A cloud service provider's receipt of effectively encrypted technical data uploaded by the U.S. owner, stored and managed on a cloud service network consisting of only U.S.-based servers, administered only by U.S. persons, and appropriately configured to enable the U.S. technical data owner to control access to such data does not constitute an export under the ITAR. Per Institute Policy, ONLY GT provided Cloud resources may be used for storing or processing Institute data. Not all GT Cloud services are ITAR compliant. Please check with OIT and/or your CSR before using any cloud provider for ITAR controlled data or other export controlled data.

The Military Critical Technical Data Agreement (DD2345) is the form required to register in the Joint Certification Program (JCP). Through the JCP, U.S. and Canadian defense contractors to apply for access to U.S. Department of Defense (DoD) or Canadian Department of National Defense (DND) unclassified export controlled technical data/critical technology on an equally favorable basis. The Joint Certification Office is staffed by DoD and DND staff that review and certify contractor applications submitted on the DD2345.

The DD 2345 is unique to each Cage Code so the certification number is not the same for all activities at Georgia Tech. Georgia Institute of Technology, Georgia Tech Research Corporation, Georgia Tech Applied Research Corporation and our Field Office locations all have a different certification number and expiration date.

Under the JCP, data is sent to the recipient's Data Custodian named on the DD2345 who is then responsible for ensuring that appropriate safeguards (controls) are put in place to prevent unauthorized disclosures and exports before releasing it to the end user (i.e., researcher). Given that the purpose of the JCP is to facilitate the exchange of export controlled technical data, the Office of Export Controls is responsible for administering the certification under the oversight of Data Custodian.

To identify the correct DD 2345 certification number for your activity or to have a DD 2345 signed please contact Al Concord, director of Research Security and Facility Security Officer (FSO). Once prepared, the DD2345 will be signed by the FSO or one of the Empowered Officials below.

Export Empowered Officials:

Georgia Tech Research Corporation / Georgia Tech Applied Research Corporation

Sheila Cranman, Assistant Chief Counsel, Export and Trade — 404.326.9383

Lacee Harris, Manager Export Control & Trade - 404.354.0549

Georgia Institute of Technology

Sheila Cranman, Assistant Chief Counsel, Export and Trade — 404.326.9383

Lacee Harris, Manager Export Control & Trade - 404.354.0549

Darryl Lunon, Deputy General Counsel and Chief Ethics and Compliance Officer — 404.385.1608 (office)

References:

GTRC/GTARC website

Georgia Institute of Technology Affiliated Organizations

Board of Regents Policy Manual, Section 6.17 - Cooperative Organizations

All Institute travel must be authorized according to Institute Travel Authorization Procedures. This should be completed no less than 30 days prior to all international travel. On the Travel Authority Request, please list the equipment that you will need to take with you to complete the research. This request will be reviewed by Export Control team within the Office of General Counsel (OGC) to assess if an export authorization is required to export the equipment lawfully. If the equipment is to be shipped rather than carried by the researcher, an international shipping request must be submitted. For more details and instructions on international shipping requests, please visit here.

The student contributed to development of the funding proposal and is central to conduct of the project. Why does Georgia Tech now disallow his work on the project?

In most cases, DoD SBIR programs use funding authorized by Congress for system development and integration, so-called “6.3 money,” which requires that certain restrictive clauses be included in the awards. When federal Contracting Officers apply a publication restriction, such as the “7000 clause,” the project is rendered ineligible for the fundamental research exclusion from export controls. Without the exclusion, the project’s results are potentially export controlled and must be screened prior to release to any non-U.S. persons, including thesis committee members.

All seminars, poster presentations, and such may have to be cleared by the sponsoring agency and will certainly have to be screened if foreign nationals (including other students, postdocs, etc.) will be present. The program official is not responsible for publication reviews; those are reviewed by a separate DoD office. Because of these significant restrictions, students (including U.S. citizens) should not be included in proposals for such awards at all. This does not a student cannot be successful on such a project. In the event an award is made by the agency using funds that do not require restrictive publication or other export control clauses, an exception may be made at the time of the award. However, if the restrictions are included in the award, it is rare that a student would be approved to work on the project.

There’s only a publication restriction. Why is my research subject to export controls?

Of all the export review conditions, publication restrictions are the most puzzling and the most common reasons for referral of projects for export review.

Not all publication restrictions are created equal. A sponsor requirement to pre-review a publication (to check for erroneously included proprietary information, for example) is a temporary delay and does not really constitute a restriction. If the sponsor will not allow publication at all, clearly that’s a restriction, as is a requirement not to publish for an extended period of time. ANY restriction of Georgia Tech’s right to publish research results removes the fundamental research exclusion.

Faculty should know that any “side agreement” with a sponsor to delay publication or to allow sponsor pre-approval, also negates the fundamental research exclusion and violates Georgia Tech policy. Publication restrictions remove the fundamental research exclusion and render the project subject to export controls including both actual export and “deemed export,” which forbids sharing of certain controlled information or technologies with foreign nationals and other non-U.S. persons in the United States.

Most of the research at Georgia Tech qualifies for the fundamental research exclusion as defined by the National Security Decision Directive 189 (NSDD 189): “Fundamental Research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.”

Not only does this exclusion provide for products of fundamental research to remain unrestricted, NSDD 189 further provides that, when control of information generated by federally funded, fundamental research at colleges and universities is necessitated by national security concerns, the mechanism for control is classification.

The results of projects that are conducted under the fundamental research exclusion, that is, with the intent to publish the results and in the absence of any other contractual restrictions, are generally excluded from export controls.

Shouldn't all classified awards (contracts, delivery orders, task orders, etc.) automatically require a Technology Control Plan?

By their very nature, classified contracts offer protective measures far surpassing those required for unclassified export controlled information. The National Industrial Security Program Operating Manual (NISPOM) specifies the following Technology Control Plan (TCP) requirements for organizations conducting classified work: A TCP is required to control access by foreign nationals assigned to, or employed by, cleared contractor facilities unless the CSA determines that procedures already in place at the contractor’s facility are adequate. The TCP shall contain procedures to control access for all export-controlled information. A sample of a TCP may be obtained from the CSA.

In the classified arena, TCPs have a much broader scope and are almost completely devoted to the organization versus the specific contract.

It takes a minimum of 60-90 days to obtain an export license. The process can take six months to a year. Remember that no transfer can occur until a license is in place. Involve the Office of General Counsel (OGC) staff as soon as you know there may be an issue. Plan ahead to avoid problems.

A deemed export is the transfer of technology or software to a foreign national within the United States.

The Council on Governmental Relations has produced an excellent brochure that details the unique challenges universities face in complying with export control laws. Export Controls and Universities: Information and Case Studies includes information to help academic researchers and administrators identify how and when export control issues may arise.

DO NOT:

• Discuss non-public domain technology with foreign companies and foreign nationals without completing an export review with the Office of Research Integrity Assurance expert review staff.
• Take controlled technology out of the United States without completing an export review.
• Take foreign nationals on lab tours without notifying the Office of Legal Affairs.

Contact the Office of General Counsel (OGC) Export team at export@gatech.edu. This office provides assistance with:

• Research reviews
• Licensing
• Compliance
• Education

Georgia Institute of Technology

GTRC and GTARC are 501(c)(3) organizations that serve as the contracting entities and supporting organizations for research at Georgia Institute of Technology (Georgia Tech). While GTRC (or GTARC) serves as the contracting party, the performance of the research is by Georgia Tech faculty, staff, and students (per formal agreement). Purchases for such research activities are purchases made by Georgia Tech (not GTRC nor GTARC). As such, items/equipment purchased are the property of Georgia Tech – even when the purchase was made using Sponsored Research funds.

When purchasing an item/materials for use on Sponsored Research – the purchase must, at minimum, comply with Georgia Tech / USG procurement policies. If you need to transfer that property to another party (in this example, your collaborator in France), Georgia Tech would be the party transferring the property. GTRC would not be the entity transferring the property as GTRC does not own the property.

All international shipments are reviewed by the Export Control and Trade team within the Office of General Counsel (OGC) to ensure compliance with export regulations. It is important to remember that the Fundamental Research Exclusion (FRE) only applies to the informational results of the research — not the tangible goods you wish to ship. Thus, all international exports of equipment and materials (even if developed under fundamental research) must be reviewed to ensure that any required export authorizations are obtained.

An item is an export if shipped or hand-carried internationally.

To ship an item abroad, start with the International Shipping page for guidelines and the International Shipping Review Form. For hazardous or dangerous goods, please consult the Environmental Health & Safety (EH&S) website for specific instructions and to initiate the shipping process: https://www.ehs.gatech.edu/shipping. 

Please note that the Export Control team within the Office of General Counsel (OGC) conducts an export review as a part of the international shipping process.

Under the definitions of the U.S. State Department's International Traffic in Arms Regulation (ITAR), a U.S. citizen is a U.S. person, but a U.S. person is not always a U.S. citizen. A U.S. person can be:

• A citizen of the United States.
• A lawful permanent resident alien of the United States (green card holder).
• A documented refugee or other protected political asylum recipient

A non-U.S. person is anyone who is not a U.S. person. The law makes no exceptions for foreign graduate students. A non-U.S. person, also referred to as a foreign person, includes any foreign corporation, business association, partnership trust, society, or any other entity that is not incorporated or organized to do business in the United States. This definition includes international organizations, foreign governments, and any agency or subdivision of foreign governments (e.g., diplomatic missions).

Currently, all visiting scholars are typically onboarded via the Administrative Services Center (ASC) as GT Affiliates. To onboard visiting scholars at Georgia Tech as GT Affiliates, please coordinate with your department's Human Resources (HR) representative to initiate the process via the Administrative Services Center (ASC).

During the onboarding process, the ASC will use iStart to submit Hiring & Hosting Eligibility Determination e-forms. iStart, a comprehensive system for case management, assist with compliance with the Student and Exchange Visitor Information System (SEVIS), which monitors nonimmigrant students and exchange visitors in the U.S. An export review, conducted by the Export Control team within the Office of General Counsel (OGC), is integrated into the iStart onboarding process.

Additionally, visiting scholars must complete the online GT Affiliate Onboarding Form, which includes terms similar to the previous Visiting Scholar Agreement (VSA).

For more details on GT Affiliates and Hiring & Hosting Foreign Nationals, visit: https://careers.gatech.edu/affiliates & Hiring a Foreign National ASC Knowledge Article.

To initiate the process via ASC Service Request, please visit https://gatech.service-now.com/asc or call 404-385-1111.

Do not engage in the activity until an export review has determined whether the activity is subject to control and an export license is obtained.

To request an export review, complete the Export Review Form and submit it along with a material description to the Office of General Counsel (OGC) Export team at export@gatech.edu.

If you answer YES to any of these questions, contact the Office of General Counsel (OGC) export team for assistance.

Does your activity involve:

• A foreign company, whether in the United States or abroad?
• A non-U.S. person (including faculty, postdocs, students, visiting scholars, collaborators) using equipment on the Georgia Tech campus?
• A foreign government sponsor, whether conducted in the United States or abroad?
• A control with a U.S. company or the U.S. government that has a publication restriction or an associated NDA or proprietary rights agreement?
• Taking equipment out of the United States?

Exports include:

• Transfer of controlled physical items to foreign countries or to non-U.S. persons in or out of the United States.
• Transfer or disclosure of information or technical data (even visual disclosure through observation) to foreign countries or non-U.S. persons in the United States or abroad.
• Provision of services outside the United States or to entities outside the United States.

Laws and regulations apply to items (including software, supercomputers, commodities, and technologies) as well as information. Because you, as an individual, and Georgia Tech can be held liable for improperly transferring controlled technology, review these federal regulations and contact the ORIA export review staff for additional information and assistance with specific activities.

This guidance has recently changed and applies to all who have export controlled information.

Checking email and accessing the information on cloud services while traveling internationally

Receiving or accessing export controlled information while abroad may incur export violations. If you have reason to access controlled information beyond the guidelines below, contact the Office of Research Integrity Assurance for further direction. These guidelines will assist in avoiding export violations for any information received via email or cloud services.

Additional travel security tips are available from OIT. Travelers should check with the export office for any questions concerning the guidelines below.

Georgia Tech email and cloud services may be accessed under the following conditions:

Prior to travel:

• Purge email folders of export controlled information, especially anything controlled to your destination, which includes all information covered by the ITAR. In general, it is a good practice to use cloud options, not email, for extended storage. GT has approved cloud services available.
• Remove any email clients or any other option using IMAP/POP related to Georgia Tech from devices. These clients include Outlook, Thunderbird, etc. and may automatically download emails in violation of export regulations. Clients may remain on the devices if all connections to GT email are removed and the client is not controlled to your destination.
• Confirm you are using Office 365 for Georgia Tech email.
• Take “clean” devices (e.g. laptops, tablets, phones) that do not contain export controlled information or software.
• All devices must be encrypted. The only GT information on the devices should be necessary for the trip.
• If you are traveling to a 126.1 country, D5 country or the Russian federation, contact the Office of Research Integrity Assurance for further information.

During travel:

• Use only the web interface to check email. Mobile devices may be used to connect via webmail, if AirWatch is installed for security.
• If you receive an email that you believe contains export controlled information, do not open this email.
  • If the email is opened:
    • Make sure that no foreign nationals are able to view the information on your screen.
    • If it contains ITAR information, contact export@gatech.edu. ITAR Information accessed in a non-126.1 country is acceptable if documented appropriately.
    • If it contains EAR information and the device is not encrypted, contact the Office of Research Integrity Assurance for further information.

Both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) have identified certain countries of greater concern and limit certain types of transactions. ITAR prohibits exports and sales to certain countries under 22 CFR 126.1. It is the policy of the United States to deny licenses and other approvals (such as exemptions) for exports and imports of defense articles and defense services to these countries. The email procedures (see the next FAQ) to check email when traveling to these countries may be different and should be reviewed by the Office of Research Integrity Assurance prior to travel.

Both the ITAR and the EAR have listed the same countries as of 17 July 2019:
(check the ITAR 22 CFR 126.1 and the EAR Supplement No. 1 to Part 738) for the most current information)

• Afghanistan
• Belarus
• Burma/Myanmar
• Cambodia
• Central African Republic
• China 
• Democratic Republic of the Congo
• Cuba
• Cyprus
• Eritrea
• Haiti
• Iran
• Iraq
• Lebanon
• Libya
• North Korea (Democratic People’s Republic of  Korea)
• Somalia
• South Sudan 
• Sudan
• Syria
• Venezuela
• Zimbabwe

Always check the OIT web pages for the most up-to-date information.

GT: GT Data Categorization (Protected vs. Public)

GT: Approved Cloud Storage Options

GT: Video Collaboration Comparison Chart

GTRI: Where Do I Store Data?

GTRI: Which Collaboration and Communication Tools Are Approved?

Yes, with appropriate security measures as outlined in your TCP.

Many are working remotely to continue research during the current situation. The Office of Research Integrity Assurance – Export Compliance wants to remind you of your responsibilities to safeguard export controlled information that may be in your possession.

Remote working is possible with export controlled projects as long as the same security standards are met as outlined in your TCP to prohibit access by foreign nationals.

In order to prohibit access by unauthorized individuals:

• Be aware of your surroundings and prohibit visual access by others in your area.
• Access export controlled information through approved GT VPN or SSH or approved cloud services. Do not use any third party services that are not GT accounts.
• Do not store export controlled information on any device that does not meet the appropriate security standard.
• If there is a need to access work from outside of the United States, contact our office immediately for specific guidance.

As always, security is of great importance. Physical security must meet the standards of the TCP — keep all information and devices locked when not in use. Information security will need to meet the standards as described in your TCP, as outlined:

Department IT support or the Cybersecurity Governance, Risk, and Compliance (GRC) team should address questions regarding information security. The GRC team will contact you with guidance to maintain security controls and how to request exceptions for your research environment to maintain compliance with federal regulations for all current SSPs.

The Export Control program at Georgia Tech is quite large and involves many offices. Knowing which office to contact is important to get the quick service and support you need. The Export Control program has moved to the Office of General Counsel (OGC).

OGC-Export is the primary contact for all export questions.

Export webpage: export.gatech.edu

Export Email: export@gatech.edu

Import Email: import@gatech.edu

OGC main webpage: generalcounsel.gatech.edu and legal.gatech.edu

Global HR is the primary contact for International assignments and employment.

Web: hr.gatech.edu/global-human-resources

Cyber Security is the primary contact for IT security including Controlled Unclassified Information (CUI)

Web: cui.gatech.edu

Email: cui@gatech.edu

Research Security is the primary contact for questions about the Insider Threat Program or classified activities.

Email: Dannie.Lyvers@gtri.gatech.edu

Web: webwise.gtri.gatech.edu/research-security-department/rsd-faq/insider-threats and https://webwise.gtri.gatech.edu/research-security