March 1, 2018


MEMORANDUM


TO: The Audit, Compliance, and Risk Committee:


Babur B. Lateef, M.D., Chair

Robert M. Blue

Mark T. Bowles

L. D. Britt, M.D.

Margaret F. Riley, Faculty Member

Frank M. Conner III, Ex Officio

Adelaide Wilcox King, Faculty Consulting Member


and


The Remaining Members of the Board:


Whittington W. Clement

Elizabeth M. Cranwell

Thomas A. DePasquale

Barbara J. Fried

John A. Griffin

Robert D. Hardie

Maurice A. Jones

John G. Macfarlane III

Tammy S. Murphy

James B. Murray Jr.

James V. Reyes

Jeffrey C. Walker

Bryanna F. Miller, Student Member


FROM: Susan G. Harris


SUBJECT: Minutes of the Meeting of the Audit, Compliance, and Risk Committee on March 1, 2018


The Audit, Compliance, and Risk Committee of the Board of Visitors of the University of Virginia met, in Open Session, at 11:05 a.m., on Thursday, March 1, 2018, in the Upper West Oval Room of the Rotunda. Dr. Babur Lateef, Chair, presided.


Present: Frank M. Conner III, Robert M. Blue, Margaret F. Riley, and Adelaide Wilcox King


Absent: Mark T. Bowles and L. D. Britt, M.D.


Tammy S. Murphy and James B. Murray, Jr. also were present.


Present as well were Patrick D. Hogan, Susan G. Harris, Ronald R. Hutchins, Melur K. Ramasubramanian, Roscoe C. Roberts, and Robert M. Tyler.

Virginia H. Evans, Beth C. Hodsdon, Thomas T. Leonard, Gary S. Nimax, and Carolyn D. Saint were the presenters.


Dr. Lateef opened the meeting and reported on Ufirst, the University’s human resources transformation project. He had been briefed by Ms. Kelley Stuck, Vice President and Chief Human Resources Officer, and Mr. Sean Jackson, Ufirst Project Executive Director, on the project’s technological and organizational challenges. While these were significant and risks remained, the team was confident they would be able to launch on July 1 as planned. He gave the floor to Mr. Nimax, Associate Vice President for Compliance.


NIST 800-171 Compliance: Protecting Controlled Unclassified Information in Non-Federal Information Systems


Mr. Nimax introduced this item, a new federal compliance requirement (NIST 800-171) for the protection of controlled unclassified information (CUI) for certain types of research. He asked Ms. Evans, Chief Information Officer, and Mr. Ramasubramanian, Vice President of Research, to review the requirement and the University’s response.


Mr. Ramasubramanian explained that research grants have terms and conditions that address financial stewardship, conduct of research, and regulatory compliance. The new NIST regulations focus on data security and place the burden of compliance on institutions.


Ms. Evans said less than 1% of the University’s sponsored research dealt with CUI, but this type of research was expected to grow. The NIST-compliant environment is not simple. Its 110 controls focus on people, processes, and technology. Federal contractors were required to meet NIST 800-171 for Department of Defense (DoD) contracts with CUI clauses by December 31, 2017.


Written Reports


Dr. Lateef asked if there were any questions about the written reports in the committee materials; there were none.


Closed Session


At 11:20 a.m., the committee went into closed session upon the following motion made by Mr. Blue, duly seconded and approved:


Mr. Chair, I move the Audit, Compliance, and Risk Committee into closed meeting to consult with University Counsel regarding legal compliance matters requiring the provision of legal advice by counsel as provided for in Section 2.2-3711(A)(8) of the Code of Virginia.


At 11:50 a.m., the committee concluded closed session and approved the following motion, made by Mr. Blue and duly seconded, by unanimous roll call vote.


Voting in the affirmative:


Babur B. Lateef, M.D.

Margaret F. Riley

Frank M. Conner III

Adelaide W. King

Robert M. Blue


Motion:


I move that we vote on and record our certification that, to the best of each member’s knowledge, only public business matters lawfully exempted from open meeting requirements and which were identified in the motion authorizing the closed session, were heard, discussed or considered in closed session.


----------------------


The chair adjourned the meeting at 11:50 a.m.


SGH:wtl

These minutes have been posted to the University of Virginia’s Board of Visitors website: http://www.virginia.edu/bov/auditminutes.html