Signal: NSF's June 2 implementation memo sets September 30, 2026 as the hard deadline for federated identity assurance documentation on all CUI-adjacent research systems. Most R1 institutions are not ready — and the VP for Research and CISO at most accounts have not yet had the conversation that would tell them how far behind they are.
NSF's Office of the Chief Information Officer published NSF NSPM-33 Implementation Guidance, June 2026 on June 2, 2026. The memo operationalizes a requirement that has been latent in the NSPM-33 framework since 2022 but lacked enforcement specificity: institutions receiving NSF awards that involve CUI must now document federated identity assurance for every system that touches that data, with documentation submitted to the relevant program officer by September 30.
This is not a checkbox. Compliance means demonstrating that each in-scope system is covered by an InCommon-aligned assurance profile — at minimum IAL2/AAL2 under NIST SP 800-63B — and that attribute release to those systems is governed by a current, auditable policy. For institutions running Shibboleth-based federation with manually maintained metadata and ad hoc attribute release configurations, that is a significant remediation lift in roughly 120 days.
The harder problem is organizational, not technical. According to the Internet2 IAM Community Brief, Q1 2026, 58% of R1 institutions surveyed reported that responsibility for identity assurance on research data systems is either unassigned or informally split between the CISO's office and the VP for Research's office without a formal governance agreement. NSF's memo doesn't accommodate that ambiguity. Documentation has to come from somewhere, and the September 30 deadline makes the ownership question a compliance liability with a date attached.
The VP for Research knows which awards involve CUI. The CISO knows what the identity infrastructure can and cannot assert. At most R1 institutions, those two people have not sat in a room together to map one against the other — and NSF's memo makes that misalignment a compliance liability with a hard date attached.
Whether that conversation happens now, with time to remediate, or in October, after a program officer flags a gap, is largely a function of who surfaces the issue first.
The memo carries one additional pressure point: documentation must cover systems operated by research computing units that sit outside the central IT org chart. At many R1 institutions, those units run their own service accounts, their own access controls, and their own data sharing agreements. The CISO may not have current visibility into what those systems are asserting to federated service providers — or whether they're asserting anything at all.
Rep action: Before your next call with a CISO or VP for Research at an R1 account, pull the institution's current InCommon participant record and check whether they have published an assurance profile. Most haven't. Open with: "NSF's June 2 memo sets a September 30 deadline for federated identity assurance documentation on CUI-adjacent systems. I want to understand whether your CISO and VP for Research have a shared inventory of which systems are in scope — because that's the gap we're seeing at peer institutions." That question surfaces the misalignment without requiring you to diagnose it first.