Research Security Program

Released in January 2021, National Security Presidential Memorandum 33 (NSPM-33)  is a presidential directive to strengthen protections of US government-supported research and development against foreign government interference and misappropriation, while maintaining an open environment to foster research discoveries and innovation that benefit the United States and the world. The main areas of concern are non-disclosure of foreign resources such as foreign employment arrangements, foreign grant support and foreign talent programs; undisclosed significant financial conflicts of interest; and compliance with regulatory requirements including US Export Control laws and regulations. Among other guidelines for increased security measures, NSPM-33 establishes stricter reporting requirements to ensure the protection of research and requires standardization across governmental agencies regarding disclosure of conflicts of interest and commitment, relationships or affiliations with foreign entities, and research support provided by those entities.

NSPM-33 also requires a certification from research organizations awarded in excess of $50 million per year in total federal research funding that they have implemented a research security program that includes four elements:

Cybersecurity

Research organizations satisfy the cybersecurity element of the research security program requirement by applying the following basic safeguarding protocols and procedures:

• Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify and control/limit connections to and use of external information systems.
• Control any non-public information posted or processed on publicly accessible information systems.
• Identify information system users, processes acting on behalf of users, or devices.
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Foreign Travel Security

• Research organizations maintain international travel policies for faculty and staff traveling for organization business, teaching, conference attendance, research purposes, or any offers of sponsored travel that would put a person at risk. Such policies should include an organizational record of covered international travel by faculty and staff and, as appropriate, a disclosure and authorization requirement in advance of international travel, security briefings, assistance with electronic device security (smartphones, laptops, etc.), and preregistration requirements.

Research Security Training

• Provide training to relevant personnel on research security threat awareness and identification, including insider threat training where applicable. Responsible and ethical conduct of research training for faculty and students will include Research Security. In addition to periodic training, research organizations should conduct tailored training in the event of a research security incident.

Export Control Training

• Research organizations conducting research that is subject to export control restrictions provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with federal export control requirements and restricted entities lists.

• National Security Presidential Memorandum-33 (NSPM-33)
• NSPM-33 Implementation Guidance
• OSTP Guidelines for Research Security Programs at Covered Institutions (7/9/24)

The Research Security Committee is developing policies and procedures to comply with the federal government’s regulations related to protecting the US research and development enterprise and overseeing Boston University’s research security program. The committee includes the following:

• Sarah Porter, Chair, Director of Research Security (and BU Research Security Point of Contact), FCOI and Export Control, Research Compliance
• Lilly Huang, Associate General Counsel, Office of General Counsel
• Eric Jacobsen, Assistant Vice President and Chief Information Security Officer, IS&T
• Renna Lilly, Assistant Vice President, Sponsored Programs
• Kevin Nelson, Assistant Vice President, Finance and Operations, Global Programs
• Jessica Wong, Director, Federal Relations

Boston University encourages international collaboration and will continue to advocate for these critical partnerships. The university also recognizes it is important for investigators to be transparent about their foreign relationships and activities. The federal government’s increased focus on foreign involvement in US research has resulted in an increase of disclosure requirements. Please visit the Disclosure Requirements page for detailed requirements and considerations organized by agency.

BU Information Security helps researchers conduct their research efficiently and securely. Information Security will make resources for complying with the cybersecurity requirements of NSPM-33 available once the requirements are finalized by the government. For more information, please visit BU Information Security’s Security for Researchers webpage. For travel cybersecurity information, please see the Foreign Travel Security section of this website.

BU Global Programs and IS&T are available to assist BU researchers as they plan for engagements outside the US, especially on issues of information security and data privacy. In anticipation of travel, researchers are encouraged to review the Foreign Travel Security webpage.

The US National Science Foundation, in partnership with the National Institutes of Health, the Department of Energy, and the Department of Defense, has released an online research security training for the research community. The training, available via the NSF website and CITI, consists of four modules, with each module taking approximately an hour to complete.

• NSF will require training beginning in 2025 as will be set forth in the NSF 25 PAPPG. Timelines for training requirements for other agencies is not yet known.
• The Research Security training, and its counterpart training ‘Undue Foreign Influence: Risk and Management’, is also available via the BU CITI training portfolio.
• BU’s requirements for Research Security Training are still in development and will be communicated to the research community as the federal requirements become clear.

If research falls under export control, BU requires training provided by the Export Control Office. In addition, online export control training is available to the BU community via BU’s CITI training portfolio.

Please visit the BU Export Control website or reach out to the Export Control Office at export@bu.edu if you need assistance.

The CHIPS and Science Act directs federal research funding agencies to establish policies that require covered individuals to disclose all participation in Foreign Talent Recruitment Programs, prohibit research and development awards from being made for any proposal in which a covered individual is participating in a Malign Foreign Talent Recruitment Program, and require certification at proposal, and annually for the duration of the award, that the covered individual is not a party to a MFRTP. Learn more on our Foreign Talent Recruitment Program page.

• August 15, 2024: NIH issues a Decision Matrix for Assessing Potential Foreign Influence. NIH has developed the matrix as a guide to assist NIH in reviewing grant applications and ongoing awards for signs of potential foreign interference and in mitigating risk.
• July 31, 2024: NIH announces that the Common Forms for Biographical Sketch and Current and Pending (Other) support are required to be used with all applications and Research Performance Progress Reports by May 25, 2025. These forms will be collected through SciENcv.
• July 9, 2024: : The Office of Science and Technology Policy (OSTP) released a memorandum to the heads of federal research agencies regarding new guidelines for research security programs at covered institutions. This guidance supersedes, in full, the portions of the NSTC Implementation Guidance describing Research Security Programs (see pages 18-21).
• June 5, 2024: NSF announces the Trusted Research Using Safeguards and Transparency (TRUST) research security risk management framework to be used in funding decisions. TRUST is a decision tree approach to assess research proposals and ongoing projects for concerning appointments and research support, non-compliance with disclosure and other requirements, and potential risks to national security. Beginning in fiscal year (FY) 2025, a first phase pilot program will be implemented in which the TRUST framework will be applied to quantum-related proposals after they undergo merit review.
• May 20, 2024: BU Policy on in Malign Foreign Talent Recruitment Program goes into effect for NSF-funded projects. The policy will go into effect on August 9, 2024 for all other research.
• May 20, 2024: NSF use of Common Forms for Biographical Sketch and Current and Pending (Other) Support, including certification regarding Malign Foreign Talent Recruitment Program participation goes into effect.
• May 17, 2024: BU announces adoption of Policy on Participation in Malign Foreign Talent Recruitment Program which prohibits all Researchers conducting research at BU from participating in Malign Foreign Talent Recruitment Programs regardless of the source of funding and including federal, non-federal, internally funded and unfunded research.
• April 4, 2024: NIH announced that it would adopt the Common Disclosure Forms for the Biographical Sketch and Current and Pending (Other) Support for applications submitted in 2025.
• February 14, 2024: OSTP issued a set of guidelines regarding Foreign Talent Recruitment Programs (FRTPs), as required by section 10631(b) of the CHIPS and Science Act of 2022. The OSTP guidelines define a Foreign Talent Recruitment Program and Malign Foreign Talent Recruitment Programs consistent with the CHIPS and Science Act definitions.
• February 14, 2024: OSTP issued Policy Regarding Use of Common Disclosure Forms for the “Biographical Sketch” and the “Current and Pending (Other) Support” Sections of Applications by Federal Research Funding Agencies. This policy requires federal research funding agencies to use the NSF common disclosure forms for the Biographical Sketch and the Current and Pending (Other) Support portions of funding application packages for grants and cooperative agreements and provides that the Common Forms will replace other forms that agencies currently use to disclose biographical sketch, and current and pending (other) support information, when applicants apply for federal research funding. Although there may be circumstances where agencies choose not to use the Common Forms, deviation from the common disclosure forms will require United States Office of Management and Budget (OMB) review and clearance. The policy requires each federal funding agency with an annual extramural research expenditure of over $100,000,000 to submit a plan to implement use of the Common Forms to OSTP by May 14, 2024.
• January 30, 2024: NSF, in partnership with the NIH, DOE and DOD, released an online research security training for the research community which satisfies the research security program training requirement of NSPM 33.
• January 22, 2024: NSF released PAPPG 24-1, effective for proposals submitted or due on or after May 20, 2024. PAPPG 24-1 institutes a requirement for Senior Key Personnel on a proposal to certify that they do not participate in a Malign Foreign Talent Recruitment Program (MFTRP) and prohibits those who participate in MFTRP from being eligible for NSF funding of the proposal.

• November 1, 2023: NSF released common disclosure forms for “Current and Pending (Other) Support Information” and “Biographical Sketch”. The common disclosure forms are part of the Government’s effort to harmonize disclosure requirements across federal agencies. NSF will require senior and key personnel to use the common disclosure forms starting spring 2024. Other federal agencies will adopt the common disclosure forms for use on a rolling basis.
• September 15, 2023: NIH updated its grants policy guidance for foreign subaward agreements. NOT-OD-23-182. Effective January 1, 2024, agreements for foreign subawards must contain a provision requiring foreign subrecipients to provide access to copies of all lab notebooks, all data, and all documentation that supports the research outcomes as described in the progress report, to the primary recipient (Boston University) with a frequency of no less than once per year, in alignment with the timing requirements for Research Performance Progress Report (RPPR) submission.
• June 29, 2023: DOD released guidance regarding countering unwanted foreign influence in department-funded research at institutes of higher education and established a Decision Matrix to Inform Fundamental Research Proposal Mitigation Decisions. Review the full document here. Beginning August 9, 2024, DoD is prohibited from providing funding to or making an award of a fundamental research project proposal in which a covered individual is participating in a malign foreign talent recruitment program (MFTRP) or to a proposing institution that does not have a policy addressing MFTRPs pursuant to Section 10632 of the CHIPS and Science Act of 2022.
• June 2, 2023: DOD, GSA and NASA issued an interim rule for federal contracts prohibiting the use of the social networking service TikTok and other applications from parent company ByteDance Limited on any devices for federal contract work, including personally-owned devices. More information can be found here.
• January 30, 2023: NSF issues PAPPG 23-1, effective January 30, 2023,

• August 9, 2022: CHIPS and Science Act of 2022 signed into law to bolster innovative research and enhance research security.
• June 1, 2022: DOE issues FAL 2022-04, Department of Energy Current and Pending Support Disclosure Requirements.
• January 2022: National Science and Technology Council issues Guidance for Implementing NPSM 33, which requires federal funding agencies to establish policies in the following areas:
  • Expanded disclosure requirements and application forms, and consequences for violations of requirements;
  • Use of digital persistent identifiers;
  • Implementation of research security program certification process. Institutions should establish a research security program that must address cybersecurity, foreign travel, research security training and export control training.

• December 20, 2021: DOE issues, FAL 2022-12, enacting the Department of Energy Interim Conflict of Interest Policy.
• January 14, 2021: National Security Presidential Memorandum 33 “directs action to strengthen protections of US government-supported research against foreign government interference and exploitation.”