It works both ways.
I wouldn't call it oversight, because there's not a jurisdictional kind of accountability. If there's a security threat, the security agencies would act on that threat. If there is a concern about risks, there would be a discussion. There would be information shared with institutions where appropriate—where it doesn't compromise our security interests—but it is also about developing a relationship with institutions where, as they have questions or concerns, they have a place to go, a trusted source of expertise and advice they can use to better mitigate risks on their campuses.