Posted January 10, 2025 by Tiffany Lee
The National Institutes of Health recently announced significant updates to its Genomic Data Sharing (GDS) Policy, which will take effect on Jan. 25. These updates introduce enhanced cybersecurity requirements and new terms of access, impacting researchers and developers accessing genomic data stored in NIH-controlled repositories.
Cybersecurity enhancements
Researchers accessing de-identified human genomic data must ensure that institutional systems meet the National Institutes of Standards and Technology Special Publication 800-171 cybersecurity standard. Institutions must evaluate their IT infrastructure, identify gaps and develop a Plan of Action and Milestones (POAM) to address risks. Developers managing repositories must comply with the stricter NIST SP 800-53 standard.
Defined roles and responsibilities
The policy distinguishes between “Approved Users” (researchers accessing data for study) and “Approved Developers” (those building tools or managing data repositories). Each must adhere to tailored security practices and terms of access, including mandatory reporting of data breaches and adherence to NIH security training.
New access procedures for developers
Developers must submit a Developer Use Statement (DUS) outlining their planned activities and attesting to cybersecurity compliance. Terms of access prohibit unauthorized data sharing, require prompt incident reporting and mandate data destruction upon project completion.
Institutional action steps
Institutions are advised to:
- Review ongoing and new projects for compliance with updated requirements.
- Collaborate with IT, sponsored programs and institutional review board offices to align systems with NIST standards.
- Educate researchers and developers about their obligations under the new policy.
Effective date and compliance deadlines
The updated requirements apply to all grants, contracts and agreements initiated or renewed after Jan. 25. Existing projects can continue under their current terms until renewal.
To help institutions and researchers prepare for these updates, NIH hosted two information sessions in January. When available, recordings and transcripts can be accessed on the past NIH VideoCasts page. For more details, visit NIH’s Genomic Data Sharing Policy page. Questions about compliance with the NIST standards can be directed to Matthew Long, director of research IT services at the University of Nebraska.
