SECURE-ing Research and Data
March 18, 2025 – For more than 150 years, Lincoln College served the underserved communities in rural central Illinois. After surviving both world wars, the 1918 Spanish flu epidemic, and the Great Depression, the private undergraduate institution struggled with enrollment after the COVID-19 epidemic. A 2021 ransomware attack proved more than the school could survive; it closed its doors less than a year later. But it’s not just small institutions at risk of a security breach. High-profile universities and colleges have been victimized in highly publicized cases—targeted for their research, IP, and links to government agencies. In this era when international research collaboration is both a necessity and a challenge, ensuring research security has become a national priority.
Recognizing this, the U.S. National Science Foundation (NSF) invested $67 million over five years in the University of Washington ($50 million) and Texas A&M University ($17 million) to establish the SECURE (Safeguarding the Entire Community in the U.S. Research Ecosystem) Program—an initiative aimed at bolstering the integrity and security of federally funded research through a community-driven approach.
The NSF SECURE Program consists of two separate components: the NSF SECURE Center (led by the University of Washington) and NSF SECURE Analytics (led by Texas A&M University). Both institutions are UIDP members and the lead PIs, Mark Haselkorn (University of Washington) and Kevin Gamache (Texas A&M), along with Lisa Nichols (University of Notre Dame) who is a member of the SECURE Center team, offered an update and glimpse of what’s to come during a March 10 UIDP webinar, moderated by Susan Sedwick of Attain Partners. (See the recording here.)
Threats change, and rules do, too
New security threats continue to emerge, so research security policies and resources must evolve to meet them. Institutions receiving more than $50 million in federal R&D funding will need to meet to be identified federal cybersecurity requirements. In addition, institutions that accept DFARS 7012 terms must adhere to NIST 800-171 guidelines and proposed Federal Acquisition Regulation (FAR) clauses that were recently published. These include:
- Incident Reporting: Institutions must notify federal authorities of any suspected CUI incidents within eight hours, a significant tightening of prior reporting timelines.
- Data Safeguarding: New standards for marking, disseminating, and securing CUI to prevent unauthorized access.
- Contractor Responsibilities: Universities must vet vendors, subcontractors, and IT providers to ensure compliance with federal security requirements.
Additionally, the U.S. Department of Justice’s final rule on sensitive personal data protections has introduced critical restrictions on data sharing with foreign entities. Universities must be especially vigilant, as exemptions for academic research were notably absent from the final regulations. For insights on security programs outside the United States, check out this previous 3-Minute Read.
Why it matters
For research leaders navigating an increasingly complex security landscape, leveraging the NSF SECURE Program, through the NSF SECURE Center and NSF SECURE Analytics, will be essential in balancing openness and security while facilitating global collaboration. As the landscape continues to evolve, these efforts will be crucial to preserving the integrity and innovation of the U.S. research enterprise. A breach, after all, could mean more than just the loss of data; it could lead to drastic consequences, as Lincoln College learned. For additional information on data, research security, and other compliance issues, see the UIDP webinar recording and slides from “Tools to Address Research Security Challenges.”
We want to hear from you. What are your thoughts on SECURE’s community model? Let us know on LinkedIn.