UW–Madison Completes Phase I of NSPM‑33 Cybersecurity Assessment
UW–Madison has completed Phase I of its institution-wide assessment of cybersecurity practices required under National Security Presidential Memorandum–33 (NSPM‑33) and the CHIPS and Science Act of 2022. These federal regulations make adherence to baseline cybersecurity standards a condition of receiving federal research funding.
In response, the Interim Vice Chancellor for Research and the Vice Provost for IT/CIO directed an evaluation of cybersecurity practices across the university’s diverse digital research environments. A digital research environment is defined as a place where federally funded research occurs. This could include IT assets in a lab, on a farm, in a classroom, or in a data center. Phase I focused on 20 environments representing approximately 20% of the university’s research portfolio.
Staff in these environments completed a cybersecurity questionnaire designed to gauge core cyber hygiene practices. The Office of Cybersecurity’s Risk Management and Compliance (RMC) team reviewed the submissions and validated each environment’s overall compliance posture.
Findings indicate that UW–Madison is largely aligned with NSPM‑33 requirements. Identified compliance gaps were limited to low- and moderate-risk issues, most of which can be addressed with minimal effort in a reasonable timeframe. Collectively, these gaps represent a low-to-moderate level of institutional risk.
RMC has now documented the gaps, started developing remediation plans with local IT and research staff, and refined the assessment tool based on Phase I feedback. Phase II launched the week of March 9, 2026, and expands the assessment to include smaller or more distributed research environments, helping determine whether these units face different compliance challenges.