Technology Control Plan (TCP) Security Guidance
MSU’s Office of Export Control and Trade Sanctions (ECTS) and Office of Information Security have developed this guidance for MSU’s IT systems that may be used to safeguard export-controlled data/information. Export-controlled data/information has specific federal regulatory controls on access. The Principal Investigator (PI) of a research project should complete the IT Security requirements of the Technology Control Plan collaboratively with their department IT manager or administrator, other IT, and/or IT security support staff. MSU’s SecureIT web page contains additional information on IT Security controls for safe computing.
Transmission Protocols
If you are sending or receiving export-controlled technology, materials, equipment, information, data, or software, please describe how these technologies will be delivered (physically) or transmitted (electronically).
Transmission Protocol Guidance
To transmit electronic export-controlled information, please first ask your research sponsor whether they have an export-compliant solution that they would like you to use to transmit data. DoD contractors have controlled access cards and approved mechanisms to securely transmit CUI/ITAR data. If this isn’t possible, MSU PIs may use MSU FileDepot as long as the information is encrypted with FIPS-validated encryption prior to upload and transmission. Password-protected and encrypted removable storage media, or secure and encrypted fax transmission, may also be used for transmission of export-controlled information.
Storage Protocols
Describe where export-controlled data/information will be stored and the protocols for secure storage.
Storage Protocol Guidance
To store export-controlled data/information, please first ask your research sponsor whether they have an export-compliant solution that they would like you to use to store data. DoD contractors have controlled access cards and approved storage solutions for CUI/ITAR data. Faculty may also leverage Elastic Storage offered through MSU IT, as it meets export control (ITAR) storage requirements. Faculty in MSU’s College of Engineering may leverage the Division of Engineering Computing Services (DECS). DECS currently employs only US persons as administrators for these services and has encrypted-at-rest options available for dedicated computers. When requesting services, be sure to inform MSU IT or DECS that you will be working with export-controlled information. Data may also be stored on an approved, offline computer, or an external media device secured with FIPS-validated encryption. If using this option, the computer must be hardened following MSU’s SecureIT instructions. The computer and any external media must be physically secured as well.
Physical Security
What IT security controls will be used to prevent unauthorized access to export-controlled information?
Physical Security Guidance
- Only individuals specifically listed as authorized personnel (Additional Investigators) in the TCP will be granted access to devices, servers, or storage that process, maintain, transmit, or store project export-controlled information.
- Use MSU VPN whenever information is remotely accessed.
- All MSU owned devices must have endpoint security protection enabled.
Conversation Security
If you will be discussing any export-controlled technology within or external to MSU, how will you ensure conversations are heard only by authorized persons?
Conversation Security Guidance
Limit project-related discussions to authorized individuals and only in areas where there is no possibility of non-authorized individuals being inadvertently included. Limit any conversation, including by telephone, that includes discussion or sharing of export-controlled information to authorized project personnel only and to locations that are restricted to authorized personnel.
Marking of Export Controlled Technology
Describe the content and placement of markings or warnings that will be placed on export-controlled equipment, materials, software, and information (both paper and electronic) or explain why they are not practical or possible.
Marking Guidance
- Include an export control label as a warning on all export-controlled physical items and information, whether electronic or hard copy.
- Place restricted access signage at the entrance to labs and research areas where export-controlled materials and information are located, if possible.
Secure Return or Disposal of Export Controlled Technology
After completion of your research, you may maintain the export-controlled technology at MSU under a TCP or you must properly return/destroy the export-controlled items covered under your TCP.
Return or Disposal Guidance
After you have completed your research project, you must take one or more of the below actions with respect to each export-controlled item covered by your TCP. You may:
- Return the export-controlled equipment, materials, software, and information to your research sponsor at the completion or termination of the project,
- Securely delete or destroy export-controlled items (paper or electronic) at the completion or termination of the project,
- Use up the export-controlled items in the research activities or incorporate the export-controlled items into your research results to send to the sponsor, or
- Maintain a TCP for any export-controlled items you are keeping after the research is finished. A TCP must remain in place with appropriate security controls until you no longer have the export-controlled items.
Reporting IT Security Incidents
Report suspected security incidents immediately. Suspected or actual compromises, breaches, or unauthorized disclosures of export-controlled data or materials should be immediately reported by following the instructions at Report a Security Incident. If it is determined that an export control violation occurred, the university must promptly report the violation to the contracting agency and the appropriate federal department.
- Guidelines for Reporting Security Breach
- Call the IT Service Desk at (517) 432-6200 and follow the recorded instructions for reporting a “security incident.”