The RSP cybersecurity certification window begins opening in July. NSF still hasn't published final validation guidance. NIH training certifications became effective for proposals submitted after May 25, 2026. And at every Tier 1 R1 on your list, the VP for Research is staring at a certification she must sign personally, under False Claims Act liability, for a cybersecurity program whose requirements are still being finalized by the agency that funds a third of her portfolio. Federal funding contraction means the budget she'd use to solve this problem is the same budget she's fighting to keep. Here's how to frame the deal.
The Positive Business Outcome
Say it the way the VP for Research would say it to her Provost:
"We need to maintain eligibility for federal research awards without exposing the institution to False Claims Act liability on the RSP cybersecurity certification."
She will never say "modernize identity" or "implement lifecycle governance" to her Provost. The institution wants to keep receiving federal research dollars, and it wants the person who signs the certification to be able to defend what she signed.
Why Do Anything
The forcing function is the signature itself.
Under NSPM-33, every institution receiving more than $50M annually in federal research funding must certify implementation of a Research Security Program with four elements, including cybersecurity controls. The specific standard for the cybersecurity element hasn't been finalized — Yale's compliance office is still waiting on it — but NIST 800-171 is the framework most institutions are building toward, and it's the standard DOJ has already enforced under the FCA in the Penn State and Georgia Tech cases. The VP for Research signs that certification. If it's false, the institution is exposed under the False Claims Act: treble damages plus per-claim penalties. This applies to Tier 1 R1s above the $50M threshold; at Tier 2 institutions the RSP requirement doesn't bind, but the identity governance gap underneath it is the same.
Two things your buyer needs to hear you understand:
No breach is required. Penn State paid $1.25M in October 2024 for failing to implement NIST 800-171 controls across fifteen contracts. Georgia Tech Research Corporation settled for $875K in September 2025 over DARPA contract cybersecurity failures. DOJ's Civil Cyber-Fraud Initiative established in both cases that noncompliance alone was sufficient; neither involved an actual data breach.
No safe harbor exists in the current NSPM-33 guidance. The certification carries the liability on its face.
The identity governance gap is specific: the RSP cybersecurity element requires demonstrable access control, lifecycle management, and audit trails for research personnel, including affiliates, visiting scholars, and cross-institutional collaborators whose identity lifecycle doesn't map to the HR system. Most R1s can demonstrate these controls for employees. Almost none can demonstrate them for the research population that actually handles controlled data.
Why Now
The July 2026 deadline is real but more nuanced than the headline. The actual mechanism is a rolling 18-month clock starting when each sponsoring agency finalizes its RSP standard. For NIH-funded institutions, the clock is running now. For NSF-primary portfolios, final guidance is still pending. Your buyer's deadline depends on her funding mix, and she may face staggered certification dates across sponsors through early 2027. That complexity makes the procurement harder to schedule, not less urgent.
Training milestones are already live. NIH training took effect May 25, 2026. Your buyer has already been through the training compliance sprint. The cybersecurity element is next, harder, and requires infrastructure the institution doesn't have.
A caveat you should be prepared to hear: if the portfolio is primarily NSF-funded and NSF hasn't finalized RSP validation guidance, the VP for Research may argue she has more time than July implies. She might be right. The FCA liability argument holds regardless of the deadline, though. The certification will come on its own schedule whether or not she's ready for it.
Why Us
Start with the thing the CISO already knows: neither Okta nor Microsoft Entra ID has native multilateral federation support. Both require a third-party bridge (Cirrus Identity or equivalent) to participate in InCommon. Say this in the room. Pretending otherwise costs you credibility on everything that follows.
The structural fit argument rests on three capabilities:
Lifecycle governance for the research population. RSP cybersecurity certification requires demonstrable joiner/mover/leaver controls with audit trails. Okta's identity governance layer, FedRAMP High authorized as of February 2026, provides automated lifecycle management and access certification campaigns that produce the auditable record your buyer needs when she signs. In ManTech's CMMC 2.0 assessment, the C3PAO completed account management review in 45 minutes instead of the expected two days. That's certification-ready evidence versus assembling it under pressure.
Coexistence with existing federation infrastructure. Your buyer cannot afford a rip-and-replace of her Shibboleth stack while a certification window is opening. Okta coexists with the existing federation infrastructure. Entra ID's value proposition pulls toward consolidation. NC State announced its Shibboleth-to-Entra migration in May 2025 and as of April 2026 is still migrating application by application, with no estimated retirement date. That may be a reasonable long-term architecture decision, but it doesn't fit a compliance timeline.
The provisioning model matters for research. Entra ID defaults to SCIM pre-provisioning: accounts must be created before access. InCommon's standard pattern is JIT provisioning, where a researcher at another institution authenticates and an account is created on first login. That difference creates real friction for cross-institutional research collaboration, which is exactly the use case the RSP cybersecurity element is designed to secure.
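To make the provisioning difference concrete, here is an added example (not code from this memo, and not Okta's or Entra ID's implementation) of a toy federated-login handler that runs in either mode and writes the joiner/mover/leaver audit trail described under lifecycle governance. It assumes assertions arrive as plain dicts after signature validation, and that attribute names follow the eduPerson/SCHAC conventions InCommon uses; the sample assertion and the partner.example institution are constructed.

```python
"""Toy federated-login handler contrasting SCIM-style pre-provisioning with
just-in-time (JIT) provisioning, with an append-only audit trail.
Added example; attribute names follow eduPerson/SCHAC conventions, and the
signature validation of the incoming assertion is assumed to have happened."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Mode(Enum):
    PRE_PROVISION = "pre-provision"  # account must exist before first access
    JIT = "jit"                      # account created from the assertion on first login


@dataclass
class Account:
    eppn: str           # eduPersonPrincipalName, e.g. jdoe@partner.example
    home_org: str       # schacHomeOrganization
    affiliation: str    # eduPersonScopedAffiliation
    active: bool = True


@dataclass
class Directory:
    mode: Mode
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event: str, subject: str, detail: str) -> None:
        # Every decision, granted or denied, is recorded: this is the evidence
        # a certification reviewer asks for.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "subject": subject, "detail": detail})

    def login(self, assertion: dict) -> bool:
        """Handle a federated login; return True if access is granted."""
        eppn = assertion.get("eduPersonPrincipalName")
        if not eppn:
            self._log("access_denied", "<unknown>", "assertion lacks eduPersonPrincipalName")
            return False
        acct = self.accounts.get(eppn)
        if acct is None:
            if self.mode is Mode.PRE_PROVISION:
                # The friction point for cross-institutional collaborators:
                # nobody created the account ahead of time, so access fails.
                self._log("access_denied", eppn, "no pre-provisioned account")
                return False
            acct = Account(eppn, assertion["schacHomeOrganization"],
                           assertion["eduPersonScopedAffiliation"])
            self.accounts[eppn] = acct
            self._log("joiner", eppn, f"JIT-created from {acct.home_org} assertion")
        if not acct.active:
            self._log("access_denied", eppn, "account deprovisioned")
            return False
        new_aff = assertion.get("eduPersonScopedAffiliation", acct.affiliation)
        if new_aff != acct.affiliation:
            # Mover: the home institution now asserts a different affiliation.
            self._log("mover", eppn, f"affiliation {acct.affiliation} -> {new_aff}")
            acct.affiliation = new_aff
        self._log("login", eppn, f"granted as {acct.affiliation}")
        return True

    def deprovision(self, eppn: str, reason: str) -> bool:
        """Leaver: disable rather than delete, so the history stays auditable."""
        acct = self.accounts.get(eppn)
        if acct is None:
            return False
        acct.active = False
        self._log("leaver", eppn, reason)
        return True


# Constructed sample assertion for a visiting scholar from a partner institution.
SAMPLE_ASSERTION = {
    "eduPersonPrincipalName": "jdoe@partner.example",
    "schacHomeOrganization": "partner.example",
    "eduPersonScopedAffiliation": "member@partner.example",
}


def events(directory: Directory) -> list:
    """The audit trail reduced to its sequence of event names."""
    return [entry["event"] for entry in directory.audit]


if __name__ == "__main__":
    pre = Directory(Mode.PRE_PROVISION)
    print("pre-provision first login:", pre.login(SAMPLE_ASSERTION), events(pre))
    jit = Directory(Mode.JIT)
    jit.login(SAMPLE_ASSERTION)
    jit.login(dict(SAMPLE_ASSERTION, eduPersonScopedAffiliation="affiliate@partner.example"))
    jit.deprovision("jdoe@partner.example", "collaboration ended")
    jit.login(SAMPLE_ASSERTION)
    print("JIT trail:", events(jit))
```

Running it shows the same assertion denied outright in pre-provision mode and, in JIT mode, a full joiner, login, mover, login, leaver, access_denied sequence in the trail. The deprovision step disables rather than deletes the account on purpose: a leaver whose record disappears leaves no evidence that the control fired.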
Acknowledge the cost argument. Entra's bundled licensing in E5 is a real advantage in the CFO's spreadsheet. The CIO's E5 license, however, doesn't include the identity governance layer the VP for Research needs for RSP certification. That's a separate SKU, a separate procurement, and a separate conversation where Okta's structural fit is strongest.
The Conversation
Open with the VP for Research. She owns the liability.
"I've been tracking the RSP cybersecurity certification timeline for institutions with your funding mix. The certification your office will sign carries False Claims Act exposure. Penn State and Georgia Tech both settled FCA cases in the last two years, neither involving an actual breach. The gap I keep hearing is that R1s can demonstrate identity controls for employees but not for the research population handling controlled data. That's the gap we close, and we do it without requiring migration off your existing federation infrastructure."
If she asks about the audit trail, meaning what the certification evidence looks like, who reviews it, and whether it maps to the specific NIST 800-171 controls her compliance office has flagged, she is past "why" and into "how," and you've earned the next meeting with her CISO.
Things to follow up on...
- CMMC Phase II stacking: CMMC Level 2 certification requirements are now appearing in DoD solicitations, and R1s operating as subcontractors face compliance validation from their primes on a 12–18 month certification timeline that runs parallel to the RSP window.
- Administrative False Claims Act: The AFCA passed in December 2024 lets federal agencies pursue cybersecurity noncompliance directly without a DOJ lawsuit, lowering the enforcement threshold below what Penn State and Georgia Tech faced.
- InCommon's federation future: OpenID Federation is emerging as a potential successor to the SAML-based trust framework, which would shift the multilateral federation architecture toward OIDC and change the competitive calculus for both Okta and Entra ID over the next two to three years.
- Research funding contraction scale: NIH awards are down 29% and NSF awards have dropped 50% in 2025 compared to recent years, with some AAU institutions reporting 10–25% declines in federal research funding that directly compress the budget your champion controls.