Research Security Program

The National Science and Technology Council’s GUIDANCE FOR IMPLEMENTING NATIONAL SECURITY PRESIDENTIAL MEMORANDUM 33 (NSPM-33), supported by the CHIPS and Science Act, requires institutions to implement a Research Security Program that includes the following: Cybersecurity, Foreign Travel Security, Research Security Training, and Export Control Training.

An additional component of Berkeley’s Research Security Program is research disclosures which includes enhanced controls on and certification of accurate disclosure of international activities in current and pending support and biosketches, as well as restrictions on participation in foreign government talent recruitment programs.

Berkeley’s Research Security Program implements the requirements as follows:

Cybersecurity is a foundational element of the Berkeley’s Research Security Program, aimed at safeguarding information systems and data integrity against cyber threats. This section outlines protocols for awareness training, access control, monitoring, and protection mechanisms necessary to mitigate risks such as social engineering, data breaches, and malicious code attacks.

Elements include:
  • Regular cybersecurity awareness training for authorized users.
  • Access control to information systems for authorized users and processes.
  • Verification and control of connections to external information systems.
  • Protection of non-public information.
  • Identification and authentication of system users.
  • Monitoring and protection of organizational communications.
  • Implementation of subnetworks for publicly accessible system components.
  • Protection of scientific data from cyber threats like ransomware.
  • Regular scanning for and protection against malicious code.
  • Timely identification, reporting, and correction of system flaws.

Classifying data helps ensure that appropriate cybersecurity measures are applied to protect information based on its sensitivity and the potential impact of a security breach.

Under the UC’s Electronic Information Security Policy, IS-3, information is categorized based on its sensitivity and the level of security required to protect it. Amongst various levels of security, the levels of higher risk include:

  1. P3 (Protection Level 3):
    • Description: Data that is sensitive and requires protection from unauthorized access, but not classified as highly confidential.
    • Examples: Certain research data, internal business processes, and personal information that, if disclosed, could cause moderate harm to individuals or the institution.
    • Security Measures: Enhanced access controls, encryption in transit and at rest, regular monitoring, and security training for personnel handling this data.
  2. P4 (Protection Level 4):
    • Description: Highly sensitive data that requires the highest level of protection due to the significant harm that unauthorized access or disclosure could cause.
    • Examples: Classified research data, critical infrastructure information, and highly confidential personal or financial information.
    • Security Measures: Strict access controls with multi-factor authentication, advanced encryption methods, continuous monitoring and auditing, stringent physical security measures, and comprehensive security training for personnel.

Please use Berkeley’s Data and IT Resource Classification Guideline to help determine the level of risk associated with your data and understand the steps needed to mitigate that risk.

For research data classified as P3 and P4 data, Berkeley offers the following secure resources:
  • Active Archive
  • CalShare
  • SRDC Secure Research Data and Compute (SRDC) Platform for sensitive data may be available on a case-by-case basis if your project qualifies.
Additional Cybersecurity Resources:

Foreign Travel Security is a foundational element of a research security program as required by the White House Office of Science and Technology Policy (OSTP), aimed at mitigating potential risks associated with foreign travel and protecting research integrity. This section highlights the elements of foreign travel security, emphasizing pre-travel disclosures, security briefings, and measures to secure electronic devices.

Foreign Travel Security under NSPM-33 requires UC Berkeley to ensure:

  • Maintenance of international travel policies for faculty and staff. Guidelines and Requirements for International Travel
  • Organizational record-keeping of international travel.
  • Disclosure and authorization requirements for international travel.
  • Provision of security briefings and electronic device security assistance.
  • Pre-registration requirements for international travel.

What travel security measures do international travelers need to take?

  • Review the UC Berkeley International Travel Protocols and Security Tips for International Travel.
  • Review the Security Tips for International Travel below:
  • Upon registration, the Research Security office will be notified for travel to countries of concern. “Countries of concern” include Qatar, Saudi Arabia, the United Arab Emirates, the People’s Republic of China (including Hong Kong and Macau), the Democratic People’s Republic of Korea (North Korea), the Russian Federation, and the Islamic Republic of Iran. See e.g., Section 19221 of the CHIPS and Science Act of 2022 [42 U.S. Code § 19221]; Section 117 of the U.S Higher Education Act of 1965
  • Prior to international travel to countries of concern, contact researchsecurity@berkeley.edu to assess if a pre-travel security briefing is needed.
  • Use the Worldcue Planner® travel intelligence portal to research any location and obtain global security insight.
  • For travel to China, Hong Kong, Macau, Russia, and Venezuela, please review the Electronic Export Information (EEI) filing requirements below for Hand-Carried items.
  • For hand-carrying or shipping computers, research materials, samples or equipment when traveling abroad, review Berkeley’s Export Control page on International Travel and contact the export control team at exportcontrol@berkeley.edu to determine whether an export control license is required to travel with these items.
  • If you do travel with a device containing research data, it should NOT contain any of the following:
    • Data and/or any documents or files containing Protection Level 3 and 4 data.
    • Data or information received under an obligation of confidentiality.
    • Devices, equipment or computer software received with restrictions on export to or on access by foreign nationals.
    • Devices, systems or software specifically designed or modified for military or space applications (even if these items are used in an academic research setting).
    • If the computer you plan to take with you includes any of the above, please immediately contact the Export Control Office to ensure you do not inadvertently violate export control regulations.
  • Check the US State Department’s travel advisory page.
    • U.S. Customs and Foreign Government officials have the authority to search and seize any electronic devices (e.g., cellphones, laptops, digital cameras) without probable cause. You may be asked to unlock your computer. Therefore, it is advisable that you:
      • Only carry information and data that you would be comfortable that others could see.
      • Do not carry the only copy of irreplaceable data.
      • Consider taking a clean laptop that is equipped with only minimum software and data as recommended in the security tips for international travel.

If you have any questions or would like specific advice, please contact the Export Control Office at exportcontrol@berkeley.edu.

Research security training is another core component of a research security program mandated by NSPM-33. Effective research security training enhances awareness and preparedness among personnel to identify and respond to threats that could compromise research integrity. This section outlines research security training available to UC Berkeley researchers. Research Security Training under NSPM-33 requires UC Berkeley to ensure that all federally funded researchers complete research security training and receive insider threat training, as applicable.

Research Security Training Available to UC Berkeley Investigators

Currently, all Principal investigators with at least $1 of extramural funding and any other personnel and students paid from extramural funding are required to complete: The UC Ethics and Compliance Briefing for Researchers, or ECBR. This briefing provides a summary of what is expected of you as a researcher at the University and of the various obligations this role entails, covering topics such as:

  • How to protect yourself, your research, and the University through comprehensive disclosure and ethical behavior
  • UC Whistleblower purpose, policies, protection, and procedures
  • Export control
  • Conflicts of interest, conflicts of commitment and associated disclosure processes
  • Form 700-U, PHS, NIH, and NSF disclosure processes

The ECBR training was rolled out in 2022 and must be completed every two years. All federally funded researchers must complete this training. For information on how to complete this training, please see How to Complete ECBR Training. The ECBR training in UC Learning may be found here or by typing “ECBR” into the UC Learning search bar.

UCOP is in the process of updating the ECBR content in light of the NSPM-33 implementation guidance.

Additional Research Security Training Resources Available:

  • UC Learning Center’s Research Security training

    This Research Security Training includes topics such as Disclosures, Talent Recruitment Programs, International Collaborations, and Data Security. As an alternative, these modules may also be accessed individually, at Research Security Video Shorts.

  • Courses available on CITI

    Under the CHIPS and Science Act, Research Security Training is now mandated for inclusion as part of the Responsible and Ethical Conduct of Research (RCR) training. For researchers required to complete online (not in-person) RCR training, UC Berkeley offers RCR training through the online Collaborative Institutional Training Initiative (CITI) program.

    To access the courses, follow these steps:

    1. Go to CITI.
    2. Go to the login page, select “Log In Through My Organization”, then select “University of California, Berkeley”.
    3. Use your CalNet ID and passphrase.

    For more information see the DETAILED LOGIN AND REGISTRATION INSTRUCTIONS.

  • NSF Research Security Training

    The U.S. National Science Foundation, in partnership with the National Institutes of Health, the Department of Energy and the Department of Defense, has developed online research security training modules and made them available for the research community. This training provides recipients of federal research funding with information on risks and threats to the global research ecosystem — and the knowledge and tools necessary to protect against these risks. Training modules include:

    • Module 1: What is Research Security
    • Module 2: Disclosure
    • Module 3: Managed and Mitigate Risks
    • Module 4: International Collaboration

Another component of research security programs per NSPM-33 is Export Control Training. Compliance with export control regulations is crucial for research involving collaborations with foreign entities or sensitive technologies.

All faculty and staff are encouraged to take export control training for general awareness. This section highlights the key elements for Export Control Training per NSPM-33, federal research agencies will require UC Berkeley to certify that the institution requires researchers who perform R&D involving export-controlled technologies, to complete training on U.S. export control and compliance requirements. A key element of export control training is mandatory training for personnel conducting research involving export control technologies.

To assist in guiding researchers through Export Control regulations, the Export Control Office offers several training and educational resources.

Training available through UC Learning:

  • Restricted Party Screening (RPS) Training: Overview of the importance and requirements of restricted party screening. Topics include understanding the importance of restricted party screening, following RPS requirements, using Visual Compliance as a screening tool, and escalations.
  • Export Control Training for Buyers: Export Control Training for Buyers provides resources for buyers during the procurement process to ensure UC compliance with federal export control regulations.
  • Intro to Foreign Corrupt Practices Act: The University of California is increasingly involved in international collaborations, ranging from overseas research projects to student exchanges, to formal affiliations.

Who should take this course:

  • Faculty who collaborate internationally
  • University personnel who travel internationally
  • Administrative support staff
  • Parties hosting foreign visitors and delegations – even from visiting universities
  • Financial disbursement personnel
  • Compliance professionals Knowing the issues and implementing a program for managing the risks is the best way to have a successful international collaboration

Export Control Mini Modules. Topics include:

If you need additional guidance, please contact the export control team at exportcontrol@berkeley.edu.

Training available through CITI:

UC Berkeley offers export control training through the online Collaborative Institutional Training Initiative (CITI) program.

For more information and login instructions see the Export Control Training Page.

The University of California Berkeley has established formal programs with comprehensive policies on conflicts of interest and conflicts of commitment, requiring faculty members and other investigators to disclose relevant information to ensure compliance with federal, state, and university regulations. These procedures provide guidance for the identification and management of outside professional activities in order to avoid conflicts of interest and conflicts of commitment, while assuring that faculty may engage in a wide array of outside activities without unnecessary limitations.

To promote transparency, Berkeley researchers must follow disclosure requirements regarding research security. These disclosure requirements apply to:

Failure to disclose all resources in accordance with a sponsor’s requirements can have serious consequences. It is critical to closely review and adhere to each sponsor’s specific disclosure requirements.

Participation in foreign talent recruitment programs (FTRPs) can pose significant risks that must be carefully considered, mitigated, and sometimes avoided altogether. Congress, the Federal Bureau of Investigation, and other government organizations have identified certain FTRPs as threats to the integrity and security of the national research enterprise. Participation in Malign Foreign Talent Recruitment Programs (MFTRP) is prohibited by agencies including NSF and DoD.

These agencies require federally funded institutions to impose certain requirements and restrictions on the institution’s covered individuals engaged in federally funded research projects.

Researchers must:

  • disclose if they are a party to a foreign talent program contract, agreement, or other arrangement, and
  • not participate in malign foreign talent programs.

Various agencies have their own FTRP requirements separate from CHIPS Act requirements and are in the process of developing policies and forms. Effective May 20, 2024, the National Science Foundation (NSF) adopted NSTC Common Forms for certification from senior and key persons. Other agencies are anticipated to move to Common Forms in the future.

As defined by Section 10638(4) of the CHIPS and Science Act, a malign foreign talent recruitment program is:
  1. any program, position, or activity that includes compensation in the form of cash, in-kind compensation, including research funding, promised future compensation, complimentary foreign travel, things of non de minimis value, honorific titles, career advancement opportunities, or other types of remuneration or consideration directly provided by a foreign country at any level (national, provincial, or local) or their designee, or an entity based in, funded by, or affiliated with a foreign country, whether or not directly sponsored by the foreign country, to the targeted individual, whether directly or indirectly stated in the arrangement, contract, or other documentation at issue, in exchange for the individual—
    1. engaging in the unauthorized transfer of intellectual property, materials, data products, or other nonpublic information owned by a United States entity or developed with a Federal research and development award to the government of a foreign country or an entity based in, funded by, or affiliated with a foreign country regardless of whether that government or entity provided support for the development of the intellectual property, materials, or data products;
    2. being required to recruit trainees or researchers to enroll in such program, position, or activity;
    3. establishing a laboratory or company, accepting a faculty position, or undertaking any other employment or appointment in a foreign country or with an entity based in, funded by, or affiliated with a foreign country if such activities are in violation of the standard terms and conditions of a Federal research and development award;
    4. being unable to terminate the foreign talent recruitment program contract or agreement except in extraordinary circumstances;
    5. through funding or effort related to the foreign talent recruitment program, being limited in the capacity to carry out a research and development award or required to engage in work that would result in substantial overlap or duplication with a Federal research and development award;
    6. being required to apply for and successfully receive funding from the sponsoring foreign government’s funding agencies with the sponsoring foreign organization as the recipient;
    7. being required to omit acknowledgment of the recipient institution with which the individual is affiliated, or the Federal research agency sponsoring the research and development award, contrary to the institutional policies or standard terms and conditions of the Federal research and development award;
    8. being required to not disclose to the Federal research agency or employing institution the participation of such individual in such program, position, or activity; or
    9. having a conflict of interest or conflict of commitment contrary to the standard terms and conditions of the Federal research and development award; and
  2. a program that is sponsored by—
    1. a foreign country of concern or an entity based in a foreign country of concern, whether or not directly sponsored by the foreign country of concern;
    2. an academic institution on the list developed under section 1286(c)(8) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (10 U.S.C. 4001 note; Public Law 115-232); or
    3. a foreign talent recruitment program on the list developed under section 1286(c)(9) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (10 U.S.C. 4001 note; Public Law 115-232).

Transparency and disclosure of potential conflicts of interest are integral to maintaining research integrity and credibility. This section mandates policies requiring personnel to disclose financial interests, affiliations, and relationships that may influence research outcomes. Transparent reporting of funding sources and collaborations helps mitigate risks associated with undue foreign influence and ensures accountability.

For additional information regarding compliance with UC Berkeley’s Conflict of Interest Policies, please see the resources below:

The Academic Personnel Manual (section 025) places limits on the amount of outside professional activities faculty members are permitted to undertake and sets out reporting guidelines for compensated and uncompensated outside professional and non-professional activities.

See UC Berkeley’s campus information on conflict of commitment from the Academic Personnel Office. See the UCOP APM 025. Questions regarding conflict of commitment should be addressed to the Office of the Vice Provost for Faculty.

UC Berkeley Research: Conflict of Commitment

Federal awarding agencies have raised concerns surrounding improper foreign influence on federally funded research. To mitigate this risk, the University is requiring researchers to disclose all sources of support (current and pending) of their research to avoid potential exposure. PIs must disclose foreign sources of support in the Current and Pending sections of a proposal according to the requirements of each federal agency. Some of these requirements have been in place for some time and others are new or are being interpreted differently and/or more rigorously than in the past.

Consistent with NSPM-33, individuals are required to disclose contracts associated with participation in programs sponsored by foreign governments, instrumentalities, or entities, including foreign government-sponsored talent recruitment programs.

Additional Information:

Agency Specific Information:

The Sponsored Projects Office has additional resources to guide the disclosure of current and pending support for federally funded research.

Foreign Financial Disclosure Report (FFDR)

Overview of the Requirement:

In accordance with the CHIPS and Science Act, institutions of higher education that receive National Science Foundation (NSF) funding must disclose annually all current financial support, including gifts and contracts valued at $50,000 or more, received directly or indirectly from foreign sources associated with a foreign country of concern. These countries include the People’s Republic of China, the Democratic People’s Republic of Korea, the Russian Federation, the Islamic Republic of Iran, among others as designated by the Secretary of State.

Key Compliance Details:
  • Reporting Period: The first report is due by July 31, 2024, covering the period from July 1, 2023, to June 30, 2024. Subsequent reports will be due by July 31 each year.
  • Information to be Reported: Details of legal entities, contract specifics, gift information, and related financial support must be meticulously documented.
  • Record Retention: Records must be maintained for at least four years after the award end date, the agreement termination date, or as required by state law.
Leadership Role of the Research Ethics and Compliance (REC) Office:

The REC Office is dedicated to guiding and supporting our university community through this reporting process. Our roles include:

  • Collecting and Aggregating Data: Collaborating with various university offices such as SPO, UDAR, IAO, Business Contracts, and others to collect relevant data.
  • Aggregating and Finalizing Submission: Compiling data from all units, verifying its accuracy, and preparing the final submission.
  • Uploading to Research.gov: Managing the logistical aspects of submitting the report through the new designated NSF portal.

We count on the cooperation and diligence of each department to ensure timely and accurate reporting. Non-compliance could result in delays in processing additional funding and administrative actions, including no-cost extensions and funding increments for ongoing grants.

For further information and resources, please visit:

If you have any questions or need further assistance, please do not hesitate to contact us at Researchsecurity@berkeley.edu.