NSPM-33 in Plain English: A Principal Investigator's Practical Guide
What NSPM-33 actually means for working researchers—and how to stay ahead of it
For most principal investigators, “research security compliance” sounds like someone else’s job—a problem for the compliance office, the export control officer, or the sponsored programs team. Then a proposal deadline arrives, a funding agency asks for evidence of a research security program, and suddenly the requirements land squarely on the PI’s desk. National Security Presidential Memorandum 33, or NSPM-33, is the federal directive that put them there.
NSPM-33 directs federal funding agencies to strengthen the protection of federally funded research, including clearer disclosure requirements and expectations that institutions maintain research security programs covering areas like cybersecurity, foreign travel, and training. Translated out of policy language, it means three practical things for a working researcher: disclose your affiliations and support accurately and completely, complete the required research security training, and be able to demonstrate that you did both. The first two are manageable. The third—proving it, repeatedly, across every sponsor and every proposal—is where the friction lives.
That friction is not trivial. Researchers re-enter the same training records and attestations for each institution and each sponsor, compliance offices chase documentation, and proposal reviews slow down while everyone confirms that the paperwork is in order. The administrative drag pulls scientists away from science, and the inconsistency creates exactly the kind of gaps that draw enforcement attention.
This is the problem the Certified Secure Researcher™ (CSR) program was built to solve. CSR links a verifiable security designation directly to the ORCiD identifier that funding agencies already recognize, so a researcher documents attestations, disclosures, and training completion once—then shares them with every sponsor instead of duplicating the effort. Most applicants receive their CSR number within 10 business days, and the credential travels with the researcher from proposal to proposal and institution to institution.
NSPM-33 is not going away, and the agencies implementing it expect researchers to keep pace. The PIs who treat compliance as a portable, one-time investment rather than a recurring tax on their time will spend less of their week on paperwork and more of it on discovery. That is a trade worth making.