NSPM-33 Technology Impacts

Current Status

Initial Guidance (June 2022)
Final Guidance - Expected throughout 2024
Effective Date - Expected 2026

What is NSPM-33 (National Security Presidential Memorandum 33)?

On January 14, 2021, the Presidential Memorandum on United States Government-Supported Research and Development National Security Policy was issued. This memorandum directs action to strengthen protections of United States Government-supported Research and Development (R& D) against foreign government interference and exploitation. This R&D, including both basic and applied research. The five key areas addressed are:

Disclosure Requirements and Standardization
Digital Persistent Identifiers (ORCID)
Consequences for Violation of Disclosure Requirements
Information Sharing (re: violations of disclosure requirements)
Research Security Program (cybersecurity, foreign travel, training, publicly designate a POC)

What is the scope of NSMP-33?

Research institutions receiving Federal science and engineering support in excess of 50 million dollars per year must certify to the funding agency that the institution has established and operates a research security program.

What is a Research Security Program?

Institutional research security programs include elements of cyber security, foreign travel security, insider threat awareness and identification, and, as appropriate, export control training.

When will the WVU research community be impacted?

The current target effective date is late 2026. However, it is important to consider allowable costs when submitting proposals now. Click here to request assistance.

Since NSPM-33 is not the only new regulatory requirement for Digital Persistent Identifiers (Chips and Science Act and other agency specific requirements) and impacting data (OSTP Public Access Memo and new agency DMS policies), the research community will be impacted throughout 2024 and into 2025 as new requirements are implemented.

What are the impacts NOW related to technology and research and how can I ensure I am prepared?

The significant impacts of NSPM-33 are in the export control, disclosure/reporting, the technology impacts are related to cybersecurity controls over data, and use of DPIs like ORCID.

Incorporation of Digital Persistent Identifiers (DPI) or Persistent Digital Identifiers (PDI) into grant and cooperative agreements, and application/disclosure processes.
The ORCID iD meets the DPI requirement.
Read about the WVU Plan for ORCID - How is WVU planning to meet this requirement?

2. Research Security Programs - Cybersecurity Controls

Starting immediately PIs preparing proposals budgets should review the baseline technology offered for data storage, HPC and software.
If the data (purchased, collected, generated) will amount to over 2TB (total for all files), or if the standard storage cannot be used for regulatory or other reasons a consultation is required to ensure WVU can meet the requirements for the research and sufficient allowable costs are included in the budget.
The cybersecurity controls will require that federally funded data used for research be stored and managed on WVU ITS approved technology. (USB drives, external drives, third-party cloud vendors must be approved as expectations).
Federally funded research data is baselined as medium-risk (this data cannot be stored or managed using low-risk storage plans).

Will federal agencies coordinate requirements for NSPM-33?

Yes, the National Security Technology Council (NSTC) will coordinate across the agencies to ensure consistent implementation in effort to decrease the compliance burden.

Who can I contact for questions?

Rosemary Casteel - WVU Research Office - Director of Research Systems and Operational Research Data Services