Research Security Program 

About the Program

The Research Security Program is a collaboration between many university-wide departments based on campus policies and federal regulations.   The Director of Research Security, reporting to the Vice-President for Research, serves as the university's research security program's point of contact. 

This website has been developed to (1) provide resources to the campus community and (2) formalize the ongoing development of Stony Brook University's Research Security Program as required by National Security Presidential Memorandum 33 (NSPM-33).  

---

University research

Guided by State University of New York (SUNY) Policy that prohibits the acceptance of any awards (1) restrict dissemination of research results (Document 1800) and/or (2) restrict foreign national participation (Document 1801)  research conducted at SBU is primarly fundamental research as defined in National Security Decision Directive (NSDD) 189 (read more here).   

A waiver is required to accept restrictions on dissemination or foreign national participation, whether your project is funded or unfunded.   Contact the Director of Research Security for assistance or questions.

The policies, information and guidance provided on this page are applicable to all research projects even if public dissemination of results is expected.

---

Disclosure of External Interests, Commitments and Resources

All external relationships - both domestic and international - should be transparent and must be disclosed in a manner that is consistent with applicable requirements, including federal and state laws/regulations/agency guidance, as well as the university's own policies and procedures.   

The Office of Sponsored Programs maintains a website with resources to assist researchers in complying with federal sponsor disclosure requirements. 

The Research Security Program maintains a website with guidance to assist campus disclosers in complying with the SBU Disclosure of External Interests and Commitments Policy.

---

Export Controls

All campus activities must comply with U.S. government export control laws.  These laws regulate:

• Disclosure, shipment, use, transfer, or transmission of any item, commodity, material, technical information, technology, software, or encrypted software for the benefit of a foreign person or foreign entity anywhere (including the transfer of controlled information within the U.S. “deemed export”); 
• Transactions and the provision of services involving prohibited countries, persons or entities based on trade sanctions, embargoes and travel restrictions; and 
• Certain transactions with persons or entities designated on a federal  restricted parties lists.

The Research Security Program maintains a website with guidance to assist the campus community in complying with federal regulations and the SBU Export Control Policy.

---

international activities

Faculty and students are encouraged to participate in international activities, as these may promote the creation of knowledge and enrich learning experiences.     The Research Security Program maitains a website with resources and guidance for individuals engaging in these activities.    

---

international Travel Security 

International travel may pose significant health and safety risks, and travelers are encouraged to carefully plan for trips prior to departure.  Preparation should take into consideration government warnings, University policies, health insurance coverage, and country-specific requirements.  The Research Travel Page provides guidance on travel and travel security. 

As a reminder, all international travel, regardless of funding source, must register their travel in Concur prior to travel.

IT Security Considerations While Traveling

Training Resources

FBI: Safety and Security for Business Professionals Traveling Abroad Brochure

FBI: Safety and Security for U.S. Students Traveling Abroad Brochure

FBI: The Key to U.S. Student Safety Overseas Brochure

Office of the Director of National Intelligence: Know the Risk - Raise Your Shield:  Travel Awareness Video

---

cybersecurity: Secure Computing

The Information Security Program, Division of Information Technology's website  contains resources, guidance and services to help ensure privacy and protection of our data.  

Secure Computing Guides - tip sheet and guides for students and faculty/staff designed to provide what they need to know in a concise format. 

Security Consulting -  consultative, training, education and awareness resources to assist students and faculty/staff in safe computing. 

Incident Response/Reporting - notify the cybersecurity team if you aware of a potential cybersecurity incident. 

SBU Training Requirement

All faculty and staff are required to take annual Cybersecurity Awareness Training. 

---

Insider Threat Awareness and Training 

According to the NSPM-33 Implementation Guidance, an Insider Threat is defined as "the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities."

Insider threat includes:  espionage, sabatoge, fraud and intellectual property theft!  See something, say something!  Report it to your supervisor  or contact the Director of Research Security, or you can submit a confidential report to Audit & Management Advisory Services. 

Training Resources

The Center for Development of Security Excellence has short training videos 

---

Data management

The SBU Libraries Research Data Services' website provides resources, consultation and support for all aspects of a data lifecycle, from planning the data management strategy during the proposal phase through preserving the data at the conclusion of the project.    They can assist with data management plans, federal public access plans, funder managements and research data management. 

---

Federal awards & Data protection standards

Some federal awards/subawards (issued as contracts) include clauses that require additional data security.

Research that includes the receipt, or in some cases the creation, of Controlled Unclassified Information (CUI), Covered Defense Information (CDI) or Government-Furnished Information (GFI) requires a consultation with the Director of Research Security and SBU's Information Security Program.  Read more about government information.

Contract clauses that require review:

52.204-21 Basic Safeguarding of Covered Contractor Information Systems

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting 

252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements

252.204-7020 NIST SP 800-171 DoD Assessment Requirements

These clauses are often included with 252.204-7000 Disclosure of Information which is a prior approval publication restriction if a fundamental research determination is not granted by the U.S. federal sponsor's contracting officer.

---

restriction on certain telecommunications & survelliance equipment

Government contracting clauses that implement prohibitions from National Defense Authorization Acts. All purchases for these types of services, hardware and software must go through Procurement to ensure compliance with these regulations. 

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities

52.204-24 Representation Regarding Certain Telecommunications and Video Survelliance Services or Equipment

52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Survelliance Services or Equipment 

52.204-26 Covered Telecommunications Equipment or Services-Representation

---

Physical Security 

Careful consideration should be given to the level of physical security that is needed to protect equipment, materials, and research.  Environmental  Health  & Safety has established  baseline requirements for lab  security based on risk factors. 

Related Guidance

Access Control & Lock Shop

Filming on Campus and Export Controls Compliance 

Lab Tours, Visitors and Guests

• Know who will be visiting the lab and the reason for the visit.
• Maintain a log of visitors to the lab.
• Ensure that no confidential or proprietary information is visible at the time of the tour/visit.
• Prohibit the taking of photographs/video of lab equipment or lab set-up.
• Do not permit visitors to insert thumb drives or other media into university computers during the tour.
• Escort visitors throughout the tour/visit.

---

INTELLECTUAL PROPERTY protection

Beyond securing your data and physical space, intellectual property (potential or realized) should also be appropriately disclosed and protected.

Disclose

• Intellectual propery as required to sponsors.
• Any potential inventions or other intellectual property to Intellectual Property Partners (IPP).

Protect

• Use the proper agreement (i.e. material transfer agreement (MTA), data use agreement (DUA) or  non-disclosure agreement (NDA) when exchanging materials, data or other confidential/non-public information.  
  
  

 

The Office of the Vice President for Research (OVPR) continues to monitor new regulations and guidance provided by the federal government regarding research security, and we will inform the University community of relevant changes. Updates and new information will also be provided on this page.