New Federal Guidelines For Research Security Programs At Covered Institutions

Crowell & Moring LLP

Contributor


On July 9, 2024, the Office of Science and Technology Policy (OSTP) released new guidance for federal research agencies that require certain research institutions ("covered institutions") to certify that the institution has established and operates a research security program that includes certain specific standardized requirements. The certification requirements are in accordance with the National Security Presidential Memorandum-33 (NSPM-33) and the CHIPS and Science Act. The purpose of these guidelines is to address increased foreign risk to research security in the U.S. Research and Development ("R&D") landscape and to preserve the open and collaborative nature of the R&D environment. The research security requirements are summarized below.

Research Security Program Requirements

The new certification requirements apply only to certain institutions, referred to as "covered institutions." The guidance defines covered institutions as (1) an institution of higher education, a federally funded research and development center (FFRDC), or a nonprofit research institution; and (2) an institution that receives more than $50 million per year, in fiscal year 2022 constant dollars, which is measured in two different ways: (a) under the three-year average of federal R&D obligations or (b) the three-year average of federal R&D obligations to FFRDCs.

NSPM-33 already requires federal research agencies to ensure covered institutions certify that they implement their own research security programs. However, this new guidance sets standardized requirements for covered institutions to certify that their research security programs include four elements related to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training.

Cybersecurity

Federal research agencies will require covered institutions of higher learning to certify that the institution will implement a cybersecurity program consistent with the cybersecurity resources described in the CHIPS and Science Act within one year after the National Institute of Standards and Technology (NIST) publishes that resource.

For covered institutions that are not institutions of higher education, such institutions are required to certify that the institution will implement a cybersecurity program consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency.

Foreign travel security

Covered institutions will be required to certify that they will implement periodic training on foreign travel security to individuals engaged in international travel, including sponsored international travel, such as travel for organization business, teaching, conference attendance, or research purposes. The training has to be given within one year after a foreign travel security training resource is made available by a federal research agency. Training that meets this requirement is training provided by a federal research agency. Per the guidance, through coordination of the NSTC Subcommittee on Research Security, the National Science Foundation (NSF) intends to enter into an agreement or contract with a qualified entity for the development of a foreign travel security training module. All covered individuals have to take this training at least once every six years.

Additionally, covered institutions are required to implement a travel reporting program that should include an organizational record of international travel, including sponsored international travel, for organization business, teaching, conference attendance, and research purposes by covered individuals when a federal research agency has determined that security risks warrant travel reporting in accordance with the terms of an R&D award.

Research security training

Federal research agencies must now require covered institutions to certify that the institution has implemented a research security training program for all covered individuals that addresses the unique needs, challenges, and risk profiles of the individual. The institution must also then certify that each such individual completes the training.

Covered institutions can meet these requirements in either of two ways:

(1) Certify that the institution requires covered individuals to complete training modules made available by the National Science Foundation (NSF) or successor trainings developed by the government designed to fulfill requirements of the CHIPS and Science Act and that each such covered individual has completed such trainings; or

(2) Certify that the institution requires covered individuals to complete research security training that (a) includes explicit examples of behaviors that result in an improper or illegal transfer of U.S. government-supported R&D in a research environment and (b) communicates to covered individuals the importance of U.S. researcher participation in global discoveries, including attracting foreign talent to U.S. research institutions, as a core principle of maintaining international leadership and national security, and that each such covered individual has completed research security training that meets these requirements.

Export control training

Covered institutions are required to certify that individuals who perform R&D involving export-controlled technologies complete trainings on U.S. export control and compliance requirements. Institutions can meet this requirement in two ways:

(1) Certify that institutions require covered individuals who perform R&D involving export-controlled technologies to complete trainings administered by the Bureau of Industry and Security of the Department of Commerce and that each individual has completed the training (the guidance notes that the Directorate of Defense Trade Controls at the Department of State has publicly available resources to assist an institution in developing its own individually tailored and robust compliance programs); or

(2) Certify that covered individuals who perform R&D involving export-controlled technologies are required to complete export-control training and that each such covered individual has completed training on complying with (a) U.S. export control and compliance requirements and (b) requirements and processes for reviewing foreign sponsors, collaborators, and partnerships.

Additional information

The guidance includes additional responsibilities and requirements for federal research agencies to adhere to, including an implementation timeline. Federal research agencies have six months from the release of this guidance to submit their plans for updating their policies to OSTP and the Office of Management and Budget (OMB). Updated policies will take effect no later than six months after finalized plans are submitted to OSTP and OMB.

Federal research agencies are allowed to develop additional requirements for research security programs for covered institutions beyond the four elements described in the guidance, but the use of any additional requirements should be limited to where (a) policies are required by statute, regulation, or executive order or other executive actions; (b) more stringent protections are necessary for protection of R&D that includes classified information, technologies subject to Export Administration Regulations, or otherwise legally protected matters; or (c) there are other agency-specific reasons consistent with law and the federal research agency's mission. Federal research agencies are encouraged to first consider adding additional requirements to an R&D award, as opposed to more broadly as part of general security requirements, so it is important for covered institutions to review all R&D awards to ensure no additional requirements have been provided at the award level.

Also, federal research agencies are required to ensure that their research security program requirements can:

  • Be non-discriminatory on the basis of race, color, ethnicity, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age (40 or older), disability, or genetic information (including family medical history).
  • Allow institutions the flexibility to structure their programs to best fit the institution's needs and to be able to leverage existing programs and activities.
  • Meet certification requirements when covered institutions can provide a written or electronic attestation to a federal research agency that the covered institution has met relevant research security program requirements.
  • Reduce administrative burden on institutions and individuals.
  • Avoid disadvantaging non-covered institutions during the award process in order to facilitate broad participation in the federal R&D enterprise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
