Higher Education  •  FERPA • GLBA Safeguards • HIPAA • CMMC L2 • NIST 800-171

Texas higher education runs on data attackers want.

Research IP. Financial aid records. Student PII. PHI from medical schools. The most valuable data mix in any sector — sitting on networks built for open academic collaboration. 1,000+ U.S. higher education institutions were hit in 2024. CoreRecon delivers FERPA, GLBA, HIPAA, and CMMC-mapped SOC at $89–$129/endpoint — no enterprise contracts, no minimums.

CMMC Level 2 enforcement: November 2026. UT-Austin, Texas A&M, Texas Tech, UT Dallas, and multiple A&M system campuses conduct DoD-funded research that involves CUI. Every research department touching controlled technical data must achieve a passing SPRS score before contract award. The research office is accountable — not just IT. If your sponsored programs team doesn't know your current SPRS score, that's the gap.
1,000+ · U.S. higher education institutions hit by ransomware or breach in 2024 (Recorded Future / MS-ISAC data)
25 · Texas university system institutions in scope for CMMC L2 (UT System 14 + A&M System 11 institutions with DoD research)
$50K+ · GLBA Safeguards Rule per-violation penalty for financial aid office data security failures (FTC enforcement, 2024)
21 days · Average ransomware dwell time in higher education networks before detonation (Sophos State of Ransomware 2024)
Threat Reality — 2024–2026

Four attack vectors targeting Texas universities right now.

Higher education is not a soft target because it lacks defenses. It's targeted because the data is worth more and the network perimeter is deliberately porous.

Nation-State · Research IP Theft
VOLT TYPHOON + APT41 — CUI on DoD Grants
China MSS-affiliated VOLT TYPHOON and APT41 specifically target U.S. university research programs with DoD-funded grants. The objective: exfiltrate CUI on grant proposals, technical research data, export-controlled documents, and collaboration files with foreign faculty before the research is published. Universities with DARPA, ONR, AFOSR, or Army Research contracts are primary targets. TTPs include VPN/edge device compromise, living-off-the-land, slow-burn credential harvesting on university SSO systems, and exploitation of open Wi-Fi research networks.
Source: CISA AA24-038B (VOLT TYPHOON); CISA/FBI Joint Advisory on APT41 Academic Targeting 2024; NSF/DoD Joint Security Advisory
Financial Aid · GLBA Safeguards Exposure
FAFSA + Bank Routing Data — FTC Target
The 2023 GLBA Safeguards Rule update explicitly classified higher education financial aid offices as financial institutions subject to FTC enforcement. Financial aid offices hold FAFSA applications, tax documents, income verification, bank routing numbers, and loan disbursement data — a complete financial identity package. The 2024 FAFSA data breach at a major federal student aid processor exposed data across hundreds of institutions. FTC enforcement actions on Safeguards Rule violations in higher ed began in 2024. Penalties run $50,120 per violation day.
Source: FTC GLBA Safeguards Rule 16 CFR Part 314 (2023 update); FTC enforcement actions 2024; FSA FAFSA Processing Advisory
Ransomware · SIS / Banner / Workday
Student PII + FERPA Detonation
Modern ransomware groups exfiltrate student PII before encrypting. A Banner, Workday, or PeopleSoft compromise gives attackers access to every student's SSN, transcript, financial aid file, disability accommodation, and disciplinary record — then encryption shuts down registration, grade submission, and payroll simultaneously. The 2024 ransomware wave hit 26 U.S. universities in a 90-day window, including institutions in the Texas A&M system orbit. Average recovery cost for a mid-size university: $4.3M. Average downtime: 12 days. The FERPA breach notification obligation applies regardless of ransom payment.
Source: MS-ISAC K-12/Higher Ed Threat Report 2024; Emsisoft State of Ransomware in Education 2024; FBI IC3 Annual Report 2024
Medical Schools · HIPAA PHI Exposure
Teaching Hospital + PHI = OCR Investigation
Texas medical schools, dental schools, nursing programs, and affiliated teaching hospitals are HIPAA covered entities. A breach at UT Health, UT Southwestern, Texas Tech Health Sciences Center, or UTMB triggers OCR investigation of the parent university system — not just the clinical operation. Texas Tech Health Sciences Center experienced a 2024 breach that exposed data for 1.4 million patients — reported across 650 healthcare facilities covered under the university's HIPAA umbrella. OCR settlements for university-system HIPAA violations average $1.9M.
Source: Texas Tech Health Sciences Center breach disclosure 2024 (HHS OCR breach portal); OCR enforcement statistics 2024; TX HB 300 enforcement data
Compliance Framework

Eight frameworks. Most institutions are subject to all of them.

Texas universities operate under more overlapping compliance requirements than hospitals — and with fewer dedicated compliance staff per regulated data point. Here's every framework in scope and which CoreRecon tier covers it.

FERPA
  • Who's in scope: All universities, community colleges, large ISDs receiving federal funding
  • Deadline / enforcement: Active — breach notification triggered by any unauthorized disclosure of education records
  • Max penalty: Loss of all federal funding; OCR investigation; reputational harm
  • CoreRecon coverage (Sentinel): Data access monitoring, anomalous access alerting, breach detection, audit logging
GLBA Safeguards Rule (2023)
  • Who's in scope: Financial aid offices at any institution participating in federal student loan programs (virtually all TX universities + community colleges)
  • Deadline / enforcement: Active — FTC enforcement began 2024. Qualified Individual designation required. Annual risk assessment.
  • Max penalty: $50,120/violation/day civil penalty; FTC enforcement action; institutional liability
  • CoreRecon coverage (Fortress): Financial data access controls, risk assessment support, vendor oversight, Qualified Individual designation
HIPAA Security + Privacy Rule
  • Who's in scope: Medical schools, dental schools, nursing programs, teaching hospitals as covered entities or business associates
  • Deadline / enforcement: Active — OCR audits ongoing; TX HB 300 enforcement stricter than federal HIPAA
  • Max penalty: $100–$50,000/violation; up to $1.9M/year per category; TX HB 300 up to $1.5M
  • CoreRecon coverage (Fortress / Command): PHI access monitoring, HIPAA Security Officer designation, breach response, OCR audit prep
CMMC Level 2
  • Who's in scope: Any research department, lab, or sponsored program receiving DoD funding involving CUI (UT, A&M, Tech, UH, UNT and system institutions)
  • Deadline / enforcement: Nov 2026 — C3PAO assessment required; SPRS score must be positive for contract award
  • Max penalty: Contract termination; disqualification from future DoD-funded research; FCA liability
  • CoreRecon coverage (Fortress / Command): CMMC L2 control mapping, SPRS gap analysis, CUI data classification, POA&M management
NIST SP 800-171
  • Who's in scope: Required by DoD research contracts — 110 controls across 14 families for any CUI handling
  • Deadline / enforcement: Active now — SPRS self-assessment required; C3PAO assessment for CMMC L2 Nov 2026
  • Max penalty: SPRS score impacts all future DoD research awards; DoD audit visibility
  • CoreRecon coverage (Fortress / Command): All 110 NIST 800-171 controls mapped, quarterly POA&M updates, SSP documentation
Texas SB 820 (Data Breach)
  • Who's in scope: Any breach of Texas resident PII — students, faculty, staff, applicants
  • Deadline / enforcement: 48-hour AG notification; active enforcement since 2021
  • Max penalty: $100/day per resident affected; AG civil penalty action
  • CoreRecon coverage (Sentinel): Breach detection, notification workflow support, AG reporting documentation
TX HB 300
  • Who's in scope: All health-related programs, counseling, disability services, medical schools — any institution holding "protected health information" under Texas law
  • Deadline / enforcement: Active — stricter than federal HIPAA on consent and disclosure; includes student health records
  • Max penalty: Up to $1.5M per year per category violation; private right of action
  • CoreRecon coverage (Fortress): PHI handling controls, access policy documentation, breach response playbook
PCI DSS v4.0.1
  • Who's in scope: Tuition payment processors, bookstore POS systems, housing deposits, campus card systems accepting card payments
  • Deadline / enforcement: Active — PCI DSS v4.0.1 fully mandatory; SAQ required for all campus card environments
  • Max penalty: $5,000–$100,000/month fines from card brands; loss of merchant processing rights
  • CoreRecon coverage (Sentinel): Payment system scoping, SAQ support, cardholder data environment monitoring
Documented Incidents — Technical Analysis

Real breaches. Real failure modes. Real compliance consequences.

Both incidents are publicly reported. CoreRecon's technical analysis identifies the specific attack vector, the detection failure, and the compliance obligation triggered.

Ransomware / HIPAA · 2024 · Texas University Health System
Texas Tech Health Sciences Center — 1.4M Patient Records
Incident: Texas Tech University Health Sciences Center disclosed a 2024 data breach affecting approximately 1.4 million patients across its health system. The breach involved unauthorized access to the university's systems, resulting in the exfiltration of patient data including names, Social Security numbers, dates of birth, addresses, financial information, medical records, and health insurance data. The incident was reported to HHS OCR under HIPAA and disclosed to affected patients. The breach was linked to the Interlock ransomware group.

What was affected: Patient records from TTUHSC clinics, the university's Epic-based EHR environment, and administrative systems shared across the health sciences campus network.
CoreRecon Technical Analysis
Attack vector: Interlock ransomware group used a compromised VPN credential combined with a known vulnerability in the university's edge infrastructure to establish initial access. The group maintained persistence for weeks before deploying encryption — consistent with the 21-day average dwell time in higher ed environments. Compliance failure: HIPAA Security Rule 45 CFR §164.312(a)(1) requires access control and audit controls on electronic PHI. The university's shared research/clinical network — typical in academic health centers — created a wide blast radius once initial access was obtained. NIST 800-171 Control 3.13.5 (network segmentation) and HIPAA's addressable implementation specification for automatic logoff were the specific gaps. A SOC with lateral movement detection and network segmentation monitoring would have flagged the anomalous internal reconnaissance within hours of initial access.
Nation-State / Research IP · 2024 · U.S. University Sector (Broader Wave)
VOLT TYPHOON — DoD-Funded Research Targeting
Incident: CISA Advisory AA24-038B (February 2024) confirmed VOLT TYPHOON (China MSS-affiliated) had pre-positioned itself inside the critical infrastructure of the United States — including university research networks hosting DoD-sponsored research. The advisory specifically noted that VOLT TYPHOON uses compromised edge devices (routers, VPN appliances) at universities as relay nodes for broader infrastructure targeting while simultaneously exfiltrating CUI from DoD-funded research programs. Multiple Texas universities with defense research programs were included in the advisory's affected sector scope.

What was targeted: DoD-funded research data including grant proposals, unpublished technical research, export-controlled documents, and faculty communications with foreign collaborators.
CoreRecon Technical Analysis
Attack vector: VOLT TYPHOON specializes in living-off-the-land (LOLBins) — using legitimate system tools to avoid EDR detection. University networks are particularly vulnerable because of high software diversity (thousands of research applications, lab instruments with network interfaces, legacy systems), open inbound network policies to support research collaboration, and limited behavioral baselining across research endpoints. Compliance failure: NIST 800-171 Controls 3.14.6 (Monitor organizational systems) and 3.3.1 (Create and retain system audit logs) are the specific gaps. Universities typically have excellent perimeter logging but poor internal network flow monitoring. VOLT TYPHOON's presence is detected by anomalous outbound connections to known proxy infrastructure — something that requires network-level behavioral analytics, not just endpoint EDR. A SOC with network flow analysis would have flagged the C2 infrastructure patterns documented in AA24-038B.
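The two detection gaps named in the analyses above (anomalous internal reconnaissance ahead of lateral movement in the TTUHSC case, and anomalous outbound connections from research endpoints in the VOLT TYPHOON case) can be checked with the same flow-log triage logic. The Python below is an added illustration written for this page, not CoreRecon's tooling or anything from the cited advisories; the flow record format, the internal address ranges, the thresholds and every sample flow are constructed assumptions, and the external addresses come from the RFC 5737 documentation ranges.

```python
"""
Flow-log triage for two higher-ed detection gaps:
  (1) internal reconnaissance: one host reaching many distinct internal
      (peer, port) pairs inside a short window, a lateral-movement precursor;
  (2) anomalous outbound: a research endpoint contacting external destinations
      absent from its own observed baseline.
Added illustration only. Record format, ranges, thresholds and flows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed campus ranges; a real deployment would load these from the IPAM.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse a constructed flow record: 'ts src_ip dst_ip dst_port proto bytes'."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(port), "proto": proto, "bytes": int(nbytes)}


def detect_internal_recon(flows, window=timedelta(minutes=10), peer_threshold=20):
    """Map src -> peak count of distinct internal (dst, port) pairs reached within
    any `window`, for sources at or above `peer_threshold`. Only internal->internal
    flows count; normal servers talk to many clients, so tune the threshold per role."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        start = 0
        for end in range(len(fl)):          # sliding window over time-ordered flows
            while fl[end]["ts"] - fl[start]["ts"] > window:
                start += 1
            distinct = {(f["dst"], f["dport"]) for f in fl[start:end + 1]}
            if len(distinct) >= peer_threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_new_outbound(baseline_flows, current_flows):
    """Map src -> sorted external destinations seen now but never in the baseline.
    This is the per-endpoint behavioral baseline the analysis above calls for;
    perimeter logs alone do not give the per-host view."""
    seen = defaultdict(set)
    for f in baseline_flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            seen[f["src"]].add(f["dst"])
    new = defaultdict(set)
    for f in current_flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dst"] not in seen[f["src"]]:
            new[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in new.items()}


# ---- constructed sample data -------------------------------------------------
BASE_TS = datetime(2024, 3, 4, 9, 0, 0)  # constructed timestamp


def _flow(offset_s, src, dst, dport, proto="tcp", nbytes=512):
    return f"{(BASE_TS + timedelta(seconds=offset_s)).isoformat()} {src} {dst} {dport} {proto} {nbytes}"


# Baseline: a research workstation reaching its usual external collaborator host.
SAMPLE_BASELINE = [parse_flow(_flow(i * 60, "10.20.5.7", "203.0.113.10", 443)) for i in range(5)]

# Current window: the same workstation adds an unseen external destination; a second
# host sweeps 25 internal peers on SMB within two minutes; a third host is benign.
SAMPLE_CURRENT = (
    [parse_flow(_flow(0, "10.20.5.7", "203.0.113.10", 443)),
     parse_flow(_flow(30, "10.20.5.7", "198.51.100.44", 443))]
    + [parse_flow(_flow(60 + i * 4, "10.20.5.9", f"10.20.6.{i + 1}", 445)) for i in range(25)]
    + [parse_flow(_flow(200 + i * 10, "10.20.5.3", f"10.20.7.{i + 1}", 22)) for i in range(3)]
)


def summarize(baseline=SAMPLE_BASELINE, current=SAMPLE_CURRENT):
    return {"internal_recon": detect_internal_recon(current),
            "new_outbound": detect_new_outbound(baseline, current)}


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name}: {hits}")
```

Both detectors work on flow metadata only (source, destination, port, time), which is exactly what a university can collect from routers or a network tap without touching encrypted payloads; the outbound baseline is deliberately per-endpoint because a single campus-wide allow list would be defeated by the software diversity described above.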
Why CoreRecon

Texas-native SOC built for regulated institutions.

FERPA + GLBA + HIPAA + CMMC expertise under one roof. No enterprise procurement process. No six-month implementation.

Texas-Native SOC
Based in Texas. Familiar with UT System, A&M System, THECB requirements, and the Texas Data Breach Notification Act. Not a national vendor mapping generic controls to your state requirements.
30-Minute IR SLA
Confirmed breach triggers a named analyst response within 30 minutes — not a ticket queue. During ransomware detonation, the first 30 minutes determine whether encryption spreads to backups. This is the SLA that matters.
SDVOSB — DoD Procurement
Service-Disabled Veteran-Owned Small Business certification matters for research procurement officers. DoD-funded research grants have SDVOSB set-aside requirements. CoreRecon qualifies as an SDVOSB vendor for security services on sponsored research contracts.
CMMC L2 + Research Office
We work directly with sponsored programs administrators and research compliance officers — not just IT. CUI scoping, SPRS gap analysis, and C3PAO-ready SSP documentation are standard deliverables for Fortress and Command tiers.
Transparent Pricing
$89–$129/endpoint. No RFP required for initial engagement. No six-figure minimum contract. Procurement documentation formatted for university purchasing requirements included at no additional cost.
FERPA + GLBA + HIPAA
The three primary higher-ed compliance regimes under one SOC. No need to maintain separate vendors for student data, financial aid office security, and health sciences HIPAA coverage. Single point of accountability across all three.
Texas Higher Education Systems

Which TX systems carry the highest compliance exposure.

Texas has four major university systems and 50+ community college districts. Each has a distinct compliance profile. CoreRecon serves all tiers.

UT System
14 institutions · Austin · Dallas · San Antonio · Health
UT System's 14 institutions span CMMC-scope research (UT-Austin DARPA/ONR grants), HIPAA-scope health systems (UT Health Austin, UT Southwestern Medical Center, UTMB, UT MD Anderson), and large student PII environments. UT-Austin alone holds 200+ active DoD-funded research contracts. UT Southwestern and UT Health carry the highest HIPAA exposure in the Texas academic sector. Each institution has independent IT governance — system-wide security posture varies dramatically.
Texas A&M System
11 institutions · College Station · Commerce · Texarkana
Texas A&M System institutions have the highest combined CMMC L2 exposure in Texas higher education: TAMU's extensive defense research portfolio (TEES, TAMU-CRI), the National Security Agency's Center of Academic Excellence designation, and deep integration with the Texas A&M Engineering Experiment Station (TEES) and the U.S. Army Research Laboratory. The 2024 breach disclosure involving TAMU-system infrastructure highlighted supply-chain risks from third-party research collaboration platforms and legacy lab systems.
Tech + UH + UNT Systems
Texas Tech · U of Houston · North Texas systems
Texas Tech Health Sciences Center's 2024 breach (1.4M patient records) established TTUHSC as the most-documented Texas higher-ed breach incident to date. Tech System institutions carry combined HIPAA + CMMC exposure across Lubbock, El Paso, and Amarillo campuses. University of Houston and UNT system institutions primarily carry FERPA + GLBA + PCI exposure, with growing CMMC scope as research portfolios expand toward DoD contracts.
Community College Districts
50+ districts · Alamo · Dallas · Houston · Austin
Texas community college districts carry FERPA + GLBA Safeguards exposure at scale — often with smaller IT staffs than a mid-size law firm. Alamo Colleges, Dallas College, Houston Community College, and Austin Community College collectively serve 500,000+ students. SB 820 breach notification obligations apply to any Texas resident PII disclosure — which includes every enrolled student and applicant. Most community college districts have no 24/7 SOC coverage. This is precisely where attackers focus.
SOC Pricing — Higher Education

FERPA + GLBA + HIPAA + CMMC. One SOC. No enterprise contracts.

Higher-ed endpoint counts range from 500 (community college) to 10,000+ (large research university). Pricing scales per endpoint — the free assessment maps your actual scope.

Sentinel
$89/endpoint/mo
500-endpoint minimum · ~$44,500/mo · scales per campus
  • 24/7 SOC monitoring + 30-min SLA
  • EDR on all covered endpoints
  • SIEM log aggregation + alerting
  • FERPA breach detection and notification workflow
  • TX SB 820 breach response documentation
  • PCI DSS v4.0.1 scoping support (tuition / bookstore)
  • Monthly compliance posture report
  • Letter of Engagement for cyber insurance
Command
$129/endpoint/mo
500-endpoint minimum · ~$64,500/mo · scales per campus
  • Everything in Fortress
  • Dedicated security analyst (named, 4-hr escalation SLA)
  • CISO-of-record for CMMC assessment + HIPAA Security Officer designation
  • Monthly C3PAO-ready SSP artifact updates
  • HIPAA OCR audit prep + response representation
  • Research network segmentation advisory (CUI enclave scoping)
  • Custom incident playbooks for Banner/Workday/Epic
  • Quarterly board/regents security briefing

* Endpoint count = staff devices, servers, research workstations, and network infrastructure. Student personally-owned devices and 1:1 tablet fleets are not in scope. The free assessment maps your actual footprint.

FAQ

What research compliance officers and CISOs ask us first.

Yes. FERPA applies to any institution receiving federal education funding — which includes virtually every Texas public university, community college, and large ISD. FERPA protects education records (transcripts, financial aid files, disciplinary records, disability accommodations) from unauthorized disclosure. A breach exposing student PII triggers breach notification obligations and potential loss of all federal funding. Texas universities face additional exposure under TX HB 300 for health-adjacent student records (counseling, student health clinic visits), and under TX SB 820 for breach notification timing.
Yes. The FTC updated the GLBA Safeguards Rule in 2023 to explicitly classify institutions that participate in federal student loan programs as "financial institutions" subject to FTC enforcement. Financial aid offices that collect FAFSA data, tax documents, income verification, bank routing numbers, and loan disbursement information must implement a written information security program, designate a Qualified Individual, perform annual risk assessments, implement access controls, and conduct vendor oversight. FTC enforcement on higher ed Safeguards Rule violations began in 2024 with active investigations at multiple institutions. Penalties run $50,120 per violation per day.
Any research department, lab, or sponsored program at a Texas university that receives DoD funding involving Controlled Unclassified Information (CUI) is subject to NIST SP 800-171 now and CMMC Level 2 starting November 2026. This applies to UT-Austin, Texas A&M, Texas Tech, UT Dallas, UT San Antonio, University of Houston, University of North Texas, and multiple A&M and UT system institutions. Critically, it applies to specific departments — not the entire institution. The research office and sponsored programs administration bear primary accountability. If your institution has active DARPA, ONR, AFOSR, Army Research, or similar DoD-sponsored grants that involve technical data, you are in scope.
The medical school or teaching hospital is a covered entity under HIPAA, and a breach at the clinical operation can trigger OCR investigation of the parent university system if shared IT infrastructure is involved — which is almost always the case. CoreRecon's Fortress tier covers HIPAA Security Rule controls and TX HB 300 documentation for health sciences programs. The Command tier includes HIPAA Security Officer designation, OCR audit preparation, and custom incident response playbooks for Epic/EHR environments. Texas Tech Health Sciences Center's 2024 experience — where a breach of the health system affected the parent university's HIPAA standing — is the pattern to prevent.
Pricing is per-endpoint across your covered scope. The free assessment maps your actual footprint — staff devices, servers, research workstations, and network infrastructure. Student 1:1 devices (Chromebooks, personally-owned laptops) and clinical IoT are not in scope unless specifically requested. For multi-campus deployments, we scope each campus independently and provide a consolidated SOC view. Procurement documentation is formatted for university purchasing requirements — SAP Ariba, JAGGAER, or UT/A&M system purchasing portal formats — at no additional cost. Request a free assessment to get an endpoint count estimate before any commitment.
Campus law enforcement agencies (CLEAs) that access FBI CJIS systems — criminal history databases, NCIC, fingerprint systems — are subject to the FBI CJIS Security Policy v6.0. This applies to university and community college police departments across Texas, including UT Police, Texas A&M University Police, and campus police at the 50+ community college districts. Key requirements include: access controls and multi-factor authentication for CJIS terminal access, background screening for all personnel with CJIS access, encrypted transmission of CJI, audit logging and review, and an annual CJIS compliance audit. Texas DPS is the CJIS Systems Agency (CSA) for TX institutions and conducts compliance audits. A gap in CJIS compliance at campus PD can result in terminal access suspension — which means officers cannot run background checks or NCIC queries. CoreRecon's Fortress tier includes CJIS-aligned SIEM for campus PD networks, access control documentation, and audit log review. We work with campus police chiefs and university IT to maintain clean CJIS audit posture separate from the broader institutional SOC scope.
FERPA · GLBA · HIPAA · CMMC L2 · TX HB 300

Your students' data and your research grants are both at risk. One SOC covers both.

CoreRecon delivers FERPA, GLBA Safeguards, HIPAA, and CMMC L2-mapped SOC for Texas universities and community colleges. SDVOSB-certified. 30-min SLA. No enterprise contracts. Starting at $89/endpoint.


No contracts. Free FERPA + GLBA + CMMC readiness report with every assessment. Procurement docs for university purchasing systems included.

EdTech vendors and cloud SaaS are the #1 FERPA and GLBA breach vector. Get your vendor risk scorecard →

Free Quiz · CMMC L2 · DoD Research Compliance
Does Your Research Office Meet CMMC Level 2?
Texas universities with DoD-funded research face CMMC L2 enforcement November 2026. Take the CMMC readiness quiz to identify your highest-risk gaps before your sponsored programs office gets a compliance notice.
Free Tool · NIST 800-171 · DoD Research
Calculate Your SPRS Score Before the C3PAO Does
Texas universities with DoD research grants need a positive SPRS score to win future contracts. The SPRS calculator walks through all 110 NIST 800-171 controls — identify your score, your POA&M gaps, and your path to CMMC L2 readiness.
Free Quiz · 10 Minutes · NIST CSF 2.0
NIST CSF 2.0 Maturity Score — Know Before Your CMMC Assessor Does
23 questions across all 6 CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). Universities using NIST CSF as their enterprise security framework get a Tier 1–4 maturity score and function-level gap report in 10 minutes.
Free Interactive Tool
What Would a Ransomware Attack Actually Cost Your Institution?
Model downtime costs, student notification obligations, FERPA and HIPAA fine exposure, and recovery expenses. Higher education institutions need this number before the next budget cycle.
GLBA Qualified Individual · HIPAA Security Officer · CMMC of Record
Need a vCISO to Satisfy GLBA, HIPAA, and CMMC Simultaneously?
GLBA Safeguards requires a "qualified individual." HIPAA requires a Security Officer designation. CMMC requires a CISO of record for C3PAO assessment. CoreRecon's vCISO retainer covers all three — starting at $4,000/mo.