EDUCAUSE Responds to Draft OSTP Research Cybersecurity Provisions


EDUCAUSE submitted comments to the White House Office of Science and Technology Policy concerning the research cybersecurity provisions of its draft requirements for institutional research security programs.

On June 5, 2023, EDUCAUSE issued a response to the White House Office of Science and Technology Policy (OSTP) regarding the proposed cybersecurity provisions that OSTP incorporated into its draft requirements for research security programs at institutions receiving $50 million or more in federal research funding annually.[1] OSTP created the Research Security Programs Standard Requirement (Standard Requirement) based on the implementation guidance for the federal government that it previously developed in relation to National Security Presidential Memorandum 33 (NSPM-33), which established new expectations for research security associated with federally funded research projects.[2]

In the NSPM-33 implementation guidance released early last year, OSTP identified the basic safeguarding requirements for Federal Contract Information (FCI) as the cybersecurity measures that institutions would likely have to incorporate into the overall research security programs mandated by the guidance.[3] ("Research security" in this context primarily relates to issues such as faculty reporting on research conflicts of interest or conflicts of commitment, foreign government-sponsored talent recruitment programs, research-related travel and gifts, etc.) Despite concerns about this approach raised by EDUCAUSE and its partners, OSTP essentially doubled down on its use of the FCI basic safeguards as the cybersecurity requirements for research security programs at covered institutions—those with $50 million or more in federally funded research each year for at least two consecutive years.[4] It took the lightly edited version of the safeguards from the NSPM-33 implementation guidance and inserted it into the draft Standard Requirement with only a couple of additional edits (e.g., the cybersecurity training requirement was moved from the Cybersecurity Protocols section to the Research Security Training section).[5]

The EDUCAUSE comments on the draft Standard Requirement begin by reiterating a key position the association took last year based on member feedback—that OSTP should shift from the checklist approach to research cybersecurity represented by the FCI basic safeguards and instead encourage institutions to adopt a risk management approach to research cybersecurity.[6] Under the latter model, OSTP would set clear cybersecurity objectives for institutional research security programs, and covered institutions would implement appropriate measures to meet those objectives based on the nature and risk profiles of the research they support. If a federal funding agency had concerns about the measures taken by an institution in a given case, then it could negotiate with the institution to resolve those issues starting with the steps implemented by institutional representatives closest to, and therefore most knowledgeable about, the given research project and environment.

The EDUCAUSE response continues, however, by noting that OSTP needs to explicitly allow for institutional discretion in the Standard Requirement if it decides not to change the Requirement as EDUCAUSE has requested. Given that the FCI safeguards were written for an administrative systems environment involving data not intended for public release, they do not necessarily fit well with academic research contexts where the knowledge produced is largely intended for public release. Therefore, EDUCAUSE argued that OSTP should clearly state in the Standard Requirement that institutions have the discretion to interpret and apply the Requirement's "cybersecurity protocols" via institutional policy.[7] Again, federal funding agencies could hold institutions accountable for the decisions reflected in their research cybersecurity policies, but institutions would have the flexibility upfront to adapt the cybersecurity protocols to their research environments so that the protocols might reasonably work in those environments.

Similarly, EDUCAUSE urged OSTP to explicitly state in the Standard Requirement that institutions have the discretion to identify and implement alternative safeguards when conditions require.[8] For example, EDUCAUSE member representatives noted that the cybersecurity protocol on authenticating "users, processes, and devices" before allowing them access to "organizational information systems" presents a problem for research projects utilizing equipment that doesn't have the capacity to support authentication (but is essential to conducting the research in question).[9] In such cases, institutions would have to pursue other options for addressing the underlying cybersecurity objective of the protocol or risk an otherwise unavoidable compliance breakdown. Rather than waiting for these problems to inevitably arise, EDUCAUSE argued that the final version of the Standard Requirement should anticipate such difficulties and provide a mechanism by which institutions can adopt alternative measures when necessary to achieve compliance to the extent reasonably possible.[10]

In addition to these overarching points, the EDUCAUSE response highlights concerns about specific cybersecurity provisions, such as the problematic addition of a reference to Office of Management and Budget guidance on activity logging in the first protocol, which addresses system access authorization by individuals, devices, and other systems. (Member representatives indicated that the rationale for including the reference isn't clear in this context and has the potential to introduce costly—and likely unnecessary—logging requirements.) Our comments also note the lack of compliance metrics for the Standard Requirement cybersecurity provisions as well as the lack of references to relevant assessment guides, such as NIST SP 800-171A, that might serve to provide institutions with relevant compliance standards.[11] OSTP limited responses to five pages, thus forcing EDUCAUSE and other respondents to provide only high-level feedback on the draft Standard Requirement brief. As a result, EDUCAUSE will continue to work with other higher education associations to press for additional opportunities to inform the development of the Standard Requirement as it moves from draft to final version. While a specific timeline for that transition is not currently available, previous comments from federal officials indicate that the Standard Requirement could be released in final form later this year, at which point federal funding agencies would begin incorporating compliance with it as a condition of their grants and other funding agreements.

Notes

  1. EDUCAUSE letter to Stacy Murphy, Deputy Chief Operations Officer/Security Officer, Office of Science and Technology Policy, "Regarding Comment on Research Security Programs," June 5, 2023; "Draft Research Security Programs Standard Requirement," Interagency Working Group on Research Security Programs, Subcommittee on Research Security, National Science and Technology Council, February 2023.
  2. "Presidential Memorandum on United States Government-Supported Research and Development National Security Policy," White House National Security Presidential Memorandum – 33, January 14, 2021.
  3. Federal Acquisition Regulation (FAR) System, "52.204-21 Basic Safeguarding of Covered Contractor Information Systems," Acquisition.gov (website), June 2, 2023 (effective date).
  4. Jarret Cummings, "Problems with National Research Cybersecurity Requirements," EDUCAUSE Review, May 17, 2022.
  5. "Draft Research Security Programs Standard Requirement," February 2023.
  6. EDUCAUSE letter to Stacy Murphy, "Comment on Research Security Programs," June 5, 2023.
  7. Ibid.
  8. Ibid.
  9. "Draft Research Security Programs Standard Requirement," February 2023.
  10. EDUCAUSE letter to Stacy Murphy, "Comment on Research Security Programs," June 5, 2023.
  11. Ibid.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.