NIH's May 25 Research Security Training Deadline Is Almost Here. Every PI and Senior Researcher Has 12 Months to Get Certified.

On May 25, 2026 — eleven days from today — the National Institutes of Health will begin rejecting new grant proposals from any institution that cannot certify every principal investigator and senior researcher has completed compliant research security training within the prior 12 months. The mandate is not a quirk of NIH policy. It is the final domino in a multi-year implementation of Section 10634 of the CHIPS and Science Act of 2022, a statutory requirement that now binds every covered individual submitting to the National Science Foundation, the Department of Energy, the Department of Defense, the U.S. Department of Agriculture, and — as of May 25 — the National Institutes of Health.

For an institution that has been treating research security as a compliance memo to circulate in the fall, May 25 is a wall. New R01s, R21s, U-series cooperatives, training grants, and supplements all become non-submittable the moment a single covered individual on the team lacks a current certification. The certification window is rolling and runs for 12 months, which means an institution cannot simply train everyone once and forget it. PIs who completed training in April 2025 are already out of compliance for any proposal submitted after May 25, 2026.

This deep dive walks through what the statute actually says, who counts as a "covered individual," what the training must cover, the one-hour federally recognized module that satisfies all five agencies, and the operational changes most research offices need to make in the next eleven days to keep their grant pipeline alive.

The Statutory Spine: CHIPS Act Section 10634 and NSPM-33

The story does not start with NIH. It starts with National Security Presidential Memorandum 33 (NSPM-33), issued in January 2021, which directed federal research agencies to require covered individuals to complete research security training as a condition of receiving R&D awards. NSPM-33 was a directive without teeth. The teeth arrived with the CHIPS and Science Act of 2022, which codified the requirement at 42 USC 19234 and gave agencies explicit authority to enforce it.

Section 10634(c) of the CHIPS Act specifies the four content domains every compliant training program must address: cybersecurity, international collaboration and travel security, the proper use of funds (including disclosure, conflict of commitment, and conflict of interest), and foreign interference. Section 10634(b) requires the recipient institution — not the individual researcher — to certify compliance. That certification flows through the institution's authorized organizational representative, not through each PI's personal account, which means the legal exposure for non-compliance sits at the institutional level.

The Office of Science and Technology Policy issued implementation guidelines to federal research agencies in July 2024, setting a coordinated rollout. NSF activated its requirement first under Important Notice 149. DOE followed. USDA and DOD aligned their internal policies. NIH, the last major agency to formalize its policy, set its effective date at May 25, 2026 — a date now eleven days away from every research office in the country.

Who Counts as a "Covered Individual"

The CHIPS Act defines a covered individual as anyone who "contributes in a substantive, meaningful way to the scientific development or execution" of a federally funded R&D project. That definition is broader than the colloquial "PI plus co-PI." In practice, it includes:

• Principal Investigators and Multiple PIs
• Co-Investigators and senior/key personnel listed on the budget
• Postdoctoral researchers with independent scientific roles
• Faculty collaborators at subaward institutions
• National laboratory staff with joint university appointments
• Faculty with foreign appointments or sabbaticals who contribute scientifically to the project

Graduate students, research assistants, and technical staff are generally outside the covered individual definition unless they have independent scientific authorship or decision-making responsibility. The bright line, per DOE guidance, is "substantive, meaningful" scientific contribution — not hours worked or salary charged.

The institutional certification language matters here. When an Authorized Organizational Representative signs the Current and Pending Support disclosure attesting that all covered individuals have completed compliant training, that signature is a False Claims Act exposure. Research offices that have historically treated AOR certification as a procedural rubber stamp are reading the language carefully right now.

What "Compliant Training" Actually Means

The agencies have published two paths to compliance, and the practical difference between them is enormous.

Path 1: The SECURE Center Consolidated Training Module. The SECURE Center — a CHIPS Act–authorized research security center developed in partnership with NSF, NIH, DOE, and DOD — released a free, one-hour Consolidated Training Module at secure-center.org/ctm. Completion of this single module is recognized as compliant by NSF, NIH, DOE, DOD, and USDA. It is the path of least resistance and is what most universities have built their compliance programs around.

Path 2: Institutional Training. Universities may develop their own training programs that meet the statutory content requirements at 42 USC 19234(c). Pre-approval from a federal agency is not required; the Prime Applicant's certification on the proposal is sufficient. The University of Colorado, Iowa State, UC Santa Cruz, and Yale, among others, have built institution-specific modules in SkillSoft, Percipio, CITI, or proprietary LMS platforms. Institutional training is operationally heavier — every module must be reviewed against the statute, every revision documented, every completion tracked — but it lets institutions integrate research security into broader compliance ecosystems alongside RCR, HIPAA, and export controls.

Critically, agencies do not accept external certificates, continuing education credits, or training completed at a prior institution unless that training meets the same statutory content requirements and is documented in the current institution's compliance system. A PI who completed NSF-recognized training at Harvard in 2024 and moved to Yale in 2026 must complete Yale's compliant training before submitting from Yale.

The Eleven-Day Triage

For institutions that have not yet activated a research security training program, the realistic triage between today and May 25 looks like this:

Step 1 — Identify covered individuals on pending and forthcoming NIH submissions. Pull the active-proposal pipeline from your grants management system. Filter to NIH submissions targeting deadlines on or after May 25. Map covered individuals across the prime institution and all subawards.

Step 2 — Audit existing certifications. Most universities have a compliance system (CITI, Percipio, internal LMS) where training completions are logged. Pull a report of who has completed which module in the prior 12 months. The 12-month window is the binding constraint, not "ever completed."

Step 3 — Default to the SECURE Center module for everyone who is not current. It is free, one hour, and recognized by every agency a researcher might submit to. The institutional time investment to develop a custom module in eleven days is not worth it.

Step 4 — Update your AOR certification workflow. The signature that flows on the NIH proposal needs to be backed by a documented institutional record that every covered individual is current. Most research offices are adding a research security training check to their pre-award review checklist, alongside conflict of interest and RCR verification.

Step 5 — Communicate to PIs in writing. A short, direct memo from the VP for Research stating the May 25 deadline, the SECURE Center URL, the one-hour time commitment, and the consequence (proposal rejection) tends to move PI behavior more effectively than an HR-style training email.

The Bigger Picture: Research Security as a New Compliance Layer

Research security training is not a one-time event. The 12-month rolling window means every research office now operates a perpetual compliance machine. Faculty who completed training in May 2026 must be recertified by April 2027 to remain eligible to submit. New hires must be certified before their first federally funded proposal. Sabbatical returns trigger a review. Joint appointments at national labs require dual documentation.

For grant-seeking organizations outside of large R1 universities — small consulting firms, independent research institutes, community-based nonprofits, SBIR/STTR applicants — the operational lift is sharper. A two-person small business submitting an SBIR Phase I to NIH must certify that both researchers have completed compliant training in the prior 12 months. The SECURE Center module is free, but the documentation burden is real, and the AOR signature carries the same False Claims Act exposure as it does at Harvard.

The broader signal is unmistakable. The federal research enterprise is moving toward a compliance posture that treats research security with the same operational weight as human subjects protection, animal welfare, and financial conflict of interest. The agencies that historically diverged on disclosure formats, indirect cost methodologies, and proposal templates have now aligned on a single research security baseline. That alignment is the rare federal grants story where the harmonization actually reduces burden — one one-hour module satisfies five agencies — but only for institutions that act on it before May 25.

For institutions that miss the deadline, the consequence is not a fine or a sanction letter. It is the silent rejection of new proposals at the agency's electronic intake. The grant pipeline stops moving. That is the compliance design: not punishment after the fact, but eligibility gating at the front door. Eleven days from now, the door closes.

For background on the underlying regulatory shift, see our coverage of NSF's merit review overhaul and the broader Executive Order 14332 restructuring reshaping federal grantmaking in 2026.