Export-controlled technical data housed at the University of Iowa should be managed in accordance with the following recommended guidelines based on NIST 800-171 standards. Specific requirements depend on the contractual language and must be confirmed by the Export Control office before any changes or implementations take place. A project specific Technology Control Plan is required for all research projects that involve the use of export-controlled data.  If the research project requires specific IT requirements in order to safeguard the data, researchers must work with the Information Security and Policy Office (ISPO) and IT staff responsible for implementation to complete an IT Security Plan. Establishing a TCP and an IT Security Plan is a multi-step process where:


  1. The PI develops the TCP in coordination with the Division of Sponsored Programs Export Control staff.

  2. Should it be deemed that the research project requires specific IT requirements to safeguard the data, the researcher will work with Export Control, ISPO, and the IT staff responsible for implementation to complete an IT Security Plan.

  3. Export Control, ISPO, and the system administrators will need to review and individually sign off on the IT Security Plan.

  4. The PI submits a copy of all signed documents to Export Control, keeps the originals with the project file, and implements the TCP and IT Security Plan.

  5. The PI notifies Export Control of any updates to the TCP as they occur (personnel, scope of work, safeguards, etc.). All staff who are accessing or handling export controlled technical data, including IT staff, are required to be included in the TCP and will need to attend an Export Control training.

*Please note, the ITF & Lindquist datacenters have been approved to host hardware that contains export-controlled data.  Please visit the ITS-Managed Hosting Services for Export-Controlled Data article for more detailed information about ITS-Managed services.

It is important to distinguish between International Traffic in Arms Regulations (ITAR) and Defense Federal Acquisition Regulation Supplement (DFARS).  All research projects under a Department of Defense (DoD) contract are subject to the IT requirements mandated in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. The following guidelines outlined in this webpage will satisfy NIST 800-171 IT requirements and therefore, satisfy DFARS IT requirements. However, please reference the above DFARS article for specific breach reporting and other non-IT requirements. 

*Please note, even if your contract mentions ITAR, not all project data may be ITAR-controlled.  Please contact Export Control regarding what specifically in your project is ITAR-controlled according to the contract.

The goal of the security measures listed below is to answer the follow questions in the affirmative and be able to prove they are being met:

  • Can you trace with precision who is working on the project?

  • Can you track who has access to the export-controlled data and with whom they can share the data with?

  • Do you have the appropriate physical and electronic precautions in place -

    • To prevent unauthorized access?

    • To restrict access to project data only to authorized individuals?

Article number: 
Last updated: 
May 11, 2023