Classified research involves information or materials that have been designated by the U.S. government as requiring protection against unauthorized disclosure for national security reasons. Such research is governed by federal classification standards (e.g., Confidential, Secret, Top Secret) and access is restricted to individuals with the appropriate security clearance and a need to know. Classified research is not considered fundamental research and is subject to strict handling, storage, and communication requirements.

A list of items under the jurisdiction of the EAR, including commodities, software, and technology, which are subject to export controls based on their nature and technical parameters.

Comprehensively sanctioned countries are nations subject to the most extensive U.S. economic sanctions, imposed by the Department of the Treasury’s Office of Foreign Assets Control (OFAC). These sanctions generally prohibit nearly all direct and indirect transactions involving the country, its government, and entities or individuals located there. As of April 2025, the comprehensively sanctioned countries are Cuba, Iran, and North Korea.

Contextualized data refers to information that has been linked with additional details—such as metadata, technical specifications, origin, or intended use—that gives it specific meaning or relevance. In controlled research settings, contextualized data may enable interpretation, replication, or application, and can elevate the regulatory sensitivity of the information. When combined with identifying or technical context, such data is more likely to be subject to export control or safeguarding requirements.

Controlled research refers to research activities that are subject to restrictions on publication, access, or participation due to regulatory, contractual, or sponsor-imposed limitations. Unlike fundamental research, which is intended to be openly published and broadly shared, controlled research may involve export-controlled information, proprietary data, or technologies subject to U.S. export control laws (such as the EAR or ITAR), Controlled Unclassified Information (CUI), or classified information. When research is designated as controlled, specific safeguards—such as a Technology Control Plan (TCP), access restrictions, or licensing—may be required to ensure compliance with applicable laws and institutional policies.

A student thesis or dissertation subject to export control or other regulatory restrictions. Access and participation in defenses involving controlled theses/dissertations are limited to U.S. persons and must be coordinated with the Research Security and Export Controls (RSEC) Office.

Controlled Unclassified Information (CUI) is information that the U.S. Government creates or possesses—or that an entity creates or possesses for or on behalf of the government—that requires safeguarding or dissemination controls in accordance with applicable laws, regulations, and government-wide policies.

A foreign country of concern (FCOC) is a nation identified by the U.S. government as posing heightened risks to national security, research integrity, or economic competitiveness. Under the CHIPS and Science Act of 2022, this designation includes China, Iran, North Korea, and Russia. Entities outside these countries but owned or controlled by them are also subject to restrictions.

Covered Defense Information (CDI) is a subset of Controlled Unclassified Information (CUI) that includes unclassified information provided to or developed by a contractor in connection with a Department of Defense (DoD) contract that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy.

Customs and Border Protection (CBP) is a federal agency within the U.S. Department of Homeland Security responsible for enforcing customs, immigration, and trade laws at U.S. borders and ports of entry. CBP regulates the import and export of goods, collects duties and taxes, and ensures compliance with laws related to international shipments, including those involving export-controlled or restricted items.

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to assess and verify the cybersecurity practices of contractors and organizations handling Controlled Unclassified Information (CUI). CMMC defines multiple levels of maturity, each with specific requirements for safeguarding sensitive federal information, and is intended to ensure that appropriate cybersecurity protections are in place throughout the defense supply chain.

The Directorate of Defense Trade Controls (DDTC) is a division of the U.S. Department of State responsible for administering and enforcing the International Traffic in Arms Regulations (ITAR). DDTC oversees the licensing, registration, and compliance requirements for exports of defense articles, defense services, and related technical data listed on the U.S. Munitions List (USML).

A deemed export refers to the release or transmission of controlled technology, technical data, or source code to a foreign person within the United States. Under U.S. export control regulations—particularly the EAR and ITAR—such a release is considered an export to the foreign person’s country of citizenship. Deemed exports can occur through visual inspection, oral discussions, training, or access to controlled research environments. Because no physical shipment takes place, deemed exports are often overlooked, but they are subject to the same licensing requirements and restrictions as physical exports.

A defense article is any item, technical data, or software that is specifically designed, developed, configured, adapted, or modified for a military application and is listed on the U.S. Munitions List (USML), which is regulated under ITAR. This includes weapons, military vehicles, protective equipment, spacecraft components, and related parts and accessories. The export, transfer, or disclosure of defense articles—whether internationally or to a foreign person in the U.S.—typically requires prior authorization from the U.S. Department of State’s DDTC.

Defense services refer to the provision of assistance—whether in the United States or abroad—to foreign persons in the development, design, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, or use of defense articles. This includes the transfer of technical data and the provision of training or other forms of support related to items on the USML. Defense services are regulated under ITAR.

Delivery terms, often referred to as Incoterms (International Commercial Terms), are standardized terms used in international trade to define the responsibilities of buyers and sellers for shipping, insurance, customs clearance, and risk of loss.

EAR99 is a classification under the Export Administration Regulations (EAR) for items that are subject to the EAR but are not specifically listed on the Commerce Control List (CCL). These items are generally low-risk and often do not require a license for export to most destinations. However, a license may still be required if the export is to a sanctioned country, a prohibited end user, or for a restricted end use.

Eligibility refers to whether a person, entity, or organization is legally permitted to access controlled items, information, or research under U.S. export control regulations, contract terms, or institutional policies. Eligibility may be determined based on factors such as citizenship, immigration status, affiliations, end use, or inclusion on restricted party lists.

Effective control refers to the ability to maintain physical possession of an export-controlled item or to secure it in a manner that prevents unauthorized access—such as in a locked container, room, or hotel safe.

At Purdue, an end point refers to a computer, workstation, or other device that is connected to a controlled research environment or secure computing system. End points serve as the access point through which users interact with regulated data, software, or systems, and must meet specific security and configuration requirements.

End use refers to the specific purpose for which an item, software, or technology will be employed by the recipient. Under U.S. export control regulations, the end use is a critical factor in determining whether a license is required, especially if the item may be used in activities such as nuclear proliferation, missile development, chemical or biological weapons production, or military applications.

An end user is the individual, organization, or entity that will ultimately receive and use an exported item, technology, or service. Identifying the end user is essential for determining export license requirements and for screening against U.S. government restricted party lists.

An export is the physical shipment, electronic transmission, or transfer of items, software, or technical data from the United States to a foreign country or to a foreign person, regardless of location. Exports can occur through shipping, email, cloud storage, hand-carry, verbal communication, or visual access, and are subject to U.S. export control laws.

The Export Administration Regulations (EAR) are U.S. federal regulations administered by the Department of Commerce’s Bureau of Industry and Security (BIS) that control the export, reexport, and transfer of dual-use items—goods, software, and technologies with both civilian and military applications.

An Export Control Classification Number (ECCN) is an alphanumeric code used in the EAR to identify items subject to export controls on the Commerce Control List (CCL). Each ECCN describes the item’s technical characteristics and indicates the reasons for control, which help determine licensing requirements based on the destination, end use, and end user.

Export control regulations are U.S. federal laws that govern the export of sensitive items, technology, software, and technical data to foreign countries and foreign persons. These include the EAR, the ITAR, and sanctions regulations administered by OFAC.

The Purdue office responsible for managing classified contracts and security matters under the National Industrial Security Program (NISP). The FSO oversees facility clearances, personnel clearances, and compliance with federal requirements for handling classified information.

Foreign Adversary (aka Adversary Countries), as defined by Indiana House Enrolled Act (HEA) 1179, are nations identified as foreign adversaries under 15 CFR § 7.4 or designated by the Governor of Indiana as threats to critical infrastructure. As of April 2025, these countries include Cuba, China, Hong Kong, Iran, Macau, North Korea, Russia and Venezuela. The law imposes disclosure requirements on Indiana public universities for any gifts or contracts involving these countries and restricts the transfer of intellectual property or use of state resources in collaborations with entities linked to them.

A foreign person is any individual who is not a U.S. citizen, lawful permanent resident (green card holder), or protected individual under U.S. immigration law (such as a refugee or asylee). The term also includes any foreign corporation, business, organization, or government not incorporated or organized under U.S. law. Foreign persons are subject to export control restrictions when accessing controlled items or information.

The Foreign Trade Regulations (FTR) are U.S. federal rules administered by the Census Bureau that govern the reporting of export shipment information through the Automated Export System (AES). Compliance with the FTR is essential for lawful export documentation and reporting.

Fundamental research is basic or applied research in science and engineering where the results are intended to be published and broadly shared within the research community. It is not subject to export control regulations so long as there are no restrictions on publication or access based on nationality. This definition is established under National Security Decision Directive 189 (NSDD-189) and applies primarily to research conducted at accredited institutions of higher education in the United States.

A General Guidance Memorandum is a formal communication issued to provide clarification, interpretation, or recommended practices related to export control regulations, U.S. sanctions, or research security requirements. These memoranda help faculty, staff, and administrators understand how to ensure compliance in common scenarios and are generally advisory in nature.

Hand carry refers to the physical transportation of tangible items—such as equipment, samples, or documents—across international borders by an individual, typically as part of personal luggage during travel. Even though no commercial shipment is involved, hand-carrying items is still considered an export under U.S. regulations and may require prior review, documentation, or licensing depending on the nature of the items and destination.

High-risk destinations are: Afghanistan, Armenia, Azerbaijan, Belarus, Burma (Myanmar), Cambodia, Central African Republic, China (including Hong Kong), Democratic Republic of Congo, Cyprus, Eritrea, Georgia, Haiti, Iraq, Kazakhstan, Kyrgyzstan, Laos, Lebanon, Libya, Macau, Moldova, Mongolia, Nicaragua, Russia, Somalia, South Sudan, Sudan, Tajikistan, Turkmenistan, Uzbekistan, Venezuela, Vietnam, Yemen, Zimbabwe.

Instruction materials refer to general information or content used to teach or explain how to operate, assemble, maintain, or use a product or system. Under export control regulations, publicly available instructional materials—such as manuals, textbooks, or training guides—are typically not controlled, unless they contain or reveal technical data or controlled technology subject to the EAR or ITAR.

The International Traffic in Arms Regulations (ITAR) are U.S. regulations administered by the Department of State’s DDTC that control the export, reexport, and transfer of defense articles, defense services, and related technical data listed on the U.S. Munitions List (USML). ITAR is designed to protect U.S. national security and foreign policy interests.

A license is formal authorization issued by a U.S. government agency—such as the Department of Commerce (BIS) or Department of State (DDTC)—that permits the export, reexport, transfer, or disclosure of controlled items, technology, or services to a foreign person or destination. A license is typically required when an export cannot be made under a license exception or general authorization due to the item’s classification, end use, end user, or destination.

A license exception is a provision under the EAR that allows the export, reexport, or transfer of certain controlled items without the need to obtain a specific license, provided that defined criteria and conditions are met. License exceptions are limited in scope and must be used in strict accordance with the regulations.

Purdue’s secure instance of Microsoft’s Government Community Cloud High (GCC High). Luna provides a compliant environment for storing, transmitting, and collaborating on export-controlled and Controlled Unclassified Information (CUI) data. It meets the safeguarding requirements of NIST SP 800-171 and is required for certain regulated research activities.

A Material Transfer Agreement (MTA) is a contractual document used to govern the transfer of tangible research materials between two organizations. It defines the terms under which the materials may be used, including restrictions on redistribution, intellectual property rights, publication, and liability.

Information that is raw output with no identifying marks generated, processed, stored, and/or transmitted under a controlled project subject to dissemination controls, export control regulations and federal cybersecurity rules. The information is raw output with no identifying marks for the controlled project. The information must be correlated with additional input from a person, application or second data source in scope of the controlled research project to become Contextualized Controlled Research Data thus in scope of the export control regulations and federal cybersecurity rules.

Non-contextualized Data is categorized as Restricted, under Purdue’s Data Classification and Handling Procedures and is not the results of Fundamental Research. Therefore access to the data is still limited to authorized individuals as identified by a Technology Control Plan and effective security controls must be maintained over non-contextualized Controlled Research Data as defined by the Technology Control Plan.

A National Institute of Standards and Technology (NIST) Special Publication that defines cybersecurity requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It establishes 14 control families covering access, system integrity, and incident response.

A legally binding contract between two or more parties that governs the sharing of confidential or proprietary information for limited purposes while restricting disclosure to others. In a research context, NDAs may limit the ability to freely publish or disseminate information. Research performed under an NDA may nullify a claim that the work qualifies as fundamental research.

The Office of Foreign Assets Control (OFAC) is a division of the U.S. Department of the Treasury responsible for administering and enforcing economic and trade sanctions based on U.S. foreign policy and national security objectives. OFAC maintains lists of sanctioned individuals, entities, and countries, and regulates transactions that may involve restricted parties or embargoed regions.

A Personal Acknowledgment Form is a document used to confirm that an individual—typically a researcher, student, or staff member—has been informed of and agrees to comply with applicable export control regulations, institutional policies, and specific requirements related to controlled research or access-restricted information.

Purdue’s electronic research administration system used for proposal submission, agreement review, and research compliance processes, including export control review.

A Principal Investigator (PI) is the lead researcher responsible for the overall design, conduct, and management of a sponsored research project. The PI holds primary accountability for compliance with institutional policies, sponsor requirements, and applicable laws, including those related to export controls, data security, and the ethical conduct of research.

A release refers to the act of making controlled technology, technical data, or software available to a foreign person through any means, including visual inspection, oral communication, electronic transmission, or access to physical or digital systems. Under U.S. export control regulations, such a release—whether intentional or inadvertent—is considered an export and may require prior government authorization depending on the item’s classification and the recipient’s nationality.

Restricted end use refers to the intended application of an item, software, or technology that is prohibited or controlled under U.S. export control regulations due to national security, nuclear nonproliferation, chemical/biological weapons, or military-related concerns. Even if the item itself is not highly controlled, a license may be required—or the transaction may be entirely prohibited—if the end use involves activities such as weapons development, missile technology, or military applications in embargoed countries.

A person who is responsible for the design and conduct of research and/or reporting/publishing research outcomes.

Collective term for U.S. government lists identifying parties subject to restrictions—such as denied, debarred, or sanctioned persons and entities—maintained by agencies including the Departments of Commerce (e.g., Entity List, Denied Persons List), State (e.g., Debarred List), and the Treasury’s Office of Foreign Assets Control (e.g., SDN List). These lists change frequently and must be checked before engaging in research collaborations, hiring, purchasing, travel, shipments, or data sharing. Purdue conducts Restricted Party Screening using the hosted service Visual Compliance.

Restricted party screening is the process of checking individuals, organizations, or entities against U.S. government-issued lists of parties that are subject to trade, export, or financial restrictions. This screening helps ensure that Purdue does not engage, directly or indirectly, with entities that are denied export privileges, sanctioned, or otherwise prohibited from receiving controlled items, information, or funding.

A restriction, in the context of fundamental research, refers to any limitation on the publication, dissemination, or access to research results—such as sponsor-imposed approval rights, foreign national participation limits, or confidentiality clauses—that would prevent the research from being openly shared. The presence of such restrictions disqualifies a project from being considered fundamental research under U.S. export control regulations.

Note: This use of the term restriction is distinct from a restricted party, which refers to an individual or entity listed by the U.S. government as being subject to trade or export prohibitions.

Sanctions are legal restrictions imposed by a government to limit or prohibit economic activity with specific countries, entities, or individuals in order to achieve national security, foreign policy, or human rights objectives. U.S. sanctions, administered primarily by OFAC, may include bans on exports, imports, financial transactions, or the provision of services. Sanctions can be comprehensive (targeting entire countries) or targeted (focusing on specific parties or sectors).

Technology refers to specific information necessary for the development, production, or use of a product. Under U.S. export control regulations, this includes technical data, blueprints, plans, diagrams, models, formulas, and instructions, whether in tangible or intangible form. Technology is controlled when it is listed on the Commerce Control List (CCL) or U.S. Munitions List (USML) and may require authorization before being shared with foreign persons or entities.

A Technology Control Plan (TCP) is a document that outlines the specific security measures, access restrictions, and procedural safeguards in place to prevent unauthorized access to export-controlled technology, technical data, or other regulated information. TCPs are used to ensure compliance with U.S. export control regulations and are typically required when foreign persons are involved in research subject to access restrictions.

A U.S. Munitions List (USML) Category is a designation used under ITAR to identify defense articles, defense services, and related technical data that are subject to Department of State jurisdiction. Each item on the USML is assigned to a specific category (e.g., Category I for firearms, Category XV for spacecraft) based on its military function or capability. Unlike ECCNs under the EAR, items controlled under the USML generally require a license for export to any foreign person or country, unless a specific exemption applies.

In export control regulations, “use” refers to the direct application of controlled technology. Under the EAR, the term is generally defined to include all of the following activities: operation, installation (including on-site installation), maintenance, repair, overhaul, and refurbishing. For most EAR-controlled items, all six activities must be present for “use” to apply, though this standard is not uniform across all categories. Under ITAR, the term “use” is not defined in the same way, and access by a foreign person to defense articles or technical data may constitute an export even if only a single activity is involved.

(ITAR term) Information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation (22 CFR 120.9).

A hosted compliance service used by Purdue to support export control obligations. Visual Compliance enables screening of individuals, organizations, and entities against U.S. Government restricted, denied, and sanctioned party lists. At Purdue, it is primarily used for Restricted Party Screening of visitors, collaborators, and vendors.

A secure high-performance computing cluster managed by Purdue’s Rosen Center for Advanced Computing (RCAC). Weber provides an environment that meets the safeguarding requirements of NIST SP 800-171 and is used for research projects involving Controlled Unclassified Information (CUI) and other restricted data.

Any person who is a U.S. Citizen, lawful permanent resident (Green Card holder), or a protected individual as defined by 8 U.S.C. 1324b(a)(3); and entities that are incorporated or organized to do business in the United States. This includes U.S. subsidiaries of foreign entities.