How to Write a Technology Control Plan That Satisfies DDTC and University Research Office Requirements

What a Technology Control Plan Actually Needs to Do

A Technology Control Plan is not a checkbox document. When the Directorate of Defense Trade Controls reviews your ITAR compliance posture, or when a university research office evaluates your suitability as a sponsored research partner, they are not looking for a boilerplate PDF with your company name pasted in the header. They are looking for evidence that your organization has thought through exactly how it will prevent unauthorized access to export-controlled technical data and defense articles — and has implemented the controls to back it up.

If you are a defense contractor, a university with active government-sponsored research, or a manufacturing organization handling ITAR-controlled commodities, you need a TCP that is operationally grounded, legally defensible, and specific enough to survive scrutiny. This guide walks you through how to build one that works in both environments.

If you are still working out whether your organization needs a TCP at all, our overview of what a Technology Control Plan is and who is required to have one is a useful starting point before you begin drafting.

Core Sections Every TCP Must Include

Whether your TCP is going to DDTC as part of a consent agreement, submitted to a university's export control office for a sponsored project, or maintained internally as part of your ITAR and export controls compliance program, the document structure should address the same fundamental areas. The depth and formality will vary, but the substance should not.

1. Scope and Purpose Statement

Begin with a clear statement of what export-controlled technology or technical data the TCP governs. Be specific. Reference the applicable United States Munitions List categories, Export Control Classification Numbers if EAR applies alongside ITAR, contract numbers, grant identifiers, or sponsored research agreements. Vague scope statements are the leading cause of TCP rejections at university research offices and a red flag during DDTC examinations.

Your purpose statement should also identify the regulatory framework. State explicitly that the TCP is designed to ensure compliance with the International Traffic in Arms Regulations, 22 CFR Parts 120-130, and reference any specific license conditions or exemptions that apply to the project or program in scope.

2. Identification of Controlled Technology

List the specific technical data, hardware, software, or defense services covered. For university research settings, this section must also address the fundamental research exclusion — and document clearly whether it applies. If the research is not fundamental research, or if the project has publication restrictions or sponsor controls that disqualify it from the exclusion, that needs to be stated explicitly with supporting rationale.

For defense contractors, this section should map controlled items to your internal classification system and align with how you have identified and labeled ITAR data across your organization. If you have not yet established a formal labeling and classification process, that gap needs to be closed before your TCP is credible.

3. Access Controls and Authorization Procedures

This is where many TCPs fail. Access controls must be specific, enforceable, and documented. The plan must explain:

• Who is authorized to access the controlled technology and on what basis
• How U.S. person status is verified for all personnel with access
• What process governs access requests and approvals for foreign nationals
• How physical access to controlled areas is restricted and monitored
• What IT controls prevent unauthorized electronic access to controlled technical data

For organizations handling ITAR-controlled technical data in cloud or collaborative environments, your access control documentation needs to address your specific platform. University research offices increasingly ask about cloud storage, collaboration tools, and whether those environments meet ITAR requirements before approving a TCP for a sponsored project.

4. Physical Security Measures

DDTC expects physical security controls commensurate with the sensitivity of the controlled technology. Your TCP must describe the physical environment where controlled activities occur, including:

• Facility boundaries and restricted areas
• Visitor control procedures, including badging protocols for foreign national visitors
• Storage controls for physical hardware, documentation, and media
• Procedures for escorting unauthorized personnel

University facilities present unique challenges here. Shared laboratory spaces, open-door academic cultures, and rotating research personnel require visitor controls that are more deliberate than most academic institutions maintain by default. The TCP must account for these realities and establish procedures that are actually followed — not just written down.

5. Training Requirements

Your TCP must specify who receives ITAR and export control training, how often, what the training covers, and how completion is documented. This section matters to both DDTC and university research offices. The research office needs to know that all personnel with project access — including graduate students, postdoctoral researchers, and visiting scholars — have received appropriate training before accessing controlled technology.

Training records should be maintained and available for review. Annual refreshers are a minimum; project-specific briefings are best practice when new personnel are added mid-project.

6. Recordkeeping and Audit Procedures

Your TCP must describe how records are maintained, where they are stored, for how long, and who is responsible for their integrity. ITAR requires a five-year retention period for most export-related records. Your TCP should specify this requirement, identify the records custodian, and describe the process for producing records upon request.

Include a provision for periodic internal audits or reviews of TCP compliance. This demonstrates to DDTC — and to a university research office — that the plan is a living document with active oversight, not a one-time submission.

7. Incident Reporting and Corrective Action

Define what constitutes a potential ITAR violation or unauthorized disclosure, who must be notified, and what the escalation path looks like. This section should reference your organization's broader compliance program, including how voluntary self-disclosures to DDTC are handled. University research offices often require this section to specify institutional reporting obligations as well, given the dual accountability to both the federal sponsor and the institution's export control office.

Tailoring Your TCP for University Research Office Review

University research offices have their own requirements layered on top of DDTC expectations. Most research offices use an internal TCP template or checklist, and they will expect your submitted plan to address specific institutional concerns, including:

• Whether the fundamental research exclusion applies and the basis for that determination
• How the institution's export control officer is integrated into the project oversight structure
• What happens when a foreign national student or researcher joins the project
• How publication and dissemination of research results will be reviewed prior to release
• Whether any foreign subcontractors or collaborating institutions are involved

If you are an industry partner or prime contractor collaborating with a university, align your TCP language with the institution's standard format where possible. Reviewing the research office's existing TCP templates before drafting your plan will reduce revision cycles significantly.

For organizations in the educational institutions space navigating these dual compliance obligations, the intersection of academic freedom, open research norms, and ITAR restrictions requires careful and experienced handling.

Common Mistakes That Get TCPs Rejected

After reviewing dozens of TCPs on behalf of clients in defense, aerospace, and research environments, I consistently see the same failure patterns:

1. Generic language that does not reflect actual operations. Copying a template without adapting it to your specific facility, technology, and personnel structure tells a reviewer that no one actually thought through the controls.
2. Scope that does not match the underlying license or agreement. If your ITAR license covers specific commodities and categories, your TCP must mirror that scope precisely.
3. No designated responsible official. Every TCP needs a named individual or position accountable for implementation and compliance oversight.
4. Missing or inadequate foreign national access procedures. This is the section most likely to generate questions from a university research office and scrutiny from DDTC.
5. No update or review cadence. A TCP written three years ago for a project that has since added new personnel, new technology, and new subcontractors is not a compliant plan — it is a liability.

For a broader look at how ITAR program gaps get organizations into trouble, the resource on ITAR violations and guidance for compliance managers is worth reviewing before you finalize your TCP.

Integrating the TCP Into Your Broader ITAR Compliance Program

A Technology Control Plan does not stand alone. It should be one component of a documented, implemented, and auditable ITAR compliance program. That program should include a written compliance policy, a designated empowered official, formal training records, documented procedures for license management, and a process for internal compliance reviews.

Organizations that treat the TCP as a standalone submission — detached from their broader export compliance structure — consistently struggle when DDTC examiners ask for supporting documentation or when a university research office asks to review the program behind the plan.

Our ITAR Compliance Documentation Toolkit includes template language and structural guidance that can accelerate the drafting process while ensuring your TCP integrates appropriately with your full compliance program. For teams building their program from the ground up, our Compliance Program Development service provides the structured support needed to get it right the first time.

Getting Expert Help When You Need It

Writing a Technology Control Plan that satisfies both DDTC expectations and a university research office's requirements is a specialized task. The regulatory nuance involved — particularly around the fundamental research exclusion, foreign national access determinations, and the intersection of ITAR and EAR — is not something most compliance managers should navigate without experienced guidance.

At Cleared Systems, we develop, review, and remediate Technology Control Plans for defense contractors, universities, aerospace firms, and manufacturers across the aerospace and defense sector. We have seen what DDTC examiners flag and what research offices push back on, and we build plans that hold up under both.

If your organization needs a TCP developed or reviewed, or if you want an expert assessment of whether your current plan would survive scrutiny, request a quote today and let us help you get it right before it matters most.