- Stage
-
Scientific Integrity
- Topic
-
Research Security
Need assistance with protecting sensitive information and technologies?
Research is a critical part of innovation and progress, but it also involves the handling of sensitive information and technologies. To ensure that this information remains protected and secure, it is essential to have a robust research security program in place. This page provides information on the key aspects of research security, including guidance from federal sponsors and other federal agencies involved in ensuring research security.
What is Research Security?
National Security Presidential Memorandum-33 (NSPM-33): Actions to Strengthen Protections of United States Government-supported Research and Development Against Foreign Government Interference and Exploitation
The NSPM-33 Implementation Guidance provides guidance to federal funding agencies (e.g., NIH, NSF, etc.) for protecting the nation's research and development infrastructure. This directive recognizes the critical role that research plays in advancing national security and economic competitiveness and outlines key elements of research security:
- Disclosure Requirements and Standardization
- Digital Persistent Identifiers
- Information Sharing
- Research Security Programs
Research Security Program Guidance (proposed)
The Research Security Program guidance is a set of requirements and best practices for institutions that have received at least $50 million per year in Federal science and engineering support to establish and maintain effective research security programs. The guidance covers the following areas:
- Overarching Research Security Program
- Foreign Travel Security
- Research Security Training
- Cybersecurity
- Export Control Training
Federal Acquisition Regulatory (FAR) Council TikTok prohibition
The Federal Acquisition Regulatory (FAR) Council recently published an interim rule, effective immediately, that broadly prohibits contractors from having or using TikTok (and other successor applications by ByteDance Limited) on any “information technology” used in the performance of a government contract. The ban applies to technology owned by the government, Duke, or employees working on the contract.
What is expected of me to comply with this requirement?
Immediately remove TikTok and any ByteDance application from any information technology (see definition below) used in the performance of a federal contract or cease use of that information technology to perform the federal contract. Note that Personal cell phones not used in performance of a contract are not subject to this prohibition.
Information technology, as defined in 40 U.S.C. 11101(6)
- Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use -
- Of that equipment; or
- Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
- Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
- Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.
- Note that Personal cell phones not used in performance of a contract are not subject to this prohibition.
How do I know if the research activities I engage in are subject to this ban?
The ban is being implemented through a new clause at FAR 52.204-27 that appears in the federal contract either in full text or by reference. The Office of Research Administration (ORA) or the Office of Research Support (ORS) will notify you if the contract clause appears in the federal contract that funds the research you are engaged in and is therefore applicable to you.
If so, all employees working on the federal contract whether compensated by the federal contract or not are required to remove TikTok and any ByteDance application from any equipment used in the performance of the federal contract or cease use of that equipment to perform the federal contract. Personal cell phones not used in performance of a contract are not subject to this prohibition.
Who can I contact if I have questions?
Questions regarding application of the prohibition can be directed to ResearchSecurity@duke.edu.
NDAA 889: Prohibited Devices
The National Defense Authorization Act for Fiscal Year 2019 (NDAA 889) prohibits federal agencies from using certain telecommunications and video surveillance equipment and services produced by certain companies, including Huawei, ZTE, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Full details can be found on this General Services Administration (GSA) site.
This prohibition also extends to institutions that receive federal research funding. Institutions must ensure that any prohibited devices are not used in their research activities and should take steps to identify and mitigate any risks associated with the use of these devices. Duke has implemented procedures to mitigate these risks, but please ensure you are not using these prohibited devices and services within your units. Questions regarding NDAA 889 should be directed to ResearchSecurity@duke.edu.