VPs of Research, Provosts, CISOs responsible for strategic compliance and institutional certification.
81 relevant references
NSF begins rolling out annual MFTRP certification for PIs/co-PIs
NIH anticipates implementing new foreign subaward structure
NIH Other Support disclosure training requirement takes effect
NSF Important Notice 149 requirements take effect
Federal agencies anticipated to issue RSP requirements to awardee institutions
A matrix that lists policies and requirements under the headings of: Disclosures, Agency Risk Assessment, FCOI & COC, Training, Certifications, and Research Security Program for each federal agency. Per COGR, this tool is frequently updated to reflect the release of new documentation. Updated September 30, 2025.
A chart that compares federal laws, regulations, and policies in the area of science and security. The chart is divided into three separate tabs that cover (a) major federal-wide legislation or policy, (b) agency disclosure requirements for researchers and research institutions; and (c) agency conflict of interest policies. Updated September 30, 2025.
Published July 10, 2025. Includes NSF implementation of three new requirements (and three existing ones) in alignment with the CHIPS and Science Act and NSPM-33. The requirements, effective October 10, 2025, include: a. Recipient institutions must maintain supporting documentation for foreign activities reported as current and pending (other) support, b. Senior/key personnel must certify they have completed research security training (RST) within 12 months prior to proposal submission; Recipient institutions' Authorized Organizational Representative (AOR) must certify that all senior/key personnel have completed required RST and that the institution has a plan to provide appropriate training, c. AORs at institutions of higher education (IHEs) must certify that, absent a waiver granted by the NSF Director, the IHE does not maintain a contract or agreement between the institution and a Confucius Institute.
Issued July 8, 2025. This memorandum: a. Requires all USDA Mission Areas, Agencies, and Offices to: i. Within 30 days, conduct a comprehensive review of all current USDA awards/subawards with foreign persons/entities and provide justification as to why a US recipient was not selected, ii. Effective immediately, request approval (including justification) prior to issuing an award/subaward to a foreign person/entity. b. Requires applicants (i.e., covered individuals) to: i. Complete the Common Forms for Biographical Sketches and Current and Pending (Other) Support and provide updated information annually, ii. Certify they are not a participant in a malign foreign talent recruitment program (MFTRP) and recertify annually, iii. Certify that they are not contracting with or providing benefit to any foreign person/entity in a country of concern, iv. Certify that they are not party to utilizing forced labor, v. Complete an annual disclosure of contracts associated with participation in programs sponsored by foreign governments/entities, vi. Seek approval from USDA to subaward any portion of a funded arrangement, including university students, post-doctoral fellows, and visiting researchers. c. Requires Employing Entities to: i. Certify to applicants' completion of research security training, ii. Prohibit applicants who either are currently or have in the past 10 years participated in MFTRPs from working on USDA projects, iii. Provide supporting documentation for foreign activities reported as current and pending support, iv. Review any documents required under the memorandum for compliance with USDA award terms and conditions.
Issued by the White House OSTP in February 2024, this policy requires federal agencies to use the Common Forms for current and pending support and biosketches, noting that NSF will serve as steward. Deviation from the common disclosure forms will require Office of Management and Budget (OMB)/Office of Information and Regulatory Affairs (OIRA) review and clearance under the Paperwork Reduction Act (PRA).
A November 2023 supplement to the NSPM-33 Implementation Guidance that provides definitions of terms used throughout the guidance and related policy documents.
A January 2022 report by the White House OSTP/NSTC Research Security Subcommittee providing additional details on 1.) Disclosure Requirements and Standardization 2.) Persistent Identifiers 3.) Consequences for Violation of Disclosure Requirements 4.) Information Sharing and 5.) Research Security Programs. Largely superseded by the final July 9, 2024 guidelines.
A summary document issued by COGR in January 2022 that highlights key points of the Guidance for Implementing NSPM-33 Provisions.
A Presidential Memorandum issued in January 2021 to strengthen protections of U.S. Government-supported R&D against foreign government interference and exploitation. It focuses on ensuring full disclosure of potential conflicts of interest and commitment by recipients of federal R&D and requires research institutions receiving over $50 million in federal R&D funding to certify they operate a research security program covering cybersecurity, foreign travel security, insider threat awareness, and export control training. As of November 2025, federal agencies continue to coordinate and work to implement this requirement for awardee institutions.
AAMC's portal for research security resources, providing guidance and advocacy materials on research security and foreign influence at U.S. academic institutions.
The ODNI research security portal providing resources, threat briefings, and guidance for the academic research community on protecting research from foreign intelligence threats.
The APLU homepage providing access to research security resources and advocacy materials from the Association of Public and Land-Grant Universities.
The AAU homepage providing access to research security resources, policy statements, and advocacy materials from the Association of American Universities.
COGR's homepage providing access to research security resources, matrices, quick reference tables, and policy analysis for research institutions navigating federal research security requirements.
In a September 29, 2025, notice (NOT-OD-25-161), the National Institutes of Health (NIH) rescinded the September 11, 2025, notice (NOT-OD-25-154) Implementation of NIH Research Security Policies. Per the notice, 'NIH continues to work with the National Science Foundation and other Federal research agencies to finalize guidance on each of the required elements outlined in the Office of Science and Technology Policy (OSTP) Guidelines for Research Security Programs at Covered Institutions, and to develop a centralized process for recipients to certify compliance.' The notice indicates that the implementation date for the requirements announced in NOT-OD-25-154 have not been finalized, the notice is therefore rescinded, and that 'NIH will issue updated guidance on Research Security requirements in the coming months.'
The National Academies Assessing Research Security Efforts in Higher Education working group held a number of meetings and a May workshop with federal and non-federal experts beginning September 2024 and concluding September 4, 2025, to discuss assessment of federal research security efforts. Proceedings from the workshop can be found on the National Academies website.
Published September 3, 2025, a National Academies Committee conducted an expedited study to examine federal research regulations and identify ways to improve regulatory processes and administrative tasks, reduce or eliminate unnecessary work, and modify and remove policies and regulations that have outlived their purpose while maintaining necessary and appropriate integrity, accountability, and oversight. Research security specific options include: implement the NSPM-33 common disclosure forms and disclosure table without deviation; establish common principles for agency research security risk reviews for fundamental research; continue prior efforts to streamline and clarify export controls; and adapt cybersecurity requirements for university settings.
Final Research Security Program (RSP) Guidelines published on July 9, 2024, via a memorandum to the heads of federal research funding agencies. Federal agencies are directed to implement the guidelines and provide time for institutional implementation. The four required areas are: cybersecurity, foreign travel security, research security training, and export control training. Agencies are coordinating implementation under a memorandum of agreement and anticipated to issue the requirements in early 2026.
A summary of the NSF-funded workshop 'Responsible Collaboration Through Appropriate Research Security' held at Rice University's Baker Institute for Public Policy in May 2024. Discusses challenges and opportunities in the emerging field of RoRS and provides recommendations to guide NSF's new RoRS program.
A summary document from AAU, updated in January 2024, that references key federal documentation that has been developed to address foreign influence in research.
EDUCAUSE's formal response commenting on the Research Security Programs standard requirement, submitted in June 2023.
AAMC's formal response to the OSTP Request for Information on the NSPM-33 Research Security Programs Standard Requirement, submitted in June 2023.
AAU's formal response to the OSTP Request for Information on the NSPM-33 Research Security Programs Standard Requirement, submitted in May 2023.
COGR's formal response to the OSTP Request for Information on the NSPM-33 Research Security Programs Standard Requirement, submitted in May 2023.
A Request for Information published in March 2023 by the White House OSTP seeking public comment on the NSPM-33 Research Security Programs Standard Requirement.
A March 2023 report issued by JASON and commissioned by NSF. Provides definitions of Research Integrity as adherence to accepted values and principles -- objectivity, honesty, openness, accountability, fairness, and stewardship -- that guide the conduct of research. Research Security is protecting the means, know-how, and products of research until they are ready to be shared. JASON suggests research security does not vary across disciplines, but the consequences of breaches in research security and the measures taken to prevent breaches will differ. Key points include an emphasis on training researchers on risks in international collaborations, the need to encourage collaboration with international organizations that are also concerned with research security, and avoiding creating a reputation of racial profiling or using the research security programs to disadvantage anyone based on ethnicity or nationality.
Draft standards for research security programs published for comment in February 2023 by OSTP/the NSTC Research Security Subcommittee. The document was superseded by the final standard guidelines published on July 9, 2024. The following are related documents and comments from higher education associations.
The National Academies of Sciences, Engineering, and Medicine's National Science, Technology, and Security Roundtable, called for in the Fiscal Year 2020 National Defense Authorization Act, explored issues related to protecting U.S. national and economic security while ensuring the open exchange of ideas and the international talent.
A May 2021 joint release from AAU and APLU highlighting key principles that can be adapted by both universities and the federal government to protect the research enterprise from foreign influence.
A supplement to NSPM-33 outlining recommendations for research organizations to enhance research security and integrity. Categories include: Demonstrate organizational leadership and oversight; Establish an expectation of openness and transparency; Provide and share training, support, and information; Ensure effective mechanisms for compliance with organizational policies; and Manage potential risks associated with collaborations and data.
A May 2020 joint release from AAU and APLU providing effective practices that can be utilized by universities to implement research security efforts and minimize foreign influence.
Issued on November 26, 2024. DOE's RTES office issued a 'framework to minimize, mitigate, and manage risks while maintaining an open, collaborative, and world-leading scientific enterprise.' The process includes three phases during which RTES will coordinate with program offices. This includes ensuring solicitations include appropriate language on RTES requirements, including assessment of technology risk level; and RTES 'due diligence' reviews before selection for award; and changes that occur during the life of a project that may trigger RTES review. Risk reviews use information disclosed to the agency as well as public and classified sources. Risk factors include ties to malign foreign talent recruitment programs, 'certain foreign funding sources', 'certain concerning behaviors associated with patenting', and ties to foreign entities or foreign collaborators on specified [certain U.S. restricted] lists 'or with specified characteristics.'
August 2024. Assists agency staff in assessing grant applications and ongoing awards for potential foreign interference. Factors considered include: (1) current or past participation in a malign foreign talent recruitment program, which is prohibited by law, (2) undisclosed current or prior funding from a foreign country of concern (FCOC), or connected entity (currently China, Russia, North Korea, and Iran (higher risk)) or other foreign country (lower risk) and, (3) Indicators of an undisclosed current or past affiliation with an institution or entity located in or connected to a FCOC (higher-risk/mitigation) or foreign country (lower-risk/mitigation). Per the matrix, mitigation is either required, recommended, suggested, or not required based on the timing of the engagement and if accurate and complete disclosure information was provided. Mitigation conditions include: (1) specific award conditions, (2) modification of terms and conditions of award, (3) suspension, termination, or withdrawal of an award, (4) conversion from advance payment to reimbursement, and (5) recovery of funds.
A survey issued by COGR in April 2024 documenting research institutions' experiences with DoD's policy for risk-based security reviews of fundamental research.
A March 2024 report commissioned by NSF and issued by the JASON group. Recommends NSF adopt a dynamic approach for identifying potentially sensitive research topics as they arise and weigh the balance between the protective benefits and the unintended negative consequences of controls on sensitive research. It is suggested that the identification of sensitive projects proposed to NSF occurs most naturally before peer or panel review. Specific mitigation strategies for sensitive research projects should be negotiated and agreed upon by the principal investigator (PI), NSF, and the institution and be proportionate to the assessed risk, relative to the associated costs.
A February 2024 biannual update from the Fast Track Action Subcommittee on Critical and Emerging Technologies of the NSTC that defines critical and emerging technologies (CETs), which are a subset of advanced technologies that have a significant impact on U.S. national security. [List of CETs is outlined on pages 8-11]
RTES presented on research security risk reviews during a COGR meeting in October 2023, noting that much of the agency's portfolio includes critical and emerging technologies. Among the areas noted as potential targets were Advanced batteries, Advanced computing, Advanced engineering materials, Advanced manufacturing, Artificial intelligence/machine learning, Autonomous systems and robotics, Biotechnologies, Quantum information technologies, Next generation renewable energy generation and storage and Semiconductors and microelectronics.
Issued June 29, 2023 by DoD. The document includes: 1. A Policy on Risk-based Security Reviews of Fundamental Research, 2. A Decision Matrix to Inform Fundamental Research Proposal Mitigation (Amended May 5, 2025), 3. A list of foreign institutions identified as engaging in problematic activity (Part 3, Table 1, Amended June 24, 2025), and 4. A list of foreign talent recruitment programs identified as posing a threat to U.S. national security interests (Part 3, Table 2). The Decision Matrix contains four factors for assessing senior/key personnel disclosures: a. Participation in foreign talent recruitment programs, b. Current or prior funding from foreign countries of concern (FCOCs), c. Filing a patent in an FCOC or on behalf of an FCOC-connected entity without disclosure, and d. Associations or affiliations with organizations on U.S. Entity (trade restriction) and other indicated (U.S. restricted) lists.
A June 2023 report issued by the National Academies providing recommendations that U.S. institutions of higher education can take to identify and mitigate risks associated with foreign-funded language and culture institutes on campus.
February 2023. Outlines advanced monitoring and verification activities of NSF proposals and awards. The guidelines largely serve to provide transparency and identify guardrails NSF has put in place around the use of data analytics to monitor and validate information disclosed (e.g., in biosketches and current and pending support). For example, the activities are not investigative and cannot be incorporated into the merit review process. Sources of information include SCOPUS, Web of Science, and the U.S. Patent and Trademark Office Patent Database.
Issued by the NCSC in December 2021, this document includes links to risk mitigation materials that can be utilized to improve: physical security, personnel security, operations security, cybersecurity, defensive counterintelligence, insider threat mitigation, and supply chain risk management.
NSF's formal response to the JASON Group's report on Fundamental Research Security, outlining how the Foundation plans to address the report's findings and recommendations.
A December 2019 report from the JASON Group commissioned by NSF. The report outlines that concerns of foreign influence can be addressed within the framework of research integrity and, in addition, that the benefits of openness in research and of the inclusion of foreign researchers dictate against measures that would restrict fundamental research. The report includes questions for researchers to consider when entering a collaboration [Section 7.3 Assessment Tools: pages 34-36].
Effective October 1, 2025, recipient institutions must train senior/key personnel on the requirement to disclose all research activities and affiliations in Other Support and maintain a 'written and enforced policy on requirements for the disclosure of other support to ensure Senior/Key Personnel fully understand their responsibility to disclose.'
Research security training developed by institutions and organizations under cooperative agreements funded by NSF in collaboration with the National Institutes of Health (NIH), Department of Energy (DoE), and Department of Defense (DoD), with engagement from the Federal Bureau of Investigation (FBI). The training consists of 4 modules: 1.) What is Research Security?; 2.) Disclosure; 3.) Manage and Mitigate Risk; 4.) International Collaboration.
Supplemental summary document and press release from DoD announcing the final CMMC Program rule.
The final CMMC Program rule published in October 2024 by the DoD Office of the Secretary establishing the Cybersecurity Maturity Model Certification framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense supply chain.
Joint comments submitted by ACE, AAU, APLU, COGR, and EDUCAUSE on February 26, 2024 in response to the proposed CMMC rule.
An initial public draft issued by NIST in August 2023 that summarizes feedback NIST received on institutions of higher education (IHE) cybersecurity challenges and includes resources and possible next steps. Per the final research security program guidelines published July 9, 2024, institutions are to implement a cybersecurity program one year after publication of the final version of this NIST cybersecurity resource. Federal research funding agencies, working with NIST and IHEs via the Federal Demonstration Partnership (FDP), are currently developing cybersecurity guidelines that align with NIST 8481 for use in RSPs.
Published August 4, 2025, this guidance provides background on Fundamental Research (FR) as defined by NSDD-189 and DoD's implementation of the Directive via the May 24, 2010 'Carter Memo'. The Guidance notes that 'under the Carter Memo, research funded by 6.1 budget activity or 6.2 research conducted on a university campus is fundamental. For other research categories, the Department must be deliberate when deciding that a particular research topic is appropriate for openly published fundamental research'. It incorporates Considerations for Program Managers and Contracts and Grants Officers, including: a. Refraining from imposing publication review of research that has been formally designated as fundamental; b. For awards with multiple performers, considering whether some portion of the work should be designated as FR even if much of the award is not; and c. Avoiding flowing down restrictions to awardees performing FR that are inappropriate for FR. In addition, no security vetting should be done on personnel engaged in fundamental research and no preapproval conditions for the addition of researchers.
A foundational federal document from September 1985 issued by the Office of the President that outlined a national policy of openness in federally-funded fundamental research, including the fundamental research exclusion.
Published by DoD on June 24, 2025, this document introduces the FY23 lists of foreign institutions identified as engaging in problematic activity and foreign talent recruitment programs identified as posing a threat to U.S. national security, as required by Section 1286 of the FY2019 NDAA.
Per Section 10631 of the CHIPS and Science Act, this document issued in February 2024 from the White House OSTP provides definitions of both foreign talent recruitment programs (FTRPs) and malign foreign talent recruitment programs (MFTRPs) [pages 4-6] and what is not considered an FTRP. A foreign talent recruitment program is any program, position, or activity that includes compensation in the form of cash, in-kind compensation, including research funding, promised future compensation, complimentary foreign travel, things of non de minimis value, honorific titles, career advancement opportunities, or other types of remuneration or consideration directly provided by a foreign country at any level or their designee, or an entity based in, funded by, or affiliated with a foreign country.
A 2024 report by the National Academies: Sciences, Engineering and Medicine examining international talent programs in the context of the changing global environment.
The G7 research security portal providing resources and coordination among G7 member nations (Canada, France, Germany, Italy, Japan, United Kingdom, and United States) on research security best practices and policies.
On September 18, 2025, NIH released additional information regarding the agency's new application and award structure for international collaborations, previously announced in NIH NOT-OD-25-155. In addition to summarizing impacts to proposing/recipient institutions, the announcement provides links to additional information for the four new Activity Codes (grant types) that will be used to facilitate the new application and award process.
Issued September 12, 2025, this notice provides additional information on the agency's new process for handling foreign components, as NIH announced in NOT-OD-25-104 that the agency would not issue awards for proposals that include subawards to foreign entities. Under the process described in NOT-OD-25-155, competing applications that include one or more foreign components must submit to a Notice of Funding Opportunity (NOFO) that supports a complex mechanism activity code, including two new international project 'parent' activity codes that NIH is creating: PF5 for grants and UF5 for cooperative agreements.
Issued July 18, 2025 as a follow-up to NOT-OD-25-104. This updated guidance creates an alternative, short-term approach for existing grants and cooperative agreements involving human subjects research (e.g., clinical trials and clinical research) with foreign sites. The alternative approach involves removing a foreign sub-award from the primary award and having it issued as a foreign supplement award.
Issued May 1, 2025. Prospectively updates NIH policies and practices for utilizing foreign subawards. Per the notice, 'NIH is establishing a new award structure that will prohibit foreign subawards from being nested under the parent grant. This new award structure will include a prime [with independent linked awards] that will allow NIH to track the project's funds individually while scientific progress will be reported collectively by the primary institution under the Research Performance Progress Report.' NIH anticipates implementing the new award structure by no later than September 30, 2025, prior to Fiscal Year 2026. The policy continues to support direct foreign awards and plans to expand this policy to domestic subawards in the future, for consistency.
An August 2024 report emphasizing the importance of the critical quantum information science and technology (QIST) field and the need to enhance interagency cooperation, fund international collaboration, and track global competitiveness.
Published February 2024, this document outlines best practices agreed upon by G7 member nations for maintaining secure and open research.
Published August 2023 by NIST, this report integrates several U.S. government policies and guidelines to develop a framework for an integrated, risk-balanced approach for safeguarding international science and technology from undue foreign interference.
Released in May 2022 from the Committee on guidelines for international research and innovation cooperation to facilitate international cooperation in research.
November 2021 guidelines for the Australian University sector to help manage and engage with risk to deepen resilience against foreign interference in the university sector.
Published April 2021, Japan's policy directions for ensuring research integrity in response to new risks associated with increasing internationalization and openness of research activities.
Published in 2020. Purpose is to aid universities in assessing collaborations and the best approach to international collaboration.
A reference (2019) that can be utilized for advice and guidance which supports the integrity of the system of international research collaboration.
The Congressional Research Service (CRS) issued a report on May 20, 2025, summarizing federal research security policy efforts to date, and providing options Congress might consider to address perceived gaps or deficiencies while also remaining cognizant of the potential increase to administrative burden they would present. Proposed options discussed include: a. Expanding sources of foreign support researchers are required to disclose, b. Broadening the scope of who is required to disclose Current and Pending (Other) Support, c. Increasing the frequency of post-award updates, d. Expanding agency requirements when reviewing disclosed information, e. Focusing risk assessment activities more narrowly on critical and emerging technologies, f. Expanding agencies' requirements to report to congress on research security violations, mitigation measures, and implementation status.
September 2024, report ordered by Committee on Homeland Security. States that IHEs which have a relationship with a Confucius Institute or Chinese entity of concern is ineligible to receive any funds from the Department of Homeland Security, unless the institution terminates the relationship.
A congressional hearing held in February 2024 with representatives from the White House (OSTP), NSF, NIH, and DoE examining federal science agency actions to secure the U.S. science and technology enterprise.
Directs [NSF] to establish a research security and integrity information sharing analysis organization to enable the research community to share information, identify research security risks, and implement risk assessment and mitigation best practices and procurement of a non-government organization to run this center. The SECURE Program, including the SECURE Center and SECURE Analytics, were implemented to answer this call.
Establishes a Chief of Research Security position within the NSF Office of the Director to manage the Office of Research Security and Policy.
Establishes an Office of Research Security, Strategy, and Policy within NSF.
DOE Office of Science to develop and maintain tools and processes to manage and mitigate research security risks such as an S&T risk matrix, informed by threats identified by the Office of Defense National Intelligence (ODNI).
Signed into law in August 2022, the CHIPS and Science Act includes a number of research security provisions. Key sections address research security at DOE, NIST cybersecurity guidance, NSF Office of Research Security and Policy, research security training requirements, information sharing analysis organizations, Confucius Institute restrictions, foreign financial support reporting, and foreign talent recruitment program requirements.
Directs NSF to collect annual summaries of foreign financial support from universities. The provision establishes a reporting threshold of $50,000 or more in [cumulative] financial support, including gifts and contracts, received directly or indirectly from a foreign country of concern (China, Russia, North Korea, and Iran at the time the law was enacted), or any other country determined to be a concern by the Secretary of State. This is in addition to the reporting of gifts and contracts from all foreign countries with a cumulative value of $250,000 or more via the Higher Education Act and Department of Education.
OSTP to issue guidance to Federal research agencies to prohibit participation in 'foreign talent recruitment programs' by agency personnel and provide additional clarification to the research community regarding which activities are considered 'foreign talent recruitment programs.' OSTP is also directed to issue guidance clarifying that researchers working on Federally supported research projects must disclose participation in FTRPs in Federal research award proposals. OSTP is further directed to issue guidance for Federal research agencies to prohibit researchers working on agency-funded projects from participating in 'malign foreign talent recruitment programs,' and certify both at the time of proposal and annually that they are not part of a malign foreign talent recruitment program.
Places restrictions on eligibility for NSF R&D funding for institutions that host or support Confucius [or Confucius-like] institutes.
Signed January 3, 2020. Section 223 mandates disclosure of funding sources in applications for federal R&D awards and holds universities accountable for ensuring faculty awareness. Section 1299C is an amendment to FY 2019 NDAA Section 1286 requiring designation of an official responsible for liaising with academic institutions and briefing them on espionage risks. Section 1062 restricts DoD and NSF funds to institutions hosting a Confucius Institute. Section 9907 prohibits any funds for microelectronics initiatives to a foreign entity of concern.
Signed December 20, 2019. Section 1746 directs OSTP to establish an interagency working group (the Research Security Subcommittee) under the NSTC to protect federally funded R&D from foreign interference, cyberattacks, theft, or espionage and to develop recommendations for best practices for federal agencies and grantee institutions. Section 1746 also called on the National Academy of Science, Engineering and Medicine to stand up a new Roundtable on Science, Technology, and Security. Includes Confucius Institute waiver criteria for DoD.
Signed into law July 26, 2018. Section 1286 directs the Secretary of Defense to establish an initiative to work with IHEs who perform defense research and engineering activities and name an academic liaison. It also directed DoD to publish a list of institutions and foreign talent recruitment programs that have perpetuated malicious activities or that operate under the direction of the military forces or the intelligence agency of the applicable country and thus pose a threat to national security. The resulting list is updated annually.