1 00:00:06,647 --> 00:00:10,851 >> HELLO AND WELCOME TO TODAY'S 2 00:00:10,851 --> 00:00:12,252 OVERVIEW OF THE NIH SECURITY 3 00:00:12,252 --> 00:00:19,593 VIEW BEST PRACTICES OF THE 4 00:00:19,593 --> 00:00:22,830 SECURITY UPDATES IN THE GUIDE 5 00:00:22,830 --> 00:00:25,666 NOTICE NOT 154127. 6 00:00:25,666 --> 00:00:28,602 WE'LL PUT THAT IN THE CHAT. 7 00:00:28,602 --> 00:00:31,972 I'M FROM THE OFFICE OF DATA 8 00:00:31,972 --> 00:00:35,008 SCIENCE STRATEGY AND INTRODUCING 9 00:00:35,008 --> 00:00:36,043 CHERYL JACOBS AND MS. MAUREEN 10 00:00:36,043 --> 00:00:41,715 FALVELLA. 11 00:00:41,715 --> 00:00:43,684 DR. JACOBS IS THE ASSISTANT 12 00:00:43,684 --> 00:00:44,785 DIRECTOR FROM THE OFFICE OF 13 00:00:44,785 --> 00:00:46,119 SCIENCE POLICY. 14 00:00:46,119 --> 00:00:48,922 SHE HAS OVER 10 YEARS EXPERIENCE 15 00:00:48,922 --> 00:00:49,456 WORKING ON AND LEADING 16 00:00:49,456 --> 00:00:55,896 EVIDENCE-BASED POLICIES TO 17 00:00:55,896 --> 00:01:00,934 SUPPORT GENOMIC DATA AND 18 00:01:00,934 --> 00:01:03,370 FACILITATES ACCESS TO GENOMIC 19 00:01:03,370 --> 00:01:04,171 AND SCIENTIFIC DATA. 20 00:01:04,171 --> 00:01:08,275 MS. FALVELLA IS THE CHIEF 21 00:01:08,275 --> 00:01:09,243 INFORMATION SECURITY OFFICE. 
22 00:01:09,243 --> 00:01:12,279 SHE HAS 15 YEARS OF EXPERIENCE 23 00:01:12,279 --> 00:01:14,214 DEVELOPING STRATEGIES, DIRECTING 24 00:01:14,214 --> 00:01:16,650 OPERATIONS AND OVERSEEING CYBER 25 00:01:16,650 --> 00:01:18,118 SECURITY PROGRAMS TO PROTECT 26 00:01:18,118 --> 00:01:20,354 ASSETS AT THE NATIONAL 27 00:01:20,354 --> 00:01:21,922 INSTITUTES OF HEALTH INCLUDING 28 00:01:21,922 --> 00:01:24,625 SECURING NIH TO ENHANCE RECOVERY 29 00:01:24,625 --> 00:01:27,594 KNOWN AS RECOVER, COVID 30 00:01:27,594 --> 00:01:33,333 INITIATIVE AND NHLBI'S THE 31 00:01:33,333 --> 00:01:33,967 NATIONAL HEART, LUNG AND BLOOD 32 00:01:33,967 --> 00:01:34,868 INSTITUTE BIO DATA CATALYST 33 00:01:34,868 --> 00:01:36,303 PROGRAM AND BRINGS BUSINESS 34 00:01:36,303 --> 00:01:37,838 EXPERIENCE AND ADVANCED 35 00:01:37,838 --> 00:01:39,439 EXPERTISE AND STRONG 36 00:01:39,439 --> 00:01:40,941 UNDERSTANDING OF NIH'S 37 00:01:40,941 --> 00:01:41,441 SCIENTIFIC MISSION. 38 00:01:41,441 --> 00:01:43,977 BOTH JOIN US TODAY TO DISCUSS THE 39 00:01:43,977 --> 00:01:46,079 UPDATES TO DATA MANAGEMENT AND 40 00:01:46,079 --> 00:01:47,247 SECURITY STANDARDS THAT WILL 41 00:01:47,247 --> 00:01:50,851 TAKE EFFECT ON JANUARY 25, 2025. 42 00:01:50,851 --> 00:01:52,986 TODAY'S IS BEING BROADCAST ON 43 00:01:52,986 --> 00:01:56,757 THE NIH VIDEOCAST AND RECORDED 44 00:01:56,757 --> 00:01:57,925 FOR FUTURE VIEWING. 45 00:01:57,925 --> 00:01:59,459 I HAVE A FEW HOUSEKEEPING ITEMS 46 00:01:59,459 --> 00:02:00,761 BEFORE WE GET STARTED. 47 00:02:00,761 --> 00:02:03,130 AS NOTED TODAY'S PRESENTATION IS 48 00:02:03,130 --> 00:02:05,265 BEING BROADCAST ON NIH 49 00:02:05,265 --> 00:02:05,532 VIDEOCAST. 50 00:02:05,532 --> 00:02:07,935 THAT LINK WILL BE INSERTED IN 51 00:02:07,935 --> 00:02:10,671 THE CHAT IN CASE THERE WILL BE 52 00:02:10,671 --> 00:02:11,972 ISSUES WITH CONNECTIVITY AS THIS 53 00:02:11,972 --> 00:02:14,074 IS A WIDELY ATTENDED EVENT. 
54 00:02:14,074 --> 00:02:16,577 THE RECORDING WILL ALSO BE 55 00:02:16,577 --> 00:02:19,446 AVAILABLE ON THE NIH SHARING 56 00:02:19,446 --> 00:02:21,648 WEBSITE AND WE'LL ALSO HAVE THAT 57 00:02:21,648 --> 00:02:22,716 LINK PUT IN THE CHAT. 58 00:02:22,716 --> 00:02:23,817 SLIDES FOR TODAY'S PRESENTATION 59 00:02:23,817 --> 00:02:26,320 ARE AVAILABLE ON THE WEBSITE. 60 00:02:26,320 --> 00:02:27,988 PLEASE ENTER YOUR QUESTIONS IN 61 00:02:27,988 --> 00:02:28,589 THE Q&A. 62 00:02:28,589 --> 00:02:31,058 THOSE PARTICIPATING VIA ZOOM 63 00:02:31,058 --> 00:02:36,229 WILL BE ABLE TO UPLOAD QUESTIONS 64 00:02:36,229 --> 00:02:40,968 FOR THE Q&A FOR PRESENTERS TO 65 00:02:40,968 --> 00:02:42,669 ADDRESS AND ANY ADDITIONAL 66 00:02:42,669 --> 00:02:43,403 QUESTIONS FOR THOSE JOINING 67 00:02:43,403 --> 00:02:44,705 THROUGH VIDEOCAST OR QUESTIONS 68 00:02:44,705 --> 00:02:47,107 THAT ARE NOT ABLE TO BE ENTERED 69 00:02:47,107 --> 00:02:54,781 IN THE Q&A CAN BE SENT TO 70 00:02:54,781 --> 00:02:59,953 GDS@MAIL AT NIH.gov. 71 00:02:59,953 --> 00:03:00,887 TODAY'S PRESENTATION WILL BE 72 00:03:00,887 --> 00:03:02,055 DIVIDED INTO THREE SECTIONS WITH 73 00:03:02,055 --> 00:03:04,191 A GENERAL OVERVIEW OF THE NIH 74 00:03:04,191 --> 00:03:07,494 GUIDE NOTICE FOCUSSING ON THE 75 00:03:07,494 --> 00:03:09,663 NIH BEST PRACTICE FOR USERS OF 76 00:03:09,663 --> 00:03:11,698 CONTROLLED ACCESS DATA FOLLOWED 77 00:03:11,698 --> 00:03:14,001 BY IN DEPTH OVERVIEW OF THE 78 00:03:14,001 --> 00:03:15,736 SECURITY CONTROLS INSTITUTIONS 79 00:03:15,736 --> 00:03:17,437 AND APPROVED USERS ARE EXPECTED 80 00:03:17,437 --> 00:03:20,574 TO ADHERE TO BEGINNING JANUARY 81 00:03:20,574 --> 00:03:21,675 25, 2025. 82 00:03:21,675 --> 00:03:22,709 FOLLOWED BY TIME FOR QUESTIONS 83 00:03:22,709 --> 00:03:23,644 AND ANSWERS. 84 00:03:23,644 --> 00:03:26,013 NOW I'M GOING TO HAND OVER THE 85 00:03:26,013 --> 00:03:28,682 PRESENTATION TO DR. JACOBS AND 86 00:03:28,682 --> 00:03:29,049 MS. 
FALVELLA. 87 00:03:29,049 --> 00:03:34,354 DR. JACOBS, OVER TO YOU. 88 00:03:34,354 --> 00:03:37,624 >> HI, GOOD MORNING AND WELCOME 89 00:03:37,624 --> 00:03:39,326 TO TODAY'S PRESENTATION. 90 00:03:39,326 --> 00:03:42,696 I'M GOING TO PROVIDE HERE A 91 00:03:42,696 --> 00:03:44,931 BRIEF DESCRIPTION OF THE NIH 92 00:03:44,931 --> 00:03:47,300 GENOMIC DATA POLICY TO DESCRIBE 93 00:03:47,300 --> 00:03:48,669 THE EXPECTATIONS OF THE POLICY 94 00:03:48,669 --> 00:03:51,071 BY WHICH THE UPDATES WE'RE 95 00:03:51,071 --> 00:03:51,638 DISCUSSING TODAY WILL TAKE 96 00:03:51,638 --> 00:03:54,541 EFFECT. 97 00:03:54,541 --> 00:03:57,744 SO THE GDS POLICY HAS BEEN 98 00:03:57,744 --> 00:04:00,380 EFFECTIVE SINCE JANUARY 20, 2015 99 00:04:00,380 --> 00:04:03,316 AND ENSURES THE BROAD AND 100 00:04:03,316 --> 00:04:05,419 RESPONSIBLE SHARING OF NON-HUMAN 101 00:04:05,419 --> 00:04:07,921 AND HUMAN LARGE SCALE AND 102 00:04:07,921 --> 00:04:10,223 GENOMIC DATA. 103 00:04:10,223 --> 00:04:14,828 IN PART FOR HUMAN GENOMIC DATA 104 00:04:14,828 --> 00:04:19,299 EXPECTED CONSENT FOR RESEARCH 105 00:04:19,299 --> 00:04:21,501 USE AND THERE'S OTHER BROAD AND 106 00:04:21,501 --> 00:04:23,003 RESPONSIBLE SHARING WE'LL TOUCH 107 00:04:23,003 --> 00:04:25,105 ON LATER IN THE TALK. 108 00:04:25,105 --> 00:04:26,973 AS WELL AS THE GDS POLICY SCOPE 109 00:04:26,973 --> 00:04:30,110 TO APPLY TO THE GENERATION OF 110 00:04:30,110 --> 00:04:33,413 LARGE SCALE HUMAN AND NON-HUMAN 111 00:04:33,413 --> 00:04:35,449 DATA AS WELL AS THE USE OF THE 112 00:04:35,449 --> 00:04:38,051 DATA FOR SECONDARY RESEARCH USE 113 00:04:38,051 --> 00:04:38,618 IRRESPECTIVE OF THE FUNDING 114 00:04:38,618 --> 00:04:44,558 MECHANISM. 
115 00:04:44,558 --> 00:04:50,030 SO ENSURING LARGE SCALE HUMAN 116 00:04:50,030 --> 00:04:57,471 GENOMIC DATA POLICY AND THE 117 00:04:57,471 --> 00:05:00,073 POLICY EXPECTS THAT 118 00:05:00,073 --> 00:05:01,308 INVESTIGATORS CONSIDER THEIR 119 00:05:01,308 --> 00:05:02,943 APPROPRIATENESS OF SHARING THE 120 00:05:02,943 --> 00:05:04,878 DATA AND IF THEY'RE SHARING THE 121 00:05:04,878 --> 00:05:08,715 DATA SHARE THE DATA ACCORDING TO 122 00:05:08,715 --> 00:05:09,416 PARTICIPANT CONSENT. 123 00:05:09,416 --> 00:05:14,354 BEFORE THE DATA'S SUBMITTED TO 124 00:05:14,354 --> 00:05:19,326 NIH, THAT AN IRB PRIVACY BODY OR 125 00:05:19,326 --> 00:05:23,196 EQUIVALENT BODY HAS REVIEWED THE 126 00:05:23,196 --> 00:05:28,635 CONSENT AND HAVE DETERMINED THE 127 00:05:28,635 --> 00:05:29,936 LIMITATIONS ON SHARING. 128 00:05:29,936 --> 00:05:33,440 AND ULTIMATELY THAT THE DATA IS 129 00:05:33,440 --> 00:05:35,008 SUBMITTED TO NIH. 130 00:05:35,008 --> 00:05:36,610 WHEN INVESTIGATORS REQUEST 131 00:05:36,610 --> 00:05:42,315 ACCESS TO THESE DATA FROM AN NIH 132 00:05:42,315 --> 00:05:43,917 CONTROLLED ACCESS AND 133 00:05:43,917 --> 00:05:45,152 REPOSITORY, USERS AGREE TO THE 134 00:05:45,152 --> 00:05:46,987 TERMS OF ACCESS THAT INCLUDE 135 00:05:46,987 --> 00:05:49,923 SECURING THE DATA ACCORDING TO 136 00:05:49,923 --> 00:05:52,259 SECURITY STANDARDS AND THIS 137 00:05:52,259 --> 00:05:53,760 EXPECTATION IS WHETHER THE 138 00:05:53,760 --> 00:05:54,895 APPROVED USER IS FUNDED BY NIH 139 00:05:54,895 --> 00:06:05,038 OR NOT. 140 00:06:05,539 --> 00:06:08,408 SO, TODAY WE'LL BE DISCUSSING 141 00:06:08,408 --> 00:06:14,815 THE UPDATE TO THE GDS POLICY ON 142 00:06:14,815 --> 00:06:19,419 THAT CONTINUES TO PROMOTE IT 143 00:06:19,419 --> 00:06:21,054 ACCESS TO THE DATA AND THIS 144 00:06:21,054 --> 00:06:23,490 UPDATE HAS THREE PARTS TO IT. 
145 00:06:23,490 --> 00:06:27,828 THE FIRST PART APPLIES TO NIH 146 00:06:27,828 --> 00:06:31,298 CONTROLLED ACCESS REPOSITORIES 147 00:06:31,298 --> 00:06:32,933 THAT MEET THE CURRENT CRITERIA 148 00:06:32,933 --> 00:06:33,266 BELOW. 149 00:06:33,266 --> 00:06:35,268 THAT THEY'RE SUPPORTED BY AN 150 00:06:35,268 --> 00:06:39,139 NIH AWARD OF SOME KIND OR SOME 151 00:06:39,139 --> 00:06:42,042 SORT OF NIH SUPPORT THAT THE 152 00:06:42,042 --> 00:06:43,376 REPOSITORY STORE OR PROVIDE 153 00:06:43,376 --> 00:06:45,812 ACCESS TO HUMAN GENOMIC DATA 154 00:06:45,812 --> 00:06:48,715 GENERATED UNDER THE GDS POLICY. 155 00:06:48,715 --> 00:06:53,253 THAT THERE IS CONTROLLED ACCESS 156 00:06:53,253 --> 00:06:56,389 TO THESE DATA THAT PERSPECTIVELY 157 00:06:56,389 --> 00:06:58,758 REVIEW SO PERHAPS SOME SORT OF 158 00:06:58,758 --> 00:07:05,932 FIRE WALL BETWEEN ACCESS AND THE 159 00:07:05,932 --> 00:07:09,269 ACTUAL DATA AND THE USE OF 160 00:07:09,269 --> 00:07:11,204 FEDERAL EMPLOYEES ARE PROVIDED 161 00:07:11,204 --> 00:07:12,405 TO CONDUCT REVIEWS. 162 00:07:12,405 --> 00:07:15,475 YOU CAN LOOK AT THIS AS FOR 163 00:07:15,475 --> 00:07:18,111 EXAMPLE A DATA ACCESS COMMITTEE. 164 00:07:18,111 --> 00:07:21,448 AND SO REPOSITORIES THAT MEET 165 00:07:21,448 --> 00:07:23,016 THESE CRITERIA WILL BE KNOWN AS 166 00:07:23,016 --> 00:07:24,517 OUR NIH CONTROLLED ACCESS 167 00:07:24,517 --> 00:07:28,321 REPOSITORIES. 168 00:07:28,321 --> 00:07:32,826 THE SECOND UPDATE APPLIES TO 169 00:07:32,826 --> 00:07:35,929 DEVELOPERS THAT WORK IN THESE 170 00:07:35,929 --> 00:07:37,898 REPOSITORIES AS STATED ABOVE AND 171 00:07:37,898 --> 00:07:40,300 THE THIRD UPDATE, WHICH YOU'RE 172 00:07:40,300 --> 00:07:42,769 ALL HERE FOR, UPDATES SECURITY 173 00:07:42,769 --> 00:07:52,545 EXPECTATIONS FOR APPROVED USERS. 
174 00:07:52,545 --> 00:07:54,781 SO, FOR THE FIRST UPDATE THE 175 00:07:54,781 --> 00:07:56,249 REPOSITORIES THAT MEET THE 176 00:07:56,249 --> 00:07:57,918 CRITERIA, NIH HAS IDENTIFIED 20 177 00:07:57,918 --> 00:08:00,720 OF THESE REPOSITORIES THAT ARE 178 00:08:00,720 --> 00:08:01,488 IN SCOPE. 179 00:08:01,488 --> 00:08:04,925 THERE'S A CURRENT LIST OF THESE 180 00:08:04,925 --> 00:08:06,192 REPOSITORIES ON THE NIH 181 00:08:06,192 --> 00:08:08,528 SCIENTIFIC DATA SHARING WEBSITE 182 00:08:08,528 --> 00:08:11,464 AND THAT CAN BE ACCESSED HERE. 183 00:08:11,464 --> 00:08:13,900 AND WE WANT TO EMPHASIZE THAT IF 184 00:08:13,900 --> 00:08:15,969 YOUR REPOSITORY IS NOT CURRENTLY 185 00:08:15,969 --> 00:08:19,839 LISTED, THIS UPDATE IS NOT 186 00:08:19,839 --> 00:08:23,543 APPLICABLE TO YOU AND YOUR 187 00:08:23,543 --> 00:08:25,078 REPOSITORY'S NOT CONSIDERED AN 188 00:08:25,078 --> 00:08:29,049 NIH CONTROLLED ACCESS REPOSITORY 189 00:08:29,049 --> 00:08:29,616 WHEREBY THESE PARTICULAR 190 00:08:29,616 --> 00:08:31,084 SECURITY EXPECTATIONS WILL BE 191 00:08:31,084 --> 00:08:38,425 EXPECTED JANUARY 25, 2025. 192 00:08:38,425 --> 00:08:40,260 THERE'S BEEN QUESTIONS WE 193 00:08:40,260 --> 00:08:42,295 RECEIVED WHETHER THE UPDATE 194 00:08:42,295 --> 00:08:43,630 APPLIES TO AN INSTITUTION THAT'S 195 00:08:43,630 --> 00:08:46,800 BEEN FUNDED TO GENERATE LARGE 196 00:08:46,800 --> 00:08:50,937 SCALE HUMAN GENOMIC DATA AND 197 00:08:50,937 --> 00:08:52,339 STORED ON LOCAL SERVERS. 198 00:08:52,339 --> 00:08:54,441 WE WANT TO REMIND YOU THIS IS 199 00:08:54,441 --> 00:08:56,843 NOT IN SCOPE OF THIS PARTICULAR 200 00:08:56,843 --> 00:08:59,279 SECURITY UPDATE ONLY THOSE 201 00:08:59,279 --> 00:09:00,580 REPOSITORIES CURRENTLY LISTED 202 00:09:00,580 --> 00:09:02,716 ARE IN SCOPE OF THIS 203 00:09:02,716 --> 00:09:09,389 UPDATE. 
204 00:09:09,389 --> 00:09:13,093 SO THE SECOND UPDATE DEALS WITH 205 00:09:13,093 --> 00:09:14,027 MINIMUM EXPECTATIONS AND 206 00:09:14,027 --> 00:09:17,764 OVERSIGHT FOR DEVELOPERS. 207 00:09:17,764 --> 00:09:23,103 SO THIS PATHWAY IS SPECIFIC FOR 208 00:09:23,103 --> 00:09:24,371 NIH OR FEDERALLY FUNDED 209 00:09:24,371 --> 00:09:25,605 DEVELOPERS AND CENTRAL TO THE 210 00:09:25,605 --> 00:09:27,841 MISSION IF THE DEVELOPERS ARE 211 00:09:27,841 --> 00:09:34,180 FUNDED TO ESTABLISH, SUPPORT OR 212 00:09:34,180 --> 00:09:35,782 MAINTAIN NIH CONTROLLED 213 00:09:35,782 --> 00:09:36,549 REPOSITORY THOSE MENTIONED ON 214 00:09:36,549 --> 00:09:37,250 THE WEBSITE I MENTIONED 215 00:09:37,250 --> 00:09:40,153 PREVIOUSLY. 216 00:09:40,153 --> 00:09:44,624 AND BEGINNING JANUARY 25, 2025, 217 00:09:44,624 --> 00:09:46,593 NIH NOTICE OF FUNDING 218 00:09:46,593 --> 00:09:49,295 OPPORTUNITIES, CONTRACTS OR 219 00:09:49,295 --> 00:09:51,031 OTHER TRANSACTIONS WILL INDICATE 220 00:09:51,031 --> 00:09:52,165 THE APPLICABILITY OF THIS 221 00:09:52,165 --> 00:10:01,441 PARTICULAR UPDATE. 222 00:10:01,441 --> 00:10:03,910 SO FINALLY WE GET TO THE THIRD 223 00:10:03,910 --> 00:10:04,944 UPDATE OF PARTICULAR INTEREST TO 224 00:10:04,944 --> 00:10:05,612 THIS COMMUNITY. 225 00:10:05,612 --> 00:10:07,981 THE UPDATE TO SECURITY STANDARDS 226 00:10:07,981 --> 00:10:11,751 FOR APPROVED USERS. 227 00:10:11,751 --> 00:10:13,153 SO, TO BREAK THIS DOWN WE WANT 228 00:10:13,153 --> 00:10:16,156 TO START WITH THE DEFINITION 229 00:10:16,156 --> 00:10:18,725 FIRST OF WHO IS AN APPROVED 230 00:10:18,725 --> 00:10:20,727 USER. 231 00:10:20,727 --> 00:10:23,163 APPROVED USERS ARE PRINCIPAL 232 00:10:23,163 --> 00:10:24,597 INVESTIGATORS WHO HAVE APPROVED 233 00:10:24,597 --> 00:10:27,067 ACCESS DATA FROM ONE OF THE 20 234 00:10:27,067 --> 00:10:28,334 CONTROLLED ACCESS DATA 235 00:10:28,334 --> 00:10:29,436 REPOSITORIES INDICATED ON THE 236 00:10:29,436 --> 00:10:32,272 PREVIOUS SLIDE. 
237 00:10:32,272 --> 00:10:34,274 AS TYPICAL THEY AGREE TO TERMS 238 00:10:34,274 --> 00:10:37,911 OF ACCESS THAT ARE IN THE DATA 239 00:10:37,911 --> 00:10:39,345 USE CERTIFICATION AGREEMENT OR 240 00:10:39,345 --> 00:10:41,748 DATA USE AGREEMENT AND WHEN 241 00:10:41,748 --> 00:10:44,150 AGREEING TO THESE TERMS THERE'S 242 00:10:44,150 --> 00:10:46,052 ALSO AGREEMENT TO SECURE THE 243 00:10:46,052 --> 00:10:49,355 DATA ACCORDING TO PARTICULAR 244 00:10:49,355 --> 00:10:51,791 STANDARDS AND EXISTING DOCUMENT 245 00:10:51,791 --> 00:10:53,793 DESCRIBED THE SECURITY STANDARDS 246 00:10:53,793 --> 00:10:55,195 IN THE NIH SECURITY BEST 247 00:10:55,195 --> 00:10:58,832 PRACTICES FOR CONTROLLED ACCESS 248 00:10:58,832 --> 00:10:59,799 DATA SUBJECT TO THE NIH GENOMIC 249 00:10:59,799 --> 00:11:04,037 SHARING POLICY. 250 00:11:04,037 --> 00:11:05,772 DUE TO THE NOTICE UPDATE, THIS 251 00:11:05,772 --> 00:11:09,075 DOCUMENT IS GETTING UPDATED WITH 252 00:11:09,075 --> 00:11:11,411 UPDATED SECURITY STANDARDS THAT 253 00:11:11,411 --> 00:11:16,349 WILL APPLY ON OR AFTER JANUARY 254 00:11:16,349 --> 00:11:19,152 25, 2025. 255 00:11:19,152 --> 00:11:22,021 AND THIS UPDATED SECURITY 256 00:11:22,021 --> 00:11:25,058 STANDARD WILL BE DESCRIBED IN 257 00:11:25,058 --> 00:11:25,792 THE NIH SECURITY BEST PRACTICES 258 00:11:25,792 --> 00:11:30,196 FOR USERS OF CONTROLLED ACCESS 259 00:11:30,196 --> 00:11:30,396 DATA. 260 00:11:30,396 --> 00:11:32,432 THESE TAKE EFFECT FOR USERS WHO 261 00:11:32,432 --> 00:11:36,703 SUBMIT A NEW REQUEST OR RENEWING 262 00:11:36,703 --> 00:11:39,105 AN EXISTING REQUEST ON OR AFTER 263 00:11:39,105 --> 00:11:40,874 JANUARY 25, 2025. 264 00:11:40,874 --> 00:11:44,677 AND SO THOSE WITH EXISTING 265 00:11:44,677 --> 00:11:46,379 REQUESTS DO NOT HAVE TO WITH A 266 00:11:46,379 --> 00:11:50,416 SWITCH TO UPDATE TO THE UPDATED 267 00:11:50,416 --> 00:11:53,520 STANDARDS ON JANUARY 25, 2025. 
268 00:11:53,520 --> 00:11:55,722 AND IT'S ONLY AFTER THAT DATE IF 269 00:11:55,722 --> 00:11:58,424 THE PROJECT IS RENEWED THE 270 00:11:58,424 --> 00:11:59,926 UPDATED SECURITY STANDARDS WILL 271 00:11:59,926 --> 00:12:05,331 BE EXPECTED TO BE ADHERED TO. 272 00:12:05,331 --> 00:12:08,735 SO WHAT IS NIH EXPECTING IN THIS 273 00:12:08,735 --> 00:12:09,402 UPDATE? 274 00:12:09,402 --> 00:12:11,004 NIH EXPECTS THAT APPROVED USERS 275 00:12:11,004 --> 00:12:16,042 WILL SECURE THE DATA ACCORDING 276 00:12:16,042 --> 00:12:26,486 TO STANDARD 800-171 AND IF ON A 277 00:12:26,486 --> 00:12:29,556 THIRD PARTY CLOUD TO ATTEST THE 278 00:12:29,556 --> 00:12:31,224 THIRD PARTY OR CLOUD SERVICE 279 00:12:31,224 --> 00:12:34,294 PROVIDER IS SECURING THE DATA 280 00:12:34,294 --> 00:12:40,200 ACCORDING TO NIST 800-171 AND 281 00:12:40,200 --> 00:12:42,835 SECURE THE DATA TO THE NIST 282 00:12:42,835 --> 00:12:50,343 STANDARD EQUIVALENT ISO/IEC 283 00:12:50,343 --> 00:12:52,979 27001 OR 27002 STANDARD. 284 00:12:52,979 --> 00:12:54,948 WHEN YOU TALK ABOUT ATTESTATION 285 00:12:54,948 --> 00:12:57,884 THEY MAY VARY BUT IT'S BASED ON 286 00:12:57,884 --> 00:13:03,056 A SELF-ASSESSMENT UNDERTAKEN BY 287 00:13:03,056 --> 00:13:04,557 THE PRINCIPAL INVESTIGATOR AND 288 00:13:04,557 --> 00:13:07,293 THE INSTITUTION THE SYSTEM 289 00:13:07,293 --> 00:13:12,165 HOLDING THE GENOMIC DATA MEETS 290 00:13:12,165 --> 00:13:13,833 NIST SECURITY CONTROLS. 291 00:13:13,833 --> 00:13:18,571 SO I WILL PASS IT ON TO MY 292 00:13:18,571 --> 00:13:21,107 COLLEAGUE MS. FALVELLA TO DIVE 293 00:13:21,107 --> 00:13:22,375 DEEPER INTO EXPECTATIONS FOR 294 00:13:22,375 --> 00:13:22,875 MEETING THESE SECURITY 295 00:13:22,875 --> 00:13:33,052 STANDARDS. 296 00:13:36,389 --> 00:13:37,390 >> GOOD MORNING. 
297 00:13:37,390 --> 00:13:40,560 WE'LL START OFF TALKING ABOUT 298 00:13:40,560 --> 00:13:41,794 WHY NIH MADE THE CHANGES AND 299 00:13:41,794 --> 00:13:44,197 WHAT YOU AS A RESEARCHER NEED 300 00:13:44,197 --> 00:13:46,733 TO KNOW ABOUT THE SECURITY BEST 301 00:13:46,733 --> 00:13:48,468 PRACTICES BEFORE WE SHIFT AND 302 00:13:48,468 --> 00:13:51,437 DEEP DIVE INTO WHAT YOU AS AN 303 00:13:51,437 --> 00:13:54,040 I.T. ADMINISTRATOR MAY NEED TO 304 00:13:54,040 --> 00:13:57,510 KNOW AND HAVE KEY TAKEAWAYS AND 305 00:13:57,510 --> 00:13:59,045 PROVIDE RESOURCES BEFORE WE OPEN 306 00:13:59,045 --> 00:14:01,948 UP TO QUESTIONS. 307 00:14:01,948 --> 00:14:07,720 LET'S DIVE IN THE GLOBAL THREAT 308 00:14:07,720 --> 00:14:07,987 LANDSCAPE. 309 00:14:07,987 --> 00:14:10,189 THERE'S WILL THREATS NATION 310 00:14:10,189 --> 00:14:12,191 STATE ACTORS TO DEMONSTRATE 311 00:14:12,191 --> 00:14:14,360 THEIR CYBER CAPABILITIES AS A 312 00:14:14,360 --> 00:14:17,297 DEFENSE DETERRENT OR SEEKING 313 00:14:17,297 --> 00:14:19,532 ACCESS TO INFORMATION TO GAIN A 314 00:14:19,532 --> 00:14:22,035 COMPETITIVE EDGE AND WE HAVE 315 00:14:22,035 --> 00:14:24,404 CRIMINAL ORGANIZATIONS TO 316 00:14:24,404 --> 00:14:26,873 CONSIDER AND THEY'RE SEEKING IT 317 00:14:26,873 --> 00:14:29,442 FINANCIAL GAIN AND BOTH LEVERAGE 318 00:14:29,442 --> 00:14:31,444 ADVERSARIAL TECHNOLOGIES AND 319 00:14:31,444 --> 00:14:35,014 THIS IS A GROWING CONCERN AS 320 00:14:35,014 --> 00:14:37,617 A.I. TOOL AND THE CAPABILITIES 321 00:14:37,617 --> 00:14:42,588 OF A.I. TOOL BECOME MORE 322 00:14:42,588 --> 00:14:45,325 ACCESSIBLE AS WELL AS SUPER 323 00:14:45,325 --> 00:14:47,293 COMPUTING POWER BECOME GROWING 324 00:14:47,293 --> 00:14:47,560 CONCERNS. 
325 00:14:47,560 --> 00:14:53,266 SO ALL THESE THREAT SOURCES HAVE 326 00:14:53,266 --> 00:14:56,102 CREATED PROBLEMS AND WE RELY ON 327 00:14:56,102 --> 00:14:57,637 COLLABORATION AND INFORMATION 328 00:14:57,637 --> 00:14:59,372 SHARING TO DRIVE INNOVATION AND 329 00:14:59,372 --> 00:14:59,639 DISCOVERY. 330 00:14:59,639 --> 00:15:03,009 THE EROSION OF PUBLIC TRUST AND 331 00:15:03,009 --> 00:15:05,511 FINANCIAL LOSSES FROM CYBER 332 00:15:05,511 --> 00:15:06,612 SECURITY ATTACKS POSE A 333 00:15:06,612 --> 00:15:07,880 SUBSTANTIAL CHALLENGE NOT ONLY 334 00:15:07,880 --> 00:15:09,816 TO NIH BUT THE BROADER RESEARCH 335 00:15:09,816 --> 00:15:11,484 INSTITUTIONS AND THEIR 336 00:15:11,484 --> 00:15:11,851 COMMUNITIES. 337 00:15:11,851 --> 00:15:14,487 JUST TO FURTHER EMPHASIZE THIS, 338 00:15:14,487 --> 00:15:18,124 WE'VE SEEN AN 84% OF DATA 339 00:15:18,124 --> 00:15:20,960 BREACHES OVER THE LAST DECADE. 340 00:15:20,960 --> 00:15:22,795 HEALTH CARE AND RESEARCH 341 00:15:22,795 --> 00:15:24,764 INSTITUTIONS HAVE SEEN AN 342 00:15:24,764 --> 00:15:25,898 INCREASE IN RANSOMWARE ATTACKS. 343 00:15:25,898 --> 00:15:28,768 WITH THE WORLD BEING ON THE 344 00:15:28,768 --> 00:15:31,104 BRINK OF REACHING POST QUANTUM 345 00:15:31,104 --> 00:15:32,839 COMPUTING AND A.I., THE ABILITY 346 00:15:32,839 --> 00:15:35,375 TO LINK IDENTITIES FROM 347 00:15:35,375 --> 00:15:37,910 DE-IDENTIFIED INFORMATION IS A 348 00:15:37,910 --> 00:15:38,444 REAL CONCERN. 349 00:15:38,444 --> 00:15:40,880 SO IF LEADERS WITHIN THE 350 00:15:40,880 --> 00:15:42,815 BIOMEDICAL COMMUNITY WE HAVE A 351 00:15:42,815 --> 00:15:43,916 UNIQUE ROLE TO PLAY. 
352 00:15:43,916 --> 00:15:46,018 NIH IS COMMITTED TO PROTECTING 353 00:15:46,018 --> 00:15:49,255 PUBLIC TRUST AND PREPARING FOR 354 00:15:49,255 --> 00:15:50,957 NATIONAL SECURITY DIRECTIVES AND 355 00:15:50,957 --> 00:15:52,792 POLICIES AND ACKNOWLEDGE AT 356 00:15:52,792 --> 00:15:54,160 TIMES RESEARCH INSTITUTIONS HAVE 357 00:15:54,160 --> 00:15:57,196 FOUND IT CHALLENGING TO FOLLOW A 358 00:15:57,196 --> 00:15:59,365 PATCHWORK OF SECURITY STANDARDS 359 00:15:59,365 --> 00:16:01,000 SO NIH IS UNIFYING OUR SECURITY 360 00:16:01,000 --> 00:16:03,002 STANDARDS TO EASE THE BURDEN ON 361 00:16:03,002 --> 00:16:04,670 INSTITUTIONS SEEKING FUNDING 362 00:16:04,670 --> 00:16:05,538 FROM NIH. 363 00:16:05,538 --> 00:16:09,142 THESE FACTORS NECESSITATE AND 364 00:16:09,142 --> 00:16:12,445 WERE THE DRIVERS IN NIH UPDATING 365 00:16:12,445 --> 00:16:16,382 THE SHARING POLICY AND BEST 366 00:16:16,382 --> 00:16:20,753 PRACTICES FOR USERS OF DATA. 367 00:16:20,753 --> 00:16:23,222 SO, WHAT DO YOU AS A RESEARCHER 368 00:16:23,222 --> 00:16:24,323 NEED TO KNOW? 369 00:16:24,323 --> 00:16:26,259 NIH SECURITY BEST PRACTICES ARE 370 00:16:26,259 --> 00:16:27,693 SECURITY BENCHMARKS. 371 00:16:27,693 --> 00:16:29,896 THEY'RE NOT REGULATORY 372 00:16:29,896 --> 00:16:32,265 REQUIREMENTS AND THEY'RE USED TO 373 00:16:32,265 --> 00:16:33,332 MEASURE YOUR INSTITUTE'S 374 00:16:33,332 --> 00:16:35,234 SECURITY POSTURE AGAINST THE 375 00:16:35,234 --> 00:16:38,004 NIST PUBLICATION 800-171 WHICH 376 00:16:38,004 --> 00:16:39,372 HAS SECURITY CONTROLS THAT ALIGN 377 00:16:39,372 --> 00:16:42,341 TO THE NIST RISK MANAGEMENT 378 00:16:42,341 --> 00:16:42,608 FRAMEWORK. 
379 00:16:42,608 --> 00:16:44,010 THE FRAMEWORK OFFERS YOU A 380 00:16:44,010 --> 00:16:46,245 PATHWAY TO ACHIEVE ATTAINABLE 381 00:16:46,245 --> 00:16:50,983 SECURITY PRACTICES THROUGH A 382 00:16:50,983 --> 00:16:52,485 SIX-PHASED PROCESS DESIGNED TO 383 00:16:52,485 --> 00:16:55,288 CONTINUOUSLY MONITOR THE RISK IN 384 00:16:55,288 --> 00:16:57,657 THE I.T. LIFE CYCLE FROM THE 385 00:16:57,657 --> 00:17:00,393 INCEPTION OF AN I.T. SYSTEM TO 386 00:17:00,393 --> 00:17:03,362 THE DECOMMISSIONING OF THAT 387 00:17:03,362 --> 00:17:03,596 SYSTEM. 388 00:17:03,596 --> 00:17:05,398 THE BEST PRACTICES FOR USERS OF 389 00:17:05,398 --> 00:17:08,000 CONTROLLED ACCESS DATA ARE ONLY 390 00:17:08,000 --> 00:17:10,036 EXPECTED TO BE APPLIED TO THOSE 391 00:17:10,036 --> 00:17:12,238 SYSTEMS THAT HANDLE ACCESS DATA. 392 00:17:12,238 --> 00:17:14,040 I'M GOING TO REALLY STRESS THAT 393 00:17:14,040 --> 00:17:15,775 POINT AND STATE THAT AGAIN. 394 00:17:15,775 --> 00:17:17,844 IT'S NOT EXPECTED THAT NIH 395 00:17:17,844 --> 00:17:19,111 SECURITY BEST PRACTICES BE 396 00:17:19,111 --> 00:17:22,014 APPLIED TO ALL OF YOUR I.T. 397 00:17:22,014 --> 00:17:24,951 SYSTEMS JUST THE SYSTEMS THAT 398 00:17:24,951 --> 00:17:27,186 PROCESS NIH CONTROLLED ACCESS 399 00:17:27,186 --> 00:17:28,087 DATA. 400 00:17:28,087 --> 00:17:29,589 SYSTEMS AT YOUR INSTITUTION THAT 401 00:17:29,589 --> 00:17:31,791 DO NOT INTERACT WITH THE DATA 402 00:17:31,791 --> 00:17:33,493 ARE NOT EXPECTED TO ADOPT THE 403 00:17:33,493 --> 00:17:34,794 SECURITY STANDARD THOUGH WE 404 00:17:34,794 --> 00:17:37,597 WOULD ENCOURAGE YOU TO MAKE THAT 405 00:17:37,597 --> 00:17:37,897 ADOPTION. 406 00:17:37,897 --> 00:17:39,332 YOU'LL FIND THE SECURITY 407 00:17:39,332 --> 00:17:42,168 STANDARDS UNDER THE 800-171 ARE 408 00:17:42,168 --> 00:17:51,077 REALLY THE BEST PRACTICES FOR 409 00:17:51,077 --> 00:17:52,378 MODERN ORGANIZATIONS AGAINST 410 00:17:52,378 --> 00:17:58,384 MODERN THREAT. 
411 00:17:58,384 --> 00:18:04,223 BY JANUARY 25, 2025 IMPLEMENT 412 00:18:04,223 --> 00:18:05,024 SECURITY CONTROLS. 413 00:18:05,024 --> 00:18:07,493 ANY DEVIATION FROM THE 414 00:18:07,493 --> 00:18:08,561 DOCUMENTED CONTROLS SHOULD BE 415 00:18:08,561 --> 00:18:10,263 DOCUMENTED IN YOUR PLAN OF 416 00:18:10,263 --> 00:18:12,431 ACTION AND MILESTONES WHICH WILL 417 00:18:12,431 --> 00:18:15,768 ALLOW YOU TO FURTHER MITIGATE 418 00:18:15,768 --> 00:18:16,269 THE RISK. 419 00:18:16,269 --> 00:18:17,403 ONCE ASSESSMENTS HAVE BEEN MADE 420 00:18:17,403 --> 00:18:19,338 AND DEVIATIONS DOCUMENTED, 421 00:18:19,338 --> 00:18:20,573 INSTITUTIONS SHOULD INFORM THEIR 422 00:18:20,573 --> 00:18:23,009 RESEARCHERS THEY CAN ATTEST TO 423 00:18:23,009 --> 00:18:25,811 THE NIH SECURITY BEST PRACTICES 424 00:18:25,811 --> 00:18:29,148 WHEN SUBMITTING NEW OR RENEWAL 425 00:18:29,148 --> 00:18:30,850 DATA ACCESS REQUEST TO NIH 426 00:18:30,850 --> 00:18:33,019 CONTROLLED ACCESS GENOMIC DATA 427 00:18:33,019 --> 00:18:37,323 ON OR AFTER JANUARY 25, APPROVED 428 00:18:37,323 --> 00:18:40,293 USERS OF NIH CONTROLLED ACCESS 429 00:18:40,293 --> 00:18:44,897 GENOMIC DATA ARE EXPECTED TO 430 00:18:44,897 --> 00:18:49,802 CONTROL THE DATA TO THE STANDARD 431 00:18:49,802 --> 00:18:52,805 AND IF YOU CHOOSE A THIRD PARTY 432 00:18:52,805 --> 00:18:53,973 CLOUD ACCESS SYSTEM FOR ANALYSIS 433 00:18:53,973 --> 00:18:56,943 OR STORAGE OF YOUR PROJECT, YOU 434 00:18:56,943 --> 00:18:59,178 SHOULD REQUEST FROM THAT THIRD 435 00:18:59,178 --> 00:19:00,212 PARTY OR CLOUD SERVICE PROVIDER 436 00:19:00,212 --> 00:19:02,915 AN ATTESTATION OF THEIR 437 00:19:02,915 --> 00:19:05,451 COMPLIANCE TO 800-171 BECAUSE 438 00:19:05,451 --> 00:19:07,420 THAT'S THE ONLY WAY YOU'LL HAVE 439 00:19:07,420 --> 00:19:08,788 ASSURANCES IT WILL ALLOW YOU TO 440 00:19:08,788 --> 00:19:12,258 ATTEST TO THE STANDARD WHEN 441 00:19:12,258 --> 00:19:13,426 SUBMITTING RENEWAL OF ACCESS 442 00:19:13,426 --> 00:19:19,498 
REQUESTS. 443 00:19:19,498 --> 00:19:19,732 OKAY. 444 00:19:19,732 --> 00:19:21,400 SO AS AN I.T. ADMINISTRATOR, 445 00:19:21,400 --> 00:19:23,502 WHAT DO YOU NEED TO KNOW? 446 00:19:23,502 --> 00:19:27,173 WE'LL SHIFT NOW TO TALK ABOUT 447 00:19:27,173 --> 00:19:28,975 WHAT I.T. SUPPORT STAFF NEED TO 448 00:19:28,975 --> 00:19:29,475 KNOW. 449 00:19:29,475 --> 00:19:36,048 SO THE NIST 800-171 ARTICULATES 450 00:19:36,048 --> 00:19:39,719 THE REQUIREMENTS ACROSS 17 451 00:19:39,719 --> 00:19:42,755 CONTROL FAMILIES FROM ACCESS 452 00:19:42,755 --> 00:19:44,957 SECURITY AND MANAGEMENT TO 453 00:19:44,957 --> 00:19:49,395 SUPPLY CHAIN RISK MANAGEMENT. 454 00:19:49,395 --> 00:19:50,763 WITH THE RECENT INTRODUCTION OF 455 00:19:50,763 --> 00:19:54,967 REV 3, THREE WERE ADDED AROUND 456 00:19:54,967 --> 00:19:57,236 SUPPLY CHAIN RISK MANAGEMENT 457 00:19:57,236 --> 00:20:00,940 WITH THE UNDERSTANDING MOST 458 00:20:00,940 --> 00:20:05,277 MODERN SOPHISTICATED ACTORS ARE 459 00:20:05,277 --> 00:20:07,179 ACCESSING THROUGH THIRD PARTY 460 00:20:07,179 --> 00:20:09,915 PROVIDERS OR PROCURED SOFTWARE 461 00:20:09,915 --> 00:20:13,486 OR EQUIPMENT. 462 00:20:13,486 --> 00:20:14,720 ADDITIONALLY, REV 3 INTRODUCED 463 00:20:14,720 --> 00:20:17,056 THE CONCEPT RISK SHOULD NOT ONLY 464 00:20:17,056 --> 00:20:18,357 BE ASSESSED ONCE BUT MONITORED 465 00:20:18,357 --> 00:20:20,192 THROUGH THE LIFE CYCLE OF A 466 00:20:20,192 --> 00:20:20,426 SYSTEM. 467 00:20:20,426 --> 00:20:22,495 SO PLEASE NOTE IF YOUR 468 00:20:22,495 --> 00:20:27,233 INSTITUTION IS ALREADY ON REV 2 469 00:20:27,233 --> 00:20:30,069 AND ACKNOWLEDGE AND TIME TO 470 00:20:30,069 --> 00:20:33,439 ADJUST UNDER REV 3 SO WE WILL 471 00:20:33,439 --> 00:20:35,741 ACCEPT REV 2 AND REV 3 AS 472 00:20:35,741 --> 00:20:37,476 FULFILLING THE EXPECTATIONS OF 473 00:20:37,476 --> 00:20:40,746 THE NIH SECURITY BEST PRACTICES. 
474 00:20:40,746 --> 00:20:44,550 WE ASK THAT IF YOU ARE ON REV 2 475 00:20:44,550 --> 00:20:47,353 YOU START TO PLAN FOR REV 3 476 00:20:47,353 --> 00:20:47,687 ADOPTION. 477 00:20:47,687 --> 00:20:49,555 START TO PLAN NOW, CREATE A PLAN 478 00:20:49,555 --> 00:20:50,923 OF ACTION AND MILESTONE ENTRY 479 00:20:50,923 --> 00:20:53,626 FOR EACH OF THE NEW CONTROL 480 00:20:53,626 --> 00:20:56,462 FAMILIES SO YOU CAN TRACK YOUR 481 00:20:56,462 --> 00:20:57,263 PROGRESS AND ATTAIN REV 3 482 00:20:57,263 --> 00:21:04,503 COMPLIANCE. 483 00:21:04,503 --> 00:21:04,704 OKAY. 484 00:21:04,704 --> 00:21:08,040 WE'RE GOING TO SHIFT NOW TO KIND 485 00:21:08,040 --> 00:21:13,012 OF LOOK AT THE ANATOMY OF THE 486 00:21:13,012 --> 00:21:17,083 NIST 800-171 CONTROLS TO GIVE YOU 487 00:21:17,083 --> 00:21:18,517 SITUATIONAL AWARENESS TO KNOW 488 00:21:18,517 --> 00:21:21,987 HOW TO USE THE 800-171 SERIES. 489 00:21:21,987 --> 00:21:24,256 ONCE BEING ON SERIES IS MADE 490 00:21:24,256 --> 00:21:26,292 UP OF TWO DOCUMENTS. 491 00:21:26,292 --> 00:21:28,461 ONE IS THE 171 WHICH DOCUMENTS 492 00:21:28,461 --> 00:21:30,696 THE CONTROLS. 493 00:21:30,696 --> 00:21:33,799 AND THEN THERE'S A COMPLEMENTARY 494 00:21:33,799 --> 00:21:35,601 171A USED TO ASSESS THE 495 00:21:35,601 --> 00:21:35,868 CONTROLS. 496 00:21:35,868 --> 00:21:44,543 SO THE NIST 800-171 WILL PROVIDE 497 00:21:44,543 --> 00:21:46,746 THE REQUIREMENT FOR THE CONTROL 498 00:21:46,746 --> 00:21:48,781 AND SOME WILL LIST 499 00:21:48,781 --> 00:21:50,182 ORGANIZATIONAL REQUIREMENTS. 500 00:21:50,182 --> 00:21:52,251 WHEN YOU SEE THIS THAT MEANS 501 00:21:52,251 --> 00:21:53,819 YOUR ORGANIZATION CAN SET OR 502 00:21:53,819 --> 00:21:55,121 ESTABLISH THE POLICY OR 503 00:21:55,121 --> 00:21:56,822 PROCEDURE FOR THAT CONTROL. 
504 00:21:56,822 --> 00:21:58,858 YOU GENERALLY SEE THAT IN A 505 00:21:58,858 --> 00:22:00,893 CONTROL WHERE THE FREQUENCY OF 506 00:22:00,893 --> 00:22:02,628 THE ACTIVITY OR FREQUENCY OF THE 507 00:22:02,628 --> 00:22:09,301 CONTROL IS AT THE ORGANIZATION'S 508 00:22:09,301 --> 00:22:09,902 DIRECT 509 00:22:09,902 --> 00:22:10,202 DISCRETION. 510 00:22:10,202 --> 00:22:11,670 THAT OFFERS MAXIMUM FLEXIBILITY. 511 00:22:11,670 --> 00:22:13,639 NEXT YOU'LL SEE NIST WILL HAVE 512 00:22:13,639 --> 00:22:15,708 THE CONTROL DESCRIPTION. 513 00:22:15,708 --> 00:22:21,480 THAT WILL ARTICULATE ACCEPTABLE 514 00:22:21,480 --> 00:22:24,483 MEANS AND YOU'LL SEE A CROSSWALK 515 00:22:24,483 --> 00:22:29,922 OF CONTROL IN THE 800-CONTROL 516 00:22:29,922 --> 00:22:31,223 AND ADDITIONAL RESOURCES 517 00:22:31,223 --> 00:22:32,391 AVAILABLE TO YOU WHICH YOU CAN 518 00:22:32,391 --> 00:22:33,993 REFERENCE FOR CONTEXT OR 519 00:22:33,993 --> 00:22:35,661 ADDITIONAL OPTIONS OR 520 00:22:35,661 --> 00:22:39,331 CLARIFICATION FOR THE CONTROL. 521 00:22:39,331 --> 00:22:42,601 SO THE KEY TAKEAWAY IS THE 171 522 00:22:42,601 --> 00:22:44,403 WILL PROVIDE EVERYTHING YOU NEED 523 00:22:44,403 --> 00:22:52,044 TO KNOW HOW TO SELF-ASSESS OR 524 00:22:52,044 --> 00:22:53,279 IMPLEMENT THE CONTROL IN THE 525 00:22:53,279 --> 00:22:54,146 SERIES. 526 00:22:54,146 --> 00:22:56,582 NOW WE'LL SHIFT TO THE 171A. 527 00:22:56,582 --> 00:23:00,619 THIS IS THE DOCUMENT THAT YOU'RE 528 00:23:00,619 --> 00:23:03,322 GOING TO USE FOR YOUR 529 00:23:03,322 --> 00:23:09,261 SELF-ASSESSMENT AND COMPLEMENTS THE 530 00:23:09,261 --> 00:23:09,562 NIST 800-171. 531 00:23:09,562 --> 00:23:11,997 YOU'LL SEE NIST WILL PROVIDE THE 532 00:23:11,997 --> 00:23:13,432 CONTROL NUMBER AND NAME AND 533 00:23:13,432 --> 00:23:14,633 UNDERNEATH YOU'LL GET THE 534 00:23:14,633 --> 00:23:18,504 REQUIREMENTS YOU'RE ASSESSING 535 00:23:18,504 --> 00:23:18,737 AGAINST. 
536 00:23:18,737 --> 00:23:25,644 YOU'LL DETERMINE IF THE 537 00:23:25,644 --> 00:23:28,013 ASSESSMENT AND WAYS TO DETERMINE 538 00:23:28,013 --> 00:23:29,515 AND EXAMINE AND POLICY OR 539 00:23:29,515 --> 00:23:29,782 PROCEDURE. 540 00:23:29,782 --> 00:23:32,651 YOU CAN INTERVIEW SUCH AS 541 00:23:32,651 --> 00:23:35,421 INTERVIEW I.T. PERSONNEL OR 542 00:23:35,421 --> 00:23:37,489 CONDUCT AN I.T. TEST SUCH AS 543 00:23:37,489 --> 00:23:39,358 ATTEMPTING TO PASSWORD GUESS THE 544 00:23:39,358 --> 00:23:42,027 ACCESS MANAGEMENT SYSTEM. 545 00:23:42,027 --> 00:23:45,264 WHAT LEVEL YOU CONDUCT THE 546 00:23:45,264 --> 00:23:46,932 SELF-ASSESSMENT AT IS UP TO YOU 547 00:23:46,932 --> 00:23:48,767 AND YOU CAN DETERMINE THE RIGHT 548 00:23:48,767 --> 00:23:50,569 LEVEL BASED ON YOUR SECURITY AND 549 00:23:50,569 --> 00:23:51,770 CONTROL IMPLEMENTED AND THE 550 00:23:51,770 --> 00:23:52,404 RESOURCES AND TIME AVAILABLE TO 551 00:23:52,404 --> 00:23:53,873 YOU. 552 00:23:53,873 --> 00:23:58,043 DEPENDING ON THE METHOD, THE 553 00:23:58,043 --> 00:24:00,379 171A ASSESSMENT METHOD WILL 554 00:24:00,379 --> 00:24:02,047 ARTICULATE WHICH ARTIFACT SHOULD 555 00:24:02,047 --> 00:24:03,782 BE REVIEWED, WHO YOU SHOULD BE 556 00:24:03,782 --> 00:24:05,718 INTERVIEWING AND WHAT CONTROLS 557 00:24:05,718 --> 00:24:08,053 ARE APPLICABLE FOR TESTING. 558 00:24:08,053 --> 00:24:10,456 KEY TAKEAWAY IS THE 171A WILL 559 00:24:10,456 --> 00:24:13,859 PROVIDE YOU WITH EVERYTHING YOU 560 00:24:13,859 --> 00:24:16,061 NEED TO KNOW TO SELF-ASSESS 561 00:24:16,061 --> 00:24:23,836 AGAINST THE 171 CONTROLS. 562 00:24:23,836 --> 00:24:25,337 NIST PROVIDES A WEALTH OF 563 00:24:25,337 --> 00:24:26,438 INFORMATION AND RESOURCES 564 00:24:26,438 --> 00:24:28,440 AVAILABLE TO YOU TO LEVERAGE. 
565 00:24:28,440 --> 00:24:35,915 ONE IS THE NIST CYBER SECURITY 566 00:24:35,915 --> 00:24:42,488 REFERENCE TOOL AND OVERLAY AND 567 00:24:42,488 --> 00:24:44,924 ALLOW YOU TO EXPORT THE FAMILIES 568 00:24:44,924 --> 00:24:46,225 INTO A NICE EXCEL SPREADSHEET. 569 00:24:46,225 --> 00:24:48,093 YOU CAN TURN IT OVER TO YOUR 570 00:24:48,093 --> 00:24:50,396 I.T. STAFF FOR THEM TO DOCUMENT 571 00:24:50,396 --> 00:24:52,731 THE CONTROLS DIRECTLY IN THE 572 00:24:52,731 --> 00:24:53,999 SPREADSHEET AND SIMILARLY 573 00:24:53,999 --> 00:24:56,936 OFFERS A TOOL WITH A SIMILAR 574 00:24:56,936 --> 00:24:58,737 FUNCTIONALITY FOR CONDUCTING 575 00:24:58,737 --> 00:24:59,571 SELF-ASSESSMENTS. 576 00:24:59,571 --> 00:25:04,810 WE'RE ALSO GOING TO PROVIDE IN 577 00:25:04,810 --> 00:25:06,445 THE CHAT THE LINK TO PROVIDE A 578 00:25:06,445 --> 00:25:11,183 DEEP DIVE OF THE 800-171 SERIES 579 00:25:11,183 --> 00:25:16,522 AS WELL AS AN OVERVIEW OF THE 580 00:25:16,522 --> 00:25:19,925 TWO TOOLS. 581 00:25:19,925 --> 00:25:22,127 SO, LET'S RECAP WHERE WE ARE. 582 00:25:22,127 --> 00:25:25,931 IF YOU ARE AN I.T. SUPPORT STAFF 583 00:25:25,931 --> 00:25:28,534 MEMBER, YOU ARE TO ASSESS 584 00:25:28,534 --> 00:25:32,171 IN-SCOPE SYSTEMS AGAINST THE 585 00:25:32,171 --> 00:25:33,939 NIST 800-171 CONTROLS AND TO THE 586 00:25:33,939 --> 00:25:35,808 BEST OF YOUR ABILITY PERIMETER 587 00:25:35,808 --> 00:25:37,910 THE SECURITY CONTROLS. 588 00:25:37,910 --> 00:25:39,578 YOU'RE ALSO TO DOCUMENT ANY 589 00:25:39,578 --> 00:25:41,613 DEVIATIONS AND PLAN OF ACTION 590 00:25:41,613 --> 00:25:46,652 AND MILESTONES AND ANY CONTROLS 591 00:25:46,652 --> 00:25:48,420 YOU PARTIALLY IMPLEMENTED OR 592 00:25:48,420 --> 00:25:51,557 PLAN TO AND ONCE DONE YOU SHOULD 593 00:25:51,557 --> 00:25:55,861 COMMUNICATE OUT TO STAFF AND 594 00:25:55,861 --> 00:25:57,496 RESEARCHERS TO ATTEST THE 595 00:25:57,496 --> 00:25:59,198 APPROPRIATE CONDITIONS. 
596 00:25:59,198 --> 00:26:01,767 STARTING ON JANUARY ON OR AFTER 597 00:26:01,767 --> 00:26:04,837 JANUARY 25, YOU'RE TO ATTEST TO 598 00:26:04,837 --> 00:26:06,972 PROTECTING NIH GENOMIC DATA WHEN 599 00:26:06,972 --> 00:26:09,308 REQUESTING NEW OR RENEWING 600 00:26:09,308 --> 00:26:17,316 ACCESS TO NIH CONTROLLED ACCESS 601 00:26:17,316 --> 00:26:19,451 DATA JUST TO PROVIDE YOU WITH 602 00:26:19,451 --> 00:26:23,322 ALL THE LINKS IN ONE SPOT WE 603 00:26:23,322 --> 00:26:26,025 COVERED TODAY, NIH HAS AN 604 00:26:26,025 --> 00:26:29,928 EXTENSIVE LIBRARY OF DOCUMENTS 605 00:26:29,928 --> 00:26:30,729 AND INFORMATION AVAILABLE TO YOU 606 00:26:30,729 --> 00:26:32,998 AND ALSO WANTED TO COLLECT AND 607 00:26:32,998 --> 00:26:34,933 HIGHLIGHT THE NIST RESOURCES 608 00:26:34,933 --> 00:26:35,801 AVAILABLE TO YOU. 609 00:26:35,801 --> 00:26:36,935 THEY'RE HERE ON THE SLIDE AND 610 00:26:36,935 --> 00:26:41,807 WILL BE SHARED OUT WITH YOU 611 00:26:41,807 --> 00:26:43,909 AFTER THE PRESENTATION. 612 00:26:43,909 --> 00:26:47,913 I WANT TO THANK YOU FOR HANGING 613 00:26:47,913 --> 00:26:50,616 IN THERE AS WE WENT OVER THE 614 00:26:50,616 --> 00:26:53,886 INFORMATION AND MICHAEL WILL BE 615 00:26:53,886 --> 00:26:57,456 FACILITATING OUR Q&A SESSION AND 616 00:26:57,456 --> 00:26:58,757 COORDINATING. 617 00:26:58,757 --> 00:27:00,359 OVER TO YOU. 618 00:27:00,359 --> 00:27:01,326 >> THANK YOU. 619 00:27:01,326 --> 00:27:04,897 I'M THE NIH ICO COMMUNICATIONS 620 00:27:04,897 --> 00:27:07,166 LEAD AND I'LL BE FACILITATING 621 00:27:07,166 --> 00:27:08,367 THE Q&A SESSION FOR THIS EVENT. 
622 00:27:08,367 --> 00:27:13,872 AS A FRIENDLY REMINDER ENTER 623 00:27:13,872 --> 00:27:18,377 YOUR QUESTIONS IN THE Q&A AND 624 00:27:18,377 --> 00:27:22,614 THOSE IN ZOOM YOU CAN ADD YOUR 625 00:27:22,614 --> 00:27:24,983 QUESTIONS AND WE'LL TRY TO 626 00:27:24,983 --> 00:27:27,453 TODAYS AS MANY QUESTIONS AND YOU 627 00:27:27,453 --> 00:27:32,491 CAN E-MAIL QUESTIONS AT THE 628 00:27:32,491 --> 00:27:34,526 E-MAIL ON THE SCREEN. 629 00:27:34,526 --> 00:27:36,895 TO KICK OFF THE Q&A THE FIRST 630 00:27:36,895 --> 00:27:41,400 QUESTION IS FOR MS. FALVELLA. 631 00:27:41,400 --> 00:27:47,406 HOW MUCH AMOUNT OF TIME TO 632 00:27:47,406 --> 00:27:47,673 REMEDIATE. 633 00:27:47,673 --> 00:27:51,009 >> TIME TO REMEDIATE AND 634 00:27:51,009 --> 00:27:53,812 MILESTONE ITEMS THAT COULD 635 00:27:53,812 --> 00:27:54,880 INCLUDE IDENTIFIED RISK OR 636 00:27:54,880 --> 00:27:57,049 SYSTEM WEAKNESSES ANY PARTIAL OR 637 00:27:57,049 --> 00:28:00,586 PLANNED CONTROLS IDENTIFIED IN 638 00:28:00,586 --> 00:28:02,321 THE SELF-ASSESSMENT AND THOSE 639 00:28:02,321 --> 00:28:03,322 MEDIATION TIMES ARE SPECIFIC TO 640 00:28:03,322 --> 00:28:03,989 YOUR ORGANIZATION BUT THEY 641 00:28:03,989 --> 00:28:06,225 SHOULD BE ALIGNED TO BEST 642 00:28:06,225 --> 00:28:09,294 EFFORTS TO RESOLVE IN A TIMELY 643 00:28:09,294 --> 00:28:10,129 MANNER WITHOUT REASONABLE DELAY 644 00:28:10,129 --> 00:28:12,064 AND BASED ON THE RISK OF 645 00:28:12,064 --> 00:28:14,199 POTENTIAL IMPACT. 646 00:28:14,199 --> 00:28:16,902 IT'S UP TO THE ORGANIZATION. 647 00:28:16,902 --> 00:28:18,704 ANY RISK MANAGEMENT YOU WANT TO 648 00:28:18,704 --> 00:28:22,307 MAKE SURE IT'S TIMELY, 649 00:28:22,307 --> 00:28:23,175 REALISTIC, FEASIBLE WITHOUT 650 00:28:23,175 --> 00:28:25,344 UNREASONABLE DELAY AND BASED ON 651 00:28:25,344 --> 00:28:27,546 THE RISK THAT CONTROL OR 652 00:28:27,546 --> 00:28:28,113 WEAKNESS MAY PRESENT TO THE 653 00:28:28,113 --> 00:28:32,951 ORGANIZATION. 
654 00:28:32,951 --> 00:28:34,486 >> THANK YOU. 655 00:28:34,486 --> 00:28:37,422 ANOTHER QUESTION FOR YOU, MS. 656 00:28:37,422 --> 00:28:40,025 FALVELLA TOO THE SCANNING. 657 00:28:40,025 --> 00:28:42,394 IT READS DO DOCKER IMAGES NEED 658 00:28:42,394 --> 00:28:44,329 TO HAVE BASELINE CONFIGURATION 659 00:28:44,329 --> 00:28:45,831 AND VULNERABILITY SCANS BEFORE 660 00:28:45,831 --> 00:28:47,799 THEY'RE ALLOWED TO HANDLE NIH 661 00:28:47,799 --> 00:28:49,801 CONTROLLED ACCESS DATA? 662 00:28:49,801 --> 00:28:52,838 >> YES, VULNERABILITY MONITORING 663 00:28:52,838 --> 00:28:55,474 AND SCANNING IS PART OF THE NIST 664 00:28:55,474 --> 00:28:59,344 CONTROL FAMILIES UNDER 800-171. 665 00:28:59,344 --> 00:29:03,715 IT'S CONTROL 3.1102 AND 666 00:29:03,715 --> 00:29:06,051 REQUIRE SYSTEMS UNDERGO 667 00:29:06,051 --> 00:29:07,719 VULNERABILITY MONITORING AND 668 00:29:07,719 --> 00:29:07,986 SCANNING. 669 00:29:07,986 --> 00:29:10,088 THE TYPES OF SCANS AND FREQUENCY 670 00:29:10,088 --> 00:29:11,890 ARE ORGANIZATIONALLY DEFINED 671 00:29:11,890 --> 00:29:12,191 REQUIREMENT. 672 00:29:12,191 --> 00:29:15,761 THOSE ARE THE CONTROLS WE 673 00:29:15,761 --> 00:29:17,863 MENTIONED WITH MAXIMUM 674 00:29:17,863 --> 00:29:18,764 FLEXIBILITY BUT THE EXPECTATION 675 00:29:18,764 --> 00:29:22,935 IS IF YOU ARE CONDUCTING 676 00:29:22,935 --> 00:29:23,969 VULNERABILITY MONITORING AND 677 00:29:23,969 --> 00:29:25,037 SCANNING AS APPROPRIATE FOR 678 00:29:25,037 --> 00:29:26,905 SYSTEMS THAT ARE PROCESSING THE 679 00:29:26,905 --> 00:29:34,913 NIH CONTROLLED ACCESS DATA. 680 00:29:34,913 --> 00:29:37,649 >> OUR NEXT QUESTION IS FOR 681 00:29:37,649 --> 00:29:42,721 DR. 
JACOBS, DOES NIH INTEND FOR 682 00:29:42,721 --> 00:29:44,990 IT TO GO TO DATA CREATED THROUGH 683 00:29:44,990 --> 00:29:47,059 THE PROCESSING OR ANALYSIS OF 684 00:29:47,059 --> 00:29:49,228 THE CONTROLLED ACCESS GENOMIC 685 00:29:49,228 --> 00:29:51,730 DATA, IF SO WHAT DERIVED DATA 686 00:29:51,730 --> 00:29:53,398 WOULD BE CONSIDERED RESTRICTED 687 00:29:53,398 --> 00:29:54,366 AND WHAT DATA ARE NOT SUBJECT TO 688 00:29:54,366 --> 00:29:56,668 THESE CONTROLS? 689 00:29:56,668 --> 00:29:57,803 DR. JACOBS, OVER TO YOU. 690 00:29:57,803 --> 00:30:01,907 >> THANK YOU. 691 00:30:01,907 --> 00:30:07,179 TO BE CLEAR, NIH IS NOT FORMALLY 692 00:30:07,179 --> 00:30:14,486 OR HAS NOT FORMALLY 693 00:30:14,486 --> 00:30:17,422 DESIGNATED TO BE CLASSIFIED 694 00:30:17,422 --> 00:30:18,223 DEFINED IN THE REGULATION. 695 00:30:18,223 --> 00:30:21,994 NIH IS EXPECTING USERS IN THEIR 696 00:30:21,994 --> 00:30:24,196 INSTITUTIONS THAT OBTAIN HUMAN 697 00:30:24,196 --> 00:30:26,231 GENOMIC DATA FROM THE NIH 698 00:30:26,231 --> 00:30:28,734 CONTROLLED ACCESS DATA 699 00:30:28,734 --> 00:30:31,470 REPOSITORIES THAT WERE INDICATED 700 00:30:31,470 --> 00:30:32,371 PREVIOUSLY THAT THEY WILL 701 00:30:32,371 --> 00:30:34,406 PROTECT THESE DATA ACCORDING TO 702 00:30:34,406 --> 00:30:38,877 THE NIST STANDARD 800-171. 
703 00:30:38,877 --> 00:30:41,079 WE WANT TO REMIND FOLKS ON THE 704 00:30:41,079 --> 00:30:42,881 CALL THAT NIH HAS TYPICALLY 705 00:30:42,881 --> 00:30:46,451 INDICATED IN TERMS OF ACCESS 706 00:30:46,451 --> 00:30:49,454 AGREEMENTS SUCH AS THE DATA USE 707 00:30:49,454 --> 00:30:51,390 CERTIFICATION, ALL TYPES OF 708 00:30:51,390 --> 00:30:53,925 DERIVED DATA ARE PROTECTED AND 709 00:30:53,925 --> 00:30:56,595 CONTROLLED ACCESS REPOSITORIES 710 00:30:56,595 --> 00:30:59,831 SO THE EXAMPLE GIVEN IN THE DOCK 711 00:30:59,831 --> 00:31:04,069 ARE SINGLE NUCLEOTIDE 712 00:31:04,069 --> 00:31:06,405 POLYMORPHISMS OR SNPS, THEY'RE 713 00:31:06,405 --> 00:31:08,807 CONSIDERED DATA DERIVATIVES AND 714 00:31:08,807 --> 00:31:12,477 WOULD BE TYPICALLY TREATED AND 715 00:31:12,477 --> 00:31:13,645 SECURED SIMILARLY TO INDIVIDUAL 716 00:31:13,645 --> 00:31:20,218 CONTROLLED ACCESS DATA. 717 00:31:20,218 --> 00:31:21,320 >> THANK YOU, DR. JACOBS. 718 00:31:21,320 --> 00:31:23,889 WE HAVE ANOTHER QUESTION FOR 719 00:31:23,889 --> 00:31:24,056 YOU. 720 00:31:24,056 --> 00:31:26,325 COULD YOU PROVIDE EXAMPLES OF 721 00:31:26,325 --> 00:31:26,992 DEVELOPERS AT UNIVERSITY THAT 722 00:31:26,992 --> 00:31:28,760 ARE ALSO NOT RESEARCHERS? 
723 00:31:28,760 --> 00:31:31,930 >> WE GET THIS QUESTION A LOT 724 00:31:31,930 --> 00:31:35,467 AND WE ARE REALLY FOCUSSING ON 725 00:31:35,467 --> 00:31:37,903 THE ACTION OF THOSE 726 00:31:37,903 --> 00:31:39,571 INVESTIGATORS THAT ARE FUNDED TO 727 00:31:39,571 --> 00:31:42,007 DO THE WORK RATHER THAN THE 728 00:31:42,007 --> 00:31:44,543 DEFINITION AND SO WHEN WE'RE 729 00:31:44,543 --> 00:31:50,682 TALKING ABOUT DEVELOPERS, THEIR 730 00:31:50,682 --> 00:31:53,218 WORK IS NOT RESEARCH AND WHAT WE 731 00:31:53,218 --> 00:31:54,886 MEAN BY THAT IS THESE DEVELOPERS 732 00:31:54,886 --> 00:32:01,159 ARE FUNDED BY NIH TO DO A 733 00:32:01,159 --> 00:32:02,527 PARTICULAR SERVICE ON ONE OF THE 734 00:32:02,527 --> 00:32:05,697 20 OR SO REPOSITORIES THAT WE 735 00:32:05,697 --> 00:32:08,300 INDICATED ON THE SLIDE. 736 00:32:08,300 --> 00:32:10,535 AND THEY'RE ESTABLISHING THE 737 00:32:10,535 --> 00:32:11,503 REPOSITORY PROVIDING MAINTENANCE 738 00:32:11,503 --> 00:32:14,439 OR DEVELOPING A TOOL FOR A 739 00:32:14,439 --> 00:32:16,241 REPOSITORY AND WE WOULD CONSIDER 740 00:32:16,241 --> 00:32:23,548 THAT AWARDED P.I. TO BE A 741 00:32:23,548 --> 00:32:25,150 DEVELOPER. 742 00:32:25,150 --> 00:32:26,518 IN CONTRAST IF A P.I. IS AWARDED 743 00:32:26,518 --> 00:32:32,224 TO MAKE A TOOL THAT WOULD BE OF 744 00:32:32,224 --> 00:32:34,526 SERVICE IN GENERAL TO 745 00:32:34,526 --> 00:32:36,161 REPOSITORIES AND NOT FUNDED TO 746 00:32:36,161 --> 00:32:40,432 WORK ON A PARTICULAR REPOSITORY, 747 00:32:40,432 --> 00:32:40,999 THAT WOULD BE CLASSIFIED AS 748 00:32:40,999 --> 00:32:42,501 RESEARCH. 749 00:32:42,501 --> 00:32:47,038 AND SOMETHING WE WANT TO POINT 750 00:32:47,038 --> 00:32:51,443 OUT IS THAT BASED ON THE 751 00:32:51,443 --> 00:32:53,645 ACTIVITY, A P.I. 
COULD BE FUNDED 752 00:32:53,645 --> 00:32:55,747 TO DO DEVELOPER WORK SO WORK 753 00:32:55,747 --> 00:33:00,118 THAT IS ON ONE OF THE 20 754 00:33:00,118 --> 00:33:03,221 REPOSITORIES AND ALSO SEPARATELY 755 00:33:03,221 --> 00:33:05,457 HAVE A RESEARCH GOAL AND IF THEY 756 00:33:05,457 --> 00:33:09,828 DO, THEY WOULD BE EXPECTED TO 757 00:33:09,828 --> 00:33:14,900 SUBMIT A DATA ACCESS REQUEST TO 758 00:33:14,900 --> 00:33:15,434 THE APPROPRIATE DECK FOR 759 00:33:15,434 --> 00:33:19,671 RESEARCH. 760 00:33:19,671 --> 00:33:21,173 >> AWESOME. 761 00:33:21,173 --> 00:33:22,974 NOW, WE HAVE ANOTHER QUESTION 762 00:33:22,974 --> 00:33:28,480 AND THIS IS FOR YOU, MS. 763 00:33:28,480 --> 00:33:31,283 FALVELLA, 764 00:33:31,283 --> 00:33:34,619 IS VERSION 2 OR 3? 765 00:33:34,619 --> 00:33:37,889 >> NIH WILL ACCEPT THE REV 2 AND 766 00:33:37,889 --> 00:33:40,459 REV 3 AS FULFILLING SECURITY 767 00:33:40,459 --> 00:33:42,160 EXPECTATIONS IN THE BEST 768 00:33:42,160 --> 00:33:42,427 PRACTICES. 769 00:33:42,427 --> 00:33:47,532 SO WHAT WE DO ENCOURAGE IS THAT 770 00:33:47,532 --> 00:33:49,568 THEY ASSESS AGAINST THE REV 3. 771 00:33:49,568 --> 00:33:51,636 SO IF YOU'RE ON REV 2, ADD THE 772 00:33:51,636 --> 00:33:54,272 ADDITIONAL CONTROL FAMILIES TO 773 00:33:54,272 --> 00:33:56,875 YOUR PLAN OF ACTION MILESTONES 774 00:33:56,875 --> 00:33:58,510 FOR YOUR I.T. SYSTEMS SO YOU CAN 775 00:33:58,510 --> 00:34:01,980 START TO PLAN AHEAD FOR THAT 776 00:34:01,980 --> 00:34:03,081 CONVERSION. 777 00:34:03,081 --> 00:34:08,920 WE HAVE NOT ESTABLISHED A DATE 778 00:34:08,920 --> 00:34:12,324 WHEN WE'LL SUNSET THE REV 2 BUT 779 00:34:12,324 --> 00:34:15,227 YOU SHOULD PLAN FOR ADOPTING THE 780 00:34:15,227 --> 00:34:18,597 FULL REV 3 STANDARD. 781 00:34:18,597 --> 00:34:19,731 THAT'S DRIVEN BY WHAT WE'RE 782 00:34:19,731 --> 00:34:21,099 SEEING IN THE THREAT LANDSCAPE. 
783 00:34:21,099 --> 00:34:23,235 THERE'S SO MANY THREATS COMING 784 00:34:23,235 --> 00:34:25,237 IN THROUGH AUTHORIZED SERVICE 785 00:34:25,237 --> 00:34:29,841 PROVIDERS AND AUTHORIZED 786 00:34:29,841 --> 00:34:31,343 SOFTWARE AND SO WE REALLY 787 00:34:31,343 --> 00:34:33,512 ENCOURAGE YOU TO MAKE A SWITCH 788 00:34:33,512 --> 00:34:35,013 FROM A SECURITY PERSPECTIVE 789 00:34:35,013 --> 00:34:40,785 BECAUSE THE RISKS ARE SO HIGH. 790 00:34:40,785 --> 00:34:41,052 THANKS. 791 00:34:41,052 --> 00:34:43,021 >> THANK YOU, MS. FALVELLA. 792 00:34:43,021 --> 00:34:45,390 I THINK THERE'S INTEREST TO KNOW 793 00:34:45,390 --> 00:34:46,892 WHERE CAN WE FIND THE LIST OF 794 00:34:46,892 --> 00:34:48,793 SUBJECT REPOSITORIES? 795 00:34:48,793 --> 00:34:52,731 WE'LL SHARE THE LINK IN THE 796 00:34:52,731 --> 00:34:52,931 CHAT. 797 00:34:52,931 --> 00:34:58,737 WE'LL GATHER THAT HERE. 798 00:34:58,737 --> 00:35:01,139 WE'LL PUT THAT IN THE CHAT FOR 799 00:35:01,139 --> 00:35:01,306 YOU. 800 00:35:01,306 --> 00:35:03,174 CARLOS PUT THAT IN THE CHAT SO 801 00:35:03,174 --> 00:35:04,476 YOU CAN FIND THE LINK TO THE 802 00:35:04,476 --> 00:35:06,177 LIST OF SUBJECT REPOSITORIES. 803 00:35:06,177 --> 00:35:09,080 WE HAVE A QUESTION FOR YOU, 804 00:35:09,080 --> 00:35:11,049 DR. JACOBS. 805 00:35:11,049 --> 00:35:12,751 DOES NIH CONSIDER THIS DATA TO 806 00:35:12,751 --> 00:35:16,988 BE CUI OR ARE YOU SIMPLY USING 807 00:35:16,988 --> 00:35:22,160 THE CUI SAFEGUARDS AND STANDARDS 808 00:35:22,160 --> 00:35:24,696 BECAUSE IT'S BEST PRACTICE? 809 00:35:24,696 --> 00:35:25,964 >> NIH DOES NOT CONSIDER TO BE 810 00:35:25,964 --> 00:35:29,301 THE DATA TO BE CONTROLLED, 811 00:35:29,301 --> 00:35:31,469 UNCLASSIFIED INFORMATION. 
812 00:35:31,469 --> 00:35:33,672 RATHER WE'RE USING THE STANDARD 813 00:35:33,672 --> 00:35:36,308 AND SECURITY CONTROLS AT NIH 814 00:35:36,308 --> 00:35:39,144 PREVIOUSLY HAD A DOCUMENT THAT 815 00:35:39,144 --> 00:35:41,947 OUTLINED SECURITY CONTROLS 816 00:35:41,947 --> 00:35:42,981 SEPARATE FROM PARTICIPANT 817 00:35:42,981 --> 00:35:47,218 PRIVACY AND PROTECTION AND SO 818 00:35:47,218 --> 00:35:50,755 THIS IS IN LINE WITH UPDATING 819 00:35:50,755 --> 00:35:52,457 HOW THE DATA SHOULD BE SECURED 820 00:35:52,457 --> 00:35:57,295 AND PROTECTED FROM ANY CYBER 821 00:35:57,295 --> 00:35:59,464 SECURITY THREATS AS MS. FALVELLA 822 00:35:59,464 --> 00:36:04,169 HAD OUTLINED. 823 00:36:04,169 --> 00:36:07,505 >> THANK YOU. 824 00:36:07,505 --> 00:36:08,406 NOW, WE HAVE A QUESTION ASKING 825 00:36:08,406 --> 00:36:10,709 WHAT IS THE DEFINITION OF 826 00:36:10,709 --> 00:36:10,976 DEVELOPER? 827 00:36:10,976 --> 00:36:12,377 I THINK WE TOUCHED ON THIS 828 00:36:12,377 --> 00:36:13,912 SLIGHTLY BEFORE BUT I THINK WE 829 00:36:13,912 --> 00:36:15,814 NEED TO ISOLATE THIS AND EXPAND 830 00:36:15,814 --> 00:36:16,381 ON IT. 831 00:36:16,381 --> 00:36:18,283 FOR THE DEVELOPERS, WHAT IS THE 832 00:36:18,283 --> 00:36:20,986 DEFINITION OF WHO IS A 833 00:36:20,986 --> 00:36:21,486 DEVELOPER? 834 00:36:21,486 --> 00:36:31,997 >> YEAH, SO TO GO BACK THERE 835 00:36:32,697 --> 00:36:38,336 ISN'T -- IT'S BASED ON AN 836 00:36:38,336 --> 00:36:39,537 AWARDEE FUNDED TO DO PARTICULAR 837 00:36:39,537 --> 00:36:43,708 WORK IN ONE OF THE 20 838 00:36:43,708 --> 00:36:46,044 REPOSITORIES LISTED ON THE 839 00:36:46,044 --> 00:36:52,050 SHARING SITE AND SO THAT'S WHERE 840 00:36:52,050 --> 00:36:54,386 THE PARTICULAR -- DAVID ON THE 841 00:36:54,386 --> 00:36:57,088 ACTION IS WHEN THE WORDING WOULD 842 00:36:57,088 --> 00:36:58,023 BE CHARACTERIZED AS DOING 843 00:36:58,023 --> 00:37:00,291 DEVELOPER ACTIVITIES. 844 00:37:00,291 --> 00:37:02,494 >> SOUNDS GOOD. 
845 00:37:02,494 --> 00:37:04,629 AND DR. JACOBS, WHILE YOU'RE 846 00:37:04,629 --> 00:37:05,730 STILL ON THE MIKE THERE'S A 847 00:37:05,730 --> 00:37:07,098 QUESTION FOR YOU. 848 00:37:07,098 --> 00:37:10,335 IT READS, I KNOW THIS IS 849 00:37:10,335 --> 00:37:11,970 FOCUSSING PRIMARILY ON NIH 850 00:37:11,970 --> 00:37:13,004 CONTROLLED ACCESS DATA. 851 00:37:13,004 --> 00:37:15,240 WHAT ARE THE EXPECTATIONS FOR DATA 852 00:37:15,240 --> 00:37:17,008 GENERATIONS AND FACILITIES WHICH 853 00:37:17,008 --> 00:37:19,177 CAN GENERATE FACILITY BASED ON 854 00:37:19,177 --> 00:37:20,912 GDS POLICY, IRB AND CONSENT MAY 855 00:37:20,912 --> 00:37:25,517 END UP IN ONE OF THE FUNDED 856 00:37:25,517 --> 00:37:27,052 DATABASE LIKE THE DB GAP. 857 00:37:27,052 --> 00:37:27,619 IS THERE DOCUMENTATION FOR 858 00:37:27,619 --> 00:37:36,227 GUIDANCE? 859 00:37:36,227 --> 00:37:41,299 >> I WANT TO BETTER UNDERSTAND 860 00:37:41,299 --> 00:37:42,934 THAT QUESTION. 861 00:37:42,934 --> 00:37:44,269 IF YOU DON'T MIND READING THAT 862 00:37:44,269 --> 00:37:44,469 AGAIN. 863 00:37:44,469 --> 00:37:46,304 >> IT READS I KNOW THIS IS 864 00:37:46,304 --> 00:37:48,006 FOCUSSING PRIMARILY ON 865 00:37:48,006 --> 00:37:50,341 INTERACTION FOR NIH-FUNDED 866 00:37:50,341 --> 00:37:52,110 CONTROLLED ACCESS DATA, WHAT ARE 867 00:37:52,110 --> 00:37:54,979 THE EXPECTATIONS FOR DATA 868 00:37:54,979 --> 00:37:56,347 GENERATORS, EXAMPLE, CAR 869 00:37:56,347 --> 00:37:58,283 FACILITIES WHICH CAN GENERATE 870 00:37:58,283 --> 00:38:00,752 FACILITIES BASED ON GDS POLICY, 871 00:38:00,752 --> 00:38:05,390 IRB AND CONSENT MAY END UP IN A 872 00:38:05,390 --> 00:38:08,293 FUNDED DATABASE LIKE DB GAP. 873 00:38:08,293 --> 00:38:11,229 IS THERE DOCUMENTATION FOR 874 00:38:11,229 --> 00:38:16,134 GUIDANCE? 875 00:38:16,134 --> 00:38:17,068 >> GOT IT. 
876 00:38:17,068 --> 00:38:19,504 THE USERS OF CONTROLLED ACCESS 877 00:38:19,504 --> 00:38:23,475 DATA IS LIMITED TO THOSE P.I.s 878 00:38:23,475 --> 00:38:26,377 THAT ARE REQUESTING ACCESS AND 879 00:38:26,377 --> 00:38:28,146 ARE APPROVED. 880 00:38:28,146 --> 00:38:33,418 ACCESS DATA FROM ONE OF THE 20 881 00:38:33,418 --> 00:38:35,687 REPOSITORIES INDICATED, THIS 882 00:38:35,687 --> 00:38:40,058 DOES NOT APPLY TO DATA 883 00:38:40,058 --> 00:38:42,393 GENERATORS, THERE'S NOT AN 884 00:38:42,393 --> 00:38:45,430 EXPECTATION FOR ANY OF THE 885 00:38:45,430 --> 00:38:46,931 SECURITY STANDARDS INDICATED IN 886 00:38:46,931 --> 00:38:51,803 THIS UPDATE TO APPLY TO THOSE 887 00:38:51,803 --> 00:38:56,775 ENTITIES. 888 00:38:56,775 --> 00:38:57,442 >> SOUNDS GOOD. 889 00:38:57,442 --> 00:39:02,380 THANK YOU, DR. JACOBS. 890 00:39:02,380 --> 00:39:05,216 NOW, OUR NEXT QUESTION, NIH 891 00:39:05,216 --> 00:39:06,718 ACCESS TRACKING. 892 00:39:06,718 --> 00:39:08,286 INVESTIGATE HOW THE NIH IS 893 00:39:08,286 --> 00:39:09,754 TRACKING ACCESS TO CORRELATE AND 894 00:39:09,754 --> 00:39:10,622 VALIDATE THE RIGHT PEOPLE WITH 895 00:39:10,622 --> 00:39:15,326 THE RIGHT ACCESS. 896 00:39:15,326 --> 00:39:17,395 WHEN AN INDIVIDUAL DOWNLOADS 897 00:39:17,395 --> 00:39:18,196 CONTROLLED DATA AND THAT PERSON 898 00:39:18,196 --> 00:39:19,531 LEAVES FOR ANOTHER INSTITUTION, 899 00:39:19,531 --> 00:39:20,598 WHICH INSTITUTION IS RESPONSIBLE 900 00:39:20,598 --> 00:39:23,034 FOR THAT DATA SET? 901 00:39:23,034 --> 00:39:26,137 IS THE INDIVIDUAL REQUIRED TO 902 00:39:26,137 --> 00:39:29,407 RESUBMIT TO ACCESS THE DATA SET, 903 00:39:29,407 --> 00:39:32,377 ARE THEY TRACKING LEVERS? 904 00:39:32,377 --> 00:39:35,547 IF SOMEONE COMES TO MAYO AND 905 00:39:35,547 --> 00:39:36,681 BRINGS DATA, WHAT IS THE PROCESS 906 00:39:36,681 --> 00:39:38,283 AND WHO IS RESPONSIBLE? 907 00:39:38,283 --> 00:39:44,255 >> I'LL TAKE THAT ONE. 
908 00:39:44,255 --> 00:39:50,161 SO, NIH DOES NOT TRACK DOES NOT 909 00:39:50,161 --> 00:39:52,530 APPLY ANY IDENTIFIER TO TRACK 910 00:39:52,530 --> 00:39:54,432 USERS WHEN THEY GET ACCESS TO 911 00:39:54,432 --> 00:40:00,738 DATA OR IF THEY'RE WORKING 912 00:40:00,738 --> 00:40:01,339 INSIDE A CLOUD ENVIRONMENT AT 913 00:40:01,339 --> 00:40:06,044 NIH. 914 00:40:06,044 --> 00:40:11,382 WHAT IS RECORDED IS THE P.I.'S 915 00:40:11,382 --> 00:40:14,285 NAME AND THEIR INSTITUTION AND 916 00:40:14,285 --> 00:40:18,289 THEIR RESEARCH USE STATEMENT. 917 00:40:18,289 --> 00:40:22,560 WHAT WE DO SAY IN THE DATA USE 918 00:40:22,560 --> 00:40:26,497 CERTIFICATION THAT IF A P.I. 919 00:40:26,497 --> 00:40:30,001 LEAVES AN INSTITUTION THAT THEY 920 00:40:30,001 --> 00:40:35,206 ARE EXPECTED TO CLOSE OUT THEIR 921 00:40:35,206 --> 00:40:37,108 PROJECT AT THEIR OLD INSTITUTION 922 00:40:37,108 --> 00:40:42,213 AND THEN AT THEIR NEW 923 00:40:42,213 --> 00:40:46,885 INSTITUTION TO SUBMIT A NEW -- 924 00:40:46,885 --> 00:40:48,620 COULD BE THE SAME BUT TO SUBMIT 925 00:40:48,620 --> 00:40:51,122 ANOTHER DATA ACCESS REQUEST AT 926 00:40:51,122 --> 00:40:53,858 THE NEW INSTITUTION WHERE THAT 927 00:40:53,858 --> 00:40:55,560 INSTITUTIONAL SIGNING OFFICIAL 928 00:40:55,560 --> 00:40:57,395 AND THEREFORE INSTITUTION IS 929 00:40:57,395 --> 00:41:00,899 AGREEING TO THE TERMS OF ACCESS 930 00:41:00,899 --> 00:41:01,766 AS WELL AS THE P.I. 931 00:41:01,766 --> 00:41:05,870 THIS IS ON THE INSTITUTION AND 932 00:41:05,870 --> 00:41:07,739 THE P.I. TO MAKE SURE THAT ONCE 933 00:41:07,739 --> 00:41:10,475 A P.I. 
LEAVES, THEY HAVE 934 00:41:10,475 --> 00:41:11,609 APPROPRIATELY CLOSED THE PROJECT 935 00:41:11,609 --> 00:41:13,645 AND IF THEY'RE NOT MOVING DATA 936 00:41:13,645 --> 00:41:15,280 TO THEIR NEW INSTITUTION, THEN 937 00:41:15,280 --> 00:41:17,415 DELETED THE DATA FROM THE OLD 938 00:41:17,415 --> 00:41:22,020 INSTITUTION AND THEN IT'S UP TO 939 00:41:22,020 --> 00:41:24,122 THE NEW INSTITUTION TO MAKE SURE 940 00:41:24,122 --> 00:41:26,291 THE P.I., IF THEY'RE STILL 941 00:41:26,291 --> 00:41:29,360 WORKING WITH THAT DATA HAVE 942 00:41:29,360 --> 00:41:31,596 SUBMITTED A NEW DAR TO COVER 943 00:41:31,596 --> 00:41:32,130 THAT RESEARCH AT THE NEW 944 00:41:32,130 --> 00:41:35,099 INSTITUTION. 945 00:41:35,099 --> 00:41:36,000 >> EXCELLENT. 946 00:41:36,000 --> 00:41:36,834 THANK YOU, DR. JACOBS. 947 00:41:36,834 --> 00:41:38,803 I HAVE ANOTHER QUESTION FOR YOU 948 00:41:38,803 --> 00:41:42,273 AND MAUREEN CAN CONTEXT AFTER 949 00:41:42,273 --> 00:41:43,207 YOUR RESPONSE. 950 00:41:43,207 --> 00:41:45,143 WILL NIH REQUIRE AN AUTHORIZED 951 00:41:45,143 --> 00:41:47,512 OFFICIAL TO SUBMIT THE 952 00:41:47,512 --> 00:41:50,481 ATTESTATION OR ARE RESEARCHERS 953 00:41:50,481 --> 00:41:51,749 GOING TO BE ABLE TO SUBMIT THE 954 00:41:51,749 --> 00:41:52,483 ATTESTATION DIRECTLY? 955 00:41:52,483 --> 00:42:01,592 >> YES, THIS IS A GOOD QUESTION. 956 00:42:01,592 --> 00:42:06,264 SO, WHAT WE DO EXPECT IS THAT 957 00:42:06,264 --> 00:42:08,399 THERE WILL BE A SELF-ASSESSMENT 958 00:42:08,399 --> 00:42:11,436 GUIDED BY THE P.I. 
AND THEIR 959 00:42:11,436 --> 00:42:12,503 INSTITUTION AND THROUGHOUT THE 960 00:42:12,503 --> 00:42:16,140 DAR PROCESS THAT IS TYPICAL 961 00:42:16,140 --> 00:42:19,243 RIGHT NOW SAY FOR DB GAP WE HAVE 962 00:42:19,243 --> 00:42:21,579 THE PRINCIPAL INVESTIGATOR 963 00:42:21,579 --> 00:42:24,983 SUBMITTING THE DAR SIGN OFF ON 964 00:42:24,983 --> 00:42:27,185 MEETING CERTAIN REQUIREMENTS AND 965 00:42:27,185 --> 00:42:29,454 EXPECTATIONS IN TERMS OF ACCESS 966 00:42:29,454 --> 00:42:31,456 AND THE INSTITUTIONAL SIGNING 967 00:42:31,456 --> 00:42:31,756 OFFICIAL. 968 00:42:31,756 --> 00:42:35,226 SO THE WAY WE HAVE IT RIGHT NOW, 969 00:42:35,226 --> 00:42:39,397 THERE WILL NOT BE A SEPARATE 970 00:42:39,397 --> 00:42:42,367 ATTESTATION LETTER OR ANYTHING 971 00:42:42,367 --> 00:42:42,633 SUBMITTED. 972 00:42:42,633 --> 00:42:44,702 THIS WILL BE A PART OF THE DAR 973 00:42:44,702 --> 00:42:46,804 PROCESS THAT IS TYPICAL RIGHT 974 00:42:46,804 --> 00:42:50,908 NOW TO ADHERE TO SECURITY BEST 975 00:42:50,908 --> 00:42:52,510 PRACTICES THE ATTESTATION WILL 976 00:42:52,510 --> 00:42:54,412 BE PART OF THE DAR PROCESS AND 977 00:42:54,412 --> 00:42:59,684 WILL NOT BE A SEPARATE LETTER 978 00:42:59,684 --> 00:43:02,020 ACCEPTED AND THAT THE P.I. WILL 979 00:43:02,020 --> 00:43:04,922 SIGN OFF ON THIS IT ATTESTATION. 980 00:43:04,922 --> 00:43:08,626 RIGHT NOW IN DB GAP IS A CHECK 981 00:43:08,626 --> 00:43:12,697 BOX IN A DIFFERENT SYSTEM AND 982 00:43:12,697 --> 00:43:14,465 SIMILARLY THE INSTITUTIONAL 983 00:43:14,465 --> 00:43:17,835 SIGNING OFFICIAL WOULD ATTEST AS 984 00:43:17,835 --> 00:43:21,339 PART OF THE DAR PROCESS AND DB 985 00:43:21,339 --> 00:43:21,973 GAP WE ANTICIPATE THIS WILL BE A 986 00:43:21,973 --> 00:43:23,775 CHECK BOX BUT AGAIN IN ANOTHER 987 00:43:23,775 --> 00:43:25,376 SYSTEM THIS COULD BE DIFFERENT. 988 00:43:25,376 --> 00:43:26,978 >> THAT'S GREAT. 
989 00:43:26,978 --> 00:43:30,648 I WANTED TO CLARIFY THE 990 00:43:30,648 --> 00:43:32,450 TERMINOLOGY USED, AUTHORIZING 991 00:43:32,450 --> 00:43:36,187 OFFICIAL IS A TERMINOLOGY USED 992 00:43:36,187 --> 00:43:37,488 FOR REGULATORY COMPLIANCE. 993 00:43:37,488 --> 00:43:38,756 THIS IS NOT A REGULATORY 994 00:43:38,756 --> 00:43:39,123 REQUIREMENT. 995 00:43:39,123 --> 00:43:41,159 THIS IS A SECURITY BENCHMARK 996 00:43:41,159 --> 00:43:42,760 THAT WE'RE APPLYING. 997 00:43:42,760 --> 00:43:46,030 SO I JUST WANT TO CLARIFY BUT 998 00:43:46,030 --> 00:43:50,268 AUTHORIZING OFFICIALS, THAT ROLE 999 00:43:50,268 --> 00:43:57,141 WHICH IS CLOSELY TIED TO FISMA 1000 00:43:57,141 --> 00:43:59,377 FOR INVESTIGATORS AT THE POINT 1001 00:43:59,377 --> 00:44:03,915 OF ACCESS MUST ATTEST ALIGNING 1002 00:44:03,915 --> 00:44:07,885 TO 171 SO FURTHER CLARIFYING THE 1003 00:44:07,885 --> 00:44:09,387 AUTHORIZATION OF AUTHORIZING 1004 00:44:09,387 --> 00:44:10,455 OFFICIAL IS NOT TO SUBMIT 1005 00:44:10,455 --> 00:44:11,656 DOCUMENTATION TO THE GOVERNMENT. 1006 00:44:11,656 --> 00:44:17,762 THIS IS NOT A FISMA REQUIREMENT 1007 00:44:17,762 --> 00:44:18,863 AND AUTHORIZATION TO OPERATE THE 1008 00:44:18,863 --> 00:44:25,103 COST SO -- GOVERNMENT SO JUST 1009 00:44:25,103 --> 00:44:26,671 WANT TO ADD CONTEXT THERE. 1010 00:44:26,671 --> 00:44:28,840 >> SPEAKING OF ATTESTATION WE 1011 00:44:28,840 --> 00:44:31,542 HAVE AN INQUIRY ABOUT THE FUTURE 1012 00:44:31,542 --> 00:44:32,743 ATTESTATION PROCESS. 1013 00:44:32,743 --> 00:44:38,349 THIS QUESTION STATES, FOR THE 1014 00:44:38,349 --> 00:44:39,183 LONG-TERM ATTESTATION AND VISION 1015 00:44:39,183 --> 00:44:41,152 IS THE INDIVIDUAL OR ENTERPRISE 1016 00:44:41,152 --> 00:44:45,323 THAT COMPLETES THE ATTESTATION. 
1017 00:44:45,323 --> 00:44:46,991 >> THE INDIVIDUAL IS ATTESTING 1018 00:44:46,991 --> 00:44:50,194 TO PROTECTING THE DATA TO A 1019 00:44:50,194 --> 00:44:53,331 SECURITY BENCHMARK WHICH IS THE 1020 00:44:53,331 --> 00:44:57,435 171 OR INTERNATIONAL. 1021 00:44:57,435 --> 00:45:01,706 >> SOUNDS GOOD. 1022 00:45:01,706 --> 00:45:03,341 WE HAVE LOTS OF QUESTIONS COMING 1023 00:45:03,341 --> 00:45:03,508 IN. 1024 00:45:03,508 --> 00:45:06,978 LET ME CAPTURE THEM AND ASK 1025 00:45:06,978 --> 00:45:11,616 ACCORDINGLY. 1026 00:45:11,616 --> 00:45:12,216 ALL RIGHT. 1027 00:45:12,216 --> 00:45:16,487 SO FOR THE CONTROL REPOSITORY 1028 00:45:16,487 --> 00:45:19,390 SCOPE, THERE'S A QUESTION IF THE 1029 00:45:19,390 --> 00:45:20,391 ATTESTATION PROCESS WOULD EXTEND 1030 00:45:20,391 --> 00:45:22,994 TO OTHER REPOSITORIES OR OTHER 1031 00:45:22,994 --> 00:45:33,204 DATA TYPES. 1032 00:45:35,540 --> 00:45:37,341 >> I'LL TAKE THAT ONE. 1033 00:45:37,341 --> 00:45:41,779 WHAT IS TYPICAL OF THE 1034 00:45:41,779 --> 00:45:48,019 ATTESTATION AT THE REPOSITORY 1035 00:45:48,019 --> 00:45:51,422 LEVEL. 1036 00:45:51,422 --> 00:45:53,658 IT'S NOT BY INDIVIDUAL DATA TYPE 1037 00:45:53,658 --> 00:45:56,394 SO IF THERE ARE MULTIPLE DATA 1038 00:45:56,394 --> 00:46:04,368 TYPES IN A REPOSITORY ALONG WITH 1039 00:46:04,368 --> 00:46:10,374 GENOMIC DATA OR PROTEOMICS AND 1040 00:46:10,374 --> 00:46:12,577 THE ATTESTATION AND THE 1041 00:46:12,577 --> 00:46:14,612 EXPECTATION TO SECURE THE DATA 1042 00:46:14,612 --> 00:46:18,316 WILL APPLY DESPITE IT NOT 1043 00:46:18,316 --> 00:46:20,051 NECESSARILY BEING GENOMIC DATA. 
1044 00:46:20,051 --> 00:46:22,987 SO IF A REPOSITORY HAS GENOMIC 1045 00:46:22,987 --> 00:46:24,989 AND ASSOCIATED DATA ALL THAT 1046 00:46:24,989 --> 00:46:27,558 DATA WILL BE EXPECTED TO BE 1047 00:46:27,558 --> 00:46:34,065 SECURED ACCORDING TO THE NIST 1048 00:46:34,065 --> 00:46:39,003 STANDARD AND SO THE ATTESTATION 1049 00:46:39,003 --> 00:46:43,274 WILL APPLY EVEN IF SAY GENOMIC 1050 00:46:43,274 --> 00:46:45,476 DATA IS NOT NECESSARILY ACCESSED 1051 00:46:45,476 --> 00:46:46,544 AT THE SAME TIME AS THE OTHER 1052 00:46:46,544 --> 00:46:49,013 ASSOCIATED DATA. 1053 00:46:49,013 --> 00:46:50,114 >> AWESOME. 1054 00:46:50,114 --> 00:46:51,716 THANK YOU, DR. JACOBS. 1055 00:46:51,716 --> 00:46:56,487 NOW, WE HAVE A QUESTION FOR MS. 1056 00:46:56,487 --> 00:47:00,491 FALVELLA AND THERE'S QUESTIONS 1057 00:47:00,491 --> 00:47:04,662 AND STATES WHAT ARE THE 1058 00:47:04,662 --> 00:47:07,031 EXPECTATIONS FOR APPROVAL UNDER 1059 00:47:07,031 --> 00:47:10,034 POA&M WILL THERE BE AN EXTENSIVE 1060 00:47:10,034 --> 00:47:11,736 REVIEW OR CREATING THE POA&M AND 1061 00:47:11,736 --> 00:47:14,038 THE DOCUMENT IS THAT ENOUGH? 1062 00:47:14,038 --> 00:47:15,373 THE SECOND PART. 1063 00:47:15,373 --> 00:47:16,741 WE'LL ADDRESS THE FIRST PART AND 1064 00:47:16,741 --> 00:47:21,212 THEN GO TO THE SECOND PART. 1065 00:47:21,212 --> 00:47:24,282 >> SOUNDS GOOD. 1066 00:47:24,282 --> 00:47:25,383 SO THE EXPECTATION IS THAT 1067 00:47:25,383 --> 00:47:26,717 RESEARCHERS ATTEST TO PROTECTING 1068 00:47:26,717 --> 00:47:29,487 THE DATA AND THEN PROTECT THE 1069 00:47:29,487 --> 00:47:29,754 DATA. 1070 00:47:29,754 --> 00:47:35,860 AFTER YOU ATTEST AFTER THAT 1071 00:47:35,860 --> 00:47:37,161 POINT YOU'RE HELD ACCOUNTABLE 1072 00:47:37,161 --> 00:47:38,963 FOR PROTECTING THE DATA IN 1073 00:47:38,963 --> 00:47:44,035 ACCORDANCE WITH NIST 800-171. 
1074 00:47:44,035 --> 00:47:45,870 YOUR ORGANIZATION WILL HAVE TO 1075 00:47:45,870 --> 00:47:47,672 SELF-ASSESS AGAINST THE SERIES 1076 00:47:47,672 --> 00:47:49,440 AND ANY PLANNED SYSTEM YOU 1077 00:47:49,440 --> 00:47:51,542 CREATE A POA&M FOR. 1078 00:47:51,542 --> 00:47:54,545 THOSE ARE ALL ORGANIZATIONALLY 1079 00:47:54,545 --> 00:47:56,113 MANAGED ARTIFACTS THAT WILL 1080 00:47:56,113 --> 00:47:57,648 THEN ALLOW MORE RESEARCHERS TO 1081 00:47:57,648 --> 00:48:02,286 ATTEST TO PROTECTING THE DATA. 1082 00:48:02,286 --> 00:48:04,422 SO THIS IS NOT A DELIVERABLE TO 1083 00:48:04,422 --> 00:48:05,656 THE GOVERNMENT. 1084 00:48:05,656 --> 00:48:08,426 POA&MS ARE NOT DELIVERABLE TO THE 1085 00:48:08,426 --> 00:48:10,261 GOVERNMENT THEY'RE AN 1086 00:48:10,261 --> 00:48:11,729 ORGANIZATIONALLY MANAGED 1087 00:48:11,729 --> 00:48:12,963 ARTIFACT. 1088 00:48:12,963 --> 00:48:17,368 YOU'LL MANAGE THOSE WITHIN YOUR 1089 00:48:17,368 --> 00:48:18,602 INSTITUTION AND SO YOUR 1090 00:48:18,602 --> 00:48:21,372 ORGANIZATION MAINLY YOUR I.T. 1091 00:48:21,372 --> 00:48:22,640 SUPPORT STAFF SHOULD HELP YOU 1092 00:48:22,640 --> 00:48:24,141 CREATE YOUR PLAN OF ACTION 1093 00:48:24,141 --> 00:48:26,243 MILESTONE AND SHOULD BE MANAGING 1094 00:48:26,243 --> 00:48:26,444 THAT. 1095 00:48:26,444 --> 00:48:30,348 THAT WILL GIVE YOU ASSURANCES. 1096 00:48:30,348 --> 00:48:34,118 IF THERE IS AN INSTANCE OR 1097 00:48:34,118 --> 00:48:39,423 CONCERN RELATIVE TO A DATA 1098 00:48:39,423 --> 00:48:41,025 MANAGEMENT OR FROM A PRIVACY 1099 00:48:41,025 --> 00:48:44,428 BREACH, THOSE ARE INSTANCES 1100 00:48:44,428 --> 00:48:47,898 WHERE THE GOVERNMENT MAY REQUEST 1101 00:48:47,898 --> 00:48:49,433 ADDITIONAL INFORMATION IN 1102 00:48:49,433 --> 00:48:51,969 ALIGNMENT WITH YOUR AGREEMENT 1103 00:48:51,969 --> 00:48:53,204 THROUGH YOUR DATA ACCESS REQUEST 1104 00:48:53,204 --> 00:48:56,173 THAT'S AN AGREEMENT WE HAVE WITH 1105 00:48:56,173 --> 00:48:56,340 YOU.
1106 00:48:56,340 --> 00:48:59,243 SO THOSE ARE INSTANCES WHERE WE 1107 00:48:59,243 --> 00:49:00,678 WOULD REQUIRE ADDITIONAL 1108 00:49:00,678 --> 00:49:01,812 INFORMATION AND MAY REQUIRE AS 1109 00:49:01,812 --> 00:49:04,215 PART OF THAT YOUR PLAN OF ACTION 1110 00:49:04,215 --> 00:49:06,183 AND MILESTONE BUT THAT'S NOT A 1111 00:49:06,183 --> 00:49:07,485 DELIVERABLE TO THE GOVERNMENT. 1112 00:49:07,485 --> 00:49:10,921 THIS IS WHERE IT'S DIFFERENT 1113 00:49:10,921 --> 00:49:14,024 THAN A FEDERAL FISMA REGULATION 1114 00:49:14,024 --> 00:49:14,859 RATHER THAN A SECURITY 1115 00:49:14,859 --> 00:49:15,126 BENCHMARK. 1116 00:49:15,126 --> 00:49:15,793 >> AWESOME. 1117 00:49:15,793 --> 00:49:16,861 THE SECOND PART OF THAT QUESTION 1118 00:49:16,861 --> 00:49:20,231 IS WHAT ARE THE EXPECTATIONS AND 1119 00:49:20,231 --> 00:49:21,699 TIME PERIOD FOR POA&MS? 1120 00:49:21,699 --> 00:49:25,803 ONE YEAR, MORE OR LESS? 1121 00:49:25,803 --> 00:49:29,840 YOU CAN AUG 1122 00:49:29,840 --> 00:49:30,374 >> GREAT QUESTION. 1123 00:49:30,374 --> 00:49:37,982 I WANT TO GO BACK TO THE 1124 00:49:37,982 --> 00:49:39,517 ORGANIZATIONS SHOULD AND IT'S AT 1125 00:49:39,517 --> 00:49:42,586 THEIR DISCRETION ALIGN TO BEST 1126 00:49:42,586 --> 00:49:45,890 EFFORTS, RIGHTS, RESOLVING IN A 1127 00:49:45,890 --> 00:49:47,091 TIMELY MANNER WITHOUT 1128 00:49:47,091 --> 00:49:48,058 UNREASONABLE DELAY AND BASED ON 1129 00:49:48,058 --> 00:49:50,628 A RISK OF A SECURITY CONTROL OR 1130 00:49:50,628 --> 00:49:54,231 SYSTEM WEAKNESS NOT IN PLACE OR 1131 00:49:54,231 --> 00:49:56,333 WEAKNESS DISCOVERED SHOULD 1132 00:49:56,333 --> 00:49:59,203 DETERMINE WHAT THE FEASIBLE TIME 1133 00:49:59,203 --> 00:50:02,606 IS, REALISTIC TIME TO RESOLVE A 1134 00:50:02,606 --> 00:50:03,874 POA&M ITEM. 1135 00:50:03,874 --> 00:50:05,409 THE GOVERNMENT IS NOT 1136 00:50:05,409 --> 00:50:05,943 ARTICULATING WHAT THE 1137 00:50:05,943 --> 00:50:09,847 REQUIREMENT SHOULD BE.
1138 00:50:09,847 --> 00:50:13,451 THAT IS AN ORGANIZATION 1139 00:50:13,451 --> 00:50:19,323 DETERMINED ELEMENT, IF YOU WILL. 1140 00:50:19,323 --> 00:50:21,225 AGAIN, OUR EXPECTATIONS ARE YOU 1141 00:50:21,225 --> 00:50:23,828 ARE PROTECTING THE DATA ALIGNED 1142 00:50:23,828 --> 00:50:28,365 TO THE 800-171 THAT ALSO HAS A 1143 00:50:28,365 --> 00:50:31,001 CONTROL AND PLAN OF ACTION AND 1144 00:50:31,001 --> 00:50:36,407 MILESTONES AND TIME. 1145 00:50:36,407 --> 00:50:37,041 >> EXCELLENT. 1146 00:50:37,041 --> 00:50:40,544 DR. JACOBS, I HAVE ANOTHER ONE 1147 00:50:40,544 --> 00:50:41,512 FOR YOU. 1148 00:50:41,512 --> 00:50:43,214 DID NIH DO ANY REVIEW OF THE 1149 00:50:43,214 --> 00:50:46,150 FINANCIAL IMPACT OF THESE NEW 1150 00:50:46,150 --> 00:50:46,417 STANDARDS? 1151 00:50:46,417 --> 00:50:50,488 MANY BIOMEDICAL INSTITUTIONS 1152 00:50:50,488 --> 00:50:52,923 DON'T HAVE EXISTING ENVIRONMENT 1153 00:50:52,923 --> 00:50:56,060 OR ONLY HAVE COMPLIANCE BASED ON 1154 00:50:56,060 --> 00:50:56,594 THEIR AIR GAPS. 1155 00:50:56,594 --> 00:51:00,798 OVER TO YOU. 1156 00:51:00,798 --> 00:51:03,901 >> THANK YOU. 1157 00:51:03,901 --> 00:51:05,302 SO, NIH HAS CONSIDERED THE 1158 00:51:05,302 --> 00:51:12,910 IMPACT OF THESE CONTROLS ON 1159 00:51:12,910 --> 00:51:13,777 INSTITUTION AND WHEN CONSIDERING 1160 00:51:13,777 --> 00:51:17,915 THE IMPACT IT'S ALSO IN 1161 00:51:17,915 --> 00:51:23,287 CONSIDERATION OF THE LANDSCAPE 1162 00:51:23,287 --> 00:51:27,091 IN WHICH REGULATIONS AND LAWS 1163 00:51:27,091 --> 00:51:32,730 ARE DEFINING THE DATA SECURITY 1164 00:51:32,730 --> 00:51:33,063 EXPECTATIONS. 1165 00:51:33,063 --> 00:51:37,268 IN WEIGHING BOTH OF THOSE NIH 1166 00:51:37,268 --> 00:51:42,540 WENT WITH THE SECURITY STANDARD 1167 00:51:42,540 --> 00:51:48,479 WE HAVE IDENTIFIED THAT DOES 1168 00:51:48,479 --> 00:51:51,582 REQUIRE A SELF-ASSESSMENT AND 1169 00:51:51,582 --> 00:51:55,586 PLAN OF ACTION AND MILESTONES AS 1170 00:51:55,586 --> 00:51:57,388 MS.
FALVELLA OUTLINED SO IF 1171 00:51:57,388 --> 00:52:00,524 INSTITUTIONS ARE NOT ABLE TO 1172 00:52:00,524 --> 00:52:04,094 FULLY IMPLEMENT THE CONTROLS BUT 1173 00:52:04,094 --> 00:52:05,296 CAN ONLY PARTIALLY IMPLEMENT 1174 00:52:05,296 --> 00:52:09,066 THERE'S A PATHWAY TO WORK 1175 00:52:09,066 --> 00:52:14,305 TOWARDS IN SECURING ALL THE NIST 1176 00:52:14,305 --> 00:52:14,572 CONTROLS. 1177 00:52:14,572 --> 00:52:15,873 >> THANK YOU, DR. JACOBS. 1178 00:52:15,873 --> 00:52:16,774 ONE MORE. 1179 00:52:16,774 --> 00:52:21,178 IF A RESEARCHER SUBMITS AN 1180 00:52:21,178 --> 00:52:26,784 APPLICATION ATTESTING THEIR 1181 00:52:26,784 --> 00:52:28,152 SYSTEM IS COMPLIANT AND DIDN'T 1182 00:52:28,152 --> 00:52:30,387 REALIZE WHAT THEY WERE ATTESTING 1183 00:52:30,387 --> 00:52:34,091 TO AND DIDN'T CONFIRM WITH THEIR 1184 00:52:34,091 --> 00:52:35,192 ORGANIZATION, COULD THEY OR 1185 00:52:35,192 --> 00:52:36,827 THEIR INSTITUTION BE SUBJECT TO 1186 00:52:36,827 --> 00:52:38,762 FALSE CLAIMS ACT OR ENFORCEMENT 1187 00:52:38,762 --> 00:52:40,764 OR SOME CONSEQUENCES? 
1188 00:52:40,764 --> 00:52:50,074 >> THERE WOULD BE CONSEQUENCES 1189 00:52:50,074 --> 00:52:55,446 THAT NIH WOULD FOLLOW-UP AS A 1190 00:52:55,446 --> 00:52:57,281 CYBER SECURITY OR DATA 1191 00:52:57,281 --> 00:52:58,882 MANAGEMENT INCIDENT AND NIH 1192 00:52:58,882 --> 00:53:05,823 WOULD WORK WITH INSTITUTION TO 1193 00:53:05,823 --> 00:53:08,959 REMEDIATE ANY PLAN TO BE ABLE TO 1194 00:53:08,959 --> 00:53:09,827 MEET CERTAIN SECURITY 1195 00:53:09,827 --> 00:53:12,563 EXPECTATIONS BUT WHAT WE DON'T 1196 00:53:12,563 --> 00:53:16,734 WANT SO EXACTLY WHAT THIS 1197 00:53:16,734 --> 00:53:19,003 EXAMPLE OUTLINED THAT AN 1198 00:53:19,003 --> 00:53:20,437 INVESTIGATOR IS ATTESTING TO 1199 00:53:20,437 --> 00:53:24,174 SOMETHING THEY DON'T UNDERSTAND 1200 00:53:24,174 --> 00:53:27,911 THAT IS A MISLEADING STATEMENT I 1201 00:53:27,911 --> 00:53:33,584 DON'T THINK NIH WOULD USE ITS 1202 00:53:33,584 --> 00:53:35,085 EXISTING PROCESSES FOR DEALING 1203 00:53:35,085 --> 00:53:38,555 WITH STATEMENT ARE NOT ACCURATE 1204 00:53:38,555 --> 00:53:40,357 EITHER PURPOSEFULLY OR 1205 00:53:40,357 --> 00:53:42,459 UNKNOWINGLY TO REMEDIATE THE 1206 00:53:42,459 --> 00:53:45,029 ACTION AND MAY TAKE FURTHER 1207 00:53:45,029 --> 00:53:47,498 COMPLIANCE ISSUES BASED ON THE 1208 00:53:47,498 --> 00:53:50,300 RESPONSE FROM THE INSTITUTION 1209 00:53:50,300 --> 00:53:52,369 AND PRINCIPAL INVESTIGATOR BUT 1210 00:53:52,369 --> 00:53:57,074 WHAT WE WANT TO EMPHASIZE HERE 1211 00:53:57,074 --> 00:54:05,315 IS INVESTIGATORS WORK WITH YOUR 1212 00:54:05,315 --> 00:54:06,517 SECURITY EXPERTS AT YOUR 1213 00:54:06,517 --> 00:54:07,418 INSTITUTION TO KNOWINGLY MEET 1214 00:54:07,418 --> 00:54:10,320 THE EXPECTATIONS OUTLINED FOR 1215 00:54:10,320 --> 00:54:12,856 REQUESTING DATA FROM NIH. 1216 00:54:12,856 --> 00:54:14,591 >> THANK YOU, DR. JACOBS. 1217 00:54:14,591 --> 00:54:18,328 MY NEXT QUESTION IS FOR YOU TOO, 1218 00:54:18,328 --> 00:54:21,832 DR. JACOBS AND MS. FALVELLA. 
1219 00:54:21,832 --> 00:54:24,334 WHY WAS THIS CHOSEN AS STANDARD? 1220 00:54:24,334 --> 00:54:26,236 IT ONLY DEALS WITH 1221 00:54:26,236 --> 00:54:27,137 CONFIDENTIALITY WHICH IS NOT THE 1222 00:54:27,137 --> 00:54:28,706 SAME AS PRIVACY? 1223 00:54:28,706 --> 00:54:31,675 >> I CAN TAKE THAT ONE. 1224 00:54:31,675 --> 00:54:36,346 THE NIST 800-171 IS DERIVED FROM 1225 00:54:36,346 --> 00:54:39,383 THE 800-53 SERIES AND YOU'RE 1226 00:54:39,383 --> 00:54:42,286 RIGHT IT DEALS WITH 1227 00:54:42,286 --> 00:54:43,987 CONFIDENTIALITY AND INTEGRITY 1228 00:54:43,987 --> 00:54:46,190 BUT REMOVES THE SECURITY 1229 00:54:46,190 --> 00:54:49,460 CONTROLS THAT ARE AROUND 1230 00:54:49,460 --> 00:54:52,496 AVAILABILITY AND SO IT IS WIDELY 1231 00:54:52,496 --> 00:54:54,998 USED NOT ONLY ACROSS THE 1232 00:54:54,998 --> 00:54:58,736 DEPARTMENTS OF THE GOVERNMENT 1233 00:54:58,736 --> 00:55:02,473 BUT ALSO ACROSS OUR OPDIVS TO 1234 00:55:02,473 --> 00:55:04,675 PROTECT THE CONFIDENTIALITY AND 1235 00:55:04,675 --> 00:55:06,710 INTEGRITY OF THE INFORMATION FOR 1236 00:55:06,710 --> 00:55:08,445 OUR NON-FEDERAL SYSTEMS. 1237 00:55:08,445 --> 00:55:10,948 SO THAT WAS ONE CONSIDERATION. 1238 00:55:10,948 --> 00:55:12,316 THE OTHER CONSIDERATIONS THAT 1239 00:55:12,316 --> 00:55:15,486 ARE IN PLAY IS IT EASILY 1240 00:55:15,486 --> 00:55:17,588 CROSSWALKS TO HIPAA AS WELL AS 1241 00:55:17,588 --> 00:55:21,892 THE 800-53.
1242 00:55:21,892 --> 00:55:27,631 WHEN WE LOOKED AND NEEDED TO 1243 00:55:27,631 --> 00:55:29,566 EASILY TRANSLATE AND CROSSWALK 1244 00:55:29,566 --> 00:55:30,734 TO THE OTHER WIDELY USED 1245 00:55:30,734 --> 00:55:31,969 STANDARDS AND FROM A RESEARCH 1246 00:55:31,969 --> 00:55:34,304 AND DEVELOPMENT STANDPOINT WE 1247 00:55:34,304 --> 00:55:36,473 WANTED A STANDARD A CROSSWALK 1248 00:55:36,473 --> 00:55:39,009 WOULD EASILY TRANSLATE INTO THE 1249 00:55:39,009 --> 00:55:40,644 OTHER DEPARTMENTS THAT HAVE 1250 00:55:40,644 --> 00:55:42,246 LARGE RESEARCH AND DEVELOPMENT 1251 00:55:42,246 --> 00:55:44,414 AND THE 171 IS THE ONE WIDELY 1252 00:55:44,414 --> 00:55:46,950 USED FOR THOSE PURPOSES ACROSS 1253 00:55:46,950 --> 00:55:48,485 THE GOVERNMENT. 1254 00:55:48,485 --> 00:55:51,288 AND SO, THE POLICY ALREADY 1255 00:55:51,288 --> 00:55:54,291 PROVIDES CONTROL INTENDED TO 1256 00:55:54,291 --> 00:55:55,726 ADDRESS PRIVACY AND PARTICIPANT 1257 00:55:55,726 --> 00:55:58,128 AUTONOMY AND THAT WILL CONTINUE 1258 00:55:58,128 --> 00:56:00,998 TO BE THE CASE AND THE STANDARD 1259 00:56:00,998 --> 00:56:03,667 IS ALSO USED BY OTHER PARTS OF 1260 00:56:03,667 --> 00:56:06,904 THE FEDERAL GOVERNMENT FOR 1261 00:56:06,904 --> 00:56:08,372 RESEARCH WITH NON-FEDERAL 1262 00:56:08,372 --> 00:56:08,705 INSTITUTIONS. 1263 00:56:08,705 --> 00:56:09,940 I'M NOT SURE IF THERE'S ANYTHING 1264 00:56:09,940 --> 00:56:11,742 ELSE YOU WANTED TO ADD TO THAT? 
1265 00:56:11,742 --> 00:56:21,585 >> I WOULD JUST ADD THAT TO 1266 00:56:21,585 --> 00:56:24,721 CLARIFY THAT NIH HAS REQUIRED 1267 00:56:24,721 --> 00:56:26,089 SECURITY STANDARD TO SECURE DATA 1268 00:56:26,089 --> 00:56:30,127 PREVIOUS TO THIS SO THIS IS IN 1269 00:56:30,127 --> 00:56:32,162 LINE WITH THAT AND AS FAR AS 1270 00:56:32,162 --> 00:56:35,265 ADDRESSING PRIVACY AND 1271 00:56:35,265 --> 00:56:39,369 PARTICIPANT AUTONOMY THE GDS 1272 00:56:39,369 --> 00:56:40,337 POLICY HAS MANY DIFFERENT WAYS 1273 00:56:40,337 --> 00:56:45,709 TO DO THAT AND SECURITY IS ONE 1274 00:56:45,709 --> 00:56:49,980 OF THOSE AND THERE'S OTHER 1275 00:56:49,980 --> 00:56:55,485 CONTROLS OF PRIVACY AND 1276 00:56:55,485 --> 00:56:56,887 PARTICIPANT AUTONOMY 1277 00:56:56,887 --> 00:56:58,222 >> THANK YOU. 1278 00:56:58,222 --> 00:56:59,590 THIS WILL BE OUR LAST QUESTION 1279 00:56:59,590 --> 00:57:05,896 AND A CLARIFYING QUESTION, WE 1280 00:57:05,896 --> 00:57:07,898 DON'T HAVE FULL COMPLIANCE BUT 1281 00:57:07,898 --> 00:57:09,666 HAVE A POA&M IT'S SUFFICIENT OF 1282 00:57:09,666 --> 00:57:11,435 JANUARY 25 IS THAT SO? 1283 00:57:11,435 --> 00:57:12,636 >> THAT IS CORRECT. 1284 00:57:12,636 --> 00:57:15,806 SO WHAT WE EXPECT OF OUR 1285 00:57:15,806 --> 00:57:18,375 RESEARCH INSTITUTIONS TO DO 1286 00:57:18,375 --> 00:57:21,812 PRIOR TO JANUARY 25 IS TO 1287 00:57:21,812 --> 00:57:22,613 CONDUCT SELF-ASSESSMENT AND 1288 00:57:22,613 --> 00:57:24,948 IMPLEMENT THE BEST OF YOUR 1289 00:57:24,948 --> 00:57:25,916 ABILITIES AND THEN TO IMPLEMENT 1290 00:57:25,916 --> 00:57:29,019 A PLAN OF ACTION MILESTONE AS 1291 00:57:29,019 --> 00:57:30,988 YOUR ROAD MAP OF HOW YOU'LL 1292 00:57:30,988 --> 00:57:32,823 REACH FULL COMPLIANCE.
1293 00:57:32,823 --> 00:57:34,625 THAT WILL INCLUDE ANY SYSTEM OR 1294 00:57:34,625 --> 00:57:37,327 BUSINESS YOU IDENTIFIED AS WELL 1295 00:57:37,327 --> 00:57:39,863 AS ANY PARTIALLY IMPLEMENTED OR 1296 00:57:39,863 --> 00:57:42,966 NOT FULLY PLANNED CONTROLS AND 1297 00:57:42,966 --> 00:57:43,700 CONSIDERED TO BE IMPLEMENTED. 1298 00:57:43,700 --> 00:57:45,769 ONCE YOU DO THAT YOU SHOULD 1299 00:57:45,769 --> 00:57:47,304 COMMUNICATE THAT OUT TO YOUR 1300 00:57:47,304 --> 00:57:48,405 STAFF AND RESEARCHERS AND 1301 00:57:48,405 --> 00:57:49,406 INVESTIGATORS AND THAT WILL 1302 00:57:49,406 --> 00:57:58,448 ALLOW THEM TO ATTEST TO 800-171. 1303 00:57:58,448 --> 00:58:00,717 >> THANK YOU. 1304 00:58:00,717 --> 00:58:03,153 THIS CONCLUDES OUR Q&A SESSION. 1305 00:58:03,153 --> 00:58:04,454 WE'LL HAVE QUESTIONS WE'LL FUSE 1306 00:58:04,454 --> 00:58:06,156 INTO OUR DAY TWO ON FRIDAY. 1307 00:58:06,156 --> 00:58:08,358 I'LL TURN IT OVER TO DR. CHEN TO 1308 00:58:08,358 --> 00:58:09,593 CLOSE US OUT. 1309 00:58:09,593 --> 00:58:12,029 THANK YOU, ALL. 1310 00:58:12,029 --> 00:58:13,563 >> THANK YOU, MICHAEL. 1311 00:58:13,563 --> 00:58:19,369 THANK YOU, DR. JACOBS AND MS. 1312 00:58:19,369 --> 00:58:24,474 FALVELLA AND OUR INTERPRETER AND 1313 00:58:24,474 --> 00:58:25,909 CLOSED CAPTIONER. 1314 00:58:25,909 --> 00:58:28,178 THIS CONCLUDES TODAY'S OVERVIEW 1315 00:58:28,178 --> 00:58:29,079 FOR THE NIH SECURITY BEST 1316 00:58:29,079 --> 00:58:32,649 PRACTICES FOR USERS OF 1317 00:58:32,649 --> 00:58:33,717 CONTROLLED ACCESS DATA. 1318 00:58:33,717 --> 00:58:35,218 THANK YOU FOR YOUR TIME AND IF 1319 00:58:35,218 --> 00:58:37,487 THERE'S MORE QUESTIONS SEND THEM 1320 00:58:37,487 --> 00:58:47,064 TO THE GDS@MAIL@NIH.gov AND 1321 00:58:47,064 --> 00:58:49,333 WE'LL HAVE SUMMARIES AND DAY TWO 1322 00:58:49,333 --> 00:58:51,902 AND QUESTIONS ANSWERS DURING 1323 00:58:51,902 --> 00:58:53,804 THAT TIME TOO. 
1324 00:58:53,804 --> 00:58:54,938 THANK YOU AGAIN AND HAVE A 1325 00:58:54,938 --> 00:58:58,175 WONDERFUL REST OF YOUR DAY AND 1326 00:58:58,175 --> 00:58:58,842 THIS CONCLUDES THE WEBINAR. 1327 00:58:58,842 --> 00:58:58,909