Reporting an Export Controls (EAR/ITAR) Compliance Violation

Department IT Areas must now perform the following reporting procedures when faculty and staff in their department have experienced an EAR/ITAR Compliance Violation (e.g., ITAR/EAR info sent or received via Gmail, violating a Technology Control Plan (TCP), etc.). NOTE: This could also involve Department of Energy (DoE) and/or Nuclear Regulatory Commission (NRC) data.

1) Properly report the Incident

Notify the CoE Research Development Office, the Export Controls Office, Information Assurance, and CoE Security. The email addresses to reach these areas are:

Include a detailed account of the problem, including a description of the export controlled content and its EC classification (EAR/ITAR/DoE/NRC) if known. If possible, also indicate whether everyone involved is a U.S. Person (note: if you do not know at this time, the EC office will eventually need to gather this information).

Important Note:

If you forward an existing TeamDynamix (TDX) ticket email to any of the above email addresses, please strip off the white-on-white text TDX token at the bottom of the message; otherwise it will not make it to that destination. Because the TDX token is white-on-white text, it may be invisible until you highlight it.

2) Perform any follow-up actions

Follow any specific instructions from any of the above groups replying to you in STEP 1. Note that for ITAR/EAR/EC violations involving info sent/received via Gmail, begin the follow-up actions noted below (a-d) automatically:

a) If the sponsor was at fault for causing the violation, then you or your research staff must reach back out to the sponsor and re-educate them on proper ITAR/EAR/EC information transmission. If personnel from U-M were at fault for causing the violation, then you must reach out to them similarly and also advise them on any Technology Control Plan violations if applicable. Please document your outreach actions. Note that all violations are reported back to the Associate Vice President for Research (Research Policy and Compliance) per U-M policy.

b) Delete all the messages that contain EC information in Gmail and empty the trash folder on all accounts involved.

c) Contact ITS (Trouble Ticket or Email) to have them check that a “restore” from the trash has not been done on the Gmail accounts involved, and set up a follow-up check with them for 30 days out. Please use the following template:

“Hello U-M Google Team. We’ve had an export control violation with Gmail and have been instructed by those involved in U-M compliance administration to contact you to perform a check for us now and also in 30 days from now. The Gmail accounts involved are: [LIST_OF_UNIQNAMES]

Can the U-M Google team please use the Google Admin Console to check audit logs for the account(s) listed above to verify that no email restores have been done since <DATE_INCIDENT_OCCURRED> and notify us of the results of that check? We will also need this rechecked in 30 days from that date and to be notified of the results of that check as well. Thanks in advance for your help.”

d) Report any results from contacting ITS in Step 2c to the email addresses you used to report the incident in STEP 1. Also note what outreach actions were performed in 2a. Once you have reported the final 30-day results, you can close the issue out.

You must set your own reminders so you know when to expect a response from the U-M Google team. If you do not hear back on time, please re-contact them until you do.

3) Confer with the Export Control Program on next steps

The Export Control Officer may wish to send an email to your sponsor (if the email violation originated with the sponsor) or schedule a call to discuss further. It will be important to know whether the U-M recipient(s) were all U.S. Persons, and also whether the email was encrypted by the sender. Your TCP may need to be amended if it does not sufficiently cover email transmissions. Additional training may also be needed. Send an email to [email protected] to confirm.