White House to require increased cybersecurity protocols for R&D institutions
Federal research agencies will now require certain covered institutions to implement cybersecurity programs for research and development security, a move the White House attributes to growing threats posed by the People’s Republic of China.
Office of Science and Technology Policy Director Arati Prabhakar made her case in the memorandum for increased awareness of security threats from adversaries. The guidance aims to enable national R&D enterprise research agencies and participants to “respond appropriately” through certifying that institutions’ research security programs — and cybersecurity protocols — include foreign travel security, research security training and export control training.
“Technology and R&D are central to this strategic competition, and the PRC has exploited international research collaboration by undermining values — such as transparency, accountability and reciprocity — in order to advance its strategic objectives and military modernization,” the memo states.
According to the memo, higher education institutions certified by the federal research agencies must implement a cybersecurity program consistent with the CHIPS and Science Act’s cybersecurity resource for research-focused entities. That implementation must occur one year following the final issuance of this document; the National Institute of Standards and Technology has posted an initial draft of the resource.
Covered institutions that are not part of higher education but are certified by the research agencies are required to “implement a cybersecurity program consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency,” the memo states.
Federal research agencies are required to submit plans to update policies regarding “standardized requirements” for research security programs within six months, and those will take effect six months after finalized plans have been submitted. Additionally, agencies must “ensure that covered institutions have adequate time” to implement those requirements, though it must happen in under 18 months after the effective date.
The Biden administration, however, makes clear that federal research agencies must balance security efforts without prejudice throughout the process of implementation.
“Federal research agencies should implement research security policies in a way that treats everyone equally under the law, without xenophobia, prejudice or discrimination, a principle reinforced by the CHIPS and Science Act,” the memo states.
