Overview

NIH has issued an implementation update for data management and access practices under the Genomic Data Sharing (GDS) Policy (see Guide Notice NOT-OD-24-157). This introduces updated security standards for Approved Users of controlled-access data shared under the NIH GDS Policy (NOT-OD-14-124) and for repositories and/or systems storing or providing access to these data. (FAQs) The updates will take effect on January 25, 2025, and apply only to new projects started after that date and recompetes of continuing projects.

A list of data repositories can be found HERE.

The updates require PIs working with data in these repositories to attest to NIH that the system storing their project’s human genomic data is compliant with NIST SP 800-171.

Today, NIH genomic data from these repositories is stored in a variety of IT resources at Purdue. To provide a single centrally managed and appropriately secured resource to support faculty working with these data, the Office of Research and Purdue IT are working together to deploy “Rossmann,” a new computing and storage resource to support these and other restricted data uses, fully implementing the NIST 800-171 standard.

New DUAs with requests for NIH GDS data will be assigned to work within the Rossmann system.

Frequently Asked Questions

Q: I have an existing NIH dbGaP dataset that I work with, am I subject to these new requirements? Do I need to move my project into “Rossmann” ? A: No, only new or renewal requests will be expected to secure data according to the updated NIH Security Best Practices.

Q: I work with my NIH GDS data on my laptop, does that mean that my laptop is required to be aligned with the updated NIH Security Best Practices? A: Yes. However, NIST 800-171 endpoints are not currently supported by Purdue IT.

Q: I have a 3rd party system that I use to work with NIH GDS data, can I continue to do so? A: Yes, but the PI is responsible for ensuring and attesting to the compliance of whatever IT system or cloud provider is utilized. To make it easier for faculty and to lower risk, we recommend the use of Purdue-managed resources.

Q: Do the updated NIH Security Best Practices mean that NIH data now requires CMMC certification? Is genomic data now Controlled Unclassified Information (CUI)? A: No, while they all use the same NIST 800-171 cybersecurity standard, NIH Security Best Practices are not subject to CMMC, nor are genomic data considered CUI.

Q: Who can I talk to for more information? A: For cybersecurity questions, please contact Purdue IT Information Assurance (pss-ia@purdue.edu). For high-performance computing and workflow questions, contact the Rosen Center for Advanced Computing (rcac-help@purdue.edu).