Export Compliance: Frequently Asked Questions
 Q: What defines data that is in the public domain and therefore sharable?

A: There is no clearly reliable bright-line definition of information in the public domain for the purposes of the export control regulations.

If information has been published or made available on a publicly accessible website, is ordinarily communicated to students in the course of instruction, is general and theoretical as opposed to specific and technical, etc., there is a more persuasive case that it is in the public domain.

The following are not restricted:

  • Publicly available technical data and software via literature, library, patent, or seminar
  • Fundamental basic and applied research where the resulting information is ordinarily published and shared broadly within the scientific community without non-proprietary restrictions on publication of the information
  • Education information taught in catalog courses
  • Patent application information not subject to 37 CFR Part 5 secrecy orders
  • Basic marketing information on function, purpose, or general system descriptions that the producer would make available to its closest competitors

The better approach to this issue is to go back to your sponsor. When they respond, review and assess if their response is reasonable. Feel free to contact the Export Compliance Officer to assist you in making a determination if your data or research is export controlled.

You must secure both your research and your sponsor's research if it has restrictions about publication, foreign person restrictions, or is related to instruments or technology on the Commerce Control List or US Munitions List. This is particularly important when traveling with information on mobile devices; see our Mobile Device Policy.

HOWEVER, there are notorious cases where the communication of information that is generally accepted as in the public domain is nevertheless held subject to export control regulation due to the fact that it was related to instrumentation and hardware controlled on the control lists or it was restricted to the nationality of the part/end-user to whom it is to be communicated.


Q: What kind of document markings (e.g., the footer on this message) is considered necessary? Some of our viewgraphs only say "ITAR Restricted," is that sufficient?

A: "This communication [may] contain(s) information subject to United States export control regulation under [the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 121, of the United States Department of State or the Export Administration Regulations (EAR), 15 CFR Part 774, of the United States Department of Commerce]. Export of this information to non-US persons, entities, or countries is subject to prior license or exemption by the applicable agency and must be delivered in encrypted form."

Perhaps the presentation materials can have "U.S. EXPORT (ITAR/EAR) CONTROLLED," while the above statement can be prominently inserted or read at the start of presentations, in handouts, etc.


Q: What level of security is appropriate on our files, computer databases and web pages?

A: The regulations concerning ITAR and EAR controlled data prescribe no specific level of security; however, best practices of Technology Control Plans emphasize that non-US persons may not have access to controlled materials. Controlled data should be maintained securely and, if possible, on a drive separate from the one non-US persons will be accessing. SI administers ever-evolving IT requirements; these are communicated in SD-931.

As a subcontractor to the US Government, we could have a clause that requires us to safeguard information and report breaches, which means we need to have systems in place to detect unauthorized intrusion.

Where materials are controlled subject to these regulations, the materials should be subject to security standards for sensitive data, same as personal information.


Q: We have heard that SAO might be classifiable as an educational institution for the purposes of ITAR and therefore be relieved from some of the strictures of the process. Has that happened?

A: We have applied to the State Department for a ruling about whether we can take advantage of the exemptions available for institutions of higher learning. We have received written approval that we can take advantage of such exemptions, which include the ability to transfer data to our full-time employees who reside in the U.S. as long as they are not from a proscribed country (as listed in 126.1 of the ITAR). We may not extend this exemption to their use of ITAR-controlled instruments in the lab. We need to apply for a license.


Q: What are the ITAR/EAR general restrictions on the use of e-mail and other communications?

A: Any transfer of information covered by the U.S. Munitions List (USML) or the Commerce Control List (CCL) to any person, either within or outside the U.S., with knowledge or intent that the information will be transferred outside of the U.S., is restricted and requires a license. Any email of export controlled information should be transferred in encrypted form or should be uploaded using secure file transfer.


Q: Is there any cutoff date for ITAR/EAR applicability?

A: The statute of limitations under ITAR/EAR is five years from the export or five years from the expiration of an export license, which is valid for four years, so the time period could be nine years. There is a standard records retention requirement of five (5) years from the expiration of a State Department (ITAR) license, or other governmental approval, in effect.


FAQ from other official sources:


If you have further questions, please contact the Export Compliance Officer.

Content updated 4/7/2008
