Dear colleagues,
In January 2023 and October 2023, I shared information regarding the University’s research security program. Below are some new updates regarding federal mandates that will inform the continuing evolution of the University’s research security program.
Regards,
Steve
Steve Dewhurst, PhD
Vice President for Research
Guidelines for Research Security Programs at Covered Institutions
Only July 9, 2024, the Office of Science and Technology Policy (OSTP) issued Guidelines for Research Security Programs at Covered Institutions (the Guidelines). The Guidelines require that certain research institutions (including the University) certify to federal funding agencies that the institution has established and operates a research security program, that includes specific elements relating to: (1) cybersecurity; (2) foreign travel security; (3) research security; and (4) export control – as outlined in more detail below.
A key aspect of the Guidelines is that they also specify that “covered individuals” (see “Definitions”) will be required to take new trainings that relate to these core elements.
Fortunately, the University has some flexibility in terms of how we can provide those trainings. The Office of the Vice President for Research, together with other University stakeholders, will therefore review and evaluate applicable training modules made available by federal agencies, as well as other training options that may be available or developed (e.g., thru CITI). The goal of this effort will be to identify materials that deliver quality educational training on the subject matter in a format that does not add unnecessary burden on our faculty.
Cybersecurity:
The University is required to implement a cybersecurity program consistent with a “cybersecurity resource for research institutions” within one year after the National Institute of Standards and Technology (NIST) of the Department of Commerce Information Security publishes the requirements for that cybersecurity resource.
- What Happens Next: Earlier this year, members of Information Security, in conjunction with University IT, ISD and Office of Research IT, began to contact University departments and units that conduct federally funded research to inventory the types of equipment and devices used in their federally funded research. To best position researchers and departments to comply with the future NIST cybersecurity program requirements, these Security and IT teams will continue this inventory process. The University will implement the required cybersecurity program elements within one year after NIST publishes the cybersecurity resource.
- How This Impacts You: Depending on the cybersecurity program requirements that NIST ultimately publishes, the University and departments may be required to update security practices to achieve compliance. Our focus will be to meet the cybersecurity program requirements in a way that minimizes any negative effects on research, and this process may indeed optimize research IT infrastructure across University schools.
Foreign Travel Security:
The University must implement periodic training on foreign travel security to covered individuals engaged in international travel.
Also, the University must implement a travel reporting program, to include an organizational record of international travel, for covered individuals participating in research and development awards when a federal research agency has determined that security risks warrant travel reporting. Please note that our current understanding is that such a determination will be specifically included in the terms of the award (i.e., in the federal agency’s Notice of Award, NOA or contract), however, it remains to be seen whether federal research agencies will incorporate this travel reporting requirement as a standard award term.
- What Happens Next: Once the training materials/requirements are made available by a federal research agency, the University will implement periodic training on foreign travel security to covered individuals within one year. In parallel, we will review our processes to ensure that researchers are aware of when the terms of a specific federal award require travel registration. Finally, the University will also review its travel policies and procedures to ensure that covered individuals register their travel in the University’s travel registration system, when the terms of an award require this.
- How This Impacts You: Moving forward, you may be required to take periodic training on foreign travel security and to register your travel in the University’s travel registration system.
Research Security Training:
The University is required to implement a research security training program for all covered individuals, and to ensure that each covered individual completes such training.
- What Happens Next: The University will implement periodic training on research security as required by the federal agencies.
- How This Impacts You: Moving forward, you may be required to complete research security training.
Export Control Training:
The University must ensure that covered individuals who perform research and development involving export-controlled technologies complete training on U.S. export control and compliance requirements.
- What Happens Next: The University will implement periodic training on export control and compliance as required by the federal agencies.
- How This Impacts You: Moving forward, you may be required to complete export control training.
Timeline:
Within six months of July 9, 2024, federal research agencies are required to submit their plans to OSTP for updating their research security policies to include the elements specified in the Guidelines. These updated policies will go into effect no later than six months after they have been submitted and finalized.
The Guidelines state that federal research agencies should ensure that covered institutions have adequate time, but not more than 18 months after the effective date of their plans, to implement the requirements of the Guidelines.
Definitions:
“Covered Individual” means: an individual who (a) contributes in a substantive, meaningful way to the scientific development or execution of a research and development project proposed to be carried out with a research and development award from a Federal research agency; and (b) is designated as a covered individual by the Federal research agency concerned.
In practical terms, the vast majority of University faculty/investigators (PI, co-PI, Senior Scientist, etc.) who are conducting research efforts under a federal award are considered “covered individuals” under this definition.
For More Information:
The Office of the Vice President of Research (OVPR) will publish additional information on the research security program requirements as it becomes available. The OVPR website also provides other resources on research security matters.