Overview
Educational institutions and EdTech contractors face a blend of student-privacy law (FERPA) and federal research-data security requirements (NIST SP 800-171), especially where federally funded research generates Controlled Unclassified Information (CUI).
FERPA
The Family Educational Rights and Privacy Act protects the privacy of student education records. While FERPA is a privacy statute rather than a prescriptive security standard, safeguarding records adequately is a practical necessity, and breaches can jeopardize funding.
NIST SP 800-171 for Research
Universities performing federal research contracts frequently handle CUI (for example, export-controlled or controlled technical information). Those systems must implement NIST SP 800-171, and DoD-funded research can bring DFARS 252.204-7012 and CMMC. Research security has become a focus area, so segmenting CUI research environments is increasingly common.
FISMA and Agency Rules
Systems operated on behalf of the Department of Education or other agencies fall under FISMA and agency ATO processes.
What to Do Next
Identify which research projects generate CUI, segment those environments, and apply NIST SP 800-171 there while maintaining FERPA safeguards across student records. Check Find My Requirements.
Sources
- FERPA, 20 U.S.C. § 1232g / 34 CFR Part 99 (ed.gov); NIST SP 800-171; DFARS 252.204-7012