Research Security

Need assistance with protecting sensitive information and technologies?

Research is a critical part of innovation and progress, but it also involves the handling of sensitive information and technologies. To ensure that this information remains protected and secure, it is essential to have a robust research security program in place. This page provides information on the key aspects of research security, including guidance from federal sponsors and other federal agencies involved in ensuring research security.

What is Research Security?

Research security involves protecting sensitive information and technologies from unauthorized access, theft, or misuse. This information can include proprietary information, research data, and personal information of research subjects. Failure to adequately protect this information can result in significant harm to individuals, institutions, and national security.

National Security Presidential Memorandum-33 (NSPM-33): Actions to Strengthen Protections of United States Government-supported Research and Development Against Foreign Government Interference and Exploitation

The NSPM-33 Implementation Guidance provides guidance to federal funding agencies (e.g., NIH, NSF, etc.) for protecting the nation's research and development infrastructure. This directive recognizes the critical role that research plays in advancing national security and economic competitiveness and outlines key elements of research security:

  • Disclosure Requirements and Standardization
  • Digital Persistent Identifiers
  • Information Sharing
  • Research Security Programs

Research Security Program Guidance (proposed)

The Research Security Program guidance is a set of requirements and best practices for institutions that have received at least $50 million per year in Federal science and engineering support to establish and maintain effective research security programs. The guidance covers the following areas:

  • Overarching Research Security Program
  • Foreign Travel Security
  • Research Security Training
  • Cybersecurity
  • Export Control Training

Federal Acquisition Regulatory (FAR) Council TikTok prohibition

The Federal Acquisition Regulatory (FAR) Council recently published an interim rule, effective immediately, that broadly prohibits contractors from having or using TikTok (and other successor applications by ByteDance Limited) on any “information technology” used in the performance of a government contract. The ban applies to technology owned by the government, Duke, or employees working on the contract.  

What is expected of me to comply with this requirement?

Immediately remove TikTok and any ByteDance application from any information technology (see definition below) used in the performance of a federal contract, or cease use of that information technology to perform the federal contract. Note that personal cell phones not used in performance of a contract are not subject to this prohibition.

Information technology, as defined in 40 U.S.C. 11101(6):

  1. Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use -
    1. Of that equipment; or
    2. Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
  2. Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
  3. Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.

How do I know if the research activities I engage in are subject to this ban?

The ban is being implemented through a new clause at FAR 52.204-27 that appears in the federal contract either in full text or by reference.  The Office of Research Administration (ORA) or the Office of Research Support (ORS) will notify you if the contract clause appears in the federal contract that funds the research you are engaged in and is therefore applicable to you.

If so, all employees working on the federal contract, whether compensated by the federal contract or not, are required to remove TikTok and any ByteDance application from any equipment used in the performance of the federal contract or cease use of that equipment to perform the federal contract. Personal cell phones not used in performance of a contract are not subject to this prohibition.

Who can I contact if I have questions?

Questions regarding application of the prohibition can be directed to ResearchSecurity@duke.edu.

NDAA 889: Prohibited Devices

The National Defense Authorization Act for Fiscal Year 2019 (NDAA 889) prohibits federal agencies from using certain telecommunications and video surveillance equipment and services produced by certain companies, including Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Full details can be found on this General Services Administration (GSA) site.

This prohibition also extends to institutions that receive federal research funding. Institutions must ensure that any prohibited devices are not used in their research activities and should take steps to identify and mitigate any risks associated with the use of these devices. Duke has implemented procedures to mitigate these risks, but please ensure you are not using these prohibited devices and services within your units. Questions regarding NDAA 889 should be directed to ResearchSecurity@duke.edu.

Federal Sponsor-Specific Research Security Training

Below are federal sponsor-specific guidelines that will be updated as more information regarding additional sponsor trainings comes out.

Department of Energy (DOE) - Research Security Training

The DOE, through the 2025-02 Financial Assistance Letter (FAL), requires all "Covered Individuals" to complete Research Security Training (RST) effective May 1st, 2025. 

The DOE defines a "Covered Individual" as “…an individual who (a) contributes in a substantive, meaningful way to the development or execution of the scope of work of a project funded by DOE or proposed for funding by DOE, and (b) is designated as a covered individual by DOE. At a minimum, DOE designates as covered individuals any principal investigator (PI); project director (PD); co-principal investigator (Co-PI); co-project director (Co-PD); project manager; and any individual regardless of title that is functionally performing as a PI, PD, Co-PI, Co-PD, or project manager.” 

Complete Research Security Training Here: Duke LMS Research Security Training

National Science Foundation (NSF) - Research Security Training

The NSF, through Important Notice No. 149, which goes into effect October 10, 2025, requires all senior/key personnel submitting an NSF proposal on or after October 10th, 2025, to complete Research Security Training within 12 months prior to proposal submission.

"Research Security Training Requirement for Federal Award Personnel: In accordance with Section 10634 of the CHIPS and Science Act of 2022 (42 U.S.C. § 19234), each individual identified as a senior/key person must certify that they have completed the requisite research security training that meets the requirements specified in Item 2 of Important Notice No. 149 within 12 months prior to proposal submission."

Complete Research Security Training Here: Duke LMS Research Security Training

Assessment & Management of Risk

Federal regulations and policy change frequently, oftentimes with little notice. This page is kept up to date, and we encourage you to come back periodically to ensure your activities are in line with current policy and guidelines. You may also contact researchsecurity@duke.edu with any questions regarding research security-related matters including risk assessments, risk mitigation measures, and management of risk.

Malign Foreign Talent Recruitment Programs (MFTRPs)

The term “Malign Foreign Talent Recruitment Program” is defined in the CHIPS and Science Act of 2022 (Sec. 10638) as: 

(A) Any program, position or activity compensated with cash or in-kind compensation such as complimentary foreign travel, honorific titles, career advancement opportunities, where the compensation is in exchange for one or more of the following:

  1. Unauthorized transfer of intellectual property, materials, data products, or other nonpublic information developed through U.S. federal funding to a foreign government or entity affiliated with a foreign country;
  2. Being required to recruit trainees or researchers to participate in the program or activity;
  3. Establishing a lab or company or accepting a faculty position or other employment if these activities are in violation of standard terms and conditions of a federal award;
  4. Being unable to terminate the contract except in extraordinary circumstances;
  5. Requiring commitments that limit the capacity to carry out a U.S. federal award or would result in substantial overlap or duplication;
  6. Being required to apply for or successfully receive funding from the sponsoring foreign government’s funding agencies, with the foreign organization as the recipient;
  7. Being required to omit acknowledgement of the recipient institution (i.e., Wake Forest University), or the U.S. federal research agency sponsor, contrary to institutional policies or standard award terms and conditions;
  8. Being required to withhold information about participation in the program and not to disclose it to the U.S. funding agency or to Wake Forest University; OR
  9. Having a conflict of interest or conflict of commitment contrary to the standard terms and conditions of the award.

and (B)

  1. A foreign country of concern (FCOC) or an entity based in a FCOC, whether or not directly sponsored by the FCOC;
  2. An academic institution on the list developed under section 1286(c)(8) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA 2019) (10 U.S.C. 2358 note; Public Law 115-232); or
  3. A foreign talent recruitment program on the list developed under section 1286(c)(9) of the NDAA 2019 (10 U.S.C. 2358 note; Public Law 115-232).

Note that Foreign Countries of Concern (FCOC) include the People's Republic of China, the Democratic People's Republic of Korea (North Korea), the Islamic Republic of Iran, and the Russian Federation.

If you have been approached by an organization that may meet the above definition, please contact researchsecurity@duke.edu.