Research Security Resources and Best Practices
Publication Date: May 21, 2024
As stewards of federal funding, institutions of higher education must play a role in protecting the security and integrity of the research enterprise. Maintaining an open and collaborative research environment is critical to fostering research discoveries and innovations that benefit the United States and the world. Simultaneously, this open environment must be balanced by guardrails that protect intellectual capital and prevent deceptive practices, foreign government influence, theft of research data, and unwanted knowledge transfer. Over the past few years, federal agencies have issued multiple guidance documents intended to support ongoing efforts to keep international research collaboration both open and secure.
Federal Agency Guidance
In December 2019, the National Science Foundation (NSF) released a report by the independent science advisory group JASON titled “Fundamental Research Security.” The report identified the need for a robust, coordinated approach to strengthen the integrity and security of the United States research enterprise by highlighting threats to basic research posed by foreign governments, which have taken actions that violate the principles of scientific ethics and research integrity. On January 14, 2021, the National Security Presidential Memorandum-33 (NSPM-33) was issued, which directs a national response intended to improve research security efforts at federal agencies. Approximately one year later, on January 4, 2022, the Office of Science and Technology Policy (OSTP) issued “Guidance for Implementing NSPM-33 on National Security Strategy for United States Government Supported Research and Development” (NSPM-33 Guidance). The NSPM-33 Guidance aims to clarify requirements for federally funded researchers, set best practices at federal agencies to strengthen research security, and offers direction on five major areas of research security addressed by NSPM-33: disclosure requirements and standardization, digital persistent identifiers, consequences for disclosure requirement violations, information sharing, and research security programs at federally funded research institutions.
In March 2023, OSTP requested public comment on the “DRAFT Research Security Programs Standard Requirement” (Draft Memorandum), prepared by the Interagency Working Group on Research Security Programs. The requirement applies to any research organization whose component parts receive at least $50 million in Federal science and engineering support annually in the aggregate. As of March 2024, the final research security program requirements have not been published. However, as per the Draft Memorandum, covered research organizations will need to certify they maintain a research security program which meets the requirements for foreign travel security, research security training, cybersecurity, and export control training. Additionally, they must:
- Maintain a description of the finalized research security program made available on a publicly accessible website, with descriptions of each requirement.
- Designate and provide contact information for a research security point of contact.
- Maintain clear response procedures to address reported allegations of research security non-compliance.
- Report incidents of research security violations to the federal awarding agency or agencies.
- Establish or maintain international travel policies for covered individuals engaged in federally funded research and development (R&D) who are traveling internationally for organizational business, teaching, conference attendance, research purposes, or who receive offers of sponsored travel for research or professional purposes.
- Implement research security training as a component of research security programs.
- Implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D.
- Provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.
The National Institute of Standards and Technology (NIST) released further guidance in August 2023 entitled “Safeguarding International Science Research Security Framework,” which establishes a set of recommended best practices and a methodology for implementing a risk-balanced, institutional research security program that addresses the requirements of NSPM-33. Additionally, the NSF has developed resources to enhance research security practices and implement research security provisions of the CHIPS and Science Act of 2022, including:
- Prohibition of malign foreign government talent recruitment programs where, beginning in May 2024, investigators submitting a proposal for NSF funding will need to certify that they are not part of such a program and the proposing institution will need to certify that they have a means to assess faculty participation in malign foreign government talent recruitment programs.
- The development of research security training modules for covered personnel (i.e., What is Research Security, Disclosure, Manage and Mitigate Risk, and International Collaboration research security training modules) currently available for the research community to use based on their needs.
- Establishment of a research security and integrity information sharing and analysis organization called SECURE to be operational by the end of calendar year 2024 that will develop tools and provide information and services to the research community.
- Establishment of Research on Research Security (RORS) program, where NSF seeks to fund research that will identify attributes that distinguish research security from research integrity, improve understanding of research security risks, provide insight into methods for identifying and preventing research security violations, and develop methods to assess the potential impact of research security threats on the U.S. economy, national security, and the research enterprise.
- The requirement for institutions of higher education that receive NSF funding to report foreign financial transactions, including contracts and gifts, totaling over $50,000 per year from foreign sources associated with countries of concern. The first report is due July 31, 2024.
- Prohibition of NSF funding to universities with Confucius Institutes, effective in 2025.
Research Security Best Practices
As research focused institutions of higher education await the final research security program requirements, institutions should assess their current processes against the research security provisions and guidelines outlined in the aforementioned documents and implement best practices to strengthen and protect the security and integrity of the research enterprise. The Subcommittee on Research Security under the National Science & Technology Council Joint Committee on the Research Environment recommends the following practices for research institutions to effectively address threats to research security and integrity:
- Demonstrate robust leadership and oversight that conveys the importance of research security and integrity.
- Ensure an organizational approach to research security where responsibilities for research security span across the organization.
- Establish research security and integrity working groups and task forces to develop and implement policies and practices.
- Establish and operate a comprehensive research security program that includes elements of cyber security, foreign travel security, insider threat awareness and education, and export control training.
- Establish and administer organizational policies regarding conflicts of interest, conflicts of commitment, and disclosure.
- Require disclosure to the organization of all information necessary to identify and assess potential conflicts of interest and commitment, including affiliations and employment with outside entities, other support and current or pending participation in, or applications to, programs sponsored by foreign governments, including foreign government-sponsored talent recruitment programs.
- Ensure compliance with requirements for reporting foreign gifts and contracts.
- Provide researchers with responsible conduct of research training.
- Promote awareness of circumstances and behaviors that may pose risk to research security and integrity.
- Establish procedures to monitor for noncompliance with organizational policies.
- Establish a centralized review and approval process for evaluating formal research partnerships.
- Establish a risk-based security process for foreign travel review and guidance.
- Develop and deploy requirements for vetting and securely hosting foreign visitors.
- Identify and implement measures to improve data security, internal breach prevention, and incident response processes.
Internal Audit Approach to Mitigate Research Security Risks
Internal audit functions within research focused institutions of higher education can help improve the organization’s research security posture by providing management and the board with independent and objective assurance on governance, risk management, and controls pertaining to research security. This includes assessing the overall effectiveness of the institution’s research security program to ensure compliance with all applicable federal laws, regulations, rules, and directives. Focus areas for internal audit may include:
- Assessing organizational culture and tone at the top relative to research security priorities and directives.
- Reviewing the results of risk assessments performed to assess the sensitivity of the institution’s research, including risks of theft, espionage, or foreign influence.
- Evaluating the institution’s research security program against the NIST Safeguarding International Science Research Security Framework.
- Comparing conflict of interest and commitment disclosures for key personnel to investigator certification questionnaire responses obtained during the proposal submission process to identify undisclosed appointments or affiliations with foreign institutions.
- Assessing compliance with institutional policies (i.e., foreign travel, other support, export controls, visitors, intellectual property, or code of conduct).
- Assessing compliance with institutional training requirements (i.e., conflict of interest and commitment, responsible conduct of research, export controls, electronic device security, research security, disclosure, risk mitigation, and international collaboration)
- Conducting searches of open-source information to identify any key risk indicators for research associate appointments, including participation in a foreign talent or malign foreign talent recruitment program.
- Reviewing research data handling, storage, and protection practices to ensure compliance with encryption protocols, data protection regulations, and privacy requirements.
- Assessing compliance with reporting requirements for foreign gifts and contracts.
- Evaluating the sufficiency of the institution’s incident response plan, communication protocols, and recovery procedures.
Council on Governmental Relations
In addition to guidance provided by federal agencies, the Council on Governmental Relations (COGR), an association of research universities, affiliated medical centers, and independent research institutes, has developed a Science and Security webpage to provide resources and analysis to assist member institutions in navigating requirements in this area. The webpage provides links to statues, regulations, and other sources of legal requirements related to science and security, including links to federal research agency policy and guidance. Two recently updated COGR publications contain useful information regarding federal research security requirements:
- “Quick Reference Table of Current & Upcoming Federal Research Security Requirements”
- “COGR Matrix of Science & Security Laws, Regulations, and Policies”
Final Thought
As the timeline for issuance of final research security program requirements is uncertain, research focused institutions of higher education should continue to engage with institutional leaders to determine how the new requirements may impact current processes and procedures and ensure appropriate steps are taken to protect the security and integrity of the research they conduct.
About the Author
From This Issue
- Letter from the Editor
- Letter from the President
- Agile Auditing: Three Pillars for Effective Implementation
- ACUA Committee Updates
- How Did ACUA Begin?
- Tips for New Internal Auditors
- On the Merits of Subtraction, a Discussion of Audit Documentation
- Emerging Risks of Higher Education that Auditors Need to Know
- New Global Internal Audit Standards Released