Export Control Guidance Topics: Data Security & Retention

Data Security is vital to safeguarding sensitive data and preventing unauthorized transfers. When an “export” occurs and controlled technical data is shipped, transmitted or shared in any format, including oral, written, physical observation, email, phone, fax, etc., to persons in foreign countries or foreign nationals in the United States, it must be done securely and lawfully.

  • The regulations that govern your activity describe the type of data they refer to and how you must manage it. Examples include sensitive vs. non-sensitive data and classified vs. unclassified data.

    Contact Export Control to assist you in determining your type of data and how to manage it lawfully.

  • Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.

    View the CUI Registry, a federal repository containing all approved CUI categories, general descriptions, and handling requirements. View the Federal CUI Training Tools, which will help you handle, store, mark, and otherwise work with Controlled Unclassified Information (CUI).

  • To store or share files internally or externally with non-Rutgers users, use Microsoft’s OneDrive, which is part of Office365 and is available to all Rutgers users: connect.rutgers.edu.

    OneDrive lets you easily back up, store and share photos, videos, documents, and more – anywhere, on any device. Only a web browser is required to securely log in using your Rutgers NetID.

    To determine what types of data can be stored using cloud services provided by Rutgers, view the Data Classification and Storage Matrix. If the type of data you need to store is not on this list or not allowed, contact Export Control for assistance.

    Contact RU Secure for assistance with data storage.

  • A virtual private network (VPN) is a technology that allows you to create a secure connection between your computer and the internet over a less-secure network. Rutgers OIT will help you set up a VPN on your Rutgers device. To learn more, visit Rutgers IT's VPN webpage.

  • The management of export controlled data must adhere to Rutgers policy and Export Control regulations. Periodically, you should reassess the data’s security measures and ensure the data is appropriately classified and secured. This includes the following responsibilities, which RU Secure can help you perform:

    • Accessing Data: Use a VPN when accessing data remotely. Make sure you are allowed to access data from your current location. When you access cloud-based data, you have just exported it to your current location (including internationally), regardless of whether you are the only user accessing the data. All Export Control Regulations apply.

    • Storing Data: Data must be stored on secure devices with encryption and strong passwords. Make sure to segregate and label controlled technical data from other data. 

    • Sharing Data: Export-controlled information must be encrypted for electronic transmission or emailing. Rutgers’ Office 365 offers encrypted emailing options. 

    • Secure Your Devices: Sensitive data should only be stored or transferred using approved Rutgers devices that meet or exceed Rutgers’ minimum-security standards. Do not use personal devices, including your computer or mobile phone, for handling sensitive work data.

  • Cloud Storage is a data storage method involving the storage of data on the internet instead of your local computer or server. While this is convenient and has many benefits, it is also a risk for those working with Export Controlled data. 

    Without certain security measures, the use of such technology for the transmission and storage of electronic data may constitute an export of that data. Transmitting or storing electronic data in a way that meets certain security standards would NOT constitute an export of that data, provided that the technology or software is:

    1. Unclassified

    2. Secured using “end-to-end encryption”

    3. Secured using cryptographic modules (hardware or software) compliant with federal requirements; and

    4. Not intentionally stored in a military-embargoed country or in the Russian Federation.

    View the BIS Presentation on Cloud Computing 2018 [PDF]

  • Encrypting data is often required by Export Control.

    Encryption is the process of encoding data, making it unintelligible and scrambled. Encrypted data is also paired with an encryption key, and only those who possess the key will be able to open it.

    All devices, including work laptops, work mobile phones and USB storage devices, must be encrypted. Contact your local IT department for assistance. Note that you should never use personal devices for business purposes.

    Encrypted devices that are lost or stolen will still be safe because an unauthorized user does not have the key.

    Taking your laptop with encryption software to certain countries without proper authorization could violate U.S. export law or the import regulations of the country to which you are traveling, and could result in confiscation of your laptop, fines, or other penalties.

    For help encrypting your data and/or device, contact Rutgers IT’s Information Protection and Security Group.

  • Export Control documents must be retained by the person who is responsible for managing the Export Controlled data. This includes all shipping documents, RU Export Control Approvals, and Export Licenses. The length of time they must be retained is determined by the type of data and any applicable laws, including Rutgers policies.

    For ITAR documents, ITAR regulations contain rules for the filing, retention, and return of export licenses and filing of export information under 22 CFR §123.22. Deadlines are found in the regulations.

  • Export Controlled data must be stored only as long as required (as per Federal Regulations, Rutgers Policy, Sponsor Instructions, etc.) and must then be destroyed properly. Contact your local IT department for assistance.

  • A technology control plan (TCP) stipulates how an organization will control its technology. The plan establishes procedures to protect classified, proprietary, and export-controlled information; to control access by foreign visitors; and to control access by employees who are non-U.S. persons. 

    Export Control will create a custom plan for you based on your situation, as applicable.