This article is published in the August 2023 issue.

NSF Releases Guidelines for Research Security Analytics Practices

By Brian Mosley, Associate Director, Government Affairs

At the end of June the National Science Foundation released their long-anticipated guidelines covering their internal guidance for research security data-related practices. In their announcement, NSF said these, “guidelines are one of several NSF activities demonstrating that the principles of open science can align with research security standards.” The guidelines were released on the website of the Office of Chief of Research Security Strategy and Policy (OCRSSP).

Research Security, defined by NSF as, “safeguarding of the U.S. enterprise against the misappropriation of research and development,” has become an issue of importance in government circles, particularly in Congress, over the past few years. Several parts of the Federal Government have taken steps to counter threats, and perceived threats, from foreign adversaries, with China, Russia, North Korea, and Iran being the main countries of concern. There are several examples of these efforts, such as the Department of Justice now shuttered “China Initiative;” several pieces of legislation, such as the Chips and Science Act, passed by Congress directing Federal research agencies to develop policies and procedures to combat these threats; and in the closing days of the Trump Administration, National Security Presidential Memorandum 33 (NSPM-33), directing OSTP to develop guidance to clear up conflicts of interest, so research agencies know where researchers are receiving support, while also providing a framework of penalties for deliberate noncompliance or evasion of these requirements. Much of these efforts are directed at the Chinese central government, who is seen as both the main geopolitical rival to the United States and a country engaged in exfiltration of US taxpayer funded research efforts and findings.

Hence NSF’s research security announcement. The guidelines prohibit NSF program officers from engaging with principal investigators (PIs) directly on any research security matters. Instead, NSF staff are required to forward any concerns to the OCRSSP, who will look into the discrepancies. As well, OCRSSP will not engage directly with PIs; instead, they will engage with the PI’s institution (Section 6.2, page 10). Within the document, NSF makes a point that OCRSSP’s use of these analytics are designed only to identify, “potential compliance inconsistencies,” and are not actual “investigations.” Investigations are considered part of the Office of Inspector General’s (OIG) mission and are more serious. There is particular emphasis that “human oversight” (Section 10, page 15) is present at all levels of analysis and must be well documented; “no information on individuals may be reported and no adverse action may be taken based solely on a potential inconsistency without human verification of the matching criteria.” Finally, in Section 8 (page 12), which covers permissible and prohibited practices, OCRSSP staff are not allowed to make inquiries that are, “explicitly or implicitly designed to return the identities of individuals of a specific national origin or racial identity.” There are several examples included in Section 8 on prohibited practices.

It appears that NSF has struck a careful balance with their guidelines. It restricts activities between NSF and the institutions, sparing PIs from dealing with NSF directly or with a heavy-handed OIG investigation, while being very clear on permissible and prohibited practices by OCRSSP and NSF program staff. The prohibition on broad racial, ethnic, or citizenship searches should satisfy a key concern about the agency’s research security efforts (ie: that they could easily be fueled by racial or ethnic profiling), while also keeping humans in the loop for oversight. In practice, how the research community responds to these new practices will depend on how OCRSSP staff conduct themselves in clearing up the discrepancies they find. But it appears, at the moment, that the right guardrails are in place. CRA will continue to monitor the situation and keep tabs on how the other research agencies roll out their research security plans in the near future.