Animal Care and UseAward ManagementConflicts of InterestContracts and SubawardsControlled SubstancesEnvironmental Health and SafetyExport ControlHIPAAHuman Stem Cell ResearchHuman Subjects Research

Implementation Update for Data Management and Access Practices under the Genomic Data Sharing (GDS) Policy: NOT-OD-24-157

Published December 12, 2024, via Research News

NOT-OD-24-157

Effective Saturday, January 25, 2025, NIH will begin requiring a new cybersecurity requirement for the use of human genomic data from NIH controlled-access data repositories (e.g., NIH dbGaP). Users of NIH controlled-access genomic data will be required to attest that the IT systems used for data analysis and storage are compliant with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organization.  

Scope
This notice details NIH’s security expectations for (1) users of NIH controlled-access data repositories/systems that access human genomic data (shared under NIH’s Genomic Data Sharing Policy) and (2) developers who oversee controlled-access repositories or are working on testing platforms, pipelines, analysis tools, and user interfaces that use human genomic data from NIH controlled-access data repositories.

A list of NIH controlled-access data repositories can be found here, which includes dbGaP and NIAGADS.

Proposals and Awards
Effective Saturday, January 25, 2025, all NIH funding mechanisms (e.g., new/renewal/non-competing continuation grants, cooperative agreements, contracts, and other transactions) that involve the activities described above, such as, downloads resulting from new/renewal dbGaP access requests, will require that downloaded data be maintained on IT systems that are compliant with NIST SP 800-171 security standards.

  1. NIH Institute/Center/Office (ICO) will include the applicable implementation update per this notice in the NOFO for competing applications that are impacted. When awarded, compliance with the applicable implementation update will be included in the terms and conditions of award.
  2. For non-competing continuation awards, the recipient will work with their funding NIH ICO to update the existing terms and conditions of award to reflect the applicable implementation update per this notice, as soon as possible, but no later than the next budget period following the effective date. 

Upcoming Plans to Ensure Compliance
If you have an ongoing project or are working on a proposal that will be affected by this new requirement, WashU IT Research Infrastructure Services (RIS) offers a secure enclave serviceThis is the only certified facility on campus that complies with the necessary security controls. Researchers are also encouraged to utilize the cloud services provided by NIH Institute and Center Supported Repositories to access and analyze controlled data.

Please contact Craig Pohl at cpohl@wustl.edu or request assistance, to develop a plan and estimate the costs of using these solutions.

Save the date
There will be a virtual research forum on Wednesday, January 8, 2025 at 3 p.m. to review how the new NIH policy will be supported at WashU. Registration is required.