Definition · Plain-language
Technology control plan (TCP)
A technology control plan (TCP) is a written, institutional plan that describes how export-controlled technology, items and information will be physically and electronically secured and how access will be limited to authorised persons.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
What a TCP is for
A technology control plan is the operational document an institution uses to manage a project involving export-controlled technology or items. It is generally required when controlled material is present and the fundamental research exclusion does not apply — for example, where there are publication restrictions, ITAR-controlled defence articles, or controlled physical equipment. The TCP sets out concrete safeguards so that controlled technology is not released to unauthorised persons, including foreign persons whose access would be a deemed export.
What a TCP typically covers
A TCP commonly addresses physical security (locked spaces, marked areas, secure storage), information security (access-controlled drives, encryption, network segregation), and personnel measures (identifying authorised individuals, restricted-party screening, confidentiality undertakings). It usually specifies who may access the technology, how access is logged, how visitors and shipments are handled, and how controlled material is disposed of. Training of project personnel and recordkeeping to evidence compliance are standard components.
How TCPs are used in research
When an export-control review flags a project as involving controlled technology, the institutional export-control office typically works with the principal investigator to draft and approve a TCP before work begins. The plan is tailored to the specific technology, the people involved and the facilities used, and it is reviewed and updated as the project, personnel or controls change. The TCP becomes the reference point for demonstrating that access was limited to authorised persons.
Key facts
At a glance
- Definition: institutional plan to secure controlled technology and limit access
- When used: controlled material present and exclusion does not apply
- Physical security: locked, marked, access-controlled spaces
- Information security: access controls, encryption, network segregation
- Personnel: authorised-person lists, screening, training
- Goal: prevent unauthorised release, including deemed exports
Common misconceptions
What people often get wrong
Often heard: Every research project needs a technology control plan.
Actually: A TCP is generally needed only when a project involves export-controlled technology or items that the fundamental research exclusion does not shelter. Openly published fundamental research typically does not require one.
Often heard: A technology control plan is a government-issued licence.
Actually: A TCP is an internal institutional security and access-management document, not a licence. A separate export licence may still be required from BIS, DDTC or OFAC depending on the activity.
Often heard: Once a TCP is written, no further action is needed.
Actually: A TCP is a living document. It is reviewed and updated as personnel, technology or controls change, and it depends on ongoing access management, training and recordkeeping to remain effective.
Going deeper
