NIH's certification deadline for covered individuals is December 2026. Seven months out. The rep who leads with that date as urgency has already signaled they're reading the policy summary, not talking to anyone who's implementing it.
The research CIO at an NIH-funded R1 is living inside four simultaneous implementation tracks moving at different speeds, generating different kinds of institutional resistance, and surfacing different operational gaps. The deadline is the fixed point. The friction is the present-tense reality.
Know which element is actually on fire right now
The four required NSPM-33 program elements — disclosure review, foreign travel tracking, cybersecurity requirements for research systems, and certification of covered individuals — are not equally far along at most institutions. Certification is the visible deliverable, the thing NIH will ask for. But the two elements generating the most operational friction right now are disclosure review and foreign travel tracking, and they're generating different kinds of friction for different reasons.
Disclosure review is a faculty culture problem wearing a compliance costume. The requirement that covered individuals disclose relationships with foreign entities, foreign governments, and foreign talent recruitment programs runs directly into how research universities have always operated: international collaboration is a feature, not a risk signal, and faculty who have spent careers building those relationships are not naturally inclined to route them through a compliance review process. The CIO didn't build that resistance. They inherited it. And they're now trying to implement a disclosure workflow — usually some combination of a COI/COC system, identity-linked attestation, and manual review — on top of a faculty population that ranges from fully cooperative to actively skeptical that the requirement applies to them.
Foreign travel tracking is a different problem. It's not a culture problem; it's a coordination problem. The requirement surfaces immediately across at least four offices that don't normally share data in real time: research compliance, HR, export control, and IT. Who is traveling, when, where, with what credentials, accessing what systems from what jurisdictions — that information lives in different places, managed by different people, under different policies. At most R1s, the honest answer to "do you know which covered individuals are currently traveling internationally with active access to controlled research systems" is: not reliably.
Disclosure review is a faculty culture problem. Foreign travel tracking is a coordination problem across at least four offices. They require different conversations and are moving at different speeds.
That gap is where identity infrastructure becomes directly relevant to the compliance conversation — and the CIO is unlikely to draw that line unprompted. You have to draw it.
The difference between naming the elements and knowing them
A rep who can say "NSPM-33 has four program elements, and NIH's deadline is December 2026" has done the minimum. A rep who can say "the disclosure-review implementation is probably your faculty relations problem, and the foreign travel tracking is probably your cross-office coordination problem, and those two are moving at different speeds for different reasons" is describing something the CIO is actually experiencing.
That specificity reads as field knowledge, not product positioning. The CIO will test it, consciously or not, by the questions they ask next. If you can stay in the conversation without reverting to product features, you've earned the room.
The cybersecurity element is your entry point, not your lead
The third program element — cybersecurity requirements for research systems — is where identity infrastructure connects most directly to NSPM-33 compliance. Covered individuals need to be identifiable and auditable across the systems they access. Access certifications need to be completable. Privileged access to controlled research environments needs to be documented and reviewable. Most R1s are not starting from zero here, but most are also not starting from a position where their existing identity infrastructure was designed with NSPM-33 in mind.
Lead with the friction the CIO is managing — disclosure review, foreign travel coordination — and let the cybersecurity element surface as the connective tissue. The CIO who is already frustrated by the cross-office coordination problem for foreign travel tracking will hear "your identity layer is the place where those data sources can actually converge" very differently than the CIO who thinks you're there to sell them something.
What to say in the first five minutes
Not this: "We know NSPM-33 has a December 2026 deadline and we want to help you get there."
This:
"Most of the institutions we're talking to are further along on the certification piece than on the foreign travel tracking — the cross-office coordination is where things are getting stuck. Is that where you're feeling it, or is the disclosure-review workflow the bigger friction point right now?"
That question demonstrates you know the implementation is uneven, names the two elements actually generating friction, and asks the CIO to tell you which problem is theirs — which is the only question that matters.
Confidence note: The December 2026 NIH certification deadline reflects NIH-specific guidance as of early 2026 and should be verified against current NIH policy documentation before use in a customer conversation. NSPM-33 agency implementation timelines are not uniform across federal funders.

