Final Issuance Of Federal Guidelines For Security In Scientific Research: Impact On Universities, Academic Medical Centers And Other Research Institutions

On July 9, 2024, the White House Office of Science and Technology Policy ("OSTP") issued highly anticipated final guidelines setting forth a framework under which academic research institutions must establish and operate formal research security programs (the "Final Guidelines").¹ These final guidelines will be critically important to research operations at universities, academic medical centers, and other research institutions, and will affect the daily operations of, for example, such institutional offices as information technology, privacy, sponsored research, international programs, in-house legal counsel, export controls, and faculty affairs. Specifically, the Final Guidelines establish a definition of "Covered Institution" and outline standardized requirements that institutions must adopt relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training. In practice, these institutional requirements will be overseen by individual federal research funding agencies and not OSTP itself, as the Final Guidelines require individual federal research agencies (e.g., the National Institutes of Health ("NIH"), National Science Foundation ("NSF"), U.S. Department of Defense ("DoD"), National Aeronautics and Space Administration, and U.S. Department of Energy ("DOE")) to implement their agency-specific plans that execute the standardized requirements. Unless the deadlines relating to agency adoption of the standardized requirements are delayed, covered research institutions will need to implement the requirements detailed under the Final Guidelines no later than January 9, 2027 (and possibly earlier, if federal agencies finish their implementation efforts in advance of OSTP-prescribed deadlines). We have prepared a timeline of the implementation deadlines set forth in the Final Guidelines at the end of this Alert.

Research institutions have been eagerly awaiting the details set forth in the Final Guidelines for some time, as a presidential directive in January 2021 ordered OSTP to develop research security program requirements, and OSTP subsequently published draft requirements relating to research security programs in March 2023 (the "Draft Requirements").² Prior OSTP guidance had announced that the final research security program requirements would be issued within 120 days of the close of the public comment period for the Draft Requirements. Under this timeline, the final research security program requirements were expected to be published by October 2023. During a congressional hearing in February 2024, OSTP Director Arati Prabhakar addressed the delay, acknowledging that the public comments on the Draft Requirements gave OSTP "considerable pause," such that finalizing the research security program requirements had become "more complex" than anticipated but remained a top priority at OSTP.³

In light of this commentary from the OSTP Director, it is perhaps not surprising that the Final Guidelines vary considerably from the Draft Requirements. Specifically, while the Draft Requirements itemized many specific controls in the area of cybersecurity, outlined expansive requirements relating to training on research security and export control compliance, and specified onerous requirements relating to international travel by institutional researchers, the Final Guidelines allow for significantly greater flexibility to institutions in developing their research security programs. The Final Guidelines also provide greater clarity as to which institutions are "Covered Institutions" that will be subject to the requirements. While these differences from the Draft Requirements will be welcome news for research institutions, there is still much for research institutions to unpack in planning for implementation of the requirements set forth under the Final Guidelines. In this Alert, we explain the legal backdrop giving rise to the Final Guidelines, review the definition of "Covered Institutions" that will be required to comply with the Final Guidelines, and provide an overview of the topical areas that institutional research security programs will need to address.

Background on NSPM-33 and Research Security

On January 14, 2021, then-President Trump issued a Presidential Memorandum on United States Government-Supported Research and Development National Security Policy ("NSPM-33"), aimed at "strengthening protections of United States Government-supported Research and Development [("R&D")] against foreign government interference and exploitation."⁴ President Biden subsequently endorsed and moved forward with NSPM-33. NSPM-33 requires that federal research agencies that fund R&D activities shall require participants in the United States R&D enterprise to (i) disclose certain information "that will enable reliable determinations of whether and where conflicts of interest and commitment exist" and (ii) ensure that policies and procedures are in place "to identify and manage risks to research security and integrity." Specifically with regard to research security, NSPM-33 states that federal agencies shall require such research institutions receiving more than $50 million per year of federal science and engineering support to certify to the funding agency that the institution has a research security program, which includes elements of cybersecurity, foreign travel security, insider threat awareness and identification, and, as appropriate, export control training.

A year later, in January 2022, the National Science and Technology Council of OSTP and the Joint Committee on the Research Environment released a report providing guidance to federal agencies regarding their implementation of NSPM-33 in five key areas, including research security programs.⁵ In this guidance, OSTP provided recommendations regarding the specific requirements that federal agencies should establish under the four elements of research security programs as required by NSPM-33. The draft standardized requirements were published in February 2023, building on the framework outlined in the 2022 implementation guidance.

In addition to NSPM-33, the federal government has been focused on foreign government and misappropriation of U.S.-supported research and technology through other recent statutory and regulatory developments. For example, the CHIPS Act of 2022 (the "CHIPS Act"),⁶ signed into law in August 2022, focuses in part on developing policies, tools, and processes to manage and mitigate research security risks. Separately, NSF has established a "Research on Research Security Program,"⁷ and recently issued subregulatory guidance on foreign financial disclosure requirements, as required under the CHIPS Act.⁸ In the Final Guidelines, OSTP appears to focus on aligning research security mandates across NSPM-33 and the CHIPS Act to a much greater extent than the Draft Requirements.

Summary of the Final Guidelines

Below, we summarize the key components of the Final Guidelines and point out some of the key distinctions between the Final Guidelines and the Draft Requirements.

1. Definition of Covered Institution

As stated above, NSPM-33 applies to research institutions receiving more than $50 million per year of federal science and engineering support. To clarify how a research institution determines whether it meets this criterion, the Final Guidelines provide a definition that is more detailed than the NSPM-33 description of research institutions and more concise than the definition of "covered institution" utilized in the Draft Requirements.⁹ Specifically, under the Final Guidelines, a "Covered Institution":

1. is an institution of higher education, a federally funded research and development center ("FFRDC"), or a nonprofit research institution; and
2. receives in excess of $50 million per year, in fiscal 2022 constant dollars, under (1) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions; or (2) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development.

We anticipate that a small number of institutions may have questions as to whether they fall within the definition of "Covered Institution," but that the vast majority of institutions conducting science and engineering research that is supported by federal funding will be able to determine, based on this definition, whether they qualify as a "Covered Institution."

2. Research Security Program Requirements

Consistent with the NSPM-33 directive, the Final Guidelines require that federal research agencies require covered institutions to implement and certify that their research security programs address four key elements: (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training. The specific requirements for each element are described below.

i. Cybersecurity

With respect to cybersecurity, federal research agencies must require that institutions of higher education implement a cybersecurity program consistent with the U.S. Department of Commerce's National Institute of Standards and Technology's ("NIST") cybersecurity resource for research institutions, once finalized.¹⁰ Covered institutions that are not institutions of higher education must certify that the institution will implement a cybersecurity program consistent with another relevant cybersecurity resource published by NIST or another federal research agency. The cybersecurity requirements of institutional research security programs in the Final Guidelines give institutions more flexibility in instituting a cybersecurity program, in contrast to the Draft Requirements, which would have required covered institutions to implement 12 specific safeguarding protocols and procedures, which may or may not be directly applicable to the diverse research portfolios of particular institutions.

While more flexible than the Draft Requirements, the exact contours of the cybersecurity requirements are unclear and cannot be confirmed until additional guidance is issued by NIST. The specific NIST guidance referenced in the Final Guidelines for institutions of higher education is a draft guidance document titled "Cybersecurity for Research: Findings and Possible Paths Forward,"¹¹ and the Final Guidelines provide that institutions of higher education will be required to implement cybersecurity programs that are consistent with the final version of this guidance, once it is issued. Consistent with its title, the NIST guidance document is effectively a reference document, and begins with a statement that "this resource seeks to document and cultivate a common understanding of the state of cybersecurity across higher education research environments and is intended to help institutions of higher education identify, assess, manage, and reduce cybersecurity risks related to conducting research, as described in Section 10229 of the [CHIPS Act]."¹² The remainder of the document contains high-level principles and a list of resources that may assist institutions in evaluating research security issues. In short, at least in its current draft form, this NIST guidance document does not contain specific standards that an institution can use to evaluate whether its existing cybersecurity controls are consistent with the Final Guidelines and, if not, what specific enhancements may be needed. Covered Institutions other than institutions of higher education will need to determine which additional guidances are directly applicable to their activities, in light of the statement in the Final Guidelines that these institutions will be required to certify that their cybersecurity program is "consistent with another cybersecurity resource maintained by NIST or another federal research agency."

ii. Foreign Travel Security

Under the Final Guidelines, federal research agencies must require each covered institution to certify that it will implement periodic training (i.e., at least every six years) on foreign travel security to "covered individuals"¹³ that travel internationally for business, teaching, conferences, or other research purposes, within one year after a foreign travel security training resource is issued by a federal research agency. OSTP states that it will, in coordination with other federal agencies, such as NSF, NIH, DOE, and DoD, contract with a qualified entity to develop a foreign travel security training module for this purpose. In addition, covered institutions must implement a travel reporting program, which records international travel of covered individuals when traveling internationally for business, teaching, conferences, or other research purposes, if a federal research agency has determined that security risks warrant travel reporting in accordance with the covered individual's R&D award.

These requirements are substantially different from the requirements proposed in the Draft Requirements. Under the Draft Requirements, covered institutions would have been required to establish extensive international travel policies and procedures including, for example, mandatory security briefings, disclosure and authorization requirement, and electronic device security. Some of the language in the Draft Requirements relating to international travel also arguably extended to personal travel (i.e., international vacations taken by an institution's researchers, with no business component to the trip). The Final Guidance outlines that the training and reporting requirements relating to international travel must have a clear nexus to institutional activities (e.g., travel for business, teaching, conferences, or other research purposes).

iii. Research Security Training

For research security training, the Final Guidelines require that federal research agencies require each covered institution to certify that it has implemented a research security training program for covered individuals. Covered institutions may meet this requirement by either (1) requiring that covered individuals complete NSF's research security training modules¹⁴ or later-developed research security training modules by the federal government to satisfy requirements of NSPM-33 and the CHIPS Act, or (2) requiring that covered individuals complete research security training that includes topics such as (a) behaviors in the context of the research environment that have resulted in improper transfer of U.S. government-supported R&D and (b) the importance of U.S. researcher participation in global discoveries. These requirements for research security training are much less prescriptive than the requirements proposed in the Draft Requirements, which do not explicitly permit covered institutions to rely on training modules created by the federal government, and would have required training programs to include instruction on nine different focus areas.

iv. Export Control Training

Finally, with respect to export control training, federal research agencies must require covered individuals who participate in research that involves export-controlled technologies to complete training on U.S. export control and compliance requirements. Similar to the requirement for research security training, covered institutions may meet this requirement by either (1) requiring that the applicable individuals complete relevant trainings administered by the U.S. Department of Commerce's Bureau of Industry and Security, or (2) requiring that the applicable individuals complete training that includes topics such as (a) U.S. export control and compliance requirements and (b) requirements and processes for reviewing foreign sponsors, collaborators, and partnerships. Export control training requirements in the Final Guidelines are similar to those proposed in the Draft Requirements, but as with the modifications made to the other requirements of institutional research security programs, the requirements are less specific and afford institutions greater flexibility in implementing their research security programs.

3. Implementation and Certification

As previewed in the introduction to this Alert, we have prepared a timeline outlining the key deadlines for research agencies and institutions relating to the implementation of the Final Guidelines.

Once covered institutions are required to comply with the federal research agencies' updated policies relating to institutional research security programs, covered institutions will be required to certify that they have implemented research security programs in compliance with the Final Guidelines and the applicable federal research agencies' policies through a written or electronic attestation to the federal research agency. The exact manner of certification to agencies is not specified and will be managed at the level of the cognizant federal funding agency. However, the Final Guidelines point out that the CHIPS and Science Act "directs federal research agencies to require covered individuals as part of an R&D award application to certify that they have completed research security training and requires R&D award applicants to certify that covered individuals have completed relevant trainings." As such, it seems likely that institutional certifications as to compliance with the standards outlined in the Final Guidelines will be made in connection with the submission of grant applications to the cognizant federal agencies.

Conclusion: Moving Forward with Research Security Program Implementation

Many institutions are already well underway in their planning for implementation of the research security program requirements detailed under the Final Guidelines, having taken the initiative in light of the research security directive outlined in NSPM-33 in January 2021. For example, some institutions have convened cross-functional task forces evaluating the research security needs within their institutions, and others have even hired a dedicated research security officer. While the Final Guidelines have addressed some of the concerns of the research community regarding the administrative burden imposed on covered institutions by the Draft Requirements, research institutions will still have much to do to ensure they comply with the research security program requirements described in the Final Guidelines and are equipped to track the additional agency-specific requirements as such requirements are developed and finalized, all in advance of the anticipated "go-live" date of January 9, 2027, if not earlier.

Footnotes

1 OSTP, "Memorandum for the Heads of Federal Research Agencies: Guidelines for Research Security Programs at Covered Institutions" (July 9, 2024), https://www.whitehouse.gov/wp-content/uploads/2024/07/OSTP-RSP-Guidelines-Memo.pdf; "White House Office of Science and Technology Policy Releases Guidelines for Research Security Programs at Covered Institutions" (July 9, 2024), https://www.whitehouse.gov/ostp/news-updates/2024/07/09/white-house-office-of-science-and-technology-policy-releases-guidelines-for-research-security-programs-at-covered-institutions/.

2 OSTP, "Request for Information; NSPM 33 Research Security Programs Standard Requirement," 88 Fed. Reg. 14187 (Mar. 7 2023); Subcommittee on Research Security, National Science and Technology Council, Office of Science and Technology Policy, "DRAFT Research Security Programs Standard Requirement" (Feb. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/02/RS_Programs_Guidance_public_comment.pdf.

3 Examining Federal Science Agency Actions to Secure the U.S. Science and Technology Enterprise, Committee on Science, Space, and Technology, 118th Cong. (statement of Arati Prabhakar, Director, White House Office of Science and Technology Policy).

4 "Presidential Memorandum United States Government-Supported Research and Development National Security Policy" (Jan. 14, 2021), https://trumpwhitehouse.archives.gov/presidential-actions/presidential-memorandum-united-states-government-supported-research-development-national-security-policy/.

5 Subcommittee on Research Security and Joint Committee on the Research Environment, "Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government-Supported Research and Development" (Jan. 2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf.

6 CHIPS Act of 2022, Pub. L. No. 117-167, 136 Stat. 1366 (Aug. 9, 2022).

7 U.S. National Science Foundation, "NSF announces Research on Research Security Program" (July 12, 2023), https://new.nsf.gov/news/nsf-announces-research-research-security-program.

8 See U.S. National Science Foundation, "About Foreign Financial Disclosure Report," https://www.research.gov/research-web/content/aboutffd#psm.

9 Under the Draft Requirement, "covered research organization" was defined as "Covered research organizations have received at least $50 million per year in Federal science and engineering support for each of the previous two consecutive fiscal years. Management and Operations (M&O) Contractors are not covered research organizations. Covered research organizations may be single research organizations, such as a university, non-profit educational institutions or non-profit organizations, and are inclusive of the component parts of that research organization (e.g., departments, affiliated research centers, or schools). Covered research organizations do not include interconnected networks of universities (e.g., public university systems)."

10 National Institutes of Standards and Technology, "NIST IR 8481: Cybersecurity for Research: Findings and Possible Paths Forward" (Aug. 31, 2023), https://csrc.nist.gov/pubs/ir/8481/ipd.

11 Id.

12 0Id. at 1.

13 "Covered individual" means an individual who (A) contributes in a substantive way to the scientific development or execution of an R&D project proposed to be carried out with an R&D award from a federal research agency; and (B) is designated as a covered individual by the federal research agency concerned.

14 National Science Foundation, "Research Security Training," https://new.nsf.gov/research-security/training.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.