5

Advancing Research Security in the Research Community

Humphrey moderated a panel focused on advancing research security in the research community. She asked the panelists about the infrastructure needed to ensure compliance with research security policies and requirements, including any associated costs for researchers and research institutions.

Panelist Jeremy Forsberg (The University of Texas at Arlington [UTA]) said that federal agencies have been inconsistent in the implementation of research security requirements, including having a broad range of disclosure requirements for grant proposals. Given the significant paperwork required to comply with necessary disclosures, the energy and resources spent are high. Inconsistencies create extra burden and waste, but universities must comply with all requirements. Risks to universities for noncompliance are significant, including potential False Claims Act liability.¹

Humphrey said that, according to NSF Higher Education Research and Development survey data,² between 2010 and 2023 federal research funding has dropped by $7 billion. At the same time, institutional investment in R&D has increased by $6.5 billion, in large part to cover the cost of various unfunded mandates. For institutions of higher education, research security is, in essence, an unfunded government mandate, Humphrey said.

___________________

¹ The False Claims Act (31 U.S.C. §§ 3729–3733) is a federal law that allows the U.S. government to sue individuals or companies that defraud government programs.

² Survey data can be found at https://ncses.nsf.gov/surveys/higher-educationresearch-development/2023.

This presents particular challenges for smaller institutions, she continued, noting that, at Northeastern University, one- and one-half full-time employees support research security compliance activities.

Forsberg noted that, in fiscal year 2023, the Council on Governmental Relations (COGR)³ conducted a facilities and administrative cost (F&A) survey. For institutions receiving less than $50 million in federal grants, the actual F&A of facilities and administration is 76 percent. The government F&A rate is capped, on average, at 61.5 percent. As the negotiated rate for indirect costs is 53.3 percent, this means that institutions are responsible for an F&A shortfall of around 15 percent—which is untenable. There is, however, an opportunity to leverage other institutional functions to cover research security compliance costs.

Panelist Geeta Krishna Swamy (Duke University) said that dedicated staff at universities handling research security compliance must have content expertise and training on research security. She also noted that IT systems associated with compliance and related matters are expensive and represent a hidden cost. Panelist Lori Ann Schultz (Colorado University) agreed that there are hidden costs related to research security compliance work. Costs include those associated with research information management systems, the collection of bibliometric data, and the identification of faculty collaborating with external parties.

Humphrey suggested that research security is a whole-of-campus issue, touching everything from lab safety to IT, campus security, and the office of the general counsel. Each has competing priorities but there is a need to convey the importance of research security across an institution and negotiate boundaries around how much effort and funding can be applied to research security efforts. Schultz said that it is important to get buy-in from institutional leadership to advance research security efforts campuswide. Forsberg added that UTA integrates processes across multiple offices. Swamy said that, to achieve buy-in across an institution, it is necessary to develop partnerships that bring people together to create a secure environment.

Panelist Jonathan Snowden (University of Missouri, Kansas City [UMKC]) agreed that buy-in from leadership is critical. It is also important to build relationships with federal agencies such as the FBI. Snowden said

___________________

³ COGR was “founded in 1948 to address the need for sensible federal research policy.” It “provides a unified voice for U.S. research universities, affiliated medical centers, and independent research institutions” and advocates “for effective and efficient research policies and regulations.” See https://www.cogr.edu/cogrs-purpose.

that his previous university has convened a research security integrity working group with representatives from across the university; it created an insider-threat working group to identify and mitigate research security risks.

Humphrey asked what funding would be needed to ensure that an institution’s research security measures are effective. Forsberg said that institutions should explore ways to maximize direct charging for certain research security activities while finding efficient ways to implement research security requirements. Schultz suggested that institutional approaches to research security align with institutional culture and size. One of the hard things about research security is that it is difficult to measure its effectiveness, she said; addressing research security requires culture change, and cultural shifts are particularly challenging to measure.

Forsberg said that a recent NIH notice on foreign subawards introduced a new process and requirements.⁴ He suggested that the requirements will have unintended consequences and may result in less foreign collaboration. Swamy said that the costs of research security are borne where research is performed and if the cost burden becomes too high, certain institutions will be unable to participate.

Humphrey said that there has been a shift in international collaborations because of research security requirements. In addition, there are data to suggest that foreign students have chosen not to return to the United States due a climate seen as unwelcoming to international scholars and the potential for enhanced vetting processes to meet research security protocols. Universities have become better at identifying risk on the basis of sanctions, export controls, and research security awareness, but continued improvement in these areas is needed.

Humphrey said that it is important to achieve a balance between open and closed research. Forsberg said that the boundary between open and sensitive research is fluid and that, in many instances, universities spend time evaluating risk in areas that are not sensitive scientifically in order to meet administrative requirements.

Humphrey said that it is important to develop research security training that resonates with faculty. This can be achieved by helping faculty understand the risks involved in their area of research. Snowden said that face-to-face interactions with faculty are important in helping faculty understand

___________________

⁴ The new award structure, which went into effect on May 1, 2025, probits “awards to domestic or foreign entities (new, renewal or non-competing continuation), that include a subaward to a foreign entity.” See https://grants.nih.gov/grants/guide/notice-files/NOT-OD-25-104.html.

research security issues. Schultz has found it helpful to frame educational opportunities as “increasing awareness of risk” rather than “training.”

Schultz asked about pathways that enable everyone at institutions to learn more about research security. Swamy said that clearer guidelines, understanding, approaches, and harmonized content are needed.

Murdick said that, in light of federal proposals to lower indirect cost recovery, there are assumptions that reimbursable direct costs could become a line-item cost for universities. Direct costing would be time consuming and complicated. He asked panelists to comment on the information that would be needed to develop a direct reimbursable cost plan to cover research security activities. For smaller universities, would it be possible for direct costs to be aligned and provided by an independent clearinghouse or some organization that works on behalf of a collection of smaller institutions?

Swamy offered an example of the institutional review board (IRB) system at Duke University. Duke and other institutions participate in an IRB system run by Harvard University. This allows for the centralization of IRB activities as constituent institutions adopt a similar IRB structure and process. Swamy said that the NSF SECURE Center will be helpful as a centralized repository of informational and educational resources related to research security.

Forsberg said there is a need to collect information via surveys as well and a need to better understand the current costs of research security efforts. Surveys could collect the information needed to understand costs and provide a vehicle to assess models for covering these costs, particularly for smaller institutions. He noted that 34 percent of larger institutions have greater economies of scale on indirect recovery.

Snowden noted that UMKC has been examining opportunities for vendor support of research security–related activities. Over time, vendors have been able to make products that can help make research security activities more affordable for smaller schools. UMKC can use a vendor to help with hiring decisions for research security work, potentially eliminating the need to hire an additional full-time employee to work on research security issues.

Humphrey noted that other countries use different models to address research security issues. For example, in Canada each institution receives, based on the size of their research portfolio, funds that can be used for their research security program.

Fox asked panelists about their experience with Controlled Unclassified Information (CUI) programs. At Fox’s institution, the requirements

associated with CUI have been confusing to implement and often need to involve the participation of individuals with security clearances. Schultz said that she implemented a CUI program at a previous institution, and it was difficult to get faculty to understand what they need to be doing and why. She found success in treating CUI as a service like high-performance or research computing: “This is the environment, this is how you use it, this is what it costs,” to be accessed similarly to other services. This makes more sense for faculty accustomed to working in a central IT environment. CUI was handled outside the university’s research office (though the office was involved in defining what CUI looked like) and managed by individuals who understood how to protect data.

Forsberg said that it is expensive to work with CUI and that any expansion of CUI should be met with caution. He said that there is a need for simplification and noted that information has been incorrectly marked as CUI. Snowden said that more education about CUI is needed. Schultz said that safeguarding CUI within universities requires infrastructure that does not exist in most places. For example, providing faculty with a clean laptop is challenging because clean devices do not have in storage the information they need; establishing connections to secure IT systems requires a significant infrastructure and planning.

Snowden and Swamy said that coordinated effort on research security activities is necessary to leverage resources and streamline the work of institutions. Forsberg suggested that it might be helpful to calibrate research security expectations prior to centralizing research security measures within an institution.

Panelists discussed the use of outside expertise to support campus research security efforts. Snowden said that many in government do not understand what goes on in academia. He recounted an experience where a Defense Counterintelligence and Security Agency (DCSA) counterintelligence special agent conducted a role-playing training on research security. As an expert on counterintelligence, the agent knew how academic solicitation works, but by engaging faculty, was able to understand how solicitation is viewed in the academic environment.

Swamy suggested that universities be allowed to provide input as part of the development of a new rule. “Getting input before the rule comes out” is important, she said, because if institutions cannot understand it, they cannot explain it. Forsberg added that one way to gather input is for federal agencies to survey institutions about proposed regulations and ask questions about what will be effective.

Humphrey said that there is the potential to lose out on opportunities to pursue research collaborations if an institution does not have full information on risk because of a lack of understanding about how the government classifies operations or intelligence services. Swamy said that this is a challenge encountered at Duke.

Caputo said researchers know that measurement is really hard. While “we all love metrics and measures of effectiveness,” she said, the goal is risk reduction. She asked how to know whether the research community is reducing risks and securing research more effectively. Forsberg said that UTA’s first research security endeavor was the result of widespread attention being given to malign foreign-talent recruiting programs. The university conducted a risk assessment of all faculty interactions with China by examining travel records, funding, unfunded agreements, collaborations, and publications and interviewing faculty. Because of the campaign and changes in policies, faculty do not participate in foreign-talent programs anymore. Risks identified through transactional reviews have also led to increased awareness of potential threats and the need to protect information.

Snowden believes that faculty are more educated and aware of research security and potential threats, but to achieve true awareness, one-on-one interactions with faculty are necessary. Swamy has found that when administrative staff directly interacts with faculty, there has been more reporting about research security matters, particularly on issues that would not be considered misconduct. Faculty are also coming forward with questions, which demonstrates not only that they understand the importance of research security but that they know where to ask questions (and why).

Schultz said that one of the challenges of measurement is that universities do not know what they are measuring against. Institutions can track how many people took the training, completed conflict of interest disclosures, and filled out documents correctly. They can also track conversations that they have had with individual faculty at campus events and one-on-one meetings. But unless they know what the risk was to begin with, institutions cannot measure the scope of risk reduction.

Snowden added that DCSA collects data on research security reporting. He suggested that DOD might use collected information to support evaluations of the effectiveness of research security policies.