OSTP Issues Guidance to Agencies to Implement NSPM 33—Key Takeaways for Institutions Conducting Federally-Funded Research

Firm Publication

On January 4, the White House Office of Science and Technology Policy (OSTP) issued guidance for federal agencies to implement National Security Presidential Memorandum 33 (NSPM 33). NSPM 33 was issued in January 2021 at the end of the Trump administration as a means to strengthen protections of U.S. government-supported research against foreign government interference. NSPM 33 set deadlines for certain activities for January 2022 and OSTP had announced in August that it was preparing the guidance in response to those deadlines.

The guidance is aimed at federal agencies and, among other things, directs them to harmonize their varying requirements for disclosure and assessment of potential conflicts of interest and commitment by grant applicants, the processes for determining violations of such requirements, and the consequences for such violations.

For further insight on this topic, read the insight Audrey Anderson provided to Science in response to the guidance.

Key Takeaways on OSTP Guidance

Standardization of conflict disclosures across agencies is coming relatively soon.

The guidance proclaims that disclosure requirements, forms and formats will be standardized across agencies “to the greatest extent practicable.” The National Science and Technology Council (NSTC) Subcommittee on Research Security is tasked with developing template forms and requirements with relevant agencies. OSTP has called for model award proposal disclosure forms and instructions within 120 days. Agencies presumably will then determine the extent to which their statutes or regulations require deviation from the model forms, a process for which the guidance provides no deadlines.

This should make applying for federal research funding easier for institutions because researchers and institutions should, in theory, be able to submit core information in common across applications and funding agencies. We will have to see in practice the extent to which agencies believe that they need to deviate from the model form.

Research agencies are called on to use robust means of information sharing between agencies about disclosure violations and to develop means to share information about suspected violations.

The guidance calls on agencies to make robust use of existing means of information sharing for disclosure violations through means such as SAM.gov (for suspension and debarments) and the Federal Award Performance and Integrity Information System (for a variety of actions, including award terminations for cause), and then goes one step further. The guidance instructs agencies to “coordinate to establish improved mechanisms for sharing information” about suspected violations among research agencies. The guidance calls on the agencies to do this work consistent with federal privacy laws. The guidance does not reflect any recognition of the differences between sharing information about violations after the awardee has been afforded due process and sharing such information before an awardee has had the benefit of due process as to the allegations.

NSPM 33 itself addresses this issue in a much more nuanced way, calling on heads of agencies to consider providing notice to other agencies where “significant concerns have arisen but a final determination has not been made,” not just where there are “suspected violations.”  NSPM 33 also calls on funding agencies to include within grant terms and conditions provisions, as appropriate, that would allow for this kind of sharing. As the agencies move to develop their systems to share “suspected” violations, we can hope that they will look to the terms of NSPM 33 for the details of their work.

There is no timeline in the guidance for developing these means of information sharing. But be on the lookout for new terms and conditions that address an agency’s ability to share “suspected” violations with other agencies.

OSTP is developing the standards for required research security plans for institutions that receive more than $50 million in annual federal research funding, but standards will not be in place for months (at least).

NSPM 33 stated that all institutions receiving more than $50 million in annual research funding would be required to certify by January 14, 2022, and annually thereafter, that the institution has established and operates a research security program.

The guidance provides a few more details on that requirement:

  • The $50 million threshold is established by the last two years of total federal science and engineering support as reflected on USASpending.gov.
  • Institutions will be required to have a point of contact (POC) responsible for their research security program. Institutions that do classified or CUI research may use the same person who is the POC for that program as the POC for these purposes.
  • Required elements of a research security program are cybersecurity, foreign travel security, research security training, and export control training.

The guidance states that OSTP will develop a standardized requirement for uniform implementation of a research security program across agencies. But the timeline it establishes for this, which includes a 90-day engagement period during which OSTP will consult with external stakeholders, provides OSTP with almost seven months before it provides the standardized requirements to OMB. Then, OMB must develop an implementation plan for the requirements.

And while OMB can work quickly when called upon to do so, it is unclear whether its work on this requirement will be a high priority. The guidance states that qualifying research institutions should establish a research security program as soon as possible but should be provided one year from the date of issuance of formal requirement, meaning after OMB acts, to comply.

While it will be some months before we know the exact details of a required research security program, institutions receiving more than $50 million in federal research funding should look at the four required basic elements as outlined in the guidance, all of which are important aspects of a good research compliance program. Institutions should consider determining which, if any, of the required elements of the research security plan are missing from their institutions and begin thinking ahead to how they can be incorporated on their campuses.

If you have any questions about any of the above, please contact the authors.

Related Professionals
Related Services
Firm Publication

On January 4, the White House Office of Science and Technology Policy (OSTP) issued guidance for federal agencies to implement National Security Presidential Memorandum 33 (NSPM 33). NSPM 33 was issued in January 2021 at the end of the Trump administration as a means to strengthen protections of U.S. government-supported research against foreign government interference. NSPM 33 set deadlines for certain activities for January 2022 and OSTP had announced in August that it was preparing the guidance in response to those deadlines.

The guidance is aimed at federal agencies and, among other things, directs them to harmonize their varying requirements for disclosure and assessment of potential conflicts of interest and commitment by grant applicants, the processes for determining violations of such requirements, and the consequences for such violations.

For further insight on this topic, read the insight Audrey Anderson provided to Science in response to the guidance.

Key Takeaways on OSTP Guidance

Standardization of conflict disclosures across agencies is coming relatively soon.

The guidance proclaims that disclosure requirements, forms and formats will be standardized across agencies “to the greatest extent practicable.” The National Science and Technology Council (NSTC) Subcommittee on Research Security is tasked with developing template forms and requirements with relevant agencies. OSTP has called for model award proposal disclosure forms and instructions within 120 days. Agencies presumably will then determine the extent to which their statutes or regulations require deviation from the model forms, a process for which the guidance provides no deadlines.

This should make applying for federal research funding easier for institutions because researchers and institutions should, in theory, be able to submit core information in common across applications and funding agencies. We will have to see in practice the extent to which agencies believe that they need to deviate from the model form.

Research agencies are called on to use robust means of information sharing between agencies about disclosure violations and to develop means to share information about suspected violations.

The guidance calls on agencies to make robust use of existing means of information sharing for disclosure violations through means such as SAM.gov (for suspension and debarments) and the Federal Award Performance and Integrity Information System (for a variety of actions, including award terminations for cause), and then goes one step further. The guidance instructs agencies to “coordinate to establish improved mechanisms for sharing information” about suspected violations among research agencies. The guidance calls on the agencies to do this work consistent with federal privacy laws. The guidance does not reflect any recognition of the differences between sharing information about violations after the awardee has been afforded due process and sharing such information before an awardee has had the benefit of due process as to the allegations.

NSPM 33 itself addresses this issue in a much more nuanced way, calling on heads of agencies to consider providing notice to other agencies where “significant concerns have arisen but a final determination has not been made,” not just where there are “suspected violations.”  NSPM 33 also calls on funding agencies to include within grant terms and conditions provisions, as appropriate, that would allow for this kind of sharing. As the agencies move to develop their systems to share “suspected” violations, we can hope that they will look to the terms of NSPM 33 for the details of their work.

There is no timeline in the guidance for developing these means of information sharing. But be on the lookout for new terms and conditions that address an agency’s ability to share “suspected” violations with other agencies.

OSTP is developing the standards for required research security plans for institutions that receive more than $50 million in annual federal research funding, but standards will not be in place for months (at least).

NSPM 33 stated that all institutions receiving more than $50 million in annual research funding would be required to certify by January 14, 2022, and annually thereafter, that the institution has established and operates a research security program.

The guidance provides a few more details on that requirement:

  • The $50 million threshold is established by the last two years of total federal science and engineering support as reflected on USASpending.gov.
  • Institutions will be required to have a point of contact (POC) responsible for their research security program. Institutions that do classified or CUI research may use the same person who is the POC for that program as the POC for these purposes.
  • Required elements of a research security program are cybersecurity, foreign travel security, research security training, and export control training.

The guidance states that OSTP will develop a standardized requirement for uniform implementation of a research security program across agencies. But the timeline it establishes for this, which includes a 90-day engagement period during which OSTP will consult with external stakeholders, provides OSTP with almost seven months before it provides the standardized requirements to OMB. Then, OMB must develop an implementation plan for the requirements.

And while OMB can work quickly when called upon to do so, it is unclear whether its work on this requirement will be a high priority. The guidance states that qualifying research institutions should establish a research security program as soon as possible but should be provided one year from the date of issuance of formal requirement, meaning after OMB acts, to comply.

While it will be some months before we know the exact details of a required research security program, institutions receiving more than $50 million in federal research funding should look at the four required basic elements as outlined in the guidance, all of which are important aspects of a good research compliance program. Institutions should consider determining which, if any, of the required elements of the research security plan are missing from their institutions and begin thinking ahead to how they can be incorporated on their campuses.

If you have any questions about any of the above, please contact the authors.

In Case You Missed It: