1 Using Technology Control Plans in Export Compliance Mary Beran, Georgia Tech David Brady, Virginia Tech
2 What is a Technology Control Plan (TCP)? The purpose of a TCP is to control the access and dissemination of export controlled information, materials, technology, data, etc. in accordance with federal export regulations. TCP ensures that everyone working on project understand their obligations under the export control laws and regulations.
3 Authority: TCP Required The National Industrial Security Program Operating Manual (NISPOM) specifies: A Technology Control Plan is required to control access by foreign nationals assigned to, or employed by, cleared contractor facilities unless the CSA [Cognizant Security Agency] determines that procedures already in place at the contractor s facility are adequate. The TCP shall contain procedures to control access for all export-controlled information. (Emphasis Added) International Traffic in Arms Regulations (ITAR) 22CFR (c) also encourages use of a Technology Control Plan (TCP): In cases when foreign nationals are employed at or assigned to securitycleared facilities, provision by the applicant of a Technology Control Plan (available from the Defense Investigative Service) will facilitate processing.
4 Authority continued US Department of Commerce - Export Administration Act (EAA) and EAR Commerce Control List (CCL) -15 CFR US Department of Energy & Nuclear Regulatory Commission regulations -10 CFR 810, 110, 205 US Department of the Treasury - Office of Foreign Assets Control (OFAC) International Export Regulations & Requirements Institutional Policy Requirements
5 Elements of a Technology Control Plan Institutional Commitment Commodity jurisdiction and classification Physical security Information security Project personnel requirements
6 Elements of a Technology Control Plan Inspections Restricted research training Accountability Recordkeeping Violations and investigations Student and Publication Issues
7 Institutional Commitment Required in ITAR Registration Required in Voluntary Disclosure submissions Recommended key element of Export Compliance Management Plan
8 Commodity Jurisdiction and Classification Determine with sponsor, investigators what is controlled and what is not? Determine who has jurisdiction? Obtain a CJ if there is doubt Document export jurisdiction and classification clearly in the TCP
9 Commodity Jurisdiction and Classification Best Practices If doubt exists-obtain the CJ ITAR until proven innocent If self classifying: Review USML and Review contract Discuss with sponsor and PI If not ITAR/DoE, review the CCL
10 Physical Security
11 Physical Security Best Practices One lock principle Restricted work area Open/closed storage Access control and key custody Visitor control/ lab tours Available guidance
12 One Lock Principle There are no regulations specifying required security controls for unclassified export controlled items Design physical and IT security to be a minimum of one lock away from an inadvertent export without license Passwords, keys, etc. May need multiple locks depending on the items controlled and the foreign persons who may obtain unauthorized access
13 Restricted Work Area When it is necessary to control access to export controlled material in an open area during working hours, a restricted area may be established. A restricted area will normally become necessary when it is impractical or impossible to protect export controlled material because of its size, quantity or other unusual characteristic. The restricted area shall have a clearly defined perimeter, but physical barriers are not required. Personnel within the area shall be responsible for challenging all persons who may lack appropriate access authority. [modified from NISPOM 5-305]
14 Open vs. Closed Storage Closed storage: the items can be locked in a secure container (cabinet, safe, drawer) preferred (two locks- door and container) Open storage: the items cannot be stored in a secure container when not in use Less preferred, greater risk of inadvertent violation More security precautions necessary
15 Access Control and Key Custody Access log Key control Manual Electronic (preferred) No piggyback policy! Visitor control Login/logout Escorted Third party access control (e.g., custodians, maintenance, building mgt) Inspection of bags and parcels, electronic storage media
16 Visit Control and Lab Tours No visual or oral disclosure of controlled items If items cannot be secured during visit- policy of denial when: Deemed export/ defense service risk Not approved by contract or sponsor No need to know DoDI Security of Unclassified DoD Information on Non-DoD Information Systems (June 12, 2012) Proposed DFAR Safeguarding Unclassified Information Rule (June 29, 2011) Restricted party & nationality screen Include CV/ Visa review Acknowledge TCP and sign NDA
17 Available Guidance National Industrial Security Program Operating Manual (NISPOM DoD M Feb 2006) DDTC Compliance Program Guidelines BIS Deemed Exports Webinar DoDI Security of Unclassified DoD Information on Non-DoD Information Systems (June 12, 2012) Proposed DFAR Safeguarding Unclassified Information Rule (June 29, 2011)
18 Information Security
19 Information Security Best Practices NO data storage on personal computers!!! NO cloud exchange or file servers NO data storage or backup on shared servers unless approved by Research Security NO use of unsecured file sharing programs (sharepoints) unless approved by Research Security
20 Information Security Best Practices Greater security measures for networked machines Request that your department IT administrator review the TCP and help setup computers and data storage devices, Research Security can advise Basic safeguarding checklist: e.g., antivirus checks, firewall enabled, session lock, audit logs, file encryption Strong Passwords: #id
21 Information Security Best Practices Must have dedicated data storage devices (computers/portable hard drives/etc.), these will be wiped or dispositioned at conclusion of project Solid state ( flash ) drives must be destroyed, cannot be wiped If portable, must encrypt s of technical data must be encrypted (PGP, VT Soft Certificate, etc.) PI must maintain a list of computers and data storage devices used in the restricted research project, these machines will get higher level security monitoring
22 Available Guidance National Industrial Security Program Operating Manual (NISPOM DoD M Feb 2006) DoDI Security of Unclassified DoD Information on Non-DoD Information Systems (June 12, 2012) Proposed DFAR Safeguarding Unclassified Information Rule (June 29, 2011) NIST Special Publications: Recommended Security Controls for Federal Information Systems and Organizations Guidelines for Media Sanitization
23 Recordkeeping Regulatory requirement vs Institutional Policy: Whichever is longer Must be secure storage Coordinate with records management Electronic vs paper? ITAR Library
24 Foreign Person Participation Must comply with license provisos or terms of license exception/exemption Best practices: Make license part of TCP Train all participants (including foreign person) on proviso terms Disclosure of foreign travel
25 Inspections Kickoff: Lab or facility inspections are often needed to draft a TCP. Post-award monitoring: Lab or facility may be inspected as Post Approval Monitoring (PAM) or as part of annual reviews In person vs. via certification by PI Closeout: Lab or facility may be inspected as part of project closeout to ensure proper removal or destruction of materials
26 Personnel Screening Restricted Persons Screening (RPS) of all personnel with access to controlled items Includes graduate students, undergraduate students, technicians, and IT managers Screen individuals and companies Many companies offer RPS screening software Dynamic screen State license
27 Training and Education Train all project personnel with access to export controlled items, software or technical data on TCP procedures Train all personnel on reporting requirements and possible penalties for noncompliance Frequency and type of training may vary: Initial Training vs Refresher In person vs. Online Lab specific vs. Mixed groups Overview (FRE) vs. Specific (EC)
28 Accountability: Violations & Penalties Failure to comply with U.S. export control laws can result in severe penalties, both for the individual and institution: Criminal Penalties Fines: $1,000,000 per violation and imprisonment of up to 10 years. Civil Fines: $250,000 per violation, or twice the monetary amount of the underlying transaction, which ever is greater If ITAR=$500,000 per violation Debarment Negative Publicity 1. ITAR, EAR and OFAC all impose criminal and civil penalties, although the ranges of the penalties vary.
29 Accountability Who is responsible for export compliance under TCP? Best Department/PI sign Business manager or IT person for department All persons under the TCP having access to controlled items are required: To take restricted research training sign TCP acknowledgement/ NDA Who pays for an export investigation?
30 Violations and Investigations
31 Violations and Investigations Put procedures in place before a violation occurs Specify roles and responsibilities: Legal counsel (inside/outside) Attorney client privilege vs. work product Empowered official(s) Senior management IT support team Faculty, Staff, Students, others involved Other company or institution involved?
32 Violations and Investigations Investigative team Two-person rule Other company or Institution involved? Heads up and joint VSD FOIA issues (state institutions) FERPA issues (students) Available guidance: SIA Voluntary Disclosure Handbook (May 2010)
33 Student and Publication Issues Issues with student involvement with export controlled items & restricted research: Student record privacy issues FERPA FOIA Risk to student graduation (thesis/dissertation restrictions) Student disciplinary procedures
U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES EXPORT MANAGEMENT AND COMPLIANCE DIVISION COMPLIANCE GUIDELINES: HOW TO DEVELOP AN EFFECTIVE EXPORT MANAGEMENT AND
EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION EXPORT CONTROL LAWS WHAT ARE EXPORT CONTROLS? U.S. laws and their implementing regulations that govern the distribution to foreign nationals and
LAWS AND REGULATIONS GOVERNING THE PROTECTION OF SENSITIVE BUT UNCLASSIFIED INFORMATION A Report Prepared by the Federal Research Division, Library of Congress under an Interagency Agreement with the NASA
DoD 5220.22-M NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL February 28, 2006 February 28, 2006 FOREWORD As required by Executive Order 12829 and under the authority of DoD Directive 5220.22, National
Summary of Changes Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management, has
U.S. Department of Energy Washington, D.C. SUBJECT: OFFICIAL FOREIGN TRAVEL ORDER DOE O 551.1D Approved: 1. OBJECTIVE. a. To establish Department of Energy (DOE) requirements and responsibilities governing
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1
United States Government Accountability Office Report to Congressional Requesters April 2014 INFORMATION SECURITY Agencies Need to Improve Cyber Incident Response Practices GAO-14-354 April 2014 INFORMATION
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
INTERNATIONAL STANDARD ON QUALITY CONTROL 1 QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF FINANCIAL STATEMENTS, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS (Effective as of December
CCE-FCR Comptroller of the Currency Administrator of National Banks Fair Credit Reporting Comptroller s Handbook October 1996 CCE Consumer Compliance Examination Fair Credit Reporting Table of Contents
South Dakota Parental Rights and Procedural Safeguards Special Education Programs Revised July 2011 Prior Written Notice... 1 Definition of Parental Consent... 3 Definition of a Parent... 3 Parental Consent...
OSHKOSH CORPORATION The Oshkosh Way A Corporate Code of Ethics & Standards of Conduct The Oshkosh Way Dear fellow employee: We exist to serve and delight our customers and shareholders. That s our mission.
Department of State Questions 1. Why do I need to get the U.S. Government s approval to export and import defense articles and defense services? Because Section 38 of the Arms Exports Control Acts (AECA)
Data breach notification guide: A guide to handling personal information security breaches August 2014 The Office of the Australian Information Commissioner (OAIC) was established on 1 November 2010 by
Data Breach Response Guide By Experian Data Breach Resolution 2013-2014 Edition Trust the Power of Experience. 2013 ConsumerInfo.com, Inc. Table of Contents Introduction 3... Data Breach Preparedness 4...
Audit Manual PART TWO SYSTEM BASED AUDIT Table of content 1. Introduction...3 2. Systems based audit...4 2.1. Preparing for & planning the audit assignment...5 2.2. Ascertaining and recording the system...7
APPENDIX I ELEMENT FINANCIAL CORPORATION CODE OF BUSINESS CONDUCT AND ETHICS As of December 14, 2011 1. Introduction This Code of Business Conduct and Ethics ( Code ) has been adopted by our Board of Directors
United States Government Accountability Office Report to the Subcommittee on the Legislative Branch, Committee on Appropriations, U. S. Senate March 2015 INFORMATION TECHNOLOGY Copyright Office Needs to
28 CFR Part 23 CRIMINAL INTELLIGENCE SYSTEMS OPERATING POLICIES Executive Order 12291 1998 Policy Clarification 1993 Revision and Commentary 28 CFR Part 23 Executive Order 12291 These regulations are not
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
UNDER SECRETARY OF DEFENSE 5000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-5000 INTELLIGENCE December 8, 2009 Incorporating Change 5, Effective March 3, 2015 MEMORANDUM FOR SEE DISTRIBUTION SUBJECT: Directive-Type
Yahoo s Code of Ethics Winning with Integrity Winning with Integrity Yahoos, Yahoo is the place where millions of people go to see what is happening with the people and the things that matter to them most.
Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
ICS 700-1 INTELLIGENCE COMMUNITY STANDARD NUMBER 700-1 GLOSSARY OF SECURITY TERMS, DEFINITIONS, AND ACRONYMS (EFFECTIVE DATE REMAINS: 4 APRIL 2008) NOTICE: RENUMBERING OF INTELLIGENCE COMMUNITY STANDARD
51880 Federal Register / Vol. 70, No. 168 / Wednesday, August 31, 2005 / Rules and Regulations E.O.s 12549 (3 CFR, 1986 Comp., p. 189) and 12689 (3 CFR, 1989 Comp., p. 235), Debarment and Suspension. The