Frequently Asked Questions


Export Controls FAQ

An export is any oral, written, electronic or visual disclosure, shipment, transfer or transmission of commodities, technology, information, technical data, assistance or software codes to:

  • Anyone outside of the U.S.
  • A “foreign national” wherever they are (deemed export)
  • A foreign embassy or affiliate

Export controls are U.S. laws and regulations that regulate and restrict the release of critical technologies, information, and services to foreign nationals, within and outside of the United States, and foreign countries. U.S. export controls exist to protect the national security and foreign policy interests of the United States.  Faculty, staff and students may intersect with federal regulations that impose access, dissemination or participation restrictions on the transfer of items and information regulated for reasons of national security, foreign policy, anti-terrorism or non-proliferation.

Yes. International travel by employees or students is still subject to export control regulations. When traveling, be aware that taking information, technology, equipment or laptops out of the country may require an export license.

If you are traveling to a sanctioned or embargoed country to conduct university activities, or you are taking any of the following: encrypted software, export controlled items/information, unpublished research data or data not in the public domain – you must ensure you discuss your activities in advance of travel with the KU Export Compliance Officer or another GOS employee. Depending on the type of activity, it may be prohibited or may require that licenses be obtained before it is allowed.

A Foreign National is any person who is NOT:

  • A U.S. citizen 
  • Permanent resident alien (Green Card Holders)
  • Asylee 
  • Refugee
  • Temporary resident under amnesty provisions

The following are considered foreign nationals or foreign persons:

  • Foreign corporation, business association, partnership entity or group not incorporated in the U.S.
  • Person in the U.S. in non-immigrant status (such as international students on F1 visas, visiting scholars, or any person in the U.S. on a visa, including employees on J1 or H1B visas).

A deemed export is the release of technology or information to a foreign national in the U.S., including students, post-docs, faculty, visiting scientists or training fellows.

Deemed exports are the most common exports for the university as an export can happen when traveling abroad, or when hosting foreign nationals or persons.

It depends on the equipment. Operation of a defense article by foreign nationals is prohibited, unless a license is obtained prior to operating.

Operation of EAR/CCL items or equipment by a foreign national in the U.S. is not controlled by the export regulations. In the U.S., any person (including foreign nationals) may purchase export-controlled commodities, and the "deemed" export rule only applies to technical information about the controlled commodity. As such, while the operation of equipment inside the U.S. is not controlled, the transfer of technical information relating to the use (i.e., operation, installation, maintenance, repair, overhaul and refurbishing) of equipment may be controlled in certain circumstances.

For example, if the manufacturer of the equipment provided the University some confidential, proprietary information about the design or manufacture of the equipment, then the University might need a "deemed" export license to provide such proprietary information to a foreign national, especially if shipment of the item to the home country of the foreign national would require an export license.

The export regulations allow foreign students, researchers and visitors to operate (and receive information about how to operate) controlled equipment while conducting fundamental research on U.S. university campuses or while studying at the institution, as long as the technical information about the controlled equipment qualifies as "in the public domain" or "publicly available."

Research is not subject to export controls if it qualifies for at least one of three exclusions:

Fundamental Research Exclusion is a broad-based general legal exclusion that helps to protect technical information (but not tangible items) involved in research from export controls. It is defined as basic and applied research in science and engineering conducted at accredited U.S. institutions of higher education where the resulting information is ordinarily published and shared broadly within the scientific community. Such research can be distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons. Research qualifying as “fundamental research” is not subject to export controls.

University research will not qualify as fundamental research if the university or researcher accepts any restrictions on the publication of the information resulting from the research, other than limited prepublication reviews by research sponsors to prevent inadvertent divulging of proprietary information provided to the researcher by the sponsor or to ensure that publication will not compromise patent rights of the sponsor. There is no general fundamental research exclusion that applies to defense articles (as opposed to technical data) under the ITAR; however, there are exclusions that apply to specific articles under certain circumstances.

Fundamental research permits U.S. universities to allow foreign members of their communities (e.g., students, faculty, and visitors) to participate in research projects involving non-ITAR export-controlled technical information on campus in the U.S. without a deemed export license. Further, technical information resulting from fundamental research may be shared with foreign colleagues

Public Domain Exclusion applies to information that is published and that is generally accessible or available to the public: (1) through sales at newsstands and bookstores; (2) through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information; (3) through second class mailing privileges granted by the U.S. Government; (4) at libraries open to the public or from which the public can obtain documents; (5) through patents available at any patent office; (6) through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States; (7) through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency; and (8) through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community.

ITAR/USML technical information already in the public domain qualifies for the Public Domain exclusion as long as it meets the requirements stipulated above.

Educational Information Exclusion covers general science, math or engineering commonly taught in courses listed in catalogues and associated teaching laboratories of academic institutions in the U.S. even if the information concerns EAR/CCL controlled commodities or items. ITAR/USML items do not qualify for the Educational Exclusion, as instruction is a “defense service.”

Please reach out to GOS if there is any concern about whether or not any of these exclusions apply to your research.

  • The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) administers the Export Administration Regulations (EAR) that govern the export of commercial and dual-use goods, software and technology, including hardware and software containing certain encryption algorithms. BIS also controls certain defense-related items, including certain parts and components for military aircraft and other military end-uses.
  • The U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) administers the International Traffic in Arms Regulations (ITAR) that govern the export of defense articles, defense services and ITAR controlled technical data.
  • The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers country-specific economic and trade sanctions that often include restrictions on most or all transactions with and exports to targeted countries and persons. In addition, both the Treasury and Commerce Departments administer anti-boycott laws, which are designed principally to counter Arab country boycotts of Israel and Israeli goods.
  • The U.S. Census Bureau – While not a formal export control agency, the Census Bureau’s Foreign Trade Division is responsible for maintaining and implementing the Foreign Trade Regulations (15 CFR Part 30) that govern the preparation and submission of Electronic Export Information (EEI) submitted prior to most exports from the United States.  The Census Bureau shares this export data with BIS, OFAC, DDTC, U.S. Customs and Border Protection and other regulatory and law enforcement agencies.
  • The U.S. Customs and Border Protection (CBP) – While primarily responsible for imports into the United States, CBP officers at various U.S. ports oversee a wide variety of export-related activities and have the authority to inspect, detain and seize export shipments if they are not in compliance with the laws and regulations issued by BIS, DDTC and OFAC.
  • Other U.S. Government agencies involved in export control-related issues include: Drug Enforcement Agency (DEA), Environmental Protection Agency (EPA), Department of Energy (DOE), Nuclear Regulatory Commission (NRC), Patent and Trademark Office (USPTO), Food and Drug Administration (FDA), and the Maritime Administration (MARAD)

If you need assistance on export compliance related topics, send a message to gos@ku.edu, call one of our staff members, or submit a request webform.

Restricted Party Screening (RPS) is an essential component of the University of Kansas (KU) Export Compliance Program. The RPS checks persons or entities against various U.S. government lists of individuals, companies, and organizations, both foreign and domestic, where export regulations or sanctions block or restrict any export or prohibited transaction. Individuals on these lists are “restricted parties.”

Regulators and enforcement authorities have made it clear that all organizations are obligated to conduct RPS on employees, contractors, vendors, business associates, and customers prior to any export or prohibited transaction.

KU has an obligation to observe any red flags or indicators and potentially restrict or prohibit interacting with entities entirely.

A “red flag” is an anomaly or other indicator of a potential issue concerning U.S. laws or regulatory requirements. You may wish to visit the Bureau of Industry and Security (BIS) page, "Know Your Customer Guidance."

They include the following:

  • The customer or its address is similar to one of the parties found on the Commerce Department's [BIS'] list of denied persons.
  • The customer or purchasing agent is reluctant to offer information about the end-use of the item.
  • The product's capabilities do not fit the buyer's line of business, such as an order for sophisticated computers for a small bakery.
  • The item ordered is incompatible with the technical level of the country to which it is being shipped, such as semiconductor manufacturing equipment being shipped to a country that has no electronics industry.
  • The customer is willing to pay cash for a very expensive item when the terms of sale would normally call for financing.
  • The customer has little or no business background.
  • The customer is unfamiliar with the product's performance characteristics but still wants the product.
  • Routine installation, training, or maintenance services are declined by the customer.
  • Delivery dates are vague, or deliveries are planned for out of the way destinations.
  • A freight forwarding firm is listed as the product's final destination.
  • The shipping route is abnormal for the product and destination.
  • Packaging is inconsistent with the stated method of shipment or destination.
  • When questioned, the buyer is evasive and especially unclear about whether the purchased product is for domestic use, for export, or for reexport.

Simply, a restricted party is an individual or entity (academic institutions, government, business, etc.) that the U.S. government prohibits or restricts transactions with. A prohibited transaction is broadly defined as “trade or financial transactions and other dealings in which U.S. persons may not engage.”  Because each program is based on different foreign policy and national security goals, prohibitions may vary between programs. A prohibited transaction may include the exchange of goods or services.

It is KU policy to ensure compliance with the regulations and laws; therefore, KU will not engage in exports or transactions with such entities or their representatives, employees, or agents.

We are here to help you make this determination. GOS is happy to perform a restricted party screening on your behalf. The lists are constantly evolving with additions and removals. Below are the most notable lists; this is not an exhaustive list.

U.S. Treasury Department/OFAC: Specially Designated Nationals And Blocked Persons List (SDN)

BIS List: 15 CFR chapter VII Part 744

International Trade Administration: Consolidated Screening List (CSL)

 

Office of Global Operations & Security Export 101 Presentation


Research Security FAQ

GOS can assist you with identifying and training research teams concerning Controlled Unclassified Information (CUI).

Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

 

Executive Order 13556 “Controlled Unclassified Information” (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

32 CFR Part 2002 “Controlled Unclassified Information” was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.

  • Proprietary research that is not funded by the federal government, even though it is subject to the U.S. export control regulations, is not CUI. Projects involving controlled information that is not CUI may certainly be handled with the same safeguarding standards but should not be marked as CUI.
  • Non-contextualized Controlled Research Data – such data generated under a project with CUI safeguarding requirements is still controlled and should be handled in accordance with the relevant TCP, but it is not CUI. PIs and researchers should refer to the relevant TCP for safeguarding requirements.
  • Information that is otherwise in the public domain.

The National Industrial Security Program (NISP) is a partnership between the federal government, academia, and private industry to safeguard classified information. Executive Order 12829, as amended, “National Industrial Security Program”, further amended by Section 6 of E.O. 13691, was established to achieve cost savings and to ensure that industry safeguards the classified information with which it is entrusted while performing work on contracts, programs, bids, or research and development efforts while working for the United States Government. The Order also calls for a single, integrated, cohesive system for safeguarding classified information in industry. Consistent with the goal of achieving greater uniformity in security requirements for classified contracts, the four major tenets of the NISP are:

  • achieving uniformity in security procedures;
  • implementing the reciprocity principle in security procedures, particularly with regard to facility and personnel clearances;
  • eliminating duplicative or unnecessary requirements, particularly agency inspection; and
  • achieving reductions in security costs.

The NISP affects all executive branch agencies. The major signatories of the program are the Department of Defense, the Department of Energy, the Department of Homeland Security, the Office of the Director of National Intelligence and the Nuclear Regulatory Commission.

GOS is responsible for leading and managing the NISP at KU. GOS manages the only facility and network authorized for use at KU. Prior to submitting a proposal to conduct classified research subject to the NISP, contact GOS immediately to discuss program requirements.

Additional information can be found at:

  • 32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
  • National Institute of Standards and Technology (NIST) Special Publication (SP) Rev. 2
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements

A Technology Control Plan (TCP) helps ensure that controlled materials will not be accessed by unauthorized persons. The need for a plan occurs whenever Controlled Unclassified Information (CUI), ITAR, CCL or other controlled items or data are present on campus. The most common use of a TCP is to identify controlled materials or data and describe how these items will be secured on campus. It includes plans for storage, processing, and transmission of the information or items, and procedures for guarding against unauthorized access by individuals or entities.

Security management and planning is the identification of an organization's assets (including people, buildings, machines, systems and information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.

Understanding key export and security concepts will assist in securing intellectual property, resources, information, technology, and individuals on our campuses while protecting national security and reducing overall risk to KU.  Additionally, it facilitates collaboration and the exchange of information in a safe, efficient, and legal manner. Lastly, security planning assists employees and students in identifying risks and developing appropriate controls and countermeasures to provide a safe and secure work environment at all KU campuses.

There is a cost to protecting controlled materials, so please keep this in mind when preparing a budget for a grant application or contract. GOS can assist you with developing potential equipment or devices to properly store, process, and transmit information or materials. Be sure your project sponsor is aware of the need for additional security measures related to the project. If you are awarded a contract or grant and did not budget for the necessary security costs, funds will need to be identified from other sources to cover these required expenses.

Collaboration with both international and domestic colleagues is a critical component of information sharing in an effort to advance education, research, science and technology here at KU. The U.S. Government has continued to see a sharp increase in the theft or illegal acquisition of information and technology resident at both companies and Universities nationwide.

To support the University’s interests in collaboration, while complying with laws and regulations, the University has published the University-wide Visitor Policy to help with protecting intellectual property, research data, research facilities, network access, and physical spaces.

The National Counterintelligence and Security Center (NCSC) "Protecting Your Organization's Secrets" brochure


International Engagement FAQ

All foreign travel involves risk. GOS works with individuals and departments to identify risk and provides countermeasures that can reduce that risk.  International Affairs (KU Lawrence) and the International Programs Office (KUMC) can further assist you with submitting appropriate paperwork for U.S. Department of State high-risk countries. 

“High-risk” locations are countries assessed by the U.S. Department of State as Level 3: Reconsider Travel or Level 4: Do Not Travel and/or by the Centers for Disease Control and Prevention as Warning Level 3: Avoid Non-Essential Travel. Please see KUIA’s Travel to High-Risk Locations for more information and guidance.

KU follows recommendations by the U.S. State Department and the CDC. The State Department links can be found on their travel site, here. The CDC advisories can be found on their travel site, here. Additional safety and security information will be provided to you after you register your travel. You may also reach out to GOS (gos@ku.edu) to create a traveler security assessment.

Leaving behind laptops and electronic devices that are not needed is an easy way to reduce and eliminate some risks. However, these devices are sometimes needed to complete your goals and objectives for the trip. If a laptop is needed, it is recommended to borrow a temporary laptop that contains no information beyond what is needed for travel. If you are unable to do so, you should limit the amount of information on your laptop – this includes research, student records, personal health information (PHI), personally identifiable information (PII), and any sensitive or proprietary data.

If you have export controlled data on your laptop (i.e. proprietary data which is not the result of fundamental research), this would require a license, depending on its EAR or ITAR classification. In addition, the U.S. Government’s OFAC restrictions prohibit the export by any means of any article (including laptops or handheld electronic devices) to Cuba, Iran, Syria or Sudan without specific license authorization.

Additionally, before you travel you should check that there are no restrictions on encrypting your device, because some nations do not allow such devices and bringing one is a violation of their laws. If it is lawful to bring encrypted devices, you should encrypt your device and any associated media.

If in doubt, do not hesitate to reach out to GOS or IT Security.

GOS reviews travel as a service to identify an individual's risk of violating export and sanctions laws and, more importantly, risks to the safety of our employees and students. Individuals are subject to U.S. export and sanctions laws whether they are in the United States or abroad.

Please visit KU’s Conflicts of Interest Program website for instructions on how to disclose outside activities to KU.
