Rethinking faculty data management and security in higher ed
In the wake of the National Security Presidential Memorandum 33 (NSPM-33) earlier this year, research universities are rethinking and reorganizing how they approach management and security of faculty data. While many institutions have taken necessary action steps across the past few years to combat foreign interference (e.g., updating conflict of interest and commitment forms, educating faculty about research security vulnerabilities), the NSPM-33 provided the much-anticipated structural guidance university leaders have been demanding.
If you are looking for a comprehensive summary of the NSPM-33 guidance to date, this primer from the Council on Government Relations (COGR) is one we would recommend.
While the NSPM-33 outlines important parameters for both universities and federal funding agencies, there are still many unanswered questions across the industry as it relates to implementation and downstream implications of this guidance. Explore the takeaways below.
Review the key takeaways
Overall, the certification process for reported faculty data accuracy remains a double-edged sword
On one hand, the responsibility ultimately lies with the individual to self-report and certify accurately, with full knowledge of what is required of them and the consequences of misrepresenting or misreporting. But simply maintaining these records does not absolve the institution of risk; in fact, as the collector/steward of this data, the institution is also liable under the NSPM-33 and subsequent National Defense Authorization Act (FY21 NDAA) guidance.
And while updated trainings, more specialized compliance and security personnel, software systems, and standard operating procedures (SOPs) can curb some risk, the feeling remains that this guidance has the potential to do equal harm and good, especially as federal agencies have not yet produced the called-upon structural support.
Many institutions are hiring a “central data steward” to coordinate data across campus
This position looks different across institutions, but some of the shared qualities are a leadership title (AVP or chief), reporting to either the president or the provost, and a sweeping mandate across divisions to coordinate data capture, ensure accuracy, and report out as necessary.
Beyond the central coordination and stewardship of data, these individuals seek to bring the same holistic data understanding that institutions have of their enrollment picture to the research and compliance spaces. This requires reporting and visualization systems, SOPs around data access, and likely an updated or net-new policy framework for data reporting from faculty, departments, and colleges.
There are still questions about frequency and applicability when training researchers
Some institutions are staggering the research and compliance components of new faculty onboarding, providing a general session alongside all other campus divisions, and then providing a more specialized onboarding once an investigator has received a funded award (can be months or years after their initial onboarding).
For more established/tenured faculty researchers, the trainings must become more targeted, both in audience (e.g., departments with many tenured faculty accustomed to older procedures) and in content (e.g., departments that need refreshers on export control vs. those who need updates on animal care). Partners also report (slowly) increasing attention to these trainings among faculty, as very public cases of wrongdoing (perceived and otherwise) make their way into the mainstream media.
Most institutions employ an export control director that coordinates trainings and faculty outreach
The training burden complicates the export control director’s role: this individual was hired to govern policies and procedures that safeguard the institution, but with the ever-changing training requirements, they ultimately become the “trainer-in-chief” for all matters related to research compliance (especially where foreign interference is concerned).
While there cannot be a complete solution without more firm federal guidance on training requirements, the short-term solution is to train up additional research staff (central and unit-specific) so they can conduct the introductory compliance trainings, freeing up the director for the more advanced sessions. Many institutions are also using external vendors to provide some of these trainings, like the Collaborative Institutional Training Initiative (CITI) Program.
On using external experts, research security and compliance remains a cottage industry of those that analyze and review policies, procedures, and organizational structures
While there are some established groups that conduct audits and reviews for universities, most one-off consulting engagements in this space occur with individuals—likely former federal auditors, agency research staff, or security professionals.
Have you used an individual consultant or consulting firm to review your research security policies, procedures, and organizational structures? Let us know who you used, and we will curate a list to be shared with other partners anonymously. Send any recommendations to Jon Barnhart ([email protected]).