Skip to content

University of Rochester Research Security Program Update

October 4, 2023

In January of this year, the Vice President for Research published a message to the University research community regarding the expansion of the University’s research security program in order to align with federal requirements outlined in the National Security Presidential Memorandum-33 (NSPM-33). Below are key updates regarding NSPM-33 and the development of the University’s research security program.

Regards,
Steve

Steve Dewhurst, PhD
Vice President for Research


NSPM-33 Status

In March 2023, the Office of Science and Technology Policy (OSTP) published a draft Research Security Programs Standard Requirement (Draft Standard Requirement) developed in response to NSPM-33, which outlines the baseline requirements of research security programs. OSTP is currently reviewing comments to the Draft Standard Requirement.

We estimate that OSTP will issue final NSPM-33 regulations during Q4 2023 or Q1 of 2024, and the requirements will go into effect one year from issuance. While OSTP may make changes, the University is not planning for the final NSPM-33 regulations to deviate substantially from the provisions of the Draft Standard Requirement.

Updates on Core NSPM-33 Requirements

The Office of the Vice President for Research and applicable campus units have reviewed the Draft Standard Requirement in detail and have conducted an initial assessment on areas where action is needed to align with federal requirements. Although the review is ongoing, the University community should be aware of several key updates. Some of the requirements of NSPM-33, particularly those relating to cybersecurity and foreign travel, will require changes to University practices. To achieve compliance, cooperation at all levels of the University will be essential.

NSPM-33 Working Group

The Office of the Vice President of Research has formed an NSPM-33 Working Group that will coordinate efforts across the University to ensure that the NSPM-33 requirements of a research security program are met. The Working Group is tasked with conducting analyses and developing policy and procedure updates to ensure compliance with NSPM-33.

Working Group membership list
  • IT: Julie Myers, Mark Baker, Kara Walsh, Jean-Claude Johnson
  • Global Engagement: Jane Gatewood, Jeff Russin
  • ORPA: Gunta Liders, Josef Mejido
  • Finance: Jeff Sullivan
  • Office of the Vice President for Research: Libby Reitz, Joe Doyle
  • Office of Counsel: Mark Wright
  • University Audit: Chris Butler
  • Genomics Research Center: John Ashton
  • Privacy Office: Kathleen Tranelli
  • Accounts Payable: Marta Herman
  • College/School Representatives:
    • Sally Norton, SON
    • John Hain, ESM
    • Cindy Gary, AS&E
    • Jane Tolbert, SMD
What happens next

As the regulations are finalized, the NSPM-33 Working Group will communicate and meet regularly to ensure coordination of the University’s NSPM-33 compliance efforts.

Cybersecurity

Information Security has reviewed the cybersecurity controls required by the Draft Standard Requirement and assessed them against the current University security environment. The InfoSec team, in conjunction with University IT, ISD and Office of Research IT, has developed an initial plan to achieve compliance with the required cybersecurity controls.

What happens next

In the coming months, members of these Security and IT teams will be contacting specific University departments and units that conduct federally funded research to begin to inventory the types of equipment and devices utilized in federally funded research. As many of the cybersecurity controls required are best enforced at the equipment or device level, they will need information from relevant groups to determine next steps towards achieving compliance. At the same time, the InfoSec and IT teams will be developing additional security policies and implementing necessary security controls.

The NSPM-33 Working Group will establish a subcommittee that includes faculty stakeholders, InfoSec, and IT representatives to help address the development and implementation of NSPM-33 cybersecurity matters. Our goal is to meet the cybersecurity requirements of NSPM-33 in a way that minimizes any negative effects on research.

Foreign Travel Security

Among other things, the Draft Standard Requirement requires that organizations have international travel policies for “covered individuals” engaged in federally funded research and who travel internationally for certain purposes. These polices must include (1) maintenance of an organizational record of certain international travel by certain individuals engaged in federally funded research, and (2) a disclosure and authorization requirement in advance of international travel. Currently, University policy provides that prior registration of University-sponsored or supported international travel is mandatory for staff and students, and is strongly recommended for faculty.

What happens next

We believe that in order to meet the requirements of NSPM-33, the University may need to modify its travel policies to provide that prior registration of University-sponsored or supported international travel is mandatory for faculty members. This change would support the University’s compliance with NSPM-33 and would help the University better protect the safety and security of faculty. Travel policy modifications will be subject to the final research security program requirements.

The NSPM-33 Working Group will establish a subcommittee of faculty stakeholders and administration to assist with international travel policy updates. As policy updates are made, applicable University units will provide guidance necessary to support compliance with the new policy. The University will also develop and implement required enforcement mechanisms to help achieve compliance with the requirements.

Research Security Training

The Draft Standard Requirement requires that research security training be incorporated into existing programs and incorporate specific topics. Organizations must maintain the ability to certify that personnel have completed the required training, and organizations must tailor training to appropriate personnel.

What happens next

Working with grantee institutions, NSF is preparing research security training modules that the University will incorporate into its training practices. The University will augment these training modules with University-specific materials as appropriate.

Export Control Training

The Draft Standard Requirement requires that organizations provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators, and partnerships, and for ensuring compliance with export control requirements and restricted entities lists.

What happens next

The University will update or expand its existing export control training practices as appropriate to achieve compliance with the regulations.

Other updates

Visitor processes

As part of the effort to expand the University’s research security program, the Office of the Vice President of Research is currently reviewing University policies and procedures relating to international visitors to the University.

What happens next

In the coming months, the Office of the Vice President for Research will formulate a working group to develop and implement new processes to help guard against research security risks associated with visitors to the University.