Your CIO carries three community conversations into every vendor meeting: federation friction from ACAMP, operational threat sharing through REN-ISAC's live MISP instance, and identity proofing requirements surfacing across InCommon. Reference any of these correctly and you signal fluency. Get one wrong and you're a tourist with a slide deck.
Regulatory and source freshness note: Community dates below verified against primary InCommon, REN-ISAC, and Internet2 sources as of June 2026. MISP production go-live confirmed February 2026. InCommon Thread Meetup data from March 2026. Agency assurance-level requirements are evolving through grant conditions and guidance rather than a single binding published standard; confidence-flag any specific requirement claim before use in a meeting.
The regulatory stack tells you what she must do. The community stack tells you who she listens to and how she evaluates what you're selling. These are the rooms she's in, the vocabulary she uses when she's deciding whether you understand her world.
ACAMP 2025 Put Federation Friction on the Record
The InCommon recap of Advance Camp at the 2025 Internet2 Technology Exchange, published March 2026, is worth reading before any R1 meeting. Federation dominated. A dozen sessions covered onboarding barriers, protocol coexistence, vendor non-participation, and the organizational capacity gaps that make federation harder than the technology warrants.
Three signals to carry into the conversation:
Vendor non-participation is a named grievance. Relying Parties join InCommon to win campus contracts and then disengage. The sponsorship model meant to fix this has a chicken-and-egg problem: institutions best positioned to sponsor RPs increasingly have leadership who don't understand what they're being asked to offer. Practitioners at ACAMP are building dashboards showing InCommon integrations hold while bilateral ones break. The community is also exploring pooled resources for developer-friendly federation libraries as a structural fix. If your product participates meaningfully in federation, say so in the first five minutes. If it doesn't, expect the question.
Commercial migration risk is already debated. ACAMP sessions surfaced a pattern: campus leaders asking why they run Shibboleth when they could buy a commercial service. The discussions exposed real costs. Dual MFA contracts. Business continuity risks for services like student health that depend on the existing IdP. Your CIO has already had this conversation internally. Do not pitch against Shibboleth as though she hasn't weighed the operational implications of leaving it. Pitch what coexistence looks like.
Staffing erosion is structural. Understaffed IdPs, expertise drain, vendors lacking federation competence, federations themselves stretched thin. When something breaks, nobody owns the fix. This shapes how she evaluates build-versus-buy for identity infrastructure. The sustainability question is real and it comes up in every capacity planning conversation, not just the ones about identity.
REN-ISAC MISP Went Live in February
REN-ISAC's MISP production instance has been operational for members since February 2026 (confirmed, OmniSOC blog, February 20, 2026). Members share and receive structured cyber threat intelligence from peer institutions, trusted partners, and open-source providers including a GreyNoise partner feed. The platform runs in Indiana University's Kubernetes environment with active onboarding continuing.
Ransomware remains a persistent, daily threat to education, with nearly 40% of IT respondents reporting sustained anxiety following attacks even as some recovery metrics improve (Sophos State of Ransomware in Education 2025, September 2025). The community's investment in MISP is a collective response to that sustained pressure.
Why it matters in your meeting: MISP represents operational commitment to collective defense. Your CIO knows whether her institution is an early adopter or still evaluating. Either way, she is thinking about how threat intelligence connects to her identity stack. Compromised credentials remain a primary attack vector. The link between what MISP surfaces and what her IAM infrastructure can act on, whether that's automated indicator ingestion, accelerated credential revocation, or correlated access anomaly detection, is a live architectural question. Speak to that integration point without overselling it and you're in a useful conversation.
Identity Proofing Is Escalating Quietly With Real Friction
NIH and NSF are pushing security requirements that mandate higher assurance levels within InCommon Federation. These requirements are arriving through grant conditions, agency-specific guidance, and evolving expectations around phishing-resistant authentication rather than a single published binding standard (confirmed framing per InCommon ACAMP recap, March 2026). The absence of one canonical requirement document makes compliance harder to scope. Each agency's expectations must be interpreted independently.
At ACAMP, practitioners shared implementation friction worth knowing: users refusing to enroll work authentication on personal devices, medical workers who cannot bring devices into treatment areas, students from export-controlled countries facing device restrictions, and YubiKeys failing in embedded browsers despite bulk adoption efforts.
This identity proofing conversation is building across InCommon and Internet2, driven partly by agency requirements and partly by the federation's own maturity arc. The March 2026 InCommon Thread Meetup surfaced a 70% gap in library federation participation. Federation maturity is uneven even within institutions that consider themselves mature.
The thread connects directly to the regulatory stack. NSPM-33 compliance requires knowing who someone is at a level well beyond successful authentication. CMMC controls require identity verification at levels many campus IdPs were not designed to provide. The community is working through how to raise the assurance floor without breaking the access model that makes federation valuable.
Before the Meeting
She can tell within two minutes whether a vendor rep understands the ecosystem she operates in or is translating from an enterprise playbook. Three things to get right:
Reference ACAMP by name. Citing the vendor non-participation problem or the staffing erosion theme tells her you've read the material she's read. "I saw the InCommon recap from ACAMP" is a signal with weight.
Know MISP is live. Asking whether her institution participates in REN-ISAC threat sharing is a reasonable discovery question. Assuming she hasn't heard of it will cost you credibility immediately.
Acknowledge the identity proofing tension honestly. Higher assurance requirements are arriving from agencies and from within the community without a single clean standard to implement against. The implementation friction is real. Phishing-resistant MFA deployment on a research campus is hard, and she already knows that. A vendor who can name the edge cases (the personal device refusals, the embedded browser failures, the device-restricted clinical environments) earns credibility that a clean demo cannot.
The regulatory stack and the community stack are the same CIO's Tuesday and Wednesday. Show up prepared for both days.

