Security Plans
Allison Koss
University researchers working with export controlled technical data shall have controls in place to protect data, technology, and/or materials and the systems/devices that store, transmit and process this data BEFORE any such work may be initiated. Technical data is defined under the ITAR at 22 CFR § 120.33, and CCL controlled technology is defined under the relevant ECCNs. For projects that require the use of technical data, Technology Control Plans (TCPs) outline various security controls for personnel, computer systems, technology, materials, data, and data transmission. Before researchers are authorized to begin such a project, the TCP must be approved by ORC, be operational, and all personnel working on the project must complete export compliance training. All personnel assigned to work on the project must be briefed on the controls under the TCP, and they must sign the TCP to signify their agreement before any work is initiated or controlled materials are accepted. TCPs are customized for each activity and are based on the risks particular to the data, technology, and/or materials that require protection.
Physical Controls
Physical controls are required for all export-controlled activities or materials controlled by the ITAR, EAR, or other regulations to protect the item/technology from unauthorized access. Controls are implemented via the development of a TCP, which may condition approval on implementing specific requirements. These may include specific hardware to secure areas, electronic key card access, signage to limit access, security badges, locked cabinets, etc. In addition, systems that store and process technical data must be located in a physically secure location (e.g., managed data center, locked office space). Specific terms for transmission of data are included in the TCP. Physical access to any room where export-controlled activities take place is subject to monitoring and periodic review of access logs to ensure only authorized persons are entering the area.
Technical Data Controls
The technical data for the export-controlled project shall be protected during storage, processing, and transmission. These controls apply to:
- the original technical data received from governmental agencies or other research sponsors or collaborators,
- copies made of the technical data,
- new technical data derived from the original technical data, and
- any new technical data generated for the project.
Controlled technical data should only be transmitted and stored using approved encryption/security. If there are contract clauses which dictate IT security standards (such as DFARS clause 252.204-7012), UMass Amherst IT Security staff should be involved in the establishment of the TCP to ensure these standards are met. No controlled information should ever be transmitted via unencrypted e-mail.
The following guidance shall be followed for all Technical Data usage and transmission:
- Servers and devices storing technical data shall be under the administrative control of the University and reside on the University network.
- Technical data stored on servers shall be encrypted using industry standard file and folder encryption when appropriate.
- Full-disk encryption shall be used for technical data stored on any electronic devices - laptops, desktops, portable/removable storage.
- Principal Investigators (PIs) are advised that technical data is not permitted on mobile devices (e.g., tablets, smart phones).
- PIs are also advised that the use of unencrypted email is prohibited for transmission of any export-controlled data.
- Electronic and physical media storing technical data shall be disposed of securely when no longer needed (e.g., cross-cut shredding paper documents, degaussing, securely wiping, or physically destroying magnetic and flash media) or returned to the sponsor in a secure manner.
- When data security controls are required by a specific contract clause (e.g., DFARS 252.204-7012), the controls specified under such a clause must be followed.
Information Security Controls
Computer systems storing, processing and transmitting the technical data shall be compliant with the University Information Security Policy (BoT Doc. T10-089), as well as any other controls imposed by contract clauses or other requirements. Controls are evaluated and implemented on a case-by-case basis by ORC and UMass Amherst IT Security personnel (as appropriate). The controls shall include, but are not limited to, the following:
Identification of Systems
- An inventory of computer systems that store, access, and/or process controlled technical data must be maintained.
- Systems not identified for the export-controlled project are prohibited from accessing the export-controlled systems and data. These include mobile devices (smartphones, tablets), personal laptops, unsecured servers, and other unmanaged computer systems.
Network Security Controls
Separate from any controls mandated by contract clauses or other requirements, any systems connected to the network and possibly handling controlled data shall have some or all of the following network security controls implemented, dependent upon the nature of the project:
- Connect only to the University wired network or the University secure wireless network (i.e., eduroam, and only at UMass Amherst). If connecting to a wireless network, the 802.1X protocol must be used.
- A host-based firewall shall be configured to block all connections to the system other than the specific connections needed to perform the approved research.
- Periodic network-based vulnerability scans and network penetration tests shall be performed at least annually by UMass Amherst IT Security.
- Authorized users, as identified in the TCP, must be on the campus central authentication systems using campus-issued user IDs to log in to the secure systems. (See Office of Information Technology (OIT) Acceptable Use of Information Resources Policy.)
- Each user shall have an individual login ID. Shared login IDs are prohibited.
- Default system and user/guest accounts shall be disabled on the systems.
- Passwords must meet the documented University password complexity criteria.
- Administrative access shall only be granted to U.S. citizens and permanent residents with a business need for elevated privileges.
- Users shall log in with restricted rights. Administrative rights will be revised as necessary on a case-by-case basis when certain restrictions apply.
- Systems shall be configured with a login inactivity timeout (e.g., 10 minutes) and with an account lockout mechanism that locks the account after more than 5 failed login attempts in a 15-minute period.
- Administrative access and functions on the servers or applications that access confidential information must be logged. The logs should include the identity of the user, the date/time, and the operations performed.
- Systems and application logs shall be retained for 90 days.
- Anti-virus software with centralized management shall be installed on all systems (Windows and Macintosh).
- The anti-virus software shall be configured to update daily, to scan files “On Access” and when removable media is inserted, and to run a scheduled scan of fixed disks at least weekly.
- Systems shall be running a supported version of their respective operating system.
- Operating system and application patches must be installed in a timely manner, with critical patches installed within 48 hours of their release.
- Discovered vulnerabilities shall be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours of notification.
- System backup media shall be stored in physically secure and locked facilities.
- Login accounts shall be removed or disabled once they are no longer needed (e.g., when a user leaves the project).
- System time shall be synced with accurate Network Time Protocol clock sources.
- Network and system services and processes that are not required for the specific research shall be shut down and disabled.
- Administrative access to the systems shall only be granted to administrators who are not foreign persons under the ITAR at 22 CFR 120.16.
Monitoring
System and access logs shall be routinely monitored for unauthorized users or unauthorized access to technical data by UMass Amherst IT Security or the Systems Administrator. In certain situations, computers involved in export-controlled projects may be disconnected from the network. This is determined on a case-by-case basis and outlined in the TCP. Systems not on the network will not be monitored, but will be evaluated by ORC and UMass Amherst IT personnel during the required periodic audit of the TCP.
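The monitoring described above, together with the lockout threshold (more than 5 failed logins in a 15-minute period) and the logging requirement (user identity, date/time, operation) from the controls list, can be expressed as a small log review. The following Python script is an added example, not code from the policy or from UMass Amherst IT: it assumes a simple "timestamp user EVENT detail" log format and a constructed TCP roster mapping each authorized user ID to its role, and it flags activity by accounts not on the roster, administrative operations by non-administrators, and failure bursts that should have triggered the lockout. The sample log lines are constructed for the example.

```python
"""Review access logs from an export-controlled system against a TCP roster.

Added example (not part of the policy page). Assumptions: each log line is
"ISO-timestamp user EVENT detail", and the roster maps authorized user IDs
to the role granted in the TCP. A real host needs a parser for its own
auth log format.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds taken from the policy text: lock after MORE than 5 failures
# within a 15-minute period.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)

# Constructed TCP roster (assumption): user ID -> role granted in the TCP.
ROSTER = {"alice": "user", "carol": "admin"}

# Constructed sample log (assumption). "bob" is not on the roster; "mallory"
# fails six times in four minutes; "alice" fails six times spread over two
# hours, which never exceeds the threshold inside any 15-minute window.
SAMPLE_LOG = """
2024-03-04T09:00:01 alice LOGIN_OK ssh
2024-03-04T09:05:12 alice READ /srv/tcp-project/drawings/part-17.step
2024-03-04T09:06:00 alice ADMIN systemctl stop firewalld
2024-03-04T09:10:44 mallory LOGIN_FAIL ssh
2024-03-04T09:11:02 mallory LOGIN_FAIL ssh
2024-03-04T09:11:30 mallory LOGIN_FAIL ssh
2024-03-04T09:12:05 mallory LOGIN_FAIL ssh
2024-03-04T09:13:48 mallory LOGIN_FAIL ssh
2024-03-04T09:14:10 mallory LOGIN_FAIL ssh
2024-03-04T09:30:00 bob LOGIN_OK ssh
2024-03-04T09:31:15 bob READ /srv/tcp-project/drawings/part-17.step
2024-03-04T10:00:00 carol LOGIN_OK console
2024-03-04T10:02:30 carol ADMIN useradd dave
2024-03-04T11:00:00 alice LOGIN_FAIL ssh
2024-03-04T11:20:00 alice LOGIN_FAIL ssh
2024-03-04T11:40:00 alice LOGIN_FAIL ssh
2024-03-04T12:00:00 alice LOGIN_FAIL ssh
2024-03-04T12:20:00 alice LOGIN_FAIL ssh
2024-03-04T12:40:00 alice LOGIN_FAIL ssh
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str    # LOGIN_OK, LOGIN_FAIL, READ or ADMIN in the constructed format
    detail: str


def parse_log(text):
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, detail = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, kind, detail))
    return events


def unauthorized_activity(events, roster=ROSTER):
    """Successful logins and operations by accounts not listed in the TCP."""
    return [e for e in events if e.kind != "LOGIN_FAIL" and e.user not in roster]


def admin_by_non_admins(events, roster=ROSTER):
    """Administrative operations by users whose TCP role is not 'admin'."""
    return [e for e in events if e.kind == "ADMIN" and roster.get(e.user) != "admin"]


def lockout_breaches(events, max_failures=MAX_FAILURES, window=FAILURE_WINDOW):
    """Return {user: time of the failure that exceeded max_failures inside window}.

    A sliding window per user keeps only failures within `window` of the
    newest one, so widely spaced failures do not accumulate.
    """
    recent = {}
    breached = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "LOGIN_FAIL":
            continue
        q = recent.setdefault(e.user, deque())
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > max_failures and e.user not in breached:
            breached[e.user] = e.ts
    return breached


def review(log_text, roster=ROSTER):
    """Run all three checks and return plain, comparable findings."""
    events = parse_log(log_text)
    as_tuple = lambda e: (e.ts.isoformat(), e.user, e.kind, e.detail)
    return {
        "unauthorized": [as_tuple(e) for e in unauthorized_activity(events, roster)],
        "admin_by_non_admin": [as_tuple(e) for e in admin_by_non_admins(events, roster)],
        "lockout": {u: t.isoformat() for u, t in lockout_breaches(events).items()},
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name, findings)
```

Each finding carries the user, timestamp and operation, which is the minimum the policy requires the logs themselves to contain; a run that reports an account missing from the roster or a lockout that never happened is exactly the kind of event the PI and ORC must be told about immediately.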
Citizenship Verification
Status as a “U.S. person” under the export regulations is one of many qualifications that must be met by persons proposing to participate in export-controlled projects, because foreign persons are prohibited from accessing materials, systems, and/or technical data (unless expressly authorized under a lawful exemption or valid license). All persons who may be assigned to work on an export-controlled project must provide proof of status as an authorized “U.S. person”, as defined under the applicable export regulations, or authorized under another category, and be screened by ORC and listed in the TCP. All persons assigned to a controlled project are required to sign a non-disclosure agreement confirming they will not export any controlled data, technology, materials, or information to any unauthorized person.
Reporting Concerns and Possible Nonfeasance
The Principal Investigator (PI) is the person with primary responsibility for the lawful conduct of an export-controlled project. Any violations of these controls, and/or unauthorized access to technical data, must be reported immediately to the Principal Investigator and ORC.
Roles and Responsibilities
Office of Information Technology Information Security Office
- Provide applicable security software, including, but not limited to, anti-virus software.
- Perform routine network-based vulnerability scans and network penetration tests as may be necessary.
- Provide assistance with research and evaluation of encryption solutions.
- Assure that the project controls adhere to any applicable IT security-related contract clauses or other sponsor-imposed controls.
- Assist with response to any data security incidents involving systems storing export-controlled technology and/or data.
Researchers & IT Support Staff
Researchers (including technicians and administrators) working with export controlled technologies and technical data, as well as the IT professionals supporting these projects, are responsible for complying with export regulations, terms of the TCP, and the security controls outlined above.
Office of Research Compliance (ORC)
ORC personnel oversee implementation of the TCP and evaluate and audit the TCP periodically (at a minimum, annually). Any reports of security incidents or other problems should be reported to ORC immediately for evaluation and assessment.