News

Background on NSPM-33 and Research Security

On January 14, 2021, then-President Trump issued a Presidential Memorandum on United States Government-Supported Research and Development National Security Policy (“NSPM-33”), aimed at “strengthening protections of United States Government-supported Research and Development [(“R&D”)] against foreign government interference and exploitation.”⁴ President Biden subsequently endorsed and moved forward with NSPM-33. NSPM-33 requires that federal research agencies that fund R&D activities shall require participants in the United States R&D enterprise to (i) disclose certain information “that will enable reliable determinations of whether and where conflicts of interest and commitment exist” and (ii) ensure that policies and procedures are in place “to identify and manage risks to research security and integrity.” Specifically about research security, NSPM-33 states that federal agencies shall require such research institutions receiving more than $50 million per year of federal science and engineering support to certify to the funding agency that the institution has a research security program, which includes elements of cybersecurity, foreign travel security, insider threat awareness and identification, and, as appropriate, export control training.

A year later, in January 2022, the National Science and Technology Council of OSTP and the Joint Committee on the Research Environment released a report guiding federal agencies regarding their implementation of NSPM-33 in five key areas, including research security programs.⁵ In this guidance, OSTP provided recommendations regarding the specific requirements that federal agencies should establish under the four elements of research security programs as required by NSPM-33. The draft standardized requirements were published in February 2023, building on the framework outlined in the 2022 implementation guidance.

In addition to NSPM-33, the federal government has been focused on foreign government and misappropriation of U.S.-supported research and technology through other recent statutory and regulatory developments. For example, the CHIPS Act of 2022 (the “CHIPS Act”),⁶ signed into law in August 2022, focuses in part on developing policies, tools, and processes to manage and mitigate research security risks. Separately, NSF has established a “Research on Research Security Program,”⁷ and recently issued subregulatory guidance on foreign financial disclosure requirements, as required under the CHIPS Act.⁸ In the Final Guidelines, OSTP appears to focus on aligning research security mandates across NSPM-33 and the CHIPS Act to a much greater extent than the Draft Requirements.

Summary of the Final Guidelines

Below, we summarize the key components of the Final Guidelines and point out some of the key distinctions between the Final Guidelines and the Draft Requirements.

1. Definition of Covered Institution

As stated above, NSPM-33 applies to research institutions receiving more than $50 million per year of federal science and engineering support. To clarify how a research institution determines whether it meets this criterion, the Final Guidelines provide a definition that is more detailed than the NSPM-33 description of research institutions and more concise than the definition of “covered institution” utilized in the Draft Requirements.⁹ Specifically, under the Final Guidelines, a “Covered Institution”:

1. is an institution of higher education, a federally funded research and development center (“FFRDC”), or a nonprofit research institution; and
2. receives over $50 million per year, in fiscal 2022 constant dollars, under (1) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions; or (2) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development.

We anticipate that a small number of institutions may have questions as to whether they fall within the definition of “Covered Institution,” but that the vast majority of institutions conducting science and engineering research that is supported by federal funding will be able to determine, based on this definition, whether they qualify as a “Covered Institution.”

2. Research Security Program Requirements

Consistent with the NSPM-33 directive, the Final Guidelines require that federal research agencies require covered institutions to implement and certify that their research security programs address four key elements: (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training. The specific requirements for each element are described below.

ii. Foreign Travel Security

Under the Final Guidelines, federal research agencies must require each covered institution to certify that it will implement periodic training (i.e., at least every six years) on foreign travel security to “covered individuals”¹³ that travel internationally for business, teaching, conferences, or other research purposes, within one year after a foreign travel security training resource is issued by a federal research agency. OSTP states that it will, in coordination with other federal agencies, such as NSF, NIH, DOE, and DoD, contract with a qualified entity to develop a foreign travel security training module for this purpose. In addition, covered institutions must implement a travel reporting program, which records international travel of covered individuals when traveling internationally for business, teaching, conferences, or other research purposes, if a federal research agency has determined that security risks warrant travel reporting per the covered individual’s R&D award.