University of Wisconsin–Madison

Assessments begin for federal research data compliance with cybersecurity requirements

Beginning Oct. 14, select research data environments will be assessed for compliance with the cybersecurity requirements in National Security Presidential Memo – 33 (NSPM-33). Principal investigators (PIs) whose data environments have been selected for assessment will be notified by members of the Office of Cybersecurity’s Risk Management and Compliance (RMC) team.

Assessments in each environment will be based on the application of 15 cybersecurity controls that align with requirements in NSPM-33, which aims to protect federally sponsored research from “foreign government interference and exploitation.” Five additional controls that align with the Cybersecurity Maturity Model Certification (CMMC) will also be assessed.

“NSPM-33-aligned cybersecurity controls are not new for us,” says Didier Contis, vice provost for information technology and chief information officer. “Most of these controls are already required by UW–Madison and UW System policy.”

What is new, says Contis, is the need for UW–Madison to certify that its research security program meets NSPM-33’s cybersecurity training and certification requirements. This certification will be required as soon as July 1, 2026.

“That’s why we’re doing these assessments now,” says Contis. “They’re an important first step toward certifying that we meet the requirements being tied to receipt of federal research funding.”

Contis and Mark Rickenbach, interim associate vice chancellor for research policy and integrity, have called for approximately 20 assessments to be completed by May 29, 2026. Research data environments will be selected from across schools, colleges, and divisions, based on a variety of factors, including the amount of federal funding received.

“UW–Madison is fully committed to timely compliance with NSPM-33,” says Rickenbach. “From cybersecurity and training to export controls and travel, these federal requirements will provide consistency toward preserving the open and collaborative nature of the U.S. research enterprise.”

RMC staff will work with PIs and local IT staff to complete the assessments, each of which is expected to take an average of 30 days. RMC and local IT staff will also work with PIs to develop plans for addressing any compliance gaps identified during the assessments.

Once the initial assessments are completed, ongoing assessments are expected. “PIs who have or might receive federal funding should be prepared to validate their cybersecurity compliance sooner or later,” says Contis. “We encourage those PIs to reach out to local IT staff or RMC to get connected to support and resources.”

This initiative is sponsored by the OVCR, VCFA and VCLA and is a joint effort of Research Security & Export Control (RSEC) and the Office of Cybersecurity. As additional information becomes available, it will be posted to the Cybersecurity for researchers webpage. Questions can be directed to local IT staff or to RMC.