Government agencies have significantly increased their enforcement of export control compliance to now include universities and research institutions. Compliance audits by the agencies elevate enforcement visibility. In response, the most important “risk minimization” step being taken by concerned major institutions, including CUNY, and endorsed by enforcement officials is designated oversight of export-controlled activities. The objective of this oversight is to help PIs and administrators proactively manage compliance through well-documented processes and ongoing awareness trainings. Read More
Exports are defined, principally, in three ways:
(1) Physical shipment of covered items or data from the United States to a foreign destination by cargo shipments, hand carried articles or courier.
(2) Electronic or digital transmission of any covered items or data from the United States to a foreign destination, including via email, or fax.
(3) Release or disclosure by visual inspections, spoken communications, or computer access to export controlled items, technology or technical data (hard or soft copy) to foreign persons  of certain countries validly in the U.S. on temporary student or employment visas, but who are neither U.S. citizens nor Permanent Residents; such export is deemed to occur upon the foreign national’s return to his/her home country.
For purposes of both (1) and (2) above, technical data is defined as follows: blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape read-only memories; oral communication about any data contained therein.
The export control regulations govern laboratory instruments, equipment, materials, software, technology and technical data that can be transferred out of the country by any means (e.g. cargo shipment, hand-carried laptop content, courier, email, and spoken communication) as well as that can be accessed by foreign nationals present at our laboratories for whom certain export restrictions apply. In certain cases, these situations require prior authorization (an export license) from one of the applicable governing agencies. These agencies include the Departments of Commerce, State, Treasury, Defense, Energy, and the Nuclear Regulatory Commission.
Based on the foregoing definitions of export, controls are primarily implemented through three regulatory regimes, as follows:
(1) Export Administration Regulations (EAR): These are the Commerce Department’s dual-use controls under Title 15 CFR 700-799 governing hardware, materials, equipment, software, technology and technical data that Commerce defines as dual use i.e., having civilian and inherent military or defense application. Commerce places destination (country) and end-use/user-based controls by requiring prior authorization (license) prior to export. Not all items on the Commerce Control List (CCL) are controlled for all countries. For example, the type of control such as “National Security,” “Nuclear Proliferation,” or “Biological/Chemical” (among other types of controls), determines what types of items are controlled for particular countries and end uses based on the item specifications, capability and use.
(2) International Traffic in Arms Regulations (ITAR): These are the State Department’s defense-based controls under Title 22 CFR 120-129 governing defense articles and activities. Defense articles are defined generally as hardware, materials, equipment, software, technology and technical data specifically designed or modified for defense or military application, without a civil performance or use equivalent. The ITAR governs many types of commercially available items built to military specifications commonly used in research activities, including but not limited to the Engineering, Biological, Information, and Space sciences. Unlike the EAR’s dual-use universe, exports of ITAR items are subject to licensing regardless of destination or end user/use, unless a specific license exception is met. In other words, all destinations potentially require licenses. Further, unlike the EAR, certain countries, such as China, are per se prohibited destinations under ITAR, and for these countries, no licenses will be issued.
In addition, the ITAR also regulates a category of activities defined as “defense services.” Essentially these are activities which either involve disclosing ITAR technical data to foreign nationals (or data related to a defense article) even in the pursuit of fundamental research; or disclosing any technical data (including that which is not-controlled, dual use controlled or already in the public domain) to a foreign national or related organization affiliated with a military purpose. Activity that meets one or more of these definitions likewise triggers a licensing requirement.
Please refer to the USML for a list of ITAR controlled items.
(3) Office of Foreign Assets Controls (OFAC): These are the Treasury Department’s economic embargo controls under Title 31 CFR 500-598 governing which types of transactions are restricted with certain countries which OFAC defines as terrorist-sponsoring nations. Exports constitute only one of many types of restricted transactions that OFAC defines as providing a restricted service. While OFAC maintains economic embargoes with numerous countries, the only countries that directly impact exports (outbound and laboratory access) for our purposes are Cuba, Iran, Syria, and Sudan. Similar to the EAR and ITAR, transactions with these countries require licenses, which may or may not be authorized depending on the country and nature of transaction.
Outbound shipments or transfer by any means (cargo shipment, courier, hand carried, electronic) of export controlled commodities (hardware, laboratory equipment, materials, research samples) or technical data (software, blue prints, schematics, manuals, information in any form) may be specifically controlled by the regimes discussed above (EAR, ITAR, and OFAC). Hence, it is necessary to consult these regulations to determine whether a license is required. See above-referenced links to relevant regulatory sections.
Because a license can take at least 30 days to obtain, it is critical to address a potential export requirement as soon as possible to allow for sufficient processing time. The type of license, scope and duration will depend on which authorizing agency (Commerce, State, OFAC) has jurisdiction over the license application or authorization. This rule applies even where the purpose of exporting the item is to advance fundamental research abroad, for example, as part of fieldwork to be conducted in another country or to facilitate an international collaboration.
It is important to note that even where an item (commodity) is created in the laboratory from commercially available components and data, or through technical know-how that is publicly available, the item itself may still require a license to export.
Laboratory access to controlled equipment and technical data
(1) Dual-use (EAR-governed) inventory and technical data
Since CUNY conducts its research activities under FRE, access to dual use laboratory equipment and technical data remains unrestricted, subject to three exceptions. These exceptions are noted below.
Exception #1: where a PI has received proprietary technology or source code (“data”) from a sponsor (federal or industrial) as background information or a research tool by which to conduct fundamental research, and this data is export controlled, then access to this data falls outside the FRE; the PI (likely a U.S. person as required by the NDA through which the data is received) is responsible for not sharing it with foreign national members of the research team. Where it is recognized as necessary to share such data and this is contemplated by the NDA, a deemed export license may be required in order for the foreign national to access the data.
Exception #2: where the proprietary technology specifically concerns technology for the development of advanced cryptography or source code containing advanced cryptography, then a deemed export license will be required prior to access by foreign nationals from Iran, Cuba, Syria, North Korea, and Sudan. Again, please note that such technology, if self-invented at CUNY, does not require a license for access by this category of foreign nationals, assuming the technology or code is intended for publication.
Exception # 3: Where CUNY rents or otherwise hosts laboratory space to external or third party users for their own proprietary, commercial purposes and not to conduct the fundamental research, the FRE does not apply to that party’s access to controlled equipment and process technology. In this case, CUNY must determine whether a deemed export license is required.
(2) Defense (ITAR-governed) inventory and technical data
Like the EAR, the ITAR recognizes fundamental research subject to the same framework of not accepting publication or citizenship restrictions, and requiring that all research be intended for the “public domain.” Hence, acceptance of any citizenship or publication restriction by a sponsor automatically triggers ITAR disclosure restrictions to research results classified as ITAR. Again, CUNY adheres to a strict policy of not accepting restricted funding from a government or industry sponsor (and regardless of whether CUNY is a prime or subcontractor) so that all research results are intended for the public domain. However, even where no restrictions are accepted from a sponsor as to the dissemination of research results, ITAR controls still apply to any ITAR item or data that CUNY receives either from the sponsor or a collaborating institution, or procures commercially for purposes of conducting the research. Whereas the FRE (with only certain exceptions) allows access to equipment and data used during the course of fundamental research by foreign national faculty and researchers, ITAR restricts access to equipment and data where using it in any capacity discloses the inherent design, operation, or know-how that renders it ITAR controlled. In this case, where a PI wants to provide access to a foreign national researcher, either CUNY will have to obtain an export license prior to access, or the PI will need to create a Technology Control Plan (TCP) to secure the item. The TCP is used to allow physical access to a commodity or virtual or physical access to technical data only to U.S. persons. The only exception to this rule is the situation where the foreign researcher qualifies as a full time CUNY employee and where certain other regulatory criteria are met. Even were this exception is met, the foreign researcher cannot transfer the ITAR-controlled data to any other foreign national, whether or not on the research team.
As noted, separate from the restrictive access provisions under the ITAR, ITAR also requires licensing of foreign nationals when the research activity constitutes a “defense service” as defined above.
(3) OFAC-governed transactions pertaining to Cuba, Iran, Syria and Sudan
OFAC does not per se regulate access to specific laboratory equipment, technical data and research results the way that the EAR and ITAR do. Rather, OFAC regulates transactions involving certain embargoed countries. For example, research collaboration with an institution in Cuba or Iran may require an OFAC license, even if only data and no commodity were being transferred to one of those countries. Transferring any tangible materials to the OFAC-restricted countries or importing any item from them likewise requires a license. Providing editorial comment directly to a foreign national located in one of the OFAC restricted countries as part of a journal or peer review requires review on a case-by-case basis. However, this restriction should be distinguished from those situations where research results are made publicly available by posting them on the Internet or through a professional website that anyone can access. In that case, the fact that an Iranian researcher or institution downloads the item does not constitute an OFAC violation. However, at the point at which the Iranian institution seeks specific guidance from CUNY pertaining to publicly available information or seeks technical assistance of any kind, this activity may trigger a license requirement.
Separate from the licensing requirements triggered by exporting dual use and ITAR items, or engaging in OFAC-restricted transactions, all three agencies require that no transaction occurs that results in an unauthorized export to a restricted or prohibited end user of an item or data, regardless of whether or not it is EAR or ITAR controlled and regardless of the country in which the end user/recipient is located. In order to satisfy this requirement, CUNY is required to screen end users and recipients of export transactions, largely in the context of international collaborations where we send items or data abroad, or where we host foreign visitors to our laboratories and these visitors are accessing controlled equipment or data. If this screening indicates that a potential research partner is a restricted end user, this may trigger a license requirement.
Teaching/Lecturing Abroad and Participating in International Conferences
Teaching standard curriculum abroad or presenting research findings at international conferences or meetings do not present export controlled issues, provided that the following items are not exported in connection with these activities: a) samples or instruments requiring a license; b) controlled ITAR or EAR technology that is not the result of fundamental research; c) disclosure of data triggering an ITAR defense service; and d) data received under an NDA. Hence, engaging in a sidebar conversation that contains the kind of data described in b) – d) may trigger an export license requirement. As noted earlier, exporting any commodity abroad, even if to advance fundamental research, requires prior license review.
Traveling abroad with hand carried items such as laptops, jump drives, hand-held GPS devices, and prototypes or samples that happen to be portable can trigger export control regulations. In most cases, there is no license requirement for travelling with laptops and handheld communication and direction-finding devices. However, as noted earlier, laptops loaded with proprietary export controlled information may require prior authorization from the appropriate government agency. Travel to Cuba, depending on the purposes and circumstances, may require OFAC authorization. Shipping laboratory instruments abroad in support of research-related travel may most definitely require prior export authorization, depending on the item, destination, use and users.
Hosting Foreign National Visitors (non-U.S. Permanent Residents)
Depending on the level of laboratory access and purpose of the visit, it may be necessary to screen such visitors against the U.S. Government watch lists prior to their intended visits. Once approved, it may likewise be necessary to restrict such persons from export controlled instruments and data, where such items are controlled. This is particularly true where the visit is not for fundamental research purposes, but proprietary commercial purposes.
Research Activities Not Covered by the FRE
As noted, it is CUNY’s policy not to accept sponsored agreements or engage in contracts that contain publication or research restrictions (although as noted earlier, certain proprietary data subject to an NDA may be accepted strictly as background information necessary to conduct otherwise unrestricted fundamental research). To the extent that a potential award or contract opportunity may contain language restricting research results, the Office of Sponsored Research at the respective College in conjunction with the Research Foundation will negotiate out such provisions, or where not possible to do so, decline the opportunity. Because some preliminary discussions with federal agencies or industry partners may require a PI to preliminarily or informally agree to receive export controlled data in order to participate in the proposal process, PIs should be aware of such situations and contact the Office of Sponsored Research at the respective College and the Research Foundation to determine an appropriate solution.
Likewise, the acceptance of “side agreements” or scope extensions to previously reviewed and accepted agreements could also trigger controls to the extent they add publication or citizenship conditions. PIs should likewise discuss such situations with Sponsored Research and Research Foundation to resolve the situation.
Where a CUNY PI or administrator has spun-off a separately chartered company to perform services unrelated to his/her staff position at CUNY, it is necessary to ensure that any export controlled activity conducted by the spin-off does not occur using CUNY physical or human resources. In such situations, it is necessary for the PI/Administrator to seek separate counsel pertaining to export control compliance obligations.
Where a CUNY PI or other personnel engages in a private consulting relationship with an external party, the PI or personnel is solely and legally responsible for export control compliance resulting from the consulting relationship and does not bind CUNY. This applies to potential deemed exports involving controlled foreign nationals as well as outbound exports and re-exports. Under CUNY policy, CUNY is not liable for activity that is not conducted under its own auspices and for its own purposes.
 By definition, fundamental research means that no publication or citizenship restrictions are accepted from any sponsor (industry or government agency) by any means (prime contract or flow-down), explicitly or unofficially. A publication restriction is one in which a sponsor requires withholding of research results for any reason other than a) to make sure that no proprietary data provided to the PI is disclosed in the published research results or; b) the time necessary to file a patent application. A sponsor’s general requirement that publication be withheld “pending review” or review for a period of time beyond what is reasonably required to filter out proprietary data would constitute a publication restriction and disqualify CUNY from FRE protection. A citizenship restriction limits research participation to U.S. persons or reserves the right to determine which nationality among researchers can participate. Hence, in order to maintain as open a research environment as possible, CUNY strictly adheres to its policy of only conducting fundamental research, and not accepting any restrictions from a sponsor that would compromise the FRE.
Information becomes “published” or considered as “ordinarily published” when it is generally accessible to the interested public through a variety of ways. This includes publication in periodicals, books, print, electronic or any other media available for general distribution to any member of the public or to those that would be interested in the material in a scientific or engineering discipline. Published or ordinarily published material also includes the following: readily available at libraries open to the public; issued patents; and releases at an open conference, meeting, seminar, trade show, or other open gathering. A conference is considered “open” if all technically qualified members of the public are eligible to attend and attendees are permitted to take notes or otherwise make a personal record (but not necessarily a recording) of the proceedings and presentations.
 The definition of foreign persons includes companies not incorporated in the U.S., foreign governments, and international organizations.
 CUNY University Information Security Office can assist in determining what qualifies as advanced cryptography for this exception.
 Also, as noted earlier, providing laboratory space for external proprietary purposes could, likewise, trigger the export control regulations with regard to foreign national access to controlled instruments and data.