EXPORT CONTROL FOR
UNIVERSITIES & RESEARCH
INSTITUTIONS
Why Has Export Control Compliance Become So Critical?
The State, Defense and Commerce Departments are paying close attention to export
compliance within the university research environment:
• Result of heightened national security concerns around access to sensitive
technology, at a time when international exposure and collaboration is
increasing.
Of concern are transfers of or access to controlled equipment and technologies here and
abroad, particularly where the institution’s activities fall outside the coverage of the
Fundamental Research Exclusion (FRE) or related exclusions (see below).
Universities and research institutions are obligated to comply with all relevant export
control regulations:
• Export Administration Regulations (EAR)
• International Traffic in Arms Regulations (ITAR)
• Office of Foreign Assets Control (OFAC) regulations.
Recent government enforcement activity has resulted in a number of audit findings with
civil liability consequences, including monetary penalties, as well as criminal
prosecution: individual and institutional liability.
What Triggers the Need for a Compliance Program?
Sponsored Research
•
Faculty-Sponsored Research
•
International Campuses and Collaborations
Distance Learning
•
Core Elements of a Compliance Program
Export Management System
A documented set of policies, procedures, desk-top instructions and
checklists (distributed and/or posted to website) that address all necessary
elements of compliance including, but not limited to the following:
Policy statement reflecting commitment to export control
Overview of Regulations: EAR, ITAR, OFAC
Responsible Parties/Empowered Officials - ITAR
Proper Use of
• Fundamental Research Exclusion – EAR
• Public Availability Exclusion – EAR
• Public Domain Exclusion – ITAR
• Educational Information Exclusion EAR/ITAR
• Employment Exclusion - ITAR
Nondisclosure Agreements EAR/ITAR
Prohibited party/entity screening EAR/ITAR
Jurisdiction determination – ITAR
Defense Services – ITAR
Classification for dual use destination controls - EAR
Core Elements of a Compliance Program continued…
Deemed Exports to controlled foreign nationals – EAR/ITAR
Licensing/export authorizations and exemptions – EAR/ITAR
Technical Data Transfer – EAR/ITAR
Procurement – EAR/ITAR
Collaborations: research institutions/corporations – EAR/ITAR
• International
• Domestic
Technology Control Plan (IT access, physical security, visitor, travel,
courier, hand-carried) – EAR/ITAR
Re-exports and retransfers- EAR/ITAR
Shipping hardware/AES compliance – EAR/ITAR
Encryption management – EAR/ITAR
Timely problem notification – EAR/ITAR
Internal audit – EAR/ITAR
Training – EAR/ITAR
OFAC prohibitions.
Export Management Infrastructure
Office or Director of Sponsored Research or Programs may not have sufficient
visibility.
Requires a broader cooperative effort among numerous offices and
departments throughout the university: Counsel, IT, Admissions, IP or
Material Transfer, Academic Deans, PI’s, Research Directors, Distance
Learning, Procurement, International Programs
Network of “Export Control Coordinators (ECC)” or “facilitators” is critical:
• Embedded in the academic and research environment, and trained to
identify export control issues and either field them (preliminarily or
for resolution) or make sure the issues are routed to the lead export
control professional.
Compliance payoff: research administrators, PI’s, departmental directors –
anyone confronting a potential export control issue - will likely perceive the
export compliance program as a passport or enabler toward timely moving the
process forward, rather than an impeding factor or unnecessary hindrance to be
ignored.
Key Questions to Help Identify Issues
Have export control priorities been identified and, if so, addressed?
Is institutional leadership sufficiently aware of the compliance obligation
and enforcement penalties; if so, are there sufficient tools and resources to
meet the compliance obligation?
Does Sponsored Research have sufficient visibility into research and
academic activities such that export controls issues are proactively
managed?
Where control procedures exist, are they comprehensive enough to
address the proper use and maintenance of the FRE, related exclusions
and/or specific export controls?
Where there is an overseas campus or collaboration, does the control
program protect the university’s activities abroad?
Choosing the Right Compliance-Building Tool
The key is to develop a program that is:
priority-driven
proportionate to the needs of faculty and
administrators
accomplishable within a reasonable period of
time
transparent to its users
cost effective
Export Risk Assessment
Identifying compliance priorities: areas likely to present
the most serious and immediate exposure.
A high-level export risk assessment and resulting report enables
the export control administrator to:
• Methodically evaluate key points of exposure throughout the
university
• Understand who potential process owners might be for
remedial purposes
• Understand how data necessary for compliance is best
collected through IT and manual solutions
• Develop the level of procedural safeguards appropriate to the
circumstances
Development of Export Management Systems (EMS) and
Technology Control Plans (TCP)
Once compliance priorities are identified, it becomes easier to
develop the necessary processes and procedures to address
controls, through a well-documented and transparent EMS and/or
TCP.
EMS: broad coverage over all aspects of an export program
including proper use of the FRE and related exclusions
TCP narrow or broad as necessary: might apply only to one
particular program (addressing data segregation, identity
management for access purposes, file back up and storage, etc);
or, cover a significant number of projects or programs governed
under ITAR or the EAR.
Extension of Export Controls Internationally
Assess how your existing export control program can be leveraged
and extended to protect curriculum and research activity abroad.
Develop a global Technology Control Plan that addresses a
particular off shore project or collaboration, but that is flexible
enough to extend to other locations and programs with minor
adjustment as needed.
Because international expansion also triggers Intellectual Property
(IP) and “permanent establishment” income tax concerns, ensure
that the means and objectives of the export program are consistent
with IP and tax objectives as well.
Development of Export Control Coordinators (ECC)
and supportive infrastructure
Develop a cadre of trained, accessible internal coordinators to
provide export control guidance to their respective departments and
data collection to the lead export control function.
Key Selection criteria:
• Available and willing
• Sufficiently objective about compliance responsibility
• Technically connected enough to the academic or
research area so as to support practical solutions.
Leadership Briefings and Departmental Trainings
Securing the commitment of institutional leadership is critical by
providing a cogent, high level briefing on potential exposure and
enforcement penalties.
Focus on what export control issues and procedures are particularly
relevant; how to manage compliance proactively; and internal
resources.
Train. Train. Train!
Export Control Help Desk – Compliance with all EAR,
ITAR, and OFAC regulations
FRE and related exclusion analysis, one-off or multiple ECCN
classifications, encryption notification and review, screening tools,
commodity jurisdictions, license applications/reviews, guidance on
OFAC, shipping questions, voluntary disclosures, internal audit
templates, IT-related aspects of control plans, Intellectual Property
transfers and control implications, and procedural support.
Contact:
Fischer & Associates
Dfischer56@aol.com
415-987-4039
Export Controls – Enforcement
Against Universities and UC
Compliance Responses
UC Compliance and Audit Symposium
February 3, 2009
16
Prior Export Criminal
Enforcement Against
University Professor
• Thomas Butler
– chief of Infectious
Disease Division at
Texas Tech’s
Department of Internal
Medicine
• Select Agent violations,
accounting fraud
• One count for transfer of
plague sample to
Tanzania
J. Reece Roth
• Professor
Emeritus of U. of
Tennessee,
Knoxville
• 18-count
indictment for
technology
transfer to foreign
nationals
UT Not Indicted
• UT was “victimized by the conspirators” and
cooperated throughout with the FBI
• UT’s Code of Conduct specifically prohibited
employee activities that violated federal
securities laws
• UT policies required employees to report
violations of state or federal laws.
• UT policies required employees to
– Understand any export control requirements that
related to employee’s work
– Ensure that no exports were made contrary to
requirements
Conspiracy Charge
• AGT subcontracted to Roth
• Roth employed foreign grad students,
including China and Iran
• Roth and AGT falsely stated to AFRL that
no foreign nationals would be used
• Roth directed foreign nationals to work on
the project
– AGT assigned PRC national to work on
project in task order to Roth
– Roth sent letter to PRC national asking him to
work on project
Export Violations
• AGT exported restricted technical data to foreign
national
– Final report
– Progress reports
• Roth exported restricted technical data in travel
to PRC and delivery of 30-pp DARPA proposal
containing plasma actuator technology for
specific USAF aviation munitions project
• Roth directed PRC student to transmit data to
PRC contact
• Roth allowed access to restricted equipment and
data to Iranian student
Trial
• Roth:
– Didn’t believe he had broken the law
– Research hadn’t produced anything
tangible
– Received only $6,000 from contract
• US:
– Roth knew information was restricted
– Initially kept restricted information with
U.S. student but eventually shared with
foreign nationals
Conviction
• Guilty on all 18 counts
• Jurors deliberated 6 hours
• Roth faces 160 years and $1.5M in
fines
• Verdict “should serve as a warning
to anyone who knowingly discloses
restricted U.S. military data to
foreign nationals.” – Patrick Rowan,
Acting Asst. AG for National Security
UC Export Control
Compliance Plan
• Use of
Fundamental
Research
Exclusion
• Basic Do’s and
Don’ts
National Security Decision
Directive 189
• To the maximum extent possible, the products of fundamental
research should remain unrestricted.
• Where the national security requires control, the mechanism for
control of information generated during Federally-funded
fundamental research in science, technology, and engineering at
colleges, universities, and laboratories is classification.
• No restriction may be placed upon the conduct or reporting of
Federally-funded fundamental research that has not received
national security classification, except as provided in applicable
U.S. statutes.
• President Bush’s National Security Advisor, Condoleezza Rice,
reaffirmed NSDD-189 in November 2001.
UC Policy on Publication
• “It is a long-standing University policy that
freedom to publish or disseminate results is a
major criterion of the appropriateness of a
sponsored project, and particularly of a research
project.” - UC Contract and Grant Manual
section 1-410
UC Policy on Citizenship
Restrictions
• “. . . it is contrary to University policy to accept
provisions in sponsored projects or gifts which
require discrimination in employment, including
discrimination based on citizenship.” -- Council
of Chancellors, June 17, 1988
What is „Fundamental Research‟?
• The export regulations, both EAR & ITAR,
define fundamental research as:
– Basic and applied research in science
and engineering conducted at US
universities, the results of which
ordinarily are published and shared
broadly within the scientific community.
– See Supplement No. 1 to Part 734 for
extensive explanatory questions and
answer regarding what is not subject to
the EAR in the context of university and
research laboratory activities.
What is Not Fundamental Research?
• Given this definition of fundamental research, university
research will not qualify as fundamental research if
– The university or research institution accepts any
restrictions on the publication of the information resulting
from the research, other than limited prepublication
reviews by research sponsors to prevent inadvertent
divulging of proprietary information provided to the
research by the sponsor or to ensure that publication will
not compromise patent rights of the sponsor; or
– The research is Federally-funded and specific access and
dissemination controls regarding the resulting information
have been accepted by the university or researcher.
Do‟s and Don‟ts – Shipping
• Do NOT ship any item outside the U.S. without
first checking the ITAR and EAR lists to determine
if the item is controlled.
• Secure license approval or verify license
exception PRIOR to shipment for all controlled
items.
Do‟s and Don‟ts – Restricted
Information
• Do NOT enter into secrecy agreements or
otherwise agree to withhold results in project
conducted at the University or that involve
University facilities, students or staff.
• Do NOT accept proprietary information from
another that is marked “Export
Controlled”. Review any Confidentiality/
Non-Disclosure Agreements to insure that
UC and you are not assuming the burden of
restricting dissemination based on
citizenship status or securing licenses.
Do‟s and Don‟ts – Citizenship
Restrictions
• Do NOT provide citizenship, nationality, or visa
status information for project staff to others or
include such information in proposals.
• Do NOT agree to background checks or other
arrangements where the external sponsor
screens, clears, or otherwise approves project
staff.
• Do NOT attend meetings where foreign nationals
are prohibited from attending. Do not sign the
DD2345, Militarily Critical Technical Data
Agreement, as a condition of attending a
conference or receiving materials from the
government.
Do‟s and Don‟ts - Travel
• Do NOT travel to Cuba, Iran, North
Korea, Sudan, or Syria for research or
educational activities without first
contacting the campus Office of
Research to secure a license from the
Office of Foreign Assets Control.
• Do review equipment that you will be
taking with you against export controls.
A license may be required.