Schools, Researchers Warned to Prepare for New US Export Control Training Requirements
Recently issued guidelines by the White House’s Office of Science Technology Policy could raise export compliance stakes for universities and research institutions, law firms said, especially for researchers that receive semiconductor-related federal funding under the Chips Act.
Under the guidelines, released in July, government agencies involved in federal research will require certain schools and research organizations that receive certain minimum funding to certify that they’re implementing export control and research security training, as well as cybersecurity measures and other similar programs. Schools and researchers must specifically certify that they completed training administered by the Bureau of Industry and Security, Hogan Lovells said in a recent client alert, or certify that they have completed other training on export control requirements and rules for reviewing foreign sponsors and partnerships.
Institutions covered by the new requirements must certify that they have implemented required research security programs by submitting a “written or electronic attestation” to the federal research agency, the White House’s memo said.
The guidelines appear to give researchers “some autonomy to determine the precise features” of their export control training, the firm said, and noted that many U.S. universities “already have spent considerable time addressing research security” in recent years. But “with the new guidelines comes more to do and more to track within an ever more complex research compliance ecosystem,” it said.
Ropes & Gray made similar points, saying the guidelines “allow for significantly greater flexibility to institutions in developing their research security programs” than the draft guidelines issued by the White House last year. It also said many researchers “are already well underway in their planning” for new export control training expectations.
But “research institutions will still have much to do to ensure they” are “equipped to track the additional agency-specific requirements as such requirements are developed and finalized,” the firm said.
Along with specific export control training requirements, institutions also have to put in place training on foreign travel security to make sure researchers aren’t improperly disclosing sensitive information when traveling for business, conferences or teaching, Ropes & Gray said. The firm said these rules are “substantially different” than the requirements proposed in draft form last year, which appeared to cover personal travel as well as professional travel.
“The Final Guidance outlines that the training and reporting requirements relating to international travel must have a clear nexus to institutional activities (e.g., travel for business, teaching, conferences, or other research purposes),” the firm said.
Holland & Knight noted that covered research organizations may not have to comply with the new policy until more than a year after federal agencies update their own internal policies to align with the new guidelines. Until then, universities and others should “evaluate their current research security programs, protocols and trainings to determine whether they meet the” new requirements, the firm said. “In the event any gaps or deficiencies are identified, the institutions should ensure they are remediated and brought into compliance” before the effective date.