SCG is suitable for storing and processing NIH Controlled-Access Data (including dbGaP)
As of March 1, 2025, SCG meets the minimum requirements specified in NIH Security Best Practices for Users of Controlled-Access Data [3]. We are operating under an Interim Authorization to Operate signed by Amy R. Steagall, Chief Information Security Officer at Stanford University.
If you are working with data coming from an NIH Controlled-Access repository (any repository on the list at [4], which includes repositories like dbGaP), you can work with the data on SCG. Specifically, you can use SCG and store your data within SCG Home (~), Lab (/labs/…), and Project (/projects/…) directories.
For more information on this attestation, please look at the list of “Frequently Anticipated Questions” below. If your question is not asked there, reach out to scg-action@lists.stanford.edu. To ensure your email is routed correctly, please include “NIH” somewhere in the subject line.
Background
On July 25, 2024, the NIH announced [7] that the security best practices for NIH Controlled-Access Data (including dbGaP) [3] would require that systems and facilities adhere to a new set of controls created by the National Institute of Standards and Technology (NIST) and published at the website below [6]:
“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”
This set of requirements, colloquially known by its document ID of “NIST 800-171”, is more comprehensive and stringent than those in previous NIH guidelines and includes new requirements for user training, incident management, and audit logging, to name a few.
The link below gives a list of the controlled-access databases which provide data which will need to be managed in accordance with the NIST 800-171 standards. This list includes the dbGaP repository and 19 other repositories:
NIH Security Best Practices for Controlled-Access Data and Repositories
The NIH set January 25, 2025 as the date by which systems storing or processing dbGaP data must comply with the controls described in NIST 800-171. However, in recognition of how difficult the transition to compliant status is, the NIH allows organizations to attest to their facilities as compliant if they document a detailed plan of the steps that will bring their systems into NIST 800-171 compliance. On March 1, 2025, Stanford and SCG completed a document defining that set of steps.
Frequently Anticipated Questions
My projects do not have NIH Controlled-Access Data. Does this affect me?
This page only talks about NIH Controlled-Access Data, which is data coming from one of the repositories listed in [4]. If you only have data that came from other sources, then this page does not apply to you.
That being said, your data source may have other restrictions that are just as strict or even more strict. You should be aware of any restrictions on how you may obtain, store, use, and transmit the data you obtain from outside sources. You can email us at scg-action@lists.stanford.edu to ask us if SCG meets the requirements for the data source you use.
I have a project that’s been going since before January 25, 2025. Does this affect me?
If you use NIH Controlled-Access Data, and you started—or last renewed—your project on or after January 25, 2025, then yes, the NIH Security Best Practices for Users of Controlled-Access Data [3] applies.
If your project started before January 25, 2025, and you have not renewed it, then your project is still governed by the older NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy [5].
In our opinion, the newer NIH Security Best Practices for Users of Controlled-Access Data document is a superset of the requirements stated in the older NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy, and so SCG meets both sets of requirements.
Do I need to store—or work with—my data in a particular way?
The most important thing you can do, when it comes to data storage, is to ensure that data for one project is kept separate from data for every other project.
For example, in your lab directory (/labs/pi_sunetid/…), you can have a directory for each project (projects/ABCD or prj_ABCD, for example). Keep things like scripts, conda environments, etc. in the project’s directory (maybe in /labs/pi_sunetid/prj_ABCD/Scripts, for example).
You can do the same in your home directory (~), such as by making a ~/ABCD directory for scripts related to ABCD. But really, you should be keeping those things in the lab directory, even if you are the only person working on a project.
If you do use things like conda environments or Python virtual environments, make sure to deactivate them before switching to work on another project! Avoid multi-tasking, or working on different projects simultaneously.
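As an added illustration of the "one project at a time" habit described above (example code, not an SCG tool), the shell helper below refuses to change into another project's directory while a conda environment or Python virtualenv from the current project is still active. It assumes the prj_ABCD naming convention and treats conda's auto-activated base environment as "nothing active"; the lab path and project code used in the comments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of SCG's documentation or tooling.
# Helper functions for keeping one NIH Controlled-Access project active at a time.
# Assumed layout: /labs/pi_sunetid/prj_<CODE> (paths here are illustrative only).

# Return 0 when no project-specific environment is active, 1 otherwise.
# A Python virtualenv exports VIRTUAL_ENV; conda exports CONDA_DEFAULT_ENV.
# conda's auto-activated "base" environment belongs to no project, so it is allowed.
no_env_active() {
    if [ -n "${VIRTUAL_ENV:-}" ]; then
        return 1
    fi
    case "${CONDA_DEFAULT_ENV:-}" in
        ""|base) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the per-project directory for a lab directory and a project code,
# following the assumed prj_<CODE> convention (e.g. /labs/pi_sunetid/prj_ABCD).
project_dir() {
    printf '%s/prj_%s\n' "$1" "$2"
}

# Change into a project's directory, but only if nothing from another
# project is still active and the target directory actually exists.
# Exit codes: 1 = environment still active, 2 = missing directory, 3 = cd failed.
switch_project() {
    local lab="$1" code="$2" target
    target=$(project_dir "$lab" "$code")
    if ! no_env_active; then
        echo "refusing to switch to $code: deactivate the current conda/venv environment first" >&2
        return 1
    fi
    if [ ! -d "$target" ]; then
        echo "no such project directory: $target" >&2
        return 2
    fi
    cd "$target" || return 3
}

# Typical use after sourcing this file in an interactive shell:
#   switch_project /labs/pi_sunetid ABCD
```

Source the file rather than executing it, so that `switch_project` changes the directory of your interactive shell; the check is deliberately conservative and will also refuse to switch while a project-specific conda environment is active even if you intended to reuse it.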
Do I need to do anything special on my desktop, laptop, or mobile device?
All of the machines you use to access SCG should appear in the list of devices in MyDevices, and they should either show as “Compliant”, or have a compliance exception. If you use a shared lab machine, check with your PI to ensure the shared lab machine is in MyDevices (under someone else’s name) and is compliant.
If you have a laptop or desktop that is not listed in MyDevices, and you will be using it to access SCG, you will need to download and run SDR on that device. If you have a mobile device (phone, tablet, etc.), and you will be using it to access SCG, install MDM on that device.
(Once you have completed SDR enrollment or MDM installation, you should consider installing Cardinal Key. It makes web site logins much faster!)
If you are affiliated with the School of Medicine, in addition to everything above, you also need to have an up-to-date AMIE Attestation.
I use Carina or Nero GCP for NIH Controlled-Access Data. Can I continue using either of them?
Both Carina and Nero GCP also have Interim Authorizations to Operate for NIH Controlled-Access Data, so you can continue using them. In addition, Carina and Nero GCP meet the stricter standards required for HIPAA compliance for storage of PHI.
Moving data in or out of Carina and Nero GCP is not an easy task, so we suggest sticking to one platform, if possible.
I use FarmShare, Marlowe, or Sherlock for NIH Controlled-Access Data. Can I continue using any of them?
Neither FarmShare nor Sherlock is currently planning to meet the NIST SP 800-171 standard, so they are not appropriate locations for NIH Controlled-Access Data. Marlowe is also not planning to meet NIST SP 800-171, although we are performing a Gap Analysis. As such, FarmShare, Marlowe, and Sherlock are not appropriate places to work with NIH Controlled-Access Data.
If you are using these machines to store and process NIH Controlled-Access Data, you should plan on moving the data out of those platforms expeditiously.
I use Native Oak for NIH Controlled-Access Data. Can I continue using Native Oak?
First, a clarification: “SCG Oak” refers to directories under /labs and /projects, which ultimately live in /oak/stanford/scg, and which you can rent in 1 TiB increments. “Native Oak” refers to other paths under /oak/stanford, which is rented in 10 TiB increments.
Our Interim Authorization to Operate only covers SCG Oak. If you are storing NIH Controlled-Access Data in Native Oak, you should move it to SCG Oak.
I store or process NIH Controlled-Access Data in the Cloud. Can I continue using the Cloud?
That is a complicated question. Rather than just give a simple “Talk to your local IT” answer, here are a few of the things you’ll need to think about, when working with NIH Controlled Access Data in the Cloud.
First, make sure your cloud access is obtained through Stanford. This can be through GBSC Managed Cloud, or Cardinal Cloud. Basically, if your cloud charges are billed directly to a PTA, and not through a credit card, you probably meet this requirement.
Next, make sure you are only using services which the cloud provider can cover under NIST SP 800-171. Both Google Cloud and AWS are able to meet NIST SP 800-171 for at least some of their services.
Those are just two of the basic requirements you will have to meet. They do not include the work involved in assessing where you stand relative to NIST SP 800-171 and what you would need to do to get there. Reaching and maintaining NIST SP 800-171 compliance is a huge task to face alone if you don’t have the resources to assess, implement, and maintain it.
If this is a task you want to take on, you need to be talking to an appropriate IT organization to get guidance on how to proceed. Your Department’s or School’s IT organization is a good place to start!
Some of the data are stored or processed on lab-member machines or on shared lab machines. Does this apply to those machines?
SCG’s Interim Authorization to Operate does not cover storing or processing NIH Controlled-Access Data on local machines.
If you are storing or processing NIH Controlled-Access Data on your own machines, you need to attest that those machines meet the requirements set by the NIH [3]. Your first point of contact should be the IT organization that helps support your local machines.
Since you have an Interim Authorization to Operate, does that mean you are not fully compliant with NIST SP 800-171?
We have conducted a gap analysis against NIST SP 800-171 Rev. 3, and created a Plan of Actions & Milestones (POAM). Those documents have been reviewed by Amy R. Steagall, Chief Information Security Officer, who has issued an Interim Authorization to Operate for SCG.
The NIH has said that “an institution with a POAM in place can still attest to protecting NIH-controlled access data while working toward full compliance.” See [1], page 2, “If an institution is not fully compliant but has a POAM in place, is that sufficient as of January 25, 2025?”.
At this time, the requirements [3] do not require that our self-attestation be reviewed by a third party. However, we are considering a third-party audit in the future, especially as we reach various milestones in our POAM.
NIST SP 800-171 is meant to apply to CUI (Controlled Unclassified Information). Does that mean SCG is appropriate for storing CUI?
No. The NIH chose to use NIST SP 800-171 because it “aligns with widely used security controls across government agencies, including HIPAA and NIST 800-53”, not necessarily because genomic data is CUI. See [1], page 1, “Why was NIST 800-171 chosen as the standard?”.
As such, we are not saying that SCG is an appropriate platform for working with CUI in general; it is only approved for NIH Controlled-Access Data.
References
[1] Extracted Questions and Answers from NIH Security Best Practices for Users of Genomic Controlled Access Data. IBI Center for Applied AI, University of Kentucky, 1 Feb. 2025, https://caai.ai.uky.edu/wp-content/uploads/2025/02/QA-from-NIH-Security-Best-Practices-for-Users-of-Genomic-Controlled-Access-Data.pdf.
[2] “NIH Security Best Practices for Users of Genomic Controlled Access Data Day 1.” National Institutes of Health, U.S. Department of Health and Human Services, 8 Jan. 2025, https://videocast.nih.gov/watch=56520.
[3] “NIH Security Best Practices for Users of Controlled-Access Data.” National Institutes of Health, U.S. Department of Health and Human Services, 25 July 2024, https://sharing.nih.gov/sites/default/files/flmngr/NIH-Security-BPs-for-Users-of-Controlled-Access-Data.pdf.
[4] “NIH Security Best Practices for Controlled-Access Data and Repositories.” National Institutes of Health, U.S. Department of Health and Human Services, https://sharing.nih.gov/accessing-data/NIH-security-best-practices.
[5] “NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy.” National Institutes of Health, U.S. Department of Health and Human Services, 29 Nov. 2021, https://sharing.nih.gov/sites/default/files/flmngr/NIH_Best_Practices_for_Controlled-Access_Data_Subject_to_the_NIH_GDS_Policy.pdf.
[6] “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” National Institute of Standards and Technology, U.S. Department of Commerce, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/800-171r3/NIST.SP.800-171r3.html.
[7] NOT-OD-24-157. “Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy.” National Institutes of Health, U.S. Department of Health and Human Services, 25 July 2024, https://grants.nih.gov/grants/guide/notice-files/NOT-OD-24-157.html.