Export Control

• limiting what you take abroad;
• keeping information in your possession or locked in a secure location;

Yes. See the following link for detailed guidance on purchases and shipping. Depending on the item, export control laws and regulations may require security protocols (such as a TCP) to be in place before the item arrives on campus or is released for use. Items intended to be shipped outside the U.S. must be evaluated and coordinated by Export Control. If a license to export the item is required, Export Control will apply for such government authorizations.

Once a project is determined to be CUI it is managed under a security plan. The University of Arizona Export Control office worked closely with the IT-CUI team to develop “The Plan,” a joint Technology Control Plan and System Security Plan. This plan outlines the security measures researchers and staff must follow in order to protect the CUI data.

If both the 7000 and 7012 clauses are in an agreement we can go back to the prime contracting officer and ask if the University of Arizona’s portion on the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work in fundamental it nullifies the CUI clauses.

The University of Arizona’s Export Control team works closely with the Contracting Office to identify contracts with NIST requirements or clauses with publication restrictions (e.g., DFARS 252.204-7012 and 252.204-7000). Export Control is also alerted when there are similar safeguards/restriction clauses in contracts that are not sponsored by Department of Defense (NASA contracts often have similar clauses). 

Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the results during the performance of the project involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.

This clause requires the university to implement security measures as outlined in the NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS  252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.

NIST 800-171 Rev. 2:  The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in the NIST; this document is summary in nature and not an exhaustive list.

Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.

Export Control works closely with various Liaisons across campus. Export Control established a liaison toolkit (checklists, forms, and procedures to determine if export control concerns exist). Examples of “red flags” include publication restrictions, foreign person restrictions, and projects related to military and space. Liaisons enable the University to be proactive in identifying/resolving issues. If you are interested in becoming a liaison contact Export Control.