OSTP Releases Research Security Memo to Research Agencies; Begins Implementation Timeline
By Brian Mosley, Associate Director of Government Affairs
Last month, the Office of Science & Technology Policy (OSTP) released their long-expected memo on “Guidelines for Research Security Programs at Covered Institutions.” This memo is the latest action taken by OSTP to implement the requirements in National Security Presidential Memorandum 33 (NSPM-33) and certain provisions of the Chips and Science Act. The purpose is also to, “make sure that institutions of higher education and other research institutions recognize the altered global landscape and fulfill their responsibilities as the first line of defense against improper or illicit activity,” from nation-states and actors.
The memorandum defines a “covered institution” as an organization that is “both an institution of higher education, FFRDC, or a nonprofit research institution,” and receives in excess of $50 million per year from the federal government. The memo is then broken into two parts, which correspond to the requirements of covered institutions and the standard requirements of their research security programs, and federal research agencies’ responsibilities and principles for implementation.
In the first part for covered institutions, there are four standard requirements for an institution’s research security program to contain:
- Cybersecurity – Requires that institutions of higher education institute a cybersecurity program, “consistent with the cybersecurity resource for research institutions,” within one year after NIST publishes the resource. Non-institutions of higher education are required to certify that they will implement a cybersecurity program, “consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency.”
- Foreign travel security – Requires periodic training (at least once every six years) on foreign travel security for covered individuals, “engaged in international travel, including sponsored international travel, for organization business, teaching, conference attendance, or research purposes.” Also requires covered institutions to implement a travel reporting program, “for covered individuals participating in R&D awards when a federal research agency has determined that security risks warrant travel reporting in accordance with the terms of an R&D award.”
- Research security training – Institutions are required to implement a research security training program, “for all covered individuals to address the unique needs, challenges, and risk profiles of covered individuals and to certify that the institution ensures that each such covered individual completes such training.” There is some flexibility given to institutions here, as it allows them to use NSF’s training modules or certify that covered researchers have completed a program with similar components.
- Export control training – Requires covered institutions to certify that they require, “covered individuals who perform R&D involving export-controlled technologies, to complete training on U.S. export control and compliance requirements.” Again, some flexibility is provided here, allowing institutions to use the training offered by the Bureau of Industry and Security of the Department of Commerce, Directorate of Defense Trade Controls at the Department of State, or a training program with similar components.
In the second part of the memo, there are six responsibilities and principles that research agencies are expected to adhere to:
- Non-discrimination – Agencies are to ensure that the research security program requirements they impose, “do not result in targeting, stigmatization, or discrimination against individuals on the basis of race, color, ethnicity, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age (40 or older), disability, or genetic information (including family medical history).” There is also a stipulation that agencies require covered institutions to certify that they have implemented safeguards, “to protect the rights of researchers, students, and research support staff or otherwise comply with such requirements.”
- Flexibility – Agencies are to allow covered institutions, “to structure their research security program to best serve the institution’s particular needs and to leverage existing programs and activities where relevant, provided that the institution implements all required program components.”
- Mechanism for certifications – Requires agencies to provide, “a written or electronic attestation to a federal research agency that the covered institution has met relevant research security program requirements.”
- Reducing administrative burdens – In developing their research security program requirements, agencies are expected to, “minimize administrative burden on covered institutions and covered individuals.” Additionally, agencies should encourage, “covered institutions to minimize administrative burden on covered individuals.” There is also a specific call-out to be mindful of the administrative burden for less-resourced institutions, with EPSCoR, HBCU, and MSI institutions specifically cited.
- Minimizing impact to smaller institutions – Straight from the memo: “Federal research agencies should avoid disadvantaging non-covered institutions during the award process in order to facilitate broad participation in the federal R&D enterprise.”
- Additional requirements for the agency’s mission/community – NSPM-33 permits agencies to develop additional requirements for their specific mission and community. The memo limits agencies to cases where, 1) policies are required by “statute, regulation, or executive order,” 2) more protections are needed for R&D that involves, “classified information, technologies subject to Export Administration Regulations, or otherwise legally protected matters,” or 3) “other compelling agency-specific reasons” which are consistent with the law or the agency’s mission.
Finally, the memo begins the implementation timeline for these requirements. Agencies have six months to submit their plans to OSTP and OMB for the purposes of updating their policies, “to ensure this guidance is reflected in the Research Security Programs Standard Requirements of each federal research agency.” The updated policies are expected to go into effect six months after OSTP and OMB sign off on the plans. Agencies are then required to make sure covered institutions have adequate time to implement their research security programs. However, institutions must have their programs up and running no more than 18 months after the effective date of the agencies’ plans. Put another way, the community has no more than two and a half years to start up their research security programs, at which point those programs start impacting researchers directly.
There are several ways of looking at this document. From a positive perspective, the memo itself is quite reasonable and has no real surprises in it. OSTP and the federal research agencies have telegraphed their actions for the past several years on this topic. The policies set out in the memo provide plenty of lead time for the research community to implement the requirements. As an example, NSF has steadily rolled out its research security actions over the last two years, from data analytics practices, to training modules, to its TRUST risk management framework. The other agencies have done the same or will start taking similar actions.
From another perspective, these requirements will start impacting researchers directly, particularly at universities, very soon. Research security programs are here to stay, and the research community should take these requirements seriously. For more context on the complexities of this topic, in February, several research agencies went before the House Science Committee and spoke about the challenges of implementing these policies and the trepidation coming from their individual communities. Little has changed in the intervening months, except that the policies are now on the path to implementation.