Technology Control Plans for Cleared Defense Contractors Michael Miller University of Central Florida Agenda • TCP Essentials – What is a TCP? – Who needs to implement a TCP and when? – What are the critical elements of a TCP? • Regulatory Authorities and Agencies • Developing a TCP - Agency Expectations • Monitoring Effectiveness • Training • Violations What is a Technology Control Plan? • A Roadmap of how a company will control its technology. “How to do it” document that explains how the ITAR, EAR and NISPOM will be carried out. • Ensures classified defense information (“CI”) or controlled unclassified information (“CUI”) is not provided to a foreign person (employees, visitors, affiliates). • A protection plan to control access to and dissemination of CI and CUI – Includes information, items, articles and technical data • Ensures program team are informed, aware, and understand their obligations and responsibilities. • Not a replacement for traditional security programs (SPP), but an enhancement to existing practices. Core Principles • Multiple variations of the title “TCP”, content and layout • Based on corporate policy, federal laws and regulations and facility clearance requirements • Identifies the controlled “things” (e.g. CI, CUI, EAR, ITAR, materials, technical data, and services) • Proscribes access and dissemination controls of the “things” • Defines duties and responsibilities • A TCP is only as strong as the training you provide to the staff who must execute the plan. Three Main Parts 1. The Plan 2. Non-Disclosure Statement 3. Acknowledgement We will get into specific elements found in each section of the plan later. Types of TCPs • Facility type plan – Plan to possess export-controlled or other restricted information – Your personalized controls not specified in the NISPOM • Project specific plan – Implement a security bubble around elements of a program, i.e. access to various parts of a facility, or compartmentalization methods: • • • • Area quarantine Time blocking Locked storage and electronic security Communication security • Activity-related plan – Visits, IT systems, launch activities, shared services, etc. • Person specific plan – Foreign person employees – a plan for the work activities. Who Needs a TCP? • Cleared defense contractors – FOCI arrangements (in addition to SPP) – Cleared facilities with foreign persons on-site • Foreign employees • Short-term and long-term visitors – Foreign person export licenses - before transfer of hardware, software, tech data or defense services • Uncleared Defense Contractors, Manufacturers, Distributors, Brokers subject to ITAR/EAR – – – – – Registration Requirement w/ DDTC ITAR facilities w/ FN employees, visitors, plant visits, shared facilities Needed even for unlicensed foreign persons w/o access to anything Required for licensed foreign persons or other Government Approval Mandated by Proviso / license condition Who Needs a TCP? • Service Providers – Researchers, institutes, universities for unclassified export controlled information – Certain exports of Cat XV USML space projects and launch activity providers – Certain encryption technology providers – FMS Freight Forwarders EAR: “TCPs are a good practice for all holders of export controlled technology” Regulatory Authorities Export Controls Agencies • U.S. Department of State, Directorate of Defense Trade Controls – International Traffic in Arms Regulations • Department of Commerce, Bureau of Industry & Security – Export Administration Regulations Department of Defense Agencies • Department of Defense, Defense Security Service – National Industrial Security Program • Department of Defense, Defense Technology Security Administration – National Defense Authorization Act • Public Law 105-261, Title XV State Department Arms Export Control Act • International Traffic in Arms Regulations (“ITAR”) , 22 CFR Parts 120 – 130 • Part 126 “General Policies and Provisions” – 126.13(c) License applications for foreign person employees: TCP required when foreign persons are employed at or assigned to securitycleared facilities. – 126.18(c)(2) Exemptions for Intra-company transfer of unclassified defense articles to foreign person employees: TCP required as a condition to use exemption, in addition to complying with other ITAR requirement (126.1 country prohibition, NDA, screening for substantive contacts, travel, allegiance, business relationships, etc. – 126.5, Supplement 1, Note 14. Canadian Exemptions: (Revision to Prior TCP Requirement No specific TCP but rather a semi-annual report to state. Commerce Department Export Administration Act • Export Administration Regulations (“EAR”) , 15 CFR Parts 730 - 744 • Part 752.11, Internal Control Program Requirements – ICP is the basis for a TCP under the EAR, required for deemed export and technology exports licenses. – Essential elements: • Corporate commitment to export compliance • Physical security plan • Information security plan • Personnel screening procedures • Training and awareness program • Self evaluation program • References: – – http://www.bis.doc.gov/index.php/forms-documents/doc_download/387-intermediate-deemed-exports-pdf http://www.bis.doc.gov/images/pdfs/deemedexports/foreignationals.pdf Commerce Department • Part 734.2(b)(2)(ii) Deemed Exports – 734.2(b)(2)(ii) Deemed Export: Release of technology is deemed to be to the home country of the foreign national, e.g. tours, foreign national employees involved in certain R&D and manufacturing activities, foreign students/scholars, hosting foreign nationals at your facility. • Licensing of Deemed Exports: No specific EAR reference to TCP; however, license requires “safeguards to restrict access” i.e. TCP. – Required when foreign nationals are employed at or assigned to facilities that handle export-controlled items or information – BIS Licensing Guidance - Internal Technology Control Plan - Applicant should describe measures to prevent unauthorized access by foreign nationals to controlled technology or software. The measures may include the applicant’s internal control program to prevent unauthorized access to controlled technologies or software. Commerce Department • License Conditions – The applicant will establish procedures to ensure compliance with the conditions of this license, particularly those regarding limitations on access to technology by foreign nationals. The applicant's key export control management officials will ensure that the foreign national complies with conditions 1- 5. A copy of such procedures will be provided to DoC/BIS. – The applicant will ensure that the foreign national does not have access to any unlicensed controlled technology. – The transfer of controlled technology and software shall be limited to the minimum needed by the foreign national in his/her role as described in the license application. – http://www.bis.doc.gov/images/pdfs/deemedexports/foreignationals.pdf Defense Technology Security Administration Arms Export Control Act • International Traffic in Arms Regulations (“ITAR”) , 22 CFR Parts 120 – 130 • Part 124 “Agreements, Off-Shore Procurement, and Other Defense Services” – 124.15(a)(1) Special Export Controls for Defense Articles and Services Controlled Under Cat. XV “Space Systems and Space Launches”: Technology Transfer Control Plan (TTCP) and Encryption Technology Control Plan (ETCP) required for use of any exemption, government approval or for any export license related to Category XV. – Special processing procedure & rules. DTSA must monitor compliance for proliferation. – DTSA has a TTCP Development Guideline manual – Approved by DoD, DOS, DTSA, and NSA. Note Export Control Reform: Commercial satellites & related items transferring from the ITAR to the EAR. ITAR will retain primarily military, intelligence, and certain remote sensing satellites) and related ground systems, components, parts, software, and technical data and defense services. Services include assistance related to ANY satellite launch, satellite/launch vehicle integration, and satellite launch failure analysis. Defense Security Service • NISPOM 2-307 – Foreign Ownership, Control or Influence (FOCI) – A TCP shall be implemented by companies cleared under FOCI action plans that prescribes all security measures to reasonably foreclose the possibility of inadvertent access by non-U.S. citizen employees and visitors to information for which they are not authorized. – Referenced in 22 CFR 126.13(c) (ITAR) • NISPOM 10-509 – International Visits & Control of Foreign Nationals – A TCP is required to control access by foreign nationals assigned to, or employed by, cleared contractor facilities… The TCP shall contain procedures to control access for all export-controlled information. • DSS CDSE Webinar on Technology Control Plan under the NISPOM – http://www.cdse.edu/catalog/webinars/industrial-security/technology-control-plan.html FOCI Required Plans • Technology Control Plan • Affiliated Operations Plan – Shared Services, e.g. IT, banking, etc. • Electronic Communications Plan – IT Systems, Tele/video conferencing – Ensures no unallowable Technology Transfer • Visitations Plan – Foreign / U.S. company meetings • Facility Location Plan – Close proximity, shared, and co-located http://www.dss.mil/isp/foci/foci_info.html Developing a TCP – Agency Expectations • Write your own plan and tailor it to your specific situation • Know what needs to be protected and describe the things that are subject to agency controls – Ex. Information, articles, USML, CCL, Classification • Describe procedures for protection and controls – Controls should make sense – If it is in your plan, do it – Agency specific requirements (e.g. FOCI) • Designate & empower company officials – Technology Control Officer / Export Control Officer – Facility Security Officer • Educate personnel – critical. Standard Sections of the Plan • Introduction (scope, purpose, background, definitions) • Corporate policy • Identification of restricted technology • Protection guidelines – Physical security – Personnel security – Operational security** NSDD-298 – Signal security (if applicable) – Computer security – IT Network security **Deny adversaries export controlled or public info that are unclassified Standard Sections Cont. • Licensing Procedures (TAA, MLA, Foreign Person Employees) • Plant / Site visit • Foreign travel • International shipping • Training requirements • Recordkeeping • Accountability and violation penalties Optional Customized Sections • Unique facility elements – Identification of escorted areas – Unescorted areas – Segregated work areas • Identification of team members & responsibilities – Responsible Company Officials • Investigation procedures • Employee Separation Best Practice Examples Introductory information • Introduction, scope, purpose, background, definitions – Delineates and informs employees and visitors: • The existence and description of technology controls, • What areas of the company controls apply, i.e. “territories, divisions, units” etc. • Why they are necessary, i.e. “purpose” • Specific provisions applicable to your company’s defense trade function or facility clearance, i.e. “DTRADE Registration No.” • Definition of Terms as they relate to the TCP, i.e. “foreign persons” Introductory information Introduction This Technology Control Plan (“TCP”) delineates and informs employees and visitors of the controls necessary to ensure that no transfer of technical information or data or defense services occur unless authorized pursuant to federal regulations. Purpose and Scope The purpose of this plan is to describe the methods to 1) identify program activities that are subject to federal regulatory requirements; 2) identify security responsibilities and requirements of project personnel; 2) establish methods for the identification and handling of controlled unclassified information (“CUI”); 3) allowable and unallowable access to the program, data and equipment, monitoring and control protocols, physical and electronic measures for access, use, storage, transfer and destruction. The Technology Control Plan (“TCP”) provides guidance on the control of access to classified and unclassified export controlled information by foreign persons employed by, and long-term foreign national visitors assigned to, a cleared U.S. contractor facility pursuant to the International Traffic in Arms Regulations (“ITAR”) codified at 22 Code of Federal Regulations (CFR) §§ 120-130, and the Export Administration Regulations (“EAR”) codified at 15 Code of Federal Regulations (CFR) §§ 300 – 799 and the National Industrial Security program operating Manual (“NISPOM”). A TCP is a roadmap of how UCF will control restricted technology to ensure compliance with the ITAR, EAR and NISPOM. Statement of Commitment • Corporate Directive or policy – Reference to FCL, NISPOM, federal regulations and other commitments – Required by the ITAR – corporate commitment http://www.pmddtc.state.gov/compliance/documents/compliance_programs.pdf – TCP should reference the corporate directive – May include specific “foreign person” policy UCF Statement of Commitment The University will fully comply with U.S. export control laws while ensuring that, to the extent possible, university instruction and research is conducted openly and without restriction on participation or publication. As a cleared defense contractor, UCF is committed to educating its employees, professors, students, researchers or other collaborators on U.S. export control laws and regulations and their particular application within a university research setting. As part of the University’s ongoing commitment to export control compliance and education, the University has established a website at: http://www.research.ucf.edu/ExportControl/ that contains university export control policies, forms, training modules and reference materials. Identification of Technology • Identification and enumeration of restricted technology – Commodity Jurisdiction determines which regulatory regime and procedures will govern the activity. • Security Classification(s) • U.S. Munitions List Category and Subcategory • Export Control Classification Number (“ECCN”) Identification of Technology • U.S. Munitions List Category and Subcategory Export Control Jurisdiction, Classification and Categorization UCF will create, generate, require access, or receive technical data or defense articles regulated by the Arms Export Control Act (“AECA”) and subject to the federal restrictions specified in the ITAR in performance of this program. This TCP details the mitigation techniques UCF will implement to comply with the ITAR requirements. The Principal Investigator (PI) and Approved Project Personnel are required by law to conform to the minimum security requirements to ensure that controlled defense services, articles, and technical data or controlled commodities are adequately protected from disclosure. The applicable United States Munitions List (“USML”) Category and subcategory classifications are: Category IX: Military Training Equipment & Training, (a), (b), (d), (e) (a) Training equipment specifically designed, modified, configured or adapted for military purposes, including but not limited to weapons system trainers, radar trainers, gunnery training devices, antisubmarine warfare trainers, target equipment, armament training units, pilot-less aircraft trainers, navigation trainers and human-rated centrifuges. (b) Simulation devices for the items covered by this subchapter. (c) Tooling and equipment specifically designed or modified for the production of articles controlled by this category. (d) Components, parts, accessories, attachments, and associated equipment specifically designed, modified, configured, or adapted for the articles in paragraphs (a), (b) and (c) of this category. (e) Technical data (as defined in Sec. 120.10 of this subchapter) and defense services (as defined in Sec. 120.9 of this subchapter) directly related to the defense articles enumerated in paragraphs (a) through (d) of this category. (f) The following interpretations explain and amplify terms used in this category and elsewhere in this subchapter: (1) The weapons systems trainers in paragraph (a) of this category include individual crew stations and system specific trainers; (2) The articles in this category include any end item, components, accessory, part, firmware, software or system that has been designed or manufactured using technical data and defense services controlled by this category; (3) The defense services and related technical data in paragraph (f) of this category include software and associated databases that can be used to simulate trainers, battle management, test scenarios/models, and weapons effects. In any instance when the military training transferred to a foreign person does not use articles controlled by the U.S. Munitions List, the training may nevertheless be a defense service that requires authorization in accordance with this subchapter. See e.g., Sec. 120.9 and Sec. 124.1 of this subchapter for additional information on military training. Physical Security • Cross-reference with SPP if necessary • Facility layout with diagram • Physical barriers and separators – Building access – Locking requirements – Offices, doors, file cabinets – Production, lab, manufacturing areas – Visual access inhibitors • Badges and badging – Employee – Visitor – Foreign person – Contractor • Key control – log of who has what keys / electronic combinations Badges & Badging • Example Personnel Security • Written employee responsibilities – Can be broken down by function or division (general employee, supervisor, engineer, business development, security, HR, etc.) • Foreign person in-residence responsibilities – Licensing procedures – Indoctrination procedure – Monitoring – Separation • Third party responsibilities – Custodian, maintenance, delivery, building management • Random personnel inspections – Entering and exiting the facility – Bags, parcels, media, electronic devices – Notification posted on premises Example – Foreign Person Disclosure Example - Indoctrination Example - Responsibilities Access Control • Procedures for controlling and restricting access to: – Work areas – Information • Uncontrolled and public • Controlled • Classified • Proprietary • Derived information • Storage, destruction, transmission, dissemination “All information that needs to be protected must be appropriately marked or otherwise identifiable to all personnel” – Equipment, hardware, production facilities, etc. Example – Identification of Information Example - Hardware Access Controls Site Visits • Plant and site visit procedures – Pre-visit screening – In-processing, log, facility notification, badging & briefing – Host escort and acknowledgement Escorts • Escorts are responsible and must be trained • Must be able to control visitors at all times • Do not allow wandering, pictures, embarrassing incidents, unannounced changes, unannounced visitors, video crews, misinterpretations, multiple requests, etc. • Waiting room areas can be designated “safe harbor” • Lock-up restricted information / articles Escorts The PI and approved project personnel will ensure that foreign nationals are not present when measurement is taking place. All foreign persons must be are escorted within the lab area. Foreign nationals are not permitted independent, unescorted 24 hour access to a work area until such time as all export controlled activity has ceased. Computer & Network Security • Computer security – Use NIST standard as a baseline – User IDs, login, passwords, encryption, etc. – Company email only, no clouds • IT Network security – – – – Procedures to maintain control of networked systems Domain access restrictions Repository (fileserver) for restricted CUI, proprietary, trade secret Drawings, configuration management NDA TCP Acknowledgement TCP Acknowledgement SUBJECT: Attestation of Understanding and Compliance Agreement with the Technology Control Plan Section 1: To be completed after initial ITAR Training I, [Project Team Member], having read the subject Technology Control Plan, attest to my understanding of the following responsibilities: a. I will refrain from sharing the research project’s Critical Information (CI) with personnel who are not part of the contract or university research teams performing under contract Number [Number] b. I will notify my Principal Investigator (PI) of any inadvertent disclosures c. I will comply with the management controls and Te3chnology Control Plan countermeasures prescribed in the Plan. __________________________________ _______ [Project Team Member] ________ ___________________________________ Date Date Dr. [Name], Professor Section 2: To be completed upon exit from the research project I attest to my understanding that my obligation to protect the project’s Critical Information (CI) and Export Controlled technical data continues past my association with the project. I acknowledge that I am required to follow the same countermeasures to protect that information after my association with this project has concluded. __________________________________ _______ [Project Team Member] ________ ___________________________________ Date Date Dr. [Name], Professor Monitoring • Internal Self Assessment – Annual review of TCPs should be conducted – Checklist of items, measures and benchmarks that should be reviewed • Employee knowledge • Adherence to access procedures • Corrective action plan for findings uncovered • Penalties for violations must be enforced • Recurring Training – Personnel subject to TCP should be trained annually – Training should review policy, procedure, legal requirements and TCP protocols TCP Violations • Procedure for handling violations Investigation will consist of three phases: 1. Data preservation a. Notify necessary parties of the investigation b. Require parties to preserve all materials related to the subject matter c. Categorize and review the types of information and documents relevant to the investigation d. Demand strict compliance with data preservation e. Inform parties of how information should be preserved f. Designate a Point of Contact 2. Data collection and review a. Document preservation and collection interviews b. Collection and review of paper and electronic data 3. Interviews of relevant employees / participants a. Following collection, review and organization of data, interviews with all relevant parties will be conducted. b. A formal memo and summary of all interviews will be prepared Upon conclusion of data collection, interviews and evaluation, a formal report will be prepared. Facts developed during the course of the investigation are important for VSD purposes in addition to university decision-making. Contents of the report will include: 1. 2. 3. 4. 5. Description of the subject and scope of the investigation Description of each phase of the investigation, including all efforts A chronology of the facts developed via the investigation A description of remedial measures undertaken A description of proposed corrective/preventative actions Self-Disclosure • Regulatory Requirements 127.12(c)(2) (i) A precise description of the nature and extent of the violation (e.g., an unauthorized shipment, doing business with a party denied U.S. export privileges, etc.); (ii) The exact circumstances surrounding the violation (a thorough explanation of why, when, where, and how the violation occurred); (iii) The complete identities and addresses of all persons known or suspected to be involved in the activities giving rise to the violation (including mailing, shipping, and e-mail addresses; telephone and fax/facsimile numbers; and any other known identifying information); (iv) Department of State license numbers, exemption citation, or description of any other authorization, if applicable; (v) U.S. Munitions List category and subcategory, product description, quantity, and characteristics or technological capability of the hardware, technical data or defense service involved; (vi) A description of corrective actions already undertaken that clearly identifies the new compliance initiatives implemented to address the causes of the violations set forth in the voluntary disclosure and any internal disciplinary action taken; and how these corrective actions are designed to deter those particular violations from occurring again; (vii) The name and address of the person making the disclosure and a point of contact, if different, should further information be needed. Contact Information Mike Miller Assistant Director for Export Controls University of Central Florida EM: Michael.Miller@ucf.edu PH: 407-882-0660