Reference Library

In the September 10, 2025, Federal Register, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule. The new rule formalizes the ability of the DoD to include CMMC requirements as a condition of contract award, to include either Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both.

Published August 4, 2025, this guidance provides background on Fundamental Research (FR) as defined by NSDD-189 and DoD's implementation of the Directive via the May 24, 2010 'Carter Memo'. The Guidance notes that 'under the Carter Memo, research funded by 6.1 budget activity or 6.2 research conducted on a university campus is fundamental. For other research categories, the Department must be deliberate when deciding that a particular research topic is appropriate for openly published fundamental research'. It incorporates Considerations for Program Managers and Contracts and Grants Officers, including: a. Refraining from imposing publication review of research that has been formally designated as fundamental; b. For awards with multiple performers, considering whether some portion of the work should be designated as FR even if much of the award is not; and c. Avoiding flowing down restrictions to awardees performing FR that are inappropriate for FR. In addition, no security vetting should be done on personnel engaged in fundamental research and no preapproval conditions for the addition of researchers.

Published by DoD on June 24, 2025, this document introduces the FY23 lists of foreign institutions identified as engaging in problematic activity and foreign talent recruitment programs identified as posing a threat to U.S. national security, as required by Section 1286 of the FY2019 NDAA.

The final CMMC Program rule published in October 2024 by the DoD Office of the Secretary establishing the Cybersecurity Maturity Model Certification framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense supply chain.

Supplemental summary document and press release from DoD announcing the final CMMC Program rule.

Frequently asked questions about DARPA's Fundamental Research Risk-Based Security Review Program (FRR-BS), issued May 2024.

A survey issued by COGR in April 2024 documenting research institutions' experiences with DoD's policy for risk-based security reviews of fundamental research.

Joint comments submitted by ACE, AAU, APLU, COGR, and EDUCAUSE on February 26, 2024 in response to the proposed CMMC rule.

The proposed rule for the CMMC Program published in December 2023, which was superseded by the final rule in October 2024.

Issued June 29, 2023 by DoD. The document includes: 1. A Policy on Risk-based Security Reviews of Fundamental Research, 2. A Decision Matrix to Inform Fundamental Research Proposal Mitigation (Amended May 5, 2025), 3. A list of foreign institutions identified as engaging in problematic activity (Part 3, Table 1, Amended June 24, 2025), and 4. A list of foreign talent recruitment programs identified as posing a threat to U.S. national security interests (Part 3, Table 2). The Decision Matrix contains four factors for assessing senior/key personnel disclosures: a. Participation in foreign talent recruitment programs, b. Current or prior funding from foreign countries of concern (FCOCs), c. Filing a patent in an FCOC or on behalf of an FCOC-connected entity without disclosure, and d. Associations or affiliations with organizations on U.S. Entity (trade restriction) and other indicated (U.S. restricted) lists.

Signed January 3, 2020. Section 223 mandates disclosure of funding sources in applications for federal R&D awards and holds universities accountable for ensuring faculty awareness. Section 1299C is an amendment to FY 2019 NDAA Section 1286 requiring designation of an official responsible for liaising with academic institutions and briefing them on espionage risks. Section 1062 restricts DoD and NSF funds to institutions hosting a Confucius Institute. Section 9907 prohibits any funds for microelectronics initiatives to a foreign entity of concern.

Signed December 20, 2019. Section 1746 directs OSTP to establish an interagency working group (the Research Security Subcommittee) under the NSTC to protect federally funded R&D from foreign interference, cyberattacks, theft, or espionage and to develop recommendations for best practices for federal agencies and grantee institutions. Section 1746 also called on the National Academy of Science, Engineering and Medicine to stand up a new Roundtable on Science, Technology, and Security. Includes Confucius Institute waiver criteria for DoD.

Signed into law July 26, 2018. Section 1286 directs the Secretary of Defense to establish an initiative to work with IHEs who perform defense research and engineering activities and name an academic liaison. It also directed DoD to publish a list of institutions and foreign talent recruitment programs that have perpetuated malicious activities or that operate under the direction of the military forces or the intelligence agency of the applicable country and thus pose a threat to national security. The resulting list is updated annually.

DoD's Basic Research and Research Directorate portal providing access to fundamental research policies, the decision matrix, Section 1286 lists, and research security guidance for defense-funded research.