UNIVERSITY OF CHICAGO
EXPORT CONTROL GUIDANCE & PROCEDURES
Jurisdiction and Classification Requests
All exports need to be classified prior to shipment/delivery in order to determine which control requirements apply to the item(s); in certain cases, laboratory access by certain foreign nationals for whom particular items are restricted, may also apply.
Commodity Jurisdiction Requests
COMMODITY JURISDICTION DETERMINATION REQUESTS
As ITAR determinations govern licensing and authorization requirements for foreign national access, as well as transfers and exports, UChicago must ensure that all “defense articles” (equipment, materials, technical data and software that appear on the United States Munitions List) are properly identified and treated as such. The process of determining whether an item is controlled as a defense article under the USML is called “jurisdictional determination,” because it is a process of determining whether they are controlled under the jurisdiction of the Department of State’s Directorate of Defense Trade Controls (DDTC’s), International Traffic in Arms Regulations (ITAR). Items may not be exported by any means, including access by foreign nationals within the U.S., until jurisdictional determination is confirmed.
When a clear jurisdictional determination cannot be made from the facts at hand (i.e., there is an ambiguity as to whether the item may be alternatively controlled by the Department of Commerce as “dual use” or not controlled at all), UChicago will apply for a Commodity Jurisdiction (“CJ”) from DDTC. A CJ is a letter to DDTC requesting that the agency opine on the proper jurisdiction of an item, i.e. whether it is covered under the USML (and if so, under which Category) or falls under Commerce Department control. CJs are potentially complex documents that require significant preparation, the results of which can have significant implications for Chicago’s current and future endeavors.
USML CATEGORIZATIONS
Once an item has been determined to fall under ITAR jurisdiction, its USML category must be identified. A defense article’s categorization has important implications for Chicago in terms of potential licensing requirements or export restrictions, so categorizations must be performed precisely. For example, an asterisk next to a category’s subparagraph denotes Significant Military Equipment (SME) which carries special licensing provisions and/or reporting.
ECCN CATEGORIZATIONS
Items which do not fall under ITAR jurisdiction are controlled by the Department of Commerce (DOC), Bureau of Industry and Security (BIS), under the Export Administration Regulations (EAR). These items require EAR classification prior to export.
EAR classification is the exercise of understanding where an item or technology falls in the Commerce Control List (CCL). The CCL describes “dual-use” items as those items that may be considered for commercial or military use. A classification will determine whether an export license is required based on the destination of the item or technology.
There are three ways to classify an item:
- UChicago may self-classify;
- use a classification provided by a manufacturer, if available/applicable;
- or seek a formal classification from BIS.
For self-classifications of items that are under the jurisdiction of BIS, the employee would locate an Export Classification Number (ECCN) on the CCL. The employee would first review categories 0 through 9 on the CCL which cover areas such as electronics, lasers, computers, sensors, aviation and marine applications, encryption, telecommunications, etc. Categories are then further divided into product groups A through E such as components, test equipment, materials, software, and technology. Once the category and product group have been determined, one may determine which ECCN heading and subheading will apply to the item by reviewing the characteristics of the item being classified. The ECCN will explain possible related export controls, possible license exceptions, and the reason for control. The reason for control in combination with the destination of the item will determine licensing requirements.
For assistance with Jurisdiction Determinations, ITAR Categorization, or EAR Classification, please contact the Export Control Office at exportcontrol@lists.uchicago.edu.
Denied Party Screening
A denied party is defined by federal agencies, including the U.S. Departments of State, Commerce, and Treasury, as any individual person, business, research institution, university, government and private organization, and other types of legal persons who are prohibited from receiving export-controlled items, information, or technologies.
Such prohibitions could include restrictions on research collaborations, and may require specific licensing for interactions, even for educational exchange. These prohibitions are specified on several federally maintained restrictive lists. It is important to review these lists and understand compliance responsibilities and limitations before collaborating, or sponsoring an employee or visiting scholar of a university listed therein.
Thus, UChicago utilizies Visual Compliance™ to expedite screening of the restrictive party lists. You may request a denied Party Screening by contacting the Export Control Office at exportcontrol@uchicago.edu
Examples of when to request a prior Denied Party screening from the ECO include:
- Receiving a request to give a talk at a foreign institution
- Receiving an invitation to tour an international facility
- Shipping items/equipment to a foreign destination for fieldwork
- Sending export-controlled samples or data to international collaborators
License Application Requests
EAR LICENSING
Under the EAR, exports of controlled items that do not meet certain license exceptions require prior authorization (licensing) from the Bureau of Industry and Security (BIS), before export.
This requirement applies to outbound shipments of items or data; reexports of items or data; and export of a non-controlled item to a person or entity identified on one of the Government’s Denied Party/Restricted Entity lists. As with the ITAR, there are several different types of BIS licenses required (e.g., individual licenses, deemed export license, etc.) depending on the type of transaction. However, all license templates may be found in the BIS SNAP-R licensing system, which will specify the required range of data necessary to each application type. It is essential that UChicago capture all such data and verify its accuracy prior to submitting a license application package.
Please contact the Export Control Office as soon as possible to initiate a license request, as it may take months to receive a response from the government once the request is submitted.
ITAR LICENSING
Items and activities controlled under the ITAR may require licensing or other authorization from the Directorate of Defense Trade Controls (DDTC). Unless otherwise authorized, ITAR items of any kind must not be exported without proper licensing or authorization from the Department of State. The specific type of license or authorization required depends on the type of export transaction subject to control; for example, temporary versus permanent export licenses. ITAR authorizations also include Technical Assistance Agreements (TAAs) and Manufacturing License Agreements (MLAs).
Note: Each type of license requires its own specific set of data points that DDTC collects through its DTrade application process and associated documentation, such as Transmittal Letters. A Transmittal Letter describes the transaction in detail, including end use, end user profile, ultimate disposition of the item, etc. Therefore, data requirements are specific to the type of license/authorization being used. Before UChicago applies for an ITAR license, it must comply with all DDTC requirements pertaining to registration as an ITAR exporter, Empowered Official (EO) designation and DTrade User status.
For assistance with ITAR and/or EAR licensing, please contact the Export Control Office at exportcontrol@lists.uchicago.edu.
Technology Control Plans (TCPs)
It may be necessary to develop and implement a Technology Control Plan (TCP) as required to restrict laboratory access of certain items and data from foreign nationals for whom the item is controlled, and would otherwise require an export license to access.
TCP Overview
The TCP is a documented set of procedures that generally includes but is not limited to the following areas: responsible parties for implementing the TCP; physical controls (laboratory security); IT controls (data file/computer access security); deemed export license requirements (as potentially applicable to foreign nationals who Chicago believes should have authorized access but for whom the items are otherwise restricted); protocols for sharing and transferring the items with other authorized parties outside the scope of Chicago’s laboratories; and any other requirements concerning screening, personnel authorization, labeling of items as controlled and time frame for which the TCP is applicable.
Note that in cases where a U.S. Government agency wishes to review a TCP as part of a licensing procedure or as part of an audit process, the PI and/or administrator in charge of implementing the TCP shall notify the Export Control Office of such a request so that appropriate oversight is in place.
TCP Components
A TCP may include:
- A commitment to export control compliance;
- Identification of the applicable export controls and items or technologies subject to the controls;
- Identification and nationality of each individual who will have access to the controlled item or technology;
- Training and awareness for all authorized personnel, certified by each person;
- Project Description;
- Personnel screening measures for granting access to the controlled item/technology;
- Appropriate security measures for disposal of the item/technology when use is complete;
- A description of the agreed upon security measures to control the item/technology, including as appropriate:
- Personnel Identification: Individuals participating in the project may be required to wear a badge, special card, or other similar device indicating their access to designated project areas. Physical movement into and out of a designated project area may be logged.
- Electronic Security: Project computers, networks, and electronic transmissions should be secured and monitored through User Ids, password controls, 128-bit Secure Sockets Layer encryption or other federally approved encryption technology. Database access should be managed via a Virtual Private Network.
- Laboratory Compartmentalization: Project operation may be limited to secured laboratory areas physically shielded from access or observation by unauthorized individuals.
- Time Blocking: Project operation may be restricted to secure time blocks when unauthorized individuals cannot observe or access the controlled equipment, data, or technology
- Marking: Export controlled equipment, data, or technology must be clearly identified and marked as export-controlled.
- Physical Security/Locked Storage: Tangible items accompanying controlled equipment, data, or technology, such as equipment, associated operating manuals, and schematic diagrams should be stored in rooms with key-controlled access. Soft and hardcopy data, lab notebooks, reports, and other research materials should be stored in rooms with key-controlled access. The controlled equipment, data, or technology, itself should be stored in rooms with key-controlled access.
- Confidential Communications: discussions about the project must be limited to the identified and authorized project participants, and only in areas where unauthorized individuals are not present. Discussions with third party sub-contractors must occur only under signed agreements which fully respect the non-U.S. citizen limitations for such disclosures.
For assistance with initiating a TCP please, contact the Export Control Office at exportcontrol@lists.uchicago.edu.
Procurement
U.S. export control regulations restrict the access of certain sensitive materials and their associated data and technologies by certain foreign people and by people who have previously engaged in prohibited conduct. In accordance with these regulations, The University of Chicago (“UChicago”) must identify and track all controlled data, material, and technologies that it procures.
Whenever possible, UChicago prefers to rely on manufacturers and/or vendors to provide the export control status of items and software being obtained through a procurement activity. UChicago’s Supplement to Purchase Order (“STOP”) now includes a term requiring vendors to notify the university if procured material is controlled and to provide the Export Control Classification Number (“ECCN”) or US Munitions List (“USML”) prior to delivery. Regardless of the purchasing mechanism, purchasers are required to request the category ECCN number or USML Category for any material, data, or technology they are procuring, if they have reason to believe the items will be subsequently exported.
Once the vendor has identified an item controlled by the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR), or should an export control notice be included with a procured item, please secure the identified material appropriately so that affected foreign persons may not have access to it. Then, forward the documentation to the Export Control Office (“ECO”) for guidance and clearance.
In cases where the vendor does not know the export control status of an item, or refuses to provide export control information to UChicago, contact the ECO before proceeding with the purchase so that an analysis can be performed to definitively establish the status of the material.
Please contact the ECO for guidance and evaluation with any questions or concerns, regarding purchases with export control issues. The ECO will provide support for any UChicago purchase, including:
- reviewing export control language in purchasing contracts;
- screening vendors against federal watch-lists;
- determining if purchased material is controlled;
- determining whether an export license is required;
- determining whether a license exception applies;
- filing a license application; and
- maintaining appropriate records.
Working with the ECO well ahead of your purchase helps to ensure that the procurement will not run afoul of export control laws and/or regulations.
Software & Data
U.S. export control regulations define “export” as both a physical shipment of a tangible item out of the U.S. as well as the transmission of software and export controlled information/data via electronic communications.
Software:
Software Licensing Transactions
When an online supplier’s server is located in the U.S., an export of a software application occurs whenever that software application is downloaded by a customer to a location outside of the U.S. or if the software is downloaded by a foreign person. In these instances, the on-line supplier is treated as the "exporter.”
With either software licenses or applications, the following compliance issues must be assessed before transmitting the software from the supplier to the recipient:
- ensure that the recipient is not located in, and will not transfer the software to any person or entity, located in, an embargoed or sanctioned country;
- screen the recipient (and any other party to the software licensing transaction) against the various lists of prohibited and restricted parties; and
- obtain an “end-use” statement from the recipient (ie. what is their intended use of the software).
Much software, including open source software, is freely available for download without restriction from the internet. Such freely available software may be excluded from the export controls, where there are exceptions available. Please consult the Export Control Office to see if any options are available for your software when you might export.
Licensed Software Programs
Certain software products may be identified by the licensor or vendor as “export controlled.” In such cases, it is necessary to determine whether the control notification is a general notification for purposes of alerting the user against exporting to OFAC-restricted countries, or whether a more specific control is applicable (as may be the case with cryptographic functionality, or ITAR-governed software).
Where the software is flagged for general purposes, it is no different than any other item which UChicago might, in turn, export: restrictions against exporting to the so-called “T4” countries apply under both OFAC and EAR regulations. However, where the item is more specifically controlled (e.g. due to cryptographic functionality or as an ITAR defense article), UChicago may be required to implement a Technology Control Plan (TCP) and evaluate the article for export licensing when outbound export is contemplated.
For assistance in making these determinations, please contact the Export Control team at exportcontrol@lists.uchicago.edu.
DATA
Export controlled data and information must be transmitted in a safe and consistent manner. Electronic communications and databases managed by UChicago are managed via a type of Virtual Private Network (“VPN”), specifically a Secure Socket layer (“SSL”) which limits access to authorized users only and facilitates exchanges between those authorized users while encrypting (128 bit encryption) any data sent via Internet.
Helpful Tips
When transmitting export controlled data electronically, please consider the following:
- Password protect, encrypt, or remove all controlled data from any communications before transmitting
- Only transmit controlled data via voice or fax where there is reasonable assurance that access is limited to authorized persons;
- Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services;
- Transfer controlled information only on a need to know basis; and
- Ensure that anti-virus, anti-spyware, and personal firewall software is properly installed and activated
E-Storage and Cloud Computing
Under U.S. export control regulations an “export” can include the transmission of export controlled data via electronic communication. Improperly using devices/systems such as cloud servers, shared databases, or online databases to store data may result in an export violation.
Mobile Devices
Storage of export controlled materials on laptops or removable storage devices such as USB drives, external portable hard drives, CDs/DVDs, etc. should be avoided, in lieu of storage on isolated UChicago servers. However, if you must use these storage devices, it is imperative to maintain the integrity of those devices so that prohibited persons cannot gain access to the controlled data stored on them.
All export-controlled information must be encrypted if stored on any mobile storage device. Preferred encryption tools are PGP or GPG although WinZip or 7-Zip may also be used, if a strong password is used, and that the password is transmitted securely and independently from the transmission of the export-controlled data.
Additionally, if you plan to take your laptop to a foreign country, it is best to ensure that there is no export controlled data saved to the hard drive. Alternatively, ask your department if it can provide you with a “clean” laptop and leave your controlled research data in the U.S. If you are unsure if your data may be export controlled, please contact the Export Control Office.
Cloud Computing
Cloud computing or the use of virtual clouds involves the use or sharing of computers, hardware, software, servers, storage facilities, and/or computational functionalities virtually linked by and through the internet. Storage of export controlled data on virtual clouds should be avoided; all such materials should be stored on isolated UChicago servers.
With cloud services, the user may not know the physical location of the server, through which countries the data is routed before getting to the server, or whether any other deemed exports are occurring while the data is with the cloud service provider (“CSP”). Despite their actions with a customer’s data, CSPs are not the "exporter" of that data. The customer is ultimately responsible for export control compliance of any such data because the customer receives the primary benefit of the transaction.
Before entering into an agreement with a CSP, first check with the Information Technology Services department to see what resources are already available. If no other resources are available to meet your needs, before entering into an agreement with the CSP, ask the following:
- where are the servers and routers located;
- what measures does the CSP have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located;
- does or will the CSP employ foreign nationals for account maintenance; and
- will data ever be transferred out of the country?
Shared Databases
Storing export controlled data in shared files or shared databases (multi-user) in lieu of isolated UChicago servers should be avoided. In such cases where controlled data will be run on a shared/multi-user system, the following additional guidelines apply:
- the directories containing the software shall be access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions;
- the shared system shall have audit logging enabled, and the audit logs shall be backed up;
- the shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with privileges must be U.S. Persons; and
- only U.S. Persons shall have unescorted physical access to the shared system.
Working with the Export Control Office before using any of the above mechanism to store export controlled data is the best way to ensure that you will not run afoul of export control laws and/or regulations.
For any assistance in making determinations, please contact the Export Control Office at exportcontrol@lists.uchicago.edu.
Biosafety
BIOLOGICAL MATERIALS
Risk management protocols require that the transfer of biological materials by Chicago to another institution strictly adhere to UChicago’s protocols. In certain cases, such materials may be export controlled under the EAR (and in rare cases under the ITAR). As such, the exporter shall work directly with the Biosafety Officer and Export Control Office to determine whether export control requirements are being met, and what/if any special arrangements (including export licensing, destination control statements, and end user agreements) shall be affected pursuant to such transfers.
See also export control requirements contained within the IBC Protocol. More on Biosafety may be found at: https://researchsafety.uchicago.edu/programs/biological-safety/
H1 Visa I-129 Certifications
As part of its H-1B Visa Application process, the U.S. Immigration and Citizenship Service (USCIS) requires a certification as to whether the Beneficiary will require an export license to access export controlled technology or technical data during the course of his/her professional position. If a license is required, the Certification also requires the Petitioner to state that it will prevent access or disclosure through a control plan until a license is approved by the Department of Commerce or State. Note that in certain cases, the U.S. Government might not issue a license for particular sensitive control reasons.
As a result, in advance of the H-1B visa petition being submitted to USCIS, it is critical to evaluate whether access will require an export license; the likelihood of obtaining a license; or the need for an interim or permanent Technology Control Plan. UChicago must assess precisely what controlled technology or technical data it has or plans to have which could be accessed by an H-1B employee.
Toward this objective, HR in concert with the pertinent faculty members and administrators shall complete UChicago’s Form I-129 Certification Compliance Questionnaire and return the form to the Office of International Affairs during the recruitment process. The I-129 Certification Compliance Questionnaire may be found here: https://internationalaffairs.uchicago.edu/page/prospective-and-new-h-1b-employees
Violation Reporting
This Section addresses the process for confidentially reporting suspected export control violations.
UChicago must make every effort to identify suspected or actual violations that occur in conjunction with its export activities. All known or suspected export compliance problems should be documented as soon as possible. Every instance of a suspected violation should be reviewed by the Export Control Compliance Manager.
All export shipments and releases of technical data related to the suspected issue must be placed on hold until otherwise authorized. The Export Control Administrator shall escalate compliance issues to the Office of General Counsel as appropriate and consider Voluntary Disclosure to the relevant agency (agencies) as applicable.
Timeliness of reporting is a key issue, since export violations are evaluated not only in terms of their content, but also frequency of occurrence, and system-wide implication. Consideration should be given to how and when the Office of General Counsel authorizes an investigative process to ensure Attorney Client Privilege.
Please contact the Export Control Office directly with any suspected violations or simple questions at exportcontrol@lists.euchicago.edu.
Additionally, UChicago maintains a range of reporting options, including a telephone hotline (1-800-971-4317), and an online Web Reporting Hotline System for confidential reporting of concerns about compliance with applicable laws, rules, regulations, and policies at the university.