The Tell
A rep sits down with a Tier 1 VP for Research and says "your RSP certification is due July 2026." The research security officer two seats over stops writing. The VP nods politely. The meeting continues, but you've been sorted into a category: vendor who read a summary. The VP has spent eighteen months tracking staggered deadlines across four funding agencies. There is no single date. Quoting one proves you haven't done the work they've done.
The Mechanic
NSPM-33 directs each funding agency to publish its own Research Security Program (RSP) requirements on its own timeline. The January 2022 OSTP guidance is explicit on this point. Institutions then have up to 18 months from each agency's effective date to certify compliance. The result is a staggered calendar that varies by funding portfolio.
Where things stand today:
| Agency | Requirement | Status | Source |
|---|---|---|---|
| NIH | RSP certification | Mandatory May 25, 2026 | NOT-OD-26-017 |
| NSF | Research security training (RST) | Effective Dec 2, 2025 | Important Notice 149 |
| DOE | RST | Required since May 1, 2025 | DOE RST page |
| DOE | RSP certification | Unconfirmed at primary-source level | — |
| DoD | RSP certification | Unconfirmed at primary-source level | — |
| NSF | Centralized RSP certification | Process still being finalized | IARPA, confirmed June 2026 |
The person across the table tracks all of this. They have a matrix. When you quote a single date, you reveal you don't have one.
The Move
Say this: "Which agencies represent your largest funding exposure? Has your research security team built a deadline matrix, or is that still in progress?" Then stop talking. If they name NIH, acknowledge the certification obligation is already live. If they name DOE or DoD, note that RSP certification dates for those agencies haven't been publicly finalized, which creates a different planning problem.
From there, move to the four RSP program elements: cybersecurity, research security training, foreign travel security, and export control training. The last three are primarily policy and training obligations. Cybersecurity is where the infrastructure conversation starts. The OSTP guidance (Section 6, p. 20) specifies 14 cybersecurity requirements; 12 overlap with FAR 52.204-21 basic safeguarding controls (Trusted CI's August 2022 analysis provides a useful cross-reference). The two additions are cybersecurity awareness training and ransomware data protection (EDUCAUSE Review, May 2022). By our count from the OSTP requirements list, six of those 14 fall in the access control and identification/authentication domains. That's where the conversation earns its next ten minutes.
Not that: "Your RSP certification is due July 2026." One date. No agency context. No question about their funding mix.
When: First substantive meeting with a VP for Research, research CIO, or research security officer at an R1. Before any product discussion. This is the credibility gate.
Why it lands: Asking about their deadline matrix tells the buyer you understand NSPM-33 compliance as an agency-by-agency operational problem. They hear someone who has read the source documents. That distinction determines whether you get a second meeting.
Tier Calibration
- R1: Full RSP certification applies to institutions above the $50M federal R&D threshold (FY2022 constant dollars, 3-year average per the July 2024 OSTP Guidelines). The deadline matrix question is essential. Lead with it.
- Mid-size (Tier 2): Many fall below the $50M threshold and face no RSP certification requirement. They may still encounter agency-specific RST requirements on individual awards. Ask about funding volume before assuming RSP applies. Getting this wrong in either direction costs credibility.
- Community college / consortia: RSP certification is almost certainly not applicable. Do not raise it. If an institution holds individual federal research grants, agency-level RST requirements could surface, but this is rare enough that the conversation belongs elsewhere.
NIH RSP certification live date (May 25, 2026) confirmed via NOT-OD-26-017. NSF centralized certification process unconfirmed since December 2025 FDP report. DOE and DoD RSP certification effective dates unconfirmed at primary-source level. NIST IR 8481 finalization status, which may supersede the current 14-requirement cybersecurity list for IHEs per the July 2024 OSTP Guidelines, is unconfirmed. [Verify by: August 2026 — check NSF research security, DOE Financial Assistance Letters, defense.gov for DoD guidance, and NIST CSRC for IR 8481 status.]
Things to follow up on...
- CMMC Phase 2 overlap: R1 universities holding DoD subcontracts face a November 10, 2026 Level 2 C3PAO certification requirement under CMMC Phase 2, and the NIST 800-171 control spine shared with NSPM-33 cybersecurity requirements makes these two compliance conversations inseparable at DoD-funded accounts.
- DoD risk matrix update: The DoD's March 9, 2026 updated Decision Matrix for fundamental research introduces new foreign collaboration restrictions that may directly affect funding eligibility and will surface alongside RSP certification questions in DoD-funded R1 meetings.
- NIH identity proofing deadline: NIH now requires IAL2-level identity proofing for controlled-access data repository access by January 2027, and InCommon has been added to NIH's approved broker list, creating a second compliance conversation at the same accounts where RSP certification just went live.
- FDP certification forecast missed: The Federal Demonstration Partnership's December 2025 report forecast that agency RSP certification requirements would publish in February–March 2026, but no confirmation of that publication has surfaced, which means the "not yet finalized" framing for the centralized NSF-led process may need updating any week.