Compliance & Regulations
Utah State University is committed to protecting the privacy and security of the information entrusted to us by students, faculty, staff, and research partners. As part of this commitment, we must also stay aligned with an evolving regulatory landscape that governs how personal and institutional data are collected, used, and safeguarded. This includes not only federal mandates and international regulations, but also state-specific laws and USHE policy that apply to public institutions in Utah.
Maintaining compliance with these requirements helps ensure that sensitive information is protected from misuse, unauthorized access, and other security threats. It also supports the integrity of our academic, research, and administrative operations. The resources in this section provide an overview of the data protection laws that impact USU, along with practical guidance for understanding your responsibilities and taking the appropriate steps to comply.
As a USU employee or student, did you know the university is required to comply with all of the following regulations? How might we work together to ensure USU continues to meet these expectations while supporting innovation, collaboration, and learning?
State, Federal, & International Regulations
Americans with Disabilities Act
ADA
Jurisdiction
Federal
Description
ADA requirements apply to USU’s digital content, including websites, mobile apps, and other technology platforms, which must be accessible to individuals with disabilities. For public entities such as USU, the Title II regulation adopts WCAG 2.1 Level AA as the technical standard for web content and mobile apps.
Source
ADA.gov - Information and Communication Technology Standards
Cybersecurity Maturity Model Certification (v2.0)
CMMC
Jurisdiction
Federal
Description
A cybersecurity framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the defense industrial base (DIB). CMMC 2.0 defines three levels: Level 1 (basic safeguarding of FCI, aligned with FAR 52.204-21), Level 2 (CUI, aligned with NIST SP 800-171), and Level 3 (CUI, adding selected NIST SP 800-172 requirements). A defense contractor must achieve the level specified in a DoD contract to qualify for that contract.
USU Level 1 Compliance
Source
Family Educational Rights and Privacy Act
FERPA
Jurisdiction
Federal
Description
FERPA protects the privacy of student education records. USU must ensure that student records are not disclosed without the student’s consent, except under specific circumstances, and must allow students to review their records upon request.
FERPA Compliance
Source
Federal Information Security Modernization Act
FISMA
Jurisdiction
Federal
Description
FISMA applies to federal agencies and, through contract terms, to contractors and institutions such as USU that operate systems or handle federal information under federal contracts. It requires information security programs, based on NIST standards, that protect federal information and systems from cybersecurity threats.
Source
General Data Protection Regulation
GDPR
Jurisdiction
International, but impacts U.S. entities handling data from EU residents
Description
If USU processes personal data of individuals located in the European Union (and the wider European Economic Area), for example by offering services to them or monitoring their behavior, it must comply with the GDPR’s data protection and privacy rules, which include lawful-basis and consent requirements, data minimization, breach notification, and data subject rights such as access and erasure.
GDPR Compliance
Source
Gramm-Leach-Bliley Act
GLBA
Jurisdiction
Federal
Description
Under the GLBA and the FTC Safeguards Rule, institutions of higher education that participate in federal student financial aid programs are treated as financial institutions and must implement safeguards to protect customer financial information, including student financial aid data. USU must develop, maintain, and regularly assess a written information security program to protect this information.
GLBA Compliance
Source
Utah Government Records Access and Management Act
GRAMA
Jurisdiction
Utah
Description
GRAMA governs the management, retention, and access to government records in Utah. It balances the public's right to access government information with the right of individuals to privacy. At Utah State University, GRAMA ensures that records are handled with integrity, classified appropriately, and disclosed only as permitted by law.
Source
Utah Code Title 63G Chapter 2 – Government Records Access and Management Act
Health Insurance Portability and Accountability Act
HIPAA
Jurisdiction
Federal
Description
HIPAA regulates the privacy and security of health information. If USU handles any health-related data through its clinics, healthcare programs, or employee benefits programs, it must comply with HIPAA’s stringent requirements for data protection and breach notification.
HIPAA Compliance
Source
National Security Presidential Memorandum 33
NSPM-33
Jurisdiction
Federal
Description
NSPM-33 directs federal agencies to strengthen protections for research and development against foreign interference and cyber espionage. It applies to institutions like USU that engage in federally funded research, requiring greater transparency in research funding and more stringent security measures.
Source
Payment Card Industry Data Security Standard
PCI DSS
Jurisdiction
Industry Standard, enforced through contracts
Description
PCI DSS sets security standards for organizations that process, store, or transmit payment card information. If USU accepts payments through credit cards for tuition or other services, it must comply with PCI DSS to protect cardholder data.
PCI DSS Compliance
Source
Personal Information Protection Law
PIPL
Jurisdiction
China
Description
PIPL governs how entities collect, process, and store the personal information of natural persons located in China, and it also reaches processing outside China that is carried out to provide products or services to people in China or to analyze their behavior. If USU engages in research, collaborations, or data handling involving individuals in China, it must comply with these data protection rules, which are broadly similar to the GDPR.
Source
Utah Government Data Protection Act
GDPA
Jurisdiction
Utah
Description
The Utah GDPA establishes requirements for state agencies and educational institutions regarding the protection of personal data. It mandates that personal data be safeguarded from unauthorized access and imposes notification requirements in the event of data breaches involving personal information.
GDPA Compliance
Source
Utah Protection of Personal Information Act
PPIA
Jurisdiction
Utah
Description
This state law regulates the collection and protection of personal information by businesses and government entities in Utah. It requires notification to affected individuals in the event of a security breach involving personal information, with specific guidelines on how data must be protected.
Source
Information Technology Resource Security Policy
USHE R345
Jurisdiction
Utah Higher Education
Description
This policy governs the security of information technology (IT) resources within institutions under the Utah System of Higher Education (USHE). It requires institutions to protect IT systems and sensitive data by implementing security controls and procedures that align with recognized standards.