A Panel Conversation about NSPM-33 Preparedness

Research Institutions may not be paying enough attention to NSPM-33, and perhaps this is because it is being overshadowed by CMMC (due in no small amount because the DoD has been very public about developing and implementing CMMC). Nonetheless, NSPM-33 potentially has a deeper reach into an institution’s research, as it affects more than just DoD-sponsored research. While the questions of when NSPM-33 will ultimately be issued and what new requirements will be in the final version are still unclear, the draft guidance from March 2023 does outline various areas that are going to be included in the final version, and institutions are expected to be in compliance within 120 days of issuance. Standing up a comprehensive Research Security Program in four months for any institution would be a challenge, especially if you are trying to align the work to also meet the new CMMC. For most research-heavy institutions, NSPM-33 compliance entails an additional component of forcing central Information Security Offices and IT to collaborate with Research Offices, and that involves its own special brand of careful conversations around ownership and resourcing as historically, those units prefer to work separately. Institutions need to be beginning their work now to lay the foundation for NSPM success. During this session, we will discuss NSPM-33 preparedness thoughts, challenges, and successes with a panel with diverse backgrounds and perspectives.