On Research Podcast – Protecting Innovation: COGR’s Guidance on Research Security for Tech Transfer

To easily navigate through our podcast, simply click on the ☰ icon on the player. This will take you straight to the chapter timestamps, allowing you to jump to specific segments and enjoy the parts you’re most interested in.

1. Episode Introduction and Research Security Context (00:00:20) Host introduces the episode and frames why research security has become an increasing concern for technology transfer offices.
2. Introducing COGR and the Guests (00:00:48) Overview of COGR, the guests’ roles, and why this guidance was developed for the tech transfer community.
3. What is COGR? (00:03:03) Discussion of the organizational structure and purpose of COGR.
4. Why Tech Transfer Is Now on the Front Lines of Research Security (00:05:56) Discussion of how tech transfer activities increasingly intersect with research security, export controls, and foreign influence concerns.
5. What are the Main Research Security Risk Areas for Tech Transfer Offices? (00:09:37) Explanation of the guidance’s practical, function-based structure and the role of the executive summary.
6. Understanding the Fundamental Research Exclusion and Its Limits (00:11:30) Clarification of misconceptions about the fundamental research exclusion and where it does — and does not — apply.
7. Disclosure and Transparency Requirements for Tech Transfer (00:13:28) Overview of Section 117 and NSF foreign financial disclosure requirements relevant to tech transfer offices.
8. On Campus Promo (00:17:08)
9. The Risks of Moving from Fundamental Research to Commercialization (00:17:31) Discusses the what, the where, the who and the why when making export control decisions.
10. Practical Considerations when Sharing Data and Materials or Technical Agreements (00:22:00) Clarifies how material transfer agreements, data use agreements, and non-disclosure agreements might impact export control considerations and data sharing decisions.
11. Research Security Concerns of Patents, Foreign Filings, and Foreign Investments (00:25:15) Explains how a tech transfer office’s patent strategy may have an impact on the institution’s ability to obtain federal funding.
12. Key Takeaways for Technology Transfer Offices (00:28:24) Emphasis on early risk identification, coordination with compliance offices, and using the guidance as a decision-support tool.
13. Closing Reflections and Resources (00:32:11) Final thoughts on the value of practical guidance and where institutions can go for additional support.

Alexa McClellan: Technology transfer offices are often thought of as the bridge between discovery and commercialization, but today they’re also increasingly on the front lines of research security. As federal expectations around foreign influence, export controls, data protection, and disclosure continue to evolve, tech transfer professionals are being asked to navigate risk in ways that didn’t exist a decade ago, often without clear practical guidance.

In this episode of On Research with CITI Program, I’m joined by Allen DiPalma and Kevin Wozniak from the Council on Governmental Relations, or COGR, to discuss COGR’s recent research security guidance for technology transfer, why it was needed, what it covers, and how institutions can use it to responsibly protect innovation while still supporting openness and collaboration. Allen and Kevin, thank you for joining us today.

Allen DiPalma: Thank you.

Kevin Wozniak: Thank you.

Alexa McClellan: So to start off with, could you each briefly introduce yourselves, and share your roles at COGR, and in the development of this guidance?

Kevin Wozniak: Absolutely. Allen, if you don’t mind, I’ll go first and thank you for having us today, Alexa. As you mentioned, I’m Kevin Wozniak. I serve as the director of research security and intellectual property at COGR, where I focus on federal regulations that impact areas of academic tech transfer and malign foreign influence.

Before joining COGR’s staff, approximately two years ago, I spent over a quarter of a century in higher education, leading a team whose responsibilities included technology transfer and licensing, industry and international contracting, sub-awards, as well as funding from foundations and philanthropic organizations. With that, Allen, let me turn it over to you, and you can talk about your day job and all the extensive stuff you do for COGR.

Allen DiPalma: Sure. So thanks, Kevin and Alexa. So Allen DiPalma, my day job is at the University of Pittsburgh where I’m currently the executive director of research, security and trade compliance. I’ve been at the University of Pittsburgh for 35 years. And I’ve held various roles that range from directing our sponsored programs office to my current position leading the research security and export controls teams. My involvement with COGR is through my institution. We are members of COGR and have been for many years. I’m a current board member there and have the pleasure of working with Kevin on the Research Security and Intellectual Property Committee.

Alexa McClellan: Wonderful. Thank you so much. So for those listeners who may be less familiar, what is the Council on Government Relations, and what role does it play in research policy and compliance?

Kevin Wozniak: So if I could, I’m going to spend a couple minutes talking about who we are and a couple minutes on how we’re organizationally structured, as Allen alluded to, the committees, and I think that’s important for how this guidance came about.

So COGR is an association of 230 plus leading research universities, some affiliated medical schools, and a few independent research institutions that we really work at that intersection of federal policy and institutional implementation of those regulations. We serve as a national authority on federal policies and regulations, and we provide a unified voice for our members engaging directly with federal agencies to hopefully help shape policies that are, not only effective, but that our members can actually implement.

As Allen mentioned, we’re organizationally structured around four functional areas, each led by a director, and supported by a committee of approximately 12 subject matter experts from our member institutions. One of those in my committee happens to be Allen. This committee driven model is really central to how we operate. It ensures that our policy positions and guidance are grounded in real world experience.

And as we’ll discuss today, increasing a lot of our time in several of these committees is being focused on the ever-evolving research security landscape. And that’s become very important as our member institutions are really trying to balance their compliance obligations with their core mission of openness and innovation. It was the members of COGR’s research security and intellectual property committee, also known as RSIP, who were the instrumental experts behind putting this guidance together and really did bring the on the ground expertise to ensure it’s both practical and responsive to the needs of the tech transfer community. Allen, do you have anything you want to add to that?

Allen DiPalma: I’ll add, Kevin, that for everyone’s benefit, Kevin did draft the original version of this. We filled in the holes as necessary, but his initial draft was really good. And what’s very effective about this to the community are the practical considerations. It’s just not a paper that lists out the problems. It actually gives you suggestions on how to more effectively manage the two topics. So as we go through some questions today, we’ll be able to more fully discuss those things.

Alexa McClellan: Yeah. Thank you so much, both of you. Before we get into the details of what the guidelines cover, I want to talk about what made it clear that COGR needed to develop research security guidance specifically for technology transfer offices.

Kevin Wozniak: So I think that’s a great question. There’s really two convergent forces, I think, that we’re playing upon why now and why this? One is really the pace and the scope of change in the research security landscape. Over the past several years, particularly with the passage of the NSPM-33 and the CHIPS and Science Act, and all of the agencies’ regulations that are trying to implement those things, the higher ed community really has seen a significant expansion of the expectations by the federal agencies around our foreign engagement disclosures, export control, especially in certain critical technology areas, as well as the protection of sensitive data and controlled information that really has gone beyond what historically universities had to be concerned about.

And if you look, I think we’d all agree that, historically, most of the guidance that’s been out there in this area, or really even across compliance, has either been focused on the sponsor programs office or the compliance officers themselves. And it really seems tech transfer offices are routinely now dealing with areas that are overlapping in research security, whether that’s foreign patent filings, licensing to international or multinational companies. There are startup companies seeking investments that are not US-based investments, and even the transfer of data or materials to entities that may be outside the United States.

And so when you look at that, I had the opportunity to do several presentations for the AUTM, which used to be known as the Association of University Technology Managers, in which I presented as a panelist giving updates on research security regulations. And the response I got from the tech transfer professionals was just overwhelming. And it became pretty clear that there was a appetite for more practical tech transfer focused guidance that the questions I was being asked and the follow-ups that I got was just absolutely phenomenal from the tech transfer community.

So what we were hoping was that this guidance closed that gap a little bit, gave some written references for the tech transfer professional, that a lot of these other offices within the research enterprise already had at their fingertips.

Allen DiPalma: Yeah. The overarching question, how does research security in its present form apply to tech transfer activities? And really, that’s the key when you’re setting up a research security program. Identifying the areas that it applies to, and then going on and communicating with them on how to effectively manage the risk involved. And I believe that’s what COGR through Kevin has done through this practical considerations guidance document.

Alexa McClellan: Thank you. So at a high level, what are the main research security risk areas that this guidance is trying to help tech transfer offices navigate?

Kevin Wozniak: I’m going to say that I’m actually probably the proudest of the executive summary of this guidance. And that sounds silly, but I think the executive summary does a really good job of answering that question, Alexa, and does it in a way that takes a very jumbled, convoluted, and ever-changing landscape that has been outside the purview mostly of tech transfer offices, and puts it in a two or three-page summary that hopefully the reader says, “Aha, I understand what this is about and what I need to know. And I can go in and get the further details as I dig into the guidance.”

I know we’re going to go into some more details about a lot of these very shortly, so I’m just going to briefly give an overview. And Allen, I’d love for you to step in as well. But we did it in a way that we tried to coalesce it around the functions of the tech transfer office, not the research security policies. So when you look at it, we start the guidance with something that’s been around for a while. I would dare say not a lot of tech transfer professionals may have understood their role in ensuring compliance, but it’s that disclosure of foreign transactions to both the Department of Education through Section 117 and the newer requirement by NSF, their foreign financial disclosure reporting requirement.

They’re both a little different. They have different criteria, different triggers. But at the end of the day, their goals are the same, which is for universities to disclose and be transparent about where they’re receiving their foreign federal fundings from. We do go into quite a bit on export control and the fundamental research exclusion. I think tech transfer officers do understand, or at least have heard of the FRE, or the fundamental research exclusion, but through Allen and others on the team, I think we’ve done a really good job of describing, not only what is that exclusion, but what does it apply to, when does it apply, and more importantly, when it doesn’t.

Allen DiPalma: The fundamental research exemption limits are something that a lot of people misunderstand. And really when you look at the exemption itself, it only covers technology and software that emanates from fundamental research. It does not cover anything that’s tangible. And I think over the years, there’s been an uncertainty among certain faculty members, and also central office people that, okay, the fundamental research exemption covers everything. So it is important to understand those limits.

And then further, when that exemption is nullified through the acceptance of certain contract language. So there’s like a full circle event going on here where it starts at sponsored programs. It then goes to the actual activities under the project itself. And at the end, most likely, and hopefully, it will lead to a licensing or a patenting opportunity. So it’s important to understand what is exempt and what can be freely used and shared versus what is more restricted and carry some limits to it.

Alexa McClellan: I want to talk more about that fundamental research exclusion in a minute, but to begin with, let’s talk about disclosures and transparency. What should tech transfer offices understand about their role in foreign gift, contract, and financial disclosure requirements?

Kevin Wozniak: So I had briefly mentioned both Department of Education as well as NSF have their own requirements. The Department of Education’s requirement has been around for several decades, where NSF’s requirement is newer within the past couple years. They were required by legislation to implement their own reporting regime, if you will.

And I think what’s important for tech transfer offices to understand is that their commercialization activities can potentially be subject to both Section 117 in addition to NSF’s FFDR reporting. And as I said, while the scope is different, and the triggering requirements are different, the essence of what information is going to be the same.

So under Section 117, it’s really almost every US college and university is going to be required to report twice a year to the Department of Education any foreign gifts or agreements that they have that are valued at over a quarter million dollars or more. The 250,000 is the trigger level. But that is whether it’s an individual gift or agreement, or whether it’s a combination of gifts and contracts with the same entity in any given year.

And that while the NSF FFDR is a much lower threshold, NSF funded universities have to report any financial support that they get of $50,000 or more. And where the Department of Education is, any foreign entity, the NSF requirement is from a entity or individual that is from a country of concern. Think those countries that we’re hearing in the news right now, Iran, China, Russia, there’s others, and the guidance goes through which each of those are.

Where it is important for the TTOs to understand is their license agreements, their equity positions in companies, other transactions, if they’re taking any sort of monetary compensation for data use agreement, for material transfer agreement, may trigger a disclosure under one of these two requirements.

And so we go through those examples in the guidance as well as really underscore the need for them, the tech transfer offices, to work with their authorized organizational representative to ensure that information is compiled because it may not be the tech transfer office’s transaction that puts them over the minimal limit, but the combination of multiple transactions with the university that does so.

Ed Butch: I hope you’re enjoying this episode of On Research. If you’re interested in important and diverse topics and the latest trends in the ever-changing landscape of universities, join me, Ed Butch, for CITI Program’s podcast On Campus. New episodes released monthly. Now back to On Research.

Alexa McClellan: So now I’m moving into fundamental research and commercialization. Why is the transition from fundamental research to commercialization such a critical moment for research security and export controls?

Allen DiPalma: So let me take a step back and discuss or at least introduce some of the concepts and principles that we follow on the export side. And it really comes down to four questions, the what, the where, the who, and the why. So within each case or circumstance, we always start with those four questions. And when you start with the what, especially with tech transfer, it’s, okay, what are you doing through that office that would intersect with export controls? And typically it’s licensing, it’s patenting. And in some cases, depending on your institution, it could also include material transfer agreements, non-disclosure agreements, et cetera. So it really starts with that. It’s the what are you trying to do and with what type of technology?

So knowing that as a starting point, the what becomes technology. Is the technology that you want to license, that you want to patent, that you want to include in certain transfer activities, is it or is it not subject to the export control regulations? And this is where the fundamental research exemption comes in. If it emanates from fundamental research, the technology is not subject to the regulations, you are free to disseminate it when you want. And that is really powerful.

And the second part is the where. Now that you’ve discussed the what, it’s the where is that going? What country is it going to and what entity? And this is where restricted party screenings come into play. The government maintains multiple lists of entities and individuals that have been sanctioned for export and other activities. And so it’s important for the tech transfer office to understand who they’re working with and if they appear on any restricted party lists. And this is particularly germane if the technology you want to provide to them or the commodity is not covered by the fundamental research exemption. Because at that point, licensing considerations come in from the export side. Since it’s not exempt from the regulations, you then have to go through the process, the licensing process, determine if you need a license to go to that country into that entity.

The third thing is the what, the where, the who, which I just went over with the restricted party screenings, and then the why. Why are you doing things with this third party? Is it for purposes of licensing? Is it just to transfer information for purposes of a confidential discussion, et cetera? Knowing the why behind there has national security implications, because if you’re wanting to transfer some technology that is sensitive for national security reasons and it happens to be considered controlled unclassified information or restricted from dissemination, then you have even a further layer of compliance obligations you have to meet in order to be approved to transfer that information. So knowing what type of information it is and the why behind it is also important.

Alexa McClellan: Thank you. Kevin, do you have anything to add to that one?

Kevin Wozniak: No, I think Allen covered that very well. I will say, after I say no, I will say that I think the importance of this guidance is that there is a perception that anything that comes out of research that is fundamental research is going to have that fundamental research exclusion as we license the technologies as tech transfer professionals. And that Allen brings up a very good point. It’s the tangible stuff in particular are outside of it, but there are other things that can trigger that as well, things like publication restrictions that may be in the sponsored research agreement. So it is very important that the presumption is not all technologies are coming out of fundamental research because not all of our contracts as universities meet that fundamental research definition as we do more and more with non-federally funded sponsors.

Alexa McClellan: Yeah, thank you. Allen, you mentioned material transfer agreements, data use agreements, and I’d like to talk a bit more about that. What practical considerations does the guidance highlight when sharing data and materials or technical information through one of these types of agreements?

Allen DiPalma: So it centers on the what, the where, the who, and the why. And it really, when you look at those vehicles, a material transfer agreement, it centers on material. It’s something that your institution owns and you want to share, you want to transfer, and share with a third party. And knowing exactly what it is that you’re going to share is really important. Like Kevin said, is it a commodity? If it’s a commodity, it is subject to export control considerations. You have to know the licensing around it before you send it off to an individual or a company in another country.

And then further, the non-disclosure agreement also centers around what is it that you’re going to be talking about? Do you have the freedom to talk about it? And this centers on technology. If it is fundamental research, you have the ability to freely discuss it. If it’s restricted from dissemination, that’s a separate discussion. Because then depending on how it’s restricted, whether it’s export controlled, whether it’s controlled on classified information, there are other approvals that you will probably need to get before you can share it with a third party. And those other control regimes discuss and define for you what those approval processes look like. So it’s really important when you look at a vehicle, an NDA, et cetera, DUA, you understand upfront what kind of controls, if any, are around that within the focus of that vehicle before you move ahead.

Alexa McClellan: Thank you.

Kevin Wozniak: I would add on there, Alexis, that there have been some new regulations, one coming out of the Department of Justice, NIH is also putting in more and more restrictions on the transfer of certain data. So again, even though there may not be a restriction on the data itself contractually and the university owns it, areas of human genomics, what they’ve termed as other nomic data, as well as human biospecimen data, is becoming more and more controlled based on the amount that’s being transferred in addition to the jurisdictions that the university would like to transfer that to. And there’s obligations with the recipient. There are some prohibitions, but there are also obligations that the recipient meets certain cybersecurity requirements and agrees to additional non-retransferring that data that become important. And this guidance goes into some of these newer regulations as well.

Alexa McClellan: Where do patents, foreign filings, or foreign investments most commonly raise research security concerns for institutions?

Kevin Wozniak: I’ll start with the patent filings and the foreign filings. Tech transfer offices are very aware, and it’s well ingrained, not only in the TTOs, but also patent council, that if you are filing a US invention, it is required that you file in the US first, and then obtain a foreign filing license from the USPTO before you file your corresponding non-US jurisdiction patent. That’s pretty well ingrained. We do not really go into that here.

What we wanted to bring attention to in this particular guidance is that the tech transfer office’s patent strategy may now have impact on the researcher’s ability to obtain federal funding, and particularly in this case from the Department of War. The Department of War, along with other agencies, have started introducing a risk-based framework for assessing potential risks of fundamental research proposal work that our researchers are submitting to them. And in particular, the Department of War uses one category to assess that foreign risk, which is foreign patenting activities of key personnel on the research project.

And what they’re looking at is to what extent is that collaboration occurring? Is that intellectual property co-owned by a non-US entity in a country of concern? And that can trigger either the potential of a researcher not being awarded that particular proposal or being required to submit a risk mitigation plan to that directorate within the Department of War to ensure that potential conflict can be managed. So in part, we’re trying to call out that patent strategies are now having a potential impact on a researcher’s ability to obtain future research funding from the federal government.

Allen DiPalma: Yeah. What Kevin touched on was a high risk trigger within one agency’s risk review process. It’s the foreign patent filings. And it’s important to be aware of these triggers when submitting applications and receiving awards, because there is such an emphasis now on transparency, and knowing who you’re working with and knowing how you’re treating the results of research, which are considered technology, that there are so many more things now you have to keep in mind when you’re moving forward under the research security umbrella.

Alexa McClellan: Thank you. So is there anything else in the guidance that we haven’t touched on that you would like to highlight in our conversation today?

Kevin Wozniak: I think my answer to that question is that we’ve probably covered what we want to cover. This is a living document. Things are changing rapidly in this area. Things affecting the tech transfer office is changing very rapidly in this area. We just spoke about patents. Only a few weeks ago, the USPTO issued their final rule on their rule of practice, which is now going to require non-US applicants to be represented by USPTO approved council, which previous to this, they did not have to be. And that’s got a bearing on tech transfer offices because of the fact that they’re now going to have to ensure that their licensees are co-assignees, co-owners, or even co-inventors, have the appropriate designated council representing them, or that could put their intellectual property at risk.

So these things are changing. I would say that we’re going to try to keep up and continue to issue new versions of the guidance. We would encourage any of our member institutions or any tech transfer office to provide us suggestions of what we can include that would be helpful. When we originally wrote this document, there were sections that were not being included, and people said, “No, we really need to include this as well.” So we’re open to those additional suggestions and recommendations.

Through this, we’re not trying to tell a tech transfer or a university how to set up their compliance regime, but rather bringing and highlighting the need for that cross-campus coordination, and that this research security environment is no longer going to allow for silos within the organization. It really does require folks to talk with multiple departments. And we do recommend they do that before there’s an issue. Because it’s always easier to say, “What’s my role and what’s the process,” before there’s an audit in place or your intellectual property is put at risk. Allen, again, anything to add?

Allen DiPalma: Yeah, communication. I mean, really, if nothing else, my hope is that this document spurs on additional discussions internally. The landscape is changing so rapidly. To give you an example, four years ago, we didn’t have the CHIPS and Science Act. We didn’t have federal agency risk reviews. We didn’t have the DOJ’s bulk sensitive data rule. We didn’t have NIH restrictions on the transfer of biospecimens to foreign countries of concern. We didn’t have any of that. And now each one of those is in scope for many functions on a university campus, including tech transfer offices. So to keep up with this is daunting, which is why communication is so important.

Alexa McClellan: Kevin Wozniak and Allen DiPalma, thank you so much for your time today. It’s been so informative, and we look forward to hearing more from COGR in the future as these policies continue to evolve.

Kevin Wozniak: Thank you for having us.

Allen DiPalma: Thanks, Alexa.

Alexa McClellan: CITI Program offers self-paced courses in research compliance, including on animal and human subjects research, responsible conduct of research, and research security. As research security rules tighten, moving discoveries from the lab to the marketplace takes more than good science. It takes the right safeguards.

Check out CITI’s Technology Transfer course for a walkthrough on how institutions can protect IP, manage partnerships, and support innovation, while keeping security front and center. Enhance your skills, deepen your expertise, and lead with integrity across research settings. If you’re not currently affiliated with a subscribing organization, you can sign up as an independent learner and access CITI Program’s full course catalog. Check out the link in this episode’s description to learn more.

As a reminder, I want to quickly note that this podcast is for educational purposes only. It is not designed to provide legal advice or legal guidance. You should consult with your organization’s attorneys if you have questions or concerns about the relevant laws and regulations that may be discussed in this podcast. In addition, the views expressed in this podcast are solely those of our guests. Evelyn Fornell is our line producer, and production and distribution support are provided by Raymond Longaray and Megan Stuart. Thanks for listening.