Skill Guide

Technology Control Plan (TCP) design and deemed-export risk assessment

Technology Control Plan (TCP) design and deemed-export risk assessment is the systematic process of creating documented protocols to control access to controlled technology and data, and evaluating whether the release of technical information to foreign nationals within the U.S. constitutes an export under U.S. export control regulations (ITAR/EAR).

This skill is critical for preventing severe legal penalties, maintaining government contracting eligibility, and protecting national security interests by ensuring regulatory compliance. It directly impacts business outcomes by enabling secure international collaboration and avoiding catastrophic fines or loss of export privileges.

How to Learn Technology Control Plan (TCP) design and deemed-export risk assessment

1. Master the core regulatory definitions: Understand the distinction between 'export,' 'deemed export,' 'foreign person,' and 'controlled technology' under ITAR (22 CFR §120) and EAR (15 CFR §734.13).
2. Study the fundamental components of a TCP: Technology Control Officer (TCO) designation, access control lists, physical and cybersecurity measures, and training programs.
3. Conduct a basic self-assessment: Identify one piece of technology or data in your organization and determine its Export Control Classification Number (ECCN) or USML category.

1. Move from theory to practice by drafting a TCP for a specific, controlled project (e.g., a research lab handling ITAR-controlled satellite components).
2. Analyze real-world deemed-export scenarios: e.g., a foreign national intern accessing technical drawings on a shared server.
3. Avoid common mistakes: Do not conflate citizenship with 'foreign person' status (green card holders are not foreign persons under EAR); ensure your TCP addresses digital access, not just physical documents.

1. Master the integration of TCPs with corporate-wide compliance programs, aligning them with ISO 27001 and CMMC frameworks.
2. Develop strategies for complex scenarios: managing joint ventures with foreign entities, handling 'born classified' information under NNSA regulations, or conducting pre-acquisition due diligence on export control risks.
3. Mentor junior staff by designing tabletop exercises that simulate a Bureau of Industry and Security (BIS) or Directorate of Defense Trade Controls (DDTC) audit.

Practice Projects

Beginner
Case Study/Exercise

Drafting a Basic TCP for a University Research Lab

Scenario

A university engineering lab is developing a new composite material with potential dual-use applications (EAR99 and ECCN 1C010). The lab employs two graduate students from China (on F-1 visas) and one professor from India (on H-1B).

How to Execute
1. Classify the technology: Research and assign the correct ECCN to the specific technical data and prototypes.
2. Identify 'foreign persons': Determine the immigration status of each individual to confirm deemed export applicability.
3. Draft a one-page TCP: Outline who has access to what, where the technology is stored (servers, labs), and basic training requirements.
4. Present the plan to a mock 'Export Control Officer' for critique.
Intermediate
Project

Conducting a Deemed-Export Risk Assessment for a Product Launch

Scenario

A U.S. tech company is preparing to launch a new commercial drone product containing an advanced inertial navigation system (ECCN 7A003). The R&D team includes engineers from Russia (permanent residents) and Canada (H-1B). The company is considering hiring a software developer from Iran.

How to Execute
1. Map the technology flow: Create a data flow diagram showing who accesses the controlled navigation software, CAD files, and test data.
2. Perform a 'release' analysis: Determine if any technical data required for the job will be shared with the potential Iranian hire, triggering a deemed export.
3. Evaluate license requirements: Research whether a license exception (e.g., TSR) applies or if a license application to BIS is needed for the Iranian national.
4. Update the corporate TCP to include specific access restrictions for the drone project.
Advanced
Case Study/Exercise

Designing a Global TCP Framework for a Multinational Defense Contractor

Scenario

A U.S.-headquartered defense contractor is acquiring a German company with subsidiaries in Japan and the UAE. The German company manufactures components on the U.S. Munitions List (USML Category XI). All entities employ a mix of U.S. persons, green card holders, and foreign nationals from various countries.

How to Execute
1. Conduct a global technology mapping: Identify all USML and EAR-controlled technology across all entities, including legacy data.
2. Develop a tiered TCP framework: Create a master policy with subsidiary-specific appendices addressing local data sovereignty laws (e.g., GDPR) while maintaining U.S. export control primacy.
3. Design a 'technology control board' governance model: Establish a cross-functional committee (Legal, IT, Security, HR) to approve foreign national access requests.
4. Simulate a DDTC compliance audit: Stress-test the framework with a mock audit focusing on intra-company transfers of technical data between the U.S. and the UAE subsidiary.

Tools & Frameworks

Regulatory Databases & Classification Tools

Commerce Control List (CCL) - Supplement No. 1 to Part 774 (EAR)
U.S. Munitions List (USML) - 22 CFR §121
BIS SNAP-R (for license applications)
DDTC's D-Trade 2 portal

Primary sources for classifying technology. The CCL and USML are the definitive lists for determining control status. SNAP-R and D-Trade 2 are the mandatory electronic systems for submitting export license applications to BIS and DDTC, respectively.

Compliance Management Software

SAP Global Trade Services (GTS)
Thomson Reuters ONESOURCE Global Trade
Visual Compliance

Enterprise platforms used to automate restricted party screening, manage license agreements, maintain audit trails for TCP activities, and integrate export control checks into business workflows like shipping and HR onboarding.

Mental Models & Methodologies

The 'Release' Framework (15 CFR §734.15 for EAR, 22 CFR §120.17 for ITAR)
The 'Deemed Export' Decision Tree
Risk-Based Approach to TCP Design

The 'Release' framework provides the legal definition of what constitutes a release of technology (visual inspection, oral exchange, or application to physical objects). The Decision Tree is a step-by-step tool to assess if a deemed export occurs. A risk-based approach prioritizes controls for the highest-risk technologies and access points.

Interview Questions

Answer Strategy

This question tests understanding of 'U.S. person' status and practical TCP implementation. The candidate must clarify that a U.S. citizen is a 'U.S. person' under both ITAR and EAR, so no deemed export occurs. However, a strong answer addresses insider threat and need-to-know. Sample Answer: 'First, his U.S. citizenship means he is a U.S. person, so a deemed export is not triggered by his employment. However, for our TCP, I would still implement strict need-to-know protocols. He would only access the specific algorithm modules required for his task, not the entire codebase. His access would be logged, and he would receive annual ITAR training focused on the penalties of unauthorized re-transfer, given his background. The TCP would also include a clean-desk policy for printed materials and multi-factor authentication for the secure server.'

Answer Strategy

This tests crisis management and remediation skills. The interviewer is looking for a structured, compliance-focused response. Sample Answer: 'Immediate: Secure the evidence. Freeze the intern's access, preserve all server logs, and initiate a preliminary fact-finding to determine the scope of the breach. Short-term (within 72 hours): Conduct a self-initiated voluntary disclosure to the DDTC (for ITAR) or BIS (for EAR), as voluntary disclosure is a major mitigating factor in penalties. Simultaneously, conduct a root cause analysis to determine how the intern bypassed controls. Long-term: Remediate the control failure. This likely involves upgrading to a role-based access control (RBAC) system with automated alerts, implementing mandatory data classification labels, and requiring manager sign-off for any foreign national access request.'
