In response to growing security risks posed by the People’s Republic of China, the White House has mandated enhanced cybersecurity measures for research and development institutions. Directed by the Office of Science and Technology Policy, the new guidelines require federal research agencies to ensure that designated institutions, including higher education entities, adopt rigorous cybersecurity protocols.
OSTP Director Arati Prabhakar underscored the necessity of bolstering security against adversarial threats in a memorandum released recently. Highlighting the exploitation of international research collaborations by the PRC, Prabhakar emphasized the strategic importance of technology and R&D in national security and competition. The memorandum aims to equip R&D enterprises with the necessary tools to counteract such threats effectively.
According to the memorandum, higher education institutions certified by federal research agencies must adhere to cybersecurity frameworks consistent with the CHIPS and Science Act. These frameworks encompass provisions for foreign travel security, research security training, and export control training. Implementation of these cybersecurity programs must commence within one year of the final issuance of the directive.
For institutions outside the realm of higher education but certified by federal research agencies, compliance involves adopting cybersecurity protocols aligned with relevant resources stipulated by the National Institute of Standards and Technology (NIST) or other designated federal entities. The NIST has already released an initial draft outlining cybersecurity resources tailored for research-focused entities.
Federal research agencies are tasked with revising their policies to incorporate standardized requirements for R&D security programs. These updates must be submitted within six months, with enforcement beginning six months after the finalized policies are adopted. The directive stresses the importance of providing adequate time for covered institutions to implement these requirements, specifying an implementation period of under 18 months from the effective date of the guidelines.
While emphasizing the criticality of cybersecurity enhancements, the Biden administration also emphasizes the need for fairness and equality in the implementation process. Agencies are directed to enforce security policies without bias, xenophobia, or discrimination, aligning with the principles outlined in the CHIPS and Science Act.
