March 1, 2018
MEMORANDUM
TO: The Audit, Compliance, and Risk Committee:
Babur B. Lateef, M.D., Chair
Robert M. Blue
Mark T. Bowles
L. D. Britt, M.D.
Margaret F. Riley, Faculty Member
Frank M. Conner III, Ex Officio
Adelaide Wilcox King, Faculty Consulting Member
and
The Remaining Members of the Board:
Whittington W. Clement
Elizabeth M. Cranwell
Thomas A. DePasquale
Barbara J. Fried
John A. Griffin
Robert D. Hardie
Maurice A. Jones
John G. Macfarlane III
Tammy S. Murphy
James B. Murray Jr.
James V. Reyes
Jeffrey C. Walker
Bryanna F. Miller, Student Member
FROM: Susan G. Harris
SUBJECT: Minutes of the Meeting of the Audit, Compliance, and Risk Committee on March 1, 2018
The Audit, Compliance, and Risk Committee of the Board of Visitors of the University of Virginia met, in Open Session, at 11:05 a.m., on Thursday, March 1, 2018, in the Upper West Oval Room of the Rotunda. Dr. Babur Lateef, Chair, presided.
Present: Frank M. Conner III, Robert M. Blue, Margaret F. Riley, and Adelaide Wilcox King
Absent: Mark T. Bowles and L. D. Britt, M.D.
Tammy S. Murphy and James B. Murray, Jr. also were present.
Present as well were Patrick D. Hogan, Susan G. Harris, Ronald R. Hutchins, Melur K. Ramasubramanian, Roscoe C. Roberts, and Robert M. Tyler.
Virginia H. Evans, Beth C. Hodsdon, Thomas T. Leonard, Gary S. Nimax, and Carolyn D. Saint were the presenters.
Dr. Lateef opened the meeting and reported on Ufirst, the University’s human resources transformation project. He had been briefed by Ms. Kelley Stuck, Vice President and Chief Human Resources Officer, and Mr. Sean Jackson, Ufirst Project Executive Director, on the project’s technological and organizational challenges. While these were significant and risks remained, the team was confident they would be able to launch on July 1 as planned. He gave the floor to Mr. Nimax, Associate Vice President for Compliance.
NIST 800-171 Compliance: Protecting Controlled Unclassified Information in Non-Federal Information Systems
Mr. Nimax introduced this item, a new federal compliance requirement (NIST 800-171) for the protection of controlled unclassified information (CUI) for certain types of research. He asked Ms. Evans, Chief Information Officer, and Mr. Ramasubramanian, Vice President of Research, to review the requirement and the University’s response.
Mr. Ramasubramanian explained that research grants have terms and conditions that address financial stewardship, conduct of research, and regulatory compliance. The new NIST regulations focus on data security and place the burden of compliance on institutions.
Ms. Evans said less than 1% of the University’s sponsored research dealt with CUI, but this type of research was expected to grow. The NIST-compliant environment is not simple. Its 110 controls focus on people, processes, and technology. Federal contractors were required to meet NIST 800-171 for Department of Defense (DoD) contracts with CUI clauses by December 31, 2017.
Written Reports
Dr. Lateef asked if there were any questions about the written reports in the committee materials; there were none.
Closed Session
At 11:20 a.m., the committee went into closed session upon the following motion made by Mr. Blue, duly seconded and approved:
Mr. Chair, I move the Audit, Compliance, and Risk Committee into closed meeting to consult with University Counsel regarding legal compliance matters requiring the provision of legal advice by counsel as provided for in Section 2.2-3711(A)(8) of the Code of Virginia.
At 11:50 a.m., the committee concluded closed session and approved the following motion, made by Mr. Blue and duly seconded, by unanimous roll call vote.
Voting in the affirmative:
Babur B. Lateef, M.D.
Margaret F. Riley
Frank M. Conner III
Adelaide W. King
Robert M. Blue
Motion:
I move that we vote on and record our certification that, to the best of each member’s knowledge, only public business matters lawfully exempted from open meeting requirements and which were identified in the motion authorizing the closed session, were heard, discussed or considered in closed session.
----------------------
The chair adjourned the meeting at 11:50 a.m.
SGH:wtl
These minutes have been posted to the University of Virginia’s Board of Visitors website: http://www.virginia.edu/bov/auditminutes.html