Frequently Asked Questions (FAQ): National Security Guidelines for Research Partnerships

The following questions are intended to help those completing the National Security Guidelines for Research Partnerships.

General Questions

  1. Why might my research be impacted by national security risks?
  2. Why do I need to complete the Risk Assessment Form?
  3. Where can I find resources to help effectively complete the Risk Assessment Form?
  4. Can or should my partner organization help in completing the Risk Assessment Form?
  5. What is required from the researcher and their institution to comply with the Guidelines?
  6. What does the Government of Canada do with the information that is collected on the Risk Assessment Form?

Specific Questions

  1. In cases where the researcher is confident that their project is low risk overall, should they still flag any and all potential risks in the Risk Assessment Form even if they are very unlikely?
  2. What is a Risk Mitigation Plan?
  3. How specific should a Risk Mitigation Plan be?
  4. Does the question “Your partner organization will have access to Canadian facilities, networks, or assets for conducting the research unrelated to this specific partnership” refer to facilities, networks, or assets on my campus / institutions, or in Canada more generally?
  5. Does the question “You are working with sensitive personal data or large amounts of data that could be sensitive in the aggregate”, imply that large amounts of data are always considered sensitive?
  6. Is the question “Your partner organization has been charged, admitted guilt, or has been convicted of fraud, bribery, espionage, corruption, or other criminal acts that could speak to a lack of transparency or ethical behaviour” referring only to charges or convictions in Canada, or should I consider charges / convictions in other countries?
  7. Is the question “Your partner organization has been charged, admitted guilt, or has been convicted of fraud, bribery, espionage, corruption, or other criminal acts that could speak to a lack of transparency or ethical behaviour” referring strictly to the participating partner organization(s), or does this also apply to the organization’s parent company and affiliates?
  8. For the question “You are working in research areas focused on critical infrastructure”, what is the definition of critical infrastructure?
  9. Why are there multiple questions dealing with different Control Lists and how do I answer them?


1. Why might my research be impacted by national security risks?

A: Your research might be impacted by national security risks because of its value. Your valuable research might be an attractive target for those seeking to engage in theft, espionage, or foreign interference on Canadian research and intellectual property to advance their own national priorities and gains. In some scenarios, research could lead to advancements in the strategic, military, or intelligence capabilities of other state and non-state actors, or be used to purposefully cause harm.

The negative impacts of inadequate research security could include:

  • Diminished trust and confidence in your research data and results
  • Loss of research data
  • Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
  • Legal or administrative consequences
  • Loss of potential future partnerships
  • Tarnished reputation

To learn more, consult What are the risks? or What Parts of Your research may be vulnerable?

top of page


2. Why do I need to complete the Risk Assessment Form?

A: You need to complete the Risk Assessment form if (a) you are applying to the Natural Sciences and Engineering Research Council of Canada’s (NSERC) Alliance Grants program and (b) your research project involves a private sector partner organization. If you meet this criteria, you must complete the form to the best of your ability and submit the form as an integral part of your grant application.

The intent of this process is to help identify and mitigate any potential national security risks related to your research partnership, as well as protect the research partnership itself.

More information can be found here: Why Safeguard Your Research?

top of page


3. Where can I find resources to help effectively complete the Risk Assessment Form?

A: You can find resources to help you effectively complete the Risk Assessment Form on this website, the Safeguarding Your Research Portal. Our resources can help you:

To effectively complete the "Know your Partner" section, it is recommended that you use elements of Open Source Intelligence (OSINT) research to better know your partner organization.

top of page


4. Can or should my partner organization help in completing the Risk Assessment Form?

A: No, your partner organization should not complete your Risk Assessment Form on your behalf. While your partner could provide relevant information and resources to help you complete the Risk Assessment Form, they should not complete it on your behalf.

It is recommended that you and your partner organization communicate about your mutual interests and objectives regarding your research. You should have open conversations about the sensitivity and intended uses of your research, its inputs and results, and data.

top of page


5. What is required from the researcher and their institution to comply with the Guidelines?

A: Researchers are responsible for completing the Risk Assessment Form. In the case of NSERC’s Alliance Grants program, the institution is responsible for validating the form before it is submitted as an integral part of the grant application.

Both the researcher and their institution have a shared responsibility in safeguarding their research from potential security risks. This includes responsibility for implementing and maintaining any risk mitigation measures presented in the Risk Mitigation Plan.

top of page


6. What does the Government of Canada do with the information that is collected on the Risk Assessment Form?

A: The information that is collected in the Risk Assessment form will (a) only be used by the Government of Canada and (b) be used to assess any potential risks to national security. All information is shared and managed in accordance with the Privacy Act.

When the Risk Assessment Form is submitted as part of a grant application, prior to the scientific merit review, NSERC will first conduct an administrative review of your application to ensure its completeness and validate the information you have provided, using open source tools and methods.

If your application requires a national security risk assessment, it will also be shared with Canada’s national security departments and agencies for their assessment and advice.

After the national security risk assessment has been completed, Canada’s national security departments and agencies will inform NSERC of their findings regarding the potential national security risks. This information will be considered, alongside the results of the scientific merit review, when NSERC makes its funding decision.

For more information on the an overview of the process, please visit Appendix A and B found in the National Security Guidelines for Research Partnerships.

top of page


7. In cases where the researcher is confident that their project is low risk overall, should they still flag any and all potential risks in the Risk Assessment Form even if they are very unlikely?

A: Yes, even in cases where the researcher is confident that their project is low security risk overall, they must still flag any and all potential risks.

You must describe all reasonable risks, no matter their magnitude or their likelihood, in your response in the Risk Assessment Form. You are advised to demonstrate that you have completed your due diligence, and should state why you believe these risks to be of low magnitude and/or likelihood.

top of page


8. What is a Risk Mitigation Plan?

A: The Risk Mitigation Plan is the third section of the Risk Assessment Form. It involves a response of up to 750 words where you identify any measures that address, or seek to address, all of the potential and identified risks to your research that were listed in the section of the Risk Assessment Form, titled “Potential Risks Identified”.

For any Risk Assessment Form question where you answered “yes” or “unsure”, you must describe these risks and address them in your Risk Mitigation Plan. Any grant application where this has not been properly completed (e.g., where a risk is not described, or where there is no corresponding mitigation measure) will be removed from consideration.

top of page


9. How specific should a Risk Mitigation Plan be?

A: We encourage you to be as specific as possible in your Risk Mitigation Plan and to consult both your partner organization and research institution when determining the appropriate risk mitigation measures to address the identified risks.

A strong Risk Mitigation Plan can help decrease the likelihood of potential risks occurring. Potential measures to highlight in your mitigation plan can align with the following categories:

  • Building a Strong Research Team
  • Assessing Alignment of Your Partners' Motivations
  • Ensuring Sound Cybersecurity and Data Management Practices; and,
  • Agreement on Intended Use of Research Findings, including any commitments to Open Science, Open Data and Open Publication.

Keep in mind that all projects are unique, and some may require more risk mitigation measures than others. Examples of specific measures to consider in your risk mitigation plan include, but are not limited to:

  • Training (research security, cyber security, and intellectual property training)
  • Guidance and best practices from Government of Canada departments
  • Partnership agreements that include intellectual property and technology transfer clauses that address national security risks
  • Data management plan (for useful resources, consult the Frequently Asked Questions of the Tri-Agency Data Management Policy)
  • Cyber security plan (for useful resources, consult the Canadian Centre for Cyber Security’s Security Considerations for Research and Development)
  • Establishing access restrictions for partners and personnel to an “as needed” basis
  • Regular reporting to your institution on the implementation and effectiveness of the proposed risk mitigation measures

For more information on completing the Risk Mitigation Plan, please visit the bottom of the National Security Guidelines for Research Partnerships webpage or consult What steps can you take to protect your research?

top of page


10. Does the question “Your partner organization will have access to Canadian facilities, networks, or assets for conducting the research unrelated to this specific partnership” refer to facilities, networks, or assets on my campus / institutions, or in Canada more generally?

A: Yes, that question refers specifically to the facilities, networks, or assets on the campus or institution that the work will be performed on. In other words, the scope is limited to the facilities, networks, or assets of your campus/institution.

However, you should only answer “yes” if you believe your proposed research partnership project could permit your partner organization access to the facilities, networks, or assets of your campus / institution for reasons unrelated to the specific project to be conducted. It is important to note that this does not include non-business related access (i.e., access to gym or recreational facilities).

Situations where the partner organization already has access to facilities, networks, or assets of your campus / institution as a result of other partnerships or projects do not need to be mentioned.

top of page


11. Does the question “You are working with sensitive personal data or large amounts of data that could be sensitive in the aggregate”, imply that large amounts of data are always considered sensitive?

A: No. The sensitivity of a dataset depends on the nature, type, and state of the information it contains, as well as how it may be used in the aggregate. Data of any size, if identified as having ethical, commercial, or legal impact on the individual, domestic, or international level could be considered a sensitive research area. Examples could be human health data or satellite data.

top of page


12. Is the question “Your partner organization has been charged, admitted guilt, or has been convicted of fraud, bribery, espionage, corruption, or other criminal acts that could speak to a lack of transparency or ethical behaviour” referring only to charges or convictions in Canada, or should I consider charges / convictions in other countries?

A: The response to this question should consider a conviction in any jurisdiction, not just within Canada.

top of page


13. Is the question “Your partner organization has been charged, admitted guilt, or has been convicted of fraud, bribery, espionage, corruption, or other criminal acts that could speak to a lack of transparency or ethical behaviour” referring strictly to the participating partner organization(s), or does this also apply to the organization’s parent company and affiliates?

A: The necessary checks must also cover the partner's parent company or affiliates. Even if the partner is not involved in the alleged activities, they may be financially influenced, obtain technical support, or work closely with parent companies or affiliates.

top of page


14. For the question “You are working in research areas focused on critical infrastructure”, what is the definition of critical infrastructure?

A: As defined in the National Strategy for Critical Infrastructure and Action Plan for Critical Infrastructure, critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. This includes the following ten critical infrastructure sectors:

  1. Energy and Utilities
  2. Information and communication technology
  3. Finance
  4. Health
  5. Food
  6. Water
  7. Transportation
  8. Safety
  9. Government
  10. Manufacturing

top of page


15. Why are there multiple questions dealing with different Control Lists and how do I answer them?

A: There are multiple questions dealing with different Control Lists because if your research is on one or more of those Control Lists, it could be considered sensitive. Each list, while similar, is different, and each should be consulted to determine if the subject matter of your research is included in one of the lists.

The Export Control List of Goods and Technology identifies those goods and technology whose export is controlled from Canada to other countries, regardless of the method of transmission (including, for example, shipping, transferring, or, transmitting information by electronic means, provision of technical or consulting services, etc.) The Import Control List identifies the range of goods that Canada imposes import controls on as they come from other countries to Canada.

To answer these questions dealing with the different Control List, consult each list and look for your area of research. This will help you determine if your research area could be considered sensitive and at risk of theft, espionage, and foreign interference.

For more information or questions related to items on the Export Controls Lists, you are encouraged to refer to Canada's Export Controls Manual. You can also contact the division at Global Affairs Canada responsible for the Export Controls list by phone (613-996-2387) or by email (tie.reception@international.gc.ca).

top of page