Research Data Compliance

Properly protecting research data is a fundamental obligation that is grounded in the values of stewardship, data integrity, and honoring commitments to the providers and sources of the data.  It is also the responsibility of everyone involved in the development, proposal, conduct, administration/support, and reporting of research. Research data security is essential to the ongoing health of the research environment including, but not limited to, maintaining public trust in and support for research.

In an academic setting where the vast majority of research data is intended to be openly published it may seem counterintuitive to worry about data security; however, even when there is an intent to publish, it's still important to protect the integrity of the data, assure accessibility, and control access so the researchers who developed the idea, data, algorithm, methodology, hypothesis, model, analysis, etc. are the ones who decide what, when, how, and to whom it is released. With respect to sponsored research data, the data belongs to the institution (or in limited situations to the sponsor) with the Principal Investigator serving as the data custodian charged with making sure data is appropriately safeguarded and shared consistent with institutional policies, terms and conditions, and applicable laws/regulations.  

    Research Security Program Standard - Draft for Public Comment

    In March 2023, the White House Office of Science and Technology Policy (OSTP) issued a request for comment (Federal Register Notice) on the draft Research Security Program (RSP) standard (Draft Standard); comments were due by June 5, 2023.

    NSPM-33 and the NDAA FY20 directed Federal funding agencies to require organizations receiving more than $50M/year in Federal R&D funding awards to implement various safeguards to secure the U.S. R&D enterprise, including having an RSP. The draft standard for RSPs is the result of an extensive interagency process, including engagement with the external research community. Given this process, compliance professionals generally agree that we should not expect substantive changes to the standard as a result of the open comment period.

    As proposed, there are four required elements for Research Security Programs:

    1. Foreign Travel Security,
    2. Research Security Training,
    3. Export Control Training, and
    4. Cybersecurity (12 required protocols).

    UVA already has many of the necessary elements to comply with the proposed standard and will be working over the coming months to assure we are fully compliant before the certification deadline, one-year from release of the final standard.

    Upcoming Requirements to Secure the U.S. R&D Enterprise

    Over the last several years all branches of the federal government have expressed growing concern regarding the safety and security of the US research enterprise and have taken a variety of steps to improve safeguarding (e.g., clarified investigator disclosure requirements, increased enforcement, increased threat communication, prohibited procurement from certain companies, modified contract clauses, etc.). 

    The initiative with the broadest impact was initiated by the release of the Presidential Memorandum on United states Government-Supported Research and Development National Security Policy (National Security Presidential Memorandum 33 (NSPM-33)) in January 2021. Concurrent with the release of NSPM-33 the White House Office of Science and Technology Policy (OSTP) released Recommended Practices for Strengthening the Security and Integrity of America's Science and Technology Research Enterprise which was broadly directed to the research community including, but not limited, institutions of higher education. In January 2022, OSTP released Guidance Implementing NSPM-33 to provide direction and specific recommendations to the federal research sponsoring agencies.

    Among the recommendations made to federal research sponsoring agencies was to create a common requirement that entities receiving >$50M annually in federal research assistance funding (grants and cooperative agreements) certify that they have a Research Security Program and recommended requiring the following four elements:

    1. Cybersecurity;
    2. Foreign travel security;
    3. Research security training; and 
    4. Export control training, as appropriate.

    The implementing guidance also recommends that compliance with the Research Security Program requirements be assessed as part of the single audit of Federal grant and assistance programs. UVA's single audit is performed by the Auditor of Public Accounts (APA) for the Commonwealth of Virginia as part of our annual institutional audit. 

    While the specific requirements and implementation timeline are not yet clear, we anticipate that the institutional certification statement will be finalized in 2022 with compliance required within one year of release. 

    New NIH Data Management and Sharing Policy (Effective 1/25/2023)

    NIH issued a new Data Management and Sharing (DMS) policy on October 29, 2020 to promote the sharing of scientific data. This policy applies to all NIH research proposals due on or after January 25, 2023. Sharing scientific data accelerates biomedical research discovery, in part, by enabling validation of research results, providing accessibility to high-value datasets, and promoting data reuse for future research studies.

    Under the DMS policy, NIH expects that investigators and institutions:

    • Plan and budget for the managing and sharing of data
    • Submit a DMS plan for review when applying for funding
    • Comply with the approved DMS plan
    • Request prior approval for significant changes to approved plans e.g. new scientific direction; a different data repository; timeline revision.

    With the implementation of this new policy NIH is emphasizing the importance of planning and budgeting for data sharing starting with the initial phases of proposal development. While necessary for all research proposals, early planning and budgeting is particularly critical for research programs that will generate "big data".  

    For researchers working with human subjects, including clinical trials, you will need to align your DMS plan and IRB consent forms.  Sharing your DMS plan with clinical trial staff and the IRB (or consulting them during its development) will help assure informed consent as well as compliance with the DMS plan.

    To assist investigators and institutions in complying with the new DMS policy, NIH has created a new website: https://sharing.nih.gov.  Content includes, but is not limited to, the following:

    • Best Practices for Scientific Data Management
    • Selecting a Data Repository
    • List of NIH-affiliated Data Repositories
    • Writing a DMS Plan
    • Budgeting for Data Management and Sharing

    Other Available Resources:

     

    Fundamental Research Data At Risk in Ransomware Attacks

    Think cybersecurity is only important for research data subject to privacy controls, confidentiality requirements, or US government access/dissemination controls? Think again!

    A ransomware attack that hit Michigan State University's physics and astronomy department left researchers without access to their research data; halted and delayed research programs; and in some cases, resulted in research data being unrecoverable.

    “In a ransomware attack, criminals encrypt a victim’s data in order to deny the victim the ability to carry out their business until they pay the ransom fee," said Von Welch, associate vice president for information security at Indiana University and director of Trusted CI. "The encrypted data are not necessarily valuable to the attackers. However, for researchers, loss of their data can mean lost productivity in terms of months or years.” 

    While MSU didn't pay the $6M ransom demand, it estimates the total cost of remediation for the incident at $1.09M. The costs included IT response and recovery, legal bills, as well as identity theft notification and mitigation measures for disclosure of personally identifiable data.

    For more information, check out the news article; watch the webinar from Trusted CI, the NSF Cybersecurity Center of Excellence; or read the report MSU made publicly available to warn the higher education community.  

    DOJ's Civil Cyber Fraud-Initiative

    On 10/6/2021, Deputy Attorney General Lisa O. Monaco announced the launch of a new Civil Cyber-Fraud Initiative to combat new and emerging cyber threats to the security of sensitive information and critical systems. The Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The intent is to hold entities and individuals accountable for knowingly putting U.S. information or systems at risk by

    • providing deficient cybersecurity products or services,
    • misrepresenting their cybersecurity practices or protocols, or
    • violating obligations to monitor and report cybersecurity incidents and breaches

    The department will work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government. 

    Promoting Research Data Security at UVA

    The Vice President for Research has appointed a group to provide advice on research data security (RDS) issues; specifically, the group is tasked with 1) ongoing governance of the University's designated IT system for safeguarding controlled unclassified information (CUI); 2) monitoring evolving federal requirements and expectations; and 3) making recommendations on how to facilitate the conduct of University research in ways that effectively safeguard intellectual property and protect US national security.

    Contact Andrew Bedotto, Research Data Compliance Manager, for information about RDS, the advisory group, associated working groups, and ongoing activities related to upcoming federal requirements (e.g., Research Security Program and DOD's Cybersecurity Maturity Model Certification (CMMC) program for contracts).