CASRAI Dictionary

Tag: export controls

  • NSPM-33 Research Security: Disclosure & Programmes

    National Security Presidential Memorandum 33 (NSPM-33) set US policy on strengthening protections for federally funded research and development. It directs federal funding agencies to standardise and clarify disclosure requirements for participants in research, and it asks certain research institutions to establish research-security programmes. This article is a neutral explainer of what NSPM-33 covers; it is not legal or compliance advice, and the binding detail lives in each agency’s implementing rules.

    What NSPM-33 is trying to do

    NSPM-33 responds to concerns about the integrity of the research enterprise — chiefly around undisclosed conflicts of interest and commitment, and the risk of inappropriate transfer of federally funded research results. Its core principle is that openness and security can coexist: it reaffirms that fundamental research should remain open while asking the system to be more transparent about affiliations, support and commitments so that risks can be identified and managed.

    Importantly, the memorandum directs agencies to act consistently. A recurring frustration before NSPM-33 was that different agencies asked for disclosures in different formats and used different definitions. A central aim is to harmonise those expectations across the federal government.

    Standardised disclosure requirements

    The disclosure element asks that researchers consistently report information relevant to identifying conflicts of interest and conflicts of commitment. In broad terms this includes current and pending research support, professional appointments and positions, and other affiliations and resources that could bear on the integrity of the research.

    • Current and pending support: all sources of research funding, foreign and domestic.
    • Appointments and positions: including foreign appointments and titles.
    • Other support and in-kind resources: resources that benefit the research effort.
    • Consistency: common forms and definitions so disclosures are comparable across agencies.

    The emphasis is on completeness and accuracy rather than on prohibiting international collaboration. Disclosure makes relationships visible so that genuine conflicts can be evaluated and managed.

    Research-security programmes: the four elements

    NSPM-33 also contemplates that covered institutions receiving federal science funding above a defined level maintain a research-security programme. As described in implementation guidance, such programmes are generally built around four elements:

    • Cybersecurity: protecting research data and systems.
    • Foreign-travel security: tracking and supporting security for international research travel.
    • Research-security training: educating researchers on risks and obligations.
    • Export-control training: ensuring awareness of export-control responsibilities.

    The export-control element connects research security to a separate, long-standing legal regime. For background on how export controls treat openly published research, see our explainer on the fundamental-research exclusion, which is central to understanding what NSPM-33 does and does not restrict.

    Openness and security as complementary goals

    A theme worth drawing out is that NSPM-33 frames openness and security not as opposites but as goals to be balanced. The US research enterprise has long derived strength from international collaboration and the open exchange of ideas, and the memorandum is explicit that it does not seek to undermine that openness or to discourage legitimate international partnership. Instead, it aims to make the system more resilient to a narrow set of risks — undisclosed conflicts and inappropriate transfer of results — while leaving the open, collaborative character of fundamental research intact. The emphasis on transparency rather than prohibition is the practical expression of that balance.

    The fundamental-research principle

    A key point of reassurance in NSPM-33 is that it does not seek to close off basic and applied research that is ordinarily published and shared. Long-standing US policy treats such fundamental research as outside many export-control restrictions precisely because it is openly disseminated. NSPM-33 operates alongside that principle: it improves transparency about who is involved and how they are supported, rather than reclassifying open research as controlled.

    This is why disclosure, not restriction, is the dominant tool. The aim is informed risk management — knowing the affiliations and support behind a project — rather than blanket limits on collaboration. Our broader research-compliance overview situates these expectations within the wider grants framework.

    Conflicts of interest versus conflicts of commitment

    NSPM-33’s disclosure emphasis turns on two related but distinct concepts that are worth separating. A conflict of interest arises when an external financial or personal interest could bias the design, conduct or reporting of research. A conflict of commitment arises when outside obligations — such as an undisclosed appointment at another institution — compete with the time and intellectual commitments a researcher owes to their primary employer and to a funded project.

    Much of the concern that motivated NSPM-33 involved undisclosed conflicts of commitment, where affiliations or support were not reported. The disclosure framework is designed to surface both kinds of conflict so they can be evaluated. Disclosure does not by itself imply wrongdoing; it is the mechanism that allows institutions and agencies to distinguish benign, well-managed relationships from genuine problems.

    What institutions did in practice

    In response, many research institutions reviewed and updated their conflict-of-interest and conflict-of-commitment policies, refreshed disclosure processes, and built or formalised research-security functions covering the four programme elements. Some appointed designated research-security officials or points of contact, expanded training, and integrated disclosure checks into proposal and award workflows. Because the requirements are implemented through individual agency rules and award terms, the specific obligations an institution faces depend on which agencies fund it and at what level, and institutions track the rules of each relevant funder rather than assuming a single uniform standard.

    The headline is a balance: NSPM-33 pairs clearer, standardised disclosure with structured research-security programmes, while preserving the openness of fundamental research. For authoritative detail, institutions consult the implementing guidance from the relevant federal agencies and OSTP at whitehouse.gov/ostp. For related terminology, see our standards dictionary.

  • Trusted research and international collaboration: managing risk without barriers

    International collaboration is not a luxury of modern research; it is largely how the best of it gets done. The hardest problems — in health, climate, energy, fundamental science — are addressed by teams that cross borders, pool data and combine expertise that no single country holds. At the same time, a minority of partnerships carry real risks: the loss of sensitive technology, undisclosed competing obligations, the misuse of dual-use research, or arrangements that conflict with a researcher’s legal duties. The challenge that ‘research security’ tries to meet is to manage those genuine risks without throwing up barriers that would damage the open, collaborative culture on which research depends. This article sets out a proportionate approach, drawing on the framework defined in the research security domain of the CASRAI Dictionary.

    Two policy reference points

    Two reference points dominate the conversation. In the United States, NSPM-33 — the National Security Presidential Memorandum on protecting the integrity of government-supported research — directs funding agencies to strengthen disclosure requirements and asks institutions receiving substantial federal funding to maintain research-security programmes. Its emphasis is on transparency: knowing who is funding what, and what other obligations a researcher carries, so that conflicts of interest and conflicts of commitment can be seen and managed rather than hidden.

    In the United Kingdom, the Trusted Research guidance, developed with the national protective-security and cyber-security bodies, takes a similar but distinctly proportionate line. Its framing is that the overwhelming majority of international collaboration is benign and beneficial, and that the goal is to help researchers and institutions identify the small number of cases where caution is warranted — and to do so without discouraging legitimate partnership. Both frameworks share a premise worth stating plainly: the aim is risk management, not risk elimination, because eliminating risk would mean eliminating collaboration.

    Where the risks actually sit

    It helps to name the categories of risk concretely, because vague anxiety is the enemy of proportionate action. Conflicts of interest and commitment arise when a researcher has financial interests or outside appointments — including foreign talent-programme affiliations — that are not disclosed and could bias their work or divide their loyalties. Export controls and sanctions govern the transfer of certain technologies, data and know-how across borders, and can apply even to a conversation or a shared dataset, not only to physical goods. Dual-use research of concern covers work that, though conducted for legitimate purposes, could be repurposed to cause harm. And there are data-protection and confidentiality obligations that follow data across jurisdictions with different legal regimes.

    Naming these categories matters because the appropriate response differs for each. An export-control question is a legal compliance matter; a conflict-of-commitment question is a disclosure matter; a dual-use question is an ethical-review matter. Treating them as one undifferentiated ‘security’ problem leads either to overreaction or to missing the specific control that actually applies.

    Due diligence that is proportionate

    The practical heart of trusted research is proportionate due diligence: doing more checking where the stakes are higher, and not burdening low-risk collaboration with high-risk procedures. A sensible due-diligence process asks a graded set of questions. What is the nature of the work — is it fundamental and openly publishable, or does it touch sensitive technology? Who is the partner, who ultimately funds and controls them, and are there links that raise concern? What will be shared — data, materials, know-how — and does any of it fall under export controls? What are the terms — who owns the results, who can publish, are there clauses that would compromise academic freedom or open dissemination?

    The point of grading is that a routine collaboration on openly published basic science should pass through quickly, while a project involving controlled technology and an opaque funding structure warrants real scrutiny and, often, expert advice. A process that treats every partnership as a threat will be ignored or resented; a process that treats none as a risk fails its purpose.

    Disclosure as the connective tissue

    Across both frameworks, disclosure is the mechanism that makes everything else work. Most research-security failures are not espionage; they are undisclosed relationships and obligations that, once visible, could have been managed straightforwardly. Accurate, complete and current-and-pending disclosures — of funding, appointments, in-kind support and outside activities — let an institution and a funder see the whole picture. The move toward machine-readable disclosure formats is making this less of a paperwork burden and more of a maintainable record, and recording these obligations in structured form complements the recognition of legitimate contributions through the CRediT taxonomy: the same record can show both what someone did and what other commitments they hold.

    Keeping the lab door open

    The risk that gets least attention is the risk of overreaction — of institutions retreating from international partnership, or of researchers from particular backgrounds being treated with suspicion on the basis of nationality rather than conduct. Both the UK and US frameworks are explicit that security measures must not become a pretext for discrimination, and that openness is itself a value worth protecting. A trusted-research programme that makes researchers feel surveilled or unwelcome will cost more in lost collaboration and damaged trust than it saves in averted risk.

    The balance, then, is genuinely a balance: assess risk honestly and proportionately, manage it with the specific control that fits, insist on transparent disclosure, and keep the default disposition open. The shared vocabulary for describing these obligations consistently across systems and partners is maintained in the CASRAI Dictionary, which is part of what makes a risk-management conversation possible across institutional and national lines.

  • Dual-use research and export controls: managing sensitive science alongside open science

    Most research is unambiguously for the good: it cures disease, feeds people, advances understanding. But a portion sits in a more difficult place, where the same knowledge that brings benefit could also cause serious harm if misused. A study of how a pathogen spreads can guide vaccines or, in the wrong hands, inform a weapon; an advance in a sensitive technology can serve civilian and military ends alike. This is the territory of dual-use research, and it forces a genuine tension with the dominant movement of contemporary science, which is towards greater openness. How institutions manage research that is both valuable and potentially dangerous — without betraying the openness that makes science work or ignoring real risks — is the subject of this article, which draws on the research-security domain of the CASRAI Dictionary.

    Dual-use research of concern

    The phrase dual-use research of concern, or DURC, refers specifically to life-sciences research that could be reasonably anticipated to provide knowledge, products or technologies that could be directly misused to threaten public health, agriculture, the environment or national security. The concept narrows a vast and unhelpful category — almost any knowledge could in principle be misused — to a manageable set of research with a credible and serious potential for harm. In the United States, oversight of such work has been organised through DURC policy and the related potential pandemic pathogen care and oversight (P3CO) process, which requires particularly risky research — for instance, work that could enhance a pathogen’s transmissibility or virulence — to undergo additional review before it proceeds. The aim is not to stop the research but to ensure its risks are deliberately weighed against its benefits by people equipped to judge.

    Export controls: a different lever

    Alongside biosecurity oversight sits a quite different and often less familiar set of obligations: export controls. These are legal regimes that restrict the transfer of certain sensitive goods, technologies and technical knowledge across borders — and crucially, in many regimes, a transfer to a foreign national can occur even without anything leaving the country, simply by sharing controlled knowledge. For researchers, this means that international collaboration, hosting visiting scholars, or sharing technical data can fall within the scope of export law. Several regimes matter here. The Wassenaar Arrangement is a multilateral export-control regime through which participating states coordinate controls on conventional arms and dual-use goods and technologies. In the United States, the Export Administration Regulations (EAR) govern most dual-use items, while the International Traffic in Arms Regulations (ITAR) govern defence-related articles and services. In the United Kingdom, the Export Control Joint Unit administers strategic export controls, and the European Union’s dual-use regulation provides a common framework across member states. The details differ, but the principle is shared: some knowledge cannot be transferred freely.

    Screening and the fundamental-research exclusion

    To meet these obligations, institutions increasingly carry out screening — checking collaborators, partners and destinations against sanctions and restricted-party lists, and assessing whether a project involves controlled technology. Properly done, this is not suspicion towards international colleagues; it is due diligence to ensure legitimate collaboration does not inadvertently breach the law or aid a hostile actor. Importantly, most export-control regimes include an exclusion for fundamental research — basic and applied research ordinarily published and shared broadly with the scientific community. This exclusion allows the vast majority of open academic research to proceed without entanglement in export law. The controls bite mainly where research is genuinely sensitive, restricted from publication, or involves specifically listed technologies.

    The tension with open science

    The difficulty is plain: the default and the aspiration of modern research is openness — open access, open data, open methods, free international collaboration — while DURC oversight and export controls are, by nature, mechanisms of restriction. The two genuinely pull against each other, and pretending otherwise helps no one. The mature response is not to abandon openness, the engine of scientific progress, nor to ignore risk, which would be reckless. It is to recognise that the vast majority of research should be as open as possible, while a small, identifiable subset requires careful handling. The skill lies in identifying that subset accurately — neither over-restricting, which chills legitimate science, nor under-restricting, which courts real harm. This is the same calibrated thinking that governs sensitive data: as open as possible, as closed as necessary.

    Security without closing the door

    Getting this balance right is partly a matter of culture and partly of process. A trusted-research approach asks institutions to build awareness of these issues into the research lifecycle — at the point of forming partnerships, applying for funding, hosting visitors and preparing to publish — so that risks are spotted early and handled proportionately, rather than discovered late or missed entirely. Embedding this within ordinary research administration, rather than treating it as an exceptional intervention, is what allows security and openness to coexist. The goal is a research environment that is both open and secure: confident enough in its openness to collaborate widely, and alert enough to handle the genuinely sensitive cases with care.

    A shared vocabulary for sensitive research

    For research-security obligations to be managed consistently across institutions, funders and national systems, the concepts involved must be described in compatible ways — what counts as controlled technology, what a screening determination records, how a dual-use assessment is captured. That consistency is what the CASRAI Dictionary works towards: a shared vocabulary so that the information about sensitive research and its handling means the same thing wherever it is recorded. And because the work of conducting research responsibly — including the oversight and stewardship that sensitive work requires — is part of the research record, it can be described alongside the contributions captured in the CRediT taxonomy and its full set of contribution roles. Open science and research security are not enemies; managed well, they are two aspects of doing research responsibly in a connected and sometimes dangerous world.