Increasingly, research sponsors require grantees meet strict security requirements to protect the data and systems used in funded projects. For example, projects involving protected data (e.g., HIPAA, CUI) or export controls may have a heightened security requirement. This is especially common in federally funded research.
To identify sponsor-specific security requirements, regulations, or security frameworks. remember to:
- Carefully read the solicitation to identify security requirements.
- Work with your department and/or the Office of Information Security to develop the best strategy for meeting security requirements.
- Discuss with your research sponsor whether the costs of security compliance can be direct charged to the grant.
- If security costs can be direct charged to the grant, be sure to include those costs in the proposed budget.
Types of Protected Data
Protected data refers to data regulated by federal, state, and local legislation. These data require specific information security controls because they could be used to identify an individual or are sensitive in nature. Visit the Protected Data section on our Data Classification page to learn more.
Example Security Requirements and Regulations
The NIST SP 800-171 details the recommended requirements for defense contractors working with controlled unclassified information (CUI).
The Federal Acquisition Regulation (FAR) describes procurement rules for contracts issued by the federal government. Clause 52.204-21 describes required safeguards for protecting covered contractor information systems.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
The DFARS 7012 clause went into effect on December 31, 2017 as a response to growing cybersecurity threats and data breaches. This regulation applies to Controlled Unclassified Information (CUI) and specifies requirements for defense contractors. In brief, the clause requires contractors to develop, document, and periodically update security plans, submit evidence of compliance with NIST SP 800-171, ensure compliance among subcontractors and cloud providers, and commit to timely reporting of cybersecurity incidents.
The General Data Protection Regulation (EU) regulates privacy and data protection in the European Union.
Data Classification, Office of Information Security
What is CUI? Office of Information Security
Protected Data, Office of Information Security
CMMC at WUSTL, Office of Information Security
Export Control, Office of the Vice Chancellor of Research