Research Security Program

Cybersecurity is a foundational element of the Berkeley’s Research Security Program, aimed at safeguarding information systems and data integrity against cyber threats. This section outlines protocols for awareness training, access control, monitoring, and protection mechanisms necessary to mitigate risks such as social engineering, data breaches, and malicious code attacks.

Elements include:

• Regular cybersecurity awareness training for authorized users.
• Access control to information systems for authorized users and processes.
• Verification and control of connections to external information systems.
• Protection of non-public information.
• Identification and authentication of system users.
• Monitoring and protection of organizational communications.
• Implementation of subnetworks for publicly accessible system components.
• Protection of scientific data from cyber threats like ransomware.
• Regular scanning for and protection against malicious code.
• Timely identification, reporting, and correction of system flaws.

Classifying data helps ensure that appropriate cybersecurity measures are applied to protect information based on its sensitivity and the potential impact of a security breach.

Under the UC’s Electronic Information Security Policy, IS-3, information is categorized based on its sensitivity and the level of security required to protect it. Amongst various levels of security, the levels of higher risk include:

1. P3 (Protection Level 3):
   • Description: Data that is sensitive and requires protection from unauthorized access, but not classified as highly confidential.
   • Examples: Certain research data, internal business processes, and personal information that, if disclosed, could cause moderate harm to individuals or the institution.
   • Security Measures: Enhanced access controls, encryption in transit and at rest, regular monitoring, and security training for personnel handling this data.
2. P4 (Protection Level 4):
   • Description: Highly sensitive data that requires the highest level of protection due to the significant harm that unauthorized access or disclosure could cause.
   • Examples: Classified research data, critical infrastructure information, and highly confidential personal or financial information.
   • Security Measures: Strict access controls with multi-factor authentication, advanced encryption methods, continuous monitoring and auditing, stringent physical security measures, and comprehensive security training for personnel.

Please use Berkeley’s Data and IT Resource Classification Guideline to help determine the level of risk associated with your data and understand the steps needed to mitigate that risk.

For research data classified as P3 and P4 data, Berkeley offers the following secure resources:

• Active Archive
• CalShare
• SRDC Secure Research Data and Compute (SRDC) Platform for sensitive data may be available on a case-by-case basis if your project qualifies.

Additional Cybersecurity Resources:

Foreign Travel Security is a foundational element of a research security program as required by the White House Office of Science and Technology Policy (OSTP), aimed at mitigating potential risks associated with foreign travel and protecting research integrity. This section highlights the elements of foreign travel security, emphasizing pre-travel disclosures, security briefings, and measures to secure electronic devices.

Foreign Travel Security under NSPM-33 requires UC Berkeley to ensure:

• Maintenance of international travel policies for faculty and staff. Guidelines and Requirements for International Travel
• Organizational record-keeping of international travel.
• Disclosure and authorization requirements for international travel.
• Provision of security briefings and electronic device security assistance.
• Pre-registration requirements for international travel.

What travel security measures do international travelers need to take?

• Review the UC Berkeley International Travel Protocols and Security Tips for International Travel.
• Review the Security Tips for International Travel below:
  • Registering all foreign travel and obtaining insurance. UC travel protection is also available via UCOP.
  • Leaving your data/device at home or considering a temporary computer for your trip containing limited data.
• Upon registration, the Research Security office will be notified for travel to countries of concern. “Countries of concern” include Qatar, Saudi Arabia, the United Arab Emirates, the People’s Republic of China (including Hong Kong and Macau), the Democratic People’s Republic of Korea (North Korea), the Russian Federation, and the Islamic Republic of Iran. See e.g., Section 19221 of the CHIPS and Science Act of 2022 [42 U.S. Code § 19221]; Section 117 of the U.S Higher Education Act of 1965
• Prior to international travel to countries of concern, contact researchsecurity@berkeley.edu to assess if a pre-travel security briefing is needed.
• Use the Worldcue Planner® travel intelligence portal to research any location and obtain global security insight.
• For travel to China, Hong Kong, Macau, Russia, and Venezuela, please review the Electronic Export Information (EEI) filing requirements below for Hand-Carried items.
• For hand-carrying or shipping computers, research materials, samples or equipment when traveling abroad, review Berkeley’s Export Control page on International Travel and contact the export control team at exportcontrol@berkeley.edu to determine whether an export control license is required to travel with these items.
• If you do travel with a device containing research data, it should NOT contain any of the following:
  • Data and/or any documents or files containing Protection Level 3 and 4 data.
  • Data or information received under an obligation of confidentiality.
  • Devices, equipment or computer software received with restrictions on export to or on access by foreign nationals.
  • Devices, systems or software specifically designed or modified for military or space applications (even if these items are used in an academic research setting).
  • If the computer you plan to take with you includes any of the above, please immediately contact the Export Control Office to ensure you do not inadvertently violate export control regulations.
• Check the US State Department’s travel advisory page.
  • U.S. Customs and Foreign Government officials have the authority to search and seize any electronic devices (e.g., cellphones, laptops, digital cameras) without probable cause. You may be asked to unlock your computer. Therefore, it is advisable that you:
    • Only carry information and data that you would be comfortable that others could see.
    • Do not carry the only copy of irreplaceable data.
    • Consider taking a clean laptop that is equipped with only minimum software and data as recommended in the security tips for international travel.

If you have any questions or would like specific advice, please contact the Export Control Office at exportcontrol@berkeley.edu.

Research security training is a core component of a research security program and mandated by NSPM-33. Effective research security training enhances awareness and preparedness among personnel to identify and respond to threats that could compromise research integrity. This section outlines research security training available to UC Berkeley researchers. Research Security Training under NSPM-33 requires UC Berkeley to ensure that all federally funded researchers complete research security training and receive insider threat training, as applicable.

The following federal agencies require Covered Individuals to complete research security training:

Agency	Effective Date	Who must take the training (Covered Individuals)	When must training be taken by	Agency Guidance
DOE/NNSA	5/1/2025	Covered Individual means an individual who (a) contributes in a substantive, meaningful way to the development or execution of the scope of work of a project funded by DOE or proposed for funding by DOE, and (b) is designated as a covered individual by DOE. At a minimum, PI/PD, Co-PI/Co-PD, project manager, and any other individual functionally performing as any of the above, as well as anyone else identified in a specific NOFO.	Proposal stage: complete within the 12 months immediately preceding the application submission date Award stage: new Covered Individuals must complete within 30 days of joining the project.	DOE Financial Assistance Letter (FAL) 25-02
NSF	10/10/2025	Senior/key personnel include individuals designated by the proposer/recipient organization and who contribute in a substantive, meaningful way to the scientific development or execution of a research and development project proposed to be carried out with a research and development award.	complete within the 12 months immediately preceding the application submission date	Important Notice No. 149: Updates to NSF Research Security Policies
NIH (fulfills NIH Other Support training requirement)	Other Support Training: 10/1/2025 Research Security Training: TBD	Senior/key personnel listed on the application	For Other Support Training: Required at the Just-in-Time (JIT) or Research Performance Progress Report (RPPR) phase. In accordance with UC implementation and policy. See UCOP Contract and Grant Manual, Chapter 2. For Research Security Training: Implementation postponed by NIH.	Other Support Training: NIH NOT-OD-25-133 Research Security Training: Implementation postponed. See NOT-OD-25-161.
DOD	TBD
NASA	TBD
USDA	TBD

Research Security Training Available to UC Berkeley Investigators

The research security training covers topics related to foreign influence, including international travel, disclosures related to foreign funding, as well as foreign talent recruitment programs, information and data security, and export controls. To meet this new training requirement, a new Research Security Training is now live and available in the UC Learning Center.

The required training is entitled “Research Security at the University of California” and can be accessed here or by searching “Research Security” or “RESEC-BE” in the search box of the Learning Management System.

The course is approximately 40 minutes long. Upon completion, the system will issue a training completion certificate that must be provided to SPO by you or your assigned RA, at the time of submission of a research grant application, for an applicable agency. For UC Berkeley to comply with this requirement, SPO must validate that the training has been completed for all covered individuals before submitting your application.

In order to meet this federal requirement, Covered Individuals who plan to apply for new funding from the agencies listed above must complete the training prior to proposal (application) submission. Failure to complete this required training could impact your proposal/application from being submitted or delays in accepting new awards.

For the NIH Other Support training requirement, completion of the research security training is required at the Just-in-Time (JIT), Research Performance Progress Report (RPPR) phase, or on the rare occasion where a solicitation requires other support as part of the proposal submission.

In summary, what do PIs need to do?

1. Take the training. You can access it here.
2. Identify all “Covered Individuals” and have them take the training.
3. Share the completion certificates for yourself and all covered individuals with your RA to upload to Phoebe. Note, Covered Individuals only need to take the training once a year—the training certificate can be used to meet the training requirement for all proposals and awards subject to the federal requirement for the year.
4. Monitor email for annual notifications to re-take the training.

Another component of research security programs per NSPM-33 is Export Control Training. Compliance with export control regulations is crucial for research involving collaborations with foreign entities or sensitive technologies.

All faculty and staff are encouraged to take export control training for general awareness. This section highlights the key elements for Export Control Training per NSPM-33, federal research agencies will require UC Berkeley to certify that the institution requires researchers who perform R&D involving export-controlled technologies, to complete training on U.S. export control and compliance requirements. A key element of export control training is mandatory training for personnel conducting research involving export control technologies.

To assist in guiding researchers through Export Control regulations, the Export Control Office offers several training and educational resources.

Training available through UC Learning:

• Restricted Party Screening (RPS) Training: Overview of the importance and requirements of restricted party screening. Topics include understanding the importance of restricted party screening, following RPS requirements, using Visual Compliance as a screening tool, and escalations.
• Export Control Training for Buyers: Export Control Training for Buyers provides resources for buyers during the procurement process to ensure UC compliance with federal export control regulations.
• Intro to Foreign Corrupt Practices Act: The University of California is increasingly involved in international collaborations, ranging from overseas research projects to student exchanges, to formal affiliations.

Who should take this course:

• Faculty who collaborate internationally
• University personnel who travel internationally
• Administrative support staff
• Parties hosting foreign visitors and delegations – even from visiting universities
• Financial disbursement personnel
• Compliance professionals: Knowing the issues and implementing a program for managing the risks is the best way to have a successful international collaboration

Export Control Mini Modules. Topics include:

• Export Control Overview
• Export Control Risks – International Shipping
• Export Control Risks – Biological Agents
• Export Control Risks – ITAR
• Export Control Risks – OFAC
• Export Control Risks – Travel Abroad

If you need additional guidance, please contact the export control team at exportcontrol@berkeley.edu.

Training available through CITI:

UC Berkeley offers export control training through the online Collaborative Institutional Training Initiative (CITI) program.

For more information and login instructions see the Export Control Training Page.

The University of California, Berkeley has established formal programs with comprehensive policies on conflicts of interest and conflicts of commitment, requiring faculty members and other investigators to disclose relevant information to ensure compliance with federal, state, and university regulations. These procedures provide guidance for the identification and management of outside professional activities in order to avoid conflicts of interest and conflicts of commitment, while assuring that faculty may engage in a wide array of outside activities without unnecessary limitations.

To promote transparency, Berkeley researchers must follow disclosure requirements regarding research security. These disclosure requirements apply to:

• Participation in Foreign Talent Recruitment Programs
• Malign Foreign Talent Recruitment Programs (MFTRP)
• Research Disclosures
  • Conflicts of Interest (including financial conflict of interest)
  • Conflicts of Commitment
  • Current and Pending Support
• Foreign Financial Transactions and Gifts

Failure to disclose all resources in accordance with a sponsor’s requirements can have serious consequences. It is critical to closely review and adhere to each sponsor’s specific disclosure requirements.