Last Updated Wednesday, Jan 23 09:55 am 2019

Protected Data

The Office of Research Computing's environment supports the following protected data types with prior written authorization:

  • Export-controlled data (ITAR, EAR, OFAC)
  • Department of Defense data covered by DFARS 252.204-7008 and DFARS 252.204-7012
  • Data that must be protected under NIST Special Publication 800-171

Other forms of protected data might be supported after careful evaluation by the Office of Research Computing. Please open a support ticket with any questions about protected data.

Export-controlled data

The Office of Research Computing specifically complies with the following export-control regulations: ITAR, EAR, OFAC. It is the only campus-level entity that is currently able to work with export-controlled data.

Researchers can work with export-controlled data on their own unless:

  • the data is covered by NIST SP 800-171
  • the data is part of a contract or subcontract with the Department of Defense

If either of the above conditions applies, the researcher must work through the Office of Research Computing.

Every person who has access to export-controlled data MUST be screened in advance by the director of ORCA. Please call or email the director for approval of each person who has access to the data. This is extremely important and must be done for faculty, staff, students, postdocs, research assistants, collaborators, IT staff with access, and any other person who might access the data. Criminal and civil penalties are both possible for non-compliance.

If you have any questions about who can work with export-controlled data, please consult with the director of ORCA. Additionally, you must work with Human Resource Services to make sure that your hiring practices are aligned with employment law and laws regarding export-controls. Ask them "how do I make my hiring practices compliant with export-control restrictions such as ITAR?"

Note that you may be able to hire citizens, lawful permanent residents, people with certain asylum statuses, and potentially others. Full-time university employees have additional exemptions. However, the regulations are complex and you should defer to the director of ORCA for screening of hires.

Employees of the Office of Research Computing are "US Persons" screened for the ability to work with export-controlled data. Note that "US Persons", as defined by the regulations, can include non-citizens who meet certain criteria.

Please work with the Office of Research Computing for any export-controlled data, including vetting of cloud providers for compliance.

Department of Defense: DFARS 252.204-7008 and DFARS 252.204-7012

The Office of Research Computing specifically complies with DFARS 252.204-7008, which requires DFARS 252.204-7012 and NIST SP 800-171.

DFARS 252.204-7008 and -7012 are standard clauses in many Department of Defense contracts and subcontracts that require the protection of Controlled Unclassified Information / Controlled Defense Information (CUI / CDI).

DFARS 252.204-7008 and -7012 require NIST SP 800-171 but are often incorrectly treated as equivalent to it. The DFARS clauses impose additional requirements beyond NIST SP 800-171, such as rapid breach reporting.

When using cloud solutions in particular, special attention must be paid to DFARS compliance. It is insufficient to only comply with NIST SP 800-171 when the requirement is to comply with DFARS 252.204-7008 and -7012.

Please work with the Office of Research Computing for any DFARS 252.204-7008 and -7012 data, including vetting of cloud providers for compliance.

NIST Special Publication 800-171

The Office of Research Computing specifically complies with NIST Special Publication 800-171. It is the only entity on campus authorized to work with data that must be protected by that standard.

Please note that NIST SP 800-171 requirements often accompany export-controlled data, but NIST SP 800-171 by itself is insufficient to comply with export controls. NIST SP 800-171 deals only with security controls and standards compliance; the citizenship and residency status of the people involved is outside its scope. Every environment used to store, transmit, or process export-controlled data must therefore be evaluated for export-control compliance in addition to NIST SP 800-171 compliance.

Also note that if you are working with Department of Defense data, NIST SP 800-171 by itself is usually insufficient to comply with data security requirements. Please see the section on this page about Department of Defense data, if applicable.

Please work with the Office of Research Computing for any NIST SP 800-171 data, including vetting of cloud providers for compliance.

Cloud providers

Please work with the Office of Research Computing when choosing a cloud provider to store or process protected data.

The Office of Research Computing will soon make several special cloud offerings available to researchers with protected data. Most other cloud offerings are not compliant with various forms of data security requirements.

Cloud offering   NIST SP 800-171   DFARS 252.204-7008, -7012   Export-controlled   HIPAA (through authorized entity)
Box              No                No                          No                  Yes
Google Drive     Yes, with 2FA     No                          No                  Possible with a BAA
Office 365       Yes, with 2FA     No                          No                  No

*Coming soon. Also note that some "No" answers are permanent, while in other cases a compliant version of the offering is available at extra cost.

Remember that systems that upload data to or download data from cloud providers are also in scope for data security requirements. For example, the fact that Box can handle HIPAA data does not mean that you can stage that same data on your own system for upload or download.