ITAR / EAR

CUI on HiPerGator-RV Process

Purpose

This document describes the policy and procedures for managing CUI data on HiPerGator. To meet the NIST SP 800-171 and CMMC 2.0 requirements specified in DFARS and other contractual requirements, users who work with CUI on HiPerGator-RV need to follow the steps outlined below and take extra training.

HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:

https://it.ufl.edu/it-policies/information-security/related-standards-and-documents/data-classification-guidelines/ 

HiPerGator-RV is a secure enclave with a higher level of security controls active. University policy requires that work with data classified as CUI (Controlled Unclassified Information) or CDI (Covered Defense Information) be done on HiPerGator-RV.

Policy

The majority of CUI handled at the university is information that is covered by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations).

Each ITAR/EAR project will be authorized by UF Research with the details spelled out in the TCP (Technical Control Program). The TCP lists the resources the project will use, which includes HiPerGator-RV and possibly other equipment in labs. It will also list all participants, who will be required to sign the TCP, indicating that they are aware of the requirements for training and safeguarding data during the lifetime of the project.

Other projects may require compliance with CUI safeguarding and as such will have to work inside HiPerGator-RV.

Procedure

When an activity falls within the scope of this policy, the researcher shall work with the relevant support staff to accomplish the following tasks.

Project registration

A project is registered by UF Research, which will create a TCP for the project as required.

A data management plan that is part of the TCP will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.

Participant registration and agreement

The members of the project group will then sign the TCP, which specifies that:

  • They understand their role in the project,
  • All participants will take the following training in myTraining:
    • “Export Controls: The Basics” (UF_RSH613_OLT)
    • “Export Controls: UF Project Personnel” (UF_RSH633_OLT)
  • The project administrators will also take:
    • “Export Controls: UF Administrators” (UF_RSH623_OLT)
  • They will take HiPerGator-RV training.

See Export Control Training for more details.

When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for CUI/ITAR/EAR violations will be followed as described in the training.

Project owner and data manager responsibilities

UFIT Research Computing, as operator of the HiPerGator services, is responsible for the vast majority of the security and compliance controls. Compliance and security are nevertheless a shared responsibility, and some responsibilities, with accountability, fall on the principal investigator (PI) or the designated data manager of the approved project and on the members of the project team.

The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:

  • Encrypted laptops
  • Screen lock after 15 minutes of inactivity
  • Use devices in locations where shoulder surfing is not possible

This responsibility includes the PI providing instructions to users who telework from approved locations to ensure that these procedures are followed. Users will also be instructed not to access the HiPerGator system and their projects from their endpoints while in public locations like airports, libraries, and venues like Starbucks.

Each approved CUI project will designate a data manager, whose responsibilities include:

  • Recording and maintaining the form (paper or electronic) signed by each user after training, and providing a quarterly report of this list to UFIT Research Computing.
    • The list of authorized participants is maintained in the TCP held by the Office of Research. This requirement can be satisfied by pulling that information from the TCP.
  • Keeping a record of when users complete training, ensuring that training is renewed annually, and providing a quarterly report of this list to UFIT Research Computing.
  • Verifying and reviewing authorized accounts regularly, at least once per month, and notifying UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university), so that access to the project can be removed within one business day.

Special Precautions

If there are special precautions that apply to this project and are called out in the TCP, then such actions or requirements will be added to the agreement documented in Archer and become part of regular review, vulnerability scanning, and/or risk assessments, depending on the level of risk assessed for the set of special precautions.


Restricted Data Project Retirement and Removal

All restricted data projects on HiPerGator are required to have a data management plan filed with the security assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all restricted data projects will have the following retirement conditions:

  • Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator ecosystem. This includes, but is not limited to, all restricted data.
  • Once removed, the data manager will contact HiPerGator support and open a request to have the top-level project folders removed.
  • The UFIT Research Computing staff will then remove all designated project folders and record the project closure date in the support request and any appropriate internal systems.

Abandoned Restricted Data Projects

If the storage investments for a specific restricted data project expire and are not replaced, the restricted data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. If a PI would like to renew their investments, the renewal should be made within 60 days of the previous expiration date. Once a project has been abandoned for more than 60 days, UFIT Research Computing reserves the right to remove all data from the project folders to maintain the security of the data on HiPerGator systems.