Export Controls & Controlled Unclassified Information (CUI)

Export Controls

Northeastern University engages in research and educational activities that may involve the development or use of products, goods, hardware, software, materials, or technology that may be subject to U.S. export control laws and regulations. The U.S. government increasingly is focused on the compliance of universities with these laws and regulations. Northeastern is committed to complying with all applicable export controls, as established by the applicable federal regulations. It is critical that everyone in the Northeastern community understands the rules and complies with them fully. This web page is intended to be used by faculty, staff, and students as a reference.

Fundamental Research

Research in basic or applied sciences or engineering where the resulting information is intended to be published and broadly shared in the community; and which has no national security restrictions imposed on the research.​

Fundamental research does not cover:

  • Export Controlled Activities – “defense services”​
  • Research involving the creation or use of certain encryption source code
  • ​Development or export of tangible items such as hardware
  • ​Export controlled technology or technical data received from a sponsor
  • ​Transactions involving embargoed or sanctioned countries, individuals, or entities, must be reviewed independent from Fundamental Research for license requirements​

For more information on Fundamental Research, please click here.

Export License Inquiry Decision Tree

U.S. export controls exist to protect U.S. national security, economic and foreign policy interests. Export controls govern the shipment, transmission, or transfer of certain regulated items, information or software to foreign persons or entities. Export control regulations apply, when shipping or transferring regulated (“controlled”) items, including physical items, such as biological materials, data or software outside of the U.S.  Such shipments or transfers may require approval from the U.S. Government in the form of an export license.

For more information on export control licenses and to complete the Decision Tree Form, please click here.

Export Controls Triggers in Research & Critical Technologies

There are certain types of research and contractual requirements that can trigger export controls or additional security requirements to safeguarding CUI/CDI.

  • Types of Research​
    • Military or Defense Articles and Services​
    • High Performance Computing  or Encryption Technology​
    • Dual Use Technologies ​
    • Missiles & Missile Technology​
    • Chemical/Biological Weapons​
    • Nuclear Technology​
    • Select Agents & Toxins ​
    • Space Technology & Satellites​
  • Funding Source (DOD, DOE, Private Industry)​
  • Publication & Dissemination Restrictions​
  • Research Restricted to US Persons​
  • Extreme IT Security Requirements​
  • Receiving, Storing or Generating CUI (CDI, Nuclear, Intelligence, etc.) 
Critical Technologies

These technologies were previously referred to as Emerging and Foundational Technologies. The “Critical Technologies” name change took place under the Export Control Reform Act, allowing the agency to streamline the review, whereas previously they were trying to decide which were foundational and which were emerging. Government agencies monitor these technologies and as they see fit, they will impose controls on the technologies. The controls placed on these technologies are related U.S. economic interest, and national security reasons, including misuse of these technologies such as weapons of mass destruction (WMD) or human rights violations. The full list of “Critical and Emerging Technologies” can be found here.

The following is a list of Critical Technologies, the topics in bold are current research areas at Northeastern.

  • Advance Computing Technology
  • Advance Engineering Materials
  • Advance Surveillance
  • Artificial Intelligence
  • Advance Nuclear Energy Technology​
  • Autonomous Systems & Robotics
  • Biotechnology​
  • Communication & Networking Technology ​
  • Data Analytics Technology​
  • Logistics  Technology​
  • Brain Computing Interface
  • Directed Energy ​
  • Human-Machine Interfaces​
  • Hypersonic​
  • Quantum Information Technology 
  • Renewable Energy Generation & Storage
  • Semiconductors and Microelectronics​
  • Space Technology and Systems​
  • Position, Navigation & Timing (PNT) Technology​
  • Microprocessor Technology ​
  • Additive Manufacturing 
Technology Control Plans (TCPs)

A Technology Control Plan (TCP) is a customized document that outlines the appropriate access and handling procedures to protect export-controlled items and certain types of Controlled Unclassified Information (CUI).

For more information on TCPs please click here.

Regulatory Agencies

U.S. Department of State, DDTC

U.S. Department of Commerce, BIS

U.S. Department of the Treasury

For more information on the export control regulations, please click here.

International Shipping

All shipments of tangible items to a foreign country (including Canada) are subject to export controls. Sometimes the university must obtain an export license from the Commerce Department or State Department for the shipment. In some instances specific documentation must also be filed with the government before a shipment can be made. As the exporter you bear the responsibility to ensure compliance, failure to do so may constitute an export violation that could result in severe fines and/or other penalties. If you are planning an international shipment or if you have any questions on international shipping, please contact the Export Compliance Office exportcontrol@northeastern.edu.

Information required for review international shipments and determine license requirements

  • What are you shipping?
  • Where is it shipping to?
  • Who is receiving the shipment (end-user)?
  • What is the intended use (end-use)?
  • Is it a temporary export?
  • What is the value of the shipment?
  • Is the shipment linked to sponsored research? If so, who is the sponsor?
Shipping Process and Future Solutions

Currently at NU, international shipping reviews take place through processes developed with other departments, such as OARS and NU-RES, as well as creating awareness through training for faculty and staff. However, these are just short-term solutions, we are looking at more powerful and consistent ways to protect our faculty and staff by investing in a centralized shipping solution, which would provide visibility for ALL international shipments at NU. The shipping platform we are exploring as a long-term solution is eShipGlobal, which is a global shipping compliance software used by over 900 academic institutions across the U.S. This shipping platform provides the ability to house all major shipping carriers in one system (FedEx, UPS, DHL), as well as automate compliance checks for both export controls, as well as environmental health and safety. 

Imports & Customs Clearance

Please contact Dolliff & Co., Inc. for assistance with import issues. They hold a Customs Power of Attorney for Northeastern and can help with any of your shipments.

Contacts:

DOLLIFF & CO., INC.
U.S. Customs Brokers / Foreign Freight Forwarders
World-Net-Associates/BOSTON
128 EASTERN AVENUE, CHELSEA, MA 02150
T:  617-561-0900 X-107 // F: 617-561-0181
MOBILE: 617-921-0782

Call Regina Minichello – 617-373-2157 . To save time, when you are ordering internationally, instruct the shipper to do these three things: (1) consign the shipment to Northeastern University; (2) notify Doliff & Co.; and (3) fax copies of shipping documents to Doliff & Co. You will be subject to fees associate with Customs Entry processing, generally a $125 entry fee, local delivery charges, and airline terminal charges. In some cases, there will need to be a bond (if the item is valued >$2000).Regina Minichello can help with all of that. Note that you will need to use a Northeastern Purchase Order for your transaction. This process is only available for university-approved business.

Related Policies
Related Tools & Resources

Related Definitions

Export Controls
  • U.S. laws and their implementing regulations that govern the distribution of strategically important technology, services and sensitive information for reasons of foreign policy, national security or U.S. economic interests. ​​
  • Licenses from the Department of State (ITAR) or Department of Commerce (EAR) may be required to export certain items. ​
Export

Any shipment, transmission, or transfer of from the U.S. to a foreign destination:

  • Commodities​
  • Software ​
  • Technology​
EAR99

Products, services and technology that are not specifically controlled for export by the Export Administration Regulations (EAR) are classified as EAR99. They fall under the U.S. Department of Commerce jurisdiction and are no listed on the Commerce Control List (CCL).

EAR99 items generally consist of low-technology consumer goods and do not require a license in most situations.

Deemed Export

An export of “controlled” technology or source code is “deemed” to take place when it is released to a foreign person in the U.S.

DFARS Clause

DFARS Clause: The Defense Federal Acquisition Regulation Supplement (DFARS) is administered by the Department of Defense (DoD). The DFARS implements and supports the FAR. DFARS applies to all Department of Defense issued contracts.  All Federal agencies have their own supplemental regulations, such as the Department of Energy Acquisition Regulations (DEAR) and the Department of Homeland Security Acquisition Regulation (HSAR).

DOD Distribution Statements

DOD Distribution Statements: Distribution statements are assigned to technical documents by the controlling DoD office that sponsors the work, to assign responsibilities and describe procedures for marking and managing technical documents, and to denote the extent to which they are available for secondary distribution, release, and dissemination without additional approvals or authorization. The presence of a distribution statement B-F requires Northeastern to safeguard the technical documentation related to the project until it is cleared for release.  In most cases, distribution statements will appear when other restrictive clauses, mentioned below, are also present.  

ECCN

Export Control Classification Number (ECCN) is an alpha-numeric code, e.g., 3A001 that is made up of the item category, its product group, and primary reason for control.

The ECCN entry describes the item and specifies licensing requirements. All ECCNs are listed in the Commerce Control List (CCL)
(Supplement No. 1 to Part 774 of the EAR) which is available here.

The CCL is divided into ten broad categories, and each category is further subdivided into five product groups:

Commerce Control List Categories
0 = Nuclear materials, facilities, and equipment (and miscellaneous items)
1 = Special Materials and Related Equipment, Chemicals, “Microorganisms,” and “Toxins”
2 = Materials Processing
3 = Electronics
4 = Computers
5 = Telecommunications and “Information Security”
6 = Sensors and Lasers
7 = Navigation and Avionics
8 = Marine
9 = Aerospace and Propulsion

FAR Clause

FAR Clause: The Federal Acquisition Regulation (FAR) is the primary regulation used by all executive agencies in their acquisition of supplies and services with appropriated funds.  The FAR is used for federal contracts, which are considered procurement mechanisms.  When the government utilizes a federal contract, they are procuring something for government use.  When the government utilizes 2 CFR 200 (Uniform Guidance), they are funding cooperative agreements or grants that are intended for public good and benefit.

U.S. Munitions List (USML)

The articles, services, and related technical data designated as defense articles or defense services pursuant to sections 38 and 47(7) of the Arms Export Control Act appear in part 121 of this subchapter and constitute the U.S. Munitions List (USML). Changes in designations are published in the Federal Register.

USML description and definitions

Additional Resources


Controlled Unclassified Information (CUI)

This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Northeastern. KRI, LLC at Northeastern University has separate processes related to CUI and computing security procedures. Those working with or at KRI will receive instructions from KRI.

The Office of Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DOD), is requiring contractors receiving DOD contracts to undergo an assessment to determine their cybersecurity maturity. The assessment will be performed by a 3rd party and will result in a Cybersecurity Maturity Model Certification (CMMC). Northeastern is currently working to meet CMMC level 2 certification requirements. New information will be added to this webpage as it becomes available.

Types of Research
Classified

Classified research takes place only at KRI, LLC.

If you have questions regarding classified research, please contact the ISO, Matthew Cawley.

CUI/CDI, Export Controlled (ITAR, EAR Dual-Use)

CUI: Controlled Unclassified Information (CUI) is  information that the US gov’t creates or possesses or that a non-federal entity (such as Northeastern) receives, possesses, or creates for or on behalf of the US gov’t, that requires certain information security controls to safeguard. ​

CDI/CTI: Covered Defense Information (CDI)/Covered Technical Information (CTI) is information that requires protection under DFARS Clause 252.204-7000 & 7012. CDI and subcategories are specific to DoD contracts. ​

ITAR: International Traffic in Arms Regulations (ITAR) establishes controls regarding the export and import of defense-related items and services that appear on the United States Munitions List (USML). ITAR is meant to limit access to specific technologies and their associated data resources.​

EAR dual use: Export Administration Regulation (EAR) A “dual-use” item is one that has civil applications as well as terrorism and military or weapons of mass destruction (WMD)-related applications.

Export Controlled EAR: EAR99 & Low Dual-Use (NLR)

Fundamental Research

What is CUI?
  • Controlled unclassified information (CUI) U.S. Government-owned information or that a non-federal entity (such as Northeastern) can:​
    • Receives​
    • Possesses ​
    • Created ​
    • On behalf of the U.S. Government ​
  • There are different categories of CUI. ​The complete list from NARA can be found here.
  • ALL categories of CUI require protection, but not all CUI require some level of protection. ​
  • Not all levels of CUI require NIST SP 800-171/CMMC​
  • DFARS 252.204.7012 Safeguarding CDI & Cyber Incident Reporting: this clause is incorporated in DOD contracts, it outlines the requirements of safeguarding CDI (category of CUI) and reporting breaches. ​
What is CUI vs. not CUI

CUI Incident Reporting

A CUI/CDI incident is a real or imminent violation of security, policy, or practice. ​

An incident could cause loss or damage to hardware, software, networks, or data (electronic or hard copy), or could affect personnel. ​

CUI/CDI incidents include but are not limited to: ​

  • Improper storage of CUI/CDI ​
  • Actual or suspected mishandling of CUI/CDI ​
  • When unauthorized individuals gain access to CUI/CDI (physical or electronic) ​
  • Unauthorized release of CUI/CDI (to public facing websites or to unauthorized individuals) ​
  • Suspicious behavior from the workforce (Insider Threats) ​
  • General disregard for security procedures ​
  • Seeking access to information outside the scope of current responsibilities ​
  • Attempting to enter or access sensitive areas (where CUI/CDI is stored, discussed, or processed)

Reporting logistics:

Report any incidents of CUI/CDI or export control material mishandling to: ​

CMMC_Program_Office@northeastern.edu

CUI@northeastern.edu

  • Do not email potential instances of CUI/CDI or export-controlled data when reporting an incident to the above email accounts
  • Only include a notification that a potential incident has occurred​
  • Documents containing CUI/CDI markings should only be shared through GCC high email accounts​

Employees are required to report:

  • Any actual or suspected mishandling of CUI/CDI or export-controlled items;​
  • Any suspicious behaviors among the workforce that could potentially compromise security; or  ​
  • Lead to the misuse of CUI/CDI or export-controlled materials​
  • As soon as possible after discovery​

When in doubt, report it!

What kind of research may involve CUI?

Who can recieve or interact with CUI/CDI?

ONLY NU persons with active GCC high email accounts​

​CUI cannot be transmitted, nor can it live in:​

  • General NU email account (i.e., john.doe@northeastern.edu) ​
  • Personal email account (Gmail, Yahoo, Hotmail, etc.)​
  • External hard-drive 
GCC High Accounts

GCC High accounts are requested by NU-RES Research Compliance for faculty and students who are participating in research that is export controlled and/or CUI. GCC High accounts requested by Research Compliance will be tied to a Technology Control Plan (TCP).

What:

  • Microsoft 365 Government Community Cloud High (GCC High) is a cloud platform developed by Microsoft for cleared personnel and organizations supporting the DoD ​
  • Same features as the standard Microsoft (email, Teams, SharePoint, OneDrive) but in a secure online environment.​

Requirements:

  • Restricted Party Screening: Visual Compliance; citizenship/immigration status ​
  • Training: CMMC & Security Awareness​
  • Laptop: Windows Professional or Enterprise (compatible with the GCC High image); must be a separate laptop with Intune software that is managed by NU​
    • Faculty are encouraged to budget for this during the proposal stage.

KB articles:

Master’s Theses/Dissertations

If you are planning on utilizing controlled information in your master’s thesis, please make sure to review the Guidelines on Student Theses/Dissertations Involving Controlled Research. ​

Review the controlled research requirements (i.e., publications restrictions) closely with your faculty advisor to ensure complete understanding on how they will impact your ability to complete the project and meet academic or graduation requirements. ​

Key areas to consider: ​

  • Publication/Foreign National Restrictions ​
  • Formatting/CUI Marking ​
  • Thesis Submittal Repository ​
  • Committees/Presentations ​
  • Archive/Storage Location ​
  • Authentication​
Related Tools & Resources

If you have any questions regarding CUI and/or export controls, or believe that export controls may apply to your research project please contact researchcompliance@northeastern.edu to arrange a consultation.

last updated 11.15.2023