On July 9th, OSTP provided long awaited updated guidance in support of NSPM-33 for Research Security Programs at Covered Institutions.
Many items were removed from this version of the guidance for all elements of NSPM-33. Specifically related to data and technology, the prescriptive cyber security controls were removed and NIST IR 8481 is referenced as the standard for these controls. This standard is not yet available. The new guidance also defines a "covered institution".