What is the DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident clause?

This clause requires the university to implement security measures as outlined in NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS 252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.

What is the National Institute of Standards and Technology (NIST)? 

NIST 800-171 Rev. 2: The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in NIST 800-171; this document is a summary and not an exhaustive list.

What is Controlled Unclassified Information (CUI)? 

Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.

What is the Export Control Liaison program?

Export Control works closely with various Liaisons across campus. Export Control established a liaison toolkit (checklists, forms, and procedures to determine if export control concerns exist). Examples of “red flags” include publication restrictions, foreign person restrictions, and projects related to military and space. Liaisons enable the University to be proactive in identifying/resolving issues.

What are the potential penalties for not following export control regulations?

Penalties for export control violations are substantial, including significant fines, debarment from participation in federal contracting, loss of export privileges, and in some cases imprisonment.

In addition to these severe penalties, the potential reputational damage to an institution from violation of these laws could be difficult to repair, possibly resulting in lost opportunities for attracting world-class researchers and/or decreased access to research funding.

What is the DOE foreign person access requirement?

A recent regulatory change was made to DOE Order 142.3A (December 13, 2019). The clause may be in DOE agreements awarded after December 2019 as well as older DOE agreements that are being amended by DOE to include this revision. The revised 142.3A requires prior approval of Foreign Nationals working on DOE projects (including U.S. Permanent Residents). Contact Export Control for assistance with navigating this process.