[RITL] Notice of Federally Prohibited Devices and Campus Compliance Plan

UCR Information Technology Solutions its at ucr.edu
Fri Jun 17 08:18:22 PDT 2022 

RITL,

This email is to remind you of the campus NDAA 889 Compliance Plan and the
upcoming change to networking services, now taking place on *June 30, 2022*.


*Background*

UC Riverside is legally required to adhere to Section 889 of the 2019
National Defense Authorization Act (NDAA 889)
<https://its.ucr.edu/cybersecurity/ndaa>, which prohibits the use of
equipment made by a limited set of manufacturers
<https://smartpay.gsa.gov/ndaa-section-889>. In compliance with this
Federal requirement and resulting UCOP guidance
<https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765>,
the Chief Compliance Office (CCO) and Information Technology Solutions
(ITS) have partnered to develop a compliance plan
<https://its.ucr.edu/cybersecurity/ndaa/guidance> for campus.

*What is changing?*

The compliance plan includes a change to networking services, taking place
June 30, 2022. This change will affect anyone attempting to make a wired
connection to the UCR-secure network using a non-compliant device, as the
connection will be denied.

Please note that the original publication of the NDAA 889 Compliance Plan
included specific scanning requirements for campus units that monitor their
own network. This guidance has since been revised, as ITS will work with
these units to conduct reasonable inquiries.

Please refer to this article <https://its.ucr.edu/blog/ndaa> for more
information about the changes taking place.

*How does this affect RITL?*

The prohibition of these devices will impact anyone currently using them,
which likely includes researchers and graduate students (among others). The
impact will be that people will be unable to connect these devices
physically (e.g., via ethernet) to the UCR network.

It is important to note that the prohibition of these devices applies to
*all* University business and research activity, regardless of the funding
source. Please refer to the compliance plan
<https://its.ucr.edu/cybersecurity/ndaa/guidance> for guidance on roles and
responsibilities.

*Where can I find additional resources?*

For more information about NDAA 889, please refer to these campus
resources:

   - Compliance Plan for Implementation of Section 889 of the National
   Defense Authorization Act (NDAA) for Fiscal Year 2019
   <https://its.ucr.edu/sites/g/files/rcwecm321/files/2022-02/NDAA%20889%20Compliance%20Plan%2001-22.pdf>

   - Information about NDAA 889, including a list of prohibited
   manufacturers <https://its.ucr.edu/cybersecurity/ndaa>

Thank you for your attention to this matter,

Kiersten Boyce
Associate Vice Chancellor and Chief Compliance Officer
Chief Compliance Office
Dewight Kramer
Chief Information Security Officer
Information Technology Solutions

On Tue, Mar 29, 2022 at 12:54 PM UCR Information Technology Solutions <
its at ucr.edu> wrote:

> RITL Members,
>
> This email is to inform you of a new campus compliance plan and an
> upcoming change to networking services taking place on May 2, 2022.
>
> *Background*
>
> UC Riverside is legally required to adhere to Section 889 of the 2019
> National Defense Authorization Act (NDAA 889)
> <https://its.ucr.edu/cybersecurity/ndaa>, which prohibits the use of
> equipment made by a limited set of manufacturers
> <https://smartpay.gsa.gov/ndaa-section-889>. In compliance with this
> Federal requirement and resulting UCOP guidance
> <https://researchmemos.ucop.edu/php-app/index.php/site/document?memo=UlBBQy0yMC0wNQ==&doc=3765>,
> the Chief Compliance Office (CCO) and Information Technology Solutions
> (ITS) have partnered to develop a compliance plan
> <https://its.ucr.edu/cybersecurity/ndaa/guidance> for campus.
>
> *What is changing?*
>
> The compliance plan includes a change to networking services, taking place
> May 2, 2022. This change will affect anyone attempting to make a wired
> connection to the UCR-secure network using a non-compliant device, as the
> connection will be denied.
>
> The compliance plan <https://its.ucr.edu/cybersecurity/ndaa/guidance>
> also outlines the responsibilities of all campus units that manage any
> aspect of the network and/or procure equipment and services.
>
> Please refer to this article <https://its.ucr.edu/blog/ndaa> for more
> information about the changes taking place.
>
> *How does this affect RITL?*
>
> The prohibition of these devices will impact anyone currently using them,
> which likely includes some researchers (among others). As of May 2, 2022,
> network connection will be denied to any non-compliant device attempting a
> *wired* connection (e.g., via ethernet cable) to the UCR-secure network.
> Non-compliant devices attempting to *wirelessly* connect to the
> UCR-secure network are already automatically re-routed to a non-secure
> network. Together, these networking policies mean that the user of a
> non-compliant device is unable to access secure campus resources.
>
> It is important to note that the prohibition of these devices applies to
> *all* University business and research activity, regardless of the
> funding source. Please refer to the compliance plan
> <https://its.ucr.edu/cybersecurity/ndaa/guidance> for guidance on roles
> and responsibilities.
>
> *Where can I find additional resources?*
>
> For more information about NDAA 889, please refer to these campus
> resources:
>
>    - Compliance Plan for Implementation of Section 889 of the National
>    Defense Authorization Act (NDAA) for Fiscal Year 2019
>    <https://its.ucr.edu/cybersecurity/ndaa/guidance>
>    - Information about NDAA 889, including a list of prohibited
>    manufacturers <https://its.ucr.edu/cybersecurity/ndaa>
>    - NDAA 889 guidance for campus units
>    <https://its.ucr.edu/cybersecurity/ndaa/guidance>
>
> Thank you for your attention to this matter,
>
> Kiersten Boyce
> Associate Vice Chancellor and Chief Compliance Officer
> Chief Compliance Office
>
> Dewight Kramer
> Chief Information Security Officer
> Information Technology Solutions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ucr.edu/pipermail/ritl/attachments/20220617/2aabc2b7/attachment.html>

More information about the RITL mailing list