Export Compliance and Risk Mitigation Documents
Northwestern's Export Control Policy sometimes requires a Technology Control Plan (TCP) or a Risk Mitigation Plan (RMP) to manage certain export control and research security risks for research activities at the university. The ECIC office also issues Export Compliance Letters (ECLs) in scenarios that do not strictly require a TCP, but that pose certain export control compliance risks.
Technology Control Plans and Risk Mitigation Plans
What is a TCP? A TCP is an internal written document that provides the policies and procedures to protect potentially controlled, sensitive, or proprietary information at Northwestern. TCPs help NU, PIs and research project participants stay compliant with federal export controls and research security regulations.
What is an RMP? An RMP is an internal written document that provides the policies and procedures to mitigate research security risks, when a sponsoring agency or the terms of a sponsored research agreement or award so require. It contains compliance guidelines/resources and helps keep a record of Northwestern due diligence and restricted party screenings. Compliance letters do not require administrator or Chair/Dean approvals.
When is a TCP or RMP required? A TCP or RMP may be required in the following instances:
- Compliance with federal sponsor requirements to preserve the fundamental research exclusion or to mitigate research security risks. Not all sponsored agreements require a TCP or RMP.
- Working with controlled equipment, substance, or technology, to ensure adequate screening and export licensing determinations.
- Hosting a visitor from an entity on a US restricted list, to ensure the individual only works on fundamental research and to avoid exporting any items to a restricted entity. Note: Northwestern will not routinely sponsor Research Visitors from restricted entities. There is a limited appeal/waiver process for certain instances. See Restricted Parties Research Visitors.
- Resources: Restricted Party Screenings, Visitor Screening Process.
What measures should I expect to find in a TCP or RMP? All plans require the PI and project participants to complete onboarding and certify that they will comply with the measures outlined in the plan. The plan will also be certified by the Department Chair, the Research Dean, and the ECIC office. TCP/RMP measures vary depending on the plan type. Some measures include, but are not limited to:
- Physical security of the lab or equipment.
- Information security measures.
- Sponsor notification or approval of foreign person participants, when applicable.
- Restricted party screenings of project participants and international collaborators.
- Reporting of international travel, when required by the federal agency sponsor.
- Conflict of interest disclosures through the COI Office.
- Export controls training available on MyHR Learn.
Export Compliance Letters
What is an ECL? These are letters issued by the ECIC office to Northwestern researches providing compliance guidelines and resources for scenarios that do not strictly require a TCP, but that pose certain export control compliance risks.
When are ECLs required? The ECIC office issues Compliance Letters to Northwestern researchers when they access information under agreements involving confidential or proprietary technical data (e.g. non-disclosure agreements) in a critical technology area (e.g. semiconductors) designated EAR99 (low controlled) that is subject to export control regulations.
What measures should I expect to find in an ECL? Compliance letters require the PI and project participants accessing EAR99 confidential or proprietary technology to follow certain compliance guidelines, including:
- Request restricted party screenings from ECIC for all project participants who will access confidential technology before they are granted access.
- Coordinate with ECIC before accepting controlled technology or software. Request ECCN information or ITAR category from the disclosing party before new CI is shared.
- Manage confidential information according to NDA terms.
- Request an export control review before shipping items internationally.
- Contact the ECIC office if foreign national participation is denied.
Compliance letters are not subject to the same onboarding and auditing requirements as TCPs and RMPs, as they cover lower risk scenarios for EAR99 technology as described above. They also do not require department administrator or Chair/Dean approvals. The PI is primarily responsible for monitoring technology access restrictions as required by the underlying agreement and for following the above guidelines.
Resources and Related Documentation
Northwestern Policy
Export Controls Compliance Policy
Policy on Discrimination, Harassment and Sexual Misconduct
Policy on Conflict of Interest in Research
ECIC Manual, Checklists, and Forms
CERES Export Control Ancillary Review Checklist for AWARDS
Export Controls & International Compliance Manual
ECIC Guidance
Export Controls Federal Regulations
Research Security Policies & Guidance