Safeguarding Export Controlled Data

The following guidelines are drawn from regulations issued by the Department of Defense, mandating "enhanced safeguarding" measures for certain types of data. Note that breaches of systems containing Unclassified Controlled Technical Information must be reported to the Department of Defense within 72 hours of discovery.

Export-controlled information housed at Caltech must be managed in accordance with these guidelines.  Export-controlled information that is received by or brought to Caltech must be housed on an IMSS-run server designated for this purpose.  Any exceptions must be explicitly approved by the Chief Information Security Officer, the Director of Export Compliance, and the Vice Provost for Research

Guidelines

Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information.

Access controls

  • Do not access Controlled Information from shared, public computers such as kiosk computers in libraries, hotels, and business centers, or from computers that have no local access control.
  • Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control.  Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
  • Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.

System management

  • Use regularly-updated malware protection software
  • Keep computers hosting Controlled Information up to date on security patches and updates.
  • All Controlled Information must be encrypted if stored on mobile computing devices such as laptops, PDA's and removable media such as thumb drives or CD/DVD.  See additional notes below.
  • Wipe electronic media in accordance with NIST 800–88, Guidelines for Media Sanitization

Transmission of Data

  • Do not transmit or email Controlled Information unencrypted.  If encryption is not available, data must be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above.
  • Transmit Controlled Information via voice or fax only where there is reasonable assurance that access is limited to authorized persons.
  • Wireless network access to Controlled Information must be encrypted using, e.g., WPA2 Enterprise wireless network encryption (Caltech Beavernet) or VPN.
  • Provide monitoring and control over inbound and outbound network traffic. Include blocking unauthorized ingress and egress.
  • Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services.
  • Transfer controlled information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements. Include these data protection requirements, including this requirement, in all subcontracts if access to or generation of controlled data will take place.

Shared Systems

In such cases where the Controlled Information is a software executable that will be run on a shared (multi-user) system such as a compute cluster, the following additional guidelines apply:

  • The directories containing the software shall be access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions.
  • The shared system shall have audit logging enabled, and the audit logs shall be backed up.
  • The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons
  • Only U.S. Persons shall have unescorted physical access to the shared system.

Mobile computing devices

In such cases where data must be stored locally on a mobile device, as determined by the PI, the following guidelines apply:

  • The data must be stored on a single-user portable device in a volume using strong encryption (e.g., AES-256) with a unique decryption passphrase known only to the device's authorized primary user. 
  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be protected by a software firewall. 
  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must have audit logging enabled and audit logs backed up.  
  • Where feasible (e.g., if the mobile device is a laptop computer), the mobile device must be accessed using a login account with a password of no less than 8 characters in length, a mixture of upper -and lower-case letters, numbers and symbols, subject to change no less frequently than annually, or when any possibility of password exposure is suspected. 
  • Inbound remote login to any mobile device containing export-controlled data is prohibited by policy.
  • If data backup is required, the encrypted volume must be backed up intact, with encryption preserved. 

 

Requirements for Safeguarding DoD Unclassified Controlled Technical Information

There are additional requirements for safeguarding Department of Defense (DoD) unclassified controlled technical information that resides on or transits through Caltech’s information technology systems. Please contact the Caltech Export Compliance (CEC) Office for guidance on this if you plan to receive DoD Unclassified Technical Information on behalf of Caltech.

 

Goal

The GOAL of your security measures is to be able to answer the following questions in the affirmative:

  • Can you trace with precision who is working on the project?
  • How do you know with whom they can share the work?  How do you track/ensure this?
  • Do you have appropriate physical and electronic precautions in place
    • To prevent unauthorized access?
    • To restrict access to project data only to authorized individuals?

References

  1.  "Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information  (DFARS Case 2008–D028)," 75 Federal Register 41 (3 March 2010), pp. 9563-9568.
  2.  "Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011–D039),'"78 Federal Register 222 (November 18, 2013), pp. 69273-69282.

The new regulations pertain to any Department of Defense information identified as one of the following:

  • Subject to ITAR and Export Administration Regulations.
  • Critical Program Information (Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense).
  • Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program.
  • Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).
  • Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.
  • Personally identifiable information protected under existing federal law (e.g., HIPAA).

Institute Policy on Compliance with Export Laws & Regulations