NIH Security Best Practices for Users of Controlled-Access Data

The National Institutes of Health (“NIH”) has issued NOT-OD-24-157 which implements heightened security requirements for controlled-access data effective January 25, 2025. The NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy requires enhanced security requirements for accessing, handling, and storing controlled-access data, including human genomic data, from NIH controlled-access data repositories.

Scope and Applicability

All researchers who access NIH controlled-access data must ensure their institutional systems, third-party IT systems, and Cloud Service Providers (CSPs) comply with NIST SP 800-171 standards. This includes attesting to compliance as part of new or renewed Data Use Certifications executed on or after January 25, 2025.

The updated requirements apply to: 

• Approved Users of controlled-access human genomic data from specified NIH controlled-access data repositories.
• All NIH funding mechanisms, including grants, cooperative agreements, contracts, Other Transactions, and intramural support, that involve the use of NIH controlled-access data generated and shared under the GDS Policy that will be downloaded from specified NIH controlled-access data repositories.

Stanford Resources

NIST 800-171 outlines a comprehensive set of implementable controls that address various aspects of information security, including audit and accountability, incident response, and risk assessment. The Information Security Office has conducted a thorough review of the following Stanford systems and confirmed that they meet the minimum NIH security requirements as specified in NOT-OD-24-157. 

• Stanford Research Computing (SRC) Nero Google Cloud Platform (Nero)
• Stanford Research Computing (SRC) Carina On-Prem Computing Platform (Carina)
• Stanford Bioinformatics Service Center SCG Cluster (SCG)
• Cardinal Cloud (Amazon Web Services’ GovCloud)

For additional information: 

 NIH/NIST information page and FAQ

Notification Memo: NIH NIST Compliance Requirements for Controlled-Access Data

Researcher Action Items

• Assess IT environment/systems

  • Evaluate the current environment your NIH research project resides in. If it is not one of the approved systems listed above, please email Stanford Research Computing (SRC) at srcc-support@stanford.edu, with “NIH” in the title of the email.
  • If Cardinal Cloud (AWS GovCloud) is an appropriate option, submit a Help ticket through ServiceNow at https://services.stanford.edu/ — search for the “New AWS Service Request” form and provide details on your project. Someone from UIT Hosting will follow up with a discussion.

  • See Notification Memo: NIH NIST Compliance Requirements for Controlled-Access Data for additional information.

• Attest to compliance

  • Ensure data subject to the NIH Security Best Practices for Users of Controlled-Access Data is housed in one of the compliant systems prior to signing any necessary attestations that are included in new or renewed data use agreements. For more information please contact the Office of Research Administration (ORA) at osr_intake@stanford.edu with “NIH data” in the title of the email.

• Develop your budget plan

  • Factor in the costs of compliance at the proposal development stage.

Need further assistance? Please direct inquiries to osr_intake@stanford.edu