
NSF SECURE Center
Research Security Briefing

Vol. 2, No. 9
March 20, 2026

The NSF SECURE Center distributes research security briefings and timely alerts via its listserv. The Briefing provides a centralized resource for research security-related information, including new statutory and research funding agency requirements, new or updated federal and community resources, and significant news items and scholarly works. The Center will also assess and provide commentary, interpretation, or implementation considerations on new requirements, notices and resources, working with higher education associations, legal partners, or agencies as needed.

Federal News & Updates

Department of War Issues Updated Risk Matrix

On March 9, 2026, the U.S. Department of War (DoW) released an updated version of the Department’s “Component Decision Matrix to Inform Fundamental Research Proposal Mitigation Decisions.”  Pursuant to National Security Presidential Memorandum 33 (NSPM-33) and the DoW’s January 2026 memo, “Fundamental Research Security Initiatives and Implementation,” the updated Decision Matrix includes the notice that:
 

“Funds appropriated for the DoW may not be used for grants, contracts, other transactions or other assistance to an institution of higher education if the purpose is to conduct fundamental research in collaboration with, or using equipment from [emphasis added], any entity named on any of the ‘Prohibited Entity Lists’ below. This funding prohibition also extends to the employees of such institutions.”
 

“Prohibited Entity Lists” refers to a compilation of 13 U.S. Government (USG) entity lists now included in the DoW Decision Matrix, representing a significant increase from the four lists previously included.  Examples include, but are not limited to:
 

  • DoW 1286 List  (previously included)

  • DoW 1260H List (previously included)

  • The Office of Foreign Assets Control (OFAC) Non-SDN Chinese Military-Industrial Complex Companies List 

  • The Bureau of Industry and Security (BIS) Entity List (previously included) and Denied Persons List

  • The Department of Homeland Security Uyghur Forced Labor Prevention Act (UFLPA) Entity List
     

In the updated Decision Matrix, the mitigation categories available for DoW Components have been reduced from five categories to three: Prohibited factors; Mitigation measures required; and No mitigation needed.  Notably, risk factors that now require mitigation measures include:
 

  • Within the past five years, the covered individual’s co-author(s) on publications in science and engineering journals are affiliated with an entity on any Prohibited Entity List at the time of review

  • Within the past five years, the covered individual’s co-author(s) on publications in scientific and engineering journals are participants in a malign foreign talent recruitment program (MFTRP) meeting any of the criteria defined in section 10638(4) of the CHIPS and Science Act of 2022.
     

Per the introductory text, “Collaborations between covered individuals and international researchers do not require mitigation if they do not involve any of the factors described in [the matrix].”
 

During the Feb. 24-26 ASCE (Academic Security and Counter Exploitation) meeting, Kris Gardner, Director of Science and Technology Protection, indicated the implementation timeline would be within 60 days after the publication of the new matrix and would be considered on an award-by-award basis. In subsequent outreach it was confirmed that the prohibition on equipment was at the project level, not applicable to universities broadly, and that it applied to future awards.  

 

Additional information regarding the updated DoW Decision Matrix, and the Department’s implementation of it, will be provided in future Research Security Briefings, as it becomes available.

Research Security-Related Congressional Hearings

Several research-security related congressional hearings are scheduled in March 2026, including:
 

In addition, the Senate Committee on Health, Education, Labor, and Pensions (HELP) recently held the hearing “Transparency and Trust: Exposing Malign Foreign Influence in Higher Education.”

House Committees Submit Letter to Department of State

A March 5, 2026, letter from the chairs of the U.S. House Select Committee on China, House Foreign Affairs Committee, and House Education and Workforce Committee urges U.S. Secretary of State Marco Rubio to determine whether chapters of the Chinese Students and Scholars Association (CSSA) operating on U.S. campuses should be designated as “foreign missions” under the Foreign Missions Act.  The lawmakers argue that “The Chinese government uses student organizations like CSSA branches, which are organized and collectively overseen by the [People’s Republic of China] Ministry of Education and the [Chinese Communist Party’s] United Front Work Department (UFWD), to monitor, control, manipulate, and direct Chinese students abroad.” The letter requests a formal determination and analysis from the State Department on whether CSSA groups meet the legal criteria for foreign-mission designation, making them subject to greater transparency and regulatory oversight.

House Committee Chair Submits Letter to NSF

In a March 10, 2026, letter to Brian Stone, who is performing the duties of the Director, National Science Foundation (NSF), Representative John Moolenaar (R-MI), Chairman of the U.S. House Select Committee on China, calls for a possible pause of work underway by the NSF SECURE initiative, arguing that universities “now charged with designing systems and processes to protect taxpayer-funded research…have been collaborating with People’s Republic of China (PRC) defense research and industrial base entities, many of which are on various U.S. government national security entity lists….”  Moolenaar requests that NSF conduct a comprehensive compliance review of institutions participating in the initiative, including their compliance with NSPM-33, Higher Education Act (HEA) Section 117, export control laws, and the Wolf Amendment, and information related to the universities’ engagement with entities on any U.S. government entity list, collaborative research with PRC military-affiliated entities, and violations of the terms and conditions of the SECURE contract.

Professional Association Resources & Reports

ASCE 2026 Meeting Highlights

The tenth annual Academic Security and Counter Exploitation (ASCE) seminar took place February 24-26, at Texas A&M University.  Following are summaries of a few of the sessions offered.

 

ASCE Session: Research Security at the U.S. National Science Foundation
 

This presentation from Dr. Rebecca Spyke Keiser, Chief of Research Security Strategy and Policy at the U.S. National Science Foundation (NSF), highlighted ongoing efforts to strengthen research security across the U.S. research enterprise, including implementation of National Security Presidential Memorandum-33 (NSPM-33) and provisions of the CHIPS and Science Act of 2022. Dr. Keiser reported that several key requirements are now complete, including common disclosure forms, research security training modules, and requirements related to participation in malign foreign talent recruitment programs. The agency has also established the NSF SECURE Center to support the research community with training, best practices, and tools, while the NSF SECURE Analytics initiative provides data-driven support for institutional due diligence and risk assessment.
 

Dr. Keiser discussed a renewed focus on reducing administrative burden when applying for federal funding. For example, there are malign foreign talent recruitment certifications and an increased focus on comprehensive disclosure. She noted the interest in a common application portal for applying for federal funding and that, while agencies have SciENcv as one common function, there is a need to strategize more on easing administrative work. The White House Office of Science and Technology Policy (OSTP) is also focusing on reducing administrative burden. NIH and NSF have been meeting regularly with OSTP, conducting a side-by-side comparison of all aspects of the proposal process. This includes differences across agencies in what must be disclosed, how the agencies handle conflicts of interest, and how to harmonize these efforts. In addition, agencies are examining whether there are aspects of the proposal process that are no longer needed.  Dr. Keiser indicated that OSTP will broaden this effort to other federal agencies through a National Science and Technology Council subcommittee aimed at reducing administrative burden, mentioning recent COGR and National Academies reports, and suggested options while welcoming additional feedback.
 

Dr. Keiser also described updates to NSF’s TRUST (Trusted Research Using Safeguards and Transparency) framework, including a shift from a decision-tree model, which was extremely labor-intensive, to a decision matrix for evaluating risk, expanding the lists of U.S. proscribed entities, and continued attention to emerging technology areas such as quantum information science and programs within the Technology, Innovation, and Partnerships (TIP) directorate. Dr. Keiser’s presentation included a slide depicting NSF’s expanded list of U.S. proscribed parties, comprised of approximately 11 entity lists, mainly overlapping with the 13 prohibited entity lists published in DoW’s recently updated risk matrix.
 

The presentation also addressed policy questions surrounding international collaborations in fundamental research.  Dr. Keiser noted that, under the fundamental research exemption established by National Security Decision Directive (NSDD) 189, there are currently no restrictions on international collaborations if the research is intended for open publication. However, recent analyses have identified cases where NSF-funded researchers collaborated with entities appearing on U.S. proscribed or restricted lists, prompting ongoing policy discussions across the federal government about whether and how such collaborations should be addressed. Dr. Keiser noted that agencies are actively discussing how to define “international collaboration,” which could include exchanges of people, data, equipment, or other items of value—not merely co-authorship—and whether additional visibility into secondary collaborations or foreign subawards may be necessary. These discussions, occurring through interagency coordination led by the National Science and Technology Council, aim to balance research security concerns with the continued openness and global engagement that underpin the U.S. research enterprise.
 

Dr. Keiser also discussed the definition of fundamental research writ large, noting that National Security Decision Directive - 189 has been revisited, but not for several years. A JASON study commissioned by NSF observed that the landscape is changing in terms of the scope and scale of research, and that the time from fundamental research to application can now be on the order of months rather than years. Dr. Keiser noted the need to consider whether the definition is clear and that this conversation is taking place within the interagency group. She indicated interest in convening a broader discussion on the topic, including perspectives from those comfortable with the existing definition and those who are not.

 

ASCE Session: NSF SECURE Center Overview
 

Dr. Beth Kolko, Director of the NSF SECURE Center and Professor in the Department of Human Centered Design & Engineering at the University of Washington, presented on the expanding work of the NSF SECURE Center to help universities, research organizations, and industry partners strengthen research security practices while maintaining the openness that underpins the U.S. research enterprise.
 

Established under the CHIPS and Science Act of 2022, the Center provides tools, training, and community-driven resources designed to help institutions navigate evolving federal research security expectations associated with initiatives such as NSPM-33. Using a collaborative “co-creation” model, the Center works with researchers, research security administrators, and other compliance professionals to identify emerging risks and develop practical guidance that institutions can incorporate into their existing research security and due-diligence processes.
 

The NSF SECURE Center has developed a Shared Virtual Environment (SVE), a secure online platform that serves as a clearinghouse for research security resources and collaboration among institutions. The platform includes a risk assessment framework that guides users through structured questions to evaluate potential collaboration risks related to international partnerships, critical technologies, data protection, export control considerations, and cybersecurity concerns.
 

Additional resources include a Travel Center providing guidance and checklists for international travel risk management, available on the Center website as well as in the Shared Virtual Environment, and a community forum where research security professionals can exchange information and discuss evolving policy issues, such as federal restrictions affecting research collaborations. The center also produces research security briefings and additional resources to help institutions interpret federal policy developments and emerging research security topics.
 

Several pilot initiatives highlighted during the session aim to further strengthen collaboration and information sharing across the research security community. One pilot project introduces an Incident Reporting System that allows institutions to report research security concerns or incidents and contribute to a shared database intended to improve situational awareness across the community. Another pilot effort is the Research Security Mentorship Program, a six-month initiative designed to support professional development and knowledge sharing among research security professionals. The program provides participants with access to experienced mentors, a community of practice, and opportunities to help shape the development of future NSF SECURE Center tools and services. 
 

Looking ahead, the NSF SECURE Center plans to expand its offerings through rapid prototyping and community feedback, allowing tools and resources to evolve quickly as policies and risks change. The Center is also increasing engagement with small and medium-sized businesses, including startups that participate in federally funded research programs. Planned resources include contract-review tools that help organizations identify research security risks, guidance on intellectual property strategies, and practical “just-in-time” action plans for responding to emerging threats. Through these combined efforts, the NSF SECURE Center aims to provide the research community with shared infrastructure, expertise, and collaborative networks that support secure and responsible international research partnerships.

 

ASCE Session: NSF SECURE Analytics Overview
 

Kevin Gamache (Texas A&M University System), Dr. Glenn Tiffert (Hoover Institution, Stanford University) and Allen DiPalma (University of Pittsburgh) highlighted the work to date of NSF SECURE Analytics, including the development and beta testing of the Argus platform, a tool designed to help organizations conduct due diligence on potential collaborators and identify research security risks in international partnerships.  The team reported that development of the Argus minimal viable product (MVP) has been completed and that an initial beta test with approximately 60 institutional partners produced encouraging results that are informing the next phase of refinement and deployment. The platform is intended to support institutional processes—not replace them—by providing structured information that research security, export control, and research integrity professionals can incorporate into their existing due-diligence workflows.
 

The six-week beta test ran from November 10 through December 19. Participants completed four structured case studies and submitted responses through an online form, generating 128 case-study responses and 18 additional comments. The exercises focused on identifying potential risk indicators in research collaborations, including whether partners appear on U.S. restricted party lists, whether collaborating sites are located in countries of concern (China, Russia, Iran, or North Korea), whether lead investigators have affiliations with restricted entities, and whether publications in sensitive fields such as artificial intelligence or semiconductors involve co-authors from restricted organizations.
 

Hypothetical scenarios included responding to congressional inquiries about collaborations with foreign institutions, evaluating partners for international clinical trials, and conducting due diligence for a small business producing dual-use technology.
 

Feedback from the beta test was largely positive. Participants reported that the platform was easy to navigate, that query results were well structured and downloadable in PDF or CSV formats, and that integrated restricted-party-list screening significantly accelerated institutional due-diligence workflows. Prominent risk flags helped highlight potential concerns and improved the usefulness of search results. At the same time, testers identified several “trust thresholds” required for broader adoption, including strong data integrity and entity-resolution capabilities, explainable risk indicators, stable system performance and security, defensible documentation suitable for leadership decision-making, and enterprise-scale search, filtering, and reporting functions that allow users to drill down into underlying data.
 

The session also highlighted NSF SECURE Analytics release of research security advisories that provide contextual analysis of global science and technology ecosystems. Two advisories have been released to date, one focused on China and another on Iran. The China advisory examines the country’s state-directed approach to science and technology development, including targeted R&D investment, large-scale national laboratory and infrastructure projects, innovation clusters designed to promote technological self-reliance, and expanded talent recruitment efforts alongside increasing emphasis on intellectual property and technology transfer. The Iran advisory notes that the United States remains Iran’s largest international research partner, that numerous Iranian universities are linked to military or intelligence systems, and that Iranian security organizations have been associated with cyber activity targeting universities while the country deepens research ties with China and Russia. A third advisory examining broader global trends in foreign talent recruitment programs is expected in the future.
 

Looking ahead, the presenters emphasized that addressing research security challenges requires coordinated efforts across policy, operational practice, and technical analytics. The initiative brings together partners including Texas A&M University, the Hoover Institution, FINCH AI, and Elsevier, combining practice-based research security expertise, geopolitical analysis, scalable entity-resolution analytics, and reliable scholarly data. Future work aims to further advance capabilities that can help universities, small businesses, and research organizations make more informed decisions about collaborations while maintaining open and globally engaged research environments.

 

ASCE Session: Federal Agency Research Security Update and Hot Topics
 

A federal panel including Dr. Rebecca Keiser of the National Science Foundation (NSF), Kris Gardner of the Department of War (DoW), Jeannette Singsen of the Department of Energy (DOE), and Dr. Patricia Valdez of the National Institutes of Health (NIH) provided the latest agency information on research security. The discussion was led by moderators Jessa Albertson (Stanford University) and Drs. Holly Bante (University of Cincinnati) and Lisa Nichols (University of Notre Dame).
 

On the topic of the status of research security program (RSP) requirements, Dr. Keiser indicated the interagency group (comprised of federal research funding agencies and other agencies and offices) agrees on the requirements. They are coordinating with the White House Office of Science and Technology Policy on next steps with the intent that everything can be issued uniformly and not agency by agency.
 

Dr. Keiser suggested that the group hopes institutions will have at least a year to implement the requirements and understands the community needs adequate time to prepare. She indicated agencies will provide plenty of notice on cybersecurity in particular. They want to give advance notice of this first, as they understand this will be the “heavier lift” for covered institutions. Agencies are working with the National Institute of Standards and Technology (NIST) with respect to the cybersecurity requirements developed in cooperation with institutions in an effort led by the Federal Demonstration Partnership and EDUCAUSE.
 

Regarding RSP foreign travel security requirements, under a shared memorandum of agreement (MOA), the approach agencies have taken is to focus on risk-based travel registration/notification, similar to agencies’ current approach to travel requirements in research security risk mitigation plans. The MOA has not been formally released, and the agencies will let the community know if there are changes. There was a brief discussion of the foreign travel training requirement and incorporating this into the research security training. Regarding institutional certification of research security programs, there will be a single (government-wide) certification for each entity. There was discussion on whether audits or assessments of RSPs would occur, e.g., by agency Inspectors General.  The panelists indicated that this is something they envision happening, possibly led by a single agency.
 

Regarding NSF efforts, Dr. Keiser indicated the agency will scale up research security analytics during proposal review. She suggested that institutions could perform analytics in advance of submission. NSF will conduct analytics on receipt, identifying issues prior to fuller merit review.
 

Jeannette Singsen provided the DOE update. Regarding the DOE Current and Pending Support Addendum form, the agency is employing this for proposals with more sensitive technologies. DOE will also be checking back on progress with risk mitigation. DoW previously announced similar plans. There was a question about whether researchers could use the same mitigation plan rather than multiple plans within or across agencies. DOE and other agencies seemed amenable to looking into this approach.
 

Kris Gardner indicated the DoW is updating its matrix for fundamental research risk reviews in an effort to simplify it. He noted the 1260H list was being updated and would become a prohibition, including a prohibition on using equipment from the entities on this list. It was suggested that the implementation timeline would be 60 days after the publication of the new matrix (published March 9) and would be considered on an award basis. Per a January memo, the Department will conduct annual reviews of risk mitigation plans as well as 25% of projects without mitigation. Gardner indicated that greater consistency in the risk mitigation process is making it go faster but also noted that some institutions are being contacted for the first time and are not sure how to proceed. He suggested it could be helpful for institutions to share this information. The moderators noted that this is a project currently underway with the NSF SECURE Center, including redacted agency letters and email communications, case studies, and a database with details on the circumstances, process, timeline and outcomes of the risk review and mitigation process.
 

NIH discussed the agency’s implementation of the Common Forms for disclosure and additional case studies the agency has published. Dr. Valdez indicated that, since 2018, NIH has had approximately 700 reports of potential research security-related noncompliance (e.g., potential non-disclosure, foreign components, and financial conflicts of interest) and that NIH has contacted institutions regarding 271 of those reports. Presently, about 50% involve self-disclosure from the institution.
 

On the topic of measuring the impact of federal research security activities, it was noted that there has been a significant decline in engagement with China but that the community needs to look beyond the numbers and look at outcomes and impact (e.g., publications, citations, impact, and quality). The panel briefly discussed how the agencies protect the information that universities and individuals provide under risk mitigation plans; NSF referenced their System of Records Notice (SORN), as well as the challenge of ensuring that risk mitigation requirements do not unfairly diminish a researcher’s reputation/career.
 

Agencies are meeting with their equivalents in other countries, including through the G7 and OECD Global Science Forum.  In addition, agency representatives noted that the National Science and Technology Council was reconvening the research security subcommittee as a means to address administrative burden, noting this would be a principal focus. Agencies also cited last year’s National Academies report on this topic and Council on Governmental Relations (COGR) resources.

Regulated Research Community of Practice (RRCoP) Webinar

“Enhancing Institutional Cybersecurity Through 14 Controls” 

Presented By: Michael Corn, Vantage Technology Consulting Group
 

As part of its standard training series, the Regulated Research Community of Practice (RRCoP) recently hosted a webinar on cybersecurity. Following is RRCoP’s description of the event:
 

Institutions are encouraged to think carefully about cybersecurity. This effort is driven by the ever-growing number of cyber incidents, emerging requirements like NSPM-33, internal assessments within institutions, and external requirements from funding agencies. Toward this end, it is useful to look at what NSF has added for larger projects. In September, NSF updated its research infrastructure guide to include 14 specific controls. Corn will be providing an overview of what they are, how they're intended to be understood, and discuss the implications of each control for institutions and security practitioners. In short, Corn argues - pay attention, but don't panic.

COGR February 2026 Virtual Meeting Materials Available

The COGR virtual meeting took place February 24-27, 2026.  Slide presentations and session recordings are available on the COGR website.  Note that you must be logged into the COGR Portal in order to view the recordings and recordings are available to registered attendees only.

CITI Program Adds RCR/RECR Research Security Training Supplement

Starting March 19, 2026, the CITI Program will offer the Responsible and Ethical Conduct of Research (RECR) Research Security Training Supplement as part of its Research Security offerings.  This supplement is already included in the NSF SECURE Center’s Consolidated Training Module 1.2 (CTM 1.2). The supplement has been converted from its current PDF format into an online, interactive module. This release enables institutions that subscribe to CITI Program’s Research Security and Responsible Conduct of Research (RCR) series to incorporate the module into their relevant RCR courses.

Research Security News, Reports & Events

Please note, articles linked below may require a subscription to view.

NSF SECURE Center cannot distribute copies of subscription-based articles.

Protecting America’s S&T Ecosystem
(Federation of American Scientists, 03/12/2026)

This article from the Federation of American Scientists (FAS) tackles the complex issue of protecting fundamental research while ensuring its security. Historical background and government directives with regulatory context are summarized. Several areas of confusion or lack of clarity regarding basic definitions are also detailed. The article concludes with a proposed plan of action based on five key recommendations. FAS started after World War II and is now a group of “hundreds of scientists across diverse disciplines who joined together to advance science policy and counter scientific misinformation.”

Registration Open for May 2026 In-Person FDP Meeting

Registration is now open for the in-person May 2026 Federal Demonstration Partnership (FDP) meeting at the Mayflower Hotel in Washington, DC.  The meeting starts on Wednesday, May 27th, and concludes at approximately noon on Friday, May 29th.  Information regarding research security-related sessions will be provided as agenda details become available.

Texas A&M University’s Research and Innovation Security and Competitiveness (RISC) Institute disseminates weekly RISC Media Bulletins, covering topics related to research security, foreign influence, and the intersection of science, technology, and national security.  To join the distribution list for the RISC Bulletin or view previous editions, click here.


NSF SECURE Opportunities, Updates & Resources

Researcher Security Officers Sought for Input on Visiting Scholar Resources

Research Security Officers or leads at universities, non-profits or other research institutions that receive federal research funding are invited to volunteer for short SECURE Center virtual feedback sessions to gather perspectives on draft materials related to visiting scholars, such as guidance, intake forms, invitation letters and terms and conditions. Participation directly informs these materials with the goal of creating templates for use by the broader community. Sessions are currently scheduled for:

 

  • Thursday, March 26, 10am-11am EDT

  • Friday, March 27, 9-10 am EDT

  • Friday, March 27, 11am-12pm EDT

  • Monday, March 30, 10am-11am EDT
     

Those interested in participating should contact NSF SECURE Center staff at researchsecurity@nd.edu.

Shared Virtual Environment (SVE) Website Access

Are you a member of the NSF SECURE Center’s Shared Virtual Environment (SVE)?  The NSF SECURE Center website now includes a direct login for the SVE—still using the two-factor security protocol.  Not a member yet?  Request access from the same site.  Within the SVE, members can engage in the Community Forum to connect, ask questions, and work through challenges together, access NSF SECURE Center resources, and more.

Research Security 101 Webinar Recording Now Available

A recording is now available of the February 17, 2026, NSF SECURE Center webinar, “Research Security 101: From ‘Foreign Influence’ to the CHIPS and Science Act.” The session, led by Lori Schultz, Co-Director of the NSF SECURE Center Southwest Region and Assistant Vice President for Research Administration at Colorado State University, covered foreign influence/research security in the context of higher education institutions, from universities first learning about the issue through today, including the DOJ China Initiative, NSPM-33 and the definition of research security programs, and the CHIPS and Science Act.

NSF SECURE Center Calendar of Events

Each week, the NSF SECURE Center hosts events through the National and Regional Centers, including co-creation workshops, educational, and engagement sessions with the research community. The events calendar provides more information about these opportunities and more.

Previous NSF SECURE Center Research Security Briefings

2026 issues of the Research Security Briefing are available on the NSF SECURE Center website.

A combined, searchable version of all 2025 issues of the Briefing is also available.

Looking to participate in NSF SECURE Center co-creation activities or contribute to weekly briefings?

Contact info@secure-center.org or sign up here.

The information provided by the NSF SECURE Center is intended for general research and educational purposes only. While we strive to ensure the accuracy and reliability of our content, we do not guarantee its completeness, timeliness, or applicability to specific circumstances. Each user is responsible for conducting their own risk assessments and making decisions based on independent judgment.

 

Further, the NSF SECURE Center does not provide professional or legal advice, and users are encouraged to consult qualified professionals before making decisions based on the information found here. The NSF SECURE Center shall not be liable for any damages or costs of any type arising out of or in any way connected with your use of this information. External links are provided for convenience and do not constitute an endorsement of the content or services offered by any third-party resources.

 

This material is based upon work supported by the U.S. National Science Foundation under Cooperative Agreement No. 2403771.  Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or other U.S. Government Agencies.
