5.1 In the event of conflict, the sponsoring organization’s directives take precedence.
- 5.1.1. Defining the parameters. Principal Investigators are responsible for obtaining the sponsoring organization’s guidance
- a. What information is CUI or classified? In the case of the latter, the DD form 254 should provide general
For the former, consultation with the sponsoring agency’s program officer is advisable.
- b. What are the applicable governing laws, regulations or policies?
- c. What are the exact limits of disclosure?
- d. Who can be granted access? For classified information this access is limited to those with proper security clearance and need-to-know. For CUI, consultation with the sponsoring agency’s program officer is advisable.
- 5.1.2. Access.
- a. Principal Investigators are responsible for determining who will have access to CUI and/or classified information obtained or generated through their project activities, consistent with the guidance of the sponsoring organization.
- b. Access to classified information is limited to appropriately cleared persons with need-to-know.
- c. Access to CUI is normally restricted to US citizens with need-to-know, though sponsoring agencies may make exceptions for operational or other reasons.
- d. An up-to-date access roster will be maintained. It will be available to all authorized personnel so they may readily identify who is authorized access to any CUI or classified information handled by the project. This roster will include people who are directly involved in project activities as well as people who provide administrative, logistical, and technical support whose duties require them to access the information, e.g., administrative personnel who prepare and handle project reports. A copy of the roster will be provided to the UTEP Assistant Facility Security Officer (AFSO) in the Office of Research and Sponsored Projects.
- e. Access to work sites where classified information is handled or stored may be controlled by badge systems and special locks and entry controls. Such areas will have published access plans that comply with the NISPOM or other sponsoring agency directives.
- 5.1.3. Visitors.
- a. Visitors to classified activities will be appropriately cleared. Visit requests will be submitted by the visitor’s parent organization to the UTEP AFSO. Such visits will be conducted in accordance with the NISPOM or other appropriate sponsoring agency directive.
- b. Visitors to CUI work sites will be approved by the project Principal Investigator or his/her designee, after appropriate approval of the sponsoring agency’s program office, if required. Visitors must have appropriate access and need-to-know, and must be escorted at all times by an approved project staff member; visitors who are directly and routinely involved with the project, e.g., sponsoring agency program office or collaborating organization personnel, do not require escorts.
- 5.1.4. Personnel.
- a. The UTEP Human Resources department should be advised on any job-specific requirements, including citizenship. Job notices will include citizenship requirements, if necessary, and HR will check proof of citizenship of candidates who are not currently UTEP employees. For job candidates who are already in the UTEP personnel system HR may not be able to determine their citizenship based on their personnel files. In those cases where citizenship is required and HR files cannot document it, the HR department will require the candidate to provide appropriate documentation.
- b. All employees of the University are required to pass background checks prior to employment or appointment, including students appointed as research assistants.
- c. Students who volunteer to work on research activities without appointments are not subject to background checks. Principal Investigators who consider using such students are responsible for determining citizenship and background checks for suitability, as if the students were to be employed by the University.
- d. Employees working on classified activities will have security clearances granted by the appropriate security agency.
- e. Citizenship. For activities involving CUI, access is usually restricted to US citizens
- f. Prior to beginning work on a project, all personnel to be granted access to CUI or classified information will sign a non-disclosure statement acknowledging their obligation to safeguard CUI and the penalties for failure to do so.
- i. Persons granted a security clearance will sign the SF 312 (Classified Information Nondisclosure Statement).
- ii. Persons granted access to CUI will sign the UTEP CUI Nondisclosure Statement (Appendix A). They may also be required to sign sponsor-specific forms, such as the DHS Form 11000-6.
- g. Subsequent information. If, after a person has been granted access to CUI or classified information, additional or new information comes to light that may raise concerns about his/her suitability for continued access, the individual will be suspended from access immediately pending a final determination by the Principal Investigator, his/her supervisory chain, and the UTEP Assistant Facility Security Officer (AFSO) in the Office of Research and Sponsored Projects, and, in the case of personnel with security clearances, the cognizant security authority. The sponsoring agency will also be notified, so that appropriate actions can be taken to mitigate the risk associated with the inappropriate access. Consult sponsoring agency directives and award documentation for timeliness requirements for reporting such information.
- 5.1.5. Work sites.
- a. On campus.
- a. When using CUI, authorized users will work in a space that is segregated from unauthorized personnel; a separate room is sufficient. Authorized personnel will know who else has access to the work and will challenge unauthorized others when they attempt to access the site. If unauthorized personnel are present at the work site, CUI will be covered from view. CUI will not be left unattended. When not in use, CUI will be stored as directed in the following paragraph and the work site will be secured with a locked door.
- b. Use of classified information is restricted to those areas that adhere to the requirements identified in the NISPOM or the DD form 254 issued by the sponsoring agency.
- c. Some projects may deal with a mix of non-sensitive and sensitive information and may employ persons who may not have access or need-to-know to work on the latter. The Principal Investigator is responsible for separating the work activities, physically and cognitively, to preclude inadvertent or wrongful disclosure. Those persons authorized to work with CUI will be briefed about the activities and scope of work of the non-sensitive group, and specifically about the limits of information to be exchanged with the latter. It may be appropriate to explicitly define the specific tasks and limits of the scope of work assigned to the non-sensitive group.
- b. Off campus.
- a. At approved sponsor or collaborating agency facilities. Authorized project personnel may visit such facilities in the performance of their duties, subject to the approval of the facility director.
- b. Other off campus locations. Project personnel may work on CUI at other off campus locations only with the prior approval of the Principal Investigator, and only after appropriate safeguards are applied. Use of classified information is restricted to those areas that adhere to the requirements identified in the NISPOM or the DD form 254 issued by the sponsoring agency.
- 5.1.6. Storage. When hard copy CUI is not being used it will be stored in a locked container in a locked room; a file cabinet or desk may be sufficient. Key control should ensure that only authorized personnel have access to the room or storage container. Classified information will be stored as directed in the NISPOM.
- 5.1.7. IT Security. CUI may be stored on desktop computers, laptop computers or on university servers, as well as on external memory devices such as hard drives, USB drives, and on CD; password access or encryption will be used at a level appropriate to the sensitivity of the information involved and consistent with the guidance of the sponsoring agency. When not in use, external storage media and laptop computers will be secured in a locked container. Use of classified information on IT systems must adhere to the NISPOM and other relevant regulations.
- 5.1.8. Marking. CUI and classified information will be marked in accordance with the sponsoring organization’s security directives and the NISPOM.
- 5.1.9. Transmission. The transmission or dissemination of CUI or classified information will follow the procedures of the sponsoring organization’s security directives and the NISPOM.
- 5.1.10. Disposition, retention and/or disposal. Disposition and retention of classified material are normally included in the security guidance provided by the DD 254. If this is not the case, UTEP will contact the sponsoring agency for guidance. Destruction will be conducted in accordance with the requirements of the NISPOM. For CUI, the PI will consult with the sponsoring agency’s program officer for guidance.