Export control laws and regulations affect various University activities including, but not limited to, conducting research (sponsored and unsponsored), international travel, publishing research, procurement, hiring non-U.S. persons, sponsoring foreign persons (e.g., visiting scholars), collaborations with non-U.S. individuals or entities, international shipments, non-disclosure agreements, and certain services to embargoed or sanctioned countries.
Export Control FAQs
Export Control in a University Environment
Export controls are federal laws that govern the transmission of controlled items and associated technical data to foreign nationals. There are also federal regulations regarding providing services, traveling to, or working with individuals or entities from sanctioned or embargoed countries. These federal regulations not only affect items that are utilized by UA personnel, but can also affect whom the UA engages with on campus as well as around the world.
There are three primary agencies which govern export control laws and regulations: the U.S. Department of State Directorate of Defense Trade Controls; the U.S. Department of Commerce Bureau of Industry and Security; and the U.S. Department of Treasury Office of Foreign Assets Control.
- Publication, access, and dissemination restrictions in the sponsored research agreement
- Foreign party restrictions stated in the sponsored agreement
- International travel to countries subject to U.S. embargoes and sanctions
- Sponsor is providing export-controlled technology, technical data, or equipment
- Non-U.S. students or visiting scholars participating in a restricted project
- Project is sponsored by the federal government or defense contractor
- Project is military, space-related, or has other implications to national security
- Project will be conducted abroad or with a foreign sponsor or collaborator
- Sponsor/entity/research/collaborator is in Cuba, Iran, North Korea, Sudan, or Syria
- Any shipment of goods, services, information, or technology abroad
If export controls are applicable, the project could require a TCP (Technology Control Plan) and/or an export license prior to commencement of activity. If you need an export control review please contact us. For sponsored projects, please complete the EC checklist.
Yes, unfunded research may be subject to export controls, particularly international collaborations.
Key terms and definitions
- Is published or disseminated in the Public Domain
- Arises during, or results from, fundamental research
- Is educational information released by instruction in catalog courses or associated teaching laboratories of academic institutions.
It depends on the equipment and its classification; contact export control for further review.
A deemed export is the release or transmission in any form of export-controlled technology or software code within the U.S. to anyone who is not a U.S. Person.
An export is the transfer of export-controlled data, items, equipment, materials, and software or providing a defense service to a non-U.S. Person or entity. An export can occur in a number of ways, such as a physical shipment, hand-carrying an item out of the U.S., email transmission of data, presentations, discussions, or visually accessing export-controlled data.
Export Control Exclusions and Implications
Research is not subject to export controls if it qualifies for at least one of three exclusions:
(1) Fundamental research exclusion;
(2) Public domain exclusion; and
(3) Educational information exclusion.
The Fundamental research exclusion is a broad-based general legal exclusion to protect technical information (but not tangible items) involved in research from being controlled by export controls. In other words, research qualifying as “fundamental research” is not subject to export controls.
- The EAR definition of Fundamental Research means research in science, engineering, or mathematics, the results of which ordinarily are published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons.
- The ITAR defines Fundamental Research as basic and applied research in science and engineering conducted at accredited U.S. institutions of higher education where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons.
- University research will not qualify as fundamental research if the university or researcher accepts any restrictions on the publication of the information resulting from the research, other than limited prepublication reviews by research sponsors to prevent inadvertent divulging of proprietary information provided to the researcher by sponsor or to ensure that publication will not compromise patent rights of the sponsor.
The public domain exclusion applies to information that is published and that is generally accessible or available to the public through:
- sales at newsstands and bookstores;
- subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
- libraries open to the public or from which the public can obtain documents;
- patents available at any patent office;
- unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
- public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency.
The educational information exclusion covers information commonly taught in courses listed in catalogues and associated teaching laboratories of academic institutions in the United States.
If the U.S. Government funds research and specific controls are agreed on to protect information resulting from the research, then information resulting from the project will not be considered fundamental research. Such controls are usually contained in contractual clauses. Examples of "specific controls" include requirements for prepublication “approval” by the Government; restrictions on dissemination of information to non-U.S. citizens or other categories of persons; or restrictions on participation of non-U.S. citizens or other categories of persons in the research.
This action is an indication that the direction of the research or some other factor has changed the project in some way to render the export control regulations applicable to this project and that, more than likely, the researcher’s work will now be export controlled. Contact Export Control before continuing work on the project to re-evaluate for export control protocols.
Prior to travel, to avoid collaborating with a prohibited party, foreign parties should be screened using the Restricted Party Screening tool. Export Control or your Department Administrator can assist with conducting screenings.
Depending on your destination(s), authorization from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) may be required. Travel to an embargoed/sanctioned country (e.g., Cuba, Iran) may require prior authorization in the form of a license. If travel to an embargoed country is for personal reasons, no University equipment may be taken, and no University business should be conducted without prior authorization. Most activities involving Iran (even remotely) will require a license.
The purpose of the OFAC regulations is to enforce embargoes and economic sanctions. In general, the OFAC regulations prohibit exports to certain sanctioned/embargoed countries such as Iran, Cuba, Sudan, North Korea, and Syria.
OFAC considers that providing anything of value or a service to Iran or the government of Iran would require prior government approval. For example, giving a professional presentation, even if it does not contain materials controlled under ITAR or EAR, is deemed under OFAC to be a “service” and “something of value” provided to the recipient audience.
In addition to the points listed above there are other considerations which vary by country:
- Attending a conference in Iran (OFAC considers this to be an “import”) or speaking at a conference in Iran (providing a service or something of value) requires a license. An OFAC license for Iran generally takes six to nine months (or longer) to process once submitted.
- Participating in certain online courses abroad requires an OFAC license if the student is ordinarily a resident of a sanctioned country (Cuba, Iran, Syria, or the Crimea Region of the Ukraine).
- Any technical discussions, formal or informal, could require a license and would be prohibited prior to the receipt of the necessary license(s).
- Travel to Cuba has special considerations. For information on Cuba travel, see http://www.treasury.gov/resource-center/sanctions/Programs/Pages/cuba.aspx.
- The University of Arizona will NOT apply for an OFAC License for activities in or with Syria - no University travel to Syria will be approved. Travel to Iran will be approved on a case-by-case basis and only upon receipt of any required OFAC or other government licenses.
If an employee travels to any sanctioned country on their own time, the individual may not take or send anything university-owned such as equipment, software, technology, or data, or represent the university in any capacity.
Sanctioned Countries are designated by the U.S. Government as having limited or comprehensive trade sanctions and embargoes imposed for reasons of anti-terrorism, non-proliferation, narcotics trafficking, or other reasons. Sanctions are prohibitions on transactions (e.g., financial exchanges, providing or receiving services of value) with designated countries, entities, or individuals.
It depends on the country and the item. The U.S. government has export restrictions on certain items. Consult with Export Control to determine if your equipment, materials, data, or software is subject to these restrictions. Export Control will obtain licenses, exceptions or assist with other requirements to facilitate your travels, if required. Traveling with a “clean” laptop is recommended.
UA faculty, staff, and students traveling internationally on behalf of UA for business, research, or other purposes are required to register well in advance of their departure (travel.arizona.edu). In addition to obtaining UA approval, the traveler may require a license, license exception/exemption, or other guidance to hand-carry items abroad, access data, interact with certain persons, speak at a conference, conduct research, provide training or other services, or engage in other UA related activities.
See the Export Control resource on international activities for additional guidance.
- limiting what you take abroad;
- keeping information in your possession or locked in a secure location;
- using a “clean” laptop – with minimal information;
- using the university VPN if you need to access data;
- encrypting your device; and
- screening collaborators in advance.
Yes. See the following link for detailed guidance on purchases and shipping. Depending on the item, export control laws and regulations may require security protocols (such as a TCP) to be in place before the item arrives on campus or is released for use. Items intended to be shipped outside the U.S. must be evaluated and coordinated by Export Control. If a license to export the item is required, Export Control will apply for such government authorizations. A customs broker may need to be involved in international shipments and purchases.
The federal government is identifying emerging technologies essential to US national security and placing new or additional export controls on these technologies. Starting in 2019, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) published export controls on several emerging technologies. Please review this summary of emerging technologies and let the Export Control team (firstname.lastname@example.org) know if you have any research or projects in these areas so we can work with you to ensure compliance.
Penalties for export control violations are substantial, including significant fines, debarment from participation in federal contracting, loss of export privileges, and in some cases imprisonment.
In addition to these severe penalties, the potential reputational damage to an institution from violation of these laws could be difficult to repair, possibly resulting in lost opportunities for attracting world-class researchers and/or decreased access to research funding.
Export Control works closely with various Liaisons across campus. Export Control established a liaison toolkit (checklists, forms, and procedures to determine if export control concerns exist). Examples of “red flags” include publication restrictions, foreign person restrictions, and projects related to military and space. Liaisons enable the University to be proactive in identifying/resolving issues. If you are interested in becoming a liaison, contact Export Control.
Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.
Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the information results from the performance of a project that involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.
This clause requires the university to implement security measures as outlined in NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS 252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.
NIST 800-171 Rev. 2: The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in NIST 800-171; this document is summary in nature and not an exhaustive list. See NIST 800-171 for complete details.
Once a project is determined to be CUI it is managed under a security plan. The University of Arizona Export Control office worked closely with the IT-CUI team to develop “The Plan,” a joint Technology Control Plan and System Security Plan. This plan outlines the security measures researchers and staff must follow in order to protect the CUI data.
If both the 7000 and 7012 clauses are in an agreement, we can go back to the prime contracting officer and ask if the University of Arizona’s portion of the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work is fundamental, it nullifies the CUI clauses.
The University of Arizona’s Export Control team works closely with the Contracting Office to identify contracts with NIST requirements or clauses with publication restrictions (e.g., DFARS 252.204-7012 and 252.204-7000). Export Control is also alerted when there are similar safeguards/restriction clauses in contracts that are not sponsored by Department of Defense (NASA contracts often have similar clauses).
An export control checklist is used in the evaluation process. The three-part checklist must be completed by the PI, Contracting Office, and Export Control. The checklist highlights DFARS clauses in addition to potential export control red flags.