Technology Control Plan (TCP)

A TCP describes the way in which a research team will protect confidential or controlled information and/or items. A TCP is required when there is export controlled: 1) information (e.g. information not subject to the fundamental research exclusion) and/or 2) physical items involved in the project.

Contents of a TCP

A TCP includes a description of:

the export controlled information/items;
a physical security plan;
a cybersecurity plan;
a conversation security plan;
how the information and/or items will be disposed of at the end of the project;
personnel screening; and
training.

The specifics of the TCP depend on the nature of the export controls (i.e. whether it is controlled under the ITAR, EAR, or both regulations), whether there is specialized equipment or software being used for the project, how the researchers will receive the controlled information or item(s), and other factors.

Procedure for a TCP

It is the PI's responsibility to ensure a TCP is completed, reviewed, and approved prior to receiving or creating any export controlled information or items. Further, it is the PI's responsibility to ensure a TCP is followed by all research team members.

The PI should use the TCP template and provide appropriate information in each section. The PI may reach out to IT and/or ORA for assistance with any of the sections. Note that there are specific methods of storage and destruction of data that must be used in order to be compliant. IT can provide guidance on that topic. ORA will conduct the personnel screening and provide training based on the details in the TCP.

The PI should share a draft TCP with IT and ORA for review. If there are any questions or concerns, IT and/or ORA will contact the PI to adjust the plan to ensure compliance. In the case where it is not possible to be compliant with the relevant security standard, ORA will work with the PI to request a deviation to the terms of the research agreement.

The TCP must be finalized with signatures by the Chief Information Security Officer and the Vice President for Research prior to work with controlled information or items. Approved TCPs will be reviewed at least annually.

FAQS

If I have an TCP, can I involve foreign students in the research?

Typically, a TCP is in place to ensure no items or information will be exported to foreign nationals. Thus, there is likely a restriction on the involvement of foreign students (who would likely be considered a foreign national). However, even though there are restrictions on who may participate in the research, you can still apply for an export license to get permission for the foreign national to be involved.

My research is fundamental research and I am permitted to publish the work. Why do I need a TCP?

There are several reasons why a TCP may still be required for fundamental research:

If you are receiving controlled items or information for the research, those items or information are still subject to export controls and therefore require a TCP;
Contractually, you may be required to have a TCP;
There may be publishing restrictions. Even though you may be permitted to publish the research, if the agreement gives authority to the sponsor to limit publication, a TCP is still required;
There are restrictions in the research agreement, either for foreign national participation or regarding proprietary information (e.g. a requirement to sign an NDA);
The research itself may be fundamental, but it may not be subject to the fundamental research exclusion, for some of the reasons described above.

Are there costs associated with having a TCP?

Typically, yes. UA maintains a secure environment for protecting information, which costs the University funds and personnel time to maintain. Further, each research project that interacts with controlled information must have a secure space setup in the larger environment. The cost of that project-by-project space must be paid by the researcher. The costs of the cyberspace include:

An annual license fee for each user. The license fee includes standard cloud-based storage and use of Microsoft Office products (e.g. Teams, Word, Excel, etc.);
Costs for compute resources. If you do not need any special resources, the base cost for this line item is ~$250/month. Costs go up with requests for high RAM compute, GPU compute, or other non-standard needs; and
Any software licenses (if not already purchased) for deploying the analysis software in the secured environment.

Sponsored Programs, Pre-Award, include a line item in the budget template, to assist in calculating the costs as you apply for grants. IT can assist with a more in depth discussion of the compute time and power costs.

Additional costs may include:

Costs of additional hardware (e.g. encrypted hard drives for moving data from unique equipment to the cuber environment);
Costs to secure any tangible items that are export controlled, such as a safe, new locks for the physical space, or other physical security devices; and/or

It is best to determine these costs during the application or contract negotiation phase, so you can ensure you have the funds to pay for them. The PI is typically repsonsible for costs that are directly and specifically needed for the project.

Some of the work I do uses shared equipment. How can I write a TCP if using shared equipment?

When research involving export controlled information is conducted on shared equipment, additional safeguards must be put in place. These safeguards are made on a project-by-project basis. Some safeguards may be:

Reserving the shared equipment and working with it when no other personnel are around;
Removing the export controlled information from the shared equipment computer and putting it on an encrypted external drive; and
Performing a "secure wipe" of the hard drive sectors where controlled information was used or created, for each session and before the researcher leaves the shared equipment, thereby permitting access by other researchers;