Reference Library

A chart that compares federal laws, regulations, and policies in the area of science and security. The chart is divided into three separate tabs that cover (a) major federal-wide legislation or policy, (b) agency disclosure requirements for researchers and research institutions; and (c) agency conflict of interest policies. Updated September 30, 2025.

A matrix that lists policies and requirements under the headings of: Disclosures, Agency Risk Assessment, FCOI & COC, Training, Certifications, and Research Security Program for each federal agency. Per COGR, this tool is frequently updated to reflect the release of new documentation. Updated September 30, 2025.

In a September 29, 2025, notice (NOT-OD-25-161), the National Institutes of Health (NIH) rescinded the September 11, 2025, notice (NOT-OD-25-154) Implementation of NIH Research Security Policies. Per the notice, 'NIH continues to work with the National Science Foundation and other Federal research agencies to finalize guidance on each of the required elements outlined in the Office of Science and Technology Policy (OSTP) Guidelines for Research Security Programs at Covered Institutions, and to develop a centralized process for recipients to certify compliance.' The notice indicates that the implementation date for the requirements announced in NOT-OD-25-154 have not been finalized, the notice is therefore rescinded, and that 'NIH will issue updated guidance on Research Security requirements in the coming months.'

On September 24, 2025, and effective immediately, NIH issued NOT-OD-25-159, establishing new security, operational, and transparency standards for controlled-access data repositories (CADRs) that store and manage sensitive human research data.

Issued September 24, 2025, and effective October 24, 2025, NIH implemented NOT-OD-25-160, a policy to enhance security for human biospecimens in NIH-funded research.

On September 18, 2025, NIH released additional information regarding the agency's new application and award structure for international collaborations, previously announced in NIH NOT-OD-25-155. In addition to summarizing impacts to proposing/recipient institutions, the announcement provides links to additional information for the four new Activity Codes (grant types) that will be used to facilitate the new application and award process.

Issued September 12, 2025, this notice provides additional information on the agency's new process for handling foreign components, as NIH announced in NOT-OD-25-104 that the agency would not issue awards for proposals that include subawards to foreign entities. Under the process described in NOT-OD-25-155, competing applications that include one or more foreign components must submit to a Notice of Funding Opportunity (NOFO) that supports a complex mechanism activity code, including two new international project 'parent' activity codes that NIH is creating: PF5 for grants and UF5 for cooperative agreements.

In the September 10, 2025, Federal Register, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule. The new rule formalizes the ability of the DoD to include CMMC requirements as a condition of contract award, to include either Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both.

The National Academies Assessing Research Security Efforts in Higher Education working group held a number of meetings and a May workshop with federal and non-federal experts beginning September 2024 and concluding September 4, 2025, to discuss assessment of federal research security efforts. Proceedings from the workshop can be found on the National Academies website.

On September 4, 2025, NIH issued notice NOT-OD-25-152, regarding the agency's plans to release preview versions of NIH's Common Forms for Biographical Sketches (Biosketches) and Current and Pending (Other) Support in the Science Experts Network Curriculum Vitae (SciENcv) system. Access to the preview versions is purely for informational purposes and applicants/recipients may not submit documents to NIH that were created using the preview functionality. Applicants/recipients must continue to use the current NIH Biosketch and Other Support forms until NIH officially implements its Common Forms, which the agency anticipates will occur in November 2025. The fall 2025 government shutdown may impact this timeline.

Published September 3, 2025, a National Academies Committee conducted an expedited study to examine federal research regulations and identify ways to improve regulatory processes and administrative tasks, reduce or eliminate unnecessary work, and modify and remove policies and regulations that have outlived their purpose while maintaining necessary and appropriate integrity, accountability, and oversight. Research security specific options include: implement the NSPM-33 common disclosure forms and disclosure table without deviation; establish common principles for agency research security risk reviews for fundamental research; continue prior efforts to streamline and clarify export controls; and adapt cybersecurity requirements for university settings.

Published August 4, 2025, this guidance provides background on Fundamental Research (FR) as defined by NSDD-189 and DoD's implementation of the Directive via the May 24, 2010 'Carter Memo'. The Guidance notes that 'under the Carter Memo, research funded by 6.1 budget activity or 6.2 research conducted on a university campus is fundamental. For other research categories, the Department must be deliberate when deciding that a particular research topic is appropriate for openly published fundamental research'. It incorporates Considerations for Program Managers and Contracts and Grants Officers, including: a. Refraining from imposing publication review of research that has been formally designated as fundamental; b. For awards with multiple performers, considering whether some portion of the work should be designated as FR even if much of the award is not; and c. Avoiding flowing down restrictions to awardees performing FR that are inappropriate for FR. In addition, no security vetting should be done on personnel engaged in fundamental research and no preapproval conditions for the addition of researchers.

Issued July 18, 2025 as a follow-up to NOT-OD-25-104. This updated guidance creates an alternative, short-term approach for existing grants and cooperative agreements involving human subjects research (e.g., clinical trials and clinical research) with foreign sites. The alternative approach involves removing a foreign sub-award from the primary award and having it issued as a foreign supplement award.

Effective October 1, 2025, recipient institutions must train senior/key personnel on the requirement to disclose all research activities and affiliations in Other Support and maintain a 'written and enforced policy on requirements for the disclosure of other support to ensure Senior/Key Personnel fully understand their responsibility to disclose.'

Published July 10, 2025. Includes NSF implementation of three new requirements (and three existing ones) in alignment with the CHIPS and Science Act and NSPM-33. The requirements, effective October 10, 2025, include: a. Recipient institutions must maintain supporting documentation for foreign activities reported as current and pending (other) support, b. Senior/key personnel must certify they have completed research security training (RST) within 12 months prior to proposal submission; Recipient institutions' Authorized Organizational Representative (AOR) must certify that all senior/key personnel have completed required RST and that the institution has a plan to provide appropriate training, c. AORs at institutions of higher education (IHEs) must certify that, absent a waiver granted by the NSF Director, the IHE does not maintain a contract or agreement between the institution and a Confucius Institute.

Issued July 8, 2025. This memorandum: a. Requires all USDA Mission Areas, Agencies, and Offices to: i. Within 30 days, conduct a comprehensive review of all current USDA awards/subawards with foreign persons/entities and provide justification as to why a US recipient was not selected, ii. Effective immediately, request approval (including justification) prior to issuing an award/subaward to a foreign person/entity. b. Requires applicants (i.e., covered individuals) to: i. Complete the Common Forms for Biographical Sketches and Current and Pending (Other) Support and provide updated information annually, ii. Certify they are not a participant in a malign foreign talent recruitment program (MFTRP) and recertify annually, iii. Certify that they are not contracting with or providing benefit to any foreign person/entity in a country of concern, iv. Certify that they are not party to utilizing forced labor, v. Complete an annual disclosure of contracts associated with participation in programs sponsored by foreign governments/entities, vi. Seek approval from USDA to subaward any portion of a funded arrangement, including university students, post-doctoral fellows, and visiting researchers. c. Requires Employing Entities to: i. Certify to applicants' completion of research security training, ii. Prohibit applicants who either are currently or have in the past 10 years participated in MFTRPs from working on USDA projects, iii. Provide supporting documentation for foreign activities reported as current and pending support, iv. Review any documents required under the memorandum for compliance with USDA award terms and conditions.

Published by DoD on June 24, 2025, this document introduces the FY23 lists of foreign institutions identified as engaging in problematic activity and foreign talent recruitment programs identified as posing a threat to U.S. national security, as required by Section 1286 of the FY2019 NDAA.

The CHIPS and Science Act of 2022 directs federal research funding agencies to establish a policy that requires each covered individual (CI) listed in an R&D proposal to certify that they are not a party to a MFTRP in the proposal submission and annually thereafter for the duration of the award. NSF was the first federal agency to implement this certification via the common federal biosketch and current and pending support forms in May 2024. NSF began rolling out the annual certification on June 7, 2025, for all PIs and co-PIs named on an NSF award made on or after May 20, 2024. NSF is making sample contracts available that meet the parameters of a MFTRP. Contract examples and frequently asked questions can be found on the NSF website under MFTRPs.

The Congressional Research Service (CRS) issued a report on May 20, 2025, summarizing federal research security policy efforts to date, and providing options Congress might consider to address perceived gaps or deficiencies while also remaining cognizant of the potential increase to administrative burden they would present. Proposed options discussed include: a. Expanding sources of foreign support researchers are required to disclose, b. Broadening the scope of who is required to disclose Current and Pending (Other) Support, c. Increasing the frequency of post-award updates, d. Expanding agency requirements when reviewing disclosed information, e. Focusing risk assessment activities more narrowly on critical and emerging technologies, f. Expanding agencies' requirements to report to congress on research security violations, mitigation measures, and implementation status.

Issued May 1, 2025. Prospectively updates NIH policies and practices for utilizing foreign subawards. Per the notice, 'NIH is establishing a new award structure that will prohibit foreign subawards from being nested under the parent grant. This new award structure will include a prime [with independent linked awards] that will allow NIH to track the project's funds individually while scientific progress will be reported collectively by the primary institution under the Research Performance Progress Report.' NIH anticipates implementing the new award structure by no later than September 30, 2025, prior to Fiscal Year 2026. The policy continues to support direct foreign awards and plans to expand this policy to domestic subawards in the future, for consistency.

Effective immediately (April 29, 2025), the SBIR and STTR Foreign Disclosure and Risk Management Requirements described in NOT-OD-23-139 and NOT-OD-24-029 may be applied to all active SBIR and STTR awards regardless of the due date the competing application was submitted. Recipients with active awards that did not undergo foreign risk assessment at the time of their original application may be required to disclose all funded and unfunded relationships with foreign countries, using the Required Disclosures of Foreign Affiliations or Relationships to Foreign Countries Form. If the recipient reports a covered foreign relationship that meets any of the risk criteria prohibiting funding, NIH may deem it necessary to terminate the award for material failure to comply with the federal statutes, regulations, or terms and conditions of the federal award.

Issued on November 26, 2024. DOE's RTES office issued a 'framework to minimize, mitigate, and manage risks while maintaining an open, collaborative, and world-leading scientific enterprise.' The process includes three phases during which RTES will coordinate with program offices. This includes ensuring solicitations include appropriate language on RTES requirements, including assessment of technology risk level; and RTES 'due diligence' reviews before selection for award; and changes that occur during the life of a project that may trigger RTES review. Risk reviews use information disclosed to the agency as well as public and classified sources. Risk factors include ties to malign foreign talent recruitment programs, 'certain foreign funding sources', 'certain concerning behaviors associated with patenting', and ties to foreign entities or foreign collaborators on specified [certain U.S. restricted] lists 'or with specified characteristics.'

Issued on October 7, 2024, this document outlines DOE's implementation of research security training requirements for covered individuals on financial assistance applications and for organizations applying for an award. The requirement was effective immediately but not mandatory until May 1, 2025. The training requirement is satisfied either by completion of the four training modules created by NSF, completion of the SECURE Center CTM (as indicated per DOE post FAL), or by a custom training program that is aligned with the CHIPS and Science Act Section 10634(b). Per DOE the training must be completed within the 12 months immediately preceding the application submission, consistent with the CHIPS Act requirements, and any covered individuals added to the project must certify that they have completed the training within 30 calendar days of joining the project.

Supplemental summary document and press release from DoD announcing the final CMMC Program rule.

The final CMMC Program rule published in October 2024 by the DoD Office of the Secretary establishing the Cybersecurity Maturity Model Certification framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense supply chain.