The National Institutes of Health recently announced significant updates to its Genomic Data Sharing (GDS) Policy, which will take effect on Jan. 25, 2025. These updates introduce enhanced cybersecurity requirements and new terms of access, impacting researchers and developers accessing genomic data stored in NIH-controlled repositories.

Cybersecurity enhancements

Researchers accessing de-identified human genomic data must ensure that institutional systems meet the National Institutes of Standards and Technology Special Publication 800-171 cybersecurity standard. Institutions must evaluate their IT infrastructure, identify gaps and develop a Plan of Action and Milestones (POAM) to address risks. Developers managing repositories must comply with the stricter NIST SP 800-53 standard.

Defined roles and responsibilities

The policy distinguishes between “Approved Users” (researchers accessing data for study) and “Approved Developers” (those building tools or managing data repositories). Each must adhere to tailored security practices and terms of access, including mandatory reporting of data breaches and adherence to NIH security training.

New access procedures for developers

Developers must submit a Developer Use Statement (DUS) outlining their planned activities and attesting to cybersecurity compliance. Terms of access prohibit unauthorized data sharing, require prompt incident reporting and mandate data destruction upon project completion.

Institutional action steps

Institutions are advised to:

• Review ongoing and new projects for compliance with updated requirements.
• Collaborate with IT, sponsored programs and institutional review board offices to align systems with NIST standards.
• Educate researchers and developers about their obligations under the new policy.

Effective date and compliance deadlines

The updated requirements apply to all grants, contracts and agreements initiated or renewed after Jan. 25. Existing projects can continue under their current terms until renewal.

The National Institutes of Health recently announced significant updates to its Genomic Data Sharing (GDS) Policy, which will take effect on Jan. 25. These updates introduce enhanced cybersecurity requirements and new terms of access, impacting researchers and developers accessing genomic data stored in NIH-controlled repositories.

Cybersecurity enhancements

Researchers accessing de-identified human genomic data must ensure that institutional systems meet the National Institutes of Standards and Technology Special Publication 800-171 cybersecurity standard. Institutions must evaluate their IT infrastructure, identify gaps and develop a Plan of Action and Milestones (POAM) to address risks. Developers managing repositories must comply with the stricter NIST SP 800-53 standard.

Defined roles and responsibilities

The policy distinguishes between “Approved Users” (researchers accessing data for study) and “Approved Developers” (those building tools or managing data repositories). Each must adhere to tailored security practices and terms of access, including mandatory reporting of data breaches and adherence to NIH security training.

New access procedures for developers

Developers must submit a Developer Use Statement (DUS) outlining their planned activities and attesting to cybersecurity compliance. Terms of access prohibit unauthorized data sharing, require prompt incident reporting and mandate data destruction upon project completion.

Institutional action steps

Institutions are advised to:

• Review ongoing and new projects for compliance with updated requirements.
• Collaborate with IT, sponsored programs and institutional review board offices to align systems with NIST standards.
• Educate researchers and developers about their obligations under the new policy.

Effective date and compliance deadlines

The updated requirements apply to all grants, contracts and agreements initiated or renewed after Jan. 25, 2025. Existing projects can continue under their current terms until renewal.