Skip to main content

National Institute of Standards and Technology: Strengthening Disclosure Requirements and Assessing Training Could Improve Research Security

GAO-24-106074 Published: Dec 14, 2023. Publicly Released: Dec 14, 2023.
Jump To:

Fast Facts

Some foreign governments try to acquire U.S. research and technology dishonestly. Protecting federally funded research from such threats is critical.

The National Institute of Standards and Technology collaborates with foreign and domestic researchers—requiring them to disclose potential conflicts of interest. But NIST doesn't require domestic researchers to disclose as much information as foreign nationals. NIST needs to ensure it can identify research security risks posed by all researchers.

In addition, NIST doesn't evaluate whether staff training on security policies and practices is effective.

We recommended that NIST address these issues.

Summary of NIST’s Process for Reviewing and Hosting Foreign National Associates

process is: gather info, security review, approve/deny, background check, report suspicious activity

Skip to Highlights

Highlights

What GAO Found

Researchers employed at the National Institute of Standards and Technology (NIST) collaborate on research projects with about 2,500 domestic and foreign national researchers (known as “associates”) each year. The agency also awards grants and cooperative agreements under which extramural (i.e., external) researchers carry out research. While such collaborations are intended to benefit NIST, they may pose security risks. NIST has taken steps to help ensure research security by requiring researchers to disclose information that can help it determine whether they have potential conflicts of interest or commitment.

However, at the time of our review, NIST had not fully implemented federal disclosure requirements as the agency was waiting for the Office of Science and Technology Policy (OSTP) to issue government-wide guidance in two areas:

  • uniform disclosure forms for extramural researchers, and
  • guidelines on foreign talent recruitment programs, which seek to recruit researchers—sometimes with malign intent.

According to NIST officials, OSTP's delays in issuing the forms and guidelines have delayed NIST's collection of certain disclosures. Without these disclosures, NIST is missing key information—such as domestic researchers' participation in foreign talent recruitment programs—that could help it address research security risks.

Separately, NIST requires fewer disclosures from domestic associates than from foreign national associates. Officials said the agency primarily focuses on risks posed by foreign national associates and by certain countries of concern. However, domestic researchers can also have concerning affiliations with foreign entities. By not requiring domestic associates to disclose the same information as foreign national associates, NIST is missing opportunities to assess and mitigate risks.

Information That NIST Requires Associates to Disclose

Type of researcher

Organizational affiliations/ employment

Positions/ appointments

Participation in foreign talent recruitment programs

Current and pending research support

Foreign national associate

Domestic associate

-

-

-

Source: GAO analysis of the National Institute of Standards and Technology (NIST) information. | GAO-24-106074

NIST and Commerce also help ensure research security by training researchers. The training program generally aligns with most selected leading training practices. However, because they do not evaluate the program's effectiveness, the agencies are limited in their ability to identify opportunities for improvement. For example, NIST employees told GAO that NIST could provide more examples of risks that employees may encounter. Collecting and analyzing such feedback could help strengthen the agency's training and improve research security.

Why GAO Did This Study

Countries of concern pose security risks to U.S. research and innovation. Such countries have sought to access information through collaborative research efforts. NIST employees regularly collaborate with outside researchers from academia or private-sector companies. The Research and Development, Competition, and Innovation Act includes a provision for GAO to review NIST's research security program.

This report examines, among other things, NIST's efforts to (1) meet federal disclosure requirements for intramural and extramural researchers, (2) collect and review disclosures from foreign national associates and domestic associates, and (3) align its security training with selected leading training practices.

GAO reviewed NIST's information and available data on identified risks, research security policies, and procedures, and interviewed agency officials. GAO also compared NIST's policies and practices against selected federal requirements and leading practices on training.

Recommendations

GAO is making three recommendations: one to OSTP on issuing timely research security guidance; and two to NIST on strengthening disclosure requirements for domestic associates and evaluating its training program. OSTP and NIST agreed with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Science and Technology Policy The Director of OSTP should expedite the development and issuance of guidelines on foreign talent recruitment programs as required by section 10631 of the CHIPS and Science Act of 2022. (Recommendation 1)
Closed – Implemented
In February 2024, OSTP issued the guidelines for federal research agencies regarding foreign talent recruitment programs, consistent with the CHIPS and Science Act of 2022. The guidelines include a prohibition on federal personnel of federal research agencies from participating in foreign talent recruitment programs. The guidelines also prohibit certain covered individuals from participating in a federally funded research and development project if they are currently participating in a malign foreign talent recruitment program. Further, the guidelines provide a definition for a malign foreign talent recruitment program.
National Institute of Standards and Technology The Director of NIST should, consistent with applicable statutes and regulations, collect and review disclosures from domestic associates—including information on positions and appointments, current and pending research support, and participation in foreign talent recruitment programs—and require updates to these disclosures, as appropriate. (Recommendation 2)
Open
According to an April 2024 action plan, NIST intends to take several actions to implement this recommendation, such as expanding its review process for domestic associates by leveraging the information collection template used for foreign national associates, and modifying an information system used to collect and store this information. As of November 2024, GAO continues to monitor NIST's pending adoption of the new form for use with domestic associates.
National Institute of Standards and Technology The Director of NIST should, in coordination with the Secretary of Commerce as appropriate, evaluate the effectiveness of research security training courses for NIST staff. For example, this could include collecting and analyzing employee feedback. (Recommendation 3)
Closed – Implemented
In September 2024, NIST provided an update on its actions to address this recommendation. NIST stated that the Department of Commerce's Office of Security conducted an internal assessment of the departmental research security program, including NIST. The assessment found that the threat awareness trainings used across the department differed in content, uniformity of message, and overall effectiveness. In response, Commerce's Office of Security developed a department-wide training course available to NIST to use starting by the end of calendar year 2024. According to training slides that we reviewed, the training includes topics such as foreign intelligence threats and counterintelligence. Additionally, NIST developed a set of survey questions to gather employee feedback on the training following completion of the course. Going forward, NIST's Office of Security intends to review the survey results to assist in assessing training effectiveness.

Full Report

GAO Contacts

Candice N. Wright
Director
Science, Technology Assessment, and Analytics

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Agency evaluationsBackground investigationsBest practicesDefense budgetsEmployee developmentFederal researchForeign nationalsIntelligence communityInteragency relationsMilitary intelligenceNational securityResearch and developmentScience and technologySecurity risksUnauthorized disclosure