What are the Security Expectations of Your Research Sponsor?

Increasingly, research sponsors require that grantees meet strict security requirements to protect the data and systems used in funded projects. For example, projects involving protected data (e.g., HIPAA, CUI) or export controls may carry heightened security requirements. This is especially common in federally funded research.

To identify sponsor-specific security requirements, regulations, or security frameworks, remember to:

  1. Carefully read the solicitation to identify security requirements.
  2. Work with your department and/or the Office of Information Security to develop the best strategy for meeting security requirements.
  3. Discuss with your research sponsor whether the costs of security compliance can be direct charged to the grant.
  4. If security costs can be direct charged to the grant, be sure to include those costs in the proposed budget.

Types of Protected Data

Protected data refers to data regulated by federal, state, and local legislation. These data require specific information security controls because they could be used to identify an individual or are sensitive in nature. Visit the Protected Data section on our Data Classification page to learn more.

Example Security Requirements and Regulations

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171

NIST SP 800-171 details the recommended security requirements for defense contractors working with controlled unclassified information (CUI).

Federal Acquisition Regulation (FAR) 52.204-21: Basic Safeguarding of Covered Content

The Federal Acquisition Regulation (FAR) describes procurement rules for contracts issued by the federal government. Clause 52.204-21 describes required safeguards for protecting covered contractor information systems.

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

The DFARS 7012 clause went into effect on December 31, 2017 as a response to growing cybersecurity threats and data breaches. This regulation applies to Controlled Unclassified Information (CUI) and specifies requirements for defense contractors. In brief, the clause requires contractors to develop, document, and periodically update security plans, submit evidence of compliance with NIST SP 800-171, ensure compliance among subcontractors and cloud providers, and commit to timely reporting of cybersecurity incidents.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (EU) regulates privacy and data protection in the European Union.

Additional Resources

Data Classification, Office of Information Security

What is CUI? Office of Information Security

Protected Data, Office of Information Security

CMMC at WUSTL, Office of Information Security

Export Control, Office of the Vice Chancellor of Research