What is Regulated Research
Understanding regulated research at Clemson
Regulated research is research that involves data, materials, technologies, or activities that are subject to specific laws, regulations, contract clauses, or institutional policies. It requires heightened controls for how information is created, accessed, stored, shared, transmitted, and ultimately archived or destroyed. Researchers are stewards of sensitive data and must understand the risks of non-compliance, including legal, financial, and reputational harm to themselves and to Clemson University.
Common Categories of Regulated Research Data
Controlled Unclassified Information (CUI)
Information the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, which requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. CUI is not classified but still sensitive and must be protected and marked according to the applicable CUI category.
Export Controlled (ITAR/EAR)
Technical data, software, or commodities subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Access by non–U.S. persons or transfer outside the U.S. may be prohibited without a license or documented authorization.
HIPAA-Protected Health Information (PHI)
Individually identifiable health information in any form (electronic, paper, oral) that relates to a person’s health status, provision of healthcare, or payment for healthcare. HIPAA sets strict privacy and security requirements for PHI handling.
Personally Identifiable Information (PII)
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information. Examples include Social Security numbers, driver’s license numbers, financial account data, and certain combinations of names, dates, and addresses.
Publication-Restricted / Sponsor-Limited Data
Data where contracts, NDAs, or sponsor terms restrict dissemination or publication prior to review/approval. Even if not CUI or export controlled, sponsor restrictions may still impose specific security and access requirements.
What Makes Research "Regulated"?
- A law or regulation imposes controls (e.g., 32 CFR Part 2002 for CUI; ITAR/EAR for exports; HIPAA for PHI).
- A contract, grant, or cooperative agreement requires specific protections, markings, reporting, or approvals.
- Institutional policies mandate security controls based on the data classification (e.g., restricted or regulated).
- International access, collaboration, or travel introduces export control risks or data residency concerns.
Quick Do / Don’t Checklist
Do
- Use only Clemson-approved, project-authorized systems for storing and sharing regulated data (e.g., secure enclave/VDI).
- Complete initial and annual research security, CUI, and insider-threat training as assigned.
- Keep your TCP current: update when people, software, devices, media, or data flows change.
- Label and handle data per applicable marking guides (e.g., CUI).
Don’t
- Email regulated data or place it in unapproved cloud services or personal storage.
- Share passwords or use shared accounts; never bypass MFA.
- Give access to anyone not listed in the TCP or without documented need-to-know.
- Take regulated data on personal, unencrypted, or unmanaged devices.
Where Can I Work with Regulated Data at Clemson?
Use Clemson’s Granite Secure Enclave (HPC/VDI) or other systems specifically authorized for your project. Coordinate with the Office of Research Security (ORS) and CCIT to ensure the environment, tools, and workflows are approved in your Technology Control Plan.
Contacts & Reporting at Clemson
- Office of Research Security (ORS): researchsecurity@clemson.edu
- Security Incident Reporting: security@clemson.edu
- IT Support (CCIT): ccit.clemson.edu