PURPOSE OF THIS POLICY

The purpose of this Policy is to provide guidance and facilitate compliance with United States export control laws and regulations at Colorado State University; to establish the procedural framework for handling export control matters; and to clarify the responsibilities of certain departments and officials with respect to export controls.

APPLICATION OF THIS POLICY

This Policy applies to all persons employed by or acting on behalf of the University.

EXEMPTIONS FROM THIS POLICY

None. Exclusions from the applicability of certain export control laws and regulations are explained in this Policy and in guidance documents, but do not excuse any person from compliance with Policy requirements.

DEFINITIONS USED IN THIS POLICY

• Controlled country. The United States Department of Commerce publishes a list of each country and its particular export control status in Supplement 1 to Part 738 of the Export Administration Regulations (EAR). The degree of control determines which technologies the U.S. subjects to export control for that country. These lists change over time. The United States Department of the Treasury, Office of Foreign Assets Control (OFAC) publishes a list of Sanctions Programs and Country Information. The Directorate of Defense Trade Controls in the United States Department of State publishes a list of Country Policies. Exports of defense articles and defense services to these countries requires a license. (See CSU Secure and Global Research website).
• Deemed export. Exports are referred to as “deemed exports” when they involve the sharing of technology or source code with a foreign national within the United States. A deemed export takes place through an oral or written disclosure of information, or through visual inspection. Examples include, but are not limited to, foreign nationals participating in a research project; face-to-face communications such as meetings and seminars; email messages, telephone conversations, and publication of materials on a website; and visual encounters such as in a laboratory, whether or not the foreign person is authorized to be present in such areas.
• Empowered Official. The Empowered Official is the University employee specially designated in writing as having authority to act on the University’s behalf, with policy and management authority, in export control matters. The Empowered Official for CSU is the Vice President for Research.
• Export. An export includes any of the following: 1) actual shipment of any covered goods or items to a foreign destination; 2) the electronic or digital transmission of any covered technology, software, data, or other materials to anyone outside the United States, including U.S. citizens, or to a foreign entity, individual, embassy, or affiliate at any location; 3) any release or disclosure, including verbal disclosures or visual inspections, of any technology, software or technical data to any foreign national (a deemed export, see above); or 4) actual use or application of covered technology on behalf of, or for the benefit of, any foreign entity or person anywhere. Examples include (but are not limited to) export of unpublished research findings, entities or persons, biological specimens, microorganisms, toxins, electronics, computers, telecommunications, lasers, and sensors. Traveling with any of these items (e.g., bringing along a laptop with controlled software or data) is also an export even if the intent is to retain control of it while traveling.
• Export Control Administrator (ECA). The Export Control Administrator reports to the Empowered Official, and is responsible for monitoring and directing the University’s compliance with export control laws and regulations. The ECA serves as a liaison for University employees and those acting on behalf of the University to federal agencies regarding export control matters, including the preparation of any export license applications. The ECA is also the point of contact and liaison between any campus individual and the Empowered Official regarding export control matters.
• Export controls. Export controls are the federal laws and regulations governing the export of commodities, software, technology, goods and materials, and data. These laws and regulations include the EAR, OFAC sanctions programs, the U.S. State Department’s International Traffic in Arms Regulations (ITAR), and others.
• Export license. An export license is an express prior governmental approval for the export or deemed export of controlled technology or goods, issued by the controlling agency. An export license may be necessary, depending on the destination country or nationality of the persons involved, if University activities do not fall within the fundamental research exclusion (see below) or other exclusion. Licenses often require several weeks or months to acquire, and in some cases may be denied.
• Foreign national or foreign person. A foreign national (referred to under ITAR regulations as a “foreign person”) includes persons who have not been granted (i) permanent U.S. residence, as demonstrated by the issuance of a permanent residence card, i.e., a "Green Card"; (ii) U.S. citizenship; or (iii) status as a "protected person" under 8 U.S.C. 1324b(a)(3), e.g., political refugees, political asylum holders, etc. This includes all persons in the U.S. such as students, businesspeople, scholars, researchers, technical experts, etc. A foreign person also includes any foreign corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the U.S.; any international organization, foreign government and any agency or subdivision of a foreign government.
• Fundamental research. Fundamental research is defined by National Security Decision Directive 189 as “basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community.” Some export regulations expressly recognize fundamental research, and exclude its results from licensing or other authorization requirements. Research that involves restrictions on publication of or access to results, restrictions on foreign national participation, or any other dissemination restrictions will not qualify as fundamental research for export control purposes.
• Re-export. Re-export means an actual shipment or transmission of items subject to export regulations from one foreign country to another foreign country. Shipment or transmission may occur in any of the following ways: physical transfer, phone, e-mail, in person (e.g., lab tours, meetings), or electronic transmission of data. A re-export also occurs when there is a “release” of technology or software (source code) subject to regulation in one foreign country to a national of another foreign country. The export or re-export of items subject to export control that are intended for a recipient in, or will transit through, one country to another subsequent country are considered to be exports to the subsequent country. Any export regulations triggered by an export to the subsequent country must then be satisfied. Depending upon the item(s), the applicability of export controls may vary according to the destination country.
• Technology Control Plan (TCP). A technology control plan outlines how identified export controlled items will be handled and secured to prevent access by unapproved foreign persons. TCPs account for the acquisition, possession, and return or destruction of controlled items or information. TCPs address the physical security of labs, offices, and other work areas as well as the security of data on computers and computer networks. TCPs also require the identities of all persons accessing the controlled technology. A TCP template is available on the CSU Secure and Global Research website.

POLICY STATEMENT

A core value of Colorado State University is openness in research and the free dissemination and publication of research results and findings. It is the policy of Colorado State University to comply with all United States export control laws and regulations governing the transfer of controlled tangible items, software, technology, and information to a foreign national or to a foreign country. Research, scholarly, and other activities of the University are subject to these export controls. If a person seeks to export a controlled item or technical data, the person must first secure the appropriate license(s) or approvals in accordance with this policy and all procedures prescribed by the Office of Vice President for Research.

POLICY PROVISIONS

Responsibilities of the Empowered Official

The Empowered Official signs all export license applications and remains free from undue influence in all export control decisions. The Empowered Official directs the efforts of the Export Control Administrator.

Responsibilities of faculty and others acting on behalf of the University

All faculty members, administrators, and others employed by or acting on behalf of the University are required to comply with this policy. While export control issues often arise in the context of research, they are by no means limited to research activities. It is the responsibility of every person employed by or acting on behalf of the University to report any potentially controlled export to the ECA in advance of any travel with controlled items, data or technologies, electronic transfer, shipment, sharing of technology or data, hiring employees, admitting students, hosting international visitors, or other activity. Early consultation with the ECA will allow the greatest opportunity to avoid delay and any possible violation. Faculty, researchers, administrators, and students engaged in export-restricted activities must receive education and training related to risks and required precautions. Education and training should be arranged with the Secure and Global Research office by department or laboratory group, as appropriate.

Key offices and employees involved in coordination of export control procedures include, but are not limited to, principal investigators, research associate deans, department chairs, research integrity, general counsel, business and financial services, human resources, international programs, sponsored programs, admissions, environmental health services, risk management and insurance, facilities, and central receiving and mail services. All employees in these areas should be made aware of this policy and related guidance. The Empowered Official has administrative responsibility for handling export control matters, regardless of whether a sponsored research project is involved.

Responsibilities of the Export Control Administrator

Conduct outreach to the university community and provide professional development training to faculty and staff in export control. Support sponsored research by meeting with faculty and staff to establish TCPs where warranted, apply for licenses, identify applicable exemptions or exclusions, and provide export advice. Manage restricted party screening of potential employees and students. Advise faculty and staff, and review or sign visa petitions and material transfer or other agreements and contracts, as appropriate. Seek and receive notifications of international travel and provide export-related advice. Provide advice on personal computing and information security, as they relate to international travel and information systems. Maintain records in accordance with federal mandates.

If a controlled export is expected to occur, the ECA will be responsible for taking one of the following actions:

• Advise faculty and staff to prevent the unauthorized export of controlled technology to foreign nationals from countries subject to export restrictions or export to restricted individuals or entities;
• Work with faculty and staff to establish a TCP to avoid release of controlled technology;
• Apply for the appropriate license(s) for any controlled export(s); or
• Establish an exemption or exclusion for the export such that the potentially applicable control(s) do not apply.

Secure and Global Research Procedures (SGRP)

The ECA will create and maintain Secure and Global Research Procedures detailing the specific procedures and requirements necessary to implement this Policy. (See CSU Secure and Global Research Website). Because federal export laws and regulations frequently change, the Empowered Official and the ECA shall have the authority and responsibility to address any issues of export control not addressed in this policy as they arise, and to implement and apply changes to the SGRP in furtherance of the best interests of the University.

Licenses

The ECA is responsible for applying for the appropriate license in the event of a request for a controlled export. CSU must secure from the U.S. Department of Commerce an export license or an exemption from licensing requirements before any tangible item, software, or information contained in the Commerce Control List in the EAR may be exported or re-exported. Likewise, CSU must secure from the U.S. Department of State an export license or an exemption from licensing requirements for any items, software, or information contained in the U.S. Munitions List in the ITAR before such items may be exported or re-exported.

Foreign Shipments

The ECA is charged with determining whether or not an export license is required for the shipment of items, software, technology, and information outside of the United States. In order to determine if an export license is necessary, the individual preparing the shipment or transfer must provide the ECA with the following information:

1. Whether or not the item, software, technology, or information is proprietary or disclosure-restricted or otherwise possibly export controlled, and whether or not it resulted from fundamental research to which export controls do not apply;
2. The description of the tangible item, software, technology, or information;
3. The technical characteristics and specifications of the item, software, or information;
4. The intended end-use and end-user of the item, software, or information;
5. The destination.

If the ECA determines that a license is required for the shipment or transmission of the item, software, technology, or information, the ECA will prepare and apply for the appropriate license.

Certain overseas shipments or transmissions that are exported without a license will require documentation warranting and justifying the uncontrolled classification. The shipper should prepare such documentation in advance with the assistance of the ECA.

Disclosures or Transfers to Foreign Persons (Deemed Exports)

The ECA will determine whether or not an export license is required for the disclosure or transfer of controlled tangible items, software, technology, or information to foreign persons. An export may be deemed to occur, and a license may therefore be required, even though the transfer or disclosure occurs within the United States. In order to determine if an export license is necessary for items, software, technology, or information that is disclosed or transferred to foreign persons, the individual seeking the export must provide the ECA with the same types of information as for other exports.

Foreign Travel

While most foreign travel does not require a license, traveling to certain countries with export-controlled items, software, technology, or information may require an export license. It is the responsibility of CSU faculty, staff, and emeritus faculty traveling on CSU business to register with Business and Financial Services (BFS) through the Travel, Entertainment, and Moving module prior to departure in order to obtain the necessary insurance for the proposed travel. If a controlled export is involved, the traveler must also contact the ECA, who will work with the individual to determine whether approval or licenses are necessary.

Under the current system, the ECA has access to the Office of Risk Management and Insurance (RMI) international travel registration database. In addition, certain destinations are flagged to provide automatic notification to the ECA that a trip has been registered. As computer systems are updated and the Kuali Travel and Entertainment Module is adopted, CSU will ensure compliance with export control laws and regulations.

Research and Accepting Controlled Items or Data from Others

The results of fundamental research may proceed openly and be shared freely with foreign nationals in the U.S., without concern for export restrictions. However, export-controlled items, software, technology or information provided by a third party may not be openly shared with certain foreign nationals, even though such individuals may be important contributors to the output of fundamental research utilizing the controlled item. Since the determination of what constitutes “fundamental research” and what does not is a complex one, the responsibility and authority for that determination is granted to the Office of the Vice President for Research. Individual researchers, department heads, or others do not have the authority to make such determinations unilaterally.  

Before a researcher decides to accept export-controlled items, software code or information provided by a third party, the researcher must determine the nationality of individuals who will have access to the item, code, or information. The researcher must then work in conjunction with the ECA to determine each recipient's eligibility under export control regulations. This determination must be made before the export-controlled item, code, or information is shared with the recipient. If the proposed recipient is eligible to receive the export-controlled information, the researcher must work with the ECA to document the available license exclusion or license exception.

Recordkeeping Requirements

Export control regulations contain specific recordkeeping requirements that must be satisfied. Departments must retain copies of all export documentation, including financial records, shipping documentation, and appropriate certifications in their project file for a period of five years from the date of the export, re-export, or deemed export. Additionally, the ECA maintains a recordkeeping system in order to document the University’s commitment to, and compliance with, export control regulations.

Technology Control Plans

To ensure adequate protection of export-controlled tangible items, software, technology, and information, a TCP will be required for all research and other activities involving data, material, or technology that falls outside the fundamental research exclusion applicable under ITAR and EAR regulations or other specific exclusions from export controls. For example, the fundamental research exclusion may not apply due to contractual restrictions on the publication of research results. The ECA will assist university personnel in determining when a TCP is required and will monitor and document the TCP’s implementation and successful completion.

COMPLIANCE WITH THIS POLICY

Failure to secure the required licenses, or other failure to comply with this Policy, subjects the individual, and others involved, to potential criminal and civil penalties as well as University sanctions. Violations also subject the University to potentially serious sanctions, including loss of the ability to export, loss of federal funding, and monetary penalties.

REFERENCES

• CSU Policy: Information Technology Security
• CSU Policy: Building Access, Security and Keys
• CSU Policy: Aircraft on University Property/Unmanned Aircraft Systems (Drones)
• CSU Secure and Global Research Website
• Department of State International Traffic in Arms Regulations (ITAR)
• Department of Commerce, Export Administration Regulations (EAR)
• Department of the Treasury, Office of Foreign Assets Control (OFAC) Sanctions
• National Security Decision Directive 189: National Policy on the Transfer of Scientific, Technical and Engineering Information
• Board of Governors Signed Resolution - October 2012

APPROVALS

Approved by Anthony Frank, December 31, 2012

Approved by Lynn Johnson, September 1, 2015

Revision approved by Lynn Johnson, April 17, 2019