Research NewsletterIssue: ORN-2024-32

OSTP Releases Research Security Memo to Research Agencies; Begins Implementation Timeline

The Office of Science & Technology Policy (OSTP) released their long-expected memo on “Guidelines for Research Security Programs at Covered Institutions.” This memo is the latest action taken by OSTP to implement the requirements in National Security Presidential Memorandum 33 (NSPM-33) and certain provisions of the Chips and Science Act. The purpose is also to, “make sure that institutions of higher education and other research institutions recognize the altered global landscape and fulfill their responsibilities as the first line of defense against improper or illicit activity,” from nation-states and actors.

The memorandum defines a “covered institution” as an organization that is both, “both an institution of higher education, FFRDC, or a nonprofit research institution,” and receives in excess of $50 million per year from the federal government. The memo is then broken into two parts, which correspond to the requirements of covered institutions and the standard requirements of their research security programs, and federal research agencies’ responsibilities and principles for implementation.

In the first part for covered institutions, there are four standard requirements for an institution’s research security program to contain:

• Cybersecurity – Requires that institutions of higher education institute a cybersecurity program, “constituent with the cybersecurity resource for research institutions,” within one year after NIST publishes the resource. Non-institutions of higher education are required to certify that they will implement a cybersecurity program, “consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency.”
• Foreign travel security – Requires periodic training (at least once every six years) on foreign travel security for covered individuals, “engaged in international travel, including sponsored international travel, for organization business, teaching, conference attendance, or research purposes.” Also requires covered institutions to implement a travel reporting program, “for covered individuals participating in R&D awards when a federal research agency has determined that security risks warrant travel reporting in accordance with the terms of an R&D award.”
• Research security training – Institutions are required to implement a research security training program, “for all covered individuals to address the unique needs, challenges, and risk profiles of covered individuals and to certify that the institution ensures that each such covered individual completes such training.” There is some flexibility given to institutions here, as it allows them to use NSF’s training modules or certify that covered researchers have completed a program with similar components.
• Export control training – Requires covered institutions to certify that they require, “covered individuals who perform R&D involving export-controlled technologies, to complete training on U.S. export control and compliance requirements.” Again, some flexibility is provided here, allowing institutions to use the training offered by the Bureau of Industry and Security of the Department of Commerce, Directorate of Defense Trade Controls at the Department of State, or a training program with similar components.

_______________________________

NSF Research Security Training

The National Science Foundation launched four new interactive online research security training modules. Stipulated in the Chips and Science Act of 2022, the purpose of these training modules is to, “facilitate principled international collaboration in an open, transparent and secure environment that safeguards the nation’s research ecosystem.” The training modules are now available for researchers and institutions across the country and will help the research community understand and get a better handle on this issue.

The U.S. National Science Foundation, in partnership with the National Institutes of Health, the Department of Energy and the Department of Defense, is sharing online research security training for the research community.  This training provides recipients of federal research funding with information on risks and threats to the global research ecosystem — and the knowledge and tools necessary to protect against these risks.

Take the research security training

Take the training directly from your browser. Visit the four training modules at the links below.

• Each module should take about 60 minutes to complete.
• You can leave a module and return without losing progress from this browser.
• When you complete the module, you can download or print a completion certificate, but the module will not save a record of your training.

Module 1: What is Research Security?

Learn key concepts of research security and how to recognize situations that may indicate undue foreign influence. Understand the regulatory landscape that shapes research security and discover what you can do to safeguard the core values that underpin U.S. academic research.

Module 2: Disclosure

Learn about federal funding agency disclosure requirements, including types of information that must be disclosed, how that information is used, and why such disclosures are fundamental to safeguarding the U.S. research enterprise from foreign government interference and exploitation. 

Module 3: Manage and Mitigate Risk

Learn to identify types of international collaborative research and professional activities, associated potential risks, and strategies and best practices for managing and mitigating such risk. Learner experience will be customized based on their role as either a researcher or administrator.

Module 4: International Collaboration

Learn about the role of principled international collaboration in U.S. science, innovation and economic competitiveness. Discover how to balance principled international collaboration with research security concerns, as well as how to foster an open, welcoming research environment that fulfills research security needs.

Why the Research Security Training Required:

Research security training is listed as one of four elements of a Research Security Program required by National Security Presidential Memorandum 33, issued on Jan. 14, 2021, to safeguard our research ecosystem. The "CHIPS and Science Act of 2022," Section 10634, codifies the requirement for research security training for federal research award personnel in public law.

NSF: Planning Grants to Create Artificial Intelligence (AI)-Ready Test Beds; NSF Graduate Research Fellowship Program (GRFP)

NIH: Revolutionizing Innovative, Visionary Environmental Health Research (RIVER) (R35); Tissue Chips in Space 2.0: Translational Multi-Organ Tissue Chip Systems for Drug Efficacy, Toxicity Testing, and Personalized Medicine in Human Health, Aging and Associated Diseases (UG3/UH3)

Department of Defense/US Army/DARPA/ONR: Machine learning and Optimization-guided Compilers for Heterogeneous Architectures (MOCHA); Department of Defense Research and Education Program for Historically Black Colleges and Universities and Minority-Serving Institutions (HBCU/MI); DoD Combat Readiness - Medical, Translational Research Award

Department of Energy: Offshore Wind National and Regional Research and Development; Smart Manufacturing Technologies for Material and Process Innovation

NASA: MUREP Earth System Science Research (MUREP ESSR)

National Endowment of Humanities: Spotlight on Humanities in Higher Education; Humanities Connections; Summer Stipends

White House roadmap looks to guide emerging tech standardization: The Biden administration released a new roadmap to guide the implementation of emerging technology systems within the federal government on Friday in an effort to synchronize standards development with private industry partners.  The guidance is tailored to helping deploy the four key objectives introduced in the May 2023 National Standards Strategy for Critical and Emerging Technology –– increasing investment; broadening participation; enhancing the workforce; and sustaining integrity and inclusivity –– and looks to offer concrete guidance for the government to work with the private sector in collaborating on standards development.

Based on a request for information and other stakeholder engagements, the roadmap lays out both short- and long-term efforts to implement the strategy’s provisions. Short-term actions the government plans on taking to begin standardization processes focus internally. These include identifying opportunities for pre-standardization research and development; tracking existing education grants and programs for emerging technology standards; and evaluating current international agreements and mechanisms for standards cooperation.

On the long-term side, the roadmap sets nine steps for the federal government to take: enhance coordination across the federal government; enhance coordination with the private sector; enhance coordination with foreign governments; recognize and incentivize federal agency engagement; provide strong and sustained funding for critical and emerging technology R&D and pre-standardization coordination; engage academia as a critical partner; enhance educational efforts; develop and sustain communications; and remove barriers to participation. These efforts focus on consolidating standardization efforts between agencies and bringing private sector partners into play as well.

The roadmap looks to standardize emerging technologies like artificial intelligence, quantum information sciences, digital identity infrastructure, semiconductors, telecommunications, and more. More information is posted on the NextGov website.

_______________________________

Senate panel advances cyber regulatory harmonization bill: A Senate panel advanced a forerunner cybersecurity regulatory overhaul bill on Wednesday aimed at synchronizing federal-level cybersecurity laws. The Streamlining Federal Cybersecurity Regulations Act, helmed by Sens. Gary Peters, D-Mich. and James Lankford, R-Okla., advanced out of the Homeland Security Committee in a 10 to 1 vote. It would create an interagency group in the White House’s Office of the National Cyber Director focused on harmonizing U.S. cyber regulatory regimes and establish a pilot program to test new regulatory frameworks. Academics and officials have touted the Biden administration as a strong player in U.S. cybersecurity policy, which has aimed to stick private firms with requirements that force them to be more transparent and responsive about neverending cyberattacks. But industry feedback has said requirements like notification deadlines and other procedures create cost and time burdens because of inconsistencies or duplicate rules.  Many of the regulatory mainstays were ushered in by a sweeping national cybersecurity strategy implementation plan first unveiled last year, which assigned agencies tasks to shore up U.S. cyber posture, including regulators who oversee sectors like energy, telecommunications and financial services. More information is posted on the NextGov website.

_______________________________

Energy looks to balance AI electricity demands and clean energy goals: Energy consumption for artificial intelligence technologies is a “critical” emerging mission area for the Department of Energy as the agency looks to advance the benefits of AI and machine learning systems while minimizing the technologies’ carbon footprint.  Speaking at an Axios forum on Tuesday, Helena Fu, the director of the Office of Critical and Emerging Technologies at Energy, said that her agency sees automated systems’ burgeoning demand on the power grid as a way to usher in more clean firm power — clean energy solutions that are not dependent on weather as solar and wind are — with help from industry partners. Fu said that through various internal initiatives — namely the Frontiers in Artificial Intelligence for Science, Security and Technology program — her agency is looking to address the energy challenges posed by AI-enabled computing. She noted that, apart from AI, other digital services coming online and more manufacturing work based in the U.S. are also two leading burdens on U.S. power sources. More information is posted on the NextGov website.