Technology Control Plans (TCP)
If a project or aspects of a project are export-controlled, the Office of Export Compliance (OEC) will work with the PI, project managers, and Export Control Team members as appropriate, to develop and implement a Technology Control Plan (TCP) to ensure the controlled technology is not inadvertently accessed by unauthorized Foreign Persons. TCP templates are available from the OEC and will typically include:
(a) a commitment to export controls compliance;
(b) identification of the relevant export control categories and controlled technologies;
(c) identification of the project’s sponsors;
(d) identification and nationality of each individual participating in the project;
(e) appropriate physical and informational security measures;
(f) personnel screening measures and training; and
(g) security measures for project duration and following project termination.
As part the necessary export compliance review once a contract is awarded, Principle investigators or project leads will provide OEC a list of all personnel assigned to the project. The Office of Export Control will screen personnel to include ascertaining their immigration status using acceptable documentation provided by Human Resources and International Programs and ensure all participants receive export awareness training. Export control staff working with project teams will ensure there is a proper mitigation plan in place to prevent inadvertent access by unauthorized personnel.
Appropriate Security Measures
The TCP will include physical and informational security measures appropriate to the export control categories involved on the project. Examples of security measures include, but are not limited to:
(a) Laboratory Compartmentalization.
Project operations may be limited to secured laboratory areas physically shielded from
access or observation by unauthorized individuals. These areas must remain locked at all times.
(b) Time Blocking.
Project operations may be restricted to secure time blocks when unauthorized individuals cannot observe or
Export-controlled information must be clearly identified and marked as export-controlled.
(d) Personnel Identification.
Individuals participating on the project may be required to wear a badge, special card, or other similar device indicating authority to access designated
project areas. Physical movement into and out of a designated project area may be logged.
(e) Locked Storage.
Tangible items such as equipment, associated operating manuals, and schematic diagrams should be stored in rooms with key-controlled access. Digital media and hardcopy data, lab notebooks, reports, and other research materials should be stored in locked cabinets.
(f) Electronic Security.
Project computers, networks, and electronic transmissions should be secured and monitored through User IDs, password controls, 128-bit Secure Sockets Layer encryption, or other federally approved encryption technology. Database access should be managed via a Virtual Private Network.
(g) Confidential Communications.
Discussions about the project must be limited to the identified and authorized project participants, and only in areas where unauthorized individuals are not present. Discussions with third party sub-contractors must occur only under signed agreements which fully respect the Foreign Person limitations for such disclosures