Fundamental Considerations
Proper classification of research and technology is essential to ensure compliance. Misclassification or a lack of awareness can lead to violations, penalties, and restrictions on future research.
Types of Research
Research is generally classified into three categories under export control frameworks:
- Fundamental Research: Defined as basic and applied research where the results are shared broadly within the scientific community. Under the Fundamental Research Exclusion (FRE), such research is excluded from export controls as long as there are no restrictions on publication or participation by foreign nationals. Examples include research published in peer-reviewed journals or presented at open conferences.
- Basic Research: Involves exploring fundamental principles and theories, often without immediate commercial application. May be subject to export controls if it involves restricted technologies, equipment, or collaborations with embargoed entities.
- Applied Research: Focuses on developing practical solutions to real-world problems, with potential for commercial, industrial, or military applications. Frequently falls under export controls, particularly if it involves proprietary or classified data, controlled hardware, or dual-use technologies.
Types of Information
The classification process also extends to identifying the type of information involved in research:
- Technical Data: Includes blueprints, schematics, manuals, and instructions related to controlled technologies. May be subject to the ITAR or EAR if it pertains to controlled items, especially those with military or dual-use applications.
- Published Information: Information already in the public domain, such as articles, patents, and presentations. Is generally exempt from export controls unless modified to include proprietary or sensitive details.
- Educational Information: Information conveyed in course materials or classroom settings. Is typically excluded from export controls, provided it aligns with the FRE and does not involve restricted technologies.
- Proprietary Information: Includes data protected by intellectual property laws or designated as confidential. It is often subject to export controls, especially if shared with foreign nationals or international collaborators.
- Software and Algorithms: Includes source code, executable files, or algorithms used in research or development. These may fall under export controls if they involve encryption, emerging technologies, or military applications.
Dual-use technologies refer to items, software, and information that can be used for both civilian and military purposes. These technologies are regulated under the EAR and, in certain cases, the ITAR to prevent their misuse or diversion to activities that may pose risks to national security or global stability. Research involving dual-use technologies often requires heightened scrutiny due to their potential sensitivity.
Examples of Dual-Use Technologies include:
- Artificial Intelligence (AI): Autonomous weapons, cybersecurity, surveillance, or military strategic decision-making.
- Advanced Computing: Computing systems supporting encryption, missile guidance, or nuclear simulation.
- Biotechnology: Genetic engineering, synthetic biology, or CRISPR technologies with potential applications in bioterrorism or bioenhancement.
- Unmanned Aerial Vehicles (UAVs): Drones used for military reconnaissance, surveillance, or weapon delivery.
- Remotely Operated Vehicles (ROVs): Underwater or aerial systems used in deep-sea exploration, which can be adapted for mine detection, military surveillance, or other defense-related purposes.
- Marine Technology: Underwater systems, sonar technologies, or autonomous maritime vehicles that could aid military submarines or maritime security operations.
- Materials Science: Advanced materials with high durability, stealth properties, or heat resistance for applications in aerospace, defense, or weapon systems.
- Quantum Computing: Technologies in cryptography, secure communications, or codebreaking.
- Cybersecurity Tools: Encryption software or network-protection systems that could be adapted for cyber warfare.
- Satellite Technologies: Communication or surveillance systems with military applications.
- 3D Printing (Manufacturing): Capabilities to create components for weapons, drones, or other military equipment.
- Energy Technologies: Nuclear energy systems or battery tech with potential military use, such as powering advanced weapon systems.
- Robotics: Semi/autonomous robots with potential applications in battlefield operations, bomb disposal, or surveillance.
- Laser Technologies: High-energy lasers for use in targeting, missile defense, or disabling adversary technologies.
Key Challenges
- Identification: Emerging technologies may not be explicitly listed under existing export control categories but can fall under catch-all provisions based on their potential dual-use applications. Determining whether a technology qualifies as dual-use may require consultation with the Office of General Counsel (OGC).
- Collaboration Risks: Collaborative projects with international entities, particularly from restricted or embargoed countries, may unintentionally expose dual-use technologies. Proper vetting and compliance checks are essential.
- Licensing Complexity: Export licenses are often required for transferring dual-use technologies, including deemed exports (transfer to foreign nationals within the U.S.).
- Rapid Evolution: The fast-paced development of emerging technologies, such as AI or quantum computing, can outpace regulatory updates, which can create gaps in regulatory oversight.
- Overlapping Regulatory Jurisdictions: Technologies may be subject to both EAR and ITAR, as well as international agreements like the Wassenaar Arrangement, which governs export controls for conventional arms and dual-use goods. Recognize that many emerging technologies may also qualify as dual use under EAR and require additional scrutiny.
- Ethical Concerns: The potential for misuse of dual-use technologies, particularly in biotechnology or AI, raises ethical questions that complicate regulatory and research decisions.
1. Identification and Classification of Controlled Activities:
To ensure compliance with export control regulations, the following steps should be taken to identify and classify controlled activities:
- Understand the Scope of the Project: Define the objectives and intended use of the work, including potential applications with military, dual-use, or sensitive implications. Review funding sources for any restrictions on publication, dissemination, or personnel participation.
- Assess Personnel Involvement: Identify all personnel and any foreign nationals on the research team and their roles. Check for affiliations with sanctioned or embargoed countries among collaborators, institutions, or companies.
- Analyze Technology and Materials: Clarify whether the work involves dual-use, critical, or emerging technologies listed on the EAR CCL or the ITAR USML. Verify the involvement of regulated commodities, software, technology, or materials (e.g., encryption software, biological agents, defense-related items).
- Evaluate Export Control Applicability: Determine whether the project qualifies for the Fundamental Research Exemption (open dissemination with no restrictions) or another exclusion. Identify any export-controlled materials, regulations, terms, or proprietary restrictions that disqualify the project from this exemption.
- Complete the Export Intake Questionnaire: Address key compliance questions about objectives, personnel, technology, and potential ITAR applicability using the Export Control Intake Questionnaire.
2. Consultation and Review:
Effective consultation and review ensure proper classification and compliance with regulations:
- Submit Documentation: Provide the completed export intake questionnaire and supporting materials to the DIEC for review to determine applicable regulations (EAR, ITAR, or OFAC).
- Develop a Technology Control Plan (TCP): If export controls or restrictions apply, create a TCP specifying measures for safeguarding controlled technology and data, including access restrictions and monitoring procedures.
- Licensing Requirements: Identify whether an export license is required for any materials, technology, or data. Collaborate with the DIEC to prepare and submit license applications to the appropriate federal agency.
3. Implementation of TCP:
Once activities are identified as export-controlled, specific controls must be implemented such as:
- Training: Ensure all research personnel complete required CITI Training on export control regulations.
- Access Restriction: Limit access to authorized personnel only. Secure project data and equipment with card-access rooms or camera monitoring as needed.
- Compliance Monitoring: Conduct regular audits to ensure adherence to the TCP and export control regulations. Maintain detailed records of access, transfers, and dissemination of controlled technology and data.
4. Data Management, Sharing, and Transfer:
To properly handle data and minimize the risk of noncompliance:
- Data Classification: Clearly label data as "Export-Controlled" and handle it according to required protocols.
- Internal Transfers: Securely transfer controlled data within the institution using encrypted methods and avoid unsecured methods (e.g., email).
- External Transfers: Obtain necessary export licenses before sharing controlled data with external collaborators. Use secure transmission methods, such as encrypted file transfer protocols (SFTP or FTPS, not plain FTP, which sends data and credentials unencrypted). Consult with CITS, as necessary.
5. Research with International Collaborators:
Collaboration with international researchers requires additional precautions:
- Collaborator Screening: Consult with DIEC to verify international collaborators are not subject to restrictions. Ensure foreign nationals do not access controlled technologies without appropriate licenses.
- Collaboration Agreements: Include export control requirements in agreements with international collaborators to address expectations with technology transfer, data sharing, and sensitive material handling to ensure compliance.
6. Reporting and Oversight:
Ensuring ongoing compliance requires robust reporting and oversight mechanisms:
- Incident Reporting: Immediately report potential violations or breaches to the OIEC.
- Documentation: Maintain records of all activities subject to export controls, including intake questionnaires, TCPs, training logs, and export licenses.
- Periodic Review: Engage in periodic reviews with the DIEC to address changes, as necessary.
7. Disposal of Export-Controlled Technologies and Data:
To ensure secure disposal procedures and prevent unauthorized access to controlled technologies and data:
- Physical Components: Destroy or decommission export-controlled equipment following secure procedures (e.g., shredding documents, degaussing hard drives, dismantling sensitive equipment).
- Digital Data Disposal: Use certified data-wiping software to securely delete digital data.
Handling of Export-Controlled Data & Information
It is unlawful under the ITAR to send or take export-controlled information out of the U.S., or to disclose (orally or visually) or transfer export-controlled information to a foreign person inside or outside the U.S., without proper authorization. Security measures will be appropriate to the classification involved. Examples of security measures are:
- Project personnel – Contributing personnel are clearly identified.
- Laboratory – Place project data and/or materials in secured laboratory spaces, physically shielded from observation by unauthorized individuals, or during secure time blocks when observation by unauthorized persons is prevented.
- Label export-controlled information – Export-controlled information is clearly identified and labeled.
- Work products – store soft and hardcopy data, lab notebooks, reports, and research materials in locked cabinets; preferably located in rooms with key-controlled access.
- Equipment or internal components – Such tangible items and associated operating manuals and schematic diagrams containing identified “export-controlled” technology are to be physically secured from unauthorized access.
- Electronic communications and databases – Take appropriate measures to secure controlled electronic information, for example: user IDs and password controls; SSL/TLS or other approved encryption technology; database access management via a Virtual Private Network (VPN). Only authorized users may access the site, and all transmissions of data over the internet will be encrypted using 128-bit Secure Sockets Layer (SSL), its successor TLS, or other advanced, federally approved encryption technology.
- Conversations – Limit discussions about the project or work products to the identified contributing investigators and hold discussions only in areas where unauthorized personnel are not present. Discussions with third-party sub-contractors are only to be conducted under signed agreements that fully respect the non-U.S. citizen limitations for such disclosures.
Notice: UMass Dartmouth does not have the facilities, resources, or approval to conduct ITAR-restricted research. Any project involving ITAR-controlled technology will not be allowed on the UMass Dartmouth campus.
Restricted Party Screening (RPS) is a compliance process designed to prevent U.S. persons and institutions from engaging with specific restricted entities. U.S. laws prohibit U.S. persons and institutions from engaging in certain transactions with restricted parties, including foreign individuals, governments, organizations, and companies. Violating these regulations can lead to significant legal consequences for both UMassD and the individuals involved. RPS is essential for identifying entities and individuals that appear on U.S. government "restricted party" lists, ensuring that UMassD complies with export control regulations before entering into international collaborations, hosting visitors, or engaging in other activities that could involve restricted parties. UMassD implements a proactive RPS approach to help mitigate the risk of inadvertently engaging with restricted parties and to ensure UMassD remains in compliance with U.S. export control laws.
Key Screening Lists Include:
- EAR Denied Persons List (DPL): Individuals or entities whose export privileges have been revoked or suspended by the Bureau of Industry and Security (BIS).
- EAR Entity List: Foreign entities involved in activities that pose a threat to national security or foreign policy interests, such as the proliferation of weapons technologies. These entities require a license for certain transactions.
- Specially Designated Nationals and Blocked Persons (SDN) List: Maintained by the Office of Foreign Assets Control (OFAC), this list includes individuals and entities involved in terrorism, narcotics trafficking, human rights abuses, or other activities subject to U.S. sanctions.
- Arms Export Control Act (AECA) Debarred Parties: Entities barred from engaging in the export of defense articles and services regulated under the International Traffic in Arms Regulations (ITAR).
- Unverified List (UVL): Foreign persons or entities for which the Department of Commerce has been unable to verify their bona fides. Transactions with these parties require enhanced due diligence.
- Military End User (MEU) List: Entities associated with military applications in countries of concern, requiring export licenses for certain transactions under the EAR.
- Foreign Sanctions Evaders (FSE) List: Foreign individuals and entities who have violated or attempted to evade U.S. sanctions, primarily related to Syria and Iran.
- Sectoral Sanctions Identifications (SSI) List: Foreign entities involved in restricted sectors of the Russian economy (e.g., energy, finance, and defense) as identified by OFAC.
- List of Statutorily Debarred Parties: Individuals or entities debarred under statutes like the AECA or ITAR for violations related to defense exports.
- Non-SDN Palestinian Legislative Council (NS-PLC) List: Individuals or entities affiliated with the Palestinian Legislative Council who are subject to U.S. sanctions.
- Excluded Parties List System (EPLS): Managed by the General Services Administration (GSA), this list includes entities excluded from receiving federal contracts, subcontracts, or other federal assistance due to violations.
- Denied Order List (DOL): Managed by BIS, this list includes individuals or entities that have been denied export privileges due to noncompliance with U.S. export laws and regulations.
When Restricted Party Screening is Needed
- International Collaborations – Before engaging in any research collaboration with international partners, all entities must be screened.
- Teaching Abroad or Online – If UMassD faculty or staff plan to teach a course abroad or through international online platforms, the students and host institutions must be screened.
- Conference Participation – Before presenting at international conferences or collaborating with international sponsors, the conference organizers and sponsors must be screened.
- Hosting International Visitors – All international visitors must be screened before coming to UMassD.
- Exchange of Personnel, Materials, Data, Technical Information, or Money – Any transfer of research-related materials, data, personnel, or financial transactions with international entities requires screening.
What Information is Needed for RPS
To conduct an effective restricted party screening, UMassD requires detailed information about the individuals and entities involved in the transaction or collaboration, including:
- Names: Full names of individuals or organizations.
- Affiliations: The organizations or institutions with which the individuals are associated.
- Contact Information: Basic contact details such as phone numbers, email addresses, and physical addresses.
- Purpose of Collaboration or Exchange: A brief description of the activity or project, including the nature of the data, materials, or personnel being exchanged.
- Country of Origin/Residence: Information about the country in which the entity or individual is located or originates from, as some sanctions and controls are country specific.
Key Challenges:
The complexity of managing relationships with international collaborators, the evolving nature of U.S. sanctions, and the potential for individuals or entities to appear on these lists without clear prior notice pose significant compliance challenges. Investigators with international collaborations must be mindful of these complexities.
Collaboration and Oversight
Restricted party screening is a key component of UMassD’s overall research compliance framework. If a match is found during the screening, the information is reviewed by UMassD’s DIEC and CRO. In consultation with the Office of General Counsel (OGC), they will determine whether the collaboration or transaction can proceed, whether a license is required to engage with the restricted party, or if modifications are needed to comply with U.S. law.
UMassD is committed to compliance with U.S. federal laws regulating exports to sanctioned countries. The U.S. government, through the OFAC and other agencies, imposes sanctions on specific countries, restricting the transfer of goods, technology, services, and information to those regions.
Comprehensively Sanctioned Countries:
The following countries/regions are subject to comprehensive sanctions, meaning most transactions, exports, and dealings are prohibited unless authorized by an OFAC license:
- Cuba
- Iran
- North Korea
- Russia
- Syria
- The Crimea region of Ukraine (Note: these restrictions apply to both Crimea and parts of eastern Ukraine.)
Notice: Transactions, including those involving persons "ordinarily resident" in these countries, require an OFAC License.
Other Countries Subject to OFAC Sanctions:
The U.S. imposes targeted sanctions on the following countries, regions, and groups. These sanctions typically involve individuals, entities, or sectors rather than a blanket embargo:
- Afghanistan
- Balkans
- Belarus
- Burma (Myanmar)
- Central African Republic
- Congo, Democratic Republic of
- Ethiopia
- Hong Kong
- Iraq
- Lebanon
- Libya
- Mali
- Nicaragua
- Somalia
- South Sudan
- Sudan
- Venezuela
- Yemen
Sectoral Sanctions:
Some countries, while not fully sanctioned, are subject to sectoral sanctions that limit activity in specific industries, such as energy, defense, or technology. These sanctions often include prohibitions on funding, export of specific items, and collaborative research in the restricted sectors. These restrictions can apply to certain industries (e.g., finance, energy, or advanced technology) and transactions involving entities or individuals tied to those sectors. For example, Russia and Belarus face sectoral sanctions restricting energy, financial services, and defense-related activities. Even if a country is not directly sanctioned, engaging with organizations or entities that conduct business with sanctioned countries could result in penalties under secondary sanctions. For example, a U.S.-based researcher collaborating with an international partner involved in activities with Iran may face compliance risks.
For more information, please see OFAC’s Sanctions Programs and Country Information.
Countries Subject to Military Embargoes:
The U.S. imposes additional restrictions on exports, re-exports, and transfers of defense-related items and technologies to certain military-embargoed countries. The following countries are designated as military-embargoed:
- Afghanistan
- Belarus
- Burma (Myanmar)
- Central African Republic
- China
- Cuba
- Congo, Democratic Republic of
- Eritrea
- Iran
- Iraq
- Lebanon
- Libya
- North Korea
- Russia
- Somalia
- South Sudan
- Sudan
- Syria
- Venezuela
- Zimbabwe
Key Considerations:
- Any research activity involving a country on the sanctions list requires careful review. This includes research collaborations, export of goods or technology, and any form of information exchange.
- The U.S. government may require a specific license or other authorization before any transfer of materials, technologies, or services can occur with entities or individuals in sanctioned countries.
- Before initiating research that could involve a sanctioned country, review the parties and locations involved. If there is any possibility that the research involves a sanctioned country or entity, the DIEC must be notified to assess whether a license or authorization is required. Do not engage in any export or transaction without the appropriate governmental approvals, as required.
- Ensure all required licenses are obtained and keep thorough records of all communications and approvals related to sanctioned countries.
For export purposes, a license is the relevant U.S. government department's grant of permission for the transfer, release, transmission, or export of goods, technologies, data, or services. The U.S. government departments of Commerce, State, and Treasury issue licenses for specific transactions—defining which commodities, technologies, data, or services may be exported to specific end-users, for specified end-uses, and to particular countries. No matter how "benign" an item may appear, it still may require a license for export or for release of related technology to foreign nationals. Additionally, some destinations and persons (individuals or groups) are subject to comprehensive export controls, especially those targeted by U.S. sanctions programs. This is particularly relevant for exports to countries and regions comprehensively sanctioned by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), such as Iran, North Korea, Cuba, Syria, Crimea, Donetsk, and Luhansk. A license may also be required to "re-export" an item that was produced or originated in the United States. A "re-export" refers to the shipment or transmission of an item from one foreign country to another foreign country. Similarly, "release" of technology or software (such as source code) in one foreign country to a national of another foreign country may also constitute a re-export.
- The Commerce Department handles licensing for dual-use items and “low-level” military items. Regulations regarding the export of these goods and associated technologies are found in the CCL (15 CFR 774, Supplement 1).
- The State Department is responsible for licensing items with military applications, typically governed by the USML.
- The Treasury Department manages the licensing of services and financial transactions under its sanctions regulations.
Note: In some cases, multiple department licenses may be required.
To determine if a license is needed, consider the following general questions:
- Is the person a U.S. citizen, permanent resident (green card holder), or a protected individual as defined by 8 U.S.C. § 1324b(a)(3) (e.g., foreign nationals such as refugees and asylees who are protected persons and considered U.S. persons for export control purposes)?
- Is the information already published?
- Is it educational information covered in a course catalog?
- Is the technology disclosed in a published patent application or an issued patent?
- Is the research considered fundamental research that will be published?
- What is the jurisdiction and classification of the product – is it EAR99, or something else?
- Do the results of restricted party screening raise any flags?
- Is the destination subject to a comprehensive sanction or embargo?
- Does a license exclusion or exemption apply?
- If none of the above apply, a license may be required.
If the activity is controlled under export regulations, then a license or other approval is needed from the relevant oversight agency, unless an exemption or exception applies.
Examples of activities that often require a license:
- Research involving defense, military, weapons, or space technologies.
- Exporting a commodity or good outside of the U.S.
- Attending a conference outside of the United States and sharing controlled information.
- Activities where export control exceptions do not apply.
- Transfer of technical data regarding controlled technologies to foreign nationals in or outside the U.S.
- Providing anything of value to a person from a sanctioned country or on a restricted party list.
When exclusions or exceptions do not apply, or if the transaction involves dealing with a sanctioned entity or country, a license must be obtained for any export, deemed export, or re-export prior to the transfer of any commodity, data, or, in the case of sanctions, the provision of any service or financial value.
Physical Exports
When a physical export of controlled items, technology, or data is necessary, a sequential analysis is essential to ensure compliance with U.S. export control laws. The exporter is required to know the customer and evaluate how the export will be used. The researcher is typically the best person to assist with the determination of the classification of the item. All physical exports must be reviewed by OIEC; end users must be identified and screened to evaluate whether a license is required, or whether any exceptions may apply.
- Jurisdiction Determination:
- ITAR: Covers defense articles, technical data, and defense services listed on the USML. Exports under ITAR typically require a license, regardless of the destination.
- EAR: Covers dual-use items (commercial items with potential military applications) listed in the CCL. The need for a license depends on the item’s ECCN, the destination, end-user, and end-use. For shipment of items subject to the EAR, you must check whether General Prohibitions 4–10 apply (15 CFR 736).
- Classification:
- USML Items (ITAR): Determine if an item is listed as a defense article or includes controlled technical data.
- CCL and ECCN (EAR): Determine the ECCN for dual-use items.
- EAR99: For items not on the CCL, exports are unrestricted unless destined for embargoed countries or prohibited entities.
- Restricted Party Screening: All physical exports must be screened against restricted or denied party lists and evaluated for any "red flags," such as suspicious end-uses or connections to embargoed countries. The OIEC will conduct restricted party screenings and evaluate license needs. Transactions with unresolved red flags or involving controlled items for sensitive destinations may require a license. If any “red flags” are present, the concerns must be addressed satisfactorily, or the shipment should be aborted.
- License Requirements and Documentation: In some instances, license exceptions may apply. OIEC conducts classification, screening, and licensing determinations to verify compliance.
- ITAR-Controlled Items: Require a license for export to nearly all destinations.
- EAR-Controlled Items: Licensing depends on the item's classification, destination, and parties involved. Exceptions may apply in specific cases (e.g., low-control countries).
- Forms and Procedures:
- End User Certification Form: Confirms the user’s identity and intent.
- Request to Ship/Carry Equipment/Materials Form: Submitted to OIEC for review and approval before shipment clarifying information about the destination, end user, and intended use.
- Automated Export System (AES) Filing: Required for shipments valued at $2,500+ or those requiring a license. Filing must be completed with the U.S. Census Bureau.
- Timeframe for Licensing: Licensing and government reviews can take up to 6 months.
- Administrative Controls: Maintain records of invoicing, shipping documentation, and export declarations to ensure compliance.
Deemed Exports
While exports are commonly associated with the physical shipment of materials across a U.S. border, export controls are much broader. They also include the transfer of technology, software, technical data, or the performance of defense services to foreign nationals, even when the transfer takes place within the U.S. This transfer is "deemed" to be an export. The issue of deemed exports is particularly relevant for university environments where students and faculty from every corner of the globe engage in teaching and research activities together. In many instances, the requirements of the export control laws can be appropriately satisfied through reliance on available exclusions from export controls, such as exclusions for educational information, public domain information, or the fundamental research exclusion.
Examples of Deemed Exports in Academia
To understand how deemed exports might occur in university settings, consider the following scenarios:
- Lab Demonstrations: A foreign national Ph.D. student observes and interacts with restricted lab equipment or processes, such as laser systems or select agents subject to export controls.
- Research Discussions: A professor shares unpublished research findings with a foreign national during a seminar or casual discussion.
- Digital Collaboration: Controlled technical data or software is shared with foreign nationals via email, cloud storage, or collaborative platforms, such as shared research drives.
- Laboratory Access: Foreign nationals participating in lab tours or projects gain access to restricted technical data or equipment, even without formal documentation or disclosure.
- Collaboration on Software Development: A research team develops custom software for advanced simulations. Sharing the source code or technical details with a foreign national collaborator, even within the university, may constitute a deemed export if the software is controlled under export regulations.
- Joint Research Projects with Industry: A university researcher collaborates with a private company on defense-related technology. Sharing technical data or prototypes with a foreign national student or postdoc on the project could trigger export controls.
- Use of Controlled Equipment: A foreign visiting scholar operates specialized lab equipment (e.g., high-speed computers, advanced imaging systems, or fabrication tools) whose technical specifications are controlled under the EAR or ITAR. Allowing access without proper licensing could lead to a violation.
- Technical Assistance in Fieldwork: A faculty member advises a foreign national student on using controlled drones or sensors for field research, providing technical know-how that could qualify as a defense service under ITAR.
- Internships or Sponsored Research: A foreign national graduate student working on an industry-sponsored project gains access to proprietary designs, schematics, or data for controlled technologies; an export license may be required before that access is granted.
- Data Sharing in Global Research Networks: A university participates in an international research network and shares encrypted data files with collaborators, some of whom are foreign nationals within the U.S. If the data pertains to controlled technology, it may be subject to export control laws.
- Access to Classified or Restricted Libraries: A foreign researcher accesses a university's restricted digital or physical library containing blueprints, technical manuals, or unpublished data related to controlled technology; this may constitute a deemed export.
- Workshops or Training Sessions: A professor conducts a workshop on using specialized software or equipment, involving foreign nationals. If the session covers non-public technical data or processes related to controlled items, it may trigger deemed export rules.
- Cloud Storage Access: A foreign national postdoc gains access to a university’s cloud repository containing controlled technical data or proprietary research materials, even if the access occurs entirely within the U.S.
- Defense-Related Research Publications: Sharing draft versions of research manuscripts with foreign national co-authors may qualify as a deemed export if the drafts contain unpublished technical data subject to ITAR.
Regulations for Deemed Exports:
EAR: A deemed export under the EAR is the release to a foreign national of "technology" or source code subject to the EAR, that is, technology related to the development, production, or use of controlled items. Deemed exports can occur through a demonstration, oral briefing, or lab visit, as well as through the electronic transmission of non-public information or software. Specific reference must be made to the relevant ECCN, because what constitutes "technology" varies by entry; for example, in the case of select agents, "technology" under ECCN 1E351 includes information about disposal of the materials. Technology and software that are not subject to the EAR, such as published (publicly available) technology, are outside these export regulations.
ITAR: Disclosure of technical data to foreign nationals, even within the U.S., is considered an export. This includes information not publicly available, such as defense-related research data (22 CFR 120.32 and 120.56). By proactively identifying and managing deemed export risks, researchers and faculty can ensure compliance while continuing to advance academic and research goals.
International collaborations in research present significant opportunities to advance scientific knowledge and foster global partnerships. However, such collaborations also come with specific regulatory considerations, especially when they involve foreign nationals or international partners. One of the most critical aspects of these collaborations is ensuring compliance with U.S. export control laws. These laws are designed to prevent the unauthorized transfer of sensitive technologies, data, and materials across borders, protecting national security, intellectual property, and research integrity. In addition to export controls, successful international collaborations require careful planning and clear agreements that outline the roles and responsibilities of each party, so that every party involved understands its legal obligations and the expectations for compliance.
International Export Control Agreements
To manage the risks associated with international collaborations and foreign nationals, it is essential to integrate export control requirements into the formal agreements governing the collaboration.
- Material Transfer Agreements (MTAs): MTAs are used when materials, such as biological samples, chemicals, or technologies, are transferred between institutions or countries. If any materials involved in the collaboration are subject to export controls, this must be clearly identified in the MTA. The agreement must outline the restrictions on the use, dissemination, and transfer of the materials and include language that ensures compliance with the EAR and ITAR where applicable. If materials are subject to export control regulations, the MTA should also specify the procedure for obtaining any required export licenses.
- Data Use and Sharing Agreements (DUSAs): When research data is shared across borders, a DUSA is critical to define the terms under which research data, including sensitive or proprietary information, can be shared with international collaborators. If the data being shared contains controlled information, the DUSA must explicitly state restrictions and clarify steps necessary to obtain export licenses before sharing sensitive data with foreign nationals or institutions. The DUSA should establish clear guidelines on how the data can be used by the recipient and whether it can be further disseminated, ensuring no unauthorized transfers occur.
- End User Agreements (EUAs): EUAs clearly identify the items being shared, specify their intended use, define how the recipient may use the items, and prohibit unauthorized use or transfer. They are intended to ensure compliance with U.S. export control laws and should state when licenses are required. Recipients must agree not to share the materials with third parties without prior approval and must acknowledge their responsibilities under export control regulations. The agreements also set out the consequences of noncompliance, such as legal action or termination of the collaboration, and specify the documentation required to demonstrate compliance.
- Collaboration and Partnership Agreements: These agreements outline the general terms for cooperation between parties, especially when international partners are involved. The agreement should include specific clauses that mandate compliance with U.S. laws; state the obligations of each party regarding the transfer of controlled materials, technologies, or data; define each party's responsibilities for the handling, sharing, and protection of controlled technologies or data; and set out the procedures for addressing noncompliance, including who is responsible and what the consequences are.
- Certification of Compliance: To ensure all parties involved in the collaboration are aware of and committed to complying with U.S. regulations, institutions may require a Certification of Compliance from foreign nationals or international collaborators. Collaborators must acknowledge that they understand the legal requirements governing the transfer of controlled technologies, materials, and data. By obtaining certifications, institutions mitigate the risk of unauthorized transfers and ensure that collaborators are legally bound to follow export control laws.
University Travel
University Travel, regardless of the funding source, includes but is not limited to any travel:
- Associated with employment or recruiting.
- Bearing credit or necessary for meeting a course or degree requirement, including graduate research.
- Funded with University funding, grants, scholarships, or sponsorship.
- Sponsored, arranged, endorsed, promoted, or administered by the University, Faculty, or Staff.
- Related to a University-sponsored grant or contract.
- Involving physical transport of University Property.
- To an International Travel Destination when the Traveler will be performing any university-related work remotely on a regular basis.
- Personal Travel when traveling with a University Device or Data.
For more information, please refer to: University Travel Policy Guidance.
Export Control Regulations for International Travel
When traveling abroad, it is the responsibility of UMassD faculty, staff, and students to comply with US export control regulations. PIs must ensure any information they discuss or items they take outside of the U.S. are not export-controlled, or if they are controlled, that the proper license(s) are obtained. Both individual researchers and UMassD as an institution can be held liable for improperly transferring controlled technology or exporting controlled items. Therefore, it is crucial to review and understand the federal export control requirements before travel.
Restricted and Embargoed Countries
Countries subject to U.S. OFAC sanctions or export restrictions may require special licenses or may be entirely restricted for travel and shipments. UMassD personnel must verify that the country they are visiting is not subject to U.S. sanctions and, if it is, determine the appropriate licensing requirements. This includes countries with restrictions on the export or use of encryption software. Travel to embargoed or restricted countries (such as those on the OFAC list) will require a license, and faculty should consult with OIEC before planning any such trips.
Exclusions and Exceptions
Prior to discussing technology or presenting information while traveling, verify that the technology, information, and/or commodity qualifies for an exclusion under these regulations. Please note, exclusions do not apply when controlled equipment or biological samples are hand-carried or shipped abroad.
Handling Biological Materials
For international travel, biological materials should never be hand-carried by an individual; they should always be shipped. Biological samples must not be transferred without prior authorization from the OIEC, to ensure compliance with the regulations governing the movement of biological samples, especially those that are classified as controlled. Researchers must secure prior authorization for the shipment of any biological materials abroad. Please contact OTCV before proceeding with any international agreements.
Best Practices for International Travel
Before initiating travel, faculty, staff, and students should consider the following questions to assess whether export control regulations apply:
- Do you plan to take any controlled information or technology?
- Do you plan to travel to a high risk, sanctioned, embargoed, or restricted destination?
- Are you taking any biological materials? If so, identify the materials.
- Are you taking any equipment or materials that are not classified as "Tools of the Trade" under export regulations?
If the answer to any of these questions is "yes," faculty, staff, and students must contact OIEC for guidance and to ensure compliance with the appropriate licensing processes.
Travel Authorization Process
All UMassD travel requires submission of a Travel Authorization via Concur at least five business days prior to travel. This system is used for compliance checks, and any travel involving university-issued devices or data must be documented. Foreign travel requires prior approval to be eligible for international travel insurance and expense reimbursement.
Special Considerations for Export-Controlled Items
If traveling with special-purpose or encryption software, these items may be subject to seizure, customs duties, or security risks if stolen. Export reviews should be performed, and if necessary, a license obtained well in advance of travel. This ensures compliance with both U.S. export control regulations and the protection of sensitive university data.
Countries That Restrict Encryption and Require Import Licenses
The following nations have restrictions on encryption, require a government-issued import license, and do not recognize any "personal use exemption": Belarus, Burma, Cuba, Hungary, Iran, Israel, Kazakhstan, Moldova, Morocco, Russia, Saudi Arabia, Tunisia, and Ukraine.
Countries that restrict VPN:
The following countries are known for regulating or restricting VPN usage, with varying levels of enforcement: Belarus, China, Egypt, India, Iran, Iraq, Kazakhstan, North Korea, Oman, Russia, Saudi Arabia, Turkey, Turkmenistan, United Arab Emirates, and Uganda.
A Security Plan is a detailed framework developed to safeguard sensitive information, technologies, and assets; it outlines the controls, processes, and procedures for export-controlled projects and data and defines the operational and procedural measures designed to prevent unauthorized access, use, or dissemination of sensitive data. Access Control Plans (ACPs) and Technology Control Plans (TCPs) are the two primary components of security plans for safeguarding controlled information, technologies, and materials, ensuring compliance with relevant regulations, such as export control laws and institutional policies. In export-controlled research, the TCP or ACP is the key document that details the security measures protecting controlled data and technologies. These plans must be approved by the OIEC before the initiation of any research project.
Requirements for Researchers
Before beginning work with export-controlled data, systems, or materials, researchers must ensure:
- TCPs are put in place to safeguard controlled data, technology, and materials.
- Personnel involved must have completed export compliance training.
- Research adheres to all applicable laws and regulations governing export controls.
Technical data is defined under the ITAR at 22 CFR § 120.33, and CCL controlled technology is defined under the relevant ECCNs. For projects requiring the use of technical data, TCPs outline various security controls for personnel, computer systems, technology, materials, data, and data transmission. Before researchers are authorized to begin such a project, the TCP must be approved by the OIEC, be operational, and all personnel working on the project must complete export compliance training. All personnel assigned to the project must be briefed on the controls under the TCP and sign certification of their agreement to the TCP before any work is initiated or controlled materials are accepted.
Physical Controls
Physical controls are required for all export-controlled activities or materials governed by the ITAR, EAR, or other regulations or agreements that require the protection of items or technology from unauthorized access. Controls are implemented through the development of TCPs and ACPs, which may condition approval on the implementation of specific requirements, such as:
- Hardware to secure areas
- Electronic key card access
- Signage to limit access
- Security badges
- Locked cabinets, etc.
Additionally, systems that store and process technical data must be located in a physically secure location (e.g., a managed data center or locked office space). Specific terms for data transmission are outlined in the TCP. Physical access to rooms where export-controlled activities take place is monitored and subject to periodic review of access logs to ensure that only authorized personnel enter these areas.
Technical Data Controls
The technical data for the export-controlled project must be protected during storage, processing, and transmission. These controls apply to:
- The original technical data received from governmental agencies or research sponsors.
- Copies made of the technical data.
- New technical data derived from the original data.
- Any new technical data generated for the project.
Controlled technical data should only be transmitted and stored using approved encryption and security measures. If contract clauses dictate IT security standards (e.g., DFARS clause 252.204-7012), UMassD CITS must assist staff in establishing the TCP measures necessary to ensure compliance. Unencrypted email is prohibited for transmitting controlled data. UMassD has an email encryption service that can be used for certain controlled data transmissions. The following guidance applies to all technical data usage and transmission:
- Servers and devices storing technical data must be under the administrative control of the University and reside on the University network. The UMassD OneDrive platform may be used for such storage only where appropriate and approved under the TCP.
- Technical data stored on servers shall be encrypted using industry-standard file and folder encryption when appropriate.
- Full-disk encryption shall be used for technical data stored on any electronic devices—laptops, desktops, portable/removable storage.
- Principal Investigators (PIs) are advised that technical data is not permitted on mobile devices (e.g., tablets, smartphones).
- PIs are also advised that the use of unencrypted email is prohibited for the transmission of any export-controlled data.
- Electronic and physical media storing technical data shall be disposed of securely when no longer needed (e.g., cross-cut shredding paper documents, degaussing, securely wiping, or physically destroying magnetic and flash media) or returned to the sponsor in a secure manner.
- When data security controls are required by a specific contract clause (e.g., DFARS 252.204-7012), the controls specified under that clause must be followed.
Computer Controls
Computer systems storing, processing, and transmitting technical data shall be compliant with the University Information Security Policy (BoT Doc. T10-089), as well as any other controls imposed by contract clauses or other requirements. Controls are evaluated and implemented on a case-by-case basis by OIEC and UMassD IT Security personnel (as appropriate). UMassD CITS shall be responsible for sponsor-required compliance representations and certifications. The controls shall include, but are not limited to the following:
Identification of Systems
- An inventory of computer systems that store, access, and/or process controlled technical data must be maintained.
- Systems not identified for the export-controlled project are prohibited from accessing the export-controlled systems and data. These include mobile devices (smartphones, tablets), personal laptops, unsecured servers, and other unmanaged computer systems.
Network Security Controls
Separate from any controls mandated by contract clauses or other requirements, any systems connected to the network and possibly handling controlled data shall have some or all of the following network security controls implemented, depending upon the nature of the project:
- Connect only to the University wired network or the secure wireless network (i.e., eduroam). If connecting to a wireless network, 802.1X authentication must be used.
- A host-based firewall shall be configured to block all connections to the system other than the specific connections needed to perform the approved research.
- Periodic network-based vulnerability scans and network penetration tests shall be performed at least annually by CITS.
- Reside on the Campus network protected by the IPS (Intrusion Prevention System).
- Authorized users, as identified in the TCP, must be on the campus central authentication systems (Active Directory/LDAP) using campus-issued user IDs to log in to the secure systems.
- Each user shall have an individual login ID. Shared login IDs are prohibited.
- Default system and user/guest accounts shall be disabled on the systems.
- Passwords must meet the documented University password complexity criteria.
- Users shall log in with restricted rights. Administrative rights will be reviewed as necessary on a case-by-case basis where specific restrictions apply.
- Systems shall be configured with a login inactivity timeout (e.g., 10 minutes) and with an account lockout mechanism that locks the account after more than 5 failed login attempts in a 15-minute period.
- Administrative access and functions on the servers or applications that access the confidential information must be logged. The logs should include the identity of the user, the date/time, and the operations performed.
- Systems and application logs shall be retained for 90 days.
- Anti-virus software with centralized management shall be installed on all systems (Windows and Macintosh).
- The anti-virus software shall be configured to update daily, scan files “On Access” and when removable media is installed and shall be scheduled to scan fixed disks at least weekly.
- Systems shall be running a supported version of their respective operating system.
- Operating system and application patches must be installed in a timely manner, with critical patches installed within 48 hours of their release.
- Discovered vulnerabilities shall be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours of notification.
- System backup media shall be stored in physically secure and locked facilities.
- Login accounts shall be removed or disabled once they are no longer needed (e.g., when a user leaves the project).
- System time shall be synced with accurate Network Time Protocol clock sources.
- Network and system services and processes that are not required for the specific research shall be shut down and disabled.
- Administrative access to the systems shall only be granted to administrators who are U.S. persons under the ITAR at 22 CFR 120.62 and who have a business need for elevated privileges.
Monitoring
System and access logs shall be routinely monitored for unauthorized users or unauthorized access to technical data by UMassD CITS or the System Administrator. In certain situations, computers involved in export-controlled projects may be disconnected from the network. This is determined on a case-by-case basis and documented in the TCP. Systems not on the network will not be monitored remotely but will be evaluated by OIEC and CITS personnel during the required periodic audit of the TCP.
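The log review described above, and the account-lockout rule from the network controls list (more than 5 failed logins in a 15-minute period), as an added example that is not part of the page or of UMassD's own tooling. The roster, the log line format, the host and user names and the event names are all assumptions constructed for the example: the script checks each access against the users listed in a hypothetical TCP, flags administrative actions by anyone not listed as an administrator, and applies the sliding 15-minute failure window.

```python
"""Review constructed access-log lines against a hypothetical TCP roster.

Added example; not UMassD's own tooling. Log format, hosts, users and
event names are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Users authorized under the (hypothetical) TCP, keyed by campus user ID.
# Role "admin" marks the U.S.-person administrators allowed elevated access.
TCP_ROSTER = {
    "jdoe": "user",      # PI
    "asmith": "user",    # graduate student
    "sysadm1": "admin",  # CITS system administrator
}

LOCKOUT_THRESHOLD = 5                   # lock after MORE than 5 failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)  # ... inside a 15-minute period
ACCESS_EVENTS = {"LOGIN_OK", "FILE_READ", "FILE_WRITE", "ADMIN_ACTION"}

# Constructed sample log: "<iso-timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-04T09:00:01 tcp-srv01 LOGIN_OK user=jdoe src=10.20.30.40
2024-03-04T09:02:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:03:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:04:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:05:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:06:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:07:00 tcp-srv01 LOGIN_FAIL user=asmith src=10.20.30.41
2024-03-04T09:10:00 tcp-srv01 LOGIN_OK user=asmith src=10.20.30.41
2024-03-04T09:12:00 tcp-srv01 FILE_READ user=jdoe path=/tcp/proj42/drawing.step
2024-03-04T09:15:00 tcp-srv01 LOGIN_OK user=bwong src=10.20.30.77
2024-03-04T09:16:00 tcp-srv01 FILE_READ user=bwong path=/tcp/proj42/drawing.step
2024-03-04T09:20:00 tcp-srv01 ADMIN_ACTION user=jdoe op=useradd target=visitor1
2024-03-04T09:25:00 tcp-srv01 ADMIN_ACTION user=sysadm1 op=patch pkg=openssl
2024-03-04T09:30:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
2024-03-04T09:35:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
2024-03-04T09:40:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
2024-03-04T09:45:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
2024-03-04T09:50:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
2024-03-04T09:55:00 tcp-srv01 LOGIN_FAIL user=sysadm1 src=10.20.30.5
"""


def parse_line(line):
    """Parse one log line into a dict (timestamp, host, event, key=value fields)."""
    ts, host, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(log_text, roster=TCP_ROSTER):
    """Return findings as (timestamp, user, reason) tuples, in log order."""
    findings = []
    failures = defaultdict(deque)  # user -> timestamps of recent LOGIN_FAIL
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts, user, event = rec["ts"], rec["user"], rec["event"]

        if event == "LOGIN_FAIL":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > LOCKOUT_WINDOW:  # evict failures older than 15 min
                window.popleft()
            if len(window) > LOCKOUT_THRESHOLD:     # the 6th failure inside the window
                findings.append((ts, user, "lockout threshold exceeded"))
                window.clear()                      # account locked; count afresh
            continue

        # Any access by an account not on the TCP roster (unlisted, shared,
        # guest or default account) is unauthorized access to controlled systems.
        if event in ACCESS_EVENTS and user not in roster:
            findings.append((ts, user, "user not on TCP roster"))
            continue

        # Elevated operations must come from a listed U.S.-person administrator.
        if event == "ADMIN_ACTION" and roster.get(user) != "admin":
            findings.append((ts, user, "admin action by non-admin"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<8} {reason}")
```

The six failures by sysadm1 are five minutes apart, so at most five of them ever fall inside one 15-minute window and the account is not flagged; asmith's six failures within five minutes are. In production the roster would be loaded from the signed TCP rather than hard-coded, and findings would feed the investigation step the TCP defines rather than a print loop.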
Citizenship Verification
Status as a "U.S. person" under the export regulations is one of many qualifications that must be met by persons proposing to participate in export-controlled projects, because foreign persons are prohibited from accessing materials, systems, and/or technical data (unless expressly authorized under a lawful exemption or valid license). All persons who may be assigned to work on an export-controlled project must provide proof of status as an authorized "U.S. person", as defined under the applicable export regulations, or of authorization under another category, and must be cleared through the OIEC and listed on the TCP. All persons assigned to a controlled project are required to sign an agreement confirming they will not export any controlled data, technology, materials, or information to any foreign persons, including foreign nationals working on the project.
A Technology Control Plan (TCP) is designed to safeguard controlled technologies and/or research data that are subject to export control laws, institutional confidentiality policies, or other terms of restriction. TCPs set out the procedures that protect technologies and data from unauthorized access, use, or dissemination by describing the measures that regulate access to physical and digital spaces, including protocols for restricting access to sensitive or controlled areas both physically (e.g., laboratories, data centers) and virtually (e.g., restricted networks or databases).
Elements of TCPs:
The UMassD TCP provides a comprehensive framework to ensure the security and compliance of information technology.
- Identification of Controlled Technologies: Technologies subject to export controls (e.g., ITAR, EAR) are identified and cataloged, ensuring that compliance measures are clearly documented. Regular reviews of all technologies to verify their classification under relevant export control regulations.
- Physical Security Measures: Locked doors, security badges, biometric identification, and surveillance cameras are used to prevent unauthorized physical access to controlled areas, with additional measures specified for high-security environments such as restricted labs or storage spaces. The plan describes how sensitive information and technology are physically protected, including secure storage of physical devices, restricted access to certain areas, and controlled-access protocols for the environments where research and technology are used or stored.
- Personnel Identification & Screening: Lists all personnel handling sensitive information or technology so that the OIEC can conduct restricted party screening for everyone with access. Personnel must be authorized based on specific roles, responsibilities, and eligibility (e.g., security clearances, citizenship verification). Only authorized individuals may access controlled spaces or technologies.
- Information Security: Describes the protocols that protect both digital and physical data from unauthorized access, alteration, or destruction, including encryption standards, secure data transmission methods, and protocols to prevent breaches, so that sensitive information remains protected throughout its lifecycle. Where necessary these include data encryption, multi-factor authentication, and restricted access to sensitive digital data or systems. Role-based access control (RBAC) ensures that only individuals with a need to know can access specific data or systems.
- Restrictions: Outline restrictions on the sharing or transfer of controlled technologies within or outside the institution, including restrictions on international collaboration. Detail deemed export control measures to ensure that foreign nationals within the U.S. do not gain access to sensitive technologies without authorization.
- Training: All individuals working with controlled technologies must be trained on export control compliance, procedures, and the potential risks involved. Training available via www.citiprogram.org.
- Audit and Monitoring: Describes how personnel movements, access logs, and other security-related activities will be monitored regularly, and how logs will be audited continuously to detect unauthorized attempts to access restricted spaces or data.
- Reporting and Corrective Actions: Defined protocols for reporting security breaches or unauthorized access to controlled technologies. Clear steps for corrective action to mitigate the impact of any breaches, including updates to the TCP and enhanced security measures.
Implementing and Maintaining Security Plans
TCPs must be developed and implemented collaboratively, with input from the OIEC, CITS, and the researchers handling controlled materials. These plans should be tailored to the institution, considering the types of technologies or research being conducted, the regulatory requirements, and the potential risks associated with unauthorized access.
- Development Process: The OIEC works with faculty to develop TCPs that align with both institutional needs and regulatory requirements. Plans should be comprehensive, addressing all relevant risks, and include clear definitions of roles, responsibilities, and procedures.
- Regular Review and Updates: TCPs should be reviewed annually or whenever there is a change in research activities, personnel, technology, or regulatory requirements.
- Compliance Documentation and Auditing: Maintain comprehensive records of all activities related to access control and technology protection, including personnel access logs, audit results, and training documentation. Regular internal and external audits help ensure security measures are being followed and any deficiencies identified are corrected.
- Incident Response and Corrective Measures: In the event of a security breach, the researchers must have clear protocols for investigation, reporting, and mitigating the breach. Corrective actions should include revising access controls, updating training programs, and enhancing security measures as needed to prevent future occurrences.
Data Management & Storage
Proper management and storage of export-controlled data are essential for ensuring compliance with export regulations, as well as protecting sensitive technologies and information. These practices minimize the risk of unauthorized access or dissemination and ensure that all data handling complies with UMassD’s policies and federal export control laws.
1. Data Classification and Identification: Export-controlled data must be clearly identified and classified according to its level of sensitivity. The TCP should include specific procedures for labeling and marking export-controlled data to ensure that it is easily distinguishable from other data types.
- Labeling Requirements: Data must be marked as "Export-Controlled" when applicable, both physically and digitally. The label should specify the export control regulations (e.g., ITAR, EAR) governing the data.
- Data Inventory: An inventory of all export-controlled data must be maintained, including the type, source, and status of the data (e.g., active, archived, or destroyed).
2. Data Storage Requirements: Export-controlled data must be stored securely to prevent unauthorized access, loss, or theft. The storage method depends on the data format (physical or digital) and must meet the following criteria:
- Physical Storage: Export-controlled physical materials, such as documents or equipment, should be stored in locked cabinets or secure rooms with access restricted to authorized personnel only.
- Digital Storage: Export-controlled digital data should be stored on secure servers, preferably within UMassD's network, which are protected by firewalls, access controls, and encryption. Data should be stored in encrypted formats to prevent unauthorized access, especially for sensitive or classified data.
3. Network Security and Cybersecurity Considerations: To safeguard export-controlled data during storage, access, and transmission, cybersecurity measures are critical.
- Encryption & Secure Transmission: All export-controlled data must be encrypted both at rest (stored data) and in transit (during transmission) using strong encryption methods (e.g., AES-256 for storage and TLS for transmission).
- Virtual Private Networks (VPNs): Remote access to export-controlled data must be routed through UMassD-approved VPNs to ensure secure data transmission.
- Network Segmentation: If possible, export-controlled data should be stored on a dedicated, isolated network segment with restricted access to minimize exposure.
- Firewalls & Intrusion Detection Systems (IDS): Systems containing export-controlled data must be protected by firewalls and continuously monitored by IDS to detect any unauthorized access attempts or threats.
4. Data Access Control: Access to export-controlled data must be strictly managed and monitored. Only authorized personnel who meet export control compliance requirements (e.g., U.S. persons, as defined by ITAR) should be granted access.
- User Authentication: Systems that house export-controlled data must require secure authentication (e.g., passwords, multi-factor authentication) for user access.
- Access Control Lists (ACLs): Access to export-controlled data must be managed using ACLs to ensure that only authorized users can read, modify, or delete the data. Access permissions should be reviewed regularly.
- Monitoring: Access logs should be monitored regularly to detect unauthorized access attempts, with any violations triggering an immediate investigation.
5. Data Transfer and Transmission: Strict protocols must be followed when transferring or transmitting export-controlled data to ensure it remains secure and compliant with export control regulations.
- Internal Transfers: Export-controlled data should only be transferred within the institution using secure, encrypted channels (e.g., UMassD's secure servers). Unencrypted methods, such as plain email, must be avoided.
- External Transfers: If data needs to be transferred to external parties (e.g., collaborators, contractors), export licenses must be obtained, where applicable, before sharing the data. Encrypted file transfer methods (e.g., SFTP or FTPS) must be used; plain FTP transmits credentials and file contents unencrypted and is not acceptable.
6. Agreements and Legal Compliance: All external collaborations or data transfers must comply with export control regulations, and the following agreements should be used:
- Material Transfer Agreements (MTAs): For any transfer of export-controlled materials, an MTA should be in place specifying compliance with export control laws and the restrictions on data/material sharing.
- Non-Disclosure Agreements (NDAs): NDAs must be used to protect the confidentiality of export-controlled data when collaborating with external parties.
- Data Use Agreements (DUAs): If export-controlled data is shared with external researchers, DUAs should be executed outlining data security measures and restrictions on its use.
Compliance clauses should be included in all agreements with collaborators and with third parties whose systems handle export-controlled data, and these clauses should require regular compliance audits.
7. Data Retention and Disposal: Export-controlled data must be retained only for as long as necessary and disposed of securely when no longer required.
- Retention: Data should be retained according to its classification and the requirements of the contract, sponsor, or relevant regulations. Retention periods for each type of data must be tracked.
- Disposal: When export-controlled data is no longer required, it must be disposed of securely. This includes physical destruction of materials (e.g., shredding documents) or secure deletion of electronic files (e.g., using data-wiping software).
8. Cybersecurity and Compliance Audits: Regular audits of systems storing and managing export-controlled data must be conducted to ensure compliance with cybersecurity protocols and export control laws.
- Security Audits: Perform regular audits on systems managing export-controlled data to assess adherence to security measures and identify vulnerabilities.
- Incident Response Plan: Establish an incident response plan that outlines steps for addressing data breaches, unauthorized access, or other security incidents, including reporting to authorities as required.
Proper management and storage of export-controlled data are essential for ensuring compliance with export regulations, as well as protecting sensitive technologies and information. These practices minimize the risk of unauthorized access or dissemination and ensure that all data handling complies with UMassD’s policies and federal export control laws.
Federal departments and agencies that fund research and development have long been concerned with the potential for foreign entities, both private companies and government institutions, to inappropriately interfere with U.S. Government-supported research. To address this, many institutions of higher education, including UMass, encourage a robust disclosure of international research collaborations.
Any researchers involved in international collaborations should disclose collaborations in advance in their Annual Disclosure, which includes specific questions about foreign engagements. Following this disclosure, staff from the Office of Research Compliance will review the anticipated international activities for the potential application of export control regulations or other state or Federal regulations or requirements and provide guidance as necessary.
CITI training in Research Security is available to everyone with an active UMassD affiliated account.
- Department of Defense (DOD) — Academic Research Security (Office of the Under Secretary of Defense for Research & Engineering): This site is a resource for the actions that the Department and the inter-agency are taking to ensure the integrity of fundamental research in academia as well as steps that the academic community has taken.
- Department of Defense (DOD) Research and Engineering: Countering Unwanted Foreign Influence in Department-Funded Research at Institutions of Higher Education. Memorandum on the policy for Risk-Based Security Reviews of Fundamental Research mandated by section 1286 of the National Defense Authorization Act for FY 2019 and NSPM-33.
- Department of Energy (DOE) — DOE Current and Pending Support Disclosure Requirements for Financial Assistance (FAL 2022-04): response to NSPM-33.
- Office of the Director of National Intelligence (ODNI) — National Counterintelligence & Security Center: a collection of Research Security reference documents compiled by the National Science Foundation's (NSF) Office of the Chief of Research Security Strategy and Policy (OCRSSP) regarding best practices in research security for the academic community.
- National Aeronautics and Space Administration (NASA) — Proposers Guide: Section 2.16 (Current and Pending Support) contains specific guidance regarding disclosure of current and pending support with China.
- National Institutes of Health (NIH) — Foreign Interference (NIH Central Resource for Grants and Funding Information): Includes an overview of NIH's principles, case studies, explanations about U.S. government concerns regarding foreign influence, requirements for disclosure of Other Support, Foreign Components, and Conflicts of Interest.
- National Science Foundation (NSF) — Research Security at the National Science Foundation (the NSF Office of the Chief of Research Security Strategy and Policy): Includes a comprehensive overview of Research Security at NSF, including policies, foreign influence and risk mitigation, the benefits of international collaboration, and the Research on Research Security program (RRSP).
The University of Massachusetts encourages international collaborations and recognizes that foreign influence concerns must not stifle its academic and research goals and missions, discriminate against national origin or ethnicity (or any other protected classes), or inhibit academic or speech freedoms. The Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act of 2022, 15 U.S.C. 4651 et seq. prohibits federal employees, contractors, and awardees from participating in Malign Foreign Talent Recruitment Programs (MFTRPs) after August 9, 2024. The National Science Foundation (effective May 20, 2024), National Institutes of Health, Department of Defense (effective August 9, 2024), and other agencies issued MFTRP policies in 2023 and 2024. The Department of Energy has tightly restricted talent program participation since 2019 with DoE Order 486.1A. These efforts align with and are in furtherance of National Security Presidential Memorandum-33, issued January 14, 2021, implementing national security strategies for US Government supported research and development.
It is the Policy of the University of Massachusetts to comply with NSF, NIH, DoD, DoE and any other agencies’ or federal departments’ MFTRP requirements. Therefore, in accordance with federal research sponsor requirements (Section 10638(4)(a)(i-ix) of the CHIPS and Science Act of 2022), Covered Individuals who engage in federally funded research are prohibited from participating in MFTRPs. For further details, see the University of Massachusetts Policy Statement on Malign Foreign Government Talent Recruitment Programs.
For reference, see the list of Foreign Institutions engaging in problematic activity as described in Section 1286 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, updated annually.
NSF has just released a series of four Research Security training modules, free to researchers and institutions throughout the U.S. They are "designed to facilitate principled international collaboration in an open, transparent, and secure environment that safeguards the nation's research ecosystem" (NSF News, 1/30/2024).
Under federal export control regulations, U.S. persons and entities are prohibited from engaging with certain domestic and international individuals, institutions, governments, companies, or entities. Various U.S. government agencies, primarily the Departments of State, Commerce, and Treasury, maintain lists of individuals, companies, or entities known as restricted parties, barred or restricted from certain transactions with U.S. individuals, corporations, and organizations. Failure to comply with these regulations can result in civil penalties for UMassD and civil or criminal penalties for individuals involved in the transactions.
Pre-screening is crucial for identifying ineligible recipients and potential licensing requirements, minimizing risks before investing time or resources. Implementing Restricted Party Screening (RPS) helps identify and mitigate risks by preventing unauthorized entities from accessing sensitive technologies, information, or resources for malicious purposes.
UMassD implements a comprehensive Restricted Party Screening (RPS) process, emphasizing the importance of gathering detailed information to enhance accuracy and reduce false-positive 'hits,' thereby improving the effectiveness of the screening procedure.
UMassD uses Descartes Visual Compliance, a web-based software tool, for prompt screening against federal lists. This proactive approach ensures compliance with the regulations, includes automated periodic re-screening, and provides documentation for audit purposes.
UMassD screens all potential collaborators against restricted parties lists before engaging in:
- International collaborations (screening collaborators)
- Teaching courses abroad or online (screening students and host institutions)
- Presenting at conferences (screening conference sponsors)
- Hosting international visitors (screening visitors)
- Exchange of personnel, materials, data, technical information, or money (screening recipients or sponsors)