Research security program guidelines: more work for federally-funded research institutions

Universities and academic research institutions must implement programs for cybersecurity, foreign travel security, research security training, and export control training

The White House Office of Science and Technology Policy (OSTP) has issued long-awaited Guidelines for Research Security Programs at Covered Institutions (“Guidelines”), which outline how federal research agencies must require “covered institutions” – including certain institutions of higher education and nonprofit research institutions – to certify their implementation of programs related to cybersecurity, foreign travel security, research security, and export control. Below we summarize the new Guidelines, the entities affected, and the timeline for implementation.

Background on the new Guidelines

In January 2021, National Security Presidential Memorandum-33 (NSPM-33) directed agency action to preserve U.S. national security in federally-supported research and development. The Biden Administration endorsed that objective and issued in January 2022 Guidance on the implementation of NSPM-33 (which we summarized online here). Among the most significant features of that Guidance was a new “research security program” that federal agencies must require institutions to implement. The Guidance contemplated that research organizations awarded in excess of USD $50 million per year in federal research funding must implement a research security program centered on four elements: (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training.

In August 2022, President Biden signed into law the CHIPS and Science Act (“CHIPS Act”), which we summarized online here. The CHIPS Act required federal research agencies to establish a requirement that, as part of an application for a research and development award from the agency, certain covered individuals complete research security training. The Act directed OSTP to develop guidelines that institutions of higher education and other organizations receiving Federal research and development funds could use to develop training programs, in compliance with NSPM-33. (See Pub. L. 117-167 §10634, 42 U.S.C. §19234.)

OSTP has now issued the new Guidelines in a memo titled “Guidelines for Research Security Programs at Covered Institutions” (July 9, 2024). The Guidelines expressly refer to “institutions of higher education and other research institutions” as operating in an “altered global landscape” and as “the first line of defense against improper or illicit activity” by malign foreign actors in the modern geopolitical environment. The Guidelines provide uniform requirements for four mandatory elements of a research security program pursuant to NSPM-33 and the CHIPS Act, as discussed below.

Who are covered institutions?

A participant in the U.S. R&D enterprise is a “covered institution” and is subject to the research security program certification requirements if (and only if):

  1. it is an institution of higher education, a federally funded research and development center (FFRDC), or a nonprofit research institution; and,

  2. it receives in excess of USD $50 million per year, in fiscal year-2022 constant dollars, under

    (A) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions; or,

    (B) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development.

Importantly, OSTP “encourages” federal agencies to apply research security requirements to non-covered institutions that meet the funding threshold described in part (B) above.

What must covered institutions certify?

The Guidelines state that Federal research agencies must require covered institutions to certify that their research security programs include elements relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training, as appropriate. The Guidelines elaborate on the four mandatory elements:

  1. Cybersecurity. Institutions of higher education must implement a cybersecurity program that is consistent with the final version of the National Institute of Standards and Technology (NIST) cybersecurity resource for research institutions, within one year after NIST publishes the final version of that resource. The current public draft of the NIST resource is available here: Cybersecurity for Research: Findings and Possible Paths Forward (August 31, 2023).

The NIST publication is a general document focused on broad cybersecurity principles; it’s not clear whether more concrete controls will materialize in the final version of the NIST publication. Cybersecurity is a complex subject at any scientific research organization, made more complex when the required security controls are opaque. A vague set of cybersecurity principles may be frustrating for large research institutions, especially given recent developments in False Claims Act enforcement under the DOJ’s Civil Cyber-Fraud Initiative (see our update here).

For covered institutions that are not institutions of higher education, the institution must implement a cybersecurity program consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency – currently not specified.

  2. Foreign travel security. Covered institutions must:

(A) provide periodic training (at least once every six years) on foreign travel security to covered individuals[1] engaged in international travel including “sponsored international travel, for organization business, teaching, conference attendance, or research purposes” and such training must be implemented within one year after a federal research agency issues a “foreign travel security training resource” (OSTP states that it will coordinate with NSF, NIH, DOE, and DoD to develop a foreign travel security training module for this purpose); and,

(B) implement a travel reporting program, to include an organizational record of international travel, for covered individuals who participate in a federal R&D award, when a federal research agency has determined that “security risks warrant travel reporting.”

For institutions that have historically handled travel on a decentralized basis, this new travel reporting program may demand an overhaul of the way business travel is handled. While many institutions already have travel reporting protocols, the advent of a centralized organizational record of international travel is a logistical and personnel challenge, especially within a traditional academic setting where global mobility is the norm. Questions remain about whether and to what extent personal or blended business/personal international travel should be captured in the organizational record.

  3. Research security training. Covered institutions must implement a research security training program for all covered individuals “to address the unique needs, challenges, and risk profiles of covered individuals,” and such individuals must complete the training. Institutions can meet the requirement by certifying (i) that they require covered individuals to complete the federal government’s research security training modules currently hosted by NSF, and (ii) that each covered individual has completed the training. Alternatively, institutions may deploy their own training modules, as long as those modules (1) provide explicit examples of risky behaviors that lead to improper or illegal transfer of U.S. government-supported research; and (2) underscore the importance of U.S. researcher participation in global discoveries.

  4. Export control training. Where covered individuals work with export-controlled technologies, covered institutions must certify that such individuals have completed trainings administered by the U.S. Department of Commerce’s Bureau of Industry and Security, or certify that such individuals have completed other training centered on topics such as (a) compliance with U.S. export control requirements, and (b) requirements and processes for reviewing foreign sponsors, collaborators, and partnerships. It appears that institutions may have some autonomy to determine the precise features of their export control training.

While the Guidelines are intended to drive standardization across agencies, they still permit agencies to develop additional research security requirements beyond those set out in the Guidelines, subject to OMB approval. Agencies are instructed to limit such cases to the following situations:

  • Statute, regulation, or Executive Orders require such additional policies
  • More stringent requirements are necessary, such as for classified information and export-controlled technologies
  • Other “compelling agency-specific reasons” in coordination with OSTP

The Guidelines also lay out additional principles for agency implementation of the research security requirements:

  • Non-discrimination. Agencies must implement research security policies in a way that treats everyone equally under law, without “targeting, stigmatization, or discrimination against individuals on the basis of race, color, ethnicity, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age (40 or older), disability, or genetic information (including family medical history).” And yet another certification is attached to this principle – covered institutions must certify that they have implemented safeguards to comply with this principle (although it appears that an institution’s pre-existing certifications of compliance with U.S. nondiscrimination law associated with receipt of federal financial assistance may serve as this certification).

  • Flexibility. The Guidelines give a nod to latitude that agencies should afford to covered institutions to address the institution’s particular needs and to leverage existing programs and activities, provided they fulfill all required research security program components.

Next steps

Within six months after the issuance of the Guidelines, federal research agencies must submit to OSTP and OMB plans to update their policies to reflect the new research security programs requirements. Those updated agency policies will take effect no later than six months after finalized plans are submitted to OSTP and OMB. Then, covered institutions will have no more than 18 months to achieve compliance.

Institutions of higher education and research institutions already have spent considerable time addressing research security over the past several years. Cross-disciplinary institutional teams – including IT, HR, sponsored research, travel, export control, and advancement – have methodically tackled many facets of inappropriate influence in federally-sponsored research, ranging across subjects such as outside activity, conflicts of interest and commitment, current and pending support, and foreign gifts and contracts. With the new Guidelines comes more to do and more to track within an ever more complex research compliance ecosystem.

Authored by Bill Ferreira, Will Crawford, and Lauren Colantonio


[1] The term “covered individual” has the meaning given in Section 10638(1) of the CHIPS and Science Act (42 U.S.C. 19237(1)). It is defined as an individual who—

  1. contributes in a substantive, meaningful way to the scientific development or execution of a research and development project proposed to be carried out with a research and development award from a Federal research agency; and
  2. is designated as a covered individual by the Federal research agency concerned.
