Statutes, codes, and regulations
Ohio Administrative Code
Title 3361:10 - University of Cincinnati
Chapter 3361:10-30 - Research
Section 3361:10-30-04 - Research: policy on classified research

Ohio Admin. Code 3361:10-30-04

Download
PDF
Current through all regulations passed and filed through December 23, 2024
Section 3361:10-30-04 - Research: policy on classified research
(A) Purpose.

This rule describes the responsibilities of university of Cincinnati faculty and staff, students, volunteers, and visitors to comply with university policies and procedures and, as applicable, federal and state laws and regulations concerning activities involving the access, dissemination or storage of classified information at the university, on behalf of the university, or at any facility controlled by the university, or with the direct or indirect use of university resources. Classified information is defined as certain information requiring protection against unauthorized disclosure in the interests of national defense and security or foreign relations of the United States pursuant to federal statute or executive order. The term includes restricted data, formerly restricted data, and national security information.

(B) Scope.

All university faculty, staff, students, volunteers, and visitors involved in the following activities (collectively referred to hereinafter as "activities involving classified information") at or on behalf of the university are subject to this rule:

(1) Seeking or being awarded classified contracts or subcontracts, seeking to or in any way performing research or other activities involving access to, dissemination of, or storage of classified information;
(2) Development, production or use of classified information;
(3) International travel and collaborations that involve classified research.
(C) Foundational principles.

The university of Cincinnati may seek and be awarded classified contracts or subcontracts approved and funded by the U.S. government. When awarded a classified contract or subcontract, there will be limitations on public dissemination of certain information in accordance with U.S. laws and regulations and/or the terms and conditions of the contracts or subcontracts. As set forth in this rule, decisions to engage in activities involving classified information will be made by university leadership only when doing so is (1) in the best interests of the university, (2) consistent with the university's mission, and (3) in full compliance and accordance with any and all laws and regulations concerning classified information.

(D) Requirement for requisite clearances.

Prior to undertaking activities involving classified information, the university of Cincinnati shall be sponsored for and granted a facility clearance at the appropriate level, as determined by the agency's cognizant authority. As part of this process, the following university of Cincinnati personnel, as well as any additional personnel designated by the agency, shall be processed for and granted a personnel security clearance at the same level or higher:

(1) President;
(2) Executive vice president for academic affairs and provost ("provost");
(3) Vice president for research;
(4) Employees of the university who require personnel security clearances in order to perform or assist with the review, oversight or performance of activities involving classified information in connection with a contract pursuant to which the university of Cincinnati is sponsored for or required to hold a facility security clearance.
(E) Responsibilities of the president of the university.

While other university personnel will assist the president of the university of Cincinnati, the president maintains ultimate authority on behalf of the university over activities involving classified information undertaken at the university or at any facility controlled by the university, on behalf of the university, or with the direct or indirect use of any university resources or by any university faculty, staff, students, volunteers, or visitors ("the classified research program"). No individual can engage in activities involving classified information at the university, on behalf of the university, or at any facility controlled by the university, or with the direct or indirect use of university resources without the president's knowledge and express approval. The president, with assistance of other university personnel including the vice president of research and provost, will take necessary and appropriate steps to regularly (no less than annually) review and monitor the classified research program and activities involving university employees, university facilities or resources.

(F) Responsibilities of the vice president for research of the university.

The vice president for research will assist the president in the performance of his/her duties and responsibilities in connection with the classified research program. The vice president for research will also be responsible for the creation, dissemination and tracking of the requisite trainings as referenced in paragraph I of this rule, as well as the requisite financial and foreign travel disclosures. In addition, it shall be the responsibility of the vice president for research, in collaboration with the advisory committee on classified research, and in consultation with the general counsel, to develop unclassified policies and/or procedures for the conduct of classified research (to include policies related to access to, dissemination of, and storage of classified information, and reporting as applicable) consistent with this board rule, U.S. laws and regulations, other university policies and procedures and with the mission of the university.

(G) Responsibilities of the provost of the university.

The provost will assist the president in the performance of his/her duties and responsibilities in connection with the classified research program. The provost, in collaboration with the president and the vice president for research, will also be responsible for the final step in the approval process described in this rule.

(H) Advisory committee on classified research.

The president, in consultation with the vice president for research and the provost, shall appoint a university advisory committee on classified research ("ACCR") to include at a minimum, the vice president for research, facility security officer ("FSO"), insider threat program senior official ("ITPSO"), and at least one university faculty member or dean holding the requisite personnel security clearance. The president may appoint additional university faculty or staff to the ACCR, or remove any appointee from the ACCR, at the president's sole discretion. The ACCR shall be responsible for the following activities:

(1) Making recommendations to the president, vice president for research, and the provost in connection with the approval process described in this rule concerning the appropriateness of the university engaging in certain activities involving classified information;
(2) Assisting with providing oversight of the university's classified research program;
(3) Reviewing and recommending policies and operational matters impacting the university's classified research program; and
(4) Assisting the president with regular review and monitoring of the university's classified research program for conformance with applicable policies and regulations.
(I) Training and visitors.

All university employees and students engaged in activities at or on behalf of the university involving classified information or otherwise involved in the classified research program shall receive regular training on all applicable U.S. laws and policies associated with classified information on no less than an annual basis, or more frequently, as determined by the ACCR or applicable laws and regulations. The FSO shall be responsible for ensuring that any visitors who will have access to classified information possess a personnel clearance at that requisite level and a need to know and that the visitor is a representative of an organization with a clearance at the requisite level and a need to know.

(J) Compliance with applicable laws and regulations.

All faculty, staff, students, volunteers, and visitors engaged in activities at or on behalf of the university involving classified information must comply with all applicable laws and regulations as they relate to such activities.

(K) Requirements for approval of activities involving classified information.

To ensure that all activities involving classified information are aligned with the mission and values of the institution and to ensure appropriate oversight, assessment, security, and accountability, the following approval process must be adhered to. No activities involving classified information can be undertaken until the following levels of review and approval have all been obtained and the president of the university has expressly approved:

(1) Proposal development review

The initial level of review will involve the FSO and faculty member(s) seeking to engage in activities involving classified information, including the applicable program manager ("investigator"). To obtain approval at this level of review it must be determined that the university has the appropriate facilities and capabilities to undertake the proposed research in compliance with applicable policies, rules, laws and regulations, and that the investigator has or is eligible for a security clearance.

(2) Opportunity review

The second level of review will involve the appropriate local academic leadership (i.e., department head(s) and dean(s)). To obtain approval at this level, it must be determined that the investigator is appropriate, supported, and capable of doing the proposed activity involving classified information.

(3) Administrative review

The third level of review will involve the ACCR. To obtain approval at this level, it must be determined that the proposed classified research is the type of work appropriate for the university and aligned with the university's mission and values; it must also be determined that the appropriate mechanisms are in place to ensure continued alignment with mission and values throughout the course of the project or activity, and also that necessary and comprehensive oversight and management over the project or activity will remain in place to ensure compliance with applicable policies, procedures, laws, and regulations. If the ACCR agrees to support and recommend the classified research request, it may impose conditions on its approval consistent with laws and regulations and university rules and policies governing access to, dissemination of, and storage of classified information. The ACCR is the only entity empowered to make recommendations to senior leadership regarding approval/disapproval of activities involving classified information.

(4) Senior leadership review

If the ACCR approves the project or activity, it will make a recommendation to senior leadership defined here as the president, provost, and vice president for research. Approval by university senior leadership must be granted before any individual with a verified security clearance may engage in activities at, or on behalf of, the university that involves access, dissemination, or storage of classified information. In determining whether to grant approval, senior leadership should consider the following, among other things;

(a) The criteria used at the prior levels of review;
(b) Whether the merits of the proposed research and the potential benefits outweigh the disadvantages and costs of engaging in activities that involve the restriction of information to individuals with appropriate clearances and compliance with appliable security regulations and other laws;
(L) Ongoing oversight of activities involving classified information.
(1) The classified research program and all those engaged in activities involving classified information shall comply with all laws and regulations and university policies and procedures for classified research.
(2) Violations of U.S. law must be reported to the cognizant authority with knowledge of the president and ACCR as required by the cognizant authority. Violations of university policies and procedures shall be reported to the provost and vice president for research immediately upon discovery and within seventy-two hours to the ACCR.
(3) The vice president for research shall annually remind those engaged in activities involving classified information and/or in any way related to the classified research program of the confidential communication system for university employees to report violations of U.S. law and regulation and university policies and procedures involving classified research (e.g., ethicspoint or its successor and others detailed in the insider threat program). There shall be no negative employment outcomes or considerations for reports submitted through this confidential communication system or to university or leadership.
(4) The FSO and ITPSO in collaboration with the ACCR and the applicable program manager(s) shall submit an annual report (unclassified and classified versions) to the president concerning its conduct of classified research at the university. The report shall summarize classified activities conducted in the previous twelve months, identify any matters (positive or negative) of concern, identify existing and/or future needs, discuss regulatory and university compliance, and provide any other comments concerning how to improve university classified activities.

Ohio Admin. Code 3361:10-30-04

Effective: 11/10/2022
Promulgated Under: 111.15
Statutory Authority: 3361.
Rule Amplifies: 3361.