Required Security and Operational Standards for NIH Controlled-Access Data Repositories
Notice Number:
NOT-OD-25-159

Key Dates

Release Date:

September 24, 2025

Related Announcements

  • April 2, 2025 - Implementation Update: Enhancing Security Measures for NIH Controlled-Access Data. See notice NOT-OD-25-083
  • July 25, 2024 - Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy. See notice NOT-OD-24-157
  • August 27, 2014 - NIH Genomic Data Sharing Policy. See notice NOT-OD-14-124

Issued by

NATIONAL INSTITUTES OF HEALTH (NIH)

Purpose

The National Institutes of Health (NIH) is implementing consistent and robust protocols to ensure NIH controlled-access data are appropriately safeguarded, consistent with Executive Order 14117 and 28 CFR Part 202, "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons." In addition to further protecting Americans' sensitive personal health-related data from misuse by foreign adversaries, these security and operational standards are intended to enhance the efficacy of controls for protecting the privacy and autonomy of research participants, harmonize NIH controlled-access data repositories’ submission and access processes, standardize user terms of access, establish specific security requirements for repositories and users, and set requirements for public transparency.

Background

NIH has contributed substantial data resources to the biomedical research community to accelerate scientific discovery and collaboration. As these resources have grown in number and complexity, ensuring consistency, security, and interoperability across repositories has become increasingly important. This is especially relevant for NIH controlled-access data repositories, which often offer controlled- or restricted-access measures to protect human participant data and have increased substantially in number over the last decade. Such repositories have in place both the security and administration to provide access to data only to approved requestors.

To ensure consistency and enhanced protections, NIH recently took several steps to standardize controlled-access data repository operations and strengthen their security practices. On July 25, 2024, NIH released the “Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy” (NOT-OD-24-157) to modernize security standards provided in the “NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy” and establish minimum expectations for access to controlled-access data by developers. On April 2, 2025, NIH published “Implementation Update: Enhancing Security Measures for NIH Controlled-Access Data” (NOT-OD-25-083) to prohibit access to NIH controlled-access and associated data by institutions located in countries of concern.

The requirements set forth in this Notice build upon these initiatives by ensuring that NIH controlled-access data repositories adopt standardized data submission, access, and sharing processes; implement enhanced security controls (including for approved users of controlled-access data); and adhere to applicable statutes, regulations, and NIH policies. Enacting these requirements promotes efficient and secure data sharing to advance the NIH mission while simultaneously mitigating national security risks. 

Scope and Applicability

These requirements apply to the NIH Intramural Research Program and all NIH funding mechanisms (cooperative agreements, intramural funding, contracts, Other Transactions, and grants), regardless of the activity code, that support NIH controlled-access data repositories and access management systems (hereafter NIH CADRs) that meet all the following criteria:

  • Are supported by an NIH cooperative agreement, intramural funding, contract, Other Transaction, or grant;
  • Provide long-term storage for, or provide access to, data for research purposes (hereafter, "data");
  • Control access to data by prospective review of data access requests or partner with access systems that control access via prospective review of requests; and
  • Use federal employees to conduct reviews and authorize access, or partner with access systems that use federal employees for those purposes.

Repositories and access management systems that control access to data, but do not meet the criteria of an NIH CADR as described above, will not be subject to these requirements. Repositories that only facilitate direct sharing between investigator teams, cloud workspaces that only temporarily store data, data coordinating centers, and similar activities that do not manage data sharing beyond specific programs or initiatives, will not be considered an NIH CADR.

NIH will determine which repositories are subject to these requirements and will maintain a public list of NIH CADRs, which can be found here. NIH will periodically update this list as needed. 

Requirements 

To meet the requirements stated in this Guide Notice, NIH CADRs should follow the National Institutes of Health (NIH) Controlled-Access Data Repository Guidebook to Adhere to “Required Security and Operational Standards for NIH Controlled-Access Data Repositories” (NIH CADR Guidebook), which can be found here. The NIH CADR Guidebook provides a detailed explanation of the procedures for meeting the requirements in this Guide Notice and a description of all responsible parties.

NIH CADRs that cannot satisfy these requirements may choose to migrate controlled-access data to another NIH CADR that is compliant with these requirements. NIH staff who believe they are supporting or operating, or will be supporting or operating, a CADR that meets the criteria outlined in Scope and Applicability should contact the Office of Science Policy using the Standard Operating Procedure for Maintaining and Modifying the NIH CADR List provided in the NIH CADR Guidebook.

Effective Date

NIH will employ a phased approach for implementing these requirements. NIH CADRs that meet the criteria described in Scope and Applicability must comply with all security and operational standards by the effective dates listed below.

Effective immediately, NIH CADRs must comply with the following categories of requirements as described in the NIH CADR Guidebook:

  • NIH CADR Registration and Immediate Steps

Effective starting November 1, 2025, NIH CADRs must comply with the following categories of requirements as described in the NIH CADR Guidebook:

  • Documentation of Adherence to Relevant Laws and Policies
  • Standard Data Access Processes

Effective starting February 25, 2026, NIH CADRs must comply with the following categories of requirements as described in the NIH CADR Guidebook:

  • Standard Data Submission Processes
  • Security Standards and Practices
  • Transparency and Utility Standards

Compliance and Enforcement

Compliance with and enforcement of these requirements will be consistent with applicable statutes, regulations, and NIH policies.

Requirements in this Notice do not supersede any local, state, Tribal, or federal laws and regulations.

Inquiries

Please direct all inquiries to:

NIH Office of Science Policy

301-496-9838

[email protected]