EXPORT CONTROLS & SANCTIONS COMPLIANCE Basics & Clauses… David Brady

advertisement
EXPORT CONTROLS &
SANCTIONS COMPLIANCE
Basics & Clauses…
David Brady
Director and Facilities Security Officer
Office of Export and Secure Research Compliance
Virginia Tech
Erica Kropp
Office of Research Administration & Advancement
University of Maryland Center for Environmental Science
June 22, 2009
1
Beware The Traps
Work your way through the FAR and other
clauses and avoid the trap of export
controls – don’t get ensnared.



Ask questions early (internal routing forms).
Look for clauses and other “red flags” in the
scope of work, the RFP and/or BAA.
Look for the same in the resulting T’s & C’s of
the award.
2
What are Export Control Laws
US laws that regulate the distribution to
foreign nationals and foreign countries of
strategically important products, services
and information for reasons of foreign policy
and national security.
Export control laws apply to all activities
– not just sponsored research projects.
3
US Export Control Responsible Agencies

Most export controls and embargo
issues fall under the jurisdiction of
the following agencies:



Department of State
Department of Commerce
Department of Treasury
4
Department of State

International Traffic in Arms
Regulations (ITAR) – 22 CFR
Parts 120-130



Regulates military, space, or defenserelated articles, technologies, and
services
United States Munitions List (USML)
Directorate of Defense Trade Controls
(DDTC)
5
Department of Commerce

Export Administration
Regulations (EAR) – 15 CFR
Parts 730-774



Regulates commercial and “dual use”
products and technologies; primarily
civil use
Commerce Control List (CCL)
Bureau of Industry and Security (BIS)
6
Department of Treasury

Office of Foreign Assets Controls
(OFAC) – 31 CFR Parts 500-599



Prohibits transactions with countries subject to
trade sanctions and embargoes
Administers and enforces economic and trade
sanctions based on US foreign policy and
national security goals
Maintains the Specially Designated Nationals
(SDN) and blocked persons list
7
Implications of Export & Sanctions Laws


No effect on most university research
Potential impact on



Ability of foreign students or researchers to
participate in research involving a
controlled technology (mostly under ITAR)
Ability to provide services (including
training in the use of controlled equipment)
to foreign persons (ITAR, EAR, OFAC)
Ability to send controlled equipment to
foreign countries (ITAR, EAR, and OFAC)
8
Implications of Export & Sanctions Laws





Factor that can extend award negotiation
time – may involve institutional decisions
Factor to be considered if/when accepting
another parties information
Likely to require additional internal review
processes
Time and resources – can effect project
schedules – even after the award
PI’s need to be involved
9
University Strategy
Protect the fundamental research
exclusion by negotiating the
elimination of all contractual clauses
that restrict university control of
publications or limit access to or
participation in research.
10
Review of Proposals and Awards
 Add
questions to internal proposal routing
form
 Use an award review check list for research
administrators
 Establish an internal process for both the
determination of applicable exclusion or
obtaining a license
 Develop/ find a dedicated resource
 Document all export determinations
11
Some Early Stage Red Flag Items
Does the Project involve:






Shipping equipment or biological
materials to a foreign country?
Collaborating with foreign colleagues in
foreign countries?
Foreign visitors to your labs?
Training foreign nationals in using
equipment?
Working with a country subject to US
sanctions?
Traveling to a foreign country?
12
More Red Flag Items




Use of another parties proprietary
information?
Is the sponsor a foreign entity?
Do the terms of the RFP/BAA, etc. require:
 Sponsor approval rights over publications?
 Sponsor approval of the participation of
foreign nationals?
Is the RFP marked “Export Controlled”?
13
Potential Problem Clause Topics







IP/Data Rights
Publications/Information Dissemination
Confidentiality Clauses/Agreements
Export Control
Security
Restrictions on use of foreign nationals on
research projects
Deliverables
14
Problem Clause



DFAR 252.204-7000 Disclosure of
Information – requires APPROVAL
When the Contractor will have access to or
generate unclassified information that may
be sensitive and inappropriate for public
release , include the clause DFARS
252.204-7000.
Destroys fundamental research exclusion
15
Problem Clause
DISCLOSURE OF INFORMATION (Dec 1991)


The Contractor shall not release to anyone outside the
Contractor’s organization any unclassified information,
regardless of medium (e.g., film, tape, document)
pertaining to any part of this contract or any program
related to this contract, unless—
 The Contracting Officer has given prior written
approval; or
 The information is otherwise in the public domain
before the date of release
Requests for approval shall identify the specific
information to be released, the medium to be used, and
the purpose of the release. The Contractor shall submit
its request to the Contracting Officer at least 45 days
before the proposed date for release.
16
Problem Clause


Often gets included by defaultmandatory flow-down clause
Strategies for dealing with DFAR
252.204-7000 in flow-down contracts




Satisfy the clause with Contracting
Officer’s prior written authorization
Inject self-destruct clause
Insert “substantially similar” clause with
no pub restriction for university
subcontract
Set up separate contract direct from
government w/o clause
17
DoD Policy Memorandum on Contracted
Fundamental Research (26 June 2008)

Contracted fundamental research should not
be restricted, however, some applied research
may be restricted:




In exceptional circumstances
With approval of agency head
Can be invoked to remove DFAR 252.2047000 Disclosure of Information clause if:
Contracted fundamental research defined by:


6.1 funds (Basic Research)
6.2 funds (Applied Research)
18
New DFAR Export Clauses


252.204-7008 Requirements for
Contracts Involving Export-Controlled
Items.
252.204-7009 Requirements
Regarding Potential Access to ExportControlled Items.
19
New DFAR Export Clauses


DFAR 252.204-7009: If project goes
export controlled, only Contracting
Officer can terminate
DFAR 252.204-7009 and DFARS
252.204-7000 Disc of Information in
same contract - problematic!
20
New DFAR Clauses


Shifts compliance burden to
university
Requires monitoring to know when
notification is required if Contractor
is expected to generate export
controlled information, or materials
are to be generated
21
NASA Export Clause
NASAFAR 1852.225-70 Export
Licenses (and Alternate I)


Places export compliance burden on
university
Alternate I: authorizes export of
technical data IAW ITAR license
exemption
22
Problem Clause?
ARL 52.004-4400 FOREIGN NATIONALS PERFORMING UNDER
CONTRACT (Feb 2002)
In accordance with Title 8 U.S.C. 1324a, local Foreign Disclosure
Officers (FDOs) may approve access by foreign nationals working
on unclassified public domain contracts for the duration of the
contract, provided the foreign nationals have appropriate work
authorization documentation.
In those instances where foreign nationals are required to perform
under any resultant contract and employment eligibility
documentation was not submitted with an awardee’s proposal, the
employment eligibility documentation specified at 8 CFR 24a.2
shall be submitted to the Contracting Officer at least two weeks
prior to the foreign national’s performance for review and
approval. Awardees not employing foreign nationals in
performance of any resultant contract may disregard this clause.
23
Problem Clause?
DARPA / IARPA BAA clause
Publication Approval
It is anticipated that much of the research funded under this
Program will be unclassified contracted fundamental
research. However, there is the possibility that some
research results from this Program may require a prepublication review if it is determined that the release of such
information may result in the disclosure of sensitive
information. Any award resulting from such a determination
may include a requirement to obtain IARPA's permission
before publishing any information on the research. A
determination will be made based on the proposed work and
any necessary provisions will be reflected in contract
negotiations.
24
Strategies




Negotiate out – why in?
Clarify in writing (add to clause?) that
reason for list is verification of
employment documents – NOT
program reason for limited access
Modify to just submission of names/info
Modify to limit approval only when
access to secured federal facility
25
Problem Clause


AFRL 5327.9002 Provisions and clauses.
(a) Insert the clause at 5352.227-9000,
Export-Controlled Data Restrictions,
substantially as written, in Section I
when the acquisition involves export
controlled data.
This shows up if project involves export
controlled or sensitive but unclassified
information from DoD
26
Other Potentially Restrictive Clauses



Rights in Data - Get the right alternate
(e.g. FAR 52.227-14 Alt IV)
Beware the “Special Works” – Need to
specify/distinguish applicability
Other Transaction Agreements – look for
special language
27
Right in Data - FAR



Rights in Data – General, FAR 52.22714
Use with Alternate IV – for contracts
for basic or applied research to be
performed solely by universities &
colleges
Allowable, but need permission if
subcontractor from industry or we
subcontract to industry
28
Beware “Special Works”
What is it…Rights in Data-Special Works
FAR 52.227-17




Government has unlimited rights to all
technical data and software
No copyright/ ownership to university
Government permission to release any data
first produced under the contract
Requires indemnification
29
Beware “Special Works”
Why is it there?


Intended for production or compilation of
data for the government’s internal use or
need to limit distribution
Inserted if software is a specific deliverable
30
Special Works Alternative




Request deletion if no software
deliverable.
If there is, request deletion of Part (e)
indemnification and,
Add section that provides permission
to use, release, reproduce, publish
any data first produced in the
performance of your contract.
Distinguish applicability if 52.227-14
is included in the contract.
31
Other Transaction Agreements




“OTA” is not a grant or a contract or a
cooperative agreement
Not subject to FAR or OMB Circulars!
Do not require Bayh-Dole Act rights!
Case by case negotiations
32
Homegrown Federal Clauses:
Problem Phrases



No foreign national may work on this
project (with/or without prior
approval).
This project will generate export
controlled technology. Foreign
nationals may not have access
without appropriate licenses from the
State or Commerce Department.
This project requires access to export
controlled technology or controlled
unclassified (CUI) information.
33
Strategies for nonDoD Federal
Sponsors

FAR 27.404-4 Contractor’s release,
publication, and use of data.

(a) In contracts for basic or applied research with
universities or colleges, agencies shall not place any
restrictions on the conduct of or reporting on the
results of unclassified basic or applied research,
except as provided in applicable U.S. statutes.
However, agencies may restrict the release or
disclosure of computer software that is or is
intended to be developed to the point of practical
application (including for agency distribution under
established programs). This is not considered a
restriction on the reporting of the results of basic or
applied research.
34
Private Sponsor Clauses



Beware Language that States the Project
IS Export Controlled – Compliance with
Export Control Laws OK
Freedom to Publish is Key to Keeping
Activity within the Fundamental Research
Exclusion
Confidentiality Agreements


Include Notice to you of any Information
Provided that Company deems Export
Controlled
Include Option to Refuse
35
Thinking of Accepting Export-Controlled
Research?


Think again
Actions required:
•
•
•
•
Red Flag Screening (EAR)
Commodity Jurisdiction/Classification
(EAR/ITAR)
Project-specific Technology Control Plan
(whether or not a foreign national is a
participant in the project- a potential
export control license situation exists)
Training
36
Procedures: EAR Red Flag Screening
http://www.bis.doc.gov/ExportManagementSystems/EMSGuidelines.html
Element 1: Denied Persons Screen
Element 2: Product/licensing Screen
Sample Product/License Matrix
Element 3: Diversion Risk Screen
Element 4: Nuclear Screen
Element 5: Missile Screen
Element 6: CBW Screen
Element 7: AntiBoycott Screen
Element 8: Informed letter/Entity List
Screen
37
Procedures: Project Specific Technology
Control Plan (TCP)
Required Elements
Based on best practices, contains required
elements from ITAR/EAR/AFAEA deemed
export licenses
• Commodity Jurisdiction and
Classification
• Physical Security Plan
• Information Security Plan
• Personnel Screening/ Training
• Self Assessment
38
Institutional Commitment


University-wide Export Compliance
Management System or Technology Control
Plan specifies the university’s commitment
to comply with export control laws
Procedures determine roles and
responsibilities of Sponsored Programs,
Research Compliance, Faculty, Purchasing,
and the department and others in export
controlled sponsored research
39
Commodity Jurisdiction and
Classification



Under what law is the project restricted?
 Commodity Jurisdiction
ITAR/EAR/AFAEA/other
What exactly in the project is restricted?
 Technology Classification (with Sponsor
and and/or Commerce/Energy/State)
Who can have access and who can’t?
 License/ license exception/exemption
determination
40
Commodity Jurisdiction & Classification-ITAR
22 CFR§120.6





Is the research “inherently military in
character” or for a uniquely military purpose?
Is the research subject controlled on the
Munitions List?
Does the research involve spacecraft or
satellite technology (including Y-code GPS,
ground telemetry)?
Will the research produce/modify a defense
article (including software)?
Will foreign nationals have access to a defense
article in the research?
41
Commodity Jurisdiction & Classification-EAR
15 CFR§§734.2, 5, 744.6, 772



Is the research in WMD, missile, or
encryption technologies?
Will the research generate source code or
“specific information necessary to develop,
produce or use a product”?
If yes, does that product or software listed
on the Commerce Control List?
42
TCP Commodity Jurisdiction and Classification



When in doubt- default to ITAR-controls 22 CFR§120.4
Resolve intellectual property issues
Avoid “ITAR Contamination”
 If an invention becomes defined as an ITAR
“defense article” , it may prevent or prevent
unrestricted use in other civilian applications
without government authorization
43
Physical Security Plan


Minimum “One lock” principle- sometimes
more
Use NISPOM as a guide unless cost is
prohibitive





Restricted area
Closed area
Key control
Visitor logs
Escorts
44
Information Security Plan






Minimum “One Lock” principle
Server folder access, firewalls, passwords/
backup to US Persons only server or BU
harddrive
Clean desk policy, Central storage, locked
storage container
Security marking
Data discard/destruction
Secure email/ mail policy
45
Information Security Plan
Securing data:
 Use secure web sites (https://)


SSL (Secure Sockets Layer)
Use available tools to encrypt controlled
files:
PGP (Pretty Good Privacy)
 Truecrypt
 Others

Destroying data:
 NISPOM compliant (e.g, Eraser)
46
Screening and Training

All personnel with access to controlled
items:


are screened for nationality and restricted party
lists
are required to attend export training
Includes graduate students, undergraduate
students, technicians, and IT managers
47
Procedures: Change of Export Status

Coordinate with Sponsored Programs:






Change of Project Scope
Change of project personnel/parties (e.g.,
subcontractors, grad students)
Foreign Travel
Visiting foreign scientists/others
Shipping export controlled
equipment/materials/ software overseas
Notification of a potential export control
violation
48
Procedures: Export Control Violations

If notified of/identify a potential
export control violation:



Remove foreign persons/foreign
nationals from access
Secure the export control restricted
commodity, software, technology, or
technical data
Contact Sponsored Programs or
Compliance
49
Procedures: Contact by an
Enforcement Agency




Ask to see a badge
Cooperate with the investigator(s)
Determine if the Facility Security Officer/ Legal
Counsel has been notified, if not direct the
agent to them
Notify OSP of your contact
You may need to establish more detailed
guidance to deal with extra-regulatory
requests for assistance
50
Self Assessment

Internal procedures- post award

Certifications

Internal audit

Enforcement agencies
51
Now You Get Questions




May not always have immediate clear
answers
May need further assessment
Usually requires you to ask questions
in return
May need to involve legal counsel…
52
Keep Discussions In Context




There is a “Comfort Factor” with respect
to Export Control Regulations &
Compliance
Remain Focused on Research Results
Provide Assurances Regarding Regulatory
Compliance
Remember that maintaining the FRE
requires deliberate efforts; It cannot be
assumed based on organizational status
53
Additional Resources


Look to the case studies of clauses in Council on
Governmental Relations/COGR web publication www.cogr.edu/files/ExportControls.cfm
Look to a report of the AAU/COGR Task Force:
“Restrictions on Research Awards: TROUBLESOME
CLAUSES” www.aau.edu/WorkArea/showcontent.aspx?id=1634&La
ngType=1033
54
Questions?
David Brady
540-231-3801
dbrady@vt.edu
Erica Kropp
410-221-2015
ekropp@umces.edu
June 22, 2009
55
Download