White House mandates stricter cybersecurity for R&D institutions


Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D.

Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People’s Republic of China (PRC), as per Arati Prabhakar, Assistant to the President for Science and Technology and author of the memo.

Why R&D must improve security

Today, a top priority is placed on security controls and other measures seeking to prevent malware attacks on high-value targets such as critical infrastructure. Also, modern military and economic power largely hinge on technical competitive advantages.

“Technology and R&D are central to this strategic competition, and the PRC has exploited international research collaboration by undermining values — such as transparency, accountability and reciprocity — in order to advance its strategic objectives and military modernization,” writes Prabhaka in the OSTP memo.

A shift in attitude towards security responsibilities

The memo states that the Biden Administration’s research security efforts are twofold. The White House wants to ensure that institutions of higher education and research recognize the current global landscape and fulfill their security responsibilities. Unlike proprietary R&D, most academic research is intended to be published or shared. However, some scholarly research may involve applications with national security implications.

In the past, researchers may have been encouraged to collaborate with institutions within the PRC. However, the OSTP states that the geopolitical landscape is different now. The memo says, “We must be clear with the research community about how the world has changed… the policies and practices of foreign countries of concern differ from those of the U.S.” Furthermore, “Some of the results from U.S. R&D can contribute to human rights abuses, surveillance and military aggression,” as per the memo.

New education R&D requirements

According to the OSTP memo, higher education institutions certified by federal research agencies must implement a cybersecurity program following the CHIPS and Science Act’s cybersecurity document for research-focused entities. That implementation must occur within one year following the final issuance of the document.

Now, covered institutions that receive federal science and engineering support “in excess of $50 million per year” must certify to the funding agency that the institution has established and operates a research security program. Covered institutions will be required to certify that their research security programs include elements relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training, as appropriate.

By early January 2025, federal research agencies must submit plans for updating policies to comply with the new guidance measures. From there, the agencies have six more months to have finalized plans submitted to OSTP and OMB. Covered institutions will have no more than 18 months after the effective date of their plans to implement the requirements of the memorandum.

Emphasis on avoiding xenophobia

To address risks posed by strategic competitors to the U.S. research and development enterprise, the Biden-Harris Administration is implementing these new measures to improve research security. The new OSTP memo also explicitly states that this must be accomplished “without exacerbating xenophobia, prejudice or discrimination.”

In the increasingly complex task of strengthening national cybersecurity, these new requirements are essential. It’s no surprise that federal regulation is reaching further into R&D.

Comments