UW–Madison Completes Second Phase of NSPM-33 Cybersecurity Assessments | Research | UW–Madison Skip to main content
University of Wisconsin–Madison

UW–Madison Completes Second Phase of NSPM-33 Cybersecurity Assessments

UW–Madison has completed Phase 2 of its cybersecurity compliance assessment initiative, launched to support federal research funding requirements under National Security Presidential Memorandum-33 (NSPM-33) and the CHIPS and Science Act of 2022.

Building on Phase 1, which assessed 20 large research environments representing approximately 20% of the university’s research funding, Phase 2 focused on smaller federally funded projects and research teams managing multiple awards. The assessment evaluated 79 research environments across 30 principal investigators, with 60 active environments ultimately completing the review.

Results indicate that UW–Madison largely complies with NSPM-33 cybersecurity requirements, achieving an overall compliance rate of 88%. Thirty-three of the 60 assessed environments demonstrated full compliance and other environments presented partial compliance. Identified gaps were rated as low or moderate risk and are generally expected to be remediated with minimal effort.

A key finding from Phase 2 was the use of personal devices by researchers and students to access research data. While not restricted under university policy, personal devices must meet UW–Madison security standards under UW-526. The assessment highlighted opportunities to strengthen awareness and management of these devices. Additional gaps were primarily related to documentation of cybersecurity procedures within smaller research teams.

No high-risk findings were identified. The Office of Cybersecurity’s Risk Management and Compliance (RMC) team will work with research groups to address identified gaps and develop remediation plans. RMC also plans to refine the assessment process and communication materials in collaboration with campus IT partners.

The results of Phases 1 and 2 provide encouraging evidence that UW–Madison’s distributed research enterprise is well positioned to meet federal cybersecurity expectations while continuing to strengthen protections for research data across campus. Although a Phase 3 has not yet been formally defined, the RMC team is evaluating options for continuing targeted sampling efforts to support ongoing assessment and continuous improvement.

For more information reach out to the Research Security Program.