Chapter 430: Research Security <span>430.010 Industrial Security Program</span> <span><span>kuscheld</span></span> <span><time datetime="2024-07-19T19:55:01+00:00" title="Friday, July 19, 2024 - 19:55">Fri, 07/19/2024 - 19:55</time> </span> <div><p>Bd. Min. 06-27-24; <a href="/sites/default/files/media/curators/crr-amendments/crr-430.010-20241120.pdf">Amended Bd. Min. 11-20-24</a>.</p> <ol class="upperalpha"> <li><strong>Statement of Purpose</strong><br> <ol class="numeric"> <li>This rule addresses The Curators of the University of èapp (a.k.a., the University of èapp System (èappSystem)) compliance with U.S. industrial security policy, including applicable federal statutes, Executive Orders (E.O.), Code of Federal Regulations (CFR), Department of Defense Instructions (DoDI), and other applicable authorities. èappSystem is committed to compliance for the protection of classified information disclosed to or developed by contractors of the U.S. Government (USG), employed or the responsibility of èappSystem (contractors).</li> <li>This rule will be applied to achieve compliance with applicable federal authorities, including:<br> <ol class="loweralpha"> <li>E.O. 12829, <em>National Industrial Security Program</em></li> <li>E.O. 
10865, <em>Safeguarding Classified Information within Industry</em></li> <li>32 CFR Part 2004, <em>National Industrial Security Program</em></li> <li>DoDI 5220.22, <em>National Industrial Security Program</em></li> <li>32 CFR Part 117, <em>National Industrial Security Program Operating Manual (NISPOM)</em></li> </ol> </li> <li>This rule implements policy, assigns responsibilities, and establishes requirements for the protection of classified information disclosed to, or developed by contractors across the èappSystem.</li> </ol> </li> <li><strong>Scope and Compliance Policy</strong><br> <ol class="numeric"> <li>This rule applies to all cleared facilities (i.e., Facility Clearances or FCLs) within the èappSystem holding a FCL, to all personnel whose personnel security clearances are held by a èappSystem or subsidiary FCL, and to all personnel who hold roles related to ensuring compliance with the authorities outlined in subsection A.2 (e.g., Key Management Personnel or KMPs).</li> <li>The èappSystem is the “corporate family” for all classified work taking place at any FCL within the System. 
Individual universities may have subsidiary Facility Clearances under the èappSystem Facility Clearance if they have federal authorization to hold classified materials on-site, a secondary place-of-performance, or flow down to a sub-tier contractor.</li> <li>The èappSystem shall implement a corporate-wide Insider Threat Program to address insider threats throughout the èappSystem.</li> <li>The President will appoint the following personnel to oversee and implement the èappSystem industrial security program (ISP) (System ISP):<br> <ol class="loweralpha"> <li>Senior Management Official (SMO)</li> <li>Insider Threat Program Senior Management Official (ITPSO)</li> <li>Facility Security Officer (FSO)</li> </ol> </li> <li>The personnel identified in subsection B.4 must:<br> <ol class="loweralpha"> <li>Oversee the implementation of the requirements of the NISPOM;</li> <li>Undergo the same security training that is required of all contractors, in addition to any position specific training;</li> <li>Be designated in writing; and</li> <li>Undergo a personnel security investigation and national security eligibility determination for access to classified information at the level of the entity’s eligibility determination for access to classified information.</li> </ol> </li> <li>SMO: The President of the èappSystem is the SMO for the èappSystem FCL and for all subsidiary FCLs held by an individual university within the èappSystem. 
The SMO will:<br> <ol class="loweralpha"> <li>Ensure a system of security controls in accordance with the NISPOM;</li> <li>Appoint an èappSystem ITPSO and FSO in writing;</li> <li>Remain fully informed of the èappSystem ISP classified operations;</li> <li>Make decisions based on the threat reporting and information and the potential impacts to the èappSystem ISP; and</li> <li>Retain accountability for the management and operations of the System’s ISP without delegating that accountability.</li> </ol> </li> <li>ITPSO: The Director, Research Security and Compliance is the ITPSO and will be designated in writing by the SMO. The ITPSO will:<br> <ol class="loweralpha"> <li>Ensure the FSO(s) is part of the insider threat program;</li> <li>Complete training in accordance with the NISPOM; and</li> <li>Develop an insider threat program that meets the requirements of the NISPOM.</li> </ol> </li> <li>FSO: An FSO will be appointed in writing by the SMO for any University with an active FCL. Each FSO will:<br> <ol class="loweralpha"> <li>Supervise and direct security measures necessary for implementing the NISPOM to ensure the protection of classified information.</li> <li>Complete security training as deemed appropriate by the Cognizant Security Agency (CSA) who accredits the FCL. Both direct and reciprocity CSAs training must be met.</li> <li>Appoint an Information System Security Manager (ISSM) if classified information will be processed on an information system at a University with an FCL.</li> </ol> </li> <li>ISSM: If classified information will be processed on an information system at a University with an FCL, the FSO will appoint an ISSM. 
Each ISSM will:<br> <ol class="loweralpha"> <li>Be adequately trained and possess the technical competence required to operate, maintain, and secure the contractor’s classified information system; and</li> <li>Oversee development, implementation, and evaluation of the University's classified information system program.</li> </ol> </li> </ol> </li> <li><strong>University of èapp Research Security and Compliance Team</strong><br> <ol class="numeric"> <li>èappResearch Security and Compliance Team<br>Each FCL within the èappSystem will have an appointed FSO who reports to the èappSystem Director of Research Security and Compliance. Each FSO shall be a member of the University of èapp Research Security and Compliance Team (“èappRSC Team”).</li> <li>Collaboration<br>Recognizing both the necessity and administrative efficiencies gained, the èappRSC Team shall work in collaboration with each other and with those also holding responsibilities for compliance with the authorities outlined in subsection A.2. 
to ensure that no single point of failure exists within the System.</li> <li> <p>Accountability and Alignment<br>To ensure the accountability and alignment of the èappRSC Team, each Chancellor shall designate one of that University's Vice Chancellors to work with the èappSystem Director for Research Security and Compliance, who will jointly approve the following as it relates to the FSO at each institution:</p> <ol class="loweralpha"> <li>Recruitment and hiring decisions;</li> <li>Disciplinary and termination decisions; and,</li> <li>Annual performance evaluations and compensation decisions.</li> </ol> <p>For situations in which concurrence is not reached, the collective decision will be made with the President.</p> </li> </ol> </li> <li><strong>Strategies</strong><br> <ol class="numeric"> <li>The FSO(s) will develop the industrial security strategies for the èappSystem to establish, document, and implement processes and procedures to ensure the System remains in compliance with the authorities outlined in subsection A.2. These strategies will be brought before the èappRSC Team for approval before implementation.</li> <li>A Standard Practice Procedures (SPP) is developed and maintained by the èappRSC Team. This SPP documents the current processes and procedures used across the System. 
The SPP will contain information describing acceptable structures for the Security Executive Committee (SEC).</li> <li>University-specific appendices will be maintained within the SPP as needed.</li> <li>At least once annually, the Board of Curators will review and ratify a Security Resolution outlining the members of the SEC and those who are excluded from the SEC in alignment with the structure outlined in the SPP.</li> </ol> </li> <li><strong>Implementation</strong><br>The FSOs and Insider Threat Program Senior Official on the èappRSC Team are responsible for the implementation of the industrial security programs and the Insider Threat Program for the èappSystem.</li> </ol> </div> <span>430.020 Export Control and Sanctions Compliance</span> <span><span>kuscheld</span></span> <span><time datetime="2023-01-30T14:59:50+00:00" title="Monday, January 30, 2023 - 14:59">Mon, 01/30/2023 - 14:59</time> </span> <div><p>Executive Order No. 49, issued 1-24-23; <a href="/sites/default/files/media/curators/crr-amendments/crr-430.020-2024-11-21.pdf">Amended 11-21-24</a>.</p> <ol class="upperalpha"> <li><strong>Statement of Purpose</strong><br> <ol class="numeric"> <li>This rule addresses the University’s compliance with U.S. export control and sanctions laws and regulations (“export controls”). 
The University is committed to export control compliance in all activities that may result in an export or sanctioned transaction with a foreign person, entity, or country.</li> <li>Unless otherwise indicated, this rule applies to all transactions by the University of èapp System, its administration, and four universities and all of their component parts (hereafter referred to as "University" or "èappSystem"), regardless of whether or not those transactions are research related, and is intended to comply with the Foreign Assets Control Regulations (“FACR”) at 31 CFR §§ 500-599, the International Traffic in Arms Regulations (“ITAR”) at 22 CFR §§ 120-130, the Export Administration Regulations (“EAR”) at 15 CFR §§ 730-799, the Foreign Trade Regulations (“FTR”) at 15 CFR § 30, and other similar regulations to which export controls or sanctions apply.</li> </ol> </li> <li><strong>Scope and Compliance Policy</strong><br> <ol class="numeric"> <li>This rule applies to all University employees, students, contractors, consultants, and any other persons acting on behalf of or at the direction of the University.</li> <li>No person may do or facilitate anyone doing any of the following on behalf of the University:<br> <ol class="loweralpha"> <li>Engaging in transactions prohibited by the Foreign Assets Control Regulations (FACR) or other sanctions programs administered by the U.S. Department of the Treasury, unless otherwise authorized;</li> <li>Exporting items, technical data, or defense services subject to the ITAR other than as authorized by the U.S. Department of State;</li> <li>Exporting items, technology, or software subject to the EAR other than as authorized by the U.S. Department of Commerce; or</li> <li>Violating any other U.S. export control law or regulation.</li> </ol> </li> <li>All persons must be mindful of export control requirements across all University activities. This includes, but is not limited to, the considerations listed below. 
This list is only illustrative, and compliance will be determined by applicable statutes and regulations in place at the relevant time, so all persons should seek guidance whenever activities may involve exports or involve interactions with countries, persons, or entities subject to sanctions.<br> <ol class="loweralpha"> <li>Performing any service of value for a person or entity located in a sanctioned destination (regardless of that person’s citizenship) may be regulated by the FACR.</li> <li> <p>The ITAR and EAR regulate the transfer of controlled items, technical data, technology, and software to foreign persons or destinations, in addition to regulating defense services. An export may include:</p> <div class="margin10">1) An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner;<br>2) Releasing or otherwise transferring technical data or technology (including software) to a foreign person in the United States (a “deemed export”);<br>3) Transferring registration, control, or ownership of any spacecraft, aircraft, vessel, or satellite by a U.S. Person to a foreign person;<br>4) Releasing or otherwise transferring a defense article to an embassy or to any of its agencies or subdivisions, such as a diplomatic mission or consulate, in the United States;<br>5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad; or<br>6) The release of previously encrypted technical data.</div> </li> <li> <p>The following types of technical data, technology, and software generally may be exempt from export control regulations:</p> <div class="margin10"> <p>1) Publicly available information. 
Technical data and technology may be considered publicly available when they are generally accessible or available to the public through sales at newsstands and bookstores; through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information; through second class mailing privileges granted by the U.S. Government; at libraries open to the public or from which the public can obtain documents; through patents available at any patent office; through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States; or through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency.<br>2) Educational information. Technical data may be considered educational information when it is general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities. Technology may be considered educational information when it is released by instruction in a catalog course or associated teaching laboratory of an academic institution.<br>3) Fundamental Research. Fundamental research generally may mean basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons. Fundamental research should not be considered to apply to information and software received during the course of research. It should only be considered to apply to the technical data, technology, and software that arises from or is generated during the research. 
In order for technical data, technology, and software to qualify as fundamental research, the research:</p> <div class="margin25">a. Must be conducted by an accredited institution of higher learning;<br>b. Must take place in the U.S.; and<br>c. The University and its researchers cannot have accepted other restrictions on publication of or access to scientific and technical information resulting from the project or activity.</div> </div> </li> </ol> </li> </ol> </li> <li><strong>University of èapp Research Security and Compliance Team</strong><br> <ol class="numeric"> <li>èappResearch Security and Compliance Team<br>Each University within the èappSystem will have at least one designated export controls and sanctions point of contact (POC) who reports to the èappSystem Director of Research Security and Compliance. The èappSystem Director of Research Security and Compliance, research security contacts designated pursuant to CRR 330.120.C.1, and all POCs comprise the University of èapp Research Security and Compliance Team (“èappRSC Team”). 
Additional personnel with compliance responsibilities related to export controls and/or sanctions may be consulted by the èappRSC Team or included within the èappRSC Team at the designation of the èappSystem Director for Research Security and Compliance.</li> <li>Collaboration<br>Recognizing both the necessity and administrative efficiencies gained, the èappRSC Team shall work in collaboration to meet the needs of the èappSystem.</li> <li> <p>Accountability and Alignment<br>To ensure the accountability and alignment of the èappRSC Team, each Chancellor shall designate one of that University’s Vice Chancellors to work with the èappSystem Director for Research Security and Compliance, who will jointly approve the following as it relates to the POCs and other export controls and/or sanctions professionals at each institution:</p> <ol class="loweralpha"> <li>Recruitment and hiring decisions</li> <li>Disciplinary and termination decisions</li> <li>Annual performance evaluations and compensation decisions.</li> </ol> <p><br>For situations in which concurrence is not reached, the collective decision will be made with the President.</p> </li> </ol> </li> <li><strong>Strategies</strong><br> <ol class="numeric"> <li>The Director of Research Security and Compliance, in collaboration with the èappRSC Team, will develop the export compliance strategies for the èappSystem to establish, document, and implement processes needed to ensure that the University, and its personnel, remain in full compliance with applicable U.S. 
export control and sanctions related laws and regulations while still achieving its academic and global outreach missions.</li> <li>These strategies are outlined in an Export Compliance Management Program (ECMP) which operationalizes this policy, establishes processes, reiterates its commitment to compliance, and provides information and guidance to the University community.</li> <li>Each university has the flexibility to develop university specific export compliance and sanctions strategies and procedures after consultation with the Director of Research Security and Compliance and so long as the strategies are not in conflict with or interfere with the èappSystem export compliance strategies.</li> </ol> </li> <li><strong>Implementation</strong><br>The University of èapp Research Security and Compliance Team is responsible for the implementation of the export controls and sanctions compliance strategies for the èappSystem.</li> </ol> </div>