PROGRAM NAME
FOREIGN PERSON
TECHNOLOGY CONTROL PLAN
Date
PICTURES OF COUNTRY FLAGS TCP APPLIES TO
UNITED KINGDOM
COMPANY NAME
ADDRESS
CITY & ZIP CODE
Approved By: NAME OF PERSON AUTHORIZING TCP
TITLE OF PERSON AUTHORIZING TCP
Any deviation or waiver from or exception to this plan requires the prior approval of the designated point of contact and Security Services.
document change history
title: PROGRAM NAME TECHNOLOGY CONTROL PLANrEV / DATE / REV. BY / PAGES
AFFECTED / REMARKS
table of contents
I.SCOPE......
II.PURPOSE......
III.TECHNOLOGY CONTROL PLAN & NONDISCLOSURE STATEMENT ACKNOWLEDGMENT.
IV.TECHNICAL DATA......
A.Classified......
B.Unclassified......
C.Reviewing Requirements Of All Technical Data......
V.INDOCTRINATION OF FOREIGN PERSONS......
A.Safeguarding Private Data, Proprietary Data, Classified Data......
1.Private Data......
2.Proprietary Information......
3.Classified Information......
B.Facility Services......
1.International Mailing......
2.International Freight and Courier Shipments......
3.Electronic Transmissions......
4.Information Systems Requirements......
5.Reproduction......
6.Classified Storage Containers......
C.Security Violations......
VI.FACILITY ACCESS......
A.Badge Requirements......
B.Hours Of Access......
C.Area Of Access......
D.Dress Policy......
E.Unauthorized Personal Items......
F.Container Searches......
VII.EXPORT/IMPORT......
VIII.OUT PROCESSING......
IX.SECURITY POINT OF CONTACTS......
X.PROGRAM NAME PROGRAM CONTACTS......
ATTACHMENT A(AREAS OF ACESS)
ATTACHMENT A(AREAS OF ACCESS) (CON’T)......
ATTACHMENT B(INTERNATIONAL SHIPPING DOCUMENT FORM)
ATTACHMENT C(NOTES)......
ATTACHMENT DTECHNOLOGY CONTROL PLAN (TCP) & (NONDISCLOSURE STATEMENT (NDS)) ACKNOWLEDGMENT
1
I.SCOPE
This plan applies to all elements of Company Name associated with foreign government or commercial programs. Disclosure of information to Foreign Persons in the course of a non-escorted visitor or employee status is considered an export disclosure under the International Traffic and Arms Regulations (ITAR) and is subject to a Department of State License/Agreement.
II.PURPOSE
To delineate the controls necessary to ensure that no transfer of technical information or technical data is effected to Foreign Person visitors beyond that which is approved for license by the Department of State or Office of Defense Trade Controls (ODTC). Compliance with Department of Defense Requirements for “Technology Control Plan” (TCP) Limiting Access by Foreign Nationals at Cleared DoD Facilities, and International Traffic In Arms Regulations (ITAR) which covers access to Defense Articles and information.
III.TECHNOLOGY CONTROL PLAN & NONDISCLOSURE STATEMENT ACKNOWLEDGMENT
Disclosure of controlled technical data to a Foreign National assigned at a U.S. security-cleared facility is considered an export under the International Traffic in Arms Regulations (ITAR)(22 CFR 126.13(c)). Such a release requires a Department of State license agreement or an exemption, and submission of a Technology Control Plan (TCP) and a Non-Disclosure Statement.
All visitors and Company Name employees on Program Name to whom technical data will be disclosed under license by Office of Defense Trade Controls, will be required to sign a Technology Control Plan (TCP) & Nondisclosure Statement (NDS)) Acknowledgement (see Attachment D). A signed and dated copy of the TCP & NDS Acknowledgement will be maintained by Company Name Security or forwarded to the Office of Defense Trade Controls, if required. In order to be allowed “No-Escort” status, the Technology Control Plan (TCP) & Nondisclosure Statement (NDS) Acknowledgement form, (Attachment D), must be signed by you and the briefer. Violation of the Technology Control Plan may subject the visitor(s) to the loss of their “No-Escort” privilege.
IV.TECHNICAL DATA
You are not authorized access to any advanced technology materials under U.S. Government contracts; nor to any advanced technology material on the U.S. Munitions List not under U.S. Government contract unless approved under a specific export License/Agreement.
A.Classified
You will be allowed access to classified information only when Company Name has a license or agreement for the release of the technology from the State Department and the Foreign Disclosure Office. There must be an assurance from your Government through the Department of the Air Force, Foreign Disclosure Office advising that you have been approved for access to classified information.
B.Unclassified
Unclassified data may be accessed to the extent necessary to fulfill designated duties in accordance with the Technical Assistance Agreement (TAA) submitted with the Department of State License Application Form DSP-5 export license or agreement. Access to such data will be controlled by the Program Manager responsible for Program Name.
While assigned to Company Name, or any other Company Name division, you not authorized access to any advanced controlled technical data materials under U.S. Government contract, or on the U.S. Munitions List, or the Commerce Control List (CCL), except that which is approved under a specific export license or agreement.
C.Reviewing Requirements Of All Technical Data
All technical data will be reviewed by the Program Office designated personnel responsible for verification that the information does not exceed the scope or violate any limitations/provisos of the active Technical Assistance Agreement and/or Export Licenses. Technical data, that is not contractually required, will be reviewed by COMPANY NAME Security Representatives. Only materials in the English language will be transferred unless adequate translation services are available.
V.INDOCTRINATION OF FOREIGN PERSONS
It is the intent of Company Name to retain technology and/or experience sensitive to its business operations. Procedures regarding the protection of sensitive data serve as an additional safeguard, ensuring against inadvertent or intentional transmission of such information.
A.Safeguarding Private Data, Proprietary Data, Classified Data
Any Company Name Private Data, Proprietary Data, or Classified data that is authorized for release to you will require the following safeguards.
1.Private Data
- Private data includes not just personal, but also business (Company Private), and Government (Official) information that is generally unavailable to the public and whose unauthorized use or disclosure is not in the best interests of Company Name, its employees, or those doing business with Company Name. Private information is business sensitive material that is not for public disclosure, as determined by management. For example, such material could include process and procedures type manuals and handbooks; pricing data and rate structures; data controlled reports and drawings; unmarked microfilm, photographic, and archived Company Name material; Legal, investigative, and security case files; as well as other business specific information and correspondence that the resource owner designates as requiring Company Private markings and controls.
- Private Data must be protected from unauthorized disclosure, modification, distribution or destruction, whether accidental or intentional.
- Private Data will be locked in a desk, credenza, file cabinet; or in a locked or access controlled office, suite of offices, or entire building complex in which unescorted access is restricted.
- Private Data that has not been properly secured by the user or the area security monitor will be recovered and safeguarded by Security Services. Persons determined to be responsible for leaving the material unattended will be charged with a security violation.
- Private Data that is no longer required should be placed in blue barrels located in or near the Program Name areas.
- Material will be marked Company Name Company Private Data at the top and bottom of each page.
2.Proprietary Information
- Proprietary information is material, methods, and Patentable, Trade Secret, Competition Sensitive, Restricted Access Program (RAP) and other exclusive information that if compromised would result in the loss of business, investment, market opportunity, and profit.
- Need-to-know – A determination made by a Company Name employee based on the requirements of this plan that an intended recipient has a need for access to, knowledge of, or possession of Proprietary Information.
- Proprietary Information will be locked in a desk, credenza, file cabinet; or in a locked or access controlled building, quadrant, office, or suite of offices in which individuals who do not possess a need-to-know are escorted.
- Violations involving Proprietary Information are identified as major or minor security incidents. The determination as to whether a violation is a major or minor incident depends on extent and impact of damage. The unauthorized disclosure or removal of Proprietary Information will result in a security violation, and could lead to legal redress. Proprietary information that has not been properly secured by the user will be recovered and safeguarded by Security Services. Persons determined to be responsible for leaving the material unattended and exposed will be charged with a security violation.
- Proprietary Information containing technical data will not be transported outside the Continental U.S. unless authorized by Security Services and the Export Control Office.
- All proprietary data that needs to be transmitted electronically can only be passed by PGP encryption, 128 bit encryption, IDE, VPN, and/or the TBDNetwork. All other transmission will require it to be mailed.
- Proprietary Information that is no longer required should be placed in blue barrels located in or near the Program Name areas.
- Material will be marked Company Name Proprietary at the top and bottom of each page.
3.Classified Information
- Classified Information will be physically marked with the appropriate classification level. Classification designation by physical marking, notation, or other means serves to warn and to inform you what degree of protection against unauthorized disclosure is required for that information or material. It is essential that all classified information and material be marked in such a manner that it is clear to the holder what level of classification is assigned to the information or material and exactly what portions of the information or material contain or reveal classified information.
- Company Name employees and visitors working on the Program Name program will be required to have NATO access before accessing NATO classified.
- The NATO classified must be approved by an export license DSP-85 or TAA covering such information.
- Classified Information must not be left unattended at any time. To ensure proper storage of classified material during non-working hours or when such material is not under the direct control and surveillance of an authorized person, classified containers will be provided only on a case by case basis. An approved security filing cabinet, a safe, steel file cabinet, or safe-type file container having an automatic unit locking mechanism and a built-in three position, dial-type, changeable combination lock, or steel file cabinet secured by a steel bar and a three-position, dial-type, changeable combination padlock will be used. The combination will be placed in an envelope, sealed and stored in Security Services in a Government Supplied Agency (GSA) approved container.
- Need-to-know and the proper security clearance must be verified prior to the release or discussion of any classified.
- Classified information entering the facility by a Foreign Person must immediately be brought to the Government Representative Officelocated at the Facility location facility. The Government Representative Office will open the package and sign a receipt for the material received and take it to the CompanyNameDocumentControlCenter. The DocumentControlCenter will assign a control number to the material and return it to the custodian of the material. The custodian will then secure the material in an approved locked container.
- Any classified information generated at the facility by you must immediately be brought to Data Configuration Manager. The Data Configuration Manager will take the material to the DocumentControlCenter. The DocumentControlCenter will assign a control number to the material and then return the controlled material to the Data Configuration Manager, you, or the appropriate custodian who will assume custodianship for the material. The Custodian of the material will then secure the material in an approved locked container.
- Removing classified information from the facility is strictly prohibited without prior approval from Security Services. Classified information that needs to be removed from the facility by you must be given to the Government Representative Office (Security Services will coordinate). The Government Representative Office will then take the material to the CompanyNameDocumentControlCenter. The document ControlCenter will then prepare the document for courier or shipment, whichever has been approved.
- Classified information requiring destruction must be given to the Program NameData Configuration Manager. The Data Configuration Manager will take the material to the DocumentControlCenter. The DocumentControlCenter will then destroy the material, sign and/or witness the destruction certificate document control number will be taken off of your inventory and a copy of the destruction certificate will be provided authenticating that the destruction has occurred.
- Classified information, which Company Name is not authorized to see, and needs to be destroyed, must be given to the Government Representative Office (Security Services will coordinate). The Government Representative Office will prepare a destruction certificate and take the material to the CompanyNameDocumentControlCenter. The DocumentControlCenter will then destroy the material, sign and/or witness the destruction certificate authenticating that the document has been destroyed. The document control number will be taken off of your inventory and a copy of the destruction certificate will be provided authenticating that the destruction has occurred.
- Classified working papers that are no longer needed are to be placed in red barrels located in the Program Name area.
B.Facility Services
The services provided by the facility (i.e., International mailing, International Freight and Courier shipments, Facsimile, Automated information systems, Reproduction, Classified Storage Containers), as appropriate.
1.International Mailing
All international mail shipments require an International Shipping Document (Attachment B) signed by the Export/Import Control Coordinator (ECC) and International Shipping Manager. The ECC will review and, if a license or exemption applies, will coordinate the license information to be annotated with the International Shipping Office, execute appropriate export documentation, and apply package markings. Once the form has been signed it should be attached to the sealed envelope and sent to the mail room for shipment. Nonreleasable letters or packages will be returned to the sender.
2.International Freight and Courier Shipments
International shipments, other than Government Bills of Lading, or administrative material with proper release approval will be submitted through the ECC-D, to the International Shipping Office. The originator will prepare the International Shipping Document (Attachment B), which is to be completed according to instructions on the form, and forward it to the ECC-D. ECC-D will review the International Shipping Document, indicate the type of export license required for the shipment, affix authorization signature, and forward to the International Shipping Office. The originator of administrative material to be shipped via Courier shall prepare an International Shipping Document, obtain cognizant Director signature, and submit to the International Shipping Office. International Shipping Office personnel will then prepare the appropriate export documentation, process the export licenses in accordance with the applicable U.S. Government Regulations, and coordinate with shipping and forwarder/carrier. The International Shipping Office will maintain records of shipments exported.
3.Electronic Transmissions
Transmittal of technical data to Foreign Persons or Company Name employees overseas by electronic transmission, including by telephone, facsimile, e-mail, the Internet, the Company Name Intranet or other similar means, requires appropriate export control authorization. Everyone must safeguard all technical data in accordance with both company policy and the U.S. export regulations. You must not ignore these requirements due to the urgency of the situation or the convenient use of electronic transmission. Any information requiring facsimile must be reviewed by Program Management and it may only be accomplished by anCompany NameProgram NameEmployeeprovided that the data is unclassified, and is not proprietary data and does not contain technical data the information may be faxed. Access to facsimile machines will only be permitted if the material is Program Name program specific or generic administrative data.
4.Information Systems Requirements
- Members of the Company Name Information Technology Security Department (Company Name IT Security) are authorized to conduct periodic security audits and to initiate appropriate remediation on systems, design topologies, remote access, etc.
- Access to the Company NameLAN by non Company Name foreign national is not authorized. If a computer is provided, it will be a standalone system or a system connected to a specified dedicated Program LAN only.
- No unapproved wireless network technology can be deployed and/or used.
- No unauthorized wireless network access devices are allowed in the Program area.
- All removable storage media devices (defined as any device that acts as a portable hard drive (including but not limited to laptops, phones, iPOD’s and PDA’s)) MUST be compliant with established facility policies. All removable storage media devices MUST also be declared and cleared by physical security when checking into the facility.
- Any data being posted to IDE / SFE / IFE must be in accordance with established facility policies. Information being exported must not exceed the scope or violate any provisos/limitations of the active Technical Assistance Agreement and/or Export Licenses and will be audited for compliance.
- Users of the Internet should have no expectation of privacy in anything they create, store, send or receive using an Company Name provided Internet connection. Internet access, email, and system access will be logged and audited for inappropriate usage.
- PROHIBITED ACTIVITIES. Without prior written permission from Company Name, the company provided Internet connection may not be used to disseminate, view or store commercial or personal advertisements, solicitations, promotions, destructive code (e.g., viruses, Trojan horse programs, etc.) or any other unauthorized materials. Further, at all times users are responsible for the professional, ethical and lawful use of the Internet connection.
- ILLEGAL COPYING. Users may not illegally copy material protected under copyright law or make that material available to others for copying. You are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages, and other material you wish to download or copy.
- COMMUNICATION OF PROPRIETARY DATA. Unless expressly authorized to do so, User is prohibited from sending, transmitting, or otherwise distributing proprietary information, data, trade secrets or other protected information belonging to Company Name. Unauthorized dissemination of such material may result in severe disciplinary action as well as substantial civil and criminal penalties under state and federal laws.
- VIRUS DETECTION. Files obtained from un-trusted sources, including disks brought from home, files downloaded from the Internet, newsgroups, bulletin boards, or other online services; files attached to e-mail, and files provided by customers or vendors, may contain dangerous computer viruses that may damage the attached PC. Users should never download files from the Internet, accept e-mail attachments from outsiders, or use disks from un-trusted sources, without first scanning the material with updated virus checking software.
- Non-COMPANY NAME employees who are provisioned Internet network access are prohibited from connecting any device (laptop, desktop, etc.) to any other network.
- Classified processing is authorized not authorized in the Program area and all ITAR qualified data must be covered under the Program’s TAA.
5.Reproduction
Material requiring reproduction must be program specific with the exception of day to day administrative data. Reproduction of classified information is not authorized.