January 16, 2025

NIH implements stricter regulations on controlled-access data

Written by
rep cheaha nih change 550pxUAB IT recommends researchers leverage UAB’s Cheaha high-performance computing system for managing data from NIH genomic data repositories.

The National Institutes of Health (NIH) has announced significant updates to its Genomic Data Sharing Policy, which will take effect Jan. 25, 2025. These changes aim to enhance the security and management of controlled access data, reflecting the growing importance of data protection in the face of increasing global threats.


Key changes

  • NIH will now require genomic data repositories to comply with the NIST SP 800-171 standard, which is more stringent than previous guidelines.
  • Approved users of NIH controlled-access data must attest that their institution complies with NIST SP 800-171. This includes those using third-party IT systems or Cloud Service Providers (CSPs) for data analysis and storage.

Impact on researchers

The policy is not retroactive. Approved users operating under existing Data Use Certifications or similar agreements signed before the effective date can continue under the terms of those agreements until renewal. This policy change affects new and renewed requests for data access from these 20 NIH-supported data repositories. For example, researchers seeking to access controlled human genomic data from dbGaP must attest that their systems meet NIST SP 800-171 requirements. Additionally, these changes may require specialized systems or the use of third-party systems to meet the new requirements, which will need to be factored into grant budgets. Additional information is provided by the NIH Frequently Asked Questions (FAQs) web page.


Preparing for the changes

UAB IT recommends researchers leverage UAB’s Cheaha high-performance computing system for managing this data. All systems in a researcher’s data pipeline for NIH controlled-access data must comply with NIST SP 800-171, which requires significant effort.

Cheaha, managed by UAB IT’s Research Computing office, has previously been audited for HIPAA alignment, and controls overlap significantly with NIST SP 800-171. Research Computing is validating those controls against NIST SP 800-171 and developing a plan to address any gaps. Researchers will be able to use Cheaha to analyze NIH controlled-access data. Documentation for using Cheaha is available at docs.rc.uab.edu/.


Resources