On April 10, 2024, DDTC issued guidance summarizing best practices and recommendations from DDTC’s visits to universities and research centers over the past few years (“the Guidance”). On September 8, 2023, DDTC published “Supplemental Compliance Risk Matrix for Universities” (“Universities Risk Matrix”), in addition to the “ITAR Compliance Risk Matrix”. The Universities Risk Matrix identifies points categories of ITAR risk and approaches to tailor a compliance program to address those risks. DDTC’s focus on universities and research center is in conjunction with BIS’s Academic Outreach Initiative released on June 28, 2022. The Academic Outreach Initiative is a four pronged approach by BIS to (1) strategically engage with universities that have higher risk profiles, (2) connect BIS Outreach Agents to universities, (3) provide background briefings to the universities to explain the national security risks, and (4) provide trainings to universities on compliance with the EAR to address these risks.

DDTC’s Compliance Risk Matrix for Universities

The Universities Risk Matrix outlines categories of ITAR exposure so that universities, research institutions, and laboratories can understand, review, and assess their ITAR compliance risks. It should be used with DDTC’s ITAR Compliance Risk Assessment Matrix (“ITAR Compliance Matrix”). The Universities Risk Matrix is organized by low, high, and medium risk in several categories, including type of research performed, foreign persons, international travel, international collaboration, information technology and security, publication restrictions, technology transfer/patents, classified work, media/public relations/filming requests, and access/release/operation of defense articles, technical data, and software controlled under the ITAR.

The ITAR Compliance Matrix provides organizations that engage in activities subject to the ITAR information organized by low, medium, and high risk to assess their level of ITAR compliance risk. The ITAR Compliance Matrix is organized into enterprise risks (risks applicable to the entire organization), organizational function risks (typically most applicable to function or group within identified responsibilities), and ITAR Compliance Program Risk Elements. The ITAR Compliance Program Risk Elements are organized in the same categories as DDTC’s Compliance Program Guidelines: Management Commitment; DDTC Registration, Jurisdiction & Classification, Authorizations, and other ITAR Activities; Recordkeeping; Detecting, Reporting, and Disclosing Violations; ITAR Training; Risk Assessment; Audits & Compliance Monitoring; and ITAR Compliance Manual.

DDTC’s “Best Practices” and Recommendations for Universities and Research Centers’ ITAR Compliance

The Guidance makes clear that DDTC expects universities and research centers to implement compliance programs that are tailored to the universities and research centers’ risk based on the type, scope, and volume of activities subject to the ITAR conducted by the universities and research centers. The Guidance is not only focused on screening, research and development, transfers of technology, and technology control plans. It also makes clear that universities and research centers need to understand and assess the involvement of foreign persons, including through foreign gifts, provision of defense services, and use of automated tools to improve compliance.

The Guidance is organized into several categories: export controls awareness/commitment; compliance approach; organizational structure; training; outreach/participation; fundamental/controlled research; foreign students/faculty; IT resources; travel; personnel resources; technology control plans; policies and procedures; physical security; technical data controls; and auditing/assessments.

Examples of best practices include:

• Demonstrating a strong commitment to ITAR compliance by university leadership with adequate resources and strong knowledge of ITAR compliance requirements in a research context;
• Instituting a risk-based compliance approach to allow the university to focus on high-risk departments, such as engineering and physics;
• Centralizing the compliance function and integrating export control functions into university functional areas;
• Issuing training materials and conducting training to reinforce topics such as identifying compliance responsibility risks, and consequences;
• Participating in the Association of University Export Control Officers (AUECO) to share compliance policies, procedures, and best practices with peers;
• Screening foreign gifts and funding sources, foreign-person students, scholars, and faculty for export control concerns and using restricted party screening tools generally; and
• Using a tool to track university suppliers and their compliance rules regarding sharing controlled information.

DDTC also issued recommendations to universities and research centers to improve their ITAR compliance programs. These recommendations include pursuing research projects that require DDTC authorization instead of being ITAR-risk averse and regular meetings with the Defense Technology Security Administration (DTSA) to provide an overview of research projects, discuss potential limitations, and communicate future licensing needs. Other recommendations include:

• Establish mandatory training for PIs involved in ITAR-controlled projects to identify such projects and research;
• Develop and document a tailored and routine training plan for department heads and scholars;
• Review all services university staff provide to foreign person researchers to confirm no unauthorized defense services are provided; maintain export control documentation, risk assessments, and project data within he same database;
• Expand technology protection process to track foreign person access to IT systems, rooms, offices, and labs,
• Segregate ITAR-controlled technical data to prevent unauthorized access; and
• Involve Engineering early when conducting jurisdiction classification of defense articles and technical data.

BIS Academic Outreach Initiatives

On June 28, 2022, BIS issued a memorandum, “Addressing the National Security Risk that Foreign Adversaries Pose to Academic Research Institutions.” This memorandum reiterated the concept that the majority of technology released in an academic setting is not subject to the Export Administration Regulations (EAR) through the fundamental research exception. However, proprietary research is often subject to the EAR. The memorandum also outlined the BIS’s Academic Outreach Initiative’s four pronged approach to address the national security threat to universities:

• BIS’s Office of Export Enforcement (OEE) strategically prioritizes academic research institutions with elevated risk profiles (i.e., institutions that possess ties to foreign universities on the Entity List, are involved in research and development for the U.S. Department of Defense, or conducting research in sensitive technologies subject to the EAR such as labs conducting proprietary research on emerging and foundational technology);
• OEE assigns Outreach Agents as points of contact for universities to establish long-term partnerships to meet with universities in person at least once a quarter and to help universities prevent unauthorized exports, unauthorized exports of technology or source code;
• Outreach Agents provide background briefings when appropriate to educate the universities on known national security risks associated with foreign persons; and
• Outreach Agents offer trainings on how export controls apply in academic settings and national security threats faced by universities.

On March 28, 2024, BIS’s Assistant Secretary for Export Enforcement, Matthew Axelrod, announced that the Academic Outreach Initiative has grown from 20 universities to 29 universities.

Next Steps

DDTC’s guidance highlights its increasing focus on universities and research institutions. Taken together with BIS’s Academic Outreach Initiative, the U.S. Government is prioritizing universities’ export control compliance and expects the universities and research centers to understand and respond to export control risks under the ITAR and EAR. DDTC’s Guidance and Universities Risk Matrix place universities on notice for known risks and best practices and recommendations to improve their compliance programs.