The joint letter from the Council on Governmental Relations (COGR) and the Association of American Universities (AAU) addresses concerns regarding the interim DFARS rule (Case 2013-D018), which introduces new safeguarding and reporting requirements for institutions handling controlled defense information. COGR and AAU, representing leading research universities, highlight significant compliance burdens, particularly relating to the adoption of stringent cybersecurity controls outlined in NIST SP 800-171. The letter provides concrete examples illustrating that institutional costs far exceed government estimates, citing substantial investments in IT infrastructure, personnel, and ongoing maintenance. The authors emphasize problems of scalability and feasibility for large, decentralized academic organizations and argue that the rule’s lack of flexibility regarding alternative security measures could delay contracts and create unnecessary administrative complexity.
Furthermore, the letter raises concerns about the DFARS rule’s expanded definitions, potentially encompassing categories such as fundamental research, export control information, and services only incidentally using cloud computing, thus imposing unwarranted obligations on research universities. The authors urge the Department of Defense (DOD) to reaffirm exemptions for fundamental research, clarify the scope of new requirements, coordinate with forthcoming government-wide regulations, and recognize the need for funding adjustments in research contracts to offset compliance costs. Without such measures, the letter warns, universities may be discouraged from engaging in DOD-funded work. In conclusion, COGR and AAU advocate for balance, flexibility, and clear policy boundaries to ensure both effective information security and the continued vitality of federally funded research.
