New Data Management and Access Requirements for NIH Genomic Data

Beginning January 25, 2025, any researchers who plan to work with genomic data from NIH repositories will need to comply with new data management and storage requirements per updated “NIH Security Best Practices for Users of Controlled-Access Data”. NIH announced in NOT-OD-24-157:

• “Approved Users” of NIH controlled-access data will attest to NIH that institutional systems used to access or store covered data are compliant with NIST SP 800-171 (“secure environment”). This attestation will likely be part of the NIH data use agreements that are reviewed and signed by OCG and required to become an “Approved User.”
• “Approved Users” choosing a third-party IT system and/or Cloud Service Provider (CSP) for data analysis and/or storage will provide NIH with an attestation affirming that the third-party system is compliant with NIST SP 800-171.

Additional information about this change and covered repositories:

• Accessing Genomic Data from NIH Repositories
• COGR Summary on Updates to NIH GDS Policy
• The change will be in effect for new or renewed genomic data use agreements but should not be required for data use agreements in place before January 25, 2025 (until renewed).
• Costs of using a secure environment should be an allowable cost and part of a proposal budget when known at the proposal stage. Work with your OCG Proposal Analyst to ensure these data management costs are included as necessary for the project.
• Please contact Research Computing at rc-help@colorado.edufor assistance with solutions to address the new requirements.

If you have general questions about this policy change, reach out to Alexa Van Dalsem, Senior Director of OCG, at alexa.vandalsem@colorado.edu.