1. Travelers must obtain budgetary, programmatic and risk (see Sections 1.09, 1.10, 1.11) approval prior to departure and in accordance with the timeframes set by their respective campus.
   1. Campuses may grant an exception to compliance with their respective timeframes.
2. Campuses have the discretion to grant blanket approvals to Travelers for domestic University Travel.

1. Registration of University Travel not only makes it possible to deliver destination-specific travel advice, but also assists the University in identifying and supporting Travelers potentially impacted by itinerary-specific threats and/or compliance requirements and in providing, as appropriate, assistance in response to events that might present health, safety and security risks to Travelers.
2. Travelers must register all in-state (Massachusetts) overnight and out-of-state (outside of Massachusetts) domestic Travel and international Travel in the University Travel Registry prior to departure and in accordance with the timeframes set by their respective campus.
   1. Each instance of Domestic overnight University Travel approved through a blanket approval is required to be registered.
3. Travelers must update the University Travel Registry with any changes in Travel itinerary such as travel dates, destinations and on-site contact information as soon as the information becomes available.
   1. Changes to Travel may be subject to review and approval.
   2. Changes to Travel are subject to University Device and Data restrictions (see Section 1.10).

1. Travel expenses are governed by the Business and Travel Expense Policy (T92-031, Appendix C) and associated Standards.
2. Travelers must abide by the Business and Travel Expense Policy and associated Standards for allowability of travel expenses and reimbursement of travel expenses.
    

1. Travelers must abide by the Business and Travel Expense Policy and associated Standards for allowability of travel expenses and reimbursement of travel expenses:
   1. The risk associated with the Travel, despite mitigation measures, poses an unacceptable risk to health, safety, or well-being of the Traveler or
   2. The risk associated with the Travel, despite mitigation measures, poses an unacceptable liability risk to the University.
2. Restrictions may include delay, abbreviation or indefinite postponement of Travel to a given location.
3. Such restrictions can be implemented prior to, or during, Travel.
4. Such restrictions may include prohibiting the Traveler from traveling with University Devices and/or University Data or accessing University Data during Travel.  See Section 1.10.

1. In accordance with M.G.L. c. 75, § 32, the University has the authority to require a Traveler to leave or evacuate a given location in the event of a voluntary or mandatory evacuation order by the U.S. Government or when, in its sole judgement and discretion, the University determines continued presence in that location may seriously endanger health, safety or well-being of University Travelers or others.

1. Travelers must comply with all local, state, federal and national laws and regulations, even if such laws are more restrictive than those applicable in their home jurisdiction.
2. Travelers must comply with the U.S. Foreign Corrupt Practices Act (“FCPA”) and 18 USC Section 201, which prohibit bribery of and by foreign officials.
3. Travelers must comply with all export control requirements for all University Travel to International Destinations.
4. Travelers must adhere to the Massachusetts conflict-of-interest law (MGL Chapter 268A) and related University conflict-of-interest policies while conducting University Travel.
5. University Travelers are responsible for tax compliance associated with international Travel (Value-Added Taxes (VAT)).
   1. Campuses should consider consulting with the University customs broker (Highland Forwarding) for those unique, bespoke or high-value items that may trigger tax compliance and to advise on the applicability of necessary documentation.
6. It is the responsibility of the Traveler to be or become familiar with and maintain compliance with said laws, regulations and requirements.
7. University Travelers are responsible for determining and complying with all visa and entry requirements associated with Travel to International Destination(s), noting that visa requirements vary depending on the Traveler’s citizenship and planned activities. Travelers can contact the University’s travel management company or international travel emergency services provider for personalized guidance.

1. Personal Travel is travel that is not University Travel.
2. Personal Side Trips are Personal Travel made by a University Traveler while on University Travel. Personal Side Trips include travel adjacent to and during University Travel.
   1. Examples of Personal Side Trips:
      • A Traveler is on approved University Travel to Germany from June 14 through June 24. The Traveler arranges and goes on Personal Travel to another destination from June 2-14.
      • A Traveler is on approved University Travel to Germany from June 14 through June 24. The Traveler arranges and goes on Personal Travel to another destination for a weekend during this timeframe.
      • A Traveler is participating in a Study Abroad Program in Germany and makes a weekend trip to another destination.
   2. Personal Side Trips are generally covered by University travel accident and sickness insurance provided the Personal Side Trip meets the coverage conditions (i.e., within the duration limit specified in the insurance policy – generally 7 days or less).  Additional information can be obtained through the UMass Treasurer’s Office.
   3. If a Personal Side Trip involves travel to a High-Risk Destination, the Campus may require the Traveler to complete a release of liability.
3. Personal Travel and Personal Side Trips are subject to Section G of the Policy (Travel with University Devices and/or Data) and Section 1.10 of these Standards.

1. Travel Risk Management Advisory Committee (TARMAC).
   1. The University shall establish a systemwide Travel and Risk Management Advisory Committee (TARMAC).
      1. TARMAC Responsibilities and Authorities.
         1. TARMAC has authority to designate High-Risk Destinations and set criteria used in designating High-Risk Destinations.
         2. High-Risk Destinations designated by TARMAC and/or High-Risk Designations meeting the criteria set by TARMAC shall have systemwide applicability.
         3. Each Campus/UMPO has the authority to designate additional High-Risk Destinations for applicability to their respective Campus/UMPO.
            1. Campuses may delegate this responsibility to the Campus Travel Risk Review Committee.
         4. Each Campus/UMPO has the authority to allow Travel to a High-Risk Destination when the campus Travel Risk Approver has approved such Travel. See Section 1.08(d).
         5. TARMAC does not have the authority to approve or deny requests for Travel to a High-Risk Destination; the authority to approve or deny requests to High-Risk Travel Destinations resides with the respective campus/UMPO Travel Risk Approver of Traveler.
         6. TARMAC may share travel risk information and resources among members.
      2. TARMAC Membership
         1. TARMAC membership at a minimum must include representatives from each of the following:
            1. Amherst Campus (2)
            2. Boston Campus (2)
            3. Dartmouth Campus (2)
            4. Lowell Campus (2)
            5. Chan Medical School Campus (2)
            6. UMPO - President’s Office Operations (1)
            7. UMPO - Office of the General Counsel (2)
            8. UMPO - Enterprise Risk Management (1)
            9. UITS Information Security (1)
            10. Campus CISO (1)
         2. Only members of Campus/UMPO Risk Review Committees can serve as their respective TARMAC Campus/UMPO representative.
         3. TARMAC membership shall designate a Chairperson.
         4. TARMAC shall designate a TARMAC member to be responsible for ensuring High Risk Destinations and associated criteria are made available to University Travelers.
         5. TARMAC shall meet quarterly.
            1. TARMAC may set an alternate schedule with agreement of a majority of the membership.
            2. As needed, TARMAC may request through the TARMAC Chairperson and at the TARMAC Chairperson’s discretion that TARMAC convene.
            3. The TARMAC Chairperson can add destinations to the High-Risk Destination list if such destinations objectively meet the criteria set forth by the TARMAC.
2. Designation of High-Risk Destinations.
   1. TARMAC shall set criteria for designation of High-Risk Destinations.
      1. Criteria shall be made available to University Travelers.
   2. TARMAC, in consultation with UITS and Campus Chief Information Security Officers, shall set criteria for designation of Elevated Cyber Security Risk Destinations.
      1. Criteria shall be made available to University Travelers.
   3. Using designated criteria, TARMAC shall designate High-Risk Destinations and Elevated Cyber Security Risk Destinations.
      1. Information on such Destinations shall be made available to University Travelers.
3. Campus Travel Risk Review Committee.
   1. Each Campus/UMPO shall designate a Campus Travel Risk Review Committee for the respective Campus/UMPO.
   2. Responsibilities and Authorities.
      1. Campus Travel Risk Review Committee is responsible for reviewing requests by prospective Traveler(s) from the respective Campus/UMPO for University Travel to or through High-Risk Destinations.
      2. Campus Travel Risk Review Committee is authorized to make recommendations to the Travel Risk Approver on the approval, denial or modifications to the requested Travel.
   3. Committee Membership.
      1. Each Campus/UMPO has the authority to designate the membership of their respective Campus Travel Risk Review Committee.
         1. Each Campus Travel Risk Review Committee should include at least three members.
            1. Each Campus/UMPO should ensure the membership of their respective Campus Travel Risk Review Committee includes individuals/disciplines that can address the risks specific to the respective Campus/UMPO.
         2. Each Campus/UMPO Travel Risk Review Committee may consult with additional subject matter experts from their respective Campus or with the TARMAC as the Campus deems appropriate.
4. Campus Travel Risk Approver.
   1. Each Campus/UMPO shall designate a Travel Risk Approver to approve or deny Travel to High-Risk Destinations by their respective Campus/UMPO Travelers.
      1. A Campus/UMPO may delegate the role of the Travel Risk Approver to their respective Campus Travel Risk Review Committee.
   2. Role and Authorities of Travel Risk Approver.
      1. The Travel Risk Approver is authorized to approve, deny or require modifications to Travel to High-Risk Destinations.
      2. Travel Risk Approver should evaluate the recommendations of the Campus Travel Risk Review Committee prior to making a decision.
         1. In cases where an expedited decision is required because of extenuating circumstances which exclude convenience, the Travel Risk Approver may decide without first consulting the Travel Risk Review Committee.

(proposed content for discussion)

1. Each Campus/UMPO must develop and implement a pre-departure High-Risk Travel Destination Request Review Protocol for identifying and reviewing all anticipated University Travel to or through High-Risk Destinations for the respective Campus/UMPO.
   1. Protocol should be written and publicly available for the University Travelers.
   2. Protocol should include Export Control review for Travel to International Destinations (See Section 1.11).
   3. Protocol should require the Campus Travel Risk Review Committee to review all requests from their respective Campus Travelers to High-Risk Destinations.
      1. Although TARMAC can serve as a resource for a Campus Travel Risk Review Committee, TARMAC does not play a role in the Campus Travel Risk Review Protocol.
   4. Campus Travel Risk Review Committee makes recommendation to Travel Risk Approver about approving, denying or conditionally approving Travel to High-Risk Destination.
      1. In limited circumstances, Travel Risk Approver may be required to approve, deny or conditionally approve Travel to High-Risk Destination without prior review by the Campus Travel Risk Review Committee.
   5. Travel Risk Approver approves, denies or conditionally approves Travel.
      1. Approval of Travel to High-Risk Destination.
         1. University Traveler approved to travel to a High-Risk Destination must comply with all pre-departure requirements prior to departure, including but not limited to the following:
            1. Registration of Travel in University Travel Registry, including travel itinerary.
            2. Export Control (see Section 1.11).
            3. University Device and Data requirements (see Section 1.10).
            4. Enrollment with the U.S. Department of State Smart Traveler Enrollment Program (STEP) or the equivalent citizen service of the University Traveler’s country of citizenship.
            5. Registration with the University’s travel accident and sickness insurance emergency services provider, including travel itinerary.
            6. Becoming familiar with travel-related policies and guidelines.
            7. Completing and acknowledging completion of a safety, cybersecurity and security training or briefing as required by the Campus.
               1. Briefings are provided by the Traveler’s respective Campus and may be in-person and/or through distributed materials.
         2. University Traveler approved to travel to a High-Risk Destination may also need to take the following pre-departure activities, including but not limited to the following:
            1. Enrollment with the U.S. Department of State Smart Traveler Enrollment Program (STEP) or the equivalent citizen service of the University Traveler’s country of citizenship.
            2. Registration with the University’s travel accident and sickness insurance emergency services provider, including travel itinerary.
      2. Denial of Travel to High-Risk Destination.
         1. When Travel to a High-Risk Destination is denied:
            1. Said Travel is Unauthorized Travel.
            2. Said Travel is not University Travel.
            3. Said Travel shall not be supported with University funds.
         2. Denied Travel is Unauthorized Travel.
            1. If a Traveler travels to a High-Risk Destination when the Travel has been denied, the Traveler travels:
               1. As Personal Travel
               2. In their personal capacity
               3. At Traveler’s own personal expense
               4. Without University support
                  1. The University has no obligation(s) or liability in connection with Unauthorized Travel.
                  2. Unauthorized Travel may not be eligible for support through the University emergency travel assistance program or University insurance coverage.
      3. Conditional Approval of Travel to High-Risk Destination.
         1. Travel to a High-Risk Destination may be conditionally approved pending actions by the Traveler and/or modifications to Travel.
            1. All conditional approval requirements shall be in writing and acknowledged by Traveler.
            2. Prior to departure, and within the timeframe required by the Campus, Traveler shall demonstrate in accordance with Campus processes that all conditions of travel have been met.
               1. Should conditional approval requirements not be met by the Traveler in accordance with the Campus processes and within the timeframe required by the Campus, such Travel shall be deemed denied and subject to section 1.09(a)(v)(2)(b) above.

1. University Travelers traveling with University Devices or accessing University Data remotely shall not create data security or other confidentiality risks that cannot be effectively mitigated.
2. Travelers traveling with University Device(s) and/or University Data on University Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination must comply with cybersecurity, connectivity, telecommunication requirements as set forth by the Traveler’s respective Campus as well as any pertinent state, federal or international requirement, regulation or law.
   1. Each Campus shall establish these requirements for their respective Campus and respective Travelers.
   2. University Travelers traveling to a High-Risk Destination or Elevated Cybersecurity Risk Destination are responsible for securing permission from their respective Campus IT department or designated IT point of contact to bring or access University Devices or Data prior to traveling to these Destinations.
      1. The Campus IT department or designated IT point of contact is authorized to determine the measures required to be taken to effectively mitigate the cybersecurity risk. These measures must be implemented by the Traveler or IT Department to be allowed to bring and/or access University Devices or University Data while traveling to these Destinations.
         1. If the Campus IT department or designated IT point of contact determines the cybersecurity risks cannot be effectively mitigated, University Travelers shall not be allowed to bring University Devices or Data on Travel or access University Data during Travel.
      2. If a Traveler stores or accesses University Data on or from a personal device (which is strongly discouraged), said personal device is subject to the Campus IT department’s requirements and mitigation measures while the Traveler is on University Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination.  If mitigation measures are not feasible, or the Traveler chooses not to apply mitigation measures to the personal device, said Data or access to Data must be removed from the personal device. 
   3. Personal Travel:
      1. Individuals who intend to bring or access University Devices or Data on Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination must comply with cybersecurity, connectivity, telecommunication requirements as set forth by the Traveler’s respective Campus for University Devices and Data.
         1. Such individuals are responsible for securing permission from their respective Campus IT department or designated IT point of contact to bring or access University Devices or Data prior to commencing Personal Travel.
            1. The Campus IT department or IT point of contact is authorized to determine the requirements and measures that must be taken to mitigate the cybersecurity risk to University Devices or University Data. These measures must be implemented by the individual or Campus IT Department to be allowed to bring or access University Devices or University Data while on said Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination.
      2. If the Campus IT department or designated IT point of contact determines that that the cybersecurity risks to University Devices or Data cannot be mitigated, University Travelers are not allowed to bring and/or access University Devices or University Data while on said Personal Travel to these Destinations.
         1. If individuals who intend to access University Data on or from a personal device (which is strongly discouraged) while conducting Personal Travel to a High-Risk Destination or Elevated Cybersecurity Risk Destination, said personal device is subject to the individual’s respective Campus IT department’s requirements and mitigation measures. If mitigation measures are not feasible, or the individual chooses not to apply mitigation measures to the personal device, said Data or access to Data must be removed from the personal device.

1. When traveling internationally, University Travelers are “exporters” of any tangible items and technical information they take with them and/or share abroad.
2. Therefore, University Travelers traveling to an International Destination(s) must comply with all export control and sanctions laws, regulations and requirements including, but not limited to, proper handling, transfer, access, storage, control, and release of export-controlled commodities, hardware, software, information, technology, and technical data.
3. Export Control review is required for all University Travel to or through International Destinations, High Risk Destinations and Elevated Cyber Security Risk Destinations. Export Control approval is required for travel to High-Risk Destinations and Elevated Cyber Security Risk Destinations.
4. Campus Export Control Review and Approval Processes.
   1. Campuses / UMPO shall implement export control review and approval processes for all international University Travel conducted by their respective University Traveler(s).
   2. Campus Export Control Review Process will determine, document and communicate applicable licensing or documentation requirements related to:
      1. Office of Foreign Assets Control (OFAC) regulations (for travel to a sanctioned destination).
      2. Department of Commerce Export Administration Regulations (EAR).
      3. Department of State International Traffic in Arms Regulations (ITAR).
   3. At a minimum, international University Travelers must disclose the following information to campus export control offices for review and consideration.  This disclosure may be accomplished through the process for obtaining pre-travel authorization for Travel. 
      1. Purpose and details of Travel.
      2. Travel itinerary including dates, locations and modes of travel.
      3. University Traveler details (citizenship / passport / employment / student)).
      4. List of any University equipment and materials the Traveler will bring on Travel, such as data, technology, software, specimens, and samples.
   4. Campuses may require additional information disclosure(s) depending on the purpose, destination and scope of the trip, such as the individuals and entities with whom the Traveler will interact.
   5. Campuses/UMPO will establish required timeframes for their respective Travelers’ submission of information for export control review and compliance.
      1. Campus export control review will be conducted prior to the Traveler’s departure, and, for Travel to High-Risk Destinations or Elevated Cyber Security Destinations, prior to a Campus Travel Risk Approver approving or denying Travel.
      2. Campus export control approval, if required, must be obtained by the Traveler prior to departure.
5. Export Control Review and Approval Process may be embedded in the Campus Travel Risk Review Protocol (see Section 1.09).Export Control requirements apply to University Devices and/or Data that are brought on Personal Travel to International Destinations, High-Risk Destinations and Elevated Cyber Security Risk Destinations.
6. Campuses will provide international University Travelers educational and awareness training or resources on export control and sanctions as needed to maintain compliance with regulations. Training and resources may include, but not necessarily be limited to:
   1. Export controls and sanctions programs awareness.
   2. Information on “Tools of the Trade” (TMP) and “Baggage” (BAG) license exceptions.
   3. Timeframes and expectations for obtaining applicable export license(s).
   4. Restricted-Party Screening of Individuals and Entities with whom University Travelers will be meeting, communicating and collaborating while abroad.
   5. Cybersecurity requirements.
7. University Travelers are responsible for making determinations about applicability “Tools of the Trade” (TMP) and “Baggage” (BAG) license exceptions but may request assistance from Campus export control personnel with these determinations.

1. Insurance: The University maintains international travel accident and sickness insurance.
   1. The insurance policy is maintained by UMass Treasurer’s Office.
   2. The insurance policy provides coverage to University Travelers while on approved University Travel to ensure Traveler access to medical support and services to support safety while on international University Travel.
2. Emergency Travel Assistance: The University maintains an emergency travel assistance program, typically associated with the University international travel accident and sickness insurance, to facilitate access to services in support of the health and safety of University Travelers while on University Travel. This program coordinates access to medical care and evacuation support to University Travelers when needed.
   1. University Travelers conducting University Travel to an International Destination may avail themselves of the resources provided by the emergency services provider, such as: obtaining pretravel assistance, downloading their mobile app and enabling location services to receive local alerts, and enabling one-touch emergency calls to the provider.
3. Travelers planning Travel to an International Destination are responsible for reviewing information on the University’s emergency travel assistance and international travel accident and sickness insurance program prior to departure.
   1. Information can be obtained through the Traveler’s Campus global program office or similar, or from the UMass Treasurer’s Office.
4. Travelers are responsible for providing information to the UMass Treasurer’s Office when a claim is or is anticipated to be filed.