Educause Security Discussion mailing list archives
Re: DFARS proposed rule change impact on ITAR/EAR
From: "Bates, Cathy C - (cbates)" <cbates () EMAIL ARIZONA EDU>
Date: Mon, 15 Aug 2011 14:53:25 -0700
Shirley,

That would be good news regarding scope if it applied to new contracts and not to grants (until and unless they are converted to contracts). Where did you find that information? I would like to bring that info to a meeting that I've called this week. I believe this will be a sizable effort for all the contracts at UA. I don't see us throwing up our hands and leaving the contracts on the table. We will likely have opportunities to share approaches and stories in the year ahead.

Best,
Cathy

Cathy Bates
University Information Security Officer
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu <mailto:cbates () arizona edu>
http://security.arizona.edu <http://security.arizona.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Payne, Shirley (scp8b)
Sent: Monday, August 15, 2011 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DFARS proposed rule change impact on ITAR/EAR

Thanks for raising this issue, Cathy. In answer to your questions, we're just beginning at my institution to get our heads around the proposed DFARS changes and we're still in the process of determining if/how we will be providing specific comments on the Federal Register notice. I'm not aware of exemptions regarding EAR/ITAR contracts, although I don't claim to be an expert on this. Unfortunately, if our reading is correct, the scope of applicability goes beyond contracts subject to export controls.

Here is additional information, as I understand it, for those not yet familiar with the proposed DFARS (Defense Federal Acquisition Regulation Supplement) rule changes:

1. If finalized, the changes will apply enhanced security standards to non-classified DoD data. Strong standards already apply, of course, to classified DoD data.

2. The changes will initially affect new DoD contracts and I'm hearing the standards will likely also be applied to existing contracts as those are renewed or modified. The DFARS does not apply to DoD grants; however, I'm advised that it is not unusual for DoD to transition research programs from grant to contract funding as they progress. It is also possible we will start to see similar language showing up in DoD grant terms and conditions.

3. Since the latest version of the proposed rule is strikingly similar to the initial version issued by DoD in March 2010, we're assuming there will not be substantial changes to the rule before it is ultimately finalized. Public comments are due August 29th, 2011.

Although we already comply at an institution level with a fair number of the proposed standards, which Cathy noted are aligned with selected NIST SP 800-53 requirements, my general sense is that we will have quite an effort ahead of us to identify, evaluate, and remediate systems and data affected by the DFARS changes if they are implemented. At a minimum, we'll want to ensure contract participants are using dedicated computers or separate "virtual machines" when doing contract-related work, and we'll want those separate systems on highly restricted network infrastructure. We also will need to tweak one or more of our institution level security processes to accommodate certain new requirements, e.g., adding a step to our incident response process to send forensic evidence to DoD when investigations involve unclassified DoD data. For institutions having lots of DoD contracts using unclassified data, this could be a substantial effort. And then there's the cost recovery issue: will PIs be able to recover these compliance costs in their contract budgets or will the costs be characterized as F&A and therefore subject to our negotiated rate agreement? Lots to consider!

-Shirley

Shirley C. Payne, CISSP, CRISC
Assistant Vice President for Information Security, Policy, and Records
University of Virginia
P.O. Box 400898
Charlottesville, Virginia 22904-4898
(434) 924-4165

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bates, Cathy C - (cbates)
Sent: Friday, August 12, 2011 7:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DFARS proposed rule change impact on ITAR/EAR

Good Afternoon,

I am soliciting your IT security stance on the proposed rule changes to DFARS that specify enhanced security controls for EAR/ITAR contracts. Enhanced security controls are referenced back to sections of NIST SP 800-53 as per the matrix included in the document. The controls would include items like encryption in transit and at rest, non-repudiation, continuous monitoring, intrusion detection, NIST standard configuration builds, access controls, etc.

http://www.regulations.gov/#!documentDetail;D=DARS-2011-0052-0001

Do you see areas where ITAR and EAR could be exempt from the new controls? I have seen a couple of research institutions declare that they won't be able to do this work anymore and a couple that would build special environments for this research. The culture change for the research investigators would be quite dramatic in many cases. If you are doing this work on your campus, what is your planned course of action if this rule change goes through? Is your institution doing anything with submitting additional comments on the impact for your research program?

Thanks in advance for your thoughts.

Best,
Cathy

Cathy Bates
University Information Security Officer
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu <mailto:cbates () arizona edu>
http://security.arizona.edu <http://security.arizona.edu/>