We strongly recommend using ITS-Managed services to implement IT controls specific to your sensitive data requirements. The guidelines outlined in this webpage are for IT System Administrators who will configure the system or endpoint to meet NIST 800-171 requirements. If you choose not to use ITS-Managed services, you will be responsible for ensuring that the requirements listed on this webpage are met, as well as the requirements listed in the Safeguarding Export-Controlled Technical Data for Researchers article, should your contract require this level of security.
 

Access Controls

  • Logical access will be granted to a limited number of authorized users only, as determined and requested by the Principal Investigator (PI). Only individuals listed on the PI's Technology Control Plan (TCP) should be granted access.  You may contact Export Control to confirm the individual is listed on the TCP.

  • All access requests and approvals should be logged.

  • No access will be granted to non-US Persons without an export license, exemption, or other government authorization. This applies to both research team members and OneIT staff.

  • For OneIT staff, US Person status should be confirmed with the ITS Human Resources department before access requests are granted (e.g. a University system administrator needs access to an export-controlled share or the datacenter for system management). Exception status will be confirmed with Export Control staff.

  • For members of the research team, US person status will be confirmed by Export Control.  No further actions need to be taken to confirm US person status if a PI requests additional research team members to be granted access to their export-controlled share.  All research team members are included on the TCP and are vetted by Export Control.

System Management

  • The system must be kept up to date on security patches and updates, and must use regularly-updated malware protection software.

  • If the ITS-managed datacenters are hosting systems that contain export-controlled data, system controls will be managed by the ITS department.

  • All Controlled Information must be backed up and encrypted if stored on mobile computing devices such as laptops, PDAs, and removable media such as thumb drives or CD/DVD. See additional notes below under Laptops.
     

Laptops

  • The data must be stored on a University-owned and managed single-user laptop device using whole disk encryption (e.g. FileVault2 for Mac, BitLocker for Windows, LUKS for Linux) with a unique decryption passphrase known only to the device's authorized primary user.

  • A normal-use account without Local Administrator or Power User privileges (exceptions may be made in cases where an essential application requires elevated privileges) must be used for non-privileged/normal work.  If a privileged account is necessary, it should only be used for actions that require those privileges.

  • The laptop must be joined to the UIOWA Active Directory system, for device security policy management.

  • The laptop must be accessed using HawkID credentials.

  • The laptop must have a password protected screen saver enabled with an inactivity threshold of 20 minutes or less.

  • The laptop must have the most up-to-date virus and malware protection products installed (e.g. MS System Center Endpoint Protection) and must be configured to update the signatures as often as possible (e.g. daily).

  • Critical updates and patches must be applied within 5 days, normal patches within 30 days.

  • The laptop must be protected by a software firewall that limits communications to only those necessary for operation.

  • Laptop change control management must be utilized, such as UI Casper or MS-SCCM services.

  • The laptop must have audit logging enabled, audit logs backed up, and audit logs must be reviewed regularly by IT staff.  This can be accomplished using OSSEC, which offers automated alerting of unusual, inappropriate, or suspicious events to the IT Staff.

  • If data backup is required, the encryption must be preserved in backups.

  • The laptop should be erased using a Department of Defense (DoD) approved method prior to disposal or prior to repurposing the laptop at the conclusion of the project.
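The laptop requirements above reduce to a small set of checkable thresholds (whole-disk encryption, AD join, 20-minute screen lock, daily signatures, 5-day critical and 30-day normal patch windows, host firewall, audit logging). The following added example, which is not part of this article or any ITS tool, evaluates a constructed endpoint inventory record against those thresholds and returns the findings an IT administrator would need to remediate before the laptop could hold export-controlled data; the record field names are assumptions for illustration.

```python
from datetime import date

# Thresholds taken from the laptop requirements in this article.
MAX_LOCK_MINUTES = 20
CRITICAL_PATCH_DAYS = 5
NORMAL_PATCH_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 1


def evaluate_laptop(record, today):
    """Return a list of non-compliance findings; an empty list means compliant.

    `record` is an inventory dict with hypothetical field names (assumption),
    `today` is the evaluation date so patch and signature ages are reproducible.
    """
    findings = []
    if not record.get("whole_disk_encryption"):
        findings.append("whole-disk encryption not enabled")
    if not record.get("ad_joined"):
        findings.append("not joined to UIOWA Active Directory")
    lock = record.get("screen_lock_minutes")
    if lock is None or lock > MAX_LOCK_MINUTES:
        findings.append(f"screen lock timeout {lock} exceeds {MAX_LOCK_MINUTES} minutes")
    if not record.get("firewall_enabled"):
        findings.append("host firewall disabled")
    if not record.get("audit_logging"):
        findings.append("audit logging disabled")
    sig = record.get("av_signature_date")
    if sig is None or (today - sig).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("malware signatures older than one day")
    # Each pending patch is judged against the window for its severity.
    for patch in record.get("pending_patches", []):
        age = (today - patch["released"]).days
        limit = CRITICAL_PATCH_DAYS if patch["severity"] == "critical" else NORMAL_PATCH_DAYS
        if age > limit:
            findings.append(f"patch {patch['id']} ({patch['severity']}) pending {age} days, limit {limit}")
    return findings


# Constructed sample record: encrypted and AD-joined, but the screen lock is
# too long and a critical patch has been outstanding for 10 days.
SAMPLE_LAPTOP = {
    "whole_disk_encryption": True, "ad_joined": True, "screen_lock_minutes": 30,
    "firewall_enabled": True, "audit_logging": True,
    "av_signature_date": date(2023, 5, 10),
    "pending_patches": [
        {"id": "PATCH-EXAMPLE-1", "severity": "critical", "released": date(2023, 5, 1)},
        {"id": "PATCH-EXAMPLE-2", "severity": "normal", "released": date(2023, 4, 20)},
    ],
}

if __name__ == "__main__":
    for finding in evaluate_laptop(SAMPLE_LAPTOP, date(2023, 5, 11)):
        print("FINDING:", finding)
```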
     

Labeling

Systems and devices that host export-controlled data need to be clearly labeled so that everyone can handle them correctly. Labeling should include:

  • A physical label on devices that have export-controlled data on them (e.g. laptop, external drive)

  • A physical label on racks in computer rooms that house systems with export-controlled data.
     

Storing ITAR covered data

  • Export-controlled data is stored only on devices listed in the IT Security Plan.

  • If the export-controlled data cannot be encrypted at rest using an electronic barrier, a physical barrier must be implemented (e.g. locked rack, storage safe, etc.).
     

Please visit the DSP Export Control webpage or reach out to export-control@uiowa.edu for more information on Export Control regulations. Questions about technical implementations that support ITAR/EAR compliance can be sent to research-computing@uiowa.edu.

Article number: 110256
Last updated: May 11, 2023