Research Security Program Guidelines Have (Finally) Arrived
On July 9, 2024, the White House Office of Science and Technology Policy (OSTP) released the long-awaited “Guidelines for Research Security Programs at Covered Institutions” (the Guidelines). The Guidelines are intended to assist federal agencies in their efforts to implement certification requirements for “Covered Institutions” intended to ensure that such institutions have “established and operate” Research Security Programs (RSPs) addressing four specific areas, each of which is discussed below.
The Guidelines explain that they are “intended to be consistent with ‘Presidential Memorandum on United States Government-Supported Research and Development National Security Policy’ (January 14, 2021) (NSPM-33)[1] and ‘relevant portions of the CHIPS and Science Act.’”[2] While the Guidelines do provide helpful clarification of the impending RSP requirements, they leave some important open questions unanswered, and also introduce some new areas of uncertainty, particularly when it comes to cybersecurity.
1. Who is covered?
The Guidelines define a “covered institution” by explaining that:
a participant in the U.S. R&D enterprise is a “covered institution” if and only if (A) it is an institution of higher education, a federally funded research and development center (FFRDC), or a nonprofit research institution; and (B) it receives in excess of $50 million per year, in fiscal year 2022 constant dollars, under (1) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions; or (2) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development.
Notably, the Guidelines “encourage” federal agencies to impose research security obligations for non-covered institutions that meet the funding requirements in Part B of the definition quoted above.
Covered Institutions will be required to certify that their RSPs address (i) cybersecurity, (ii) foreign travel security, (iii) research security training and (iv) export control training. What the Guidelines do not, however, do is provide the specific certification language, which will likely matter significantly from the perspective of assessing institutional risk under the False Claims Act.
2. RSP Elements
a. Cybersecurity
The Guidelines explain that institutions of higher education will be required to:
certify that the institution will implement a cybersecurity program consistent with the cybersecurity resource for research institutions described in the CHIPS and Science Act, within one year after the National Institute of Standards and Technology (NIST) of the Department of Commerce publishes that resource.
The National Institute of Standards and Technology (NIST) published an initial draft of the “resource” in August 2023, NIST Interagency Report 8481 “Cybersecurity for Research: Findings and Possible Paths Forward.” The draft NIST resource is, however, written at a very high level that does not include specific requirements. Covered Institutions that are not institutions of higher education will have to comply with another NIST resource or a resource maintained by some other research agency. The Guidelines do not identify that resource.
In short, the scope of RSP cybersecurity requirements remains far from clear. For example, prior drafts of the Guidelines set forth specific cybersecurity protocols and procedures that were roughly consistent with Federal Acquisition Regulation 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems.” The introduction of new questions and uncertainty in the cybersecurity area is a significant disappointment. Cybersecurity is a challenging area for many universities and research institutions, in part because of their decentralized nature. As reflected in recent False Claims Act settlements, it is also a hot enforcement area. Additional guidance on this component of an RSP would have been quite helpful to the research community.
b. Foreign Travel Security
The Guidelines address two elements of foreign travel security. The first is a requirement that Covered Institutions certify that they will provide foreign travel security training to Covered Individuals who are engaged in international travel, which is described as including “sponsored international travel, for organizational business, teaching, conference attendance, or research purposes.”
The Guidelines use the CHIPS and Science Act definition of a Covered Individual, which provides that:
The term “covered individual” means an individual who—
(A) contributes in a substantive, meaningful way to the scientific development or execution of a research and development project proposed to be carried out with a research and development award from a Federal research agency; and
(B) is designated as a covered individual by the Federal research agency concerned.
42 U.S.C. § 19237(1). The training will have to be implemented within one year of a foreign travel security training resource being made available by a federal research agency and Covered Individuals will have to take the training at least once every six years.
The second element of the travel certification calls for a “travel reporting program,” which must include an “organizational record of international travel, including sponsored international travel, for organization business, teaching, conference attendance, and research purposes” by Covered Individuals when the sponsor determines that security risks warrant a reporting obligation. This is likely going to be a challenging area for the research community because of the breadth of the requirement, buy-in needed from researchers who will have to dutifully use a required travel system or share their travel records, and the institutional discipline that will be required to obtain and maintain the required records.
The Guidelines also leave open some key questions, including among others whether the organizational record reaches travel that is outside the scope of an individual’s appointment, e.g., consulting. It is also open to debate whether the examples are the only types of travel that would have to be reported or whether they are merely illustrative; for example, is personal travel subject to reporting?
c. Research Security Training
Here too there are two elements of the certification. First, Covered Institutions will be required to certify that they have implemented a research security training program that will be made available to Covered Individuals and that will address their “unique needs, challenges and risk profiles.” The institution will also have to certify that it ensures that its Covered Individuals take the required training. Institutions will be permitted to meet the training requirement in one of two ways: (1) through use of the National Science Foundation-developed training modules (or successor trainings); or (2) through modules developed in-house or by a third-party so long as the modules include specific examples of problematic behavior and stress the importance of U.S. researchers collaborating globally.
d. Export Control Training
Covered Individuals engaged in research and development work that involves export-controlled technology must complete export control and compliance training and the institution must certify that they have done so. The training element is met either through completion of “relevant” trainings from the Bureau of Industry and Security of the Department of Commerce or completion of other training covering (i) export control and compliance requirements, and (ii) requirements and processes for reviewing foreign sponsors, collaborators, and partnerships.
3. Implementation Timeline
The Guidelines explain that within six months of their promulgation, federal agencies are expected to provide OSTP and the Office of Management and Budget (OMB) their plans to update their policies to reflect the Guidelines. Updated policies will then take effect six months after the plans are provided to OSTP and OMB. Covered Institutions will then have no more than 18 months after the agency plans go into effect to comply with the policies implementing the Guidelines. Assuming that schedule remains in place, we are unlikely to see any of these requirements in effect any sooner than mid-2026.
4. Standardization, or Not . . .
While the Guidelines discuss standardization of RSPs across the government, they also contemplate agency-specific “additional requirements” and indeed include guidance on when those may be appropriate, namely when:
- Policies are required by statute, regulation or executive order or other executive action.
- More stringent protections are necessary for protection of research and development (R&D) that includes classified information, technologies subject to Export Administration Regulations or otherwise legally protected matters.
- There are other compelling agency-specific reasons consistent with legal authorities and missions of an individual federal research agency and in coordination with the Director of OSTP.
When considering whether to impose additional requirements, the Guidelines instruct agencies to, among other factors, consider whether their goal can be met on an award-specific basis and if the requirement mitigates “a clear and describable risk related to an observed or known improper or illegal transfer of U.S. government-supported R&D to foreign countries of concern.” Perhaps because the Guidelines focus on reducing administrative burden, they reference the possibility of the agency providing “supplemental funds” to cover associated compliance costs.
[1] “Presidential Memorandum on United States Government-Supported Research and Development National Security Policy.” The White House (January 14, 2021).
[2] Pub. L. 117-167 §10634, 42 U.S.C. §19234.