Federal Agency Guidance

On June 30, 2023, the DoD issued Countering Unwanted Foreign Influence in DoD-Funded Research at Institutions of Higher Education. This guidance includes: 

• A policy outlining risk-based security reviews for fundamental research,
• A decision matrix to help assess and mitigate risks in research proposals,
• A list of foreign institutions flagged for concerning activities, and
• A list of foreign talent recruitment programs deemed threats to U.S. national security (see Part 3, Tables 1 and 2). 

This initiative supports the DoD’s broader effort to prevent foreign influence and misappropriation of federally funded research that could compromise national or economic security. 

The decision matrix evaluates senior/key personnel disclosures based on four criteria: 

1. Involvement in foreign talent recruitment programs,
2. Current or past funding from “foreign countries of concern” (FCOCs)—currently China, Russia, North Korea, and Iran, as defined by the CHIPS Act of 2022,
3. Patent filings in or on behalf of FCOCs or related entities, especially if undisclosed,
4. Affiliations with organizations listed on U.S. trade restriction or other flagged lists. 

The policy and matrix are designed to guide DoD program managers in reviewing unclassified fundamental research proposals for potential conflicts of interest or commitment. Public release of these materials aims to help researchers understand the DoD’s concerns regarding international engagements. This policy will eventually replace existing matrices used by agencies like DARPA and the Army Research Lab. Updates will be posted on the DoD Basic Research webpage. 

Effective June 7, 2025, the National Science Foundation (NSF) requires all Principal Investigators (PIs) and co-Principal Investigators (co-PIs) on awards made after May 20, 2024, to annually certify that they are not participating in a Malign Foreign Talent Recruitment Program (MFTRP). This certification must be completed via Research.gov, as outlined in the NSF Proposal and Award Policies and Procedures Guide (PAPPG), Chapter II.D.1.e(ii). 

Effective June 7, 2025, the National Science Foundation (NSF) requires all Principal Investigators (PIs) and co-Principal Investigators (co-PIs) on awards made after May 20, 2024, to annually certify that they are not participating in a Malign Foreign Talent Recruitment Program (MFTRP). This certification must be completed via Research.gov, as outlined in the NSF Proposal and Award Policies and Procedures Guide (PAPPG), Chapter II.D.1.e(ii). 

As of October 23, 2023, NSF requires all biosketches and Current and Pending (Other) Support documents to be prepared using SciENcv for new proposals (NSF 23-1, 11-23, and 11-26).

In May 2024, NSF introduced the TRUST framework—Trusted Research Using Safeguards and Transparency—to assess proposal risk. This process, similar to those used by DoD and DoE, focuses on critical technologies, beginning with quantum research in FY25 and expanding to other areas identified in the CHIPS and Science Act. 

NSF evaluates risk based on three criteria: 

1. Current appointments with U.S.-sanctioned entities or participation in MFTRPs,
2. Undisclosed affiliations, activities, or financial support,
3. Potential national security applications of the proposed research. 

Unlike other agencies, NSF does not consider co-authorships in its risk assessments. The framework is informed by the March 2024 JASON report, Safeguarding the Research Enterprise. 

As of October 10, 2025, all researchers serving as key personnel on National Science Foundation (NSF) proposals or research projects are required to complete Research Security training in compliance with federal guidelines. This training is essential to ensure our institution remains eligible for NSF funding and to support national research security efforts. If you are currently working on or planning to submit an NSF proposal, please ensure you and your team complete the training as soon as possible. Please login to CITI and complete the “Research Security Training (Combined)” module.  If you need assistance with a CITI account please click here.  If you have additional questions, please contact researchsecurity@louisville.edu. 

RTES coordinates with DoE Program Offices, the National Nuclear Security Administration (NNSA), and the Office of Intelligence and Counterintelligence (DOE-IN) across three phases: 

• Phase 1: Pre-publication review of funding opportunities to ensure applicants are informed of RTES-related requirements and technology risk levels.
• Phase 2: Due diligence review of financial assistance projects prior to selection, incorporating Phase 1 risk assessments.
• Phase 3: Ongoing review during the project lifecycle, triggered by changes in personnel, scope, or ownership/control. 

RTES uses disclosed, public, and classified information to evaluate risk across several dimensions: 

• Covered Individuals: Assessed for ties to malign foreign talent programs, foreign funding (monetary or in-kind), concerning patent behaviors, and affiliations with entities on restricted U.S. lists. Notably, foreign birth or citizenship alone is not considered a risk factor.
• Covered Entities: Evaluated for foreign ownership/control, regulatory or criminal issues, sensitive supply chains, and connections to restricted entities.
• Timing of Activities: Consideration is given to when the relationship or activity occurred, whether it has ceased, and whether it reflects a pattern or isolated event.
• Technology Context: Risk indicators are weighed against the nature of the technology, including proximity to critical infrastructure or military installations. 

DoE may address identified risks through certifications, tailored mitigation agreements, reporting requirements, special terms and conditions, or removal of individuals or entities from a project. Applicants may request reconsideration of removals. Disclosed activities are more likely to result in a viable path forward.

DoE has issued a Financial Assistance Letter (FAL) mandating research security training for covered individuals—those contributing substantively to a project. Training must be completed within 12 months prior to proposal submission. This requirement is effective May 1, 2025, and may apply to earlier proposals depending on the Notice of Funding Opportunity (NOFO). Implementation details will be communicated in early 2025. 

This training aligns with NSPM-33, which mandates research security programs across all federal agencies. 

As of May 26, 2026, all researchers serving as key personnel on National Institute of Health (NIH) proposals or research projects are required to complete Research Security training in compliance with federal guidelines. This training is essential to ensure our institution remains eligible for NIH funding and to support national research security efforts. If you are currently working on or planning to submit an NIH proposal, please ensure you and your team complete the training as soon as possible. Please login to CITI and complete the “Research Security Training (Combined)” module.  If you need assistance with a CITI account, please click here.  If you have additional questions, please contact researchsecurity@louisville.edu. 

The National Institutes of Health (NIH) requires prior approval for any “foreign component” in a research project. This includes the performance of a significant portion of the project outside the U.S. by either the award recipient or a researcher affiliated with a foreign organization—regardless of whether NIH funds are used.

On August 15, 2024, NIH released a decision matrix to help agency staff evaluate grant applications and active awards for potential foreign interference, particularly undisclosed relationships. Key risk factors include: 

1. Participation in a malign foreign talent recruitment program (now prohibited by law),
2. Undisclosed current or prior funding from a foreign country of concern (FCOC)—currently China, Russia, North Korea, and Iran (higher risk)—or other foreign countries (lower risk),
3. Undisclosed affiliations with institutions or entities located in or connected to a FCOC (higher risk) or other foreign countries (lower risk). 

Mitigation requirements depend on the timing of the engagement (active vs. within the past five years) and the completeness of disclosure. Possible mitigation actions include: 

• Imposing specific award conditions,
• Modifying award terms,
• Suspending, terminating, or withdrawing the award,
• Switching from advance payment to reimbursement,
• Recovering funds. 

In accordance with NOT-OD-21-073, NIH mandates immediate notification if other support was not disclosed during the proposal or progress reporting stages.