University Policy 4.22
Export and Import Control Compliance
Policy Introduction
This policy sets forth Cornell's commitment to compliance with U.S. Export and Import Control Regulations, identifies responsibilities, and establishes the administrative foundation for University Compliance.
To Whom This Policy Applies
The Export and Import Control Compliance Policy applies to every Cornell University staff member, faculty, and student (whether paid or unpaid), as well as all activities undertaken by or on behalf of the University.
- Cornell University
- Weill Cornell Medicine (WCM)
- Cornell Technology
- WCM Qatar
1.0 Policy Principles
The following principles are expected to be adhered to by all individuals to whom this policy applies:
1.1 Fundamental Research:
Cornell University conducts only research that qualifies as Fundamental Research, with exceptions upon approval by the Provost. Research projects that restrict the free and open publication of results are not accepted at Cornell. In particular, research which is confidential to the sponsoring entity, or which is classified for security purposes is not permitted. It is the responsibility of all Cornell personnel to ensure that any contract signed adheres to this principle, and that no actions are taken that would circumvent or compromise this foundational research and scholarship tenet. Any exception must be granted by the Export Controls Office (ECO) and approved by university leadership, as appropriate.
1.2 International Shipments:
All international shipments must be assessed for export or import control concerns, related to both the item(s) being shipped, and the end user/end use of the item(s). It is the responsibility of all parties involved to ensure that the international shipment complies with regulatory and legal requirements. All shipments being sent from or on behalf of Cornell to an international location must be reviewed and approved by the ECO.
1.3 Controlled Information:
Controlled Information at Cornell may result in a Deemed Export violation, if not properly controlled. The use, storage, or receipt of Technology or Technical Data controlled under U.S. Export Control Regulations is prohibited at Cornell University, unless expressly authorized by the ECO.
1.4 International Travel:
Travel to certain sanctioned countries is prohibited without a general or specific license. All international travel conducted on behalf of Cornell must be pre-registered in the Cornell or WCM Travel Registry, as appropriate. Registration is required pursuant to University Policy 8.5, Risk Management for International Travel, and timely registration ensures compliance with current sanctions. Before departure, all items and information hand carried abroad must be reviewed using resources on the Export Control Website to confirm compliance. Any questions or uncertainties should be directed to the ECO.
1.5 Bulk U.S. Sensitive Data or U.S. Government-Related Data:
Any transaction involving U.S. government-related data or bulk U.S. sensitive data, as defined in 28 CFR Part 202 regulations, must be reviewed by the ECO whenever required under ECO procedures. Cornell personnel are responsible for adhering to the thresholds and criteria established in those procedures. The ECO is authorized to require mitigation measures, impose conditions, or prohibit a transaction at its discretion, including in cases where applicable volume thresholds are not met.
1.6 Restricted Parties:
Cornell does not authorize engagement with any entity or party that appears on U.S. government sanctions, export control, watch lists, or restricted party lists, including, but not limited to, lists maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS), the U.S. Office of Foreign Assets Control (OFAC), the U.S. Department of Defense (DoD), the U.S. Office of Management and Budget (OMB), and the Center for Security and Emerging Technology, without express authorization of the ECO.
2.0 Responsibilities
2.1 Responsible Office:
Export Control Compliance Officer (ECCO): The ECCO and their delegate(s) is granted authority to oversee and administer the University's Export Control Program, this policy, and is granted the ability to halt exports or imports that violate (or are reasonably suspected of violating) U.S. Export or Import Control Regulations. The ECCO and delegate(s) shall serve as the University’s authorized signatory on export and import control documentation, including customs documents and license applications. The ECCO and delegate(s) are also granted the authority to authorize shipping carriers and freight forwarders to make export and import control filings, if any, on Cornell’s behalf. The ECCO and delegate(s) are responsible for developing and administering the University’s Bulk Data Rule Program.
Export Control Office (ECO): The ECO serves as the primary resource to the Cornell community on export and import control matters.
2.2 University Management:
Responsible for having knowledge of the information in the University's Export Control Program, as well as knowledge of the export and import controls relating to the area(s) and activities that are under their purview. University Management shall, upon request by the ECO, designate a primary point of contact in their Unit to serve as the ECO’s liaison on export and import control related matters. University Management requires that everyone working under their authority takes mandated training and follows all processes and procedures as required by the ECO.
2.3 Individuals:
Each Cornell University staff member, faculty, and student, whether paid or unpaid, is responsible for: compliance with U.S. Export and Import Control Regulations, reading and abiding by the processes and procedures set forth in the University's Export Control Program, consulting the ECO when questions arise, and taking training as required. No University faculty, staff, or student may engage in any activity, or commit the University to engage in any activity that violates U.S. Export or Import Control Laws and Regulations. Failure to comply with the Export Control Program when required does not excuse non-compliance and may be treated as a policy violation.
3.0 How to Report a Concern
Individuals are encouraged to report compliance and ethics concerns to their direct supervisor or HR representative where possible.
Where this is not feasible or where additional subject matter expertise is needed, individuals may use institutional mechanisms listed on the Concern Reporting at Cornell site.
The Cornell Ethics and Compliance Hotline is the primary mechanism to confidentially or anonymously report ethics, integrity, or compliance concerns to the University.
4.0 Record Retention
Records associated with this policy shall be maintained by the individual or Unit engaging in the activity. Records shall be retained or disposed of in accordance with University Policy 4.7, Retention of University Records and University Policy 4.21, Research Data Retention.
Under U.S. Export Control Regulations, and U.S. Import Regulations, records must be retained for five years after the completion of the activity and made available to the regulating authority upon request. Under Department of Justice Regulations (28 CFR Part 202), records must be retained for ten years after completion of any restricted transaction. Records that must be retained include all memoranda, notes, correspondence (including email), financial records, shipping documentation, as well as any other information related to the export activities.
5.0 Compliance
The Export Control Office, University Compliance, University Audit, and others may audit or investigate to assess compliance with this policy. Non-compliance with university policies is addressed in accordance with applicable policies and procedures and is subject to progressive disciplinary action up to and including termination.
In addition to complying with federal, state, and local laws that apply to Cornell employees working in New York State, Cornell will also comply with applicable state and local laws in the non-NYS jurisdictions where its employees work. Therefore, if those applicable state and local laws in the non-NYS jurisdictions provide greater or additional benefits or protections not available under university policies, the university will comply with the applicable state and local laws.
6.0 Related Resources
For All Units and Colleges Including Weill Cornell Medicine
- Cornell Travel Registry
- Export Controls Website
- University Policy 8.5, Risk Management for International Travel
For All Units and Colleges Except Weill Cornell Medicine
- Department of Justice (DOJ) Bulk Data Rule
- Disclose Foreign Collaborations and Support
- Export Control Compliance Manual
- High Risk Travel Loaner Program
For All Weill Cornell Medicine Units
- Export Controls Manual
- Research Security
- Office of Sponsored Research Administration
- SMARTdesk (High Risk Travel Loaner Program)
7.0 Definitions
| Term | Definition |
|---|---|
| Controlled Information | Technology or Technical Data as defined below. |
| Covered Person | Foreign entities that are organized under the laws of a country of concern, have their principal place of business in a country of concern, or are 50% or more owned by a country of concern; Entities that are 50% or more owned by another covered person; Foreign individuals who are primarily a resident in a country of concern or employed by or acting on behalf of a covered entity; or any individual specifically designated by the U.S. Department of Justice as subject to the direction or control of a country of concern or another covered person. |
| Deemed Export | The release of any Technology, Technical Data, source code, or service subject to export controls to any foreign national in the United States or abroad. Deemed exports may occur through such means as a demonstration, email, computer access, oral exchanges, or visual inspection of equipment and facilities, as well as the electronic transmission of controlled information or technology. This exchange is “deemed” to be an export to the country of the foreign national. |
| Export | Any release of export-controlled items, information, technology, technical data, or services to anyone (including a U.S. citizen) outside the U.S. “Release” includes shipment as well as oral, written, electronic (fax, e-mail, Internet, etc.), or visual disclosure as well as the export of encryption software source code or object code. Deemed Export are also considered exports. |
| Fundamental Research | Basic or applied research, the results of which ordinarily are published and shared broadly, and for which the researchers and/or the University have not accepted restrictions for proprietary or national security reasons. For International Traffic in Arms Regulations (ITAR) purposes, Fundamental Research must be conducted at an accredited institute of higher learning in the U.S. |
| Import | Goods brought into the United States from a foreign location. |
| Technology | Information necessary for the “development,” “production,” “use,” operation, installation, maintenance, repair, overhaul, or refurbishing of a controlled item. Technology may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection. |
| Technical Data | Information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. Technical Data includes information in the form of blueprints, drawings, photographs, plans, instructions, or documentation. It further includes classified information, information covered by an invention secrecy order and software directly related to defense articles. |
| University's Export Control Program | Cornell University’s export control related processes, procedures, and requirements as set forth by the ECCO and contained on the export control websites, in the manuals for both the main campus and WCM, and as further determined by the ECCO. |
| University’s Bulk Data Rule Program | Cornell University’s bulk data related processes, procedures, and requirements as set forth by the ECCO and contained on bulk data rule websites, in the manuals for both the main campus and WCM, and as further determined by the ECCO. |
8.0 Responsible Office and Policy Administration
| Policy Clarification and Interpretation | Contact | Phone | Email/Web Address |
|---|---|---|---|
| Cornell University | Export Control Officer | (607) 255-5284 | |
| Weill Cornell Medicine | Export Control and Compliance Officer | (607) 255-5284 |
9.0 Responsible Executive
| Unit | Title |
|---|---|
| Research | Vice Provost for Research |
10.0 Revision History
| Date Issued: | August 27, 2021 |
|---|---|
| Date of Full Review: | April 6, 2026 |
| Date Last Updated: | April 6, 2026 |
| Revision notes: | Substantial revision; Converted to HTML. Revised to include Bulk Data Rule. |