National Security Presidential Memorandum 33 (NSPM-33) represents a pivotal directive from the U.S. government aimed at enhancing research security at federally funded research organizations.
Issued in January 2021 and further clarified by updated guidance in January 2022, NSPM-33, supported by the Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act, seeks to safeguard American research against foreign interference, theft, and exploitation, while maintaining an open and collaborative research environment. As research organizations including universities, national laboratories, and other entities engaged in significant scientific inquiry navigate the complex landscape of compliance, understanding NSPM-33’s research security program requirements and implications is critical.
This Complete Guide from SaltyCloud provides a comprehensive overview of NSPM-33, detailing who must comply, what is required, and how institutions can effectively implement its mandates.
This memorandum addresses the growing concerns of foreign government interference and intellectual property theft in U.S. research and development. NSPM-33 sets forth comprehensive requirements for research institutions to implement stronger research security measures, focusing on transparency, cybersecurity, and safeguarding intellectual property.
NSPM-33 has several primary research security objectives aimed at protecting U.S. research organizations:
Institutional research security programs as outlined by NSPM-33 should include:
NSPM-33 applies to all research organizations that receive more than $50 million per year in federal research funding for science and engineering research. Specifically, the memorandum targets:
Compliance with NSPM-33 is overseen by several federal entities:
Implementing the requirements of NSPM-33 presents several challenges for higher education institutions, particularly those engaged in significant research activities. These challenges stem from the complexity of aligning federal security mandates with the collaborative and open nature of academic research.
One of the primary challenges is finding the balance between adhering to stringent security measures and maintaining the open, collaborative environment that is essential for academic research. Research institutions are traditionally built on principles of openness, where knowledge and resources are shared freely among scholars across the globe. NSPM-33, however, imposes strict security protocols that can potentially hinder this open exchange, particularly when dealing with foreign collaborations.
Another significant challenge is the variability in requirements across different federal funding agencies. While NSPM-33 provides a broad framework, individual agencies have the discretion to enforce specific requirements tailored to their particular concerns. This lack of uniformity can lead to confusion and increased administrative burden, as institutions may need to comply with multiple sets of guidelines, each with its own standards and expectations. These requirements also overlap with existing regulations such as the CHIPS and Science Act, the International Traffic in Arms Regulations (ITAR), and the Cybersecurity Maturity Model Certification (CMMC).
For many institutions, implementing NSPM-33’s requirements poses significant resource challenges. Developing and maintaining a comprehensive research security program covering cybersecurity, foreign travel security, and research security training requires substantial investment in both financial and human resources. Smaller institutions may struggle to allocate the necessary resources, raising concerns about their ability to comply fully with the memorandum’s mandates.
NSPM-33’s focus on foreign influence and its associated security measures can also have a chilling effect on international collaborations. Researchers may become hesitant to engage with foreign colleagues, fearing that such interactions could trigger compliance issues or jeopardize funding. This is particularly problematic in fields where international collaboration is not only common but essential for advancing knowledge.
Finally, ensuring buy-in from all levels of the institution, from senior leadership to individual researchers, is crucial for successful implementation. Resistance can arise if the requirements are perceived as overly burdensome or if their importance is not understood. Institutions must invest in research security training and communication so that everyone involved in research activities understands why these security measures matter and is committed to implementing them.
To support the cybersecurity requirements of Section 10229 of the CHIPS and Science Act, NIST is spearheading an initiative to provide higher education institutions with resources such as NIST IR 8481. This document, still an initial public draft, offers essential guidance on identifying, assessing, managing, and mitigating cybersecurity risks in research, helping institutions meet NSPM-33’s standards while safeguarding their research endeavors.
Once institutions have a foundational understanding of the guidance provided by NIST IR 8481, they should conduct a comprehensive inventory of all research-related assets, systems, and data. This involves identifying all equipment, devices, and systems used in federally funded research. Institutions like the University of Rochester have already begun this process to better understand their cybersecurity needs and ensure compliance with NSPM-33.
After completing the inventory, institutions should use a detailed questionnaire to assess a covered unit’s current security posture. The following questions can guide this assessment:
After completing the risk assessment, institutions should adapt their information security risk management programs to align with NSPM-33 requirements. While NSPM-33 doesn’t prescribe a specific security framework, institutions can either leverage their existing control frameworks or explore options like NIST SP 800-171 or the NIST Cybersecurity Framework (CSF), especially if they are already required to use them for other regulations such as CMMC. Since federal agencies may impose varying requirements, it’s essential to find a common approach that addresses the core security needs across these mandates. This strategy helps institutions build a flexible, comprehensive security program capable of meeting diverse compliance challenges.
To ensure continuous compliance, institutions must provide regular training and awareness programs for researchers and staff. Training should focus on the importance of cybersecurity, foreign travel security, and export control compliance. For example, Emory University has integrated these training programs into its learning management systems, ensuring all relevant personnel can easily access essential resources.
The compliance timeline for NSPM-33 is dependent on the finalization of its guidelines, which remains pending as of late 2024. Institutions must prepare to meet key deadlines that will be established following the release of the final guidelines. Here’s an overview of the anticipated timeline:
Isora GRC is the leading choice for information security teams in higher education, trusted by institutions large and small to streamline Governance, Risk, and Compliance (GRC) security risk management initiatives. As higher education institutions face increasing regulatory demands, including compliance with NSPM-33, CMMC, GLBA, HIPAA, and more, Isora GRC offers a powerfully flexible solution for managing the complexities of an information security risk management (ISRM) program.
With Isora GRC, you can:
Discover why information security teams in higher education trust Isora GRC to achieve compliance and resilience. Request a demo today.
As higher education institutions navigate the evolving landscape of research security and compliance, understanding and preparing for NSPM-33 is crucial. The timeline for compliance, driven by the finalization of guidelines, will set the stage for institutions to implement the necessary measures to protect their research activities. By adopting best practices, leveraging resources like the upcoming NIST IR 8481, and using comprehensive platforms like Isora GRC, institutions can meet these new requirements and enhance their overall security posture.