Safeguarding Export Controlled Data
The following guidelines are drawn from regulations issued by the Department of Defense, mandating "enhanced safeguarding" measures for certain types of data. Note that breaches of systems containing Unclassified Controlled Technical Information must be reported to the Department of Defense within 72 hours of discovery. The University of Cincinnati (UC) offers a service for storing export controlled research data that adheres to the guidelines below. For more information about this service, click here.
Export-controlled information housed at the University of Cincinnati must be managed in accordance with these guidelines. Export-controlled information that is received by or brought to UC must be housed on the Isilon server designated for this purpose. Any exceptions must be explicitly approved by the Export Controls Office.
Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information.
- Do not access Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control
- Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods
- Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control
- Use regularly-updated malware protection software
- Keep computers hosting Controlled Information up to date on security patches and updates
- All Controlled Information must be encrypted if stored on mobile computing devices such as laptops and PDAs, or on removable media such as thumb drives or CD/DVD (see additional notes below)
- Wipe electronic media in accordance with NIST 800-88, Guidelines for Media Sanitization
Transmission of Data
- Do not transmit or email Controlled Information unencrypted. If an encrypted channel is not available, the data must be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above
- Transmit Controlled Information via voice or fax only where there is reasonable assurance that access is limited to authorized persons
- Wireless network access to Controlled Information must be encrypted using, e.g., WPA2 Enterprise wireless network encryption or VPN
- Provide monitoring and control over inbound and outbound network traffic. Include blocking unauthorized ingress and egress
- Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services
- Transfer Controlled Information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements; include these requirements, including this one, in all subcontracts under which Controlled Information will be accessed or generated
In such cases where the Controlled Information is a software executable that will be run on a shared (multi-user) system such as a compute cluster, the following additional guidelines apply:
- The directories containing the software shall be access controlled so that only the designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions
- The shared system shall have audit logging enabled, and the audit logs shall be backed up
- The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons
- Only U.S. Persons shall have unescorted physical access to the shared system
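One way to check the directory access-control guideline above on a POSIX shared system, as an added example that is not part of UC's guidelines or tooling. The function name `audit_controlled_dir` is hypothetical, and the check assumes access is granted through file ownership alone (approved users may be given as names or numeric IDs); ACLs are not inspected.

```shell
#!/bin/sh
# Added example (not UC's tooling): audit a controlled-software directory.
# Assumption: access is granted by file ownership alone, so every entry must
# be owned by an approved user and carry no group/other permission bits.
# POSIX ACLs are NOT inspected; check those separately (e.g. getfacl).

# usage: audit_controlled_dir DIR APPROVED_USER [APPROVED_USER...]
# Prints "OWNER path" / "MODE path" per violation.
# Returns 0 when clean, 1 on violations, 2 on bad arguments.
audit_controlled_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    shift
    [ "$#" -gt 0 ] || { echo "no approved users given" >&2; return 2; }

    # Turn the user list into find predicates: ! -user u1 ! -user u2 ...
    n=$#
    for u in "$@"; do set -- "$@" ! -user "$u"; done
    shift "$n"
    bad_owner=$(find "$dir" "$@" -print)

    # Any group or other bit set. Symlinks are skipped: their own mode bits
    # are not used for access decisions.
    bad_mode=$(find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)

    [ -n "$bad_owner" ] && printf '%s\n' "$bad_owner" | sed 's/^/OWNER /'
    [ -n "$bad_mode" ] && printf '%s\n' "$bad_mode" | sed 's/^/MODE /'
    [ -z "$bad_owner$bad_mode" ]
}
```

Run on a schedule, a non-zero exit status can be recorded in the same audit logs the guidelines require to be backed up.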
Mobile Computing Systems
In such cases where data must be stored locally on a mobile device, as determined by the PI, the following guidelines apply:
- The data must be stored on a single-user portable device in a volume using strong encryption (e.g., AES-256) with a unique decryption passphrase known only to the device's authorized primary user
- Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be protected by a software firewall
- Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must have audit logging enabled and audit logs backed up
- Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be accessed using a login account with a password of no less than 8 characters in length, containing a mixture of upper- and lower-case letters, numbers and symbols, and subject to change no less frequently than annually, or whenever any possibility of password exposure is suspected
- Inbound remote login to any mobile device containing export-controlled data is prohibited by policy
- If data backup is required, the encrypted volume must be backed up intact, with encryption preserved
- In all cases, export-controlled data must be housed on Institute-owned devices
Requirements for Safeguarding DoD Unclassified Controlled Technical Information
There are additional requirements for safeguarding Department of Defense (DoD) unclassified controlled technical information that resides on or transits through UC's information technology systems.
Please contact the Export Controls office for guidance if you plan to receive DoD Unclassified Technical Information on behalf of UC.
(All information adapted with permission from CalTech Information Management Systems & Services)
The goal of your security measures is to be able to answer the following questions in the affirmative:
- Can you trace with precision who is working on the project?
- How do you know with whom they can share the work? How do you track/ensure this?
- Do you have appropriate physical and electronic precautions in place to prevent unauthorized access?
- Do you have the appropriate physical and electronic precautions in place to restrict access to project data to only authorized individuals?
Contact Us
Mailing Address:
University Hall, Suite 560D
51 Goodman Drive
PO Box 210567
Cincinnati, OH 45221-0567
Tara Wood
Director, Export Controls
Exportco@uc.edu
Sr. Export Control Specialist
Tina.Bosworth@uc.edu
513-558-1128