Skip to main content
Research Data, Technology and Services
Feedback

NSPM-33

 

NSPM-33 Data & Technology Impacts

Current Timeline
  • June 2022 -  Initial OSTP Guidance 
  • July 2024 -  Updated Guidelines   NIST IR 8481 (Initial Draft April 2023)
  • December 2024 - Federal Research Agencies must submit plans for updated policies to OSTP and OMB
  • July 2025 - Updated policies go into effect (could be staggered dates depending on when policies were submitted)
  • Federal agencies are to ensure that covered institutions have adequate time but no more than 18 months after the effective date to implement the requirements.
  • NOTE: The date for the final NIST IR 8481 has not bee provided and could move the timelines up.
What is NSPM-33 (National Security Presidential Memorandum 33)?

On January 14, 2021, the Presidential Memorandum on United States Government-Supported Research and Development National Security Policy was issued. This memorandum directs action to strengthen protections of United States Government-supported Research and Development (R& D) against foreign government interference and exploitation. This R&D, including both basic and applied research. The five key areas addressed are:

  • Disclosure Requirements and Standardization 
  • Digital Persistent Identifiers (ORCID)
  • Consequences for Violation of Disclosure Requirements
  • Information Sharing (re: violations of disclosure requirements)
  • Research Security Program ( cybersecurity, foreign travel, training, publicly designate a POC)
What is the scope of NSMP-33?

The institution must receive great than 50 million dollars in federal support (based on fiscal year 2022 dollars.

What is a Research Security Program?

Institutional research security programs include elements of cyber security, foreign travel security, insider threat awareness and identification, and, as appropriate, export control training.  

When will the WVU research community be impacted?

Current guidance regarding the effective dates indicate 12/31/26 as the date for covered institution compliance. However, it is important to consider allowable costs when submitting proposals now. Click here to request assistance.

Since NSPM-33 is not the only new regulatory requirement for Digital Persistent Identifiers (Chips and Science Act and other agency specific requirements) and impacting data (OSTP Public Access Memo and new agency DMS policies), the research community will be impacted throughout 2024 and into 2025 as new requirements are implemented.

What are the impacts NOW related to technology and research and how can I ensure I am prepared?

The significant impacts of NSPM-33 related to research data is the introduction of cybersecurity controls.  The controls are expected to be basic good information security and data protection practice.  The controls will be included in a soon to be published NIST standard.

To ensure compliance PIs should consider research data as a project asset as they would equipment or other project component.  Protecting the data is a requirement for the University as funding is received to complete the research, the same as protecting equipment or other asset purchased with agency funding.  

  • Funded research data is considered by WVU to be medium-risk at a minimum. 
  • Medium-risk data requires WVU-managed storage and approved technology.  
  • Medium-risk data requires that researchers us WVU-managed devices if data will be downloaded or stored on the device.
  • Starting immediately PIs preparing proposal budgets should review the baseline technology offered for data storage, HPC and software
  • If the data (purchased, collected, generated) will amount to over 2TB (total for all files), or if the standard storage cannot be used for regulatory or other reasons a consultation is required to ensure WVU can meet the requirements for the research and sufficient allowable costs are included in the budget.
  • Use of low-risk storage plans like external hard drives unless ITS- Information Security Office provides approval.
Will federal agencies coordinate requirements for NSPM-33?

Yes, the National Security Technology Council (NSTC) will coordinate across the agencies to ensure consistent implementation in effort to decrease the compliance burden.

Who can I contact for questions?

Rosemary Casteel - WVU Research Office - Director of Research Systems and Operational Research Data Services