Title 42 — The Public Health and WelfareRelease 119-73not60

§18935 Dissemination of Resources for Research Institutions

Title 42 › Chapter 163— RESEARCH AND DEVELOPMENT, COMPETITION, AND INNOVATION › Subchapter II— NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FOR THE FUTURE › Part A— Measurement Research › § 18935

Last updated Apr 5, 2026|Official source

Summary

The Director must, within one year after August 9, 2022, put out and publish tailored resources to help certain colleges and universities find, check, manage, and lower cybersecurity risks for research. The resources must work for many kinds of schools and match each school’s size and the sensitivity of its data. They must teach basic controls and a security-minded workplace, cover third-party relationships, give case studies and examples, focus on real results that can be done with common commercial technology, and, when possible, follow international technical standards. The Director must use existing authority under federal law, keep the resources consistent with the Director’s other work under section 7443 of title 15, review and update them as needed, and make their use voluntary. Nothing here changes cybersecurity rules that apply to Federal agencies. Qualifying institutions: colleges and universities that get more than $50,000,000 per year in total Federal research funding. Resources: guidelines, tools, best practices, technical standards, methods, and other information materials.

Full Legal Text

Title 42, §18935

The Public Health and Welfare — Source: USLM XML via OLRC

(a)(1)Not later than one year after August 9, 2022, the Director shall, using the authorities of the Director under subsections (c)(15) and (e)(1)(A)(ix) of section 272 of title 15, disseminate and make publicly available tailored resources to help qualifying institutions identify, assess, manage, and reduce their cybersecurity risk related to conducting research.

(2)The Director shall ensure that the resources disseminated pursuant to paragraph (1)—

(A)are generally applicable and usable by a wide range of qualifying institutions;

(B)vary with the nature and size of the qualifying institutions, and the nature and sensitivity of the data collected or stored on the information systems or devices of the qualifying institutions;

(C)include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist qualifying institutions in mitigating common cybersecurity risks;

(D)include case studies, examples, and scenarios of practical application;

(E)are outcomes-based and can be implemented using a variety of technologies that are commercial and off-the-shelf; and

(F)to the extent practicable, are based on international technical standards.

(3)The Director shall ensure that the resources disseminated under paragraph (1) are consistent with the efforts of the Director under section 7443 of title 15.

(4)The Director shall review periodically and update the resources under paragraph (1) as the Director determines appropriate.

(5)The use of the resources disseminated under paragraph (1) shall be considered voluntary.

(b)Nothing in this section may be construed to supersede, alter, or otherwise affect any cybersecurity requirements applicable to Federal agencies.

(c)In this section:

(1)The term “qualifying institutions” means institutions of higher education that are awarded in excess of $50,000,000 per year in total Federal research funding.

(2)The term “resources” means guidelines, tools, best practices, technical standards, methodologies, and other ways of providing information.

Reference

Citations & Metadata

Citation

42 U.S.C. § 18935

Title 42 — The Public Health and Welfare

Last Updated

Apr 5, 2026

Release point: 119-73not60