Export Control Decision Tree
This material is adapted from the basic design and content of Stanford University’s Decision Tree. We appreciate Stanford in granting us permission to use its content for the benefit of UAB.
For reasons of national security and trade protection, the United States has enacted export control laws to govern the transfer of certain information, items, or technologies to foreign countries and foreign persons. These laws apply to items that have a military application, as well as to commercial items that may have a potential military application or pose a foreign policy or national security concern. Therefore, UAB and its employees are required to exercise due diligence in evaluating whether a particular transfer of items, information, software, or technology requires an export license before it may occur.
The flowchart below walks you through a series of "Yes" or "No" questions, leading to a determination of whether an export license may be applicable to your situation. Before completing the decision tree, there are some terms that you will need to understand, particularly “deemed export”, “export”, “item”, and “foreign national”. Please refer to the definitions in the UAB Export Control Policy prior to answering the questions below. If you answer "Yes" to any of the eight (8) questions below, please contact the University Compliance Office immediately. Violations of these export control regulations can lead to significant civil and criminal penalties for individuals as well as institutions.
Decision Tree Question #1:
Are you sharing, transmitting, or transferring UAB-developed, non-commercial encryption software(1) in source code or object code(2) (including travel outside the country with such software)?
(1)The sharing, shipping, transmission or transfer of almost all encryption software in either source code or object code is subject to US export regulations. (Please contact the University Compliance Office to discuss requirements associated with transmissions or transfers of UAB-generated encryption code outside of the US.)
Even most publicly available "dual-use" encryption code captured by the Export Administration Regulations (EAR) requires the availability of a License Exception. A License Exception under the EAR is an authorization based on a set of criteria, which when met, allows the exporter to circumvent export licensing requirements. The release of publicly available encryption code under the EAR is generally authorized by License Exception TSU (Technology and Software - Unrestricted) whereby the exporter provides the US Government with a "one-time" notification of the location of the publicly available encryption code prior to or at the time the code is placed in the public domain. Notification after transmission of the code outside the US is an export control violation.
In addition, US persons are prohibited without prior authorization from providing technical assistance (i.e., instruction, skills training, working knowledge, consulting services) to a foreign person with the intent to assist in the overseas development or manufacture of encryption software that is subject to US Government notification or authorization. This prohibition does NOT limit UAB personnel from teaching or discussing general information about cryptography or developing or sharing encryption code within the United States that arises during, or results from, fundamental research.
Two License Exceptions are available for the UAB community when the tangible export of items and software containing encryption code is necessary for travel or relocation:
- License Exception TMP (Temporary Exports) allows those departing from the US on university business to take with them as "tools of the trade" UAB-owned or controlled, retail-level encryption items such as laptops, personal digital assistants (PDAs), and cell phones and encryption software in source or object code to all countries except Sudan and Cuba, as long as the items and software will remain under their "effective control" overseas and are returned to the US within 12 months or are consumed or destroyed abroad;
- License Exception BAG (Baggage) allows individuals departing the US either temporarily (travel) or longer-term (relocation) to take with them as personal baggage family-owned retail-level encryption items including laptops, personal digital assistants (PDAs), and cell phones and encryption software in source or object code. The encryption items and software must be for their personal use in private or professional activities. Citizens and permanent resident aliens of all countries except Cuba, Libya, Syria, Sudan, North Korea and Iran may take with them as personal baggage non-retail "strong" encryption items and software to all locations except embargoed or otherwise restricted locations.
(2)Source code is generally understood to mean programming statements that are created by a programmer with a text editor or a visual programming tool and then saved in a file. Object code generally refers to the output, a compiled file, which is produced when the Source Code is compiled with a C compiler. The object code file contains a sequence of machine-readable instructions that is processed by the CPU in a computer. Operating system or application software is usually in the form of compiled object code.
Decision Tree Question #2:
Do you know or have any reason to believe that the item, information, or software to be shared, shipped, transmitted, or transferred will support the design, development, production, stockpiling, or use of nuclear explosive device, chemical or biological weapons, or missiles(3)?
(3)US persons are specifically prohibited from engaging in activities, either directly or indirectly, that support the proliferation of nuclear explosive devices and missiles to certain countries and their nationals without an export license. Furthermore, US persons are specifically prohibited from knowingly engaging in activities that support the proliferation of chemical or biological weapons to any country and its nationals without an export license. Prohibited activities include direct support (through sharing, shipping, transmission, or transfer), or indirect support (through financing, contracting, servicing, transportation, support, or employment) that a US person knows will facilitate the proliferation of these weapons of mass destruction (WMD) in or by those countries. In addition, an individual or organization is prohibited from proceeding with a shipment, transmission, or transfer of equipment or software, or from a disclosure of information, with the knowledge that an export control violation has, or is about to, occur.
Certain chemical and biological weapons agents and precursors are listed on the US Munitions List (USML) at Category XIV and on the Commerce Control List (CCL) in Category 1 at 1C350 through 1C360.
Decision Tree Question #3:
Is the item, information or software provided under a Non-Disclosure Agreement (NDA) or a Confidentiality Agreement(4) central to the research program and/or do the disclosure restrictions affect the ability to publish the research results?
(4)Research carrying publication and dissemination restrictions may violate principles of openness in research and preclude characterization of the effort as "fundamental research." As a result, you may be facing prohibitions limiting the participation of foreign persons.
"Fundamental research" is defined as basic or applied research in science or engineering, the results of which are intended to be shared with the interested scientific community or otherwise placed in the public domain. Fundamental research, by definition, is free of access, participation, or dissemination restrictions.
Fundamental research is granted special status by US export regulations, such that participation by foreign persons in such research does not require export licenses to be obtained. If the research is other than "fundamental," then the conduct and results of that research may be subject to the full array of export control restrictions.
Decision Tree Question #4:
Did an external sponsor, vendor, collaborator or other third party provide, under a Non-Disclosure Agreement or a Confidentiality Agreement(5), the item, information, or software to be shared, shipped, transmitted, or transferred?
(5)A reminder about NDAs and similar confidentiality agreements:
UAB faculty may be asked to accept confidential, proprietary, or export controlled data or material as part of a research project subject to a Non-Disclosure Agreement signed by both the discloser and the recipient. NDAs may include licensing agreements which limit or prohibit the disclosure or transfer of the licensed data or materials.
In addition, if you accept confidential or proprietary information subject to a Confidentiality or Non-Disclosure Agreement, and the disclosure restrictions affect your ability to publish research results, the research itself will lose its characterization as "fundamental research" for export control purposes. Should the research entail information or software identified on US export control lists, and you wish to have foreign nationals participate in the research, you may be required to obtain an export license.
Of course, if the confidential data pertains to such information as personal health, income, or other demographic data that does not have a strategic significance (and is thus not identified on US export control lists), then export control restrictions on foreign national participation would not apply. However, other restrictions may apply.
Decision Tree Question #5:
Is the item being shared, shipped, transmitted, or transferred a defense article(6) other than information or software on the ITAR’s US Munition List (USML)?
(6)A defense article:
- Is specifically designed, developed, configured, adapted, or modified for a military application, and
- does not have predominant civil applications, and
- does not have performance equivalent (defined by form, fit, and function) to those of an article or service used for civil applications;
- Is specifically designed, developed, configured, adapted, or modified for a military application, and has significant military or intelligence applicability (examples are satellites, spacecraft and their subsystems, fully field-deployable systems for military use, and space-qualified for radiation hardened microcircuits); or
- Is on the US Munitions List (USML, the US State Department ITAR list).
Decision Tree Question #6:
Is the information or software being shared, shipped, transmitted, or transferred technical data(7) on the ITAR’s US Munition List (USML)?
(7)Technical data means:
- Information, other than software, which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions, and documentation.
- Classified information relating to defense articles and defense services.
- Information covered by an invention secrecy order.
- Software directly related to defense articles.
"Technical data" does NOT include information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges and universities, information in the public domain, or information generated in the course of performing "fundamental research."
Decision Tree Question #7:
Are you shipping or transferring items(8) on the Commerce Control List (CCL)(9) of the Export Administration Regulations (EAR)?
(8)The Commerce Control List (CCL) is maintained by the Bureau of Industry and Security (part of the US Department of Commerce) as part of the Export Administration Regulations (EAR). This list is sometimes called the "dual use" list, as the items on it may have either a military or commercial application.
(9)Items on the Commerce Control List are generally designated by categories represented by the letters "A", "B", and "C" following the initial digit in an Export Control Commodity Number (ECCN). Examples are ECCNs such as 4A994, 5B001, and 1C351.
- "A" category = Systems, Equipment and Components
- "B" category = Test, Inspection and Production Equipment
- "C" category = Materials
Decision Tree Question #8:
Are you sharing, transmitting, or transferring technology (information)(10) or software code(11) on the Commerce Control List (CCL)?
(10)The EAR defines "technology" as:
- Specific information necessary for the "development", "production", or "use" of equipment or software. Technology includes information subject to the EAR released in the form of technical assistance or technical data.
- Technical assistance includes instruction, skills training, working knowledge, and consulting services. Technical assistance may involve transfer of export controlled information.
- Technical data includes blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals, and instructions written or recorded on other media or devices such as disk, tape, or read-only memories.
Information that is, or will be, placed in the public domain, such as that generated by "fundamental research," is not subject to the EAR and is exempt from export control regulations.
(11)The EAR defines software code as a collection of one or more programs or microprograms fixed in any tangible medium of expression. Software code comprises source code or object code:
Source Code: A convenient expression of one or more processes that may be turned by a programming system into equipment executable form ("object code" or object language).
Object Code: An equipment-executable form of a convenient expression of one or more processes ("source code" or source language) that has been converted by a programming system.
If you have answered "Yes" to any of the questions above, an export license may be required before you ship, transmit, or transfer the item or information. Please contact the University Compliance Office immediately to further assess the proposed export and proceed with a license application.
If you have answered "No" to all of the questions above, you do not need to obtain an export license. Just two more steps are required before you can complete the transfer:
- Conduct a restricted-party screen to confirm and document that both the recipient and his or her organization are not identified on a US government restricted-party list. This screening can be completed quickly and easily through a software called Visual Compliance. If you do not have access to Visual Compliance, contact the University Compliance Office.
- Document in writing that you have reviewed the proposed transfer in light of applicable export control regulations and have determined and justified that no export license is necessary. Retain your documentation should it be requested by the University Compliance Office in the future.