TCP Assessments
If you are currently engaging in research that requires a Technology Control Plan (TCP) to protect sensitive data, info, and or technology from being transfered to a foreign national, your TCP is subject to an annual onsite assessment. This assessment is a quality assurance tool intended to confirm that these controls put in place are being implemented in accordance to the TCP that the office of export controls helped design for your research project.
The TCP Assessment program aims to:
- Identify possibleÌýdeficiencies in training or procedures that can be rectified to improve the strength of the TCP.
- Provide support to research teams in assessing, implementing, and maintaining compliance to help avoid export violations.
- Assure the protection of sensitive technology, data, and information.
For the detailed TCP Assessment Procedure, CLICK HERE
For the detailed TCP Corrective Action Procedure, CLICK HERE
Ìý
Guidance on what to expect during a TCP Assessment
Prior to the Assessment:
Annually, your TCP will be assessed onsite. A few weeks before your expected assessment, CU's QA/QI Office will notify you that your TCP has been selected for review. Several dates will be provided for you to choose from for the assessment.The assessment will take approximately 1-3 hours to complete, all done in 1 day. See the Preparing for an On-Site Assessment webpage for how you can be best prepared for your assessment.
During the On-Site Assessment:
The Research Cybersecurity Program Manager (Scott Maize) and the Office of Research Integrity's QA Coordinator (Thomas Sawicki) will conduct the onsite assessment. The personnel responsible for the TCP's implementation will be interviewed on all the aspects of their TCP and how they are being implemented, including the cybersecurity and physical security parameters put in place. If requested, evidence of this implementation will be required to be presented to the assessment conductors.Ìý
After the On-Site Assessment:
If any findings of unanticipated noncompliance or failure to implement parts of a TCP are discovered during the on-site assessment, they will be brought to the office of export controls for consultation on how to administratively correct them. Then, these findings will be detailed in a preliminary report that will be hand-delivered in a meeting to the PI(s) responsible for the TCP. The report will describe what corrective action needs to be taken to resolve the noncompliance and the deadline in which it needs to be resolved. The PI(s) responsible will be required to resolve the finding(s) within the deadlines given, or risk facing the termination of their TCP. Since no export violation has occured in this instance, the findings will be handled internally (between the PI, the assessment conductors, and OEC). The goal of resolving these findings is to prevent an export violation from occuring in the future.
If a violation or disclosure of export controlled tech/info/data to a foreign national is discovered during the on-site assessment, the Office of Export Controls will be notified immediately and the 91¸£ÀûÉç's Reporting Violations Policy will be executed (See theÌýOffice of Export Controls websiteÌýfor details about this procedure).
If no findings are recorded during the assessment, a final report will be emailed to the PI responsible, effectively closing out the annual assessment.