Notice Regarding the Applicability of the Federal Information Security Management Act to NIH Grantees

Notice Number: NOT-OD-08-032

Key Dates
Release Date: January 9, 2008

Issued by
National Institutes of Health (NIH), (http://www.nih.gov)

NIH is providing this notice to inform its grantee organizations of the recent Department of Health and Human Services (HHS) announced policy regarding applicability of the Federal Information Security Management Act (FISMA) to grantees.

All information systems, electronic or hard copy which contain federal data need to be protected from unauthorized access. This also applies to information associated with NIH grants and contracts.

Congress and the Office of Management and Budget (OMB) have instituted laws, policies and directives that govern the creation and implementation of federal information security practices that pertain specifically to grants and contracts. The current regulations are pursuant to the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002 Pub. L. No. 107-347 (beginning on page 48).

Given the nature of the relationship between the NIH and its grantees (which differs from a contractual relationship), the question arose as to whether data collected in the course of NIH-funded research through grants and cooperative agreements fall under the FISMA regulations. The applicability of FISMA to grantees funded by the Department of Health and Human Services (including the NIH) has been addressed by the HHS Chief Information Security Officer in an October 29 memo clarifying federal regulations governing the management and protection of the data the federal government collects for grants.

The memo stated that:

FISMA (Federal Information Security Management Act) applies to grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations.

In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements with grantees. The grantee retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy and research. If and when information collected by a grantee is provided to HHS, responsibility for the protection of the HHS copy of the information is transferred to HHS and it becomes the agency’s responsibility to protect that information and any derivative copies as required by FISMA.

Inquiries

If you have any questions about whether the data collected in the course of your NIH-funded research fall under FISMA please contact Sally Rockey at 301-496-1096 or rockeysa@od.nih.gov