Regulations on the Management, etc. of National Research and Development Projects
Regulations on the Management, etc. of National Research and Development Projects
Chapter 5 Security and Information Management of National Research and Development Projects
Article 24 (Security of National Research and Development Projects)
① The head of the central administrative agency, the head of the professional agency, and the head of the research institute carrying out the R&D task shall formulate and implement security measures, such as by designating security management officers regarding national research and development projects and establishing security management regulations. In this case, the participating agencies of the R&D task of the principal research institute (cooperating research institute in the case of sub-tasks) shall observe the national research and development project security management regulations and measures of the principal research institute
② The head of the central administrative agency may conduct joint inspections with the Director of the National Intelligence Service and other heads of agencies concerned regarding the security management status of national research and development projects under competence thereof. In this case, each of the following shall be negotiated with the head of the agency concerned.
1. Target and date of inspection
2. Content and method of inspection
3. Inspection team composition
4. Other matters necessary for inspection
③ The head of the central administrative agency, following the security management status inspection under paragraph 2, may order corrective action via prior negotiation with the heads of the central administrative agencies concerned and the Director of the National Intelligence Service. The head of the research institute carrying out the R&D task shall report to the head of the central administrative agency and the Director of the National Intelligence Service on the results of follow-up measures regarding the corrective action within six months of receiving the correction order.
④ The head of the central administrative agency shall formulate and implement separate security measures via cooperation with the Director of the National Intelligence Service in order to prevent overseas leakage of information related to national research and development projects.
⑤ The head of the research institute shall formulate and implement autonomous security measures, including national research and development project security management measures under Article 24-7 (2) and other matters deemed necessary by the head of the research institute, in order to prevent overseas leakage of key research information related to national research and development projects.
⑥ When visiting or receiving visitors from an overseas government, organization, or group regarding a confidential task, the head of the research institute shall notify the heads of the central administrative agencies concerned and the Director of the National Intelligence Service of the name of the R&D task, principal investigator, date and location of the visit, and key details of the visit at least 5 days prior to the visit in document form prescribed by the Ordinance of the Ministry of Science, ICT and Future Planning. However, in the event that a visit takes place in a manner that varies from that previously advised, the corresponding matters shall be reported in addition after the visit. In the event of any visit made or received without prior notification due to urgency, etc., the notification may be made after the visit.
⑦ In the event of a security incident that corresponds to any one of the following regarding R&D tasks, the head of the professional agency and the head of the research institute shall take the necessary measures immediately upon learning of the incident and at the same time report to the heads of the central administrative agencies concerned, and shall submit additional details on the incident such as the date and time, location, personal details of the persons involved, and particulars of the incident within five days of the date of report. However, in the event that the R&D task is a confidential task, the Director of the National Intelligence Service shall also be notified immediately.
1. Exposure, leakage, loss, or theft of information related to R&D tasks
2. Exposure, damage, or destruction of systems to distribute/manage/store information related to R&D tasks
3. Other security-related incidents specified by the head of the central administrative agency
⑧ In the event of any security incident that corresponds to any one of the subparagraphs of paragraph 7, the head of the central administrative agency may jointly investigate the circumstances by requesting investigation/support from the Director of the National Intelligence Service or other agencies concerned, and the head of the research institute and principal investigator, etc. shall faithfully cooperate in the investigation. However, in the event that the R&D task is a confidential task, the circumstances of the incident shall be jointly investigated with the National Intelligence Service.
⑨ The heads of the central administrative agencies, the professional agency, and the research institute concerned shall not disclose relevant matters until the end of the investigation, shall prepare preventive measures after addressing the incident, and, when necessary, may request support from the Director of the National Intelligence Service for security training to prevent security incidents and other relevant measures.
Article 24-2 (Security Management Council)
① The head of the central administrative agency shall establish and operate a security management council to deliberate on each of the following.
1. Establishment/amendment of national research and development project security management regulations
2. Matters regarding security management of professional agencies
3. Follow-up measures in the event of any security incident regarding national research and development projects
4. Other matters deemed necessary by the chair of the security management council
② The chair of the security management council shall be a public official belonging to a senior civil service of the department in charge of the affairs of national research and development projects. Matters regarding establishment and operation of the security management council shall be as prescribed by the head of the central administrative agency.
[This article newly established Mar. 28, 2011]
Article 24-3 (Research Institute Security Management Council)① The head of the professional agency and the head of the research institute shall establish and operate a research institute security management council (hereinafter “research security council” in this Article) to deliberate on each of the following matters. However, this shall not apply to SMEs under the Framework act on Small and Medium Enterprises, venture businesses under the Act on Special Measures for the Promotion of Venture Businesses, and other research institutes whose organizational structure makes it difficult to operate a research security council.
1. Establishment/amendment of autonomous security management regulations related to national research and development projects
2. Matters regarding changes to security ratings of R&D tasks
3. Processing security incidents related to national research and development projects
4. Other matters deemed necessary by the chair of the research security council
② Matters regarding establishment and operation of the research security council shall be as prescribed by the head of the agency to which the research security council belongs.
[This article newly established Mar. 28, 2011]
Article 24-4 (Classification Standards)① The security rating of R&D tasks shall be classified as follows.
1. Confidential task: A R&D task that corresponds to any one of the following and that requires security measures as external leakage of research and development outcomes is expected to cause significant loss to the value of the technology/property
A. Any R&D task related to the development of world-leading technological products
B. Any R&D task whose need for protection is recognized as it involves localization of a technology whose transfer was refused from overseas or a future core technology
C. Any R&D task related to a national core technology pursuant to Article 2 (2) of the Act on Prevention of Divulgence and Protection of Industrial Technology
D. Any R&D task related to a technology that requires restriction, such as an export permit, under Article 19 (1) of the Foreign Trade Act and Article 32-2 of the Enforcement Decree of the same act
E. Any other task deemed necessary by the head of the central administrative agency to be classified as a confidential task
2. Standard task: A task that has not been designated a confidential task
② All documents produced in the course of a R&D task shall be marked with the security rating classified under paragraph 1.
③ Notwithstanding paragraphs 1 and 2, tasks classified under the Security Operational Rule as Top Secret, Secret, Confidential, or equally restricted and tasks classified under the Enforcement Decree of the Military Secret Protection Act as Top Secret, Secret, Confidential, or equally restricted shall be in accordance with the provisions of relevant laws.
[This article newly established Mar. 28, 2011]
Article 24-5 (Classification Procedure)① When preparing a research and development plan under Article 6 (4), the principal investigator shall comply with the security rating of the research and development project announced by the head of the central administrative agency under paragraph 2 of the same Article.
② When selecting R&D tasks, the head of the central administrative agency shall instruct the R&D evaluation team pursuant to Article 7 (1) to review the appropriateness of the security rating classification under Article 7 (3) 4 and reflect the results thereof in determining the security rating.
Article 24-6 (Change of Security Rating)① The head of the professional agency and the head of the research institute may change the security rating of a R&D task via research security council deliberation according to procedures prescribed by autonomous security management regulations related to national research and development projects. The details of and reason for the change shall be reported to the heads of the central administrative agencies concerned.
② In the event that the details of the change in security rating, etc. submitted under paragraph 1 are deemed inappropriate, the head of the central administrative agency may order the withdrawal of the change in security rating.
③ When a security rating is changed, the head of the professional agency and the head of the research institute shall notify the research institutes concerned. However, in the event that a task is changed from a standard task to a confidential task, the Director of the National Intelligence Service shall be notified of the relevant details.
Article 24-7 (Measures according to Security Rating)① The head of the professional agency, with respect to the selection, evaluation, and management of R&D tasks, shall classify security ratings according to Article 24-4 and establish and enforce security measures accordingly.
② The head of the research institute and the principal investigator shall take security management measures according to the security rating of Article 24-4 (1) and the details thereof shall be as prescribed in Schedule 2-3.
③ In the event that the head of the central administrative agency signs an agreement with the head of the principal research institute regarding a confidential task, the agreement shall expressly require the implementation of the measures in Schedule 2-3 under Article 9 (1) 14.
Article 24-8 (Security Rating of Research and Development Outcomes)① The security ratings of research and development outcomes under Article 15 (2) 7 shall be the security rating of the R&D task determined under Article 24-5 or changed under Article 24-6.
② When conducting a final evaluation under Article 16 (1) regarding a R&D task, the head of the central administrative agency may require the research and development outcomes evaluation team under paragraph 4 of the same article to review the appropriateness of the security rating for the research and development outcomes under paragraph 1, and reflect the results thereof to change the security rating.
Article 24-9 (Reporting on Security Management Status of Research and Development Tasks)① The head of the professional agency may investigate the national research and development project security management status of research institutes according to the format prescribed by the Ordinance of the Ministry of Science, ICT and Future Planning.
② The head of the professional agency shall collate and report on the results pursuant to paragraph 1 within the deadline specified by the heads of the central administrative agencies concerned.
Article 24-10 (Measures for Security Management Violations)
① The professional agency, research institute, principal investigator, participating researchers, etc. shall comply the matters prescribed in this Decree and the relevant national research and development project security operational regulations.
② Under Article 9 (1) 14, the agreement shall state that the head of the central administrative agency may apply penalty measures in the selection or evaluation, etc. of national research and development projects regarding any individual who fails to make reports under Article 24 (7) or implement security management measures, etc. under Article 24-7 (2) without legitimate reason.