Research Security
The Research & Innovation Office (RIO) is responsible for leading security and compliance efforts to ensure the campus’s adherence to security requirements, as well as supporting faculty and staff in their related responsibilities.
Research security has emerged as a top priority for US institutions receiving sponsored project funds from federal sponsors. The NSPM-33 Implementation Guidance, released in January 2022, requires any institution receiving over $50 million in federal research funding to establish a Research Security Program touching on four main areas of focus: research security training, cybersecurity, foreign travel security and export control training. In response to this guidance, the Research and Innovation Office, in collaboration with several other campus units, including the Office of Contracts and Grants and the Office of Information Technology, has established this page as a starting point in the development of our own Research Security Program.
What steps have recently been taken at CU «Ƶ?
- Completed an internal review of our approach to international collaborations and developed a framework for how we will continue to pursue international collaboration. As part of this review, we have issued the Guidelines for International Collaborations Memo.
- The Office of Export Controls has reviewed campus procedures regarding J-1 visiting scholars and have updated the campus procedures for review, management and out-processing.
- CU «Ƶ’s Research Innovation Office established the Campus Misconduct Advisory Group (CMAG) which meets collaboratively to inquire into allegations of misconduct (and may include activities concerning external affiliations, conflict of interest, international travel, and sponsor disclosures). CMAG is comprised of stakeholders across campus and occasionally hosts external partners for updates on evolving policies and potential risks scenarios.
- CU «Ƶ’s Conflicts of Interest & Commitment Office has implemented additional disclosure requirements which include $0 threshold for all significant foreign financial interests and foreign travel and a new Foreign Research Collaboration section which must be answered by everyone (which includes identification of any research collaborations with any foreign entity and reporting of any involvement with a foreign talent recruitment program).
- In fulfillment of the research security measures incorporated in the CHIPS and Science Act, CU «Ƶ’s Research Innovation Office conducted a review of campus practices and policies pertaining to foreign talent recruitment programs. As part of this review, our campus COIC policy has been updated to incorporate a prohibition from «Ƶ affiliated individuals from participating in a malign foreign talent recruitment program (MFTRP). A MFTRP is broadly defined as a foreign program, position or activity that includes compensation (defined broadly to include compensation, honorific titles, research funding, etc) in return for certain actions (e.g. unauthorized transfer of intellectual property, recruitment of other to the programs, establishing a laboratory or a company in the foreign country, etc) sponsored by or based in a country of concern.
- For additional information, please refer to Office of Science and Technology Policy’s or contact RIO’s Office of Research Security.
If you have questions about research security at the university, please contact CU «Ƶ’s Facility Security Officer Justin Mack: justin.mack@colorado.edu.
What do you need help with?
Explore the topics below to connect with our experts.
[anchors /]
Definitions
To learn more about different terms associated with research security as defined by the federal government, please visit:
Research Security Topics
What is Classified Research?
Classified reserach is any research that bears a security classification from the federal government, such as top secret, secret, or confidential. Classified research restricts some or all of the results, procedures, and personnel working on the project under rules established by the agency for which the research is being conducted.
Contact cufso@colorado.edu for support.
What External Activities Should Be Disclosed to Federal Sponsors?
Currently, each federal sponsor has their own guidelines specifying which activites need to be disclosed prior to funding, or during the period of performance, to remain compliant with the award's terms and conditions. For assistance in navigating those various requirements, use the resources below and ask your OCG Proposal Analyst.
Due to the release of the guidance outlined in National Security Presidential Memorandum (NSPM) 33, we anticipate that these requirements will be changing in the near future. Federal sponsors have been asked to develop uniform disclosure requirements to reduce confusion and administrative burden. Stay tuned for updates to external activity disclosure requirements.
Contact ocgcompliance@colorado.edu or your OCG Proposal Analyst for support.
What is a Foreign Government (Sponsored) Talent Recruitment Program?
According to the , a Foreign Government-Sponsored Talent Recruitment Program is defined as an "Effort organized, managed, or funded by a foreign government, or a foreign government instrumentality or entity, to recruit science and technology professionals or students (regardless of citizenship or national origin, or whether having a full-time or part-time position).
- Some foreign government-sponsored talent recruitment programs operate with the intent to import or otherwise acquire from abroad, sometimes through illicit means, proprietary technology or software, unpublished data and methods, and intellectual property to further the military modernization goals and/or economic goals of a foreign government.
- Many, but not all, programs aim to incentivize the targeted individual to relocate physically to the foreign state for the above purpose.
- Some programs allow for or encourage continued employment at United States research facilities or receipt of Federal research funds while concurrently working at and/or receiving compensation from a foreign institution, and some direct participants not to disclose their participation to United States entities.
- Compensation could take many forms including cash, research funding, complimentary foreign travel, honorific titles, career advancement opportunities, promised future compensation, or other types of remuneration or consideration, including in-kind compensation."
Contact cufso@colorado.edu for support.
What is an Insider Threat?
According to the NSPM-33 Implementation Guidance, an Insider Threat is defined as "the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities."
Contact cufso@colorado.edu for support.
What is National Security Presidential Memorandum (NSPM) 33?
NSPM-33 is a directive from the President requiring all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards. In addition, it also mandates the establishment of research security programs at major institutions receiving in excess of $50 million per year in federal research funding.
Due to the release of the NSPM-33 implementation guidance, we are anticipating changes in federal disclosure requirements and processes by 2023 or earlier.
Contact ocgcompliance@colorado.edu or your OCG Proposal Analyst for support.
Why Do We Sceen Our Research Collaborators?
In order to ensure that the «Ƶ is compliant with United States Federal regulations (), OCG must screen individuals and organizations that are contributing to our research to ensure they are appropriately vetted prior to receiving funding. This includes verification of the Department of Commerce Lists (which include the Denied Persons List, Unverified List, and Entity List), Nonproliferation Sanctions, AECA Debarred List, and Specially Designated Nationals List.
How Do We Sceen Our Research Collaborators?
OCG utilizes two tools to screen entities and individuals to ensure they are not debarred, suspended, or appear on Restricted and Denied Party lists.
The University of Colorado is licensed to use the services of Visual Compliance (https://www.visualcompliance.com) to ensure companies as well as individuals are not contained on mandatory Restricted and Denied Parties lists that are maintained by the United States Government and its allies, world organizations, and law enforcement agencies. These lists help prevent CU from having business dealings with parties deemed as blocked, restricted, or denied by Governments, world organizations and law enforcement bodies.
The System for Award Management (SAM) (https://www.sam.gov) is a United States Government-managed database that serves as the repository for all screened entities. This database can include both domestic and foreign entities. Furthermore, all businesses that are working with the Government must first register before they are able to receive a contract. While an individual must log in before making changes to an existing account or establishing a new record, the public can search the records without creating an account.
When Are Potential Collaborators Screened by OCG?
There are several checkpoints for screening potential collaborators. All sponsors in OCG's research administration database (InfoEd) are screened by Visual Compliance before they are added to they system to create a proposal record. During contract negotiation, SBIRs/STTRs and agreements with international entities are also screened through Visual Compliance. During subcontract negotiation, all domestic entities are screened through SAM and all international entities are screened through Visual Compliance. If a screening tool returns a match for a potential collaborator, a risk mitigation plan is discussed.
Contact cufso@colorado.edu for support.
What are the concerns regarding undue foreign influence in research?
According to JCORE:
"Over the past several years there has been increasing concern about potential malign foreign influence and research security risk at U.S. research institutions. These concerns encompass a variety of activities such as:
- nondisclosure of foreign gifts to and contracts with U.S. academic institutions;
- nondisclosure of employment affiliations and appointments with foreign entities
- development of parallel (shadow) laboratories
- recruitment of U.S. scientists to participate in foreign government-sponsored talent programs (FGTPs) that support the development of critical emerging technologies;
- and theft of intellectual property and/or diversion of intellectual capital developed with U.S. government funds at U.S. research institutions.
While certain countries, including Russia, Iran, and others, have caused concern, the U.S. government’s primary focus has been on the People’s Republic of China (China), as illustrated by FBI Director Christopher Wray’s February 2018 address before the U.S. Senate Intelligence Committee in which he stated that the academic sector was naïve to the China threat."
Contact cufso@colorado.edu for support.
Research Security Scenario
Assistant Professor Ellen Nguyen is an emerging expert in microelectronics. She has several active federal awards managed by CU «Ƶ’s Office of Contracts and Grants, including projects with NSF, DOD and DOE. During the International Conference on Microelectronics, she was introduced to a professor who recently published an article on a new cooling technology. In their conversation they realize that they share mutual goals which results in a collaboration in which Dr. Nguyen receives equipment in-kind for which she can utilize in her laboratory for two years. Dr. Nguyen is thrilled, as the market value of this equipment is close to $50,000, and she did not originally plan for this purchase on her projects.
- Is Dr. Nguyen required to take any further action or reach out to any CU offices?
Dr. Nguyen should first reach out to the Office of Contracts and Grants (OCG) as they are responsible for review, negotiation, and acceptance of a bailment (or loan) agreement. OCG will then be able to internally route to ensure other units may complete their review (and may include fiscal reporting (Campus Controller’s Office), Research Security, and Office of Export Controls). Dr. Nguyen should also plan to disclose this as part of her Disclosure of External Professional Activities (DEPA). In addition, here are some campus resources:- Office of Contracts and Grants' Property and Equipment Website
- Office of Export Controls Website
- Conflicts of Interest & Commitment (and DEPA) Website
- While the equipment was provided in-kind, would this change if the item was gifted to her (rather than a loan)?
Assistant Professor Nguyen will be required to disclose in-kind support. OCG is able to support her in making the appropriate disclosures.- See the Office of Contracts and Grants' External Activities Disclosure Website
- Are there any concerns in receiving this equipment in which she should be aware of?
Depending on the nature of the equipment, Office of Information Technology may also review to ensure that the appropriate measures are taken. This will further ensure that the possibility of any security concerns have been mitigated.- See the CU System Office of Information Security’s
- Would the approach be altered if the professor is from a “higher risk” country (for example, Iran) and the equipment is provided from this country?
As part of the internal review process, the Office of Export Controls will review the terms and condition, specifications of the equipment, and export control requirements. Any changes or updates to one’s DEPA shall also be made within 30 days of a change in a previously disclosed interest or activity or having something new to disclose. Depending on the nature of the agreement and requirements, additional measures may need to be taken (including incorporation of a technology control plan, export license or permit, etc).- See the Office of Export Controls’ Managing Export Controls Website
- See the Conflicts of Interest & Commitment (and DEPA) Website
Cybersecurity Topics
What is CUI?
CUI was defined in as information held by or generated for the Federal Government that requires safeguarding or dissemination controls. Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research may be CUI. The obligation to determine whether or not an award will involve CUI belongs to the federal sponsor; award documents should specifically identify CUI and applicable security requirements.
Contact CU «Ƶ's Research Cybersecurity Program (itso-sec-review@colorado.edu) for support.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third party assessment program of cybersecurity in the United States government Defense Industrial Base aimed at measuring the maturity of an organization's cybersecurity processes toward demonstrating compliance with the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
Contact CU «Ƶ's Research Cybersecurity Program (itso-sec-review@colorado.edu) for support.
University of Colorado Office of Information Security (OIS)
The OIS offers many services to help ensure the privacy and proper handling of university information assets. The following are provided in support of the university’s academic mission and the strategic vision of each campus.
- Security Posture Assessment
- Compliance Support
- Security Consulting and Review
- Awareness and Training
- Security Monitoring/Response
- Investigation Support
- Technology Solutions
- Policy and Governance
Contact CU Office of Information Security (security@colorado.edu) for support.
All CU community members have a stake in reducing risks that could impact the university’s financial, reputational, and legal standing. The mission of OIS is to provide you relevant and attainable guidance that will keep sensitive university information private and secure.
Contact CU Office of Information Security (security@colorado.edu) for support.
Center for the Development of Security Excellence (CDSE)
The offers several resources and trainings focused on topics related to Information Security and Cybersecurity, including:
Foreign Travel Security Topics
What Is the Fly America Act?
The is a federal regulation that:
- Requires the use of U.S. carriers for travel that will be reimbursed from federal grants and contracts, regardless of cost or convenience.
- Allows for air transportation by or under a “code-sharing agreement” with a U.S. flag air carrier if service provided by such a carrier is available.
- Requires travel on a U.S. carrier as far as possible if there is no U.S. carrier to your destination.
Contact your OCG Grant or Contract Officer for support.
Considerations for Foreign Travel
Before you depart, be sure to evaluate risk, educate yourself on necessary safety precautions, and ensure compliance with export control regulations, sponsor requirements and University travel policies.
Contact your OCG Contract or Grant Officer or exportcontrolhelp@colorado.edu for support.
As a general rule, international travel should not involve export-controlled equipment, materials, software, or technology (together "items") without first consulting with OEC. If you are unsure as to whether your item is export-controlled, OEC can assist in both classifying the technology, as well as assessing the risk involved. We will work with you to identify ways to mitigate risks - looking at the countries, foreign parties, and technology involved - in a manner that continues to facilitate your research.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
When making international travel arrangements and purchases as a CU employee.
Contact your CCO Area or Grant Accountant or psc@cu.edu for support.
Export Control Topics
What are Export Controls?
Export controls are federal laws that regulate the distribution of controlled devices, software, and information when such items are designated as “defense articles” or "dual use" commodities. Although these regulations frequently do not affect research activities, they can apply to the following situations:
- The nature of the technology in the research has actual or potential military applications,
- Foreign countries, organization(s), or individual(s) involved in the research are prohibited by law,
- The government regulates the potential end-use or the end-user of the technology resulting from the research.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
When Is an Export Control License Needed?
An Export License is a written authorization provided by the federal government granting permission for the release or transfer of export controlled information or item under a defined set of conditions. In many cases, basic and applied research may be included under one or more of the exemptions or exclusions provided in the Export Control regulations. In some cases, it may be necessary to apply for an export license or Technical Assistance Agreement.
If it is determined that your activity requires an export license, the Export Control Committee will coordinate the license application process. Contact the Export Control Committee at exportcontrolhelp@colorado.edu. They will work with you and the Office of Legal Affairs to submit a license request to the appropriate regulatory body on your behalf. It is important to note that obtaining an export license can take 3-6 months and there is no guarantee that a license will be granted.
Contact Your OCG Proposal Analyst or the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
For most countries, collaborations with personnel and scholars at foreign institutions or organizations do not require export licenses unless there is export controlled or restricted technology involved. However, for a small number of sanctioned countries, and a growing list of restricted foreign universities and organizations in a slightly broader set of countries, U.S. universities must conduct due diligence to ensure that academic and research collaborations do not violate U.S. law.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
What is a Technology Control Plan?
A Technology Control Plan (TCP) is a document drafted by the researcher in collaboration with the Export Control Committee and their department chair specifying procedures that will be taken in order to safeguard and control access to information or items that are export restricted.
In general, a TCP will outline what the restricted information/item is, who will have access to it, how access will be monitored and controlled, how the information/item will be physically and electronically stored, what information about it can be shared or presented, and what will be done with the information/item once the project is completed.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
Research and expertise across CU «Ƶ.
Our 12 research institutes conduct more than half of
the sponsored research at CU «Ƶ.
More than 75 research centers span the campus,
covering a broad range of topics.
A carefully integrated cyberinfrastructure supports CU «Ƶ research.