Educause is seeking changes to the White House Office of Science and Technology Policy’s proposed cybersecurity requirements for federally funded research projects, the higher ed IT group shared in a blog post on Wednesday.
The OSTP’s draft cybersecurity proposals, shared in February 2023, would introduce new cybersecurity requirements for higher education institutions that receive more than $50 million in annual federal research funding. The requirements are largely modeled on the basic safeguarding requirements for Federal Contract Information (FCI) — an approach that Educause claimed is misguided because FCI safeguards weren’t written with academic research in mind.
“The OSTP should shift from the checklist approach to research cybersecurity represented by the FCI basic safeguards and instead encourage institutions to adopt a risk management approach to research cybersecurity,” Jarrett Cummings, Educause’s senior adviser for policy and government, wrote in the blog post. “Under the latter model, OSTP would set clear cybersecurity objectives for institutional research security programs, and covered institutions would implement appropriate measures to meet these objectives based on the nature and risk profiles of the research they support.”
Educause leaders said the group will continue to help develop the guidelines. Cummings estimated the final version of the guidelines could be published this year.