top of page

NSF SECURE Center
Research Security Briefing

Vol. 2, No. 4
January 30, 2026

Any opinions, findings and conclusions or recommendations expressed are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or other US Government Agencies.

The SECURE Center distributes research security briefings and timely alerts via its listserv. The Briefing provides a centralized resource for research security-related information, including new statutory and research funding agency requirements, new or updated federal and community resources, and significant news items and scholarly works. The Center will also assess and provide commentary, interpretation, or implementation considerations on new requirements, notices and resources, working with higher education associations, legal partners, or agencies as needed.

Briefing Contents

Federal News & Updates

NIH Issues ‘Leniency Period’ for Compliance with Common Forms via SceENcv

On January 27, 2026, the National Institutes of Health (NIH) updated its FAQs on “Common Forms for Biographical Sketch and Current and Pending (Other) Support,” stating that NIH will not withdraw initial applications, JITs, RPPRs, or Prior Approvals submitted on or after January 25 that fail to use Common Forms via SciENcv for Biographical Sketches, Current and Pending (Other) Support and NIH Biographical Sketch Supplements, as the agency had previously communicated.
 

Instead, to provide a “period of leniency,” NIH will issue a warning if the Common Forms are not used but will not withdraw submissions that don’t use them.  NIH anticipates that this period of leniency will be in place through May 2026.  NIH will release a notice of policy change (NOT) in the near future regarding the period of leniency.

GAO Report: Actions Needed to Address Foreign Risks in Small Business Programs

On January 28, 2026, the Government Accountability Office (GAO) released the report, “Small Business Research Programs: Additional Actions Needed to Incorporate Best Practices for Addressing Foreign Risks.”  The report examines how federal agencies are implementing new due-diligence requirements to address foreign risks in Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs, which together awarded about $4.5 billion to more than 3,000 small businesses in fiscal year 2023. GAO found that all participating agencies have adopted at least some of the Small Business Administration’s (SBA) 12 best practices (e.g., use of standardized foreign affiliation disclosures, encouraging research security training), but overall implementation is uneven. Many agencies have incorporated additional practices, but gaps remain in areas such as clearly defining “covered individuals,” minimizing reporting burden, and consistently documenting how risks are assessed across all required domains.

GAO Report: Research Security—Agencies Should Assess Safeguards Against Discrimination

On January 21, 2026, the GAO published the report, Research Security: Agencies Should Assess Safeguards Against Discrimination.  The GAO examined whether major federal research funding agencies are implementing research security programs in ways that effectively prevent improper foreign influence without discriminating against scientists based on race, ethnicity, or national origin, particularly scientists of Chinese or Asian descent.
 

GAO reviewed research security practices at five agencies that collectively fund the majority of U.S. extramural research: the Departments of Defense and Energy (DOD, DOE), NASA, NIH, and NSF.
 

Key Findings
 

  • All five agencies have research security policies, but they vary significantly in how they incorporate safeguards to prevent discrimination.

  • GAO identified five safeguards that help reduce the risk of discriminatory outcomes:
     

  1. Transparent improper foreign influence review processes

  2. Collection and use of demographic data to assess outcomes

  3. Multiple levels of review

  4. Staff training on non-discrimination

  5. Clear leadership commitment to non-discrimination
     

  • No agency had conducted a formal assessment to determine whether its research security processes adequately protect against discrimination.

  • NASA and NSF documented how they identify improper foreign influence but did not document how risk mitigation decisions are made, limiting transparency and consistency for institutions and researchers.
     

While safeguarding federally funded research from improper foreign influence is critical, GAO found that lack of transparency, inconsistent safeguards, and absence of internal assessments increase the risk of discriminatory application, potentially undermining research integrity, trust, and international collaboration.
 

GAO concludes that research security and nondiscrimination are not mutually exclusive, but agencies must take additional steps—particularly through documentation and self-assessment—to ensure that research security programs are applied fairly, consistently, and transparently across the U.S. research enterprise.

Professional Association Resources & Reports

Federal Demonstration Partnership (FDP) January 2026 Meeting: Research Security Highlights

While meeting sessions covered a variety of topics, research security-related highlights are provided below.  FDP has indicated that slides and recordings (if available) will be posted in the near future on the meeting website.

FDP Session: Federal Agency Updates

Moderator/Host: Michelle Bulls, Director, Office of Policy for Extramural Research Administration, OER, NIH

Speakers:
 

  • Kasima Garst, NIH

  • Jason Bossie, NSF

  • Christiane Diallo & Mary Sladek, NASA

  • Chelsea Cole, USDA

  • Kimberly Whittet, NIFA
     

National Institutes of Health (NIH)
 

  • NIH reminded the community that the agency’s research security training requirement, to comply with the CHIPS and Science Act, goes into effect for applications submitted on or after May 25, 2026.  Covered individuals (for NIH, this is defined as senior/key personnel) will complete this certification on their Biosketch, via SciENcv.  Authorized Organization Representatives (AORs) will certify the applicant institution’s compliance with this requirement via their signature on the face page of the application.
     

  • In regard to the agency’s transition to the Common Forms for Biosketches and Current and Pending Support through SciENcv, NIH acknowledged significant system backlogs and technical challenges, prompting the implementation of a “leniency period” until May 2026 for applications using the previous format of these forms (see above). The agency confirmed there is no leniency on the linkage of an ORCID ID and the requirement is effective now.
     

  • NIH clarified that Biosketches must include all of a senior/key personnel’s current and previous academic and institutional appointments.   Per NIH’s Common Forms FAQ page, “Senior/key persons must report on all professional appointments that have been active in the last three years. Professional appointments that concluded more than three years ago are not required to be reported on the NIH Biosketch Common Form but may be included if relevant to the specific application.” 
     

  • With the transition to the Common Forms, updated Current and Pending (Other) Support included at the time of the Research Performance Progress Report (RPPR) must be uploaded as a separate document for each individual, rather than as a single, combined PDF.
     

  • The “Parent” Notice of Funding Opportunity (NOFO) for NIH-funded international collaborations is now available.   New information is being added to NIH’s Foreign Subaward Policy FAQ page.
     

  • NIH clarified that Foreign Components not receiving NIH funds may still be included in applicant proposals, however, per NOT-OD-25-155, proposers must use the agency’s new application and award structure for NIH-funded international collaborations involving subawards.
     

National Science Foundation (NSF)
 

NSF noted that the December 8, 2025 Supplement to the Proposal & Award Policies & Procedures Guide (PAPPG) includes the clarification for FFDRs that satellite, branch, or regional campuses that are not direct recipients of NSF funding must report any financial support via the main campus of the recipient institution.
 

National Aeronautics and Space Administration (NASA)
 

  • NASA noted that the agency’s Science Mission Directorate (SMD) is leading negotiations for an agency-wide agreement for use of SciENcv for collection of Common Forms.  (The next day, representatives from SciENcv confirmed that these negotiations have been successful, and NASA will have Common Forms available via SciENcv. This effort on NASA’s part to align with other agencies and further reduce administrative burden through use of SciENcv will be appreciated by the research community.)
     

  • Research security-related questions for NASA should be directed to the agency’s new mailbox:  hq-researchsecurity@mail.nasa.gov.
     

United States Department of Agriculture (USDA)
 

  • USDA noted that, per the recent secretarial memorandum, all USDA awarding agencies are required to adhere to the agency’s new General Terms and Conditions (T&Cs), complete a review of their existing T&Cs, and ensure adherence to the new T&Cs within 45 days (February 14, 2026). The new T&Cs provide guidance on multiple research security requirements.
     

  • The USDA Office of the Chief Scientist is currently working on providing additional information regarding the T&C’s requirement that “each individual employed by the recipient to work on the award has completed research security training,” as opposed to “covered individuals.”
     

The National Institute of Food and Agriculture (NIFA) will be updating the T&Cs across its various programs (e.g., general research, SBIR, facilities) to incorporate the new General T&Cs, with specific addenda that will carry forward NIFA-specific conditions.  The institute anticipates communicating more about these changes in the near future, including a webinar for NIFA funding recipients.

FDP Session: Research Security & Subawards Working Group

Moderators/Hosts: Jim Luther, Yale University, Lisa Nichols, University of Notre Dame

Speakers:
 

  • Jason Day, Research Policy Director, Department of War

  • Michelle Bulls, Director, Office of Policy for Extramural Research Administration, OER, NIH

  • Julie Anderson, Director, Research Technology and Economic Security, Department of Energy

  • Sarah Stalker-Lehoux, Acting Chief of Research Security, Strategy and Policy, NSF, and Co-Chair, FDP Research Security Subcommittee [Unable to attend.]
     

Jason Day (DoW) emphasized that, while the interagency RSP framework is not yet finalized, broad agreement is emerging around core elements such as cybersecurity controls and foreign travel reporting, and additional communication is expected in the near future.
 

With regard to DoW’s January 7, 2026, Fundamental Research Security Initiatives and Implementation Memo, Day noted that he doesn’t anticipate significant impacts on recipient institutions.  The memo requires DoW Components to conduct formal post-award spot checks, including re-reviews of awards with mitigation plans in place and a 25 percent sample of awards without them.  These reviews will likely be conducted in conjunction with Research Performance Progress Report (RPPR) updates and coordinated with institutional research security offices.  There was discussion of guidance around citing DoW grants in publications and a follow-up question about whether DoW would consider providing guidance on citing the institution(s) where the DoW/federal work was conducted, as opposed to the institution where the researcher is currently employed.  Day indicated this was a possibility.  Risk concerns have arisen when DoW funding is cited and students or scholars returning to or taking employment in a country of concern cite the new institution in publications.
 

Discussion also addressed how agencies intend to manage variability and risk over time. Agencies expect to use moving averages to assess institutions near the $50 million threshold and encouraged institutions below the threshold to begin voluntarily adopting scalable research security controls to avoid abrupt compliance burdens later.
 

Panelists underscored that disclosure inconsistencies, especially those contradicted by public records, are most likely to trigger additional review. Agencies also acknowledged that perfect uniformity across funders is unlikely but stressed that regular interagency coordination aims to prevent significant divergence and resolve outliers.
 

A significant portion of the discussion focused on adoption of the Common Forms via SciENcv, including NIH’s addition of monetary donations as a reporting requirement.  Michelle Bulls explained that this change was driven by Office of the Inspector General recommendations and acknowledged that the current structure does not align cleanly with the Current and Pending (Other) Support format.  NIH indicated it is exploring alternative mechanisms to collect this information while minimizing audit risk and administrative burden for institutions.
 

Participants had many questions for NIH regarding international collaborations (also see NOT-OD-25-155 and PA-26-002).  Michelle Bulls highlighted that the prime institution is still responsible for scientific oversight (e.g., as part of the RPPR), but not financial oversight as they were previously.  Distinctions were made regarding foreign subawards versus foreign vendors and consultants, which remain acceptable, as do unfunded foreign components.  Questions remain regarding the prime domestic recipient’s responsibility to require foreign subawardees to provide documentation (e.g., lab notebooks) supporting the research outcomes, per NOT-OD-23-182, or whether this responsibility should now fall to NIH.  Bulls will take this question back to NIH leadership for further discussion.
 

Agencies addressed ongoing questions about research security training (RST) and international participation in U.S. research. Panelists confirmed that RST requirements generally apply to senior/key personnel, unless expanded by specific programs, and that the one-hour SECURE Center CTM training, or institutional training meeting the CHIPS Act requirements are recognized as meeting the RST requirements.  There was discussion about the SECURE Cetner developing a shorter 15–20-minute annual refresher training.  Agencies may consider acceptance of shorter annual refresher modules; however, final determination has not been made.
 

The panelists reaffirmed that international students and researchers, including those from China, may continue to participate in fundamental research, provided existing disclosure, approval, and compliance processes are followed.

FDP Session: Research Security & Subawards Working Group

Moderators/Hosts:
 

  • Taren Ellis Langford, Executive Director, Research Security & Responsible Outside Interests, The University of Arizona

  • Jennifer J. Ford, Research Compliance and Integrity (RCI) Operational Executive Director, University of California San Diego

 

The Research Security and Subawards Working Group focused on practical implementation challenges at the institutional and inter-institutional level, particularly around subawards and FDP templates. Discussion centered on pre-meeting survey and live-poll results showing a strong preference for general, flexible research security language in the FDP Letter of Intent (LOI), rather than detailed or agency-specific certifications. Participants expressed concern about inconsistent expectations among FDP institutions, which can undermine efforts to reduce administrative burden. The group also explored expanding FDP Clearinghouse profiles to capture institutional-level research security information (such as “covered entity” status and institutional points of contact) to reduce repetitive, project-specific exchanges. Participants also indicated the need for institutional assessment on any proposed text to the LOI; the moderators indicated that model text will be provided for feedback. The session concluded with agreement that clearer guidance, shared future FAQs, and better use of centralized profiles could help balance compliance with efficiency as research security requirements continue to evolve. 

FDP Session: Federal Research Security Program Requirements

Moderator/Hosts: Lisa Nichols, Executive Director, Research Security, RSS Co-Chair, Deputy Director, NSF SECURE Center; Jim Luther, Yale University

 

Speakers:
 

  • Sarah Stalker-Lehoux, Acting Chief of Research Security, Strategy and Policy, National Science Foundation, and Co-Chair, FDP Research Security Subcommittee

  • Julie Anderson, Director, Research Technology and Economic Security, Department of Energy

  • Jason Day, Research Policy Director, Department of War

  • Jarret Cummings, Senior Advisor for Policy and Government Relations, EDUCAUSE

  • Beth Kolko, Director, NSF SECURE Center, Professor, Human Centered Design and Engineering, University of Washington
     

The session provided an in-depth update on the status and likely features of the forthcoming Research Security Program (RSP) requirements, with a particular focus on agency coordination, institutional thresholds, and implementation expectations.  Multiple federal agencies are nearing completion of a coordinated rollout of the RSP requirements, with implementation targeted for early 2026. NSF, DOE, DOW, and NIH described significant progress toward a joint memorandum of agreement (MOA) that will establish a centralized, harmonized certification process for “covered institutions.”  NSF is expected to manage this process, annually notifying institutions of their covered status and collecting a simple yes/no certification confirming compliance with the four core RSP elements: cybersecurity, foreign travel security, research security training, and export control training. The agencies emphasized that, while timelines remain contingent on final approvals, an upcoming “Important Notice” will preview expectations to help institutions plan and prepare.
 

Cybersecurity represents the most substantial new requirement, with agencies planning to recognize compliance with NIST IR 8481 once it is finalized, alongside newly developed “Effective Practices” created collaboratively by the FDP, EDUCAUASE, and federal and institutional partners. Other requirements—such as export control training as applicable, and research security training—are largely familiar and either implemented or in progress.  For foreign travel security, agencies will continue to take a risk-based, project-by-project approach, rather than requiring all covered individuals to register international travel.  Officials stressed that foreign-funded travel remains a key focus, and that the SECURE Center’s condensed training module, or other training aligned with CHIPS Act requirements, is acceptable for meeting the training requirement.  Agencies signing on to the MOA plan a synchronized rollout of final requirements in early 2026, at which point formal compliance timelines will begin

FDP Session: DOJ Bulk Data

Moderator/Host: Melissa Korf (Harvard Medical School)

Speakers:
 

  • Emily Baxter, Director, Contracts, University of Michigan

  • Eric Ward, Assistant Director, Unfunded Agreements, University of Michigan

  • Stephanie Stone, Executive Director-Research Management Contracts, Mass General Brigham

  • Thomas Burns, Associate Vice President for Research Compliance, Johns Hopkins University

 

After providing an overview of the Department of Justice (DOJ) Bulk Data Rule, speakers discussed early institutional experiences interpreting and operationalizing the new requirements, particularly around identifying “covered persons” and assessing whether proposed agreements are permissible. Rather than focusing solely on the nationality or identity of a collaborating entity, institutions reported that DOJ’s emphasis is on the nature and type of data involved in an arrangement. One example highlighted an agreement in which a Chinese contract research organization (CRO) asserted that an exemption applied. The institution advised that the CRO should identify the specific exemption and that the applicability of the exemption be evaluated through internal legal review.
 

Participants also addressed practical compliance challenges, including how institutions are tracking cumulative data thresholds over time. The prevailing approach described was a conservative one: if an activity involves regulated categories of bulk data, institutions are generally assuming the rule applies, rather than attempting to calculate precise totals. Responsibility for implementation and interpretation has largely fallen to Offices of General Counsel, often working with outside legal counsel and coordinating across procurement and other administrative units likely to encounter affected agreements. The discussion underscored the importance of centralized oversight and cautious risk management as institutions navigate the rule’s early implementation phase.

FDP Session: SciENcv: Operational Updates & The Addition of new NIH Common Forms

Moderator/Hosts: Lori Schultz, Colorado State University; Bart Trawick, NIH

 

NIH NCBI staff provided operational updates on SciENcv and the rollout of the new NIH Common Forms for Biographical Sketch and Current and Pending (Other) Support. Presenters confirmed that updated guidance and help documentation will be released in the coming weeks, along with system enhancements to streamline ORCID integration. NIH has announced an extended leniency period for use of the Common Forms, through May 2026, during which time applications not using the Common Forms will receive warnings but will not be withdrawn. However, NIH emphasized that this leniency period does not apply to linking ORCID IDs to eRA Commons profiles, which remains a firm requirement and a common cause of proposal submission issues.
 

Much of the discussion focused on practical challenges institutions are encountering, including duplicate My NCBI accounts, ORCID mis-linking when delegates prepare documents, and gaps in institutional visibility into investigator ORCID status. NIH reiterated that ORCID accounts must be linked by investigators themselves and that duplicate eRA Commons or NCBI accounts should be merged through the appropriate help desks. Participants also highlighted the growing use of XML uploads as a way to reduce errors, while noting the need for clearer examples, improved system validations, and additional tools to help institutions manage compliance risk. Presenters also announced that NASA versions of the Common Forms will be available through SciENcv in the future.

Research Security News, Reports & Events

Please note, articles linked below may require a subscription to view.

NSF SECURE Center cannot distribute copies of subscription-based articles.

Texas Moves to Curtail Visas for Skilled Foreign Workers
(New York Times, 1/27/2026)

On Tuesday, Texas Governor Greg Abbott announced that the state would investigate public agencies and universities that employ individuals with H1-B visas. A letter was issued by the Governor to various state agencies and state universities to freeze any use of this visa type in current hiring. The letter also required the state agencies and universities to provide a report, due March 27,2026, detailing the scope of H-1B visas at their sites along with supporting information, including country of origin, job category, and expiration dates. Texas is one of the top five states with regard to the number of H1-B visa holders. (more)

Foreign talent visa remains stalled months after launch
(University World News, 1/20/2026)

China’s newly announced K-type visa, designed to attract independent foreign STEM talent without requiring an employer sponsor, has yet to appear on official visa application portals more than three months after its planned launch, raising questions about implementation readiness. Experts say the delay reflects the administrative and technical complexity of rolling out China’s first employer-independent visa, which requires coordination across multiple government agencies and upgrades to immigration systems. While the K-visa is intended to support long-term talent retention and could offer multi-year, renewable stays, its rollout has sparked public debate amid high youth unemployment, with critics questioning its impact on domestic jobs. Chinese officials and state media have pushed back, arguing that concerns are overstated and that attracting top global talent remains essential to China’s economic and technological goals. (more)

Registration is now open for COGR’s virtual membership meeting, taking place February 24-27, 2026.  Information regarding dates and times of research security-related sessions will be included in future SECURE Research Security Briefings as details become available.

COGR February 2026 Virtual Membership Meeting Registration Now Open

Registration is now open for the 2026 Academic Security and Counter Exploitation (ASCE) Program. Next year is the 10th anniversary of the largest research security conference in the world: February 24 - 26, 2026. (more

RISC Bulletin

Texas A&M University’s Research and Innovation Security and Competitiveness (RISC) Institute disseminates weekly RISC Media Bulletins, covering topics related to research security, foreign influence, and the intersection of science, technology, and national security.  To join the distribution list for the RISC Bulletin or view previous editions, click here.

ASCE 2026 Registration Now Open

NSF SECURE Opportunities, Updates & Resources

Researchers in Quantum and Computer Science Sought for Input on RS Resources

Faculty Researchers at universities, non-profits or other research institutions, who have received federal funding and are working in quantum computing, computer science, and related fields are invited to volunteer for short virtual information-gathering sessions.  The sessions, organized by the NSF-funded SECURE Center, aim to gather researchers’ perspectives on challenges related to research security and international collaboration, with a focus on developing practical, low-burden resources to address these challenges. Participation will directly inform future guidance, training, and tools intended to reduce administrative workload and impediments to international collaborations while safeguarding research. Sessions are currently scheduled for:
 

  • Friday, February 6, 2026, 10-11:00 am ET

  • Wednesday, February 11, 2026, 1-2:00 pm ET

  • Friday, February 20, 2026, 11:00 am-12:00 pm ET

  • Friday, February 20, 2026, 2-3:00 pm ET
     

Faculty researchers are encouraged to share this opportunity with research colleagues who may be interested. Questions or interest to participate should be directed to SECURE Center staff at researchsecurity@nd.edu.

Previous SECURE Research Security Briefings

2026 issues of the Research Security Briefing are available on the SECURE Center website.

A combined, searchable version of all 2025 issues of the Briefing is also available.

Looking to participate in NSF SECURE Center co-creation activities or contribute to weekly briefings?

Contact info@secure-center.org or sign up here.

The information provided by the NSF SECURE Center is intended for general research and educational purposes only. While we strive to ensure the accuracy and reliability of our content, we do not guarantee its completeness, timeliness, or applicability to specific circumstances. Each user is responsible for conducting their own risk assessments and making decisions based on independent judgment.

 

Further, the NSF SECURE Center does not provide professional or legal advice, and users are encouraged to consult qualified professionals before making decisions based on the information found here. The NSF SECURE Center shall not be liable for any damages or costs of any type arising out of or in any way connected with your use of this information. External links are provided for convenience and do not constitute an endorsement of the content or services offered by any third-party resources.

bottom of page