Securing NIH Controlled-Access Genomic Data
Effective January 25, 2025, researchers who plan to work with controlled-access genomic data from NIH repositories will need to comply with new data management and storage requirements under the updated “NIH Security Best Practices for Users of Controlled-Access Data”.
NIH announced in NOT-OD-24-157:
- “Approved Users” of NIH controlled-access data will attest to NIH that institutional systems used to access or store covered data are compliant with NIST SP 800-171 (“secure environment”). This attestation will likely be part of the NIH data use agreements that are reviewed and signed by OSP and required to become an “Approved User.”
- “Approved Users” choosing a third-party IT system and/or Cloud Service Provider (CSP) for data analysis and/or storage will provide NIH with an attestation affirming that the third-party system is compliant with NIST SP 800-171.
- The change will be in effect for new or renewed genomic data use agreements but should not be required for data use agreements in place before January 25, 2025 (until renewed).
- Costs of using a secure environment should be an allowable cost and part of a proposal budget when known at the proposal stage. Work with RCRA, Emory Digital, and OSP to ensure these data management costs are included as necessary for the project.
- 20 NIH controlled-access data repositories are within scope of the update.
- The current list of repositories is on the NIH Scientific Data Sharing website (https://sharing.nih.gov/accessing-data/NIH-security-best-practices).
- If your repository is not currently listed, this update is not applicable.
- Institutions that generate large-scale human genomic data as part of an award, and store it at their institution, a cloud service provider, or a third-party IT system, are not in scope.
Frequently Asked Questions
Emory Digital will reach out to you and your project team to conduct a security assessment of your existing machines and information systems, and they will address any security controls that are not met.
This assessment will inform your attestation to the NIH that you are either in compliance with the new GDS policy or that you do not yet meet certain controls, but have a plan to do so. The latter is referred to as a Plan of Action and Milestones (POA&M) which the NIH accepts in the attestation.
Please note that POA&Ms must be regularly updated and used in a good faith effort to ensure your system(s) are in compliance with the GDS policy.
For questions about the policy and compliance, reach out to the Research Security office at researchsecurity@emory.edu.
NIH Resources
- Genomic Data Sharing Policy | Data Sharing (nih.gov)
- NOT-OD-24-157: Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (nih.gov)
- NIH-Security-Best Practices-for-Users-of-Controlled-Access-Data.pdf
- NIH-Security-Best Practices-for-Controlled-Access-Repositories.pdf
- Frequently Asked Questions (FAQs) | Data Sharing
Additional Resources
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | CSRC
- NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | CSRC
- NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information | CSRC
- COGR Summary on Updates to NIH GDS Policy