Export Control

How can University personnel safeguard research while traveling abroad?

The research that occurs at the University of Arizona is innovative and often of high value, and it needs protecting even if it is not subject to export control restrictions. Take steps to protect your information and your access to university systems, and report any concerns or peculiarities that emerge to your department administration. Steps to secure your research include:
  • limiting what you take abroad;
  • keeping information in your possession or locked in a secure location;
  • using a “clean” laptop – with minimal information;
  • using the university VPN if you need to access data;
  • encrypting your device; and
  • screening collaborators in advance.

Do export control regulations impact international shipments and purchases?

Yes. See the following link for detailed guidance on purchases and shipping. Depending on the item, export control laws and regulations may require security protocols (such as a TCP) to be in place before the item arrives on campus or is released for use. Items intended to be shipped outside the U.S. must be evaluated and coordinated by Export Control. If a license to export the item is required, Export Control will apply for such government authorizations. A customs broker may need to be involved in international shipments and purchases.

What if the 252.204-7000 and/or the 252.204-7012 clauses are in the contract but we think our work is fundamental in nature?

If both the 7000 and 7012 clauses are in an agreement, we can go back to the prime contracting officer and ask if the University of Arizona’s portion of the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work is fundamental, it nullifies the CUI clauses.

How do we identify CUI? 

The University of Arizona’s Export Control team works closely with the Contracting Office to identify contracts with NIST requirements or clauses with publication restrictions (e.g., DFARS 252.204-7012 and 252.204-7000). Export Control is also alerted when there are similar safeguard or restriction clauses in contracts that are not sponsored by the Department of Defense (NASA contracts often have similar clauses).

An export control checklist is used in the evaluation process. The three-part checklist must be completed by the PI, Contracting Office, and Export Control. The checklist highlights DFARS clauses in addition to potential export control red flags.

What is the DFARS 252.204-7000 clause? 

This clause, Disclosure of Information, restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the results produced during the performance of the project involve no covered defense information and have been determined by the Prime Contracting Officer to be fundamental research.

What is the DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident clause?

This clause requires the university to implement security measures as outlined in NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS 252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.

What is the National Institute of Standards and Technology (NIST)? 

NIST 800-171 Rev. 2: The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in NIST 800-171; this document is a summary and not an exhaustive list. See NIST 800-171 for complete details.

What is Controlled Unclassified Information (CUI)? 

Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.

What is the Export Control Liaison program?

Export Control works closely with various liaisons across campus. Export Control established a liaison toolkit (checklists, forms, and procedures to determine if export control concerns exist). Examples of “red flags” include publication restrictions, foreign person restrictions, and projects related to military and space. Liaisons enable the University to be proactive in identifying and resolving issues. If you are interested in becoming a liaison, contact Export Control.