
2022 Brings Continued Government Scrutiny of U.S.-Funded Research


Three New Hurdles Facing Research Organizations – Implementation of NSPM-33, The CHIPS Act and DOJ’s Civil Cyberfraud Initiative

Since 2018, the perceived threat of undue foreign influence on U.S.-funded scientific research has been the subject of increased government scrutiny resulting in more than two dozen criminal prosecutions and countless other government probes. This wave of government enforcement has exposed the inherent risk that all recipients of federal funding – and most notably those organizations who rely on federal funding to perform groundbreaking scientific research – face potential civil and criminal liability arising from allegations that those research dollars were misused or not used transparently. For many in academia, these initiatives marked a new era of government enforcement in a historically unregulated sphere of fundamental research.

The well-publicized efforts of the DOJ and the FBI to target the Chinese government’s theft of intellectual property and espionage activities under the now disbanded and controversial “China Initiative” have evolved over the past five years into a far broader, government-wide initiative aimed at protecting U.S.-based research from foreign governmental interference and exploitation through a variety of government programs. We address three recent developments which dramatically change the landscape for government enforcement in federally-funded research:

  • Implementation Guidance for the NSPM-33: The 2021 National Security Presidential Memorandum-33 (NSPM-33), along with its January Implementation Guidance and August 2022 Update, represents a marked change from what has previously been an autonomously-run sphere to an area fraught with increased federal regulation, expanded mandatory disclosures, and heightened security requirements. Among other things, the January 2022 NSPM-33 Implementation Guidance created entirely new obligations for institutions, such as requiring research organizations, including colleges and universities, to implement a Research Security Program (RSP) if they received more than $50 million in federal funding in the prior two fiscal years and to provide a security compliance certification to remain eligible for federal grants.
  • The CHIPS Act of 2022: In July 2022, with the enactment of the CHIPS and Science Act of 2022, the government has used legislation to impose several new disclosure and security requirements, further increasing the regulatory burden on institutions receiving federal research dollars as well as on institutions of higher education generally.
  • DOJ’s Renewed Corporate and Cyberfraud Enforcement Efforts: The heightened scrutiny of research programs and grant compliance goes far beyond new laws and written forms; it has become a central focus for DOJ from both a national security and a corporate criminal prosecution perspective. Additionally, in October 2021, Deputy Attorney General (DAG) Lisa Monaco (Monaco) announced the launch of DOJ’s Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to the security of sensitive information and critical systems using the False Claims Act (FCA). This initiative would also target federal contractors and grant recipients that misrepresent their cybersecurity practices or protocols. Just last week, on September 15, 2022, DAG Monaco publicly announced that DOJ was strengthening its emphasis on corporate crime prosecutions and that its number one priority was individual accountability. Thus, expanded disclosure and security certification requirements present the potential for both criminal liability and FCA civil liability for research organizations.

With the spotlight on research organizations, we suggest organizations give careful consideration to the expanded requirements in implementing their compliance programs, although the final standards have not yet been released. As detailed below, research organizations should be aware of these three issues to stay ahead of the game.

NSPM-33 Marks a New Era of Government Disclosure and Standardization

On January 14, 2021, former President Trump announced NSPM-33, which sought “to strengthen protections of United States Government-supported Research and Development (R&D) against foreign government interference and exploitation.” The memorandum, which included both basic and applied research, recognized that US-supported research plays a key role in American science and technology innovation and is a driving force in the U.S. economy. The Biden Administration endorsed NSPM-33 in August 2021, giving it further life beyond the Trump Administration.

In fact, on January 4, 2022, the White House Office of Science and Technology Policy (OSTP) issued the first wave of guidance implementing the protective pillars articulated in the NSPM-33. The guidance required that within 120 days, the federal funding agencies would establish policies in at least five key areas of research security: (i) expanded disclosure requirements and standardization of application forms and instructions across all federal agencies; (ii) the use of digital persistent identifiers, which allow for more streamlined disclosures across different federal agencies; (iii) imposition of appropriate and effective consequences for violations of disclosure requirements; (iv) implementation of new RSP certification requirements for research organizations awarded in excess of $50 million per year; and (v) the sharing of information about violators amongst federal agencies. The January 4, 2022 guidance underscored dual goals of strengthening protections of U.S-based research while maintaining an open and collaborative research environment that facilitates innovation and serves the global community.[1] 

Proposed Forms for Disclosure Among Federal Grants: New Requirements and New Questions

Since the release of the first wave of implementation guidance, academic research organizations have eagerly awaited further guidance from the federal funding agencies and the new model disclosure forms. On August 31, 2022, after months of collaboration across federal agencies, the National Science and Technology Council’s Subcommittee on Research Security (SRS) finally released proposed forms for comment that featured standardized data fields and instructions designed for the stated purpose of gathering more information to meaningfully vet potential conflicts of interest and conflicts of commitment among researchers applying for federal funding. Comments are due by October 31, 2022 for consideration in developing the final forms.

On behalf of SRS, the National Science Foundation released two draft common forms for public comment – the Biographical Sketch and Current and Pending (Other) Support forms. These forms are intended to streamline and standardize the grant application process across all federal agencies. The proposed forms and instructions provided much-needed clarity about the information that is required to be disclosed about foreign sources of support and foreign sponsored activities. This includes, but is not limited to information pertaining to contracts associated with participation in programs sponsored by foreign governments, instrumentalities, or entities, including foreign government-sponsored talent recruitment programs, as well as other foreign government sponsored related activities. OSTP has also provided organizations an illustrative list of the types of activities that must be reported, the types of activities that are categorically not required to be reported, and on which form such activities must be reported in pre-award and post-award disclosures. See here. When these forms are adopted, there will likely be little tolerance for noncompliance and nondisclosures in light of the repeated governmental warnings since 2018[2] of the importance of disclosing information about foreign government support and affiliations in assessing conflicts of interest.

Certifying Individual or Representative

Equally as important as the newly-released forms is what information is not specifically addressed in the SRS’s release. It is important to note that the proposed forms are silent as to who must sign and certify the new forms – whether an individual, entity or both – and ensure their accuracy. This will likely further complicate the competing obligations of Principal Investigators and grantee organizations when it comes to the ownership and control of federal research grant awards. It remains to be seen whether the government expects the recipient organization to be solely responsible, as it has through its historic use of Authorized Organizational Representatives (AORs), or whether the focus will shift to PIs/PDs responsible for directing the research on the ground regardless of who certifies the proposed forms. Like predecessor forms issued by the funding agencies, the proposed forms require the certifying party to affirm the accuracy of the information provided. The forms explicitly state that “when an individual signs the certification on behalf of themselves, they are certifying that the information is current, accurate, and complete,” which may give rise to criminal and/or civil liability under 18 U.S.C. §§ 287 (false claims), 1001 (false statements), 1031 (major fraud) and 31 U.S.C. §§ 3729-3733 and 3802 (False Claims Act) for any misrepresentations and/or omissions.

Biographical Sketch

The proposed form further refines the information that is required in a biographical sketch, which has historically been used to demonstrate the qualifications and expertise of the proposed research team and is required for the vast majority of federally-funded research applications. The proposed form sets out five categories of required information: (1) identification information about the researcher/individual; (2) primary organization and location of the individual; (3) a list of the individual’s professional preparation (e.g., education and training); (4) a list of the individual’s appointments and positions; and (5) a list of products that demonstrate the individual’s qualifications to carry out the proposed project. Notably, included in the identifying information section of this form will now be a persistent identifier (PID) – a unique and open digital identifier used to distinguish an individual from others with the same or similar names – to better track disclosures by each individual researcher/scientist. Perhaps most significantly, the proposed forms require that all researchers/scientists referenced in the biosketch list all academic, professional, or institutional appointments and positions (presumably foreign or domestic), with an emphasis that appointments should be construed broadly to include “any titled academic, professional, or institutional position whether or not remuneration is received, and whether full-time, part-time, or voluntary (including adjunct, visiting, or honorary).”

Current and Pending (Other) Support

Like the biosketch form, the proposed “Current and Pending (Other) Support” form further enhances and expands the instructions on “support” to ensure that all foreign government-sponsored projects, including participation in foreign government sponsored talent recruitment programs, are disclosed to U.S. granting agencies. Federal agencies rely on the disclosures applicants make on the current and pending (other) support form to assess whether the applicant has the capacity to commit to the proposed research and is not overcommitted, and whether the proposed research raises concerns of scientific redundancy across agencies (i.e., a scientist is being paid for identical or substantially similar research by more than one agency). The proposed form requires every senior/key person identified on a federally funded research project to disclose all of their existing projects as well as all projects currently under consideration for funding, the sources of funding for those projects, the objectives of those projects, and any potential overlap in terms of scope, budget, or commitment.

It clearly states:

Consistent with NSPM-33, individuals are required to disclose contracts associated with participation in programs sponsored by foreign governments, instrumentalities, or entities, including foreign government-sponsored talent recruitment programs. Further, if individuals receive direct or indirect support that is funded by a foreign government-sponsored talent recruitment program, even where the support is provided through an intermediary and does not require membership in the foreign government-sponsored talent recruitment, that support must be disclosed.  Individuals must also report other foreign sponsored or affiliated activity.

The release of these new proposed disclosure and standardization forms underscores the government’s continued focus on policing in the area of academic research. While the NSPM-33 sets out a more cohesive and uniform regulatory scheme, the increased information sharing and uniform disclosures may not be a welcome change for all research organizations. Moving forward, research organizations must be mindful of the pending regulatory guidance in conducting internal conflicts of interest and/or commitment probes. As illustrated by the Department of Justice’s recently-rescinded “China Initiative,” research organizations and individual scientists remain likely targets of government enforcement efforts.

NSPM’s Increased Cybersecurity Requirements and Mandatory Research Security Programs for Federal Grant Recipients Receiving More than $50 Million per year.

Under OSTP’s Guidance for Implementing NSPM-33 issued in January 2022, federal grant recipients were required to implement RSPs that incorporate cybersecurity, foreign travel and insider threat security, and export security standards and begin filing compliance certifications in January 2023 to be eligible to obtain new research funding. OSTP’s August 2022 update did not provide specific guidelines for these programs but previewed that new guidelines and clarity will be issued this fall regarding RSPs so the January 2023 deadline will likely be extended:

To ensure that requirements for research security programs are met with minimal implications for cost and administrative burden to research organizations, the Federal government will specify the requirements in even greater detail than outlined in the implementation guidance. We anticipate that the draft research security program standards will be available for a formal period of public comment in the fall.

As detailed below, even if the January 2023 deadline is extended, implementation of an RSP will entail extensive planning, coordination, and lead time for educational and research institutions.

In contrast to the defense industrial base (DIB) that is currently preparing for the challenges associated with the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0, a large amount of the federally funded research conducted at colleges and universities is fundamental research, which is intended for public release by its very nature. Thus, this type of data is not subject to export controls. Nor does it constitute controlled unclassified information (CUI). Further, the number of institutions affected by these rules far outnumbers the DIB. Unlike the disclosure and transparency requirements, when it comes to RSP rules, a one-size-fits-all approach could prove detrimental to the Biden-Harris Administration’s stated goal of promoting scientific and technological innovation while also strengthening research security without compromising our core values. Accordingly, institutions should be given more flexibility in designing their RSP provided each institution incorporates significant research security training and cybersecurity measures to mitigate risks from foreign governments.

OSTP’s January 2022 Guidance stated that organizations receiving $50 million or more per year in federal research funding (determined using total federal science and engineering support for the previous two fiscal years as recorded in USASpending.gov) must certify that they have established and operate a research security program (RSP). It further mandated that this certification would entail satisfying four essential components:

  1. Cybersecurity: While organizations that conduct research involving classified information or controlled unclassified information are typically required to adhere to the most stringent standards contained in the National Institute of Standards and Technology (NIST) 800-171, all research organizations will be required to incorporate, at a minimum, 14 basic cybersecurity protocols and procedures into their research security program,[3] including:
      • Provide regular cybersecurity awareness training for authorized users of information systems on topics such as recognizing social engineering threats and cyber breaches;
      • Implement access control policies to ensure that only authorized users and devices can access your network;
      • Incorporate access restrictions/privileges for each account based upon the types of functions they are permitted to perform on your network;
      • Authenticate and verify identities of users on your network using individual authenticators such as passwords or smartcards;
      • Provide protection from malicious code at designated locations within organizational systems, including entry and exit points;
      • Implement steps to protect scientific data from ransomware and other data integrity attack mechanisms;
      • Identify, report, and correct system flaws and vulnerabilities in a timely manner; and
      • Perform periodic scans of your information system and conduct real-time scans of files from external sources as files are downloaded, opened, or executed by users.
  2. Foreign travel security: Research organizations will be required to maintain international travel policies for faculty and staff traveling overseas for their own organization’s business as well as teaching, attending conferences, conducting research, or non-organization sponsored travel. In designing these policies, organizations should consider the espionage risk associated with each country and provide security briefings in advance to personnel traveling to high risk countries. Researchers should also be provided clean smartphones or laptops if they are traveling to countries known to copy electronic devices at the border, to protect the integrity of their research. The OSTP guidance suggests that organizations consider requiring an advance notification or approval requirement for international travel.
  3. Research security training: As part of their RSP, research organizations will be required to provide periodic and tailored training in response to a research security event to personnel on research threat awareness and identification, including risks associated with insider threats. As described in Hinckley Allen’s Insider Threat Awareness advisory, this is especially important to institutions that are involved in the commercialization of intellectual property, work on projects involving CUI, or possess confidential or export controlled data on their networks.
  4. Export control training: If the research organization conducts research and development that is subject to U.S. export control restrictions, export control training should be provided to ensure compliance with U.S. export law requirements. To prevent illegal exports, including oral or electronic disclosures, to a foreign person,[4] especially in a university setting, a Technology Control Plan may be required.

The CHIPS and Science Act of 2022 Targets Foreign Government Influence at Higher Education Institutions

The CHIPS and Science Act of 2022 (CHIPS Act), passed in July 2022 (Public Law 117-167), implements numerous new disclosure and security requirements for institutions receiving federal research dollars as well as higher education generally. The Act creates a new Office of Research Security and Policy within the National Science Foundation (NSF) and gives NSF new authorities and responsibilities. For instance, Section 10339B entitled “Foreign Financial Support” directs and authorizes NSF to collect annual summaries of foreign financial support from higher education institutions.  The reporting threshold is $50,000. Under this provision, NSF is authorized to seek copies of contracts and records related to money received from foreign sources directly or indirectly in the form of gifts or contracts. The CHIPS Act further directs OSTP to issue guidance that researchers working on federally supported research projects must disclose participation in foreign talent recruitment programs in federal research award proposals. This requirement appears to have been addressed by the new proposed forms described above.

The CHIPS Act also contains provisions regarding RSPs. It directs OSTP to issue guidelines for universities to develop research security training programs. Most significantly, Section 10114 on research security requires the Secretary to develop and maintain tools and processes to manage and mitigate security risks associated with any research activities under the Act and imposes penalties on funding recipients who knowingly violate the protocols established to mitigate security risks.

Enforcement and Application of DOJ’s Civil Cyber Fraud Initiative to Grant Recipients

Over the last four years, the federal government has publicly criticized foreign governments for the misappropriation of U.S. intellectual property, technology, and research and aggressively investigated those efforts, which included the criminal prosecution of federally funded researchers for alleged nondisclosures of foreign appointments, ties, and funding. Although many of these prosecutions were brought under the now terminated DOJ China Initiative, Assistant Attorney General (AAG) for National Security Matthew Olsen advised that criminal prosecutions will still be considered in cases involving academic integrity and research security. AAG Olsen noted, however, that voluntarily correcting any material omissions would counsel against bringing criminal charges.

DOJ’s Civil Cyber Fraud Initiative will use the FCA to pursue government contractors and grant recipients for cybersecurity noncompliance. Thus, from an FCA risk perspective, the NSPM-33 January 2022 Guidance makes clear that research institutions and individuals could face civil liability as well as suspension and debarment. Although the new certification form has not yet been released, the Guidance states that institutions will be required to provide a “certification of compliance” for their RSP to remain eligible for research funding. If this certification plays any role in the grant making or contract-awarding process, it will provide sufficient grounds for FCA liability for making misrepresentations to the government or submitting false claims.

Conclusion

The NSPM’s new and sweeping requirements for federal research dollars, the CHIPS Act’s provisions targeting foreign government influence at higher education, and DOJ’s statements on increased prosecutions of corporate crime and cyberfraud demonstrate the serious consequences for noncompliance. Research institutions that engage in federally-funded research should consult counsel to ensure that their disclosure and security programs will comply with new and evolving requirements.

 


[1] https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf

[2] In August 2018, the National Institutes of Health (NIH) issued a letter to research institutions emphasizing the need for full and accurate disclosures of ties with foreign governments in grant applications. NIH publicly announced that it had investigated at least 180 scientists at more than 65 institutions for failing to disclose foreign ties in grant applications. NIH referred 21 of these cases to HHS Office of the Inspector General for debarment. Similarly, DOJ prosecuted more than two dozen U.S.-based scientific researchers for allegedly failing to disclose foreign affiliations in federal grant applications, including Harvard University Professor Dr. Charles Lieber who was convicted by a jury of making false statements and tax fraud and will be sentenced in January 2023.

[3] With the exception of the requirement to protect scientific data from ransomware and other data integrity attack mechanisms, these requirements are substantially similar and virtually identical to the security controls contained in Section 52.204-21(b)(1) of the Federal Acquisition Regulation (FAR). See FAR § 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” November 2021. This FAR provision corresponds to 17 of the 110 controls contained in NIST 800-171, and its controls are the same basic cybersecurity requirements required for Level 1 of DOD’s CMMC.

[4] Before defense technical data controlled under the U.S. Munitions List or export-restricted technology or software controlled under the Commerce Control List can be shared with a foreign person, an export license must be obtained from Department of State or Department of Commerce, respectively. This type of export is often referred to as a “deemed export” and is deemed to occur when the controlled technology is released to a foreign person within the United States.