Research Security Program
About the Program
The Research Security Program is a collaboration between many university-wide departments based on campus policies and federal regulations. The Director of Research Security, reporting to the Vice-President for Research, serves as the point of contact for the university's research security program.
This website has been developed to (1) provide resources to the campus community and
(2) formalize the ongoing development of Stony Brook University's Research Security
Program as required by National Security Presidential Memorandum 33 (NSPM-33).
Guided by State University of New York (SUNY) Policy that prohibits the acceptance of any awards that (1) restrict dissemination of research results (Document 1800) and/or (2) restrict foreign national participation (Document 1801), research conducted at SBU is primarily fundamental research as defined in National Security Decision Directive (NSDD) 189 (read more here).
A waiver is required to accept restrictions on dissemination or foreign national participation, whether your project is funded or unfunded. Contact the Director of Research Security for assistance or questions.
The policies, information and guidance provided on this page are applicable to all research projects even if public dissemination of results is expected.
Disclosure of External Interests, Commitments and Resources
All external relationships - both domestic and international - should be transparent and must be disclosed in a manner that is consistent with applicable requirements, including federal and state laws/regulations/agency guidance, as well as the university's own policies and procedures.
The Office of Sponsored Programs maintains a website with resources to assist researchers in complying with federal sponsor disclosure requirements.
The Research Security Program maintains a website with guidance to assist campus disclosers in complying with the SBU Disclosure of External Interests and Commitments Policy.
All campus activities must comply with U.S. government export control laws. These laws regulate:
- Disclosure, shipment, use, transfer, or transmission of any item, commodity, material, technical information, technology, software, or encrypted software for the benefit of a foreign person or foreign entity anywhere (including the transfer of controlled information within the U.S., a “deemed export”);
- Transactions and the provision of services involving prohibited countries, persons or entities based on trade sanctions, embargoes and travel restrictions; and
- Certain transactions with persons or entities designated on federal restricted parties lists.
The Research Security Program maintains a website with guidance to assist the campus community in complying with federal regulations and the SBU Export Control Policy.
Faculty and students are encouraged to participate in international activities, as these may promote the creation of knowledge and enrich learning experiences. The Research Security Program maintains a website with resources and guidance for individuals engaging in these activities.
International Travel Security
International travel may pose significant health and safety risks, and travelers are
encouraged to carefully plan for trips prior to departure. Preparation should take
into consideration government warnings, University policies, health insurance coverage,
and country-specific requirements. The Research Travel Page provides guidance on travel and travel security.
As a reminder, all international travelers, regardless of funding source, must register their travel in Concur prior to travel.
IT Security Considerations While Traveling
FBI: Safety and Security for Business Professionals Traveling Abroad Brochure
FBI: Safety and Security for U.S. Students Traveling Abroad Brochure
FBI: The Key to U.S. Student Safety Overseas Brochure
Office of the Director of National Intelligence: Know the Risk - Raise Your Shield: Travel Awareness Video
Cybersecurity: Secure Computing
The Information Security Program, Division of Information Technology's website contains resources, guidance and services to help ensure privacy and protection of our data.
Secure Computing Guides - tip sheet and guides for students and faculty/staff designed to provide what they need to know in a concise format.
Security Consulting - consultative, training, education and awareness resources to assist students and faculty/staff in safe computing.
Incident Response/Reporting - notify the cybersecurity team if you are aware of a potential cybersecurity incident.
SBU Training Requirement
All faculty and staff are required to take annual Cybersecurity Awareness Training.
Insider Threat Awareness and Training
According to the NSPM-33 Implementation Guidance, an Insider Threat is defined as "the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities."
Insider threat includes: espionage, sabotage, fraud and intellectual property theft! See something, say something! Report it to your supervisor or contact the Director of Research Security, or you can submit a confidential report to Audit & Management Advisory Services.
The Center for Development of Security Excellence has short training videos.
The SBU Libraries Research Data Services' website provides resources, consultation and support for all aspects of a data lifecycle, from planning the data management strategy during the proposal phase through preserving the data at the conclusion of the project. They can assist with data management plans, federal public access plans, funder managements and research data management.
Federal Awards & Data Protection Standards
Some federal awards/subawards (issued as contracts) include clauses that require additional data security.
Research that includes the receipt, or in some cases the creation, of Controlled Unclassified Information (CUI), Covered Defense Information (CDI) or Government-Furnished Information (GFI) requires a consultation with the Director of Research Security and SBU's Information Security Program. Read more about government information.
Contract clauses that require review:
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
These clauses are often included with 252.204-7000 Disclosure of Information which is a prior approval publication restriction if a fundamental research determination is not granted by the U.S. federal sponsor's contracting officer.
Restriction on Certain Telecommunications & Surveillance Equipment
These government contracting clauses implement prohibitions from National Defense Authorization Acts. All purchases for these types of services, hardware and software must go through Procurement to ensure compliance with these regulations.
52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities
52.204-24 Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment
52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment
52.204-26 Covered Telecommunications Equipment or Services-Representation
Careful consideration should be given to the level of physical security that is needed to protect equipment, materials, and research. Environmental Health & Safety has established baseline requirements for lab security based on risk factors.
Filming on Campus and Export Controls Compliance
Lab Tours, Visitors and Guests
- Know who will be visiting the lab and the reason for the visit.
- Maintain a log of visitors to the lab.
- Ensure that no confidential or proprietary information is visible at the time of the tour/visit.
- Prohibit the taking of photographs/video of lab equipment or lab set-up.
- Do not permit visitors to insert thumb drives or other media into university computers during the tour.
- Escort visitors throughout the tour/visit.
Intellectual Property Protection
Beyond securing your data and physical space, intellectual property (potential or realized) should also be appropriately disclosed and protected.
- Intellectual property as required to sponsors.
- Any potential inventions or other intellectual property to Intellectual Property Partners (IPP).
- Use the proper agreement (i.e. material transfer agreement (MTA), data use agreement (DUA) or non-disclosure agreement (NDA)) when exchanging materials, data or other confidential/non-public information.
The Office of the Vice President for Research (OVPR) continues to monitor new regulations
and guidance provided by the federal government regarding research security, and we will inform the University community of relevant changes. Updates and new
information will also be provided on this page.
NSPM-33: Presidential Memorandum on United States Government-Supported Research and Development National Security Policy (January 14, 2021)
Federal funding agencies to strengthen and standardize disclosure requirements for federally funded awards; and
Research organizations awarded in excess of $50 million per year in total Federal research funding to implement a research security program that includes the four elements (cybersecurity, foreign travel security, research security training and export control training).
NSPM Fact Sheet
Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government-Supported Research and Development ("NSPM-33 Guidance")
January 4, 2022. The Office of Science and Technology Policy (OSTP) acting through the National Science and Technology Council (NSTC) Joint Committee on the Research Environment (JCORE) Subcommittee on Research Security released NSPM-33 Guidance.
Summary of NSTC Guidance for Implementing NSPM-33: Provisions Regarding DPIs, Consequences,
and Research Security Programs
January 10, 2022. Council of Government Relations (COGR)
Clear Rules for Research Security and Researcher Responsibility
August 10, 2021. Office of Science and Technology Policy (OSTP Blog). Dr. Eric Lander, President’s Science Advisor and Director of the Office of Science and Technology Policy, states "over the next 90 days, OSTP will develop clear and effective implementation guidance for NSPM-33, working in close partnership with the National Security Council staff, fellow Cabinet agencies, and other federal agencies through the National Science and Technology Council." The guidance will include a disclosure policy for all federally funded researchers, oversight and enforcement guidance for federal agencies that includes interagency sharing of information and a research security program requirement for research organizations that receive over $50 million annually in federal R&D funding.
Protecting Critical and Emerging U.S. Technologies from Foreign Threats The National Counterintelligence and Security Center (NCSC) (October 2021)
Recommended Practices for Strengthening the Security and Integrity of America's Science and Technology Research Enterprise National Science and Technology Council (NSTC) (January 2021)
Advancing America's Global Leadership in Science and Technology, Trump Administration Highlights: 2017-2020 (October 2020)
Enhancing the Security and Integrity of America's Research Enterprise (OSTP) (October 2020)
Summary of the 2019 White House Summit of the Joint Committee on the Research Environment (JCORE) (November 2019)
Letter to United States Research Community from OSTP Director Kelvin Droegemeier (September 2019)
Update from the National Science and Technology Council Joint Committee on Research Environments (July 2019)
Related Campus Policies
Responsible Use of Information Technology Resources
Disclosure of External Interests & Commitments Policy
Information Security Program Administration Policy
Cyber Incident Response Policy
Sensitive Information Classification Policy
Additional Division of Information Technology policies
Physical and Electronic Access Control Policy
Provost's Office: Approval Process for Faculty Members who are Offered Appointments at Foreign and Domestic Institutions
Provost's Office: Outside Consulting Work