NIH Security Best Practices for Users of Controlled-Access Data
The National Institutes of Health (“NIH”) has issued NOT-OD-24-157, which implements heightened security requirements for controlled-access data effective January 25, 2025. The NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy sets enhanced requirements for accessing, handling, and storing controlled-access data, including human genomic data, obtained from NIH controlled-access data repositories.
Scope and Applicability
All researchers who access NIH controlled-access data must ensure that their institutional systems, third-party IT systems, and Cloud Service Providers (CSPs) comply with NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." This includes attesting to compliance as part of new or renewed Data Use Certifications executed on or after January 25, 2025.
The updated requirements apply to:
- Approved Users of controlled-access human genomic data from specified NIH controlled-access data repositories.
- All NIH funding mechanisms, including grants, cooperative agreements, contracts, Other Transactions, and intramural support, that involve the use of NIH controlled-access data generated and shared under the GDS Policy that will be downloaded from specified NIH controlled-access data repositories.
Stanford Resources
NIST SP 800-171 outlines a comprehensive set of implementable controls that address many aspects of information security, including audit and accountability, incident response, and risk assessment. The Information Security Office has reviewed the following Stanford systems and confirmed that they meet the minimum NIH security requirements specified in NOT-OD-24-157.
- Stanford Research Computing (SRC) Nero Google Cloud Platform (Nero)
- Stanford Research Computing (SRC) Carina On-Prem Computing Platform (Carina)
- Stanford Bioinformatics Service Center SCG Cluster (SCG)
- Cardinal Cloud (Amazon Web Services’ GovCloud)
For additional information:
NIH/NIST information page and FAQ
Notification Memo: NIH NIST Compliance Requirements for Controlled-Access Data
Researcher Action Items
Assess IT environment/systems
- Evaluate the current environment in which your NIH research project resides. If it is not one of the approved systems listed above, please email Stanford Research Computing (SRC) at srcc-support@stanford.edu with “NIH” in the subject line.
- If Cardinal Cloud (AWS GovCloud) is an appropriate option, submit a Help ticket through ServiceNow at https://services.stanford.edu/ — search for the “New AWS Service Request” form and provide details on your project. Someone from UIT Hosting will follow up with a discussion.
See Notification Memo: NIH NIST Compliance Requirements for Controlled-Access Data for additional information.
Attest to compliance
- Ensure that data subject to the NIH Security Best Practices for Users of Controlled-Access Data is housed in one of the compliant systems before signing any attestations required by new or renewed data use agreements. For more information, please contact the Office of Research Administration (ORA) at osr_intake@stanford.edu with “NIH data” in the subject line.
Develop your budget plan
- Factor in the costs of compliance at the proposal development stage.
Additional Information
NOT-OD-25-159, Required Security and Operational Standards for NIH Controlled-Access Data Repositories, establishes requirements to ensure that NIH controlled-access data repositories adopt standardized data submission, access, and sharing processes; implement enhanced security controls (including for approved users of controlled-access data); and adhere to applicable statutes, regulations, and NIH policies. NIH Controlled-Access Data Repositories (CADRs) should follow the National Institutes of Health (NIH) Controlled-Access Data Repository Guidebook to Adhere to “Required Security and Operational Standards for NIH Controlled-Access Data Repositories” (NIH CADR Guidebook).
Need further assistance? Please direct inquiries to osr_intake@stanford.edu