Export Control Frequently Asked Questions (FAQ)
Questions
There is no external funding supporting my activities. Do export controls apply?
Yes, export controls apply to all international activities regardless of funding status or source.
What is a deemed export?
A deemed export refers to the release or transmission of information or technology to any foreign national in the U.S., including students, post-docs, faculty, visiting scientists, or training fellows. A deemed export is treated as an export to that person’s home country. Deemed exports are a primary area of export control exposure for the university.
I am doing basic research in collaboration with a foreign lab. Do export controls apply?
Yes, export controls apply to all international research activities. In general, basic research conducted at the university is not subject to export controls under the Fundamental Research Exclusion as long as it is not in an export restricted area and there are no restrictions on publication or access by foreign nationals. However, in cases where research involves collaborations with foreign nationals, the university must perform a review of the research and document that the Fundamental Research Exclusion or other exclusion does or does not apply.
Are there cases where foreign nationals can work on projects restricted to U.S. persons?
Yes. There is an exemption called the Full-Time Employee Exemption (FTEE). The non-U.S. person must be critical to the success of the controlled project. They must be on an H1B visa, must have residence in the United States throughout the year, must be a full-time employee (students do not qualify), and must be from a non-126.1 country. Foreign nationals from 126.1 countries are prohibited from working on projects restricted to U.S. persons (see question 15 for 126.1 list).
What is the Fundamental Research Exclusion (FRE)?
Fundamental Research is defined by the National Security Decision Directive 189 (NSDD189) as “any basic or applied research in science and engineering, the results of which are ordinarily published and shared broadly within the scientific community…” In order to qualify as Fundamental Research, the research must be conducted free of any publication restrictions and without any access or dissemination restrictions. Research that qualifies as Fundamental Research is NOT subject to export controls as provided for under the federal regulations (15 CFR § 734.8). It is critical to note that the Fundamental Research Exclusion will be lost if a researcher agrees to any “side-deals” allowing sponsors the ability to review and approve publications or to control access to the project or project results. Loss of the Fundamental Research Exclusion can quickly put your research in jeopardy of non-compliance with export controls.
What is the Educational Information Exclusion?
Information that is normally taught or released by the university as part of the normal instruction in a catalog course or in an associated teaching laboratory is considered Educational Information and, as provided for under the federal regulations (15 CFR § 734.3(b)(iii)), is NOT subject to export controls.
What kinds of activities can trigger the need for an export license?
The following are examples of the types of university activities that may trigger the need for an export license or deemed export license:
- Research in controlled or restricted areas (e.g., defense items or services, missiles, nuclear technology, satellites, chemical/biological weapons, encryption)
- Research involving the use of export restricted information obtained from external sources
- Research involving collaborations with foreign nationals in the United States or overseas
- Research involving travel or field work done overseas
- Research involving the transfer or shipment of tangible items or equipment overseas
- Presentations at meetings or conferences of unpublished information not protected under the Fundamental Research or Educational Information exclusions
- Research involving the provision of financial support or services outside the U.S.
In what activities may I need to take precautions?
- International travel or collaboration
- Sending information or items to foreign countries
- Working with any sensitive or export-controlled technologies, including those related to military or space uses
- Conducting work under service agreements
- Hiring or working with foreign students or visiting faculty
- Using foreign sponsors or vendors
- Conducting work which has personnel or publication restrictions
What happens if a project is export-controlled?
If a project is reviewed and found to be subject to export control regulations, the Export Control Officer must first ascertain which part(s) of the project are controlled and under which export control regulation(s). Second, the Principal Investigator (P.I.) must work with the Export Control Officer to develop a technology control plan (TCP), which details what is being controlled and how the P.I. and their cleared team will protect all technology and data associated with the project. The P.I. and all members of their team must sign the TCP to work on the project.
How does the Department of Commerce treat personnel with dual citizenship?
The Department's standard procedure is to recognize an individual’s most recent country of citizenship or permanent residency as his or her home country for licensing requirements.
What is the Department of State’s definition of a foreign national? (Mississippi State uses the term "non-U.S. person")
The United States Department of State defines a “foreign national” as anyone who is not a “U.S. person.” A “U.S. person” is any one of the following: U.S. citizen; Lawful permanent resident (green card holder); and “Protected Person” i.e. political asylum holder.
How does the Department of State define a dual national?
The United States Department of State defines a dual national as anyone who holds citizenship or permanent residency in more than one country other than the U.S. Such individuals may also be referred to as “third country nationals” when their citizenship does not match the country of the transaction in question.
What is the difference between how the EAR and ITAR define foreign nationals for access purposes?
The key difference is that ITAR generally requires licensing for each country of citizenship. ITAR takes into account a person’s country of origin in addition to current residency/citizenship in determining citizenship status. For example, a German citizen born in Germany and present at a university conference will be considered German for ITAR purposes; access restrictions will then follow from how ITAR restricts Germany. However, a Canadian Permanent Resident born in France should be considered both Canadian and French for ITAR licensing purposes. In such cases, unless the country of birth is proscribed under 22 CFR 126.11, this does not present a problem.
So if I wish to grant ITAR access to a French foreign national located in a research institution in Spain, what countries must my license apply for?
France and Spain. The license would set forth the circumstances of both the foreign person’s nationality (France) and the country in which the foreign national will be accessing controlled data (Spain).
What if the person is a foreign national working at MSU and in the process of obtaining Permanent Residency in the U.S.?
For ITAR purposes, this person will still be considered a foreign national from whom ITAR articles and data would still have to be restricted unless they are eligible for a Full-time Employee Exemption.
Are foreign nationals who are citizens of Cuba, Iran, Syria, North Korea, and Sudan subject to any special OFAC definitions concerning foreign nationality?
No. There is no special OFAC definition of foreign nationality; the EAR and ITAR definitions cited above apply (see question 11). However, the particular types of transactions and access for which these foreign nationals can be involved are, in some cases, specially determined by the EAR and ITAR regulations. For example, China, Cuba, Iran, Syria, North Korea, and Sudan are all 126.1 prohibited countries. Therefore, access to ITAR equipment or data here or abroad is prohibited and a license would not be granted.
What countries are currently under some form of embargo, sanctions, and restrictions?
The lists of countries under some form of U.S. embargo, sanctions, and restrictions are updated constantly. See here and here.
The current lists consist of:
- Afghanistan
- Belarus
- Burma (Myanmar)
- Cambodia
- Central African Republic
- Congo
- Côte d'Ivoire (Ivory Coast)
- Cuba
- Cyprus
- Democratic People’s Republic of Korea (North Korea)
- Democratic Republic of the Congo
- Eritrea
- Haiti
- Iraq
- Iran
- Lebanon
- Liberia
- Libya
- People’s Republic of China
- Russian Federation
- Somalia
- Sri Lanka
- Syria
- Ukraine (Russian-controlled regions)
- Venezuela
- Yemen
- Zimbabwe
What is the DFARS 252.204-7012 clause?
DFARS 252.204-7012 is a contracting clause that is part of the U.S. Department of Defense's Defense Federal Acquisition Regulation Supplement (DFARS). This specific clause has a wide range of cybersecurity requirements that contractors must follow when the clause is incorporated into contracts. These requirements include cloud security provisions, specific incident handling and reporting requirements, and the requirement to implement the security controls outlined in NIST Special Publication 800-171 in all "covered contractor information systems." The security requirements most commonly associated with DFARS 252.204-7012 are the 110 security controls outlined in NIST SP 800-171. However, it is important to note that the DFARS 252.204-7012 clause itself contains a number of other requirements that must be considered when a contractor has a project with this clause incorporated in it.
What is NIST SP 800-171?
NIST SP 800-171 is a publication of the National Institute of Standards and Technology (NIST) that governs the protection of Controlled Unclassified Information (CUI) in "nonfederal systems and organizations." The 110 security controls enumerated in NIST SP 800-171 are geared primarily towards protecting the confidentiality of CUI in nonfederal systems. These 110 security controls are organized into 14 control families that span from administrative to technical control measures.
What is a covered contractor information system?
According to DFARS 252.204-7012 a "covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information is defined in 32 CFR Part 2002 as information the [Federal] Government creates or possesses, or that an entity creates or possesses for or on behalf of the [Federal] Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. It is important to note that CUI is a unique term for federal information. CUI spans a wide range of different CUI "categories," which can be found on the National Archives and Records Administration's Information Security Oversight Office website. CUI does NOT include classified national security information or proprietary information owned by or created for a private sector entity.
What is Covered Defense Information (CDI)?
CDI is a term, specific to the Department of Defense, defined in DFARS clause 252.204-7012 as unclassified controlled technical information or other information, as defined in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is: 1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or 2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What is Federal Contract Information (FCI)?
FAR 52.204-21 defines Federal Contract Information as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the [Federal] Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Are there any contractual cybersecurity requirements associated with FCI?
Yes. These requirements can be incorporated via FAR 52.204-21 from a variety of federal sponsor agencies. There are 15 specific cybersecurity controls that must be in place in order to be in compliance with this FAR clause. You can read more about these requirements by clicking here.
What is the Cybersecurity Maturity Model Certification (CMMC)?
CMMC is a cybersecurity standard conceived by the U.S. Department of Defense to protect the Defense Industrial Base (DIB) from ubiquitous and pervasive cyber threats posed by a range of malicious actors. This new standard is intended to independently verify a DoD contractor's compliance status against the CMMC model and is set to replace the NIST SP 800-171 requirements. It is comprised of five different levels of cybersecurity maturity and is primarily designed to protect CDI, CUI, and FCI in "covered contractor information systems." Organizations seeking certification (OSCs) are required to obtain a certification from a third-party, private company known as a Certified Third-Party Assessor Organization (C3PAO). These organizations must come on-site to the requesting contractor's location and assess the contractor against the CMMC standard. Once the assessment is complete, the C3PAO submits its assessment findings and observations to the CMMC Accreditation Body (CMMC-AB) for review and a final determination on the OSC's certification disposition. Organizations must recertify every three years.
When should I expect to see CMMC in contracts?
The CMMC is currently in the "pilot" phase and is being rolled out over a five-year period that began in November 2020. Each year, the number of contracts into which the DoD incorporates CMMC requirements will increase until full rollout in 2025. After 2025, all DoD contracts will have, at a minimum, a CMMC Level 1 certification requirement.
Does CMMC only apply to contracts with the U.S. Department of Defense (DoD)?
Currently, the DoD is the only agency that has implemented CMMC. Other federal agencies have indicated that they are interested in incorporating the CMMC standard into their contracting processes but have not formally done so at this time.
Will fundamental research be exempt from these CMMC requirements?
Current DoD messaging has indicated that fundamental research will not be exempt from CMMC requirements.