University of Wisconsin–Madison

Cybersecurity for researchers

The National Security Presidential Memorandum-33 (NSPM-33), along with the CHIPS and Science Act of 2022, ties receipt of new or renewed federal research funding to cybersecurity compliance. The Office of the Vice Chancellor for Research created the Research Security Program in response to these federal policies. It enables UW–Madison to certify a comprehensive, non-discriminatory research security program across four key areas:

  • Cybersecurity
  • Foreign travel security
  • Research security training
  • Export control training


Preview the assessment questions by downloading the OneTrust PDF. If you experience an accessibility barrier, contact the RMC team.

What’s happening now

To help validate UW–Madison cybersecurity compliance, a first phase of approximately 20 pre-selected research data environments was asked to respond to a set of 20 cybersecurity controls (15 controls for NSPM-33 and 5 for the Cybersecurity Maturity Model Certification (CMMC)). These Phase 1 participants responded by January 30, 2026. Individual compliance reviews and reports were sent to these participants in April 2026.

To expand the sampling of research environments, a second phase of requests was sent to 32 PIs/researchers who are responsible for 78 federally funded research environments. Phase 2 began March 10, 2026, and responses have been requested by May 29, 2026. Phase 2 includes smaller federally funded research awards as well as PIs/researchers who hold multiple federally funded awards. In conversations with Phase 2 participants, we aim to document cybersecurity compliance for all of their awards at once, so that a PI only has to participate in this process during one phase.

Members of DoIT's Risk Management & Compliance (RMC) team will work closely with the selected PIs and the appropriate IT leads to make sure each assessment is completed successfully. Teams should plan for an individual assessment to take about 30 days; the actual time will vary with the complexity of each research environment's cybersecurity. RMC will work with PIs and local IT leads to develop action plans that address any compliance gaps identified through the assessments.

What’s happening later

Once the security compliance responses for all Phase 2 research environments have been received, RMC will generate a stakeholder report summarizing the Phase 1 and Phase 2 results and present it to stakeholders. In addition, an individual compliance report will be returned to each PI included in Phase 2. The Research Security Team recommends that PIs review the identified compliance gaps and resolve them within the following six months.

News and updates

This initiative is evolving. More information will be released in the coming weeks. Please check back here for updates.

FAQ

Below are some answers to common questions.


Find information on the NSPM webpage.

Nearly everyone working on your federally funded research project is a covered individual (see the definition below). Each project will need to complete the compliance questionnaire covering all of its covered individuals.

A covered individual is a person who contributes in a substantive way to the scientific development or execution of a research and development (R&D) award carried out with support from a federal research agency AND is designated as a covered individual by the federal research agency concerned. Covered individuals include principal investigators/project directors, co-investigators, those listed as senior project personnel/key project personnel, postdoctoral researchers/associates, and graduate and undergraduate students.

As you review the questionnaire, you may find that some responses require collaboration between the research team and the IT support team of the unit that stores your data. Include these distributed IT teams in the discussion so that responses are accurate and documented.

At the end of the compliance questionnaire, you will also be asked to answer five additional questions about data security for CMMC. Beginning in 2026, the Cybersecurity Maturity Model Certification (CMMC) will be required for research projects that store Department of Defense data. Answering these five questions now positions your project to work toward a CMMC Level 1 self-assessment should you need it. https://www.dcsa.mil/Industrial-Security/Controlled-Unclassified-Information-CUI/Cybersecurity-Maturity-Model-Certification-CMMC/

Yes. As the lead PI, you are the person responsible for responding to these questions on behalf of your team. This may require a conversation with your distributed IT support team to ensure accurate responses and to collect supporting documentation.

The technical team within your unit can assist you with responses to IT configuration questions. Commenting is built into the questionnaire: you can add a comment to any response, and our team will provide help directly within the tool. You can also reassign individual questions to other members of your team so that the people best placed to answer them do so.

At any time if you need additional help, please contact us at rmc-cybersecurity@cio.wisc.edu.

OneTrust is the assessment tool the Office of Cybersecurity uses so that RMC can provide timely and relevant security guidance for your projects more easily and quickly. It also makes it easy for you to collaborate with the Office of Cybersecurity and with your peers to bring your assessments to closure.

As you review the compliance questions in OneTrust, note that the "Criteria for Yes" are examples. If you secure the data by other means and respond "yes", describe those measures in the justification section.

Compliance is primarily focused on the security of the collected data. Collecting the data may itself present unique security challenges; if so, use the justification section of the relevant question to provide additional detail.

In projects where you collaborate with other institutions or subcontractors, we will eventually need to collect compliance information from those institutions to confirm that they are also securing the research data. Currently there is no requirement to collect this information, and no form exists for it; UW–Madison is presently reviewing its own compliance. Subcontractors or collaborators may respond to the same questions you are answering for your project, but this is not required. Note any subcontractors in the justification section of question 2.3 or 2.4.

Questions?