top of page

NSF SECURE Center
Research Security Briefing

Vol. 2, No. 14
April 24, 2026

The NSF SECURE Center distributes research security briefings and timely alerts via its listserv. The Briefing provides a centralized resource for research security-related information, including new statutory and research funding agency requirements, new or updated federal and community resources, and significant news items and scholarly works. The Center will also assess and provide commentary, interpretation, or implementation considerations on new requirements, notices and resources, working with higher education associations, legal partners, or agencies as needed.

Briefing Contents

Federal News & Updates

NIH Announces System Enforcement of Common Forms and End of Leniency Period

On April 21, 2026, the National Institutes of Health (NIH) released Notice NOT-OD-26-079, announcing the end of the agency’s leniency period regarding use of the Common Forms for Biographical Sketch, Current and Pending (Other) Support, and NIH Biographical Sketch Supplement.

 

Beginning May 8, 2026, all NIH applications and related submissions, including Just-in-Time (JIT), progress reports, and prior approval requests, must use the new Common Forms via SciENcv.  The previously announced “leniency period” will end on May 7, 2026, after which non-compliant submissions will not be accepted.

 

The Notice also includes the announcement that, effective April 22, 2026, NIH has restored the Research Security Training (RST) certification language to the Common Forms, requiring that senior/key personnel certify that they have completed RST that meets the requirements specified in Item 2 of Important Notice No. 149 within 12 months prior to proposal submission.

 

NIH notes that if senior/key personnel already certified their Common Forms, prior to the addition of this text on April 22, 2026, for applications due on or after May 25, 2026:

 

  • For applications that have yet been submitted, senior/key personnel should regenerate their Common Form PDFs prior to submission.

  • For applications that been submitted, senior/key personnel do not need to resubmit with updated Common Forms, as NIH staff will collect these updated documents at JIT for applications selected for potential funding.

 

NIH will not hold senior/key personnel accountable for the RST-related portion of the certification statement for applications that include Common Forms for due dates on or before May 24, 2026.

The Notice also includes:

  • The announcement that SciENcv has been updated to allow users to enter zero person months effort for Proposals/Active Projects and In-Kind Contributions on the Current and Pending (Other) Support Form

  • A reminder for senior/key personnel to link their ORCID to their SciENcv and eRA Commons accounts

  • A reminder that the RPPR, JIT, and Prior Approval (PA) eRA modules have been updated to allow Common Form attachments at an individual person-level, so documents for multiple individuals no longer have to be compiled and flattened as a single PDF.

NIH Policy Changes to SBIR and STTR Foreign Disclosure and Risk Management

On April 20, 2026, the NIH released Notice NOT-OD-26-074, implementing new requirements for Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) applicants, in follow-up to the Small Business Innovation and Economic Security Act recently being signed into law. The policies covered in the Notice apply to both SBIR/STTR proposals and to existing SBIR/STTR awards.

The Department of Health and Human Services (HHS) has implemented a due diligence program to assess the potential security risks of applicants, including:

  • The cybersecurity practices of a small business concern (SBC)

  • Patent analysis

  • Employee analysis

  • Connections between SBCs and individuals or entities in foreign countries of concern, including:

    • Foreign ownership, financial ties, and obligations

    • Foreign affiliations and investment relationships

    • Investment relationships

    • Technology licensing agreements or joint ventures (including joint venture-like agreements)

    • Business relationships

 

Under the Act, HHS cannot make an award to an SBC applicant if the SBC is determined to include any disqualifying characteristics, including, but not limited to:

  • an owner or covered individual (i.e., senior/key personnel) that is party to a malign foreign talent recruitment program

  • a business entity, parent company, or subsidiary located in the People's Republic of China or another foreign country of concern

  • an owner or covered individual that has a foreign affiliation with a research institution located in the People's Republic of China or another foreign country of concern

  • a security risk connecting the SBC to an entity, including any affiliates of the entity, or individual on eight listed U.S. restricted entities lists

  • a security risk with a primary source that is classified

  • a security risk that the federal agency determines warrants a denial

 

If HHS determines that an award cannot be made due to one of these risk factors, it will advise the SBC as to which of these factors prevented the award from being issued.  While applicants do not have the ability to address any identified concerns for the denied application, a denial does not prohibit SBCs from being eligible for subsequent awards.

 

Recipients of SBIR/STTR awards are responsible to monitor relationships with foreign countries throughout the duration of the award, and submit updated disclosures if there is:

  • any change to a disclosure on the disclosure form

  • any material misstatement that poses a risk to national security

  • any change of ownership, change to entity structure, or other substantial change in circumstances of the SBC that the sponsor determines poses a risk to national security

 

If any of these types of incidents occur between submissions of an award’s Research Performance Progress Report (RPPR) submissions, the SBC must submit an updated disclosure form within 30 days using the Additional Materials (AM) tool in eRA Commons.

 

If the recipient reports a covered foreign relationship that meets any of the risk criteria prohibiting funding, NIH, CDC, and FDA may deem it necessary to terminate the award for material failure to comply with the federal statutes, regulations, or terms and conditions of the federal award.

 

Agency Recovery Authority and Repayment of Funds

The notice indicates that an SBC will be required to repay all amounts received from NIH, CDC, and FDA under the award if either of the following determinations are made upon assessment of a change to their disclosure:

  • the small business concern makes a material misstatement that NIH, CDC, and FDA determine poses a risk to national security; or

  • there is a change in ownership, change in entity structure, or other substantial change in circumstances of the SBC that NIH, CDC, and FDA determine poses a risk to national security.

DOJ Press Release: IU Biology Researcher Pleads Guilty to Smuggling

In an April 10, 2026, press release, the U.S. Department of Justice (DOJ) stated that Youhuang Xiang, A former postdoctoral researcher at Indiana University has pleaded guilty to smuggling biological materials into the United States.  According to the DOJ, Xiang admitted to concealing DNA samples of E. coli bacteria in a shipment from China that was falsely labeled as clothing in order to evade U.S. import controls. Xiang, who was in the U.S. on a J-1 visa, initially denied knowledge of the shipment but later acknowledged intentionally mislabeling the package to circumvent federal regulations.  Investigators also reported that Xiang failed to disclose certain affiliations during immigration screening. The case came to light following an FBI investigation into suspicious shipments to university-affiliated individuals.  Xiang was sentenced to more than four months in prison, fined, and will be deported following completion of the sentence.

Upcoming Webinar: Multiple NSF Directorates Invite Research Security-Related Proposals

The National Science Foundation (NSF) will be holding a webinar on April 29, 2026, from 4-5:30pm EST, highlighting and differentiating the range of research security funding opportunities from multiple NSF directorates appropriate for those involved in research security policy, implementation, administration, and research. All organization types, including those in EPSCoR jurisdictions, are encouraged to attend. The following NSF programs will participate:

 

Register now to learn more.  Note that content provided at the April 29 webinar will be identical to that presented at the April 2, 2026, session.

Research Security News, Reports & Events

Please note, articles linked below may require a subscription to view.

NSF SECURE Center cannot distribute copies of subscription-based articles.

‘Hysteria’ or national security? IU researcher from China to be deported
(Indiana Public Media, 4/17/2022)

A recent case involving a former Indiana University researcher has drawn attention to the tension between research security enforcement and concerns about overreach. The researcher pleaded guilty to failing to properly declare a shipment of plasmid DNA from China, which had been mislabeled to bypass import procedures, and now faces deportation.

 

Federal authorities characterized the incident as an intentional effort to evade U.S. laws, emphasizing the importance of compliance with import and research regulations. However, colleagues argue the material involved was non-hazardous and commonly used in research, suggesting the case may reflect broader concerns about how such incidents are framed and prosecuted.

 

The situation has fueled debate within the academic community about whether increased enforcement actions are appropriately targeted at genuine risks or may contribute to a climate of heightened scrutiny, particularly for international researchers. (more)

Insufficient research security could turn e-Estonia into NATO's weak link
(Estonian Public Broadcasting, 4/17/2026)

In this opinion piece, Riin Tamm, vice-rector for research, Estonian Academy of Security Sciences, calls upon all Estonian researchers and research institutions to implement research security measures, warning that insufficient attention could pose serious risks not only to Estonia’s digital infrastructure but also to NATO as a whole.  Estonians use a national e-Identity system to vote, declare taxes, pay bills, and more.  Tamm argues that in Estonia’s highly digital society, the “theft of research, sabotage of important studies and obstruction of development activities vital to Estonia are all very real threats” and discusses the reputational risk for the country itself. Tamm posits that research security measures “must inevitably become everyday life for Estonian researchers.”  She notes that, while “Estonia stands out in Europe for the large role students, especially doctoral students, play in conducting research,” examples of foreign doctoral students expelled due to malicious intentions means “the system must be smart, not distrustful,” and points to lessons that can be learned from other countries in the European Union. (more)

Biomedical researchers lose US citizenship over trade secrets theft
(Chemistry World, 4/10/2026)

A married couple, both biomedical researchers, has been stripped of their U.S. citizenship following convictions for stealing proprietary medical research from a U.S. institution.  The case involved the theft of a specialized method related to exosome isolation, which the researchers sought to commercialize through a company in China.  Li Chen and Yu Zhou, who had previously worked for Nationwide Children’s Hospital in Ohio and became naturalized U.S. citizens, received funding through China’s Thousand Talents program, according to the Department of Justice.  Chen and Zhou were sentenced to prison, ordered to pay millions in restitution, and are now expected to be deported. (more)

Registration Open for FDP May Membership Meeting in Washington D.C.

Registration is open for the Federal Demonstration Partnership (FDP) May 27-29 membership meeting in Washington D.C.  Research security-related sessions currently listed on the preliminary agenda include:

  • Federal Agency Updates

  • Federal Agency Research Security Risk Assessment Processes (Michelle Bulls, NIH, Sarah Stalker-Lehoux, NSF, Julie Anderson, DOE, Jason Day, DoW (Invited))

  • Federal Panel on Research Security (Michelle Bulls, NIH, Sarah Stalker-Lehoux, NSF, Julie Anderson, DOE, Jason Day, DoW (Invited))

Registration is open for COGR’s June 11-12 membership meeting in Washington DC.  Research security-related sessions currently listed on the preliminary agenda include:

  • Across the Agencies: Key Updates and Priorities (NIH, NSF, and DOE invited)

  • Research Security & Biosafety: What’s New and What’s Next

RISC Bulletin

Registration Open for COGR June Membership Meeting in Washington D.C.

Texas A&M University’s Research and Innovation Security and Competitiveness (RISC) Institute disseminates weekly RISC Media Bulletins, covering topics related to research security, foreign influence, and the intersection of science, technology, and national security.  To join the distribution list for the RISC Bulletin or view previous editions, click here.

NSF SECURE Opportunities, Updates & Resources

Upcoming NSF SECURE Center SPARK Webinars

SECURE Programming: Advancing Research Knowledge (SPARK) webinars are free, interactive, virtual webinars designed to help the research security community better understand and implement requirements, resources, and best practices.

NSF SECURE Center Calendar of Events

Each week the NSF SECURE Center hosts events through the National and Regional Centers, including co-creation workshops, educational, and engagement sessions with the research community. The events calendar provides more information about these opportunities and more.

Previous NSF SECURE Center Research Security Briefings

2026 issues of the Research Security Briefing are available on the NSF SECURE Center website.

A combined, searchable version of all 2025 issues of the Briefing is also available.

Research Security by Design with Amanda Humphrey and Lee Stadler

The NSF SECURE Center will host a webinar on April 28, 2026, at 10:30am PT (11:30am MT, 12:30pm CT, 1:30pm ET) with Amanda Humphrey, Chief Research Operations Officer at Northeastern University, and Lee Stadler, Design Lead at the NSF SECURE Center. Humphrey and Stadler will explore how institutions can develop and sustain research security programs in a complex and evolving landscape. Registration remains open via this link.

 

Strengthening Shared Awareness in Research Security

The NSF SECURE Center will host a webinar on May 1, 2026, at 12:00PM PT (1:00PM MT, 2:00PM CT, 3:00PM ET) with Dr. Narcisa Pricope, Professor and AVP for Research at Mississippi State University, and John Talerico, AVP for Research Security at Virginia Tech University. Pricope will introduce the SECURE Center’s Incident Reporting System, a pilot tool designed to help research security professionals share and learn from activities of concern across institutions. The session will explore how the system enables users to document observations, identify emerging patterns, and learn from peer responses to strengthen early awareness and institutional decision making.

Registration remains open via this link.

 

AI, Analytics, and Data-Driven Decision Making in Research Security

The NSF SECURE Center will host a webinar on May 12, 2026, at 1:00pm PT (2:00pm MT, 3:00pm CT, 4:00pm ET). This panel will explore how AI, analytics, and big data are reshaping research security and what it takes to translate complex data into meaningful, defensible decisions. Drawing on real-world examples, speakers will examine how institutions can identify true risk signals, avoid overgeneralization, and responsibly integrate data-driven tools with expert judgment.

 

The panel will feature Allen DiPalma, Deputy Director, NSF SECURE Analytics and Executive Director, Research Security & Trade Compliance at the University of Pittsburgh; Baron Wolf, Research Analytics at the University of Kentucky; and Deepika Bhatia, Director of the NSF SECURE Southeast Regional Center and AVP | Chief Research Security Officer at Emory University. The session will be moderated by Jeff Seo, Chief Research Compliance Officer at Northeastern University. Registration is open via this link

Looking to participate in NSF SECURE Center co-creation activities or contribute to weekly briefings?

Contact info@secure-center.org or sign up here.

The information provided by the NSF SECURE Center is intended for general research and educational purposes only. While we strive to ensure the accuracy and reliability of our content, we do not guarantee its completeness, timeliness, or applicability to specific circumstances. Each user is responsible for conducting their own risk assessments and making decisions based on independent judgment.

 

Further, the NSF SECURE Center does not provide professional or legal advice, and users are encouraged to consult qualified professionals before making decisions based on the information found here. The NSF SECURE Center shall not be liable for any damages or costs of any type arising out of or in any way connected with your use of this information. External links are provided for convenience and do not constitute an endorsement of the content or services offered by any third-party resources.

 

This material is based upon work supported by the U.S. National Science Foundation under Cooperative Agreement No. 2403771.  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or other U.S. Government Agencies.

bottom of page