Research Security Program

Released in January 2021, National Security Presidential Memorandum 33 (NSPM-33)  is a presidential directive to strengthen protections of US government-supported research and development against foreign government interference and misappropriation, while maintaining an open environment to foster research discoveries and innovation that benefit the United States and the world. The main areas of concern are non-disclosure of foreign resources such as foreign employment arrangements, foreign grant support and foreign talent programs; undisclosed significant financial conflicts of interest; and compliance with regulatory requirements including US Export Control laws and regulations. Among other guidelines for increased security measures, NSPM-33 establishes stricter reporting requirements to ensure the protection of research and requires standardization across governmental agencies regarding disclosure of conflicts of interest and commitment, relationships or affiliations with foreign entities, and research support provided by those entities.

NSPM-33 also requires a certification from research organizations awarded in excess of $50 million per year in total federal research funding that they have implemented a research security program that includes four elements:

Cybersecurity

Research organizations satisfy the cybersecurity element of the research security program requirement by applying the following basic safeguarding protocols and procedures:

• Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify and control/limit connections to and use of external information systems.
• Control any non-public information posted or processed on publicly accessible information systems.
• Identify information system users, processes acting on behalf of users, or devices.
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Foreign Travel Security

• Research organizations maintain international travel policies for faculty and staff traveling for organization business, teaching, conference attendance, research purposes, or any offers of sponsored travel that would put a person at risk. Such policies should include an organizational record of covered international travel by faculty and staff and, as appropriate, a disclosure and authorization requirement in advance of international travel, security briefings, assistance with electronic device security (smartphones, laptops, etc.), and preregistration requirements.

Research Security Training

• Provide training to relevant personnel on research security threat awareness and identification, including insider threat training where applicable. Responsible and ethical conduct of research training for faculty and students will include Research Security. In addition to periodic training, research organizations should conduct tailored training in the event of a research security incident.

Export Control Training

• Research organizations conducting research that is subject to export control restrictions provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with federal export control requirements and restricted entities lists.

• National Security Presidential Memorandum-33 (NSPM-33)
• NSPM-33 Implementation Guidance
• OSTP Guidelines for Research Security Programs at Covered Institutions (7/9/24)

The Research Security Committee is developing policies and procedures to comply with the federal government’s regulations related to protecting the US research and development enterprise and overseeing Boston University’s research security program. The committee includes the following:

• Sarah Porter, Chair, Director of Research Security (and BU Research Security Point of Contact), FCOI and Export Control, Research Compliance
• Lilly Huang, Associate General Counsel, Office of General Counsel
• Eric Jacobsen, Assistant Vice President and Chief Information Security Officer, IS&T
• Renna Lilly, Assistant Vice President, Sponsored Programs
• Kevin Nelson, Assistant Vice President, Finance and Operations, Global Programs
• Jessica Wong, Director, Federal Relations

Boston University encourages international collaboration and will continue to advocate for these critical partnerships. The university also recognizes it is important for investigators to be transparent about their foreign relationships and activities. The federal government’s increased focus on foreign involvement in US research has resulted in an increase of disclosure requirements. Please visit the Disclosure Requirements page for detailed requirements and considerations organized by agency.

BU Information Security helps researchers conduct their research efficiently and securely. Information Security will make resources for complying with the cybersecurity requirements of NSPM-33 available once the requirements are finalized by the government. For more information, please visit BU Information Security’s Security for Researchers webpage. For travel cybersecurity information, please see the Foreign Travel Security section of this website.

BU Global Programs and IS&T are available to assist BU researchers as they plan for engagements outside the US, especially on issues of information security and data privacy. In anticipation of travel, researchers are encouraged to review the Foreign Travel Security webpage.

Research Security Training is one of the four required elements of a Research Security Program mandated by National Security Presidential Memorandum 33 (NSPM 33). The CHIPS and Science Act of 2022 codifies the requirement for research security training into law. Research Security Training is designed to create awareness of, and protect against, behaviors aimed at misappropriating research and development to the detriment of national or economic security, related violations of research integrity, and foreign government interference.

Beginning May 1, 2025, all “Covered Individuals” listed on Department of Energy (DOE) proposals must certify to DOE that they have completed Research Security Training. Individuals who later join a DOE award, proposed on or after May 1, 2025, will
also be required to take this training before participating in the research.

Please see the FAQs below for who meets the definition of a “Covered Individual.”

It is expected that other agencies will also require Research Security Training. The National Science Foundation training requirement is anticipated in October 2025. Research Compliance will update the research community as other agency deadlines are announced. In anticipation of these further agency requirements, BU is requiring that all Researchers who engage in or propose to engage in sponsored research at BU, both federally and non-federally sponsored, must complete the CITI Research Security Training (Combined) by June 30, 2025.

Boston University has adopted the Collaborative Institutional Training Initiative (CITI) Program’s Research Security Training (Combined) course to meet research security training requirements. The four-module training takes approximately one hour and covers an introduction to research security, the importance of disclosure, risk mitigation and management, and international collaboration.

Please see the FAQs below for detailed responses to the questions you may have and do not hesitate to contact the Director of Research Security at sbporter@bu.edu with any further questions.

If research falls under export control, BU requires training provided by the Export Control Office. In addition, online export control training is available to the BU community via BU’s CITI training portfolio.

Please visit the BU Export Control website or reach out to the Export Control Office at export@bu.edu if you need assistance.

The CHIPS and Science Act directs federal research funding agencies to establish policies that require covered individuals to disclose all participation in Foreign Talent Recruitment Programs, prohibit research and development awards from being made for any proposal in which a covered individual is participating in a Malign Foreign Talent Recruitment Program, and require certification at proposal, and annually for the duration of the award, that the covered individual is not a party to a MFRTP. Learn more on our Foreign Talent Recruitment Program page.

The U.S. government has defined “research security” as “safeguarding the research enterprise against behaviors aimed at misappropriating research and development to the detriment of national or economic security, related violations of research integrity, and foreign government interference.” Research Security aims to mitigate the threat to the U.S. research enterprise and individual researchers posed by parties who wish to take advantage of the culture of openness and collaboration of the U.S. research ecosystem. Research Security Training is designed to create awareness of, and protect against, these threats.

The required elements of Research Security Training are:

• The benefits and risks associated with International Collaborations
• Cybersecurity risks
• Travel Security risks
• The Importance of Transparency and Disclosure of potential outside funding and potential influence.

Research Security Training is one of the four required elements of a Research Security Program mandated by National Security Presidential Memorandum 33 (NSPM 33), issued on Jan. 14, 2021. The “CHIPS and Science Act of 2022,” codifies the requirement for research security training into law.

Beginning May 1, 2025, all “Covered Individuals” listed on Department of Energy (DOE) award applications must certify to DOE that they have completed Research Security Training. Individuals that later join a DOE award, proposed on or after May 1, 2025, will also be required to take this training before participating in the research.

It is expected that other agencies will also require Research Security Training. The National Science Foundation training requirement is anticipated in October 2025. Research Compliance will update the research community as other agency deadlines are announced.

All “Covered Individuals” on DOE projects, active or to be proposed as of May 1, 2025, must complete the CITI Research Security (Combined) Training prior to May 1, 2025.

For all other Researchers who engage in or propose to engage in sponsored projects at BU, both federally and non-federally sponsored, all Covered Individuals must complete the CITI Research Security (Combined) training by June 30, 2025.

A “Covered Individual” is an individual who:

• Contributes in a substantive, meaningful way to the development or execution of the scope of work of a project proposed for funding AND
• Is designated as a principal investigator (PI), project director (PD), co-principal investigator (Co-PI), co-investigator (CO-I), co-project director (Co-PD), project manager, key personnel, and any individual regardless of title (inclusive of consultants, graduate students, or postdoctoral associates) that is functionally performing in one of these named roles.

DOE researchers who have not completed Research Security Training prior to May 1, 2025, will not be able to submit proposals as of May 1, 2025.

All other researchers who have not completed RST by June 30, 2025, will not be allowed to submit new proposals.

Boston University has adopted the Collaborative Institutional Training Initiative (CITI) Program Research Security Training (Combined) course to meet the training requirements.

It will take approximately one hour to complete the training.

Yes. To track your training in our systems, you are required to take the BU CITI Research Security Training (Combined).

Yes. BU is requiring Research Security Training for all sponsored research at BU, including industry-sponsored research, not just federally sponsored research. Research Security is a shared responsibility of all researchers and across all academic disciplines.

If you are considered a “Covered Individual” on the research, you will need to take Research Security Training. This includes any individual regardless of title, and inclusive of undergraduates, graduate students and postdoctoral associates.

If you are considered a “Covered Individual” on the research, you will need to take the research security training. It is unlikely, however, that an undergraduate student would be considered a “covered individual” on a sponsored award.

If you are a sub-awardee to a BU prime award and your home institution has a Research Security Training requirement, then you will take your home institution’s training. If you do not have a Research Security training program in place, you must take the BU Research Security Training.

If you are a BMC Researcher conducting research at Boston University, you will need to complete BU’s Research Security Training. If you are a BMC Researcher conducting research at BMC, you are not required to take the training at this time. Please contact BMC Research Compliance (COI-Compliance@bmc.org) if you have any questions.

To complete CITI Research Security (Combined) training course, please follow the below steps:

1. Access the CITI website: https://www.citi.org.
2. Log in to your existing CITI account or register if this is your first time visiting CITI
3. To access the Research Security Training, you must affiliate with the Boston University CRC campus. Note that in CITI you may be affiliated with other institutional accounts, such as BUMC, however the Research Security Training is only available via the CRC training portfolio
4. When you select an email address for your registration, please use your BU email address (this enables your training certifications to connect with other University systems, such as Huron)
5. Under ‘Learner Tools…’ choose ‘Add a Course’
6. Under ‘Getting Started’ select ‘Research Security’
7. Under ‘Research Security Curriculum’, select ‘Research Security Training (Combined)’ This will add the course to your ‘Courses Ready to Begin’
8. Next, click ‘Start Now’ and take the course!

• March 25, 2025: NIH announces that, until further notice, it is postponing its implementation of the Common Forms for Biographical Sketch and Current and Pending (Other) Support, originally required to be used with all applications and Research Performance Progress Reports by May 25, 2025.

• October 7, 2024: Department of Energy releases Research Security Training Requirements for all R&D Financial Assistance Awards. Financial Assistance Letter (FAL 2025-02). As of May 1, 2025, Covered Individuals must certify that they have “completed within one year of such application research security training that meets the guidelines described in the CHIPS and Science Act of 2022. DOE interprets this as the 12 months immediately preceding the application date.
• August 15, 2024: NIH issues a Decision Matrix for Assessing Potential Foreign Influence. NIH has developed the matrix as a guide to assist NIH in reviewing grant applications and ongoing awards for signs of potential foreign interference and in mitigating risk.
• July 31, 2024: NIH announces that the Common Forms for Biographical Sketch and Current and Pending (Other) support are required to be used with all applications and Research Performance Progress Reports by May 25, 2025. These forms will be collected through SciENcv.
• July 9, 2024: : The Office of Science and Technology Policy (OSTP) released a memorandum to the heads of federal research agencies regarding new guidelines for research security programs at covered institutions. This guidance supersedes, in full, the portions of the NSTC Implementation Guidance describing Research Security Programs (see pages 18-21).
• June 5, 2024: NSF announces the Trusted Research Using Safeguards and Transparency (TRUST) research security risk management framework to be used in funding decisions. TRUST is a decision tree approach to assess research proposals and ongoing projects for concerning appointments and research support, non-compliance with disclosure and other requirements, and potential risks to national security. Beginning in fiscal year (FY) 2025, a first phase pilot program will be implemented in which the TRUST framework will be applied to quantum-related proposals after they undergo merit review.
• May 20, 2024: BU Policy on in Malign Foreign Talent Recruitment Program goes into effect for NSF-funded projects. The policy will go into effect on August 9, 2024 for all other research.
• May 20, 2024: NSF use of Common Forms for Biographical Sketch and Current and Pending (Other) Support, including certification regarding Malign Foreign Talent Recruitment Program participation goes into effect.
• May 17, 2024: BU announces adoption of Policy on Participation in Malign Foreign Talent Recruitment Program which prohibits all Researchers conducting research at BU from participating in Malign Foreign Talent Recruitment Programs regardless of the source of funding and including federal, non-federal, internally funded and unfunded research.
• April 4, 2024: NIH announced that it would adopt the Common Disclosure Forms for the Biographical Sketch and Current and Pending (Other) Support for applications submitted in 2025.
• February 14, 2024: OSTP issued a set of guidelines regarding Foreign Talent Recruitment Programs (FRTPs), as required by section 10631(b) of the CHIPS and Science Act of 2022. The OSTP guidelines define a Foreign Talent Recruitment Program and Malign Foreign Talent Recruitment Programs consistent with the CHIPS and Science Act definitions.
• February 14, 2024: OSTP issued Policy Regarding Use of Common Disclosure Forms for the “Biographical Sketch” and the “Current and Pending (Other) Support” Sections of Applications by Federal Research Funding Agencies. This policy requires federal research funding agencies to use the NSF common disclosure forms for the Biographical Sketch and the Current and Pending (Other) Support portions of funding application packages for grants and cooperative agreements and provides that the Common Forms will replace other forms that agencies currently use to disclose biographical sketch, and current and pending (other) support information, when applicants apply for federal research funding. Although there may be circumstances where agencies choose not to use the Common Forms, deviation from the common disclosure forms will require United States Office of Management and Budget (OMB) review and clearance. The policy requires each federal funding agency with an annual extramural research expenditure of over $100,000,000 to submit a plan to implement use of the Common Forms to OSTP by May 14, 2024.
• January 30, 2024: NSF, in partnership with the NIH, DOE and DOD, released an online research security training for the research community which satisfies the research security program training requirement of NSPM 33.
• January 22, 2024: NSF released PAPPG 24-1, effective for proposals submitted or due on or after May 20, 2024. PAPPG 24-1 institutes a requirement for Senior Key Personnel on a proposal to certify that they do not participate in a Malign Foreign Talent Recruitment Program (MFTRP) and prohibits those who participate in MFTRP from being eligible for NSF funding of the proposal.

• November 1, 2023: NSF released common disclosure forms for “Current and Pending (Other) Support Information” and “Biographical Sketch”. The common disclosure forms are part of the Government’s effort to harmonize disclosure requirements across federal agencies. NSF will require senior and key personnel to use the common disclosure forms starting spring 2024. Other federal agencies will adopt the common disclosure forms for use on a rolling basis.
• September 15, 2023: NIH updated its grants policy guidance for foreign subaward agreements. NOT-OD-23-182. Effective January 1, 2024, agreements for foreign subawards must contain a provision requiring foreign subrecipients to provide access to copies of all lab notebooks, all data, and all documentation that supports the research outcomes as described in the progress report, to the primary recipient (Boston University) with a frequency of no less than once per year, in alignment with the timing requirements for Research Performance Progress Report (RPPR) submission.
• June 29, 2023: DOD released guidance regarding countering unwanted foreign influence in department-funded research at institutes of higher education and established a Decision Matrix to Inform Fundamental Research Proposal Mitigation Decisions. Review the full document here. Beginning August 9, 2024, DoD is prohibited from providing funding to or making an award of a fundamental research project proposal in which a covered individual is participating in a malign foreign talent recruitment program (MFTRP) or to a proposing institution that does not have a policy addressing MFTRPs pursuant to Section 10632 of the CHIPS and Science Act of 2022.
• June 2, 2023: DOD, GSA and NASA issued an interim rule for federal contracts prohibiting the use of the social networking service TikTok and other applications from parent company ByteDance Limited on any devices for federal contract work, including personally-owned devices. More information can be found here.
• January 30, 2023: NSF issues PAPPG 23-1, effective January 30, 2023,

• August 9, 2022: CHIPS and Science Act of 2022 signed into law to bolster innovative research and enhance research security.
• June 1, 2022: DOE issues FAL 2022-04, Department of Energy Current and Pending Support Disclosure Requirements.
• January 2022: National Science and Technology Council issues Guidance for Implementing NPSM 33, which requires federal funding agencies to establish policies in the following areas:
  • Expanded disclosure requirements and application forms, and consequences for violations of requirements;
  • Use of digital persistent identifiers;
  • Implementation of research security program certification process. Institutions should establish a research security program that must address cybersecurity, foreign travel, research security training and export control training.

• December 20, 2021: DOE issues, FAL 2022-12, enacting the Department of Energy Interim Conflict of Interest Policy.
• January 14, 2021: National Security Presidential Memorandum 33 “directs action to strengthen protections of US government-supported research against foreign government interference and exploitation.”