Activities Subject to Export Controls
Your research may be subject to export controls if you:
In addition to any environmental and biosafety guidelines, all shipments of tangible items to foreign countries are subject to export controls. Sometimes the university must obtain an export license from the Commerce Department or State Department for the shipment. Certain documentation must also be filed with the government before any shipments can be made. Failure to do so may constitute an export violation that could result in severe fine and other penalties. Please contact the Export Control Staff prior to negotiating any material transfer agreements (MTAs) or packing any materials for international shipments. The Export Control Staff can help you be certain your shipment is in compliance with export and sanction laws. Click here for an example of the shipping invoice
When traveling abroad, faculty, staff and students at UNL should be familiar with the impact of export control regulations. Researchers need to make sure that any information discussed or items taken out of the U.S. are either not controlled, or if controlled, the proper licenses are in place. Researchers, as individuals can be held liable for improperly transferring controlled technology. Thus, it is important to review and understand that federal requirements are civil and criminal sanctions, with the ability to assess fines and/or invoke prison sentences for individuals violating the export control and embargo laws. These fines or sentencing consequences are substantial and apply to university personnel as well as the University as an institution.
To ensure you do not run the risk of exporting sensitive information or technology when traveling abroad, or dealing with sanctioned countries, entities or individuals, keep in mind that presentations and discussions must be limited to topics that are not related to controlled items or technologies, unless that information is already published or otherwise in the public domain.
Before sharing technology or information, verify that it falls into one or more of the following categories prior to traveling:
- Research that qualifies for the fundamental research exclusion
- Published information
- Publicly available software
- Educational information
- Patent applications
Depending on your international destination(s), an export license or other government approval may be required for your laptop computer, software or other equipment. There are exceptions for “tools of the trade,” but these exceptions depend on the equipment and the country of your destination. Encryption software in particular is subject to special regulations and more stringent license requirements.
Fortunately, most international travel does not raise any export control concerns. However, there are denied entities in almost every country. The checklist is designed to provide UNL travelers information on applicable export control regulations they will need to follow based on the nature of their activities while traveling as well as verifying any export control restrictions for your foreign destination.
For additional information, please visit our FAQ and caution information page.
International Travel Services
For travel outside the U.S., UNL requires all international travelers to file an electronic travel authorization and use Travel & Transport for flight arrangements. Please visit the UNL travel services website for additional information and for details about foreign travel policies, definitions, and an online currency converter.
UNL faculty and staff traveling abroad can use the International Engagement Visa Support Webpage to find details about how to secure a visa, and enroll in the US State Department Smart Traveler Enrollment Program (STEP).
Evacuation Coverage for UNL Personnel Traveling Abroad
On February 1, 2015, the University of Nebraska – Lincoln secured blanket international travel coverage for all faculty and staff who travel outside the country on UNL business with the correct visa. Faculty and staff no longer need to purchase this insurance individually. Additional information can be found on the UNL travel services website.
Participation in Research by Foreign Nationals
Foreign nationals are persons who are not U.S. citizens or lawful permanent residents (those who have green cards). A foreign national also means any foreign corporation, business association, partnership or any other entity or group that is not incorporated to do business in the U.S.
The university campus is open to students and faculty from many different countries. Access to restricted or export-controlled technology, commodities, defense articles and defense services by an unauthorized foreign person could result in severe criminal or civil penalties for the university and the university employee making the export.
When planning research involving foreign countries or foreign nationals (including graduate research assistants), the principal investigator (PI) should understand that, depending upon the nature of the research and the status of the foreign country, obtaining export licenses can take several months. Therefore, the PI must identify any possible export control restrictions in the early planning stages of a proposal and contact the Export Control Staff for assistance in complying with applicable laws.
While UNL strives to maintain an open campus that fosters collaboration between students and faculty from many different countries, allowing unauthorized foreign persons to access controlled items or information, such as export controlled technology, commodities, defense articles, and/or defense services, can constitute a violation of one or more export control regulations. Prosecution of an export violation may result in fines of up to $1 million and/or a prison sentence of up to 20 years.
Restrictions on Publication
Certain contract terms might prevent a project from qualifying for the fundamental research exclusion. These include terms that:
- grant the sponsor pre-approval rights over publication of research results or
- allow the sponsor to claim resulting research information as proprietary or trade secret
- otherwise restrict the publication or other dissemination of research results from a given project.
The information generated by such a project would therefore be controlled under export regulations. Such controls generally would result in restrictions on the participation of certain foreign nationals and likely require licensing. Also, contractual restrictions on participation by foreign nationals might be interpreted to imply restrictions on publication, with a potential loss of the fundamental research exclusion.
Military or Space Related Research and CDI/CUI
International Traffic in Arms Regulations (ITAR) are administered by the U.S. Department of State. ITAR places strict controls on the export of “defense articles” and “defense services.” Defense articles include any item, software or technical data on the United States Munitions List (USML). Defense services include assistance (including training) or any technical data associated with a defense article furnished to foreign persons, whether or not in the United States. Any defense article, service or related technical data found to be on the USML requires an export license before it can be exported – that is, given to a foreign person, whether or not in the United States. Some license exemptions are available under specific circumstances, but in general you should expect to obtain an export license.
ITAR controls exports that are:
- Predominantly items of military nature
- Modified or specifically designed for military use
- “Space” related items and technology
- Controlled for national security reasons
Because spacecraft and satellites are subject to export controls, UNL policy requires a technology control plan (TCP) for almost every research project that studies the design or operation of these items. Certain projects funded by NASA also prohibit the participation of certain foreign entity. Contact the Export Control Staff for more information.
Research into military technologies also generally requires the implementation of a TCP. This includes studies into the design and operation of weapons, defense systems, military vehicles, and protective gear. Almost all military research projects require government approval, so please be sure to contact the Export Control Staff when applying for funding from the Defense Department or the Department of Homeland Security.
Controlled Unclassified Information and Covered Defense Information /Office 365 US Government
This information is intended to provide guidance to the UNL campus regarding applicability of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) in research and securing controlled information via Office 365 US Government.
CUI is federal non-classified information the U.S. Government creates or possesses, or that a non-federal entity (i.e. the University of Nebraska-Lincoln) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information security controls to safeguard or disseminate.
CDI is used to describe information that requires protection under the DFARS Clause 252.204-7012. It is defined as unclassified controlled technical information (CTI) or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, that resides on the contractor’s information system, government wide policy, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
These controls must be compliant with the below federal regulations:
CUI – 32 CFR Part 2002: Issued by the Federal Information Security Oversight Office (ISOO) to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
CDI – DFARS 252.204.7012 Safeguarding Covered Defense Information & Cyber Incident Reporting. This clause is found in DOD Contracts, which addresses the requirements of safeguarding CUI and other sensitive information and reporting breaches. This clause defines CDI to include four different categories: (1) covered technical information (“CTI”); (2) operations security; (3) export controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.
CUI/CDI – NIST SP 800-171: “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
-NIST SP 800-171 identifies 110 unique requirements that apply to University information systems that process, store, or transmit CUI. The 110 requirements are organized into the following 14 families: access control (22 controls); awareness and training (3 controls); audit and accountability (9 controls); configuration management (9 controls); identification and authentication (11 controls); incident response (3 controls); maintenance (6 controls); media protection (9 controls); personnel security (2 controls); physical security (6 controls); risk assessment (3 controls); security assessment (4 controls); system and communications protection (16 controls); and system and information integrity (7 controls).
CUI is divided into multiple organizational groups and categories, please reference the full list here. The following is provided as an example of some of the organizational groups and categories that may be applicable at UNL.
Please be sure to reference the full list linked above to view all of the organizational groups and categories.
|Organizational Index Group||CUI Categories|
|Export Control||Export Controlled|
|Export Controlled Research|
|Organizational Index Group||CUI Categories|
|Health Information (HIPAA)|
|Student Records (FERPA)|
- While CUI encompasses multiple areas of information, University researchers will typically encounter CUI requirements included in sponsor contracts (FAR/DFAR (252.204-7008, 7009, 7012 clauses) or in regulations governing the type of data they are receiving/collecting/storing (e.g. HIPAA).
- Information, as defined by the federal CUI Program, may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored contract.
- This means that a research project at the University of Nebraska-Lincoln (UNL) may require the implementation of CUI or CDI information security controls when the federal contract/award contains language/clauses (FAR, DFAR) requiring those controls.
- The Offices of Research Compliance Services (RCS) and Sponsored Programs (OSP) review research contracts and awards to determine the applicability of the clauses in negotiation with the sponsor.
- A research project may also include CUI if it is using data acquired under a Data Use/Transfer Agreement (DUA/DTA) and the data (e.g. HIPAA/PHI) is categorized by the government as CUI.
- In order to meet some of the CUI security requirements, UNL has implemented Office 365 US Government. This is a Microsoft Office (Word, Excel), email (Outlook) and storage platform that meets U.S. Government security standards. The below list of security features does not include everything covered by this platform, but some of the main features allow UNL researchers to:
- Store content in the continental United States.
- Support covered defense information and export-controlled data.
- Support protected health information with HIPAA business associate agreements.
If your project requires adherence to CUI or CDI requirements, please be aware that there is a cost associated with receiving access to use the secure Microsoft 365 US Government platform. Please ensure you are consulting with RCS/OSP/ITS regarding planning for this cost during the proposal stage if your research project will require this type of security.
If CUI or CDI compliance is required for a research project, RCS and/or OSP will work with the Principal Investigator and Information Technology Services (ITS) to:
- Verify that the research project will receive, possess, and/or create CUI or CDI.
- Identify, with assistance from ITS, the appropriate information security system/technology solution to use to secure and store the information.
- Appropriate system solutions may include Microsoft Office 365 US Government or use of encrypted/secure email and storage.
- Communicate an appropriate information security plan for the research project. This plan outlines the policies and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with the CUI or CDI requirements.
Questions to Consider:
- Does your research project receive funding from the Department of Defense (DoD) or a DoD-funded prime contractor?
- Does the contract contain DFARS 252.204.7008, 7009 and 7012 clauses, on safeguarding covered defense information and cyber incident reporting? The following is an example/part of a clause that could be contained in a contract:
The covered contractor’s information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
- Have you been informed that you have a project funded by a non-DoD sponsor subject to NIST 800-171?
- Does your project involve funding from DoD’s Small Business Innovation Research (SBIR) or Strategic Technology Transfer Research (STTR) programs?
- Does the project result in storage, processing, or transmission of CUI/CDI?
Research related to nuclear, chemical, biological weaponry; missiles; or unmanned vehicles
Exports of special nuclear material (including Pu, 233U, and 235U) are governed by the Nuclear Regulatory Commission.
Technologies related to the production and use of nuclear material for peaceful purposes, like nuclear energy, are regulated under the Export Administration Regulations and specific items can be found in Category 0 of the Commerce Control List.
Technologies related to the military use of nuclear energy, including weapons systems, are regulated under the International Traffic in Arms Regulations. Specific controlled technologies can be found in Category XVI of the United States Munitions List (USML).
The Department of Commerce regulates and restricts the transfer and export of “dual use” technologies which are technologies or items having both commercial and military or proliferation applications. These can be found listed on the Commerce Control List (CCL).
Some examples of this research:
- Nuclear technologies associated with production and use of nuclear material for both peaceful and military applications, including certain associated technologies related to nuclear physics and/or nuclear engineering.
- Rocket system technologies that contribute to ballistic missile systems, space launch vehicles and sounding rockets and unmanned air vehicles (UAV). They also include navigation, avionics and flight control useable in rocket systems and unmanned air vehicles.
- Chemical, biotechnology and biomedical engineering technologies that could be applied to develop and produce chemical and biological weapons.
- Remote sensing, imaging and reconnaissance technologies related to satellite and aircraft remote sensing that can be used for civilian imagery projects or for military and intelligence reconnaissance activities.
- Advanced computer/microelectronic technology that can play a useful (but not necessarily critical) role in the development and deployment of missiles and missile systems and in the development and production of nuclear weapons.
- Certain materials technologies related to structural functions in aircraft, spacecraft, missiles, undersea vehicles and propulsion devices.
- Information security technologies associated with cryptography and cryptographic systems that help ensure secrecy for communications, video, data and related software.
- Laser and directed energy systems technologies that have critical military applications, including incorporation in guided ordinance such as laser guided bombs and ranging devices.
- Sensors and sensor technologies that provide real-time information and data and could provide a significant military advantage in a conflict.
- Marine technologies used in propulsion systems designed for undersea use and navigation and quieting systems associated with reducing detectability and enhancing operations survivability.
Research related to encryption technologies
Sharing, shipping, transmission or transfer of almost all encryption software in either source code or object code is subject to U.S. export regulations. Even most publicly available “dual-use” encryption code requires a license or license exception to ship outside the U.S.
In addition, U.S. persons are prohibited, without prior authorization, from providing technical assistance (instruction, skills training, working knowledge and consulting services) to a foreign national with the intent to help in the overseas development or manufacture of encryption software subject to U.S. Government notification or authorization. This prohibition does NOT limit university personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, fundamental research.
Source code for most strong encryption software is subject to export controls. Projects that require access to such source code (either for the purposes of study or development) must implement a technology control plan that specifically details information security procedures.
Research Involving Select Agents or Other Pathogens
Both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) have provisions for the control of pathogens and toxins. The control level depends on which regulations apply to the item.
Inside the United States any person, including foreign nationals, may purchase and use EAR export controlled pathogens and toxins for fundamental research. However, the “deemed” export rule applies to technical information about the controlled item or to the development or production of technology associated with the controlled item. For example, if a PI receives confidential, proprietary or export controlled information about the development or production of an EAR controlled biological, the PI may need a “deemed” export license to provide such information to a foreign national on campus.
Select agent regulations are separate from export control regulations, any given research project may be subject to either or both sets of regulations. This means that labs handling select agents may be required to complete both an IBC protocol and in some cases a technology control plan may be required.
If a PI wishes to ship controlled pathogens or toxins outside the U.S. please Contact the Export Control Staff as an export license may be required.