U.S. NSTC NSPM-33 — National Security Presidential Memorandum 33: Research Security

Why it Matters

NSPM-33 establishes comprehensive research security requirements tosafeguard federally funded research and protect national innovationecosystems.

Key benefits include:

• Strengthen research security governance

Promoteconsistent oversight of research security processes and helporganizations identify and mitigate emerging threats across researchactivities.

• Enhance compliance with federal mandates

Enableorganizations to meet federal research security requirements,reducing the risk of funding disruptions and reputational harm.

• Improve protection of sensitive information

Supportsafeguards that reduce unauthorized access to confidential orproprietary research data and intellectual property.

• Increase transparency and accountability

Establishreporting and disclosure standards that improve clarity regardingexternal collaborations, financial interests, and researcheraffiliations.

• Promote operational resilience

Enable researchorganizations to better prepare for, respond to, and recover fromincidents affecting research integrity or security.

How it Works

The U.S. NSTC NSPM-33 – National Security Presidential Memorandum33: Research Security framework structures research securityrequirements around core governance domains such as risk management,disclosure, and due diligence. NSPM-33 establishes a set ofregulatory and security controls that address the identification,assessment, and mitigation of risks related to foreign influence,conflicts of interest, and protection of federally funded researchactivities. The framework also specifies mandatory processes forinformation disclosure, research integrity, and compliancemonitoring, which integrate into the broader research lifecycle.

Organizations implement NSPM-33 by establishing procedures forvetting research personnel and collaborators, maintaining systems fordisclosing significant relationships or support, and integratingsecurity controls to protect sensitive research data. Routineactivities include conducting risk assessments, mapping compliancerequirements into internal governance programs, monitoring adherenceto disclosure policies, and managing incident response related tobreaches or noncompliance. These steps support ongoing researchsecurity, accountability, and regulatory compliance with federalmandates.

SmartSuite enables operationalization of NSPM-33 by providing controllibraries aligned to framework requirements, facilitating disclosureand conflict tracking, and supporting policy governance.Organizations leverage SmartSuite’s risk registers for ongoingthreat assessment, automate evidence collection to demonstratecompliance, and employ dashboards and reporting tools to monitorsecurity posture and audit readiness, ensuring effective managementof research security and compliance obligations.

Key Elements

• Research Security Program Governance

Establishesorganizational responsibility, oversight structures, and leadershiproles for safeguarding research activities.

• Disclosure and Transparency Requirements

Outlinesprotocols for reporting outside affiliations, financial interests,and potential conflicts in research personnel.

• Foreign Engagement Risk Assessment

Describesprocesses for evaluating and mitigating risks posed by internationalcollaborations and partnerships.

• Information Security Safeguards

Specifiesrequirements for protecting sensitive research data and controllingaccess to research environments.

• Researcher Training and Awareness

Defines mandatoryeducation and awareness initiatives targeting research integrity,security, and compliance topics.

• Compliance Monitoring and Enforcement

Organizesmechanisms for oversight, periodic review, and enforcement ofinstitutional research security practices.

Framework Scope

U.S. NSTC NSPM-33 — National Security Presidential Memorandum 33 isadopted by research institutions, universities, and entities managingfederally funded research activities. It governs research securitypolicies, compliance controls, and management of sensitive researchdata, and is typically applied when enhancing research securityoversight, addressing risk management, and supporting assuranceprograms for federally supported research environments.

Framework Objectives

U.S. NSTC NSPM-33 outlines objectives to safeguard research securityand promote strong risk management in federally funded research.

Protect sensitive research data through robust cybersecurity andsecurity controls

Strengthen governance and oversight of research activities andpartnerships

Enhance compliance with federal regulations and institutionalpolicies

Promote effective risk management and reduce vulnerabilities inresearch environments

Support operational resilience by establishing consistent researchsecurity protocols

Improve audit readiness and transparency for research securityprograms NSPM-33 aligns with U.S. federal research securityrequirements and is often integrated with frameworks like NIST SP800-53, ISO 27001, and CMMC. Organizations, particularly researchinstitutions and federal grant recipients, implement NSPM-33 to meetfederal security mandates, enhance institutional security governance,and ensure compliance with funding agency expectations.

Framework in Context

NSPM-33 aligns withU.S. federal research security requirements and is often integratedwith frameworks like NIST SP 800-53, ISO 27001, and CMMC.Organizations, particularly research institutions and federal grantrecipients, implement NSPM-33 to meet federal security mandates,enhance institutional security governance, and ensure compliance withfunding agency expectations.

Common Framework Mappings

NSTC NSPM-33 is often mapped to other security and complianceframeworks to strengthen research security, support regulatoryalignment, and enable efficient cross-framework risk management andreporting for federal contractors and research institutions.

Mapped frameworks include:

CIS Critical Security Controls

CMMC

FERPA

FISMA

GDPR

HIPAA

ISO/IEC 27001

NIST Cybersecurity Framework

NIST SP 800-53

SOC 2

‍