This message was sent to the University research community on January 18, 2023.
Research security has emerged as a priority for US research institutions receiving sponsored project funds from federal agencies. Research security is a broad term that refers primarily to national security concerns surrounding research involving certain types of sensitive data, intellectual property, export-controlled information, and other risks.
In effort to start to establish more secure, uniform, and transparent processes for funding and conducting federally sponsored research, the White House issued the National Security Presidential Memorandum-33 (NSPM-33) in January 2021, which was followed up in January 2022 with Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government-Supported Research and Development, issued by the White House Office of Science and Technology Policy (OSTP).
OSTP’s guidance specifies how high research activity institutions like Rochester need to establish a research security program. As an original requirement of NSPM-33, any research institution receiving $50 million or more in federal research funding for the previous two fiscal years must establish such a program touching on four main areas of focus: research security training, cybersecurity, foreign travel security, and (as appropriate) export control training.
As one of the nation’s leading research universities, the University of Rochester is expanding its research security program to align with these requirements. The effort is aimed at upholding safety and security in our research endeavors while continuing to foster the open global exchange of ideas.
In the coming months, the University’s Office of the Vice President of Research will be fully developing the components of a robust research security program in collaboration with several other campus units, including the Office for Global Engagement, the Office of Research and Project Administration (ORPA), University IT, and Finance and University Audit.
Review additional information about the University’s Research Security Program below.
Steve Dewhurst, PhD
Interim Vice President for Research
Why is a research security program needed now?
The U.S. government is concerned that some foreign governments do not demonstrate a reciprocal dedication to open scientific exchange, and in some cases increasingly seek to exploit open United States and international research environments to avoid the costs and risks of conducting research. While continuing to recognize the importance and benefits of international research collaboration and the discoveries and innovation that benefit the global community, the US government has indicated that now is the time to strengthen the security of research development in order to protect intellectual capital, discourage research misappropriation, and ensure responsible management of United States tax-funded resources. These actions and strategies are meant to protect federally funded research while still maintaining and encouraging productive collaborations with international researchers.
What is meant by research security training, cybersecurity, foreign travel security and export control training?
- Cybersecurity: Research organizations should apply basic safeguarding protocols and procedures that include providing regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches; limiting information system access to authorized users; controlling any non-public information posted or processed on publicly accessible information systems; and providing protection of scientific data from ransomware and other data integrity attack mechanisms, among additional safeguards.
- Foreign travel security: Research organizations should maintain international travel policies for faculty and staff traveling for organization business, teaching, conference attendance, research purposes, or any offers of sponsored travel that would put a person at risk. These policies should include an organizational record of covered international travel by faculty and staff and, as appropriate, a disclosure and authorization requirement in advance of international travel, security briefings, assistance with electronic device security (smartphones, laptops, etc.), and pre-registration requirements.
- Research security training: Research organizations need to provide training to relevant personnel on research security threat awareness and identification. Research organizations should consider incorporating relevant elements of research security into existing training on responsible and ethical conduct of research for faculty and students. In addition to periodic training, research organizations should conduct tailored training in the event of a research security incident.
- Export control training: Research organizations conducting R&D that is subject to export control restrictions need to provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with federal export control requirements and restricted entities lists.
What steps is the University taking to expand its research security program?
The federal government is to provide standardized technical assistance to support development of training content and programmatic guidelines, tools, and best practices to be made available to organizations for incorporation into research security programs. Additionally, flexibility has been granted for institutions to structure the organization’s research security program to best serve its specific needs, and to leverage existing programs and activities where relevant, provided that the organization implements all required program components.
Currently, the University’s Office of the Vice President for Research already provides information on research security, including in the areas of disclosing research collaborations and travel guidelines. These components will be further built out and added to in the coming months as more guidance is issued by the federal government.
When will these new requirements go into effect?
The federal government will be providing additional guidance on implementation, but we estimate that these requirements will go into effect during the first or second quarter of calendar year 2024.
Where can I go for updated information?
Check back to our Science and Security page, which will be updated as new information is available. Communications will also be broadly distributed about any new requirements of researchers or departments as part of the research security program, including at monthly CLASP meetings for research administrators.