EXPORT CONTROLS & SANCTIONS COMPLIANCE Basics & Clauses… David Brady Director and Facilities Security Officer Office of Export and Secure Research Compliance Virginia Tech Erica Kropp Office of Research Administration & Advancement University of Maryland Center for Environmental Science June 22, 2009 1 Beware The Traps Work your way through the FAR and other clauses and avoid the trap of export controls – don’t get ensnared. Ask questions early (internal routing forms). Look for clauses and other “red flags” in the scope of work, the RFP and/or BAA. Look for the same in the resulting T’s & C’s of the award. 2 What are Export Control Laws US laws that regulate the distribution to foreign nationals and foreign countries of strategically important products, services and information for reasons of foreign policy and national security. Export control laws apply to all activities – not just sponsored research projects. 3 US Export Control Responsible Agencies Most export controls and embargo issues fall under the jurisdiction of the following agencies: Department of State Department of Commerce Department of Treasury 4 Department of State International Traffic in Arms Regulations (ITAR) – 22 CFR Parts 120-130 Regulates military, space, or defenserelated articles, technologies, and services United States Munitions List (USML) Directorate of Defense Trade Controls (DDTC) 5 Department of Commerce Export Administration Regulations (EAR) – 15 CFR Parts 730-774 Regulates commercial and “dual use” products and technologies; primarily civil use Commerce Control List (CCL) Bureau of Industry and Security (BIS) 6 Department of Treasury Office of Foreign Assets Controls (OFAC) – 31 CFR Parts 500-599 Prohibits transactions with countries subject to trade sanctions and embargoes Administers and enforces economic and trade sanctions based on US foreign policy and national security goals Maintains the Specially Designated Nationals (SDN) and blocked persons list 7 Implications of Export & Sanctions Laws No effect on most university research Potential impact on Ability of foreign students or researchers to participate in research involving a controlled technology (mostly under ITAR) Ability to provide services (including training in the use of controlled equipment) to foreign persons (ITAR, EAR, OFAC) Ability to send controlled equipment to foreign countries (ITAR, EAR, and OFAC) 8 Implications of Export & Sanctions Laws Factor that can extend award negotiation time – may involve institutional decisions Factor to be considered if/when accepting another parties information Likely to require additional internal review processes Time and resources – can effect project schedules – even after the award PI’s need to be involved 9 University Strategy Protect the fundamental research exclusion by negotiating the elimination of all contractual clauses that restrict university control of publications or limit access to or participation in research. 10 Review of Proposals and Awards Add questions to internal proposal routing form Use an award review check list for research administrators Establish an internal process for both the determination of applicable exclusion or obtaining a license Develop/ find a dedicated resource Document all export determinations 11 Some Early Stage Red Flag Items Does the Project involve: Shipping equipment or biological materials to a foreign country? Collaborating with foreign colleagues in foreign countries? Foreign visitors to your labs? Training foreign nationals in using equipment? Working with a country subject to US sanctions? Traveling to a foreign country? 12 More Red Flag Items Use of another parties proprietary information? Is the sponsor a foreign entity? Do the terms of the RFP/BAA, etc. require: Sponsor approval rights over publications? Sponsor approval of the participation of foreign nationals? Is the RFP marked “Export Controlled”? 13 Potential Problem Clause Topics IP/Data Rights Publications/Information Dissemination Confidentiality Clauses/Agreements Export Control Security Restrictions on use of foreign nationals on research projects Deliverables 14 Problem Clause DFAR 252.204-7000 Disclosure of Information – requires APPROVAL When the Contractor will have access to or generate unclassified information that may be sensitive and inappropriate for public release , include the clause DFARS 252.204-7000. Destroys fundamental research exclusion 15 Problem Clause DISCLOSURE OF INFORMATION (Dec 1991) The Contractor shall not release to anyone outside the Contractor’s organization any unclassified information, regardless of medium (e.g., film, tape, document) pertaining to any part of this contract or any program related to this contract, unless— The Contracting Officer has given prior written approval; or The information is otherwise in the public domain before the date of release Requests for approval shall identify the specific information to be released, the medium to be used, and the purpose of the release. The Contractor shall submit its request to the Contracting Officer at least 45 days before the proposed date for release. 16 Problem Clause Often gets included by defaultmandatory flow-down clause Strategies for dealing with DFAR 252.204-7000 in flow-down contracts Satisfy the clause with Contracting Officer’s prior written authorization Inject self-destruct clause Insert “substantially similar” clause with no pub restriction for university subcontract Set up separate contract direct from government w/o clause 17 DoD Policy Memorandum on Contracted Fundamental Research (26 June 2008) Contracted fundamental research should not be restricted, however, some applied research may be restricted: In exceptional circumstances With approval of agency head Can be invoked to remove DFAR 252.2047000 Disclosure of Information clause if: Contracted fundamental research defined by: 6.1 funds (Basic Research) 6.2 funds (Applied Research) 18 New DFAR Export Clauses 252.204-7008 Requirements for Contracts Involving Export-Controlled Items. 252.204-7009 Requirements Regarding Potential Access to ExportControlled Items. 19 New DFAR Export Clauses DFAR 252.204-7009: If project goes export controlled, only Contracting Officer can terminate DFAR 252.204-7009 and DFARS 252.204-7000 Disc of Information in same contract - problematic! 20 New DFAR Clauses Shifts compliance burden to university Requires monitoring to know when notification is required if Contractor is expected to generate export controlled information, or materials are to be generated 21 NASA Export Clause NASAFAR 1852.225-70 Export Licenses (and Alternate I) Places export compliance burden on university Alternate I: authorizes export of technical data IAW ITAR license exemption 22 Problem Clause? ARL 52.004-4400 FOREIGN NATIONALS PERFORMING UNDER CONTRACT (Feb 2002) In accordance with Title 8 U.S.C. 1324a, local Foreign Disclosure Officers (FDOs) may approve access by foreign nationals working on unclassified public domain contracts for the duration of the contract, provided the foreign nationals have appropriate work authorization documentation. In those instances where foreign nationals are required to perform under any resultant contract and employment eligibility documentation was not submitted with an awardee’s proposal, the employment eligibility documentation specified at 8 CFR 24a.2 shall be submitted to the Contracting Officer at least two weeks prior to the foreign national’s performance for review and approval. Awardees not employing foreign nationals in performance of any resultant contract may disregard this clause. 23 Problem Clause? DARPA / IARPA BAA clause Publication Approval It is anticipated that much of the research funded under this Program will be unclassified contracted fundamental research. However, there is the possibility that some research results from this Program may require a prepublication review if it is determined that the release of such information may result in the disclosure of sensitive information. Any award resulting from such a determination may include a requirement to obtain IARPA's permission before publishing any information on the research. A determination will be made based on the proposed work and any necessary provisions will be reflected in contract negotiations. 24 Strategies Negotiate out – why in? Clarify in writing (add to clause?) that reason for list is verification of employment documents – NOT program reason for limited access Modify to just submission of names/info Modify to limit approval only when access to secured federal facility 25 Problem Clause AFRL 5327.9002 Provisions and clauses. (a) Insert the clause at 5352.227-9000, Export-Controlled Data Restrictions, substantially as written, in Section I when the acquisition involves export controlled data. This shows up if project involves export controlled or sensitive but unclassified information from DoD 26 Other Potentially Restrictive Clauses Rights in Data - Get the right alternate (e.g. FAR 52.227-14 Alt IV) Beware the “Special Works” – Need to specify/distinguish applicability Other Transaction Agreements – look for special language 27 Right in Data - FAR Rights in Data – General, FAR 52.22714 Use with Alternate IV – for contracts for basic or applied research to be performed solely by universities & colleges Allowable, but need permission if subcontractor from industry or we subcontract to industry 28 Beware “Special Works” What is it…Rights in Data-Special Works FAR 52.227-17 Government has unlimited rights to all technical data and software No copyright/ ownership to university Government permission to release any data first produced under the contract Requires indemnification 29 Beware “Special Works” Why is it there? Intended for production or compilation of data for the government’s internal use or need to limit distribution Inserted if software is a specific deliverable 30 Special Works Alternative Request deletion if no software deliverable. If there is, request deletion of Part (e) indemnification and, Add section that provides permission to use, release, reproduce, publish any data first produced in the performance of your contract. Distinguish applicability if 52.227-14 is included in the contract. 31 Other Transaction Agreements “OTA” is not a grant or a contract or a cooperative agreement Not subject to FAR or OMB Circulars! Do not require Bayh-Dole Act rights! Case by case negotiations 32 Homegrown Federal Clauses: Problem Phrases No foreign national may work on this project (with/or without prior approval). This project will generate export controlled technology. Foreign nationals may not have access without appropriate licenses from the State or Commerce Department. This project requires access to export controlled technology or controlled unclassified (CUI) information. 33 Strategies for nonDoD Federal Sponsors FAR 27.404-4 Contractor’s release, publication, and use of data. (a) In contracts for basic or applied research with universities or colleges, agencies shall not place any restrictions on the conduct of or reporting on the results of unclassified basic or applied research, except as provided in applicable U.S. statutes. However, agencies may restrict the release or disclosure of computer software that is or is intended to be developed to the point of practical application (including for agency distribution under established programs). This is not considered a restriction on the reporting of the results of basic or applied research. 34 Private Sponsor Clauses Beware Language that States the Project IS Export Controlled – Compliance with Export Control Laws OK Freedom to Publish is Key to Keeping Activity within the Fundamental Research Exclusion Confidentiality Agreements Include Notice to you of any Information Provided that Company deems Export Controlled Include Option to Refuse 35 Thinking of Accepting Export-Controlled Research? Think again Actions required: • • • • Red Flag Screening (EAR) Commodity Jurisdiction/Classification (EAR/ITAR) Project-specific Technology Control Plan (whether or not a foreign national is a participant in the project- a potential export control license situation exists) Training 36 Procedures: EAR Red Flag Screening http://www.bis.doc.gov/ExportManagementSystems/EMSGuidelines.html Element 1: Denied Persons Screen Element 2: Product/licensing Screen Sample Product/License Matrix Element 3: Diversion Risk Screen Element 4: Nuclear Screen Element 5: Missile Screen Element 6: CBW Screen Element 7: AntiBoycott Screen Element 8: Informed letter/Entity List Screen 37 Procedures: Project Specific Technology Control Plan (TCP) Required Elements Based on best practices, contains required elements from ITAR/EAR/AFAEA deemed export licenses • Commodity Jurisdiction and Classification • Physical Security Plan • Information Security Plan • Personnel Screening/ Training • Self Assessment 38 Institutional Commitment University-wide Export Compliance Management System or Technology Control Plan specifies the university’s commitment to comply with export control laws Procedures determine roles and responsibilities of Sponsored Programs, Research Compliance, Faculty, Purchasing, and the department and others in export controlled sponsored research 39 Commodity Jurisdiction and Classification Under what law is the project restricted? Commodity Jurisdiction ITAR/EAR/AFAEA/other What exactly in the project is restricted? Technology Classification (with Sponsor and and/or Commerce/Energy/State) Who can have access and who can’t? License/ license exception/exemption determination 40 Commodity Jurisdiction & Classification-ITAR 22 CFR§120.6 Is the research “inherently military in character” or for a uniquely military purpose? Is the research subject controlled on the Munitions List? Does the research involve spacecraft or satellite technology (including Y-code GPS, ground telemetry)? Will the research produce/modify a defense article (including software)? Will foreign nationals have access to a defense article in the research? 41 Commodity Jurisdiction & Classification-EAR 15 CFR§§734.2, 5, 744.6, 772 Is the research in WMD, missile, or encryption technologies? Will the research generate source code or “specific information necessary to develop, produce or use a product”? If yes, does that product or software listed on the Commerce Control List? 42 TCP Commodity Jurisdiction and Classification When in doubt- default to ITAR-controls 22 CFR§120.4 Resolve intellectual property issues Avoid “ITAR Contamination” If an invention becomes defined as an ITAR “defense article” , it may prevent or prevent unrestricted use in other civilian applications without government authorization 43 Physical Security Plan Minimum “One lock” principle- sometimes more Use NISPOM as a guide unless cost is prohibitive Restricted area Closed area Key control Visitor logs Escorts 44 Information Security Plan Minimum “One Lock” principle Server folder access, firewalls, passwords/ backup to US Persons only server or BU harddrive Clean desk policy, Central storage, locked storage container Security marking Data discard/destruction Secure email/ mail policy 45 Information Security Plan Securing data: Use secure web sites (https://) SSL (Secure Sockets Layer) Use available tools to encrypt controlled files: PGP (Pretty Good Privacy) Truecrypt Others Destroying data: NISPOM compliant (e.g, Eraser) 46 Screening and Training All personnel with access to controlled items: are screened for nationality and restricted party lists are required to attend export training Includes graduate students, undergraduate students, technicians, and IT managers 47 Procedures: Change of Export Status Coordinate with Sponsored Programs: Change of Project Scope Change of project personnel/parties (e.g., subcontractors, grad students) Foreign Travel Visiting foreign scientists/others Shipping export controlled equipment/materials/ software overseas Notification of a potential export control violation 48 Procedures: Export Control Violations If notified of/identify a potential export control violation: Remove foreign persons/foreign nationals from access Secure the export control restricted commodity, software, technology, or technical data Contact Sponsored Programs or Compliance 49 Procedures: Contact by an Enforcement Agency Ask to see a badge Cooperate with the investigator(s) Determine if the Facility Security Officer/ Legal Counsel has been notified, if not direct the agent to them Notify OSP of your contact You may need to establish more detailed guidance to deal with extra-regulatory requests for assistance 50 Self Assessment Internal procedures- post award Certifications Internal audit Enforcement agencies 51 Now You Get Questions May not always have immediate clear answers May need further assessment Usually requires you to ask questions in return May need to involve legal counsel… 52 Keep Discussions In Context There is a “Comfort Factor” with respect to Export Control Regulations & Compliance Remain Focused on Research Results Provide Assurances Regarding Regulatory Compliance Remember that maintaining the FRE requires deliberate efforts; It cannot be assumed based on organizational status 53 Additional Resources Look to the case studies of clauses in Council on Governmental Relations/COGR web publication www.cogr.edu/files/ExportControls.cfm Look to a report of the AAU/COGR Task Force: “Restrictions on Research Awards: TROUBLESOME CLAUSES” www.aau.edu/WorkArea/showcontent.aspx?id=1634&La ngType=1033 54 Questions? David Brady 540-231-3801 dbrady@vt.edu Erica Kropp 410-221-2015 ekropp@umces.edu June 22, 2009 55