NIH Research Data
As of January 25th, 2025, the United States Government has enacted additional security requirements for researchers working with National Institutes of Health (NIH) data. More details about these changes can be found at NIH-security-best-practices.
A brief summary of some of the changes and requirements is as follows.
- Compliance with NIST SP 800-171 Rev.3
- Maintaining an up-to-date inventory of all systems and devices used to process NIH data.
- Endpoint Protection Agent deployed and running on all systems and devices used to process NIH data.
- Access Controls to include MFA and strong Password policies.
- Cybersecurity Awareness training for all personnel accessing NIH data.
- Logging of System Access & modification to NIH data with 1 year retention.
- Data breach and incident response awareness.
- Risk Assessment (https://risk.uwo.ca/) for any third party software and solutions used with NIH data.
- Subcontractor Compliance: Ensure all subcontractors or third-party vendors handling NIH data adhere to NIST SP 800-171 standards.
WTS Security Operations has prepared a spreadsheet that researchers applying for grants to work with NIH data can use to track compliance with the requirements set forth in NIST SP 800-171 Rev.3, as well as several template documents that can be used for reference. Links to these files can be found below. Please contact security@uwo.ca if you require any assistance.
- Western Research - Submission Tracking and Responsibilities - NIH Data.xlsx
- System_Inventory_Template_Research_NIH.xlsx
- Data_Inventory_Template_Research_NIH.docx
- Incident_Response_Plan_Template.docx
- IT_Acceptable_Use_Policy_Template.docx