Protecting Federally Funded Research at Colleges and Universities (National Security Presidential Memorandum 33)

Colleges and universities received over $40 billion from the U.S. federal government as grants in 2018. Many federal agencies fund research activities at colleges and universities that form the basis for major advances in health, technology, and national security. This blog will help colleges and universities better understand National Security Presidential Memorandum 33 and its implications for research institutions. It includes resources and guidance to help you get a jump-start on implementation activities if your institution is subject to the requirements.

In recognition of the importance of research and development to the U.S. economy and national security interests, the Trump Administration issued National Security Presidential Memorandum 33 (NSPM 33) in January 2021. The purpose of NSPM 33 was to marshal a national effort to safeguard federally-funded U.S. research and development activities. NSPM seeks to educate federal agencies and American researchers about research security risks and mitigate the threats posed by some foreign governments’ efforts to steal American research or recruit American researchers.

Academic research institutions and medical centers are specifically included in the definition of research participants used in NSPM 33. While NSPM has many objectives, of most importance to colleges and universities are NSPM 33 requirements to:

• Strengthen and standardize disclosure requirements regarding potential conflicts of interest and commitment from American researchers
• Require research institutions to establish and operate research security programs

In January 2022, the National Science and Technology Council issued guidance for implementing NSPM 33 for U.S. government-supported research.

Disclosure Requirements

NSPM 33 requires federal agencies to improve the reporting of conflicts of interest and conflicts of commitments in federal grant contracts and agreements.

• A conflict of interest is “a situation in which an individual, or the individual’s spouse or dependent children, has a financial interest or financial relationship that could directly and significantly affect the design, conduct, reporting, or funding of research.” NSPM 33, Section 2(c).
• A conflict of commitment is “a situation in which an individual accepts or incurs conflicting obligations between or among multiple employers or other entities.” They can include “conflicting commitments of time and effort” or include “obligations to share improperly information with, or to withhold information from, an employer or funding agency.” NSPM 33, Section 2(d).

Reporting conflicts of interest and commitment are important because such conflicts can bias research results or how research is reported—in short, these types of conflicts can compromise the integrity of the researcher or their research activities. Failing to report conflicts of interest and commitment can also result in penalties and fines, both for the individual researcher with the conflict of interest and for the institution for which the researcher works

NSPM 33 and its implementing guidance seek to make disclosing conflicts of interest and commitment easier. To do this, it requires federal research funding agencies to standardize these types of reporting forms to make it easier for researchers to comply with the reporting and for funding agencies to identify problematic conflicts of interest and/or commitment. The recently released January 2022 implementation guidance document sets forth the disclosure requirements for researcher type as well as the type of personal and professional information that must be disclosed within the research grant application process (pages 2-5). Agencies were directed to make progress on creating model grant application forms and instructions that can be used by any federal funding agency in early 2022.

Research Security Programs

While much of NSPM 33 is focused on actions that federal agencies must take to safeguard federally-funded U.S. research and development activities, it also requires research institutions, like colleges and universities, that receive more than $50 million per year in federal research support to certify to their funding agencies that the institution has established and operates a research security program. While federal agencies can add additional research security program requirements when funding research in critical and emerging technology areas with implications for U.S. national and economic security, all research security programs must address:

• Cybersecurity
• Foreign travel security
• Insider threat awareness and identification
• Export control training

The implementation guidance requires research institutions to apply basic safeguards to research activities, including:

• Provide regular cybersecurity awareness training for authorized users of information systems, including recognizing and responding to social engineering threats and cyber breaches.
• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify and control/limit connections to and use of external information systems.
• Control any non-public information posted or processed on publicly accessible information systems.
• Identify information system users, processes acting on behalf of users, or devices.
• Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Protect scientific data from ransomware and other data integrity attack mechanisms.
• Identify, report, and correct information and information system flaws promptly.
• Protect from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

From Implementation Guidance, pages 28-31.

While research institutions will be allowed flexibility in structuring their research security programs, the federal government is also expected to provide technical assistance to support the development of the required program. Once the federal government issues final research security program guidance, it is expected that research institutions will be required to certify compliance with program requirements.

Next Steps

More guidance regarding NSPM 33 will be issued throughout the year. In the meantime, higher education institutions subject to the NSPM 33 research security program requirements can get a jump-start on implementation activities by:

1. Conveying the importance of research security and integrity at the leadership level and introducing institutional leadership to NSPM 33 requirements.
2. Ensuring an organizational approach to research security that includes designating a responsible individual and creating written research security policies. In many instances, institutions may find extensive overlap between research security programs and the institution’s already-established general information security programs.
3. Adopting a risk management approach to the institution’s research security program, including identifying research projects that are federally funded, data repositories that might be subject to enhanced safeguards (such as those required for Controlled Unclassified Information), and the researchers conducting federally funded research and development.

To read more about NSPM 33, check out the following resources:

• Presidential Memorandum on United States Government-Supported Research and Development National Security Policy, National Security Presidential Memorandum 33 (January 2021)
• NSPM 33 Fact Sheet (January 2021)
• Recommended Practices for Strengthening the Security and Integrity of America’s Science and Technology Research Enterprise (January 2021)
• Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government-Supported Research and Development (January 2022)

This post was authored by Vice President Joanna Grama, who advises clients on information security program governance and strategy.

If you’d like assistance improving your campus information security program, the Vantage Strategic Planning and Technology Management team can help. We have extensive experience designing information security programs, drafting policies and procedures, conducting controls assessments, and preparing incident response plans. Our consultants are experienced InfoSec leaders and practitioners who understand the issues of complex organizations. Our certifications include CISSP, HCISPP, CISM, CGEIT, CRISC, GSLC, and GSTRT. Contact us to learn more.