Research wrapped: Key developments for academic research institutions in 2024 and looking ahead to 2025

In 2024, the federal government continued to shape the research compliance landscape with significant developments for research institutions across several areas. Key updates included the continued implementation of research security initiatives under National Security Presidential Memorandum 33 (NSPM-33) alongside the Office of Research Integrity (ORI) Final Rule on research misconduct – both generating new obligations for compliance professionals. The Office of Management and Budget (OMB) also rolled out updates to the OMB Uniform Guidance for federal grants and cooperative agreements, bringing important revisions to financial assistance regulatory and costing terms. As these changes continue to unfold, 2025 promises even more regulatory shifts and surprises. 

We offer below select highlights from 2024, with a focus on the U.S. Department of Health and Human Services (HHS) and the National Institutes of Health (NIH) along with a look ahead to 2025. 
 

Research misconduct

On September 12, 2024, ORI released a long-anticipated Final Rule to revise policies and procedures for research misconduct proceedings under 42 CFR Part 93. Sensitive to a deluge of research community reactions to an October 2023 Notice of Proposed Rulemaking (NPRM), ORI declined to adopt several controversial proposals from the NPRM.

Key features of the new research misconduct rule include the following: 

  • Clarification to the assessment, inquiry, and investigation process: ORI clarified that a Research Integrity Officer (RIO) or another institutional official may conduct an inquiry in lieu of a committee, which promotes efficiency and flexibility in the overall process. ORI also made clear that an ongoing investigation may add new allegations and respondents without a separate inquiry process.
  • Clarification to confidentiality obligations: The Final Rule resolves a classic question about those who “need to know” about a research misconduct proceeding. Disclosure of the identity of respondents, complainants, and witnesses is “determined by the institution” and those who need to know may include “journals, editors, publishers, co-authors, and collaborating institutions.” Further, institutions are permitted to acknowledge that data may be unreliable.
  • Clarification to transcript requirements: ORI shed the NPRM’s requirement for institutions to prepare transcripts of all interviews at the assessment and inquiry stage but maintained the requirement for transcripts at the investigation stage, which must be shared with the respondent.
  • Clarification to the institutional record: In an effort to promote meticulous recordkeeping and orderliness under the new rule, institutions must prepare and supply to ORI the “institutional record” after the Deciding Official has made a final determination of research misconduct findings. The institutional record comprises a great deal of documentation, including documentation of the assessment and inquiry; all records considered or relied on during the inquiry and investigation; transcripts of any transcribed interviews; decisions of the Deciding Official; records of appeals; and an index listing all the research records and evidence that the institution compiled during the research misconduct proceeding.
  • Clarification to definitions: A finding of research misconduct requires there be a significant departure from accepted practices of the relevant research community, and the misconduct must be committed “intentionally, knowingly, or recklessly”. The Final Rule provides—for the first time—definitions of the terms intentionally, knowingly, and recklessly, leaving less room for subjective interpretation.
  • Clarification to the subsequent use exception: Generally, the research misconduct process applies only to research misconduct that occurs within six years before the date an institution receives an allegation of research misconduct. But the so-called “subsequent use exception” means that allegations are reviewable if the respondent “continues or renews any incident of alleged research misconduct that occurred before the six-year limitation.” In the Final Rule, ORI attempted to clarify and narrow the subsequent use exception by indicating that it triggers only where the respondent “uses, republishes, or cites to the portion(s) of the research record that is alleged to have been fabricated, falsified, or plagiarized” (emphasis added).

The Final Rule applies to research misconduct proceedings for allegations received by institutions on or after January 1, 2026. In the coming year, many institutions will need to commence internal processes to prepare revised policies and procedures that comply with the Final Rule. 

2 CFR part 200 | Guidance for Federal Financial Assistance

In April, OMB released its long-awaited “Guidance for Federal Financial Assistance” to update 2 CFR Part 200, which governs federal grants and cooperative agreements. Our full analysis is available here. The revisions were effective on October 1, 2024. Notable revisions include the following items:

  • Mandatory disclosure obligations: OMB revised the mandatory disclosure obligations to require applicants, recipients, and subrecipients to “promptly disclose” whenever, in connection with the federal award, they have “credible evidence” of a violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations, or of the civil False Claims Act (31 U.S.C. 3729–3733). The previous requirement had mandated disclosure of actual violations of federal criminal law. With OMB’s new revisions, the mandatory disclosure obligation more closely aligns with the Federal Acquisition Regulation (FAR) requirement for government contractors.
  • Cost Principles: Among several revisions to the cost principles, OMB raised the de minimis indirect cost rate from 10% to 15% to allow for additional recovery of indirect costs, particularly for organizations that may not have resources to negotiate an indirect cost rate with HHS.
  • Audit Requirements: OMB increased the Single Audit threshold from $750,000 to $1,000,000.

Historically, HHS maintained its own set of implementing regulations for federal financial assistance awards codified at 45 CFR Part 75. But on October 2, 2024, HHS issued an interim Final Rule to forgo the separate codification, fully adopt 2 CFR Part 200, reduce the total number of HHS-specific changes, and codify those changes in 2 CFR Part 300. 

Research security guidelines

In July, the Office of Science and Technology Policy (OSTP) issued long-awaited Guidelines for Research Security Programs at Covered Institutions (“Guidelines”), which outline how federal research agencies must require “covered institutions”—including certain institutions of higher education and nonprofit research institutions—to certify their implementation of programs related to cybersecurity, foreign travel security, research security, and export control. We summarized here the new Guidelines, the entities affected, and the timeline for implementation. Recent developments in False Claims Act (FCA) enforcement under the DOJ’s Civil Cyber-Fraud Initiative (including recent settlements involving universities) place even more pressure on institutions relative to campus cybersecurity. 

NIH decision matrix on foreign interference 

Hundreds of institutions have been on the receiving end of NIH inquiries about inappropriate foreign interference, including undisclosed other support, foreign components, and conflicts of interest and commitment. In August, NIH released a decision matrix on how it assesses potential foreign interference in research, aiming to increase transparency about the types of behaviors that NIH finds problematic. The matrix outlines how NIH evaluates foreign influence concerns and how NIH determines whether to request additional information from institutions. NIH also published a series of case studies to help familiarize institutions with potentially problematic foreign engagements, which include situations involving duplicative funding, conflict of interest, overcommitment, and dishonesty. 

HHS Grants Policy Statement

In October 2024, HHS finally published a new version of its HHS Grants Policy Statement (HHS GPS) to replace the severely outdated 2007 version of the same document. The new HHS GPS applies to awards and modifications made on or after October 1, 2024, for HHS components such as CDC, FDA, HRSA, and CMS. The HHS GPS does not apply to awards made by NIH, which are subject to the separate (and frequently revised) National Institutes of Health Grants Policy Statement (NIH GPS). While not as detailed as the NIH GPS, the HHS GPS brings a much-needed policy refresh and consistency to the HHS grants community. 

Audit requirement for foreign awardees

Following years of inconsistent messaging, in July, NIH clarified the single audit requirements for foreign recipients and subrecipients. Effective as of October 1, 2024, non-U.S. NIH recipients and subrecipients that expend $750,000 or more in federal awards during their fiscal year must conduct either a single audit performed in accordance with 2 CFR 200 Subpart F, or a program-specific audit in accordance with the terms and conditions of the award (and only if the foreign entity’s federal awards are received from the same federal agency or pass-through entity, which must approve in advance a program-specific audit). 

Foreign disclosure policy for SBIR and STTR awards

Over the past year, NIH revised its Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) foreign disclosure requirements to enhance national security and protect sensitive research and development programs, consistent with the SBIR and STTR Extension Act of 2022. Key changes include a requirement for applicants to the SBIR and STTR programs to disclose all funded and unfunded relationships with foreign countries, using the SBIR STTR Foreign Disclosure Form, for all owners and covered individuals. NIH may deny an award where foreign involvement with “countries of concern” poses a security risk. Countries of concern include China, North Korea, Russia, and Iran.

Common forms for Biosketch and other support disclosure 

In February, the National Science and Technology Council (NSTC) Research Security Subcommittee issued common disclosure forms for the Biographical Sketch and the Current and Pending (Other) Support portions of funding application packages for grants and cooperative agreements, as directed by NSPM-33. The Common Forms are an important step toward interagency harmonization for research and development awards. 

Starting May 25, 2025, NIH will implement the Common Forms for the Biographical Sketch and Current and Pending (Other) Support disclosures across all applications and Research Performance Progress Reports (RPPRs). NIH also will require the use of the Science Experts Network Curriculum Vitae (SciENcv) to complete and certify these forms. NIH will mandate that all Senior/Key Personnel include their ORCID ID in the Persistent Identifier (PID) section of the Common Forms and link their ORCID ID to their eRA Commons Personal Profile.

Artificial intelligence

Following a July reorganization of its technology, cybersecurity, data, and artificial intelligence (AI) strategy and policy functions, HHS hosted in September an Exploratory Workshop on “The Evolving Landscape of Human Research with AI – Putting Ethics to Practice” to exchange ideas between government and industry on the use of AI in research and to explore ethical considerations for the use of AI in biomedical, social, and behavioral research. There remain several opportunities and tensions in the use of AI in clinical research; many institutions will continue to build policies, procedures, and risk management frameworks throughout 2025.

BIOSECURE Act

Efforts to curtail U.S. reliance on biotechnology companies in China came to the fore this past year with the introduction of the BIOSECURE Act. As described in our analysis, the legislation (if passed) would have been disruptive to clinical research organizations that rely on certain Chinese companies for genome sequencing, pharmaceutical ingredient manufacturing, and research cell lines. The Act essentially prohibited federal agencies from contracting with organizations that do business with “companies of concern” such as WuXi Apptec, WuXi Biologics, MGI, BGI, and Complete Genomics. However, the proposed legislation was omitted from the 2025 National Defense Authorization Act, which was its best chance of winning passage in 2024. The Act’s 2025 fate remains to be seen. 

Looking ahead to 2025

Congress and the incoming Trump Administration are poised to shake up the research compliance community in expected and unexpected ways. Items on our radar include the following:

  • Research Security 2.0: Reinstatement of the controversial “China Initiative” likely will materialize in some form, with renewed focus on curbing espionage and inappropriate foreign influence within academia, putting pressure on institutions to manage an ever-growing and fluid list of obligations related to conflict of interest, conflict of commitment, biosketches, other support, training, export control, and supply chain prohibitions. Learning from failed attempts to prosecute scientists, the Justice Department may pivot attention to institutions that appear cozy with “foreign countries of concern.”
  • Proliferation of Research Security Certifications: Funding agencies will continue to implement the security certification requirements of the FY 2021 NDAA and CHIPS and Science Act of 2022 (CHIPS Act), with some sponsors using the common forms and others using homegrown mechanisms. Certifications will include the following:
    • Current and pending support: Covered individuals must certify to the accuracy of their current, pending, and other support disclosures, and institutions must certify that each individual employed by the organization and identified on the proposal as a Senior/Key Person has been made aware of the certification requirements (Section 223 of the FY 2021 National Defense Authorization Act - 42 U.S.C. § 6605(a)(1)).
    • Malign Foreign Talent Recruitment Programs (MFTRP): Covered individuals (generally senior/key personnel) must certify prior to proposal submission that they are not a party to a MFTRP (and annually thereafter for the duration of the award), and institutions must certify that their covered individuals have been made aware of and have complied with their certification (Section 10632 of the CHIPS and Science Act of 2022 - 42 U.S.C. § 19232).
    • Research security training: Covered Institutions must implement a research security training program for all covered individuals, and institutions can meet the requirement by certifying (i) that they require covered individuals to complete the federal government’s research security training modules currently hosted by NSF, and (ii) that each covered individual has completed the training. Alternatively, institutions may deploy their own training modules (Section 10634 of the CHIPS and Science Act of 2022 - 42 U.S.C. § 19234).
  • Gifts guidance? Whether and to what extent monies that arrive in the form of a “gift” are disclosable as Other Support has been a point of debate within the research community. Many research compliance professionals expected a set of Frequently Asked Questions (FAQs) by the end of 2024. Potentially, 2025 could bring a more aggressive posture.
  • NIH Reforms: Some proposals on the table for the incoming Administration include consolidating the various Institutes, slashing NIH’s workforce, enhanced research security authority, term limits for NIH leadership, and bringing more transparency to research grant funding decisions. NIH’s budget for extramural awards—a key funding source for research institutions including small businesses—typically has seen bipartisan support in Congress, but institutions can expect more scrutiny than in past years, including a focus on “academic freedom” among the strings attached to awards.
  • NIH Grants Policy Statement: An updated NIH Grants Policy Statement for Fiscal Year 2025 is coming and likely will include reference to the certifications noted above, implementation of the revised 2 CFR Part 200, and new SBIR/STTR foreign disclosure requirements.
  • Immigration Reform: Enhanced scrutiny of visa applications including changes to the H-1B visa program may make it harder for academic institutions to recruit and retain foreign students and highly skilled scholars.
  • DETERRENT Act: Universities should keep close watch on the Defending Education Transparency and Ending Rogue Regimes Engaging in Nefarious Transactions Act (DETERRENT Act), which passed the House in 2023. Among other things, the bill slashes the threshold for foreign gift and contract reporting under Section 117 of the Higher Education Act from $250,000 down to $50,000, with an even stricter threshold of $0 for “countries of concern,” subject to a waiver process established by the U.S. Department of Education.
  • Department of Government Efficiency (DOGE): Whether targeted by DOGE or shifting agency priorities, it seems inevitable that the new administration will discontinue certain research grants and programs, potentially including funding for non-U.S. collaborations and foreign capacity building initiatives, and grants painted as “wasteful” of taxpayer funds. Institutions may need to rapidly seek other sources of support to bridge scientists and labs affected by such decisions.
  • Data transfer to China, Russia, and other designated countries: On October 21, 2024, the U.S. Department of Justice issued an NPRM that aims to restrict the ability of designated “countries of concern” and persons subject to their jurisdiction to access sensitive personal data or U.S. government-related data by restricting or prohibiting certain transactions. If the NPRM is finalized as-is, any U.S.-based organization engaged in global transactions will need to develop and deploy compliance programs. See our advisory here: DOJ proposes regulations limiting certain data transfers to protect national security.

As 2025 unfolds, there will be more to do and more to track within an ever more complex research compliance ecosystem. Our team welcomes the opportunity to help you track and navigate the evolving regulatory landscape.

 

Authored by William Ferreira, William Crawford, Lauren Colantonio, Stephanie Gold, and Joel Buckman.
