TECHNOLOGY CONTROL PLAN QUESTIONNAIRE AND PROCEDURES

The purpose of a Technology Control Plan (TCP) is to control access (visual, physical, electronic) by unauthorized non-U.S. persons to certain export controlled information, data, materials, software and equipment. The TCP must be in place before the project starts.

The TCP template should be completed by the Project Director and approved by the University Export Control Program (UECP). Before export controlled work begins, all project personnel must complete the mandatory online export control training (www.orcr.arizona.edu/ec/training) and receive a TCP briefing by UECP. Only U.S. citizens or Permanent Residents—i.e. “green card” holders—may work on an export controlled project covered by a TCP without prior government export authorization (i.e., license or license exemption).

The body of the TCP Template contains basic procedures that should be followed. The UECP recognizes each project is unique; therefore, if additional security measures are needed that are not listed in the template, those measures should be added to the TCP.

Answers to the following questions should be incorporated into the appropriate area of the TCP template.

Commitment:

1.  Who is the person (project director, if applicable) responsible for managing the TCP and in what College and department/unit?

2.  Who are the PIs responsible for this project?

Description:

1.  What is the scope and background of the project? Provide a detailed description.

a.  Is there technical data, export controlled equipment, software, or other items that need to be protected? Describe the item(s).

b.  Will a “defense service” be provided? The current definition of a defense service is: the furnishing of assistance or training to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, or use of defense articles; it also includes providing controlled technical data to a non-U.S. person and military training of foreign units and forces. Explain if applicable.

2.  Is there a Technical Assistance Agreement (TAA) or other license associated with the project? If yes, include the license number or TAA number. If this is not applicable, there is no need to answer within the TCP.

Bona Fide Full-time Employee Exemption (for non-U.S. persons):

1.  Does a full-time regular employee (not applicable for grad/undergrad students) who is a non-U.S. person need to have access (oral, visual, electronic, physical, etc.) to ITAR data or equipment? There is an exemption for non-U.S. persons from certain countries that allows them to work on an ITAR project once the paperwork (NDA) is signed by the employee, PI and UECP. The UECP will provide the NDA for signature if applicable (must be re-signed yearly).

Physical Security:

1.  Where will the activity be conducted? Provide specific building and room numbers/labs in Attachment I.

2.  Who will have keys, codes, or card-swipe access (other than maintenance, UA police, and fire departments) to the rooms involved? Key-holders should be included in the TCP.

3.  If the room has multiple uses, how will the work areas be segregated to ensure there are no inadvertent transfers of project information? If a fundamental research project and an export controlled project will be conducted in the same room, the projects cannot be conducted at the same time. A time-block, sign-in sheet and/or other measures should be implemented to prevent access to export controlled information by foreign persons.

4.  If ITAR equipment is involved, how will the equipment be secured and where? How will visual and physical access to the equipment be prevented?

5.  How will hard-copies of export controlled information be secured and where?

6.  Will backup hard drives/flash drives be used and how will these items be secured and where?

7.  Will export controlled equipment, documents, or materials be transported across campus or locally? How will it be secured?

8.  If this is a facility-wide TCP, describe relevant security systems such as badging, escorts, visitor logs, and other types of building access restrictions.

Information Security:

1.  Will export controlled data/information need to be transmitted via email to individuals outside of UA or within UA? Transmission via email is highly discouraged and ENCRYPTION IS REQUIRED! NOTE: Catmail, Gmail, Yahoo, etc. cannot be used.

2.  Will the export controlled data and information be stored on a desktop/laptop computer or other memory storage device? If yes, the export controlled information must be stored in encrypted files or folders.

3.  Will the export controlled data and information be stored on a secure server? Non-U.S. persons cannot have access to the server if ITAR controlled data and information is stored on the server.

4.  Is the computer(s) connected to a network? Please describe. If export controlled data is stored on computers connected to a server, only U.S. persons or permanent residents should have access to the network server.

5.  Will export controlled data or documents be transported across campus or locally? How will it be secured?

6.  Will you need to export controlled technical data outside the U.S.? If YES, is there an export license in place? EXPORT OF ITAR TECHNICAL DATA WILL REQUIRE A LICENSE. CONTACT UECP FOR INFORMATION AND INSTRUCTIONS. How will it be secured?

7.  Describe any additional measures that will be taken to protect the project data that are pertinent to this particular project.

Procurement:

1.  Do you need to have ITAR parts or equipment made?

2.  If yes, has the vendor been notified that the information the vendor will receive is ITAR controlled and that no non-U.S. persons can have access? Has the vendor completed a Vendor Certification Form? (UECP can provide a template letter - it is also available on the T-drive for Liaisons.)

3.  Has a restricted party screening been completed on the vendor?

Shipping/Transporting:

1.  Do items need to be shipped or taken outside the U.S.? If yes, CONTACT UECP – AN EXPORT LICENSE WILL BE REQUIRED FOR ITAR CONTROLLED ITEMS.

2.  Do ITAR items need to be transported/shipped within the U.S.? If yes, is the recipient a U.S. person and has the recipient been notified that the items are ITAR controlled? Are the ITAR items boxed, crated, or otherwise protected from view? Has the inner packaging box been marked as ITAR-controlled – no non-U.S. person access?

Personnel and Training:

1.  Have all project personnel been screened against U.S. government denied parties lists via Visual Compliance?

2.  Have all UA project personnel taken the required online export control training? Training must be completed before work on the project begins.

3.  Have all project personnel received a TCP briefing by UECP and signed the TCP? Personnel must attend the briefing and sign the TCP before project work begins.

Rev 09/27/2015

TECHNOLOGY CONTROL PLAN

(Name of Research Project)

UA Account No.:
Sponsor Award No.:
Sponsor:
Lead PI:
Project Start Date:
PI Phone: 502
Project End Date:
PI UA Email:

Applicable Export Classifications:
ITAR – USML Category:
EAR – CCL ECCN:

This Technology Control Plan describes the procedures necessary to protect certain export-controlled equipment, software, materials, and technology/technical data from inadvertent transfer and access (oral, visual, electronic, physical, etc.) by unauthorized personnel, including non-U.S. persons as defined within the export regulations. These procedures include physical and information security, procurement, shipping/transporting, personnel screening, training and awareness, and compliance assessment. This plan will also be used to control the disposition of research project equipment, software, materials, and technical data when the project is terminated.

I.  COMMITMENT:

It is the policy of The University of Arizona to comply with all United States export control laws and regulations, including the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the Office of Foreign Assets Control (OFAC). The University Export Control Program (UECP) is responsible for the implementation and monitoring of technology control plans as applicable. Kay Ellis, Director, University Export Control Program, is a UA Empowered Official for export controls.

The individual(s) responsible for and committed to implementing and ensuring compliance with this TCP is/are: ______.

II. DESCRIPTION:

(INSERT: Provide a detailed description of the scope of the project and clearly define the ITAR technical data, hardware, and/or defense services).

Note: Changes to I and II above will require an amendment to the existing TCP.

III.  PHYSICAL SECURITY:

University of Arizona policy requires all researchers to ensure that ITAR-controlled equipment, materials, software and technology/technical data are appropriately protected. Each individual identified within this TCP is responsible for the secure maintenance and protection of ALL ITAR-controlled equipment, materials, software, and technology/technical data as follows:

·  Doors to individual offices and research facilities will not be propped or left open and “Export Control Restricted: Unauthorized Non-U.S. Persons Not Permitted” signs will be posted at the entrance to research facilities listed in Attachment 1 during times that ITAR-controlled items and information are visible on the desk or workspace.

·  Doors will be locked and a clean desk policy in effect whenever these rooms or facilities are left unattended and ITAR-controlled items and information are visible on the desk or workspace.

·  ITAR-controlled equipment (if any) shall be labeled as such by suitable means and shielded from unauthorized visual access at all times. Non-U.S. persons will not be allowed entry to offices or research facilities when ITAR controlled items are visible and/or in use, unless prior licensing approval has been obtained or an ITAR exemption is applicable.

·  Hard copies of ITAR-controlled information will be stored in a secure location (locked drawer or cabinet) listed in Attachment 1 when not in use. Only individuals authorized by this TCP will have access.

·  UA-generated documents containing ITAR-controlled technical data shall be marked “ITAR-controlled – do not distribute to non-U.S. Persons.”

·  When/If it is necessary to print ITAR-controlled technical data, the printer must be located in an area identified in Attachment 1 and the printed material must be retrieved immediately. Any ITAR-controlled technical data that is printed shall be marked “ITAR Controlled: Do Not Distribute to non-U.S. Persons.”

·  When/If it is necessary to transport hard-copy ITAR controlled data, documents, or equipment across or off UA premises, the hard-copy data, documents, or equipment will at all times be in the possession of the individual(s) listed in this TCP, and

o  be secured in the individual’s briefcase (or other secure storage device), locked in a car and/or a hotel safe; or

o  be kept in a secure location in the individual’s residence to prevent access by unauthorized non-U.S. persons.

·  Printed matter containing ITAR-controlled data will be disposed of by crosscut shredding prior to disposal or recycling.

·  [INSERT: If there are physical security measures not described above that are needed to secure ITAR project information such as badging, escorts, visitor logs, time block, and other types of building access restrictions, insert here.]

·  Research activity locations (offices, labs, buildings) are listed in Attachment 1.

·  Travel outside the U.S. with hard copy ITAR documents is prohibited without authorization (license) from the U.S. Department of State.

IV.  INFORMATION SECURITY:

University of Arizona policy requires all researchers to ensure that certain export-controlled sensitive digital research data is appropriately protected. Each individual identified within this TCP is responsible for the secure maintenance and protection of all export-controlled technical data and information. Export-controlled data/information will be protected as follows:

·  Desktop/Laptop computers (along with flash drives and back-up hard drives) will have encrypted folders, encrypted files, or encrypted hard drives for working with and storing export controlled technical data.

·  Export-controlled files will be password protected and encrypted.

·  All computers that contain export-controlled technical data will be locked and password protected when unattended.

·  All devices that contain export-controlled data/information will be clearly labeled as containing ITAR-controlled data/information (e.g., flash drives, laptops, computers, back-up hard drives).

·  If removable storage devices are used for ITAR data back-up, those devices will be encrypted to the FIPS 140-2 standard.

o  When not in use, back-up hard drives and flash drives that contain ITAR-controlled data or information will be stored in a secure location (secured drawer or cabinet) to prevent unauthorized access.

o  Only the individuals authorized by this TCP will have access to back-up hard drives and flash drives that contain project ITAR-controlled data and information, and specifically the individual who is the owner of the hard-drive/flash drive will have access to the key/lock of its secured location.

·  ITAR-controlled technical data will not be distributed or received via email.

·  If it is necessary to transport electronic export controlled data or documents, the electronic data or documents will at all times be in the possession of the individual(s) listed in this TCP, and:

o  be stored as encrypted files or in encrypted folders on devices such as a laptop or flash drive;

o  be secured in the individual’s briefcase (or other secure storage device), locked in a car and/or a hotel safe; or

o  be kept in a secure location in the individual’s residence to prevent access by unauthorized non-U.S. persons.

·  Travel outside the U.S. with ITAR controlled documents, equipment, or data will not occur without authorization (license) from the Department of State.

·  ITAR data will not be disclosed to or discussed with any persons other than authorized project personnel and should be distributed via secure means.

·  Disposal of computer floppy drives, compact discs, jump drives, and portable digital media devices that contain ITAR-controlled technical materials will be coordinated with the UECP.

·  [INSERT: If additional measures not listed above are needed to ensure the project’s information security, insert here]

·  Research activity locations (offices, labs, buildings) are listed in Attachment 1.

Please Note: Discussions and/or meetings involving ITAR-controlled technical data may be conducted occasionally by and with team members and/or sponsor representatives in locations other than those identified herein (conference rooms, not in hallways). Care will be taken to ensure conversations are not overheard by unauthorized non-U.S. persons, and ITAR technical data will be protected as outlined in Sections III and IV of this TCP.