Why Congress Is Turning its Attention Back to Research Universities
- Published
- Jun 5, 2026
For decades, universities have managed research under decentralized, trust-based models built around openness, academic freedom, and researcher autonomy. Federal policy largely accepted that approach, even as oversight bodies raised early concerns about how institutions managed sensitive research data. Recent federal policy developments marked a clear inflection point, signaling that research security would be treated as a national security issue rather than solely an academic concern.
Research security now extends well beyond classified programs and contract-specific clauses. It covers enterprise-wide cybersecurity, data governance, disclosure, collaboration review, and identity and access controls. This expanded scope reflects a broader conclusion by Congress and federal agencies that risks are structural, not isolated, and require mandatory, auditable controls at the institutional level. As a result, funding and contract eligibility are now directly tied to compliance.
These changes create tension within traditional higher education environments, where research oversight is decentralized and practices may vary across departments, projects, and principal investigators. Moving from autonomy-driven models to standardized, enterprise-level controls requires institutions to align governance, expectations, and accountability in ways that may not have existed.
Key Points
- US policy long relied on the assumption that open scientific collaboration and peer norms would discourage abuse. Federal investigations showed that foreign governments and organizations deliberately exploited openness, not just benefited from open collaboration.
- Law enforcement and intelligence officials have publicly linked academic research activity to national security risks. FBI leadership has testified that US adversaries are targeting universities as an entry point into sensitive technologies because of weaker controls.
- Prior to new guidance on research security, compliance with cybersecurity requirements relied heavily on self-attestation by institutions and Principal Investigators (PIs). Congress concluded that self-attestation fails when adversarial incentives exist.
Reading the Signals: 2026 Senate Letters on Research Security
Congress has shifted from indirect to direct oversight of research security, primarily through the House Select Committee on China (Select Committee on the CCP). In 2025, the Select Committee on the CCP and the Committee on Education and the Workforce released findings from a two-year investigation on how the Chinese Communist Party (CCP) exploits US universities to access federally funded research. The report confirms that Congress now treats research security as a national security issue and signals closer scrutiny of institutions involved in sensitive projects. In 2026, Select Committee on the CCP Chair John Moolenaar sent a letter to the National Science Foundation (NSF) Interim Director demanding a pause on funding to universities whose leadership is involved in NSF SECURE initiatives or whose faculty have documented collaborations with Chinese military-linked entities.
What this means for institutions:
- Disclosure and risk acknowledgment are no longer sufficient on their own.
- In sensitive and dual-use fields, certain risks must be eliminated entirely, not just disclosed.
- Funding pauses are now a viable enforcement tool.
- Institutions may be held accountable for current, historical, and indirect affiliations.
Collectively, these responses from the Select Committee on the CCP articulate expectations for governance, accountability, and ongoing oversight of institutional research risk.
Foreign Influence, Disclosure Gaps, and the Compliance Squeeze
Traditional disclosure-based models are shifting. Institutions should conduct independent due diligence to confirm foreign affiliations rather than relying solely on PI findings. The interconnected nature of foreign relationships makes due diligence hard to perform linearly. In the Fox in the Henhouse investigation, the joint publication linked various US university researchers to People’s Republic of China (PRC) military universities, providing a sufficient basis for congressional scrutiny. When conducting due diligence, reviewers should:
- Pay close attention to informal and public relationships
- Rely on open-source indicators, such as co-authored publications
- Publicly document academic affiliations
- Establish evidence of collaboration on research activities
Inconsistencies across university departments and administrations in how foreign affiliations are identified further increase institutional risk, placing a greater burden on research offices without proportional resources while also shifting responsibility to identify higher-risk affiliations earlier.
Insider Risk: The Overlooked Dimension of Research Security
Insider risk does not stem from a breached perimeter, but from the misuse and exploitation of trust placed in legitimate researchers. As foreign influence rules have expanded, the question of who has access to sensitive research, and how that access is granted and reassessed over time, has become a focal point. Roles, relationships, and external affiliations can affect access and exposure, especially when verification, monitoring, and oversight procedures aren’t regularly updated. Lawmakers have raised concerns about:
- Undisclosed affiliations
- Visiting-scholar arrangements
- Honorary appointments
- Foreign funding
- Travel
- Participation in talent programs
Congress is now expecting institutions to establish insider threat programs that consistently track research accessibility throughout the research lifecycle, in line with federal expectations.
Insider Threats at Research Universities: The Human Factor
The Department of Education and the National Counterintelligence and Security Center have documented how foreign intelligence services exploit academic environments by recruiting students directly or cultivating individuals to collect their insights. Students and early career researchers may be targeted well before institutions are aware. Recent cases at major research universities illustrate how this risk plays out at the individual level, highlighting how insider risk can emerge from both external targeting and trusted access with limited visibility.
- In 2026, a US undergraduate researcher studying Chinese industry testified that she was targeted by someone believed to be associated with a foreign intelligence service. Contact began through social media, then escalated to solicitation, pressure to travel abroad, and communication on monitored platforms. While this espionage attempt did not result in an insider-threat incident, it demonstrates how foreign intelligence services identify and cultivate individuals with inside access to sensitive research.
- In a separate federal investigation, a university professor serving as principal investigator on a US government-funded research project failed to disclose foreign affiliations and financial incentives while overseeing potentially dual-use nanotechnology research. The case resulted in criminal convictions and financial penalties, and left the university with reputational damage within the research community.
Together, these cases show that research security risk increasingly concentrates at the individual level, whether through external targeting or through trusted insiders, making sustained oversight of who has access to sensitive research, and why, a critical institutional responsibility.
From Guidance to Enforcement: A Shift in Federal Expectations
Recent guidance, congressional correspondence, and funding actions establish that security risks should be actively managed and enforced through federal law.
Key Research Security Laws & Directives, 2019 - today
The laws and directives below translate research security expectations into enforceable conditions, defining what sponsors and regulators now require universities to know, document, and demonstrate in practice.
| Regulation | Year | Description | Key Implication |
|---|---|---|---|
| NDAA – Section 1286 | 2019 | Requires the DoD to identify and publish lists of foreign institutions and talent programs linked to military or intelligence threats. | Regulators expect institutions to have awareness of risky foreign partners and account for those risks. |
| NDAA (Ongoing) | 2020-2025 | Expand and reinforce research security provisions, including collaboration restrictions and enhanced reporting for federal research awards. | Research security obligations are continually reaffirmed as national security priorities, confirming that compliance is no longer discretionary. |
| NSPM-33 | 2021 | Establishes federal research security policy requiring standardized disclosures, research security programs at institutions with high funding, and oversight mechanisms for foreign interference. | Formally frames research security as an institutional responsibility tied to eligibility for federal funding. |
| CHIPS and Science Act | 2022 | Codifies NSPM-33 concepts into statute, mandates agency-level research security offices, prohibits participation in malignant foreign talent programs, and authorizes risk assessments using open-source intelligence. | Research security becomes law, with explicit authority for monitoring, assessments, and enforcement across funding agencies. |
| OSTP Guidelines for Research Security Programs | 2024 | Require covered institutions to formally certify that they have implemented research security programs that address cybersecurity, insider risk, foreign travel, and export controls. | Institutions must demonstrate research security capability as a requirement for federal funding eligibility. |
| NSF and Agency-Specific Research Security Rules | 2024-2025 | Require research security training, certification, and documentation of disclosure for key personnel, and task agencies with conducting risk assessments of proposals and awards. | Disclosures and documentation are now subject to agency validation and review. |
| Higher Education Act – Section 117 | 2025 | Strengthens enforcement of foreign funding disclosure requirements and makes compliance key to federal funding and potential False Claims Act exposure. | Transparency around foreign financial relationships is treated as a national security obligation. |
| Dept. of Education–State Dept. Interagency Enforcement | 2026 | Enables foreign funding disclosures to be leveraged for national security review and enforcement beyond just education oversight. | Foreign funding data is now expected to withstand scrutiny beyond compliance offices. |
Federal agencies have demonstrated a willingness to enforce research security expectations through civil enforcement actions tied to funding disclosures. In 2023, the Department of Justice reached a $1.9 million False Claims Act settlement with a university after determining that foreign research support and affiliations had not been fully disclosed in the submitted federal grant proposals. The case reflected the government’s position that incomplete disclosures can be material enough to create institutional liability. Similarly, disclosure-based enforcement is now a standard compliance risk and has changed how institutions think about acceptable exposure. As enforcement mechanisms solidify, research security becomes an operational challenge that affects how institutions manage people, partnerships, and risk across the research lifecycle.
Operational Impacts: What University Leaders Should Be Doing Now
The move from guidance to enforcement requires institutions to rethink how research security responsibilities are coordinated and executed. These requirements now span multiple functions, including:
- Research administration
- IT
- Legal
- Compliance
- Risk
Institutions should inventory international collaborations, review disclosure processes, and prepare for both pre‑award and ongoing sponsor scrutiny. These pressures expose gaps in decentralized models that were not designed for sustained, coordinated oversight. To close gaps, institutions should conduct targeted audits and evaluate processes to align with sponsor and regulatory requirements. Insider risk management is often a practical entry point, supported by targeted reviews of high-risk personnel, decentralized systems, and key compliance processes. Together, these efforts help leadership see where research security risks are emerging and where controls fall short.
Securing Your Organization with EisnerAmper
Higher education research environments are intentionally open, decentralized, and collaborative, conditions that are now subject to heightened regulatory and sponsor scrutiny. As research security expectations move from guidance to enforcement, institutions are now judged on how well they oversee people, partnerships, data, and funding across the research lifecycle.
EisnerAmper helps universities address that challenge by taking a practical, institution-specific approach to research security.
Our Advisory and Cyber Risk team works with institutions to evaluate insider threat practices, research governance structures, disclosure and funding controls, and the IT systems that support research. By doing so, we help institutions move beyond baseline compliance and toward demonstrable operational readiness, so they are better positioned to manage the risks that come next.