White House to require increased cybersecurity protocols for R&D institutions

The Office of Science and Technology Policy said federal research agencies must certify proper security requirements for covered institutions, including in higher education.
Arati Prabhakar attends the 2023 Milken Institute Global Conference at The Beverly Hilton on May 01, 2023 in Beverly Hills, California. (Photo by Jerod Harris/Getty Images)

Federal research agencies will now require certain covered institutions to implement cybersecurity programs for research and development security, a move the White House attributes to growing threats posed by the People’s Republic of China. 

Office of Science and Technology Policy Director Arati Prabhakar made her case in the memorandum for increased awareness of security threats from adversaries. The guidance aims to enable national R&D enterprise research agencies and participants to “respond appropriately” through certifying that institutions’ research security programs — and cybersecurity protocols — include foreign travel security, research security training and export control training. 

“Technology and R&D are central to this strategic competition, and the PRC has exploited international research collaboration by undermining values — such as transparency, accountability and reciprocity — in order to advance its strategic objectives and military modernization,” the memo states. 

According to the memo, higher education institutions certified by the federal research agencies must implement a cybersecurity program consistent with the CHIPS and Science Act’s cybersecurity resource for research-focused entities. That implementation must occur one year following the final issuance of this document; the National Institute of Standards and Technology has posted an initial draft of the resource. 


Covered institutions that are not part of higher education but are certified by the research agencies are required to “implement a cybersecurity program consistent with another relevant cybersecurity resource maintained by NIST or another federal research agency,” the memo states.

Federal research agencies are required to submit plans to update policies regarding “standardized requirements” for research security programs within six months, and those will take effect six months after finalized plans have been submitted. Additionally, agencies must “ensure that covered institutions have adequate time”  to implement those requirements, though it must happen in under 18 months after the effective date. 

The Biden administration, however, makes clear that federal research agencies must balance security efforts without prejudice throughout the process of implementation. 

“Federal research agencies should implement research security policies in a way that treats everyone equally under the law, without xenophobia, prejudice or discrimination, a principle reinforced by the CHIPS and Science Act,” the memo states.

Caroline Nihill

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.

Latest Podcasts