Peer Practices

Draft Research Institution Community Developed SSP

One of the major challenges faced by institutions engaged in regulated research is determining how to align their interpretation of controls with those of other institutions engaged in similar activities. Given the sensitive nature of implementation decisions and the varied resources available to institutions, the primary means of addressing this challenge is traditionally through internal teams or external consulting efforts. However, when teams have been heavily involved in the development and implementation of a System Security Plan, they may inadvertently overlook crucial details or overcommit themselves to additional and unnecessary effort in their solutions.

This advanced, full-day workshop on May 1, 2023, focused on the creation of key components of a NIST 800-171 / CMMC Level 2 System Security Plan (SSP) through collaboration and expert input.

This workshop produced a novel resource in which national experts reached consensus on implementation strategies and determined best practices.

Download COGR's "Research Security and the Cost of Compliance"

View COGR Presentation on "Research Security & the ROI"

"The projected year one, average total cost per institution for compliance with the Disclosure Standards, regardless of institutional size, is significant and concerning. The figure ranges from an average of over $100,000 for smaller institutions to over $400,000 for mid-size and large institutions. Although some of these expenses are one-time costs, a sizeable portion will be annual recurring compliance costs. Overall, the cost impact to research institutions in year one is expected to exceed $50 million."

Research Security and the Cost of Compliance

Results from COGR’s Phase I Survey on the Costs of Complying with Research Security Disclosure Requirements

Gathered from 26 complete answers examining institutional costs for fiscal year 2022-23 

Over the past four and a half years, universities and their affiliated academic medical centers (AMCs) and research institutions have focused on addressing federal funding agency requirements adopted to address inappropriate foreign influence on research. These requirements include new and clarified provisions calling for researchers to disclose all sources of research support and all types of appointments and affiliations (“Disclosure Requirements”) so that agencies and institutions will have the information they need to identify any areas of commitment, funding, or scientific overlap. These Disclosure Requirements are set forth in the Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government Supported Research and Development (“Implementation Guidance”) and in agency notices.

COGR conducted Phase I of the survey described in this report to quantify the considerable time and resources (financial and otherwise) that research institutions have invested (or will invest) to achieve compliance with the Disclosure Requirements.

Community Workshops 2020-2021

Higher Education Regulated Workshop Series: A Collective Perspective

Co-authored by contributors from Purdue University, Duke University, University of Florida, Indiana University, Case Western Reserve University, University of Central Florida, Clemson University, Georgia Institute of Technology, and University of South Carolina.

After an eight-month effort concluding in June of 2021, 155 participants from 84 research institutions from across the United States gathered for six facilitated, NSF-sponsored workshop sessions to determine if coming together as a community could improve the support of individual programs to secure regulated data in research involving the Department of Defense or health sciences.

The report represents the collective perspective of those who participated in the workshop series and the efforts of volunteer authors who helped put it together. The primary aim of the document is to identify challenges, share best practices, and provide recommendations to the community on how to handle regulated research data on campus.

Effective Cybersecurity for Research

Authored By: William Drake and Anurag Shankar of Indiana University

The tension between cybersecurity and researchers has long hampered attempts to secure research. It is also why institutional cybersecurity efforts in academia have been confined to the most sensitive research. The status quo has persisted for other reasons as well, for instance the complexity of the research environment, but the latest developments in the regulatory and cyber threat landscape are quickly changing the status quo. Funding requirements scoped beyond individual awards and newly evolving threats are pointing to a future where securing research holistically is no longer optional. This paper describes an approach to cybersecurity for research that is showing great promise in breaking the security versus research impasse. A product of years of effort at Indiana University, it focuses exclusively on the researcher and the research mission, reduces the cybersecurity and compliance burden on the researcher, and aims to secure all research. It has been stress tested on campus, with success evidenced by researchers embracing it voluntarily and research being accelerated measurably.

Regulated Research Benchmarking Study

Authored By: Liz Rulli, Jane Livingston, and Neal Wozniak of Notre Dame Research, University of Notre Dame

As its research portfolio grows, and with increasing emphasis by sponsors on cybersecurity and research data security, the University of Notre Dame is embarking on creating a program for handling regulated research data from cradle to grave. In order to learn more about how best to build a program, the University surveyed its peers to understand what they are doing and collect best practices.

Unsurprisingly, there are as many approaches to the task of managing a compliant regulated research program as there were interviews conducted. At the highest level, there is broad awareness of the need to comply with the various agency regulations governing data security and moves to address them. That being said, of a dozen institutions in the study, most report being in the early phases of building a comprehensive program for managing regulated data.

For more information: lrulli at