Research Security Program
Update
July 9, 2024: The Office of Science and Technology Policy issued Guidelines for Research Security Programs at Covered Institutions
Securing and protecting research involves developing awareness of potential domestic and international threats and implementing procedures and controls to reduce those risks. This Research Security Program also implements the requirements described in National Security Presidential Memorandum-33 (NSPM-33), which the federal government imposes on recipients of federal research funding. This webpage will be updated as new resources become available.
Cybersecurity
NSPM-33 Directive to Federal Agencies
Federal agencies should require the following from research organizations:
- Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control any non-public information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
UCI's Implementation
As a researcher, you need to maintain good cybersecurity practices and understand the appropriate level of security to protect your research.
Training: UCLC Cybersecurity Awareness Training
Resources:
Foreign Travel Security
NSPM-33 Directive to Federal Agencies
Federal agencies should require that research organizations:
- Maintain international travel policies for faculty and staff traveling for organization business, teaching, conference attendance, research purposes, or any offers of sponsored travel that would put a person at risk.
- Include an organizational record of covered international travel by faculty and staff and, as appropriate, a disclosure and authorization requirement in advance of international travel, security briefings, assistance with electronic device security (smartphones, laptops, etc.), and preregistration requirements.
UCI's Implementation
Researchers should review the following resources when preparing for any foreign travel, both to avoid loss or theft of data and to determine whether any documents or licenses are required.
Resources:
Research Security Training
NSPM-33 Directive to Federal Agencies
Agencies should require that, as part of their research security programs, research organizations provide training to relevant personnel on research security threat awareness and identification, including insider threat training where applicable. Research organizations should consider incorporating relevant elements of research security into existing training on responsible and ethical conduct of research for faculty and students. In addition to periodic training, research organizations should conduct tailored training in the event of a research security incident.
UCI's Implementation
Awaiting release of UCOP research security training module
Resources:
Export Control Training
NSPM-33 Directive to Federal Agencies
Agencies should require that research organizations conducting R&D that is subject to export control restrictions provide training to relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.
UCI's Implementation
Training is required for relevant personnel on requirements and processes for reviewing foreign sponsors, collaborators and partnerships, and for ensuring compliance with Federal export control requirements and restricted entities lists.
Training: Training & Policies
Resources: Export Control