Technology Control Plans
Certain work at Purdue involves sensitive information, equipment, or technology that is subject to U.S. export control regulations or national security-related contractual requirements. Sharing controlled information with a foreign person who is in the United States is deemed to be an export to that foreign person's country of citizenship. Remotely accessing controlled information from outside the United States may be considered an export of the data to the country from which the data is being accessed. Storing information on servers outside the United States (which may happen when using cloud-based platforms) may also be considered an export of the data to the country in which the server is located. As such, Purdue may require the use of a Technology Control Plan (TCP) so that exports of controlled technology by Purdue are guided by Research Security and Export Controls (RSEC) to ensure compliance.
TCPs are tailored documents that outline who is authorized to have access to controlled items or information. They list where data is stored and used and how controlled data should be safeguarded. TCPs are created before controlled data is received or generated and are created within Purdue's PERA system. These plans are developed and monitored by Research Security and Export Controls (RSEC) and are a critical component of Purdue's institutional compliance program.
When a Technology Control Plan May Be Required
- Research including restrictions on foreign national participation or on researchers' ability to publish is not Fundamental Research and is subject to export controls at some level. If that information is also found on a control list, a TCP may be required.
- Work involving the receipt or generation of certain categories of Controlled Unclassified Information (CUI), like Covered Defense Information (CDI), typically requires that data be received, processed, and stored within systems that meet NIST SP 800-171 requirements as outlined in DFARS 252.204-7012 or similar contract requirements.
- Work involving equipment controlled for export, or its technology (e.g., information necessary to develop, produce, or reconfigure it), will likely require a Technology Control Plan.
The need for a Technology Control Plan (TCP) is identified through the RSEC review processes. Research Security and Export Controls (RSEC) is responsible for determining when a TCP is required based on the nature of the research, the regulatory framework, and the contractual terms associated with the data. TCP requirements are typically identified through one or more of the following review points:
- Sponsored research review – RSEC evaluates proposals, awards, and contracts for indicators such as publication restrictions, foreign researcher restrictions, and CUI handling requirements.
- Contract negotiation and acceptance – Agreements that include certain DFARS clauses, export control language, or restrictions on data access or dissemination may trigger the need for a TCP.
- Use of controlled equipment or sensitive data – TCPs may be required when highly controlled equipment, encryption technologies, or data subject to ITAR, EAR, or other federal requirements are used.
In all cases, RSEC works collaboratively with the Principal Investigator and other stakeholders to assess risk and determine whether a TCP is necessary. Early engagement with RSEC is encouraged to avoid delays and ensure proper safeguards are in place before controlled data is received or developed.
Onboarding
Because controlled work is outside of the norm at a university, it is important that all researchers are aware of their obligations under the Technology Control Plan. Research staff will be added during the TCP creation process, as RSEC works with the PI to develop the TCP. However, the needs of research often change, and research staff does too. People may be added mid-project whenever the PI sends a request to RSEC via a TDX Form. In either case, new team members will undergo a background check, will validate their citizenship, and will take several training courses that are crucial to project security.
Offboarding
As researchers end their work on a project, it is important for RSEC to be aware so that their names can be removed from the list of authorized personnel and so that user accounts can be updated. PIs, or their designee, should notify RSEC when anyone's work with controlled information concludes.
Training
Several forms of training will be necessary before people are granted access to controlled information. This may include Export Control training, Data Security Training, Controlled Unclassified Information Training, Insider Threat Training, and Operational Security Training. Some TCPs may require more or less training depending on the level of control. People needing access to export controlled information will receive a message from RSEC outlining what training they should take. They will not be added to a TCP or be granted access to IT environments where controlled information is stored until this training is completed.
Safeguarding Controlled Information
Safeguarding sensitive information isn't just about knowing who is performing the research. It's also about understanding who can access the research. Researchers should take care to secure their physical environment to ensure that unauthorized individuals are not able to observe the research or otherwise gain access to export controlled information. This may involve closing doors or blinds, using privacy screens, or using segregated work areas. Technology Control Plans will outline the appropriate safeguarding requirements for the controlled work researchers are performing.
Because cloud platforms can store data on servers located anywhere in the world, it is important to ensure that data is stored on servers located in the U.S. to prevent an export. Remotely accessing controlled technology from outside of the United States may also be considered an export of that data. As such, Purdue maintains secure environments for working with controlled information, like the Purdue Hybrid Agile System for Research (PHASR).
Who should I contact at Purdue with questions about Technology Control Plans?
For questions related to Technology Control Plans, please contact RSEC.
Contact Information
Address:
Mann Hall, Suite 266
203 S. Martin Jischke Drive
West Lafayette, IN 47907
Call or email to make an in-person appointment
Email: rsec@purdue.edu
Phone: (765) 494-1642