Research Security Program
About the Program
The Research Security Program is a collaboration between many university-wide departments based on campus policies and federal regulations. The Director of Research Security, reporting to the Vice-President for Research, serves as the point of contact for the university's research security program.
This website has been developed to (1) provide resources to the campus community and
(2) formalize the ongoing development of Stony Brook University's Research Security
Program as required by National Security Presidential Memorandum 33 (NSPM-33).
University Research
Guided by State University of New York (SUNY) policy that prohibits the acceptance of any awards that (1) restrict dissemination of research results (Document 1800) and/or (2) restrict foreign national participation (Document 1801), research conducted at SBU is primarily fundamental research as defined in National Security Decision Directive (NSDD) 189 (read more here).
A waiver is required to accept restrictions on dissemination or foreign national participation, whether your project is funded or unfunded. Contact the Director of Research Security for assistance or questions.
The policies, information and guidance provided on this page are applicable to all research projects even if public dissemination of results is expected.
Disclosure of External Interests, Commitments and Resources
All external relationships - both domestic and international - should be transparent and must be disclosed in a manner that is consistent with applicable requirements, including federal and state laws/regulations/agency guidance, as well as the university's own policies and procedures.
The Office of Sponsored Programs maintains a Federal Disclosure Requirements website with resources to assist researchers in complying with federal sponsor disclosure requirements.
The Research Security Program maintains a University Disclosure Requirements website with guidance to assist campus disclosers in complying with the SBU Disclosure of External Interests and Commitments Policy.
Entities and Countries of Concern
In June 2023, the U.S. Department of Defense issued "Countering Unwanted Foreign Influence in Department-Funded Research at Institutions of Higher Education".
Pages 18-21 of this document serve as the FY22 Lists Published in Response to Section 1286 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115-232) - commonly referred to as the "1286 List".
The 1286 List:
- Identifies those foreign institutions that have been confirmed as engaging in problematic activity as described in the referenced law.
- Identifies foreign talent programs that have been confirmed as posing a threat to the U.S. as described in the referenced law.
- Is subject to updates.
Foreign Talent Recruitment Programs
Faculty and other key personnel on federally funded research awards should understand the definitions of Foreign Talent Recruitment Programs (FTRP) and Malign Foreign Talent Recruitment Programs (MFTRP) and federal sponsor restrictions on MFTRPs.
Many federal sponsors now require certification that faculty and other key personnel are not participating in an MFTRP.
The Research Security Program maintains a website with resources and guidance on FTRPs and MFTRPs.
Export Controls
All campus activities must comply with U.S. government export control laws. These laws regulate:
- Disclosure, shipment, use, transfer, or transmission of any item, commodity, material, technical information, technology, software, or encrypted software for the benefit of a foreign person or foreign entity anywhere (including the transfer of controlled information within the U.S., known as a “deemed export”);
- Transactions and the provision of services involving prohibited countries, persons or entities based on trade sanctions, embargoes and travel restrictions; and
- Certain transactions with persons or entities designated on federal restricted parties lists.
The Research Security Program maintains an Export Control website with guidance to assist the campus community in complying with federal regulations and the SBU Export Control Policy.
Don't Let This Happen to You! Actual Investigations of Export Control and Antiboycott Violations (March 2024). U.S. Department of Commerce, Bureau of Industry and Security.
The U.S. Department of Justice, the U.S. Department of Commerce, and the U.S. Department of the Treasury’s Office of Foreign Assets Control have issued a Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with U.S. sanctions and export control laws. (March 6, 2024)
International Activities
Faculty and students are encouraged to participate in international activities, as these may promote the creation of knowledge and enrich learning experiences. The Research Security Program maintains an International Activities website with resources and guidance for individuals engaging in these activities.
International Travel Security
International travel may pose significant health and safety risks, and travelers are
encouraged to carefully plan for trips prior to departure. Preparation should take
into consideration government warnings, University policies, health insurance coverage,
and country-specific requirements. The Research Travel Page provides guidance on travel and travel security.
As a reminder, all international travelers, regardless of funding source, must register their travel in Concur prior to travel.
IT Security Considerations While Traveling
Training Resources
FBI: Safety and Security for Business Professionals Traveling Abroad Brochure
FBI: Safety and Security for U.S. Students Traveling Abroad Brochure
FBI: The Key to U.S. Student Safety Overseas Brochure
Office of the Director of National Intelligence: Safe Travels Brochure
National Security Agency: Mobile Device Best Practices
Cybersecurity: Secure Computing
The Information Security Program, Division of Information Technology's website contains resources, guidance and services to help ensure privacy and protection of our data.
Secure Computing Guides - tip sheet and guides for students and faculty/staff designed to provide what they need to know in a concise format.
Security Consulting - consultative, training, education and awareness resources to assist students and faculty/staff in safe computing.
Incident Response/Reporting - notify the cybersecurity team if you are aware of a potential cybersecurity incident.
SBU Training Requirement
All faculty and staff are required to take annual Cybersecurity Awareness Training.
Insider Risk Awareness and Training
According to the NSPM-33 Implementation Guidance, an Insider Risk (Threat) is defined as "the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities."
Insider risk includes espionage, sabotage, fraud and intellectual property theft! See something, say something! Report it to your supervisor or contact the Director of Research Security, or you can submit a confidential report to Audit & Management Advisory Services.
Training Resources
The Center for Development of Security Excellence has short training videos
Data Management
The SBU Libraries Research Data Services' website provides resources, consultation and support for all aspects of a data lifecycle, from planning the data management strategy during the proposal phase through preserving the data at the conclusion of the project. They can assist with data management plans, federal public access plans, funder managements and research data management.
Federal Awards & Data Protection Standards
Some federal awards/subawards (issued as contracts) include clauses that require additional data security.
Research that includes the receipt, or in some cases the creation, of Controlled Unclassified Information (CUI), Covered Defense Information (CDI) or Government-Furnished Information (GFI) requires a consultation with the Director of Research Security and SBU's Information Security Program. Read more about government information.
Contract clauses that require review:
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
These clauses are often included with 252.204-7000 Disclosure of Information which is a prior approval publication restriction if a fundamental research determination is not granted by the U.S. federal sponsor's contracting officer.
Restriction on Certain Telecommunications & Surveillance Equipment
Government contracting clauses that implement prohibitions from National Defense Authorization Acts. All purchases for these types of services, hardware and software must go through Procurement to ensure compliance with these regulations.
52.204-26 Covered Telecommunications Equipment or Services-Representation
Restriction on ByteDance Covered Application (e.g., TikTok, CapCut, Lemon8)
Government contracting clause that restricts the use of ByteDance applications (covered applications) on information technology, university or personally owned equipment (such as computers, tablets and phones) that store, access or transmit federal contract information and data (used to any extent on a government contract).
52.204-27 Prohibition on a ByteDance Covered Application (June 2023)
Physical Security
Careful consideration should be given to the level of physical security that is needed to protect equipment, materials, and research. Environmental Health & Safety has established baseline requirements for lab security based on risk factors.
Related Guidance
Filming on Campus and Export Controls Compliance
Lab Tours, Visitors and Guests
- Know who will be visiting the lab and the reason for the visit.
- Maintain a log of visitors to the lab.
- Ensure that no confidential or proprietary information is visible at the time of the tour/visit.
- Prohibit the taking of photographs/video of lab equipment or lab set-up.
- Do not permit visitors to insert thumb drives or other media into university computers during the tour.
- Escort visitors throughout the tour/visit.
Intellectual Property Protection
Beyond securing your data and physical space, intellectual property (potential or realized) should also be appropriately disclosed and protected.
Disclose
- Intellectual property as required to sponsors.
- Any potential inventions or other intellectual property to Intellectual Property Partners (IPP).
Protect
- Use the proper agreement (i.e., material transfer agreement (MTA), data use agreement (DUA) or non-disclosure agreement (NDA)) when exchanging materials, data or other confidential/non-public information.
The Office of the Vice President for Research (OVPR) continues to monitor new regulations
and guidance provided by the federal government regarding research security, and we will inform the University community of relevant changes. Updates and new
information will also be provided on this page.
Federal Sponsors and Risk Reviews
U.S. federal agencies are increasing efforts to identify and counter undue foreign influence in federally-funded research. Federal agencies have implemented a variety of policies and processes for these purposes. Continue reading the overview.
- Department of Defense
- Department of Energy
- National Aeronautics & Space Administration
- National Institutes of Health
- National Science Foundation
Federal Policy
NSPM-33: Presidential Memorandum on United States Government-Supported Research and Development National Security Policy (January 14, 2021)
Requires:
- Federal funding agencies to strengthen and standardize disclosure requirements for federally funded awards; and
- Research organizations awarded in excess of $50 million per year in total Federal research funding to implement a research security program that includes the four elements (cybersecurity, foreign travel security, research security training and export control training).
NSPM Fact Sheet
Federal Guidance
March 7, 2023. The Office of Science and Technology Policy issued a request for comments. Comments were due by June 5, 2023.
Major organizations that submitted letters:
Association of American Universities (AAU), American Council on Education (ACE), the Association of Public and Land-grant Universities (APLU), the Council on Governmental Relations (COGR), the Association of American Medical Colleges (AAMC), and EDUCAUSE
Draft Research Security Programs Standards Requirement
February 2023. The Office of Science and Technology Policy (OSTP) acting through the National Science and Technology Council (NSTC) Joint Committee on the Research Environment (JCORE) Subcommittee on Research Security released Draft Research Security Programs Standards Requirement.
January 4, 2022. The Office of Science and Technology Policy (OSTP) acting through the National Science and Technology Council (NSTC) Joint Committee on the Research Environment (JCORE) Subcommittee on Research Security released NSPM-33 Guidance.
January 10, 2022. Council on Governmental Relations (COGR)
Clear Rules for Research Security and Researcher Responsibility
August 10, 2021. Office of Science and Technology Policy (OSTP Blog). Dr. Eric Lander, President’s Science Advisor and Director of the Office of Science and Technology Policy, states "over the next 90 days, OSTP will develop clear and effective implementation guidance for NSPM-33, working in close partnership with the National Security Council staff, fellow Cabinet agencies, and other federal agencies through the National Science and Technology Council." The guidance will include a disclosure policy for all federally funded researchers, oversight and enforcement guidance for federal agencies that includes interagency sharing of information and a research security program requirement for research organizations that receive over $50 million annually in federal R&D funding.
Related Federal Policies
National Defense Authorization Act (NDAA)
- FY23 NDAA: Science and Technology Policy Highlights
- FY22 Congress Passes National Defense Authorization Act for Fiscal Year 2022
- FY21 NDAA Enacted: Science and Technology Policy Highlights
FYI: Science Policy News, American Institute of Physics
The NDAA is a federal policy that outlines the U.S. defense budget and priorities on an annual basis.
CHIPS (Creating Helpful Incentives to Produce Semiconductors) and Science Act
- National Science Foundation: Chips and Science
- U.S. Department of Commerce: Biden-Harris Administration Launches First CHIPS for America Funding Opportunity
- COGR: Looking at the Chips on the Table - An Overview of the CHIPS & Science Act of 2022
Publications
Safeguarding the Research Enterprise (March 2024). National Science Foundation commissioned study - JASON report
Critical and Emerging Technologies List Update (2024 List) National Science and Technology Council (NSTC) (February 2024)
G7 Best Practices for Secure & Open Research. Security and Integrity of the Global Research Ecosystem (SIGRE) Working Group (February 2024)
Safeguarding International Science, Research Security Framework. National Institute of Standards and Technology (August 2023)
Protecting Critical and Emerging U.S. Technologies from Foreign Threats The National Counterintelligence and Security Center (NCSC) (October 2021)
Recommended Practices for Strengthening the Security and Integrity of America's Science and Technology Research Enterprise National Science and Technology Council (NSTC) (January 2021)
Advancing America's Global Leadership in Science and Technology, Trump Administration Highlights: 2017-2020 (October 2020)
Enhancing the Security and Integrity of America's Research Enterprise (OSTP) (October 2020)
Summary of the 2019 White House Summit of the Joint Committee on the Research Environment (JCORE) (November 2019)
Letter to United States Research Community from OSTP Director Kelvin Droegemeier (September 2019)
Update from the National Science and Technology Council Joint Committee on Research Environments (July 2019)
Related Campus Policies
Responsible Use of Information Technology Resources
Disclosure of External Interests & Commitments Policy
Information Security Program Administration Policy
Cyber Incident Response Policy
Sensitive Information Classification Policy
Additional Division of Information Technology policies
Physical and Electronic Access Control Policy
Provost's Office: Outside Consulting Work
Last Updated 6.23.24