Cyber Security and Export Controls: You Need to Know More Than You Already Do



slide-1
SLIDE 1
slide-2
SLIDE 2
Cyber Security and Export Controls: You Need to Know More Than You Already Do

AnnaLisa Nash, Export Control Officer, NDSU

slide-3
SLIDE 3

Why Should You Care About Export Controls?

…so you can avoid HERE.

slide-4
SLIDE 4

When Should You Care?

  • NOW. U.S. export control regulations affect many activities within academia, government, and industry, including:

  • Employee Hiring & Payroll
  • R&D
  • Purchasing/Procurement
  • Classifying/licensing items/data
  • International Travel
  • Shipping
  • Tech Transfer/IP
  • Grants, Contracts, etc.
  • Licensed Software Agreements
  • Cyber Security/Controlled Info.
slide-5
SLIDE 5

Key Issues:

  • Overview of Export Controls
  • Exports and Deemed Exports
  • ITAR, EAR, OFAC
  • “High Risk” Areas
  • International Travel & Activities, UAS
  • IT, “Controlled Information,” and Cyber Security
  • Access Controls
  • System Management
  • Transmission of Data
  • Shared Systems
  • Mobile Computing Devices
  • Technology Control Plans (TCPs)
  • Penalties
  • Compliance Programs and Red Flags
slide-6
SLIDE 6

What are export controls?

ü Federal statutes and regulations that govern the transfer of certain goods, technologies, services, data, and money to non-U.S. persons and locations. ü Export controls generally restrict the export of items/services based on the type

  • f item, its end use, and the destination of

the export.

slide-7
SLIDE 7

Why do we have export controls?

U.S. export control system: shaped by our national security, economic interests, and foreign policy.

ü Advance foreign policy goals ü Restrict export of goods and technology that might contribute to the military expertise of adversaries ü Prevent the proliferation of Weapons of Mass Destruction (WMD) ü Fulfill international obligations (e.g., treaties) ü Prevent terrorism ü Etc.

slide-8
SLIDE 8

What are exports?

  • physical shipment or hand-carried item(s) out of U.S.
  • electronic and voice transmissions out of the U.S. (emails or phone calls to a colleague at a foreign institution, or remotely accessing certain documents while traveling internationally)

Includes:

  • tangible (physical) items – software, biological materials, chemicals, equipment (etc.)
  • intangibles – information, research data, technologies, engineering designs, ideas (etc.)

“But – I don’t ship anything anywhere!”

slide-9
SLIDE 9

That seems easy enough… but wait!

Exports also include – DEEMED EXPORTS:

  • the release of data/technology/source code to foreign nationals within the U.S.;
  • the provision of training or services involving controlled equipment to foreign nationals in the U.S. or abroad; and
  • providing services to, or engaging in transactions with, entities and individuals who are on embargo or restricted parties’ lists.
  • Definition: U.S. Persons (U.S. citizens and PRs/Green Card Holders) and Foreign Persons (non-U.S. Persons)

slide-10
SLIDE 10

Deemed Exports

(= same effect as an actual export)

In other words, you can “export” controlled data or information to a foreign person without ever leaving your office or workplace, in violation of Federal export laws, through a simple conversation with an international colleague, or by sending an email to an international colleague within your building.

We welcome our international population! However, export control laws are specific to certain international members of our community.
slide-11
SLIDE 11

Deemed Exports

Examples:

  • Visual inspection by foreign persons of U.S.-origin equipment and facilities;
  • Oral exchanges of information; or
  • Access to a computer that possesses export controlled information and/or technology.

slide-12
SLIDE 12

What laws are we talking about?

We primarily are concerned with three sets of export control regulations:

  • 1. the International Traffic in Arms Regulations (ITAR), administered by the Department of State
  • 2. the Export Administration Regulations (EAR), administered by the Department of Commerce
  • 3. the Office of Foreign Assets Control (OFAC), administered by the Department of Treasury

slide-13
SLIDE 13

The ITAR:

  • “Inherently military in nature”
  • Covers military items found on the United States Munitions List (USML) – munitions and defense articles
  • Includes most space-related technologies because of application to missile technology
  • Includes technical data related to defense articles and services
  • ITAR items virtually ALWAYS require an export license; policy of denial for exports to certain countries

slide-14
SLIDE 14

The EAR:

  • Covers “dual-use” items – found on Commerce Control List (CCL)
  • Regulates items designed for commercial purposes that also have military applications (computers, pathogens, civilian aircraft, etc.)
  • Covers goods, test equipment, materials, and the software and technology
  • Each item has an Export Controls Classification Number (ECCN)

slide-15
SLIDE 15

Classification & Licensing: EAR and ITAR

  • Classification is the exercise of understanding where an item or technology falls on the USML or CCL. Can be complicated!
  • EAR/CCL much more extensive list than the ITAR/USML. Controls are based on the type of item, the end use/user, and the destination country. Not all items are controlled for all countries. Must analyze a combination of item and recipient/destination country, with 4-5 places to look (EAR regs, country charts, restricted lists, etc.) – some ECCNs need a license for every end-user country in the world, and some only need a license for one country.
  • Most exports (90%+) under EAR jurisdiction may be made without an export license. Nearly all exports under ITAR require a license.

  • Can take weeks to obtain a license; specific only to that transaction!
  • Exempt: information that is publicly available/in public domain…
slide-16
SLIDE 16
slide-17
SLIDE 17

OFAC:

  • Restricted parties’ lists
  • Economic sanctions focus on end-user or country, and may limit transfer of technologies and assistance to OFAC’s list of sanctioned countries
  • OFAC has a “Specially Designated Nationals and Blocked Persons List”
  • Prohibits payments or providing “value” to nationals of sanctioned countries and certain entities – or could require an export license

slide-18
SLIDE 18

Screenings: OFAC

There are over 250 published restricted parties’ lists – and each can contain thousands of entities, and can change daily and without warning. Manual screening is labor-intensive, inefficient, and prone to error (errors can be detrimental/costly). First and most basic layer of export control compliance.

slide-19
SLIDE 19

Screenings: Shipping, Vendors, Collaborations

  • Shipping equipment, technology, software, computers, goods outside the U.S. may require a license
  • Payment to foreign individuals/entities outside the U.S. should raise a red flag!
  • OFAC has regulations regarding payments to sanctioned countries – Iran and Cuba the most restrictive
  • Payments to entities/persons on restricted parties’ lists could result in fines
  • International collaborations, international visitors (tour groups) and international visiting scholars/researchers/guest speakers, international travel, etc.

  • Customers, suppliers, vendors, trading partners, students, workers, etc.
slide-20
SLIDE 20

“High Risk” Areas

  • Advanced Computer Sciences/Microelectronic Technology
  • Biotechnology and Biomedical Engineering – Including Biological Agents and Toxins
  • Chemical Engineering
  • Encryption/Encrypted Software
  • Information Security
  • Materials Technology
  • Navigation Systems/GPS
  • Nuclear Technology
  • Remote Sensing, Imaging, and Reconnaissance
  • Robotics
  • Sensors and Sensor Technology
  • Space Sciences
  • Telecommunications/Networking
  • UAS

***not an exhaustive list!
***don’t forget international travel and other concerns
slide-21
SLIDE 21

International Travel and International Research/Activities:

1. International Travel

  • hand-carrying export-controlled items: GPS, prototypes, laptops, software, etc.
  • taking controlled technical data or encryption items: unpublished research, blueprints, engineering designs, etc.
  • to or through: Cuba, Iran, North Korea, Syria, Sudan
  • presentations or attendance at closed conferences abroad

2. Shipping/Carrying Any Item to a Foreign Country:

  • requires documented export review

3. Transactions with Restricted Persons or Entities:

  • restricted parties’ screenings
slide-22
SLIDE 22

International Travel:

Departments of Commerce and State have regulations that affect:

  • Physically taking items with you on a trip, such as
  • Laptop
  • Encryption products on your laptop
  • PDAs/smartphones
  • Data/technology/source code
  • Blueprints, drawings, schematics
  • Other “tools of the trade”
  • Giving controlled technology/data/source code to a foreign person outside the U.S.

slide-23
SLIDE 23

International Travel/Activities: Some Export-Controlled Items

  • Certain Laptops, Smartphones, PDAs, GPS
  • Software (even some Microsoft products)
  • Anything with higher encryption technology
  • Prototypes
  • Materials, components, hardware, samples
  • Research/technical data not yet published

slide-24
SLIDE 24

International Travel:

And, Office of Foreign Assets Control (OFAC) has regulations that affect:

  • Money transactions and the exchange of goods and services in certain countries (providing “value”)
  • Travel to sanctioned countries:
  • Balkans, Belarus, Burma, Central African Republic, Cote d’Ivoire, Cuba, Democratic Republic of the Congo, Iran, Iraq, Lebanon, Former Liberian Regime of Charles Taylor, Libya, North Korea, Somalia, Sudan, Syria, Ukraine, Yemen, and Zimbabwe

  • Doing business with certain people or entities
  • Again: Commerce, State, and OFAC have “lists”
slide-25
SLIDE 25

International Travel:

Other Countries of Concern

No financial transactions or exports:

Comprehensive Sanctions

Cuba, Iran, Sudan*

»»»stay tuned for changes regarding Cuban travel!

Limited Sanctions

Burma (Myanmar), Cote D’Ivoire* (Ivory Coast), North Korea, Syria

List-Based Sanctions

Balkan countries (Serbia, Albania, Bosnia, Croatia, Macedonia, including Kosovo), Belarus, Congo – Democratic Republic of*, Liberia, Libya*, Iraq*, Zimbabwe*

ITAR Proscribed (no export of ITAR defense articles or data):

Afghanistan*, China (PRC – including Hong Kong), Cyprus*, Eritrea, Fiji*, Guinea*, Haiti*, Indonesia*, Lebanon, Niger*, Palestine/Hamas*, Sierra Leone, Somalia, Sri Lanka*, Thailand, Venezuela, Vietnam*, Yemen*

*licenses may be granted on a very limited, case-by-case basis

slide-26
SLIDE 26

International Travel Export Review Questions

  • WHO: With whom or which organizations will you be meeting or working?
  • WHAT: What non-personal items will you take with you? Laptop, PDAs/smartphones, GPS, prototypes, hardware, software, materials, samples…?
  • WHY: Research, conference, demonstration, sponsor or colleague meeting?
  • WHERE: To which countries will you be travelling?
  • WHEN: When will you be leaving? When return?

slide-27
SLIDE 27

International Travel:

BAD NEWS:

Ø An export license could be required depending on what you are taking with you, and the country to which you are traveling Ø A license or technical assistance agreement (TAA) would be required if you were providing a “defense service” to a foreign person (in the U.S. or abroad)

  • A defense service means the furnishing of assistance

(including training) to a foreign person relative to a defense article. It also includes furnishing any technical data relative to a defense article. Ø There are consequences if you violate the regulations!

slide-28
SLIDE 28

International Travel:

GOOD NEWS:

Ø Travel to most countries usually does NOT ravel to most countries usually does NOT constitute an export control problem constitute an export control problem Ø Taking a laptop with only Microsoft Office Suite, Internet Explorer, etc. =

  • kay to most countries = no license required (except: Cuba, Syria, Iran, North

Korea, or Sudan). But – don’t forget about controlled data/technology on that laptop (particularly ITAR)! Ø In many cases, if you are taking or need to work with export-controlled In many cases, if you are taking or need to work with export-controlled information abroad, license exception/exemption available information abroad, license exception/exemption available

  • exception/exemption NOT needed if you are taking a “clean” laptop

abroad (excepting Cuba, Syria, Iran, North Korea, Sudan)

  • you can take some items that are export-controlled but don’t require a

license to most countries (e.g., no exception required)

  • items/software should be evaluated BEFORE travel

Ø “T “Tools of the T

  • ols of the Trade” exemption

rade” exemption: materials/equipment to perform job

slide-29
SLIDE 29

International Travel: Best Advice

  • 1. If you don’t need it, don’t take it with you.
  • 2. Avoid taking unpublished research/technical data.
  • 3. Keep items and technology in your effective/physical control.
  • 4. Attend or present only at “open” conferences.
  • 5. Take export documentation with you from your workplace when hand-carrying items. It helps going to/from (customs).
  • 6. And, follow general cyber security guidelines wherever you are…

slide-30
SLIDE 30

Unmanned Aircraft/Aerial Systems (UAS)

  • Export controlled? YES. MAYBE. SORT OF.
  • Unfortunately, not complete regulatory clarification at present…

slide-31
SLIDE 31

Export Controls & IT

  • Data subject to ITAR or EAR export control restrictions is referred to collectively as “Controlled Information.”

slide-32
SLIDE 32

Export Controls & IT

“I don’t think you understand the concept of cyber security.”

slide-33
SLIDE 33

Export Controls & IT

Goal:

The GOAL of your security measures regarding controlled information is to be able to answer the following questions in the affirmative:

  • Can you trace with precision who is working on the project?
  • How do you know with whom you can share the work? How do you track/ensure this?
  • Do you have appropriate physical and electronic precautions in place?
  • To prevent unauthorized access?
  • To restrict access to project data only to authorized individuals?

slide-34
SLIDE 34

Export Controls & IT

Means of transferring controlled information:

[Diagram: Means of Information Transfer. Categories: Verbal (or somehow exposed to it); Printed (paper) Documents; Electronic Information. Labels: Be aware of export requirements; Use again?; Encrypt or place in a password-protected folder; Send to librarian; Shred.]

slide-35
SLIDE 35

Export Controls & IT

Access Controls:

  • Do not access Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control.
  • Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
  • Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.

slide-36
SLIDE 36

Export Controls & IT

System Management:

  • Use regularly-updated malware protection software.
  • Keep computers hosting Controlled Information up-to-date on security patches and updates.
  • All Controlled Information must be encrypted if stored on mobile computing devices such as laptops, PDAs, and removable media such as thumb drives or CD/DVD.
  • Wipe electronic media, as applicable (and allowable).

slide-37
SLIDE 37

Export Controls & IT

Transmission of Data:

  • Do not transmit or email Controlled Information unencrypted. If encryption is not available, data must be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above.
  • Transmit Controlled Information via voice or fax only where there is reasonable assurance that access is limited to authorized persons.
  • Wireless network access to Controlled Information must be encrypted using VPN or other wireless network encryption.

slide-38
SLIDE 38

Export Controls & IT

Transmission of Data (con’t):

  • Provide monitoring and control over inbound and outbound network traffic. Include blocking unauthorized ingress and egress.
  • Detect exfiltration of data using firewalls, router policies, intrusion prevention and detection systems, or host-based security services.
  • Transfer controlled information only to those subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements. Include these data protection requirements (specifically this requirement) in all subcontracts if access to/generation of controlled data will occur.
slide-39
SLIDE 39

Export Controls & IT

Shared Systems:

In such cases where the Controlled Information is a software executable that will be run on a shared (multi-user) system such as a computer cluster, the following additional guidelines apply:

  • The directories containing the software shall be access-controlled so that only its designated user(s) (as approved by the PI) will have read, write, and execute permissions. All others shall have no access permissions.
  • The shared system shall have audit logging enabled, and the audit logs shall be backed up.
  • The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons.
  • Only U.S. Persons shall have unescorted physical access to the shared system.
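One way to check the first guideline on a POSIX cluster, as an added example that is not part of the original presentation: the script walks a software directory and reports anything not owned by a designated user or readable, writable, or executable by group or other. It assumes plain mode bits only (ACLs are not inspected), and the directory layout and file names are constructed for the demo.

```python
import os
import stat
import tempfile

# Any group or other permission bit counts as access by "all others".
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_tree(root, designated_uids):
    """Return (path, reason) findings for entries that break the guideline.

    designated_uids: set of numeric uids approved to own the software tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories, so list them
        # here to make sure they are still reported.
        linked_dirs = [d for d in dirnames
                       if os.path.islink(os.path.join(dirpath, d))]
        names = filenames + linked_dirs
        for path in [dirpath] + [os.path.join(dirpath, n) for n in names]:
            st = os.lstat(path)  # lstat: judge a symlink itself, not its target
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: review its target separately"))
                continue
            if st.st_uid not in designated_uids:
                findings.append(
                    (path, f"owner uid {st.st_uid} is not a designated user"))
            if st.st_mode & GROUP_OTHER_BITS:
                findings.append(
                    (path, f"group/other bits set: {stat.filemode(st.st_mode)}"))
    return findings


def build_demo_tree():
    """Create a constructed sample tree: one compliant branch, one loose file."""
    root = tempfile.mkdtemp(prefix="controlled_sw_")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    good = os.path.join(bindir, "solver")      # hypothetical executable
    loose = os.path.join(root, "solver.cfg")   # hypothetical config file
    for path in (good, loose):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    os.chmod(root, 0o700)
    os.chmod(bindir, 0o700)
    os.chmod(good, 0o700)    # owner-only: compliant
    os.chmod(loose, 0o644)   # readable by group and other: violation
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, reason in audit_tree(demo_root, {os.getuid()}):
        print(f"{path}: {reason}")
```

Running it on a schedule and keeping the output alongside the backed-up audit logs gives a record that the permissions were checked.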

slide-40
SLIDE 40

Export Controls & IT

Mobile Computing Devices:

In such cases where data must be stored locally on a mobile device:

  • The data must be stored on a single-user portable device in a volume using strong encryption with a unique decryption passphrase known only to the device’s authorized primary user.
  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be protected by a software firewall.
  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must have audit logging enabled and audit logs backed up.

slide-41
SLIDE 41

Export Controls & IT

Mobile Computing Devices:

In such cases where data must be stored locally on a mobile device:

  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be accessed using a login account with a password of no less than 8 characters in length, a mixture of upper- and lower-case letters, numbers and symbols, subject to change no less frequently than annually, or when any possibility of password exposure is suspected.
  • Inbound remote login to any mobile device containing export-controlled data should be prohibited by policy.
  • If data backup is required, the encrypted volume must be backed up intact, with encryption preserved.

slide-42
SLIDE 42

License or Technology Control Plan (TCP)?

  • In some situations it is possible to put a TCP in place instead of applying for a license
  • A TCP is simply a plan that outlines the procedures to secure controlled technology (e.g., technical information, data, materials, software, or hardware) from use and observation by unlicensed non-U.S. citizens
  • If this is not possible, then a license or technical assistance agreement would be needed

slide-43
SLIDE 43

When Do You Need a TCP?

  • In conjunction with a Technical Assistance Agreement (TAA) – Department of State
  • In conjunction with a Deemed Export license – Department of Commerce
  • In conjunction with an agreement that does not allow foreign nationals
  • In conjunction with an agreement that involves controlled data or technology (includes NDAs)
  • …Or in conjunction with ANY project that involves controlled data or technology!

slide-44
SLIDE 44

Again, Why Should I Care About Export Controls?

…so you can avoid HERE.

slide-45
SLIDE 45

Penalties

Exporting a controlled item:

  • without prior authorization,
  • or in violation of the terms of a license

= PENALTIES. Both criminal and civil penalties: millions of dollars in fines, jail time, revocation of exporting privileges (impacting research, teaching, career, etc.)

slide-46
SLIDE 46

Recent Enforcement Cases:

  • Raytheon – $8m (2013)
  • United Technologies Corporation – $55m (2012)
  • DHL – $9.4m (2009)
  • Lockheed Martin – $3m (2008)
  • Breaking news: global financial institution HQ’ed in Germany, and its NY branch – $1.45b (March 2015)

slide-47
SLIDE 47

Recent Enforcement Cases:

September 2014:

  • OFAC fined Citigroup $217,841 – processing certain transactions involving Iran, and one involving Syria
  • Citibank screened Syrian entity, Higher Institute for Applied Science and Technology (“HIAST”)
  • Government’s Specially Designated Nationals and Blocked Persons List (the “SDN List”) had incorrect name: Higher Institute of Applied Science and Technology
  • When Citibank ran a computer program to screen the name “Higher Institute for Applied Science and Technology,” it didn’t pick up the “Higher Institute of Applied Science and Technology” because not exact match…
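The exact-match failure described on this slide, reproduced as an added example that is not part of the original presentation or any screening product: it compares a strict string comparison with a normalized, similarity-scored comparison. The list entries other than the name quoted on the slide, the connector-word set, and the 0.85 threshold are constructed assumptions.

```python
import difflib
import re
import unicodedata

# Connector words that carry little identifying weight in an entity name
# (assumed set for this example).
STOPWORDS = {"of", "for", "the", "and", "in", "at"}

# Constructed sample list. The first entry is the spelling the slide says was
# on the SDN List; the other two are made-up placeholders.
SAMPLE_LIST = [
    "Higher Institute of Applied Science and Technology",
    "Example Maritime Trading Company",
    "Placeholder Industrial Supply LLC",
]


def normalize(name):
    """Lower-case, strip accents and punctuation, drop connector words."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return [t for t in tokens if t not in STOPWORDS]


def exact_screen(query, entries):
    """Naive screening: a hit only when the strings are identical."""
    return [entry for entry in entries if entry == query]


def score(query, entry):
    """Similarity in [0, 1]: best of token overlap and character similarity."""
    q, e = normalize(query), normalize(entry)
    if not q or not e:
        return 0.0
    q_set, e_set = set(q), set(e)
    jaccard = len(q_set & e_set) / len(q_set | e_set)
    ratio = difflib.SequenceMatcher(None, " ".join(q), " ".join(e)).ratio()
    return max(jaccard, ratio)


def fuzzy_screen(query, entries, threshold=0.85):
    """Return (score, entry) pairs at or above the threshold, best first.

    Hits are candidates for human review, not determinations.
    """
    scored = [(round(score(query, entry), 3), entry) for entry in entries]
    return sorted((hit for hit in scored if hit[0] >= threshold), reverse=True)


if __name__ == "__main__":
    name = "Higher Institute for Applied Science and Technology"
    print("exact:", exact_screen(name, SAMPLE_LIST))
    print("fuzzy:", fuzzy_screen(name, SAMPLE_LIST))
```

Lowering the threshold catches more spelling variants at the cost of more false positives to clear by hand, so the value should be tuned against the lists actually screened.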

slide-48
SLIDE 48

Enforcement Cases …Even at Universities

  • J. Reece Roth, 72 – Professor Emeritus at the University of Tennessee. Sentenced in 2009 to four years in prison (term starting in 2012) and two years of supervised release.
  • Dr. Roth passed sensitive information to two graduate students. He also took sensitive documents on his laptop on a trip to China. Convicted of export violations even though he did not open or otherwise access those documents while he was in China! Good news?? Willful, intentional behavior.

slide-49
SLIDE 49

Enforcement Cases …Even at Universities

  • Dr. Thomas Butler, MD, at Texas Tech (2003):
  • Chief of Infectious Diseases Division
  • physical export (missing vials) of bacteria related to bubonic plague
  • Convicted of 47 out of 69 charges; spent two years in jail and $37,400 civil penalty
  • denial of export privileges for 10 years (now on the Denied Persons List)
  • Bad news?? Seemingly unintentional behavior. Many groups of scientists disagreed with Government over this case (National Academy of Sciences, Federation of American Scientists, etc.).

slide-50
SLIDE 50

What Can I Do to Stay Compliant with Export Regulations?

EDUCATE YOURSELF about export controls. You don’t have to become an expert, but you need to have a fundamental understanding of the subject to know when to raise questions and alert your institution or workplace to possible export controls issues.

  • Compliance Program – meeting core elements
  • Trainings – simple, targeted, relevant
  • Screenings – perhaps the first and easiest layer of compliance
  • Red flags – KNOW THEM!
slide-51
SLIDE 51

Preventing Violations: Compliance Programs

Risk-Based (Risk Management) Approach:

  • Recommended by government agencies
  • “Occasional” lack of clarity in regulations
  • Best ways to serve the mission and goals of your institution, and to maximize limited resources

slide-52
SLIDE 52

Preventing Violations: Compliance Programs

Steps to Risk-Based Approach:

  • Consider the context of your organization
  • Internal context: nature of your institution, its mission/goals
  • External context: risk events, enforcement
  • Assess the risks that arise in your academic, governmental, business, or other operations
  • Reasonable efforts – place resources where most impactful

slide-53
SLIDE 53

Preventing Violations: Compliance Programs

Dual Purpose:

  • Establish processes and procedures to prevent violations
  • Demonstrate to regulators that your business/office/workplace/institution:
  • Understands the rules
  • Has taken affirmative steps to comply
slide-54
SLIDE 54

Core Elements of a Compliance Program

  • 1. management commitment
  • 2. continuous risk assessment
  • 3. formal written program
  • 4. training and awareness
  • 5. “cradle to grave” security
  • 6. recordkeeping requirements
  • 7. internal monitoring and periodic audits
  • 8. internal program for handling problems/reporting
  • 9. corrective actions in response to violations
slide-55
SLIDE 55

Core Elements of a Compliance Program

  • 1. management commitment

a. written compliance standards
b. sufficient resources for the program
c. appropriate and senior/executive oversight

  • 2. continuous risk assessment of the export program

a. likelihood of a violation
b. ramifications of violation
c. sensitivity of the technologies and countries

  • 3. formal written export management and compliance program

a. effective implementation
b. adherence to written policies and operational procedures

slide-56
SLIDE 56

Core Elements of a Compliance Program

  • 4. ongoing compliance training and awareness

a. what levels of training?
b. who gets trained?
c. how often?
d. sign-in sheets, certifications, attestations, etc.

  • 5. “cradle to grave” export compliance security – from the sales pitch, to post-sales activities (etc.)

a. Implement compliance safeguards throughout the export life cycle

  • 6. adherence to recordkeeping regulatory requirements

a. legally required!
b. 5-7 years
c. includes emails, other electronic data

slide-57
SLIDE 57

Core Elements of a Compliance Program

  • 7. verify compliance commitment and effectiveness

a. verify compliance commitment and effectiveness

i. Audits = cornerstone of compliance program. If you don’t have someone audit your program, you will never know if it is working.
ii. Auditors should be external, and understand the rules
iii. If outside audit not an option, do a self-audit!

  • 8. internal program for handling compliance problems, including reporting export violations

a. prevent, detect, report

  • 9. completing appropriate corrective actions in response to export violations

a. do you implement what you say you will to fix it?

slide-58
SLIDE 58

Preventing Violations: Compliance Systems

Tips:

  • Establishing a culture
  • Program should evolve
  • Targeted to your risks
  • Integrated into business procedures
  • Smart auditing and monitoring
  • Empowered and knowledgeable employees, colleagues, workers, managers/executives

  • And always remember: DON’T PANIC!
slide-59
SLIDE 59

RED FLAGS!

Red flag = something suspicious that indicates that an illegal activity might occur…

Ask yourself: does it smell fishy?

If there are red flags, you must investigate and clear them before proceeding with the export(s). Document in writing efforts to investigate red flags and show responsible action has been taken!

slide-60
SLIDE 60

RED FLAGS!

Contract/Agreement or Project/Activity:

  • references U.S. export control regulations (ITAR, EAR, OFAC), beyond a mere/general statement to comply;
  • restricts access or participation based on country of origin (e.g., participants limited to U.S. citizens only);
  • involves export-controlled information, technology, or equipment;
  • involves military, security, or intelligence applications – or classified, secured, or top secret materials – or dual civilian or military applications;
  • involves, in any way, certain countries/foreign nationals, including Afghanistan, China, Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, etc.
  • involves international travel, shipping, or work performed outside of the U.S.;
  • includes or involves foreign sponsors or collaborators; and/or
  • is funded by the Department of Defense, the Department of Energy, the Army, the Air Force, the Naval Office, NASA, the National Reconnaissance Office, or other U.S. Government agencies.

slide-61
SLIDE 61

RED FLAGS (con’t.)

Know Your Client/Customer:

  • customer/address similar to one found on a restricted parties’ list;
  • customer/purchasing agent reluctant to offer information about end-use of item;
  • product’s capabilities don’t fit buyer’s line of business (HPC to a small bakery);
  • item ordered is incompatible with technical level of destination country (semiconductor manufacturing equipment shipped to country with no electronics industry);
  • customer willing to pay cash for a very expensive item when terms of sale would normally call for financing;
  • customer has little/no business background;
  • customer unfamiliar with product’s performance characteristics, but still wants product;
  • routine installation, training, or maintenance services declined by customer;
  • delivery dates vague, or deliveries planned for out-of-the-way destinations;
  • freight forwarding firm is listed as the product’s final destination;
  • packaging is inconsistent with the stated method of shipment or destination;
  • shipping route is abnormal for the product and destination; and/or
  • when questioned, buyer is evasive and especially unclear about whether the purchased product is for domestic use, for export, or for reexport.

slide-62
SLIDE 62

Export Controls:

  • can arise in a variety of surprising circumstances
  • are not always intuitive
  • laws are complex and fact-specific
  • IT/cyber security issues can be tricky
  • regulations, rules, and lists for specifying who or what is considered export-sensitive – and where export controls apply – are always subject to change!

… can leave you teetering on the edge of the compliance cliff!

slide-63
SLIDE 63

Given this complexity…

Be Your Own Compliance Advocate/Best Friend!

Export Controls Made Simple…

slide-64
SLIDE 64

Questions?

AnnaLisa Nash, J.D.

Export Control Officer, NDSU

www.ndsu.edu/research/integrity_compliance/export_controls/
annalisa.nash@ndsu.edu
701-231-6455

slide-65
SLIDE 65

This PowerPoint presentation attempts to provide a very brief outline of basic export control information and how it affects various academic/research/business/governmental enterprises. Export control laws are complex and fact-specific. Regulations, rules, and lists for specifying who or what is considered export-sensitive – and where export controls apply – are subject to change. This material should not be taken as formal legal advice, and NDSU/this presenter cannot – and do not – warrant the legal sufficiency of the information contained herein.