National Security Presidential Memorandum (NSPM)-33

NSPM-33 Compliance Plan

Protecting Emory’s Federally Funded Research Data Against Foreign Interference and Exploitation

In response to increasing concerns of foreign government interference and exploitation of federally funded research, the U. S. government issued National Security Presidential Memorandum 33 (NSPM-33) in January of 2021. NSPM-33 directs agencies and departments to focus on improving research security in the following areas:

• Disclosure Requirements and Standardization
• Digital Persistent Identifiers
• Consequences for Violation of Disclosure Requirements Information Sharing
• Research Security Programs

In January 2022 the National Science and Technology Council issued Guidance for Implementing NSPM-33 to federal departments and agencies regarding their implementation of NSPM-33, and general guidance for research institutions to establish research security programs with the following elements:

• Cybersecurity
• Foreign travel security
• Research security training
• Export control training

Following NSPM 33 guidance, Emory is required to apply certain basic safeguarding protocols and procedures to its research endeavors. ORA, RCRA and OIT are working on ensuring that Emory’s cybersecurity, disclosure, and training policies and procedures for research data meet these requirements.

Disclosure Requirements

Emory University Policies are accessible through a central Policy website.  Individual policies and procedures are reviewed and updated as needed with the latest revision dated noted below each policy heading. Policy 7.24, Policy 7.38, and Policy 7.7 cover conflicts of commitment, conflicts of interest, and disclosure of significant financial interest, and will be amended in 2023 to provide clarity on who is required to make disclosures, what needs to be disclosed, and how to revise or correct past disclosures.

In November of 2022 Emory University implemented its eDisclose web-based tool to manage, store, and report on institution-wide disclosures.  The new system enhances Emory University’s ability to adapt to changes to the federal regulatory environment.  The system has integrated help and guidance resources for disclosers, approvers, and administrators.

Workflows and process are being revised to prompt disclosures from new hires and international visiting scholars during the onboarding process with an emphasis on the importance of disclosing foreign contracts, affiliations, and disclosing involvement with foreign talent recruitment programs.  Foreign affiliation disclosures are routed to Research Compliance and Regulatory Affairs office for export control and research security risk assessment and may involve a management plan as a condition for collaboration.  New policies regarding international travel and the use of loaner devices are being implemented, and a new policy regarding collaborations with foreign visitors is under review

Violation of disclosure requirements may have criminal., civil, and/or administrative consequences. Emory University investigators are ultimately responsible for ensuring that they make any necessary disclosures required by sponsors and internal policy and follow any prescribed plan for the management, reduction, or elimination of a real or perceived risk identified in a disclosure. Failure to do so is a violation of University Policy. The investigator’s department, Dean and/or the Conflict of Interest review office may inspect records to ensure compliance with the plan. Failure to report a significant institutional financial interest, or failure to cooperate in a conflict of interest management plan may be cause for disciplinary action up to and including dismissal. Possible violations of policy include, but are not limited to providing false, misleading, or incomplete information. Refer to Emory Policy 7.24 and Policy 7.7.E for details.

Digital Persistent Identifiers

Emory University’s Libraries maintain a website dedicated to ORCID ID that helps researchers understand benefits and use of Orcid iDs.  The website provides details on what ORCID is, why ORCID is being implemented at Emory University, how to get an ORCID iD, how to use an ORCID iD, how to add scholarly works to a profile, and frequently asked questions about ORCID iDs. 

Emory University is developing a new policy to guide researchers on research data protection.  The draft policy contains guidance on institutional and individual responsibilities regarding data protection, data quality, research misconduct, data sharing, data repositories, data security during travel, and relevant international laws on data use and protections.

Research Security

National Security Presidential Memorandum 33 (NSPM-33) is a directive from the executive branch intended to safeguard the security and integrity of federally funded research. NSPM-33 mandates the establishment of research security programs to protect against foreign government interference and exploitation at research institutions receiving federal funds in excess of $50 million per year. In 2022 the Research Security office was established as the 5^th office within the Research Security and Regulatory Affairs office. The Research Security office performs research security evaluations on a case by case basis, and coordinates research data protection efforts throughout Emory University in compliance with the 4 requirements of NSPM-33: cybersecurity, foreign travel security, research security training, and export control training.

Cybersecurity

National Security Presidential Memorandum 33 (NSPM-33) is a directive from the executive branch intended to safeguard the security and integrity of federally funded research. As part of this goal, it mandates the establishment of research security programs at major institutions receiving federal funds in excess of $50 million per year to protect against foreign government interference and exploitation. While NSPM-33 outlines basic safeguarding protocols and procedures, specific cybersecurity data protection requirements from Emory’s funding agencies is forthcoming in 2023.

The implementation of NSPM-33’s cybersecurity requirements are a shared responsibility amongst the Emory Office of Information Technology, schools and departments that manage research IT systems, and Principal Investigators who conduct the sponsored research. Cybersecurity training can be found in Emory's Brainier Learning Management System from within PeopleSoft. Log into PeopleSoft Self Service, then click on the Learning Management – Brainier tile, then at the top of the screen search for "Emory Cybersecurity Awareness Training".

Foreign Travel Security

The Office of Global Strategic Initiatives provides guidance on Emory sponsored international travel that to obtain authorization for international travel, registration of international travel in a central database, safety briefings, health insurance, research data security guidelines, and travel with clean loaner electronic devices.

Research Security Training

NSF has awarded financial support to establish research security training frameworks that address U.S.-funded research and development security concerns, risks, and threats. The four awardees will focus on developing training modules that detail research security insights and best practices, address the importance of disclosure, identify and remedy knowledge gaps in risk management and mitigation, and provide training on principled international collaboration. The awardees and their training focus are:

• Research Security Training: The Importance of Research Security, The University of Alabama in Huntsville.
• Research Security Training: The Importance of Disclosure, Texas A&M University System. 
• Research Security Training: Risk Management and Mitigation, University of Pennsylvania. 
• Research Security Training: International Collaboration, Associated Universities, Inc., and AUI Labs.

Training modules are integrated in the Research Security Training Module in Emory’s Learning Management System.

Export Control Training

Export control training is essential for ensuring compliance with export controls regulations. Emory has developed a training that provides a high-level overview of export control regulations and their relevance to Emory's business. The training covers

• Overview of export control regulations that are relevant to the type of research and research related activities conducted at Emory.
• Examples of activities that can be impacted by the regulations.
• Types activities that are not subject to export control regulations
• The Fundamental Research exclusion

To access the training, log on to Brainier and search for Export Controls Compliance in Research and Academic Environment.