White House Guidance on Implementing NSPM-33: Standardization of Disclosure and Security Measures for Federal Research Funding
The Situation: Foreign influence in U.S.-funded scientific research has been the subject of increased scrutiny and federal enforcement over the last four years, culminating in January 2021, when the Trump administration issued National Security Presidential Memorandum 33 ("NSPM-33"). NSPM-33 requires all federal research funding agencies to strengthen and standardize disclosure requirements for research and development awards, as well as research security measures at major institutions receiving federal funds.
The Result: The White House Office of Science and Technology recently released guidance implementing NSPM-33, including detailed disclosure and security requirements. These requirements will impact every researcher and research institution applying for federal scientific research funding.
Looking Ahead: Research institutions—including private companies receiving federal research dollars—should review the guidance and ensure that their policies, including training, compliance and research security functions, conform with these upcoming federal requirements.
On January 4, 2022, the White House Office of Science and Technology ("OSTP") released guidance for federal agencies to implement National Security Presidential Memorandum 33 ("NSPM-33"). Issued in the final days of the Trump administration, NSPM-33 requires U.S. research funding agencies to strengthen and standardize procedures for protecting U.S.-funded scientific research from foreign exploitation. The incoming Biden administration endorsed NSPM-33 and, in August 2021, OSTP announced it would issue implementing guidance in the coming months.
OSTP's guidance implemented NSPM-33 by providing a detailed set of reporting and security requirements impacting every researcher and research institution applying for federal research funding. Affected organizations include academic research institutions, but also independent research institutes, medical centers, and private companies. Moreover, in April 2021, Congress passed the National Defense Authorization Act, Section 223 of which requires OSTP to ensure consistency across federal agency disclosure requirements in all applications for research support.
Over the last four years, the federal government has drastically increased its scrutiny of foreign influence in U.S.-funded scientific research. For example, in August 2018, the National Institutes of Health ("NIH") issued a letter to research institutions emphasizing the need for full and accurate disclosures of ties with foreign governments in grant applications. Shortly thereafter, the Department of Justice ("DOJ") announced the China Initiative, an enforcement push designed to protect U.S. research and development from what DOJ claimed was widespread trade secret theft by Chinese entities and nationals.
NSPM-33's new reporting requirements for individual researchers and institutions expands existing disclosure obligations, and ongoing enforcement activity has increased the consequences of failing to comply with them. Since DOJ announced the China Initiative, it has prosecuted more than two dozen U.S.-based scientific researchers for allegedly failing to disclose foreign affiliations in federal grant applications, most recently Harvard University Professor Dr. Charles Lieber. Potential exposure extends to the institutional level: In September 2021, DOJ reached a $1.1 million settlement with a Michigan research institute under the False Claims Act for allegedly failing to disclose foreign grants made to researchers who had applied for U.S. research funding. This followed an earlier $5.5 million settlement with the same organization in 2019 for allegedly failing to prevent the same misconduct.
OSTP's January 4th guidance provides a framework for standardizing disclosure requirements for all federal science and engineering-related support, including: consequences for violating those requirements, steps for interagency sharing of researcher data, and mandatory research security protocols for organizations receiving more than $50 million in federal dollars annually. OSTP expects to publish model disclosure forms by May 2022.
Although many research institutions (particularly those receiving funding from NIH and the National Science Foundation) have already begun revamping their conflict of interest and related disclosure processes, research hospitals, universities, and other institutions that routinely seek U.S. federal scientific funding must familiarize themselves with the OSTP guidance, with an eye toward conforming their policies with the new requirements. Larger organizations will be required to undertake potentially substantial upgrades in research security, including computer network security, to comply with OSTP's implementing guidance.
Disclosure Process and Requirements
To support uniformity and reduce administrative burdens, the guidance directs agencies to develop standardized model award application forms and instructions within the next four months. As part of that effort, OSTP urges agencies to implement the use of digital persistent identifiers ("DPIs"), numerical codes, specific to individual researchers, which can be used to tag and track that person's disclosures. When entering or updating disclosures, researchers can use DPIs to submit information on all pending federal applications and grants at once—a step that, if properly implemented, would greatly simplify the disclosure process.
The guidance also includes tables detailing the types of activities that must be disclosed in the award application process and who is subject to certain disclosure requirements. In general:
- Principal investigators and key personnel (defined as individuals who contribute substantively to the research and development and are designated as covered individuals by the relevant federal research agency), will be required to disclose: (i) organization affiliations and employment; (ii) other positions and appointments; (iii) foreign government-sponsored talent recruitment program involvement; and (iv) other current and pending support; and
- Peer reviewers and advisory committee members will be required to disclose the same information, with the exception of other current and pending support.
OSTP acknowledges that the requirement to disclose participation in programs sponsored by foreign governments will only capture arrangements directly or indirectly associated with a foreign government entity. OSTP, however, also expects to capture participation in foreign research programs that are not associated with a foreign government through other required disclosures, such as entries for affiliations, appointments, and other support. The guidance also warns agencies and research institutions to ensure that researchers "do not inappropriately characterize" involvement in foreign government-sponsored talent recruitment programs as "consulting."
Research institutions will also be required to certify that all covered individuals listed in the application have been made aware of the disclosure requirements and advised that false representations may be subject to prosecution and liability. Although it makes sense to ensure that researchers are aware of the requirements and potential consequences, note that such warnings also improve the government's position in future criminal enforcement actions. After initial disclosures have been made, institutions will be required to update all disclosures before an award of support, at least annually, and more frequently as agencies deem appropriate.
In practice, the failure to make or update disclosures may trigger a range of penalties, including criminal liability for individual researchers; civil liability for research institutions under the False Claims Act; and research impediments, such as terminated or suspended grants, mandatory return of research funds, or exclusion of certain personnel from research activities. However, the guidance requires agencies to create mechanisms for researchers to fix incorrect disclosures and to encourage such corrections, strongly suggesting that highlighting and fixing errors—especially before they become the subject of an inquiry—will not necessarily lead to investigations or enforcement actions. The guidance also promotes interagency sharing of information about violations of disclosure requirements, such as when administrative or enforcement action has been taken and in support of risk analysis. Accordingly, research institutions should ensure that disclosures to multiple research funding agencies are consistent.
Research Security Programs
OSTP also imposes a number of research security program enhancements that will be mandatory for research institutions receiving more than $50 million per year in federal science or engineering support. Although the requirements have not been finalized, once they are, institutions must certify compliance to remain eligible for federal funding. The requirements are substantial:
- Cyber-related security, including:
- System-wide limitations on information system access;
- Authentication of users as a prerequisite to access; and
- Regular cybersecurity awareness training.
- Foreign travel security, including:
- A disclosure and authorization requirement in advance of international travel, security briefings, assistance with device security, and pre-registration requirements.
- Organizational record-keeping of covered international travel by faculty and staff.
- Research security training for insider threat awareness and identification.
- Export control training, including reviews of foreign sponsors and collaborators to ensure compliance with federal requirements.
The guidance contemplates that research institutions will have flexibility in structuring these programs, but institutions will only have one year after the date of issuance of the formal requirements to comply. Compliance will require knowledgeable legal assessments across several areas, including cybersecurity infrastructure, internal organizational compliance procedures, and export regulations.
Three Key Takeaways
- New guidance issued by the White House Office of Science and Technology directs federal research funding agencies to require detailed, uniform disclosures from researchers and research institutions relating to funding from, and affiliations with, foreign government-sponsored programs. The agencies will release model award applications within the next four months to clarify the specific disclosure requirements.
- Research institutions should review OSTP's detailed guidance and begin the process of aligning their policies and processes with the new guidance and training personnel as needed; failure to make proper disclosures may trigger a range of penalties, from criminal liability to suspension of grants and/or mandatory return of research funds.
- Research institutions receiving more than $50 million per year in federal research funding will also be required to implement enhanced research security programs and certify compliance with the program requirements to remain eligible for funding.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.