Your R1 CIO is triaging three federal compliance clocks at once with a team that spent the last eighteen months fighting budget fires instead of building audit infrastructure. Know the whole pile, every layer of it.
Regulatory freshness note: All dates below verified against primary federal sources as of June 2026. NSPM-33 agency timelines beyond NIH remain in flux. CMMC Phase 2 date confirmed via DOD rulemaking. Confirm against agency Federal Register notices before any deal conversation.
NSPM-33 Training Is Live and Under-Automated
NIH's Research Security Training requirement went effective May 25, 2026 (confirmed). Covered individuals on NIH-funded projects must complete approved modules on foreign talent recruitment risks, disclosure obligations, and research security fundamentals. The institution owns the tracking, attestation, and audit burden. Not the researcher.
The operational problem is immediate. Training completion must be tracked per-person, per-grant, per-agency. Disclosure obligations require accurate affiliation and conflict-of-interest data flowing across systems that were never designed to share it. Your CIO needs to know who is covered, whether they've completed requirements, and whether their institutional profile reflects current affiliations. All of it is identity governance work, funded and tracked under a compliance line item.
What "under-automated" looks like concretely: most institutions are pulling covered-individual lists from HR systems, cross-referencing against grant management platforms, and reconciling training completion records manually or through ad hoc scripts. The systems don't share data natively. Affiliation changes for visiting researchers and postdocs often lag weeks behind reality. The rep who can describe this back to the CIO, accurately, earns the next ten minutes of the conversation.
The harder part: RSP certification timelines at DOE and DOD have not been published (directional estimate: alignment with NSPM-33 framework, binding dates TBD). She is building infrastructure against a moving target, knowing whatever she stands up for NIH will need to extend to other agencies on timelines she cannot yet confirm.
CMMC Phase 2 Hits in Five Months With No University Carve-Out
CMMC Level 2 C3PAO assessments become required November 10, 2026 (confirmed). No university exemption exists. Any institution holding or processing CUI under DOD contracts must demonstrate compliance with NIST SP 800-171 controls through certified third-party assessment.
R1s with significant DOD research portfolios have been building CUI enclaves for two or more years. By June 2026, awareness is universal. Capacity is the constraint. C3PAO assessment slot availability is widely reported as tight; specific wait-time data is not publicly available as of June 2026. Institutions that haven't scheduled are competing for a shrinking window against defense contractors with dedicated compliance teams. The identity controls in 800-171, access control, identification and authentication, audit and accountability, require demonstrable enforcement. Policy documentation without that enforcement will not pass.
The Budget Squeeze Is Real Even Where the Courts Won
All four federal agency attempts to impose a 15% flat indirect cost cap on university research were vacated by courts or abandoned through 2025 and early 2026. The First Circuit upheld the permanent injunction against the NIH cap in January 2026. DOE ended its appeal in March 2026. FY2026 appropriations explicitly block agencies from unilaterally reducing negotiated F&A rates (P.L. 119-75, §224 of Division B, enacted February 3, 2026).
The caps are not in effect. Eighteen months of institutional triage left the damage to planning capacity already embedded.
Institutions diverted compliance, finance, and legal staff throughout 2025 to track, model, and litigate these actions. Court records cited estimated annual losses of $121M at UCSF, $136M at Johns Hopkins, $129M at Penn, $119M at Michigan had the caps held (NYT analysis cited in April 2025 injunction record). Those dollar losses didn't materialize, but the staff hours diverted to tracking, modeling, and litigating the caps came directly out of NSPM-33 and CMMC readiness work.
And the threat recycles annually. The FY2027 budget re-proposes the 15% cap and seeks to eliminate the appropriations prohibition blocking it (confirmed, CRS analysis, April 2026). Meanwhile, DOD executed structural cuts that courts cannot reverse. The Minerva Research Initiative was shut down in April 2026, ending all 91 social science studies. DOD basic research funding took a 4.9% cut in FY2026 appropriations, even as applied science funding rose 15.4%. These reduce the research portfolio against which compliance costs are spread, concentrating the burden on the STEM and engineering programs that remain.
Before the Meeting
Her cognitive state in June 2026 breaks into three layers.
Immediate: NSPM-33 training tracking is live and under-automated. She needs identity governance connecting personnel records, grant affiliations, and training completion across disconnected systems. She knows the manual process doesn't scale to DOE and DOD when those timelines land.
Near-term: CMMC assessment scheduling. November is uncomfortably close. Identity controls are table stakes for the assessment, and the assessment pipeline is constrained.
Background: FY2027 budget uncertainty. Even if the 15% cap fails again in Congress, the annual cycle erodes her ability to commit to multi-year infrastructure investments. Every procurement conversation carries the question: will F&A revenue sustain this in year three?
Lead with the stack. Show you understand these obligations compound, the budget to meet them is contested, and identity infrastructure is the connective tissue across all three.