Export Control Frequently Asked Questions

Research security refers to the policies and practices that protect the U.S. research enterprise from threats such as foreign interference, intellectual property theft, and unauthorized access to sensitive information. It ensures that research is conducted ethically, transparently, and in compliance with federal, state, and institutional requirements. This concept is central to National Security Presidential Memorandum-33 (NSPM-33), which outlines expectations for safeguarding federally funded research.

Universities like Purdue will be required to certify they have implemented a formal research security program which includes cybersecurity, foreign travel security, research security training, and export control compliance. Purdue is actively building and maintaining these capabilities through its RSEC office and institutional policies to meet federal requirements and support secure, collaborative research.

While classified and export-controlled research have long been subject to federal regulations, recent federal guidance, including NSPM-33 and the CHIPS and Science Act of 2022, expanded the focus to include fundamental research, which is basic or applied research intended for broad dissemination and not subject to restrictions on who performs the research based on citizenship for national security reasons. Purdue’s research security program is primarily designed to support and safeguard this type of unclassified, fundamental research, ensuring it remains open, collaborative, and compliant with evolving federal expectations. Activities covered include international collaborations, foreign travel, hosting visiting scholars, disclosing outside activities, and managing research data and intellectual property.

Yes. Purdue University’s Research Security Program is a comprehensive, institution-wide initiative led by the Research Security and Export Controls (RSEC) team. In collaboration with units responsible for conflicts of interest and commitment (COI/COC), cybersecurity, IT, international travel, sponsored programs, and risk management, RSEC works to embed security controls throughout Purdue’s research infrastructure. The program is built on federal guidance, including the CHIPS and Science Act of 2022, National Security Presidential Memorandum-33 (NSPM-33), the OSTP Guidelines for Research Security Programs at Covered Institutions, and modeled on NIST IR 8484 to safeguard research from foreign interference. Core components include research security training, cybersecurity, foreign travel security, export control training, and review of foreign talent recruitment program participation. The program also includes screening for restricted parties and foreign adversary entities and the disclosure and review of COIs and COCs. Disclosures are reviewed to ensure compliance and reduce vulnerabilities.

Is there an official Purdue list of Foreign Countries of Concern (FCOCs) or Foreign Adversary Nations that faculty should reference when planning international research collaborations?

Purdue does not maintain a separate institutional list of “Foreign Countries of Concern” (FCOCs). Instead, the University aligns with federal and state designations. Federally, China (including Hong Kong and Macau), Iran, North Korea, and Russia are identified as FCOCs under the CHIPS and Science Act of 2022. With Indiana’s Executive Order 25-64, the Governor expanded this list to include Cuba and Venezuela, designating all of these as “Foreign Adversary Nations.”

Purdue employees should refer to the University’s Foreign Adversary Nations Policy (III.B.7) for guidance on how State of Indiana rules impact research, collaboration, and funding.

Yes. Trips to Canada and Mexico are considered international travel and must be disclosed and authorized prior to travel.

Federal research security requirements related to international travel are still evolving. Please review our international travel webpage for the most up-to-date information regarding regulations, instititional policy, and best practices.

Purdue faculty, staff, and other affiliated travelers are required to obtain approval for University Business travel in accordance with University Travel Regulations and department procedures. Check with your department administrator on standard practice in your area.

Most Purdue employees are only required to report personal travel when it is combined with University Business travel. However, some employees may have additional reporting obligations due to contractual requirements associated with sponsored projects. If you are unsure if this applies to you, contact RSEC.

It depends. Travel to countries designated by the State of Indiana or U.S. government as “foreign adversaries”must be reviewed and approved prior to traveling. Purdue employees should request approval through standard university processes such as the outside activity pre-approval request process through PERA or the international travel approval process through Concur. If you are involved in any sponsored projects, then check whether any restrictions or limitations related to travel exist. If you are unsure, then contact Sponsored Program Services (SPS).

Professional travel or engagement that includes any form of payment from a foreign adversary nation, or an entity in a foreign adversary nation, including travel expenses, is generally not allowable. Travel to an entity listed on a U.S. restricted party list such as BIS Entity List or OFAC’s Specially Designated Nationals List is prohibited.

It depends. Teaching or conducting university activities from outside the United States may be subject to U.S. export control and sanctions regulations. There are also research security and other regulatory requirements that must be considered. You may not teach, present, or provide instruction while physically located in, or to individuals located in, a comprehensively sanctioned country or foreign adversary nation without prior authorization. Teaching activities should involve approved educational materials that are publicly available because publicly available information is generally exempt from export controls; however, U.S. sanctions rules still apply. Information security must always be maintained. Only use Purdue-approved platforms such as Zoom or Teams with institutional accounts, and avoid accessing or sharing sensitive or controlled information from unsecured networks or devices.

The National Institute of Standards and Technology (NIST) defines an FTRP as an effort organized, managed, or funded by a foreign government or a foreign government entity to recruit science and technology professonals or students.

As a state educational institution in Indiana, Purdue University prohibits any employee from participating in any foreign recruitment programs funded or organized by a 'foreign adversary nation,' in accordance with Indiana Executive Order 25-64 and university policy.

The CHIPS and Scince Act of 2022 requires disclosure of participation in all Foreign Talent Recruitment Programs (FTRPs), regardless of country, and prohibits recipients of federal funding from participating in Malign Foreign Talent Recruitment Programs (MFTRPs).

Malign Foreign Talent Recruitment Programs (MFTRPs) are defined in the CHIPS and Science Act of 2022 as foreign talent recruitment programs that: 1) are sponsored by a Foreign Country of Concern or an an entity listed under Section 1286(c) of the John S. McCain National Defense Authorization Act; 2) involve any form of compensation or remuneration; and 3) include problematic obligations or activities.

Participation in a MFTRP is prohibited by law and policy, and the consequence for violations can include both civil and criminal penalties resulting in fines or even jail time. More about what separates an FTRP from a MFTRP can be found here. Given the complex nature of these programs, it is recommended you reach out to Research Security and Export Controls (RSEC) with questions or for consultation. RSEC determines whether something meets the definition of a MFTRP and advises on the appropriate response.

If you have participated in a FTRP in the past, please consult with RSEC to determine whether additional mitigation measures or disclosures are necessary.

The prohibition of participation in FTRPs or MFTRPs, as outlined in the CHIPS and Science Act of 2022, applies primarily to current or ongoing involvement. However, prior participation must still be disclosed to federal sponsor in accordance with their specific disclosure requirements.

Federal agencies are actively conducting risk assessments prior to funding awards. Continued engagement with institutions affiliated with such programs, or maintaining ongoing connections with indivduals affiliated with a program increases your risk profile. As a result, some agencies may require enhanced risk mitigation measures as a condition of funding, or may choose not to issue awards based on these risk factors. USDA has recently indicated that they will not issue funding to anyone who has been engaged in a MFTRP at any point over the prior 10 years.

Yes! International collaboration continues to be a valued and encouraged part of U.S. research policy. While recent legislation and global tensions have introduced new research security requirements, these measures are not intended to discourage international engagement. Rather, they are designed to help researchers manage risk responsibly.

Effective research security policies emphasize awareness, transparency, and risk mitigaton. At Purdue, researchers are encouraged to engage in international collaborations while following established procedures for managing those partnerships. RSEC supports this effort by assessing risks related to international engagements, providing training and educational resources to help mitigate risk, and collaborating with campus partners to ensure compliance and to protect the integrity of Purdue’s research enterprise.

It is important to note that collaboration with any organization or individual listed on a U.S. restricted party list, such as the BIS Entity List, OFAC Sanctions List, and DOD 1286 list, is prohibited under Purdue’s Research Security Program Policy (I.A.6). Additionally, engagements involving entities in or affiliated with Foreign Adversary Nations require review by RSEC, along with other relevant University units, to ensure compliance with federal and state regulations as well as Purdue policies.

Prior affiliation with a flagged institution does not automatically disqualify someone from being hired or engaged in research activities. However, Purdue’s Research Security and Export Control (RSEC) team may need to review the situation to assess any potential risks, especially if the institution is located in a Foreign Adversary Nation or appears on a U.S. restricted party list (e.g., BIS Entity List, OFAC’s SDN List, or DoD Section 1286 List). Purdue partners with the International Scholars Services office to conduct screenings on visiting scholars and potential hires receiving sponsorship from Purdue as well as for students from comprehensively sanctioned countries.

As individuals join Purdue, it is important that they be aware on Purdue’s Standard for Authoriship of Scholarly Works (S-24) which highlights that author affiliation should represent the institution(s) where the research was conducted, supported, and/or approved rather than the institution an author is affiliated with at the time of publication.

It is important that prospective faculty, staff, students, and visiting scholars understand our commitment to research security. By committing to Purdue, they are committing to follow established university procedures and are prohibited from engaging with individuals or organizations on U.S. restricted party lists.

There are several U.S. government-maintained lists that identify restricted parties, and it's important to understand that these lists are frequently updated, especially during periods of regulatory or geopolitical change. For reference, two key lists include the Entity List in Supplement No. 4 to Part 744 of the Export Administration Regulations (EAR) and the Department of Defense’s Section 1286 list.

Given the dynamic nature of these lists, it is essential to verify the status of any foreign institution, particularly those from a “Foreign Adversary Nation” before initiating new collaborations. At Purdue, this verification is built into standard approval workflows. The University uses screening software to check individuals and entities against restricted party lists, and this system also alerts RSEC if a party is added to a list after an initial review.

Follow standard university procedures to submit your sabbatical and travel plans for approval. RSEC is dovetailed into this existing process and will reach out to you if there are any risks that need discussed.

This requires a review of the activity. The participation must be submitted as an Outside Activity via the Outside Activity Disclosure Form. If the participation does not present a conflict of interest/commitment, is recommended for approval by RSEC, and approved by the OA Officer, Dept Head and Dean, then participation is allowed.

Yes. Some restrictions may apply depending on what is being presented and who is involved. Be sure to apply for approval through standard university processes such as the outside activity pre-approval request process through PERA , if you are receiving any type of compensation. Be sure to include the conference title, website, and invitation information. Check with your department administrator for guidance on how to obtain approval or contact RSEC for additional guidance.

Yes. RSEC screens international collaborations for restricted entities and any additional, unforeseen risks related to collaboration. However, if you are engaged in an activity with a collaborator which has routed through another university office like Sponsored Programs or Finance, a restricted party screening would already have been conducted.

Depending on the project, some sponsors may require a risk mitigation plan to ensure appropriate controls are in place to protect research data and intellectual property.

If you have not been contacted by either SPS or RSEC, then reach out to RSEC immediately via rsec@purdue.edu. Research Security and Export Controls (RSEC) will work with you to develop a risk mitigation plan. After collaborating to develop the risk mitigation plan, RSEC will route the risk mitigation plan to Sponsored Programs Services (SPS) for submission back to the sponsor.

Each agency (DOE, DoD, NSF, etc.) has a different approach when reviewing proposals for funding opportunities, however, the following activities generally trigger extra scrutiny by all agencies:

• Participation in a foreign talent recruitment program
• Affiliation with entities on U.S. restricted party list(s) such as BIS Entity List or OFAC’s SDN List.
• Foreign funding or patents filed outside the United States.

No. They must be shared with Purdue. All current outside activities must be reported in accordance with Purdue Policy III.B.1 and III.B.2 and via the Outside Activity Disclosure Form.

All faculty and eligible PIs as well as staff, students, and other involved in research-related activities are required to take the training. Waivers can only be authorized by the EVPR, if requested by your Dean. Please check with your department head to determine if a waiver request is appropriate.

All faculty, regardless of whether they are actively engaged in research, are required to complete Research Security training. While certain aspects of the training may be more applicable to specific faculty or disciplines, the research security training addresses critical topics related to international travel, cybersecurity, and insider threats, as well as new disclosure requirements - both within Purdue and for federal sponsors. These issues are broadly relevant to faculty and ensure institutional compliance with federal regulations.

Yes. PhD students involved in research-related activities are required to take the annual Research Security training.

Upon completion of the Research Security Training at Purdue course in BrightSpace you will receive an email confirming your completion. You may also login to BrightSpace> click on your name in the top right corner> select “Profile” > select “View My Awards” under “Awards Showcase” section where you should see a badge for your completion of the course.

You can also check by logging into the WebCert Course Catalog under the Office of Research subheading.

Please review the FAQs at the top of the WebCert Course Catalog page for general troubleshooting. For any technical issues, then contact webcert@purdue.edu.

I am having trouble navigating the training and it skips modules.

When navigating the training, be sure to watch videos in their entirety, then select next within the frame. People often click the arrows outside the frame near the title of the course. Selecting these arrows will skip modules and cause you to lose your place.

Given the interdisciplinary nature of research and the changes to key personnel on research, the Research Security training is applicable to all Purdue faculty, not only those involved in research. This ensures Purdue University remains compliant with federal requirements and offers protection of Purdue’s research environment.

The training is mandatory for all Purdue faculty and eligible PIs as well as staff, students and others involved in any research-related activities.

If you completed the training, search your Outlook for a message from BrightSpace. If you find the notification of award for course, then forward to rsec@purdue.edu explaining you completed the course. If you do not find the notification, then refer to WebCerts to view course progress. You may have forgotten to complete a module successfully or may have forgotten to complete the attestation at the end of the course.

Research Security training must be completed on an annual basis.

Research Security training is mandatory for all Purdue faculty and eligible PIs as well as staff, students and others involved in research-related activities. If you do not believe this includes you, but received an email, please contact rsec@purdue.edu.

Purdue’s Research Security training must be completed annually for all federally funded research. Additional training is required depending on the type of research you do and the requirements outlined in your project contract. For a general list of training requirements, review the Researcher Training page available through the Office of Research. If you are involved in controlled research, additional export control training is required and any training mentioned in an RMP is required respectively.

Export Controls

What services does RSEC offer for exports?

Below are some of the export-related activities RSEC can help you with:

• Regulatory compliance with export-controlled and other export-related policy
• Acquiring an export license
• Developing a technology control plan (TCP)
• International shipping to ensure your shipments are compliant with export control regulations
• Reviewing research contracts and agreements for controlled research and respective restrictions, including Controlled Unclassified Information (CUI), and setting up proper controls
• Training required for controlled research

Research that includes restrictions on publication, participation, or the use of controlled inputs (e.g., technical data, software, or materials). Such projects may require a technology control plan (TCP). Anytime the University is handling information that is not already in the public domain and that we do not plan or are not permitted to release into the public domain, it may be subject to export control regulations.

U.S. regulations that restrict the transfer of certain items, technology, or software to foreign countries or foreign persons. These apply to research, shipments, collaborations, travel, and other university activities.

Information arising during or resulting from basic and applied research at universities which is intended to be published and broadly shared with the academic community is considered fundamental research and is not subject to export control regulations. This is distinguished from proprietary research and from industrial development, design, production, and product utilization. The results of all of these are ordinarily are restricted for proprietary or national security reasons. When Purdue accepts either of the following, the research cannot be considered fundamental research and may be subject to export control regulations:

• Dissemination restrictions: Sponsors may review and comment on publications, but if they have approval authority over our ability to publish, it is considered a publication restriction.
• Access restrictions: While it is not uncommon to report project staff to a sponsor, it is uncommon for a sponsor to have approval authority over foreign person research staff or for a sponsor to prohibit foreign persons from participating in the research. Such restrictions are considered access restrictions.

Prior to issuing an award, federal sponsors assess the proposed research to identify whether the research should be fundamental research or whether the research should be restricted. The awards are then scoped appropriately to either: A) allow the research to remain unrestricted; or B) to apply access and/or dissemination restrictions to the award, causing the research to be controlled. According to National Security Decision Directive 189, it is the policy of our federal sponsors that, “to the maximum extent possible, the products of fundamental research remain unrestricted.”

Restricted Parties are entities the U.S. government has designated as acting contrary to the national security or foreign policy objectives of the United States. Restricted Parties may be foreign or domestic and they may be people, companies, universities, organizations, etc. Parties may be added to a restricted party list because they have engaged in terrorism, because they have violated export control regulations, for polictical reasons, etc.

Publicly available lists of individuals or entities that are subject to restrictions because of government or NGO sanctions, denials, or debarments. This includes U.S. government lists (e.g., Entity List, SDN List, Debarred List) as well as certain non-U.S. and NGO lists. Purdue screens potential collaborators, vendors, and visitors against these lists using the hosted service Visual ComplianceTM. This hosted service also continually re-screens parties against changes to restricted party lists and will flag RSEC if a previously screened party is added to a restricted party list. It is Purdue policy not to engage with parties on U.S. government-issued restricted party lists.

All international shipments are exports and should be processed through eShipGlobal. Research Security and Export Controls (RSEC) reviews international shipments through eShipGlobal to ensure compliance with licensing, destination, and end-use restrictions.

If you are receiving materials from outside the United States, this is considered an import, not an export. You should contact Purdue’s Materials Management and Distribution Center (MMDC) for assistance with import procedures, customs documentation, and delivery. Purdue cannot act as the exporter of record from a foreign country. The party providing the item is responsible for complying with all export and customs requirements in their country. If the shipment documentation references export controls or licensing conditions, you may notify the RSEC team for awareness, but questions regarding import handling should be directed to MMDC.

A non-disclosure agreement, or NDA, is a legally binding contract between two or more parties that outlines confidential information, knowledge, or material that the parties wish to share with one another for certain purposes, but wish to restrict from wider use or disclosure. If you are approached with an NDA, contact Sponsored Programs Services (SPS) since they are authorized signatories for Purdue. They will route the NDA for an RSEC review prior to executing the agreement.

Within the Purdue Excellence Research Administration (PERA) application, SPS sends ancillary reviews to RSEC for certain submitted proposals, agreements. This allows RSEC to identify whether there are any export control or research security concerns that need addressed in the NDA and whether any mitigation steps need taken by Purdue.

Contact Sponsored Programs Services for processing your subaward. If there are research security or export controls concerns, they will send an ancillary review to RSEC for further review and analysis.

Participation in export controlled research depends on the specific project and its applicable regulations. Individuals may participate only if they meet the eligibility requirements established under the relevant technology control plan (TCP). This generally includes completing applicable training and, for certain Department of Defense (DoD)–sponsored or higher-security projects, undergoing a background check. All participants must be approved by RSEC prior to being given access to export controlled articles, software, or technology. If a foreign person needs to access export controlled information, RSEC will also determine whether any export licenses are required and will apply for those on behalf of the University.

Interns may participate in export controlled research if they meet the same eligibility and training requirements as other project personnel. Their participation must be authorized under the applicable technology control plan (TCP), and they must follow all access and handling requirements established for the project.

Students who have theses/dissertations must submit their documents through Research Security and Export Controls (RSEC). There are many steps involved when submitting a controlled thesis that can be found here.

Keep in mind, access may be limited to U.S. persons only. Also, RSEC must review and approve anyone invited to participate in the student’s preliminary exam/defense. Participation in the presentation of the thesis/dissertation may be limited to U.S. persons. RSEC requires the participant list, including the thesis committee members, at least five business days in advance of the presentation. Submit the participant list to rsec@purdue.edu along with the associated TCP number.

If you require an extension for an embargo on your dissertation, then contact the Thesis and Dissertation Office.

Access to a controlled thesis may be limited to U.S. persons only. For access, contact RSEC via rsec@purdue.edu.

Depending on the activities you are involved in, your training may vary. Check here for a list of potentially required training.

Yes. Anyone working on controlled research is required to undergo a background check prior to working on project. See Purdue’s Policy on Background Checks (VI.F.6).

Research Security and Export Controls (RSEC) provides tailored training to interested departments, centers or groups to give you and your unit basic understanding of export control regulations and safeguarding best practices. To schedule a training, please contact rsec@purdue.edu.

Any software/technology subject to U.S. export control regulations is considered “controlled software” and requires safeguarding to prevent unauthorized access.

Any controlled software must not be installed until a full review has been conducted by Research Security and Export Controls (RSEC). A technology control plan (TCP) will also detail specific handling measures related to controlled software.

The Electronic Thesis Acceptance Form (ETAF) Form 9 is a mandatory form that graduates must complete after successfully defending their thesis or dissertation. It serves as the official record of approval from the student's advisory committee and department. Contact Nicole Moody (nbarr@purdue.edu) for guidance on completing the iThenticate section on the Electronic Thesis Acceptance Form (Form 9).

Important: If your thesis contains controlled data that is subject to EAR, ITAR, or other federal regulations, then you must follow a separate process for submitting your thesis. Those instructions can be found here.

Contact Research Security and Export Controls (RSEC) for help with preparing and submitting an application to the agency involved. RSEC will also help manage communication between all parties. Be sure to contact RSEC as soon as possible since licenses can take anywhere between weeks or several months depending on multiple factors.

A Technology Control Plans (TCP) is a formal document that is often required when performing controlled research and addresses who is allowed to work on the project, any dissemination/publication rules, physical and electronic security of related data and materials. RSEC works directly with the PIs to develop and monitor TCPs. Click here for more information.

Any additions of personnel to a project with a technology control plan is considered an amendment to that plan and must be communicated to RSEC prior to adding anyone to your project. Submit your request to RSEC by clicking here. RSEC will facilitate onboarding activities for new project participants including requesting background checks, notification of relevant trainings, restricted party screenings, etc. Once all onboarding activities are complete, RSEC will also communicate with IT to ensure that new individuals are set up with access to the appropriate environments in which to work with export controlled information.

Any presentations that contain controlled data must meet required safeguards (secure space, encryption, etc.) to ensure unauthorized access doesn’t occur, and must be reviewed by RSEC prior to presenting. Alternatively, you may follow contractual requirements to obtain approval to publicly release the information. Generally, this involves obtaining approval from the federal sponsor.

There are several control lists within export control regulations, and where an item, software, or technology is found on those lists is its export classification.

The International Traffic in Arms Regulations (ITAR) are administered by the Department of State. Within the ITAR is the U.S. Munitions List (USML) which describes defense articles and their related software and technical data.

The Export Administration Regulations (EAR) are administered by the Department of Commerce. Within the EAR is the Commerce Control List (CCL) which describes dual-use articles and their related software and technology.

Things not found on the USML or CCL are generally considered EAR99. Export licensince requirements for exports designated as EAR99 default to end-user, end-use, and sanctions controls.

Controlled Unclassified Information (CUI) is information the U.S. Government creates or possesses—or that an entity creates or possesses for or on behalf of the government—that requires safeguarding or dissemination controls in accordance with applicable laws, regulations, and government-wide policies.

CUI is not classified, but it must still be protected from unauthorized access or disclosure.

Established by Executive Order 13556 and codified in 32 CFR 2002.4(h), Controlled Unclassified Information (CUI) is information the U.S. government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information that a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

Most of the CUI the university works with is also subject to U.S. export control regulations and is, therefore, subject to multiple regulatory schemes.

What must I do to handle CUI?

Like all controlled research projects, individuals must do the following to be able to work with Controlled Unclassified Information (CUI):

• Take the appropriate training
• Have a completed Background Check on file with Human Resources - see Purdue’s Policy on Background Checks (VI.F.6)
• Note: Consistent with Purdue’s Policy, if a pre-employment background check was not completed, one will be required before someone is authorized to work on a controlled Research Project
• Be screened against U.S. Government Restricted Party Lists

Principal Investigators of Controlled Research Projects are responsible to ensure all controlled research is restricted from unauthorized individuals and to notify RSEC if new individuals need to access the CUI. RSEC will work with project personnel to ensure they have completed appropriate onboarding steps and will facilitate getting onboarded individuals access to appropriate systems where CUI is safeguarded.

CUI may only be presented in secure, approved locations and only to individuals with a “need to know”.

If for some reason CUI appears in your project later, then you are still responsible for managing it appropriately. Contact RSEC immediately.

Controlled Unclassified Information (CUI) must be protected during transmission in accordance with the requirements of the applicable technology control plan (TCP). CUI may only be transmitted using approved encrypted methods—such as Purdue’s secure file transfer systems or authorized environments like Luna—and only to recipients who are eligible and approved under the TCP. CUI must never be sent through standard email, unencrypted storage media, or personal cloud accounts. When physically transferring CUI, it must remain under continuous control, be securely packaged, and use a tracked delivery method.

Covered Defense Information (CDI) is a subset of CUI related to Department of Defense (DoD) contracts. It includes information that requires protection under DFARS clause 252.204-7012 and may include technical data or other information subject to safeguarding requirements.

CDI is a specific subset of CUI. While all CDI is CUI, not all CUI is CDI. The distinction is based on the contract and the federal agency that controls the information.

Export controlled information—such as technical data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR)—may also be designated as CUI, depending on the agency. However, export controlled information is governed by separate statutory and regulatory frameworks and must be protected regardless of whether it is also labeled as CUI.

Researchers should be aware that handling CUI may require safeguarding according to both CUI requirements and export control regulations.

Federal contracts and agreements—especially with defense or national security agencies—may include requirements for handling CUI or CDI. These obligations affect how research data must be secured and shared, and non-compliance can jeopardize funding or result in legal liability.

Purdue is required to implement appropriate controls when research or contract activity involves CUI or CDI. These may include:

• Secure data storage (physical and electronic)
• Network and system protections compliant with NIST SP 800-171
• Access controls and personnel screening
• Required training for researchers and staff
• Incident reporting protocols

NIST Special Publication 800-171 outlines the cybersecurity requirements for protecting CUI in non-federal information systems. It is often incorporated into federal contracts through flow-down clauses and serves as a benchmark for compliance.

Purdue’s information security teams and Research Security and Export Controls (RSEC) can help determine whether a project requires NIST SP 800-171 compliance and can guide implementation.

Purdue has institutional processes to evaluate and manage projects involving CUI or CDI. These include:

• Contract review and negotiation by Sponsored Program Services to identify CUI/CDI clauses
• Export control review by RSEC
• Cybersecurity compliance assessments coordinated with Purdue Systems Security (PSS)
• Development of technology control plans and secure computing environments when required

Researchers should notify RSEC as early as possible when CUI or CDI may be involved. Purdue will determine whether additional safeguards or approvals are necessary before the work begins.

Not all federally funded research involves CUI or CDI, but certain types of activities are more likely to trigger these requirements. Examples include:

• Research funded by the Department of Defense (DoD)—especially under contracts or agreements that reference DFARS 252.204-7012 or specify CUI categories
• Projects involving technical data or defense-related technology, including prototypes, system designs, or testing results
• Collaborations with federal agencies or contractors where information is marked as CUI or protected under specific safeguarding clauses
• Work involving export-controlled information, such as EAR- or ITAR-regulated technologies, which may also be designated as CUI by the sponsoring agency
• Efforts involving access to government-furnished information, proprietary data, or restricted datasets

Researchers are encouraged to consult with RSEC and Sponsored Program Services during the proposal and award stage to assess whether CUI or CDI may be involved.

Failure to properly safeguard CUI or CDI can result in significant consequences for both individuals and the institution. These may include:

• Breach of contract and termination of funding
• Loss of future federal contracting opportunities
• Fines, penalties, or legal liability
• Federal investigations or audits
• Damage to Purdue’s reputation and research standing

Purdue has processes in place to support compliance and reduce institutional risk. Researchers play a key role by understanding their responsibilities and seeking guidance early in the project lifecycle.

By definition, fundamental research is intended to be published and broadly shared, and it is not subject to dissemination controls or access restrictions.

However, if a federal contract or agreement imposes restrictions on the release or handling of information—such as CUI marking or DFARS safeguarding clauses— the project may no longer qualify as fundamental research.

In such cases:

• Purdue will assess the project during contract negotiation
• The university may negotiate to preserve the fundamental research status, or
• If restrictions remain, the project will be subject to CUI/CDI compliance requirements, and additional controls (e.g., secure environments) may be necessary

Researchers should contact RSEC before accepting any restrictions that may conflict with open publication or participation by foreign persons.

Researchers are responsible for ensuring that CUI or CDI is handled in accordance with applicable regulational policies. Key responsibilities include:

• Reviewing contract documents to identify CUI/CDI clauses
• Consulting RSEC when in doubt
• Completing required training on CUI/CDI handling
• Using approved secure systems for storing and transmitting CUI/CDI
• Restricting access to authorized personnel only
• Reporting any suspected data breaches or policy violations

If a project involves or may involve CUI/CDI, early coordination with Sponsored Program Services and RSEC is essential to determine the appropriate safeguards and support structures.

All individuals traveling international to attend a conference or event hosted at Purdue require screening. Additionally, all sponosors, speakers, or attendees affiliated with an institution or business that is owned by or operated in a foreign country requires screening. If the conference or event involves controlled research or controlled spaces, then domestic participants, except Purdue and government employees with proof of eligiblity are also screened.

Screening determines if a participant’s name or affiliated insitution listed on a U.S. restricted party or high risk entity list.

Because prohibitions and penalties for engaging with restricted parties are mandated by U.S. regulations, it is essential that we screen participants against these lists. Per University Policy I.A.6, Research Security and Export Control (RSEC) is responsible for ensuring that appropriate measures are in place to evaluate both existing and proposed engagements with foreign entities. These measures help identify potential risks and guide the University in determining the appropriate response. Under the same policy, covered individuals are required to refrain from engaging with parties listed on U.S. government restricted party lists. RSEC will conduct screenings of international participants to support compliance with this requirement.

Screening occurs at certain times during registration process and often in bulk. It is not triggered by or in reaction to a specific registration.

How do I know if an issue is found?

RSEC will notify you after each screening and inform you whether any issues were identified or more information is needed.

If screening results in denial, then RSEC will contact the faculty host and coordinate communication of denial.

You can appeal a denial to the Foreign Engagement Review Advisory Council. When you submit an appeal, please provide your reasoning why the denial should be appealed and include the importance of the individual’s participation.

RSEC can work with the host to screen participants prior to registration via ConfTool or ExOrdo to notify you of any issues early on. All participants are still screened during actual registration.

A foreign participant requires an invitation letter to start their visa process. Do they have to wait for screening to occur?

Foreign participants can begin their visa process through offering proof of registration for the conference. An invitation letter is not required until the time of the interview with the consular officer.

Note: if you have a pre-existing B visa or ESTA approval, and you do not feel you need to present conference-specific invitation or documentation during pre-flight or post-arrival inspection, then you do not need to request an invitation letter.

The conference host or contact is responsible for the issuance of invitation letters. However, invitation letters cannot be sent prior to RSEC approval.

Purdue University and most conferences will not refund registration fees after the registration cut-off date if the request stems from an individual's inability to obtain a visa, ESTA approval, or admission to the US. Purdue University will not intervene on behalf of the invitees with the Embassy or U.S. Consulate, or with the US Customs and Border Protection office.

RSEC has endorsed the following language for stakeholders to use when describing the screening process to attendees:

To ensure compliance with federal and state regulations and to promote a safe environment, Purdue University conducts screenings of all international conference attendees. This process is initiated based on your registration or your intent to register (i.e., submission of an abstract). Screenings are conducted in bulk following abstract submission and again at the conference registration deadline. Individuals impacted by the screening will be notified via email. Please note that Purdue University will not provide explanations of decisions if a denial occurs. Additional information regarding for international conference attendees can be found here.

Export shipments, hand-carried items, and other cross-border transfers of physical items—whether temporary or permanent—are subject to a variety of U.S. laws and international regulations.

These activities may involve U.S. export control and sanctions regulations, as well as other trade compliance requirements. Research Security and Export Controls (RSEC) is responsible for ensuring that all Purdue-related exports comply with applicable U.S. laws and regulations. Additional compliance requirements may also apply depending on the destination, item, intended end use, and parties involved.

Common examples include:

• Shipping research equipment or samples outside the United States
• Sending items abroad for demonstration, testing, or repair
• Hand-carrying devices, prototypes, or materials across borders

All Purdue faculty and staff involved in exports of physical items are expected to coordinate with RSEC in advance. Purdue’s eShipGlobal system must be used for all outbound export shipments and shipments involving regulated or hazardous materials, and careful planning is essential to avoid compliance violations, delays, or unnecessary costs.

The FAQs below provide guidance on when and how to engage RSEC , what information is required, and how to handle specific scenarios. ntry, its governmen

Physical exports may be regulated under multiple legal frameworks, including:

• Export control regulations (e.g., EAR, ITAR)
• U.S. economic sanctions (e.g., OFAC restrictions)
• Customs and trade regulations

RSEC’s role is to ensure that exports from Purdue comply with applicable U.S. sanctions, export control, and related trade regulations.

You should request a review before physically moving any tangible items across an international border—whether shipping through a courier service or hand-carrying items during travel. Early review ensures compliance with export control, sanctions, and related trade regulations.

To begin the shipping process, Purdue faculty and staff should submit their request through the eShipGlobal system. eShipGlobal helps:

• Route the request to appropriate campus reviewers (e.g., RSEC, EHS)
• Ensure carrier selection and shipping documentation are compliant
• Facilitate customs clearance and handling of regulated materials

All requests for outbound export shipments are expected to be processed through eShipGlobal. This centralized process helps ensure institutional compliance and proper coordination with all applicable university and regulatory requirements.

Yes. Physically transporting items such as carrying a device, prototype, or biological sample outside of the U.S. in your luggage is considered an export. These transfers are subject to the same compliance requirements as items shipped by courier or freight.

Before hand-carrying anything internationally, you must contact RSEC to:

• Determine whether a license or license exception is required
• Ensure documentation is prepared for customs
• Confirm that the transfer does not violate export control or sanctions regulations

Hand-carried items should not include:

• Items that are export-controlled
• Items subject to additional regulations (e.g., biological materials, hazardous chemicals, radioactive sources)
• High-value items

Hand-carried items are still subject to export control, customs, trade, and other international regulations. The traveler is personally responsible for ensuring compliance with all such requirements and may also be responsible for payment of import duties or value-added taxes (VAT) imposed by the destination country.

Advance coordination with RSEC is strongly recommended to avoid compliance issues, travel disruptions, or unexpected costs.

When initiating a cross-border shipment request through eShipGlobal, the system will guide you through a questionnaire designed to collect the necessary information for compliance review. This information must be provided for each distinct item in the shipment and includes:

• What the item is – A detailed, complete, and thorough description
• Where the item is being shipped – Destination country and full shipping address
• To whom the item is being shipped – Name, organization, country, and contact information
• Why the item is being shipped – Purpose of the transfer or activity
• Whether the shipment is associated with sponsored research
• Name of the PI or responsible individual
• Approximate gross weight of the item or package
• Number of distinct items or packages
• Net value in USD
• Purpose of the shipment, selected from a dropdown list in eShipGlobal

Some fields—such as the country of origin, Harmonized Tariff Schedule (HTS) number, and Export Control Classification Number (ECCN)—are optional and may be completed during RSEC’s compliance review if not initially provided.

Providing accurate, item-specific information up front helps prevent delays and ensures timely processing of your shipment.

Yes. Certain export shipments require formal reporting to the U.S. government through the Automated Export System (AES), which is managed by U.S. Customs and Border Protection (CBP) and the Census Bureau. This reporting is done by submitting Electronic Export Information (EEI) prior to export.

An EEI filing is required when:

• The value of a single commodity in the shipment exceeds $2,500 (USD)
• The shipment is subject to an export license or a license exception that requires filing
• The item is subject to the International Traffic in Arms Regulations (ITAR)
• The shipment is destined for certain sanctioned or embargoed countries
• The shipment includes regulated or strategic items, even if under $2,500

This requirement may also apply to hand-carried items, not just those sent by courier or freight. Travelers carrying equipment, prototypes, or materials across a border may need to comply with EEI filing requirements depending on the nature and value of the item(s).

Purdue’s eShipGlobal system routes relevant export information to RSEC, which will determine whether EEI filing is required and ensure that it is completed correctly. EEI filings are subject to strict accuracy requirements, and false or omitted filings can result in civil and criminal penalties.

Note: EEI filing must occur prior to export, and failure to file when required can lead to delays, seizure of goods, or compliance violations.

If you are planning to send equipment or materials abroad for servicing, repair, calibration, or return to the manufacturer, thought must be given to both the outbound and return shipments. These transactions involve both export and import compliance obligations and should be reviewed in advance to avoid delays, violations, or unexpected costs.

Even if the item will be returned to Purdue, the outbound shipment is considered an export, and the return shipment is considered an import—each with distinct regulatory and logistical requirements.

Roles and responsibilities should be clearly understood:

• Purdue is the exporter for the outbound shipment
• The foreign recipient (e.g., vendor or service provider) must be both the importer into their country and the exporter for the return shipment Purdue’s Materials Management and Distribution Center (MMDC) is available to help with import questions
• Purdue is the importer for the return shipment into the United States

These roles have implications for:

• Export control licensing and documentation (e.g., License Exception TMP)
• Customs declarations and valuation
• Duties, taxes (VAT), and brokerage fees
• Responsibility for insurance and risk of loss

To initiate the shipment, submit the request through eShipGlobal. RSEC will work with you to ensure proper classification, licensing (if required), and documentation for both outbound and return shipments.

If you are sending an item to a foreign country for demonstration, exhibition, evaluation, or testing—and it is not being sold, serviced, or repaired—you are still making an export, and regulatory review is required prior to shipment.

These types of shipments may qualify as temporary exports, but that status must be properly documented to avoid unnecessary duties, taxes, or customs complications.

One recommended option is to obtain an ATA Carnet, an internationally recognized customs document that facilitates the temporary importation of goods into participating countries without paying import duties or taxes. Carnets are commonly used for:

• Scientific equipment taken abroad for demonstrations or presentations
• Prototypes or models sent for short-term evaluation
• University-owned devices temporarily exhibited at conferences or trade shows

Key considerations:

• Purdue is the exporter and the re-importer
• No servicing or modification of the item should occur while abroad
• The item must return to Purdue in the same condition, typically within one year
• The ATA Carnet must accompany the item during export, re-import, and any border crossings
• Not all countries accept ATA Carnets. RSEC will help determine eligibility and alternatives

To initiate the process, submit the request through eShipGlobal and notify RSEC well in advance to allow time for licensing review and coordination of the carnet application, if applicable.

What risks are involved with unreviewed export shipments? Moving physical items across borders—whether through shipping or hand-carrying—without prior review can result in a range of risks and consequences, including:

• Detention or seizure of items by customs authorities
• Delays that disrupt project timelines or international collaborations
• Unnecessary import duties or value-added tax (VAT) charges, which may not be recoverable
• Penalties and other punative actions resulting from violations of U.S. export control, sanctions, or trade regulations
• Reputational harm to both the individual and the university

To avoid these issues, Purdue requires advance review of all physical exports. RSEC helps ensure that transfers comply with applicable laws and institutional policies, while minimizing risk and facilitating timely, secure delivery.

Whom should I contact at Purdue with questions about international shipments or hand carries? For questions related to export shipments, please contact the following offices:

• RSEC – for guidance on export control regulations, sanctions compliance, and license requirements.
• The Materials Management and Distribution Center (MMDC) – for assistance with logistics, eShipGlobal, carrier coordination, and campus shipping procedures

Early coordination with both offices helps ensure compliance with applicable regulations and smooth handling of your shipment.

For questions related to hand-carries, please contact RSEC for guidance on export control regulations and sanctions compliance.