Research Security Program

NSPM-33 Directive to Federal Agencies

Federal agencies should require the following from research organizations:

• Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
• Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• Verify and control/limit connections to and use of external information systems.
• Control any non-public information posted or processed on publicly accessible information systems.
• Identify information system users, processes acting on behalf of users, or devices.
• Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
• Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
• Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
• Identify, report, and correct information and information system flaws in a timely manner.
• Provide protection from malicious code at appropriate locations within organizational information systems.
• Update malicious code protection mechanisms when new releases are available.
• Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.