NSF Announces New TRUST Research Security Risk Management Framework


Last week, the National Science Foundation announced the Trusted Research Using Safeguards and Transparency (TRUST) research security risk management framework. This is the latest step the agency has taken to safeguard NSF-funded research projects and to identify “potential undue foreign influence in NSF-funded projects.” The agency also launched several research security training modules earlier this year, and last year released its research security data analytics processes.

Research security – the safeguarding of the US’s research enterprise against the misappropriation of research, related violations of research integrity, and foreign government interference – has been a topic of concern to lawmakers in Washington for the past several years. Longtime readers of the Policy Blog will recall National Security Presidential Memorandum – 33 (NSPM-33), which was released in the final days of the Trump Administration, and the subsequent guidance from OSTP on implementation of that memorandum. The topic also featured prominently in the House China Committee’s recent report on resetting the US-China relationship and was a major policy focus in the CHIPS and Science Act of 2022, the last major piece of science legislation that Congress passed into law.

With regard to the TRUST framework, NSF has tried to craft a system that balances “mitigating risks to the integrity and security of NSF-funded research” with “respecting the science” and “finding ways to get to ‘yes’” on funding research proposals. To that end, the agency has developed a three-branch decision tree. The first branch is “focused on assessing active appointments, positions, and research support,” while the second focuses “on identifying instances of nondisclosure.” Research projects moving through these first two branches will follow similar paths, with members of NSF’s research security office analyzing proposal submissions and other data to flag potential concerns. The agency will then assess whether any proposals warrant engagement with a PI’s institution to “gather additional information and consider whether risk mitigation and management may be required.”

The third branch of the risk management framework involves the convening of a “Research Security Review Team.” These review teams will be:

made up of 5-6 members…comprised of relevant NSF program office staff, OCRSSP staff, NSF subject matter experts, and (as needed) other U.S. Government national security experts who will serve as observers and provide guidance.

The Review Team will review the analyses from the first two branches and assess potential national security concerns. If the Review Team determines that there is sufficient national security risk associated with the research project, or if they confirm a concern raised in the first two criteria, NSF staff and the awardee institution will work collaboratively to gather additional information. According to NSF, this is a significant new effort by the agency and fulfills several Congressional mandates passed into law.

Decision tree of the three branches of NSF's Trusted Research Using Safeguards and Transparency, or TRUST, research security risk management framework.

Finally, NSF plans a staged rollout of the risk framework over the next several fiscal years. The first stage of the rollout will start in Fiscal Year 2025 (which begins on October 1st, 2024) and will cover quantum-related proposals after they undergo merit review. The second stage will focus on “implementing lessons learned from the quantum pilot” and will “explore the need for making policy updates, including to the Proposal Awards Policy and Procedures Guide (PAPPG).” The second stage will also expand the pilot to include other CHIPS and Science Act key technology areas (which technology areas are not specified in the memo). The third and final stage of the pilot will focus on “scaling up and streamlining the review process” and expanding the scope of projects to include all CHIPS and Science Act key technology areas. Stages two and three should be implemented in subsequent fiscal years.

NSF is continuing to work with its community of researchers to refine its research security plans and approaches. To that end, the agency has set up Q&A webinars for members of the community to speak with NSF staff. It has also set up a dedicated email address to field questions from the NSF community: trust@nsf.gov.

This is likely not the last action that NSF, or other federal research agencies, will take with regard to research security. CRA is continuing to monitor this topic for new developments and announcements from throughout the Federal government and will report them to the community. We will also continue to make sure the needs of the researcher community for a fair, open, and transparent research system are balanced against any research security action by the Federal government.
