Export Control FAQs

Not finding what you're looking for? Try searching all research-related FAQs.

Export Control in a University Environment

  • Publication, access, and dissemination restrictions in the sponsored research agreement
  • Foreign party restrictions stated in the sponsored agreement
  • International travel to countries subject to U.S. embargoes and sanctions
  • Sponsor is providing export-controlled technology, technical data, or equipment
  • Non-U.S. students or visiting scholars participating in a restricted project
  • Project is sponsored by the federal government or defense contractor
  • Project is military, space-related, or has other implications to national security
  • Project will be conducted abroad or with a foreign sponsor or collaborator
  • Sponsor /entity/research/collaborator is in Cuba, Iran, North Korea, Sudan, or Syria
  • Any shipment of goods, services, information, or technology abroad

If export controls are applicable, the project could require a TCP (Technology Control Plan) and/or an export license prior to commencement of activity. If you need an export control review please contact us. For sponsored projects, please complete the EC checklist.

 

 

Yes, unfunded research may be subject to export controls, particularly international collaborations.

Export control laws and regulations affect various University activities including, but not limited to conducting research (sponsored and unsponsored), international travel, publishing research, procurement, hiring non-U.S. persons, sponsoring foreign persons (e.g., visiting scholars), collaborations with non-U.S. individuals or entities, international shipments, non-disclosure agreements, and certain services to embargoed or sanctioned countries.

Export controls are federal laws that govern the transmission of controlled items and associated technical data to foreign nationals. There are also federal regulations regarding providing services, traveling to, or working with individuals or entities from sanctioned or embargoed countries. These federal regulations not only affect items that are utilized by UA personnel, but can also affect whom the UA engages with on campus as well as around the world.

There are three primary agencies which govern export control laws and regulations: the U.S. Department of State Directorate of Defense Trade Controls; the U.S. Department of Commerce Bureau of Industry and Security; and the U.S. Department of Treasury Office of Foreign Assets Control.

Key terms and definitions

Technical data is a term defined in the International Traffic in Arms Regulations (ITAR) as information, which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles and software directly related to defense articles.  
 
Technology is defined by the Export Administration Regulations (EAR) as specific information necessary for the “development”, “production”, or “use” of a product.
 
Technical data and technology may take the form of blueprints, drawings, manuals, models, specifications, tables, formulas, plans, instructions, or documentation.
Defense articles are all items, data specifically designed, developed, configured, adapted, or modified for a military application.  Defense articles are listed on the U.S. Munitions List (22 CFR Section 121.1).
A defense service is furnishing of assistance to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles; or  the furnishing to foreign persons of any technical data controlled whether in the United States or abroad.
These are items and associated technologies that are commercially available and also have a military or proliferation applications. Items determined to have a dual capability are enumerated in the Commerce Control List.
A TCP is a protocol that outlines the procedures to secure certain export-controlled items (technical data, materials, software, or hardware) from unauthorized use, access, and observation by non-U.S. persons. The Export Control staff, with assistance from the Principal Investigator (PI), will develop a TCP that is designed for the specific project. The PI is the ultimate responsible party for adherence to the TCP by project personnel. All project personnel listed on the TCP are required to complete export control training every two years. The TCP remains in effect for as long as UA retains the export- controlled data or item, even if the project is over. Export Control will conduct an annual audit to ensure compliance with the TCP.
An individual with U.S. citizenship, Permanent resident alien (Green Card holder) or protected individual status such as refugees and asylees. Corporations or organizations incorporated in the United States are
U.S. Persons for purposes of the ITAR and EAR. It is also any business entity incorporated to do business in the United States.
A foreign entity is any corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of foreign governments. A person (even a U.S. citizen) is considered a foreign person if they work for or represent a foreign entity.
Export control regulations exempt disclosures of unclassified technical data in the United States by U.S. universities to foreign nationals where:
(1) the foreign national is the University’s bona fide full-time regular employee;
(2) the employee’s permanent abode throughout the period of employment is in the United States;
(3) the employee is not a national of an embargoed country; and
(4) the University informs the employee in writing that information disclosed may not be disclosed to other foreign nationals without governmental approval.
For University research, there are three ways that technical information may qualify for an exclusion from the deemed export rule. Information is excluded if it:
  • Is published or disseminated in the Public Domain
  • Arises during, or results from, fundamental research
  • Is educational information released by instruction in catalog courses or associated teaching laboratories of academic institutions.

It depends on the equipment and its classification; contact export control for further review.

A deemed export is the release or transmission in any form of export-controlled technology or software code within the U.S to anyone who is not a U.S. Person.

An export is the transfer of export-controlled data, items, equipment, materials, and software or providing a defense service to a non-U.S. Person or entity. An export can occur in a number of ways, such as; a physical shipment, hand-carrying an item out of the U.S., email transmission of data, presentations, discussions, or visually accessing export-controlled data.

Export Control Exclusions and Implications

The Fundamental research exclusion is a broad-based general legal exclusion to protect technical information (but not tangible items) involved in research from being controlled by export controls. In other words, research qualifying as “fundamental research” is not subject to export controls.

  • The EAR definition of Fundamental Research means research in science, engineering, or mathematics, the results of which ordinarily are published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons.
  • The ITAR defines Fundamental Research as basic and applied research in science and engineering conducted at accredited U.S. institutions of higher education where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons.
  • University research will not qualify as fundamental research if the university or researcher accepts any restrictions on the publication of the information resulting from the research, other than limited prepublication reviews by research sponsors to prevent inadvertent divulging of proprietary information provided to the researcher by sponsor or to ensure that publication will not compromise patent rights of the sponsor.

The public domain exclusion applies to information that is published and that is generally accessible or available to the public through:

  • sales at newsstands and bookstores;
  • subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
  • libraries open to the public or from which the public can obtain documents;
  • patents available at any patent office;
  • unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
  • public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency.

The educational information exclusion covers commonly taught in courses listed in catalogues and associated teaching laboratories of academic institutions in the United States.

If the U.S. Government funds research and specific controls are agreed on to protect information resulting from the research, then information resulting from the project will not be considered fundamental research. Such controls are usually contained in contractual clauses. Examples of "specific controls" include requirements for prepublication “approval” by the Government; restrictions on dissemination of information to non-U.S. citizens or other categories of persons; or restrictions on participation of non-U.S. citizens or other categories of persons in the research.

No, this kind of review, even when requested, is considered a courtesy rather than a restriction. If the award required "review and approval" it is considered a restriction as this language implies the potential of denying approval to publish or requiring changes to the report, presentation, or article prior to publication. A publication approval requirement would nullify the fundamental research exclusion.

This action is an indication that the direction of the research or some other factor has changed the project in some way to render the export control regulations applicable to this project and that, more than likely, the researcher’s work will now be export controlled.  Contact Export Control before continuing work on the project to re-evaluate for export control protocols.

Research is not subject to export controls if it qualifies for at least one of three exclusions:

(1) Fundamental research exclusion;

(2) Public domain exclusion; and

(3) Education Information Exclusion.

International Activities

The research that occurs at the University of Arizona is innovative and often of high value and needs protecting even if it is not subject to export control restrictions. Take steps to protect your information, access to university systems, and report to your department administration any concerns or peculiarities that emerge. Steps to secure your research include:
  • limiting what you take abroad;
  • keeping information in your possession or locked in a secure location;
  • using a “clean” laptop – with minimal information;
  • using the university VPN if you need to access data;
  • encrypting your device; and
  • screening collaborators in advance.

Yes. See the following link for detailed guidance on purchases and shipping. Depending on the item, export control laws and regulations may require security protocols (such as a TCP) to be in place before the item arrives on campus or is released for use. Items intended to be shipped outside the U.S. must be evaluated and coordinated by Export Control. If a license to export the item is required, Export Control will apply for such government authorizations. A customs broker may need to be involved in international shipments and purchases.

Prior to travel, to avoid collaborating with a prohibited party, foreign parties should be screened using the Restricted Party Screening tool. Export Control or your Department Administrator can assist with conducting screenings. 

Depending on your destination(s), authorization from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) may be required. Travel to an embargoed/sanctioned country (e.g.,  Cuba, Iran) may require prior authorization in the form of a license. If travel to an embargoed country is for personal reasons, no University equipment may be taken, and no University business should be conducted without prior authorization. Most activities involving Iran (even remotely) will require a license.

The purpose of the OFAC regulations is to enforce embargoes and economic sanctions. In general, the OFAC regulations prohibit exports to certain sanctioned/embargoed countries such as Iran, Cuba, Sudan, North Korea, and Syria.

OFAC considers providing anything of value or a service to Iran or the government of Iran would require prior government approval. For example, giving a professional presentation, even if it does not contain materials controlled under ITAR or EAR, is deemed under OFAC to be a “service” and “something of value” provided to the recipient audience. 

In addition to the points listed above there are other considerations which vary by country:

  • Attending a conference in Iran (OFAC considers this to be an “import”) or speaking at a conference in Iran (providing a service or something of value) requires a license. An OFAC license for Iran generally takes six to nine months (or longer) to process once submitted.
  • Participating in certain online courses abroad requires an OFAC license, if the student is ordinarily a resident of sanctioned country (Cuba, Iran, Syria, or the Crimea Region of the Ukraine).
  • Any technical discussions, formal or informal, could require a license and would be prohibited prior to the receipt of the necessary license(s).
  • Travel to Cuba has special considerations.  For information on Cuba travel, see http://www.treasury.gov/resource-center/sanctions/Programs/Pages/cuba.aspx.
  • The University of Arizona will NOT apply for an OFAC License for activities in or with Syria - no University travel to Syria will be approved. Travel to Iran will be approved on a case-by-case basis and only upon receipt of any required OFAC or other government licenses.

If an employee travels to any sanctioned country on their own time, the individual may not take or send anything university-owned such as equipment, software, technology, or data, or represent the university in any capacity.

Sanctioned Countries are designated by the U.S. Government as having limited or comprehensive trade sanctions and embargoes imposed for reasons of anti-terrorism, non-proliferation, narcotics trafficking, or other reasons. Sanctions are prohibitions on transactions (e.g., financial exchanges, providing or receiving services of value) with designated countries, entities, or individuals.

It depends on the country and the item. The U.S. government has export restrictions on certain items. Consult with Export Control to determine if your equipment, materials, data, or software is subject to these restrictions. Export Control will obtain licenses, exceptions or assist with other requirements to facilitate your travels, if required. Traveling with a “clean” laptop is recommended.

Travel outside the United States can trigger the need for a federally issued license(s), depending on the proposed destination, what you plan on taking with you, the nature of the project associated with the travel, and with whom you work.
 

UA faculty, staff, and students traveling internationally on behalf of UA for business, research, or other purposes are required to register well in advance of their departure (travel.arizona.edu). In addition to obtaining UA approval, the traveler may require a license, license exception/exemption, or other guidance to hand-carry items abroad, access data, interact with certain persons, speak at a conference, conduct research, provide training or other services, or engage in other UA related activities.

See the Export Control resource on international activities for additional guidance.

Other Considerations

A recent regulatory change was made to DOE Order 142.3A (December 13, 2019). The clause may be in DOE agreements awarded after December 2019 as well older DOE agreements that are being amended by DOE to include this revision. The revised 142.3A requires prior approval of Foreign Nationals working on DOE projects (including U.S. Permanent Residents). Contact Export Control for assistance with navigating this process.

The federal government is identifying emerging technologies essential to US national security and placing new or additional export controls on these technologies. Starting in 2019, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) published export controls on several emerging technologies. Please review this summary of emerging technologies and let the Export Control team (export@arizona.edu) know if you have any research or projects in these areas so we can work with you to ensure compliance.

Penalties

Penalties for export control violations are substantial, including significant fines, debarment from participation in federal contracting, loss of export privileges, and in some cases imprisonment.

In addition to these severe penalties, the potential reputational damage to an institution from violation of these laws could be difficult to repair, possibly resulting in lost opportunities for attracting world-class researchers and/or decreased access to research funding.

Liaison Program

Export Control works closely with various Liaisons across campus. Export Control established a liaison toolkit (checklists, forms, and procedures to determine if export control concerns exist). Examples of “red flags” include publication restrictions, foreign person restrictions, and projects related to military and space. Liaisons enable the University to be proactive in identifying/resolving issues. If you are interested in becoming a liaison contact Export Control.

CUI Overview

Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the results during the performance of the project involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.

This clause requires the university to implement security measures as outlined in the NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS  252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.

NIST 800-171 Rev. 2:  The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in the NIST; this document is summary in nature and not an exhaustive list. See the NIST for complete details.

Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.

 

 

Identifying CUI

Once a project is determined to be CUI it is managed under a security plan. The University of Arizona Export Control office worked closely with the IT-CUI team to develop “The Plan,” a joint Technology Control Plan and System Security Plan. This plan outlines the security measures researchers and staff must follow in order to protect the CUI data.

If both the 7000 and 7012 clauses are in an agreement we can go back to the prime contracting officer and ask if the University of Arizona’s portion on the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work in fundamental it nullifies the CUI clauses.

The University of Arizona’s Export Control team works closely with the Contracting Office to identify contracts with NIST requirements or clauses with publication restrictions (e.g., DFARS 252.204-7012 and 252.204-7000). Export Control is also alerted when there are similar safeguards/restriction clauses in contracts that are not sponsored by Department of Defense (NASA contracts often have similar clauses). 

An export control checklist is used in the evaluation process. The three-part checklist must be completed by the PI, Contracting Office, and Export Control. The checklist highlights DFARs clauses in addition to potential export control red flags.