BYU

Office of Research Computing

Protected Data

The Office of Research Computing's environment supports the following protected data types with prior written authorization:

Other forms of protected data might be supported after careful evaluation by the Office of Research Computing. Please open a support ticket with any questions about protected data.

Protected Data from Non-BYU Entities  

BYU is not the same entity as BYU-Idaho or other CES institutions. We cannot currently assist you in supporting protected data unless you are a BYU (meaning BYU in Provo) faculty member, employee, or student. If you are at a different CES institution and would like to begin using protected data on our systems, please contact our director to see if it is a possibility.

Export-controlled data  

The Office of Research Computing specifically complies with the following export-control regulations: ITAR, EAR, OFAC, "US citizens and lawful permanent residents only". It is the only campus-level entity that is currently able to work with export-controlled data.

Researchers can work with export-controlled data on their own unless:

  • the data is covered by NIST SP 800-171
  • the data is part of a contract or subcontract with the Department of Defense

If either of the above conditions applies, the researcher must work through the Office of Research Computing.

Every person who has access to export-controlled data MUST be screened in advance by the director of RAO (Research Administration Office). Please email the director for approval of each person who has access to the data. This is extremely important and must be done for faculty, staff, students, postdocs, research assistants, collaborators, IT staff with access, and any other person who might access the data. Criminal and civil penalties are both possible for non-compliance.

If you have any questions about who can work with export-controlled data, please consult with the director of RAO. In addition to filing an export-control plan with RAO, you must work with Human Resource Services to make sure that your hiring practices are aligned with employment law and laws regarding export controls.

Note that you may be able to hire citizens, lawful permanent residents, people with certain asylum statuses, and potentially others if you only have to comply with ITAR. Full-time university employees have additional exemptions. However, the regulations are complex and you should defer to the director of RAO for screening of hires.

Employees of the Office of Research Computing are US citizens or lawful permanent residents who are screened for the ability to work with export-controlled data.

Please work with the Office of Research Computing for any export-controlled data, including vetting of cloud providers for compliance.

Department of Defense  

The Office of Research Computing specifically complies with CMMC Level 2, DFARS 252.204-7008, DFARS 252.204-7012 and NIST SP 800-171.

CMMC, DFARS 252.204-7008, and -7012 are standard clauses in many Department of Defense contracts and subcontracts that require the protection of Controlled Unclassified Information / Controlled Defense Information (CUI / CDI).

These clauses require NIST SP 800-171 and are often incorrectly treated as being equivalent to NIST SP 800-171. The DFARS clauses specify additional requirements, such as rapid breach reporting requirements, that are beyond what NIST SP 800-171 requires.

When using cloud solutions in particular, special attention must be paid to DFARS compliance. It is insufficient to only comply with NIST SP 800-171.

Please work with the Office of Research Computing for any DoD data, including vetting of cloud providers for compliance.

NIST Special Publication 800-171  

The Office of Research Computing specifically complies with NIST Special Publication 800-171 revision 2. It is the only entity on campus authorized to work with data that must be protected by that standard.

Please note that NIST SP 800-171 requirements often accompany export-controlled data. NIST SP 800-171 by itself is insufficient to comply with export controls. NIST SP 800-171 only deals with security and standards compliance; the citizenship and residency status of the people involved with that effort are not part of the NIST SP 800-171 standard. Therefore, it is important to note that every environment used to store, transmit, or process export-controlled data must also be evaluated for export-control compliance in addition to compliance with NIST SP 800-171.

Also note that if you are working with Department of Defense data, NIST SP 800-171 by itself is usually insufficient to comply with data security requirements. Please see the section on this page about Department of Defense data, if applicable.

Please work with the Office of Research Computing for any NIST SP 800-171 data, including vetting of cloud providers for compliance.

Audits

The Office of Research Computing undergoes periodic audits.

Cloud providers

Please work with the Office of Research Computing when choosing a cloud provider to store or process protected data. Most university contracts are insufficient for the storage and processing of most forms of protected data.