<div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">CITL, </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">This email is to remind you of the campus NDAA 889
Compliance Plan and the upcoming change to networking services, now taking place
on <b>June 30, 2022</b>. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Background</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">UC Riverside is legally required to adhere to <a href="https://its.ucr.edu/cybersecurity/ndaa" style="color:rgb(5,99,193)">Section 889 of the 2019 National
Defense Authorization Act (NDAA 889)</a>, which prohibits the use of equipment made
by a <a href="https://smartpay.gsa.gov/ndaa-section-889" style="color:rgb(5,99,193)">limited set of
manufacturers</a>. In compliance with this Federal requirement and resulting <a href="https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765" style="color:rgb(5,99,193)">UCOP
guidance</a>, the Chief Compliance Office (CCO) and Information Technology
Solutions (ITS) have partnered to develop a <a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" style="color:rgb(5,99,193)">compliance plan</a> for
campus.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>What is changing?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">The compliance plan includes a change to networking
services, taking place June 30, 2022. This change will affect anyone attempting
to make a wired connection to the UCR-secure network using a non-compliant
device, as the connection will be denied. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Please <a href="https://its.ucr.edu/blog/ndaa" style="color:rgb(5,99,193)">refer to this
article</a> for more information about the changes taking place.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>How does this affect CITL?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Please note that the original publication of the NDAA 889
Compliance Plan included specific scanning requirements for campus units that
monitor their own network. This guidance has since been revised. Unit IT
Directors and Unit Information Security Leads should ensure that their networks
have received reasonable inquiries and work with ITS to identify suspect
devices and remove network access, as necessary. Similarly, all campus units
are prohibited from purchasing or contracting for non-compliant equipment or
services. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">It is important to note that the prohibition of these
devices applies to <i>all</i> University
business and research activity, regardless of the funding source. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Where can I find
additional resources?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">For more information about NDAA 889, please refer to these
campus resources: </p>
<ul style="margin-top:0in;margin-bottom:0in" type="disc">
<li class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://its.ucr.edu/sites/g/files/rcwecm321/files/2022-02/NDAA%20889%20Compliance%20Plan%2001-22.pdf" title="NDAA 889 Plan for UC Riverside" style="color:rgb(5,99,193)">Compliance Plan for Implementation
of Section 889 of the National Defense Authorization Act (NDAA) for Fiscal
Year 2019</a> </li>
<li class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://its.ucr.edu/cybersecurity/ndaa" title="NDAA 889 - UCR" style="color:rgb(5,99,193)">Information
about NDAA 889, including a list of prohibited manufacturers</a> </li>
</ul>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Thank you for your attention to this matter, </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Kiersten Boyce<br>
Associate Vice Chancellor and Chief Compliance Officer<br>
Chief Compliance Office</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Dewight Kramer <br>
Chief Information Security Officer <br>
Information Technology Solutions </p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 29, 2022 at 12:50 PM UCR Information Technology Solutions <<a href="mailto:its@ucr.edu">its@ucr.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">CITL Members, </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">This email is to inform you of a new campus compliance plan
and an upcoming change to networking services taking place on May 2, 2022. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Background</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">UC Riverside is legally required to adhere to <a href="https://its.ucr.edu/cybersecurity/ndaa" style="color:rgb(5,99,193)" target="_blank">Section 889 of the 2019 National
Defense Authorization Act (NDAA 889)</a>, which prohibits the use of equipment made
by a <a href="https://smartpay.gsa.gov/ndaa-section-889" style="color:rgb(5,99,193)" target="_blank">limited set of
manufacturers</a>. In compliance with this Federal requirement and resulting <a href="https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765" style="color:rgb(5,99,193)" target="_blank">UCOP
guidance</a>, the Chief Compliance Office (CCO) and Information Technology
Solutions (ITS) have partnered to develop a <a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" style="color:rgb(5,99,193)" target="_blank">compliance plan</a> for
campus.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>What is changing?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">The compliance plan includes a change to networking
services, taking place May 2, 2022. This change will affect anyone attempting
to make a wired connection to the UCR-secure network using a non-compliant
device, as the connection will be denied. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">The <a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" style="color:rgb(5,99,193)" target="_blank">compliance
plan</a> also outlines the roles and responsibilities of all campus units that
manage any aspect of the network and/or procure equipment and services. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Please <a href="https://its.ucr.edu/blog/ndaa" style="color:rgb(5,99,193)" target="_blank">refer to this
article</a> for more information about the changes taking place.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>How does this affect CITL?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Campus units that manage any aspect of the network are
required to adhere to the <a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" style="color:rgb(5,99,193)" target="_blank">campus compliance plan</a>,
which includes network scanning procedures to detect non-compliant devices and
remediation steps. Similarly, all campus units are prohibited from purchasing
or contracting for non-compliant equipment or services. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">It is important to note that the prohibition of these
devices applies to <i>all</i> University
business and research activity, regardless of the funding source. </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Where can I find
additional resources?</b></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">For more information about NDAA 889, please refer to these
campus resources: </p>
<ul style="margin-top:0in;margin-bottom:0in" type="disc">
<li class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" title="NDAA 889 Plan for UC Riverside" style="color:rgb(5,99,193)" target="_blank">Compliance Plan for Implementation
of Section 889 of the National Defense Authorization Act (NDAA) for Fiscal
Year 2019</a> </li>
<li class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://its.ucr.edu/cybersecurity/ndaa" title="NDAA 889 - UCR" style="color:rgb(5,99,193)" target="_blank">Information
about NDAA 889, including a list of prohibited manufacturers</a> </li>
<li class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><a href="https://its.ucr.edu/cybersecurity/ndaa/guidance" title="NDAA 889 Guidance for Campus Units" style="color:rgb(5,99,193)" target="_blank">NDAA 889 guidance for campus
units</a> </li>
</ul>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Thank you for your attention to this matter, </p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Kiersten Boyce<br>
Associate Vice Chancellor and Chief Compliance Officer<br>
Chief Compliance Office</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Dewight Kramer <br>
Chief Information Security Officer <br>
Information Technology Solutions </p></div>
</blockquote></div>