Aulendur Labs

Travel Security Policy

Document ID: AUL-POL-13
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD


1. Purpose

This policy defines security requirements for Aulendur Labs personnel traveling domestically and internationally on business. Travel — particularly international travel — increases exposure to physical theft, electronic surveillance, border device searches, and export control risks. As a defense contractor with TS/SCI-cleared personnel and access to CUI, Aulendur shall mitigate these risks through pre-travel preparation, in-transit discipline, and post-travel review. This policy implements NIST SP 800-171 Rev. 3 control 03.04.12 (System and Component Configuration for High-Risk Areas).

2. Scope

This policy applies to:

  • Personnel: All employees, contractors, and advisors traveling on Aulendur business or carrying Aulendur equipment/data while traveling for any purpose.
  • Travel types: Domestic business travel, international business travel, personal travel with Aulendur devices, and conference/trade show attendance.
  • Equipment: All Aulendur-managed devices and any personal devices containing Aulendur data.

3. Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves international travel to high-risk countries. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; conducts pre-travel and post-travel briefings; configures travel devices; approves data carried during travel. |
| Traveling Personnel | Comply with travel security requirements; report security incidents during travel; attend pre/post-travel briefings. |

4. Policy Statements

4.1 Travel Classification

4.1.1 Aulendur classifies travel into the following risk tiers:

| Tier | Description | Examples | Approval Required |
|---|---|---|---|
| Tier 1 — Low Risk | Domestic travel, no CUI carried | Conference attendance, client meetings (domestic) | No special approval |
| Tier 2 — Moderate Risk | Domestic travel with CUI, or international travel to allied/low-risk countries | Customer site visit with CUI data, travel to Canada/UK/Australia/EU | CTO/ISSM approval |
| Tier 3 — High Risk | International travel to countries with known intelligence collection targeting US defense contractors | Travel to China, Russia, Iran, North Korea, or countries on the current ODNI threat list | CEO + CTO/ISSM approval |

4.2 Pre-Travel Requirements

4.2.1 Personnel planning Tier 2 or Tier 3 travel shall notify the CTO/ISSM at least 10 business days before departure.

4.2.2 The CTO/ISSM shall conduct a pre-travel security briefing for Tier 2 and Tier 3 travel covering: (a) data allowed on travel devices, (b) device configuration requirements, (c) threat awareness for the destination, (d) border search procedures and rights, (e) social engineering and elicitation risks, (f) secure communication procedures, and (g) incident reporting while traveling.

4.2.3 Travel device preparation (NIST SP 800-171 R3 03.04.12):

| Requirement | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Full-disk encryption | Required | Required | Required |
| OS and apps fully patched | Required | Required | Required |
| Remove CUI data from device | N/A | Only approved CUI | No CUI on travel device |
| Use loaner/travel-specific device | Optional | Recommended | Required |
| Disable Bluetooth when not in use | Recommended | Required | Required |
| VPN for all network access | On untrusted networks | Always | Always |
| Biometric unlock disabled (border search) | Optional | Recommended | Required — PIN/password only |

4.2.4 For Tier 3 travel, the CTO/ISSM shall provision a clean loaner device with no Aulendur data beyond what is explicitly approved for the trip. The loaner shall be wiped and re-imaged upon return.

4.2.5 No ITAR-controlled data shall be carried on any device during international travel without a valid export license or applicable ITAR exemption per the Export Control Policy (forthcoming).

4.3 In-Transit Security

4.3.1 Personnel shall maintain physical control of Aulendur devices at all times during travel. Devices shall not be left in checked luggage, hotel safes (for Tier 3 travel), unattended vehicles, or conference rooms.

4.3.2 Personnel shall not use hotel business centers, public kiosks, or shared computers to access Aulendur systems.

4.3.3 Personnel shall not connect to unknown USB charging stations (to prevent juice jacking). AC power adapters or portable batteries shall be used instead.

4.3.4 Personnel shall use only Aulendur-managed VPN for accessing Aulendur systems from travel locations. Free VPN services are prohibited.

4.3.5 Personnel shall not discuss CUI, ITAR-controlled information, or Confidential business matters in public areas, hotel lobbies, taxis, rideshares, restaurants, or other locations where conversations may be overheard.

4.3.6 If a border agent requests to inspect or copy an Aulendur device, the traveling individual shall: (a) comply with lawful instructions (do not physically resist), (b) state that the device contains proprietary business information, (c) request that inspection be conducted in their presence, (d) note the names/badge numbers of inspecting agents if possible, and (e) report the incident to the CTO/ISSM within 1 hour. A device inspected by foreign border agents during Tier 3 travel shall be treated as potentially compromised.

4.4 Post-Travel Requirements

4.4.1 Personnel returning from Tier 2 or Tier 3 travel shall attend a post-travel debrief with the CTO/ISSM within 5 business days of return.

4.4.2 The post-travel debrief shall cover: (a) any security incidents or suspicious contacts, (b) whether devices were out of the traveler's control at any point, (c) whether border agents inspected or seized any devices, and (d) any elicitation attempts or unusual contacts.

4.4.3 Devices used during Tier 3 travel shall be surrendered to the CTO/ISSM for inspection and re-imaging before reconnecting to Aulendur networks. Devices inspected by foreign border agents shall be wiped and re-imaged regardless of travel tier.

4.4.4 Personnel with active security clearances shall comply with all post-travel reporting requirements under SEAD 3 and their cognizant security authority.

4.5 Conference and Trade Show Security

4.5.1 Personnel attending conferences or trade shows shall: (a) not connect to conference-provided Wi-Fi without VPN, (b) not leave devices unattended at booths or sessions, (c) not insert USB devices received at conferences into Aulendur equipment, and (d) not share Confidential or CUI information in presentations or conversations without CTO/ISSM approval and public release review per the Information Classification & Handling Policy.

5. Standards & Procedures Referenced

The following companion documents implement this policy:

6. Compliance & Enforcement

Violations of this policy may result in disciplinary action up to and including termination. Carrying ITAR-controlled data internationally without proper authorization may constitute a criminal violation of 22 USC 2778. Failure to report border device inspection or suspicious contacts is a policy violation. Suspected violations shall be reported to the CTO/ISSM.

7. Exceptions

Exceptions to this policy require written approval per the Policy Exception & Waiver Policy. No exceptions may be granted that would result in unauthorized export of ITAR-controlled data.

8. Definitions

| Term | Definition |
|---|---|
| High-Risk Country | A country identified by ODNI, DoD, or the intelligence community as posing elevated counterintelligence or espionage risks to US defense contractors. |
| Loaner Device | A clean, minimally configured device provisioned for travel that contains no persistent Aulendur data beyond what is explicitly approved. |
| Border Search | Inspection of electronic devices by customs or border agents, which in many jurisdictions may be conducted without a warrant. |
| Elicitation | A technique used to subtly extract information through casual conversation. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| SEAD 3 | Security Executive Agent Directive 3, establishing reporting requirements for cleared personnel. |

9. References

  • NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
  • ITAR (22 CFR 120-130), International Traffic in Arms Regulations
  • SEAD 3, Reporting Requirements for Personnel with Access to Classified Information
  • CISA, Cybersecurity Tips for Travelers

10. Control Mappings

| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.04.12 | System and Component Configuration for High-Risk Areas | Full |
| CMMC 2.0 L2 | CM.L2-3.4.9 | Travel Configuration | Full |
| NIST SP 800-53 R5 | CM-7(9) | Least Functionality — Use of High-Risk Components | Full |
| NIST SP 800-53 R5 | PE-17 | Alternate Work Site | Supports |

11. Revision History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |

© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.