[CITL] Notice of Federally Prohibited Devices and Campus Compliance Plan
UCR Information Technology Solutions
its at ucr.edu
Tue Mar 29 12:50:00 PDT 2022
CITL Members,
This email is to inform you of a new campus compliance plan and an upcoming
change to networking services taking place on May 2, 2022.
*Background*
UC Riverside is legally required to adhere to Section 889 of the 2019
National Defense Authorization Act (NDAA 889)
<https://its.ucr.edu/cybersecurity/ndaa>, which prohibits the use of
equipment made by a limited set of manufacturers
<https://smartpay.gsa.gov/ndaa-section-889>. In compliance with this
Federal requirement and resulting UCOP guidance
<https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765>,
the Chief Compliance Office (CCO) and Information Technology Solutions
(ITS) have partnered to develop a compliance plan
<https://its.ucr.edu/cybersecurity/ndaa/guidance> for campus.
*What is changing?*
The compliance plan includes a change to networking services, taking place
May 2, 2022. This change will affect anyone attempting to make a wired
connection to the UCR-secure network using a non-compliant device, as the
connection will be denied.
The compliance plan <https://its.ucr.edu/cybersecurity/ndaa/guidance> also
outlines the roles and responsibilities of all campus units that manage any
aspect of the network and/or procure equipment and services.
Please refer to this article <https://its.ucr.edu/blog/ndaa> for more
information about the changes taking place.
*How does this affect CITL?*
Campus units that manage any aspect of the network are required to adhere
to the campus compliance plan
<https://its.ucr.edu/cybersecurity/ndaa/guidance>, which includes network
scanning procedures to detect non-compliant devices and remediation steps.
Similarly, all campus units are prohibited from purchasing or contracting
for non-compliant equipment or services.
It is important to note that the prohibition of these devices applies to
*all* University business and research activity, regardless of the funding
source.
*Where can I find additional resources?*
For more information about NDAA 889, please refer to these campus
resources:
- Compliance Plan for Implementation of Section 889 of the National
Defense Authorization Act (NDAA) for Fiscal Year 2019
<https://its.ucr.edu/cybersecurity/ndaa/guidance>
- Information about NDAA 889, including a list of prohibited
manufacturers <https://its.ucr.edu/cybersecurity/ndaa>
- NDAA 889 guidance for campus units
<https://its.ucr.edu/cybersecurity/ndaa/guidance>
Thank you for your attention to this matter,
Kiersten Boyce
Associate Vice Chancellor and Chief Compliance Officer
Chief Compliance Office
Dewight Kramer
Chief Information Security Officer
Information Technology Solutions