Cybersecurity Requirements and Resources for US Nonprofits

US nonprofit organizations face a distinct cybersecurity compliance landscape shaped by the types of data they collect, the federal and state regulations that apply to their activities, and the funding relationships they maintain with government agencies. Nonprofits handling health records, payment data, or grant funds from federal sources are subject to sector-specific regulatory frameworks that carry real enforcement exposure — not merely best-practice guidance. This page maps the applicable regulatory structure, the operational scenarios where compliance obligations arise, and the decision logic nonprofits use to determine which frameworks apply to their organization.


Definition and scope

For cybersecurity purposes, US nonprofits are not a monolithic category. The Internal Revenue Service recognizes more than 30 distinct nonprofit classifications under 26 U.S.C. § 501, but cybersecurity obligations are determined not by tax status but by the nature of data processed, the sector in which the organization operates, and the origin of its funding.

A nonprofit hospital system is subject to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 164), which mandates administrative, physical, and technical safeguards for electronic protected health information — regardless of the organization's tax status. A nonprofit that accepts payment cards must comply with PCI DSS standards maintained by the PCI Security Standards Council. A nonprofit receiving federal grant funds through the Department of Health and Human Services or another agency may be subject to FedRAMP requirements if it processes data in federal cloud environments, and to the cybersecurity provisions embedded in 2 CFR Part 200 (Uniform Guidance), which governs federal award administration.

The Cybersecurity and Infrastructure Security Agency (CISA) does not maintain a nonprofit-specific regulatory framework, but its advisories and the NIST Cybersecurity Framework (CSF) are the primary voluntary reference architectures that funders, auditors, and insurers use to evaluate nonprofit security posture. The NIST CSF organizes controls around five functions: Identify, Protect, Detect, Respond, and Recover. A full breakdown of the CSF structure is available on the NIST Cybersecurity Framework Reference page.


How it works

Cybersecurity compliance for nonprofits operates through four overlapping regulatory channels, each triggered by specific organizational characteristics:

  1. Data type triggers: Organizations collecting protected health information (PHI) fall under HIPAA. Those processing credit card transactions fall under PCI DSS. Those holding student records trigger FERPA (20 U.S.C. § 1232g) requirements.

  2. Funding source triggers: Federal grantees are subject to the cybersecurity conditions embedded in their award agreements, including requirements derived from NIST SP 800-171 for controlled unclassified information (CUI) and 2 CFR Part 200 audit requirements.

  3. State law triggers: All 50 US states have enacted data breach notification statutes, and a growing subset — including California (CCPA/CPRA), Virginia (VCDPA), and Colorado (CPA) — imposes broader data protection obligations. The full state-by-state breakdown is covered on the State Cybersecurity Laws by State page.

  4. Contractual triggers: Nonprofits acting as business associates under HIPAA, as subcontractors on federal awards, or as vendors to regulated entities inherit compliance obligations through contractual chains regardless of their direct regulatory exposure.

Compliance verification typically runs through annual audits, third-party assessments, or self-attestation depending on the applicable standard. HIPAA enforcement falls to the HHS Office for Civil Rights (OCR), which has assessed civil monetary penalties reaching $1.9 million in individual settlements against covered entities including nonprofits.


Common scenarios

Three operational scenarios account for the majority of cybersecurity compliance questions nonprofits encounter:

Healthcare and social services nonprofits: Organizations providing direct patient care, behavioral health services, or insurance-adjacent services are covered entities under HIPAA. Their cybersecurity obligations include a mandatory risk analysis, workforce training, access control policies, and breach notification within 60 days of discovery to affected individuals and HHS OCR. The Healthcare Cybersecurity and HIPAA Standards page details the technical safeguard requirements.

Education and youth-serving nonprofits: Nonprofits operating after-school programs, charter schools, or higher education access programs that maintain student educational records are subject to FERPA. Those receiving federal education funding through Title IV programs face additional Department of Education cybersecurity guidance published under 34 CFR Part 668.

Advocacy and community organizations with donor databases: Organizations maintaining donor personally identifiable information (PII) without a sector-specific federal overlay are primarily governed by state privacy and breach notification laws. A nonprofit operating nationally must map its breach notification obligations against the laws of each state where donors or clients reside — a compliance burden that reaches all 50 states for large membership organizations.


Decision boundaries

The threshold question for any nonprofit evaluating its cybersecurity obligations is whether it qualifies as a covered entity or business associate under a federal sector statute, or whether its obligations derive primarily from state law and contractual arrangements.

A covered entity under HIPAA faces mandatory compliance with a codified federal standard enforceable by a federal agency. A nonprofit outside any federal sector statute faces a patchwork of state obligations with no single federal baseline — but is not exempt from enforcement. State attorneys general have authority to enforce data breach notification and privacy statutes, and Section 5 of the FTC Act (unfair or deceptive practices) has been applied to nonprofits that misrepresented their data security practices.

Nonprofits evaluating whether to pursue formal cybersecurity certifications should distinguish between voluntary frameworks (NIST CSF, ISO/IEC 27001) and mandatory standards (HIPAA Security Rule, PCI DSS). Certifications relevant to the nonprofit sector — including SOC 2 Type II examinations and HITRUST assessments — are covered in the Cybersecurity Certifications and Credentials reference. Organizations seeking to assess their current risk posture against these frameworks can reference the Cybersecurity Risk Assessment Frameworks page for methodology comparisons.

