Research Security
Need assistance with protecting sensitive information and technologies?
Research is a critical part of innovation and progress, but it also involves the handling of sensitive information and technologies. To ensure that this information remains protected and secure, it is essential to have a robust research security program in place. This page provides information on the key aspects of research security, including guidance from federal sponsors and other federal agencies involved in ensuring research security.
What is Research Security?
National Security Presidential Memorandum-33 (NSPM-33): Actions to Strengthen Protections of United States Government-supported Research and Development Against Foreign Government Interference and Exploitation
The NSPM-33 Implementation Guidance provides guidance to federal funding agencies (e.g., NIH, NSF, etc.) for protecting the nation's research and development infrastructure. This directive recognizes the critical role that research plays in advancing national security and economic competitiveness and outlines key elements of research security:
- Disclosure Requirements and Standardization
- Digital Persistent Identifiers
- Information Sharing
- Research Security Programs
Research Security Program Guidance (proposed)
The Research Security Program guidance is a set of requirements and best practices for institutions that have received at least $50 million per year in Federal science and engineering support to establish and maintain effective research security programs. The guidance covers the following areas:
- Overarching Research Security Program
- Foreign Travel Security
- Research Security Training
- Cybersecurity
- Export Control Training
Why is Research Security and Disclosure Training Required?
Research security training is listed as one of four elements of a Research Security Program required by National Security Presidential Memorandum 33, issued on Jan. 14, 2021, to safeguard our research ecosystem. The "CHIPS and Science Act of 2022," Section 10634, codifies the requirement for research security training for federal research award personnel in public law.
Complete Research Security and Disclosure Training Here: Duke LMS Research Security and Disclosure Training
NIH Subrecipient Information
NIH Subrecipient Research Security and Disclosure Training Requirement:
All applications that have subrecipients with covered individuals/key personnel are also required to complete the Research Security and Disclosure Training requirements. In order to submit the application, the subrecipient's authorized official must complete a Duke-specific letter of intent, certifying to completion of the training requirements for covered individuals/key personnel. Applications will NOT be submitted if required individuals have not completed the training when the funding agency has a training requirement that is currently in effect.
For NIH RPPRs with subcontracts, please use this document: Subcontract Documents for NIH RPPR
Federal Sponsor-Specific Research Security Training
Department of Energy (DOE) - Research Security and Disclosure Training
The DOE, through the 2025-02 Financial Assistance Letter (FAL), requires all "Covered Individuals" to complete Research Security and Disclosure Training (RSDT) effective May 1st, 2025.
The DOE defines a "Covered Individual" as “…an individual who (a) contributes in a substantive, meaningful way to the development or execution of the scope of work of a project funded by DOE or proposed for funding by DOE, and (b) is designated as a covered individual by DOE. At a minimum, DOE designates as covered individuals any principal investigator (PI); project director (PD); co-principal investigator (Co-PI); co-project director (Co-PD); project manager; and any individual regardless of title that is functionally performing as a PI, PD, Co-PI, Co-PD, or project manager.”
Complete Research Security and Disclosure Training Here: Duke LMS Research Security and Disclosure Training
National Science Foundation (NSF) - Research Security and Disclosure Training
The NSF, through Important Notice No. 149, which goes into effect October 10, 2025, requires all senior/key personnel submitting an NSF proposal on or after October 10th, 2025, to complete Research Security and Disclosure Training (RSDT) within 12 months prior to proposal submission.
"Research Security Training Requirement for Federal Award Personnel: In accordance with Section 10634 of the CHIPS and Science Act of 2022 (42 U.S.C. § 19234), each individual identified as a senior/key person must certify that they have completed the requisite research security training that meets the requirements specified in Item 2 of Important Notice No. 149 within 12 months prior to proposal submission."
Complete Research Security and Disclosure Training Here: Duke LMS Research Security and Disclosure Training
National Institutes of Health (NIH) - Research Security and Disclosure Training
Disclosure Training Requirement
On July 17, 2025, the NIH announced a new policy requirement to train senior/key personnel on other support disclosure requirements through NOT-OD-25-133, which goes into effect on October 1, 2025.
"Effective October 1, 2025, recipients must implement trainings, in addition to maintaining a written and enforced policy, on requirements for the disclosure of other support to ensure Senior/Key Personnel fully understand their responsibility to disclose all resources made available to the researcher in support of and/or related to all of their research endeavors, regardless of whether or not they have monetary value and regardless of whether they are based at the institution the researcher identifies for the current grant."
Disclosure Training Due Date: Prior to Proposal Submission on/after October 1, 2025.
Research Security Training Requirement
In conjunction with this required disclosure training, the NIH released the Implementation of NIH Research Security Policies Notice (NOT-OD-26-017) which requires all senior/key individuals to complete Research Security Training 12 months prior to proposal submission, effective May 25, 2026. The Research Security and Disclosure Training, which is a comprehensive training module provided by the NSF SECURE Center, will count towards both this Research Security Training requirement and the NIH Disclosure training requirement.
Please be aware that the NIH will require the submission of the signed certificate that is obtained at the end of the Research Security and Disclosure Training (see below):
"In accordance with Section 10634 of Act, each covered individual (for NIH this is defined as senior/key personnel) listed on an NIH grant application must certify that they have completed Research Security Training within 12 months of the date of application submission. NIH does not collect Current and Pending (Other) Support at the time of application based on our Just-in-Time policy. Therefore, NIH will collect the individual certification at the time of the application submission, through the Biographical Sketch in SciENcv."
Research Security Training Due Date: Prior to Proposal Submission on/after May 25, 2026.
Complete Research Security and Disclosure Training (RSDT) Here: Duke LMS Research Security and Disclosure Training
RSDT will count towards both the NIH Disclosure Training requirement and the NIH Research Security Training requirement.
U.S. Department of Agriculture (USDA) - Research Security Training
Effective July 8, 2025, the U.S. Department of Agriculture (USDA), through Secretary's Memorandum SM 1078-014, has required that all senior/key personnel must complete Research Security and Disclosure Training (RSDT) within 12 months prior to USDA proposal submission.
"As a term and condition of entering into an arrangement with USDA related to research and development (R&D) or science and technology (S&T), applicants must: certify that research security training has been completed not more than one year prior to the date of application and must recertify annually for the duration of the award;"
Complete Research Security and Disclosure Training Here: Duke LMS Research Security and Disclosure Training
Assessment & Management of Risk
Malign Foreign Talent Recruitment Programs (MFTRPs)
The term “Malign Foreign Talent Recruitment Program” is defined in the CHIPS and Science Act of 2022 (Sec. 10638) as:
(A) Any program, position or activity compensated with cash or in-kind compensation such as complimentary foreign travel, honorific titles, career advancement opportunities, where the compensation is in exchange for one or more of the following:
- Unauthorized transfer of intellectual property, materials, data products, or other nonpublic information developed through U.S. federal funding to a foreign government or entity affiliated with a foreign country;
- Being required to recruit trainees or researchers to participate in the program or activity;
- Establishing a lab or company or accepting a faculty position or other employment if these activities are in violation of standard terms and conditions of a federal award;
- Being unable to terminate the contract except in extraordinary circumstances;
- Requiring commitments that limit the capacity to carry out a U.S. federal award or would result in substantial overlap or duplication;
- Being required to apply for or successfully receive funding from the sponsoring foreign government’s funding agencies, with the foreign organization as the recipient;
- Being required to omit acknowledgement of the recipient institution (i.e., Wake Forest University), or the U.S. federal research agency sponsor, contrary to institutional policies or standard award terms and conditions;
- Being required to withhold information about participation in the program and not to disclose it to the U.S. funding agency or to Wake Forest University; OR
- Having a conflict of interest or conflict of commitment contrary to the standard terms and conditions of the award.
and (B)
- A foreign country of concern (FCOC) or an entity based in a FCOC, whether or not directly sponsored by the FCOC;
- An academic institution on the list developed under section 1286(c)(8) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA 2019) (10 U.S.C. 2358 note; Public Law 115-232); or
- A foreign talent recruitment program on the list developed under section 1286(c)(9) of the NDAA 2019 (10 U.S.C. 2358 note; Public Law 115-232).
Note that Foreign Countries of Concern (FCOC) include the People's Republic of China, the Democratic People's Republic of Korea (North Korea), the Islamic Republic of Iran, and the Russian Federation.
If you have been approached by an organization that may meet the above definition, please contact researchsecurity@duke.edu.
Research Security & Cybersecurity Topics
Federal Acquisition Regulatory (FAR) Council TikTok prohibition
The Federal Acquisition Regulatory (FAR) Council recently published an interim rule, effective immediately, that broadly prohibits contractors from having or using TikTok (and other successor applications by ByteDance Limited) on any “information technology” used in the performance of a government contract. The ban applies to technology owned by the government, Duke, or employees working on the contract.
What is expected of me to comply with this requirement?
Immediately remove TikTok and any ByteDance application from any information technology (see definition below) used in the performance of a federal contract, or cease use of that information technology to perform the federal contract. Note that personal cell phones not used in performance of a contract are not subject to this prohibition.
Information technology, as defined in 40 U.S.C. 11101(6)
- Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use -
- Of that equipment; or
- Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
- Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
- Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.
- Note that personal cell phones not used in performance of a contract are not subject to this prohibition.
How do I know if the research activities I engage in are subject to this ban?
The ban is being implemented through a new clause at FAR 52.204-27 that appears in the federal contract either in full text or by reference. The Office of Research Administration (ORA) or the Office of Research Support (ORS) will notify you if the contract clause appears in the federal contract that funds the research you are engaged in and is therefore applicable to you.
If so, all employees working on the federal contract, whether compensated by the federal contract or not, are required to remove TikTok and any ByteDance application from any equipment used in the performance of the federal contract or cease use of that equipment to perform the federal contract. Personal cell phones not used in performance of a contract are not subject to this prohibition.
Who can I contact if I have questions?
Questions regarding application of the prohibition can be directed to ResearchSecurity@duke.edu.
NDAA 889: Prohibited Devices
The National Defense Authorization Act for Fiscal Year 2019 (NDAA 889) prohibits federal agencies from using certain telecommunications and video surveillance equipment and services produced by certain companies, including Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Full details can be found on this General Services Administration (GSA) site.
This prohibition also extends to institutions that receive federal research funding. Institutions must ensure that any prohibited devices are not used in their research activities and should take steps to identify and mitigate any risks associated with the use of these devices. Duke has implemented procedures to mitigate these risks, but please ensure you are not using these prohibited devices and services within your units. Questions regarding NDAA 889 should be directed to ResearchSecurity@duke.edu.
Frequently Asked Questions (FAQ)
What is research security, and why is it important in academia?
Research security involves protecting research from risks such as theft, unauthorized access, foreign influence, and improper disclosures. This is critical to maintain scientific integrity, protect intellectual property, and comply with federal regulations.
What are foreign influence concerns, and how do they impact my research?
Foreign influence concerns arise when outside entities, often from other countries, attempt to access sensitive research or unduly influence outcomes. Foreign influence may include people who are not acting in the best interest of your research, Duke University, or the federal government. Compliance includes full disclosure of foreign relationships and ensuring no unapproved sharing of sensitive information.
What are my responsibilities regarding data management and cybersecurity?
You must safeguard research data based on its classification. Use approved storage locations for data, keep controlled-access systems in place as required, and report security incidents promptly. We strongly encourage the use of Electronic Research Notebooks, like Duke-supported LabArchives, to support best data practices including data accessibility, transparency, and security.
What is a Malign Foreign Talent Recruitment Program (MFTRP), and why does it matter?
A Malign Foreign Talent Recruitment Program (MFTRP) is a program run by certain foreign governments to recruit researchers to share knowledge, technology, or research in ways that may undermine U.S. interests. These programs often offer money, positions, or resources in exchange for transferring sensitive information, sometimes in violation of U.S. laws or grant terms. See more details on the Research Security MRP Page on Malign Foreign Talent Recruitment Programs.
Participation in an MFTRP can result in loss of federal funding eligibility, institutional discipline, or legal consequences. U.S. funding agencies require that researchers avoid these programs and fully disclose foreign affiliations or support. If you receive an invitation or have questions about a program, contact your institution’s research compliance office.
What countries are considered Foreign Countries of Concern (FCOC)?
The term “foreign country of concern” means the People’s Republic of China, the Democratic People’s Republic of Korea, the Russian Federation, the Islamic Republic of Iran, or any other country determined to be a country of concern by the Department of State.
This is different from the Countries of Concern, which include the People's Republic of China, the Democratic People’s Republic of Korea, the Russian Federation, the Islamic Republic of Iran, Venezuela, and Cuba. These countries may have other restrictions associated with them that are focused on biospecimen and data transfers, export controls, or sanctions. Additional countries are regularly added by the U.S. government to this list.
How can I evaluate the risks to my federal funding portfolio?
We recommend reaching out to the Research Security Team for questions on risks to your federal funding portfolio when collaborating with individuals from a Foreign Country of Concern (FCOC). Each federal agency perceives and interprets research security risks differently, some more conservatively than others. Likewise, some federal agencies are much more explicit in their documented risk identifications and strategies to mitigate these risks.
See the Risk Matrix Reference Guide for information on how the DoD, DOE, NSF, and NIH are interpreting research security risks.