February 8, 2024
Research Security Policies: An Overview
The international scientific community generally views the
to disclose and reaffirmed the need for agency coordination.
free and open exchange of information as vital to the
The 2022 NSPM-33 implementation guidance further
process of scientific inquiry, including the vetting of ideas
elaborated that funding applicants should disclose all
and the verification of research results. The U.S. research
“resources made available, or expected to be made
ecosystem broadly operates on these principles. Sources
available, in support of the individual’s [R&D] efforts,”
have documented a variety of mechanisms employed on
including both domestic and foreign support, both monetary
behalf of foreign governments—most notably the People’s
and in kind.
Republic of China—to influence and exploit the openness
of the U.S. research ecosystem. The acquisition of U.S.
To help all federal agencies require applicants to disclose
advances in science and technology, intellectual property,
such information, the National Science Foundation (NSF)
and talent by strategic competitors may pose a risk to U.S.
released two common forms in November 2023 expected to
national defense and global economic competitiveness.
be included in all applications for federal research awards:
the Biographical Sketch Common Form and the Current
Congress and the executive branch have taken several
and Pending (Other) Support Common Form. OSTP must
actions to try to maintain the benefits of an open research
review any potential modifications to the common forms
ecosystem while attempting to protect it from external
that agencies may wish to make.
threats. For example, in 2019, Section 1746 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY)
P.L. 116-283 directed agencies to require that covered
2020 (P.L. 116-92) directed federal agencies to, among
individuals, as defined in the NSPM-33 implementation
other things, develop descriptions of known and potential
guidance, update their disclosure information during the
threats to federally funded research and development
term of the award, as determined by the agency. Though the
(R&D) and the integrity of the U.S. scientific enterprise. In
NSPM-33 implementation guidance also directed agencies
January 2021, President Trump issued National Security
to require certified updates to disclosure reporting during
Presidential Memorandum 33 (NSPM-33), which
the term of the award, the common disclosure form defers
“direct[ed] action to strengthen protections of United States
to individual agency policies on the frequency and timing
Government-supported Research and Development (R&D)
of post-award disclosure requirements.
against foreign government interference and exploitation.”
And in January 2022, the Biden Administration issued
Foreign Talent Recruitment Programs
guidance to federal agencies on the implementation of
In addition to requiring the disclosure of foreign support,
NSPM-33.
the executive branch and Congress have issued specific
policies governing both federal employee and grantee
This In Focus summarizes key developments in four
participation in foreign talent recruitment programs. For
selected research security policy areas—disclosure
example, Section 4(c)(ii) of NSPM-33 directed agency
requirements; foreign talent recruitment programs; research
heads to establish or clarify existing policies that prohibit
security training and program requirements; and
federal employee participants in the U.S. R&D enterprise
information sharing and risk assessment—and poses
from participating in foreign government-sponsored talent
potential oversight questions for Congress to consider.
recruitment programs. It also indicated that agency heads
may consider establishing agency-specific policies that
Disclosure Requirements
would extend the prohibition to “some or all agency
Congress and the executive branch have strengthened
contractor personnel.”
existing policies and instituted new requirements
concerning the information that applicants for federal R&D
Congress, however, mandated more restrictive measures on
funding must disclose, especially regarding foreign support.
foreign talent recruitment program participation. Section
10631 of P.L. 117-167, known as the CHIPS and Science
In January 2021, with the enactment of the NDAA for
Act, specified that agency guidelines should (a) require
FY2021 (P.L. 116-283), Congress directed federal agencies
covered individuals to disclose if they are party to a foreign
to require individuals applying for federal R&D funding to
talent recruitment program contract, and (b) to the extent
disclose all current and pending research support. Congress
practicable, require federal R&D funding recipients to
also charged the Office of Science and Technology Policy
prohibit covered individuals participating in malign foreign
(OSTP) with ensuring that disclosure requirements are
talent recruitment programs from working on projects
consistent across federal agencies.
supported by federal R&D awards.
Section 4(b)(vi) of NSPM-33 listed specific types of
Section 10632 also specified that, not later than August 9,
information that agencies should require funding applicants
2024, federal research agencies should establish policies
https://crsreports.congress.gov
Research Security Policies: An Overview
requiring an R&D award proposal to include (1)
NIST’s framework included a range of guidance for federal
certification from covered individuals that they are not a
agencies, institutions of higher education, and other entities,
party to a malign foreign talent recruitment program, as part
in developing research security programs, acquiring
of the initial submission and annually for the duration of the
research security personnel, and conducting research
award; and (2) certification from an institution of higher
security risk analysis, among other elements.
education or other organization applying for the award that
each covered individual employed by the entity has been
On January 20, 2024, as directed by P.L. 117-167, NSF
made aware of and is in compliance with the malign foreign
released four interactive online research security training
talent recruitment program disclosure requirements.
modules to be used by U.S. researchers and institutions.
The Biographical Sketch Common Form currently requires
Information Sharing and Risk
applicants to certify that “at the time of submission” they
Assessment
are not party to a malign foreign talent recruitment
To improve the ability of federal agencies to identify and
program. It also includes the institutional certification
respond to potential research security threats, section 4(e)
required by statute.
of NSPM-33 directed agencies to share information about
individuals and institutions that violate disclosure policies.
Research Security Training and Program
Requirements
Similarly, P.L. 117-167 directed NSF to establish an
To build awareness and strengthen compliance with
independent research security and integrity information-
research security policies, NSPM-33 issued new
sharing analysis organization. The organization is to,
requirements related to research security training.
among other duties, serve as a clearinghouse of information
for the research community, provide timely reports on
Section 4(f) directed funding agencies to ensure that federal
research security risks, and develop risk assessment best
personnel involved in the conduct of R&D or allocation of
practices.
R&D funding receive training to include “risks to the
United States R&D enterprise, individuals’ responsibilities
Congress has also directed individual agencies to develop
related to research security and integrity, and circumstances
risk assessment tools and frameworks to manage and
and behaviors that may indicate risk to research security
mitigate security risks. For example, the Consolidated
and integrity.”
Appropriations Act, 2023 (P.L. 117-328) required the
Department of Health and Human Services to develop a set
Section 4(g) directed agencies to require research
of strategies and frameworks to protect federally funded
institutions receiving more than $50 million in federal
biomedical R&D from national security and other risks.
science and engineering support per year to certify that the
institution has established and operates a research security
Potential Issues for Congress
program. The provision directed institutional research
As Congress oversees the implementation of current
security programs to include “elements of cyber security,
research security provisions and the potential development
foreign travel security, insider threat awareness and
of new measures, the following topics could be considered:
identification, and, as appropriate, export control handling.”
• Should the disclosure information associated with
In February 2023, OSTP released a “Draft Research
covered individuals and research institutions be made
Security Programs Standard Requirement” to facilitate
publicly available?
implementation of Section 4(g) of NSPM-33 as well as
• How frequently should post-award disclosure reporting
research security training requirements mandated by
occur and should agencies be required to harmonize
Section 10634 of P.L. 117-167. The draft guidance
such requirements?
provided additional details on covered organizations,
foreign travel security, research security training,
• What mechanisms exist to ensure effective and
cybersecurity, and export control training. It also specified
consistent monitoring and enforcement of research
that federal agencies should communicate the required
security provisions?
training components and standards to research
• Are research security roles and responsibilities clearly
organizations as part of their funding agreement processes.
and appropriately allocated between federal agencies
and research institutions?
In August 2023, the National Institute of Standards and
Technology (NIST) released the Safeguarding International
• Are research security efforts, including monitoring and
Science: Research Security Framework, through which
enforcement activities, sufficiently staffed and funded?
NIST intended to establish
• Should agencies be required to use disclosed
information in performing security risk assessments?
a uniform Research Security implementation
•
methodology designed to safeguard America’s
How, if at all, should risk assessments vary among
federal agencies (e.g., defense or civilian), stage of
science and research community from undue
research (e.g., basic or applied), or area of research (e.g.,
foreign interference while safeguarding the benefits
critical or emerging technology)?
of international science, thus ensuring the integrity
of the U.S. innovation ecosystem.
Emily G. Blevins, Analyst in Science and Technology
Policy
https://crsreports.congress.gov
Research Security Policies: An Overview
IF12589
Marcy E. Gallo, Analyst in Science and Technology Policy
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF12589 · VERSION 1 · NEW