
IT Security

Before ever receiving or creating export controlled information at the University of Rochester, please discuss with both Josef Mejido, the University’s Export Control Officer, and University IT security (e.g. Mark Baker, Information Security Officer – Research & Education). In such cases, we will need to implement a technology control plan.



EAR:

The Bureau of Industry and Security, U.S. Department of Commerce has made clear that the following is not an export, even if routed out of the U.S.:

Sending, taking, or storing “technology” or “software” that is:

  • (i) Unclassified;
  • (ii) Secured using 'end-to-end encryption;'
  • (iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and
  • (iv) Not intentionally stored in a country listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR) or in the Russian Federation.
  • Data in-transit via the Internet is not deemed to be stored.

For purposes of this section, End-to-end encryption means
  • (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary), and
  • (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.
References and additional information about the EAR encryption export carve out:
  • See section 734.18(a)(5) on pages 12 and 13, and
  • pages 11 – 13 of this FAQ from BIS/Commerce.


ITAR:

Department of State 22 CFR Part 120

Effective March 25, 2020 in accordance with an interim final rule by the U.S. Department of State, the following is not an export:

Sending, taking, or storing technical data that is:

  • (i) Unclassified;
  • (ii) Secured using end-to-end encryption;
  • (iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);
  • (iv) Not intentionally sent to a person in or stored in a country proscribed in §126.1 of this subchapter or the Russian Federation; and
  • (v) Not sent from a country proscribed in §126.1 of this subchapter or the Russian Federation.
  • Note that data in-transit via the internet is not deemed to be stored.
For purposes of this section, end-to-end encryption is defined as:
  • (i) The provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and
  • (ii) The means of decryption are not provided to any third party. The originator and the intended recipient may be the same person.

The intended recipient must be the originator, a U.S. person in the United States, or a person otherwise authorized to receive the technical data, such as by a license or other approval pursuant to this subchapter.

The ability to access technical data in encrypted form that satisfies the criteria set forth above does not constitute the release or export of such technical data.



NIST 800-171 / Controlled Unclassified Information (CUI)

“Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.” [32 CFR § 2002.4]

The National Archives and Records Administration (NARA) (the agency tasked with management of the CUI program) clarified that:

“Information that non-executive branch entities generate themselves and that they do not create, collect, or possess for the Federal Government by definition does not constitute Federal CUI, nor would it fall within the provisions of a contract or information-sharing agreement covering CUI. We have slightly revised the definition of CUI under § 2002.4 to make this clearer.” 81 FR 63323.

There are several CUI categories, including but not limited to: export controlled information; controlled technical information; and unclassified controlled nuclear information (Energy).

NARA has adopted NIST 800-171 as the standard for protecting CUI, which may be required through a contract clause (e.g. DFARS clause 252.204-7012).