PRIA Logo
Take the PRIA Score
Title 42The Public Health and WelfareRelease 119-73

§18935 Dissemination of resources for research institutions

Title 42 › Chapter CHAPTER 163— - RESEARCH AND DEVELOPMENT, COMPETITION, AND INNOVATION › Subchapter SUBCHAPTER II— - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FOR THE FUTURE › Part Part A— - Measurement Research › § 18935

Last updated Apr 6, 2026|Official source

Summary

Not later than one year after August 9, 2022, the Director must publish and share tailored resources to help qualifying colleges and universities find, assess, manage, and reduce cybersecurity risks tied to research. The materials must work for many types of institutions, scale by institution size and the sensitivity of their data, teach simple controls, workplace cybersecurity habits, and how to handle third parties, include real case studies and examples, focus on outcomes and work with commercial off‑the‑shelf technology, and, when practical, follow international technical standards. The resources must align with the Director’s work under section 7443 of title 15, be reviewed and updated periodically, and their use is voluntary. Nothing here changes or overrides cybersecurity rules that apply to Federal agencies. Qualifying institutions means institutions of higher education that get more than $50,000,000 per year in total Federal research funding. Resources means guides, tools, best practices, technical standards, methods, and other ways of providing information.

Full Legal Text

Title 42, §18935

The Public Health and Welfare — Source: USLM XML via OLRC

(a)(1)Not later than one year after August 9, 2022, the Director shall, using the authorities of the Director under subsections (c)(15) and (e)(1)(A)(ix) of section 272 of title 15, disseminate and make publicly available tailored resources to help qualifying institutions identify, assess, manage, and reduce their cybersecurity risk related to conducting research.
(2)The Director shall ensure that the resources disseminated pursuant to paragraph (1)—
(A)are generally applicable and usable by a wide range of qualifying institutions;
(B)vary with the nature and size of the qualifying institutions, and the nature and sensitivity of the data collected or stored on the information systems or devices of the qualifying institutions;
(C)include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist qualifying institutions in mitigating common cybersecurity risks;
(D)include case studies, examples, and scenarios of practical application;
(E)are outcomes-based and can be implemented using a variety of technologies that are commercial and off-the-shelf; and
(F)to the extent practicable, are based on international technical standards.
(3)The Director shall ensure that the resources disseminated under paragraph (1) are consistent with the efforts of the Director under section 7443 of title 15.
(4)The Director shall review periodically and update the resources under paragraph (1) as the Director determines appropriate.
(5)The use of the resources disseminated under paragraph (1) shall be considered voluntary.
(b)Nothing in this section may be construed to supersede, alter, or otherwise affect any cybersecurity requirements applicable to Federal agencies.
(c)In this section:
(1)The term “qualifying institutions” means institutions of higher education that are awarded in excess of $50,000,000 per year in total Federal research funding.
(2)The term “resources” means guidelines, tools, best practices, technical standards, methodologies, and other ways of providing information.

Reference

Citations & Metadata

Citation

42 U.S.C. § 18935

Title 42The Public Health and Welfare

Last Updated

Apr 6, 2026

Release point: 119-73