TCP Form-DD2345

Overview

Militarily Critical Technical Data Agreement DD Form 2345 is used for:

U.S./Canadian defense contractors or other entities to obtain DOD/DND unclassified export controlled technical data; and to attend gatherings such as symposiums, program briefings; meetings designed to publicize advance requirements of contracting agencies; pre-solicitation, pre-bid, pre-proposal, pre-award conferences, workshops, and tours.

Unclassified Militarily Critical Technical Data (MCTD) received during these activities is data that can be used to produce military or space equipment and related technology. It includes blueprints, drawings, computer software, operating instructions, and technical information. Technical information, data, materials, or software received must be secured from use and observation by unlicensed non-U.S. citizens.

Procedure

The Office of Research & Innovation-Research Compliance holds and administers a centralized DD 2345 Militarily Critical Technical Data Agreement on behalf of the University. If you are requested to provide a Militarily Critical Technical Data Agreement (Form DD 2345) or have one on file, you may be receiving or will be granted access to export controlled technical data. You must have a Technology Control Plan (TCP) before bringing any technical data to the Drexel University campus or any of its subsidiaries and locations.

Project and Personnel Information

This section asks for specifics related to the project and the personnel associated with the project

Date Requested

mm/dd/yyyy

First Name

This is the first name of the individual responsible for and requesting the TCP

Last Name

This is the last name of the individual responsible for and requesting the TCP

Telephone Number

Phone

Email Address

College and Department

No acronyms. Please write the department out in full

Department Chair or Dean

This is the official who will approve your TCP on the departmental/college level

Email of Department Chair or Dean

Support/ Sponsor Name

Coeus/InfoEd #

Due Date

mm/dd/yyyy

Projected Start Date of Project

Projected End Date of Project

Additional Agreements

Please reference any additional agreements associated with this project (e.g. Business Associate Agreements, Non-Disclosure Agreements, Data Use Agreements)

Description of Controls

This is the description of the EAR or ITAR Category that you will utilize in this project. Please be as specific as possible.

Number of Locations this Work will be Conducted

Project Personnel

Please list the names of personnel who will have access export controlled subject matter

How many personnel (besides yourself) will have access to this information?

If you have more than five personnel who will have access, please contact export@drexel.edu

Technology Control Plan Proposal

This section is where you draft your TCP and certify the information required for approval. All individuals participating in this project are required to complete the following:

Drexel University is committed to export control compliance. The Office of Research Compliance is responsible for implementing technology control plans as applicable. Aleister Saunders, Ph.D., Executive Vice Provost for Research & Innovation, is the University Official that oversees Export Controls. Questions related to Export Controls should be directed to export@drexel.edu.

I certify that I am responsible for ensuring commitment and compliance to this TCP

Background and Description of the Use of Controlled Items and Information

Please provide a brief overview of the project. Describe what sensitive data and materials will be provided and how they will be delivered.

I require an authorization to export an export control listed material as a part of this TCP

Physical Security

Please describe the physical security controls used to prevent unauthorized access to secured areas and protect project materials and information technology. At a minimum, your description must cover the following items:

Protection of the materials and methods ensures they do not leave designated secure areas.

Ensuring that work for this project is done within secured areas and that only project members are present when work is being done.

Marking all physical materials (e.g. hardcopy, removable media, etc.) as export-controlled, proprietary, and/or subject to a non-disclosure agreement (NDA) as appropriate. The plan should provide that such materials be physically secured when not in use.

Prevention of non-U.S. persons viewing or having access to any project materials or information (physical or digital).

Information Security Plan

Drexel University requires all researchers to ensure that sensitive digital research data is appropriately protected. Drexel University provides guidance on data security at https://drexel.edu/it/security/data-security-initiative/.

Please explain, in sufficient detail, what information security controls will be used to protect sensitive project data. At a minimum, your plan must address the following IT security policy and guidelines:

Any requirements explicitly outlined in the contract/NDA, such as technology controls, data classification, encryption, network access (or lack thereof), non-disclosure, secure destruction, etc., must be adhered to at all times.
User activity and project data must be sent securely (encrypted) over any networks. All sensitive data stored on computers and removable media must be encrypted at rest, wherever feasible.
User activity and security-relevant events must be recorded/logged on systems and monitored for suspicious activity.
Account passwords must comply with https://drexel.edu/it/security/best-practices/#passwords
Project computers should not be networked or Internet-accessible unless allowed/required by the research contract/grant. If project computers are Internet-accessible, operating system and application patches must be applied promptly (at least monthly) and configured for automatic updates. Project computers must be configured to deny all non-essential inbound and outbound traffic, and University recommended anti-virus and anti-malware must be used on all eligible devices.
Any suspicious activity or suspected (or confirmed) information security incidents must be immediately reported to the Information Security Team at InformationSecurity@drexel.edu
When project computers are decommissioned, all hard disks in the device must be sanitized. Sanitization refers to the process that renders access to target data on the media infeasible for a given level of effort per NIST SP 800-88. This is achieved by overwriting all data on the disk multiple times or using a disk's secure erase function if one exists. Contact consult@drexel.edu
Provisions for adequate backups and recovery procedures for all project information must comply with Information Security protocols

Describe any data retention requirements (Data Management Plan) that must remain in effect for Export Controlled information and items, as well as the on-going security measures that will be in place following termination of the project:

Security measures will be required for Export Controlled information and items after the project termination. Export Control documents should be retained for 5 years unless directed otherwise by the applicable agency. Drexel University Records Management Policy may be found at https://drexel.edu/generalcounsel/policies/OGC-4/

I certify that I understand that all personnel listed on this plan or added later must undergo a Restricted Party Screening.

I certify that personnel with access to Export-Controlled information, technology, software, or items on this project have read and understand the Defense Logistics Agency’s “Introduction to Proper Handling of DoD Export-Controlled Technical Data.” Export control training for this project shall be completed through CITI and a copy of the training completion certificate must be filed with this TCP. No person shall have access to Export-Controlled information, technology, software or items on this project until such training is completed.

Please upload training certifications below

I certify that I understand my responsibility to create and conduct as internal assessment process whereby procedures are reviewed and any findings reported to Export Control at export@drexel.edu . The Export Control team may also conduct periodic evaluations and/or training to monitor compliance with the TCP procedures. Any changes to the approved procedures or personnel having access to controlled information covered under this TCP will be cleared in advance by the Export Control and noted by a modification to this TCP.

I certify that he PI and department shall notify Export Control (1) prior to adding new personnel; (2) when the scope of the project changes; (3) to request modifications to the approved TCP; and (4) when there is a change in funding or in the award terms or conditions. In the event of a suspected violation of the export control regulations, please contact Export Control or the Office of General Counsel.

I certify, that I will re-certify no later than 31 March annually that the project is being carried out in compliance with the approved TCP. A TCP signed between January 1st and March 31st of the respective year, shall not require recertification until the following calendar year, but must occur no more than 15 months from the date the TCP is initiated.

File Upload

Please upload copies of training completion for all participants and any additional information needed for the TCP to be fully assessed.

Drop your files here

Send me a copy of my responses

Report Abuse

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.