Time Is Up: The Research Security Program Standards Won’t Save the Waiting Research Organizations
If you are like other university research executives, you probably have been waiting for more definitive guidance to come out of Washington, DC, regarding the National Security Presidential Memorandum 33 (or NSPM-33). Most research institutions in the higher education community have been hoping that the Office of Science and Technology Policy (OSTP) will tell them exactly how to protect their research from foreign influence threats. Unfortunately, the NSPM-33 final ruling, which should be published soon and details Research Security Program Standards (the “Standards”), will not provide the solution many organizations desire. The Standards will likely be vague, leaving the direct requirements to the federal research grant funding agencies. The Standards are unlikely to directly benefit research grant awardee organizations, as the federal government remains reluctant to commit funding and personnel to assist in building research security programs. However, the consequences of not establishing a research security program could be "dire." Organizations receiving federal funding that want to stay competitive must design, implement, and manage their internal research security programs capable of meeting the various requirements mandated by individual funding agencies, such as the National Institutes of Health (NIH), the National Science Foundation (NSF), the Department of Energy (DoE), and others.
Over the past five years, Congress and funding agencies have published new requirements and guidelines to address research security concerns, including foreign influence and unreported conflicts of interest and commitment (COI/C). The requirements outlined in the NSPM-33, the CHIPS and Science Act, the National Defense Authorization Act (NDAA), and grant policy statements from federal research grant funding agencies did not provide standardized guidelines to instruct research universities on what or how to implement research security program components. Instead, the requirements highlighted that organizations must establish adequate research security programs, leaving the specific standards to meet the federal agencies providing the research funding. Many research universities and organizations responded to the requirements by waiting for further guidance from the federal government through the Research Security Program Standards. The reality, however, is that specific guidance will not be available.
One aspect is certain. The forthcoming Research Security Program Standards will not change the underlying practical requirements already written into the NSPM-33 and encoded into law by the passage of the CHIPS and Science Act: Every research university should implement a formal research security program, led by a professional research security officer, to identify, assess, investigate, and remediate research security risks. The proverbial clock to self-certify has started ticking, and research universities should anticipate that research security requirements will be showing up in the terms and conditions of their grant awards and contracts.
It's crucial for organizations not to wait for specific implementation guidance from the federal government. U.S. research organizations have already faced fines or funding denials due to research security violations. Congress and the funding agencies expect organizations to take a proactive, risk-based approach to tackle potential COI/C and Foreign Influence. The institutions that will benefit the most will be those that are proactive about these requirements, understand the specifications of each funding agency, and implement a research security program accordingly. By taking the initiative, these institutions are ensuring their compliance and securing their future funding opportunities. Conversely, those who wait to establish a research security program will gravely affect their institution's ability to receive funding.