If you’re working with NIH’s genomic data—for research, developing and testing tools, or hosting repositories—you’ll want to know about a new Notice, NOT-OD-24-157, which takes effect on January 25, 2025.

This Notice details NIH’s security expectations for controlled-access data repositories/systems that store or give access to human genomic data (shared under NIH’s Genomic Data Sharing [GDS] Policy) as well as your use of those repositories. The Notice also establishes minimum standards for developers who oversee controlled-access repositories.

How does this policy change impact you?

• Are you using an NIH repository to access genomic data for research? You’ll need to make certain your institute’s IT system, third-party IT system, and/or Cloud Service Provider complies with the standards outlined in National Institutes of Standards and Technology’s (NIST’s) standard procedure 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” If you’re located outside the United States, you will need to meet a similar standard.
• Are you responsible for overseeing a genomic data repository? Your security controls must meet the NIST SP 800-53 Moderate baseline controls. Repositories that comply with FedRAMP’s Moderate Baseline or FISMA Moderate standards automatically satisfy the NIST SP 800-53 Moderate baseline controls.
• Are you a developer working on testing platforms, pipelines, analysis tools, user interfaces that use human genomic data? The NIH’s new framework impacts lead developers (and staff they directly supervise) working with controlled-access human genomic data. Lead developers must follow the NIH Developer Access Process and submit a Developer Use Statement to the NIH Developer Data Access Committee. This requirement applies to all contracts, intramural support, other transactions, grants, or cooperative agreements, regardless of the activity code.

In the coming months, NCI will offer more detailed guidance to help you navigate these changes and prepare for the policy update in January. In the meantime, be sure to subscribe to our weekly email updates to stay abreast of the latest news.