Cautious Optimism on OSTP Research Cybersecurity Requirements


The Office of Science and Technology Policy has released its final requirements for research security programs, which federal research funding agencies will have to apply to colleges and universities that average $50 million or more per year in federal research grants. The requirements include potentially positive guidelines for research cybersecurity at covered institutions.

[Image: person with a superimposed cybersecurity lock in front of them. Credit: VideoFlow / Shutterstock.com © 2024]

In early 2023, the White House Office of Science and Technology Policy (OSTP) released its initial proposal for a "research security program standard requirement." All federal research funding agencies would have to apply the requirement to colleges and universities that receive more than $50 million per year in federal research funding.[1] The development of these comprehensive research security mandates stems from National Security Presidential Memorandum – 33 (NSPM-33), "Supported Research and Development National Security Policy." When finalized, the "standard requirement" would establish the basic parameters for the research security programs that covered institutions must have in place to continue competing for federal research grants.

Most of the proposed framework addresses research security issues such as faculty conflicts of interest and commitment and research talent recruitment programs of foreign governments. However, it also includes a research cybersecurity section that essentially would make the cybersecurity guidelines for federal contract information (FCI) the standards for higher education research cybersecurity. As the Policy team discussed in our review of this issue last summer, EDUCAUSE member feedback indicated that the FCI basic safeguards do not fit well with higher education research environments because they are primarily intended for administrative contexts and data.[2] EDUCAUSE urged OSTP to revamp its proposed research security program guidance and focus on allowing institutions to pursue a risk management approach to research cybersecurity. Rather than the one-size-fits-all checklist model that the FCI guidelines would impose, a risk management approach would enable institutions to prioritize cybersecurity measures and resources based on the national security risks associated with particular research areas and projects.

EDUCAUSE was not alone in asking OSTP to alter its course and base its research security program guidance on risk management. The Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the Council on Governmental Relations (COGR) also stressed the need for a risk management emphasis in other areas of higher education research security. Fortunately, OSTP heard the combined input of our respective associations. Rather than rushing forward with research security program requirements that largely reflected those in its original proposal, OSTP took roughly one year to rethink its guidance before releasing the final version on July 9, 2024. The final research security program guidelines do not base research cybersecurity program requirements on the FCI safeguards. Instead, OSTP points to a pending report on higher education research cybersecurity from the National Institute of Standards and Technology (NIST).

As the first element of the standardized requirement, federal research agencies shall require institutions of higher education to certify that the institution will implement a cybersecurity program consistent with the cybersecurity resource for research institutions described in the CHIPS and Science Act,[18] within one year after the National Institute of Standards and Technology (NIST) of the Department of Commerce publishes that resource.[3]

Footnote 18 in the memorandum (in brackets above) identifies the relevant NIST report as NIST Interagency Report (IR) 8481: Cybersecurity for Research: Findings and Possible Paths Forward, which is currently available in "Initial Public Draft" (IPD) form. The CHIPS and Science Act provision from which the report stems required NIST to explore the resources it could develop to better support research cybersecurity at higher education institutions.[4] NIST conducted substantial outreach to EDUCAUSE and its members in pursuing the project, leading to a draft that largely incorporates the recommendations of our research cybersecurity community. It is a welcome development to see OSTP cite the report as the governing reference for research cybersecurity under its research security program guidelines.

Although OSTP's reliance on a report that reflects substantial EDUCAUSE member input provides a basis for cautious optimism regarding how federal research agencies will implement research cybersecurity requirements, there is still room for agency compliance efforts to jump the rails. The OSTP memorandum does not explain or provide parameters for what constitutes "a cybersecurity program consistent with" the NIST report (emphasis added).[5] Given the overall tenor of the guidelines, which stress the importance of federal research agencies providing substantial flexibility and discretion to higher education institutions in establishing and maintaining research security programs, research agencies might reasonably develop policies and procedures that allow institutions to draw from the range of resources identified in the NIST report—as well as models and frameworks similar to them—in determining the basis of their programs. However, the lack of guidance on what "consistent with" means may leave space for agencies to mandate that their grantees implement specific frameworks or measures presented in the NIST report. Such a development could produce substantial risks for institutions and agencies alike, given that not all resources identified in the draft NIST report will necessarily lead to optimal—or even appropriate—outcomes in all higher education research contexts.

Our concern about the potential for agencies to mandate inappropriate requirements is exacerbated by the fact that the NIST report was not written for the purposes for which OSTP is applying it. As previously mentioned, the CHIPS and Science Act charged NIST with identifying ways the agency could better support higher education research cybersecurity. Given that task, the current draft of the report—not surprisingly—focuses on highlighting a variety of options that institutions might explore to advance their research cybersecurity posture. This focus does not exactly match how OSTP wants to use the report in its research security program guidelines. The advisory nature of the NIST report may lend itself to the institutional flexibility and discretion that the OSTP memo implies should be the basis of federal agency approaches to research (cyber)security. However, the report does not provide clear direction about what cybersecurity should look like for research security programs that comply with NSPM-33. Without a definitive framework, both research agencies and higher education institutions may struggle to determine what constitutes compliance.

Fortunately, EDUCAUSE members should not have to wait long to get a sense of whether federal agencies that fund research will either try to be highly prescriptive or allow covered institutions to choose what elements of the NIST report—or options similar to them—will form the basis of their research cybersecurity programs. The memo from OSTP states that agencies will have six months from the date the memo was published to provide OSTP and the Office of Management and Budget (OMB) with their proposed implementation plans for the research security program guidelines. Once those agency plans are submitted, colleges and universities should be able to better understand what agencies' compliance regimes might look like. Agencies will then have another six months to implement their policies and processes, with institutions getting up to eighteen months from that point to ensure that they have compliant research security programs.[6] Based on these time frames, we should see research agency implementation plans by early January 2025, with the final execution of those plans due by mid-2025. Institutions would then have to achieve compliance with the relevant agency policies and processes by around December 2026.

Remember, though, that OSTP provides a unique timeline for its research cybersecurity requirements. As stated above, institutions will have one year from the publication of the NIST final report to ensure that they have research cybersecurity programs that are "consistent with" the report. With that in mind, NIST could try to align the release of its final report with the timeline for institutional compliance with OSTP's research security program guidelines. In this case, the overall measures mandated by the OSTP guidelines would have to be in place by the end of 2026. However, nothing in the OSTP memo precludes NIST from starting the research cybersecurity clock much sooner by releasing its final report at some point later this year or in early 2025. At this juncture, we will have to wait for NIST to provide more information about its plans, which will most likely include making some adjustments between the draft and final versions to account for how research agencies and higher education institutions will have to make use of the final report for compliance purposes.

EDUCAUSE will continue to monitor developments in this space and look for opportunities to inform OSTP, NIST, and agency implementation efforts. In the interim, EDUCAUSE members should review the draft NIST report for reference points that align with their current institutional research cybersecurity program and for resources they might find useful in strengthening their research cybersecurity posture given NSPM-33 and the OSTP research security guidelines that derive from it.

Notes

  1. Arati Prabhakar, Memorandum for the Heads of Federal Research Agencies, "Guidelines for Research Security Programs at Covered Institutions" (Office of Science and Technology Policy, Executive Office of the President, July 9, 2024), 3.
  2. EDUCAUSE letter to Stacy Murphy, Deputy Chief Operations Officer/Security Officer, Office of Science and Technology Policy, "Regarding Comment on Research Security Programs," June 5, 2023.
  3. Prabhakar, "Guidelines for Research Security Programs," 4.
  4. Jarret Cummings, "NIST Explores Developing Research Cybersecurity Resources for Higher Ed," EDUCAUSE Review, August 1, 2023.
  5. Prabhakar, "Guidelines for Research Security Programs," 4–5.
  6. Ibid., 9.

Jarret Cummings is Senior Advisor, Policy and Government Relations, at EDUCAUSE.

© 2024 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.