Technology Control Plan

The Office of Export and Secure Research Compliance (OESRC) supports Virginia Tech's commitment to complying with U.S. laws and regulations applicable to export and trade sanctions. OESRC works with the Office of Sponsored Programs (OSP) and other University departments to ensure compliance with regulations promulgated by the regulatory agencies, including but not limited to the Department of State, Department of Commerce, and the Department of the Treasury. If an export assessment determines that an activity is subject to these regulations, OESRC will assist the affected party in setting up security measures and protocols needed to ensure compliance with export and sanction regulations through the establishment of a Technology Control Plan (TCP) or other certification document.

The Technology Control Plan details the export control classification, restrictions on release of information, physical and information security protocols, and the screening, training and acknowledgment requirements for all project personnel. OESRC will monitor project-related activity throughout the life of the TCP, and the Principal Investigator or TCP Custodian will be required to disposition all controlled items before close-out of the TCP.

If you are a signatory to a TCP, you may view documents, information, and training/acknowledgement status of personnel on the TCP Review website at https://secure.research.vt.edu/tcp_review.

Here are some basic security protocol guidelines for protection of export controlled materials or information:

  • Do not process export controlled information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers, etc.) or computers that do not have access controls.
  • Do not post export controlled information on websites that are publicly available or have access limited only by domain/Internet Protocol restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies after review and approval by OESRC.
  • Do not email or transmit export controlled information unencrypted. Acceptable methods of transmitting encrypted information are the use of software such as PGP Email (email and attachments) or TrueCrypt (files only), or dropping files into a secure file sharing system that has been approved by OESRC and is under the full control of project personnel.
  • Transmit voice and fax of export controlled information only when the sender has a reasonable assurance that access is limited to authorized recipients.
  • “One Lock”. Protect export controlled materials or information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
  • Clear export controlled information from media before external release or disposal in accordance with NIST 800-88, Guidelines for Media Sanitization. http://csrc.nist.gov/publications/PubsSPs.html
  • At a minimum, provide the following protections against computer intrusions and data compromise including exfiltration:
    • Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware
    • Prompt application of security-relevant operating system and application software upgrades, e.g., patches, service packs, and hot fixes.
  • Need to Know. Transfer export controlled information only to personnel that have a need to know and provide at least the same level of security as specified herein.

Additionally, some sponsored research agreements may contractually require enhanced safeguarding of information. The following guidelines are drawn from 252.204-70YY Enhanced Safeguarding of Unclassified DoD Information proposed by the Department of Defense, mandating "enhanced safeguarding" measures for the following types of data:

  • Personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act.

The Contractor shall apply the following safeguarding requirements for DoD information that requires enhanced safeguarding:
The Contractor shall implement information security in its project unclassified information technology system(s). The information security program shall implement, at a minimum, the 59 specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls of this Enhanced Safeguarding clause of this contract, or, if a control is not implemented, the Contractor shall prepare a written determination that explains either how the required security control of this clause is not applicable, or how an alternative control or protective measure is used to achieve equivalent protection. The Contractor shall provide the written determination to the Contracting Officer upon request. A description of the security controls is in NIST SP 800-53 (current version at time of award), “Recommended Security Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/PubsSPs.html).

These are the 59 enhanced security controls for protection of export controlled materials or information:

AC-2 ACCOUNT MANAGEMENT
AC-3 ACCESS ENFORCEMENT
AC-3(4) ACCESS ENFORCEMENT CONTROL ENHANCEMENT
AC-4 INFORMATION FLOW ENFORCEMENT
AC-6 LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
AC-11 SESSION LOCK
AC-11(1) SESSION LOCK CONTROL ENHANCEMENT
AC-17 REMOTE ACCESS
AC-17(2) REMOTE ACCESS CONTROL ENHANCEMENT
AC-18 WIRELESS ACCESS
AC-18(1) WIRELESS ACCESS CONTROL ENHANCEMENT
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AT-2 SECURITY AWARENESS
AU-2 AUDITABLE EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING CONTROL ENHANCEMENT
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-8 TIME STAMPS
AU-9 PROTECTION OF AUDIT INFORMATION
AU-10 NON-REPUDIATION
AU-10(5) NON-REPUDIATION CONTROL ENHANCEMENT
CM-2 BASELINE CONFIGURATION
CM-6 CONFIGURATION SETTINGS
CM-7 LEAST FUNCTIONALITY
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CP-9 INFORMATION SYSTEM BACKUP
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-4 IDENTIFIER MANAGEMENT
IA-5 AUTHENTICATOR MANAGEMENT
IA-5(1) AUTHENTICATOR MANAGEMENT CONTROL ENHANCEMENT
IR-2 INCIDENT RESPONSE TRAINING
IR-4 INCIDENT HANDLING
IR-5 INCIDENT MONITORING
IR-6 INCIDENT REPORTING
MA-4 NON-LOCAL MAINTENANCE
MA-4(6) NON-LOCAL MAINTENANCE CONTROL ENHANCEMENT
MA-5 MAINTENANCE PERSONNEL
MA-6 TIMELY MAINTENANCE
MP-4 MEDIA STORAGE
MP-6 MEDIA SANITIZATION
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-7 VISITOR CONTROL
PM-10 SECURITY AUTHORIZATION PROCESS
SC-2 APPLICATION PARTITIONING
SC-4 INFORMATION IN SHARED RESOURCES
SC-7 BOUNDARY PROTECTION
SC-7(2) BOUNDARY PROTECTION CONTROL ENHANCEMENT
SC-9 TRANSMISSION CONFIDENTIALITY
SC-9(1) TRANSMISSION CONFIDENTIALITY CONTROL ENHANCEMENT
SC-13 USE OF CRYPTOGRAPHY
SC-13(1) USE OF CRYPTOGRAPHY CONTROL ENHANCEMENT
SC-14(4) USE OF CRYPTOGRAPHY CONTROL ENHANCEMENT
SC-15 COLLABORATIVE COMPUTING DEVICES
SC-28 PROTECTION OF INFORMATION AT REST
SI-2 FLAW REMEDIATION
SI-3 MALICIOUS CODE PROTECTION
SI-4 INFORMATION SYSTEM MONITORING

All information systems must be certified by the Department and OESRC to comply with these information security standards.

Important information to be aware of:

  • Each Department will be required to assign a Designated Information Technology Administrator (DITA) who is responsible for working with OESRC and the project personnel to implement and monitor the Technology Control Plan.
  • Cyber incident reporting requirement: The Contractor shall report to DoD (URL to be determined) within 72 hours of discovery of any cyber incident, in accordance with paragraph (f)(2), that affects DoD information resident on or transiting through the Contractor’s unclassified information systems.

(f)(2) Reportable cyber incidents. Reportable cyber incidents include the following:
(i) A cyber incident involving possible data exfiltration or manipulation or other loss or compromise of any DoD information resident on or transiting through its, or its subcontractors’, unclassified information systems.
(ii) Incident activities not included in paragraph (f)(2)(i) or (ii) of this clause that allow unauthorized access to an unclassified information system on which DoD information is resident on or transiting.

  • OESRC will require that every system accessing the Internet have a unique Internet Protocol (IP) address so that it can be monitored on the network. These IP addresses will be subject to enhanced monitoring conducted by the Virginia Tech Information Technology Office.
  • For planning purposes, the Principal Investigator or TCP Custodian should expect to need dedicated computer systems used solely for the DoD contract being performed.