COGR Submits Letter to DOD on Security Requirements

The Council on Governmental Relations (COGR), representing over 185 leading research universities and institutes, addresses concerns to the Department of Defense (DOD) regarding compliance implications of the DFARS 252.204-7012 clause, which mandates System Security Plans (SSPs) and NIST 800-171 security requirements in defense contracts. COGR notes that this clause is being broadly included in all DOD prime contracts and frequently in subcontracts to universities, often regardless of whether the work actually involves operationally critical support or covered defense information (CDI). This practice has led to considerable confusion and uncertainty, especially in cases where research is characterized as fundamental and thus should not trigger such compliance requirements. Ambiguities over the interpretations of terms like “involves” further complicate determining whether a project falls under these requirements.

The Council also expresses concern about inconsistent and restrictive marking requirements imposed on technical reports by some DOD representatives, which conflict with the established definition of fundamental research and may unintentionally impose publication restrictions. Furthermore, COGR argues that mandating SSPs and NIST compliance in contracts that do not handle CDI or controlled unclassified information results in unnecessary administrative and financial burdens for universities. They therefore urge the DOD to provide clear guidance exempting contracts and subcontracts that pertain solely to fundamental research and do not involve CDI from these security requirements, noting past discussions where DOD staff indicated such measures were not intended to apply in these situations. COGR emphasizes the need for clarification to reduce confusion and ensure appropriate application of compliance requirements in government-funded academic research.