Technology Control Plans
A Technology Control Plan (TCP) is a living document that outlines the means in which export controlled information and technology will be protected. The purpose of a TCP is to outline the characteristics of the project and to define the controls necessary to ensure that the transfer of identified items to visitors, employees, and students during the performance of research activities or other university endeavors occurs in an authorized and approved manner.
How do I know if a TCP is needed for my research project or department?
Answer "Yes" or "No" to the following questions noted below. If you are unsure how to answer the question, contact NYU's Office of Compliance and Risk Management (OCRM) for assistance. DO NOT ASSUME the answer is "NO" if you do not know the answer with certainty.
- Does your contract or award contain an export control statement or clause?
- Does your contract or award contain a DFAR 252.204-7000 clause (federally funded research)?
- Does your contract or award contain foreign national participation restrictions?
- Is your project being funded by NASA, U.S. Department of Defense, U.S. Department of Energy, SERDP, Nuclear Regulatory Commission, or a branch of the U.S. military?
- Will the Sponsor or other entity identified receive or possibly receive items and/or information that are considered export controlled, confidential, restricted, proprietary or sensitive but unclassified?
- Will your project include working with software source code or object code (in whole or in part)?
- Will your project include software or equipment with encryption technologies?
- Will you be working with items that appear on the Commerce Control List (CCL) or the U.S. Munitions List (USML)? This information may be obtained from the manufacturer/vendor. You may also contact OCRM for assistance.
- Will any equipment need to be exported (physically) outside of the United States territory?
- Will the project require deployment and/or retrieval of equipment outside U.S. territorial waters or airspace?
- Will the project require the use of satellite images or data?
- Will you be working with select agents or toxins that are part of the Dual-Use Research of Concern (DURC) policy?
- Will the research / activity take place in an access controlled area (e.g., military base, specialized lab or research facility)?
If you answered "YES" to any one question above, a TCP is required.
Establishing a TCP is a multi-step process and a TCP takes time to develop, implement and maintain. While a TCP is benefical under any condition, it is mandatory before application for an export license can be submitted. If a license is required, the U.S. Government processing time for applications varies from as little as 6 weeks to more than 6 months. Therefore, it is vital that a TCP be thoroughly detailed with as much supporting documentation as can be provided in order to mitigate additional delays in the license application process.
What do I need to do first in developing a TCP?
The first step is for the Principle Investigator (PI) and/or department heads who will be overseeing the project to complete export compliance training.
NYU provides online training for export compliance through the Collaborative Institutional Training Initiative (CITI) Program. If you have not used CITI before, you will need to register and select New York University as your associated institution.
The required CITI Program Export Compliance modules for a TCP will be:
- "Introduction to Basic Export Compliance"
- "Export Compliance for Researchers, Part 1"
- "Export Compliance for Researchers, Part 2"
- "Export Compliance and Collaborations"
Other modules may be deemed appropriate depending on the nature of the project.
A TCP is project-specific. When the need for a TCP has been identified, the PI or department head will contact OCRM who will assist with development of a TCP that is appropriate to the project. When the terms of the project end, so does the associated TCP.
The TCP will include elements such as project information, personnel identification, technology and technical data, security, and international travel. More specifically, the TCP will include a thorough description of the information and/or items to be protected; specific measures to control access within the facility; procedures for control of access to equipment; and certification by all project personnel.
To fully understand the items being protected, documentation such as export classifications, equipment spec sheets, contracts / agreements, etc., may be needed to be included with the TCP as appendices. Other University departments, such as Campus Safety, may also need to be included, especially where area access controls are needed.
All personnel, regardless of citizenship, who are listed in the TCP as authorized for inclusion on the project form must undergo restricted party screening. This process will be conducted by OCRM. The reason for this screening is to comply with federal regulations ensuring that no person is debarred.
Once the TCP has been developed and approved by OCRM, it is the responsibility of the PI and/or department head to implement the security measures defined within the TCP. This includes diligence in overseeing employees so that they understand and follow the security measures and processes to be implemented.
In addition, all individuals affected by the TCP will undergo a live training session with OCRM as a group to discuss the developed TCP and export controls. This special session will be coordinated by the PI or department head prior to the start of the project.
Once the TCP is developed what else needs to be done?
The TCP is a living document, therefore, as changes within the project occur the TCP will need to be updated accordingly in order to maintain compliance. Changes that can affect the TCP could be: scope of work; additions/deletions of authorized personnel; equipment; work spaces; amendments to regulations; etc.
OCRM will conduct periodic reviews to ensure the TCP is being monitored and followed as defined within the documentation itself.
Because the TCP is a living document, a copy of the TCP will be maintained by the PI in the project binder through the duration of the project and be accessible to only those authorized. An official copy of the TCP will be maintained by the responsible department for five (5) years from project completion or from expiration of the license (as applicable). A copy of the TCP will remain on file with OCRM.
An electronic version of the TCP and its supporting documents is acceptable for record retention.