The Office of Research Computing's environment supports the following protected data types with prior written authorization:
- International Traffic in Arms Regulations (ITAR)
- Export Administration Regulations (EAR)
- Office of Foreign Assets Control (OFAC)
- "US citizens and lawful permanent residents only"
- Department of Defense: DFARS 252.204-7008, DFARS 252.204-7012
- NIST SP 800-171 (revisions 1 and 2)
- NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy. (aka "dbGaP")
- Protected Health Information (PHI) protected under HIPAA
- Most forms of intellectual property protection requirements
Other forms of protected data might be supported after careful evaluation by the Office of Research Computing. Please open a support ticket with any questions about protected data.
BYU is not the same entity as BYU-Idaho or other CES institutions. We cannot currently assist you in supporting protected data unless you are a BYU (meaning BYU in Provo) faculty member, employee, or student. If you are at a different CES institution and would like to begin using protected data on our systems, please contact our director to see if it is a possibility.
The Office of Research Computing specifically complies with the following export-control regulations: ITAR, EAR, OFAC, "US citizens and lawful permanent residents only". It is the only campus-level entity that is currently able to work with export-controlled data.
Researchers can work with export-controlled data on their own unless:
- the data is covered by NIST SP 800-171
- the data is part of a contract or subcontract with the Department of Defense
If either of the above conditions apply, the researcher must work through the Office of Research Computing.
Every person who has access to export-controlled data MUST be screened in advance by the director of RAO (Research Administration Office). Please email the director for approval of each person who has access to the data. This is extremely important and must be done for faculty, staff, students, postdocs, research assistants, collaborators, IT staff with access, and any other person who might access the data. Criminal and civil penalties are both possible for non-compliance.
If you have any questions about who can work with export-controlled data, please consult with the director of RAO. In addition to filing an export-control plan with RAO, you must work with Human Resource Services to make sure that your hiring practices are aligned with employment law and laws regarding export-controls.
Note that you may be able to hire citizens, lawful permanent residents, people with certain asylum statuses, and potentially others if you only have to comply with ITAR. Full-time university employees have additional exemptions. However, the regulations are complex and you should defer to the director of RAO for screening of hires.
Employees of the Office of Research Computing are US citizens or lawful permanent residents who are screened for the ability to work with export-controlled data.
Please work with the Office of Research Computing for any export-controlled data, including vetting of cloud providers for compliance.
DFARS 252.204-7008 and -7012 are standard clauses in many Department of Defense contracts and subcontracts that require the protection of Controlled Unclassified Information / Controlled Defense Information (CUI / CDI).
DFARS 252.204-7008 and -7012 require NIST SP 800-171 and are often incorrectly treated as being equivalent to NIST SP 800-171. The DFARS clauses specify additional requirements, such as rapid breach reporting requirements, that are beyond what NIST SP 800-171 requires.
When using cloud solutions in particular, special attention must be paid to DFARS compliance. It is insufficient to only comply with NIST SP 800-171 when the requirement is to comply with DFARS 252.204-7008 and -7012.
Please work with the Office of Research Computing for any DFARS 252.204-7008 and -7012 data, including vetting of cloud providers for compliance.
The Office of Research Computing specifically complies with NIST Special Publication 800-171 revisions 1 and 2. It is the only entity on campus authorized to work with data that must be protected by that standard.
Please note that NIST SP 800-171 requirements often accompany export-controlled data. NIST SP 800-171 by itself is insufficient to comply with export-controls. NIST SP 800-171 only deals with security and standards compliance; the citizenship and residency status of the people involved with that effort are not part of the NIST SP 800-171 standard. Therefore, it is important to note that every environment used to store, transmit, or process export-controlled data must also be evaluated for export-control compliance in addition to compliance with NIST SP 800-171.
Also note that if you are working with Department of Defense data, NIST SP 800-171 by itself is usually insufficient to comply with data security requirements. Please see the section on this page about Department of Defense data, if applicable.
Please work with the Office of Research Computing for any NIST SP 800-171 data, including vetting of cloud providers for compliance.
The Office of Research Computing undergoes periodic audits by Internal Audit Services. IAS audits are considered to be arms-length audits since there is no shared reporting chain except for the university president.
Please work with the Office of Research Computing when choosing a cloud provider to store or process protected data.
The Office of Research Computing will soon make several special cloud offerings available to researchers with protected data. Most other cloud offerings are not compliant with various forms of data security requirements.
|Cloud offering||NIST SP 800-171||DFARS 252.204-7008, -7012||Export-controlled||HIPAA (through authorized entity)|
|Google Drive||Yes, with 2fa||No||No||Possible with a BAA|
|Office 365||Yes, with 2fa||No||No||No|
*Coming soon. Also note that some "No" answers are always "No", though sometimes extra money can be paid to use a compliant offering.
Remember that systems that upload or download data to cloud providers are also in scope for data security requirements. For example, just because Box can handle HIPAA data does not mean that you can put that same data on your system for upload or download purposes.