The "July 2026" NSPM-33 deadline is a planning myth. Agency-specific research security training requirements are already being enforced.

| Agency | RST Requirement | Status |
|---|---|---|
| DOE | May 2025 | Enforcing |
| NSF | December 2025 | Enforcing |
| NIH | May 25, 2026 (NOT-OD-26-017) | Enforcing |
| NASA | August 5, 2026 | Upcoming |
| DoD | No single published date | Implementing |

The broader RSP certification framework follows an 18-month window after each agency's effective date, meaning institutional certification deadlines stagger from mid-2026 into 2027 depending on sponsor mix. Cite a blanket July 2026 date to a research compliance officer who has been certifying DOE proposals for over a year and the stated reaction will be polite correction. The actual reaction is that you've lost the room.
Rep action: Ask the research compliance officer which agency-specific RST deadlines they're already certifying against and whether their RSP certification timeline accounts for the staggered 18-month windows across their top five sponsors.
Sources: NIH NOT-OD-26-017, December 2, 2025; NSF Important Notice via Yale Research Support; DOE Financial Assistance Letter via UCSC Office of Research; NASA guidance, February 5, 2026; BakerHostetler/Mondaq analysis, March 12, 2026.
CMMC certification must precede contract bidding. Penn State's False Claims Act exposure shows what happens when institutions treat it as concurrent.
Universities pursuing DoD-funded research cannot self-attest CMMC compliance during the proposal process and certify later. Certification must be in hand before the bid. Penn State faced federal False Claims Act action over cybersecurity compliance representations in government contracts, and that case is now the reference point every research-active university's general counsel has flagged. The sharper question for the CISO: can the identity infrastructure supporting CUI environments pass a CMMC Level 2 assessment today, or has the institution been quietly assuming there would be more runway?
Rep action: Ask the CISO whether their CMMC certification timeline is built to complete before their next DoD proposal deadline, and whether identity controls in CUI-scoped enclaves have been assessed against Level 2 requirements.
Sources: DoD CMMC Program Final Rule, 32 CFR Part 170, effective December 16, 2024; DOJ False Claims Act action involving Penn State.
GLBA's Safeguards Rule contains exactly one prescriptive technical control: MFA. The February 2026 EDUCAUSE Review piece makes this unambiguous.
The updated FTC Safeguards Rule is otherwise principles-based. MFA is the exception: explicitly required for any individual accessing customer financial information. The February 2026 EDUCAUSE Review analysis cut through the ambiguity that has allowed institutions to defer MFA rollout behind "risk-based" framing, a governance choice in compliance clothing that the EDUCAUSE piece strips bare. Tier 2 and Tier 3 institutions are disproportionately exposed; R1s with dedicated security teams generally implemented MFA earlier. The EDUCAUSE Review sourcing matters because a CISO can hand it to their CFO without it looking like a vendor pitch.
Rep action: Ask the CISO or CIO whether every user with access to student financial information is currently covered by MFA, and whether they've mapped GLBA Safeguards Rule obligations against their current authentication coverage.
Sources: EDUCAUSE Review, February 2026 (Safeguards Rule analysis); FTC Standards for Safeguarding Customer Information, 16 CFR Part 314.

