Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On 4 January 2022, the White House Office of Science and Technology Policy (OSTP) issued Guidance to federal agencies for implementing National Security Presidential Memorandum 33 (NSPM-33) to strengthen protections against foreign interference in federally-funded scientific research. The Guidance centers on five key areas: (1) Disclosure Requirements and Standardization; (2) Consequences for Violation of Disclosure Requirements; (3) Research Security Programs; (4) Information Sharing; and (5) Digital Persistent Identifiers. We discuss the Guidance’s key points and provide considerations for federal grantees and contractors.
Over the past few years, inappropriate foreign influence in America’s research enterprise has taken center stage. Agencies such as the National Science Foundation (NSF) and the National Institutes of Health (NIH) have introduced vigorous measures to protect US federally-funded research and guard against misappropriation of US intellectual property. These measures have placed enormous pressures on awardee institutions to collect information and disclose to funding agencies potential researcher conflicts of interest, conflicts of commitment, non-US activity, and sources of funding support.
At the same time, research institutions have faced a proliferation of federal investigation and enforcement activity – including by the Offices of Inspector General (OIGs) and the US Department of Justice (DOJ) – focused on failures to fully disclose foreign affiliations and activities. The DOJ’s China Initiative has sought to prosecute academic researchers for concealing ties to China and falsifying federal grant applications or obscuring participation in foreign government-sponsored talent recruitment programs. And just recently, the US House of Representatives released the America COMPETES Act of 2022 which, similar to a Senate bill last year, places additional scrutiny on foreign gifts and contracts with higher education institutions.
In its last week in office, the Trump Administration issued NSPM-33 aimed at preserving US national security in federally-supported research and development. The Biden Administration endorsed that objective and has now prepared Guidance on the implementation of NSPM-33.
National Science and Technology Council (NSTC) Chair Eric Lander prepared a “Foreword” to the Guidance which offers two important framing points:
The Guidance aims to crystalize the disclosure requirements and harmonize forms that agencies must apply to principal investigators, senior/key personnel, peer reviewers, and advisory committee/panel members.
In terms of disclosure obligations, the Guidance offers a table of personal and professional activities that agencies must require researchers to disclose in the award application process and in post-award submissions. At present, there remains inconsistency in the language used by the Guidance, NIH, and NSF regarding the same type of researcher activity to be disclosed – for example, in the areas of outside consulting activity, honoraria, and submission of foreign contracts. The Guidance leaves to agencies whether to require awardee institutions to submit to funding agencies copies of contracts that researchers hold with foreign parties; NIH requires such submission as part of its Other Support disclosure process – which is a significant burden on research institutions – but NSF does not automatically require a copy of such contracts. Query how other agencies will address this point.
Another highly consequential issue involves “certifications” regarding the information disclosed. The Guidance and NIH both require a “Certification by the individual that the information disclosed is accurate, current, and complete” which for NIH means a signature of the researcher. NSF does not currently require a researcher’s specific signature of certification. In all cases, the Guidance mandates federal agencies to “require certification by the applicant organization that each covered individual who is listed on the application has been made aware of all relevant disclosure requirements”. This will be yet another research compliance obligation on institutions, with all the implications that come with making a “certification”.
Here, the Guidance enumerates arrayed potential consequences for researchers and institutions that omit to disclose appropriately, including criminal, civil, and administrative actions.
Notably, the Guidance maintains some limiting parameters for when organizations can be subject to enforcement action: Consistent with Section 223 of the National Defense Authorization Act (NDAA) for Fiscal Year 2021, an enforcement action
“may be taken by a research agency against a research organization only in cases in which (a) the organization did not meet requirements for entities to certify that covered individuals have been made aware of disclosure requirements; (b) the organization knew that a covered individual failed to disclose required information and the research organization did not take steps to remedy such nondisclosure before the application was submitted; or (c) the head of the research agency concerned determines that the organization is owned, controlled, or substantially influenced by a covered individual; and such individual knowingly failed to disclose required information.”
Many institutions are already taking steps to clearly document how covered individuals have been made aware of disclosure requirements (e.g., training programs), and to centralize institutional knowledge of key information, such as researcher conflicts of interest and other funding support.
Furthermore, the Guidance directs agencies to “strongly encourage” individuals to come forward to correct past omissions or inaccuracies. To be clear, there is no “amnesty” program, which many institutions had hoped would materialize under the Guidance. Accordingly, voluntary disclosure will remain a complicated situation for which no standard playbook applies. The Guidance signals that voluntary disclosure will be considered favorably in any resolution process.
Among the most significant features of the Guidance is the new “research security program” that federal agencies must require institutions to implement. Research organizations awarded in excess of $50 million per year in federal research funding must certify to implementation of a research security program that covers four elements: (1) Cybersecurity; (2) Foreign Travel Security; (3) Research Security Training; and (4) Export Control Training. Qualifying institutions would have one year to establish compliance following an agency’s issuance of the formal requirement.
Most institutions already have programs aimed at responsible conduct of research (RCR) but the “research security program” appears to take compliance to another level. For example, the government’s focus on foreign travel security includes “international travel policies for faculty and staff” as well as “an organizational record of covered international travel” and “disclosure and authorization” in advance of international travel, along with security briefings and assistance with electronic device security. For institutions that have historically handled travel on a decentralized basis, this new requirement could demand an overhaul of the way business travel is handled.
With regard to cybersecurity, the Guidance indicates several basic safeguarding protocols, such as authenticating users, scanning for malicious code, and rolling out cybersecurity awareness training. One question will be whether these protocols apply only to federally-funded units of the institution or to the entire institution, and whether it’s even practical to limit such safeguards to individual departments. Institutions should note that, last October, the DOJ announced a Civil Cyber-Fraud Initiative which is expressly focused on using the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.
Research institutions already have spent considerable time addressing inappropriate foreign influence. The new Guidance presents yet another opportunity to evaluate whether disclosures as enumerated in the Guidance are sufficiently addressed in institutional policies on outside activity, conflicts of interest and commitment, and Other Support. But that is not enough. Equally important is designing an institutional system that effectively captures information that may sit in multiple locations across the organization. Leveraging existing repositories of data and eliminating architectural barriers to pooling information is critical to compliance. With respect to the “research security program,” institutions may wish to mobilize early a cross-disciplinary team (IT, HR, travel, export control, legal, etc.) to determine how such a program would function within the organization.
Our team is guiding many research organizations as they navigate the evolving foreign influence and research security landscape. Please contact us at any point.
Authored by William Ferreira, Stephanie Gold, Will Crawford, Adilene Rosales, and Sarah Godwin.