National Science, Technology, and Security Roundtable Capstone: Proceedings of a Workshop (2025)

Chapter: 8 Legislative, Regulatory, and Other Types of Responses

Suggested Citation: "8 Legislative, Regulatory, and Other Types of Responses." National Academies of Sciences, Engineering, and Medicine. 2025. National Science, Technology, and Security Roundtable Capstone: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/27976.

8

Legislative, Regulatory, and Other Types of Responses

Maria Zuber (Massachusetts Institute of Technology) moderated a panel that considered legislative, regulatory, and other types of responses to research security. Zuber said that countering the rise of China has strong bipartisan support and, while congressional actions taken on research security are generally well-meaning, actions have sometimes had deleterious effects. She said that the House Select Committee on the Strategic Competition between the United States and the Chinese Communist Party¹ has been bipartisan and thoughtful under chairs Mike Gallagher (R-WI) and John Moolenaar (R-MI). She referenced the recently issued White House Office of Science and Technology Policy guidelines for research security programs at covered institutions² in National Security Presidential Memorandum–33³ (NSPM-33), noting that NSPM-33 and its implementation guidance are the result of bipartisan efforts. Zuber said that successful execution of research security guidelines will depend on hitting the “sweet spot” between getting too prescriptive and too open-ended.

___________________

1 The Select Committee on the Strategic Competition between the United States and the Chinese Communist Party was formed in January 2023 in the United States House of Representatives to provide coordination regarding policy on China. See https://selectcommitteeontheccp.house.gov/.

2 Office of Science and Technology Policy. 2024. Memorandum for the Heads of Federal Research Agencies. Guidelines for Research Security Programs at Covered Institutions, July 9, 2024. https://www.whitehouse.gov/wp-content/uploads/2024/07/OSTP-RSP-Guidelines-Memo.pdf.

3 The White House. 2021. “Presidential Memorandum on United States Government-Supported Research and Development National Security Policy.” National Security Presidential Memorandum–33 (NSPM-33), January 14, 2021.

Toby Smith (Association of American Universities) identified five core principles for research security:

  • Ensuring risk-based and harmonized policies across federal research agencies
  • Making openness a priority to advance both science and national security
  • Ensuring that research security and preserving scientific openness are complementary, not contradictory
  • Ensuring that policies avoid racial profiling and have clear mechanisms for due process
  • Having researchers and universities take responsibility for assessment of risk

Smith said that there has been an “incredible” amount of work done since he began working on research security issues in 2018, citing as examples the NSPM-33 common disclosure forms and guidelines; the creation of the National Science and Technology Council (NSTC) interagency working group; the creation of the National Science, Technology, and Security Roundtable (NSTSR); the establishment of the National Science Foundation chief research security officer, SECURE (Safeguarding the Entire Community in the U.S. Research Ecosystem) Center, and TRUST (Trusted Research Using Safeguards and Transparency) pilot program; mandatory faculty disclosure of all funding sources in research and development (R&D) award applications; and the prohibition on participation in malign foreign talent programs. While a lot has been done to address research security, it is a challenge to convince Congress that this is the case.

Smith called for the following:

  1. Forum(s) like the NSTSR where stakeholders and government intelligence, security, and research officials can engage in an ongoing dialogue
  2. Continued interagency collaboration, for example, the NSTC interagency working group
  3. The creation of a Federal Bureau of Investigation (FBI) Liaison Office for universities at the national level
  4. Better coordination among intelligence agencies in their research security efforts
  5. Training for agency program officers on Controlled Unclassified Information (CUI) and controls, including when and how specific restrictions should be imposed
  6. Clear processes for ensuring due process, especially in instances of agency administrative action
  7. Increased sharing of information regarding clear security risks, for example, the development of mechanisms for sharing classified information with specific trusted university officials
  8. Additional mechanisms to help improve research security and assess potential risks, which might, for example, employ the model of the Research and Education Networks Information Sharing and Analysis Center Cybersecurity Assessment Service⁴ or involve the creation of a Federal Demonstration Partnership project related to research security and integrity
  9. The development, support, and funding of new strategic international partnerships
  10. Increasing retention of foreign students who graduate from American universities with advanced science, technology, engineering, and mathematics (STEM) degrees, for example, through enacting the STAPLE Act.⁵

Information designated as CUI is often sensitive personal information (e.g., student records, health information, grant proposals, and budgets), rather than national security information. Currently, there are 20 broad groupings of CUI and 120 CUI categories within those groupings,⁶ and Smith said that CUI designations are challenging for program officers to understand. This, in turn, leads to a tendency to overidentify material as CUI, which triggers a set of requirements from the federal government that are “tough and expensive.”

In responding to the challenges of research security, Smith said that it is important to avoid requiring excessive and duplicative reporting by faculty and/or institutions; developing lists of “sensitive research” for which faculty would be unable to share and publish their scientific results; overly restricting the ability of U.S. researchers to participate in important international scientific partnerships; adding new categories of CUI; making significant changes to how we treat fundamental research for purposes of export control; and reinstating the China Initiative.

___________________

4 See https://www.ren-isac.net/services/pas/index.html.

5 H.R. 2717, 115th Congress (2017–2018). See https://www.congress.gov/bill/115th-congress/house-bill/2717/all-info.

6 See https://www.archives.gov/cui/registry/category-list.

Smith said that scientific progress requires science to be open and replicable, testable, and reproducible. It is important to consider the costs versus benefits of closed versus open science, and they must not be viewed as mutually exclusive. The United States no longer has a monopoly on the top science. National security requires investments in fundamental scientific research and not merely walling it off. National security also requires the development of a national talent recruitment, retention, and development strategy. Universities and government must work together to ensure research security, research integrity, and continued scientific openness.

“National security requires the development of a national talent recruitment, retention, and development strategy.”

Toby Smith
Association of American Universities

Paul Doucette (Battelle) said that Battelle has a significant role in a number of federally funded research and development centers (FFRDCs), including eight Department of Energy national labs. DOE has had protections in place to shield research ever since the Manhattan Project, but such measures are unprecedented for civilian science agencies. He suggested that intelligence personnel who understand the importance of managing risk and the need to preserve openness and collaboration while simultaneously protecting research and intellectual property are missing from the conversations about research security. For FFRDCs, there has been a pivot from thinking about export controls and dual-use technologies in the context of national security to thinking about economic security as well.

DOE is a member of the Intelligence Community and is the largest federal sponsor of open, collaborative, basic research in the physical sciences. This fact is part of what has drawn additional scrutiny to DOE in recent years. Being a member of the Intelligence Community means that DOE labs have access to threat assessments and information, which are valuable and informative. But it also means that DOE and its national labs fall under the jurisdiction of the House and Senate Intelligence Committees, which, together with the House and Senate Armed Services Committees, has put the agency under increased scrutiny, especially regarding concerns about China. There has also been scrutiny from the committees with programmatic jurisdiction over DOE and the House Select Committee on the Strategic Competition between the United States and the Chinese Communist Party.

The House and Senate National Defense Authorization Acts for Fiscal Year 2025 both have provisions that would prohibit access to DOE labs by certain foreign nationals.⁷ This is problematic because open, collaborative research is crucial to the national labs’ work on nuclear deterrents. An open research environment also provides encouragement for the best and brightest scientists from around the world to work at our national labs. DOE has controls and infrastructure in place to manage risks from foreign entities and measures to advance open collaborative research while also protecting intellectual property. DOE performs extensive screening of anyone who accesses laboratories or laboratory networks and has security measures in place to limit access of foreign nationals who come on to their sites. The department rejects about 10 percent of foreign national requests to access DOE sites.

Doucette enumerated policy principles and recommendations in the categories of transparency, consistency, balance, encouraging innovation, and resourcing appropriately. For increased transparency, he recommended updating systems to enable better tracking and sharing of information and improving data quality and reliability. For improving consistency, he recommended developing common definitions and standardized policies and procedures, while acknowledging differences among DOE’s national labs. To achieve balance in policies, he recommended prioritizing risk management rather than attempting risk avoidance, as well as balancing the protection of research and intellectual property with open collaboration in order to advance science. He recommended encouraging innovation by sharing best practices among national laboratories, universities, and federal agencies. Finally, he emphasized the importance of appropriately resourcing not only research security and counterintelligence efforts but also R&D programs. Doucette concluded by saying that “the best defense is a good offense.”

DISCUSSION

Richard Meserve (formerly of the Carnegie Institution) advocated for aggressive limits on the use of the CUI designation, calling for an examination of CUI and greatly reducing the number of categories. Smith said that CUI categories have become a “catchall for everything” and that there should be more training, suggesting that not all CUI categories should be treated equally. He suggested there should be training for program officers about changing the designation of research from fundamental to protected research, including when such changes should take place. John Gannon (formerly of the National Intelligence Council) expressed agreement with Smith’s recommendation to establish an FBI Liaison Office for universities at the national level but said that providing federal resources for such an office would be an issue.

___________________

7 The provisions that prohibit access to DOE labs by certain foreign nationals in the House and Senate versions of the 2025 National Defense Authorization Act are:
House: H.R. 8070 § 3111
Senate: S.4638 § 3120

Smith said that both Republicans and Democrats agree it is necessary to create an immigration pathway for highly skilled STEM talent; however, in the current polarized political environment, immigration reform is a fraught topic. As a result, reforms to highly skilled STEM immigration policies will not be addressed until comprehensive immigration reform is achieved.

Michael McQuade (Carnegie Mellon University) said that it would be beneficial for cleared university presidents and vice presidents of research (and perhaps compliance officers) to have a venue to be able to discuss threats. It is important to establish a flow of information to aid decision-making within universities. Given evidence of the threats to research security, McQuade now assumes a zero-trust environment for foreign engagement. We need to think, he said, about what would define demonstrable trust among allies and partners rather than focusing so much on China. Doucette said that in some cases, countries the United States considers allies are also countries we need to be careful about collaborating with. Just because someone is an ally does not mean we can trust them in international collaborations. Rather, it is about managing risk for collaborating with all international partners. Smith said that today’s ally might be tomorrow’s adversary.
