Research security

Institutions applying for or receiving CFI funding have research security obligations both when they apply for funding as well as after they receive funding and throughout the life of the project. The research security requirements for a project could change between the proposal and the final financial report as the circumstances of the project change, so be sure to consult the section below that describes what you need to do after your institution receives funding.

Find out what you need to do when your institution applies for funding

Find out what you need to do after your institution receives funding

What is the CFI’s approach to research security?

The CFI works diligently with all Canadian research stakeholders to ensure that Canada’s research ecosystem remains as open as possible. Collectively, the CFI and our stakeholders also have the responsibility to ensure that this ecosystem is safe and secure.

We acknowledge that certain partnerships can pose a risk to Canada’s national security and that there may be risks involved in pursuing research and innovation, including theft, interference or unwanted transfer of knowledge, which have results that research teams and their members do not intend.

Currently, the CFI’s approach to research security is meant to mitigate two types of risks:

To mitigate these risks, we have implemented requirements for institutions both when they apply for funding and after they receive funding. These requirements include developing a risk mitigation strategy, submitting various forms throughout the funding cycle and maintaining regular communication with the CFI about changes to projects that could have an impact on the risk to national security. These requirements are outlined below.

Which CFI funding programs are subject to research security requirements?

These research security requirements apply to every CFI funding program except the College Fund. We will implement these requirements according to the timeline in the table under “Timeline for implementation” below. They are expected to apply to any new CFI funding program.

Funding programWhen will NSGRP requirements be implemented?When will STRAC requirements be implemented?
Biosciences Research Infrastructure Fund – Partnership with Stage 2 of the Canada Biomedical Research FundBeginning with proposals submitted to the Biosciences Research Infrastructure Fund – Partnership with Stage 2 of the Canada Biomedical Research FundNot applicable
College FundNot applicableNot applicable
Exceptional Opportunities FundBeginning immediately with any new proposalBeginning with any new proposal submitted after May 1, 2024
Innovation FundBeginning with proposals submitted to the 2025 competitionBeginning with proposals submitted to the 2025 competition
2023 Innovation Fund competitionAt award finalization*Not applicable*
John R. Evans Leaders Fund (affiliated)To be determined. Check back here for updates.To be determined. Check back here for updates.
John R. Evans Leaders Fund (unaffiliated)Beginning with any new proposal submitted after June 25, 2024Beginning with any new proposal submitted after June 25, 2024
Major Science Initiatives FundTo be determined. Check back here for updates.To be determined. Check back here for updates.
Northern FundBeginning immediately with any new proposalBeginning with any new proposal submitted after May 1, 2024

*Although the STRAC policy was not in place for proposals submitted to the 2023 Innovation Fund competition, the Government of Canada may take research affiliations into account immediately as part of the award finalization process, should risks be identified. In particular, research affiliations will be considered as part of the national security assessment of any project that is subject to the NSGRP.

How should institutions submit the necessary forms?

We will soon implement the ability to complete all of the research security forms (with the exception of STRAC attestation forms submitted after a project is funded) directly in the CFI Awards Management System (CAMS). Until that system is ready, email completed forms to your institution’s Senior Programs Officer at the same time you submit your proposal.

 

What do institutions need to do when they apply for CFI funding?

First, refer to the table under “Timeline for implementation” to see if these requirements have yet been implemented for the funding program to which you are applying. Then, review the steps below to determine which forms you will need to submit.

Step 1: Determine if you need to submit STRAC attestation forms

Review the Government of Canada’s list of Sensitive Technology Research Areas to determine if the proposal is in support of research that aims to advance any of the areas listed. If it will, each project/team leader and team member who is named in the proposal must complete an attestation form to be submitted with the proposal.

Attestation forms are not required for proposals that will not advance any of the listed sensitive technology research areas. Proposals in support of research that aims to use but not advance an existing technology do not require attestation forms. 

Within the attestation form, researchers declare that they are not currently affiliated with, or in receipt of funding or in-kind support from, any of the Government of Canada’s Named Research Organizations and that they will refrain from becoming so until the submission of the final financial report. Project/team leaders and team members are individually responsible for ensuring that they respect the terms of the attestation they complete.

Proposals that support research that aims to advance sensitive technology research area will not be funded if any of the project/team leaders or team members are currently affiliated with, or in receipt of funding or in-kind support from, any of the Government of Canada’s Named Research Organizations. 

In the context of CFI research infrastructure projects, only project/team leaders and team members are subject to requirements under the STRAC policy. While we encourage institutions to take adequate security measures, no other users of the research infrastructure are subject to requirements under the STRAC policy.

How do researchers know if their research advances a sensitive technology research area?

Researchers should identify their research as aiming to advance a sensitive technology research area if it supports research that aims to generate or discover knowledge that contributes to progress in the development of a technology described in the sub-categories of the list of Sensitive Technology Research Areas. Only areas of research covered by the sub-categories of the list are currently considered sensitive for the purposes of the STRAC policy. Lean towards a cautionary approach. Your institution’s research security expert can provide guidance and can contact the CFI or the Government of Canada’s Research Security Centre for case-specific advice.

How can research infrastructure advance sensitive technology research areas?

While the research infrastructure itself is unlikely to advance a sensitive technology research area, the research it supports can potentially do so. If one or more of the research projects that uses the research infrastructure aims to advance a sensitive technology research area, the policy applies and the project/team leaders and team members need to provide attestation forms.

Can a researcher who was previously affiliated with an organization on the list of Named Research Organizations be a project/team leader or a team member?

Yes, the policy only applies to currently held affiliations and financial or in-kind support at the moment of applying for funding and until the submission of the final financial report. Past affiliations and previous financial or in-kind support will not be considered.

Will the CFI validate proposals not identified to be advancing a sensitive technology research area?

We will conduct periodic validations on a random subset of funded projects to ensure that institutions appropriately identified whether the research supported by the funded infrastructure would aim to advance a sensitive technology research area. In cases where a proposal should have been marked as sensitive, we will inform the applicant institution and may request the submission of attestation forms.

Will submitted attestation forms be validated?

Yes, we will periodically select proposals to validate the accuracy of the attestation forms. This will be done in one of two ways:

  • If we refer a proposal to a Government of Canada agency for their assessment and advice as part of our normal procedure for NSGRP, then at that time, the Government of Canada will also take into account research affiliations.
  • We will randomly select a subset of funded projects that were identified as aiming to advance a sensitive technology research area and will share the attestation forms (as well as the title and project summary) of those projects with the appropriate Government of Canada agency for their assessment.

What happens if an attestation is found to be inaccurate?

If the validation process uncovers inaccurate information in an attestation form, the CFI will work with the relevant institution(s) to address the issue and to determine the best route forward to minimize impacts on the project.

Recourse varies by severity, intentionality and impact of the breach, but may include and is not limited to:

  • Ineligibility of the researcher to participate in the research activities supported by the CFI-funded research infrastructure listed in the proposal
  • A letter of reprimand
  • Withholding instalments of and/or termination of the funding of the project
  • A requirement to reimburse funds
  • Ineligibility of the researcher to be part of any CFI proposal for a defined period of time or permanently.

Step 2: Determine if you need to submit an NSGRP Risk Assessment Form, including a risk mitigation plan

Determine if the project involves a private-sector partner that:

  • Has an active role in the research activities described in the proposal (e.g., sharing of intellectual property, providing expertise, actively participating in research activities, contributing financially to the research activities); or
  • Houses part or all of the research infrastructure; or
  • Contributes more than $500,000 to the infrastructure through a cash or in-kind contribution to any single item.

For any proposal involving one or more private-sector partners that meet any of the above criteria, provide a National Security Guidelines for Research Partnerships Risk Assessment Form (RAF). Provide one form per proposal.

Create a risk mitigation plan

The Risk Assessment Form requires that you identify potential risks and create a risk mitigation plan. We encourage institutions to conduct open source due diligence and validate information by consulting private-sector partner(s) to determine risks and mitigation strategies. For more information, consult the comprehensive guide Conducting Open Source Due Diligence for Safeguarding Research Partnerships.

What happens after a research institution submits an RAF?

CFI staff will assess and validate the RAFs against risks to national security. When we cannot ascertain the risk or if we cannot determine whether the proposed mitigation measures are sufficient, we will refer the proposal and the RAF to the appropriate Government of Canada agency for further review. Following this referral, we may require that the institution put in place specific mitigation measures, including ending specific partnerships, for the project to be considered for funding.

What factors will determine if a national security assessment is necessary? 

In most cases, we refer proposals to the Government of Canada for a national security assessment and advice in cases where: 

  • The nature of the proposed research could be deemed sensitive (per Annex A of the NSGRP) and
  • One or more private-sector partner organizations were identified from open-source information to be:
    • Associated with, or originating from, organizations or countries that are subject to sanctions, and/or
    • Associated with criminal or ethical concerns. 

Where can applicant institutions find the outcome of their proposal’s national security assessment? 

When possible, we will communicate any new and relevant information that we receive from a Government of Canada agency to the applicant institution along with the funding decision. In cases where the funding is conditional on additional mitigation measures, or where funding was declined due to the risk assessment results, institutions can request a meeting with the CFI and representatives from the Government of Canada’s Research Security Centre. Contact your Senior Programs Officer to do so. 

Do institutions need to assess whether every private-sector partner they have identified in the proposal meets the criteria?

Yes. If a partner is identified in the proposal, you must determine whether they meet the criteria for a Risk Assessment Form. Every partner listed in the proposal is significant enough to warrant your consideration in this regard.

Step 3: If you determine you need to submit a Risk Assessment Form, also submit a Private-sector partner identification form for every partner that meets the criteria

Provide one completed Private-sector partner identification form for each private-sector partner identified in the proposal that meets any of the criteria that require a Risk Assessment Form (you may need several of these forms per project, depending on the number of partners that meet the criteria).

What do institutions need to do after they receive CFI funding?

Step 1: Implement the risk mitigation plan that you articulated in your RAF

If you submitted an RAF with your proposal, implement the risk mitigation measures you identified in it. Continue to follow these measures until you submit the final financial report for the project. The implementation of risk mitigation measures is stipulated in your institution’s award agreement.

Step 2: Submit a new STRAC attestation form if there is a change in the nature of the research or if there is a new project/team leader

If, when you submitted your proposal, you identified your project as aiming to advance a sensitive technology research area, you are required to immediately submit an attestation form for any new project/team leader, unless that person was a team member listed on the proposal, in which case they would have already submitted one.

If your project was not aiming to advance a sensitive technology research area when you submitted the proposal, remain aware of any change in the nature of the project that would mean it now does. In such an instance, each project/team leader and team member is required to immediately submit an attestation form. Contact your Senior Programs Officer for detailed instructions on how to submit those forms. (In this instance, you cannot submit the attestation forms in CAMS.)

Step 3: Submit a new NSGRP Risk Assessment Form if there are any changes to the project’s national security risk

Whether or not you submitted an RAF with your proposal, immediately communicate any change to the national security risk associated with the project to your institution’s Senior Programs Officer. Without delay, submit a new RAF that takes into account any changes to a funded project that would impact the national security risk under the National Security Guidelines for Research Partnerships, and continue to do so until you submit the final financial report.

Examples of situations warranting an updated RAF include:

  • The development of new partnerships meeting the criteria that require an RAF
  • An increase in a partner’s financial contribution to the infrastructure such that it contributes more than $500,000 to the infrastructure through a cash or in-kind contribution to any single item
  • The relocation of research infrastructure to the premises of a private-sector partner.

Step 4: Submit a new Private-sector partner identification form if required

If, in step 3 above, you determine you need to submit an updated RAF, also submit a new Private-sector partner identification form for any private-sector partner that is new to the project and meets the criteria or whose change in circumstances has led to the requirement for an updated RAF.

Canada’s approach to research security has been informed by ongoing dialogue and collaboration with the country’s research community and it aligns with international best practices such as the G7 Common Values and Principles of Research Security and Integrity. Following these best practices, it is the shared responsibility of researchers, research institutions, the CFI, federal research funding organizations, and the Government of Canada to safeguard the integrity of our research ecosystem from activities that undermine its foundational principles of openness, transparency, merit, academic freedom and reciprocity.

Accordingly, the CFI and Canada’s federal research funding organizations — the Canadian Institutes of Health Research (CIHR), the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Social Sciences and Humanities Research Council of Canada (SSHRC) — recognize the importance of research security in the conduct of research and research training, as well as in research funding opportunities and policies, to contribute to safeguarding Canada’s national security and its open and collaborative research ecosystem. In so doing, we are committed to ensuring that the research enabled by the infrastructure that we fund does not contribute to advancements in military, security and intelligence capabilities of foreign state actors that pose a threat to Canada.

We will continue to support and to work with the research community, to safeguard Canada’s research alongside our continued commitments to open science, to international collaboration, and to equity, diversity and inclusion. Together, we can cultivate a strong, globally competitive research and innovation system in Canada, such that the fruits of Canadian research and development are realized by those that conduct it and for the benefit of Canadians.

Read the guiding principles for research security that were developed by the Government of Canada and implemented by the CFI and the federal research funding organizations.

Questions?

Email us at research.security [at] innovation.ca (research[dot]security[at]innovation[dot]ca).