National Security Presidential Memorandum (NSPM)-33
NSPM-33 Compliance Plan
Protecting Emory’s Federally Funded Research Data Against Foreign Interference and Exploitation
In response to increasing concerns of foreign government interference and exploitation of federally funded research, the U. S. government issued National Security Presidential Memorandum 33 (NSPM-33) in January of 2021. NSPM-33 directs agencies and departments to focus on improving research security in the following areas:
- Disclosure Requirements and Standardization
- Digital Persistent Identifiers
- Consequences for Violation of Disclosure Requirements Information Sharing
- Research Security Programs
In January 2022 the National Science and Technology Council issued Guidance for Implementing NSPM-33 to federal departments and agencies regarding their implementation of NSPM-33, and general guidance for research institutions to establish research security programs with the following elements:
- Cybersecurity
- Foreign travel security
- Research security training
- Export control training
Following NSPM 33 guidance, Emory is required to apply certain basic safeguarding protocols and procedures to its research endeavors. ORA, RCRA and OIT are working on ensuring that Emory’s cybersecurity, disclosure, and training policies and procedures for research data meet these requirements.
Disclosure Requirements
Emory University Policies are accessible through a central Policy website. Individual policies and procedures are reviewed and updated as needed with the latest revision dated noted below each policy heading. Policy 7.24, Policy 7.38, and Policy 7.7 cover conflicts of commitment, conflicts of interest, and disclosure of significant financial interest, and will be amended in 2023 to provide clarity on who is required to make disclosures, what needs to be disclosed, and how to revise or correct past disclosures.
In November of 2022 Emory University implemented its eDisclose web-based tool to manage, store, and report on institution-wide disclosures. The new system enhances Emory University’s ability to adapt to changes to the federal regulatory environment. The system has integrated help and guidance resources for disclosers, approvers, and administrators.
Workflows and process are being revised to prompt disclosures from new hires and international visiting scholars during the onboarding process with an emphasis on the importance of disclosing foreign contracts, affiliations, and disclosing involvement with foreign talent recruitment programs. Foreign affiliation disclosures are routed to Research Compliance and Regulatory Affairs office for export control and research security risk assessment and may involve a management plan as a condition for collaboration. New policies regarding international travel and the use of loaner devices are being implemented, and a new policy regarding collaborations with foreign visitors is under review
Violation of disclosure requirements may have criminal., civil, and/or administrative consequences. Emory University investigators are ultimately responsible for ensuring that they make any necessary disclosures required by sponsors and internal policy and follow any prescribed plan for the management, reduction, or elimination of a real or perceived risk identified in a disclosure. Failure to do so is a violation of University Policy. The investigator’s department, Dean and/or the Conflict of Interest review office may inspect records to ensure compliance with the plan. Failure to report a significant institutional financial interest, or failure to cooperate in a conflict of interest management plan may be cause for disciplinary action up to and including dismissal. Possible violations of policy include, but are not limited to providing false, misleading, or incomplete information. Refer to Emory Policy 7.24 and Policy 7.7.E for details.
Digital Persistent Identifiers
Emory University’s Libraries maintain a website dedicated to ORCID ID that helps researchers understand benefits and use of Orcid iDs. The website provides details on what ORCID is, why ORCID is being implemented at Emory University, how to get an ORCID iD, how to use an ORCID iD, how to add scholarly works to a profile, and frequently asked questions about ORCID iDs.
Emory University is developing a new policy to guide researchers on research data protection. The draft policy contains guidance on institutional and individual responsibilities regarding data protection, data quality, research misconduct, data sharing, data repositories, data security during travel, and relevant international laws on data use and protections.
Research Security
National Security Presidential Memorandum 33 (NSPM-33) is a directive from the executive branch intended to safeguard the security and integrity of federally funded research. NSPM-33 mandates the establishment of research security programs to protect against foreign government interference and exploitation at research institutions receiving federal funds in excess of $50 million per year. In 2022 the Research Security office was established as the 5th office within the Research Security and Regulatory Affairs office. The Research Security office performs research security evaluations on a case by case basis, and coordinates research data protection efforts throughout Emory University in compliance with the 4 requirements of NSPM-33: cybersecurity, foreign travel security, research security training, and export control training.
Cybersecurity
National Security Presidential Memorandum 33 (NSPM-33) is a directive from the executive branch intended to safeguard the security and integrity of federally funded research. As part of this goal, it mandates the establishment of research security programs at major institutions receiving federal funds in excess of $50 million per year to protect against foreign government interference and exploitation. While NSPM-33 outlines basic safeguarding protocols and procedures, specific cybersecurity data protection requirements from Emory’s funding agencies is forthcoming in 2023.
The implementation of NSPM-33’s cybersecurity requirements are a shared responsibility amongst the Emory Office of Information Technology, schools and departments that manage research IT systems, and Principal Investigators who conduct the sponsored research.
Foreign Travel Security
The Office of Global Strategic Initiatives provides guidance on Emory sponsored international travel that to obtain authorization for international travel, registration of international travel in a central database, safety briefings, health insurance, research data security guidelines, and travel with clean loaner electronic devices.
Research Security Training
NSF has awarded financial support to establish research security training frameworks that address U.S.-funded research and development security concerns, risks, and threats. The four awardees will focus on developing training modules that detail research security insights and best practices, address the importance of disclosure, identify and remedy knowledge gaps in risk management and mitigation, and provide training on principled international collaboration. The awardees and their training focus are:
Research Security Training: The Importance of Research Security, The University of Alabama in Huntsville.
Research Security Training: The Importance of Disclosure, Texas A&M University System.
Research Security Training: Risk Management and Mitigation, University of Pennsylvania.
Research Security Training: International Collaboration, Associated Universities, Inc., and AUI Labs.
Training modules are expected to be completed by the end of 2023 and will be integrated with Emory’s Learning Management System.
Export Control Training
Emory has subscription to CITI Program export control training modules which can be assigned depending on training need. The Export Control Office is also available to conduct one-on-one training customized for specific groups.