Export Controls Training and Research Security Programs
Lead Author: Allen A. DiPalma, Senior Consultant at Traliance
Background: NSPM-33
Starting in January 2021 with the release of National Security Presidential Memorandum 33 (NSPM-33), the federal government set in motion a coordinated approach to improving research security within the U.S. research enterprise. The original NSPM-33 memo was directed at federal agencies and was augmented a year later through the release of implementation guidance issued by the National Science and Technology Council (NSTC) through its Joint Committee on the Research Environment (JCORE). The JCORE NSPM-33 Implementation document provides guidance to Federal departments and agencies regarding their application and implementation of NSPM-33 on National Security Strategy for U.S. Government-Supported Research and Development (R&D).
Research Security Program Application
Institutions receiving more than 50 million dollars per year in research funding from the federal government will be required to certify that they have established and maintain Research Security Programs as a condition of funding. As described in the implementation guidance, Research Security Programs are to include the following four elements:
- Cybersecurity
- Foreign Travel Security
- Research Security Training (to include insider threat awareness and identification)
- Export Control Training, as appropriate
The last element, Export Control Training as appropriate, raises several questions for schools including how export control training should be developed and implemented to comply with future research security program requirements. Based on this existing information, this article will address the following 3 questions:
- What exactly is R&D that is subject to export control restrictions?
- What steps should schools take to manage or mitigate risks inherent to export controlled?
- When and who should be trained on export controls risks?
Since there is currently no firm advice or requirements around the “how” export controls training should be offered, we will defer answering that question until the federal government releases further guidance.
Question #1: What exactly is R&D that is subject to export control restrictions?
In anticipation of a federal register notice announcing research security program requirements, current implementation guidance provides the following description for federal agencies on export controls training:
“Agencies should require that research organizations conducting R&D that is subject to export control restrictions provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.”
Looking more closely at this paragraph, “R&D that is subject to export control restrictions” could mean a few things. The most common interpretation in the university community would be R&D research that is not considered Fundamental Research, which is a term formally defined in the Department of Commerce Export Administration Regulations (EAR) 15 CFR Part 734.8(c) as, “…research in science, engineering, or mathematics, the results of which ordinarily are published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons.”
It is also important to understand the scope of Fundamental Research which is further defined in EAR 734.8(a) as, “Technology” or “Software” that arises during, or results from, fundamental research and is intended to be published is not subject to the EAR.”
Thus, only the results of research (Technology) in the form of data, designs, blueprints, graphs, charts etc. and some Software are included in the scope of “fundamental research” and not subject to the EAR. The Department of State International Traffic in Arms Regulations (ITAR) contains a similar definition and scope for fundamental research found in 22 CFR Part 120.34(8) (Public Domain). Physical commodities (such as scientific equipment) used in fundamental research are still subject to the EAR.
In many cases, fundamental research will involve export-controlled inputs. Examples of controlled inputs include third-party proprietary data sets, sponsor-defined technical specifications, sponsor-owned confidential or proprietary information, key personnel or collaborators that appear on a U.S. restricted party list, or a defense article or technical data that is subject to the ITAR. In these cases, it is possible to maintain a fundamental research designation provided that all applicable export control and dissemination controls are maintained for the controlled inputs.
So, a reasonable interpretation of the NSPM-33 implementation guidance for “R&D that is subject to export controls restrictions” would mean any research NOT meeting the definition and requirements of fundamental research, or any other inputs used in research that are subject to U.S. export and/or other third-party dissemination controls. This can include tangible commodities, technology, or software that is classified as EAR99 under the EAR.
Question #2: What steps should schools take to manage or mitigate risks inherent to export-controlled?
Two very effective practices universities use to manage the risks involved in export-controlled research and/or the receipt/use of other controlled inputs are the use of technology control plans (TCP) and restricted party screening processes. TCPs are internal management plans developed and implemented to manage restricted research projects or other situations containing elevated export control or related risk. TCPs typically are specific to individual research programs and include both physical and information technology control plans, as well as required training for all staff participating in the project. In many cases where the results of restricted research are expected to be classified as EAR99, or other controlled inputs carry similar low-grade controls, some schools prefer to use other management tools such as memos, Zoom calls, or abridged versions of TCPs to manage the risk.
Restricted party screening processes systematically utilize querying tools to screen individuals and entities against the ever-changing U.S. restricted party lists. Having a defined procedure and operational process to screen against these lists is paramount to identifying, evaluating, and correctly managing the risks associated with restricted parties.
Question #3: When and who should be trained on export controls risks?
Now that we have considered what “R&D that is subject to export control restrictions” means and some effective practices for managing or mitigating export control risk, the last part is to determine when and whom to involve in export controls training. A good first step is to identify processes that would act as trigger points for detecting export control restrictions. Based on defined processes, a school can determine whom to involve in export controls training. The majority of export controls risk at universities can be identified through the following 2 processes:
Award/Contract Reviews
The scope of this category can include many various types of agreements found in different offices. The most common agreement types include externally sponsored grants and contracts, material transfer agreements, data use agreements, non-disclosure (confidentiality) agreements, teaming agreements, consulting agreements, testing agreements, and specialized service agreements. At many institutions, the offices responsible for and/or involved with these agreement reviews are sponsored programs, technology transfer, research security, and general counsel.
Restricted party screening (RPS) Processes
RPS processes typically encompass many areas within an institution where export control regulations intersect with other existing operational processes. The most common areas where restricted party screening is systematically incorporated include sponsored programs (sponsors, collaborators), shipping and receiving (third-party customers), procurement (vendors), technology transfer (licenses, MTAs, CDAs), and international operations (non-research partnerships). An RPS process should define who owns the process, who conducts the screenings, an SOP for carrying out the actual screening, how suspected matches and associated risks are evaluated, options for managing or mitigating the risks for confirmed matches, and who makes the final “go/no go” decision for confirmed matches.
Based on the above categories, a school can then easily identify individuals (administrative staff and investigators) who would be subject to export-controlled R&D or involved in the process of obtaining or using controlled inputs for purposes of performing export controls training.
Key Take-Away
Export controls training is one of the 4 necessary elements universities must include in future Research Security Programs as described in the implementation guidance for NSPM-33. If your institution falls within the 50-million-dollar threshold described above, robust export controls training will be a critical element of your school’s Research Security Program. Leverage systematic sponsored program processes, technology control plans, and restricted party screening processes to begin to identify the important topics to cover and audiences to engage.
Comments
Check out the US government’s latest guidance on research security.
Hi, do you know that in Canada, july 12, 2021, National Security form should be filled and sent with each grant proposal (whatever the funding required) ? Part 1 is aimed at export controlled Part 2 as Due diligence on research partners. While Canada is way smaller than our US counterparts, Universities is way back in terms of export control and research security compliance/knowledge. A G7 group will try to harmonize some kind of best practices but it would be interesting that Export Controls and Research Security consultants, training institutes and Association such as SRA International would include us in their vision and training.