A TCP is required when a research project, collaboration, or technical exchange involves export-controlled items, materials, software, technology, data, or information.

TCPs are most often needed for research sponsored by U.S. government agencies or industry partners when the terms and conditions of the agreement include national security or access restrictions, or when the scope of work involves the study, development, or use of export-controlled items, materials, software, or technology. Hence, TCPs are required when a research project is not eligible for the Fundamental Research Exclusion.

However, it’s important to note that federal export laws do not only apply to research carried out under a formal agreement. A TCP may be required for unfunded research projects when researchers independently develop or handle export-controlled technology, materials, software, or items.

Common national security restrictions in an agreement that require a TCP include:

• Sponsor approval for publication or dissemination of project results.
• Restrictions on project access by foreign nationals.
• Restrictions on hiring foreign nationals to work on the project.
• Use of existing export-controlled technology, items, materials, or software.
• Handling of Controlled Unclassified Information (CUI).

If any of the above apply, a TCP ensures proper protections are in place before research begins.

Export-controlled technical information, data, materials, software, or hardware must be secured to prevent unauthorized export, transfer, or dissemination. Violations of ITAR or EAR can result in severe civil and criminal penalties for both the researcher and the institution.

By establishing a TCP, you are:

• Documenting the safeguards that prevent unauthorized access or sharing.
• Ensuring that all project personnel understand and can perform their responsibilities.
• Protecting your research team and the university from compliance risks.

Note: Under export control regulations, transferring or sharing export-controlled information, data, or technology to a foreign national within the U.S. is treated the same as an export to a foreign country. Therefore, an export can occur without any physical shipment or item leaving the U.S. This is called a deemed export.

Yes, only the official TCP templates provided by the Office of Research Security & Ethics (ORSE) can be used. There are two templates available, depending on the situation:

• Research Project TCP: Used when a research project involves export-controlled items or technology.
• NDA TCP: Used when exchanging export-controlled information under a non-disclosure agreement.

The Principal Investigator is responsible for completing the TCP and maintaining compliance, including implementing the required security measures with support from UT Dallas IT staff, such as the PI’s departmental IT personnel or the Office of Information Technology (OIT). See below for a breakdown of Principal Investigator and Project Personnel responsibilities.

Principal Investigator TCP Responsibilities

1. Communicate with ORSE to help identify all information, technology, software, and items used or developed in the project.
2. Identify if foreign nationals will contribute to the project or will have access to prepublication data or results.
3. Write a TCP for the project and communicate the plan to all team members.
4. Complete training assigned by the Export Control Officer.
5. Control access to the project by following your TCP when performing and reporting the results of the project.
6. Request approval from the Export Control Officer before changing the personnel assigned to the project.
7. Report any significant changes in the project scope or agreement to the Export Control Officer.
8. Immediately report unauthorized access to the project data or results to the Export Control Officer.

Project Personnel TCP Responsibilities

1. Understand and comply with the TCP.
2. Complete training assigned by the Export Control Officer.
3. Support the PI in controlling access to the project by following your TCP when performing and reporting the results of the project.

Immediately report unauthorized access to the project data or results to the PI and the Export Control Officer.

Establishing and maintaining a TCP is a collaborative effort involving the Principal Investigator, project personnel, and ORSE. Depending on the type of TCP, additional support may be required from the Information Security Office (ISO), the PI’s departmental IT staff, or OIT. The TCP must be finalized and approved by ORSE before any project activities, collaborations, or exchanges begin. Because the security requirements and risk levels differ across projects or situations, each TCP type follows a distinct process tailored to its scope.

Research Project TCP Process

1. ORSE Identifies TCP Requirement
   • The PI receives an email from ORSE notifying the PI of the export control restrictions on the project, collaboration, or exchange, and requesting that the PI accept the restrictions.
   • PI responds with their acceptance of the restrictions to allow the project to begin, or the PI refuses the restrictions, and the project must be re-scoped or cancelled.
2. ORSE Requests TCP
   • The PI receives an email from ORSE requesting completion of a TCP for the project. The supporting departmental IT as well as ISO are CC’d.
   • The email contains a Box link to a prepared TCP template with key project details already entered (e.g., project information, sponsor details, and the reason the TCP is required).
3. PI Completes Draft of TCP
   • The PI must use the TCP provided to them via Box.
   • The PI completes the following sections of the TCP:
     • Project Personnel
     • Asset Inventory List
     • Physical Security
     • Information Security
   • The PI may complete this on their own or request a collaborative working session with ORSE.
   • The PI may involve department IT for assistance with technical configurations.
4. TCP Review
   • The PI notifies ORSE that the TCP is ready for review.
   • ORSE and ISO review the document for accuracy, completeness, and adequacy of safeguards.
5. TCP Revisions
   • If ORSE or ISO provide feedback, the PI addresses the comments and resubmits the updated TCP.
   • This review-revision cycle continues until the TCP sufficiently addresses all compliance requirements.
6. Final Approval
   • ORSE and ISO conduct a final review.
   • ORSE approves the completed TCP and initiates the signature process.
7. TCP Signatures
   • ORSE provides a TCP signature page, which must be signed by:
     • The PI
     • All authorized project personnel
     • The Export Control Officer
     • ISO representative
8. Training
   • ORSE schedules a training session with all authorized personnel listed on the TCP.
   • This training reviews the project-specific requirements and ensures all team members understand their responsibilities.
9. Ongoing TCP Updates
   • The PI must update the TCP whenever there are changes to:
   • Project personnel
   • Physical security measures
   • Information security measures
   • Assets used in the project
   • Scope of work
   • Updates are logged in the TCP’s “Revision and Change Log” section.
10. TCP Reviews
    • ORSE conducts a formal review every six months for TCPs with projects that are actively in progress.
    • This review includes a meeting with the PI and ISO to confirm that the TCP is current and effective.
    • ORSE conducts an annual review of projects that have ended and whose contracts have been terminated but still carry confidentiality obligations that extend beyond the contract period.
    • This review is an email to the PI to confirm the confidentiality status. Further review may be required if any changes are identified.
11. TCP Closeout
    • A TCP remains active even after a project ends if there is still a confidentiality obligation to safeguard controlled information, equipment, or data.
    • ORSE will formally close a TCP once all safeguarding requirements have expired, such as when the confidentiality period ends, export control restrictions no longer apply, or the sponsor releases the restrictions.

Establishing and maintaining a TCP is a collaborative effort involving the Principal Investigator, project personnel, and ORSE. Depending on the type of TCP, additional support may be required from the Information Security Office (ISO), the PI’s departmental IT staff, or OIT. The TCP must be finalized and approved by ORSE before any project activities, collaborations, or exchanges begin. Because the security requirements and risk levels differ across projects or situations, each TCP type follows a distinct process tailored to its scope.

1. ORSE Identifies TCP Requirement
   • The PI receives an email from ORSE notifying the PI of the export control restrictions on the exchange and requesting that the PI accept the restrictions.
   • PI responds with their acceptance of the restrictions to allow the exchange to begin, or the PI refuses the restrictions, and the exchange must be re-scoped or cancelled.
2. ORSE Requests TCP
   • The PI receives an email from ORSE requesting completion of a TCP for the exchange. The supporting departmental IT is CC’d for awareness.
   • The email contains a Box link to a prepared TCP template with key project details already entered.
   • Note that ISO is not typically involved with reviewing NDA TCPs.
3. PI Completes Draft of TCP
   • The PI must use the TCP provided to them via Box.
   • The PI completes the following sections of the TCP:
     • Information Security
   • The PI may complete this on their own or request a collaborative working session with ORSE.
   • The PI may involve department IT for assistance with technical configurations.
4. TCP Review
   • The PI notifies ORSE that the TCP is ready for review.
   • The NDA TCP contains an acknowledgment signature. The PI must sign this before the TCP can be approved. 
   • ORSE reviews the document for accuracy, completeness, and adequacy of safeguards.
5. TCP Revisions
   • If ORSE provides feedback, the PI addresses the comments and updates the TCP.
   • This review-revision cycle continues until the TCP sufficiently addresses all compliance requirements.
6. Final Approval
   • ORSE conducts a final review.
   • ORSE approves the completed TCP.
7. Ongoing TCP Updates
   • The PI must update the TCP whenever there are changes to:
     • Information security measures
     • Scope of work
8. TCP Review
   • ORSE contacts the PI every six months to determine whether the scope of information shared between the PI and the NDA sponsor has changed.
9. TCP Closeout
   • A TCP remains active even after a project ends if there is still an obligation to safeguard controlled information, equipment, or data.
   • ORSE will formally close the TCP once all safeguarding requirements have expired, such as when the confidentiality period ends, export control restrictions no longer apply, or the sponsor releases the restriction.