Managing Regulated Research

Laws, U.S. Codes, and Regulation

There are numerous laws, U.S. Codes, and Regulations for each CUI type.

Develop a partnership with the Regulatory Office. THEY are the experts on this subject.

The institution should map policies to regulatory requirements and address gaps.

Researchers should review the Acceptable Use Policy and the Incident Response Policy.

See CUI for more.

Identifying and Marking CUI

Look for DFARS 52.204.7012 in contracts/grants. If included, determine if CUI is being generated or received. It is possible to not receive, generate, or access CUI; this could be fundamental research.

When CUI is created, there is a responsibility for identifying and marking CUI when applicable.

Want to learn more about marking? See: Introduction to Marking.

Jurisdiction

Determine which contractor you are working with (e.g. ITAR vs EAR). Work within their rules and regulations.

  • Dissemination Limits?
  • Restrictions on Participants?
  • Publication Approvals?

The regulatory office should be reviewing these items and more.

Export Control

Export Controlled information is any information or data that is restricted from being shared outside of the United States. This would include, but is not limited to, data for ITAR, EAR, and OFAC.

Terms that might be useful while dealing with or learning about Export Control:

US Person
  • Any US Citizen or Lawful Permanent Resident
  • Any corporation, society, or other entity incorporated or organized to do business within the US
  • Any federal, state, or local government entity within the US

Foreign Person
  • Everyone else, including foreign students on student visas (J and F) and foreign employees on H-1B or O visas

Export
  • ANY disclosure of information pertaining to US controlled technology, technical data, software/code, or equipment, whether written or oral, to anyone outside of the US
  • Disclosure through visual inspection or physical shipment of information pertaining to US controlled technology, technical data, software/code, or equipment

Technology (EAR) & Technical Data (ITAR)
  • The terms used in regulations to mean controlled technical information

Deemed Export
  • ANY disclosure of information or release of controlled technologies to a foreign person in the US is deemed to be an 'export' of that information or technology
  • Note: ANY method of disclosure would apply (emails, texts, face to face, etc.)

Jurisdiction and Classification
  • Jurisdiction is finding the relevant regulations (e.g. ITAR or EAR)
  • Classification is finding out if the item intended to be exported has a specific Export Control Classification Number (ECCN)

Setting up a Technology Control Plan (TCP) for Export Control

A TCP should provide clear guidelines and controls necessary to keep controlled technical data, information, and equipment that is subject to export control safe.

Things to consider while setting up a TCP:

  • How is the CUI being received and/or generated?
  • How is the CUI being processed and/or stored?
  • Who will need access to the CUI?
  • How will research results be shared with sponsors securely?

A TCP should additionally address:

  • Authorized Personnel 
  • Dissemination/Publication rules
  • Physical Security

A TCP should at least be signed by the Principal Investigator and the project's team. It is also a good idea to have department heads and representatives from the regulatory office sign the TCP as well.

Export Control Regulations

The 3 most likely regulations to impact university activity are those of the State Department (ITAR), the Commerce Department (EAR), and the Treasury Department (OFAC). The following activities could be in scope:

  • Performing Controlled or Proprietary Research
  • Performing Research Outside the U.S.
  • Travelling outside the U.S.
  • Presenting at Conferences Outside the U.S.
  • Hosting International Visitors
  • Shipping Equipment, Software or Technical Information Internationally
  • Engaging in International Collaborations or Partnerships
  • Paying Someone in Another Country for Items or Services
  • Advising Students from Countries Subject to U.S. Comprehensive Sanctions

Export Control regulations apply to technical information as well as physical items - and when controlled information is given to a Foreign Person it is considered to be an export to that person's country, even if it happens in the US, even if it happens on a university campus.

When collaborating with people in other countries, emails are exports. When travelling, you're exporting everything you take with you. And, of course, shipping an item outside the U.S. is exporting. These could all lead to export control violations with consequences.

Keeping a TCP Current

Amend a TCP to keep it current. Some examples of situations where a TCP might need to be updated would be:

  • Significant changes to the scope/project plan
  • Personnel additions or deletions
  • IT hardware additions or deletions
  • IT storage or software changes
  • Physical location change (office/lab changes)
  • Significant changes to physical security
  • Change to student thesis/dissertation committee or new plan of study submission

This work is supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.