NSPM-33 Research Cybersecurity Guidance

This post provides background on National Security Presidential Memorandum-33 (NSPM-33) for research institutions that receive federal support: who it applies to, with a focus on the research security program requirements.

Recently the National Science and Technology Council (NSTC), in conjunction with the White House Office of Science and Technology Policy (OSTP), developed implementation guidance for National Security Presidential Memorandum-33 to ensure research security.

The goal, as the Memo states, is for “government to clearly describe what it needs to know and for researchers to be able to report the same information in the same way to the greatest extent possible, regardless of which funding agency they’re applying to.” NSPM-33 has sections focused on gaining knowledge of the researchers (who the researchers are, their interests, conflicts, etc.) at institutions participating in federally funded research programs, as well as on the security of those institutions for those research programs.

U.S. research institutions are an important component of America’s R&D leadership, which is rooted in “the core commitment of our shared research environment to openness, transparency, honesty, equity, fair competition, objectivity, and democratic values.” Research institutions are being targeted by foreign governments that are actively trying to illicitly gain information from these programs for their own advantage. NSPM-33 exists to offer guidance that strengthens protections of U.S. Government-supported R&D against foreign government interference without overburdening researchers or making it difficult to comply with relevant U.S. laws and regulations.

The original document covers researcher disclosure requirements and standardization, digital persistent identifiers/digital CVs, government agency grant model completion, conflicts of interest, information sharing, foreign investments, and other topics in more detail. The rest of this post highlights the guidance as it relates to cybersecurity.

Who does NSPM-33 apply to?

Research institutions that receive Federal science and engineering support of $50 million per year for the previous two fiscal years, as recorded by USAspending.gov.

What are the implementation guidelines for research security programs under NSPM-33? 

Research Security Programs, as described in NSPM-33, “require a certification from research organizations awarded in excess of $50 million per year in total Federal research funding that they have implemented a research security program that includes:

  1. Cybersecurity
  2. Foreign travel security
  3. Research security training
  4. Export control training (as appropriate)”

Research organizations will have to certify to these requirements. OSTP, in conjunction with NSTC and OMB, plans to develop a single certification standard and process across all research agencies. Research organizations are required to maintain a description of their research security program and provide it to requesting agencies within 30 days. This requirement is being considered for inclusion in the Compliance Supplement’s Research and Development Cluster audit guidance as part of Federal grant and assistance programs (2 C.F.R. Part 200, Appendix XI).

The timeline for establishing a research security program, if one does not currently exist, is one year from the date of issuance to formally comply with this requirement. If an organization meets the funding threshold (meets or exceeds $50M) in a subsequent year, it will have one additional year to comply.

U.S. research agencies should also require that research organizations appoint a research security point of contact for the security program. Organizations already conducting research with classified information or controlled unclassified information (CUI) may combine points of contact but remain subject to the already-established security protocols.

Section 6 of Research Security Programs: Ensuring the cybersecurity elements of research security programs meet the objectives of the requirement.

Agencies should require that research organizations satisfy the cybersecurity element of the research security program requirement by applying the following basic safeguarding protocols and procedures: 

    • Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches. 
    • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 
    • Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 
    • Verify and control/limit connections to and use of external information systems. 
    • Control any non-public information posted or processed on publicly accessible information systems. 
    • Identify information system users, processes acting on behalf of users, or devices. 
    • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 
    • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. 
    • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 
    • Provide protection of scientific data from ransomware and other data integrity attack mechanisms. 
    • Identify, report, and correct information and information system flaws in a timely manner. 
    • Provide protection from malicious code at appropriate locations within organizational information systems. 
    • Update malicious code protection mechanisms when new releases are available. 
    • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. 

Additional cybersecurity requirements, for example those provided by the National Institute of Standards and Technology (NIST), will apply in some cases, such as for research involving classified information or CUI.

Following the issuance of this Memorandum, the various agencies will continue to produce guidance, and this post will be updated as new guidance is published by the Office of Science and Technology Policy or the National Science and Technology Council.
