July 22, 2024 By Jonathan Reed 2 min read

Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D.

Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People’s Republic of China (PRC), as per Arati Prabhakar, Assistant to the President for Science and Technology and author of the memo.

Why R&D must improve security

Today, a top priority is placed on security controls and other measures seeking to prevent malware attacks on high-value targets such as critical infrastructure. Also, modern military and economic power largely hinge on technical competitive advantages.

“Technology and R&D are central to this strategic competition, and the PRC has exploited international research collaboration by undermining values — such as transparency, accountability and reciprocity — in order to advance its strategic objectives and military modernization,” writes Prabhaka in the OSTP memo.

A shift in attitude towards security responsibilities

The memo states that the Biden Administration’s research security efforts are twofold. The White House wants to ensure that institutions of higher education and research recognize the current global landscape and fulfill their security responsibilities. Unlike proprietary R&D, most academic research is intended to be published or shared. However, some scholarly research may involve applications with national security implications.

In the past, researchers may have been encouraged to collaborate with institutions within the PRC. However, the OSTP states that the geopolitical landscape is different now. The memo says, “We must be clear with the research community about how the world has changed… the policies and practices of foreign countries of concern differ from those of the U.S.” Furthermore, “Some of the results from U.S. R&D can contribute to human rights abuses, surveillance and military aggression,” as per the memo.

New education R&D requirements

According to the OSTP memo, higher education institutions certified by federal research agencies must implement a cybersecurity program following the CHIPS and Science Act’s cybersecurity document for research-focused entities. That implementation must occur within one year following the final issuance of the document.

Now, covered institutions that receive federal science and engineering support “in excess of $50 million per year” must certify to the funding agency that the institution has established and operates a research security program. Covered institutions will be required to certify that their research security programs include elements relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training, as appropriate.

By early January 2025, federal research agencies must submit plans for updating policies to comply with the new guidance measures. From there, the agencies have six more months to have finalized plans submitted to OSTP and OMB. Covered institutions will have no more than 18 months after the effective date of their plans to implement the requirements of the memorandum.

Emphasis on avoiding xenophobia

To address risks posed by strategic competitors to the U.S. research and development enterprise, the Biden-Harris Administration is implementing these new measures to improve research security. The new OSTP memo also explicitly states that this must be accomplished “without exacerbating xenophobia, prejudice or discrimination.”

In the increasingly complex task of strengthening national cybersecurity, these new requirements are essential. It’s no surprise that federal regulation is reaching further into R&D.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today