New Requirements for Research Security Programs Raise the Stakes for Compliance

Holland & Knight LLP

[co-author: Jason Maniscalco]

Highlights

  • Under new guidelines published by the White House Office of Science and Technology Policy, by July 2026, any university, hospital or other research institution that receives more than $50 million per year in federal funding must implement a research security program (RSP) and formally certify the RSP's implementation and compliance to the federal agency(ies) from which the institution receives funding.
  • The RSP must contain, at a minimum, cybersecurity elements, foreign travel security elements, research security training and export control training.
  • Falsely certifying that an RSP exists and/or that it is compliant may expose an entity to liability under the federal False Claims Act.

The National Security Presidential Memorandum-33 (NSPM-33), issued in January 2021, directed federal agencies that fund research and development (R&D) projects to require certain "Covered Institutions" to certify that the institution operates a compliant "research security program" (RSP).

On July 9, 2024, the White House Office of Science and Technology Policy (OSTP) published a memorandum (OSTP Memorandum) containing implementation guidelines for NSPM-33, specifically, the contents of RSPs and their related certification requirements. The OSTP Memorandum also defines the "Covered Institutions" that will be subject to the RSP and certification requirements as follows:

  • an institution of higher education, a federally funded research and development center (FFRDC) or a nonprofit research institution, and
  • receives more than $50 million per year, in fiscal year 2022 constant dollars, under either 1) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions, or 2) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development.1

Hospitals and universities that receive $50 million in federal research funding are most likely Covered Institutions that will be subject to the RSP implementation and certification requirements.

Federal agencies must update their agency-specific RSP requirements no later than Jan. 9, 2025, and Covered Institutions will subsequently have 18 months to enact compliant RSPs (or conform existing RSPs) to the new federal standards and the specific requirements of their funding agency(ies). In summary, by July 2026, all Covered Institutions will need to have a compliant RSP in place.2

Additionally, all Covered Institutions will be required to affirmatively certify to their funding agency(ies) that they have implemented and are operating a compliant RSP that contains, at a minimum, the elements summarized below. The current guidance does not specify whether this is a one-time certification, an annual certification requirement or a "per grant" certification requirement.

RSP Requirements

Per the OSTP Memorandum, Covered Institutions must implement and maintain an RSP that contains, at a minimum, 1) cybersecurity elements, 2) foreign travel security elements, 3) research security training elements and 4) export control training elements. Additionally, NSPM-33 requires that each Covered Institution's RSP address the Institution's "unique needs, challenges, and risk profiles."3 A Covered Institution's RSP will also need to cover any requirements that a federal funding agency may issue in addition to these OSTP requirements.

In the context of RSPs, a "Covered Individual" is an individual who 1) contributes in a substantive, meaningful way to the scientific development or execution of an R&D project proposed to be carried out with an R&D award from a federal research agency and 2) is designated as a "covered individual" by such federal research agency.4

  • Cybersecurity: For Covered Institutions that are institutions of higher education, the Institution's RSP must include a cybersecurity program that conforms with the cybersecurity resource issued each year by the National Institute of Standards and Technology (NIST) under the CHIPS and Science Act. For Covered Institutions that are not institutions of higher education, the RSP must include a cybersecurity program that meets the requirements of a relevant NIST standard or a standard promulgated by a relevant federal research agency.5
  • Foreign Travel Security: RSPs must include training programs on foreign travel security that are given to Covered Individuals engaging in international travel for Covered Institution business, teaching, conference attendance or research purposes. The RSP must mandate that Covered Individuals take this training at least once every six years.6 Additionally, for institutions that have a federal R&D award under which security risks require travel reporting, the RSP must include a travel tracking program that logs the international trips taken by Covered Individuals at the Covered Institutions for business, teaching, conference attendance or research purposes (i.e., tracking of private travel or vacations is not required).7
  • Research Security Training: RSPs must include a mandatory research security training program for all Covered Individuals that addresses the unique needs, challenges and risk profiles of the Covered Institution's Covered Individuals. A Covered Institution's RSP meets this requirement if 1) it requires Covered Individuals to complete training modules made available by the National Science Foundation (NSF) and those Covered Individuals complete such trainings, or 2) the training program contains explicit examples of behaviors resulting in known improper/illegal transfer of U.S. government-supported R&D in the context of a research environment and communicates the importance of U.S. researcher participation in global discoveries as a core principle of maintaining international leadership and national security.8
  • Export Control Training: RSPs must include a mandatory export control training program for Covered Individuals performing R&D on export-controlled technologies. A Covered Institution's RSP meets this requirement if 1) it requires Covered Individuals to complete relevant trainings administered by the U.S. Department of Commerce's Bureau of Industry and Security (BIS) or 2) the training program covers U.S. export control and compliance requirements and the requirements and processes for reviewing foreign sponsors, collaborators and partnerships.9

False Claims Act Risks

The new RSP certification requirements open the door to potential liability for Covered Institutions under the federal False Claims Act (FCA).10 Under the FCA, any person or entity that "knowingly presents, or causes to present, a false or fraudulent claim for payment or approval" to the federal government can be found liable for civil monetary penalties up to three times the government's damages.

Covered Institutions may expose themselves to FCA liability if they falsely certify that their RSP is fully compliant or misrepresent such compliance, because this certification and the RSP itself are conditions of receipt of federal grant funding.

As a potential preview of how the government may employ the FCA in the context of RSPs, several high-profile research institutions and hospitals have recently resolved FCA allegations for failing to disclose foreign (i.e., non-U.S.) or external (i.e., private funding, domestic or international) funding sources for R&D programs that were also funded by federal grants:

  • The Cleveland Clinic agreed to pay $7.6 million to "resolve allegations that it violated the [FCA] by submitting to the National Institutes of Health (NIH) federal grant applications and progress reports in which the Clinic failed to disclose that a key employee involved in administering the grants had pending and/or active financial research support from other sources."
  • Stanford University agreed to pay $1.9 million to resolve FCA allegations that proposals for federal research grants failed to disclose Stanford faculty members who received support from a Chinese university.
  • The Ohio State University agreed to pay $875,689 to resolve allegations that it failed to disclose a faculty member's affiliations with and support from a foreign government in connection with federal research funding.

Conclusion

Research institutions such as universities, teaching hospitals, academic medical centers and health systems that receive more than $50 million in federal funding per year for research (including clinical research) should evaluate their current research security programs, protocols and trainings to determine whether they meet the RSP requirements promulgated by the OSTP. In the event any gaps or deficiencies are identified, the institutions should ensure they are remediated and brought into compliance by July 2026. Institutions should also closely monitor guidelines issued by the federal agencies from which they receive funding, as those agencies may issue additional requirements for RSPs. Institutions should be mindful of the potential FCA liability the RSP certification process may trigger – falsely certifying an RSP exists and/or that it is compliant may expose the institution to an FCA allegation or investigation.

Notes

1 Id. at 4.

2 Id. at 4.

3 Id. at 4.

4 Id. at 10; 42 U.S.C. § 19237(1).

5 Id. at 4.

6 Id. at 5.

7 Id. at 5.

8 Id. at 5-6.

9 Id. at 6.

10 31 U.S.C. § 3729.
