Research Security & Compliance
Texas A&M balances academic openness with compliance to protect research. Discover how secure, ethical research is supported through training, policy guidance, and services from the Research Security & Compliance team.
Ensuring Research Integrity and Security
Texas A&M University fosters a vibrant research environment built on principles of openness, collaboration, and integrity. As a leading global research institution, we also recognize the critical importance of safeguarding our research enterprise from potential risks, including foreign government interference, intellectual property theft, and violations of research integrity. Ensuring research security is essential not only for compliance with federal regulations but also for protecting national security and maintaining the public trust in our work.
To help ensure that the devices, computers, cloud services, and/or technologies you propose to use for your research meet TAMU and State requirements, engage your local IT personnel (e.g. the IT Executive Director or senior IT staff for your unit/college). If you are unsure how to contact your local IT staff, please refer to the Campus IT Contacts List.
Base Level Information Security Requirements for Research
Using only university-owned, TAMU Technology Services-managed endpoints is required for research. TAMU Technology Services helps to ensure that the Texas A&M Information Security Controls Catalog requirements are met. The Texas A&M Information Security Controls Catalog is our university's implementation of standardized security controls based on NIST 800-53 and mandated by Texas Administrative Code §202. It provides specific guidance for protecting university information systems and data across all departments and roles, including research.
The catalog contains 21 control families that cover the full spectrum of information security and are designed to safeguard university data and comply with State and TAMU System requirements. Additionally, the proper implementation of these controls has a significant impact on complying with many sponsor requirements. Your local IT helps ensure you meet university requirements by providing centralized management for your university-owned endpoints (e.g. laptops, desktops, etc.).
University Standard Administrative Procedure 29.01.03.M0.01 "Security of Electronic Information Resources" further underscores the importance of the controls catalog, as 2.3 states that “...All university data maintained on information resources must be afforded the appropriate safeguards stated in TAC 202 and applicable University Rules, SAPs, and security controls (found in the Texas A&M Security Controls Catalog); as well as applicable federal and contractual requirements. It is the responsibility of the information resource owner, or designee, to ensure that adequate security measures are in place and that an annual risk assessment is performed...”
IRB Ancillary IT Review Process
IRB Ancillary IT Reviews are performed to ensure that required university (see the TAMU Information Security Controls Catalog), state, and any federal and/or sponsor IT requirements can be met and are in place prior to the research beginning. This review process includes communicating with and coordinating with the PI's local IT personnel, as they are required to validate and ensure that all IT requirements are met.
The IT requirements extend beyond endpoints (e.g. workstations, laptops, desktops, etc.) and include cloud services as well. For example, any cloud services must be reviewed and approved for use by TAMU Technology Services and/or be TX-RAMP Level 2 certified. This State requirement ensures that appropriate safeguards are in place to protect data and/or code put into a cloud service. For more information on how to facilitate speeding up the IRB Ancillary IT Review process (e.g. the “red, yellow, green” scenarios), go here:
Regarding Cloud Services and Research
Where researchers wish to use third-party cloud services, TAMU IT Risk & Compliance must be able to ensure that a minimum level of information security mechanisms is in place. Depending upon the type of data and its classification, State and/or university requirements must be met prior to using the cloud service.
Texas Prohibited Technologies
Texas A&M University, as a state institution, is required to follow directives and laws set by the State of Texas regarding information technology security. One important area involves restrictions on the use of certain technologies deemed to pose a security risk to the state's data and critical infrastructure. For more information, see Texas Prohibited Technologies.
Navigating Federal Requirements
The landscape of research security has evolved significantly, with increased federal focus on protecting U.S. government-funded research and development. Key regulations and concepts that impact Texas A&M researchers include:
Controlled Unclassified Information (CUI)
This category refers to sensitive government information that, while not classified, requires specific safeguarding measures when handled, often as part of federal contracts or projects. Protecting CUI is vital for meeting contractual obligations and protecting government interests.
Cybersecurity Maturity Model Certification (CMMC)
This framework is primarily required for Department of Defense (DoD) funded research and verifies that appropriate cybersecurity standards are met to protect CUI and Federal Contract Information (FCI). Guidance and resources for handling Controlled Unclassified Information and meeting CMMC requirements for relevant DoD-funded projects are provided by the Texas A&M System Research Security Office in collaboration with IT security and your local IT.
National Security Presidential Memorandum 33 (NSPM-33)
This directive requires major research institutions receiving significant federal funding, like Texas A&M, to establish comprehensive research security programs. NSPM-33 emphasizes standardized disclosure requirements for researchers regarding potential conflicts of interest and commitment, and mandates institutional programs covering cybersecurity, foreign travel security, research security training, and export control training. Get more information on NSPM-33.
Support from Research Security and Export Controls (RESEC)
Navigating these complex requirements is a shared responsibility, and Texas A&M provides dedicated support through the Research Security and Export Controls (RESEC) office, part of the Division of Research. RESEC serves as a central resource to help faculty, staff, and students conduct research securely and ethically while meeting all applicable federal, state, and university regulations.
Key Services Provided by RESEC:
RESEC offers guidance, training, and administrative support across several crucial areas:
- Export Controls: Assisting researchers in understanding and complying with U.S. export control laws (EAR, ITAR) that govern the transfer of controlled items, technology, or software to foreign nationals or foreign destinations, including support for international shipping and travel assessments.
- Research Security Program (NSPM-33 Implementation): Guiding the implementation of NSPM-33 requirements, including developing training programs, advising on foreign travel security protocols, and supporting cybersecurity compliance efforts for research projects. Get more information on NSPM-33.
- Conflicts of Interest and Commitment (COI/COC): Managing the disclosure process for financial conflicts of interest and conflicts of commitment related to research activities, ensuring transparency and objectivity.
- Responsible Conduct of Research (RCR): Providing mandatory and supplemental RCR training covering core ethical research practices, including data management, authorship, plagiarism, peer review, and research security awareness.
- Visiting Scholars: Facilitating the review and approval process for international visiting scholars engaging in research at Texas A&M, ensuring compliance with relevant regulations.
- Foreign Influence Mitigation: Educating the research community on federal concerns regarding undue foreign influence and the importance of fully disclosing foreign collaborations, affiliations, and support.
Researcher Responsibilities
While RESEC provides critical support, individual researchers play a vital role in maintaining research security and compliance. This includes:
- Completing required RCR, export control, and research security training modules.
- Accurately and fully disclosing external activities, affiliations, and support as required by university policy and federal sponsors.
- Consulting with RESEC before engaging in activities involving export-controlled items or information, international collaborations that may pose risks, or projects involving CUI/CMMC requirements.
- Following university IT security policies and procedures for protecting research data, especially sensitive or controlled information.
Contact RESEC
For questions or assistance related to research security and compliance matters, please reach out to the appropriate contact within the Research Security and Export Controls office:
- Export Controls: exportcontrols@tamu.edu
- Conflicts of Interest/Commitment: coi@tamu.edu
- Responsible Conduct of Research: rcr@tamu.edu
- Visiting Scholars: visitingscholars@tamu.edu
- General Inquiries: (979) 862-6419
- TAMU Research Security and Export Controls web page
By working together, we can ensure Texas A&M University continues to conduct world-class research securely, ethically, and in full compliance with all applicable requirements.
Last Modified: October 14, 2025