Technology Control Plan (TCP)

Development

If the ECO determines a project is ITAR controlled, the ECO will work with the Principal Investigator to develop and implement a Technology Control Plan (TCP) to secure the controlled technology from access by unlicensed non-U.S. citizens. The TCP will include:

  •  a commitment to export controls compliance;
  • identification of the relevant export control categories and controlled technologies;
  • identification of the project’s sponsors;
  • identification and nationality of each individual participating in the project;
  • appropriate physical and informational security measures;
  • personnel screening measures; and
  • appropriate security measures for and following project termination.

Appropriate Security Measures

The TCP will include physical and informational security measures appropriate to the export control categories involved in the project. Examples of security measures include but are not limited to:

  • Laboratory Compartmentalization. Project operation may be limited to secured laboratory areas physically shielded from access or observation by unauthorized individuals. These areas must always remain locked.
  • Time Blocking. Project operation may be restricted to secure time blocks when unauthorized individuals cannot observe or access.
  • Marking. Export controlled information must be clearly identified and marked as export controlled.
  • Personnel Identification. Individuals participating in the project may be required to wear a badge, special card, or other similar device indicating their access to designated project areas. Physical movement into and out of a designated project area must be logged.
  • Locked Storage. Tangible items such as equipment, associated operating manuals, and schematic diagrams should be stored in rooms with key-controlled access. Soft and hardcopy data, lab notebooks, reports, and other research materials should be stored in locked cabinets.
  • Electronic Security. Project computers, networks, and electronic transmissions should be secured and monitored through user IDs, password controls, 128-bit Secure Sockets Layer (“SSL”) encryption or 29 other federally approved encryption technology. Database access should be managed via a Virtual Private Network (“VPN”).
  • Confidential Communications. Discussions about the project must be limited to the identified and authorized project participants, and only in areas where unauthorized individuals are not present. Discussions with third party sub-contractors must occur only under a signed agreement which fully respects the non-U.S. citizen limitations for such disclosures.

Training and Certification

Before any project member may observe or access the export-controlled technology, the PI assigned to the project must brief the project members on the procedures authorized under the fully executed TCP.