The Ultimate Guide to Technology Control Plans (TCP)
LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.
What is a Technology Control Plan? A 30-Second Summary
Imagine you run a small, innovative tech company. You’ve just hired a brilliant engineer from Germany to help develop your next-generation drone stabilization software. One afternoon, she asks for access to the core schematics on your company's server. You grant her access, proud of your collaborative, international team. A few months later, your company receives a terrifying letter from the U.S. Department of State, followed by a visit from federal agents. You are now under investigation for an illegal export of controlled defense technology, facing fines that could bankrupt your company and even potential jail time. But how? The engineer never left the country; the data never left your server in Ohio. This nightmare scenario is caused by a legal minefield called a “deemed export.” In the eyes of U.S. law, sharing controlled technical information with a foreign national, even on U.S. soil, is considered an “export” to that person's home country. A Technology Control Plan (TCP) is the legally required rulebook and security system your organization must create to prevent this from ever happening. It is your shield, your compliance map, and the documented proof that you are responsibly protecting sensitive U.S. technology.
- Key Takeaways At-a-Glance:
- A Technology Control Plan (TCP) is a formal, written security plan that details the specific policies and procedures an organization uses to safeguard controlled technology from being accessed by unauthorized foreign persons.
- The primary purpose of a Technology Control Plan (TCP) is to prevent the illegal deemed export of sensitive technical data, which is governed by strict federal regulations like ITAR and the EAR.
- Your business, university, or research lab almost certainly needs a Technology Control Plan (TCP) if you handle technology with military or strategic applications and have employees, students, or partners who are not U.S. persons.
Part 1: The Legal Foundations of Technology Control Plans
The Story of the TCP: A Cold War Legacy
The concept of controlling technology didn't begin with the internet. Its roots are firmly planted in the 20th century's geopolitical struggles, most notably the Cold War. The United States and its allies were locked in a high-stakes technological race with the Soviet Union. The fear was simple and profound: what if a U.S. company sold advanced jet engine technology or missile guidance systems to an adversary? To prevent this, Congress passed foundational laws like the Arms Export Control Act, which gave the President the authority to control the import and export of defense articles and services. This legislation gave birth to the International Traffic in Arms Regulations (ITAR), a set of rules designed to be an iron-clad fence around America's most sensitive military technology.
Simultaneously, policymakers recognized that some technologies weren't strictly military but could still pose a threat if they fell into the wrong hands. Think of high-performance computers, advanced encryption software, or specialized materials. These are called “dual-use” items. To govern these, the Department of Commerce created the Export Administration Regulations (EAR).
For decades, “export” meant physically shipping a product to another country. But as the world became more interconnected and information became digital, the government realized the biggest risk wasn't a box on a boat—it was a file on a server or a conversation in a lab. This led to the formalization of the deemed export rule, which cemented the need for a documented, internal security protocol: the Technology Control Plan.
The Law on the Books: ITAR and EAR
A TCP is not a single law but a compliance document required by two massive, complex sets of federal regulations. Understanding the difference between them is the first step to compliance.
- International Traffic in Arms Regulations (ITAR):
- Who's in Charge? The U.S. Department of State, through the Directorate of Defense Trade Controls (DDTC).
- What Does it Cover? Items, services, and related technical data designed specifically for military, defense, or intelligence purposes. This is all listed on the United States Munitions List (USML). If an item is on the USML, it is governed by ITAR.
- Key Language: Under ITAR (22 CFR § 120.17), an “export” includes “disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad.” This is the legal basis for requiring a TCP to manage access by foreign national employees.
- Export Administration Regulations (EAR):
- Who's in Charge? The U.S. Department of Commerce, through the Bureau of Industry and Security (BIS).
- What Does it Cover? “Dual-use” items—commercial products and technologies that also have potential military or strategic applications. It also covers purely commercial items that are being exported for a concerning end-use (like to a sanctioned entity). These items are categorized on the Commerce Control List (CCL) using an Export Control Classification Number (ECCN).
- Key Language: The EAR (15 CFR § 734.13(b)) defines a deemed export as the release of “technology” or “source code” subject to the EAR to a foreign national within the United States. Such a release is “deemed” to be an export to the home country or countries of the foreign national.
Who Regulates What? A Guide to Government Agencies
Navigating export controls means knowing which agency to talk to. A mistake here can lead to significant delays and legal trouble. The primary distinction is between military and dual-use technology.
| Agency | Administering Body | What It Controls | The “List” to Check | Primary Goal |
|---|---|---|---|---|
| Department of State | Directorate of Defense Trade Controls (DDTC) | Items, data, and services specifically designed for military use. (e.g., tanks, missiles, fighter jet components, night vision goggles). | United States Munitions List (USML) | National Security: Prevent adversaries from acquiring U.S. military technology. |
| Department of Commerce | Bureau of Industry and Security (BIS) | “Dual-use” items and less sensitive military items. (e.g., high-speed computers, advanced sensors, GPS systems, specific software). | Commerce Control List (CCL) | National Security & Foreign Policy: Control technology that could be used against U.S. interests, while still facilitating legitimate global trade. |
What this means for you: Before you can even start writing a TCP, you must determine if your technology or product is on the USML (making it ITAR-controlled) or the CCL (making it EAR-controlled). This classification is the bedrock of your entire compliance effort.
Part 2: Deconstructing the Core Elements
The Anatomy of a Technology Control Plan: Key Components Explained
A TCP is not a generic security policy. It is a detailed, customized document that reflects your specific technology, facilities, personnel, and projects. While no two plans are identical, a robust and legally defensible TCP will always include the following core components.
Element: Identification of Controlled Technology
This is the “what.” You cannot protect something if you don't know what it is. This section must explicitly identify the specific hardware, software, technical data, schematics, source code, or processes that are subject to ITAR or EAR controls. For example, it might state, “The 'Project Atlas' source code for our drone guidance system, classified under USML Category VIII(h), and all related engineering diagrams stored on the 'ATLAS_PROJ' network drive.” Vague descriptions are a red flag for auditors.
Element: Personnel Screening and Training
This is the “who.” The plan must detail the procedures for identifying and managing all personnel, especially foreign persons.
- Screening: How do you verify the citizenship and legal status of every employee, contractor, and visitor who might come near the controlled tech? This often involves working with Human Resources to review passports, visas, and permanent resident cards.
- Training: A TCP is useless if employees don't know it exists. This section outlines a mandatory training program. The training must cover the basics of export control laws, the definition of a deemed export, an employee's specific responsibilities under the TCP, and the severe penalties for non-compliance. These training sessions must be documented with attendance records.
Element: Physical Security Measures
This is the “where.” It outlines how you will physically prevent unauthorized access to the technology. Think of it as a blueprint for your facility's security.
- Controlled Areas: Designating specific labs, server rooms, or office areas as “Controlled Access Areas.”
- Access Controls: Procedures for entering these areas, such as key cards, biometric scanners, or sign-in logs for all visitors.
- Storage: Mandating that controlled documents and hardware be stored in locked cabinets or safes when not in use.
- Clean Desk/Screen Policy: Rules requiring employees to secure sensitive documents and lock their computers when they step away from their desks.
Element: Information Security (IT) Controls
In the digital age, this is often the most critical and complex part of the TCP. It details how you protect controlled technical data on your computer systems.
- Network Segregation: Creating a separate, firewalled network segment for all controlled data, completely isolated from the general company network and the public internet.
- Access Management: Implementing strict user-based access controls. An employee should only have access to the specific files and folders they absolutely need to do their job. Access for foreign nationals to these servers is typically denied by default unless a specific export license is obtained.
- Encryption: Requiring that all controlled data be encrypted, both “at rest” (on the hard drive) and “in transit” (when sent over a network). This includes encrypting laptops and removable media like USB drives.
- Auditing and Monitoring: Maintaining detailed logs of who accessed what data, and when. These logs are crucial for investigating any potential security breaches.
Element: The "Deemed Export" Rule Explained
To ensure everyone understands the core risk, many TCPs include a dedicated section that explains the deemed export rule in plain English, using company-specific examples.
- Relatable Example: “Discussing the technical specifications of our 'Hydra' sensor project with our visiting researcher from India in the breakroom constitutes a deemed export. Sharing the 'Hydra' project files with him via email is also a deemed export. A TCP prevents this by ensuring he is never given access to the project's secure server and that all U.S. employees are trained not to discuss technical details with him.”
Element: Recordkeeping and Auditing
This section explains how you will prove your compliance. Federal agencies operate on the principle of “if it isn't documented, it didn't happen.” Your TCP must specify what records will be kept, where they will be stored, and for how long (typically a minimum of five years). This includes training logs, visitor logs, data access logs, and copies of technology classification analyses.
The Players on the Field: Who's Who in TCP Compliance
- Empowered Official (EO): A term specific to ITAR. This must be a U.S. person, in a position of authority, who is legally empowered by the company to sign export license applications. They bear significant personal liability for compliance.
- Export Compliance Officer (ECO): A more general term, common for both ITAR and EAR. This person is responsible for the day-to-day management of the TCP, conducting training, and classifying technology.
- Principal Investigator (PI): In a university setting, the lead researcher on a project. The PI is often responsible for implementing the specific TCP for their lab and their grant-funded research.
- IT Department: The team responsible for implementing the technical controls—setting up firewalls, managing user access, and monitoring network activity as dictated by the TCP.
- Human Resources (HR): HR plays a critical role in the “personnel” part of the plan, from screening new hires and verifying citizenship to ensuring all employees complete mandatory export control training.
Part 3: Your Practical Playbook
Step-by-Step: What to Do if You Need to Create a TCP
Creating your first Technology Control Plan can feel overwhelming. Follow these steps to break the process down into manageable tasks.
Step 1: Determine if You Actually Need a TCP
Before you write a single word, you need to answer a fundamental question: does your organization handle controlled technology or technical data?
- Ask these questions:
- Was our technology or product specifically designed or developed for a military purpose? (If yes, you likely fall under ITAR).
- Do we have U.S. government contracts, particularly with the Department of Defense? (If yes, you almost certainly need a TCP).
- Do we employ, or plan to employ, individuals who are not U.S. citizens or permanent residents?
- If you answer “yes” to any of the technology questions AND the personnel question, you need a TCP.
Step 2: Classify Your Technology (The Hardest Part)
This is the most challenging and highest-stakes part of the process. You must officially determine the export jurisdiction and classification of your technology.
- For ITAR: Carefully review the United States Munitions List (USML). If your item is described in one of its 21 categories, it is ITAR-controlled. There is no ambiguity.
- For EAR: Review the Commerce Control List (CCL) to find the correct ECCN. This can be complex, and many companies hire consultants or legal experts for this step. If your item is not described by any ECCN, it is designated EAR99, which is the lowest level of control and generally does not require a TCP unless it's going to a sanctioned country or end-user.
Step 3: Identify Your "Foreign Persons"
Under both ITAR and EAR, a foreign person is anyone who is not a U.S. person.
- A U.S. Person is:
- A U.S. Citizen.
- A Lawful Permanent Resident (i.e., a “Green Card” holder).
- A refugee or individual granted political asylum.
- Everyone else is a Foreign Person. This includes individuals on H-1B, F-1, or L-1 visas. You must have a clear roster of which employees, contractors, and long-term visitors fall into this category.
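The IT controls in Part 2 (least-privilege access, default-deny for foreign persons unless a license covers them, and an access log of who touched what and when) and the U.S. person rule in Step 3 come together in one decision point: the gate in front of a controlled file share. The following is an added example, not code from the article or from any real compliance product. It models that gate in Python. The share name ATLAS_PROJ and USML category are the article's own hypothetical; the immigration status labels, country codes, license coverage and people are constructed for the illustration, and the decision to treat every non-U.S. nationality of a dual national as needing license coverage is a conservative design choice (prompted by the FLIR case study in Part 4), not a statement of the law.

```python
"""Added example: default-deny access gate for a controlled share, with audit log.

Constructed for illustration; names, statuses and licenses are not real data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Statuses the article's Step 3 lists as making someone a "U.S. person".
# The label strings themselves are assumptions of this example.
US_PERSON_STATUSES = {"citizen", "lawful_permanent_resident", "refugee", "asylee"}


@dataclass(frozen=True)
class Person:
    user_id: str
    immigration_status: str   # e.g. "citizen", "h1b", "f1" (constructed labels)
    nationalities: tuple      # country codes; a dual national lists both


def is_us_person(p: Person) -> bool:
    """Step 3 rule: everyone who is not a citizen, green-card holder,
    refugee or asylee is a foreign person."""
    return p.immigration_status in US_PERSON_STATUSES


@dataclass
class ControlledShare:
    name: str                  # e.g. the article's hypothetical ATLAS_PROJ drive
    classification: str        # USML category or ECCN from the classification worksheet
    need_to_know: set = field(default_factory=set)        # user_ids with a job need
    licensed_countries: set = field(default_factory=set)  # countries an export license covers


class AccessGate:
    """Decides access to a controlled share and records every decision."""

    def __init__(self):
        # Append-only list of JSON lines: the "who accessed what, and when" record
        # the Auditing and Monitoring element asks for. Denials are logged too,
        # because a refused foreign-person request is exactly what an auditor
        # or investigator wants to see.
        self.audit_log = []

    def _record(self, person, share, decision, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": person.user_id,
            "share": share.name,
            "classification": share.classification,
            "decision": decision,
            "reason": reason,
        }
        self.audit_log.append(json.dumps(entry, sort_keys=True))
        return decision == "ALLOW"

    def check(self, person: Person, share: ControlledShare) -> bool:
        # 1. Least privilege applies to everyone, U.S. persons included.
        if person.user_id not in share.need_to_know:
            return self._record(person, share, "DENY", "no need-to-know")
        # 2. Nationalities other than U.S. that would receive a deemed export.
        foreign_nationalities = set(person.nationalities) - {"US"}
        if is_us_person(person) and not foreign_nationalities:
            return self._record(person, share, "ALLOW", "us_person")
        # 3. Default deny for foreign persons (and, conservatively, for dual
        #    nationals) unless every non-U.S. nationality is covered by a license.
        uncovered = foreign_nationalities - share.licensed_countries
        if uncovered:
            reason = f"deemed export to {sorted(uncovered)} without license"
            return self._record(person, share, "DENY", reason)
        return self._record(person, share, "ALLOW", "licensed")

    def decisions(self):
        """Decisions in the order they were logged, for review or testing."""
        return [json.loads(line)["decision"] for line in self.audit_log]


def demo() -> AccessGate:
    """Runs four constructed requests against the ATLAS_PROJ share."""
    atlas = ControlledShare("ATLAS_PROJ", "USML Category VIII(h)",
                            need_to_know={"alice", "gisela", "raj"},
                            licensed_countries={"DE"})
    gate = AccessGate()
    gate.check(Person("alice", "citizen", ("US",)), atlas)    # ALLOW: U.S. person with need-to-know
    gate.check(Person("gisela", "h1b", ("DE",)), atlas)       # ALLOW: foreign person, license covers DE
    gate.check(Person("raj", "f1", ("IN",)), atlas)           # DENY: foreign person, no license for IN
    gate.check(Person("bob", "citizen", ("US",)), atlas)      # DENY: U.S. person but no need-to-know
    return gate


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

Two design points are worth noting. The need-to-know check runs before the nationality check, so a U.S. person without a job need is refused just like a foreign person; citizenship is never a substitute for least privilege. And the gate returns a boolean only after writing the log line, so there is no code path that grants or refuses access without a record.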
Step 4: Draft the TCP Document Using a Template
Start with a high-quality template from a university export compliance office or a legal firm, but you must customize it extensively. Your plan should reflect your reality. Address all the core elements described in Part 2, detailing your specific procedures for physical, IT, and personnel security.
Step 5: Implement the Controls and Train Your Team
A TCP on a shelf is worthless. You must put it into action.
- Implementation: Set up the segregated server. Install the new locks. Update the visitor sign-in sheet.
- Training: Conduct an initial, mandatory training session for all current employees. Make this training a required part of the onboarding process for all new hires. Document everything.
Step 6: Appoint an Empowered Official or Compliance Officer
Designate one person to be the ultimate owner of the plan. This individual should have the authority and resources to enforce the TCP across the entire organization. For ITAR-controlled companies, this formal appointment of an Empowered Official must be documented in writing.
Step 7: Regularly Review and Update the Plan
Your TCP is a living document. It should be reviewed at least annually, or anytime there is a significant change, such as:
- You begin working on a new controlled project.
- You hire new foreign national employees.
- You change your IT infrastructure or office layout.
Essential Paperwork: Key Forms and Documents
- The TCP Document Itself: This is the master document outlining all policies and procedures. It should be version-controlled and signed by senior management.
- Technology Classification Worksheet: A formal, internal record that documents your analysis of why a specific piece of technology was classified under a certain USML category or ECCN. This shows auditors you did your due diligence.
- Employee Non-Disclosure and TCP Acknowledgement Form: A form signed by every employee stating that they have received a copy of the TCP, completed the required training, and understand their personal responsibilities and the legal penalties for violations.
Part 4: Cautionary Tales: When TCPs Fail
The penalties for export control violations are not trivial. They can include civil fines up to $1 million per violation, criminal penalties of up to 20 years in prison, and “debarment,” which means your company is banned from doing business with the U.S. government.
Case Study: University of Tennessee (2014)
- The Backstory: A former professor at the University of Tennessee was involved in a research project for the U.S. Air Force involving drone technology. The professor allowed two foreign national graduate students to access ITAR-controlled technical data related to the project without an export license.
- The Violation: This was a classic deemed export. The university had a TCP in place, but it was not adequately implemented or enforced by the professor.
- The Consequence: The professor was sentenced to four years in federal prison. The case sent shockwaves through the academic research community, highlighting that individuals, not just institutions, can face severe consequences. A properly enforced TCP, which would have firewalled the students from the ITAR data, would have prevented this entire situation.
Case Study: Darling Industries (2018)
- The Backstory: Darling Industries, an Arizona-based company, manufactured firearm components. They routinely allowed foreign national employees to participate in the manufacturing and testing of parts that were controlled under ITAR.
- The Violation: The company had no meaningful export compliance program and no Technology Control Plan. They failed to screen employees and allowed widespread, unauthorized access to ITAR technical data.
- The Consequence: The company was fined $10 million by the Department of State. The president and the compliance officer of the company were also individually and criminally indicted. This case demonstrates that willful ignorance is not a defense.
Case Study: FLIR Systems, Inc. (2018)
- The Backstory: FLIR, a major producer of thermal imaging cameras, transferred ITAR-controlled data to dual-national employees who were working for the company in the U.S. They incorrectly believed that since the employees were also U.S. citizens, there was no issue.
- The Violation: The State Department clarified that a transfer of ITAR data to a dual national is a transfer to that person's other country of citizenship, requiring a license. Furthermore, FLIR's foreign subsidiaries re-exported products in violation of U.S. law.
- The Consequence: FLIR agreed to a $30 million settlement with the Department of State. This case underscores the complexity of managing compliance in a global company and the need for a TCP to address nuanced issues like dual nationality.
Part 5: The Future of Technology Control Plans
Today's Battlegrounds: Current Controversies and Debates
The world of export controls is in constant flux, driven by geopolitical tensions and technological advancement.
- U.S.-China Technology Competition: The most significant driver of recent export control changes is the strategic competition between the U.S. and China. The BIS has added numerous Chinese technology companies to its “Entity List,” severely restricting their access to U.S. technology. This has forced thousands of U.S. companies to strengthen their TCPs to ensure no technology leaks to these restricted entities.
- Fundamental Research Exclusion (FRE): In a university setting, the FRE allows research that is ordinarily published and shared broadly to be exempt from export controls. However, the line between “fundamental” basic research and “controlled” applied research is often blurry, creating a major compliance headache for universities and their PIs.
- Economic Impact vs. National Security: There is a constant debate between the tech industry, which thrives on global collaboration and sales, and the national security community, which seeks to tighten controls. Every new regulation represents a balancing act between these competing interests.
On the Horizon: How Technology and Society are Changing the Law
- Cloud Computing: What happens when you store ITAR-controlled data on a third-party cloud server? If that server is physically located in Ireland, is that an export? Regulators have issued guidance requiring specific security measures like end-to-end encryption, but this remains a highly complex area. Your TCP must now have a dedicated “Cloud Computing” policy.
- Remote Work: The rise of remote work presents a massive TCP challenge. If you have a foreign national employee working from their home in the U.S. and accessing your server, how do you ensure a family member or roommate doesn't see their screen? How do you secure their home network? Future TCPs will need detailed remote work security protocols.
- Emerging Technologies: The government is scrambling to determine how to control next-generation technologies like Artificial Intelligence (AI), quantum computing, and advanced biotechnologies. We can expect to see these areas added to the control lists, requiring thousands of new companies in these fields to develop robust TCPs for the first time.
Glossary of Related Terms
- Bureau of Industry and Security (BIS): The agency within the Department of Commerce that administers the EAR.
- Commerce Control List (CCL): A list of dual-use items that are subject to the regulatory authority of the EAR.
- Deemed Export: The release or transfer of controlled technology or source code to a foreign person within the United States.
- Directorate of Defense Trade Controls (DDTC): The agency within the Department of State that administers ITAR.
- Dual-Use Technology: Technology that has both commercial and military or proliferation applications.
- Export Control Classification Number (ECCN): An alphanumeric code used on the CCL to categorize a specific type of technology.
- Empowered Official: A senior U.S. person in a company who has the legal authority and responsibility for ITAR export compliance.
- Export Administration Regulations (EAR): The set of federal regulations governing the export of most commercial and dual-use items.
- Foreign Person: Anyone who is not a U.S. person (i.e., not a citizen, permanent resident, or asylee).
- Fundamental Research Exclusion (FRE): An exemption from EAR and ITAR for basic and applied research in science and engineering where the resulting information is ordinarily published.
- International Traffic in Arms Regulations (ITAR): The set of federal regulations governing the export of military and defense-related items.
- Technical Data: A specific ITAR term for information required for the design, development, production, or use of defense articles.
- United States Munitions List (USML): A list of defense articles, services, and related technical data that are subject to ITAR.
- U.S. Person: A U.S. citizen, lawful permanent resident (“Green Card” holder), or a person granted refugee/asylee status.