NIH Data Management and Access Requirements for Sharing Genomic Data
Implementation of the NIH Data Management and Access Requirements for Sharing Genomic Data
NIH has made significant changes to its policy related to data security requirements for researchers wishing to access or renew access to human genomic data stored in certain NIH controlled-access data repositories. Effective January 25, 2025, users and developers of controlled access genomic data will be required to manage that data in compliance with NIST 800-171 cybersecurity requirements. The following information addresses how to determine if your data is subject to the requirement and provides details on how Penn will implement the requirements.
How do I know if the new requirement applies to me?
The requirement will apply to data obtained from the following repositories:
- dbGaP
- BioData Catalyst
- AnVIL
- NCI Genomic Data Commons
- CDS-Trusted Partner
- Kids First Data Resource
- INCLUDE data hub
- Restricted portion of the Sequence Read Archive
- National Institute of Mental Health Data Archive
- NIAAADA
- ABCD
- The Neuroscience Multi-omic Data Archive (Brain/NeMO)
- The CommonMind Consortium Knowledge Portal
- PsychENCODE Knowledge Portal
- NIAGADS
- Accelerating Medicines Partnership® Parkinson’s Disease
- Parkinson’s Disease Biomarkers Program Data Management Resource
- PEGS
- NIMH Repository and Genomics Resources
- NIDCR FaceBase
This list will be updated from time to time. Additional information on applicable access systems and websites for these data sources is available here.
When will I have to comply?
The NIST 800-171 compliance requirement will be a contractual obligation. Compliance is required for all new requests submitted on or after January 25, 2025; for pending requests whose data use agreements are not yet in place before January 25, 2025; and for data use renewals on or after January 25, 2025.
You may continue to use your data if you have an active data use agreement for one of the controlled access databases. You should plan to ensure the data is in a compliant database by the time of your next renewal.
What are the NIST 800-171 cybersecurity requirements?
NIST 800-171 is a framework for cybersecurity that includes several control families with specific requirements for each family. The control families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Assessment, Authorization, and Monitoring
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Supply Chain Risk Management
The full text of the NIST 800-171 requirements is available here.
How is the NIH evaluating compliance with the new requirement?
NIH is not currently planning to actively audit compliance. However, the data requestor, the IT contact, and the signing official on the data use agreement are required to attest to compliance. If there are gaps between the available computing environments and the NIST 800-171 requirements, a Plan of Action and Milestones (POAM) may be submitted. This plan details how the data environment will be brought into compliance if access is granted.
What is the Penn process for implementing the requirements?
Penn is actively developing compliant solutions. An AWS cloud-based solution, managed centrally by Penn Information Systems and Computing (ISC), will be available in February 2025. The upcoming Penn Advanced Research Computing Center (PARCC) will be compliant as it becomes available later this year. In the Perelman School of Medicine (PSOM), additional environments (HPC/LPC and HSDRC) are being assessed so that they can be brought into compliance. Researchers wishing to use other environments will need to have those environments reviewed and approved before controlled data access is approved.
Will there be required training?
Yes. One of the NIST 800-171 requirements is security training. All lab members granted access to the controlled data sets will need to complete training prior to receiving authorization to access the data.
In addition to training required by specific federal research sponsors, the following security-related courses help meet the NIST 800-171 training requirements:
- Email Security (https://www.myworkday.com/upenn/email-universal/inst/17816$464/rel-task/2998$29489.htmld).
- Introduction to Phishing (https://www.myworkday.com/upenn/email-universal/inst/17816$316/rel-task/2998$29489.htmld).
- Research Security at Penn (https://www.myworkday.com/upenn/email-universal/inst/17816$1444/rel-task/2998$29489.htmld).
How do I initiate my data use request at Penn?
Please reach out to your local IT support team to discuss how best to manage the controlled data you will be using. The Office of Research Services will verify with Penn’s IT professionals that the proposed environment is compliant with NIST 800-171 requirements prior to signing your data use agreement. Ensuring that your IT team is aware of the request will allow for more timely access to the data.
Where can I get additional information or assistance?
If you are a researcher in the PSOM, please reach out to pmacs_sio@pennmedicine.upenn.edu. If you are in another campus location, please reach out to your local research IT support team.
Not sure the requirements apply to your project? Please contact PennResearchSecurity@pobox.upenn.edu.