Export Control: Technology Control Plan

Guidance

A Technology Control Plan (TCP) is a customized management plan that outlines the procedures in place to prevent unauthorized exportation of protected items, products, information, or technology deemed to be sensitive to national security or economic interests. The Technology Control Plan is a critical component of the University’s export control compliance program.

A TCP is not exclusive to “technology” but may also be required for equipment, software, data, materials, services, or payments. The specific terms of the TCP will depend upon the nature of the technology and available safeguards.

The TCP will typically include:

  • the relevant control category
  • a description of the export-controlled item or information
  • the project sponsors
  • a physical and informational security plan, identifying project participants
  • personnel screening
  • training
  • a monitoring plan which includes personnel changes
  • information on disposition of items or information at the end of the project.

Usually all project personnel will be required to read, understand, and sign the TCP prior to working on the project. In addition, export control training is almost always required.

In the event that a piece of equipment, technology, or technical data is identified as export controlled, contact the Export Control Office to receive assistance in creating a new detailed Technology Control Plan or for maintaining an existing TCP to ensure compliance.


Examples of procedures that could be in a TCP:

  • The physical and information security measures to prevent unauthorized access and export must be included in the TCP. Examples of security measures include, but are not limited to, the following:
  • Project activity may be limited to laboratory areas that are physically isolated from access or observation by unauthorized individuals. These areas must remain secured at all times when TCP items or information are in use.
  • Project activity may be limited to specific time blocks when access will be restricted to authorized personnel. Unauthorized individuals will not be permitted to observe project activities or have access to the activity location during this specified time.
  • Export controlled information must be clearly identified and marked.
  • Authorized individuals may be required to wear a badge, special card, or similar device indicating their permission to access project areas. Physical movement into and out of designated project areas may be logged or otherwise monitored.
  • Tangible items should be stored in access controlled rooms or storage devices that prevent visual disclosure as well as physical access. Access keys or cards may only be issued to authorized personnel.
  • Soft and hardcopy data, laboratory notebooks, reports, and other research materials must be stored in locked storage devices. Keys may only be issued to authorized personnel.
  • Project computers, networks, and electronic files should be secured and monitored through User IDs, password controls, and encryption technology (128‐bit or better). Database access should be managed via a Virtual Private Network.
  • Electronic communications (email, text, and instant messaging) containing controlled information should be either explicitly prohibited or specifically addressed in the TCP procedures.
  • Discussions about the project must be limited to the individuals identified and authorized under the TCP and occur only in areas where unauthorized individuals are not present and cannot reasonably overhear. Discussions with non‐UCB parties must occur only under signed agreements which fully respect non‐U.S. person limitations for such disclosures.

The specific terms of the TCP will depend upon the nature of the technology, software, data, materials, services, payments, and available safeguards.