Why Research Universities Must Get Serious About IT Compliance

Discover steps to support data governance and IT compliance in higher education.

Universities are engines of discovery, breakthroughs, and innovation. But behind every research project and trial lies a web of data that may include personal, sensitive, and sometimes highly regulated information. For research institutions, understanding and managing IT security and privacy compliance is no longer optional; it is foundational to operations and to the overarching goal of digital transformation.

The Compliance Challenge in Research

From cancer trials to climate science to behavioral studies, university research spans a wide array of data types, each triggering different data protection obligations.

A few examples to illustrate the complexity of the compliance requirements:

  • Clinical trials with human subjects: Health Insurance Portability and Accountability Act (HIPAA), U.S. Food and Drug Administration (FDA) 21 Code of Federal Regulations (CFR) Part 11, International Council for Harmonisation (ICH) Good Clinical Practice (GCP), General Data Protection Regulation (GDPR) if international
  • Veteran or military studies: U.S. Department of Veterans Affairs (VA) directives, Controlled Unclassified Information (CUI)/National Institute of Standards and Technology (NIST) SP 800-171, Cybersecurity Maturity Model Certification (CMMC)
  • Genomic and omics research: National Institutes of Health (NIH) directives, CUI/NIST 800-171
  • Education studies: Family Educational Rights and Privacy Act (FERPA), state student privacy laws
  • Finance or insurance-related research: Gramm-Leach-Bliley Act (GLBA), National Association of Insurance Commissioners (NAIC) privacy rules, state insurance laws
  • International collaborations: UK GDPR, Data Protection Act 2018 (UK), Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), etc.

This list is not exhaustive. There is much more to consider based on an institution’s particular areas of research. To help track it, our team created an extensive list of potential research types and the likely compliance requirements for each. We use this list to help universities understand their data and the associated cyber governance requirements.

What we’ve found from experience is that no single framework covers it all. Universities must navigate a matrix of federal, state, sponsor, and international requirements, and the complexity is only growing.

Emerging Pressures

Beyond business-as-usual compliance activities, we are finding that several new trends are putting additional stress on research compliance offices.

CMMC:

  • New U.S. Department of Defense (DoD) research grants and contracts from November 2025 onward will include CMMC compliance requirements. Since the DoD invests billions in university research, non-compliance could cost a university access to critical funding and partnerships.

NIH Data:

  • NIH contracts are now referencing NIST SP 800-171 for genomics, transcriptomics, proteomics, and metabolomics (omics) data. This effectively pulls health sciences into CUI compliance.
  • Access to data sets and national registries like the Database of Genotypes and Phenotypes (dbGaP) or The Cancer Genome Atlas (TCGA) now requires controls aligned to NIST 800-171, shifting from individual policies to standardized security frameworks.

Global Reach:

  • International partners bring GDPR, European Medicines Agency (EMA), ICH, Medicines and Healthcare products Regulatory Agency (MHRA), and more into play. Compliance is not just based on the university’s location, but also on where the data or participants are.

Based on our experience, many universities are grappling with these requirements and expect to dedicate additional team member hours to meet these compliance requirements.

Steps Universities Should Take

To manage the increased IT compliance requirements effectively, universities should evaluate their current IT compliance programs to make sure they provide enough coverage for their research institutes and departments. Below are steps to consider when enhancing a current program.

Strengthen Governance

Know your data. This means knowing its types, categories, and classifications; which systems process and store it; and how it is shared. Ensure coordination among Institutional Review Boards (IRBs), compliance committees, export control offices, and IT security teams. Compliance is cross-functional, not siloed.

Map the Research Landscape

Document and track a living inventory of the types of research your institution conducts, e.g., clinical trials, social sciences, genomics, animal studies, and defense-funded work.

Align to Baseline Frameworks

Adopt NIST CSF or NIST 800-53 Moderate as a baseline. Layer in specialized frameworks (HIPAA, 21 CFR Part 11, FERPA, CMMC, GDPR) as required. Consider the newly published Cybersecurity Risk Management Construct (CSRMC) for additional frameworks.

Identify Emerging Requirements

Flag scenarios where the compliance bar is rising, such as omics, national registries, and CUI-funded projects. Build a road map for alignment now, e.g., to CUI/NIST 800-171, before contracts mandate it.

Invest in Training & Awareness

Researchers are domain experts, but they are not typically compliance experts. Consider providing practical training on what HIPAA, CUI, GDPR, or dbGaP access controls mean in day-to-day research.

Document, Assess, & Remediate

Complete self-assessments, e.g., NIST 800-171 scoring; track plans of action and milestones (POA&Ms); and be prepared to demonstrate compliance to sponsors and regulators.
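The scoring step above has a concrete shape in the DoD's NIST SP 800-171 assessment methodology: a fully implemented set of requirements scores 110, and each unimplemented requirement subtracts a weight of 5, 3, or 1. The following Python is an added example, not code from the article or from Forvis Mazars; the inventory and the per-requirement weights in it are constructed assumptions (real weights come from the published methodology), and requirements not listed are treated as implemented.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # all 110 requirements implemented


@dataclass
class Requirement:
    req_id: str         # NIST SP 800-171 requirement number, e.g. "3.3.1"
    family: str
    weight: int         # points deducted if not implemented: 5, 3 or 1
    implemented: bool
    poam_due: str = ""  # constructed target date for open items


# Constructed sample inventory. The weights are illustrative assumptions;
# take the real per-requirement values from the published DoD methodology.
# Requirements not listed here are treated as implemented (a simplification).
INVENTORY = [
    Requirement("3.1.1", "Access Control", 5, True),
    Requirement("3.1.2", "Access Control", 5, True),
    Requirement("3.3.1", "Audit and Accountability", 5, False, "2026-03-31"),
    Requirement("3.5.7", "Identification and Authentication", 1, False, "2026-01-15"),
    Requirement("3.8.7", "Media Protection", 3, False, "2026-06-30"),
    Requirement("3.12.4", "Security Assessment", 1, True),
]


def score(reqs):
    """Start at 110 and subtract the weight of every unimplemented requirement."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.implemented)


def poam(reqs):
    """Open items for the plan of action and milestones, highest weight first."""
    open_items = [r for r in reqs if not r.implemented]
    open_items.sort(key=lambda r: (-r.weight, r.req_id))
    return [{"req_id": r.req_id, "family": r.family,
             "points": r.weight, "due": r.poam_due} for r in open_items]


def points_to_target(reqs, target):
    """Points of remediation needed to reach a sponsor's target score."""
    return max(0, target - score(reqs))


if __name__ == "__main__":
    print(f"Assessment score: {score(INVENTORY)} / {MAX_SCORE}")
    for item in poam(INVENTORY):
        print(f"  POA&M {item['req_id']} ({item['family']}): "
              f"{item['points']} pts, due {item['due']}")
    print(f"Points needed to reach {MAX_SCORE}: {points_to_target(INVENTORY, MAX_SCORE)}")
```

Sorting the POA&M by weight puts the 5-point items first, which is where remediation effort moves the sponsor-facing score fastest.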

The Opportunity for Leadership

While the compliance landscape looks daunting, it also creates an opportunity. Universities that get ahead of these requirements can become trusted leaders for sponsors, governments, and industry partners. This may put them in a better position to win more grants, attract more collaborations, and avoid costly breaches or contract penalties.

How Forvis Mazars Can Help

IT compliance is not just an administrative checkbox. It’s a strategic capability for the modern research university. Now is the time to mature your IT compliance routines and possibly enhance your use of Governance, Risk, and Compliance (GRC) platforms. If you have questions or would like to learn more, reach out to a professional at Forvis Mazars.
