DFARS proposed rule change impact on ITAR/EAR

["Bates, Cathy C - (cbates)" <cbates () EMAIL ARIZONA EDU>]

Good Afternoon,

I am soliciting your IT security stance on the proposed rule changes to DFARS that specify enhanced security controls 
for EAR/ITAR contracts.  Enhanced security controls are referenced back to sections of NIST SP 800-53 as per the matrix 
included in the document.  The controls would include items like encryption in transit and at rest, non-repudiation, 
continuous monitoring, intrusion detection, NIST standard configuration builds, access controls, etc.

http://www.regulations.gov/#!documentDetail;D=DARS-2011-0052-0001

Do you see areas where ITAR and EAR could be exempt from the new controls?  I have seen a couple of research 1 
institutions declare that they won't be able to do this work anymore and a couple that would build special environments 
for this research.  The culture change for the research investigators would be quite dramatic in many cases.  If you 
are doing this work on your campus, what is your planned course of action if this rule change goes through?  Is your 
institution doing anything with submitting additional comments on the impact for your research program?

Thanks in advance for your thoughts.

Best,

Cathy


Cathy Bates
University Information Security Officer
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu<mailto:cbates () arizona edu>
http://security.arizona.edu<http://security.arizona.edu/>