RESEARCH SECURITY — In January 2021 the National Security Presidential Memorandum 33 (NSPM-33) came into effect, both to safeguard the security and integrity of federally funded research and development programmes and to prevent research misappropriation and ensure responsible management of U.S. taxpayer dollars.
The purpose of NSPM-33 is:
- To protect intellectual capital and prevent misappropriation of government-funded research
- To ensure responsible use of U.S. taxpayer dollars while continuing the national environment for new research and innovation
- To safeguard the integrity of U.S. innovative research and development
- To standardize disclosure requirements and processes across all federal funding agencies.
In this article we will give you an overview of NSPM-33 compliance, what you need to do, and what the NSPM-33 means for research organizations and agencies alike.
Why is research security important?
International collaboration is a fundamental part of any research enterprise: it enriches the research experience, cultivates new ideas, and strengthens partnerships. But given the current geopolitical climate, it can also pose risks to both the physical and intellectual safety of your research and researchers.
Because of this, research organizations have an increasing need to identify the risks posed by unwanted access, interference, or even theft.
Who needs to comply with NSPM-33?
NSPM-33 applies to research organizations that receive in excess of $50 million per year in total federal research funding as well as all federal research funding agencies.
Requirements for NSPM-33 compliance
NSPM-33 requires all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards, and requires research organizations to implement a research security program.
The research security program needs to cover the following four elements:
- Cybersecurity
- Foreign travel security
- Export control training
- Research security training.
Cybersecurity
Organizations are required to implement robust cybersecurity practices to protect digital research data and infrastructure from unauthorized access, theft, and damage.
These practices keep networks, systems, and data storage secure against threats.
Foreign travel security
Organizations need to establish policies and training programs to help mitigate the risks associated with international travel for their researchers.
This could include guidelines on how to secure devices during travel, awareness of espionage tactics, and protocols for reporting suspicious activity during travel and conferences.
Export control training
Organizations need to ensure that all personnel involved in research are trained on laws and regulations regarding export control.
This includes understanding what information, technologies, and material are subject to export controls, and what implications that has for research collaboration.
Research security + training
Organizations need to develop programs that educate employees on how to recognize and report insider threats, and establish processes for thoroughly vetting foreign visitors and researchers to prevent unauthorized transfer of technology and information.
Consequences of non-compliance
According to section 4(b) of NSPM-33, “Agencies shall ensure appropriate and effective consequences for violation of disclosure requirements and engagement in other activities that threaten research security and integrity.”
Depending on the nature of the violation, the consequences can be civil, institutional, or even criminal.
Additionally, U.S. federal and state laws may apply, for example when individuals intentionally try to mislead agencies by providing incomplete or incorrect information during the grant funding process.
Achieving NSPM-33 Compliance
Navigating compliance requirements like NSPM-33 can be a significant challenge, and meeting the regulatory requirements has a direct impact on your organization’s success.
Cybersecurity
Controlled Unclassified Information (CUI) in all its forms, including Personally Identifiable Information (PII), health data, financial data, law enforcement data, and export-controlled data, needs to be properly protected.
A responsible way of ensuring the security and protection of these data types is to procure services that can:
- Provide you with the ability to configure security for your data,
- Operate on secure cloud or on-premise storage,
- Live up to external security audits such as SOC 2 Type II or 3PAO,
- Support compliance with U.S. industry, sector, state, or federal requirements.
Foreign travel security
Make sure your personnel are able to provide the right information the first time, and brief them on the relevant security guidelines and practices for their travels.
One of the easiest ways to do that is to implement a system that lets you create workflows, automate briefings relevant to your field, and send them to groups of employees as they become relevant.
Export control training
Meeting the export control training requirement means having a way to train your employees and to document that they have completed the necessary training.
This is easily achieved with a system that lets you train staff in bulk by sending out courses and tests, automate reminders for incomplete or overdue courses, and track completion status for all employees.
Research security + training
Lastly, research security and training means continuously educating employees on topics such as insider threat awareness and identification, setting up screening and vetting processes, and regularly assessing your current practices.
You typically achieve this through systems that let you educate staff on relevant compliance topics while tracking completion status for security modules, and through processes or systems that let you run background checks and screen visitors or employees against watchlists.