The Higher Ground

Regulatory Stack, Community Stack

The Research CIO's Regulatory Stack

Your R1 CIO is triaging three federal compliance clocks at once: NSPM-33 training tracking live at NIH since May, CMMC Level 2 assessments five months out with no university exemption, and a budget environment where court victories against indirect cost caps didn't restore the planning capacity lost fighting them. This is the pressure map. The companion piece covers the community conversations she's carrying alongside it.

Regulatory Stack, Community Stack

The Research CIO's Community Stack

The companion piece maps the regulatory clocks your R1 CIO is managing. This one maps the community rooms she's in and the conversations she carries out of them. She's processing ACAMP federation friction debates, REN-ISAC's live MISP threat-sharing deployment, and an identity proofing conversation with no single clean standard. Reference these correctly and you signal fluency. Miss them and the regulatory knowledge from the companion piece lands without context.

Regulatory Stack, Community Stack

The Research CIO's Regulatory Stack

Your R1 CIO is triaging three federal compliance clocks at once: NSPM-33 training tracking live at NIH since May, CMMC Level 2 assessments five months out with no university exemption, and a budget environment where court victories against indirect cost caps didn't restore the planning capacity lost fighting them. This is the pressure map. The companion piece covers the community conversations she's carrying alongside it.

Regulatory Stack, Community Stack

The Research CIO's Community Stack

The companion piece maps the regulatory clocks your R1 CIO is managing. This one maps the community rooms she's in and the conversations she carries out of them. She's processing ACAMP federation friction debates, REN-ISAC's live MISP threat-sharing deployment, and an identity proofing conversation with no single clean standard. Reference these correctly and you signal fluency. Miss them and the regulatory knowledge from the companion piece lands without context.

Regulatory Stack, Community Stack

The Research CIO's Regulatory Stack

Your R1 CIO is triaging three federal compliance clocks at once: NSPM-33 training tracking live at NIH since May, CMMC Level 2 assessments five months out with no university exemption, and a budget environment where court victories against indirect cost caps didn't restore the planning capacity lost fighting them. This is the pressure map. The companion piece covers the community conversations she's carrying alongside it.

Regulatory Stack, Community Stack

The Research CIO's Community Stack

The companion piece maps the regulatory clocks your R1 CIO is managing. This one maps the community rooms she's in and the conversations she carries out of them. She's processing ACAMP federation friction debates, REN-ISAC's live MISP threat-sharing deployment, and an identity proofing conversation with no single clean standard. Reference these correctly and you signal fluency. Miss them and the regulatory knowledge from the companion piece lands without context.

The CIO's Dashboard

Your research CIOs are past the planning phase. NIH's RST took effect May 25. NIAGADS DSS started enforcing IAL2 identity proofing on June 1. CBI is gone, and HECVAT exchange now runs without a broker. These are live operational realities, not items on a future compliance calendar.

Six items below, each carrying a confirmed status and a conversation entry point. The principle behind every one: show that you know where things stand today, at the agency and program level, before you open a product conversation. A rep who cites "July 2026" as a blanket NSPM-33 deadline or references a pre-4.1.5 HECVAT gets sorted as an outsider before slide two loads.

The CIO's Dashboard

Your research CIOs are past the planning phase. NIH's RST took effect May 25. NIAGADS DSS started enforcing IAL2 identity proofing on June 1. CBI is gone, and HECVAT exchange now runs without a broker. These are live operational realities, not items on a future compliance calendar.

Six items below, each carrying a confirmed status and a conversation entry point. The principle behind every one: show that you know where things stand today, at the agency and program level, before you open a product conversation. A rep who cites "July 2026" as a blanket NSPM-33 deadline or references a pre-4.1.5 HECVAT gets sorted as an outsider before slide two loads.

Research Security

NSPM-33 Deadlines Are Staggered, Not Universal

NSF RST live since December 2, 2025. NIH RST effective May 25, 2026 (NOT-OD-26-017). RSP certification still unfinalized per IARPA/NSF. Agency-specific 18-month windows stretch into 2027. "July 2026" is shorthand that research CIOs will correct you on. Your entry: "Which agencies are your top five funders?" before quoting any date.

Defense Research

CMMC Phase Two Arrives November, No Carve-Out

Level 2 C3PAO certification required at contract award starting November 10, 2026. Phase 1 self-assessments live since November 2025. As of October 2025, only 0.5% of an estimated 80,000 organizations held Level 2 certification. Most R1s sit as subcontractors, not primes. Ask: have DoD-funded labs mapped CUI flows to sub obligations?

Procurement Trust

Send Your HECVAT Before They Chase It

Version 4.1.5 current since February 2025. CBI retired July 31, 2025, so direct vendor-institution exchange is now the default. 321 questions across 7 sections, including an AI/ML domain aligned with NIST AI RMF. 63% of institutions still lack formal third-party risk management (Isora GRC, directional). Your move: send the completed HECVAT before procurement opens the ticket. That signals service.

Identity Proofing

NIH CADR Identity Proofing Is Enforcing Now

NIAGADS DSS began enforcing IAL2 on June 1, 2026. System-wide CADR deadline holds at January 2027. InCommon is an approved NIH broker, and over half its members have active NIH researchers. InCommon ran an 8-week identity proofing accelerator cohort through April 2026. Ask: has the IAM team mapped their CADR researcher population against that accelerator roadmap?

Threat Intelligence

REN-ISAC MISP Now Live for 780 Members

Production instance went live February 2026, enabling automated threat intelligence sharing across 780+ member institutions. Higher ed ransomware up 70% since 2022 (single-source, RIMM 2026 session description). Your entry: reference MISP as shared threat intel the security team likely already ingests, then connect to vendor risk posture.

Strategic Framing

EDUCAUSE Puts Collaborative Cybersecurity at Number One

The 2026 Top 10 reframes security as shared cross-campus responsibility, not a technical perimeter problem. Federal support reductions are squeezing budgets while threats compound. Vendor risk management also ranks among top institutional concerns. Frame identity governance as the connective layer enabling this collaboration model EDUCAUSE is calling for.

The Behavior Translation

Quoting "July 2026" Tells a Research CIO You Haven't Done the Work

By Colleen Birch Halvorsen— June 3, 2026

Feature image for article: Quoting "July 2026" Tells a Research CIO You Haven't Done the Work

NSPM-33 is a matrix of agency-specific deadlines, and every research CIO with significant federal funding has been tracking it for over a year. NIH's RSP certification obligation is already live. NSF's centralized process is still being finalized. DOE and DoD haven't published RSP certification dates at all. Quote "July 2026" as a single universal date in a Tier 1 meeting and you've told the room you read a summary instead of the source documents. One question fixes this. Start with their funding portfolio.

The Behavior Translation

Quoting "July 2026" Tells a Research CIO You Haven't Done the Work

By Colleen Birch Halvorsen— June 3, 2026

NSPM-33 is a matrix of agency-specific deadlines, and every research CIO with significant federal funding has been tracking it for over a year. NIH's RSP certification obligation is already live. NSF's centralized process is still being finalized. DOE and DoD haven't published RSP certification dates at all. Quote "July 2026" as a single universal date in a Tier 1 meeting and you've told the room you read a summary instead of the source documents. One question fixes this. Start with their funding portfolio.

Identity Proofing Sidebar

The NIH CADR Conversation Your Tier 1 CIO Is Already Having

NIH's January 2027 CADR identity proofing deadline is already consuming cycles at campus IAM teams across the R1 landscape. InCommon is an approved NIH RAS broker, and over half of federation members have active NIH researchers. Eleven institutions finished the inaugural Identity Proofing Accelerator cohort this spring. The fall cohort is recruiting now.

Internet2's Ann West frames identity proofing as "a business problem that touches admissions, HR, the registrar, financial aid, and research administration all at once." Borrow that framing. It tells the CIO you see governance, not a config task.

Identity Proofing Sidebar

The NIH CADR Conversation Your Tier 1 CIO Is Already Having

NIH's January 2027 CADR identity proofing deadline is already consuming cycles at campus IAM teams across the R1 landscape. InCommon is an approved NIH RAS broker, and over half of federation members have active NIH researchers. Eleven institutions finished the inaugural Identity Proofing Accelerator cohort this spring. The fall cohort is recruiting now.

Internet2's Ann West frames identity proofing as "a business problem that touches admissions, HR, the registrar, financial aid, and research administration all at once." Borrow that framing. It tells the CIO you see governance, not a config task.

Rep behavior:

Reference the accelerator cohort and January 2027 as something the IAM team is working through, not news you're delivering cold

Technical standard:

CADR access requires IAP/high under REFEDS RAF v2; NIH confirmed in September 2025 that IAP High satisfies NIST IAL2

Scale exposed:

Over 202 InCommon member institutions are home organizations for CADR users, with 130,000-plus eRA grants tied to InCommon participants

Parallel effort:

Internet2 is running a NET+ service evaluation for identity proofing solutions alongside the accelerator program, so procurement context is live

Deadline caveat:

January 2027 is the communicated date, but CADR operator uptake challenges and possible government delays could push timelines into late 2027