Skip to main content

Graduated Scale of Disciplinary Action for Research Security Violations

Graduated Scale of Disciplinary Action for Research Security Violations

Purpose

As a federal contractor, the University of Dayton is required to follow federal regulations regarding research security.  Such regulations include the Controlled Unclassified Information (CUI) Program and the National Industry Security Program Operating Manual (NISPOM), which establishes requirements, restrictions and other safeguards that are necessary to prevent the unauthorized disclosure of sensitive and classified information. In addition to disciplinary action that may be taken pursuant to other University policies, the NISPOM requires a graduated scale of disciplinary actions in the event of employee security violations or noncompliance. This policy establishes such a graduated scale of disciplinary action in response to security violations in accordance with applicable federal regulations.

Scope

This Graduated Scale of Disciplinary Action for Research Security Violations applies to all University of Dayton (UD) employees who participate in sponsored research activities or who must adhere to security practices because of their physical proximity to secured spaces.

Policy History

I. Effective Date: November 7, 2022

II. Approval:  November 7, 2022

III. History: 

  • Approved in its original form: November 7, 2022

IV. Maintenance of Policy: The University Facility Security Officer (FSO)

Policy

As a federal contractor, the University of Dayton must follow federal regulations regarding research security. Protecting information is important to our sponsors and to national security. The University is committed to following applicable regulations to protect national security and to safeguard customer information related to sponsored research programs. As such, it has developed and implemented security procedures to comply with its obligations.

Employees who violate these procedures are subject to disciplinary action. Disciplinary action may include, but is not limited to the following or a combination thereof:

  • Remedial training;
  • Verbal warning - notification and warning to employee (may or may not be documented in writing);
  • Written reprimand - formal notification in writing to employee; this may take the form of a “last chance” letter to inform the employee that termination will result should another violation occur;
  • Suspension - loss of work and wages for a number of days, as determined by the University. Note that all employees may be subject to an unpaid disciplinary suspension (whether for a full day or a longer increment as determined by the University), regardless of their exempt or non-exempt status. Note that, for non-exempt employees, a suspension may be based on partial-day increments; and
  • Discharge - termination of employment.

A violation could occur in a number of ways, including but not limited to, the examples listed in Appendix A.

A graduated scale of disciplinary action requires a consistent increase in the corrective measures taken against an individual who has violated security procedures on more than one separate occasion. The disciplinary action to be taken for a specific violation will be based on a variety of factors, including, but not limited to, the nature and severity of the violation, nature and severity of previous infractions, frequency of violations, intent (negligent, willful, planned), and any relevant external factors. Multiple violations within a one-year period indicate a pattern of non-compliance with security procedures.

Additional corrective measures may include the following:

  • Removal from a specific research program
  • Suspension of security clearance
  • Termination of security clearance
  • Criminal action

All security incidents will become part of the employee’s security record that is maintained by the University Facility Security Officer (FSO). Depending on the nature of the incident, a formal report may be submitted to the relevant government office for further investigation (such as the Defense Counterintelligence and Security Agency (DCSA), Federal Bureau of Investigation (FBI), etc.).

Appropriate University leadership (including the applicable division or department head or dean, the Executive Director of the University of Dayton Research Institute, the Vice President for Research, the Vice President of Human Resources, and the University’s Senior Management Official as defined by the NISPOM) will be notified of any security violations that result in the loss, compromise, or suspected compromise of classified or sensitive information, or other security incidents that pose a significant threat to the University’s ability to safeguard information.

Reference Documents

  1. National Industrial Security Program Operating Manual (NISPOM), 32 CFR 117.8(e)(3)
  2. 32 CFR Part 2002, Controlled Unclassified Information
  3. NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  4. DoDM 5200.01 Vol. 3, Protection of Classified Information
  5. DoDI 5200.48, Controlled Unclassified Information
  6. University of Dayton Staff Corrective Action
  7. University of Dayton Business Ethics & Integrity Code for Sponsored Research
  8. Security Standard Practices Procedure
  9. Sensitive Information Control Procedure

Appendix A

Research Security Incident Examples

  • Keeping classified material in a desk or unauthorized cabinet, container, or area.
  • Removing classified material from the work area in order to work on it at home.
  • Granting a visitor, contractor, employee or any other person access to classified information without verifying both the individual's clearance level and need-to-know.
  • Discussing Sensitive Information in lobbies, cafeterias, corridors, or any other public area where the discussion might be overheard.
  • Carrying safe combinations or computer passwords (identifiable as such) on one's person, writing them on calendar pads, keeping them in desk drawers, or otherwise failing to protect the security of a safe or computer.
  • Failing to follow appropriate procedures for the destruction of material containing Sensitive Information.
  • Failing to report a security violation.
  • Exhibiting a pattern of routine security violations due to inattention, carelessness, or a cynical attitude toward security.
  • Attempting to gain access to or information about projects or activities for which the person does not have (or no longer has) a need to know
  • Being intoxicated while carrying classified materials or to an extent that it causes one to speak inappropriately about classified matters or to unauthorized persons.
  • Sending Sensitive Information via email to an outside party without encryption.
  • Allowing visitors into a Controlled Area without proper authorization and processing.
  • Disclosing CUI to a non-authorized individual.
  • Violating any IT policies or procedures on a system or network authorized for Sensitive Information.
  • Leaving a Controlled Area unattended and unsecured.
  • Storing electronic Sensitive Information on an unapproved system or network.
  • Taking export controlled material or data to a foreign country without proper export approval.
CONTACT

For questions relating to the University policies of Research, please contact:


Kelli Tittle, Research Compliance & Export Control Administrator
937-229-3515
Email