Background
NIH policy states that new and renewal data use requests to access controlled-access data stored in any of the NIH controlled-access data repositories (CADRs) must protect data in an environment compliant with NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” NIST SP 800-171 provides 110 security controls organized into 14 families, which must be applied to protect NIH controlled-access data. The implementation and maintenance of these controls are time consuming and expensive. When investigators request access to data from an NIH CADR, the investigator and the Institution must attest that the data will be secured in a NIST SP 800-171 compliant site. This requirement creates risk for the Institution if the data is not secured in a compliant site.
Policy for Protection of NIH Controlled-Access Data
- All projects with new data use agreements must store and compute NIH controlled-access data on the Research Infrastructure Services (RIS) Facility or other certified facility.
- All NIH controlled-access data currently stored and computed on individual servers in labs or other small, isolated sources must move to RIS or other certified facility with the renewal of their NIH data use agreement.
- Large clusters in Centers or Departments like RCIF and HTCF must work with the Associate Chief Information Security Officer (ACISO) for Research, Teaching, and Learning to obtain advice and guidance for implementing NIST SP 800-171 controls. The administration of these facilities is responsible for compliance with this security standard and must enlist a third party to perform a gap assessment to determine the state of compliance, ongoing support, and remediation work. Review and attestation of compliance must be done internally every year and by an outside third party every three years. The Center or Department is responsible for the cost of building and maintaining compliance. They are responsible for providing the ACISO with documentation of compliance before the Institution attests to the NIH that the facility is compliant.
- At this time, WashU cloud environments for Box, Azure, AWS, and GCP are not NIST SP 800-171 compliant and cannot host NIH controlled-access data.