Technology Control Plan Template

Template instructions:

1. BLUE TEXT provides guidance. Please REPLACE the blue text with information or DELETE it, as appropriate.

2. Describe your research in Section 1 to support thisproposed exception to MIT’s open research policy.

3. In Section 2, documenthow you propose to manage the controlled items/technology to ensure MIT compliance.

4. Please update the footer and change all text color to Black or Automatic.

Request for Exception to Open Research Policy

and TechnologyControl Plan

Responsible Individual / Replace with your name
Project / Replace with project name
Sponsor / Replace with sponsor name
Controls / Specify type (EAR/ITAR/DoE/DD-2345) and category/classification number
Controlled Item / Specify the controlled item
References / Current proposal number, previous related research, statement of work (link/attach)

Section 1: Request for Exception to Open Research Policy

MIT’s Policy 14.2 states that “open research and free interchange of information among scholars is essential to MIT's institutional responsibility and to the interests of the nation as a whole”, and that “foreign faculty, students, and scholars not be singled out for restriction”. Exceptions to this policy are made “only in those very rare instances where the area of work is crucially important to MIT's educational mission and the exception is demonstrably necessary for the national good.”

Proposed research

Describe the project: name, goals, scientific value, summary, research to date.

Describe the controlled items (technology, technical data, software, equipment or materials) you propose to use, and their controls.

What contribution do the controlled items make to the research?

What would be the impact of not using the controlled items?

Describe and evaluate alternatives you have considered.

Is it possible for non-academic staff to work with the restricted items, leaving academic work unrestricted?

Where will the project will be conducted?

Section 2: Technology Control Plan

It is MIT policy to comply with all U.S. export control laws and regulations, including the Department of Commerce Export Administration Regulations (EAR), the Department of State International Traffic in Arms Regulations (ITAR), and the U.S. Department of the Office of Foreign Assets Control (OFAC).

The Responsible Individual designated above accepts responsibility to ensure that controlled items are managed in compliance with U.S. government export control laws and regulations while minimizing the exception to MIT research policy represented by their use. This Technology Control Plan describes how this will be accomplished.

Fundamental research

Note: the following may be more easily described with a diagram and accompanying text.

Describe the elements of your research that will be open to all, not requiring the restricted items.

Describe the elements of your research that will be restricted to individuals named below, requiring the restricted items.

Security

Howwill restricted items be shielded from physical access by unauthorized persons (badging, escorts, visitor logs)?

How will restricted items be shielded from electronic access by unauthorized persons (access control, firewalls, encryption).

Employees with ITAR exemption access

The following individuals qualify for the ITAR §125.4(b)(10) exemption, have provided a signed ITAR MIT Employee Non-Disclosure Statement, and will have access to the controlled information:

Name / Org / Title / Role / Nationality
TBD

Personnel with unrestricted access

The following individuals are not restricted by export control regulations and will have access to the controlled information:

Name / Org / Title / Role / Nationality
TBD

Training and awareness(choose one)

Option 1: The Responsible Individual affirms that the personnel listed above have read and understand this Project Technology Control plan. The Responsible Individual accepts responsibility for ensuring that each such individual participates in timely training conducted by the Export Control Officer, and for documenting completion of that training.

Option 2: The Responsible Individual affirms that the personnel listed above have read and understand the “Briefing and Certification on the Handling of Export-Controlled Information” (Attachment 1). Additional export control training for this project may be conducted by the Export Control Officer. OSP also provides training resources on the OSP website as well as periodic training sessions to members of the MIT community.

Project duration

Security measures, as deemed appropriate, will remain in effect after the project has ended in order to protect the Material unless earlier terminated when the information has been destroyed or determined to be no longer export-controlled.

State how long the restricted items will be needed (duration, end date)

Describe how they will be retired from use: how will tangible items be returned, destroyed, or disposed of? how will electronic items be returned or destroyed? how will computer systems used to host restricted items be sanitized?

Updates

The Responsible Individual will inform the Export Control Officer of any changes to the information in this Plan.

The Responsible Individual will provide written confirmation to the Empowered Official and Export Control Officer when the controlled items have been uninstalled and media returned or destroyed.

Compliance assessment

The Responsible Individual will report any breach of this plan to the Export Controls Officer at (617-253-2762)immediately upon discovery of the breach.

The Responsible Individual is responsible for conducting annual self-evaluations to assure continued compliance with this Plan, reporting any findings to the Export Controls Officer, or to the Empowered Official for export controls (617-324-9022).

The Export Control Officer may also conduct periodic evaluations and/or training to monitor compliance of the TCP procedures. Any changes to the approved procedures or personnel having access to controlled information covered under this TCP will be cleared in advance by the Export Control Officer or the Empowered Official for export controls.

Signatures

Responsible Individual

This represents my request for an exception to the open research policy, and my commitment to ensure compliance with U.S. export. I understand and agree to follow the procedures outlined in the TCP and Briefing. I will consult with the Export Control Officer in the case of any uncertainties. I understand that I could be held personally liable if I unlawfully discloseExport-Controlled Information to unauthorized persons.

<name>
<title>
<department> / Date

Head of Department, Lab, or Center Endorsement

I am aware that use of this restricted information represents an exception to MIT research policy, and endorse the exception and the suitability of the Technology Control Plan.

<name>
Professor, Department Head
<department > / Date

MIT Acceptance

I accept this Technology Control Plan on behalf of the Institute

Michelle D. Christy
Director, Office of Sponsored Programs
Empowered Official for Export Controls / Date

Attachment 1:

BRIEFING: HANDLINGOF EXPORT-CONTROLLED INFORMATION

This project involves the use of export-controlled information, which may include:

• The International Traffic in Arms Regulations (ITAR) under the jurisdiction of the Department of State
• The Export Administration Regulations (EAR) under the jurisdiction of the Department of Commerce
• Assistance to Foreign Atomic Energy Activities (10 CFR 810) under the jurisdiction of the Department of Energy
• A Militarily Critical Technical Data Agreement (DD-2345) with the Department of Defense

Research (): OSP reviews sponsored research to assure that the conduct and results of campus research qualify as fundamental research, which is excluded from export controls.

Restricted items and technology (): However, items and technologydeveloped outside MIT — including the restricted items described in this TCP — are subject to export controls, and remain subject to these controls even if used in fundamental research.Export-controlled information involved in the project should be clearly identified. Research results may becomeexport-controlled by incorporating export-controlled information, and would need to be labeled and managed as such. If there are any questions about what information is subject to control, please consult the Export Control Officer. Sharing export-controlled information withpersons other than U.S. citizens and permanent residents is considered to be the same as exporting the information to that person’s country (“deemed export”), even if it happens in the U.S., and may require an export license or Technical Assistance Agreement.

It’s considered possible for a non-US person to acquire export-controlled information about export-controlled items, particularly ITAR-controlled items, through visual inspection, and any such transfer may require an export license or Technical Assistance Agreement.

Furnishing assistance (including training) to non-US persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of items subject to the ITAR, or furnishing ITAR-controlled technical data to non-US persons, whether in the United States or abroad, is considered a defense service and may require an export license or Technical Assistance Agreement.

Technology Control Plan: you should understand this Technology Control Plan and carefully follow its provisions. If you have any questions, ask the Responsible Individual or MIT’s Export Control Officer. Avoid unintended violations by exercising care in using and sharing export-controlled information with others. Technical information, data, materials, software, or hardware, i.e.; technology generated from this project, must be secured from use and observation by unauthorizedforeign persons. Discussions about the project or work products should be limited to the identified contributing investigators and held only in areas where unauthorized personnel are not present. Discussions with third party sub-contractors should only to be conducted under signed agreements that fully respect the non-U.S. citizen limitations for such disclosures.

Consequences:

• You may be subject to civil and criminal penalties may for unlawful export and disclosure of export-controlled information.
• If the results of the research become entangled with export-controlled information, it could delay or prevent publication of the results, and could result in loss of fundamental research qualification, which could result in additional restrictions and violations.

ITAR/EAR Export Controlled Data

ITAR or EAR Export-controlled information, referred to as Controlled Information in this document, stored at MIT should be managed in accordance with the following guidelines.

IS&T Services

IS&T provides several services at no-cost that may help individuals responsible for Controlled Information to secure its storage, access, and destruction. Please contact for more information.

• Security software, including Sophos Antivirus and Crowdstrike Falcon, a cloud-based anti-malware platform monitored in real-time by trained security professionals.

• Membership in the IS&T-managed active directory domain, providing Kerberos authentication, regular security patches, and two-factor authentication where appropriate.

• A managed hosting environment, providing domain membership as well as a managed system to hold Controlled Information in a secure and monitored environment.

Data Access

Controlled Information should not be accessed from shared or public computers such as kiosk computers in libraries, hotels, and business centers.

Systems with access to Controlled Information should be well-maintained (patched/updated regularly) and run security software to detection malware or compromise.

Access to Controlled Information should be provided to individuals on a “need to know” basis and in accordance with rules governing who is restricted from access (nationality, etc).

Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.

Data Storage

Controlled Information must be stored on Institute-owned devices and access controlled with individually-assigned accounts requiring username/password or user certificates. Two-factor authentication should be enforced for access to highly sensitive data.

All Controlled Information must be encrypted if stored on laptops, mobile devices (smartphones, tablets), or removable media (USB drives, CD/DVD). Cloud-based storage platforms, such as Dropbox or OneDrive, may be acceptable for some forms of Controlled Information with Export Office approval.

MITnet is an open network and frequently targeted by attackers. It is essential that systems storing Controlled Information be well-maintained (patched/updated regularly) and properly secured against unauthorized access. If your team lacks this expertise, please contact for assistance.

Data Destruction

Electronic media holding Controlled Information should be wiped in accordance with NIST 800–88, Guidelines for Media Sanitization. If destruction of media is desired, IS&T has relationships with several data destruction vendors and can offer assistance. Please contact for more information.

Data Transmission

Transmission of Controlled Information should be encrypted. Access to Controlled Information over WiFi must be encrypted using VPN or by using an encrypted wireless network (“MIT SECURE” or “eduroam”). If Controlled Information is sent via email, message encryption – such as PGP or S/MIME – should be used to encrypt message content. If message encryption is not possible, encryption of attachment data – such as using native Microsoft Office encryption - is permissible.

Transmission of Controlled Information via voice or fax is permissible only when there is reasonable assurance that access is limited to authorized persons.

Property Options for Disposal of Restricted Items

(once restricted material is disposed of, notify the Export Control Officer, )

1. You own something, it doesn't work and you want to destroy it meeting Gov standards for disposal of restricted items. Please check with on ownership and title of the equipment in question. The Property Office will give direction with regard to the proper method of disposal.
2. You own something. It works, but, you don't need it--

a)You want to sell it:Only MIT titled equipment can be sold to the general public. The MIT Property Office will assist with finding a buyer through the use of secondary market equipment brokers. Please contact

b)You want to donate it to an outside of MIT entity. Please check with on ownership and title of the equipment in question prior to donation.

c)You want to transfer it to another MIT entity.Please forward the MIT equipment tag number along with new Responsible Person/PI and new location to

1. Material was bought with sponsor (contract ) funds and

a)you want to return it to them,Please notify the MIT Property Office and forward the MIT Asset Tag information

b)you want to dispose of it: Please contact to deactivate the equipment record in the MIT Property Equipment Database. The Property Office will assist with the most cost-effective way to handle disposal.

c)sponsor doesn't want it back) Please contact for Surplus Equipment options.

1. It was on formal loan to you (MIT). You want to return it.

Please notify the MIT Property Office at

Please update: TCP <Project> <Responsible individual> DDMMMYYYY1