CASRAI Dictionary

Tag: research security

  • NSPM-33 implementation: 18 months in

    National Security Presidential Memorandum 33, issued in 2021 and operationalised through implementation guidance during 2022-2024, requires US federal research-funding recipients to disclose certain affiliations, support, and resources from foreign sources, with the aim of identifying conflicts of commitment and undue foreign influence. The major federal agency rollouts (NIH, NSF, DOE, DOD, NASA, USDA) became binding through 2024 and 2025. We are now 18 months into substantive implementation. This post is a status report.

    What NSPM-33 requires

    The disclosure requirements run across three axes. Current and pending support: applicants must disclose all sources of support for ongoing and planned research activities, including foreign sources, with structured detail. Biographical sketch: applicants must list all affiliations, including foreign ones, in a structured format. Conflicts of interest and commitment: applicants must disclose financial conflicts of interest, foreign relationships, and any obligations to entities that could constitute conflicts of commitment.

    The structure is mostly common-form across agencies — the Common Forms work coordinated by NSTC’s Joint Committee on the Research Environment produced templated disclosure formats — though agency-specific variations persist. The CASRAI NSPM-33 entry tracks the common-form versions.

    What worked

    Three things have worked better than was expected at rollout.

    First, institutional infrastructure. Most major research universities built the disclosure-collection and -review infrastructure during 2022-2024 in anticipation of binding requirements. By the binding date, most had functional systems: faculty-facing tools for disclosure entry, research-administration review workflows, integration with proposal-submission pipelines. The smaller and less-resourced institutions struggled more, but the AAU- and APLU-coordinated capacity-building efforts substantially closed the gap.

    Second, the common-form approach. The Common Forms work was widely criticised during development for being slow and produced-by-committee. The result has held up well: a researcher applying to multiple agencies can use the same biographical sketch and current-and-pending-support disclosures with only minor agency-specific extensions. The pre-Common-Forms world had every agency requiring its own format; the post-Common-Forms world has substantial harmonisation.

    Third, the compliance posture. The major agencies have, on the whole, used the disclosure requirements as compliance tools rather than enforcement weapons. The early concerns about a wave of investigations leveraging disclosure inconsistencies as the predicate for action have largely not materialised. Where investigations have proceeded, they have done so in cases with substantive concerns beyond disclosure failures alone.

    What is broken

    Three implementation problems persist.

    First, retroactive disclosure. The requirements ask for disclosure of historical affiliations and support, often going back several years. Researchers have variable recollection and variable access to records of those years. Honest mistakes — forgotten honorary positions, misremembered dates, inaccurate amounts on past awards — produce disclosure inconsistencies that institutions then have to investigate and resolve. The investigation overhead is substantial; the underlying integrity concerns are usually minor.

    Second, international-collaboration chilling. The disclosure requirements have, in our community’s observation, produced a chilling effect on international collaboration, particularly with collaborators in countries that the US identifies as competitor jurisdictions. Researchers report declining collaboration invitations they would previously have accepted, in part to avoid the disclosure overhead, in part out of caution about how the disclosed activity might later be interpreted. The chilling effect is hard to measure but is widely reported.

    Third, the institutional-versus-individual line. The disclosure requirements ask the individual researcher to disclose their affiliations, but many “foreign affiliations” are institutional arrangements (university-to-university partnerships, MOUs, joint programmes) that the individual researcher discovers only when asked to disclose them. The institutional research administration knows the partnerships; the individual researcher often does not. Surfacing institutional partnerships in individual-disclosure workflows is an unsolved UX problem.

    The ORCID interlock

    One concrete improvement that NSPM-33 implementation has driven is tighter integration with ORCID as the canonical record of researcher affiliations. ORCID 4.0’s affiliation history with ROR IDs and date ranges is the natural source for the biographical-sketch component of NSPM-33 disclosures; agencies are increasingly accepting ORCID-derived biographical sketches and several are piloting direct ingestion from ORCID at submission. The CASRAI ORCID implementation guide has been updated with the NSPM-33 patterns.

    The longer-term value of this integration is that it incentivises researchers to maintain a current and complete ORCID record, which has benefits well beyond compliance. The institutions that have invested in ORCID adoption are well-positioned for NSPM-33 compliance; the institutions that have not are pushing researchers to maintain disclosure information in institutional systems that diverge from ORCID, creating a synchronisation problem.

    The CRediT angle

    NSPM-33 does not require CRediT roles in disclosures, but the disclosure framework’s interest in “all sources of support” includes contributions to research activities. A researcher who contributed to a foreign-funded project — even without being a PI — has a disclosure obligation. The CRediT role framework provides a vocabulary for characterising those contributions, and several institutional implementations now use CRediT-aligned controlled vocabularies in their disclosure forms.

    What’s still pending

    Three institutional adjustments are still in motion 18 months in.

    First, training and culture. The disclosure requirements need to become routine, the way IRB compliance has become routine. Most institutions still treat disclosure as a special workflow with episodic attention; the maturity target is that disclosure is built into hiring, promotion, sabbatical, and proposal workflows as a routine compliance item.

    Second, institutional-individual reconciliation. The institutional partnerships and the individual disclosures need to be reconciled systematically. Several institutions have built dashboards that show, for each researcher, the institutional partnerships their disclosed affiliations imply, with prompts for confirmation. This is the right direction; it is not yet widely deployed.

    Third, cross-institutional data sharing. When a researcher moves between US institutions, their disclosure history needs to travel with them. The current state is that it does not, reliably; the new institution rebuilds the disclosure profile from scratch. This is wasteful and produces unnecessary inconsistencies. ORCID-anchored disclosure portability is the right architectural answer; institutional adoption is the missing piece.

    What CASRAI recommends

    For research-administration offices, the priority for 2026 is to consolidate the operational maturity of disclosure workflows: routine integration with proposal submission, ORCID-anchored biographical sketches, institutional-partnership reconciliation, training programmes that treat disclosure as a standard compliance item. The CASRAI institutional research-security guide walks through the maturity model.

    For researchers, the operating posture is to keep ORCID current, to maintain a personal log of affiliations and support that supports disclosure, and to treat disclosure as part of professional practice rather than as exceptional compliance.

    For agencies, the priority is to continue the common-form harmonisation work and to consider further ORCID integration. The 2026 update to the Common Forms is in development and the indications are positive.

    Related dictionary entries

  • NSPM-33 disclosure: what US researchers must report in 2026

    National Security Presidential Memorandum 33 (NSPM-33), signed in January 2021, directed US federal research funding agencies to strengthen and harmonise disclosure requirements for federally funded researchers. Five years later the implementation has stabilised across NIH, NSF, DOE, DOD, NASA, USDA, and the other major science agencies, with the CHIPS and Science Act of 2022 having added enforcement teeth and the 2024 Research Security Programs Standard Requirement having added institutional-level obligations. This post is the practical 2026 compliance map for US-funded researchers.

    The shape of NSPM-33 in 2026

    NSPM-33’s core mandate is straightforward: a federally-funded researcher must disclose all support they receive (financial, in-kind, or in the form of positions, appointments, or affiliations) so that the funding agency can identify potential conflicts of commitment, undisclosed foreign components, or scientific overlap. The disclosure is made at proposal stage and updated throughout the project’s life.

    The five years of implementation have produced two important refinements. First, the common disclosure forms: NIH’s Other Support format, NSF’s Current and Pending (Other) Support, and parallel formats at other agencies have been substantially harmonised under the NSPM-33 implementation guidance. By 2026 a researcher can largely produce one structured disclosure record (typically in SciENcv format) and have it serve all federal agencies. Second, the structured-data submission: the agencies now require disclosure forms in machine-readable format with ORCID linkage, not as free-form PDFs.

    What must be disclosed

    The 2026 disclosure scope at the major agencies covers, at a minimum:

    • All ongoing and pending research support (federal, non-federal, and foreign).
    • All in-kind support of significance (laboratory space, equipment access, personnel time).
    • All positions and appointments (professorships, visiting positions, advisory roles, board memberships) regardless of whether they are paid.
    • All consulting arrangements above a defined threshold (typically a few thousand dollars per year, but agency-specific).
    • Foreign government talent recruitment programme participation (see below).
    • Patents and patent applications related to the funded research.
    • Sponsored or paid travel above defined thresholds.
    • For NIH specifically, all support for research effort regardless of how titled.

    The Current and Pending Support form (NSF terminology) and the Other Support form (NIH terminology) are the canonical artefacts. They are populated by the researcher at the proposal stage and re-verified at the just-in-time (JIT) request stage if the proposal is funded.

    The foreign-component question

    The single most consequential 2021-2024 enforcement focus was undisclosed foreign components. A foreign component is any significant scientific element of a project performed outside the United States by any source of funding, including foreign collaborator efforts even if not separately funded.

    NIH’s foreign-component disclosure rule existed before NSPM-33 but was inconsistently enforced. Post-NSPM-33 the enforcement has been substantial: dozens of researchers had grants terminated or returned, and several criminal cases proceeded for fabricated disclosures. The 2023-2024 cohort of cases clarified the threshold: an undisclosed foreign-funded position, a foreign-government talent-recruitment-programme membership, or a substantial unreported collaboration with a foreign laboratory are all material non-disclosures with grant-termination and criminal consequences.

    In 2026 the practical rule is conservative: if you have any affiliation, position, support, or significant collaboration outside the US that overlaps in time with your federal-funded project, disclose it. The cost of over-disclosure is filling in more forms; the cost of under-disclosure has become very high.

    Foreign Talent Recruitment Programmes

    The Foreign Talent Recruitment Programme (FTRP) category was sharpened by Section 10632 of the CHIPS and Science Act of 2022, which required agencies to prohibit federally-funded researchers from participating in malign FTRPs. The 2024 implementation guidance defined a malign FTRP as one that involves transfer of intellectual property, transfer of laboratory resources, or compensation contingent on outcomes that benefit a foreign government’s national interests, among several other criteria.

    The category is narrower than the original 2018-2021 “China Initiative” framing might have suggested. Participation in a non-malign FTRP (a competitive postdoctoral programme, an academic exchange visit, an honorary professorship) is not prohibited but must be disclosed. Participation in a malign FTRP is prohibited for federally-funded researchers and must be terminated as a condition of receiving federal funding.

    The institutional-side burden under the 2024 Research Security Programs Standard Requirement is substantial: institutions over a defined funding threshold must implement a research security programme with training, conflict-of-interest screening, foreign-collaboration approval, and ongoing monitoring. The standard requirement specifies the elements; institutions implement them with their own policies.

    The reporting workflow in practice

    The 2026 workflow for a federally-funded researcher at a US institution typically looks like:

    1. SciENcv profile. Maintain a current SciENcv profile with all positions, appointments, and support. SciENcv (Science Experts Network Curriculum Vitae) is the federal-government-supported tool and produces the structured-data formats accepted by NIH, NSF, and other agencies.
    2. Proposal-stage disclosure. Export the relevant disclosure form from SciENcv at proposal preparation. Verify with the institution’s sponsored-research office before submission.
    3. JIT update. For NIH, re-verify Other Support at JIT request. Any changes since proposal submission must be reported.
    4. Award updates. Any new support, position, or appointment acquired during the award must be reported to the agency. NIH’s threshold is “significant changes”; in practice, disclose anything that would have been on the original form.
    5. Annual progress reports. RPPR and other annual reporting captures updated Other Support and current-and-pending. Treat this as a real update, not a copy-paste.
    6. Final reports and closeout. Disclosure obligations continue through closeout.

    Institutional research security programmes

    The 2024 Research Security Programs Standard Requirement obligates institutions over the $50M annual federal-research threshold to operate a research security programme covering: cybersecurity training, foreign-collaboration approval workflow, conflict-of-interest and conflict-of-commitment training, export-control compliance, and ongoing monitoring of researchers’ disclosures against external data sources.

    The institutional layer matters because most disclosure failures are not fraud; they are inadvertent omission by researchers who did not realise an affiliation was disclosable. A well-functioning research security programme acts as a backstop, with regular reminders, training, and a pre-submission review that catches omissions before they become non-disclosures of consequence.

    The CASRAI funder-mandate guide covers the agency-specific disclosure requirements with current links; the research-security domain tracks the cross-agency policy harmonisation.

    What’s still uncertain

    Three areas remain in active interpretation in 2026. First, the treatment of dual-affiliated researchers: a researcher with a tenured position at a US institution and a part-time appointment at a non-US institution must disclose both, but the threshold for the non-US appointment counting as a foreign component is fuzzy in practice. Second, the scope of the conflict-of-commitment definition: an unpaid advisory role at a foreign institution may not count as support but does count as commitment; the agencies vary in how they treat this. Third, the retroactive application: disclosure failures discovered years after the funded work was completed have been treated with substantial inconsistency, with some cases pursued criminally and others handled administratively.

    For researchers, the safe path is conservative disclosure, current SciENcv maintenance, and proactive consultation with the institution’s sponsored-research office whenever an affiliation or support is ambiguous. The compliance cost of asking is low; the cost of under-disclosure that surfaces later is potentially career-ending.

    Related dictionary entries

    References

    NSTC Joint Committee on the Research Environment, Guidance for Implementing National Security Presidential Memorandum 33 (January 2022). NIH Office of Extramural Research, Notice of Information: Updates to Other Support (NOT-OD-22-150 and subsequent updates). CHIPS and Science Act of 2022, Section 10632 (Foreign Talent Recruitment Programs). OSTP, Research Security Programs Standard Requirement (July 2024). NSF, Proposal and Award Policies and Procedures Guide (current version).