Controlled Information via File Locker or sponsored provided process. Note - to avoid an export control violation do not send or open Export Controlled Information outside the U.S.
Transmission of Export Controlled Information via voice or fax only to authorized persons identified on a TCP.
Wireless network access to Export Controlled Information should be encrypted, e.g., UCCS on-campus Wireless or VPN connection.
Note - to avoid an export control violation do not access Export Controlled Information while outside the U.S.
Provide monitoring and control over inbound and outbound network traffic. Include firewall blocking unauthorized ingress and egress.
Prevent unauthorized release of data to unauthorized persons using; for example, firewalls, router policies, intrusion prevention/detection systems, or host-based security services.
In such cases where Export-Controlled Information is a software executable or data that resides on any shared (multi-user) system, these guidelines may apply, as specified in a TCP:
- The directories containing the software shall be access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions.
- The shared system should have audit logging enabled, and the audit logs should be backed up.
- The shared system should be managed solely by U.S. Persons, as defined in the export regulations.
Personnel Identification: Individuals participating in the project are required to wear a badge, special card, or other similar device indicating their access to designated project areas.
Access logs: Physical movement into and out of a designated project area is logged.
Laboratory compartmentalization: Project operations are limited to secured laboratory areas physically shielded from access or observation by unauthorized individuals. These areas must remain locked at all times.
Time blocking: Project operations are restricted to secure time blocks when unauthorized individuals cannot observe or access.
Locked storage: Tangible items such as equipment, associated operating manuals, and schematic diagrams are stored in rooms with key-controlled access. Soft- and hard-copy data, lab notebooks, reports, and other research materials are stored in locked cabinets.
Shielding of material: Material is physically shielded from observation by unauthorized individuals by using the material in a secured space, or during secure time blocks when observation by unauthorized persons is prevented.
Facilities (For ITAR Controlled Projects or Equipment):
An approved ITAR designated room is used for storage of all ITAR controlled physical materials (hardware, software, files, printed documentation).
The ITAR room is clearly marked on the exterior door (ITAR/EAR Restricted Area - U.S. Persons only) and this approved technology control plan is posted clearly inside the room.
The ITAR room is access controlled, and the access process (room key or card) is managed by the department or the ISO and all access requests are made in writing by the project PI. Only approved personnel will be granted access.
Regular custodial, recycling and maintenance services should be provided by U.S. Persons or staff may need to be accompanied by project personnel. Facilities management will be consulted regarding best practices for serving controlled space.
The ITAR room should have a shredder or disposal container for export controlled printed matter.
Authorized persons: Typically, an authorized person is a citizen of the United States, a lawful permanent resident alien of the U.S. (a "Green Card" holder), a refugee or someone in the U.S. under political asylum protection or amnesty. The general rule is that only U.S. Persons are eligible to receive Export Controlled Information without first obtaining an export license from the appropriate agency unless a license exception or exclusion is available
Employee and student responsibilities: Authorized personnel who interface with foreign nationals should receive a copy of the TCP and should receive a briefing that addresses their export control responsibilities.
Supervisory responsibilities: Supervisors of cleared personnel should ensure that employees and visitors are aware of and knowledgeable about their export controls responsibilities.
Training: Export control training for all individuals associated with the project, e.g., PI, research staff, graduate students, and building maintenance is required.
Personnel additions: The supervisor is responsible for notifying OSPRI of new personnel before they can work on the project.
Personnel changes: Measures for collecting keys to project areas, removing access to project facilities, computers, and other electronic storage devices when personnel leave the project.
Additional Export Control Resources
- Information Technology - Information Security - Export Control
- NIST 800-88 Guidelines for Media Sanitization
- When to Contact OSPRI
- Training and Outreach
- Hiring and Visas (I-129)
- International Travel and Export Controls
- Cloud Computing and Export Controls
- Export Control FAQ
- Export Control Definitions
Questions? Contact the Office of Sponsored Programs and Research Integrity (OSPRI) at firstname.lastname@example.org for assistance with export control questions related to the development of technology control plans.