ARTICLE
12 March 2026

Are You Tracking The Right NSPM-33 Research Security Program Deadline—or Just The Popular One?

B
BakerHostetler

Contributor

BakerHostetler logo
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
Explore Firm Details
Universities that receive more than $50 million in federal research and development funding annually are required to stand up research security programs (RSPs).
United States Food, Drugs, Healthcare, Life Sciences
Artie McConnell
Your Author LinkedIn Connections
Artie McConnell’s articles from BakerHostetler are most popular:
  • within Food, Drugs, Healthcare and Life Sciences topic(s)
  • in United States
  • with readers working within the Healthcare and Pharmaceuticals & BioTech industries

Key Takeaways

  • Universities that receive more than $50 million in federal research and development funding annually are required to stand up research security programs (RSPs).
  • The White House Office of Science and Technology Policy issued guidelines that standardize what an RSP must include, but each funding agency issues its own policy on its own schedule, resulting in a separate 18‑month certification window for each agency.
  • Tracking and planning for unique and staggered deadlines is essential for proper RSP certification and mitigating potential institutional and individual exposure under the False Claims Act.

What Is a Research Security Program?

On July 9, 2024, pursuant to National Security Presidential Memorandum 33 (NSPM-33), the White House Office of Science and Technology Policy (OSTP) issued guidelines for research security programs (RSPs) at “covered institutions,” including universities that receive more than $50 million in federal research and development funding annually. Per the OSTP guidance, an RSP must meet four core requirements:

  • Cybersecurity safeguards appropriate to federally funded research environments
  • Foreign travel security (e.g., pretravel briefings, device and data protections, incident reporting)
  • Research security training (RST) (e.g., threat awareness, insider threat preparedness, role-based content)
  • Export control training and integration with sanctions and restricted party screening

Risks of delay, incomplete implementation or inaccurate certification can carry serious consequences, including:

  • Individual and institutional exposure under the False Claims Act and other federal statutes
  • Sponsor agency audits and government enforcement
  • Loss of funding eligibility
  • Process disruptions and reputational damage

Why July 2026 May Not be Everyone's Deadline

RSP planning memos commonly reference “by July 2026” as a representative date, but that is inaccurate – that anchor can slide significantly earlier or later.

This is because the OSTP guidelines leave implementation timing to the funding agencies. In other words, while the OSTP guidelines set a single federal framework for RSPs, each funding agency must translate the OSTP framework into its own policy on its own schedule. Institutions then get up to 18 months after that agency's effective date to implement and certify compliance.

The result is that implementation and certification deadlines vary by agency, and some institutions will face staggered, sponsor‑specific due dates stretching from mid‑2026 into 2027, depending on when their major sponsors finalize their updates.

For example, if an agency's updated RSP standard became effective Jan. 15, 2025, a covered institution's RSP certification would be due by roughly July 15, 2026 – approximately 18 months later. If another agency's policy took effect April 30, 2025, RSP certification for that sponsor would be due around Oct. 31, 2026. If an agency were even later (e.g., July 2025), the deadline could slide into early 2027.

How Not To Miss Your Deadlines

Covered universities need to map their top sponsors – such as the National Institutes of Health (NIH), the Department of Defense (DoD), the Department of Energy (DOE) and the National Science Foundation (NSF) – and track each policy effective date.

  • Build a deadline matrix. For each funding agency, track (i) the effective date of that agency's RSP standard, (ii) your computed 18‑month certification deadline and (iii) interlocking dates (e.g., RST effective dates, common forms adoption, Malign Foreign Talent Recruitment Program certification points).
  • Subscribe to and log updates from funding agencies.  For example, the DoD and DOE have agency research security pages that post updates. Similarly, NSF has the Proposal and Award Policies and Procedures Guide on its Policy Office updates page, and NIH issues notices for RST, common forms adoption and other NSPM-33 matters. As each sponsor issues or updates its policy, compute and record your exact 18‑month deadline (to the day), then version‑control that record with a link to the agency notice. Keep a change log anytime an agency revises an effective date.
  • Assign a single RSP certification owner.  This individual will need authority across different areas to maintain the deadline matrix. Whether they should be empowered to sign off on sponsor-specific certifications requires situation-specific analysis.
  • Harmonize to the earliest binding date while avoiding unnecessary overapplication. While applying a blanket July 2026 deadline may seem to simplify things, this can lead to an excessive and unnecessary compliance burden and overapplication of sponsor-specific measures that aren't required by other programs.
  • Maintain all records by sponsor for certification.  A certification evidence binder and pre-certification audit, while not explicitly required, are advisable practices.

Conclusion

A right-sized, faculty-sensitive RSP design that preserves open research and international collaboration begins with properly meeting agency deadlines. Avoiding last-minute, checkbox compliance is the first step in building and maintaining a certifiable, auditable and defensible RSP and minimizing potential disruption, litigation and reputational damage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Artie McConnell
Artie McConnell
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More