White House Issues New Security Rules for Government-Funded Research

The White House published long-awaited guidelines this month that will govern efforts to ensure research institutions funded by federal agencies take adequate measures to protect their work from theft or misappropriation. 

The guidelines will require institutions receiving $50 million or more per year in federal R&D funding to operate research security programs that meet certain standards regarding staff training and cybersecurity.

The programs must cover four main areas:

• Research security training: Covered institutions must certify that they have implemented a broad security training program for researchers, with individuals taking either the training modules developed by the National Science Foundation, future training programs developed by federal agencies, or training developed internally. The training must include examples of “known improper or illegal transfer” of R&D while also conveying the value of international collaboration in research.
• Foreign travel security: Covered institutions must implement periodic training for researchers who travel internationally. Institutions must also report where researchers travel in cases where agencies deem the security risks of foreign travel warrant monitoring. The government has not yet created a training resource for international travel but plans to do so.
• Export control training: Researchers who participate in projects that involve export-controlled technologies must complete training developed by the Commerce Department’s Bureau of Industry and Security or training developed internally that covers specific topics.
• Cybersecurity: Covered higher education institutions must implement a cybersecurity program consistent with a forthcoming resource developed by the National Institute of Standards and Technology. Other covered institutions must certify that their programs are consistent with relevant cybersecurity guidelines published by NIST or another federal research agency. 

The guidelines are meant to help researchers navigate a world that is characterized by “fierce military and economic competition,” explained White House Office of Science and Technology Policy Director Arati Prabhakar in a preamble to the document, singling out actions by the Chinese government as especially concerning. Prabhakar said the guidelines aim to ensure research institutions “recognize the altered global landscape and fulfill their responsibilities as the first line of defense against improper or illicit activity.” 

“We know that members of the R&D community are still acclimating to the changes in geopolitics,” Prabhakar added. “Many of the actions that researchers were encouraged to undertake only a decade ago, including collaborations with the People’s Republic of China, are now being recognized for the risks they may present. This is why we must be clear with the research community about how the world has changed; how the policies and practices of foreign countries of concern differ from those of the U.S. R&D enterprise and the values that sustain our system; and the ways that some of the results from U.S. R&D can contribute to human rights abuses, surveillance, and military aggression.” 

Federal agencies now have six months to submit their implementation plans to OSTP and the Office of Management and Budget, with their final policies taking effect no more than six months later. Institutions will have up to 18 months to comply. 

OSTP produced the guidelines in response to a presidential memorandum on research security issued at the end of the Trump administration and carried forward by the Biden administration. The guidelines also address certain requirements of the CHIPS and Science Act.

OSTP received criticism from Congress for how long it has taken to produce the final guidance, given that it published the draft version in February 2023. Prabhakar explained to Congress earlier this year that the delay stemmed from a desire to consider public feedback on the draft that raised concerns that the requirements initially proposed would overburden administrators and researchers. 

The final guidance drops some requirements included in the draft version. For example, the draft would have directed institutions to implement an “authorization” process for foreign travel. The final version also adds flexibility to the research security and export control training requirements.

Tobin Smith, senior vice president for government relations and public policy at the Association of American Universities, said the final guidelines are much improved from the draft but he still worries there could be a lack of uniformity in how federal agencies implement the guidelines.

“This is much better than what we saw in February 2023, we have much fewer concerns. It provides a great deal of flexibility to our institutions, which we appreciate,” Smith said in an interview. “My only worry is that, instead, agencies will now use that flexibility to add their own additional requirements on, and that will make it hard for our institutions to comply and more costly and burdensome if we end up in a situation where there isn’t harmonization.”

The guidelines permit additional security requirements to be implemented in cases involving “compelling agency-specific reasons,” among other situations. OSTP asks agencies to consider whether any additions would address “an observed or known improper or illegal transfer of U.S. government-supported R&D to foreign countries of concern,” defined by the CHIPS and Science Act as China, Russia, Iran, and North Korea. It also asks them to assess whether the additional requirements would be “substantially burdensome to the covered institution, particularly the least well-resourced covered institutions,” and whether they would require supplemental funds to implement.