NSF SECURE Center · Cooperative Agreement No. 2403771 Research Security Briefing Vol. 2, No. 4 | January 30, 2026 | |
This Week at a Glance NIH Issues ‘Leniency Period’ for Compliance with Common Forms via SceENcv Federal Demonstration Partnership (FDP) January 2026 Meeting: Research Security Highlights Texas Moves to Curtail Visas for Skilled Foreign Workers (New York Times, 1/27/2026) | |
NIH Issues ‘Leniency Period’ for Compliance with Common Forms via SceENcv On January 27, 2026, the National Institutes
of Health (NIH) updated its FAQs on “Common
Forms for Biographical Sketch and Current and Pending (Other) Support,”
stating that NIH will not withdraw initial applications, JITs, RPPRs, or Prior
Approvals submitted on or after January 25 that fail to use Common Forms via
SciENcv for Biographical Sketches, Current and Pending (Other) Support and NIH
Biographical Sketch Supplements, as the agency had previously communicated. Instead, to provide a “period of leniency,” NIH will issue a warning if the Common Forms are not used but will not withdraw submissions that don’t use them. NIH anticipates that this period of leniency will be in place through May 2026. NIH will release a notice of policy change (NOT) in the near future regarding the period of leniency. GAO Report: Actions Needed to Address Foreign Risks in Small Business Programs On January 28, 2026, the Government Accountability Office (GAO) released the report, “Small Business Research Programs: Additional Actions Needed to Incorporate Best Practices for Addressing Foreign Risks.” The report examines how federal agencies are implementing new due-diligence requirements to address foreign risks in Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs, which together awarded about $4.5 billion to more than 3,000 small businesses in fiscal year 2023. GAO found that all participating agencies have adopted at least some of the Small Business Administration’s (SBA) 12 best practices (e.g., use of standardized foreign affiliation disclosures, encouraging research security training), but overall implementation is uneven. Many agencies have incorporated additional practices, but gaps remain in areas such as clearly defining “covered individuals,” minimizing reporting burden, and consistently documenting how risks are assessed across all required domains. GAO Report: Research Security—Agencies Should Assess Safeguards Against Discrimination On January 21, 2026, the GAO published the
report, Research Security:
Agencies Should Assess Safeguards Against Discrimination. The
GAO examined whether major federal research funding agencies are implementing
research security programs in ways that effectively prevent improper foreign
influence without discriminating against scientists based on race, ethnicity, or
national origin, particularly scientists of Chinese or Asian descent. GAO reviewed research security practices at
five agencies that collectively fund the majority of U.S. extramural research: the
Departments of Defense and Energy (DOD, DOE), NASA, NIH, and NSF. Key Findings
All five agencies have research security policies, but they vary significantly in how they incorporate safeguards to prevent discrimination. GAO identified five safeguards that help
reduce the risk of discriminatory outcomes:
Transparent improper foreign influence review processes Collection and use of demographic data to assess outcomes Multiple levels of review Staff training on non-discrimination Clear leadership commitment to
non-discrimination
No agency had conducted a formal assessment to determine whether its research security processes adequately protect against discrimination. NASA and NSF documented how they
identify improper foreign influence but did not document how risk mitigation
decisions are made, limiting transparency and consistency for institutions and
researchers. While safeguarding federally funded research
from improper foreign influence is critical, GAO found that lack of transparency,
inconsistent safeguards, and absence of internal assessments increase the risk of
discriminatory application, potentially undermining research integrity, trust, and
international collaboration. GAO concludes that research security and nondiscrimination are not mutually exclusive, but agencies must take additional steps—particularly through documentation and self-assessment—to ensure that research security programs are applied fairly, consistently, and transparently across the U.S. research enterprise. | |
Federal Demonstration Partnership (FDP) January 2026 Meeting: Research Security Highlights While meeting sessions covered a variety of topics, research security-related highlights are provided below. FDP has indicated that slides and recordings (if available) will be posted in the near future on the meeting website. FDP Session: Federal Agency Updates Moderator/Host: Michelle Bulls, Director, Office of Policy for Extramural Research Administration, OER, NIH Speakers:
Kasima Garst, NIH Jason Bossie, NSF Christiane Diallo & Mary Sladek, NASA Chelsea Cole, USDA Kimberly Whittet, NIFA National Institutes of Health (NIH)
NIH reminded the community that the
agency’s research security training requirement, to comply with the
CHIPS and Science Act, goes into
effect for applications submitted on or after May 25, 2026. Covered
individuals (for NIH, this is defined as senior/key personnel) will complete
this certification on their Biosketch, via SciENcv. Authorized
Organization Representatives (AORs) will certify the applicant
institution’s compliance with this requirement via their signature on
the face page of the application. In regard to the agency’s
transition to the Common Forms for Biosketches and Current and Pending Support
through SciENcv, NIH acknowledged significant system backlogs and technical
challenges, prompting the implementation of a “leniency period”
until May 2026 for applications using the previous format of these forms (see
above). The agency confirmed there is
no leniency on the linkage of an ORCID ID and the requirement is effective
now. NIH clarified that Biosketches must
include all of a senior/key personnel’s current and previous academic and institutional appointments.
Per NIH’s Common Forms FAQ page,
“Senior/key persons must report on all professional appointments that
have been active in the last three years. Professional appointments that
concluded more than three years ago are not required to be reported on the NIH
Biosketch Common Form but may be included if relevant to the specific
application.” With the transition to the Common Forms,
updated Current and Pending (Other) Support included at the time of the
Research Performance Progress Report (RPPR) must be uploaded as a separate
document for each individual, rather than as a single, combined PDF. The “Parent” Notice of
Funding Opportunity (NOFO) for NIH-funded international collaborations is
now
available. New information is being added to
NIH’s Foreign Subaward Policy FAQ
page. NIH clarified that Foreign Components
not receiving NIH funds may still be included in applicant proposals, however,
per NOT-OD-25-155, proposers must use
the agency’s new application and award
structure for NIH-funded international collaborations involving
subawards. National Science Foundation (NSF) NSF noted that the December 8, 2025 Supplement to the Proposal &
Award Policies & Procedures Guide (PAPPG) includes the clarification for FFDRs
that satellite, branch, or regional campuses that are not direct recipients of NSF
funding must report any financial support via the main campus of the recipient
institution. National Aeronautics and Space
Administration (NASA)
NASA noted that the agency’s
Science Mission Directorate (SMD) is leading negotiations for an agency-wide
agreement for use of SciENcv for collection of Common Forms. (The next
day, representatives from SciENcv confirmed that these negotiations have been
successful, and NASA will have Common Forms available via SciENcv. This effort
on NASA’s part to align with other agencies and further reduce
administrative burden through use of SciENcv will be appreciated by the
research community.) Research security-related questions for
NASA should be directed to the agency’s new mailbox: hq-researchsecurity@mail.nasa.gov. United States Department of Agriculture
(USDA)
USDA noted that, per the recent secretarial
memorandum, all USDA awarding agencies are required to adhere
to the agency’s new General Terms and Conditions
(T&Cs), complete a review of their existing T&Cs, and ensure adherence
to the new T&Cs within 45 days (February 14, 2026). The new T&Cs
provide guidance on multiple research security requirements. The USDA Office of the Chief Scientist
is currently working on providing additional information regarding the
T&C’s requirement that “each individual employed by the
recipient to work on the award has completed research security
training,” as opposed to “covered individuals.” The National Institute of Food and Agriculture (NIFA) will be updating the T&Cs across its various programs (e.g., general research, SBIR, facilities) to incorporate the new General T&Cs, with specific addenda that will carry forward NIFA-specific conditions. The institute anticipates communicating more about these changes in the near future, including a webinar for NIFA funding recipients. FDP Session: Research Security & Subawards Working Group Moderators/Hosts: Jim Luther, Yale University, Lisa Nichols, University of Notre Dame Speakers:
Jason Day, Research Policy Director, Department of War Michelle Bulls, Director, Office of Policy for Extramural Research Administration, OER, NIH Julie Anderson, Director, Research Technology and Economic Security, Department of Energy Sarah Stalker-Lehoux, Acting Chief of
Research Security, Strategy and Policy, NSF, and Co-Chair, FDP Research
Security Subcommittee [Unable to attend.] Jason Day (DoW) emphasized that, while the
interagency RSP framework is not yet finalized, broad agreement is emerging around
core elements such as cybersecurity controls and foreign travel reporting, and
additional communication is expected in the near future. With regard to DoW’s January 7, 2026,
Fundamental Research Security Initiatives and Implementation Memo, Day noted that he doesn’t
anticipate significant impacts on recipient institutions. The memo requires
DoW Components to conduct formal post-award spot checks, including re-reviews of
awards with mitigation plans in place and a 25 percent sample of awards without
them. These reviews will likely be conducted in conjunction with Research
Performance Progress Report (RPPR) updates and coordinated with institutional
research security offices. There was discussion of guidance around citing
DoW grants in publications and a follow-up question about whether DoW would
consider providing guidance on citing the institution(s) where the DoW/federal
work was conducted, as opposed to the institution where the researcher is
currently employed. Day indicated this was a possibility. Risk
concerns have arisen when DoW funding is cited and students or scholars returning
to or taking employment in a country of concern cite the new institution in
publications. Discussion also addressed how agencies
intend to manage variability and risk over time. Agencies expect to use moving
averages to assess institutions near the $50 million threshold and encouraged
institutions below the threshold to begin voluntarily adopting scalable research
security controls to avoid abrupt compliance burdens later. Panelists underscored that disclosure
inconsistencies, especially those contradicted by public records, are most likely
to trigger additional review. Agencies also acknowledged that perfect uniformity
across funders is unlikely but stressed that regular interagency coordination aims
to prevent significant divergence and resolve outliers. A significant portion of the discussion
focused on adoption of the Common Forms via SciENcv, including NIH’s
addition of monetary donations as a reporting requirement. Michelle Bulls
explained that this change was driven by Office of the Inspector General recommendations and acknowledged that
the current structure does not align cleanly with the Current and Pending (Other)
Support format. NIH indicated it is exploring alternative mechanisms to
collect this information while minimizing audit risk and administrative burden for
institutions. Participants had many questions for NIH
regarding international collaborations (also see NOT-OD-25-155 and PA-26-002). Michelle Bulls
highlighted that the prime institution is still responsible for scientific
oversight (e.g., as part of the RPPR), but not financial oversight as they were
previously. Distinctions were made regarding foreign subawards versus
foreign vendors and consultants, which remain acceptable, as do unfunded foreign
components. Questions remain regarding the prime domestic recipient’s
responsibility to require foreign subawardees to provide documentation (e.g., lab
notebooks) supporting the research outcomes, per NOT-OD-23-182, or whether this
responsibility should now fall to NIH. Bulls will take this question back to
NIH leadership for further discussion. Agencies addressed ongoing questions about
research security training (RST) and international participation in U.S. research.
Panelists confirmed that RST requirements generally apply to senior/key personnel,
unless expanded by specific programs, and that the one-hour SECURE Center CTM
training, or institutional training meeting the CHIPS Act
requirements are recognized as meeting the RST requirements. There was
discussion about the SECURE Cetner developing a shorter 15–20-minute annual
refresher training. Agencies may consider acceptance of shorter annual
refresher modules; however, final determination has not been made. The panelists reaffirmed that international students and researchers, including those from China, may continue to participate in fundamental research, provided existing disclosure, approval, and compliance processes are followed. FDP Session: Research Security & Subawards Working Group Moderators/Hosts:
Taren Ellis Langford, Executive Director, Research Security & Responsible Outside Interests, The University of Arizona Jennifer J. Ford, Research Compliance and Integrity (RCI) Operational Executive Director, University of California San Diego The Research Security and Subawards Working Group focused on practical implementation challenges at the institutional and inter-institutional level, particularly around subawards and FDP templates. Discussion centered on pre-meeting survey and live-poll results showing a strong preference for general, flexible research security language in the FDP Letter of Intent (LOI), rather than detailed or agency-specific certifications. Participants expressed concern about inconsistent expectations among FDP institutions, which can undermine efforts to reduce administrative burden. The group also explored expanding FDP Clearinghouse profiles to capture institutional-level research security information (such as “covered entity” status and institutional points of contact) to reduce repetitive, project-specific exchanges. Participants also indicated the need for institutional assessment on any proposed text to the LOI; the moderators indicated that model text will be provided for feedback. The session concluded with agreement that clearer guidance, shared future FAQs, and better use of centralized profiles could help balance compliance with efficiency as research security requirements continue to evolve. FDP Session: Federal Research Security Program Requirements Moderator/Hosts: Lisa Nichols, Executive Director, Research Security, RSS Co-Chair, Deputy Director, NSF SECURE Center; Jim Luther, Yale University Speakers:
Sarah Stalker-Lehoux, Acting Chief of Research Security, Strategy and Policy, National Science Foundation, and Co-Chair, FDP Research Security Subcommittee Julie Anderson, Director, Research Technology and Economic Security, Department of Energy Jason Day, Research Policy Director, Department of War Jarret Cummings, Senior Advisor for Policy and Government Relations, EDUCAUSE Beth Kolko, Director, NSF SECURE Center,
Professor, Human Centered Design and Engineering, University of Washington The session provided an in-depth update on
the status and likely features of the forthcoming Research Security Program (RSP)
requirements, with a particular focus on agency coordination, institutional
thresholds, and implementation expectations. Multiple federal agencies are
nearing completion of a coordinated rollout of the RSP requirements, with
implementation targeted for early 2026. NSF, DOE, DOW, and NIH described
significant progress toward a joint memorandum of agreement (MOA) that will
establish a centralized, harmonized certification process for “covered
institutions.” NSF is expected to manage this process, annually
notifying institutions of their covered status and collecting a simple yes/no
certification confirming compliance with the four core RSP elements:
cybersecurity, foreign travel security, research security training, and export
control training. The agencies emphasized that, while timelines remain contingent
on final approvals, an upcoming “Important Notice” will preview
expectations to help institutions plan and prepare. Cybersecurity represents the most substantial new requirement, with agencies planning to recognize compliance with NIST IR 8481 once it is finalized, alongside newly developed “Effective Practices” created collaboratively by the FDP, EDUCAUASE, and federal and institutional partners. Other requirements—such as export control training as applicable, and research security training—are largely familiar and either implemented or in progress. For foreign travel security, agencies will continue to take a risk-based, project-by-project approach, rather than requiring all covered individuals to register international travel. Officials stressed that foreign-funded travel remains a key focus, and that the SECURE Center’s condensed training module, or other training aligned with CHIPS Act requirements, is acceptable for meeting the training requirement. Agencies signing on to the MOA plan a synchronized rollout of final requirements in early 2026, at which point formal compliance timelines will begin FDP Session: DOJ Bulk Data Moderator/Host: Melissa Korf (Harvard Medical School) Speakers:
Emily Baxter, Director, Contracts, University of Michigan Eric Ward, Assistant Director, Unfunded Agreements, University of Michigan Stephanie Stone, Executive Director-Research Management Contracts, Mass General Brigham Thomas Burns, Associate Vice President for Research Compliance, Johns Hopkins University After providing an overview of the
Department of Justice (DOJ) Bulk
Data Rule, speakers discussed early institutional experiences
interpreting and operationalizing the new requirements, particularly around
identifying “covered persons” and assessing whether proposed
agreements are permissible. Rather than focusing solely on the nationality or
identity of a collaborating entity, institutions reported that DOJ’s
emphasis is on the nature and type of data involved in an arrangement. One example
highlighted an agreement in which a Chinese contract research organization (CRO)
asserted that an exemption applied. The institution advised that the CRO should
identify the specific exemption and that the applicability of the exemption be
evaluated through internal legal review. Participants also addressed practical compliance challenges, including how institutions are tracking cumulative data thresholds over time. The prevailing approach described was a conservative one: if an activity involves regulated categories of bulk data, institutions are generally assuming the rule applies, rather than attempting to calculate precise totals. Responsibility for implementation and interpretation has largely fallen to Offices of General Counsel, often working with outside legal counsel and coordinating across procurement and other administrative units likely to encounter affected agreements. The discussion underscored the importance of centralized oversight and cautious risk management as institutions navigate the rule’s early implementation phase. FDP Session: SciENcv: Operational Updates & The Addition of new NIH Common Forms Moderator/Hosts: Lori Schultz, Colorado State University; Bart Trawick, NIH NIH NCBI staff provided operational updates
on SciENcv and the rollout of the new NIH Common Forms for Biographical Sketch and
Current and Pending (Other) Support. Presenters confirmed that updated guidance
and help documentation will be released in the coming weeks, along with system
enhancements to streamline ORCID integration. NIH has announced an extended
leniency period for use of the Common Forms, through May 2026, during which time
applications not using the Common Forms will receive warnings but will not be
withdrawn. However, NIH emphasized that this leniency period does not apply to
linking ORCID IDs to eRA Commons profiles, which remains a firm requirement and a
common cause of proposal submission issues. Much of the discussion focused on practical challenges institutions are encountering, including duplicate My NCBI accounts, ORCID mis-linking when delegates prepare documents, and gaps in institutional visibility into investigator ORCID status. NIH reiterated that ORCID accounts must be linked by investigators themselves and that duplicate eRA Commons or NCBI accounts should be merged through the appropriate help desks. Participants also highlighted the growing use of XML uploads as a way to reduce errors, while noting the need for clearer examples, improved system validations, and additional tools to help institutions manage compliance risk. Presenters also announced that NASA versions of the Common Forms will be available through SciENcv in the future. | |
Texas Moves to Curtail Visas for Skilled Foreign Workers (New York Times, 1/27/2026) On Tuesday, Texas Governor Greg Abbott announced that the state would investigate public agencies and universities that employ individuals with H1-B visas. A letter was issued by the Governor to various state agencies and state universities to freeze any use of this visa type in current hiring. The letter also required the state agencies and universities to provide a report, due March 27,2026, detailing the scope of H-1B visas at their sites along with supporting information, including country of origin, job category, and expiration dates. Texas is one of the top five states with regard to the number of H1-B visa holders. (more) Foreign talent visa remains stalled months after launch (University World News, 1/20/2026) China’s newly announced K-type visa, designed to attract independent foreign STEM talent without requiring an employer sponsor, has yet to appear on official visa application portals more than three months after its planned launch, raising questions about implementation readiness. Experts say the delay reflects the administrative and technical complexity of rolling out China’s first employer-independent visa, which requires coordination across multiple government agencies and upgrades to immigration systems. While the K-visa is intended to support long-term talent retention and could offer multi-year, renewable stays, its rollout has sparked public debate amid high youth unemployment, with critics questioning its impact on domestic jobs. Chinese officials and state media have pushed back, arguing that concerns are overstated and that attracting top global talent remains essential to China’s economic and technological goals. (more) Registration is now open for COGR’s virtual membership meeting, taking place February 24-27, 2026. Information regarding dates and times of research security-related sessions will be included in future SECURE Research Security Briefings as details become available. COGR February 2026 Virtual Membership Meeting Registration Now Open Registration is now open for the 2026 Academic Security and Counter Exploitation (ASCE) Program. Next year is the 10th anniversary of the largest research security conference in the world: February 24 - 26, 2026. (more) RISC Bulletin Texas A&M University’s Research and Innovation Security and Competitiveness (RISC) Institute disseminates weekly RISC Media Bulletins, covering topics related to research security, foreign influence, and the intersection of science, technology, and national security. To join the distribution list for the RISC Bulletin or view previous editions, access this link for more info. | |
Researchers in Quantum and Computer Science Sought for Input on RS Resources Faculty Researchers at universities,
non-profits or other research institutions, who have received federal funding and
are working in quantum computing, computer science, and related fields are invited
to volunteer for short virtual information-gathering sessions. The sessions,
organized by the NSF-funded SECURE Center, aim to gather researchers’
perspectives on challenges related to research security and international
collaboration, with a focus on developing practical, low-burden resources to
address these challenges. Participation will directly inform future guidance,
training, and tools intended to reduce administrative workload and impediments to
international collaborations while safeguarding research. Sessions are currently
scheduled for:
Friday, February 6, 2026, 10-11:00 am ET Wednesday, February 11, 2026, 1-2:00 pm ET Friday, February 20, 2026, 11:00 am-12:00 pm ET Friday, February 20, 2026, 2-3:00 pm
ET Faculty researchers are encouraged to share this opportunity with research colleagues who may be interested. Questions or interest to participate should be directed to SECURE Center staff at researchsecurity@nd.edu. 2026 issues of the Research Security Briefing are available on the SECURE Center website. A combined, searchable version of all 2025 issues of the Briefing is also available. Looking to participate in NSF SECURE Center
co-creation activities or contribute to weekly briefings? The information provided by the NSF SECURE Center is intended for general research and educational purposes only. While we strive to ensure the accuracy and reliability of our content, we do not guarantee its completeness, timeliness, or applicability to specific circumstances. Each user is responsible for conducting their own risk assessments and making decisions based on independent judgment. Further, the NSF SECURE Center does not provide professional or legal advice, and users are encouraged to consult qualified professionals before making decisions based on the information found here. The NSF SECURE Center shall not be liable for any damages or costs of any type arising out of or in any way connected with your use of this information. External links are provided for convenience and do not constitute an endorsement of the content or services offered by any third-party resources. Our Work Products About Us Contact Connect University of Washington, Seattle, WA This activity is supported by NSF award #2403771 Any opinions, findings and conclusions or recommendations expressed are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or other U.S. Government Agencies. / / / | |
SECURE Center Safeguarding the Entire Community in the U.S. Research Ecosystem University of Washington, Seattle, WA Supported by NSF award #2403771 Any opinions, findings and conclusions or recommendations expressed are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or other U.S. Government Agencies. |