
The Role of OPSEC in Research Security

Overview

An Interview with John Talerico III

Research security has become an unavoidable reality for institutions that receive federal research funding. Under mandates such as National Security Presidential Memorandum 33 and the CHIPS and Science Act, institutions are now required to implement formal research security programs that address training, cybersecurity, foreign travel, and disclosure obligations.

At the same time, many of the most consequential research security failures do not originate from malicious actors or sophisticated cyber intrusions. Instead, they often arise from ordinary behavior. Casual conversations, routine emails, early presentations, vendor tools, and well-intentioned sharing can all expose sensitive information before an institution or research team is ready.

Operations Security, commonly referred to as OPSEC, offers a practical way to address this gap. While OPSEC has roots in military and intelligence contexts, its principles are increasingly relevant in academic research environments navigating rapid policy change, global collaboration, and accelerating technology adoption.

To explore how OPSEC applies in research settings, we spoke with John Talerico III, a research security practitioner with extensive experience implementing OPSEC-aligned practices across academic institutions. His insights illustrate how OPSEC can strengthen research security programs without undermining academic openness or collaboration.

What Is OPSEC and How Does It Relate to Research Security?

When asked how OPSEC differs from formal research security requirements, Talerico emphasized that the two are related but distinct.

Research security, he explained, is a prescribed, rule-based program tied directly to federal funding. Institutions that accept federal research dollars must implement specific requirements such as training, research cybersecurity controls, and oversight of foreign travel. As Talerico notes, “when you sign up to take federal money, research security is real life.” These obligations are not optional and are increasingly enforced across agencies.

OPSEC, by contrast, functions as a mindset and decision-making framework. It focuses on situational awareness and timing. At its core, OPSEC asks a simple question: what information, if shared too early or without context, could create risk for the research, the people involved, or the institution?

According to Talerico, OPSEC is not intended to replace existing research security programs. Instead, it supports them by shaping how individuals think about information protection in their daily work. OPSEC helps researchers and administrators recognize what they are authorized to share, when sharing is appropriate, and when a pause or consultation is warranted.

He also noted that OPSEC concepts must be translated for academic environments. Military terminology and examples rarely resonate with researchers focused on lab work, field studies, or clinical investigations. When OPSEC is framed in ways that reflect academic realities, adoption becomes far more likely.

Why OPSEC Matters for Research Institutions

For many researchers, the most compelling reason OPSEC matters is not abstract national security concerns. It is the direct impact OPSEC has on both personal and professional life.

Publications, grants, intellectual property, and student training all depend on protecting work until it is ready to be shared. As Talerico puts it, “when I think of STEM fields in higher education, research is your currency.” Protecting ideas, data, and methods until appropriate safeguards are in place allows researchers to publish, patent, commercialize, or collaborate on their own terms.

Talerico often describes researchers as small business owners. They are responsible for staffing, funding, compliance, and outputs, often simultaneously. OPSEC supports this reality by helping researchers protect their work, their teams, and their future funding opportunities.

Well-known university spin-offs such as Gatorade and Google illustrate how research benefited from careful protection before broad release. While not every project follows that trajectory, the underlying principle remains consistent. Once information is released prematurely, control is lost.

In a global research environment where information is widely accessible and easily aggregated, small disclosures can combine into meaningful exposure. OPSEC helps institutions and researchers recognize this risk before it becomes irreversible.

OPSEC and Federal Research Security Policies

Federal research security policy has evolved rapidly in recent years. NSPM-33 established baseline expectations for institutional research security programs, while the CHIPS and Science Act reinforced training and oversight requirements across federal agencies.

In practice, implementation has been uneven. Agencies such as the National Science Foundation, the National Institutes of Health, the Department of Energy, and the Department of Agriculture have updated their requirements on different timelines, sometimes with subtle differences. This has created confusion for institutions and researchers attempting to comply in good faith.

OPSEC does not resolve policy misalignment, but it helps institutions operate responsibly within it. By improving awareness, communication, and internal coordination, OPSEC supports compliance efforts and reduces inadvertent missteps.

Talerico noted that instability itself has become difficult. “Defining what is the right thing is the challenge,” he explains, particularly as requirements shift and expectations change. Uncertainty in policy, visa rules, and foreign recruitment constraints affects how institutions hire, collaborate, and plan long-term research agendas. OPSEC provides a way to navigate this uncertainty by encouraging deliberate planning around information release and engagement.

High-profile enforcement cases involving undisclosed affiliations or unauthorized access underscore how quickly demands can be repositioned. The lesson for institutions, Talerico emphasized, is not fear but preparation. Clear guidance, early planning, and consistent communication reduce risk as policies evolve.

Promoting OPSEC Awareness and Training

One of the most persistent misconceptions in research security is that researchers resist compliance. Talerico strongly disagreed with that characterization.

In his experience, well over 98 percent of researchers want to do the right thing. The challenge lies in defining what “the right thing” means in complex and rapidly changing environments.

Effective OPSEC training avoids a policing mindset. When researchers feel investigated rather than supported, engagement drops. Training is most effective when it is relatable, practical, and clearly connected to researchers’ real concerns, such as protecting students, securing future funding, and maintaining publication priority. As Talerico emphasizes, “how do you make the easy way the right way?” Clear points of contact and simple escalation pathways empower researchers to pause and ask questions when something feels unclear.

Celebrating positive behavior also plays a critical role. Highlighting researchers who flag concerns or seek guidance reinforces that OPSEC is about partnership rather than punishment. Over time, these champions help shift institutional culture from compliance fatigue to shared responsibility.

Success, Talerico noted, is not measured by turning researchers into security experts. It is measured by knowing when to ask and who to ask.

Best Practices for Incorporating OPSEC in Research Environments

OPSEC is most effective when embedded into existing workflows rather than layered on top as an additional requirement.

Key practices include planning information release early, clarifying sponsor expectations, and identifying areas that require additional protection. As Talerico explains, “You need to have a conscious plan. When am I going to release information? At what times? What is my sponsor going to be comfortable with?”

Institutions also benefit from clear guidance on vendor due diligence, including the use of artificial intelligence and data-processing tools, where data handling terms and protections vary widely. Integration across domains matters. OPSEC complements cybersecurity, physical security, foreign travel processes, and personnel vetting by focusing on how information flows between them.

Operationally, much of this responsibility converges on a designated Research Security Officer or point of contact. This role requires a broad skill set spanning compliance, training, policy interpretation, and communication. Supporting these professionals with resources and leadership backing is essential for sustainable programs.

Above all, researchers must feel empowered rather than constrained. OPSEC succeeds when researchers understand that the goal is to help them succeed, even when guidance is difficult to hear.

Practical Resource: Operations Security in Academia

For institutions and individuals seeking a foundational introduction to OPSEC concepts in academic contexts, the CITI Program’s course Operations Security in Academia offers a practical starting point. The course is designed to build shared understanding and support institutional research security efforts without replacing local policies or programs.

Balancing Openness, Protection, and Responsibility

For Talerico, OPSEC is not about secrecy or restricting collaboration. It is about awareness, timing, and responsibility. As Talerico puts it, “If you go in to tell somebody something they don’t want to hear, but at the end of the conversation you get a thank you, you’ve done your job.”

In an environment defined by rapid policy change, global research collaboration, and expanding data exposure, OPSEC helps institutions protect research, people, and public trust. When security practices are relevant, simple, and supportive, they become part of how research is done rather than an obstacle to it.

The goal is not perfection. It is making the secure choice the easiest choice and building a culture where asking questions is a sign of professionalism rather than risk.
