Federal Updates

Federal Guidance and Critical Sponsor Updates

NIST 800-171 Compliance Certifications 

PIs and researchers requesting access to Adolescent Brain Cognitive Development (ABCD) and Healthy Brain and Child Development (HBCD) study data through the NBDC Data Hub (NIH Brain Development Cohorts) are now required to certify the following statement:

“By checking this box, I, as the PI requesting access to this data, attest that data will be secured, at a minimum, in accordance with NIST SP 800-171 or the equivalent ISO/IEC 27001/27002 standards as stipulated by the NIH Security Best Practices for Users of Controlled-Access Data. Institutions with Plans of Action and Milestones (POAMs) to mitigate security risks will be considered compliant.” 

Prior to signing or checking the box on this attestation or any similar attestations requiring NIST SP 800-171 compliance, you must have a POAM in place to ensure the data is secured.   

Please contact your Post Award sponsored projects administrator (SPA) who will be serving as the signing official on the data use certification. Post Award will also connect you with the UO IT Security Risk & Compliance (ISRC) team for their assistance with putting a POAM in place. We recommend you reach out as soon as you know you will be renewing or requesting data access to allow adequate time for this process.   

NIH Resources

Researchers interested in applying to NIH can find a range of resources on the OVPRI website. Find information on funding opportunities, how to use NIH Matchmaker and eRA Commons, the peer review process, and writing competitive proposals. Checklists, templates, and short training videos (e.g., how to write an aims page) are also available on the site to assist you as you begin your application. In addition, Research Development Services (rds@uoregon.edu) is always available to answer questions and provide substantive feedback on your application.

MFTRP Certification Required at NIH RPPR Submission 

NOT-OD-26-018 introduces an Annual Malign Foreign Talent Recruitment Program (MFTRP) certification requirement for all Senior/Key Personnel. This applies to Research Performance Progress Report (RPPR) submissions on or after January 25, 2026. The certification must be uploaded as a separate PDF for each individual in RPPR Section G.1. If you have questions about this requirement, please contact your Post Award Team. 

Basic Experimental Studies in Humans (BESH) Will No Longer Be Considered Clinical Trials by the NIH 

Effective for applications submitted to due dates on or after May 25, 2026, the NIH will no longer characterize BESH as clinical trials. After the effective date, BESH will not have to follow the requirements for clinical trials, including registration and reporting in ClinicalTrials.gov. BESH must continue to follow all other applicable clinical research laws, regulations, and policies, including, but not limited to human subjects protections and the NIH Data Management and Sharing Policy. See NOT-OD-26-032 for more information. 

Salary Limitation for Grants and Cooperative Agreements FY 2026 

The Office of Personnel Management recently released new salary limitation levels (salary cap) for NIH grants. The new level is affective January 11, 2026. The salary cap applies to both direct salaries and indirect salaries. Effective January 11, 2026, the salary limitation for Executive Level II is $228,000. See NOT-OD-26-034 for more information. 

NIH Re-Issues Research Security Training Requirement and Reminder about UO’s Implementation of the Training

The National Institutes of Health (NIH) re-released their research security training requirements. Senior/key personnel must complete training within 12 months prior to proposal submission and certify completion via the biographical sketch in SciENcv, beginning May 25, 2026. The training requirement extends to senior/key personnel on a subaward.

The UO has already implemented research security training, effective October 1, 2025, for principal investigators (PIs), co-PIs, and senior/key personnel who apply to or have federal sponsors. This includes NIH researchers. Any researcher who contributes in a substantive, meaningful way to the scientific development or execution of the project is considered senior/key personnel and has the training requirement.

The training must be completed prior to submitting a proposal and annually during the period of a federal award. The research security training is available in MyTrack Learning (DuckID required to log in). It takes approximately one hour to complete. 

Researchers must advance the training to the very end, until they see the certificate of completion, for MyTrack to recognize they’ve completed the module.

More details can be found on the research security training webpage, and if researchers experience issues, please email exportcontrols@uoregon.edu.

New information for Subawardees and Contractors  

The subawardee PI, co-PI, and senior/key personnel need to complete research security training, as does any other subaward researcher who contributes in a substantive, meaningful way to the scientific development or execution of the project. Contractors who contribute in a substantive, meaningful way to the scientific development or execution of the project also need to complete research security training. Some contractors will meet this definition, and others won’t.

Subawardees and contractors can complete the one-hour, condensed version of the research security training offered by the SECURE Center. They should complete, print, and retain the certificate of completion at the end. Subawardees confirm their completion of the training requirement via the subaward certification form.

NIH Projects with Foreign Components  

NIH has ended the use of foreign subawards to support foreign components. A new application structure for NIH-funded international collaborations  (NOT-OD-25-155) was announced September 12, 2025, with a companion forecasted PF5 mechanism NOFO. If you plan to apply for funds to support a foreign collaboration, please review these.  

Importantly, this new PF5 funding mechanism is not expected to be published until November 2025, so you will have to wait until January 25, 2026, to submit one of these new PF5 applications. Until then, if you submit a regular investigator-initiated R01 application to support a foreign collaborator/subaward, it will be pulled from the system before review and the application will be withdrawn from consideration. 

Use of AI in Research Applications 

NIH recently released Supporting Fairness and Originality in NIH Research Applications (NOT-OD-25-132), effective September 25, 2025, that prohibits the substantial use of AI in developing proposals and limits each PI to six applications per calendar year, with exceptions for training (T series) and conference (R13) grants. Applications that are substantially developed using AI will not be considered original and may be subject to review under research misconduct or other relevant rules. 

As a reminder, NSF released a notice in 2023 (Use of generative artificial intelligence technology in the NSF merit review process) that encourages researchers to indicate in the project description the extent to which, if any, generative AI technology was used and how it was used to develop their proposal. 

Back to Top

NSF News

NSF PIs and Co-PIs Must Complete MFTRP Certification in Research.gov 

Many National Science Foundation (NSF) principal investigators (PIs) and co-PIs have received an email from the sponsor indicating that their malign foreign talent recruitment program (MFTRP) certification in research.gov is overdue. Please act immediately—log in to research.gov and complete the certification if you receive this email. 

Learn more about characteristics of MFTRPs on our website. 

In accordance with the NSF Proposal and Award Policies and Procedures Guide (PAPPG) Chapter II.D.1.e(ii) and Important Notice No. 149: Updates to NSF Research Security Policies, all PIs and co-PIs named on an NSF award made on or after May 20, 2024, must certify in Research.gov that they are not party to a malign foreign talent recruitment program (MFTRP) on an annual basis. The certification must be completed within 30 days of the anniversary of the relevant award start date. 

NSF Policy Changes to Proposal and Award Policies and Procedures Guide 

On January 22, 2026, the NSF issued an update to its Proposal and Award Policies and Procedures Guide. These changes impact areas such as: 

• Requirements related to public access to research products (public access policy) 
• Dissemination and sharing of research results 
• Data management and sharing (DMS) plans 

Please note that NSF-funded studies (and NIH-funded studies) are required to have DMS plans in place. Exceptions to NSF data sharing requirements, such as a need to safeguard the privacy and rights of individuals and subjects, must be addressed in the Data Management and Sharing Plan at the time of the original grant proposal submission. When research involves human subjects, these DMS plans must be submitted first to the sponsor and then to the Institutional Review Board (IRB) for review. The DMS plans must be consistent with the IRB-approved research plans, consent forms, and other materials. For more information, see the Research Compliance Services (RCS) website on Safety Monitoring, Participant Privacy and Confidentiality of Data, and the Informed Consent Form Template Guidance.  

Research Security Certification Now Included with NSF NCE Requests 

NSF has incorporated the Research Security Certification into the no-cost extension (NCE) prior approval request in Research.gov. When submitting an NCE that requires prior approval, please ensure all Senior/Key Personnel have completed the required research security training. Please plan accordingly to avoid delays in NCE processing. 

All PIs and Senior/Key Personnel Accepting Sponsored Awards Must Take Research Security Training Annually

The National Science Foundation (NSF), the National Institutes of Health (NIH), the US Department of Energy (DOE) and the US Department of Agriculture (USDA) have all recently updated their research security requirements. 

As a result, effective October 1, 2025 (and effective August 7, 2025, for USDA researchers), ALL principal investigators (PIs) and senior/key personnel, regardless of sponsor, must annually complete Research Security Training.  

The training must be completed prior to submitting a proposal and must be completed annually thereafter. The Research Security Training is available in MyTrack Learning (DuckID required to log in). It takes approximately one hour to complete. More details can be found on the research security training webpage. 

NSF, NIH, DOE, and USDA will require PIs and senior/key personnel to certify they completed research security training in the previous 12 months and to re-certify annually for the duration of the award.

This new certification for NSF and USDA researchers is in addition to the annual certification in research.gov for PIs and co-PIs to indicate they are not party to a malign foreign talent recruitment program.  

PIs should carefully read all certifications. If you have questions or concerns, contact your SPS post-award team.

Back to Top

2024 updates to the Final Rule

The Office of Research Integrity (ORI) issued the 2024 Final Rule to update the 2005 Public Health Service (PHS) Policies on Research Misconduct. The 2024 updates to the Final Rule establish requirements for addressing research misconduct; the application date for the final rule is January 1, 2026. UO policy changes to comply with the new final rule will be communicated to the research community once available. For more information, see the ORI announcement or contact Sheryl Johnson, the UO’s research integrity officer at sherylj@uoregon.edu.

Back to Top

New DOE Requirements for Biographical Sketches and Support Documents

In December 2025, the Department of Energy (DOE) issued a Financial Assistance Letter (FAL) adopting the Biographical Sketch and Current and Pending (Other) Support Common Forms. This FAL included two new requirements that apply to both prime awardees and subawardees. For the life of a funded award:

1. New principal investigators (PIs) or senior/key personnel on the project must submit a biosketch and current/pending support document to the DOE and obtain agency approval before they begin work on the project.
2. Previously approved PIs and senior/key personnel on the project must submit an update to the DOE within 30 calendar days of any change to their biosketch or current/pending support document. For example, senior/key personnel would need to update their current/pending support document when they have a new pending award or adjust FTE on a previously reported funded award.

PIs and departmental grant administrators (DGAs) should be prepared to contact their post-award teams regularly to request approvals for new PIs or senior/key personnel, including for changes in senior/key personnel on subawards, and to update researchers' biosketches and current/pending support documents throughout the life of an award.  

There are a few exceptions to these requirements, which we expect will rarely apply to UO projects. These exclusions are:

• Notice of Funding Opportunities (NOFOs) and financial assistance agreements with Native American Tribes and Tribal organizations
• NOFOs and financial assistance agreements that exclusively fund conferences, workshops, technical meetings, education/outreach projects, and deployment of off-the-shelf products. However, please note that a program may choose to require an update
• State and Community Energy Program, Administration and Legal Requirements Documents, SCEP formula awards, and Federal Energy Management Program actions

Conflict of Interest Disclosure Requirements on Department of Energy Awards

The Conflict of Interest (COI) team is streamlining procedures for Department of Energy (DOE) awards subject to the DOE’s Interim COI Policy, which went into effect December 20, 2021.

Under this policy, anyone who “participates in the purpose, design, conduct, or reporting of a project funded by DOE” must complete COI training, submit an annual financial conflict of interest disclosure, and update it within 30 days of any change or new interest. This requirement extends beyond principal investigators (PIs), co-PIs, and senior/key personnel who typically complete COI training and disclosures.

DOE PIs may receive a request from the COI Office to provide names and contact information for postdocs, graduate or undergraduate students, or others whose work will be charged to the sponsored award and who would not usually submit disclosures.

The DOE’s Interim COI Policy also applies to subawardees. Subawardees who do not have their own enforced financial conflict of interest in research policy must use the UO’s.

Please see the webpage for subawardees for more information.

Questions about this policy can be directed to coi@uoregon.edu. 

Back to Top

Anthropic’s Claude AI Not Allowable on Department of Defense Projects

Effective September 2, 2026, Anthropic, the company that builds and sells Claude (a generative AI platform), cannot be used in conjunction with projects sponsored by the Department of Defense (DOD) nor purchased with DOD funds.

If you have DOD funding and are using Claude on another project, you must ensure adequate segmentation between the DOD-sponsored project and the project using Claude. Claude cannot access DOD systems, infrastructure, or data.

Requirements for Working with Foreign Entities Under USDA and DOD Funding 

Foreign entities listed on U.S. government restricted party lists may not receive USDA or DOD funding. If you are a UO researcher who holds USDA or DOD funding, ensure that all agreements with foreign parties are reviewed through a central office, such as: 

• Purchasing and Contracting Services 
• Industry, Innovation, and Translation 
• Sponsored Projects Services 

 The Office of Export Controls reviews foreign counterparties on agreements processed through these offices and will identify any potential matches on restricted party lists. 

If your collaboration or agreement with a foreign entity does not go through a central office, you must request a restricted party screening before beginning the engagement. To do so, email exportcontrols@uoregon.edu or complete the online form. 

Department of Defense’s Updated Decision Matrix and Its Impact on Researchers

DOD has issued an updated decision matrix to inform fundamental research proposal mitigation decisions. The matrix may directly affect researchers’ eligibility for funding or require mitigation for those who have certain international collaborations or co-authors.

Most notably, risk factors that now require mitigation measures include:

• Within the past five years, the researchers’ co-authors on publications are affiliated with an entity on a prohibited entity list at the time of grant review.
• Within the past five years, the researchers’ co-authors on publications are participants in a malign foreign talent recruitment program.

DOD researchers should email exportcontrols@uoreogn.edu to request a compliance check or complete the compliance check request form prior to co-authorship to ensure their co-authors do not appear on any prohibited lists.

As a reminder

• When submitting academic work for publication, cite only grants that supported the conduct of the study and if the work was in-scope.  
• If a student, postdoctoral scholar, or visiting scholar has subsequently moved to another institution, cite the (home/grantee) institution where the work was conducted and not the current affiliation of the co-author. Otherwise, if the current affiliation is on a Prohibited Entity List, this will impact the risk assessment of your proposal, including with other agencies. However, if the work was conducted at another institution, that must be cited.
• Performance of significant elements of a federally funded project outside the U.S. must be disclosed and approved by the funding agency in advance.

Enhanced Cybersecurity Requirements for DOD Grants

The Department of Defense (DOD) will implement enhanced cybersecurity requirements for all DOD research awards involving sensitive, unclassified information proposed after November 10, 2025. If you are a researcher, Sponsored Projects Administrator, or DGA, and you anticipate working on a new DOD-funded award, please be aware of the Cybersecurity Maturity Model Certification (CMMC).  

The CMMC has three tiers, Levels 1, 2, and 3. As described in the proposed rule, “Under the CMMC program, defense contractors and subcontractors will be required to implement certain cybersecurity protection requirements tied to a designated CMMC level and either perform a self-assessment or obtain an independent assessment from either a third-party or DOD as a condition of a DOD contract award.  

Research Integrity is prepared to help facilitate researcher compliance with CMMC 1.0 and will work with you to ensure that appropriate associated costs are included in your proposal. If you pursue an award that requires compliance with CMMC 2.0, please be in touch as early as possible, as those heightened cybersecurity standards require extensive planning and investment, and the time we have to prepare may impact whether it is possible to pursue the award.   

The scope of applicable exceptions, appropriate allocation of cost burdens, and the impact on existing awards are just a few of several questions that remain to be answered. We will take compliance seriously; failure to comply with the cybersecurity standards can result in False Claims Act liability. We will continue to monitor implementation and associated guidance. 

Back to Top

USDA Restricts Foreign Publication and Data Hosting for Federally Funded Research

On April 7, 2026, the U.S. Department of Agriculture (USDA) published a new policy, “Public Access to Scholarly Publications and Digital Scientific Research Data.” This policy places restrictions on where USDA-funded research can be published and where related data can be stored. Under the policy, researchers may not publish USDA-funded work in journals that are owned, managed, controlled, or operated (physically or virtually) by entities based in a designated “foreign country of concern.” In addition, any data repositories used to store or share research results must not be hosted, funded, or controlled by organizations located in these countries. The USDA currently defines “foreign countries of concern” as China, North Korea, Russia, and Iran. These requirements are intended to limit the involvement of certain foreign entities in the dissemination and storage of federally funded research. 

Federal Awards with Cybersecurity Requirements: NIST 800-171, CMMC, CUI DFARS 242.204-7012

We are beginning to see more requests for proposals that include requirements to meet:

• NIST 800-171
• Cybersecurity Maturity Maturation Certification (CMMC)
• Controlled Unclassified Information (CUI)
• DFARS 252.204-7012

Currently, the UO can comply with CMMC Level 1 requirements.

Compliance with CMMC Level 2, NIST 800-171, CUI, or DFARS 252.204-7012 will require a more in-depth assessment to determine whether the UO can comply. In most cases, the project will need to budget the costs of compliance with the increased cybersecurity requirements. UO cannot comply with CMMC Level 3 requirements at this time.

The Office of Export Controls monitors Department of Energy and DOD proposals in EPCS to help identify these requirements in requests for proposals. However, if departmental grant administrators (DGAs) or principal investigators (PIs) find these terms in their requests for proposals, please email exportcontrols@uoregon.edu as soon as possible so there is adequate time to determine whether the UO can comply and the impact on the project budget.

Prohibition on Use of Some Drone Manufacturers in Federally Funded Research Now in Effect

As a reminder, effective December 22, 2025, drones manufactured by companies located in a foreign country of concern are prohibited from being purchased with or used in federally sponsored research. This prohibition includes popular manufacturers such as DJI and Autel.  

There is a new checkbox in the compliance tab of the Electronic Proposal Clearance System (EPCS) where PIs must indicate whether the proposed research involves the purchase or use of drones. For existing federally funded research with drone use, please contact exportcontrols@uoregon.edu for additional guidance.

Back to Top