Many higher education leaders are not fully aware of the cyber risks facing their academic research, particularly research funded by federal grants. Foreign actors, for example, may attempt to infiltrate systems to gain access to research with sensitive applications for defense, science, or technological purposes. Most health research also involves patient data, which must be stored and protected according to the Health Insurance Portability and Accountability Act (HIPAA). Universities and federal grantors also want research data stored securely, so that the data may be revisited to test the veracity and repeatability of published studies.
Not all leaders understand the specific technical needs for following data security requirements for specific research awards. Additionally, many leaders believe their institution has assigned staff to handle research security compliance needs when this may not be the case. As a result, many institutions do not have an institution-wide research security policy, or if they do have a policy, it is not properly enforced. An institution-wide, properly enforced, research security policy can help enhance cybersecurity and federal funder trust.
Challenges with Research Security
Federal grants have specific requirements for how to store and secure research data and these differ by funding agency and grant. At universities with a decentralized IT model, each academic department might be responsible for individually managing their own data and compliance with research security requirements. However, without oversight, the institution runs the risk of inconsistent application of research security policies.
Even at institutions that have centralized IT, policy enforcement may be a challenge. If centralized IT must navigate a patchwork of research security requirements outlined in various grants, several questions are raised: First, who is responsible for identifying the data security requirements for each grant and interfacing with IT? Second, does IT have the storage and security capabilities to identify and manage various security requirements, understand what data is stored where, and communicate that information to the necessary academic staff?
By having a standard research security policy and consistently enforcing it, researchers and IT staff can gain a clear understanding of what procedures to follow and when.
What NSPM-33 Means for Universities
To protect federally funded research, National Security Presidential Memorandum 33 (NSPM-33) seeks to:
- Strengthen protections for United States government-supported research and development (R&D) against foreign government interference and misappropriation, while maintaining an open environment to foster research discoveries and innovation.
- Mandate the establishment of research security programs at research institutions receiving federal funds. The directive outlines guidelines for a research security program, which consists of a relatively basic checklist for addressing security risk, including requirements for cybersecurity, foreign travel security, research security training, and export control training.
- Standardize disclosure requirements across all federal funding agencies. While some agencies have begun rolling out new research security processes, others have taken longer.
As NSPM-33 requirements are finalized and fully implemented following delays from the Office of Science and Technology Policy, final rules may incorporate new research security expectations from the CHIPS and Science Act. Yet, it remains to be seen how NSPM-33 will be enforced, and which aspects of the directive will be most critical for institutions to follow.
Developing and Enforcing an Institution-Wide Research Security Policy
Institutions receiving more than $50 million per year of federal research grants must follow the NSPM-33 guidelines for their research security program. However, the guidelines are relatively high level. Even for institutions that accept less than $50 million annually in federal grants, there are best practices to follow for a research security policy to enhance data security, data structure and organization, and data veracity and repeatability.
Key components of an effective research security policy include:
- Establishing guidelines for classifying and storing data.
- Determining who is allowed access to which data classifications.
- Establishing guidelines on whether and how data can be transferred out of storage.
- Determining who is responsible for identifying specific data security requirements outlined in an award and working with IT to implement those requirements.
But while many universities may have a research security policy, the policy will do little to enhance security if it is not followed and enforced. Higher education leaders can help ensure researchers internalize and follow security policies with a few methods:
- Training: While most researchers need to undergo security training at least once per year, they may forget elements of the training over time. Consider hosting follow-up trainings and facilitating quizzes and test scenarios to reinforce learnings and policy adherence.
- Communication: An organization’s people are its best line of defense. However, sometimes researchers make decisions without thinking about the security repercussions. For example, a researcher may download data to an external hard drive so they can work remotely. Leaders should explain to researchers how even a seemingly innocuous decision puts the institution at serious risk. Not only does it compromise data and increase the likelihood of hacks, but if federal funders question the security environment of an institution, the institution could be denied or delayed future grants.
- Oversight and Monitoring: While training and communication can encourage researchers to consistently follow policy, oversight is necessary to ensure full adherence. A central organizing leadership body can periodically check the status of their data security with department heads and IT. In addition, universities may want to hire an independent third party to audit the research security policy and data security practices.
To develop and enforce a thorough research security policy, universities should designate a central organizing leadership body of academic leaders, IT leaders, representatives from the sponsored programs office, representatives from the research compliance office, and representatives from the dean’s council. By coordinating across offices and academic departments, leaders can foster a high standard of research security and data governance across the university.
How the Future of Academic Research Security May Evolve
A thorough and enforced research security policy can help protect academic research, improve data organization and governance, and ensure compliance, allowing institutions to continue receiving federal grants.
As the federal government adopts more stringent research security requirements, with the implementation of NSPM-33, it will behoove universities to reinforce their data security.
Audit and enforcement will reveal what aspects of NSPM-33 concern the government most and where institutions should focus their compliance efforts. By setting high standards for academic research security and evaluating how to mitigate potential security risks, you can protect your research data and your university.
Looking to improve academic research security at your institution? Contact BDO to discuss how to tackle your research security challenges and compliance needs.