Research Security Program
About the Program
The Research Security Program is a collaboration between many university-wide departments
based in campus policies and federal regulations. The Director of Research Security, reporting to the Vice-President for Research, serves
as the point of contact for the university's research security program.
This website has been developed to (1) provide resources to the campus community and
(2) formalize the ongoing development of Stony Brook University's Research Security
Program as required by National Security Presidential Memorandum 33 (NSPM-33).
Guided by State University of New York (SUNY) policy that prohibits the acceptance
of any awards that (1) restrict dissemination of research results (Document 1800) and/or (2) restrict foreign national participation (Document 1801), research conducted at SBU is primarily fundamental research as defined in National
Security Decision Directive (NSDD) 189 (read more here).
A waiver is required to accept restrictions on dissemination or foreign national participation,
whether your project is funded or unfunded. Contact the Director of Research Security
for assistance or questions.
The policies, information and guidance provided on this page are applicable to all
research projects even if public dissemination of results is expected.
Disclosure of External Interests, Commitments and Resources
All external relationships - both domestic and international - should be transparent
and must be disclosed in a manner that is consistent with applicable requirements,
including federal and state laws/regulations/agency guidance, as well as the university's
own policies and procedures.
The Office of Sponsored Programs maintains a website with resources to assist researchers in complying with federal sponsor disclosure requirements.
The Research Security Program maintains a website with guidance to assist campus disclosers in complying with the Disclosure of External
Interests and Commitments Policy (P209).
All campus activities must comply with U.S. government export control laws. These
- Disclosure, shipment, use, transfer, or transmission of any item, commodity, material,
technical information, technology, software, or encrypted software for the benefit
of a foreign person or foreign entity anywhere (including the transfer of controlled
information within the U.S. “deemed export”);
- Transactions and the provision of services involving prohibited countries, persons
or entities based on trade sanctions, embargoes and travel restrictions; and
- Certain transactions with persons or entities designated on a federal restricted
The Research Security Program maintains a website with guidance to assist the campus community in complying with federal regulations
and the Export Control Policy (P212).
Faculty and students are encouraged to participate in international activities, as
these may promote the creation of knowledge and enrich learning experiences. The
Research Security Program maintains a website with resources and guidance for individuals engaging in these activities.
International Travel Security
International travel may pose significant health and safety risks, and travelers are
encouraged to carefully plan for trips prior to departure. Preparation should take
into consideration government warnings, University policies, health insurance coverage,
and country-specific requirements. The Research Travel Page provides guidance on travel and travel security.
As a reminder, all international travelers, regardless of funding source, must register
their travel in Concur prior to travel.
IT Security Considerations While Traveling
FBI: Safety and Security for Business Professionals Traveling Abroad Brochure
FBI: Safety and Security for U.S. Students Traveling Abroad Brochure
FBI: The Key to U.S. Student Safety Overseas Brochure
Office of the Director of National Intelligence: Know the Risk - Raise Your Shield:
Travel Awareness Video
Cybersecurity: Secure Computing
The Information Security Program, Division of Information Technology's website contains resources, guidance and services to help ensure privacy and protection of
Secure Computing Guides - tip sheet and guides for students and faculty/staff designed to provide what they
need to know in a concise format.
Security Consulting - consultative, training, education and awareness resources to assist students and
faculty/staff in safe computing.
Incident Response/Reporting - notify the cybersecurity team if you are aware of a potential cybersecurity incident.
SBU Training Requirement
All faculty and staff are required to take annual Cybersecurity Awareness Training.
Insider Threat Awareness and Training
According to the NSPM-33 Implementation Guidance, an Insider Threat is defined as "the
potential for an insider to use their authorized access or understanding of an organization
to harm that organization. This harm can include malicious, complacent, or unintentional
acts that negatively affect the integrity, confidentiality, and availability of the
organization, its data, personnel, or facilities."
Insider threat includes: espionage, sabotage, fraud and intellectual property theft! See something, say something! Report it to your supervisor or contact the Director
of Research Security, or you can submit a confidential report to Audit & Management Advisory Services.
The Center for Development of Security Excellence has short training videos.
The SBU Libraries Research Data Services' website provides resources, consultation and support for all aspects of a data lifecycle,
from planning the data management strategy during the proposal phase through preserving
the data at the conclusion of the project. They can assist with data management
plans, federal public access plans, funder managements and research data management.
Federal Awards & Data Protection Standards
Some federal awards/subawards (issued as contracts) include clauses that require additional
Research that includes the receipt, or in some cases the creation, of Controlled
Unclassified Information (CUI), Covered Defense Information (CDI) or Government-Furnished
Information (GFI) requires a consultation with the Director of Research Security and SBU's Information
Security Program. Learn More
Contract clauses that require review:
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
These clauses are often included with 252.204-7000 Disclosure of Information, which is a prior approval publication restriction if a fundamental research determination
is not granted by the U.S. federal sponsor's contracting officer.
Restriction on Certain Telecommunications & Surveillance Equipment
The following government contracting clauses implement prohibitions from National Defense Authorization
Acts. All purchases for these types of services, hardware and software must go through Procurement
to ensure compliance with these regulations.
52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed
or Provided by Kaspersky Lab and Other Covered Entities
52.204-24 Representation Regarding Certain Telecommunications and Video Surveillance
Services or Equipment
52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance
Services or Equipment
52.204-26 Covered Telecommunications Equipment or Services-Representation
Careful consideration should be given to the level of physical security that is needed
to protect equipment, materials, and research. Environmental Health & Safety has established baseline requirements for lab security based on risk factors.
Access Control & Lock Shop
Filming on Campus and Export Controls Compliance
Lab Tours, Visitors and Guests
- Know who will be visiting the lab and the reason for the visit.
- Maintain a log of visitors to the lab.
- Ensure that no confidential or proprietary information is visible at the time of the
- Prohibit the taking of photographs/video of lab equipment or lab set-up.
- Do not permit visitors to insert thumb drives or other media into university computers
during the tour.
- Escort visitors throughout the tour/visit.
Intellectual Property Protection
Beyond securing your data and physical space, intellectual property (potential or
realized) should also be appropriately disclosed and protected.
- Use the proper agreement (i.e. material transfer agreement (MTA), data use agreement
(DUA) or non-disclosure agreement (NDA)) when exchanging materials, data or other
The Office of the Vice President for Research (OVPR) continues to monitor new regulations
and guidance provided by the federal government regarding research security, and we will inform the University community of relevant changes. Updates and new
information will also be provided on this page.