Last month, we presented a webinar on University Export Controls and received an overwhelmingly positive response on an area of compliance that is sometimes overlooked, especially when it comes to the collaboration between a school, the private sector, and the government. It seems our webinar was timely, given the recent congressional report issued in early May on the government’s review of various agency guidance on universities’ security practices and export controls. This is of particular interest not only to institutions of higher learning, but also to the companies that work with these institutions, especially under Small Business Innovation Research (SBIR) grants and similar vehicles meant to promote private sector, university, and government collaboration.
This article is meant to address the nuances of university controls from both a practical and an operational perspective. It is also meant to bring attention to the private sector players, who have just as much of a stake, if not more, in ensuring that the company and its employees fully understand their affirmative obligations in this area. This includes advising university recipients of any export-controlled information they may be providing to research and development departments within universities (and vice versa). In addition, an issue often overlooked by both companies and universities is compliance with NIST SP 800-171 and its impact on controlled unclassified information and controlled defense information under the Department of Defense cybersecurity regulations; these controls usually run in tandem with other U.S. export controls.
Let’s first address, at a high level, this month’s congressional findings, which identified “university-specific” compliance issues in how schools handle export control requirements under the various regulations, including Commerce/BIS for dual-use items and Dept. of State/DDTC for ITAR. The report found that without additional guidance on issues such as risk assessments, training, handling of deemed exports, internal audits, export compliance policies, cybersecurity controls, and clearly defining fundamental research, universities may fail to align their export compliance programs with the State and Commerce departments’ guidelines. As one can see, the issues challenging universities are nearly the same as those found in corporations today.
So, what can “we” (universities, companies, and DoD officers, herein, “parties”) do to help ensure our U.S. technologies are properly controlled in joint projects involving all three parties, given the huge contributions universities have made to U.S. national security and technological advances? First, we need to understand that not all parties are as experienced, trained, and budgeted as some private sector companies are. Universities today are facing the same budgetary restraints as companies, if not more; some government offices are facing similar restraints or may not have the level of training/awareness that a private sector company has. Collaboration and sharing of best practices among the parties is imperative, especially when it comes to the operational aspects of dealing with export-controlled programs. Some basic recommendations to improve operations with all parties would be:
- Understand what the DoD or Federal proposal is asking. Identify whether there are any export control requirements, including cybersecurity protocols that must be followed. It’s helpful when the DoD officer in charge of overseeing the relationship between the university and their office is aware of export controls and prepared to ask schools the appropriate questions.
- Schools, and small businesses, should take an “inventory” of what export controls they have today. This should be a joint effort involving the Dean, Legal, IT, Facilities and any Principal Investigators (head of research lab/department) who are interested in pursuing DoD programs, such as SBIR and STTR grants. At a minimum, identify the following:
  - Any Foreign Nationals working within the department seeking the grant and/or proposal
  - IT/Server infrastructure: Who has access, where the servers are located, where back-up systems reside (inside the U.S. or outside), what technology controls are in place, and what procedures exist to ensure only U.S. persons have access to export-controlled information
  - Physical security: Facilities should carefully review the physical security (i.e. badge access) surrounding the research lab(s) and departments which will be active in proposals involving the DoD and/or private sector, in order to restrict access to sensitive and export-controlled information, documents, lab results, etc.
  - Legal Department’s involvement: The Legal department must have at least a basic understanding of export controls related to these programs and should seek outside assistance if needed. It’s the responsibility of the legal department to ensure that all the terms, conditions, and grant requirements are met, including compliance with all laws. At a minimum, the legal department should have a say in the export compliance manuals and policies, as well as in any technology control plans that are being drafted.
Addressing the above, along with conducting risk assessments, training, and auditing, and ensuring all parties involved in university and government programs are on the same page, is imperative. Just as important are the reciprocal controls that private sector companies must have, including advising universities of how their operations are conducted, whether any foreign nationals work within their own premises, where their servers reside, and any other pertinent information related to ensuring compliance with U.S. export laws and with the conditions of the DoD and other U.S. agencies that issue similar SBIR awards to small businesses and universities.
If you’re interested in learning more about export controls, cybersecurity, and other areas impacting both universities and companies, please join us on June 18th for a live webinar, where subject-matter expert Jerry Leishman of the CORTAC Group and I will be speaking. If you would like a copy of the entire congressional report, feel free to email me (email@example.com). You can also register for our webinar at: https://conta.cc/2TESgGa