Grant Development & Strategy |
Research Security is the latest buzz word in research administration. What is it, why should we care, and who is responsible? This article discusses the history and evolution of research security as we know it today, and what pre-award professionals need to know to ensure compliance from the very beginning.
Research Security is the latest buzzword, now here to stay, with many funding agencies changing or adding policies that require mandatory security training certifications at the point of proposal submissions. For example, the National Science Foundation (NSF) currently requires each senior personnel member on proposal submissions to complete research security training, and the National Institutes of Health (NIH) will start requiring these certifications starting May 25, 2026 (National Institutes of Health, 2025). Other federal agencies also require the certifications now, or will soon follow suit.
Because research security training certifications are required for proposals, pre-award administrators will now need to ensure this information is collected at the time of proposal submissions. Many central research administration offices are collecting these security certificates as a prerequisite for proposal submissions. Understanding the background of these mandates is important to effectively communicate with investigators. So, what is research security, why now, and who is responsible?
What is research security?
“Research security,” as per National Security Presidential Memorandum 33 (NSPM-33), is “safeguarding the U.S. research enterprise against the misappropriation of research and development to the detriment of national or economic security, related violations of research integrity, and foreign government interference” (The White House, 2022).
What prompted this, and why should we care?
Research security is not entirely a new concept; however, a series of high-profile violations between 2014 and 2020, including cyber theft of academic data, discovery of undisclosed "shadow labs" funded by foreign governments, undisclosed conflicts of interest and commitment, and Intellectual Property theft (Joint Committee on the Research Environment (JCORE), 2020), fueled a release of new regulations in the past five years to protect research. Research security has transformed from “good to know” to “must know” to be compliant with federal agencies’ requirements.
Regulations Passed
In January 2021, the National Security Presidential Memorandum-33 executive order directed agencies to require institutions with more than $50 million in federal funding per year to establish a Research Security program (Research Security Policies: An Overview, 2026). The CHIPS and Science Act of 2022 (Subtitle D– Research Security) required that each covered individual and institution applying for federal funding certify:
- That they are not a party to a malign foreign talent recruitment program and re-certify annually for the duration of the award (Section 10632).
- That they have completed Research Security training within one year of application (Section 10634) (U.S. Congress, 2022).
The Four Pillars
The Office of Science and Technology Policy (OSTP) released a memorandum, Guidelines for Research Security Programs at Covered Institutions, on July 9, 2024. This memorandum required institutions to have four elements in their research security program. These four pillars are:
- Cybersecurity
- Foreign travel security
- Research security training
- Export control training (Office of Science and Technology Policy, 2024)
NSF SECURE
With the OSTP guidelines, NSF released research security training modules in January 2024 and announced the establishment of the Safeguarding the Entire Community of the U.S. Research Ecosystem (SECURE) Center (Research Security Policies: An Overview, 2026).
The SECURE Center is a federally funded, non-government, independent entity that aims to enhance research security. The Center has developed a condensed version of research security training recognized by NSF, NIH, DOE, DoD, and USDA as meeting federal requirements, Foreign Travel Resource Toolkit, and Risk Assessment Framework, among other products.
Who is responsible?
A compliant research security program is a shared responsibility between institutional officials and key personnel. Institutions can provide a secure environment that meets security standards set by the National Institute of Standards and Technology (NIST) (National Institute of Standards and Technology, 2016). The principal investigator and their team should ensure that the data is stored on approved systems.
Investigators should check institutional policy or take available training when traveling abroad. They should pre-disclose all international travel, so that institutions can conduct the necessary research assessments (including screening, understanding the purpose of the trip, noting the entities involved, etc.) and ensure that laptops and other electronic devices are secure to protect data.
Investigators and their team must take the training every 12 months. Similarly, institutions would collect all disclosures, and the investigators should ensure that all disclosures are complete. Institutions can develop and provide research security training for their key personnel. NSF offers Research Security Training that satisfies these requirements. The CITI Program also offers Research Security Courses.
What are the penalties?
The stakes of non-compliance have never been higher, with potential consequences for both the individual and the institution. Non-compliance with research security mandates can result in termination of awards or the debarment from receiving future federal funding (CHIPS and Science Act, 2022). These certifications are collected through standardized biosketches and “Current and Pending (Other) Support” forms via SciENcv. Providing inaccurate or incomplete information on these documents can trigger civil and criminal penalties under the False Claims Act for knowingly certifying false claims to the federal government.
CHIPS and Science Act. (2022). PUBL167 dkrause on LAP5T8D0R2PROD with PUBLAWS. https://www.congress.gov/117/plaws/publ167/PLAW-117publ167.pdf
Joint Committee on the Research Environment (JCORE). (2020, June). Enhancing the security and integrity of America’s research enterprise. The White House Office of Science and Technology Policy. https://trumpwhitehouse.archives.gov/wp-content/uploads/2020/07/Enhancing-the-Security-and-Integrity-of-Americas-Research-Enterprise.pdf
National Institute of Standards and Technology. (2016, June 30). Cybersecurity and privacy | NIST. NIST. https://www.nist.gov/cybersecurity-and-privacy
National Institutes of Health. (2025). NOT-OD-26-017: Research Security Training Requirements for NIH. Nih.gov. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-26-017.html
Office of Science and Technology Policy. (2024, July 9). Guidelines for Research Security Programs at Covered Institutions. Executive Office of the President. https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/07/OSTP-RSP-Guidelines-Memo.pdf
Research Security Policies: An Overview. (2026). Congress.gov. https://www.congress.gov/crs-product/IF12589
The White House. (2022, September). An Update on Research Security: Streamlining Disclosure Standards to Enhance Clarity, Transparency, and Equity | OSTP | The White House. The White House. https://bidenwhitehouse.archives.gov/ostp/news-updates/2022/08/31/an-update-on-research-securitystreamlining-disclosure-standards-to-enhance-clarity-transparency-and-equity/
U.S. Congress. (2022, August 9). H.R.4346 - 117th Congress (2021-2022): Supreme Court Security Funding Act of 2022. Www.congress.gov. https://www.congress.gov/bill/117th-congress/house-bill/4346
US Department of Justice. (2025, January 15). The False Claims Act. Justice.gov; U.S. Department of Justice. https://www.justice.gov/civil/false-claims-act
AI Use Statement: The views expressed are solely my own and not of any institution or as a representative of NYU.