Export Control & Data Security Review Process

Export Compliance & Data Security
Compliance with U.S. export control laws is mandatory
U.S. export laws require protection of export controlled data
Additionally, all DoD awards (and most other Federal awards) require compliance with heightened data security standards for all Controlled Unclassified Information (CUI)
Export controlled information is a sub-category of CUI
Thus, all requirements that apply to a particular award for the protection of CUI will be triggered if the project involves export controlled information (example: DFARS 252.204-7012)
Step 1
PI Completes Award Compliance Form
Once the award comes in and enters the set-up phase within the Division of Sponsored Programs (DSP), the PI will receive a request via UFIRST to complete the award compliance form
PI must complete the award compliance form for all awards (i.e., both grants and contracts)
Depending on the PI’s responses on the compliance form and other risk criteria, UFIRST may automatically send the form to the Division of Research Compliance (DRC) for review
UFIRST Award Compliance Form
Step 2
DRC Review
DRC reviews the award compliance form, scope of work, grant/contract, etc.
Often, DRC will contact the PI to further discuss the scope of work and planned activities
DRC is looking for whether the project involves any export controlled information or equipment
DRC also flags any special data security requirements, such as DFARS 252.204-7012
Step 3
TCP Kick-Off Meeting
If DRC determines that the project involves export controlled information or equipment, DRC will work with the PI to develop a Technology Control Plan (TCP)
TCPs include requirements for physical security and information security of the export controlled data or items
If the award agreement requires heightened data security (i.e., compliance with NIST 800-171), DRC will invite departmental IT and Research Computing to the TCP kick-off meeting
Step 4
Develop Data Security Plan
Departmental IT and Research Computing will work with PI to understand the scope of the project, identify controlled data, and determine best data security approach
Goal is to provide data security that meets the needs of the project and is compliant
DRC will support throughout this process to help identify which data is and is not controlled
Once the data security plan is developed, DRC will include it in the TCP and circulate the TCP for signatures
Step 5
TCP Monitoring
DRC conducts annual reviews of all TCPs
DRC will invite departmental IT and Research Computing to the annual review meetings
Terra DuBois, Director of Research Compliance and Global Support
tdubois@ufl.edu
352-392-9174
http://research.ufl.edu/faculty-and-staff/research-compliance/export-controls.html

Compliance with U.S. export control laws is mandatory for all projects involving export controlled information. The process involves completing award compliance forms, reviews by Division of Research Compliance, and developing Technology Control Plans for data security. Departmental IT and Research Computing play crucial roles in ensuring compliance with data security standards.

  • Export Control
  • Data Security
  • Compliance
  • Technology Control Plan
  • U.S. Laws

Uploaded on Oct 07, 2024

