Cybersecurity Requirements and Resources for US Nonprofits

US nonprofits occupy a distinct position in the cybersecurity compliance landscape — subject to federal and state data protection obligations, yet often operating without the dedicated security infrastructure common in commercial enterprises. This page maps the regulatory requirements, applicable standards frameworks, and service categories relevant to nonprofit organizations handling donor data, protected health information, or federally derived funding. The Cyber Safety Providers network lists categorized providers for organizations seeking qualified vendors or assessors in this sector.


Definition and scope

Cybersecurity requirements for US nonprofits are not governed by a single unified statute. Instead, obligations arise from intersecting federal frameworks, state privacy laws, and contractual conditions attached to funding sources. A nonprofit's specific compliance profile depends on the type of data it processes, the populations it serves, and the federal programs it participates in.

Three primary regulatory domains apply to the majority of US nonprofits:

  1. HIPAA (Health Insurance Portability and Accountability Act) — Nonprofits that provide healthcare services or operate as business associates of covered entities must comply with the HIPAA Security Rule (45 CFR Part 164), which mandates administrative, physical, and technical safeguards for electronic protected health information (ePHI).

  2. FERPA (Family Educational Rights and Privacy Act) — Nonprofits operating schools or receiving federal education funding are subject to FERPA requirements administered by the US Department of Education, covering the security and privacy of student education records.

  3. State data breach notification laws — All 50 US states have enacted breach notification statutes (National Conference of State Legislatures, State Security Breach Notification Laws). Nonprofits collecting personally identifiable information (PII) from residents of any state must comply with the applicable notification timelines and scope requirements of those states.

Nonprofits receiving federal grants may also face cybersecurity-specific conditions under the Office of Management and Budget's Uniform Guidance (2 CFR Part 200), particularly where IT systems are involved in program delivery or financial management.


How it works

Nonprofit cybersecurity compliance operates through a risk-based framework rather than a prescriptive checklist. The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, provides the most widely referenced structure for this sector. The CSF organizes security activities across five functions: Identify, Protect, Detect, Respond, and Recover.

For nonprofits with limited technical staff, the Center for Internet Security (CIS) publishes the CIS Controls, a prioritized set of 18 safeguard categories. CIS Implementation Group 1 (IG1) is specifically designed for organizations with limited cybersecurity expertise and resources — making it a common baseline for small-to-midsize nonprofits.

A structured compliance process typically proceeds through these phases:

  1. Asset inventory — Identify all systems, data stores, and third-party integrations that handle sensitive information.
  2. Risk assessment — Evaluate threats, vulnerabilities, and potential impact using a documented methodology aligned with NIST SP 800-30 or equivalent.
  3. Policy development — Establish written information security policies covering access control, incident response, and acceptable use.
  4. Technical controls implementation — Deploy safeguards such as multi-factor authentication, encryption at rest and in transit, and endpoint protection.
  5. Training and awareness — Conduct annual security awareness training for all staff, as required under HIPAA and recommended by NIST.
  6. Incident response planning — Maintain a documented incident response plan with defined roles, escalation paths, and breach notification procedures.
  7. Audit and reassessment — Conduct periodic internal or third-party assessments to validate control effectiveness.

Common scenarios

Nonprofit cybersecurity risk concentrates in three operational scenarios that represent distinct regulatory exposures:

Healthcare and social services nonprofits handling ePHI must comply with the HIPAA Security Rule's 75+ implementation specifications across administrative, physical, and technical safeguard categories. A breach affecting 500 or more individuals in a single state triggers mandatory notification to HHS within 60 days (HHS Breach Notification Rule, 45 CFR §164.408).

Education-focused nonprofits operating charter schools or after-school programs funded through Title I of the Elementary and Secondary Education Act face FERPA obligations and, in some states, additional student privacy laws such as California's Student Online Personal Information Protection Act (SOPIPA).

Fundraising and donor management platforms collecting payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. PCI DSS v4.0, released in 2022, expanded requirements around multi-factor authentication and web application security.

The contrast between HIPAA-regulated nonprofits and general-purpose nonprofits is significant: HIPAA organizations face mandatory risk analysis requirements with documented evidence, while non-HIPAA nonprofits typically operate under voluntary frameworks unless state law or grant conditions impose specific mandates.


Decision boundaries

Determining the applicable compliance tier requires answering four structured questions:

  1. Does the organization handle ePHI? If yes, HIPAA Security Rule compliance is mandatory regardless of organizational size or nonprofit status.
  2. Does the organization receive federal funding? If yes, review the specific award conditions and applicable OMB Uniform Guidance provisions for IT security requirements.
  3. Does the organization process payment card transactions? If yes, PCI DSS compliance obligations attach based on transaction volume and processing method.
  4. In which states does the organization collect PII from residents? Breach notification obligations are triggered on a per-state basis — the most stringent state law in the affected resident population typically sets the operational standard.

Organizations that fall outside all four categories above still benefit from adopting CIS IG1 controls as a documented baseline, both for operational resilience and for grant eligibility purposes. Funders including federal agencies and major private foundations increasingly require evidence of security practices as a condition of award. The page describes how qualified service providers are categorized within this reference network, and How to Use This Cyber Safety Resource outlines how to navigate providers by compliance domain.

