ITAR / EAR

CUI on HiPerGator-RV Process

Purpose

This document describes the policy and procedures for managing CUI data on HiPerGator. To meet the NIST 800-171 and CMMC 2.0 requirements specified in DFARS and other contractual requirements, users who work with CUI on HiPerGator-RV need to follow the steps outlined below and take additional training.

HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:

https://it.ufl.edu/it-policies/information-security/related-standards-and-documents/data-classification-guidelines/ 

HiPerGator-RV is a secure enclave with a higher level of security controls active. University policy requires that work with data that is classified as CUI (Controlled Unclassified Information) or CDI (Covered Defense Information) needs to be done on HiPerGator-RV.

Policy

The majority of CUI handled at the university is information that is covered by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations).

Each ITAR/EAR project will be authorized by UF Research, with the details spelled out in the TCP (Technology Control Plan). The TCP lists the resources the project will use, which include HiPerGator-RV and possibly other equipment in labs. It will also list all participants, who will be required to sign the TCP, indicating that they are aware of the requirements for training and safeguarding data during the lifetime of the project.

Other projects may require compliance with CUI safeguarding and as such will have to work inside HiPerGator-RV.

Procedure

When an activity falls within the scope of this policy, the researcher shall work with the relevant support staff to accomplish the following tasks.

Project registration

A project is registered by UF Research, which will create a TCP for the project as required.

A data management plan that is part of the TCP will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.

Participant registration and agreement

The members of the project group will then sign the TCP, which specifies that:

  • They understand their role in the project,
  • All participants will take the following training in myTraining:
    • “Export Controls: The Basics” (UF_RSH613_OLT)
    • “Export Controls: UF Project Personnel” (UF_RSH633_OLT)
  • The project administrators will also take:
    • “Export Controls: UF Administrators” (UF_RSH623_OLT)
  • They will take HiPerGator-RV training.

See Export Control Training for more details.

When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for CUI/ITAR/EAR violations will be followed as described in the training.

Special Precautions

If there are special precautions that apply to this project and are called out in the TCP, then such actions or requirements will be added to the agreement documented in Archer and become part of regular review, vulnerability scanning, and/or risk assessments, depending on the level of risk assessed for the set of special precautions.


Project Owner/Data Manager Responsibilities

UFIT Research Computing, as the operator of the HiPerGator services, is responsible for the vast majority of the security and compliance controls. Compliance and security are nevertheless a shared responsibility, and some responsibilities, with accountability, fall on the Principal Investigator (PI) or the designated data manager of the approved project involving restricted data, and on the authorized members of the project team.

The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:

  • All persistent storage within mobile computing devices will be encrypted:
    (https://policy.ufl.edu/policy/mobile-computing-and-storage-devices-policy/)
  • Screen lock after 15 minutes of inactivity
  • Use devices in locations where shoulder surfing is not possible
  • If transferring files via Globus, it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.

The PI is responsible for providing instructions to authorized users when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their restricted data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.

Each approved restricted data project will designate a data manager, whose responsibilities are listed below:

  • Record and maintain the Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
    • The list of authorized participants is maintained in the IRB record for projects involving PHI research, the UFHealth risk assessment record for projects involving operational work with PHI, the technology control plan (TCP) for ITAR/EAR project work, and the UFIT risk assessment system for FERPA projects. This requirement can be satisfied by pulling that information from the IRB, TCP, or relevant risk assessment database.
  • Keep a record of when users complete training and ensure that training is renewed annually. Provide a report of this list to UFIT Research Computing quarterly. Training examples include:
    • HIPAA training (PHI)
    • FERPA training (FERPA)
    • Export control training (Export controlled data)
    • Protecting UF: Information Security Training
  • Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the restricted data project can be removed.
  • If the restricted data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.

Restricted Data Project Retirement and Removal

All restricted data projects on HiPerGator are required to have a data management plan filed with the security assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all restricted data projects will have the following retirement conditions:

  • Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator ecosystem. This includes, but is not limited to, all restricted data.
  • Once removed, the data manager will contact HiPerGator support and open a request to have the top-level project folders removed.
  • The UFIT Research Computing staff will then remove all designated project folders and record the project closure date in the support request and any appropriate internal systems.

Abandoned Restricted Data Projects

If the storage investments for a specific restricted data project expire and are not replaced, then the restricted data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. If a PI would like to renew their investments, the renewal should be made within 60 days of the previous expiration date. Once a project has been abandoned for more than 60 days, UFIT Research Computing reserves the right to remove all data from the project folders to maintain the security of the data on HiPerGator systems.