Technology Control Plans

A Technology Control Plan ("TCP") is a living document that outlines the means by which export-controlled information and technology will be protected. The purpose of a TCP is to outline the characteristics of the project and to define the controls necessary to ensure that the transfer of identified tangible or intangible items to visitors, employees, and students during the performance of research activities or other University endeavors occurs in an authorized and approved manner.

Contact the NYU Office of Ethics and Compliance ("OEC") to determine whether a TCP is required.

How do I know if a TCP is needed for my research project or department?

Answer "Yes" or "No" to the following questions noted below. If you are unsure how to answer the question, contact OEC for assistance. DO NOT ASSUME the answer is "NO" if you do not know the answer with certainty.

Does your contract or award contain an export control statement or clause?
Does your contract or award contain a DFAR 252.204-7000 clause (federally funded research)?
Does your contract or award contain foreign national participation restrictions?
Is your project being funded by NASA, U.S. Department of Defense, U.S. Department of Energy, SERDP, Nuclear Regulatory Commission, or a branch of the U.S. military?
Will the sponsor or other entity identified receive or possibly receive items and/or information that are considered export-controlled, confidential, restricted, proprietary, classified, or controlled but unclassified?
Will you be working with items that appear on the Commerce Control List ("CCL") or the U.S. Munitions List ("USML")? This information may be obtained from the manufacturer/vendor. You may also contact OEC for assistance.
Will any equipment need to be physically exported outside of the U.S.?
Will the project require deployment and/or retrieval of equipment outside the U.S. territorial waters or airspace?
Will the project require the use of satellite images or data?
Will you be working with select agents or toxins that are part of the Dual-Use Research of Concern ("DURC") policy?
Will the research/activity take place in an access controlled area (e.g., military base, specialized lab or research facility)?

If you answered "YES" to any one question above, a TCP is likely required.

Establishing a TCP is a multi-step process and a TCP takes time to develop, implement and maintain. While a TCP is benefical under any condition, it is mandatory before application for an export license can be submitted. If a license is required, the U.S. Government processing time for applications varies and can take several months or longer, with a possibility of denial. Therefore, it is vital that a TCP be thoroughly detailed with as much supporting documentation as can be provided in order to mitigate additional delays in the license application process.

A TCP is project-specific. When the need for a TCP has been identified, the PI/department will work with OEC and other relevant University organizations to develop a TCP that is appropriate to the project. When the terms of the project end, so does the associated TCP.

The TCP will include elements such as project information, personnel identification, technology and technical data, security, and international travel. More specifically, the TCP will include a thorough description of the information and/or items to be protected; specific measures to control access within the facility; procedures for control of access to equipment; and certification by all project personnel.

To fully understand the items being protected, documentation such as export classifications, equipment spec sheets, contracts/agreements etc., may be needed to be included with the TCP as appendices.

Once the TCP has been developed and approved by OEC, it is the responsibility of the PI/department to implement the security measures defined within the TCP. This includes diligence in overseeing employees so that they understand and follow the security measures and processes to be implemented.

In addition, all individuals affected by the TCP will undergo training with OEC to discuss the developed TCP and applicable export controls prior to the start of the project.

Once the TCP is developed what else needs to be done?

The TCP is a living document, therefore, as changes within the project occur the TCP will need to be updated accordingly in order to maintain compliance. Changes that can affect the TCP include: scope of work revisions; addition/removal of authorized personnel; new equipment, information, or work spaces; amendments to applicable regulations etc.

OEC will conduct periodic reviews to ensure the TCP is being monitored and followed as defined within the documentation itself.

Because the TCP is a living document, a copy of the TCP will be maintained by the PI in the project binder through the duration of the project and be accessible to only those authorized. An official copy of the TCP will be maintained by the responsible department for five (5) years from the project completion or expiration of the license, as applicable. A copy of the TCP will remain on file with OEC.

An electronic version of the TCP and its supporting documents is acceptable for record retention.