EDUCAUSE Comments: Draft Cybersecurity Provisions for Research Security Programs

Abstract

EDUCAUSE submitted comments to the White House Office of Science and Technology Policy (OSTP) on June 5, 2023, concerning the draft requirements for research security programs under National Security Presidential Memorandum 33 (NSPM-33). EDUCAUSE focused its feedback on the research cybersecurity provisions of the OSTP “Research Security Programs Standard Requirement” (i.e., the Standard Requirement), which essentially replicate the basic safeguards for Federal Contract Information (FCI). EDUCAUSE argued that the FCI safeguards should be replaced by a requirement for institutions to implement research cybersecurity measures based on a risk management approach. Absent that change, EDUCAUSE urged OSTP to explicitly state in the Standard Requirement that institutions have the discretion to interpret and apply the FCI safeguards to their research environments via institutional policy. EDUCAUSE also called for OSTP to clearly state within the Standard Requirement that institutions have the discretion to implement appropriately documented alternative controls to address cases when the specified Standard Requirement controls cannot be implemented. In addition, the EDUCAUSE comments highlight problems with individual cybersecurity provisions in the Standard Requirement.