Export Control Regulations

Several agencies of the federal government have published regulations restricting the “export” of certain types of information from the United States without first obtaining an appropriate export license. An “export” occurs when controlled technical data is shipped, transmitted or shared in any form or format, including oral, written, physical observation, email, phone, fax, etc., to persons in foreign countries or foreign nationals in the United States. Controlled technical data may include engineering designs, blueprints, photographs, schematics or any other “how to” information that reveals or releases controlled technology.  Export controlled data may require a government approval or export license before sharing with any non-US person wherever located. The reach of these regulations is quite broad and cover activities that one may not normally consider to be an export. For example, a faculty member’s oral disclosure or demonstration of newly developed research technology to a non-US person in a Carnegie Mellon laboratory may be deemed an export and could require an export license prior to the disclosure of the technology or technical data.  

Roles and Responsibilities

The Office of Sponsored Programs, under the guidance of the Export Compliance Officer, is responsible for coordinating Carnegie Mellon University's compliance with export control regulations. Receipt of export controlled data will usually require a Technology Control Plan ("TCP") that the PI develops with the Export Compliance Officer. The TCP provides detailed safeguards to be implemented to restrict access to only authorized and cleared users.

With respect to information security roles and responsibilities, the Principal Investigator (PI) should serve as the Data Steward for any research data that is subject to export control regulations. Depending on the circumstances of the research, the role of Data Custodian may be fulfilled by the PI, a member of the PI’s research team, one or more members of a local IT staff or members of Computing Services. The PI should consult with the Export Compliance Officer (under Export Controls) to ensure that anyone performing these responsibilities and duties is authorized to access the relevant export controlled materials.

Data Classification

As defined in the Guidelines for Data Classification, export controlled materials are classified as Restricted data due, in part, to the fact that unauthorized access to export controlled materials could potentially create a significant level of risk for the PI and Carnegie Mellon. For example, civil penalties for a violation of EAR can be as much as $250,000 per violation and criminal penalties can be as much as $1,000,000 per violation and even lead to imprisonment. While penalties of this nature likely occur in the most severe of circumstances, lesser violations could result in the loss of sponsorship or funding for research at Carnegie Mellon.

Data Protection

Export controlled materials should be safeguarded in a manner that is consistent with the Guidelines for Data Protection published by the Information Security Office ("ISO"). The following is supplemental guidance to assist with implementation of the Guidelines for Data Protection.

• To ease implementation of safeguards, export controlled materials should be stored on a server that can be placed in an isolated network and physically secured. 

• Storage of export controlled materials on laptop computers or removable storage devices (e.g. USB drives, CDs, DVDs, etc.) should be avoided.  If storage on a laptop or removed storage device is unavoidable, encryption should be employed (e.g. full-disk, volume or file-based encryption).

• Remote access to the export controlled materials should be avoided. If accessing export controlled materials remotely is unavoidable, a VPN or some other form of secure communication (e.g. SSH or IPSec) should be employed.

• When export controlled materials are no longer needed, they should be disposed of in a manner that is consistent with the Guidelines for Data Protection - Media Sanitization and Disposal and any contractual obligations that may exist.

• If a security breach is suspected, following the Procedure for Responding to a Compromised Computer and then contact the Export Compliance Office in the Office of Research Integrity and Compliance.

In addition to the ISO’s guidance, the Council on Government Relations (COGR) has published best practices for export control compliance in a research institution.  COGR is an association of research institutions that includes Carnegie Mellon. The following bullets are an excerpt from these best practices that should be used as a supplement.

• A laboratory space (as minimal as possible to accomplish the aspect of research that is export-controlled) should be designated as an area in which special procedures must be followed.  To that end, the research project as a whole should be reviewed to isolate those individual tasks within the research project that need to be subject to control.

• Logs should be maintained for managing access into and movement out of this designated laboratory space.

• Locks on any entry into this designated laboratory space should be installed or changed so that only personnel permitted on a project can gain access.  [Note: if it is determined that the above measures are required, it is imperative to assure that janitorial, maintenance, locksmiths, policy, and delivery/courier individuals with access to the space are included in this process. Most likely, institutional processes will need to be adjusted.]

• Computers must be secured and/or monitored so that export-controlled information is not inadvertently made available to individuals not permitted to receive it.  The information systems staff should be engaged to identify the least burdensome but most effective use of passwords, certificates, or other means of securing computers used in a project that may contain export-controlled material, particularly when they are networked into the institution.

• Where students are engaged in a project, their identity, nationality, and level of access must be continually monitored during the course of the project, as the needs for these management measures may change when individuals they are intended to cover for compliance with the export control laws either leave or join the project.

Revision History