>> HELLO AND WELCOME TO TODAY'S OVERVIEW OF THE NIH SECURITY BEST PRACTICES AND THE SECURITY UPDATES IN THE GUIDE NOTICE NOT 154127. WE'LL PUT THAT IN THE CHAT. I'M FROM THE OFFICE OF DATA SCIENCE STRATEGY, AND I'M INTRODUCING DR. CHERYL JACOBS AND MS. MAUREEN FALVELLA. DR. JACOBS IS THE ASSISTANT DIRECTOR FROM THE OFFICE OF SCIENCE POLICY. SHE HAS OVER 10 YEARS OF EXPERIENCE WORKING ON AND LEADING EVIDENCE-BASED POLICIES TO SUPPORT GENOMIC DATA AND FACILITATE ACCESS TO GENOMIC AND SCIENTIFIC DATA. MS. FALVELLA IS THE CHIEF INFORMATION SECURITY OFFICER. SHE HAS 15 YEARS OF EXPERIENCE DEVELOPING STRATEGIES, DIRECTING OPERATIONS AND OVERSEEING CYBER SECURITY PROGRAMS TO PROTECT ASSETS AT THE NATIONAL INSTITUTES OF HEALTH, INCLUDING SECURING NIH'S RESEARCHING COVID TO ENHANCE RECOVERY (RECOVER) INITIATIVE AND THE NATIONAL HEART, LUNG AND BLOOD INSTITUTE'S (NHLBI) BIODATA CATALYST PROGRAM, AND BRINGS BUSINESS EXPERIENCE, ADVANCED EXPERTISE AND A STRONG UNDERSTANDING OF NIH'S SCIENTIFIC MISSION. BOTH JOIN US TODAY TO DISCUSS THE UPDATES TO DATA MANAGEMENT AND SECURITY STANDARDS THAT WILL TAKE EFFECT ON JANUARY 25, 2025. TODAY'S PRESENTATION IS BEING BROADCAST ON NIH VIDEOCAST AND RECORDED FOR FUTURE VIEWING. I HAVE A FEW HOUSEKEEPING ITEMS BEFORE WE GET STARTED. AS NOTED, TODAY'S PRESENTATION IS BEING BROADCAST ON NIH VIDEOCAST. THAT LINK WILL BE INSERTED IN THE CHAT IN CASE THERE ARE ISSUES WITH CONNECTIVITY, AS THIS IS A WIDELY ATTENDED EVENT. THE RECORDING WILL ALSO BE AVAILABLE ON THE NIH SCIENTIFIC DATA SHARING WEBSITE, AND WE'LL ALSO HAVE THAT LINK PUT IN THE CHAT. SLIDES FOR TODAY'S PRESENTATION ARE AVAILABLE ON THE WEBSITE. PLEASE ENTER YOUR QUESTIONS IN THE Q&A. THOSE PARTICIPATING VIA ZOOM WILL BE ABLE TO UPLOAD QUESTIONS TO THE Q&A FOR PRESENTERS TO ADDRESS, AND ANY ADDITIONAL QUESTIONS FROM THOSE JOINING THROUGH VIDEOCAST, OR QUESTIONS THAT CANNOT BE ENTERED IN THE Q&A, CAN BE SENT TO GDS@mail.nih.gov.
TODAY'S PRESENTATION WILL BE DIVIDED INTO THREE SECTIONS: A GENERAL OVERVIEW OF THE NIH GUIDE NOTICE FOCUSING ON THE NIH BEST PRACTICES FOR USERS OF CONTROLLED ACCESS DATA, FOLLOWED BY AN IN-DEPTH OVERVIEW OF THE SECURITY CONTROLS INSTITUTIONS AND APPROVED USERS ARE EXPECTED TO ADHERE TO BEGINNING JANUARY 25, 2025, FOLLOWED BY TIME FOR QUESTIONS AND ANSWERS. NOW I'M GOING TO HAND OVER THE PRESENTATION TO DR. JACOBS AND MS. FALVELLA. DR. JACOBS, OVER TO YOU.

>> HI, GOOD MORNING AND WELCOME TO TODAY'S PRESENTATION. I'M GOING TO PROVIDE A BRIEF DESCRIPTION OF THE NIH GENOMIC DATA SHARING POLICY TO DESCRIBE THE EXPECTATIONS OF THE POLICY UNDER WHICH THE UPDATES WE'RE DISCUSSING TODAY WILL TAKE EFFECT. THE GDS POLICY HAS BEEN EFFECTIVE SINCE JANUARY 20, 2015, AND ENSURES THE BROAD AND RESPONSIBLE SHARING OF NON-HUMAN AND HUMAN LARGE-SCALE GENOMIC DATA. IN PART, FOR HUMAN GENOMIC DATA, THAT MEANS EXPECTED CONSENT FOR RESEARCH USE, AND THERE'S OTHER BROAD AND RESPONSIBLE SHARING WE'LL TOUCH ON LATER IN THE TALK. THE GDS POLICY SCOPE APPLIES TO THE GENERATION OF LARGE-SCALE HUMAN AND NON-HUMAN DATA AS WELL AS THE USE OF THE DATA FOR SECONDARY RESEARCH, IRRESPECTIVE OF THE FUNDING MECHANISM. SO, FOR LARGE-SCALE HUMAN GENOMIC DATA, THE POLICY EXPECTS THAT INVESTIGATORS CONSIDER THE APPROPRIATENESS OF SHARING THE DATA AND, IF THEY'RE SHARING THE DATA, SHARE IT ACCORDING TO PARTICIPANT CONSENT; THAT BEFORE THE DATA IS SUBMITTED TO NIH, AN IRB, PRIVACY BOARD OR EQUIVALENT BODY HAS REVIEWED THE CONSENT AND DETERMINED THE LIMITATIONS ON SHARING; AND ULTIMATELY THAT THE DATA IS SUBMITTED TO NIH. WHEN INVESTIGATORS REQUEST ACCESS TO THESE DATA FROM AN NIH CONTROLLED ACCESS REPOSITORY, USERS AGREE TO THE TERMS OF ACCESS, WHICH INCLUDE SECURING THE DATA ACCORDING TO SECURITY STANDARDS, AND THIS EXPECTATION APPLIES WHETHER THE APPROVED USER IS FUNDED BY NIH OR NOT.
SO, TODAY WE'LL BE DISCUSSING THE UPDATE TO THE GDS POLICY THAT CONTINUES TO PROMOTE ACCESS TO THE DATA, AND THIS UPDATE HAS THREE PARTS TO IT. THE FIRST PART APPLIES TO NIH CONTROLLED ACCESS REPOSITORIES THAT MEET THE CURRENT CRITERIA BELOW: THAT THEY'RE SUPPORTED BY AN NIH AWARD OF SOME KIND OR SOME SORT OF NIH SUPPORT; THAT THE REPOSITORY STORES OR PROVIDES ACCESS TO HUMAN GENOMIC DATA GENERATED UNDER THE GDS POLICY; THAT THERE IS CONTROLLED ACCESS TO THESE DATA WITH PROSPECTIVE REVIEW, SO PERHAPS SOME SORT OF FIREWALL BETWEEN ACCESS AND THE ACTUAL DATA; AND THAT FEDERAL EMPLOYEES ARE PROVIDED TO CONDUCT REVIEWS. YOU CAN LOOK AT THIS AS, FOR EXAMPLE, A DATA ACCESS COMMITTEE. AND SO REPOSITORIES THAT MEET THESE CRITERIA WILL BE KNOWN AS NIH CONTROLLED ACCESS REPOSITORIES. THE SECOND UPDATE APPLIES TO DEVELOPERS THAT WORK IN THESE REPOSITORIES AS STATED ABOVE, AND THE THIRD UPDATE, WHICH YOU'RE ALL HERE FOR, UPDATES SECURITY EXPECTATIONS FOR APPROVED USERS. SO, FOR THE FIRST UPDATE, THE REPOSITORIES THAT MEET THE CRITERIA, NIH HAS IDENTIFIED 20 OF THESE REPOSITORIES THAT ARE IN SCOPE. THERE'S A CURRENT LIST OF THESE REPOSITORIES ON THE NIH SCIENTIFIC DATA SHARING WEBSITE, AND THAT CAN BE ACCESSED HERE. AND WE WANT TO EMPHASIZE THAT IF YOUR REPOSITORY IS NOT CURRENTLY LISTED, THIS UPDATE IS NOT APPLICABLE TO YOU, AND YOUR REPOSITORY IS NOT CONSIDERED AN NIH CONTROLLED ACCESS REPOSITORY WHEREBY THESE PARTICULAR SECURITY EXPECTATIONS WILL BE EXPECTED JANUARY 25, 2025. THERE HAVE BEEN QUESTIONS WE RECEIVED ABOUT WHETHER THE UPDATE APPLIES TO AN INSTITUTION THAT'S BEEN FUNDED TO GENERATE LARGE-SCALE HUMAN GENOMIC DATA THAT IS STORED ON LOCAL SERVERS. WE WANT TO REMIND YOU THIS IS NOT IN SCOPE OF THIS PARTICULAR SECURITY UPDATE; ONLY THOSE REPOSITORIES CURRENTLY LISTED ARE IN SCOPE OF THIS UPDATE. SO THE SECOND UPDATE DEALS WITH MINIMUM EXPECTATIONS AND OVERSIGHT FOR DEVELOPERS.
SO THIS PATHWAY IS SPECIFIC FOR NIH OR FEDERALLY FUNDED DEVELOPERS, AND CENTRAL TO THE MISSION, IF THE DEVELOPERS ARE FUNDED TO ESTABLISH, SUPPORT OR MAINTAIN AN NIH CONTROLLED ACCESS REPOSITORY, THOSE MENTIONED ON THE WEBSITE I MENTIONED PREVIOUSLY. AND BEGINNING JANUARY 25, 2025, NIH NOTICES OF FUNDING OPPORTUNITY, CONTRACTS OR OTHER TRANSACTIONS WILL INDICATE THE APPLICABILITY OF THIS PARTICULAR UPDATE. SO FINALLY WE GET TO THE THIRD UPDATE, OF PARTICULAR INTEREST TO THIS COMMUNITY: THE UPDATE TO SECURITY STANDARDS FOR APPROVED USERS. TO BREAK THIS DOWN, WE WANT TO START WITH THE DEFINITION FIRST OF WHO IS AN APPROVED USER. APPROVED USERS ARE PRINCIPAL INVESTIGATORS WHO HAVE BEEN APPROVED TO ACCESS DATA FROM ONE OF THE 20 CONTROLLED ACCESS DATA REPOSITORIES INDICATED ON THE PREVIOUS SLIDE. AS IS TYPICAL, THEY AGREE TO TERMS OF ACCESS THAT ARE IN THE DATA USE CERTIFICATION AGREEMENT OR DATA USE AGREEMENT, AND WHEN AGREEING TO THESE TERMS THERE'S ALSO AGREEMENT TO SECURE THE DATA ACCORDING TO PARTICULAR STANDARDS. THE EXISTING DOCUMENT DESCRIBING THE SECURITY STANDARDS IS THE NIH SECURITY BEST PRACTICES FOR CONTROLLED ACCESS DATA SUBJECT TO THE NIH GENOMIC DATA SHARING POLICY. DUE TO THE NOTICE UPDATE, THIS DOCUMENT IS GETTING UPDATED WITH UPDATED SECURITY STANDARDS THAT WILL APPLY ON OR AFTER JANUARY 25, 2025, AND THIS UPDATED SECURITY STANDARD WILL BE DESCRIBED IN THE NIH SECURITY BEST PRACTICES FOR USERS OF CONTROLLED ACCESS DATA. THESE TAKE EFFECT FOR USERS WHO SUBMIT A NEW REQUEST OR RENEW AN EXISTING REQUEST ON OR AFTER JANUARY 25, 2025. AND SO THOSE WITH EXISTING REQUESTS DO NOT HAVE TO SWITCH TO THE UPDATED STANDARDS ON JANUARY 25, 2025; IT'S ONLY AFTER THAT DATE, IF THE PROJECT IS RENEWED, THAT THE UPDATED SECURITY STANDARDS WILL BE EXPECTED TO BE ADHERED TO. SO WHAT IS NIH EXPECTING IN THIS UPDATE?
NIH EXPECTS THAT APPROVED USERS WILL SECURE THE DATA ACCORDING TO NIST 800-171 AND, IF ON A THIRD PARTY CLOUD, ATTEST THAT THE THIRD PARTY OR CLOUD SERVICE PROVIDER IS SECURING THE DATA ACCORDING TO NIST 800-171, OR SECURE THE DATA TO THE NIST STANDARD'S EQUIVALENT, THE ISO 27001 OR 27002 STANDARD. WHEN WE TALK ABOUT ATTESTATION, IT MAY VARY, BUT IT'S BASED ON A SELF-ASSESSMENT UNDERTAKEN BY THE PRINCIPAL INVESTIGATOR AND THE INSTITUTION THAT THE SYSTEM HOLDING THE GENOMIC DATA MEETS NIST SECURITY CONTROLS. SO I WILL PASS IT ON TO MY COLLEAGUE MS. FALVELLA TO DIVE DEEPER INTO EXPECTATIONS FOR MEETING THESE SECURITY STANDARDS.

>> GOOD MORNING. WE'LL START OFF TALKING ABOUT WHY NIH MADE THE CHANGES AND WHAT YOU AS A RESEARCHER NEED TO KNOW ABOUT THE SECURITY BEST PRACTICES, BEFORE WE SHIFT AND DEEP DIVE INTO WHAT YOU AS AN I.T. ADMINISTRATOR MAY NEED TO KNOW, AND THEN HAVE KEY TAKEAWAYS AND PROVIDE RESOURCES BEFORE WE OPEN UP TO QUESTIONS. LET'S DIVE INTO THE GLOBAL THREAT LANDSCAPE. THERE ARE THREATS FROM NATION STATE ACTORS LOOKING TO DEMONSTRATE THEIR CYBER CAPABILITIES AS A DEFENSE DETERRENT OR SEEKING ACCESS TO INFORMATION TO GAIN A COMPETITIVE EDGE, AND WE HAVE CRIMINAL ORGANIZATIONS TO CONSIDER, WHO ARE SEEKING FINANCIAL GAIN. BOTH LEVERAGE ADVERSARIAL TECHNOLOGIES, AND THIS IS A GROWING CONCERN AS A.I. TOOLS AND THE CAPABILITIES OF A.I. TOOLS BECOME MORE ACCESSIBLE, AS WELL AS SUPERCOMPUTING POWER. SO ALL THESE THREAT SOURCES HAVE CREATED PROBLEMS, AND WE RELY ON COLLABORATION AND INFORMATION SHARING TO DRIVE INNOVATION AND DISCOVERY. THE EROSION OF PUBLIC TRUST AND FINANCIAL LOSSES FROM CYBER SECURITY ATTACKS POSE A SUBSTANTIAL CHALLENGE NOT ONLY TO NIH BUT TO THE BROADER RESEARCH INSTITUTIONS AND THEIR COMMUNITIES. JUST TO FURTHER EMPHASIZE THIS, WE'VE SEEN AN 84% INCREASE IN DATA BREACHES OVER THE LAST DECADE. HEALTH CARE AND RESEARCH INSTITUTIONS HAVE SEEN AN INCREASE IN RANSOMWARE ATTACKS.
WITH THE WORLD BEING ON THE BRINK OF REACHING POST-QUANTUM COMPUTING AND A.I., THE ABILITY TO LINK IDENTITIES FROM DE-IDENTIFIED INFORMATION IS A REAL CONCERN. SO AS LEADERS WITHIN THE BIOMEDICAL COMMUNITY WE HAVE A UNIQUE ROLE TO PLAY. NIH IS COMMITTED TO PROTECTING PUBLIC TRUST AND PREPARING FOR NATIONAL SECURITY DIRECTIVES AND POLICIES, AND ACKNOWLEDGES THAT AT TIMES RESEARCH INSTITUTIONS HAVE FOUND IT CHALLENGING TO FOLLOW A PATCHWORK OF SECURITY STANDARDS, SO NIH IS UNIFYING OUR SECURITY STANDARDS TO EASE THE BURDEN ON INSTITUTIONS SEEKING FUNDING FROM NIH. THESE FACTORS NECESSITATED AND WERE THE DRIVERS IN NIH UPDATING THE SHARING POLICY AND BEST PRACTICES FOR USERS OF DATA. SO, WHAT DO YOU AS A RESEARCHER NEED TO KNOW? NIH SECURITY BEST PRACTICES ARE SECURITY BENCHMARKS. THEY'RE NOT REGULATORY REQUIREMENTS, AND THEY'RE USED TO MEASURE YOUR INSTITUTION'S SECURITY POSTURE AGAINST THE NIST PUBLICATION 800-171, WHICH HAS SECURITY CONTROLS THAT ALIGN TO THE NIST RISK MANAGEMENT FRAMEWORK. THE FRAMEWORK OFFERS YOU A PATHWAY TO ACHIEVE ATTAINABLE SECURITY PRACTICES THROUGH A SIX-PHASE PROCESS DESIGNED TO CONTINUOUSLY MONITOR RISK IN THE I.T. LIFE CYCLE, FROM THE INCEPTION OF AN I.T. SYSTEM TO THE DECOMMISSIONING OF THAT SYSTEM. THE BEST PRACTICES FOR USERS OF CONTROLLED ACCESS DATA ARE ONLY EXPECTED TO BE APPLIED TO THOSE SYSTEMS THAT HANDLE CONTROLLED ACCESS DATA. I'M GOING TO REALLY STRESS THAT POINT AND STATE IT AGAIN: IT'S NOT EXPECTED THAT NIH SECURITY BEST PRACTICES BE APPLIED TO ALL OF YOUR I.T. SYSTEMS, JUST THE SYSTEMS THAT PROCESS NIH CONTROLLED ACCESS DATA. SYSTEMS AT YOUR INSTITUTION THAT DO NOT INTERACT WITH THE DATA ARE NOT EXPECTED TO ADOPT THE SECURITY STANDARD, THOUGH WE WOULD ENCOURAGE YOU TO MAKE THAT ADOPTION. YOU'LL FIND THE SECURITY STANDARDS UNDER THE 800-171 ARE REALLY THE BEST PRACTICES FOR MODERN ORGANIZATIONS AGAINST MODERN THREATS. BY JANUARY 25, 2025, IMPLEMENT SECURITY CONTROLS.
ANY DEVIATION FROM THE DOCUMENTED CONTROLS SHOULD BE DOCUMENTED IN YOUR PLAN OF ACTION AND MILESTONES, WHICH WILL ALLOW YOU TO FURTHER MITIGATE THE RISK. ONCE ASSESSMENTS HAVE BEEN MADE AND DEVIATIONS DOCUMENTED, INSTITUTIONS SHOULD INFORM THEIR RESEARCHERS THAT THEY CAN ATTEST TO THE NIH SECURITY BEST PRACTICES WHEN SUBMITTING NEW OR RENEWAL DATA ACCESS REQUESTS FOR NIH CONTROLLED ACCESS GENOMIC DATA. ON OR AFTER JANUARY 25, APPROVED USERS OF NIH CONTROLLED ACCESS GENOMIC DATA ARE EXPECTED TO CONTROL THE DATA TO THE STANDARD, AND IF YOU CHOOSE A THIRD PARTY CLOUD ACCESS SYSTEM FOR ANALYSIS OR STORAGE OF YOUR PROJECT, YOU SHOULD REQUEST FROM THAT THIRD PARTY OR CLOUD SERVICE PROVIDER AN ATTESTATION OF THEIR COMPLIANCE TO 800-171, BECAUSE THAT'S THE ONLY WAY YOU'LL HAVE THE ASSURANCES THAT WILL ALLOW YOU TO ATTEST TO THE STANDARD WHEN SUBMITTING NEW OR RENEWAL ACCESS REQUESTS. OKAY. SO AS AN I.T. ADMINISTRATOR, WHAT DO YOU NEED TO KNOW? WE'LL SHIFT NOW TO TALK ABOUT WHAT I.T. SUPPORT STAFF NEED TO KNOW. SO THE NIST 800-171 ARTICULATES THE REQUIREMENTS ACROSS 17 CONTROL FAMILIES, FROM ACCESS SECURITY AND MANAGEMENT TO SUPPLY CHAIN RISK MANAGEMENT. WITH THE RECENT INTRODUCTION OF REV 3, THREE WERE ADDED AROUND SUPPLY CHAIN RISK MANAGEMENT, WITH THE UNDERSTANDING THAT MOST MODERN SOPHISTICATED ACTORS ARE GAINING ACCESS THROUGH THIRD PARTY PROVIDERS OR PROCURED SOFTWARE OR EQUIPMENT. ADDITIONALLY, REV 3 INTRODUCED THE CONCEPT THAT RISK SHOULD NOT ONLY BE ASSESSED ONCE BUT MONITORED THROUGHOUT THE LIFE CYCLE OF A SYSTEM. SO PLEASE NOTE, IF YOUR INSTITUTION IS ALREADY ON REV 2, WE ACKNOWLEDGE IT TAKES TIME TO ADJUST TO REV 3, SO WE WILL ACCEPT REV 2 AND REV 3 AS FULFILLING THE EXPECTATIONS OF THE NIH SECURITY BEST PRACTICES. WE ASK THAT IF YOU ARE ON REV 2 YOU START TO PLAN FOR REV 3 ADOPTION. START TO PLAN NOW: CREATE A PLAN OF ACTION AND MILESTONES ENTRY FOR EACH OF THE NEW CONTROL FAMILIES SO YOU CAN TRACK YOUR PROGRESS AND ATTAIN REV 3 COMPLIANCE. OKAY.
WE'RE GOING TO SHIFT NOW TO LOOK AT THE ANATOMY OF THE NIST 800-171 CONTROLS TO GIVE YOU SITUATIONAL AWARENESS OF HOW TO USE THE 800-171 SERIES. THE 800-171 SERIES IS MADE UP OF TWO DOCUMENTS. ONE IS THE 171, WHICH DOCUMENTS THE CONTROLS, AND THEN THERE'S A COMPLEMENTARY 171A USED TO ASSESS THE CONTROLS. SO THE NIST 800-171 WILL PROVIDE THE REQUIREMENT FOR THE CONTROL, AND SOME WILL LIST ORGANIZATIONAL REQUIREMENTS. WHEN YOU SEE THIS, THAT MEANS YOUR ORGANIZATION CAN SET OR ESTABLISH THE POLICY OR PROCEDURE FOR THAT CONTROL. YOU GENERALLY SEE THAT IN A CONTROL WHERE THE FREQUENCY OF THE ACTIVITY OR FREQUENCY OF THE CONTROL IS AT THE ORGANIZATION'S DIRECT DISCRETION. THAT OFFERS MAXIMUM FLEXIBILITY. NEXT YOU'LL SEE NIST WILL HAVE THE CONTROL DESCRIPTION. THAT WILL ARTICULATE ACCEPTABLE MEANS, AND YOU'LL SEE A CROSSWALK OF THE CONTROL TO THE 800-53 CONTROLS AND ADDITIONAL RESOURCES AVAILABLE TO YOU, WHICH YOU CAN REFERENCE FOR CONTEXT OR ADDITIONAL OPTIONS OR CLARIFICATION FOR THE CONTROL. SO THE KEY TAKEAWAY IS THE 171 WILL PROVIDE EVERYTHING YOU NEED TO KNOW HOW TO SELF-ASSESS OR IMPLEMENT THE CONTROL IN THE SERIES. NOW WE'LL SHIFT TO THE 171A. THIS IS THE DOCUMENT THAT YOU'RE GOING TO USE FOR YOUR SELF-ASSESSMENT, AND IT COMPLEMENTS THE NIST 800-171. YOU'LL SEE NIST WILL PROVIDE THE CONTROL NUMBER AND NAME, AND UNDERNEATH YOU'LL GET THE REQUIREMENTS YOU'RE ASSESSING AGAINST. YOU'LL DETERMINE THE ASSESSMENT METHOD: WAYS TO DETERMINE INCLUDE EXAMINING A POLICY OR PROCEDURE, INTERVIEWING, SUCH AS INTERVIEWING I.T. PERSONNEL, OR CONDUCTING AN I.T. TEST, SUCH AS ATTEMPTING TO PASSWORD-GUESS THE ACCESS MANAGEMENT SYSTEM. WHAT LEVEL YOU CONDUCT THE SELF-ASSESSMENT AT IS UP TO YOU, AND YOU CAN DETERMINE THE RIGHT LEVEL BASED ON YOUR SECURITY AND THE CONTROLS IMPLEMENTED AND THE RESOURCES AND TIME AVAILABLE TO YOU. DEPENDING ON THE METHOD, THE 171A ASSESSMENT METHOD WILL ARTICULATE WHICH ARTIFACTS SHOULD BE REVIEWED, WHO YOU SHOULD BE INTERVIEWING AND WHAT CONTROLS ARE APPLICABLE FOR TESTING.
THE KEY TAKEAWAY IS THE 171A WILL PROVIDE YOU WITH EVERYTHING YOU NEED TO KNOW TO SELF-ASSESS AGAINST THE 171 CONTROLS. NIST PROVIDES A WEALTH OF INFORMATION AND RESOURCES AVAILABLE FOR YOU TO LEVERAGE. ONE IS THE NIST CYBERSECURITY REFERENCE TOOL AND OVERLAY, WHICH ALLOWS YOU TO EXPORT THE FAMILIES INTO A NICE EXCEL SPREADSHEET. YOU CAN TURN IT OVER TO YOUR I.T. STAFF FOR THEM TO DOCUMENT THE CONTROLS DIRECTLY IN THE SPREADSHEET, AND NIST SIMILARLY OFFERS A TOOL WITH SIMILAR FUNCTIONALITY FOR CONDUCTING SELF-ASSESSMENTS. WE'RE ALSO GOING TO PROVIDE IN THE CHAT THE LINK TO A DEEP DIVE OF THE 800-171 SERIES AS WELL AS AN OVERVIEW OF THE TWO TOOLS. SO, LET'S RECAP WHERE WE ARE. IF YOU ARE AN I.T. SUPPORT STAFF MEMBER, YOU ARE TO ASSESS IN-SCOPE SYSTEMS AGAINST THE NIST 800-171 CONTROLS AND, TO THE BEST OF YOUR ABILITY, IMPLEMENT THE SECURITY CONTROLS. YOU'RE ALSO TO DOCUMENT ANY DEVIATIONS IN A PLAN OF ACTION AND MILESTONES, INCLUDING ANY CONTROLS YOU PARTIALLY IMPLEMENTED OR PLAN TO, AND ONCE DONE YOU SHOULD COMMUNICATE OUT TO STAFF AND RESEARCHERS SO THEY CAN ATTEST UNDER THE APPROPRIATE CONDITIONS. ON OR AFTER JANUARY 25, YOU'RE TO ATTEST TO PROTECTING NIH GENOMIC DATA WHEN REQUESTING NEW OR RENEWING ACCESS TO NIH CONTROLLED ACCESS DATA. JUST TO PROVIDE YOU WITH ALL THE LINKS WE COVERED TODAY IN ONE SPOT: NIH HAS AN EXTENSIVE LIBRARY OF DOCUMENTS AND INFORMATION AVAILABLE TO YOU, AND WE ALSO WANTED TO COLLECT AND HIGHLIGHT THE NIST RESOURCES AVAILABLE TO YOU. THEY'RE HERE ON THE SLIDE AND WILL BE SHARED OUT WITH YOU AFTER THE PRESENTATION. I WANT TO THANK YOU FOR HANGING IN THERE AS WE WENT OVER THE INFORMATION. MICHAEL WILL BE FACILITATING OUR Q&A SESSION AND COORDINATING. OVER TO YOU.

>> THANK YOU. I'M THE NIH ICO COMMUNICATIONS LEAD AND I'LL BE FACILITATING THE Q&A SESSION FOR THIS EVENT.
AS A FRIENDLY REMINDER, ENTER YOUR QUESTIONS IN THE Q&A. THOSE IN ZOOM CAN ADD YOUR QUESTIONS THERE, WE'LL TRY TO ADDRESS AS MANY QUESTIONS AS WE CAN, AND YOU CAN E-MAIL QUESTIONS TO THE E-MAIL ADDRESS ON THE SCREEN. TO KICK OFF THE Q&A, THE FIRST QUESTION IS FOR MS. FALVELLA: HOW MUCH TIME IS THERE TO REMEDIATE?

>> TIME TO REMEDIATE PLAN OF ACTION AND MILESTONE ITEMS, WHICH COULD INCLUDE IDENTIFIED RISKS OR SYSTEM WEAKNESSES OR ANY PARTIAL OR PLANNED CONTROLS IDENTIFIED IN THE SELF-ASSESSMENT: THOSE REMEDIATION TIMES ARE SPECIFIC TO YOUR ORGANIZATION, BUT THEY SHOULD BE ALIGNED TO BEST EFFORTS TO RESOLVE IN A TIMELY MANNER WITHOUT UNREASONABLE DELAY AND BASED ON THE RISK OF POTENTIAL IMPACT. IT'S UP TO THE ORGANIZATION. FOR ANY RISK MANAGEMENT, YOU WANT TO MAKE SURE IT'S TIMELY, REALISTIC, FEASIBLE WITHOUT UNREASONABLE DELAY AND BASED ON THE RISK THAT CONTROL OR WEAKNESS MAY PRESENT TO THE ORGANIZATION.

>> THANK YOU. ANOTHER QUESTION FOR YOU, MS. FALVELLA, ON SCANNING. IT READS: DO DOCKER IMAGES NEED TO HAVE BASELINE CONFIGURATION AND VULNERABILITY SCANS BEFORE THEY'RE ALLOWED TO HANDLE NIH CONTROLLED ACCESS DATA?

>> YES. VULNERABILITY MONITORING AND SCANNING IS PART OF THE NIST CONTROL FAMILIES UNDER 800-171. IT'S CONTROL 3.11.2, AND IT REQUIRES THAT SYSTEMS UNDERGO VULNERABILITY MONITORING AND SCANNING. THE TYPES OF SCANS AND FREQUENCY ARE AN ORGANIZATIONALLY DEFINED REQUIREMENT. THOSE ARE THE CONTROLS WE MENTIONED WITH MAXIMUM FLEXIBILITY, BUT THE EXPECTATION IS THAT YOU ARE CONDUCTING VULNERABILITY MONITORING AND SCANNING AS APPROPRIATE FOR SYSTEMS THAT ARE PROCESSING THE NIH CONTROLLED ACCESS DATA.

>> OUR NEXT QUESTION IS FOR DR. JACOBS. DOES NIH INTEND FOR IT TO APPLY TO DATA CREATED THROUGH THE PROCESSING OR ANALYSIS OF THE CONTROLLED ACCESS GENOMIC DATA? IF SO, WHAT DERIVED DATA WOULD BE CONSIDERED RESTRICTED AND WHAT DATA ARE NOT SUBJECT TO THESE CONTROLS? DR. JACOBS, OVER TO YOU.

>> THANK YOU. TO BE CLEAR, NIH IS NOT FORMALLY, OR HAS NOT FORMALLY, DESIGNATED THE DATA TO BE CLASSIFIED AS DEFINED IN THE REGULATION.
NIH IS EXPECTING THAT USERS AND THEIR INSTITUTIONS THAT OBTAIN HUMAN GENOMIC DATA FROM THE NIH CONTROLLED ACCESS DATA REPOSITORIES THAT WERE INDICATED PREVIOUSLY WILL PROTECT THESE DATA ACCORDING TO THE NIST STANDARD 800-171. WE WANT TO REMIND FOLKS ON THE CALL THAT NIH HAS TYPICALLY INDICATED IN TERMS OF ACCESS AGREEMENTS, SUCH AS THE DATA USE CERTIFICATION, THAT ALL TYPES OF DERIVED DATA ARE PROTECTED IN CONTROLLED ACCESS REPOSITORIES. SO THE EXAMPLE GIVEN IN THE DUC IS SINGLE NUCLEOTIDE POLYMORPHISMS, OR SNPs; THEY'RE CONSIDERED DATA DERIVATIVES AND WOULD TYPICALLY BE TREATED AND SECURED SIMILARLY TO INDIVIDUAL CONTROLLED ACCESS DATA.

>> THANK YOU, DR. JACOBS. WE HAVE ANOTHER QUESTION FOR YOU. COULD YOU PROVIDE EXAMPLES OF DEVELOPERS AT A UNIVERSITY THAT ARE ALSO NOT RESEARCHERS?

>> WE GET THIS QUESTION A LOT, AND WE ARE REALLY FOCUSING ON THE ACTION OF THOSE INVESTIGATORS THAT ARE FUNDED TO DO THE WORK RATHER THAN THE DEFINITION. SO WHEN WE'RE TALKING ABOUT DEVELOPERS, THEIR WORK IS NOT RESEARCH, AND WHAT WE MEAN BY THAT IS THESE DEVELOPERS ARE FUNDED BY NIH TO DO A PARTICULAR SERVICE ON ONE OF THE 20 OR SO REPOSITORIES THAT WE INDICATED ON THE SLIDE. THEY'RE ESTABLISHING THE REPOSITORY, PROVIDING MAINTENANCE OR DEVELOPING A TOOL FOR A REPOSITORY, AND WE WOULD CONSIDER THAT AWARDED P.I. TO BE A DEVELOPER. IN CONTRAST, IF A P.I. IS AWARDED TO MAKE A TOOL THAT WOULD BE OF SERVICE IN GENERAL TO REPOSITORIES AND IS NOT FUNDED TO WORK ON A PARTICULAR REPOSITORY, THAT WOULD BE CLASSIFIED AS RESEARCH. AND SOMETHING WE WANT TO POINT OUT IS THAT, BASED ON THE ACTIVITY, A P.I. COULD BE FUNDED TO DO DEVELOPER WORK, SO WORK THAT IS ON ONE OF THE 20 REPOSITORIES, AND ALSO SEPARATELY HAVE A RESEARCH GOAL, AND IF THEY DO, THEY WOULD BE EXPECTED TO SUBMIT A DATA ACCESS REQUEST TO THE APPROPRIATE DAC FOR RESEARCH.

>> AWESOME. NOW, WE HAVE ANOTHER QUESTION, AND THIS IS FOR YOU, MS. FALVELLA: IS IT VERSION 2 OR 3?
>> NIH WILL ACCEPT REV 2 AND REV 3 AS FULFILLING SECURITY EXPECTATIONS IN THE BEST PRACTICES. WHAT WE DO ENCOURAGE IS THAT YOU ASSESS AGAINST REV 3. SO IF YOU'RE ON REV 2, ADD THE ADDITIONAL CONTROL FAMILIES TO YOUR PLAN OF ACTION AND MILESTONES FOR YOUR I.T. SYSTEMS SO YOU CAN START TO PLAN AHEAD FOR THAT CONVERSION. WE HAVE NOT ESTABLISHED A DATE WHEN WE'LL SUNSET REV 2, BUT YOU SHOULD PLAN FOR ADOPTING THE FULL REV 3 STANDARD. THAT'S DRIVEN BY WHAT WE'RE SEEING IN THE THREAT LANDSCAPE. THERE ARE SO MANY THREATS COMING IN THROUGH AUTHORIZED SERVICE PROVIDERS AND AUTHORIZED SOFTWARE, AND SO WE REALLY ENCOURAGE YOU TO MAKE THE SWITCH FROM A SECURITY PERSPECTIVE BECAUSE THE RISKS ARE SO HIGH. THANKS.

>> THANK YOU, MS. FALVELLA. I THINK THERE'S INTEREST IN KNOWING WHERE WE CAN FIND THE LIST OF SUBJECT REPOSITORIES. WE'LL SHARE THE LINK IN THE CHAT. WE'LL GATHER THAT HERE AND PUT IT IN THE CHAT FOR YOU. CARLOS PUT THAT IN THE CHAT, SO YOU CAN FIND THE LINK TO THE LIST OF SUBJECT REPOSITORIES. WE HAVE A QUESTION FOR YOU, DR. JACOBS. DOES NIH CONSIDER THIS DATA TO BE CUI, OR ARE YOU SIMPLY USING THE CUI SAFEGUARDS AND STANDARDS BECAUSE IT'S BEST PRACTICE?

>> NIH DOES NOT CONSIDER THE DATA TO BE CONTROLLED UNCLASSIFIED INFORMATION. RATHER, WE'RE USING THE STANDARD AND SECURITY CONTROLS. NIH PREVIOUSLY HAD A DOCUMENT THAT OUTLINED SECURITY CONTROLS SEPARATE FROM PARTICIPANT PRIVACY AND PROTECTION, AND SO THIS IS IN LINE WITH UPDATING HOW THE DATA SHOULD BE SECURED AND PROTECTED FROM ANY CYBER SECURITY THREATS, AS MS. FALVELLA HAD OUTLINED.

>> THANK YOU. NOW, WE HAVE A QUESTION ASKING WHAT THE DEFINITION OF DEVELOPER IS. I THINK WE TOUCHED ON THIS SLIGHTLY BEFORE, BUT I THINK WE NEED TO ISOLATE THIS AND EXPAND ON IT. FOR THE DEVELOPERS, WHAT IS THE DEFINITION OF WHO IS A DEVELOPER?
>> YEAH, SO TO GO BACK, THERE ISN'T -- IT'S BASED ON AN AWARDEE FUNDED TO DO PARTICULAR WORK IN ONE OF THE 20 REPOSITORIES LISTED ON THE SHARING SITE, AND SO THAT'S WHERE THE PARTICULAR -- BASED ON THE ACTION IS WHEN THE WORK WOULD BE CHARACTERIZED AS DOING DEVELOPER ACTIVITIES.

>> SOUNDS GOOD. AND DR. JACOBS, WHILE YOU'RE STILL ON THE MIC, THERE'S A QUESTION FOR YOU. IT READS: I KNOW THIS IS FOCUSING PRIMARILY ON NIH CONTROLLED ACCESS DATA. WHAT ARE THE EXPECTATIONS FOR DATA GENERATORS AND FACILITIES WHICH CAN GENERATE DATA THAT, BASED ON GDS POLICY, IRB AND CONSENT, MAY END UP IN ONE OF THE FUNDED DATABASES LIKE dbGaP? IS THERE DOCUMENTATION FOR GUIDANCE?

>> I WANT TO BETTER UNDERSTAND THAT QUESTION. IF YOU DON'T MIND READING THAT AGAIN.

>> IT READS: I KNOW THIS IS FOCUSING PRIMARILY ON INTERACTION WITH NIH-FUNDED CONTROLLED ACCESS DATA. WHAT ARE THE EXPECTATIONS FOR DATA GENERATORS, FOR EXAMPLE CORE FACILITIES, WHICH CAN GENERATE DATA THAT, BASED ON GDS POLICY, IRB AND CONSENT, MAY END UP IN A FUNDED DATABASE LIKE dbGaP? IS THERE DOCUMENTATION FOR GUIDANCE?

>> GOT IT. THE USERS OF CONTROLLED ACCESS DATA IS LIMITED TO THOSE P.I.s THAT ARE REQUESTING ACCESS AND ARE APPROVED TO ACCESS DATA FROM ONE OF THE 20 REPOSITORIES INDICATED. THIS DOES NOT APPLY TO DATA GENERATORS; THERE'S NOT AN EXPECTATION FOR ANY OF THE SECURITY STANDARDS INDICATED IN THIS UPDATE TO APPLY TO THOSE ENTITIES.

>> SOUNDS GOOD. THANK YOU, DR. JACOBS. NOW, OUR NEXT QUESTION, ON NIH ACCESS TRACKING. IT ASKS HOW THE NIH IS TRACKING ACCESS TO CORRELATE AND VALIDATE THE RIGHT PEOPLE WITH THE RIGHT ACCESS. WHEN AN INDIVIDUAL DOWNLOADS CONTROLLED DATA AND THAT PERSON LEAVES FOR ANOTHER INSTITUTION, WHICH INSTITUTION IS RESPONSIBLE FOR THAT DATA SET? IS THE INDIVIDUAL REQUIRED TO RESUBMIT TO ACCESS THE DATA SET? ARE THEY TRACKING LEAVERS? IF SOMEONE COMES TO MAYO AND BRINGS DATA, WHAT IS THE PROCESS AND WHO IS RESPONSIBLE?

>> I'LL TAKE THAT ONE.
SO, NIH DOES NOT TRACK, DOES NOT APPLY ANY IDENTIFIER TO TRACK, USERS WHEN THEY GET ACCESS TO DATA OR IF THEY'RE WORKING INSIDE A CLOUD ENVIRONMENT AT NIH. WHAT IS RECORDED IS THE P.I.'S NAME AND THEIR INSTITUTION AND THEIR RESEARCH USE STATEMENT. WHAT WE DO SAY IN THE DATA USE CERTIFICATION IS THAT IF A P.I. LEAVES AN INSTITUTION, THEY ARE EXPECTED TO CLOSE OUT THEIR PROJECT AT THEIR OLD INSTITUTION AND THEN AT THEIR NEW INSTITUTION TO SUBMIT A NEW -- IT COULD BE THE SAME, BUT TO SUBMIT ANOTHER DATA ACCESS REQUEST AT THE NEW INSTITUTION, WHERE THAT INSTITUTIONAL SIGNING OFFICIAL, AND THEREFORE THE INSTITUTION, IS AGREEING TO THE TERMS OF ACCESS AS WELL AS THE P.I. IT IS ON THE INSTITUTION AND THE P.I. TO MAKE SURE THAT ONCE A P.I. LEAVES, THEY HAVE APPROPRIATELY CLOSED THE PROJECT AND, IF THEY'RE NOT MOVING DATA TO THEIR NEW INSTITUTION, HAVE DELETED THE DATA FROM THE OLD INSTITUTION. AND THEN IT'S UP TO THE NEW INSTITUTION TO MAKE SURE THE P.I., IF THEY'RE STILL WORKING WITH THAT DATA, HAS SUBMITTED A NEW DAR TO COVER THAT RESEARCH AT THE NEW INSTITUTION.

>> EXCELLENT. THANK YOU, DR. JACOBS. I HAVE ANOTHER QUESTION FOR YOU, AND MAUREEN CAN ADD CONTEXT AFTER YOUR RESPONSE. WILL NIH REQUIRE AN AUTHORIZED OFFICIAL TO SUBMIT THE ATTESTATION, OR ARE RESEARCHERS GOING TO BE ABLE TO SUBMIT THE ATTESTATION DIRECTLY?

>> YES, THIS IS A GOOD QUESTION. SO, WHAT WE DO EXPECT IS THAT THERE WILL BE A SELF-ASSESSMENT GUIDED BY THE P.I. AND THEIR INSTITUTION, AND THROUGHOUT THE DAR PROCESS THAT IS TYPICAL RIGHT NOW, SAY FOR dbGaP, WE HAVE THE PRINCIPAL INVESTIGATOR SUBMITTING THE DAR SIGN OFF ON MEETING CERTAIN REQUIREMENTS AND EXPECTATIONS IN THE TERMS OF ACCESS, AND THE INSTITUTIONAL SIGNING OFFICIAL AS WELL. SO THE WAY WE HAVE IT RIGHT NOW, THERE WILL NOT BE A SEPARATE ATTESTATION LETTER OR ANYTHING SUBMITTED.
THIS WILL BE A PART OF THE DAR PROCESS THAT IS TYPICAL RIGHT NOW. TO ADHERE TO SECURITY BEST PRACTICES, THE ATTESTATION WILL BE PART OF THE DAR PROCESS AND WILL NOT BE A SEPARATE LETTER ACCEPTED, AND THE P.I. WILL SIGN OFF ON THIS ATTESTATION. RIGHT NOW IN dbGaP IT'S A CHECK BOX; IN A DIFFERENT SYSTEM, AND SIMILARLY FOR THE INSTITUTIONAL SIGNING OFFICIAL WHO WOULD ATTEST AS PART OF THE DAR PROCESS, IN dbGaP WE ANTICIPATE THIS WILL BE A CHECK BOX, BUT AGAIN IN ANOTHER SYSTEM THIS COULD BE DIFFERENT.

>> THAT'S GREAT. I WANTED TO CLARIFY THE TERMINOLOGY USED. AUTHORIZING OFFICIAL IS A TERM USED FOR REGULATORY COMPLIANCE. THIS IS NOT A REGULATORY REQUIREMENT. THIS IS A SECURITY BENCHMARK THAT WE'RE APPLYING. SO I JUST WANT TO CLARIFY: AUTHORIZING OFFICIAL IS A ROLE CLOSELY TIED TO FISMA. INVESTIGATORS AT THE POINT OF ACCESS MUST ATTEST TO ALIGNING TO 171, SO, FURTHER CLARIFYING, THE ROLE OF THE AUTHORIZING OFFICIAL IS NOT TO SUBMIT DOCUMENTATION TO THE GOVERNMENT. THIS IS NOT A FISMA REQUIREMENT AND AUTHORIZATION TO OPERATE FROM THE -- GOVERNMENT, SO I JUST WANT TO ADD CONTEXT THERE.

>> SPEAKING OF ATTESTATION, WE HAVE AN INQUIRY ABOUT THE FUTURE ATTESTATION PROCESS. THIS QUESTION STATES: FOR THE LONG-TERM ATTESTATION VISION, IS IT THE INDIVIDUAL OR THE ENTERPRISE THAT COMPLETES THE ATTESTATION?

>> THE INDIVIDUAL IS ATTESTING TO PROTECTING THE DATA TO A SECURITY BENCHMARK, WHICH IS THE 171 OR THE INTERNATIONAL STANDARD.

>> SOUNDS GOOD. WE HAVE LOTS OF QUESTIONS COMING IN. LET ME CAPTURE THEM AND ASK ACCORDINGLY. ALL RIGHT. SO FOR THE CONTROLLED REPOSITORY SCOPE, THERE'S A QUESTION OF WHETHER THE ATTESTATION PROCESS WOULD EXTEND TO OTHER REPOSITORIES OR OTHER DATA TYPES.

>> I'LL TAKE THAT ONE. WHAT IS TYPICAL IS THAT THE ATTESTATION IS AT THE REPOSITORY LEVEL.
IT'S NOT BY INDIVIDUAL DATA TYPE, SO IF THERE ARE MULTIPLE DATA TYPES IN A REPOSITORY ALONG WITH GENOMIC DATA, SUCH AS PROTEOMICS, THE ATTESTATION AND THE EXPECTATION TO SECURE THE DATA WILL APPLY DESPITE IT NOT NECESSARILY BEING GENOMIC DATA. SO IF A REPOSITORY HAS GENOMIC AND ASSOCIATED DATA, ALL THAT DATA WILL BE EXPECTED TO BE SECURED ACCORDING TO THE NIST STANDARD, AND SO THE ATTESTATION WILL APPLY EVEN IF, SAY, GENOMIC DATA IS NOT NECESSARILY ACCESSED AT THE SAME TIME AS THE OTHER ASSOCIATED DATA.

>> AWESOME. THANK YOU, DR. JACOBS. NOW, WE HAVE A QUESTION FOR MS. FALVELLA. IT STATES: WHAT ARE THE EXPECTATIONS FOR APPROVAL UNDER A POA&M? WILL THERE BE AN EXTENSIVE REVIEW, OR IS CREATING THE POA&M AND THE DOCUMENT ENOUGH? THERE'S A SECOND PART; WE'LL ADDRESS THE FIRST PART AND THEN GO TO THE SECOND PART.

>> SOUNDS GOOD. SO THE EXPECTATION IS THAT RESEARCHERS ATTEST TO PROTECTING THE DATA AND THEN PROTECT THE DATA. AFTER YOU ATTEST, FROM THAT POINT YOU'RE HELD ACCOUNTABLE FOR PROTECTING THE DATA IN ACCORDANCE WITH NIST 800-171. YOUR ORGANIZATION WILL HAVE TO SELF-ASSESS AGAINST THE SERIES, AND FOR ANY PLANNED SYSTEM YOU CREATE A POA&M. THOSE ARE ALL ORGANIZATIONALLY MANAGED ARTIFACTS THAT WILL THEN ALLOW YOUR RESEARCHERS TO ATTEST TO PROTECTING THE DATA. SO THIS IS NOT A DELIVERABLE TO THE GOVERNMENT. POA&Ms ARE NOT DELIVERABLE TO THE GOVERNMENT; THEY'RE AN ORGANIZATIONALLY MANAGED ARTIFACT. YOU'LL MANAGE THOSE WITHIN YOUR INSTITUTION, AND SO YOUR ORGANIZATION, MAINLY YOUR I.T. SUPPORT STAFF, SHOULD HELP YOU CREATE YOUR PLAN OF ACTION AND MILESTONES AND SHOULD BE MANAGING THAT. THAT WILL GIVE YOU ASSURANCES. IF THERE IS AN INCIDENT OR CONCERN RELATIVE TO DATA MANAGEMENT OR A PRIVACY BREACH, THOSE ARE INSTANCES WHERE THE GOVERNMENT MAY REQUEST ADDITIONAL INFORMATION IN ALIGNMENT WITH YOUR AGREEMENT THROUGH YOUR DATA ACCESS REQUEST; THAT'S AN AGREEMENT WE HAVE WITH YOU.
SO THOSE ARE INSTANCES WHERE WE WOULD REQUIRE ADDITIONAL INFORMATION AND MAY REQUIRE AS PART OF THAT YOUR PLAN OF ACTION AND MILESTONES, BUT THAT'S NOT A DELIVERABLE TO THE GOVERNMENT. THIS IS WHERE IT'S DIFFERENT FROM A FEDERAL FISMA REGULATION: IT'S A SECURITY BENCHMARK.

>> AWESOME. THE SECOND PART OF THAT QUESTION IS: WHAT ARE THE EXPECTATIONS AND TIME PERIOD FOR POA&Ms? ONE YEAR, MORE OR LESS?

>> GREAT QUESTION. I WANT TO GO BACK TO THIS: ORGANIZATIONS SHOULD, AND IT'S AT THEIR DISCRETION, ALIGN TO BEST EFFORTS, RIGHT, RESOLVING IN A TIMELY MANNER WITHOUT UNREASONABLE DELAY, AND THE RISK OF A SECURITY CONTROL OR SYSTEM WEAKNESS NOT IN PLACE, OR A WEAKNESS DISCOVERED, SHOULD DETERMINE WHAT THE FEASIBLE, REALISTIC TIME IS TO RESOLVE A POA&M ITEM. THE GOVERNMENT IS NOT ARTICULATING WHAT THE REQUIREMENT SHOULD BE. THAT IS AN ORGANIZATION-DETERMINED ELEMENT, IF YOU WILL. AGAIN, OUR EXPECTATIONS ARE THAT YOU ARE PROTECTING THE DATA ALIGNED TO THE 800-171, WHICH ALSO HAS A CONTROL ON PLANS OF ACTION AND MILESTONES AND TIME.

>> EXCELLENT. DR. JACOBS, I HAVE ANOTHER ONE FOR YOU. DID NIH DO ANY REVIEW OF THE FINANCIAL IMPACT OF THESE NEW STANDARDS? MANY BIOMEDICAL INSTITUTIONS DON'T HAVE AN EXISTING ENVIRONMENT OR ONLY HAVE COMPLIANCE BASED ON THEIR AIR GAPS. OVER TO YOU.

>> THANK YOU. SO, NIH HAS CONSIDERED THE IMPACT OF THESE CONTROLS ON INSTITUTIONS, AND WHEN CONSIDERING THE IMPACT, IT'S ALSO IN CONSIDERATION OF THE LANDSCAPE IN WHICH REGULATIONS AND LAWS ARE DEFINING THE DATA SECURITY EXPECTATIONS. IN WEIGHING BOTH OF THOSE, NIH WENT WITH THE SECURITY STANDARD WE HAVE IDENTIFIED, WHICH DOES REQUIRE A SELF-ASSESSMENT AND PLAN OF ACTION AND MILESTONES AS MS. FALVELLA OUTLINED, SO IF INSTITUTIONS ARE NOT ABLE TO FULLY IMPLEMENT THE CONTROLS BUT CAN ONLY PARTIALLY IMPLEMENT, THERE'S A PATHWAY TO WORK TOWARDS SECURING ALL THE NIST CONTROLS.

>> THANK YOU, DR. JACOBS. ONE MORE.
If a researcher submits an application attesting their system is compliant, and didn't realize what they were attesting to and didn't confirm with their organization, could they or their institution be subject to the False Claims Act, or enforcement, or some consequences?

>> There would be consequences that NIH would follow up as a cybersecurity or data management incident, and NIH would work with the institution to remediate any plan to be able to meet certain security expectations. But what we don't want is exactly what this example outlined, that an investigator is attesting to something they don't understand. That is a misleading statement. I don't think NIH would use its existing processes for dealing with statements that are not accurate, either purposefully or unknowingly, to remediate the action, and may take further compliance issues based on the response from the institution and principal investigator. But what we want to emphasize here is: investigators, work with your security experts at your institution to knowingly meet the expectations outlined for requesting data from NIH.

>> Thank you, Dr. Jacobs. My next question is for you too, Dr. Jacobs and Ms. Falvella. Why was this chosen as the standard? It only deals with confidentiality, which is not the same as privacy.

>> I can take that one. The NIST 800-171 is derived from the 800-53 series, and you're right, it deals with confidentiality and integrity but removes the security controls that are around availability, and so it is widely used not only across the departments of the government but also across our OpDivs to protect the confidentiality and integrity of the information for our non-federal systems. So that was one consideration. The other consideration that is in play is that it easily crosswalks to HIPAA as well as the 800-53.
When we looked, we needed to easily translate and crosswalk to the other widely used standards, and from a research and development standpoint we wanted a standard whose crosswalk would easily translate into the other departments that have large research and development, and the 171 is the one widely used for those purposes across the government. And so, the policy already provides controls intended to address privacy and participant autonomy, and that will continue to be the case, and the standard is also used by other parts of the federal government for research with non-federal institutions. I'm not sure if there's anything else you wanted to add to that?

>> I would just add, to clarify, that NIH has required a security standard to secure data previous to this, so this is in line with that, and as far as addressing privacy and participant autonomy, the GDS policy has many different ways to do that, and security is one of those, and there are other controls for privacy and participant autonomy.

>> Thank you. This will be our last question, and a clarifying question: if we don't have full compliance but have a POA&M, it's sufficient as of January 25, is that so?

>> That is correct. So what we expect of our research institutions to do prior to January 25 is to conduct a self-assessment and implement to the best of your abilities, and then to implement a plan of action and milestones as your roadmap of how you'll reach full compliance. That will include any system or business you identified, as well as any partially implemented or not fully planned controls and considered to be implemented. Once you do that, you should communicate that out to your staff and researchers and investigators, and that will allow them to attest to 800-171.

>> Thank you. This concludes our Q&A session. We'll have questions we'll fuse into our day two on Friday. I'll turn it over to Dr. Chen to close us out. Thank you, all.

>> Thank you, Michael. Thank you, Dr. Jacobs and Ms. Falvella, and our interpreter and closed captioner.
This concludes today's overview of the NIH security best practices for users of controlled-access data. Thank you for your time, and if there are more questions, send them to GDS@mail.nih.gov, and we'll have summaries on day two and questions and answers during that time too. Thank you again and have a wonderful rest of your day, and this concludes the webinar.