• A TCP is a written security plan that details procedures designed to eliminate or minimize the risk of unlicensed exports in labs and other research facilities engaged in export-controlled research. ​
  • A TCP outlines expectation and controls such as physical security, IT security, and all personnel authorized to participate in export-controlled activities and access export-controlled items and information.​
  • A TCP will document additional contract and regulation requirements. ​
  • A TCP is also the institutional commitment to comply with applicable regulations and the certification of all personnel to comply with the security requirements outlined in the TCP.

Keep in mind that a TCP is separate from other lab or research protocols and must be implemented in addition to them. 

Do I need a TCP?

What type of research needs a TCP?

  • CUI/CDI (controlled defense information)
  • NSR CUI (CUI categories that require protection for national security reasons; i.e., DHS)
  • Export Controlled information/technology
    • ITAR
    • EAR Dual-Use (license required)
  • DOE (Department of Energy)
TCP Elements

-Locked cabinets
-Card access
-Screen protectors
IT Security
-CMMC environments for CDI: GCC High, SDE, KRI, ECUAS
-Laptops vs. desktops
-Location: shared lab space vs. private office
-Who will be accessing CUI/CDI or export controlled information or technology?
– Screening (RPS) and training requirements
-Any foreign national restrictions
Prior to the TCP being instated, all personnel listed on the TCP accessing controlled information must sign a certification form stating that they comply with applicable regulations and the security requirements outlined in the TCP.
TCP Access Controls/Participant Responsibilities
People (TCP
Section 5)
-Do not discuss CUI/CDI research or results at any time with non-project personnel​
-Project conversations should take place in private spaces​
-Ensure that your workspace doesn’t allow visual disclosure of CUI/CDI (i.e., shared lab space)​
Physical (TCP Section 6)-Do not print physical instances of CUI/CDI, unless authorized on TCP​
-If physical instances of CUI/CDI are authorized, these can only be stored in identified locations ​
-Any work environment that defers from that listed on the TCP will need prior approval (i.e., remote work)​
Systems (TCP Section 7)-Only use compliant systems to store, process or transmit CUI/CDI data or export-controlled data  ​
-Only store in authorized environments   ​
-Only use GCC high email to transfer and discuss CUI/CDI between GCC account holders listed on the TCP​
Secure Enclaves

These environments are managed by Northeastern safeguarded to access and store CUI, including CDI to meet the NIST 800-171 and DFAR 7012 clause.

GCC HighGCC High is a cloud service model that provides a cloud computing solution to a limited number of individuals or organizations that is governed, managed and secured by Northeastern.
SDEThe Secure Data Enclave (SDE) is a Linux-based HPC cluster available to research projects that require data-security – such as CUI, HIPPA, and other sensitive data.
KRIThe Kostas Research Institute (KRI) serves as a secure indoor facility for materials and devices, cybersecurity, additive manufacturing, nanomanufacturing, structural testing, and data analytics, systems modeling and network science. 
ECUASThe Expeditionary Cyber and Unmanned Aerial System (ECUAS) is a secure indoor and outdoor facility where researchers focus on autonomy, cybersecurity and a vast array of EM spectrum technologies. 
Sanctions & Restricted Persons/Entities
  • Everyone on a TCP goes through training and restricted party screening.​
  • There are sanctioned persons and entities in every country, including the U.S.​
  • NU faculty, staff and students are prohibited from engaging with restricted persons or entities.​

For more information on sanctioned and embargoed countries, please click here.

Related Government Guidance/Policies

last updated 11.15.2023