Cybersecurity for researchers

The National Security Presidential Memorandum-33 (NSPM-33), along with the CHIPS and Science Act of 2022, ties receipt of new or renewed federal research funding to cybersecurity compliance. Under these federal policies, UW–Madison will need to certify that it has an integrated, non-discriminatory research security program covering four areas:

  • Cybersecurity
  • Foreign travel security
  • Research security training
  • Export control training

What’s happening now

To help validate UW–Madison's cybersecurity compliance, approximately 20 pre-selected research data environments will be assessed against a set of 20 cybersecurity controls (15 controls for NSPM-33 and 5 for the Cybersecurity Maturity Model Certification (CMMC)). This work must be completed by May 29, 2026.

Beginning October 14, Principal Investigators (PIs) across various schools, colleges, and divisions (S/C/Ds) will be notified that their data environments have been selected for assessment. Members of DoIT's Risk Management & Compliance (RMC) team will work closely with the selected PIs and the appropriate IT leads to make sure each assessment is completed successfully.

Teams should plan for each assessment to take about 30 days. Actual time will vary with the complexity of each research environment. RMC will work with PIs and local IT leads to develop action plans for any compliance gaps the assessments identify.

What’s happening later

After the initial assessments have been completed, additional environments will be selected for assessment, and ongoing monitoring will be needed to address any non-compliance. If your department receives federal funding, or will in the future, it will eventually be required to validate its compliance.

News and updates

This initiative is evolving. More information will be released in the coming weeks. Please check back here for updates.

FAQ

Below are some answers to common questions.


What is NSPM-33 Compliance?

Find information on the NSPM webpage.

How will I know if I need to complete this questionnaire?

Nearly everyone working on your federally funded research project is a covered individual (see the definition below). Each project will need to complete the compliance questionnaire covering all of its covered individuals.

What is the definition of a covered individual?

A covered individual is a person who contributes in a substantive way to the scientific development or execution of a research and development (R&D) award carried out with support from a federal research agency AND is designated as a covered individual by the federal research agency concerned. Covered individuals include principal investigators/project directors, co-investigators, those listed as senior project personnel/key project personnel, postdoctoral researchers/associates, and graduate and undergraduate students.

As you work through the questionnaire, you may find that some responses require collaboration between the research team and the IT support team of the unit that stores your data. Include those distributed IT teams in the discussion so that responses are accurate and the supporting configuration is documented.

At the end of the compliance questionnaire, you will also be asked to answer 5 additional questions about data security for CMMC. The Cybersecurity Maturity Model Certification (CMMC) will be required in 2026 for research projects that store Department of Defense data. Answering these 5 questions now lets you make progress toward CMMC Level 1 self-attestation should you need it. For background, see the DCSA CMMC page: https://www.dcsa.mil/Industrial-Security/Controlled-Unclassified-Information-CUI/Cybersecurity-Maturity-Model-Certification-CMMC/

Can I complete this questionnaire independently?

Yes. As the lead PI, you will be the primary resource for answering these questions on behalf of your team. You may need to consult your distributed IT support team to confirm responses and collect supporting documentation.

How do I get help?

The technical team within your unit can assist you with responses to IT configuration questions. Commenting is built into the questionnaire: you can add a comment to any response, and our team will reply directly within the tool. You can also re-assign individual questions to other members of your team so that the people closest to each system provide the answers.

At any time if you need additional help, please contact us at rmc-cybersecurity@cio.wisc.edu.

What is OneTrust?

OneTrust is the tool the Office of Cybersecurity uses to deliver this questionnaire. It lets RMC provide timely, relevant security guidance for your projects and makes it easier for you to collaborate with the Office of Cybersecurity, and with your peers, to bring your projects to closure.

Questions?