Research Security
The Research & Innovation Office (RIO) is responsible for leading security and compliance efforts to ensure the campus’s adherence to security requirements, as well as supporting faculty and staff in their related responsibilities.
Research security has emerged as a top priority for US institutions receiving sponsored project funds from federal sponsors. The NSPM-33 Implementation Guidance, released in January 2022, requires any institution receiving over $50 million in federal research funding to establish a Research Security Program touching on four main areas of focus: research security training, cybersecurity, foreign travel security and export control training. In response to this guidance, the Research and Innovation Office, in collaboration with several other campus units, including the Office of Contracts and Grants and the Office of Information Technology, has established this page as a starting point in the development of our own Research Security Program.
CU Boulder’s Facility Security Officer, who is responsible for overseeing the university’s facility security clearance, is also housed within RIO. If you have questions about research security at the university, please contact Justin Mack: justin.mack@colorado.edu.
What do you need help with?
Explore the topics below to connect with our experts.
Research Security Topics
What is Classified Research?
Classified research is any research that bears a security classification from the federal government, such as top secret, secret, or confidential. Classified research restricts some or all of the results, procedures, and personnel working on the project under rules established by the agency for which the research is being conducted.
Contact cufso@colorado.edu for support.
What External Activities Should Be Disclosed to Federal Sponsors?
Currently, each federal sponsor has its own guidelines specifying which activities need to be disclosed prior to funding, or during the period of performance, to remain compliant with the award's terms and conditions. For assistance in navigating those various requirements, use the resources below and ask your OCG Proposal Analyst.
Due to the release of the guidance outlined in National Security Presidential Memorandum (NSPM) 33, we anticipate that these requirements will be changing in the near future. Federal sponsors have been asked to develop uniform disclosure requirements to reduce confusion and administrative burden. Stay tuned for updates to external activity disclosure requirements.
Contact ocgcompliance@colorado.edu or your OCG Proposal Analyst for support.
What is a Foreign Government (Sponsored) Talent Recruitment Program?
According to the NSPM-33 Implementation Guidance, a Foreign Government-Sponsored Talent Recruitment Program is defined as an "Effort organized, managed, or funded by a foreign government, or a foreign government instrumentality or entity, to recruit science and technology professionals or students (regardless of citizenship or national origin, or whether having a full-time or part-time position).
- Some foreign government-sponsored talent recruitment programs operate with the intent to import or otherwise acquire from abroad, sometimes through illicit means, proprietary technology or software, unpublished data and methods, and intellectual property to further the military modernization goals and/or economic goals of a foreign government.
- Many, but not all, programs aim to incentivize the targeted individual to relocate physically to the foreign state for the above purpose.
- Some programs allow for or encourage continued employment at United States research facilities or receipt of Federal research funds while concurrently working at and/or receiving compensation from a foreign institution, and some direct participants not to disclose their participation to United States entities.
- Compensation could take many forms including cash, research funding, complimentary foreign travel, honorific titles, career advancement opportunities, promised future compensation, or other types of remuneration or consideration, including in-kind compensation."
Contact ocgcompliance@colorado.edu for support.
What is an Insider Threat?
According to the NSPM-33 Implementation Guidance, an Insider Threat is defined as "the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities."
Contact cufso@colorado.edu for support.
What is National Security Presidential Memorandum (NSPM) 33?
NSPM-33 is a directive from the President requiring all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards. It also mandates the establishment of research security programs at major institutions receiving in excess of $50 million per year in federal research funding.
Due to the release of the NSPM-33 implementation guidance, we are anticipating changes in federal disclosure requirements and processes by 2023 or earlier.
Contact ocgcompliance@colorado.edu or your OCG Proposal Analyst for support.
Why Do We Screen Our Research Collaborators?
In order to ensure that the University of Colorado Boulder is compliant with United States Federal regulations (FAR Subpart 9.4), OCG must screen individuals and organizations that are contributing to our research to ensure they are appropriately vetted prior to receiving funding. This includes verification of the Department of Commerce Lists (which include the Denied Persons List, Unverified List, and Entity List), Nonproliferation Sanctions, AECA Debarred List, and Specially Designated Nationals List.
How Do We Screen Our Research Collaborators?
OCG utilizes two tools to screen entities and individuals to ensure they are not debarred, suspended, or appear on Restricted and Denied Party lists.
When Are Potential Collaborators Screened by OCG?
There are several checkpoints for screening potential collaborators. All sponsors in OCG's research administration database (InfoEd) are screened by Visual Compliance before they are added to the system to create a proposal record. During contract negotiation, SBIRs/STTRs and agreements with international entities are also screened through Visual Compliance. During subcontract negotiation, all domestic entities are screened through SAM and all international entities are screened through Visual Compliance. If a screening tool returns a match for a potential collaborator, a risk mitigation plan is discussed.
Contact cufso@colorado.edu for support.
What are the concerns regarding undue foreign influence in research?
According to JCORE:
"Over the past several years there has been increasing concern about potential malign foreign influence and research security risk at U.S. research institutions. These concerns encompass a variety of activities such as:
- nondisclosure of foreign gifts to and contracts with U.S. academic institutions;
- nondisclosure of employment affiliations and appointments with foreign entities
- development of parallel (shadow) laboratories
- recruitment of U.S. scientists to participate in foreign government-sponsored talent programs (FGTPs) that support the development of critical emerging technologies;
- and theft of intellectual property and/or diversion of intellectual capital developed with U.S. government funds at U.S. research institutions.
While certain countries, including Russia, Iran, and others, have caused concern, the U.S. government’s primary focus has been on the People’s Republic of China (China), as illustrated by FBI Director Christopher Wray’s February 2018 address before the U.S. Senate Intelligence Committee in which he stated that the academic sector was naïve to the China threat."
Contact cufso@colorado.edu for support.
Cybersecurity Topics
What is CUI?
CUI was defined in Executive Order 13556 as information held by or generated for the Federal Government that requires safeguarding or dissemination controls. Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research may be CUI. The obligation to determine whether or not an award will involve CUI belongs to the federal sponsor; award documents should specifically identify CUI and applicable security requirements.
Contact CU Boulder's Research Cybersecurity Program (itso-sec-review@colorado.edu) for support.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third party assessment program of cybersecurity in the United States government Defense Industrial Base aimed at measuring the maturity of an organization's cybersecurity processes toward demonstrating compliance with the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
Contact CU Boulder's Research Cybersecurity Program (itso-sec-review@colorado.edu) for support.
University of Colorado Office of Information Security (OIS)
The OIS offers many services to help ensure the privacy and proper handling of university information assets. The following are provided in support of the university’s academic mission and the strategic vision of each campus.
- Security Posture Assessment
- Compliance Support
- Security Consulting and Review
- Awareness and Training
- Security Monitoring/Response
- Investigation Support
- Technology Solutions
- Policy and Governance
Contact CU Office of Information Security (security@colorado.edu) for support.
All CU community members have a stake in reducing risks that could impact the university’s financial, reputational, and legal standing. The mission of OIS is to provide you relevant and attainable guidance that will keep sensitive university information private and secure.
Contact CU Office of Information Security (security@colorado.edu) for support.
Center for the Development of Security Excellence (CDSE)
The Center for the Development of Security Excellence (CDSE) offers several resources and trainings focused on topics related to Information Security and Cybersecurity, including:
Foreign Travel Security Topics
What Is the Fly America Act?
The Fly America Act is a federal regulation that:
- Requires the use of U.S. carriers for travel that will be reimbursed from federal grants and contracts, regardless of cost or convenience.
- Allows for air transportation by or under a “code-sharing agreement” with a U.S. flag air carrier if service provided by such a carrier is available.
- Requires travel on a U.S. carrier as far as possible if there is no U.S. carrier to your destination.
Contact your OCG Grant or Contract Officer for support.
Considerations for Foreign Travel
Before you depart, be sure to evaluate risk, educate yourself on necessary safety precautions, and ensure compliance with export control regulations, sponsor requirements and University travel policies.
Contact your OCG Contract or Grant Officer or exportcontrolhelp@colorado.edu for support.
As a general rule, international travel should not involve export-controlled equipment, materials, software, or technology (together "items") without first consulting with OEC. If you are unsure as to whether your item is export-controlled, OEC can assist in both classifying the technology, as well as assessing the risk involved. We will work with you to identify ways to mitigate risks - looking at the countries, foreign parties, and technology involved - in a manner that continues to facilitate your research.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
When making international travel arrangements and purchases as a CU employee.
Contact your CCO Area or Grant Accountant or psc@cu.edu for support.
Export Control Topics
What are Export Controls?
Export controls are federal laws that regulate the distribution of controlled devices, software, and information when such items are designated as “defense articles” or "dual use" commodities. Although these regulations frequently do not affect research activities, they can apply to the following situations:
- The nature of the technology in the research has actual or potential military applications,
- Foreign countries, organization(s), or individual(s) involved in the research are prohibited by law,
- The government regulates the potential end-use or the end-user of the technology resulting from the research.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
When Is an Export Control License Needed?
An Export License is a written authorization provided by the federal government granting permission for the release or transfer of export controlled information or item under a defined set of conditions. In many cases, basic and applied research may be included under one or more of the exemptions or exclusions provided in the Export Control regulations. In some cases, it may be necessary to apply for an export license or Technical Assistance Agreement.
If it is determined that your activity requires an export license, the Export Control Committee will coordinate the license application process. Contact the Export Control Committee at exportcontrolhelp@colorado.edu. They will work with you and the Office of Legal Affairs to submit a license request to the appropriate regulatory body on your behalf. It is important to note that obtaining an export license can take 3-6 months and there is no guarantee that a license will be granted.
Contact your OCG Proposal Analyst or the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
For most countries, collaborations with personnel and scholars at foreign institutions or organizations do not require export licenses unless there is export controlled or restricted technology involved. However, for a small number of sanctioned countries, and a growing list of restricted foreign universities and organizations in a slightly broader set of countries, U.S. universities must conduct due diligence to ensure that academic and research collaborations do not violate U.S. law.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.
What is a Technology Control Plan?
A Technology Control Plan (TCP) is a document drafted by the researcher in collaboration with the Export Control Committee and their department chair specifying procedures that will be taken in order to safeguard and control access to information or items that are export restricted.
In general, a TCP will outline what the restricted information/item is, who will have access to it, how access will be monitored and controlled, how the information/item will be physically and electronically stored, what information about it can be shared or presented, and what will be done with the information/item once the project is completed.
Contact the Office of Export Controls (exportcontrolhelp@colorado.edu) for support.