

Research Cybersecurity and Data Security Resources


This page provides practical guidance on the research cybersecurity and data security requirements that apply to sponsored projects administration when receiving federal research funding. The US government has issued multiple directives requiring federal agencies and contractors to develop and implement programs that identify and mitigate research security risks. Many research projects handle sensitive data linked to critical sectors such as defense, public safety, technology, and infrastructure. If your award contains enhanced cybersecurity or data security language, your OSR Contract and Grant Officer will coordinate with the VPDoR Research Security, Export Controls, and Global Engagement team, Stanford Information Security, the University Privacy Office, and other stakeholders as needed.

NSPM-33

The National Security Presidential Memorandum-33 (NSPM-33) is a presidential directive that requires all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards. NSPM-33 also requires research institutions receiving federal funds to establish research security programs, and organizations awarded more than $50 million per year in total federal research funding must certify that they have implemented a research security program that includes four elements: cybersecurity, foreign travel security, research security training, and export control training. See VPDoR Research Security, Export Controls, and Global Engagement Review Program for information on Stanford’s research security program.

For most researchers, NSPM-33 applies through the NSPM-33 Implementation Guidance on pre- and post-award disclosures relating to the Biographical Sketch and Current and Pending (Other) Support. The ORA disclosure resources webpage sets out the various Federal agency disclosure requirements, including those under NSPM-33 and Section 10632 of the CHIPS and Science Act of 2022 (42 U.S.C. § 19232).

NIST 800-171 and Cybersecurity Maturity Model Certification (“CMMC”)

On November 10, 2025, the Department of Defense (DoD) final rule Assessing Contractor Implementation of Cybersecurity Requirements took effect, making CMMC a condition of eligibility for most DoD contract awards and of continued performance. CMMC Level 1 covers Federal Contract Information (FCI) and corresponds to the basic safeguarding requirements of FAR 52.204-21; CMMC Level 2 covers Controlled Unclassified Information (CUI) and corresponds to the 110 security requirements of NIST SP 800-171, which apply when CUI is processed, stored, or transmitted on non-federal systems, such as those of government contractors. DFARS 252.204-7012 requires covered contractor information systems to implement NIST SP 800-171, and DFARS 252.204-7020 allows the federal government to assess how completely contractors have done so, with assessment scores reported in the Supplier Performance Risk System (SPRS). While most research at Stanford is fundamental research that does not involve CUI and is exempt from CMMC requirements, DoD may still ask about Stanford’s CMMC Level 1 and Level 2 status at the time of proposal. Other federal agencies also have the authority to designate data as CUI and to require enhanced cybersecurity controls.

The table at the bottom of the UIT Risk Classifications webpage sets out which Stanford environments are appropriate for each data classification, including data subject to NIST SP 800-171 and CMMC. The UIT webpages Protect Sensitive Data at Stanford and Protect Information Assets explain how to safeguard sensitive data and information assets generally.

NIH Security Requirements for Controlled-Access Data

Effective January 25, 2025, NIH notice NOT-OD-24-157 implements heightened security requirements for controlled-access data. The NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy require all researchers who access NIH controlled-access data to ensure that their institutional systems, third-party IT systems, and Cloud Service Providers (CSPs) comply with NIST SP 800-171. This includes attesting to compliance as part of new or renewed Data Use Certifications executed on or after January 25, 2025. This ORA webpage contains guidance on action items for researchers and specific resources for complying with the requirement.

Bulk Data Transfer Rule

This ORA resource provides information on the Department of Justice (DOJ) final rule implementing Executive Order 14117: Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. Knowledge of these regulations is important when transferring bulk sensitive personal data or U.S. Government-related data to Countries of Concern (CoCs): China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, and Cuba.

General Applicability for Researchers:

When Sharing Bulk Data Internationally

  • When planning to send Bulk Data to CoCs, contact ORA to discuss whether the transfer is covered by the Bulk Data Rule, whether any exemptions apply, and how to meet the Rule’s recordkeeping requirements. Note that there is no exception for de-identified, anonymized, or encrypted data.
  • When sending Bulk Data to foreign parties that are not CoCs, specific agreement language prohibiting onward transfers to CoCs or Covered Persons is required.
  • Contact ORA within 24 hours if:
    • You learn of or suspect a contractually prohibited onward transfer.
    • You receive an offer from another person to engage in any prohibited bulk data brokerage transaction.
  • There are additional requirements for restricted transactions under Vendor Agreements, Employment Agreements, and Investment Agreements.

When Sharing Bulk Data with US Entities

  • The Bulk Data Rule does not restrict sending bulk data to researchers at universities or institutions in the U.S., provided the recipient is not designated as a Covered Person on the NSD Covered Persons List. However, a data use agreement that includes a provision restricting onward transfers of the data in accordance with the Rule is still required.

When Stanford is the Recipient of Bulk Data

  • The Bulk Data Transfer Rule applies to outgoing data. However, partner universities have begun to place the burden on data recipients to ensure compliance with the Rule, requiring Stanford researchers to ensure that Bulk Data they receive is handled in compliance with it.
  • If a researcher plans to access covered data from a foreign country, contact ORA to discuss, as such access could itself constitute a “transfer”.
  • If Stanford is a recipient of Bulk Data, contact ORA within 24 hours if:
    • You are accessing Bulk Data from a Country of Concern.
    • You fall under the definition of a Covered Person.
    • You provide access to the data to a Country of Concern or Covered Person.

Resources for Additional Federal Requirements Related to Research Data and Research Security

Covered Entities and Prohibited Components: This page provides notice of government prohibitions on certain products, services, and equipment, including NDAA Section 889 (Huawei Technologies Company and other covered entities), NDAA Section 1634 (Kaspersky Lab and other covered entities), OMB M-23-13 (TikTok and Lark), and NDAA Sections 1821, 1822, and 1826 (American Security Drone Act).

U.S. Federal Agency Public Access Requirements: This Stanford University Library Public Access Policies webpage outlines the federal government’s public access mandate, which requires that all publicly funded research, including publications and the underlying data, be made publicly accessible immediately upon publication, and that all agencies have updated public access policies in place by December 31, 2025. For further information or to request a consultation, Stanford’s Office of Scholarly Communications is available to Stanford community members who have questions about navigating public access requirements.