[CITL] Notice of Federally Prohibited Devices and Campus Compliance Plan
UCR Information Technology Solutions
its at ucr.edu
Fri Jun 17 08:17:22 PDT 2022
CITL,

This email is to remind you of the campus NDAA 889 Compliance Plan and the
upcoming change to networking services, now taking place on *June 30, 2022*.

*Background*

UC Riverside is legally required to adhere to Section 889 of the 2019
National Defense Authorization Act (NDAA 889)
<https://its.ucr.edu/cybersecurity/ndaa>, which prohibits the use of
equipment made by a limited set of manufacturers
<https://smartpay.gsa.gov/ndaa-section-889>. In compliance with this
Federal requirement and resulting UCOP guidance
<https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765>,
the Chief Compliance Office (CCO) and Information Technology Solutions
(ITS) have partnered to develop a compliance plan
<https://its.ucr.edu/cybersecurity/ndaa/guidance> for campus.

*What is changing?*

The compliance plan includes a change to networking services, taking place
June 30, 2022. This change will affect anyone attempting to make a wired
connection to the UCR-secure network using a non-compliant device, as the
connection will be denied.

Please refer to this article <https://its.ucr.edu/blog/ndaa> for more
information about the changes taking place.

*How does this affect CITL?*

Please note that the original publication of the NDAA 889 Compliance Plan
included specific scanning requirements for campus units that monitor their
own network. This guidance has since been revised. Unit IT Directors and
Unit Information Security Leads should ensure that their networks have
received reasonable inquiries and work with ITS to identify suspect devices
and remove network access, as necessary. Similarly, all campus units are
prohibited from purchasing or contracting for non-compliant equipment or
services.

It is important to note that the prohibition of these devices applies to
*all* University business and research activity, regardless of the funding
source.

*Where can I find additional resources?*

For more information about NDAA 889, please refer to these campus
resources:

- Compliance Plan for Implementation of Section 889 of the National
Defense Authorization Act (NDAA) for Fiscal Year 2019
<https://its.ucr.edu/sites/g/files/rcwecm321/files/2022-02/NDAA%20889%20Compliance%20Plan%2001-22.pdf>
- Information about NDAA 889, including a list of prohibited
manufacturers <https://its.ucr.edu/cybersecurity/ndaa>

Thank you for your attention to this matter,

Kiersten Boyce
Associate Vice Chancellor and Chief Compliance Officer
Chief Compliance Office

Dewight Kramer
Chief Information Security Officer
Information Technology Solutions

On Tue, Mar 29, 2022 at 12:50 PM UCR Information Technology Solutions <
its at ucr.edu> wrote:
> CITL Members,
>
> This email is to inform you of a new campus compliance plan and an
> upcoming change to networking services taking place on May 2, 2022.
>
> *Background*
>
> UC Riverside is legally required to adhere to Section 889 of the 2019
> National Defense Authorization Act (NDAA 889)
> <https://its.ucr.edu/cybersecurity/ndaa>, which prohibits the use of
> equipment made by a limited set of manufacturers
> <https://smartpay.gsa.gov/ndaa-section-889>. In compliance with this
> Federal requirement and resulting UCOP guidance
> <https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765>,
> the Chief Compliance Office (CCO) and Information Technology Solutions
> (ITS) have partnered to develop a compliance plan
> <https://its.ucr.edu/cybersecurity/ndaa/guidance> for campus.
>
> *What is changing?*
>
> The compliance plan includes a change to networking services, taking place
> May 2, 2022. This change will affect anyone attempting to make a wired
> connection to the UCR-secure network using a non-compliant device, as the
> connection will be denied.
>
> The compliance plan <https://its.ucr.edu/cybersecurity/ndaa/guidance>
> also outlines the roles and responsibilities of all campus units that
> manage any aspect of the network and/or procure equipment and services.
>
> Please refer to this article <https://its.ucr.edu/blog/ndaa> for more
> information about the changes taking place.
>
> *How does this affect CITL?*
>
> Campus units that manage any aspect of the network are required to adhere
> to the campus compliance plan
> <https://its.ucr.edu/cybersecurity/ndaa/guidance>, which includes network
> scanning procedures to detect non-compliant devices and remediation steps.
> Similarly, all campus units are prohibited from purchasing or contracting
> for non-compliant equipment or services.
>
> It is important to note that the prohibition of these devices applies to
> *all* University business and research activity, regardless of the
> funding source.
>
> *Where can I find additional resources?*
>
> For more information about NDAA 889, please refer to these campus
> resources:
>
> - Compliance Plan for Implementation of Section 889 of the National
> Defense Authorization Act (NDAA) for Fiscal Year 2019
> <https://its.ucr.edu/cybersecurity/ndaa/guidance>
> - Information about NDAA 889, including a list of prohibited
> manufacturers <https://its.ucr.edu/cybersecurity/ndaa>
> - NDAA 889 guidance for campus units
> <https://its.ucr.edu/cybersecurity/ndaa/guidance>
>
> Thank you for your attention to this matter,
>
> Kiersten Boyce
> Associate Vice Chancellor and Chief Compliance Officer
> Chief Compliance Office
>
> Dewight Kramer
> Chief Information Security Officer
> Information Technology Solutions
>