Institutional Certification

Final Research Security Program (RSP) Guidelines published on July 9, 2024, via a memorandum to the heads of federal research funding agencies. Federal agencies are directed to implement the guidelines and provide time for institutional implementation. The four required areas are: cybersecurity, foreign travel security, research security training, and export control training. Agencies are coordinating implementation under a memorandum of agreement and anticipated to issue the requirements in early 2026.

On September 24, 2025, and effective immediately, NIH issued NOT-OD-25-159, establishing new security, operational, and transparency standards for controlled-access data repositories (CADRs) that store and manage sensitive human research data.

Issued September 24, 2025, and effective October 24, 2025, NIH implemented NOT-OD-25-160, a policy to enhance security for human biospecimens in NIH-funded research.

In a September 29, 2025, notice (NOT-OD-25-161), the National Institutes of Health (NIH) rescinded the September 11, 2025, notice (NOT-OD-25-154) Implementation of NIH Research Security Policies. Per the notice, 'NIH continues to work with the National Science Foundation and other Federal research agencies to finalize guidance on each of the required elements outlined in the Office of Science and Technology Policy (OSTP) Guidelines for Research Security Programs at Covered Institutions, and to develop a centralized process for recipients to certify compliance.' The notice indicates that the implementation date for the requirements announced in NOT-OD-25-154 have not been finalized, the notice is therefore rescinded, and that 'NIH will issue updated guidance on Research Security requirements in the coming months.'