Problems with National Research Cybersecurity Requirements

A few days before the end of the Trump administration, the White House released National Security Presidential Memorandum (NSPM)–33, which established new security directives related to basic and applied research sponsored by the federal government.^Footnote1 NSPM–33 was intended as a response to the perceived need to better protect federally sponsored research from compromise or theft by foreign governments, primarily China. Consistent with the  Department of Justice's "China Initiative," which began under the Trump administration and sought to investigate and prosecute university researchers who were alleged to have intentionally misled funding agencies about their conflicting participation in Chinese government-sponsored work, NSPM–33 ordered federal agencies to pursue additional steps to limit the possibility that researchers with such conflicts might receive federal grants or that their conflicts might go undiscovered (and unpunished) if they did. For example, under NSPM–33, funding agencies are required to facilitate the investigation of suspected violations of conflict of interest disclosure requirements and enforce "appropriate and effective consequences" for such violations.^Footnote2

The Biden administration kept NSPM–33 in place, and during 2021, the administration worked to clarify the measures that federal agencies and the researchers and institutions receiving federal research grants would need to take to fulfill the directives in NSPM–33. The White House published Guidance for Implementing National Security Presidential Memorandum 33 (NSPM–33) on National Security Strategy for United States Government-Supported Research and Development in January 2022.^Footnote3 The report provides a common framework for federal funding agencies to follow in establishing consistent, comprehensive research security policies and processes, particularly in five key areas:

• Disclosure requirements and standardization
• Digital persistent identifiers
• Consequences for violating disclosure requirements
• Information sharing
• Research security programs^Footnote4

Not surprisingly, the section on research security programs includes requirements for research cybersecurity, which explains its relevance to the EDUCAUSE community.^Footnote5 These requirements are the same as those for securing contractor information systems containing federal contract information (FCI), except for two additional mandates: (1) providing authorized users with security awareness training and (2) taking measures to protect scientific data from ransomware attacks.^Footnote6

The problem with applying the requirements for systems containing FCI to the requirements for the security of research data and related systems (as the NSPM–33 guidance does) is that FCI refers to contract information that is "not intended for public release."^Footnote7 However, a great deal of federally funded research at colleges and universities is fundamental research, which is intended for public release by its very nature. And thus, by taking safeguards meant for one data context and porting them directly into a distinctly different data context, the NSPM–33 implementation guidance sets the stage for the law of unintended consequences.

Conversations with information security leaders at research colleges and universities indicate that a primary unintended consequence of the guidance is likely to be the adoption of a "compliance checklist" approach to research covered by NSPM–33. While the checklist model might work for a relatively standardized FCI data environment, the academic research context involves a diverse array of data and systems in which cybersecurity requirements that are appropriate and cost-effective in one instance may be unnecessarily restrictive and cost-prohibitive in another. That is why research cybersecurity leaders and professionals generally take a risk-management approach to securing research data and related systems. Rather than requiring all research projects at the institution to incorporate all of a given set of safeguards, a risk-management approach allows chief information security officers (CISOs) and their staffs to tailor cybersecurity measures to the relative risk of hacking, ransomware, etc., that a given project faces. This tailored approach, in turn, prevents the perfect from being the enemy of the good by enabling institutions to deploy limited cybersecurity resources where they are most needed while ensuring that the costs of securing a research project do not exceed the reasonably justifiable needs (and likely the available funding).

Because the NSPM–33 cybersecurity requirements as currently written might force a one-size-fits-all approach, EDUCAUSE members believe that the requirements could easily, but unnecessarily, limit or even eliminate research opportunities for some researchers and institutions. This would hurt those institutions and researchers and undermine the potential progress of the nation's research enterprise. Therefore, EDUCAUSE is working with members of its research CISO community as well as REN-ISAC and the Council on Governmental Relations (COGR), a higher education research administration association, to engage the White House Office of Science and Technology Policy (OSTP) and National Science and Technology Council (NSTC) Subcommittee on Research Security in a discussion about whether the cybersecurity goals reflected in the NSPM–33 implementation guidance might be better served by a risk-management approach rather than an approach where specific safeguards derived from a different, perhaps incompatible context are stipulated. The guidance could still cite the FCI safeguards as a reference for the baseline cybersecurity measures that agencies, institutions, and researchers should adopt when appropriate. However, shifting the cybersecurity focus of the guidance to risk management would avoid forcing those safeguards from being applied to any and all research contexts, regardless of the risk-reward considerations involved.

The White House's stakeholder engagement process for the NSPM–33 implementation guidance has already exceeded its original schedule, so it unclear when the process will conclude. Likewise, it is unclear how long it might take for the Biden administration's research policy organizations to revise the guidance based on stakeholder feedback or for funding agencies to incorporate the NSPM–33 requirements into their grants and contracts. EDUCAUSE will continue to collaborate with its members and partners to try to inform NSPM–33 developments so that the final guidance supports effective and appropriate research cybersecurity.

Notes

1. Donald J. Trump, "Presidential Memorandum on United States Government-Supported Research and Development National Security Policy" (National Security Presidential Memorandum–33), January 14, 2021. Jump back to footnote 1 in the text.↩
2. Ibid., Sec. 3(a)(iv) and (v). Jump back to footnote 2 in the text.↩
3. Guidance for Implementing National Security Presidential Memorandum 33 (NSPM–33) on National Security Strategy for United States Government-Supported Research and Development, report (Washington DC: Subcommittee on Research Security, Joint Committee on the Research Environment, National Science and Technology Council, January 2022). Jump back to footnote 3 in the text.↩
4. Ibid., ix. Jump back to footnote 4 in the text.↩
5. Ibid., 20. Jump back to footnote 5 in the text.↩
6. Federal Acquisition Regulation (FAR) 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," November 2021. Jump back to footnote 6 in the text.↩
7. Ibid., (a) Definitions, "Federal contract information." Jump back to footnote 7 in the text.↩

---

Jarret Cummings is the Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.