Purpose
In September 2025, the National Institutes of Health (NIH) released Notice Number: NOT-OD-25-154, establishing new compliance requirements to strengthen research security across federally funded science and engineering projects. This initiative supports national efforts to safeguard U.S. research, in alignment with the CHIPS and Science Act of 2022, National Security Presidential Memorandum-33 (NSPM-33), and the Office of Science and Technology Policy (OSTP) Guidelines for Research Security Programs (July 29, 2024).
Background
The NIH is implementing measures to enhance transparency and accountability in federally supported research. These requirements emphasize institutional responsibilities and individual researcher compliance, ensuring that U.S. research remains secure against foreign interference, cybersecurity threats, and misuse of federal research funds.
Research Security Program Policy
The policy introduces a two-part compliance structure:
Covered Institutions
- Any institution receiving more than $50 million yearly in federal science and engineering support must establish a research security program. Each program must include:
- Cybersecurity
- Foreign travel security
- Research security training
- Export control training (as appropriate)
Covered Individuals
- Each individual identified as a senior/key person must complete research security training within 12 months before application submission and certify compliance.
Compliance is effective for applications submitted on or after January 25, 2026. NIH is coordinating with the National Science Foundation (NSF) and other federal agencies to provide resources and a centralized certification process.
Research Security Training Requirements
NIH requires both institutional and individual certification:
- Institutional Certification: The Authorized Organizational Representative (AOR) must certify, via the application cover form, that all senior/key personnel have completed research security training within the past 12 months.
- Individual Certification (Application Stage): Each senior/key person must provide an electronically signed PDF certification uploaded in the application package.
- Annual Certification (RPPR Stage): Senior/key personnel must continue to certify annually that they have completed training within the past 12 months.
NIH fully supports the NSF online Research Security Training modules and the SECURE Center’s condensed version of the four modules. Institutions may also use equivalent training that addresses cybersecurity, international collaboration, conflicts of interest, and proper use of research funds.
How CITI Program Helps Meet This Requirement
CITI Program’s Research Security series includes several options for research security training, including the NSF Research Security Training modules, the SECURE Center condensed training, a Research Security Advanced Refresher course, and Research Security: A Basic Course. Institutions and individuals can utilize these courses to fulfill their training needs.
Malign Foreign Talent Recruitment Program (MFTRP) Prohibition
Effective immediately, individuals participating in a Malign Foreign Talent Recruitment Program (MFTRP) are ineligible to serve as senior/key personnel on NIH-funded projects.
Certification requirements include:
- Institutional Certification: The AOR must certify awareness and compliance regarding MFTRP restrictions.
- Individual Certification: Senior/key personnel must attest on their biographical sketch that they are not part of an MFTRP.
- Annual Certification: Beginning January 25, 2026, senior/key personnel must upload an annual MFTRP certification as part of the RPPR process.
Key Takeaways
- NIH Notice NOT-OD-25-154 establishes mandatory research security training and certifications for covered institutions and individuals.
- Compliance begins with applications submitted on or after January 25, 2026.
- Institutions must implement research security programs covering cybersecurity, foreign travel security, training, and export controls.
- CITI Program Research Security Training (Combined) course, which includes the SECURE module, fulfills the NIH training requirement.
- CITI Program offers several options to fulfill research security training requirements.
