Overview of Decision Matrices
Several federal funding agencies have published decision matrices outlining the types of international activities that require risk mitigation. These decision matrices provide an understanding of what specific international activities are considered risky to individual agencies and can help you better manage your international engagement. Importantly, there are differences in how each agency categorizes risk, so something that might not be considered risky for one agency might require mitigation measures for another.
The chart below provides a general overview of risk factors considered by funding agencies. While there are differences in how each agency determines risk, there is a common concern with undisclosed support, undisclosed affiliations, and participation in foreign talent recruitment programs. For more on what to disclose and agency specific guidance on disclosures, please see the disclosures section of this website. Read below to learn more about each agency's decision matrix.
Sponsor Requests for More Information and Risk Mitigation Plans
Sponsors may reach out for more information about international collaborations or ask for a specific risk mitigation plan to manage international activities. Receiving such a request does not mean you have done something wrong. Rather, it means that the sponsor has identified some kind of affiliation, support, or other activity that it considers a risk factor and is seeking clarification.
RIC works with VU researchers to respond to these requests. If you receive a request for more information or for a specific risk mitigation plan, please contact ric@vanderbilt.edu.
National Institutes of Health
In August 2024, the National Institutes of Health (NIH) issued a decision matrix to assess foreign interference. The decision matrix identifies 3 risk factors: (1) Foreign Talent Recruitment Program (FTRP) participation; (2) undisclosed or incompletely disclosed foreign funding; (3) and undisclosed or incompletely disclosed affiliation with foreign institutions or entities. NIH is reviewing these risk factors for activities within the past 5 years. Co-authorship is not considered a risk factor if not directly related to NIH-funded work.
Please see the NIH Decision Matrix as well as a NIH's press release for more information.
National Science Foundation
The National Science Foundation has detailed a new risk mitigation process called Trusted Research Using Safeguards and Transparency (TRUST). TRUST will first be piloted with quantum related proposals in October 2024 before being applied more widely. NSF is reviewing 3 factors through TRUST: (1) active appointments and positions with or research support from proscribed parties including participation in Malign Foreign Talent Recruitment Programs; (2) non-disclosure of appointments, activities, and sources of research support; and (3) potential national security applications of the research. NSF is reviewing disclosures from January 2022 when implementation plans for NSPM-33 were released. NSF is not using co-authorship as a risk factor at this time.
For more information, see the TRUST Policy memo as well as a June 2024 webinar describing the policy.
Department of Defense
In May 2025 the Department of Defense (DoD) updated its decision matrix for countering unwanted foreign influence as part of a Risk-Based Security Reviews policy. The policy identifies 4 risk factors: (1) participation in a Malign Foreign Talent Recruitment Program (MFTRP) or co-authorship with a participant in an MFTRP; (2) funding sources from foreign countries of concern; (3) patent applications or patents filed outside the US; and (4) affiliation with an entity on US restricted entity lists. Co-authorship with individuals on entity lists or the BIS Denied Persons List is considered a risk factor. The National Defense Authorization Act (NDAA) for FY 2025 prohibits the DoD from funding fundamental research projects that include collaboration with an institution or employee of an institution on DoD's list of problematic entities. If you are unsure if a collaborator is on this list, please submit a Restricted Party Screening Request to Vanderbilt Export Compliance.
For more information, please see the Department of Defense policy, specifically pages 3-4.
Defense Advanced Research Projects Agency
Per a December 2023 memorandum, the Defense Advanced Research Projects Agency (DARPA) has adopted the above DoD Risk-Based Security Reviews policy and decision matrix. This policy replaces the previously established Countering Foreign Influence Program (CFIP) policy, DARPA Risk Rubric, and FAQs. In May, 2024, DARPA published updated FAQs to address how it is implementing the DoD policy.
US Army
The US Army has not yet adopted the DoD Risk-Based Security Reviews policy and continues to use the Army Research Risk Assessment Program (ARRP) matrix for Senior/Key Personnel. The ARRP identifies 4 risk factors: (1) participation in foreign talent recruitment programs of strategic competitors; (2) affiliation or association with entities on US government entity lists; (3) funding from strategic competitors; and (4) affiliation, association, or collaboration with a foreign institution, person, or entity from a strategic competitor. Co-authorship is considered a form of collaboration by the ARRP.
For more information, please see the FAQs and the official website detailing the program.
Department of Energy
In November 2024, the Department of Energy issued a memo outlining their Research, Technology, and Economic Security (RTES) Framework. The RTES Framework identifies multiple risk factors, which we have bundled as follows: (1) ties to a Malign Foreign Talent Recruitment Program (MFTRP); (2) funding (both monetary and in-kind) from certain foreign sources, as well as concerning behaviors associated with patenting, such as transferring to foreign entities after filing; (3) ties to foreign entities or foreign collaborators on specified lists or with specified characteristics; and (4) and whether the project falls within a critical and emerging technology area, will have physical or cyber access to critical infrastructure, and includes work with proximity to a military installation. DOE presentations have indicated that co-authorship is considered a form of collaboration and it may be assessed.
For more information, please see the DOE Research, Technology & Economic Security website and memo detailing the framework.
More Information
Please see the SECURE Center's Risk Matrix Reference Guide for a more detailed breakdown of the above risk matrices.