The four-pillar Compliance OS for federally-funded research.
National Security Presidential Memorandum 33 was issued January 2021. The OSTP Implementation Guidance for the Research Security Programs Standard Requirement was issued July 9, 2024. Institutions receiving more than $50M in federal R&D funding must implement an RSP covering four pillars before staggered agency deadlines. Vigilarx is the four-pillar Compliance OS that runs underneath.
A federal presidential memorandum on research security.
National Security Presidential Memorandum 33 (NSPM-33) directs federal research funding agencies to implement uniform research security policies, with the goal of protecting the U.S. federally-funded research enterprise from foreign government interference and exploitation.
The OSTP Implementation Guidance for the Research Security Programs Standard Requirement, issued July 9, 2024, codifies the four-pillar Research Security Program (RSP) requirement for institutions receiving more than $50M in federal R&D funding annually. Each pillar carries operational obligations, and the institutional officer who signs the RSP certification is the named author of that certification.
Federal agency deadlines are staggered: NIH (window opened Jan 25, 2026), NSF (May 25, 2026), DOE (May 1, 2025), DOD (Aug 9, 2024), USDA (Dec 31, 2025), NASA (active 2025). A de-facto industry-wide implementation deadline has settled around July 1, 2026, the date by which most federally-funded institutions need to demonstrate compliance.
Each pillar requires demonstrable operational coverage.
Cybersecurity
Implement an institutional cybersecurity plan meeting NIST IR 8481 controls applicable to research data.
Per OSTP guidance: institution self-attests. Vigilarx tracks attestation evidence + expiry; the institution is the named author.
Foreign Travel Security
Track international travel by covered individuals; pre-approve and brief; debrief on return.
Travel registration with auto-screen of destination + briefing log + debrief log. Pillar gate consumes operational data when COMPLIANCE_GATE_V4_5_ENABLED=TRUE.
Research Security Training
All covered individuals complete the NSF Research Security Training (RST) on a recurring cycle.
Completion ledger + expiry tracker per covered individual. Pillar 3 marks COMPLETE when ≥80% of covered individuals are current on RST (per-org override available via /settings/thresholds).
Export Control Training
Train covered individuals on EAR / ITAR / OFAC export control obligations applicable to their research.
Course completion log + per-individual status. Pillar 4 uses the same gating as Pillar 3. A reminder banner above export-control surfaces flags adjacency to Section 889 telecom procurement.
Who is covered?
The OSTP Implementation Guidance applies the four-pillar RSP requirement to institutions whose federal R&D obligations exceed $50 million annually. Below that threshold, the guidance still applies as a recommended practice — but the certification requirement and FCA exposure attach above it.
Federal R&D volume is calculated by combining all federally-funded research awards across all federal agencies for the institution's most recent reporting fiscal year. The $50M threshold applies to the institutional total, not per-agency. Institutions with $50M-$100M in federal R&D should expect to be covered the same as $500M+ institutions.
July 1, 2026 — what happens if you miss it?
Federal funding agencies have set staggered deadlines, but the de-facto industry-wide expectation has settled around July 1, 2026. Past that date, institutions submitting federal proposals are expected to certify NSPM-33 RSP compliance, and certifying compliance without operational coverage exposes the institution to False Claims Act liability under 31 U.S.C. §§3729–3733.
FCA penalties are non-trivial: treble damages plus per-claim civil penalties (currently $13,946–$27,894 per false claim). Each grant proposal that includes a false NSPM-33 certification is a separate claim. For institutions submitting hundreds of proposals annually, the exposure scales accordingly.
The defensible posture is: certify when (and only when) the underlying operational coverage is real and documented. Exhibits A (signatory), B (methodology), and C (audit trail) of the cert PDF preserve the chain that survives federal review.
NSPM-33 sits in a regulatory neighborhood.
An NSPM-33 RSP certification is anchored by NSPM-33 itself, but its operational reach extends to a cluster of adjacent federal authorities. The watchlists Vigilarx checks against are derived from these named statutes and executive orders.
NDAA §1286 (FY2019)
Restricts DoD-funded research at institutions with material affiliations to 40+ named Chinese defense universities (the SASTIND-58 / Seven Sons list).
NDAA §1260H (FY2021)
Lists Chinese Military Companies (CMCs) operating directly or indirectly in the U.S.; procurement prohibition. Updated annually by DoD.
NDAA §889 (FY2019)
Prohibits federal funds from being used to procure telecommunications equipment from Huawei, ZTE, Hikvision, Hytera, Dahua.
NDAA §5949 (FY2023)
Prohibits federal agencies from procuring covered PRC semiconductor products/services from SMIC, CXMT, YMTC and downstream products incorporating their components; effective Dec 23, 2027.
UFLPA
Rebuttable presumption against goods produced in whole or part in the Xinjiang Uyghur Autonomous Region or by listed entities.
EAR / ITAR
Govern dual-use and defense-article export control. Deemed export rule: sharing controlled technology with a foreign national inside the U.S. is legally equivalent to physically exporting it.
EO 14117
Restricts bulk-data transfers to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Affects research-data sharing arrangements.
False Claims Act (FCA)
31 U.S.C. §§3729–3733. Treble damages + per-claim civil penalties for materially false certifications submitted to the federal government. The FCA wedge is why NSPM-33 certifications need to be defensible.
How each NSPM-33 element maps to a Vigilarx surface.
Pillar 4 is the gateway. The full Export Control module is the rest of the system.
NSPM-33 Pillar 4 (Export Control Training) is the institutional attestation that covered individuals are trained on EAR / ITAR / OFAC obligations. Vigilarx tracks that. But the federally-funded research enterprise also faces the operational export-control workflow downstream of the training: FRE/TCP triage, ECCN classification, deemed-export scholar vetting, country/embargo screening, BIS Affiliates Rule cascade, annual TCP review. The same defensibility shape applies to all of them.
See it in the demo before you talk to procurement.
Demo University tenant is pre-loaded with sample researchers, four pillars at varying completion, sample signed cert PDF, plus example triage / TCP / ECCN classification / scholar vetting / country screening / Affiliates Rule cascade artifacts.