Skip to main content
Research Data, Technology and Services
Feedback

NSPM-33

 

NSPM-33 Data & Technology Impacts

Current Timeline
  • June 2022 - Initial OSTP Guidance 
  • July 2024 - Updated Guidance 
  • December 2024 - Federal Research Agencies must submit plans for updated policies to OSTP and OMB
  • July 2025 - Updated policies go into effect (could be staggered dates depending on when policies were submitted)
  • Federal agencies are to ensure that covered institutions have adequate time but no more than 18 months after the effective date to implement the requirements.
What is NSPM-33 (National Security Presidential Memorandum 33)?

On January 14, 2021, the Presidential Memorandum on United States Government-Supported Research and Development National Security Policy was issued. This memorandum directs action to strengthen protections of United States Government-supported Research and Development (R& D) against foreign government interference and exploitation. This R&D, including both basic and applied research. The five key areas addressed are:

  • Disclosure Requirements and Standardization 
  • Digital Persistent Identifiers (ORCID)
  • Consequences for Violation of Disclosure Requirements
  • Information Sharing (re: violations of disclosure requirements)
  • Research Security Program (cybersecurity, foreign travel, training, publicly designate a POC)
Note that the WVU Export Control and Conflict of Interest Offices are preparing for the non data and technology elements of NSPM-33.
What is the scope of NSMP-33?

NSPM-33 directs federal research agencies to require that participants in the U.S. R&D enterprise receiving federal science and engineering support “in excess of $50 million per year” certify to the funding agency that the institution has established and operates a research security program. 

For purposes of this guidance, a participant in the U.S. R&D enterprise is a “covered institution” if and only if;

(A) it is an institution of higher education, a federally funded research and development center (FFRDC), or a nonprofit research institution; and

(B) it receives in excess of $50 million per year, in fiscal year 2022 constant dollars, under 

(1) the three-year average of federal R&D obligations provided to participants in the U.S. R&D enterprise as reported in the most recent version of the Survey of Federal Science and Engineering Support to Universities, Colleges, and Nonprofit Institutions; 

or 

(2) the three-year average of federal R&D obligations to FFRDCs as provided in the most recent versions of the Survey of Federal Funds for Research and Development15.  

What is a Research Security Program?

Institutional research security programs include elements of cyber security, foreign travel security, insider threat awareness and identification, and, as appropriate, export control training.  Note that the WVU Export Control Office is leading the effort for research security training and general compliance.  

When will the WVU research community be impacted?

Current guidance regarding the effective dates indicate 12/31/26 as the date for covered institution compliance. However, it is important to consider allowable costs when submitting proposals now. Click here to request assistance.

Since NSPM-33 is not the only new regulatory requirement for Digital Persistent Identifiers (Chips and Science Act and other agency specific requirements) and impacting data (OSTP Public Access Memo and new agency DMS policies), the research community will be impacted throughout 2024 and into 2025 as new requirements are implemented.

What are the impacts NOW related to technology and research and how can I ensure I am prepared?

The significant impacts of NSPM-33 are in the export control, disclosure/reporting, the technology impacts are related to cybersecurity controls over data, and use of DPIs like ORCID.

The significant impacts of NSPM-33 are in the export control, disclosure/reporting, the technology impacts are related to cybersecurity controls over data, and use of DPIs like ORCID.

  1. Incorporation of Digital Persistent Identifiers (DPI) or Persistent Digital Identifiers (PDI) into grant and cooperative agreements, and application/disclosure processes.
  2. The ORCID meets the DPI requirement.
  3. Read about the WVU Plan for ORCID -  How is WVU planning to meet this requirement?

2. Research Security Programs - Cybersecurity Controls
  • Starting immediately PIs preparing proposals budgets should review the baseline technology offered for data storage, HPC and software
  • If the data (purchased, collected, generated) will amount to over 2TB (total for all files), or if the standard storage cannot be used for regulatory or other reasons a consultation is required to ensure WVU can meet the requirements for the research and sufficient allowable costs are included in the budget.
  • The cybersecurity controls and institutional policy require that federally funded data used for research be stored and managed on WVU ITS approved technology. USB drives, external drives, third-party cloud vendors will not be approved unless an exception is warranted.
  • At WVU, federally funded research data is baselined as medium-risk.  This data cannot be stored or managed using low-risk storage plans like external hard drives unless ITS- Information Security Office provides approval.
Will federal agencies coordinate requirements for NSPM-33?

Yes, the National Security Technology Council (NSTC) will coordinate across the agencies to ensure consistent implementation in effort to decrease the compliance burden.

Who can I contact for questions?

Rosemary Casteel - WVU Research Office - Director of Research Systems and Operational Research Data Services