NSPM-33
"6. Ensuring that cybersecurity elements of research security programs meet the objectives of the requirement
Agencies should require that research organizations satisfy the cybersecurity element of the research security program requirement by applying the following basic safeguarding protocols and procedures:"
Source: page 30 of the NSPM-33 Implementation Guidance, https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf
While at first glance this looks like yet another framework, we were pleased to notice that it is very similar to CMMC Level 1, which comprises the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21.
NSPM-33 Security Compliance crosswalk to CMMC Level 1

| Control family | NSPM-33 cybersecurity requirement | CMMC Level 1 / FAR 52.204-21 mapping |
| --- | --- | --- |
| AWARENESS & TRAINING | Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches. | closely aligned with work supporting CMMC 3.2.1 and using NSF NSPM-33 research security training |
| ACCESS CONTROL | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | identical to CMMC 3.1.1 & FAR 52.204-21 (i) |
| ACCESS CONTROL | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | identical to CMMC 3.1.2 & FAR 52.204-21 (ii) |
| ACCESS CONTROL | Verify and control/limit connections to and use of external information systems. | identical to CMMC 3.1.20 & FAR 52.204-21 (iii) |
| ACCESS CONTROL | Control any non-public information posted or processed on publicly accessible information systems. | identical to CMMC 3.1.22 & FAR 52.204-21 (iv) |
| IDENTIFICATION & AUTHENTICATION | Identify information system users, processes acting on behalf of users, or devices. | identical to CMMC 3.5.1 & FAR 52.204-21 (v) |
| IDENTIFICATION & AUTHENTICATION | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | identical to CMMC 3.5.2 & FAR 52.204-21 (vi) |
| SYSTEM COMMUNICATION | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | identical to CMMC 3.13.1 & FAR 52.204-21 (x) |
| SYSTEM COMMUNICATION | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | identical to CMMC 3.13.5 & FAR 52.204-21 (xi) |
| SYSTEM INTEGRITY | Provide protection of scientific data from ransomware and other data integrity attack mechanisms. | none identical; closest to CMMC 3.14.2 |
| SYSTEM INTEGRITY | Identify, report, and correct information and information system flaws in a timely manner. | identical to CMMC 3.14.1 & FAR 52.204-21 (xii) |
| SYSTEM INTEGRITY | Provide protection from malicious code at appropriate locations within organizational information systems. | identical to CMMC 3.14.2 & FAR 52.204-21 (xiii) |
| SYSTEM INTEGRITY | Update malicious code protection mechanisms when new releases are available. | identical to CMMC 3.14.4 & FAR 52.204-21 (xiv) |
| SYSTEM INTEGRITY | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | identical to CMMC 3.14.5 & FAR 52.204-21 (xv) |
CMMC Level 1 Additional Controls (no NSPM-33 counterpart)

| Control family | CMMC practice | Requirement |
| --- | --- | --- |
| MEDIA PROTECTION | CMMC 3.8.3 | Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. |
| PHYSICAL PROTECTION | CMMC 3.10.1 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. |
| PHYSICAL PROTECTION | CMMC 3.10.3 | Escort visitors and monitor visitor activity. |
| PHYSICAL PROTECTION | CMMC 3.10.4 | Maintain audit logs of physical access. |
| PHYSICAL PROTECTION | CMMC 3.10.5 | Control and manage physical access devices. |
Research Security and the Cost of Compliance
Download COGR's "Research Security and the Cost of Compliance"
View COGR Presentation on "Research Security & the ROI"
"The projected year one, average total cost per institution for compliance with the Disclosure Standards, regardless of institutional size, is significant and concerning. The figure ranges from an average of over $100,000 for smaller institutions to over $400,000 for mid-size and large institutions. Although some of these expenses are one-time costs, a sizeable portion will be annual recurring compliance costs. Overall, the cost impact to research institutions in year one is expected to exceed $50 million."
COGR: Results from COGR's Phase I Survey on the Costs of Complying with Research Security Disclosure Requirements
Gathered from 26 complete answers examining institutional costs for fiscal year 2022-23
Over the past four and a half years, universities and their affiliated academic medical centers (AMCs) and research institutions have focused on addressing federal funding agency requirements adopted to address inappropriate foreign influence on research. These requirements include new and clarified provisions calling for researchers to disclose all sources of research support and all types of appointments and affiliations ("Disclosure Requirements") so that agencies and institutions will have the information they need to identify any areas of commitment, funding, or scientific overlap. These Disclosure Requirements are set forth in the Guidance for Implementing National Security Presidential Memorandum 33 (NSPM-33) on National Security Strategy for United States Government Supported Research and Development ("Implementation Guidance") and in agency notices.
COGR conducted Phase I of the survey described in this report to quantify the considerable time and resources (financial and otherwise) that research institutions have invested (or will invest) to achieve compliance with the Disclosure Requirements.
Source: https://www.cogr.edu/june-9-10-2022-cogr-meeting-presentations
Higher Education public webpages on NSPM-33
Cornell University - Research Security
Emory University - NSPM-33 Compliance Plan
Indiana University - National Security Presidential Memorandum 33
University of California, Berkeley - National Security Presidential Memorandum 33
University of Georgia - Research Security
University of Houston - NSPM-33
University of Notre Dame Research
Libraries (Lyrasis) - NSPM-33 & ORCID: Information for Research Organizations
Higher Education Response to NSPM-33
EDUCAUSE - Draft Cybersecurity Provisions for Research Security Programs | June 14, 2023
COGR - NSPM-33 Research Security Programs Standard Requirement (88 FR 14187) | May 23, 2023
FDP - NSPM-33, CHIPS, and Research Security (presentation) | September 19, 2023
FDP - NSF & NSPM-33 (video) | May 5, 2022
COGR - Letter to OSTP Concerning January 2022 Guidance for Implementing NSPM-33 | February 15, 2022
FDP - January 2022 Release of NSPM-33 Guidance (video) | January 13, 2022
Higher Education Presentations
August '22: "Analysis of NSPM-33: Cybersecurity Requirements for Federally Funded Research Organizations" (Blog)
May '23: Let's Talk NSPM-33 by Carolyn Ellis and Joanna Grama [View Presentation]
Jump Start Your NSPM-33 Research Security Compliance Program by Carolyn Ellis and Joanna Grama [View Presentation]
Federal Demonstration Partnership Federal NSPM-33 Research Security Training Modules: Overview/Introduction and Panel Discussion (Video)
Federal Demonstration Partnership NSPM-33 (Video) May 2022