Understanding NSPM-33, Complete Guide

SaltyCloud Research Team

Updated Sep 13, 2024 Read Time 12 min

National Security Presidential Memorandum 33 (NSPM-33) represents a pivotal directive from the U.S. government aimed at enhancing research security at federally funded research organizations.

Issued in January 2021 and further clarified by updated guidance in January 2022, NSPM-33, supported by the Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act, seeks to safeguard American research against foreign interference, theft, and exploitation, while maintaining an open and collaborative research environment. As research organizations including universities, national laboratories, and other entities engaged in significant scientific inquiry navigate the complex landscape of compliance, understanding NSPM-33’s research security program requirements and implications is critical.

This Complete Guide from SaltyCloud provides a comprehensive overview of NSPM-33, detailing who must comply, what is required, and how institutions can effectively implement its mandates.

What is NSPM-33?

This memorandum addresses the growing concerns of foreign government interference and intellectual property theft in U.S. research and development. NSPM-33 sets forth comprehensive requirements for research institutions to implement stronger research security measures, focusing on transparency, cybersecurity, and safeguarding intellectual property.

What are the Key Objectives?

NSPM-33 has several primary research security objectives aimed at protecting U.S. research organizations:

  • Protecting Intellectual Property: Ensures that federally funded research and development are protected from unauthorized transfer and foreign government interference.
  • Standardizing Disclosure Requirements: Mandates the standardization of disclosure forms and processes across all federal agencies that fund research, to promote transparency and reduce administrative burden.
  • Enhancing Cybersecurity: Requires institutions to implement robust cybersecurity measures, consistent with standards set by the National Institute of Standards and Technology (NIST), to protect sensitive research data from cyber threats.
  • Developing Research Security Programs: Obligates research organizations awarded more than $50 million annually in total federal research funding to create comprehensive security programs.

What are the Specific Requirements?

Institutional research security programs as outlined by NSPM-33 should include:

  • Disclosure of Foreign Ties: Researchers and institutions must fully disclose all professional affiliations, funding, and collaborations with foreign entities. This includes positions, financial support, and any other ties that could present a conflict of interest.
  • Cybersecurity Protocols: Institutions are required to develop cybersecurity measures that align with NIST standards, focusing on protecting research data from unauthorized access and cyber threats.
  • Foreign Travel Security: Policies must be in place to monitor and manage risks associated with international travel by researchers, particularly when involving countries known for intellectual property theft.
  • Research Security Training: Institutions must provide research security training to researchers and staff on the risks of foreign influence and the importance of complying with security protocols.
  • Export Control Compliance: Ensures that institutions adhere to U.S. export control regulations, such as the International Traffic in Arms Regulations (ITAR). This includes governing the sharing of sensitive technologies and information with foreign nationals, particularly in research that involves defense-related articles and services.
  • Annual Certification (TBD): Although institutions will eventually need to certify their compliance with NSPM-33 to continue receiving federal funding, the specific requirements and procedures for this certification are still to be determined as the final guidelines have not yet been issued.

Who Needs to Comply?

NSPM-33 applies to all research organizations that receive more than $50 million per year in federal research funding for science and engineering research. Specifically, the memorandum targets:

  • Universities and Colleges: Institutions of higher education that conduct federally funded research in various scientific and engineering fields.
  • National Laboratories: Government-funded laboratories that engage in advanced research across numerous disciplines, particularly those that support national security, energy, and technology development.
  • Federally Funded Research and Development Centers (FFRDCs): Institutions that are sponsored by the federal government to meet specific research or development needs, especially those involving long-term projects that are critical to national interests.
  • Nonprofit Research Institutions: Organizations that engage in scientific research but operate independently of government control, often focusing on public interest issues or foundational scientific inquiries.

Who Oversees Compliance?

Compliance with NSPM-33 is overseen by several federal entities:

  • Federal Agencies: These agencies, such as the National Science Foundation (NSF) and the National Institutes of Health (NIH), are responsible for enforcing NSPM-33 requirements at the institutional level.
  • Office of Science and Technology Policy (OSTP): The National Science and Technology Council of the OSTP provides guidance and oversight to ensure that institutions adhere to NSPM-33’s mandates. They issue specific instructions for agencies and institutions to follow.
  • National Institute of Standards and Technology (NIST): NIST provides the cybersecurity standards that institutions must implement as part of their compliance with NSPM-33. Their guidelines are integral to safeguarding research data.

Challenges for Higher Education Institutions

Implementing the requirements of NSPM-33 presents several challenges for higher education institutions, particularly those engaged in significant research activities. These challenges stem from the complexity of aligning federal security mandates with the collaborative and open nature of academic research.

Balancing Security with Academic Openness

One of the primary challenges is finding the balance between adhering to stringent security measures and maintaining the open, collaborative environment that is essential for academic research. Research institutions are traditionally built on principles of openness, where knowledge and resources are shared freely among scholars across the globe. NSPM-33, however, imposes strict security protocols that can potentially hinder this open exchange, particularly when dealing with foreign collaborations.

Navigating Varying Agency Requirements

Another significant challenge is the variability in requirements across different federal funding agencies. While NSPM-33 provides a broad framework, individual agencies have the discretion to enforce specific requirements tailored to their particular concerns. This lack of uniformity can lead to confusion and increased administrative burden, as institutions may need to comply with multiple sets of guidelines, each with its own standards and expectations. These requirements also overlap with existing regulations such as the CHIPS and Science Act, the International Traffic in Arms Regulations (ITAR), and the Cybersecurity Maturity Model Certification (CMMC).

Resource Constraints and Administrative Burden

For many institutions, implementing NSPM-33’s requirements poses significant resource challenges. Developing and maintaining a comprehensive research security program covering cybersecurity, foreign travel security, and research security training requires substantial investment in both financial and human resources. Smaller institutions may struggle to allocate the necessary resources, leading to concerns about their ability to comply fully with the memorandum’s mandates.

Impact on International Collaborations and Foreign Government Interference

NSPM-33’s focus on foreign influence and its associated security measures can also have a chilling effect on international collaborations. Researchers may become hesitant to engage with foreign colleagues, fearing that such interactions could trigger compliance issues or jeopardize funding. This is particularly problematic in fields where international collaboration is not only common but essential for advancing knowledge.

Ensuring Institutional Buy-In and Compliance

Finally, ensuring buy-in from all levels of the institution, from senior leadership to individual researchers, is crucial for successful implementation. Resistance can arise if the requirements are perceived as overly burdensome or if there is a lack of understanding about their importance. Institutions must invest in research security training and communication to ensure that everyone involved in research activities understands the importance of these security measures and is committed to their implementation.

Steps for Establishing a Research Security Program

Step 1: Understanding and Implementing NIST IR 8481

To support the cybersecurity requirements of Section 10229 of the CHIPS and Science Act, NIST is spearheading an initiative to provide higher education institutions with resources like NIST IR 8481. This document, which is still an initial public draft, offers essential guidance on identifying, assessing, managing, and mitigating cybersecurity risks in research, so that institutions can meet NSPM-33’s standards while safeguarding their research endeavors.

  1. Integration into the Research Lifecycle: NIST IR 8481 emphasizes embedding cybersecurity throughout the research process. This includes assessing risks from the planning phase of research projects and maintaining security protocols during the entire research lifecycle.
  2. Risk-Based Approach: The document advocates for a risk-based approach, where institutions assess their specific vulnerabilities and tailor their cybersecurity measures accordingly. This might involve implementing stringent data protection measures for high-risk projects or adapting existing security frameworks to meet the needs of specific research activities.
  3. Collaboration and Resource Sharing: NIST IR 8481 underscores the importance of collaboration among higher education institutions, particularly through partnerships with organizations like EDUCAUSE HEISC, REN-ISAC, and others. These collaborations promote the sharing of resources, best practices, and cybersecurity tools, helping institutions collectively enhance their security efforts across the research community.
  4. Ongoing Updates and Monitoring: The guidance stresses the importance of keeping cybersecurity measures up-to-date with evolving threats. Institutions should regularly review and enhance their security protocols based on the latest threat intelligence and technological advancements.

Step 2: Inventory and Assessment

Once institutions have a foundational understanding of the guidance provided by NIST IR 8481, they should conduct a comprehensive inventory of all research-related assets, systems, and data. This involves identifying all equipment, devices, and systems used in federally funded research. Institutions like the University of Rochester have already begun this process to better understand their cybersecurity needs and ensure compliance with NSPM-33.

Step 3: Conduct a Risk Self-Assessment

After completing the inventory, institutions should use a detailed questionnaire to assess a covered unit’s current security posture. The following questions can guide this assessment:

  1. Do you provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches?
  2. Do you limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)?
  3. Do you limit information system access to the types of transactions and functions that authorized users are permitted to execute?
  4. Do you verify and control/limit connections to and use of external information systems?
  5. Do you control any non-public information posted or processed on publicly accessible information systems?
  6. Do you identify information system users, processes acting on behalf of users, or devices?
  7. Do you authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems?
  8. Do you monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems?
  9. Do you implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks?
  10. Do you provide protection of scientific data from ransomware and other data integrity attack mechanisms?
  11. Do you identify, report, and correct information and information system flaws in a timely manner?
  12. Do you provide protection from malicious code at appropriate locations within organizational information systems?
  13. Do you update malicious code protection mechanisms when new releases are available?
  14. Do you perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed?
  15. Do additional cybersecurity requirements, such as those provided by the National Institute of Standards and Technology (NIST), apply to your research involving classified information or Controlled Unclassified Information (CUI)?

Step 4: Aligning with Security Frameworks

After completing the risk assessment, institutions should adapt their information security risk management programs to align with NSPM-33 requirements. While NSPM-33 doesn’t prescribe a specific security framework, institutions can either leverage their existing control frameworks or explore options like NIST SP 800-171 or the NIST Cybersecurity Framework (CSF), especially if they are already required to use one for other regulations like CMMC. Since federal agencies may impose varying requirements, it’s essential to find a common approach that addresses the core security needs across these mandates. This strategy helps institutions create a flexible, comprehensive security program capable of meeting diverse compliance challenges.

Step 5: Ongoing Training and Awareness

To ensure continuous compliance, institutions must provide regular training and awareness programs for researchers and staff. Training should focus on the importance of cybersecurity, foreign travel security, and export control compliance. For example, Emory University has integrated these training programs into its learning management systems, ensuring all relevant personnel can easily access essential resources.

NSPM-33 Compliance Timeline

The compliance timeline for NSPM-33 is dependent on the finalization of its guidelines, which remains pending as of late 2024. Institutions must prepare to meet key deadlines that will be established following the release of the final guidelines. Here’s an overview of the anticipated timeline:

  • Agency Implementation Plans (6 Months Post-Finalization): Federal research agencies will have six months from the finalization of the guidelines to develop and submit their implementation plans to the Office of Science and Technology Policy (OSTP) and the Office of Management and Budget (OMB). These plans will specify how each agency intends to enforce NSPM-33 compliance.
  • Institutional Compliance (18 Months Post-Finalization): Following the submission of agency implementation plans, institutions will have an additional 12 months to align with these requirements, resulting in a compliance deadline approximately 18 months after the final guideline issuance.
  • Full Compliance Deadline (Possibly End of 2026): It is anticipated that full compliance with NSPM-33, including cybersecurity and other research security program elements, will be required by the end of 2026. Institutions will need to be fully compliant with all relevant federal research agency policies and procedures by this time.

Isora GRC: The #1 Trusted Governance, Risk, and Compliance Platform in Higher Education

Isora GRC is the leading choice for information security teams in higher education, trusted by institutions large and small to streamline Governance, Risk, and Compliance (GRC) security risk management initiatives. As higher education institutions face increasing regulatory demands, including compliance with NSPM-33, CMMC, GLBA, HIPAA, and more, Isora GRC offers a powerfully flexible solution for managing the complexities of an information security risk management (ISRM) program.

With Isora GRC, you can:

  • Streamline Information Security Risk Management: Efficiently manage your institution’s risk management program across all organizational units, ensuring compliance with federal regulations.
  • Collaborate Seamlessly: Facilitate collaboration across departments and teams, making compliance and resilience efforts more cohesive and effective.
  • Adapt to Multiple Frameworks: Whether it’s NSPM-33, CMMC, GLBA, HIPAA, or other regulatory requirements, Isora GRC is designed to help you align with and meet these diverse standards effortlessly.

Discover why information security teams in higher education trust Isora GRC to achieve compliance and resilience. Request a demo today.

Conclusion

As higher education institutions navigate the evolving landscape of research security and compliance, understanding and preparing for NSPM-33 is crucial. The timeline for compliance, driven by the finalization of guidelines, will set the stage for institutions to implement the necessary measures to protect their research activities. By adopting best practices, leveraging resources like the upcoming NIST IR 8481, and using comprehensive platforms like Isora GRC, institutions can meet these new requirements and enhance their overall security posture.
