The National Security Presidential Memorandum-33 (NSPM-33), along with the CHIPS and Science Act of 2022, ties receipt of new or renewed federal research funding to cybersecurity compliance. The Office of the Vice Chancellor for Research created the Research Security Program in response to these federal policies. It enables UW–Madison to certify a comprehensive, non-discriminatory research security program across four key areas:
- Cybersecurity
- Foreign travel security
- Research security training
- Export control training
Preview the assessment questions by downloading this OneTrust PDF. If you experience an accessibility barrier, contact the RMC team.
What has already happened?
To help validate UW–Madison's cybersecurity compliance, approximately 20 pre-selected research data environments were assessed using a set of 20 cybersecurity controls (15 controls for NSPM-33 and 5 for Cybersecurity Maturity Model Certification (CMMC)). This first phase of the NSPM-33 compliance project started in October 2025, and the deadline for completion of the questionnaire was January 30, 2026. Results from this first phase are being presented to campus leadership.
What’s happening now
Once results from Phase 1 of this project are presented to campus leadership, individual research environments will receive a report documenting compliance gaps. The Office of Cybersecurity Risk Management and Compliance (RMC) Team will be working with these PIs and their IT support to remediate these compliance gaps.
Phase 2 of the compliance review will include smaller federal awards and those PIs who have multiple projects. Beginning the week of March 9, these federal awardees will receive instructions on how to submit responses to the compliance questions for their awards. Phase 2 will include 30 PIs with 80 research environments/individual awards. Responses will be requested by May 29, 2026.
What’s happening later
We will follow up with any sub-awardees internal to UW–Madison or any collaborators who would not be included in your list of covered individuals.
News and updates
This initiative is evolving. More information will be released in the coming weeks. Please check back here for updates.
FAQ
Below are some answers to common questions.
What is NSPM-33 Compliance?
Find information on the NSPM webpage.
How will I know if I need to complete this questionnaire?
Nearly everyone who is working on your federally funded research project is a covered individual (see the definition in this FAQ). Each project will need to complete the compliance questionnaire for all covered individuals.
What if I have collaborators at different institutions or sub-award recipients?
Currently, UW–Madison is only reviewing the compliance of the primary award recipient. Sub-awardees or collaborators should be noted in the covered individuals section, but will not be asked to validate their NSPM-33 compliance as a part of this phase of the project.
What is the definition of a covered individual?
A covered individual is a person who contributes in a substantive way to the scientific development or execution of a research and development (R&D) award carried out with support from a federal research agency AND is designated as a covered individual by the federal research agency concerned. Covered individuals include principal investigators/project directors, co-investigators, those listed as senior project personnel/key project personnel, postdoctoral researchers/associates, and graduate and undergraduate students.
As you review the questionnaire for compliance, you may find that some of the responses will require collaboration between the research team members and the IT support team from the unit which is storing your data. It will be important to include the distributed IT Teams in this discussion to ensure that responses are accurate and documented.
As you reach the bottom of the compliance questionnaire, you will also be asked to answer 5 additional questions about data security for CMMC. The Cybersecurity Maturity Model Certification (CMMC) will be required in 2026 for research projects which store Department of Defense data. Responding to these additional 5 questions now would allow movement toward achieving Level 1 CMMC Self-Attestation should you need it. More information: https://www.dcsa.mil/Industrial-Security/Controlled-Unclassified-Information-CUI/Cybersecurity-Maturity-Model-Certification-CMMC/
Can I complete this questionnaire independently?
Yes. As the Lead PI, you will certainly be the resource to respond to these questions for the rest of your team. It may require a conversation with your distributed IT support team to ensure proper responses and collect documentation.
How do I get help?
The technical team within your unit will be able to assist you with responses to IT configuration questions. Commenting capabilities are built into the questionnaire. You can add comments to a response, and our team will provide help directly within this tool. You can re-assign questions to be answered by different members on your team to provide the most accurate answers possible from the right people.
At any time if you need additional help, please contact us at rmc-cybersecurity@cio.wisc.edu.
What is OneTrust?
OneTrust is a tool that is used by Cybersecurity to make it easier and faster for RMC to provide timely and relevant security guidance for your projects. It also makes it easy for you to collaborate with the Office of Cybersecurity, as well as with your peers to receive closure on your projects.
Are the "Criteria for Yes" required or a recommendation?
As you review the compliance questions in OneTrust, the “Criteria for Yes” are examples. If you have other paths to secure data and respond “yes”, simply add those activities to the justification section.
How do I interpret which data needs compliance?
Compliance is primarily focused on the security of collected data. The collection of the data may present unique security challenges. If this is the case, again, please use the justification section of the question to offer additional detail.
If I am working with other institutions, do I need to validate their compliance too?
In projects where you are collaborating with other institutions or “subcontractors”, we will eventually need to collect compliance information from these institutions to confirm that they also are securing the research data. Currently there is no requirement to collect this nor is there a form to address this collaboration. UW–Madison is currently working to review our own compliance. Subcontractors or collaborators could respond to the same questions you are answering for your project compliance, but it is not a requirement. Subcontractors should be noted in the justification section of question 2.3 or 2.4.