It depends, under the Temporary Export Exemption, individuals traveling with technology or data that is routinely available from a commercial vendor will probably not require an export license as long as:
The item will be returned to the U.S. within one year of its export date; and
The item is a usual and reasonable type of tool of the trade for use in lawful research or education; and
You retain effective control at all times over the item while abroad by retaining physical possession of the item or securing the item in an environment such as a hotel safe; and
You accompany the item abroad, or the item is shipped within one month before your departure, or at any time after your departure; and
The item does not contain encryption software employing a key length greater than 80 bits for the symmetric algorithm; and
The equipment, software and technology are not of an inherently military nature and will not be put to a military use or be used in outer space; and
You will not place items in unaccompanied baggage; and
The items will not be sold or intended for sale
The Temporary Export Exemption does NOT apply, however, if you are traveling to an sanctioned/embargoed country i.e. Burma. If you are traveling to a sanctioned/embargoed country, you may need to apply for an export license before taking your laptop outside of U.S. borders.
Do export controls only apply to sponsored/funded research?
No. Export controls are U.S. laws that apply to all research and activities conducted at UCCS whether funded or not. Export controls may cross all academic fields including but not limited to engineering, psychology, biology, chemistry, and education to name a few.
How can the fundamental research exclusion be lost?
Fundamental research: Research that is NOT Restricted. Restrictions may include, but not limited to:
Limitation on participation by foreign nationals, which may include International collaborators, students, or faculty
Publication restrictions, etc.
Personnel restrictions, etc.
Material, technology, etc. classification by EAR or the ITAR
End use prohibitions, e.g. space
Is my UCCS research or activity subject to export controls?
It depends on many factors like type of research, participant's nationality, NDAs, acceptance of export controlled information, etc. To help you get an idea please review the Export Control Information Sheet
May a foreign national use equipment in my lab if the "fundamental research" exclusion applies to my research?
It depends. The transfer of controlled technology or source code of a controlled item may require a license even if the normal operation of the equipment does not. The use and or visual inspection of equipment controlled by the ITAR most likely will require a license.
What are sanctioned Countries?
Countries that are designated by OFAC as having limited or comprehensive trade sanctions imposed by the United States for reasons of anti-terrorism, non-proliferation, narcotics trafficking, or other reasons.
What is a dual Use item?
A dual use item may have both commercial and military applications, including those which were designed with no intrinsic military function but which may have a potential military application (i.e., computers, solar cells, optical instruments, light aircraft, etc.).
What is an Export?
An export occurs when someone sends or takes controlled tangible items, software or information out of the United States in any manner, transfers ownership or control of controlled tangible items, software or information to a foreign person, or to disclose information about controlled items, software or information to a Foreign Person.
Who is considered a foreign person?
A foreign person is anyone who is neither a lawful permanent resident (green card holder) nor a protected individual admitted refugee or person granted asylum. A Foreign Person also means any foreign corporation, business association, partnership or any other entity or group that is not incorporated to do business in the U.S. Foreign Persons may include international organizations, foreign governments and any agency or subdivision of foreign governments such as consulates.
What is Dual Use Research of Concern (DURC)?
DURC is life science research, based on current understanding, can be reasonably anticipated to provide knowledge, information, products or technology that could be directly misapplied to pose a significant threat with broad potential consequences to public health and safety, agricultural crops and other plants, animals, the environment, materiel, or national security. Please visit the Public Safety DURC page to learn more.
What is educational information? Can Classes/courses be subject to export controls?
A phrase used by the Department of Commerce in §734.9 of the EAR. "Educational information" is not subject to the EAR if it is released by instruction in catalog courses and associated teaching laboratories of academic institutions. Certain types of information related to encryption software cannot be considered "educational information" and therefore are subject to the EAR even if they are released "by instruction in catalog courses and associated teaching laboratories of academic institutions." For additional helpful information, Supplement No. 1 to 15 CFR Part 734 of the Export Administration (EAR) which contains additional questions and answers frequently raised by the regulations that apply to civilian or "dual use" technologies.
Items on the ITAR/USML are not covered under this exclusion; as such instruction qualifies as a defense service. The ITAR contains similar provisions, in which the following are excluded from the "technical data" definition:
general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities
information in the public domain as defined in § 120.11
basic marketing information on function or purpose
general system descriptions of defense articles
The Department of Energy Assistance to Foreign Atomic Energy Activities regulations consider information available in public libraries, public reading rooms, public document rooms, public archives, or public data banks, or in university courses to be public information not subject to its controls [10 CFR 810.3].
Education in the US is generally not affected by the Treasury Department's Office of Financial Assets Controls (OFAC) sanctions programs, although online education may. Export Controls may also affect some online education. Open courseware, in which the entire content of a course is freely available, is considered as public information and informational material and is therefore excluded from EAR and ITAR controls, and is generally authorized under the Treasury Department's Office of Financial Assets Control (OFAC) (no specific authorization required). Courses that are actively delivered, however, in forums which involve interaction among students and teachers, homework is assigned and evaluated, quizzes and tests are administered and graded, and evidence of successful completion is considered as providing a service, which is not generally authorized, and requires a specific authorization for students in/or ordinarily resident in Cuba, Iran, and Sudan, under OFAC's sanctions.
Can classes/courses be subject to export controls?
It depends, information taught in catalog-listed courses and associated teaching laboratories are not subject to export control, but there are exceptions (not limited to the following).
One exception to that general rule pertains to certain high-level encryption software.
Another exception relates to access to and instruction related to ITAR controlled defense articles as part of a university course if foreign nationals are involved; such activities may require a license. Even if no foreign nationals are associated with the class, it is important that all faculty, staff and students associated with the class understand the applicable export controls in order to prevent inadvertent violations.
Another exception relates to OFAC's guidance that delivering courses is providing a service, which is not generally authorized, and may require a specific authorization especially for individuals in Cuba, Iran, and Sudan.
Workshops and classes other than catalog-listed courses, for example those developed for a specific audience (e.g. an interest group, departmental seminar, government agency or private company) are not excluded from control under the export regulations. It is the responsibility of the instructor or presenter to ensure that their presentation doesn't violate US export controls by disclosing controlled technology of technical data or providing a defense service to a foreign person(s) without the appropriate license or other government approvals.
With this in mind, the practical effect is that most university courses are clearly excluded from export controls, enabling participation by international students and faculty. To be sure that a course dealing with advanced or sensitive technology qualifies for educational exclusion, please contact Mike Sanderson via email email@example.com or 719-255-3044.
What is Fundamental Research?
Fundamental research is basic and applied research in science, engineering, and mathematics, where the resulting information is to be shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons. The conduct, products, and results of Fundamental Research are to proceed largely unfettered by deemed export restrictions, meaning the results will be published and made freely available to the scientific community. Research whose results carry dissemination or Foreign Person access restrictions will not qualify as Fundamental Research for purposes of the export control regulations. Because export regulations expressly recognize that Fundamental Research is excluded from deemed export controls or export licenses, other government approval is generally not needed before involving foreign nationals in Fundamental Research activity at UCCS. However, such research may give rise to export issues if the primary research is to be conducted outside of the U.S. or if it requires Foreign Person access to ITAR (International Traffic in Arms Regulations) export control-listed technical information or software code or confidential information provided by third parties such as corporations, commercial vendors, or government collaborators.
What is a DD2345 and when do I need one? aka Military Critical Technical Data Agreement
A DD2345 ( Military Critical Technical Data Agreement) is a form required by the Department of Defense to control when and to whom particular types of information are shared. It applies to:
unclassified technical data,
with military or space applications,
which are in possession of or under control of a DoD component, and
may not be exported lawfully without approval, authorization, or license under E. O. 12470.
These forms are often required while working on particular projects or when attending particular conferences where you may encounter the type of information described above. If you need one, you’ll probably be informed by the project lead or conference organizer.
If you encounter or are given a DD2345, do not sign the form yourself. You may put yourself at risk for violations of federal regulation. Instead, please reach out to Mike at Export Controls/OSPRI by emailing firstname.lastname@example.org or calling (719) 255-3044. We will be happy to help guide you through the rules and process of the DD2345 for UCCS.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is defined by 32 CFR 2002 as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
CUI can be many different types of data. These include, but are not limited to, certain types of financial data, law enforcement or legal records, and private health or student records. The CUI registry is a searchable list of CUI categories and includes links to regulatory statues surrounding each of those categories
Regulations require that CUI be handled in a specific way, from when and how it is shared to how it is stored or destroyed. While doing research and other work within the university, you may encounter data that qualify as CUI. You are especially likely to encounter CUI while working a project sponsored by a government entity. If this is the case, you should familiarize yourself with the rules surrounding the handling of CUI and reach out to email@example.com for assistance to ensure you remain compliant with regulations.
Is there a difference between CUI Basic and CUI Specified?
The subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in 32 CFR 2002 and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls may apply whenever CUI Specified ones do not cover the involved CUI.
The subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls may apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.
UCCS information systems are not Federal Information Systems and do not meet the referenced requirements. Reach out to OIT at UCCS for guidance.
What is NOT controlled unclassified information (CUI)?
When reviewing the CUI Registry, it's easy to start thinking that everything is CUI, but that's not true. It's important to remember that the definition of CUI limits the scope to certain categories of federal information, essentially government information requiring safeguarding pursuant to government requirements.
Research data is likely to be CUI if 1) it is provided to you by the U.S. government (or another party on their behalf); or 2) it is developed by you during the performance of U.S. government sponsored research; and the contract or agreement specifies that the information is CUI. The following are illustrative examples of information that are not CUI:
Proprietary research that is not funded by the federal government is not CUI. This is true even when the background information provided by the sponsor and/or your research results are proprietary technical information subject to the US export control regulations.
Medical information and/or human subjects data subject to privacy protections (e.g., HIPAA or as part of informed consent representations) are not CUI.
Exception: Such data may be CUI when provided by the U.S. government (e.g., medical information about federal employees) to the University for use in research. Reach out to the UCCS HIPAA Privacy Officer for guidance when working with HIPAA data.
Student information subject to privacy protections (e.g., FERPA) is not CUI.
Exception: Such data may be CUI when collected by the U.S. government (e.g., certain financial information provided by students and/or parents in federal financial aid applications) which is then passed to the University for use in financial aid administration. Reach out to the UCCS Registrar for guidance when working with student data.
Information that is already ;in the public domain (e.g., published), including publicly available U.S. government data sets.
Non-contextualized research data (e.g., raw output collected for a CUI project that must be correlated with additional input from a person, application or second data source in scope of the CUI research project to have meaning or context) will generally not be considered CUI unless it bears identifying marks linking it to specific CUI project.
Note: Researchers are advised to discuss the possibility for designating certain output as "non-contextualized research data" with the UCCS export control officer when developing the technology control plan for the CUI project for which it will be collected.
It may be prudent to handle controlled information (e.g., export controlled, HIPAA, or FERPA data) that is not CUI with the same safeguarding standards but this information should not be marked as CUI.
Why should I be concerned about export controls?
The university campus is open to students and faculty from many different countries. Access to restricted or export controlled technology, commodities, defense articles and defense services by an unauthorized foreign person could result in severe criminal or civil penalties for the university and the university employee making the export. Prosecution of an export violation may result in fines of up to $1M and/or a prison sentence of up to 20 years.
What is Publicly Available/Public Domain Information?
The export control regulations include categories of information that are considered "publicly available" (under the EAR) or "public domain" (under the ITAR). Both categories of information are available to the public without restrictions; however, transferring information to certain places may still require a license (see “Is it okay to send publicly available/public domain information to any location?”). Each set of regulations (as well as the AFAEA) has its own definitions, below.
International Traffic in Arms Regulations (ITAR)
Not Subject to the ITAR, Public Domain (22 CFR § 120.11)
(a) Public domain means information which is published and which is generally accessible or available to the public:
(1) Through sales at newsstands and bookstores;
(2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
(3) Through second class mailing privileges granted by the U.S. Government;
(4) At libraries open to the public or from which the public can obtain documents;
(5) Through patents available at any patent office;
(6) Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
(7) Through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency (see also §125.4(b)(13) of this subchapter);
(8) Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community.
Export Administration Regulations (EAR)
Not Subject to the EAR (15 CFR § 734.3(b)(3))
Information and “software” that:
Are published* as described in (15 CFR § 734.7), see below
Arise during, or result from, fundamental research, as described in § 734.8
Are released by instruction in a catalog course or associated teaching laboratory of an academic institution
Appear in patents or open (published) patent applications available from any patent office, unless covered by an invention secrecy order, or are otherwise patent information at described in § 734.10
Are non-proprietary system descriptions
Are telemetry data as defined in Note 2 to Category 9, Product Group E.
Excludes certain encryption software – see ECCN 5D002
*Published 15 CFR § 734.7
(a) Unclassified technology and software is published - and therefore not technology or software subject to the EAR - when it has been made available to the public without restrictions upon its further dissemination such as through any of the following:
(1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or
(5) Submission of a written composition, manuscript, presentation, computer-readable data set, formula, imagery, algorithms, or some other representation of knowledge with the intention that such information will be made publicly available if accepted for publication or presentation:
(i) To domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications;
(ii) To researchers conducting fundamental research; or
(iii) To organizers of open conferences or other open gatherings.
(b) Published encryption software classified under ECCN 5D002 remains subject to the EAR unless it is publicly available encryption object code software classified under ECCN 5D002 and the corresponding source code meets the criteria specified in § 740.13(e) of the EAR.
AFAEA: (10 CFR Part 810.2(c)(2))
Publicly available information, publicly available technology, and the results of fundamental research.
Definitions (10 CFR Part 810.3)
Publicly available information means information in any form that is generally accessible, without restriction, to the public.
Publicly available technology means technology that is already published or has been prepared for publication; arises during, or results from, fundamental research; or is included in an application filed with the U.S. Patent Office and eligible for foreign filing under 35 U.S.C. 184.
Fundamental research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.
Please note that the fundamental research and public domain exclusions do not apply to tangible items that are being taken or shipped outside of the U.S. In such cases, those items must be analyzed to determine whether they are subject to export controls. For assistance with this process and with obtaining an export license if necessary, please contact OSPRI. The process of obtaining an export license from the government can be lengthy, so please plan accordingly.
Is publicly available/public domain information subject to the export control regulations?
No, publicly available/public domain information is not subject to the export control regulations (e.g., ITAR, EAR). However, some information, such as information made public against U.S. law, may still be export controlled. Additionally, under some circumstances, information that might normally be considered publicly available/public domain may actually be export controlled, such as when sharing information becomes a defense service. Please reach out to OSPRI with questions.
Is it okay to send publicly available/public domain information to any location?
No, it may be prohibited to send publicly available/public domain information to an embargoed/sanctioned country without a license.
Is information that I present at a conference or similar event considered "Publicly Available" or "Public Domain"?
Not necessarily. It is important to note that follow-on questions and discussions can go beyond public information and into practical implementation, which requires a specific license. Please see AFAEA FAQ item 8 for additional information and examples.
If you are planning on sharing information you believe is publicly available at a conference or similar event and have questions if the information is truly publicly available, please reach out to OSPRI to help ensure the information does not require a license.
Is UCCS registered with the Office of Defense Trade Controls Compliance (DTCC)?
Yes, UCCS is registered with the DTCC. Please get in touch with Mike Sanderson, the UCCS Export Control Officer, at firstname.lastname@example.org if you are asked about our DTCC registration to discuss your project and any needed export control reviews.