Educause Security Discussion mailing list archives

Re: DFARS proposed rule change impact on ITAR/EAR


From: "Payne, Shirley (scp8b)" <scp8b () VIRGINIA EDU>
Date: Mon, 15 Aug 2011 21:26:36 +0000

Thanks for raising this issue, Cathy.  In answer to your questions, we're just beginning at my institution to get our 
heads around the proposed DFARS changes and we're still in the process of determining if/how we will be providing 
specific comments on the Federal Register notice. I'm not aware of exemptions regarding EAR/ITAR contracts, although I 
don't claim to be an expert on this. Unfortunately, if our reading is correct, the scope of applicability goes beyond 
contracts subject to export controls.

Here is additional information, as I understand it, for those not yet familiar with the proposed DFARS (Defense Federal 
Acquisition Regulation Supplement) rule changes:


1.      If finalized, the changes will apply enhanced security standards to non-classified DoD data. Strong standards 
already apply, of course, to classified DoD data.

2.      The changes will initially affect new DoD contracts and I'm hearing the standards will likely also be applied 
to existing contracts as those are renewed or modified.  The DFARS does not apply to DoD grants; however, I'm advised 
that it is not unusual for DoD to transition research programs from grant to contract funding as they progress. It is 
also possible we will start to see similar language showing up in DoD grant terms and conditions.

3.      Since the latest version of the proposed rule is strikingly similar to the initial version issued by DoD in 
March 2010, we're assuming there will not be substantial changes to the rule before it is ultimately finalized.  Public 
comments are due August 29th, 2011.

Although we already comply at an institution level with a fair number of the proposed standards, which Cathy noted are 
aligned with selected NIST SP 800-53 requirements, my general sense is that we will have quite an effort ahead of us to 
identify, evaluate, and remediate systems and data affected by the DFARS changes if they are implemented. At a minimum, 
we'll want to ensure contract participants are using dedicated computers or separate "virtual machines" when doing 
contract-related work, and we'll want those separate systems on highly restricted network infrastructure. We also will 
need to tweak one or more of our institution level security processes to accommodate certain new requirements, e.g., 
adding a step to our incident response process to send forensic evidence to DoD when investigations involve 
unclassified DoD data.

For institutions having lots of DoD contracts using unclassified data, this could be a substantial effort. And then 
there's the cost recovery issue:  will PIs be able to recover these compliance costs in their contract budgets or will 
the costs be characterized as F&A and therefore subject to our negotiated rate agreement? Lots to consider!

-Shirley

Shirley C. Payne, CISSP, CRISC
Assistant Vice President for Information Security, Policy, and Records
University of Virginia
P.O. Box 400898
Charlottesville, Virginia 22904-4898
(434) 924-4165


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bates, 
Cathy C - (cbates)
Sent: Friday, August 12, 2011 7:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DFARS proposed rule change impact on ITAR/EAR

Good Afternoon,

I am soliciting your IT security stance on the proposed rule changes to DFARS that specify enhanced security controls 
for EAR/ITAR contracts.  Enhanced security controls are referenced back to sections of NIST SP 800-53 as per the matrix 
included in the document.  The controls would include items like encryption in transit and at rest, non-repudiation, 
continuous monitoring, intrusion detection, NIST standard configuration builds, access controls, etc.

http://www.regulations.gov/#!documentDetail;D=DARS-2011-0052-0001

Do you see areas where ITAR and EAR could be exempt from the new controls?  I have seen a couple of research 
institutions declare that they won't be able to do this work anymore and a couple that would build special environments 
for this research.  The culture change for the research investigators would be quite dramatic in many cases.  If you 
are doing this work on your campus, what is your planned course of action if this rule change goes through?  Is your 
institution doing anything with submitting additional comments on the impact for your research program?

Thanks in advance for your thoughts.

Best,

Cathy


Cathy Bates
University Information Security Officer
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu
http://security.arizona.edu
