
Cybersecurity

NIST 8481, CMMC, controlled-access data repositories, cybersecurity for research.

15 references in this topic

Federal-wide Baseline

White House OSTP / NSTC Research Security Subcommittee | Active | Federal

A Presidential Memorandum issued in January 2021 to strengthen protections of U.S. Government-supported R&D against foreign government interference and exploitation. It focuses on ensuring full disclosure of potential conflicts of interest and commitment by recipients of federal R&D and requires research institutions receiving over $50 million in federal R&D funding to certify they operate a research security program covering cybersecurity, foreign travel security, insider threat awareness, and export control training. As of November 2025, federal agencies continue to coordinate and work to implement this requirement for awardee institutions.

National Counterintelligence and Security Center (NCSC) | Active | Federal

Issued by the NCSC in December 2021, this document includes links to risk mitigation materials that can be utilized to improve: physical security, personnel security, operations security, cybersecurity, defensive counterintelligence, insider threat mitigation, and supply chain risk management.

White House OSTP | Active | Federal

Final Research Security Program (RSP) Guidelines published on July 9, 2024, via a memorandum to the heads of federal research funding agencies. Federal agencies are directed to implement the guidelines and provide time for institutional implementation. The four required areas are: cybersecurity, foreign travel security, research security training, and export control training. Agencies are coordinating implementation under a memorandum of agreement and are anticipated to issue the requirements in early 2026.

U.S. Congress | Active | Federal

Signed into law in August 2022, the CHIPS and Science Act includes a number of research security provisions. Key sections address research security at DOE, NIST cybersecurity guidance, NSF Office of Research Security and Policy, research security training requirements, information sharing analysis organizations, Confucius Institute restrictions, foreign financial support reporting, and foreign talent recruitment program requirements.

National Academies Committee | Active | Federal

Published September 3, 2025, this is the report of an expedited study conducted by a National Academies Committee to examine federal research regulations and identify ways to improve regulatory processes and administrative tasks, reduce or eliminate unnecessary work, and modify and remove policies and regulations that have outlived their purpose while maintaining necessary and appropriate integrity, accountability, and oversight. Research security-specific options include: implement the NSPM-33 common disclosure forms and disclosure table without deviation; establish common principles for agency research security risk reviews for fundamental research; continue prior efforts to streamline and clarify export controls; and adapt cybersecurity requirements for university settings.

Agency-specific Requirements

Department of Defense | Active | DoD

In the September 10, 2025, Federal Register, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule. The new rule formalizes the ability of the DoD to include CMMC requirements as a condition of contract award, to include either Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both.

National Institute of Standards and Technology (NIST) | Draft | NIST

An initial public draft issued by NIST in August 2023 that summarizes feedback NIST received on institutions of higher education (IHE) cybersecurity challenges and includes resources and possible next steps. Per the final research security program guidelines published July 9, 2024, institutions are to implement a cybersecurity program one year after publication of the final version of this NIST cybersecurity resource. Federal research funding agencies, working with NIST and IHEs via the Federal Demonstration Partnership (FDP), are currently developing cybersecurity guidelines that align with NIST 8481 for use in RSPs.