Technology Control Plan

 * DISCLAIMER – These are items of interest as they relate to FOCI only.

A Technology Control Plan (TCP) is required by the NISPOM to be developed for entities under FOCI mitigation (voting trust agreement, proxy agreement, special security agreement, and security control agreement). DSS is responsible for approving the TCP. The TCP must include a description of all security measures determined to be necessary to prevent the unauthorized disclosure of classified or export-controlled information.  

The purpose of the Technology Control Plan (TCP) is to provide specific access and physical control measures to manage access to classified information by foreign national employees and visitors. To remind contractors of the NISPOM requirement for a TCP when hiring a foreign national and long-term plan visits, the requirements were added to the International Traffic in Arms Regulation (ITAR) Part 126.13. The TCP must cover the requirements of export control laws and regulations, the NISPOM, classified contracts and in the case of a FOCI situation, the provisions of the facility clearance arrangement. Even though foreign nationals who are “protected individuals” may be given access to unclassified export controlled information pursuant to the ITAR and Export Administration Regulation (EAR), the TCP must address such persons since they are not eligible for access to classified information (except in limited circumstances pursuant to a Limited Access Authorization (LAA) which has been approved pursuant to DoD 5200.2-R and the NISPOM). In such cases, access under the LAA will be restricted to specified classified information and limited to a specified government program or project; therefore, access to other information must be controlled.

Their access to certain controlled unclassified information (e.g., privacy information, another company’s proprietary information) also is restricted unless the consent of the person (for privacy information) or originator is obtained.  

The original purpose for the TCP was to require cleared contractor facilities to develop specific access and physical control measures to control access to classified information and programs by foreign national employees and visitors similar to the procedures required for DoD Components in DoD Directive 5230.20. This requirement is described in Section 10-509 of the NISPOM. In an attempt to remind cleared contractors of the requirement and expedite decisions on export license applications related to the hiring of foreign nationals and long term plant visits by foreign nationals, the requirement specified in the NISPOM was included in Part 126.13 of the ITAR. With respect to this requirement for the TCP, the Defense Security Service (DSS) may grant an exception regarding the preparation of a specific “TCP” if the facility has in place other security documentation (such as a Standard Practices Procedures (SPP) document) that adequately covers the specific components of a TCP.  

When a SPP or other security document adequately covers controls for classified information and programs, the TCP may be limited to unclassified export controlled information, including that related to dual-use items controlled by the Export Administration Regulation. However, the documents should cross reference each other.

It is not necessary or desirable to repeat the requirements that are stated in the NISPOM or the export control regulations except where necessary to emphasize a particular requirement. The facility security and export control officials must be thoroughly familiar with the specific security and export control requirements, they are responsible for monitoring enforcement.
It is not necessary to prepare a TCP for each foreign national visitor or employee. Access authorizations and restrictions for individual situations can be prepared and appended to a single, generic TCP.  

Even if a facility’s internal security procedures document fully the requirements that are to be addressed in a TCP and DSS determines that a separate TCP is not necessary, it would be preferable that the TCP requirements be included in a separate annex to the Standard Practices and Procedures (SPP) or other document so the guidance can be removed, merged with guidelines on information access authorizations and restrictions and provided to the foreign national visitor or employee and co-workers. This also will facilitate compliance with the ITAR provision dealing with the submission of a copy of the TCP with requests for licenses for foreign national visitors and employees by cleared companies.  

The TCP guidance and the information access authorizations and restrictions must be provided to each foreign national visitor or employee, as well as co-workers and they must acknowledge their receipt and understanding of the requirements.