CUIE Secure Data Transfer, Destruction, Retention


Data transfer

Options to transfer data into the CUI Environment

  1. CUIE inbox - provide a URL to the sponsor and they add the files; the connection is secured and the files are encrypted from the start of the process. The files land directly in the user's vault in the CUIE.
  2. Encrypted data transfer - download encrypted data (FIPS 140-2 validated encryption) from the sponsor and upload it into the environment using tiCrypt Connect SFTP. Decrypt only once the data is inside the CUI Environment, so the intermediate non-CUIE machine only ever holds ciphertext. Delete the encrypted file from the non-CUIE machine once the upload is complete.
  3. DoD SAFE - connect from within the CUIE to DoD SAFE (or another approved URL-based file transfer tool).

Options to transfer data out of the CUI Environment

  1. Connect directly to the sponsor's URL-based file drop service from within the CUIE. These URLs can be added as exceptions so that the CUIE is permitted to connect to them.
  2. Encrypt the data inside the CUIE using FIPS 140-2 validated encryption, download the encrypted file, and then upload it to the sponsor's file drop URL or transfer it using another approved method. Delete the encrypted file from the non-CUIE machine once the transfer is complete.

Data retention

Closeout instructions should be established at the beginning of each project. The instructions will determine whether any project data needs to be retained at closeout, and for what duration. 

If the project data does not have handling instructions set out in the contract language and/or data management plan, the university retention schedule is followed by default.

When project closeout requires retention, there are two data storage options currently available:

Data storage options

Project freezing

Projects can be retained within the CUIE when necessary. All accounts with access to the project and project data are deactivated and/or removed from the project team. Project Tagging may be used to block accounts that must remain active from accessing the data. Because no active account retains access, the data is frozen in place. Future access requires approval by ORA and DIT Security.

Project data encryption and download 

When only trivial amounts of data need to be retained, it may be more appropriate to encrypt the data using FIPS 140-2 validated methods and download it for storage in a secure location. All decryption keys are to be kept in a separate location from the data, so that compromise of the storage location alone does not expose the data. Appropriate storage locations for the encrypted files are UMD Box and Network Storage. Any other storage location must be approved by ECO, ORA and DIT.

Data destruction

Upon completion of a CUIE project, if your research agreement or Data Use Agreement (DUA) requires any destruction/sanitization of data, the following offboarding procedures should be followed:

  1. On the Project End Date, ServiceNow automatically creates a task assigned to the Research Computing team to decommission the CUIE project.
  2. The Research Computing team contacts the PI and the relevant Division of Research administration (the Office of Research Administration and, if a Technology Control Plan applies, the Export Control Office) and confirms the data destruction requirement.
  3. The PI and research team are instructed to delete all relevant files and data in the project Vault and Drives to satisfy the requirements of the research agreement.
    • Researchers should be sure to differentiate between raw data that must be deleted and analysis or generated data that is to be retained.
  4. Research Computing staff verify the deletion of data and drives, and provide tiCrypt audit logs as evidence to ORA and any third parties to confirm deletion of the project data.
  5. The Research Computing team then deletes the CUIE project, decommissions and deletes the project team, and completes the ServiceNow task.

Appendix

Sanitization methods

Per Tera Insights, deletion in tiCrypt is equivalent to cryptographic sanitization (cryptographic erasure). Every file in a vault is encrypted under its own long, randomly generated key, and that key is the only way to decrypt the file. When a user deletes the file, the system deletes the key file used to decrypt it. Without the key, the drive contents are indistinguishable from random noise, so no separate media sanitization is needed; overwriting the ciphertext would add nothing, because the decryption key no longer exists. This argument holds only if no other copy of the key survives (for example in a backup), which is why the tiCrypt audit logs of the deletion are kept as evidence.
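The key-deletion argument above, together with the encrypt-before-download steps under Data transfer and Project data encryption and download, can be seen end to end in the following example. It is added here for illustration and is not tiCrypt's or Tera Insights' code: it uses Go's standard-library AES-256-GCM, which is not by itself the FIPS 140-2 validated module the policy requires, and the sample record, the key-handling functions and the entropy check are constructed for the example. It encrypts a file under a per-file key, shows that the ciphertext is what would be stored or transferred while the key is kept separately, and then destroys the key and shows that the untouched ciphertext can no longer be opened.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// Constructed sample standing in for one file in a project vault; not real project data.
var sampleRecord = []byte("CUI sample record 0001: constructed text, not real project data\n")

// generateDEK returns a fresh random 256-bit data-encryption key (DEK).
// One DEK per file; the DEK is the only thing that can ever recover the plaintext.
func generateDEK() ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return dek, nil
}

// newAEAD builds AES-256-GCM for the given DEK.
func newAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts plaintext under dek. Output layout: nonce || ciphertext || GCM tag.
// This blob is what leaves the environment or sits in UMD Box / Network Storage;
// the DEK is held in a separate location.
func sealFile(dek, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openFile decrypts a sealed blob. It fails if the key is wrong or the blob was altered.
func openFile(dek, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// destroyKey models deleting the key file: the DEK is overwritten in place, so the
// ciphertext is now unrecoverable by anyone, including the original owner.
func destroyKey(dek []byte) {
	for i := range dek {
		dek[i] = 0
	}
}

// shannonEntropy returns the estimated bits of entropy per byte (maximum 8.0).
// Ciphertext sits near 8.0; English text sits well below it.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

func main() {
	plaintext := bytes.Repeat(sampleRecord, 64) // about 4 KiB of constructed vault content
	dek, err := generateDEK()
	if err != nil {
		panic(err)
	}
	sealed, err := sealFile(dek, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext entropy  %.2f bits/byte\n", shannonEntropy(plaintext))
	fmt.Printf("ciphertext entropy %.2f bits/byte\n", shannonEntropy(sealed))

	// With the key still held separately, the owner can recover the file.
	if got, err := openFile(dek, sealed); err != nil || !bytes.Equal(got, plaintext) {
		panic("decryption with the live key should succeed")
	}

	// Cryptographic erasure: destroy the key and leave the ciphertext untouched.
	destroyKey(dek)
	if _, err := openFile(dek, sealed); err != nil {
		fmt.Println("after key destruction, decryption fails:", err)
	}
}
```

The entropy figures are the practical check a reviewer can make on a drive or an exported file: the sealed blob looks like random noise whether or not the key still exists, which is exactly why overwriting it after key deletion gains nothing. GCM's authentication tag also means a blob altered in transit is rejected rather than silently decrypted to garbage.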

Any physical data drives in the CUIE that must be removed are shredded through the DIT-provided Device Destruction Service.