Engaging with a Foreign Country of Concern

Indiana University supports global collaboration while protecting our people, data, and intellectual property. Certain engagements with a Foreign Country of Concern may be restricted or prohibited by law or IU policy.

Engaging with entities based in or subject to the jurisdiction of a Foreign Country of Concern can trigger multiple, overlapping requirements:

• Indiana state law (HB1179) on intellectual property transfers; implemented at IU via UA-23 (copyrightable works) and UA-24 (inventions & patents).
• IU Research Security Policy (RP-11-012) (disclosures, training, risk reviews, restrictions); implementation of State of Indiana Executive Order 25-64, “Protecting Critical Infrastructure and Hoosier Resources by Increasing Prohibitions on Dealing with Certain Foreign Adversaries.”
• U.S. export controls & sanctions (EAR, ITAR, OFAC).
• DOJ “Bulk Data Rule” (28 CFR 202) for bulk sensitive personal data and U.S. government-related data.
• NIH Biospecimen Security Policy (NOT-OD-25-160) (for NIH-funded work handling human biospecimens).

1. Indiana HB1179: Transfers of IP Developed with IU Resources

What it does: Requires IU to prohibit the transfer, license, or sublicense of IP developed with university resources to certain foreign-adversary entities.

How IU implements this:

• UA-23: Intellectual Property — Copyrightable Works
• UA-24: Intellectual Property — Inventions & Patents

2. IU Research Security Policy (RP-11-012)

Indiana University’s Research Security Policy (RP-11-012) applies to all students, faculty, staff, and anyone conducting research or sponsored activity under the auspices of IU.

Key responsibilities & disclosures:

• Ensure complete and accurate disclosures in proposals, reports, and certifications—especially foreign employment/appointments, foreign support, contracts/agreements, and any involvement in Malign Foreign Talent Recruitment Programs (MFRTPs) or Foreign Recruitment Programs by Foreign Countries of Concern. Click here for RSO guidance on Talent Recruitment Programs.
• Maintain and provide supporting documentation (agreements, contracts, gifts, affiliations) when requested.

Research security training:

• Senior/Key Personnel on proposals/awards must complete recurring research security training (e.g., annually or as sponsor-required) covering export controls, IP protection, data safeguards, and foreign-influence risk.

Restrictions on talent recruitment programs:

• IU personnel are prohibited from participating in foreign recruitment programs sponsored by a Foreign Country of Concern; IU certifies compliance with federal requirements (e.g., CHIPS & Science Act).

International engagements, restricted parties, and approvals:

• No agreements/disbursements to restricted parties (e.g., OFAC SDNs, BIS Entity List/Unverified List/Military End-User List, certain §1286 institutions) unless lawful, licensed, and formally approved by IU leadership; cross-border agreements must follow IU vetting (OVPIA) and coordinate with RSO.

Sensitive research materials, data, and IP protection:

• Sensitive Research Materials require formal agreements (e.g., MTAs) and, in some cases, written approval from IU leadership when a Foreign Country of Concern is implicated; protect research data and IP per IT- 12/DM-01 and any elevated controls; consult RSO before any transaction implicating export controls.

3. U.S. Export Controls & Sanctions

Even when IU policy permits an engagement, federal rules may still prohibit or require licenses/authorizations for sharing items, software, technology, technical data, or services.

• EAR (BIS): dual-use items & technology; includes deemed exports to foreign persons in the U.S.
• ITAR (DDTC): defense articles, defense services, and technical data.
• OFAC sanctions: embargoes, sectoral controls, SDNs/sanctioned parties, etc.

IU uses Visual Compliance to conduct restricted party screenings. Please contact rsohelp@iu.edu for screening requests, or for access requests to our screening software.

4. DOJ “Bulk Data Rule” (28 CFR 202)

Effective April 8, 2025, the DOJ rule restricts or prohibits certain transactions involving bulk sensitive personal data (e.g., genomic, health, financial, biometric, precise geolocation) and U.S. government-related data when parties, routing, infrastructure, or beneficiaries involve a foreign country of concern. Read more on Bulk Data here.

5. NIH Biospecimen Security Policy (NIH-funded work)

NIH’s Policy on Enhancing Security Measures for Human Biospecimens (effective October 24, 2025) sets requirements for the collection, storage, use, and distribution of human biospecimens supported by NIH funds—aligned with EO 14117/28 CFR Part 202.

IU announcement: NIH Announces New Biospecimen Security Policy for NIH-Funded Research

Contact RSO early with details of parties, ownership, locations, data types, equipment, and access needs. RSO can help:

• Screen counterparties for beneficial ownership and restricted lists; determine whether to refer to ICO for HB1179 and UA-23/UA-24 compliance.
• Classify what you’ll share (export jurisdiction, DOJ bulk data, NIH biospecimen scope).
• Secure approvals & agreements (licenses/authorizations, data-use and contract safeguards, IP clearance).
• Implement controls (encryption, logging, training; no-onward-transfer and termination clauses).

• U.S. subsidiary owned/controlled by a parent in a covered jurisdiction (heightened risk under the BIS affiliates rule).
• Requests for source code, design files, unpublished technical data, or remote admin access.
• Proposals to host bulk human-subjects data or biospecimens on infrastructure tied to a Foreign Country of Concern.
• Visitors/students needing hands-on access to controlled equipment or unpublished know-how.

Contact rsohelp@iu.edu with any questions or service requests.