Technology Control Plan
A Technology Control Plan (TCP) is the formalization of the processes and procedures the University project personnel will use to ensure that any subject items and information are not disclosed to unauthorized personnel or otherwise exported without the necessary US government authorization. The Office of Export Controls (OEC) has created a template TCP to serve as a starting point, with the intention that it be adapted, first and foremost, to comply with the specific regulatory requirements and, secondly, to accommodate the needs and structure of the related University project or program.
Please send the completed TCP to firstname.lastname@example.org for review and comment BEFORE collecting the required signatures on the TCP Acknowledgement. Once OEC has approved the safeguards and confirmed the eligibility of the identified users, the PI will be notified. At that point, the PI will need to distribute the TCP to the authorized users, confirm that they have completed the required training, and have them sign the TCP Acknowledgement. Once all of the user signatures have been obtained, the signed form(s) must be returned to OEC for final approval.
It is the responsibility of the Principal Investigator or program leader to develop, manage and enforce compliance with the terms of the TCP. The Office of Export Controls will assist with development and determine whether or not it is sufficient to adequately protect the subject items and information from unauthorized access and export. The TCP will include the following:
- a commitment to export controls compliance;
- identification of the relevant export control categories and controlled technologies;
- identification of the project’s sponsor(s);
- identification and nationality of each individual participating in the project;
- physical and information security measures appropriate to the subject items and information;
- personnel screening measures; and
- instructions pertaining to disposition of subject items and information (hard copy and electronic) at the end of the project or program.
OEC will also conduct post-approval compliance monitoring periodically, randomly or for cause (when a concern is raised regarding potential non-compliance).
The physical and information security measures to prevent unauthorized access and export must be included in the TCP. Examples of security measures include, but are not limited to, the following:
- Compartmentalization. Project operation may be limited to laboratory areas that are physically shielded from access or observation by unauthorized individuals. Such areas must remain secured at all times when subject items or information are in use.
- Time Blocking. Project operation may be restricted to specific time blocks when access will be limited to authorized personnel. Unauthorized individuals shall not be permitted to observe project operations or have access to the space during this time.
- Marking. Export controlled information must be clearly identified and marked.
- Personnel Identification. Authorized individuals may be required to wear a badge, special card, or similar device indicating their permission to access project areas. Physical movement into and out of designated project areas may be logged or otherwise monitored.
- Secure Storage.
  - Tangible items should be stored in controlled access rooms or storage devices that prevent visual disclosure as well as physical access. Access keys or cards may only be issued to authorized personnel.
  - Soft and hardcopy data, laboratory notebooks, reports, and other research materials should be stored in locked storage devices. Keys may only be issued to authorized personnel.
- Electronic Security.
  - Project computers, networks, and electronic files should be secured and monitored through user IDs, password controls, and encryption technology (128‐bit or better). Database access should be managed via a Virtual Private Network.
  - Electronic communications (email, text and instant messaging) containing controlled information should be either explicitly prohibited or specifically addressed in the TCP procedures.
- Project Communications. Discussions about the project must be limited to the individuals identified and authorized under the TCP and occur only in areas where unauthorized individuals are not present and cannot reasonably overhear. Discussions with non‐UVA parties must occur only under signed agreements which fully respect non‐U.S. person limitations for such disclosures.
Before any individual may have access to items or information under a TCP, he or she must complete the initial training requirement, be informed of the procedures authorized under the TCP and receive a copy of it, certify his or her agreement to comply with all security measures contained in the TCP, and be authorized by the Office of Export Controls.
Personnel Change Requests
All requests to change the personnel list should be made by submitting a revised TCP to OEC (email@example.com); an initial review of all change requests will be completed within 2 business days.
OEC will perform an initial review of any request to add new personnel within two business days.
Addition of New Personnel
OEC will review each request to determine if the individual(s) is eligible to be added to the TCP and whether or not a license or other authorization is required. The following must occur before an individual is allowed access to the controlled technology or information:
- any required license or other authorization has been obtained;
- the individual has completed the required export control training program;
- the PI has provided the individual with a copy of the approved TCP; and
- the individual has signed the TCP Acknowledgement and the PI has provided a copy to OEC (pdf preferred).
If a US government license or other authorization will be required, OEC will assist in the preparation and submission of the request but cannot guarantee that any such request will be granted or how long it will take to receive a response.
Removal of Personnel
It is the PI's responsibility to ensure that all access to controlled technology is prevented once an individual is removed from the TCP (electronic access permissions removed, combinations are changed, keys are returned, etc.). Requests to remove personnel do not require OEC approval.