
Safeguarding Export Controlled Data

The following guidelines are drawn from new draft regulations proposed by the Department of Defense, mandating "enhanced safeguarding" measures for certain types of data.

Export-controlled information housed at Caltech must be managed in accordance with these guidelines. Export-controlled information that is to be shared among more than one person must be housed on an IMSS-run server designated for this purpose. Any exceptions must be explicitly approved by the Director of Information Security, the Director of Export Compliance, and the Vice Provost for Research.

 

Guidelines

Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information.

Access controls:

* Do not access Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control.

* Do not post Controlled Information on public websites or on websites that rely solely on IP addresses for access control. Instead, secure access using individually assigned accounts that require a username/password, user certificates, or other user-specific authentication methods.

* Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.


System management:

* Use regularly updated malware protection software.

* Keep computers hosting Controlled Information up to date on security patches and updates.

* All Controlled Information must be encrypted if stored on mobile computing devices such as laptops and PDAs, or on removable media such as thumb drives or CDs/DVDs. See the additional notes below.

* Wipe electronic media in accordance with NIST SP 800-88, Guidelines for Media Sanitization.


Transmission of Data:

* Do not transmit or email Controlled Information unencrypted. If an encrypted transmission channel is not available, the data itself must be individually encrypted, using at least application-provided mechanisms such as the password-based encryption in Microsoft Office 2007 and above.

* Transmit Controlled Information via voice or fax only where there is reasonable assurance that access is limited to authorized persons.

* Wireless network access to Controlled Information must be encrypted using, e.g., WPA2 Enterprise wireless network encryption (Caltech Beavernet) or VPN.

* Provide monitoring and control over inbound and outbound network traffic, including blocking unauthorized ingress and egress.

* Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services.

* Transfer Controlled Information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements. Include these data protection requirements (including this flow-down requirement) in all subcontracts under which controlled data will be accessed or generated.


Mobile computing devices

Where data must be stored locally on a mobile device, as determined by the PI, the following guidelines apply:

* The data must be stored on a single-user portable device, in a volume using strong encryption (e.g., AES-256) with a unique decryption passphrase known only to the device's authorized primary user.

* Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be protected by a software firewall.

* Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must have audit logging enabled and its audit logs backed up.

* Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be accessed using a login account with a password of no less than 8 characters containing a mixture of upper- and lower-case letters, numbers, and symbols. The password must be changed no less frequently than annually, or whenever any possibility of password exposure is suspected.

* Inbound remote login to any mobile device containing export-controlled data is prohibited by policy.

* If data backup is required, the encrypted volume must be backed up intact, with encryption preserved.
 

Goal

The goal of your security measures is to be able to answer the following questions in the affirmative:

  • Can you trace with precision who is working on the project?
  • How do you know with whom they can share the work? How do you track and ensure this?
  • Do you have appropriate physical and electronic precautions in place:

    • To prevent unauthorized access?
    • To restrict access to project data only to authorized individuals?

 

Notes:

See "Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008-D028)," 75 Federal Register 41 (3 March 2010), pp. 9563-9568.

The new regulations pertain to any Department of Defense information identified as one of the following:

  • Subject to ITAR and Export Administration Regulations.
  • Critical Program Information (Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense).
  • Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program.
  • Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).
  • Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.
  • Personally identifiable information protected under existing federal law (e.g., HIPAA).

Updated 2/09/2011