CUI on HiPerGator-RV Process
This document describes the policy and procedures for managing CUI data on HiPerGator. To meet the NIST 800-171 and CMMC 2.0 specified in DFARS and other contractual requirements, the users who work with CUI on HiPerGator-RV need to follow the steps outlined below and take extra training.
HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:
HiPerGator-RV is a secure enclave with a higher level of security controls active. University policy requires that work with data that is classified as CUI (Controlled Unclassified Information), CDI (Covered Defense Information).
The majority of CUI handled at the university is information that is covered by ITAR (International Trade of Arms Regulation) and EAR (Export Control Information).
Each ITAR/EAR project will be authorized by UF Research with the details spelled out in the TCP (Technical Control Program). The TCP lists the resources the project will use, which includes HiPerGator-RV and possibly other equipment in labs. It will also list all participants, who will be required to sign the TCP, indicating that they are aware of the requirements for training and safeguarding data during the lifetime of the project.
Other projects may require compliance with CUI safeguarding and as such will have to work inside HiPerGator-RV.
When an activity that falls in the scope of this policy, the researcher shall work with various support staff to accomplish the following tasks.
A project is registered by UF Research, which will create a TCP for the project as required.
A data management plan that is part of the TCP will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.
Participant registration and agreement
The members of the project group will then sign the TCP which specifies
- They understand their role in the project,
- All participants will take the following training in myTraining
- “Export Controls: The Basics” (UF_RSH613_OLT)
- “Export Controls: UF Project Personnel” (UF_RSH633_OLT)
- The project administrators will also take
- “Export Controls: UF Administrators” (UF_RSH623_OLT)
- They will take HiPerGator-RV training.
See Export Control Training for more details.
When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for CUI/ITAR/EAR violations will be followed as described in the training.
Project owner and data manager responsibilities
UFIT Research Computing as operator of the HiPerGator services is responsible for the vast majority of the security and compliance controls, but compliance and security are a shared responsibility and some responsibilities, with accountability, fall on the principal investigator (PI) or the designated data manager of the approved project and the members of the project team.
The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards
- Encrypted laptops
- Screen lock after 15 minutes of inactivity
- Use devices in locations where shoulder surfing is not possible
The responsibility includes that the PI will provide instructions to users for when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their projects from their endpoints while in public locations like airports, libraries, and venues like Starbucks.
Each approved PHI project will designate a data manager, whose responsibility includes
- Record and maintain the signed form (paper or electronic) signed by each user after training. Provide a report to UFIT Research Computing quarterly of this list.
- The list of authorized participants is maintained in the TCP maintained by the Office of Research. This requirement can be satisfied by pulling that information from the TCP.
- Keep a record of when users complete training and ensure that training is renewed annually. Provide a report to UFIT Research Computing quarterly of this list.
- Verify and review authorized accounts regularly, at least once per month, and notify RC staff immediately when users leave the project, change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the project can be removed within one business day.
If there are special precautions that apply to this project and are called out in the TCP, then such actions or requirements will be added to the agreement documented in Archer and become part of regular review, vulnerability scanning, and/or risk assessments, depending on the level of risk assessed for the set of special precautions.