1 00:00:06,141 --> 00:00:07,008 >> HELLO, WELCOME TO TODAY'S 2 00:00:07,008 --> 00:00:09,177 OVERVIEW OF THE NIH SECURITY 3 00:00:09,177 --> 00:00:11,046 BEST PRACTICES FOR USERS OF 4 00:00:11,046 --> 00:00:12,781 CONTROLLED ACCESS DATA. 5 00:00:12,781 --> 00:00:16,584 I'M DR. CHEN OF THE NATIONAL 6 00:00:16,584 --> 00:00:17,952 INSTITUTES OF HEALTH OFFICE OF 7 00:00:17,952 --> 00:00:19,354 DATA SCIENCE STRATEGY. 8 00:00:19,354 --> 00:00:21,256 TODAY WE'LL ADDRESS DATA 9 00:00:21,256 --> 00:00:25,160 MANAGEMENT AND SECURITY UPDATES 10 00:00:25,160 --> 00:00:29,331 DESCRIBED IN THE GUIDE NOTICE 11 00:00:29,331 --> 00:00:31,199 IMPLEMENTATION UNDER THE GENOMIC 12 00:00:31,199 --> 00:00:32,067 SHARING POLICY. 13 00:00:32,067 --> 00:00:33,968 THE LINK WILL BE INSERTED INTO 14 00:00:33,968 --> 00:00:35,804 THE CHAT FOR ZOOM. 15 00:00:35,804 --> 00:00:42,610 THIS IS -- IF JOINING BY 16 00:00:42,610 --> 00:00:44,813 VIDEOCAST YOU CAN SEARCH FOR 17 00:00:44,813 --> 00:00:46,681 IMPLEMENTATION UPDATE FOR DATA 18 00:00:46,681 --> 00:00:49,084 MANAGEMENT AND ACCESS PRACTICES 19 00:00:49,084 --> 00:00:57,625 UNDER THE GENOMIC DATA SHARING 20 00:00:57,625 --> 00:01:00,261 POLICY, OR NOT-0D-24-157 IN YOUR 21 00:01:00,261 --> 00:01:00,895 PREFERRED SEARCH ENGINE. 22 00:01:00,895 --> 00:01:04,933 I HAVE A FEW HOUSEKEEPING ITEMS. 23 00:01:04,933 --> 00:01:07,369 WE HAVE CLOSED CAPTIONING AND AN 24 00:01:07,369 --> 00:01:09,537 AMERICAN SIGN LANGUAGE 25 00:01:09,537 --> 00:01:10,972 INTERPRETER FOR TODAY'S 26 00:01:10,972 --> 00:01:11,406 PRESENTATION. 27 00:01:11,406 --> 00:01:14,042 RESPONSE TO TODAY'S PRESENTATION 28 00:01:14,042 --> 00:01:16,878 HAS BEEN OVERWHELMING AND WE 29 00:01:16,878 --> 00:01:19,080 HAVE PARTICIPANTS BY ZOOM AND 30 00:01:19,080 --> 00:01:20,615 BROADCAST VIA NIH VIDEOCAST. 31 00:01:20,615 --> 00:01:25,720 WE HAVE INSERTED THE VIDEOCAST 32 00:01:25,720 --> 00:01:26,187 LINK. 
33 00:01:26,187 --> 00:01:27,956 THIS PRESENTATION IS ALSO BEING 34 00:01:27,956 --> 00:01:29,124 RECORDED FOR FUTURE VIEWING. 35 00:01:29,124 --> 00:01:30,892 THE RECORDING WILL BE AVAILABLE 36 00:01:30,892 --> 00:01:32,460 ON THE NIH SHARING WEBSITE. 37 00:01:32,460 --> 00:01:34,195 IF YOU JOINED BY ZOOM YOU'LL SEE 38 00:01:34,195 --> 00:01:36,164 THE LINK IN THE CHAT. 39 00:01:36,164 --> 00:01:41,069 BY VIDEOCAST YOU CAN GO TO THE 40 00:01:41,069 --> 00:01:42,804 ADDRESS SHARING.NIH.GOV. 41 00:01:42,804 --> 00:01:44,706 AND CLICK ON RESOURCES FOR 42 00:01:44,706 --> 00:01:46,808 GENOMIC DATA SHARING POLICY. 43 00:01:46,808 --> 00:01:48,877 UNDER THE RESOURCES PAGE, CLICK 44 00:01:48,877 --> 00:01:50,311 ON THE WEBINAR ICON. 45 00:01:50,311 --> 00:01:52,280 THE SLIDES FOR THE PRESENTATION 46 00:01:52,280 --> 00:01:55,784 ARE ALSO AVAILABLE ON THAT WEB 47 00:01:55,784 --> 00:01:56,317 PAGE. 48 00:01:56,317 --> 00:01:58,319 THERE WERE QUESTIONS SUBMITTED 49 00:01:58,319 --> 00:02:00,588 PRIOR TO DECEMBER 17, 2024, TO 50 00:02:00,588 --> 00:02:01,589 ADDRESS DURING THE DEDICATED 51 00:02:01,589 --> 00:02:02,357 HOUR. 52 00:02:02,357 --> 00:02:03,458 IF YOU HAVE ADDITIONAL QUESTIONS 53 00:02:03,458 --> 00:02:05,960 THAT WE MAY GET TO, AND HAVE 54 00:02:05,960 --> 00:02:07,162 JOINED BY ZOOM, ENTER YOUR 55 00:02:07,162 --> 00:02:09,230 QUESTIONS IN THE Q&A FOR 56 00:02:09,230 --> 00:02:10,031 PRESENTERS TO ADDRESS. 57 00:02:10,031 --> 00:02:12,200 IF YOU JOINED BY VIDEOCAST AND 58 00:02:12,200 --> 00:02:22,544 HAVE ADDITIONAL QUESTIONS SEND 59 00:02:22,544 --> 00:02:25,880 YOUR QUESTIONS GDS.MAIL.NIH.GOV. 60 00:02:25,880 --> 00:02:29,017 THOSE PARTICIPATING IN ZOOM HAVE 61 00:02:29,017 --> 00:02:29,717 ABILITY TO UPVOTE QUESTIONS 62 00:02:29,717 --> 00:02:31,286 ENTERED IN Q&A. 
63 00:02:31,286 --> 00:02:34,556 WE'LL BE ADDRESS RELEVANT 64 00:02:34,556 --> 00:02:37,425 QUESTIONS SUBMITTED PRIOR TO 65 00:02:37,425 --> 00:02:39,828 DECEMBER 27, 2024, AS MANY 66 00:02:39,828 --> 00:02:41,796 DURING THE DEDICATED HOUR FROM 67 00:02:41,796 --> 00:02:43,031 THOSE WHO JOINED. 68 00:02:43,031 --> 00:02:44,532 IF THE QUESTIONS ARE NOT 69 00:02:44,532 --> 00:02:47,402 ANSWERED LIVE, THEY WILL BE 70 00:02:47,402 --> 00:02:48,837 GROUPED AND GENERAL RESPONSES 71 00:02:48,837 --> 00:02:51,773 WILL BE POSTED AT A LATER DATE. 72 00:02:51,773 --> 00:02:53,842 NOW I'M EXCITED TO INTRODUCE 73 00:02:53,842 --> 00:02:57,479 TODAY'S SPEAKER DR. CHERYL 74 00:02:57,479 --> 00:03:00,315 JACOBS, AND MS. MAUREEN 75 00:03:00,315 --> 00:03:01,950 FALVELLA. 76 00:03:01,950 --> 00:03:03,518 NEXT SLIDE PLEASE. 77 00:03:03,518 --> 00:03:07,121 DR. JACOBS IS ASSISTANT DIRECTOR 78 00:03:07,121 --> 00:03:08,556 FOR GENOMICS FROM NIH, OFFICE OF 79 00:03:08,556 --> 00:03:09,757 SCIENCE POLICY. 80 00:03:09,757 --> 00:03:11,426 DR. JACOBS HAS OVER 10 YEARS OF 81 00:03:11,426 --> 00:03:13,461 EXPERIENCE WORKING ON AND 82 00:03:13,461 --> 00:03:14,462 LEADING EVIDENCE-BASED POLICIES 83 00:03:14,462 --> 00:03:17,732 TO SUPPORT THE BROAD AND 84 00:03:17,732 --> 00:03:20,368 RESPONSIBLE SHARING OF DATA AND 85 00:03:20,368 --> 00:03:21,569 ASSOCIATED DATA. 86 00:03:21,569 --> 00:03:24,639 SHE BRINGS KNOWLEDGE OF RESEARCH 87 00:03:24,639 --> 00:03:25,740 PARTICIPANT PROTECTIONS AND 88 00:03:25,740 --> 00:03:27,709 FACILITATING ACCESS TO GENOMIC 89 00:03:27,709 --> 00:03:34,415 AND SCIENTIFIC DATA. 90 00:03:34,415 --> 00:03:36,584 MS. 
FALVELLA IS CHIEF SECURITY 91 00:03:36,584 --> 00:03:38,653 OFFICE, 15 YEARS OF EXPERIENCE 92 00:03:38,653 --> 00:03:40,955 DIRECTING OPERATIONS AND 93 00:03:40,955 --> 00:03:41,689 OVERSEEING CYBERSECURITY 94 00:03:41,689 --> 00:03:43,124 PROGRAMS TO PROTECT INFORMATION 95 00:03:43,124 --> 00:03:44,559 ASSETS AT THE NATIONAL 96 00:03:44,559 --> 00:03:46,995 INSTITUTES OF HEALTH. 97 00:03:46,995 --> 00:03:48,730 INCLUDING SECURING NIH RESEARCH 98 00:03:48,730 --> 00:03:50,932 IN COVID TO ENHANCE RECOVERY 99 00:03:50,932 --> 00:03:56,004 KNOWN AS ReCOVer COVID 100 00:03:56,004 --> 00:03:57,839 INITIATIVE, THE NHLBI BIODATA 101 00:03:57,839 --> 00:03:59,707 CATALYST PROGRAM. 102 00:03:59,707 --> 00:04:01,576 SHE BRINGS EXTENSIVE EXPERIENCE 103 00:04:01,576 --> 00:04:05,480 AND ADVANCED TECHNICAL EXPERTISE 104 00:04:05,480 --> 00:04:12,220 AND STRONG UNDERSTANDING OF THE 105 00:04:12,220 --> 00:04:15,089 SCIENTIFIC MISSION. 106 00:04:15,089 --> 00:04:16,724 TODAY THEY WILL DISCUSS UPDATED 107 00:04:16,724 --> 00:04:19,327 TO TAKE EFFECT ON JANUARY 25, 108 00:04:19,327 --> 00:04:19,928 2025. 109 00:04:19,928 --> 00:04:21,462 AGAIN, TODAY'S PRESENTATION HAS 110 00:04:21,462 --> 00:04:23,097 PARTICIPANTS JOINING BY ZOOM, 111 00:04:23,097 --> 00:04:25,166 ALSO BROADCAST ON NIH VIDEOCAST, 112 00:04:25,166 --> 00:04:28,002 BEING RECORDED FOR FUTURE 113 00:04:28,002 --> 00:04:28,903 VIEWING. 114 00:04:28,903 --> 00:04:29,771 NEXT SLIDE PLEASE. 
115 00:04:29,771 --> 00:04:31,839 THE PRESENTATION WILL BE DIVIDED 116 00:04:31,839 --> 00:04:33,374 INTO THREE SECTIONS, WITH 117 00:04:33,374 --> 00:04:35,677 GENERAL OVERVIEW OF THE NIH 118 00:04:35,677 --> 00:04:37,078 GUIDE NOTICE FOCUSING ON NIH 119 00:04:37,078 --> 00:04:39,414 SECURITY BEST PRACTICES FOR 120 00:04:39,414 --> 00:04:41,149 USERS OF CONTROLLED ACCESS DATA, 121 00:04:41,149 --> 00:04:43,351 FOLLOWED BY IN DEPTH OVERVIEW OF 122 00:04:43,351 --> 00:04:45,186 THE SECURITY CONTROLS THAT 123 00:04:45,186 --> 00:04:46,854 INSTITUTIONS AND APPROVED USERS 124 00:04:46,854 --> 00:04:49,691 ARE EXPECTED TO ADHERE TO 125 00:04:49,691 --> 00:04:51,659 BEGINNING ON JANUARY 25, 2025. 126 00:04:51,659 --> 00:04:54,062 FOLLOWED BY TIME FOR QUESTIONS 127 00:04:54,062 --> 00:04:54,495 AND ANSWERS. 128 00:04:54,495 --> 00:04:56,130 AGAIN, IF YOU HAVE JOINED BY 129 00:04:56,130 --> 00:04:57,432 ZOOM ENTER YOUR QUESTIONS IN THE 130 00:04:57,432 --> 00:04:57,966 Q&A. 131 00:04:57,966 --> 00:05:03,037 IF YOU JOINED BY VIDEOCAST SEND 132 00:05:03,037 --> 00:05:08,610 YOUR QUESTIONS TO 133 00:05:08,610 --> 00:05:10,044 GDS@MAIL.NIH.GOV. 134 00:05:10,044 --> 00:05:11,913 WE'LL TRY TO ANSWER AS MANY 135 00:05:11,913 --> 00:05:13,348 RELEVANT QUESTIONS AS POSSIBLE. 136 00:05:13,348 --> 00:05:16,517 I WILL HAND THE PRESENTATION 137 00:05:16,517 --> 00:05:16,951 OVER. 138 00:05:16,951 --> 00:05:21,589 DR. JACOBS, OVER TO YOU. 139 00:05:21,589 --> 00:05:21,923 >> TERRIFIC. 140 00:05:21,923 --> 00:05:24,325 THANK YOU, DR. CHEN. 141 00:05:24,325 --> 00:05:25,960 AND GOOD MORNING, EVERYONE. 142 00:05:25,960 --> 00:05:28,162 I'M DR. JACOBS, AND I'M EXCITED 143 00:05:28,162 --> 00:05:31,132 TO TALK TO YOU TODAY ABOUT THE 144 00:05:31,132 --> 00:05:34,402 UPDATES THAT NIH HAS ISSUED FOR 145 00:05:34,402 --> 00:05:37,905 DATA MANAGEMENT AND SHARING 146 00:05:37,905 --> 00:05:38,239 PRACTICES. 
147 00:05:38,239 --> 00:05:41,643 SO ON THIS SLIDE I'M PROVIDING A 148 00:05:41,643 --> 00:05:44,278 BRIEF DESCRIPTION OF NIH GENOMIC 149 00:05:44,278 --> 00:05:47,015 DATA SHARING FOR GDS POLICY, 150 00:05:47,015 --> 00:05:49,217 DESCRIBE EXPECTATIONS OF THE 151 00:05:49,217 --> 00:05:53,254 POLICY, AND BY WHICH UPDATES 152 00:05:53,254 --> 00:05:57,325 WILL TAKE EFFECT. 153 00:05:57,325 --> 00:06:02,463 POLICY HAS BEEN IN EFFECT SINCE 154 00:06:02,463 --> 00:06:04,632 JANUARY 25, 2015, ENSURES BROAD 155 00:06:04,632 --> 00:06:07,502 AND RESPONSIBLE SHARING OF BOTH 156 00:06:07,502 --> 00:06:10,038 NON-HUMAN AND HUMAN LARGE SCALE 157 00:06:10,038 --> 00:06:11,572 GENOMIC DATA. 158 00:06:11,572 --> 00:06:14,642 AND IN PART, BY EXPECTING 159 00:06:14,642 --> 00:06:16,611 PARTICIPANT CONSENT FOR RESEARCH 160 00:06:16,611 --> 00:06:19,247 WHEN USING HUMAN LARGE SCALE 161 00:06:19,247 --> 00:06:20,915 GENOMIC DATA. 162 00:06:20,915 --> 00:06:22,950 THERE ARE OTHER ASPECTS OF THE 163 00:06:22,950 --> 00:06:25,620 POLICY THAT FACILITATE THE BROAD 164 00:06:25,620 --> 00:06:26,688 AND RESPONSE SHARING THAT WE'LL 165 00:06:26,688 --> 00:06:30,091 TOUCH ON LATER IN THE TALK. 166 00:06:30,091 --> 00:06:32,160 THE POLICY SCOPE TO APPLY TO 167 00:06:32,160 --> 00:06:34,262 GENERATION OF LARGE SCALE 168 00:06:34,262 --> 00:06:35,997 GENOMIC DATA AS WELL AS TO THE 169 00:06:35,997 --> 00:06:39,067 USE OF THESE DATA BY SECONDARY 170 00:06:39,067 --> 00:06:41,669 RESEARCHERS, AND THIS IS 171 00:06:41,669 --> 00:06:45,406 IRRESPECTIVE OF THE FUNDING 172 00:06:45,406 --> 00:06:46,674 MECHANISM. 173 00:06:46,674 --> 00:06:47,608 NEXT SLIDE PLEASE. 174 00:06:47,608 --> 00:06:50,111 SO WHEN SHARING LARGE SCALE 175 00:06:50,111 --> 00:06:52,280 HUMAN GENOMIC DATA UNDER THE GDS 176 00:06:52,280 --> 00:06:57,652 POLICY THERE ARE ADDITIONAL 177 00:06:57,652 --> 00:06:58,019 CONSIDERATIONS. 
178 00:06:58,019 --> 00:07:02,156 WHEN AWARDEES ARE FUNDED BY NIH, 179 00:07:02,156 --> 00:07:05,760 GENERATE LARGE SCALE HUMAN DATA, 180 00:07:05,760 --> 00:07:07,528 THE POLICY EXPECTS INVESTIGATORS 181 00:07:07,528 --> 00:07:08,963 TO CONSIDER APPROPRIATENESS OF 182 00:07:08,963 --> 00:07:11,833 SHARING DATA, AND IF THEY ARE 183 00:07:11,833 --> 00:07:15,503 SHARING THE DATA TO SHARE 184 00:07:15,503 --> 00:07:17,472 ACCORDING TO PARTICIPANT 185 00:07:17,472 --> 00:07:19,674 CONSENT, AND MAKING THAT 186 00:07:19,674 --> 00:07:23,177 DECISIONS TO HAVE AN IRB PRIVACY 187 00:07:23,177 --> 00:07:25,046 BOARD OR EQUIVALENT BODY REVIEW 188 00:07:25,046 --> 00:07:26,481 THE CONSENTS AND ALSO ADVISE ON 189 00:07:26,481 --> 00:07:30,752 THE RISK OF SHARING THESE DATA. 190 00:07:30,752 --> 00:07:34,489 AND ULTIMATELY AFTER THE REVIEW 191 00:07:34,489 --> 00:07:36,724 AND ADVICE RECEIVED FROM THE 192 00:07:36,724 --> 00:07:39,393 IRB, SUBMIT THAT DATA TO NIH AND 193 00:07:39,393 --> 00:07:46,634 TELL NIH HOW THAT DATA OUGHT TO 194 00:07:46,634 --> 00:07:47,735 BE SHARED. 195 00:07:47,735 --> 00:07:48,469 WHEN INVESTIGATORS REQUEST 196 00:07:48,469 --> 00:07:52,974 ACCESS TO THESE DATA FROM NIH, 197 00:07:52,974 --> 00:07:55,943 FROM AN NIH DATA REPOSITORY 198 00:07:55,943 --> 00:07:57,612 THERE ARE TERMS AND CONDITIONS 199 00:07:57,612 --> 00:08:01,549 THAT USERS WHO ARE KNOWN AS 200 00:08:01,549 --> 00:08:02,750 APPROVED USERS AGREE TO. 201 00:08:02,750 --> 00:08:05,620 TO TERMS OF ACCESS, THAT INCLUDE 202 00:08:05,620 --> 00:08:09,924 SECURING DATA ACCORDING TO 203 00:08:09,924 --> 00:08:10,758 SECURITY STANDARDS, AND THIS 204 00:08:10,758 --> 00:08:12,760 EXPECTATION IS FOR APPROVED 205 00:08:12,760 --> 00:08:17,165 USERS THAT ARE FUNDED BY NIH OR 206 00:08:17,165 --> 00:08:20,535 NOT FUNDED BY NIH. 207 00:08:20,535 --> 00:08:21,502 NEXT SLIDE PLEASE. 
208 00:08:21,502 --> 00:08:23,805 SO HERE I'M GOING TO GIVE AN 209 00:08:23,805 --> 00:08:26,207 OVERVIEW OF THE GUIDE NOTICE 210 00:08:26,207 --> 00:08:32,013 THAT WAS ISSUED IN THIS PAST 211 00:08:32,013 --> 00:08:32,680 JULY. 212 00:08:32,680 --> 00:08:38,152 THIS GUIDE NOTICE ADDS DIFFERENT 213 00:08:38,152 --> 00:08:40,021 COMPONENTS OF SECURING DATA 214 00:08:40,021 --> 00:08:43,825 ACCESS IN MANAGEMENT. 215 00:08:43,825 --> 00:08:47,028 SO, THE FIRST COMPONENT IS 216 00:08:47,028 --> 00:08:49,297 SCOPED NIH CONTROLLED ACCESS 217 00:08:49,297 --> 00:08:53,434 DATA REPOSITORIES, AND THESE ARE 218 00:08:53,434 --> 00:08:56,470 DEFINED BY REPOSITORIES THAT ARE 219 00:08:56,470 --> 00:09:00,274 SUPPORTED BY AN NIH GRANT, 220 00:09:00,274 --> 00:09:01,576 COOPERATIVE AGREEMENT, OTHER 221 00:09:01,576 --> 00:09:04,645 TRANSACTION, CONTRACT, OR 222 00:09:04,645 --> 00:09:05,746 INTRAMURAL SUPPORT. 223 00:09:05,746 --> 00:09:11,319 THEY STORE OR PROVIDE ACCESS TO 224 00:09:11,319 --> 00:09:15,690 HUMAN GENOMIC DATA UNDER THE GDS 225 00:09:15,690 --> 00:09:16,691 POLICY. 226 00:09:16,691 --> 00:09:19,627 THERE ARE CONTROLS TO ACCESS 227 00:09:19,627 --> 00:09:23,164 THESE DATA, MEANING THAT THE 228 00:09:23,164 --> 00:09:24,265 DATA ARE NOT UNRESTRICTED 229 00:09:24,265 --> 00:09:24,599 ACCESS. 230 00:09:24,599 --> 00:09:27,869 THERE'S SOME SORT OF FIREWALL 231 00:09:27,869 --> 00:09:30,404 BETWEEN THE USER ASKING FOR DATA 232 00:09:30,404 --> 00:09:33,140 AND ACTUALLY GETTING ACCESS TO 233 00:09:33,140 --> 00:09:33,908 THAT DATA. 234 00:09:33,908 --> 00:09:37,311 AND THERE'S A USE OF FEDERAL 235 00:09:37,311 --> 00:09:40,815 EMPLOYEES TO CONDUCT REVIEWS AND 236 00:09:40,815 --> 00:09:45,820 AUTHORIZE ACCESS. 237 00:09:45,820 --> 00:09:46,988 AND REALLY THE MOST FAMILIAR 238 00:09:46,988 --> 00:09:48,656 ALLEGORY TO THIS WOULD BE THE 239 00:09:48,656 --> 00:09:53,828 USE OF A DATA ACCESS COMMITTEE, 240 00:09:53,828 --> 00:09:56,964 OR A DAC. 
241 00:09:56,964 --> 00:10:00,601 SECONDLY, THIS IS SCOPED TO 242 00:10:00,601 --> 00:10:02,336 DEVELOPERS WHO ARE FUNDED TO 243 00:10:02,336 --> 00:10:06,374 PROVIDE SOME SORT OF SERVICE, 244 00:10:06,374 --> 00:10:09,010 FOR SUPPORT, THOSE 245 00:10:09,010 --> 00:10:10,645 NIH-CONTROLLED ACCESS DATA 246 00:10:10,645 --> 00:10:10,978 REPOSITORIES. 247 00:10:10,978 --> 00:10:15,149 AND WE HAVE A BROAD DEFINITION 248 00:10:15,149 --> 00:10:17,551 OF DEVELOPERS. 249 00:10:17,551 --> 00:10:19,820 THEY TEST PLATFORMS, PIPELINES, 250 00:10:19,820 --> 00:10:24,025 ANALYSIS TOOLS, DO VARIOUS SORTS 251 00:10:24,025 --> 00:10:27,528 OF WORK ON THOSE NIH 252 00:10:27,528 --> 00:10:28,296 CONTROLLED-ACCESS DATA 253 00:10:28,296 --> 00:10:28,863 REPOSITORIES. 254 00:10:28,863 --> 00:10:32,033 AND WE CAN PUT A LINK IN THE 255 00:10:32,033 --> 00:10:36,170 CHAT TO THOSE REPOSITORIES THAT 256 00:10:36,170 --> 00:10:37,905 WE'RE REFERRING TO. 257 00:10:37,905 --> 00:10:40,808 AND THIRD, THIS UPDATE AFFECTS 258 00:10:40,808 --> 00:10:42,977 SECURITY STANDARDS FOR APPROVED 259 00:10:42,977 --> 00:10:45,479 USERS WHEN THEY GET ACCESS OF 260 00:10:45,479 --> 00:10:46,714 THESE DATA. 261 00:10:46,714 --> 00:10:48,449 THERE'S AN EXPECTATION OF HOW 262 00:10:48,449 --> 00:10:55,523 THE DATA OUGHT TO BE SECURED. 263 00:10:55,523 --> 00:10:57,358 NEXT SLIDE PLEASE. 264 00:10:57,358 --> 00:11:01,495 SO, TO SPEAK TO THE FIRST ITEM, 265 00:11:01,495 --> 00:11:04,165 THE NIH HAS IDENTIFIED CURRENTLY 266 00:11:04,165 --> 00:11:06,667 20 REPOSITORIES IN SCOPE OF THIS 267 00:11:06,667 --> 00:11:07,535 SECURITY UPDATE. 268 00:11:07,535 --> 00:11:10,171 AND AS I SAID, THEY ARE LISTED 269 00:11:10,171 --> 00:11:12,206 ON THE SHARING WEBSITE, AND THE 270 00:11:12,206 --> 00:11:14,976 LINK SHOULD BE IN THE CHAT. 271 00:11:14,976 --> 00:11:18,612 THIS IS KEPT UP TO DATE AND MAY 272 00:11:18,612 --> 00:11:18,846 CHANGE. 
273 00:11:18,846 --> 00:11:21,349 HOWEVER, IF YOUR REPOSITORY IS 274 00:11:21,349 --> 00:11:22,984 NOT CURRENTLY LISTED, YOUR 275 00:11:22,984 --> 00:11:26,721 REPOSITORY IS NOT IN SCOPE OF 276 00:11:26,721 --> 00:11:28,055 THE SECURITY UPDATE. 277 00:11:28,055 --> 00:11:30,891 WE WANT TO REMIND EVERYONE IF 278 00:11:30,891 --> 00:11:33,627 YOU ARE A DATA GENERATOR, IF NIH 279 00:11:33,627 --> 00:11:37,031 FUNDS YOU, TO GENERATE LARGE 280 00:11:37,031 --> 00:11:38,799 SCALE GENOMIC DATA, YOU'RE NOT 281 00:11:38,799 --> 00:11:41,969 IN SCOPE OF THIS PARTICULAR 282 00:11:41,969 --> 00:11:43,604 SECURITY UPDATE. 283 00:11:43,604 --> 00:11:46,807 THIS UPDATE ONLY APPLIES TO 284 00:11:46,807 --> 00:11:49,310 THOSE REPOSITORIES THAT MEET THE 285 00:11:49,310 --> 00:11:50,411 FOLLOWING CRITERIA, THAT I WENT 286 00:11:50,411 --> 00:11:53,047 THROUGH ON THE PREVIOUS SLIDE. 287 00:11:53,047 --> 00:11:58,152 DATA GENERATORS ARE NOT IN 288 00:11:58,152 --> 00:11:59,820 SCOPE. 289 00:11:59,820 --> 00:12:02,256 NEXT SLIDE PLEASE. 290 00:12:02,256 --> 00:12:06,027 SO, THIS SECOND PART OF THE 291 00:12:06,027 --> 00:12:09,663 GUIDE NOTICE SPEAKS TO A MINIMUM 292 00:12:09,663 --> 00:12:11,298 STANDARD OPERATING PROCEDURES 293 00:12:11,298 --> 00:12:14,502 FOR DEVELOPERS TO GAIN ACCESS TO 294 00:12:14,502 --> 00:12:19,740 THOSE DATA THAT ARE UNDER THE 295 00:12:19,740 --> 00:12:21,942 GDS POLICY AND NIH CONTROLLED 296 00:12:21,942 --> 00:12:23,044 DATA ACCESS REPOSITORIES. 297 00:12:23,044 --> 00:12:27,615 WE WANT TO NOTE THAT THIS IS 298 00:12:27,615 --> 00:12:30,584 SPECIFIC FOR NIH OR FEDERALLY 299 00:12:30,584 --> 00:12:32,353 FUNDED DEVELOPERS. 300 00:12:32,353 --> 00:12:35,523 CENTRAL TO THIS DEFINITION IS 301 00:12:35,523 --> 00:12:39,126 NOT WHAT A DEVELOPER IS BUT WHAT 302 00:12:39,126 --> 00:12:41,495 THE DEVELOPER IS FUNDED TO DO. 
303 00:12:41,495 --> 00:12:44,732 AND, AGAIN, WE WANT TO FOCUS ON 304 00:12:44,732 --> 00:12:47,468 THE DEVELOPERS ARE FUNDED BY NIH 305 00:12:47,468 --> 00:12:51,605 OR THE FEDERAL GOVERNMENT TO 306 00:12:51,605 --> 00:12:54,608 ESTABLISH, SUPPORT, OR MAINTAIN 307 00:12:54,608 --> 00:12:57,511 ONE OF THE 20 NIH CONTROLLED 308 00:12:57,511 --> 00:13:01,449 ACCESS DATA REPOSITORIES. 309 00:13:01,449 --> 00:13:04,752 BEGINNING ON JANUARY 25, 2025, 310 00:13:04,752 --> 00:13:06,587 NIH NOTICE OF FUNDING 311 00:13:06,587 --> 00:13:09,557 OPPORTUNITIES, CONTRACTS, OR 312 00:13:09,557 --> 00:13:11,292 OTHER TRANSACTIONS WILL INDICATE 313 00:13:11,292 --> 00:13:16,197 APPLICABILITY OF THIS PARTICULAR 314 00:13:16,197 --> 00:13:17,198 UPDATE. 315 00:13:17,198 --> 00:13:18,199 NEXT SLIDE PLEASE. 316 00:13:18,199 --> 00:13:20,701 SO HERE WE'RE JUMPING INTO WHAT 317 00:13:20,701 --> 00:13:26,207 YOU ALL HAVE JOINED THE WEBINAR 318 00:13:26,207 --> 00:13:26,373 FOR. 319 00:13:26,373 --> 00:13:28,175 THE SECURITY EXPECTATIONS FOR 320 00:13:28,175 --> 00:13:31,545 APPROVED USERS OF CONTROLLED 321 00:13:31,545 --> 00:13:34,849 ACCESS HUMAN GENOMIC DATA. 322 00:13:34,849 --> 00:13:39,587 SO, THE EXPECTATION IS THAT ON 323 00:13:39,587 --> 00:13:42,590 OR AFTER JANUARY 25, 2025, 324 00:13:42,590 --> 00:13:46,260 APPROVED USERS, P.I.s THAT 325 00:13:46,260 --> 00:13:47,895 SUBMIT A DAR AND APPROVED ACCESS 326 00:13:47,895 --> 00:13:49,663 DATA WILL BE EXPECTED TO 327 00:13:49,663 --> 00:13:52,800 SECURITY DATA ACCORDING TO THE 328 00:13:52,800 --> 00:13:54,368 UPDATED SECURITY STANDARDS, 329 00:13:54,368 --> 00:13:56,337 DESCRIBED IN NIH SECURITY BEST 330 00:13:56,337 --> 00:13:59,173 PRACTICES FOR USERS OF 331 00:13:59,173 --> 00:14:00,274 CONTROLLED-ACCESS DATA. 
332 00:14:00,274 --> 00:14:03,244 THIS APPLIES TO NEW REQUESTS, 333 00:14:03,244 --> 00:14:08,182 THAT ARE SUBMITTED ON THAT DAY, 334 00:14:08,182 --> 00:14:12,019 AS WELL AS ANY REQUEST THAT HAS 335 00:14:12,019 --> 00:14:14,421 EXISTING ACCESS BUT IS RENEWED 336 00:14:14,421 --> 00:14:15,322 AFTER THAT DAY. 337 00:14:15,322 --> 00:14:17,958 SO ONE THING TO POINT OUT, YOU 338 00:14:17,958 --> 00:14:22,897 HAVE EXISTING ACCESS RIGHT NOW. 339 00:14:22,897 --> 00:14:24,431 AND THE JANUARY 25, 2025 DATE 340 00:14:24,431 --> 00:14:27,434 COMES UP, YOU WILL NOT BE 341 00:14:27,434 --> 00:14:29,570 EXPECTED TO ATTEST TO THE 342 00:14:29,570 --> 00:14:31,739 UPDATED SECURITY STANDARDS. 343 00:14:31,739 --> 00:14:35,576 IT'S ONLY AFTER YOUR RENEWAL, 344 00:14:35,576 --> 00:14:36,677 AFTER THAT DATE. 345 00:14:36,677 --> 00:14:41,515 WE WANT TO NOTE THAT THIS UPDATE 346 00:14:41,515 --> 00:14:43,817 REPLACES EXISTING SECURITY BEST 347 00:14:43,817 --> 00:14:44,985 PRACTICES FOR CONTROLLED-ACCESS 348 00:14:44,985 --> 00:14:50,057 DATA SUBJECT TO NIH GENOMIC DATA 349 00:14:50,057 --> 00:14:51,058 SHARING POLICY. 350 00:14:51,058 --> 00:14:55,529 AND THAT WHAT WE'RE ASKING FOR 351 00:14:55,529 --> 00:14:57,398 IN THIS UPDATED SECURITY 352 00:14:57,398 --> 00:15:02,636 STANDARD IS AN ATTESTATION FROM 353 00:15:02,636 --> 00:15:03,304 APPROVED USERS. 354 00:15:03,304 --> 00:15:06,040 NOW, WE'LL DO A DEEPER DIVE HOW 355 00:15:06,040 --> 00:15:07,575 TO MEET UPDATES TO SECURITY 356 00:15:07,575 --> 00:15:10,744 EXPECTS BUT IN GENERAL WHAT THIS 357 00:15:10,744 --> 00:15:13,013 ATTESTATION APPROVED USERS WILL 358 00:15:13,013 --> 00:15:15,683 ATTEST BASED ON SELF-ASSESSMENT 359 00:15:15,683 --> 00:15:17,952 THAT THEY DO THAT THEIR SYSTEM, 360 00:15:17,952 --> 00:15:20,588 NOT THE ENTIRE INSTITUTION, THE 361 00:15:20,588 --> 00:15:23,557 SYSTEM STORING THE HUMAN GENOMIC 362 00:15:23,557 --> 00:15:27,828 DATA IS COMPLIANT WITH NIST, 363 00:15:27,828 --> 00:15:29,029 800-171 CONTROLS. 
364 00:15:29,029 --> 00:15:30,898 IF APPROVED USERS IS USING A 365 00:15:30,898 --> 00:15:34,168 THIRD PARTY I.T. SYSTEM OR CLOUD 366 00:15:34,168 --> 00:15:37,004 SERVICE PROVIDER, THE APPROVED 367 00:15:37,004 --> 00:15:41,075 USER IS EXPECTED TO KNOW IF THAT 368 00:15:41,075 --> 00:15:44,511 THIRD PARTY SYSTEM OR SERVICE 369 00:15:44,511 --> 00:15:48,315 PROVIDER IS COMPLIANT WITH NIST 370 00:15:48,315 --> 00:15:50,951 800-171 SECURITY CONTROLS AND 371 00:15:50,951 --> 00:15:54,255 ATTEST ON THEIR BEHALF. 372 00:15:54,255 --> 00:15:56,323 IF YOU'RE A NON-U.S. USER, 373 00:15:56,323 --> 00:16:00,594 UNABLE TO ATTEST TO THE NIST 374 00:16:00,594 --> 00:16:08,602 800-171 SECURITY STANDARDS YOU 375 00:16:08,602 --> 00:16:13,641 MAY ATTACH THE EQUIVALENT 376 00:16:13,641 --> 00:16:15,409 ISO/IEC 2700/27002 STANDARD. 377 00:16:15,409 --> 00:16:19,446 ATTESTATION MAY VARY, IT'S NOT A 378 00:16:19,446 --> 00:16:24,485 FORM, IT MAY VARY IN THAT IT'S 379 00:16:24,485 --> 00:16:26,754 ONLY IN THE AGREEMENT THAT YOU 380 00:16:26,754 --> 00:16:30,924 DESIGNED OR IT'S A PART OF THE 381 00:16:30,924 --> 00:16:33,794 DAR PROCESS, BUT AT THE END OF 382 00:16:33,794 --> 00:16:37,531 THE DAY THE ATTESTATION IS AN 383 00:16:37,531 --> 00:16:38,866 ACKNOWLEDGMENT THAT THE 384 00:16:38,866 --> 00:16:43,337 INSTITUTION HAS DONE ITS 385 00:16:43,337 --> 00:16:45,306 SELF-ASSESSMENT AND ATTESTS THAT 386 00:16:45,306 --> 00:16:48,709 THEIR LOCAL DEVICE STORING THE 387 00:16:48,709 --> 00:16:50,811 GENOMIC DATA MEETS THE 388 00:16:50,811 --> 00:16:54,648 EXPECTATIONS OF THE NIST 800-171 389 00:16:54,648 --> 00:16:54,915 CONTROLS. 390 00:16:54,915 --> 00:16:56,050 NOW, THIS CONCLUDES MY PART. 391 00:16:56,050 --> 00:16:59,687 I WILL TURN IT OVER TO 392 00:16:59,687 --> 00:17:02,956 MS. FALVELLA TO DO A DEEPER DIVE 393 00:17:02,956 --> 00:17:05,492 INTO THE NIST 800-171 CONTROLS. 394 00:17:05,492 --> 00:17:06,794 >> GOOD MORNING. 
395 00:17:06,794 --> 00:17:08,996 I'M MAUREEN FALVELLA, NIH CHIEF 396 00:17:08,996 --> 00:17:10,864 INFORMATION SECURITY OFFICER AT 397 00:17:10,864 --> 00:17:11,198 NIH. 398 00:17:11,198 --> 00:17:14,034 TODAY WE'RE GOING TO DISCUSS 399 00:17:14,034 --> 00:17:15,569 UNDERLYING REASONS WHY NIH MADE 400 00:17:15,569 --> 00:17:16,870 CHANGES TO NIH SECURITY BEST 401 00:17:16,870 --> 00:17:18,505 PRACTICES FOR USERS OF 402 00:17:18,505 --> 00:17:19,606 CONTROLLED ACCESS DATA. 403 00:17:19,606 --> 00:17:21,375 WE'LL THEN TOUCH UPON WHAT YOU 404 00:17:21,375 --> 00:17:22,776 AS RESEARCHER NEED TO KNOW ABOUT 405 00:17:22,776 --> 00:17:25,212 THE NIH SECURITY BEST PRACTICES, 406 00:17:25,212 --> 00:17:26,413 BEFORE SHIFTING TO DEEP DIVE 407 00:17:26,413 --> 00:17:27,848 WHAT YOU MIGHT NEED TO KNOW IF 408 00:17:27,848 --> 00:17:32,252 YOU'RE AN I.T. SYSTEM 409 00:17:32,252 --> 00:17:33,253 ADMINISTRATOR. 410 00:17:33,253 --> 00:17:34,788 WE'LL RECAP KEY TAKEAWAYS AND 411 00:17:34,788 --> 00:17:35,723 IDENTIFY RESOURCES AVAILABLE 412 00:17:35,723 --> 00:17:39,693 BEFORE WE OPEN UP TO QUESTIONS. 413 00:17:39,693 --> 00:17:44,732 FIRST LET'S DIVE IN TO THE 414 00:17:44,732 --> 00:17:47,935 GLOBAL THREAT LANDSCAPE. 415 00:17:47,935 --> 00:17:50,537 THERE ARE THREE MAJOR THREATS TO 416 00:17:50,537 --> 00:17:51,772 RESEARCH INSTITUTIONS INCLUDING 417 00:17:51,772 --> 00:17:53,073 NIH TODAY, INCLUDING NATION 418 00:17:53,073 --> 00:17:56,777 STATE ACTORS LOOKING TO GAIN 419 00:17:56,777 --> 00:17:58,212 INTELLIGENCE, DEMONSTRATE THEIR 420 00:17:58,212 --> 00:17:59,446 CYBER CAPABILITIES AS A 421 00:17:59,446 --> 00:18:02,616 DEFENDANT TACTIC OR MIGHT BE 422 00:18:02,616 --> 00:18:03,550 SEEKING VALUABLE INFORMATION TO 423 00:18:03,550 --> 00:18:04,918 GAIN COMPETITIVE EDGE. 
424 00:18:04,918 --> 00:18:09,089 WE HAVE TO CONSIDER CRIMINAL 425 00:18:09,089 --> 00:18:10,824 ORGANIZATIONS SEEKING TO DEPLOY 426 00:18:10,824 --> 00:18:12,292 SUPER ATTACKS WITH PRIMARY GOAL 427 00:18:12,292 --> 00:18:13,927 OF FINANCIAL GAIN. 428 00:18:13,927 --> 00:18:15,896 BOTH OF THESE THREAT ACTORS 429 00:18:15,896 --> 00:18:21,135 LEVERAGED ADVERSARIAL 430 00:18:21,135 --> 00:18:22,903 TECHNOLOGIES, WITH SUCH AS 431 00:18:22,903 --> 00:18:25,305 ARTIFICIAL INTELLIGENCE THREATS 432 00:18:25,305 --> 00:18:28,609 SUCH AS RANSOMWARE WHEN COMBINED 433 00:18:28,609 --> 00:18:30,377 WITH SUPER COMPUTING POWER ARE 434 00:18:30,377 --> 00:18:31,812 GROWING CONCERNS. 435 00:18:31,812 --> 00:18:34,415 SO ALL THESE THREAT SOURCES HAVE 436 00:18:34,415 --> 00:18:37,151 RESULTED IN A DIFFICULT 437 00:18:37,151 --> 00:18:38,352 CHALLENGE FOR RESEARCH 438 00:18:38,352 --> 00:18:39,987 INSTITUTIONS WHICH RELY ON 439 00:18:39,987 --> 00:18:41,722 COLLABORATION AND INFORMATION 440 00:18:41,722 --> 00:18:45,225 SHARING TO DRIVE INNOVATION AND 441 00:18:45,225 --> 00:18:45,692 DISCOVERY. 442 00:18:45,692 --> 00:18:48,095 EROSION OF PUBLIC TRUST AND 443 00:18:48,095 --> 00:18:50,731 FINANCIAL LOSS FROM CYBERATTACKS 444 00:18:50,731 --> 00:18:55,736 IS A SUBSTANTIAL CHALLENGE TO 445 00:18:55,736 --> 00:18:57,638 RESEARCH INSTITUTIONS, TO 446 00:18:57,638 --> 00:18:59,473 EMPHASIZE 84% INCREASE IN DATA 447 00:18:59,473 --> 00:19:02,976 BREACHES OVER THE LAST DECADE. 448 00:19:02,976 --> 00:19:07,381 HEALTHCARE AND RESEARCH 449 00:19:07,381 --> 00:19:10,451 INSTITUTIONS EXPERIENCED A 123% 450 00:19:10,451 --> 00:19:11,752 INCREASED IN RANSOMWARE ATTACKS. 451 00:19:11,752 --> 00:19:14,188 AT NIH WE SEE THIS ALMOST DAILY. 452 00:19:14,188 --> 00:19:18,225 OVER THE LAST TWO YEARS WE'VE 453 00:19:18,225 --> 00:19:20,060 FIELDED AS MANY PRIVACY -- SPEND 454 00:19:20,060 --> 00:19:28,202 HALF OF OUR TIME ADDRESSING 455 00:19:28,202 --> 00:19:29,036 PRIVACY BREACHES. 
456 00:19:29,036 --> 00:19:36,210 WITH THE WORLD ON THE BRINK OF 457 00:19:36,210 --> 00:19:38,312 POST QUANTUM COMPUTER POWER AND 458 00:19:38,312 --> 00:19:40,981 ARTIFICIAL INTELLIGENCE LINKING 459 00:19:40,981 --> 00:19:43,383 IDENTITIES IS A REAL CONCERN. 460 00:19:43,383 --> 00:19:46,887 WE HAVE A UNIQUE ROLE TO PLAY. 461 00:19:46,887 --> 00:19:48,622 NIH IS COMMITTED TO PROTECTING 462 00:19:48,622 --> 00:19:50,691 PUBLIC TRUST AND PREPARING FOR 463 00:19:50,691 --> 00:19:52,693 FUTURE NATIONAL SECURITY 464 00:19:52,693 --> 00:19:54,127 DIRECTIVES AND SECURITY 465 00:19:54,127 --> 00:19:54,795 POLICIES. 466 00:19:54,795 --> 00:19:56,430 WE ALSO ACKNOWLEDGE THAT IN THE 467 00:19:56,430 --> 00:19:59,366 PAST IT HAS BEEN DIFFICULT FOR 468 00:19:59,366 --> 00:20:00,567 INSTITUTIONS SEEKING FUNDING 469 00:20:00,567 --> 00:20:02,536 OPPORTUNITIES AT NIH GIVEN THE 470 00:20:02,536 --> 00:20:04,171 PATCHWORK OF SECURITY STANDARDS 471 00:20:04,171 --> 00:20:05,506 YOU MAY FACE. 472 00:20:05,506 --> 00:20:07,474 ONE INSTITUTION MIGHT HAVE ONE 473 00:20:07,474 --> 00:20:08,675 STANDARD WHILE ANOTHER 474 00:20:08,675 --> 00:20:09,776 INSTITUTION MAY REQUIRE 475 00:20:09,776 --> 00:20:11,178 COMPLETELY DIFFERENT STANDARD. 476 00:20:11,178 --> 00:20:12,913 SO NIH IS UNIFYING OUR STANDARDS 477 00:20:12,913 --> 00:20:15,349 TO EASE THE BURDEN ON 478 00:20:15,349 --> 00:20:18,218 INSTITUTIONS SEEKING FUNDING 479 00:20:18,218 --> 00:20:20,120 OPPORTUNITIES AT NIH. 480 00:20:20,120 --> 00:20:20,988 THESE FACTORS NECESSITATE AND 481 00:20:20,988 --> 00:20:24,358 WERE THE DRIVERS OF NIH 482 00:20:24,358 --> 00:20:29,396 RELEASING THE UPDATED SHARING 483 00:20:29,396 --> 00:20:31,365 POLICY AND SUPPORTING BEST 484 00:20:31,365 --> 00:20:34,434 PRACTICE USES FOR CONTROL OF 485 00:20:34,434 --> 00:20:34,868 DATA. 486 00:20:34,868 --> 00:20:35,969 NEXT SLIDE PLEASE. 
487 00:20:35,969 --> 00:20:38,105 SO, IF YOU ARE A RESEARCHER, 488 00:20:38,105 --> 00:20:41,208 HERE'S WHAT YOU NEED TO KNOW. 489 00:20:41,208 --> 00:20:43,143 NIH SECURITY BEST PRACTICES ARE 490 00:20:43,143 --> 00:20:44,611 SECURITY BENCHMARKS. 491 00:20:44,611 --> 00:20:46,680 THEY ARE NOT REGULATORY 492 00:20:46,680 --> 00:20:47,047 REQUIREMENTS. 493 00:20:47,047 --> 00:20:49,983 THEY ALLOW YOU TO MEASURE YOUR 494 00:20:49,983 --> 00:20:52,152 INSTITUTION SECURITY POSTURE 495 00:20:52,152 --> 00:20:54,121 AGAINST THE NIST SPECIAL 496 00:20:54,121 --> 00:20:55,155 PUBLICATION 171 SECURITY 497 00:20:55,155 --> 00:20:57,858 CONTROLS THAT ALIGN TO THE NIST 498 00:20:57,858 --> 00:20:59,159 RISK MANAGEMENT FRAMEWORK. 499 00:20:59,159 --> 00:21:01,795 THIS FRAMEWORK OFFERS A PATHWAY 500 00:21:01,795 --> 00:21:05,499 TO ACHIEVE ATTAINABLE SECURITY 501 00:21:05,499 --> 00:21:08,135 PRACTICES THROUGH SIX-PHASE 502 00:21:08,135 --> 00:21:08,802 PROCESS, DESIGNED TO 503 00:21:08,802 --> 00:21:10,971 CONTINUOUSLY MONITOR RISK FOR 504 00:21:10,971 --> 00:21:12,272 I.T. SYSTEMS LIFE CYCLES, THAT 505 00:21:12,272 --> 00:21:13,941 STARTS AT THE INCEPTION OF AN 506 00:21:13,941 --> 00:21:16,543 I.T. SYSTEM AND WILL GO THROUGH 507 00:21:16,543 --> 00:21:18,879 TO A SYSTEM BEING 508 00:21:18,879 --> 00:21:19,246 DECOMMISSIONED. 509 00:21:19,246 --> 00:21:21,582 THE NIH SECURITY BEST PRACTICES 510 00:21:21,582 --> 00:21:23,116 FOR CONTROLLED ACCESS DATA ARE 511 00:21:23,116 --> 00:21:26,286 ONLY EXPECTED TO BE APPLIED TO 512 00:21:26,286 --> 00:21:29,790 THOSE SYSTEMS THAT HANDLE NIH 513 00:21:29,790 --> 00:21:30,724 CONTROLLED-ACCESS DATA. 514 00:21:30,724 --> 00:21:32,559 I'M GOING TO STRESS AND REPEAT 515 00:21:32,559 --> 00:21:34,328 BECAUSE IT'S WORTH REPEATING. 516 00:21:34,328 --> 00:21:37,931 IT IS NOT EXPECTED THAT THE NIH 517 00:21:37,931 --> 00:21:38,932 SECURITY BEST PRACTICE BE 518 00:21:38,932 --> 00:21:40,767 APPLIED TO ALL YOUR I.T. 
519 00:21:40,767 --> 00:21:46,807 SYSTEMS, JUST THE SYSTEMS THAT 520 00:21:46,807 --> 00:21:49,643 PROCESS NIH CONTROLLED-ACCESS 521 00:21:49,643 --> 00:21:50,210 DATA. 522 00:21:50,210 --> 00:21:52,112 SYSTEMS THAT DO NOT INTERACT 523 00:21:52,112 --> 00:21:53,280 WITH NIH CONTROLLED-ACCESS DATA 524 00:21:53,280 --> 00:21:55,148 ARE NOT EXPECTED TO ADOPT 525 00:21:55,148 --> 00:21:56,016 SECURITY STANDARDS. 526 00:21:56,016 --> 00:21:59,620 AS MENTIONED BY DR. JACOBS, DATA 527 00:21:59,620 --> 00:22:02,022 GENERATORS SUCH AS THOSE WITHIN 528 00:22:02,022 --> 00:22:04,558 THE DATA COLLECTION CENTERS, 529 00:22:04,558 --> 00:22:05,859 DATA COORDINATING CENTERS, THAT 530 00:22:05,859 --> 00:22:08,929 GENERATE DATA PRIOR TO IT BEING 531 00:22:08,929 --> 00:22:10,163 SHARED WITH NIH 532 00:22:10,163 --> 00:22:10,931 CONTROLLED-ACCESS DATA 533 00:22:10,931 --> 00:22:13,133 REPOSITORIES ARE NOT WITHIN 534 00:22:13,133 --> 00:22:15,235 SCOPE OF THE NIH GENOMIC DATA 535 00:22:15,235 --> 00:22:18,171 SHARING POLICY AND SECURITY BEST 536 00:22:18,171 --> 00:22:18,705 PRACTICES. 537 00:22:18,705 --> 00:22:20,574 DATA DOWNLOADED AND PROCESSED 538 00:22:20,574 --> 00:22:22,876 DIRECTLY FROM THE NIH 539 00:22:22,876 --> 00:22:23,744 CONTROLLED-ACCESS DATA 540 00:22:23,744 --> 00:22:25,646 REPOSITORIES ARE WITHIN SCOPE. 541 00:22:25,646 --> 00:22:28,582 THIS SCOPE INCLUDES WORK 542 00:22:28,582 --> 00:22:31,518 STATIONS, SERVERS, THIRD PARTY 543 00:22:31,518 --> 00:22:34,388 SYSTEMS, CLOUD SERVICES THAT 544 00:22:34,388 --> 00:22:38,191 ACCESS AND/OR PROCESS NIH 545 00:22:38,191 --> 00:22:40,627 CONTROLLED-ACCESS DATA. 546 00:22:40,627 --> 00:22:43,697 SO, BY JANUARY 25, 2025, 547 00:22:43,697 --> 00:22:46,433 INSTITUTIONS ARE EXPECTED TO 548 00:22:46,433 --> 00:22:48,635 ASSESS SYSTEMS AGAINST NIST 549 00:22:48,635 --> 00:22:51,171 800-171 CONTROLS, AND TO THE 550 00:22:51,171 --> 00:22:53,674 BEST OF THEIR ABILITY IMPLEMENT 551 00:22:53,674 --> 00:22:54,675 SECURITY CONTROLS. 
552 00:22:54,675 --> 00:22:55,876 ANY DEVIATIONS MUST BE 553 00:22:55,876 --> 00:22:57,611 DOCUMENTED WITHIN A PLAN OF 554 00:22:57,611 --> 00:23:00,147 ACTION AND MILESTONES TO FURTHER 555 00:23:00,147 --> 00:23:01,448 MITIGATE THE RISK. 556 00:23:01,448 --> 00:23:06,186 ONCE YOU'VE MADE YOUR ASSESSMENT 557 00:23:06,186 --> 00:23:07,487 AND DOCUMENTED DEVIATIONS, 558 00:23:07,487 --> 00:23:08,388 INSTITUTIONS SHOULD INFORM 559 00:23:08,388 --> 00:23:10,323 RESEARCHERS THEY CAN ATTEST TO 560 00:23:10,323 --> 00:23:12,726 THE NIH SECURITY BEST PRACTICES 561 00:23:12,726 --> 00:23:15,262 WHEN THEY ARE SUBMITTING NEW OR 562 00:23:15,262 --> 00:23:21,168 RENEWAL DATA ACCESS REQUESTS TO 563 00:23:21,168 --> 00:23:22,936 NIH'S CONTROLLED-ACCESS GENOMIC 564 00:23:22,936 --> 00:23:23,470 DATA. 565 00:23:23,470 --> 00:23:26,440 ON OR AFTER JANUARY 25 APPROVED 566 00:23:26,440 --> 00:23:28,075 USERS OF NIH CONTROLLED-ACCESS 567 00:23:28,075 --> 00:23:29,342 GENOMIC DATA ARE EXPECTED TO 568 00:23:29,342 --> 00:23:32,446 PROTECT THE DATA IN ACCORDANCE 569 00:23:32,446 --> 00:23:35,182 WITH THE NIST 800-171 SERIES, 570 00:23:35,182 --> 00:23:38,151 OR ITS EQUIVALENT INTERNATIONAL 571 00:23:38,151 --> 00:23:38,518 STANDARDS. 572 00:23:38,518 --> 00:23:40,320 IF YOU CHOOSE TO USE A 573 00:23:40,320 --> 00:23:42,622 THIRD-PARTY I.T.
SYSTEM OR CLOUD 574 00:23:42,622 --> 00:23:44,925 SERVICE PROVIDER FOR DATA 575 00:23:44,925 --> 00:23:47,327 ANALYSIS AND/OR STORAGE, FOR 576 00:23:47,327 --> 00:23:49,863 YOUR PROJECT, YOU MUST REQUEST 577 00:23:49,863 --> 00:23:52,799 AND BE PROVIDED ATTESTATION 578 00:23:52,799 --> 00:23:54,034 STATEMENTS FROM THE SYSTEM OR 579 00:23:54,034 --> 00:23:56,737 CLOUD SERVICE PROVIDER TO GIVE 580 00:23:56,737 --> 00:23:58,672 ASSURANCES THEY ARE PROTECTING 581 00:23:58,672 --> 00:24:01,341 AGAINST THE -- IN ACCORDANCE 582 00:24:01,341 --> 00:24:04,411 WITH THE NIST SPECIAL 583 00:24:04,411 --> 00:24:05,612 PUBLICATION 800-171, THAT WILL 584 00:24:05,612 --> 00:24:11,752 GIVE THE ASSURANCES 585 00:24:11,752 --> 00:24:18,959 FOR YOU TO ATTEST TO THE STANDARDS. 586 00:24:18,959 --> 00:24:19,960 NEXT SLIDE. 587 00:24:19,960 --> 00:24:21,695 SO WE'RE NOW GOING TO SHIFT TO 588 00:24:21,695 --> 00:24:24,364 WHAT YOU NEED TO KNOW IF YOU'RE 589 00:24:24,364 --> 00:24:29,402 AN I.T. SUPPORT STAFF AND YOU'RE 590 00:24:29,402 --> 00:24:31,138 IMPLEMENTING NIST SPECIAL 591 00:24:31,138 --> 00:24:35,208 PUBLICATION 800-171 SERIES. 592 00:24:35,208 --> 00:24:37,611 SO, 800-171 ARTICULATES SECURITY 593 00:24:37,611 --> 00:24:39,246 REQUIREMENTS ACROSS 17 SECURITY 594 00:24:39,246 --> 00:24:41,214 CONTROL FAMILIES. 595 00:24:41,214 --> 00:24:43,183 THESE RANGE FROM ACCESS 596 00:24:43,183 --> 00:24:45,152 CONTROLS, GO THROUGHOUT THE LIFE 597 00:24:45,152 --> 00:24:47,687 CYCLE AND COMPONENTS OF I.T. 598 00:24:47,687 --> 00:24:49,089 ORGANIZATION, ALL THE WAY 599 00:24:49,089 --> 00:24:54,728 THROUGH TO SUPPLY CHAIN RISK 600 00:24:54,728 --> 00:24:55,028 MANAGEMENT.
601 00:24:55,028 --> 00:24:56,963 WITH THE INTRODUCTION OF REV 3 602 00:24:56,963 --> 00:24:58,932 LAST YEAR THREE FAMILIES WERE 603 00:24:58,932 --> 00:25:01,268 ADDED TO ADDRESS SUPPLY CHAIN 604 00:25:01,268 --> 00:25:04,738 RISKS, AN ACKNOWLEDGMENT AND 605 00:25:04,738 --> 00:25:05,972 UNDERSTANDING THAT MOST 606 00:25:05,972 --> 00:25:07,073 SOPHISTICATED ACTORS ARE 607 00:25:07,073 --> 00:25:09,342 ENTERING THROUGH AUTHORIZED 608 00:25:09,342 --> 00:25:10,577 SERVICE PROVIDERS, THROUGH 609 00:25:10,577 --> 00:25:14,614 EXPLOITS OF SOFTWARE WE USE, AND 610 00:25:14,614 --> 00:25:16,817 THROUGH EXPLOITS THAT HAVE 611 00:25:16,817 --> 00:25:21,755 BEEN -- HAVE OCCURRED THROUGH 612 00:25:21,755 --> 00:25:22,022 EQUIPMENT. 613 00:25:22,022 --> 00:25:24,491 ADDITIONALLY THE REV 3 614 00:25:24,491 --> 00:25:25,358 INTRODUCED THE CONCEPT THAT ASSESSING 615 00:25:25,358 --> 00:25:26,927 RISK SHOULDN'T JUST HAPPEN WHEN 616 00:25:26,927 --> 00:25:28,662 YOU CREATE A SYSTEM OR YOU 617 00:25:28,662 --> 00:25:30,297 DESIGN A SYSTEM BUT SHOULD ALSO 618 00:25:30,297 --> 00:25:32,799 HAPPEN THROUGHOUT THE LIFE CYCLE 619 00:25:32,799 --> 00:25:34,034 OF A SYSTEM. 620 00:25:34,034 --> 00:25:36,303 IF YOU'RE AN INSTITUTION AND 621 00:25:36,303 --> 00:25:38,405 YOU'RE ON REV 2, UNDERSTANDING 622 00:25:38,405 --> 00:25:41,007 THAT REV 3 WAS INTRODUCED LAST 623 00:25:41,007 --> 00:25:42,108 YEAR, WE UNDERSTAND THAT IT WILL 624 00:25:42,108 --> 00:25:44,544 TAKE SOME TIME FOR YOU TO ADJUST 625 00:25:44,544 --> 00:25:47,280 TO THE NEW REV 3 CONTROL FAMILY.
626 00:25:47,280 --> 00:25:50,984 SO, I WANT TO STRESS NIH WILL 627 00:25:50,984 --> 00:25:54,821 ACCEPT REV 2 AND REV 3, BOTH 628 00:25:54,821 --> 00:26:00,193 FULFILL EXPECTATIONS OF NIH 629 00:26:00,193 --> 00:26:01,394 SECURITY BEST PRACTICES, START 630 00:26:01,394 --> 00:26:02,829 PLANNING NOW AND ASSESS AGAINST 631 00:26:02,829 --> 00:26:04,731 THE THREE NEW CONTROL FAMILIES 632 00:26:04,731 --> 00:26:05,966 INTRODUCED UNDER REV 3, AND THAT 633 00:26:05,966 --> 00:26:07,467 YOU CREATE PLAN OF ACTION AND 634 00:26:07,467 --> 00:26:09,035 MILESTONES FOR ANY OF THE 635 00:26:09,035 --> 00:26:10,604 CONTROLS THAT YOU DON'T HAVE IN 636 00:26:10,604 --> 00:26:12,105 PLACE TODAY BUT PLAN TO 637 00:26:12,105 --> 00:26:13,640 IMPLEMENT IN THE FUTURE. 638 00:26:13,640 --> 00:26:15,375 IN THIS WAY YOU'LL ACTIVELY 639 00:26:15,375 --> 00:26:18,345 MANAGE THE RISK AS WELL AS 640 00:26:18,345 --> 00:26:21,081 ENSURE YOUR EVENTUAL ADOPTION OF 641 00:26:21,081 --> 00:26:24,284 REV 3. 642 00:26:24,284 --> 00:26:25,719 NEXT SLIDE. 643 00:26:25,719 --> 00:26:25,919 OKAY. 644 00:26:25,919 --> 00:26:29,155 SO, LET'S DIVE INTO THE 800-171 645 00:26:29,155 --> 00:26:30,690 SERIES A LITTLE BIT. 646 00:26:30,690 --> 00:26:33,093 THE SERIES IS MADE UP OF TWO 647 00:26:33,093 --> 00:26:34,194 DOCUMENTS, THE FIRST DOCUMENT 648 00:26:34,194 --> 00:26:35,829 COVERS ALL THE CONTROLS AND HOW 649 00:26:35,829 --> 00:26:37,898 THEY SHOULD BE IMPLEMENTED 650 00:26:37,898 --> 00:26:40,300 WITHIN YOUR ORGANIZATION. 651 00:26:40,300 --> 00:26:45,705 THE SECOND ONE IS NIST SPECIAL 652 00:26:45,705 --> 00:26:46,673 PUBLICATION 800-171A, USED TO 653 00:26:46,673 --> 00:26:48,975 ASSESS THE CONTROLS. 654 00:26:48,975 --> 00:26:51,044 SO TWO DOCUMENTS, WE'LL COVER 655 00:26:51,044 --> 00:26:53,480 FIRST THE DOCUMENT THAT COVERS 656 00:26:53,480 --> 00:26:55,982 IMPLEMENTING CONTROLS. 
657 00:26:55,982 --> 00:26:58,184 SO NIST 800-171 ARTICULATES WHAT 658 00:26:58,184 --> 00:27:00,020 THE CONTROL FAMILY IS, IT WILL 659 00:27:00,020 --> 00:27:01,888 TELL YOU WHAT THE REQUIREMENT OF 660 00:27:01,888 --> 00:27:03,323 THAT CONTROL FAMILY IS. 661 00:27:03,323 --> 00:27:07,494 AND THEN IT WILL GIVE YOU A 662 00:27:07,494 --> 00:27:09,462 DESCRIPTION OF THAT REQUIREMENT. 663 00:27:09,462 --> 00:27:13,500 NOW CONTROLS THAT HAVE IN THEIR 664 00:27:13,500 --> 00:27:14,868 DESCRIPTION ORGANIZATIONAL 665 00:27:14,868 --> 00:27:17,771 REQUIREMENTS, THAT MEANS THAT'S 666 00:27:17,771 --> 00:27:19,205 A CONTROL YOUR ORGANIZATION CAN 667 00:27:19,205 --> 00:27:21,708 SELECT EITHER THE POLICY OR 668 00:27:21,708 --> 00:27:24,010 PROCEDURE FOR THAT CONTROL. 669 00:27:24,010 --> 00:27:26,112 YOU'LL GENERALLY SEE THAT WHEN 670 00:27:26,112 --> 00:27:27,647 IT IS ACTUALLY ORGANIZATIONS 671 00:27:27,647 --> 00:27:29,950 THAT DETERMINE FREQUENCY A 672 00:27:29,950 --> 00:27:31,751 CONTROL IS TO OCCUR, OR IT IS 673 00:27:31,751 --> 00:27:35,188 OFTEN USED IF IT IS UP TO YOUR 674 00:27:35,188 --> 00:27:37,691 DISCRETION AT THE ORGANIZATION 675 00:27:37,691 --> 00:27:40,694 LEVEL, HOW YOU'RE IMPLEMENTING 676 00:27:40,694 --> 00:27:42,429 THAT CONTROL. 677 00:27:42,429 --> 00:27:44,731 THESE CONTROLS OFFER MAXIMUM 678 00:27:44,731 --> 00:27:45,498 FLEXIBILITY. 679 00:27:45,498 --> 00:27:47,400 SO NEXT WE'LL DISCUSS THE 680 00:27:47,400 --> 00:27:48,668 CONTROL BY GIVING YOU A 681 00:27:48,668 --> 00:27:49,436 DESCRIPTION AND PROVIDE 682 00:27:49,436 --> 00:27:52,472 ACCEPTABLE MEANS AND EXAMPLES OF 683 00:27:52,472 --> 00:27:53,473 IMPLEMENTING THAT CONTROL. 
684 00:27:53,473 --> 00:27:58,078 AND FINALLY AT THE BOTTOM UNDER 685 00:27:58,078 --> 00:27:59,713 REFERENCE IT GIVES ADDITIONAL 686 00:27:59,713 --> 00:28:00,613 RESOURCES, PROVIDING A CROSSWALK 687 00:28:00,613 --> 00:28:02,115 TO THE CONTROL FAMILIES AS THEY 688 00:28:02,115 --> 00:28:04,084 RELATE TO THE PARENT DOCUMENT 689 00:28:04,084 --> 00:28:06,419 WHICH IS THE NIST 800-53 CONTROL 690 00:28:06,419 --> 00:28:13,059 SET, AS WELL AS GIVE ADDITIONAL 691 00:28:13,059 --> 00:28:14,060 INITIAL DOCUMENT STANDARDS AND 692 00:28:14,060 --> 00:28:16,463 RESOURCES LINKED AT THE BOTTOM 693 00:28:16,463 --> 00:28:21,067 OF THE CONTROLS. 694 00:28:21,067 --> 00:28:21,868 THE NIST 800-171 DOCUMENT 695 00:28:21,868 --> 00:28:24,104 PROVIDES A GUIDE FOR HOW TO 696 00:28:24,104 --> 00:28:25,105 IMPLEMENT THE CONTROLS, AND IT 697 00:28:25,105 --> 00:28:27,941 WILL PROVIDE YOU WITH EVERYTHING 698 00:28:27,941 --> 00:28:32,545 YOU NEED TO KNOW TO IMPLEMENT 699 00:28:32,545 --> 00:28:36,149 THE PROTECTIONS UNDER THE 700 00:28:36,149 --> 00:28:37,050 800-171. 701 00:28:37,050 --> 00:28:38,885 NEXT SLIDE. 702 00:28:38,885 --> 00:28:39,419 OKAY. 703 00:28:39,419 --> 00:28:44,157 LET'S SHIFT GEARS AND NOW WE'LL 704 00:28:44,157 --> 00:28:46,893 DIVE INTO THE 800-171A. 705 00:28:46,893 --> 00:28:48,294 TO SELF ASSESS YOUR INSTITUTION 706 00:28:48,294 --> 00:28:51,264 AND YOUR MATURITY YOU WILL USE 707 00:28:51,264 --> 00:28:55,001 THE NIST SPECIAL PUBLICATION 708 00:28:55,001 --> 00:28:56,302 800-171A FOR YOUR 709 00:28:56,302 --> 00:28:58,505 SELF-ASSESSMENT, THIS IS A GUIDE 710 00:28:58,505 --> 00:29:00,707 TO ASSESS CONTROLS YOU 711 00:29:00,707 --> 00:29:03,643 IMPLEMENTED UNDER NIST SPECIAL 712 00:29:03,643 --> 00:29:04,711 PUBLICATION 800-171. 
713 00:29:04,711 --> 00:29:06,479 SIMILAR TO THE 171, IT HAS A 714 00:29:06,479 --> 00:29:08,081 SIMILAR FORMATTING, YOU HAVE THE 715 00:29:08,081 --> 00:29:10,116 CONTROL NUMBER, NAME OF THE 716 00:29:10,116 --> 00:29:11,618 CONTROL, AS WELL AS THE 717 00:29:11,618 --> 00:29:13,820 REQUIREMENTS YOU'RE GOING TO 718 00:29:13,820 --> 00:29:15,021 ASSESS YOURSELF AGAINST. 719 00:29:15,021 --> 00:29:18,324 IT WILL THEN OFFER YOU THREE 720 00:29:18,324 --> 00:29:19,759 METHODS OF ASSESSMENT. 721 00:29:19,759 --> 00:29:23,563 YOU CAN EXAMINE A POLICY OR 722 00:29:23,563 --> 00:29:24,197 PROCEDURE. 723 00:29:24,197 --> 00:29:25,999 YOU COULD INTERVIEW PERSONNEL. 724 00:29:25,999 --> 00:29:30,170 OR YOU CAN TECHNICALLY TEST THE 725 00:29:30,170 --> 00:29:30,870 CONTROL. 726 00:29:30,870 --> 00:29:31,604 WHAT LEVEL YOU CONDUCT 727 00:29:31,604 --> 00:29:33,807 ASSESSMENT IS UP TO YOU. 728 00:29:33,807 --> 00:29:36,209 AND WHAT YOU DETERMINE IS THE 729 00:29:36,209 --> 00:29:38,378 RIGHT BALANCE FOR YOUR 730 00:29:38,378 --> 00:29:39,179 ORGANIZATION'S MATURITY. 731 00:29:39,179 --> 00:29:41,381 YOU WILL WANT TO MAKE SURE YOU 732 00:29:41,381 --> 00:29:43,683 ASSESS AT THE RIGHT LEVEL, BASED 733 00:29:43,683 --> 00:29:45,752 ON THE CONTROLS YOU'VE 734 00:29:45,752 --> 00:29:47,620 IMPLEMENTED AND RESOURCES AND 735 00:29:47,620 --> 00:29:49,055 TIME AVAILABLE TO YOU. 736 00:29:49,055 --> 00:29:54,627 DEPENDING ON THE METHOD THE 171 737 00:29:54,627 --> 00:29:56,830 ASSESSMENT WILL ARTICULATE WHICH 738 00:29:56,830 --> 00:29:58,031 ARTIFACTS ARE REVIEWED, WHO SHOULD 739 00:29:58,031 --> 00:29:59,566 BE INTERVIEWED, WHAT CONTROLS MAY 740 00:29:59,566 --> 00:30:02,302 BE APPLICABLE TO ATTEST. 741 00:30:02,302 --> 00:30:04,304 TO RECAP, THE 171A WILL PROVIDE 742 00:30:04,304 --> 00:30:06,239 YOU WITH EVERYTHING YOU NEED TO 743 00:30:06,239 --> 00:30:10,743 KNOW FOR HOW TO CONDUCT A 744 00:30:10,743 --> 00:30:16,015 SELF-ASSESSMENT OF THE CONTROLS.
745 00:30:16,015 --> 00:30:16,983 NEXT SLIDE. 746 00:30:16,983 --> 00:30:21,254 THIS PROVIDES A WEALTH OF TOOLS 747 00:30:21,254 --> 00:30:22,655 FOR DOCUMENTING AND ASSESSING 748 00:30:22,655 --> 00:30:24,624 CONTROLS INCLUDING THE NIST 749 00:30:24,624 --> 00:30:25,625 CYBERSECURITY AND PRIVACY 750 00:30:25,625 --> 00:30:28,027 REFERENCE TOOLS AS WELL AS SOME 751 00:30:28,027 --> 00:30:29,796 CONTROL OVERLAY. 752 00:30:29,796 --> 00:30:32,198 THESE TOOLS SEEK TO ACCELERATE 753 00:30:32,198 --> 00:30:34,067 YOUR ADOPTION OF THE 171 SERIES, 754 00:30:34,067 --> 00:30:36,069 AND WILL ALLOW YOU TO EXPORT ALL 755 00:30:36,069 --> 00:30:38,571 THE CONTROLS INTO A NICE 756 00:30:38,571 --> 00:30:40,773 SPREADSHEET. 757 00:30:40,773 --> 00:30:42,742 YOU CAN USE THAT SPREADSHEET TO 758 00:30:42,742 --> 00:30:44,377 DOCUMENT YOUR CONTROLS AND 759 00:30:44,377 --> 00:30:45,945 IT BECOMES YOUR SYSTEM SECURITY PLAN 760 00:30:45,945 --> 00:30:48,548 AS WELL AS USE THAT TO DOCUMENT 761 00:30:48,548 --> 00:30:51,184 YOUR ASSESSMENT PLAN AND THE 762 00:30:51,184 --> 00:30:52,485 RESULTS OF YOUR ASSESSMENT. 763 00:30:52,485 --> 00:30:58,091 AT THE VERY BOTTOM WE WANTED TO 764 00:30:58,091 --> 00:30:59,392 SHARE AN INFORMATIVE 765 00:30:59,392 --> 00:31:01,828 PRESENTATION NIST PROVIDED 766 00:31:01,828 --> 00:31:07,167 AT A RECENT CYBER CONFERENCE 767 00:31:07,167 --> 00:31:08,935 COVERING EVERYTHING YOU NEED TO 768 00:31:08,935 --> 00:31:11,137 KNOW ABOUT THE 800-171 SERIES AS 769 00:31:11,137 --> 00:31:13,306 WELL AS PROVIDE A DEEP DIVE OF 770 00:31:13,306 --> 00:31:14,741 HOW YOU CAN LEVERAGE 771 00:31:14,741 --> 00:31:17,577 CYBERSECURITY AND PRIVACY TOOLS 772 00:31:17,577 --> 00:31:20,113 THAT NIST PROVIDES. 773 00:31:20,113 --> 00:31:21,648 NEXT SLIDE. 774 00:31:21,648 --> 00:31:21,948 OKAY. 775 00:31:21,948 --> 00:31:24,951 TO RECAP, IF YOU'RE AN I.T.
776 00:31:24,951 --> 00:31:26,352 SUPPORT STAFF MEMBER SUPPORTING 777 00:31:26,352 --> 00:31:29,956 THIS EFFORT, YOU ARE TO ASSESS 778 00:31:29,956 --> 00:31:32,959 IN-SCOPE SYSTEMS AGAINST NIST 779 00:31:32,959 --> 00:31:33,626 SPECIAL PUBLICATION 800-171 780 00:31:33,626 --> 00:31:33,893 CONTROLS. 781 00:31:33,893 --> 00:31:37,197 AND TO THE BEST OF YOUR ABILITY 782 00:31:37,197 --> 00:31:38,531 IMPLEMENT THOSE CONTROLS. 783 00:31:38,531 --> 00:31:41,501 YOU'RE ALSO TO DEVELOP A PLAN OF 784 00:31:41,501 --> 00:31:43,670 ACTION AND MILESTONES FOR ANY 785 00:31:43,670 --> 00:31:44,571 CONTROLS EITHER PARTIALLY 786 00:31:44,571 --> 00:31:47,073 IMPLEMENTED OR PLANNED TO BE 787 00:31:47,073 --> 00:31:49,042 IMPLEMENTED. 788 00:31:49,042 --> 00:31:53,213 ONCE THIS IS DONE YOUR 789 00:31:53,213 --> 00:31:54,113 INSTITUTION SHOULD COMMUNICATE 790 00:31:54,113 --> 00:31:55,448 COMPLIANCE STATUS TO STAFF AND 791 00:31:55,448 --> 00:31:58,484 RESEARCHERS SO THEY CAN ATTEST 792 00:31:58,484 --> 00:32:01,521 TO THE APPROPRIATE PROTECTION. 793 00:32:01,521 --> 00:32:03,389 IF YOU'RE A RESEARCHER ON OR 794 00:32:03,389 --> 00:32:06,226 AFTER JANUARY 25 YOU'RE TO 795 00:32:06,226 --> 00:32:08,328 ATTEST TO PROTECTING NIH GENOMIC 796 00:32:08,328 --> 00:32:09,629 CONTROLLED ACCESS DATA WHEN 797 00:32:09,629 --> 00:32:12,999 REQUESTING NEW ACCESS OR 798 00:32:12,999 --> 00:32:16,536 RENEWING ACCESS TO NIH 799 00:32:16,536 --> 00:32:19,372 CONTROLLED-ACCESS GENOMIC 800 00:32:19,372 --> 00:32:19,939 DATASETS. 801 00:32:19,939 --> 00:32:20,707 NEXT SLIDE. 802 00:32:20,707 --> 00:32:23,209 SO, LAST BUT NOT LEAST, WE 803 00:32:23,209 --> 00:32:25,511 WANTED TO POOL RESOURCES 804 00:32:25,511 --> 00:32:27,046 AVAILABLE TO YOU ON ONE SLIDE.
805 00:32:27,046 --> 00:32:29,349 NIH HAS A WEALTH OF INFORMATION 806 00:32:29,349 --> 00:32:31,684 THAT WE'VE PUBLISHED TO OUR 807 00:32:31,684 --> 00:32:33,186 PUBLIC SITES, AND THE LINKS ARE 808 00:32:33,186 --> 00:32:34,954 HERE FOR ALL THE INFORMATION YOU 809 00:32:34,954 --> 00:32:37,890 NEED TO KNOW ABOUT THE NIH 810 00:32:37,890 --> 00:32:40,860 SECURITY BEST PRACTICES, GENOMIC 811 00:32:40,860 --> 00:32:41,728 SHARING POLICY, FREQUENTLY ASKED 812 00:32:41,728 --> 00:32:43,896 QUESTIONS ARE HERE AS WELL AS 813 00:32:43,896 --> 00:32:47,100 LIST OF APPLICABLE NIH 814 00:32:47,100 --> 00:32:47,834 CONTROLLED ACCESS DATA 815 00:32:47,834 --> 00:32:48,501 REPOSITORIES. 816 00:32:48,501 --> 00:32:50,570 NIST AS WE MENTIONED ALSO HAS A 817 00:32:50,570 --> 00:32:52,739 WEALTH OF INFORMATION AVAILABLE 818 00:32:52,739 --> 00:32:55,308 TO YOU, SO THEY ARE LISTED HERE 819 00:32:55,308 --> 00:32:55,975 AS WELL. 820 00:32:55,975 --> 00:32:57,277 I WANTED TO THANK YOU FOR 821 00:32:57,277 --> 00:32:59,579 HANGING IN THERE AS WE COVERED 822 00:32:59,579 --> 00:33:01,814 THIS WEALTH OF INFORMATION. 823 00:33:01,814 --> 00:33:03,650 MICHAEL WILL SUPPORT ME TODAY 824 00:33:03,650 --> 00:33:06,719 AND WE WILL START OUR Q&A 825 00:33:06,719 --> 00:33:07,153 SESSION. 826 00:33:07,153 --> 00:33:09,222 MICHAEL WILL BE COORDINATING OUR 827 00:33:09,222 --> 00:33:10,990 SERVICES FOR OUR PANELISTS. 828 00:33:10,990 --> 00:33:11,858 MICHAEL, WELCOME. 829 00:33:11,858 --> 00:33:14,927 OVER TO YOU. 830 00:33:14,927 --> 00:33:18,631 >> THANK YOU, MS. FALVELLA. 831 00:33:18,631 --> 00:33:19,098 GREETINGS. 832 00:33:19,098 --> 00:33:20,066 I'M MICHAEL DEBRAH, 833 00:33:20,066 --> 00:33:22,268 COMMUNICATIONS LEAD, I WILL BE 834 00:33:22,268 --> 00:33:24,804 FACILITATING THE Q&A SESSION FOR 835 00:33:24,804 --> 00:33:25,805 TODAY'S EVENT. 
836 00:33:25,805 --> 00:33:26,472 PLEASE ENTER YOUR QUESTIONS IN 837 00:33:26,472 --> 00:33:29,075 THE Q&A AND FOR THOSE 838 00:33:29,075 --> 00:33:32,145 PARTICIPATING VIA ZOOM YOU'LL 839 00:33:32,145 --> 00:33:33,079 HAVE ABILITY TO UPVOTE QUESTIONS 840 00:33:33,079 --> 00:33:34,547 ENTERED IN THE Q&A FOR 841 00:33:34,547 --> 00:33:35,548 PRESENTERS TO ADDRESS. 842 00:33:35,548 --> 00:33:37,850 WE'LL TRY OUR BEST TO ANSWER AS 843 00:33:37,850 --> 00:33:39,485 MANY RELEVANT QUESTIONS AS 844 00:33:39,485 --> 00:33:40,920 POSSIBLE DURING THIS DEDICATED 845 00:33:40,920 --> 00:33:41,154 HOUR. 846 00:33:41,154 --> 00:33:45,758 ADDITIONAL QUESTIONS MAY BE SENT 847 00:33:45,758 --> 00:33:49,595 TO GDS@MAIL.NIH.GOV. 848 00:33:49,595 --> 00:33:50,897 SO TO KICK THINGS OFF THE FIRST 849 00:33:50,897 --> 00:33:54,500 QUESTION WILL BE ROUTED TO 850 00:33:54,500 --> 00:33:54,934 MS. FALVELLA. 851 00:33:54,934 --> 00:33:58,771 ARE WORK STATIONS THAT INTERACT WITH 852 00:33:58,771 --> 00:34:00,540 THE SYSTEM IN SCOPE? 853 00:34:00,540 --> 00:34:01,140 >> THANKS, MICHAEL. 854 00:34:01,140 --> 00:34:04,477 YES, SHORT ANSWER IS YES, WORK 855 00:34:04,477 --> 00:34:06,346 STATIONS THAT INTERACT WITH NIH 856 00:34:06,346 --> 00:34:08,548 CONTROLLED ACCESS DATA ARE 857 00:34:08,548 --> 00:34:10,883 WITHIN SCOPE. 858 00:34:10,883 --> 00:34:15,455 ANY SYSTEM THAT DOWNLOADS, 859 00:34:15,455 --> 00:34:17,623 PROCESSES, ACCESSES, TRANSMITS, 860 00:34:17,623 --> 00:34:18,791 STORES, NIH CONTROLLED-ACCESS 861 00:34:18,791 --> 00:34:20,693 DATA APPLICABLE TO THE NIH 862 00:34:20,693 --> 00:34:24,330 GENOMIC DATA SHARING POLICY IS 863 00:34:24,330 --> 00:34:26,866 WITHIN SCOPE. 864 00:34:26,866 --> 00:34:28,701 >> SOUNDS GOOD. 865 00:34:28,701 --> 00:34:32,672 NOW, DR. JACOBS, THIS IS FOR 866 00:34:32,672 --> 00:34:32,872 YOU.
867 00:34:32,872 --> 00:34:35,208 IT READS, IF YOU HAVE GENOMIC 868 00:34:35,208 --> 00:34:37,643 DATA FROM ONE BASE NEEDED FOR 869 00:34:37,643 --> 00:34:38,511 PERFORMANCE OF NIH-FUNDED GRANT 870 00:34:38,511 --> 00:34:40,713 WILL THE COST OF COMPLIANCE BE 871 00:34:40,713 --> 00:34:45,284 CHARGEABLE AS DIRECT COST TO THE 872 00:34:45,284 --> 00:34:45,485 GRANT? 873 00:34:45,485 --> 00:34:49,122 >> YES, SO FOR THAT QUESTION, 874 00:34:49,122 --> 00:34:55,628 THE ANSWER REALLY NEEDS TO BE 875 00:34:55,628 --> 00:34:56,396 ADDRESSED TO NIH'S GRANTS 876 00:34:56,396 --> 00:34:57,463 MANAGEMENT TEAM BECAUSE THERE 877 00:34:57,463 --> 00:35:00,433 ARE A LOT OF DEPENDENCIES AND 878 00:35:00,433 --> 00:35:03,302 HOW THAT AWARD IS COMPOSED AND 879 00:35:03,302 --> 00:35:06,472 EXACTLY HOW THE DATA WOULD BE 880 00:35:06,472 --> 00:35:07,106 MANAGED AND SHARED. 881 00:35:07,106 --> 00:35:11,411 AND SO WE'LL BE PUTTING A LINK 882 00:35:11,411 --> 00:35:15,014 IN THE CHAT TO CONTACT GRANTS 883 00:35:15,014 --> 00:35:15,982 MANAGEMENT AT NIH. 884 00:35:15,982 --> 00:35:20,453 SO THEY CAN GIVE A MORE ACCURATE 885 00:35:20,453 --> 00:35:22,455 QUESTION BASED ON HOW THE 886 00:35:22,455 --> 00:35:23,890 FUNDING MECHANISM IS SET UP AND 887 00:35:23,890 --> 00:35:29,362 HOW THAT DATA OUGHT TO BE 888 00:35:29,362 --> 00:35:31,697 SHARED. 889 00:35:31,697 --> 00:35:32,331 >> THANK YOU. 890 00:35:32,331 --> 00:35:33,766 ANOTHER QUESTION FOR YOU. 891 00:35:33,766 --> 00:35:36,469 CAN YOU PLEASE CLARIFY WHAT THE 892 00:35:36,469 --> 00:35:37,703 RESEARCHERS ARE CERTIFYING TO, 893 00:35:37,703 --> 00:35:45,711 WILL ONLY RESEARCHERS THAT NEED 894 00:35:45,711 --> 00:35:51,717 TO NIST 800-171 BE ASKED TO 895 00:35:51,717 --> 00:35:51,951 CERTIFY? 896 00:35:51,951 --> 00:35:53,486 >> WE CAN TAG TEAM THIS 897 00:35:53,486 --> 00:35:53,986 QUESTION. 
898 00:35:53,986 --> 00:35:59,725 I'LL BEGIN BY SAYING THAT THE 899 00:35:59,725 --> 00:36:04,797 ATTESTATION WILL BE -- WILL 900 00:36:04,797 --> 00:36:08,835 CONSIST OF A SELF-ASSESSMENT OF 901 00:36:08,835 --> 00:36:13,005 SECURING NIST CONTROLS, BY THE 902 00:36:13,005 --> 00:36:16,843 INSTITUTIONAL, EXCUSE ME, 903 00:36:16,843 --> 00:36:17,944 SECURITY STAFF INSTITUTIONAL 904 00:36:17,944 --> 00:36:20,780 TECHNOLOGY DIRECTOR OR OTHER 905 00:36:20,780 --> 00:36:21,848 PERSONS AT THAT INSTITUTION 906 00:36:21,848 --> 00:36:25,418 ASSESSING THAT THEY ARE ABLE TO 907 00:36:25,418 --> 00:36:26,619 MEET NIST CONTROLS INCLUDING 908 00:36:26,619 --> 00:36:33,226 PLANS OF ACTIONS AND MILESTONES 909 00:36:33,226 --> 00:36:33,960 THAT ARE OUTLINED. 910 00:36:33,960 --> 00:36:38,030 THAT'S WHAT THEY ARE ATTESTING 911 00:36:38,030 --> 00:36:38,197 TO. 912 00:36:38,197 --> 00:36:38,865 THERE'S BEEN A SELF-ASSESSMENT, 913 00:36:38,865 --> 00:36:42,001 THERE ARE SECURITY CONTROLS IN 914 00:36:42,001 --> 00:36:44,537 PLACE, AND MILESTONES TO MEET 915 00:36:44,537 --> 00:36:50,042 THOSE THAT ARE PARTIALLY 916 00:36:50,042 --> 00:36:50,776 IMPLEMENTED. 917 00:36:50,776 --> 00:36:54,914 AND WOULD BE ATTESTED BY 918 00:36:54,914 --> 00:36:56,349 PRINCIPAL INVESTIGATOR 919 00:36:56,349 --> 00:36:57,316 SUBMITTING THE REQUEST, AND 920 00:36:57,316 --> 00:36:58,751 INSTITUTIONAL SIGNING OFFICIAL 921 00:36:58,751 --> 00:37:04,357 ON BEHALF OF THE INSTITUTION, SO 922 00:37:04,357 --> 00:37:06,425 THE AUTHORIZED INDIVIDUAL AOR 923 00:37:06,425 --> 00:37:09,495 ARE NOT EXPECTED, AND 924 00:37:09,495 --> 00:37:14,734 MS. FALVELLA CAN ADD TO WHAT 925 00:37:14,734 --> 00:37:17,036 I'VE STATED. 926 00:37:17,036 --> 00:37:19,138 >> THE I.T.
SUPPORT STAFF ARE 927 00:37:19,138 --> 00:37:22,308 REALLY THE PRIMARY ROLES WHO 928 00:37:22,308 --> 00:37:25,611 WILL BE REVIEWING THE 800-171 929 00:37:25,611 --> 00:37:27,580 CONTROL FAMILIES DOCUMENTING THE 930 00:37:27,580 --> 00:37:28,981 CONTROLS, COORDINATING 931 00:37:28,981 --> 00:37:32,151 ASSESSMENT OF THOSE CONTROLS, 932 00:37:32,151 --> 00:37:32,952 AND THEN INSTITUTION, AND 933 00:37:32,952 --> 00:37:35,121 IMPLEMENTING TO THE BEST OF 934 00:37:35,121 --> 00:37:38,624 THEIR ABILITY THE CONTROLS AS 935 00:37:38,624 --> 00:37:40,359 DR. JACOBS MENTIONED, THE I.T. 936 00:37:40,359 --> 00:37:41,894 STAFF WILL ALSO BE DEVELOPING 937 00:37:41,894 --> 00:37:44,096 ANY PLAN OF ACTIONS AND 938 00:37:44,096 --> 00:37:48,034 MILESTONES, ONCE ALL OF THAT IS 939 00:37:48,034 --> 00:37:48,834 DONE. 940 00:37:48,834 --> 00:37:50,236 THEN THE INSTITUTION SHOULD 941 00:37:50,236 --> 00:37:52,204 COMMUNICATE OUT THE COMPLIANCE 942 00:37:52,204 --> 00:37:54,507 STATUS TO THEIR STAFF, AND TO 943 00:37:54,507 --> 00:37:56,909 RESEARCHERS, AND THAT WILL ALLOW 944 00:37:56,909 --> 00:38:00,112 THE RESEARCHERS TO ATTEST TO THE 945 00:38:00,112 --> 00:38:01,180 STANDARDS AND BE GIVEN 946 00:38:01,180 --> 00:38:03,516 REASONABLE ASSURANCES THAT THEY 947 00:38:03,516 --> 00:38:05,618 ARE COMPLIANT WITH THEIR DATA 948 00:38:05,618 --> 00:38:08,321 USE AGREEMENTS FOR THE DATA 949 00:38:08,321 --> 00:38:09,522 REPOSITORIES THEY ARE REQUESTING 950 00:38:09,522 --> 00:38:11,290 ACCESS TO BUT CHERYL IS SPOT ON, 951 00:38:11,290 --> 00:38:14,694 JUST A LITTLE CONTEXT ON THE 952 00:38:14,694 --> 00:38:15,761 ROLES. 953 00:38:15,761 --> 00:38:15,995 THANKS. 954 00:38:15,995 --> 00:38:19,065 >> SOUNDS GOOD. 955 00:38:19,065 --> 00:38:23,769 THANK YOU SO MUCH. 956 00:38:23,769 --> 00:38:25,204 NOW, WE HAVE SOME QUESTIONS FROM 957 00:38:25,204 --> 00:38:26,606 THE LIVE Q&A SECTION. 958 00:38:26,606 --> 00:38:31,010 I'M GOING TO TURN MY ATTENTION 959 00:38:31,010 --> 00:38:32,178 TO THAT. 
960 00:38:32,178 --> 00:38:39,285 THIS IS FOR YOU GIVEN THE SHORT 961 00:38:39,285 --> 00:38:40,820 NOTIFICATION TIME IS NIH 962 00:38:40,820 --> 00:38:44,457 CONSIDERING EXTENDING DEADLINE 963 00:38:44,457 --> 00:38:45,458 FOR IMPLEMENTATION, RESEARCH 964 00:38:45,458 --> 00:38:48,894 WILL BE LIMITED GIVEN LACK OF 965 00:38:48,894 --> 00:38:50,896 TIME TO IMPLEMENT. 966 00:38:50,896 --> 00:38:52,665 AND NUMEROUS QUESTIONS, 967 00:38:52,665 --> 00:38:56,168 REGARDING HOW TO DEMONSTRATE 968 00:38:56,168 --> 00:38:57,570 COMPLIANCE, IMPLEMENTATION MAY 969 00:38:57,570 --> 00:38:59,105 BE PARTICULARLY WARRANTED GIVEN 970 00:38:59,105 --> 00:39:02,308 EVEN EFFECT OF THE POLICY 971 00:39:02,308 --> 00:39:06,445 DEPENDING ON WHEN USERS DATA 972 00:39:06,445 --> 00:39:07,546 ACCESS RENEWS, VERBOSE BUT YOU 973 00:39:07,546 --> 00:39:09,849 GET THE GIST. 974 00:39:09,849 --> 00:39:18,858 WHAT'S THE REACTION TO THAT? 975 00:39:18,858 --> 00:39:22,028 >> I'LL LET MS. FALVELLA BEGIN. 976 00:39:22,028 --> 00:39:23,462 >> SORRY, DELAY TO UNMUTE. 977 00:39:23,462 --> 00:39:26,165 NIH IS NOT CONSIDERING DELAYING 978 00:39:26,165 --> 00:39:27,500 THE DEADLINE FOR IMPLEMENTATION, 979 00:39:27,500 --> 00:39:29,902 GUIDE NOTICE WAS RELEASED IN 980 00:39:29,902 --> 00:39:33,606 JULY OF LAST YEAR, AND WE FEEL 981 00:39:33,606 --> 00:39:37,543 THERE'S ENOUGH TIME FOR 982 00:39:37,543 --> 00:39:38,110 INSTITUTIONS TO SELF-ASSESS 983 00:39:38,110 --> 00:39:39,979 AGAINST 171 STANDARD AND DEVELOP 984 00:39:39,979 --> 00:39:41,180 PLAN OF ACTION MILESTONES FOR 985 00:39:41,180 --> 00:39:43,482 HOW THEY WILL BRING SYSTEMS 986 00:39:43,482 --> 00:39:47,753 FULLY INTO MEETING THE CONTROL 987 00:39:47,753 --> 00:39:48,054 SET. 
988 00:39:48,054 --> 00:39:53,192 WITH THOSE OPTIONS AVAILABLE TO 989 00:39:53,192 --> 00:39:55,394 STAFF, TO INSTITUTIONS, TIME TO 990 00:39:55,394 --> 00:39:56,495 IMPLEMENT GUIDE NOTICE AND 991 00:39:56,495 --> 00:39:59,465 PROTECT DATA IN ACCORDANCE WITH 992 00:39:59,465 --> 00:40:00,232 THE GUIDE NOTICE. 993 00:40:00,232 --> 00:40:01,701 CHERYL, I DON'T KNOW IF YOU HAVE 994 00:40:01,701 --> 00:40:11,844 ANYTHING TO ADD TO THAT. 995 00:40:11,844 --> 00:40:15,014 >> TO MEET THE NIST STANDARDS, 996 00:40:15,014 --> 00:40:16,549 IT'S BUILT IN FLEXIBILITY WITH 997 00:40:16,549 --> 00:40:19,385 THAT, THERE ARE EXISTING 998 00:40:19,385 --> 00:40:20,820 SECURITY CONTROLS OF YOUR SYSTEM 999 00:40:20,820 --> 00:40:23,556 AND IF YOU HAVE NOT SECURED ALL 1000 00:40:23,556 --> 00:40:26,926 THE CONTROLS, HAVING A PLAN OF 1001 00:40:26,926 --> 00:40:28,661 ACTION AND MILESTONE IS -- WILL 1002 00:40:28,661 --> 00:40:31,030 ALLOW YOUR INSTITUTION TO ATTEST 1003 00:40:31,030 --> 00:40:34,934 YOUR SECURITY DATA ACCORDING TO 1004 00:40:34,934 --> 00:40:37,136 THE NIST 800-171. 1005 00:40:37,136 --> 00:40:38,471 >> GREAT POINT. 1006 00:40:38,471 --> 00:40:40,539 MOST PEOPLE WILL REALIZE ONCE 1007 00:40:40,539 --> 00:40:43,275 THEY DIVE IN, MOST I.T. 
SHOPS 1008 00:40:43,275 --> 00:40:46,912 WILL REALIZE ONCE THEY DIVE IN 1009 00:40:46,912 --> 00:40:48,547 THE CONTROLS ARE THE BEST 1010 00:40:48,547 --> 00:40:50,082 PRACTICES FOR TODAY'S MODERN 1011 00:40:50,082 --> 00:40:52,952 WORLD, AND SO I THINK MOST 1012 00:40:52,952 --> 00:40:54,120 ORGANIZATIONS FIND ONCE THEY GET 1013 00:40:54,120 --> 00:40:55,488 STARTED ON LOOKING AT THE 1014 00:40:55,488 --> 00:40:57,022 CONTROLS THAT THEY ACTUALLY ARE 1015 00:40:57,022 --> 00:40:59,091 MEETING A MAJORITY OF THOSE 1016 00:40:59,091 --> 00:41:01,861 TODAY, I THINK MOST 1017 00:41:01,861 --> 00:41:03,496 ORGANIZATIONS FOR EXAMPLE 1018 00:41:03,496 --> 00:41:04,897 CONDUCT TRAINING ON SECURITY 1019 00:41:04,897 --> 00:41:07,633 AWARENESS, AND DO THINGS LIKE 1020 00:41:07,633 --> 00:41:08,667 ACCESS CONTROL THROUGH, YOU 1021 00:41:08,667 --> 00:41:11,470 KNOW, USER NAME AND PASSWORDS 1022 00:41:11,470 --> 00:41:13,339 WITH TOKENS, SO I THINK A LOT OF 1023 00:41:13,339 --> 00:41:15,975 THESE THINGS ONCE YOU DIVE INTO 1024 00:41:15,975 --> 00:41:18,811 THE SERIES IT SHOULD PUT SOME OF 1025 00:41:18,811 --> 00:41:20,346 YOUR CONCERNS AT EASE. 1026 00:41:20,346 --> 00:41:22,314 AND THE NIST PROVIDES A WEALTH 1027 00:41:22,314 --> 00:41:25,050 OF RESOURCES FOR HOW TO 1028 00:41:25,050 --> 00:41:26,585 IMPLEMENT THE CONTROLS WITH 1029 00:41:26,585 --> 00:41:29,355 VARYING LEVELS OF MATURITY SO 1030 00:41:29,355 --> 00:41:31,624 EVEN ORGANIZATIONS THAT HAVE 1031 00:41:31,624 --> 00:41:34,593 VERY SMALL RESOURCES HAVE 1032 00:41:34,593 --> 00:41:39,298 FOUND THE SERIES IS EASIER TO 1033 00:41:39,298 --> 00:41:42,134 ADOPT THAN THEY GENERALLY 1034 00:41:42,134 --> 00:41:42,468 THOUGHT. 1035 00:41:42,468 --> 00:41:47,439 SO DEFINITELY USE THE RESOURCES 1036 00:41:47,439 --> 00:41:57,516 PROVIDED BY NIST AND HOPEFULLY 1037 00:41:57,516 --> 00:41:59,151 THAT WILL HELP.
1038 00:41:59,151 --> 00:42:03,956 IS DATA PROCESSED ON THE NIH 1039 00:42:03,956 --> 00:42:06,358 SERVER COVERED, NOT A DOWNLOADED 1040 00:42:06,358 --> 00:42:10,629 DATASET PER SE BUT CATALYST. 1041 00:42:10,629 --> 00:42:15,100 >> YES, WHAT WE'RE TALKING ABOUT 1042 00:42:15,100 --> 00:42:21,140 IS A P.I. SUBMITS A DATA ACCESS 1043 00:42:21,140 --> 00:42:23,776 REQUEST TO ONE OF THE 20 1044 00:42:23,776 --> 00:42:25,110 REPOSITORIES LISTED AND 1045 00:42:25,110 --> 00:42:26,412 APPROVED. 1046 00:42:26,412 --> 00:42:28,380 THAT DATA WHEN DOWNLOADED WOULD 1047 00:42:28,380 --> 00:42:33,519 BE EXPECTED TO BE SECURED 1048 00:42:33,519 --> 00:42:35,955 ACCORDING TO NIST 800-171. 1049 00:42:35,955 --> 00:42:38,657 NOW, THAT DATA IN YOUR 1050 00:42:38,657 --> 00:42:45,598 POSSESSION, YOU MAY WANT TO USE 1051 00:42:45,598 --> 00:42:48,634 THE IMPUTATION SERVER. THE TOPMed 1052 00:42:48,634 --> 00:42:52,905 IMPUTATION SERVER HAS SECURITY 1053 00:42:52,905 --> 00:42:57,209 STANDARDS IN PLACE THAT DO MEET 1054 00:42:57,209 --> 00:42:59,845 171, AND REALLY WHAT WE'RE 1055 00:42:59,845 --> 00:43:01,914 TALKING ABOUT IS HAVING THE P.I. 1056 00:43:01,914 --> 00:43:05,317 WHEN THEY ARE IN POSSESSION OF 1057 00:43:05,317 --> 00:43:06,819 THAT DATA, NOT NECESSARILY WHEN 1058 00:43:06,819 --> 00:43:08,787 THEY SHARE WITH IMPUTATION 1059 00:43:08,787 --> 00:43:11,223 SERVER, BUT THE SERVER IS ALSO 1060 00:43:11,223 --> 00:43:14,627 AT THAT STANDARD BUT WE'RE 1061 00:43:14,627 --> 00:43:15,928 TALKING ABOUT PRINCIPAL 1062 00:43:15,928 --> 00:43:17,429 INVESTIGATORS APPROVED WHO HAVE 1063 00:43:17,429 --> 00:43:21,267 DATA AND DOWNLOAD IT TO A LOCAL 1064 00:43:21,267 --> 00:43:23,035 SYSTEM OR THIRD PARTY I.T. 1065 00:43:23,035 --> 00:43:27,740 SYSTEM THEY ARE SECURING THAT 1066 00:43:27,740 --> 00:43:31,143 DATA ACCORDING TO NIST 800-171. 1067 00:43:31,143 --> 00:43:33,846 >> THANK YOU. 1068 00:43:33,846 --> 00:43:36,849 MS.
FALVELLA, WHAT IS THE 1069 00:43:36,849 --> 00:43:43,956 MINIMAL ENCRYPTION STRENGTH 1070 00:43:43,956 --> 00:43:54,433 TO STORE dbGaP DATA, 128 IS 1071 00:44:01,907 --> 00:44:02,408 THAT ENOUGH? 1072 00:44:02,408 --> 00:44:05,678 >> THE CONTROL SETS, ENCRYPTION 1073 00:44:05,678 --> 00:44:06,879 MUST BE USED, REFERENCES AT THE 1074 00:44:06,879 --> 00:44:11,116 BOTTOM OF THE CONTROL THAT 1075 00:44:11,116 --> 00:44:18,057 ENCRYPTION MUST BE 140-3 1076 00:44:18,057 --> 00:44:20,259 CERTIFIED, DBC IS COMPLIANT BUT 1077 00:44:20,259 --> 00:44:21,794 I'M JUST REFERENCING HOW OTHER 1078 00:44:21,794 --> 00:44:26,632 INSTITUTIONS WHO MAY USE OTHER 1079 00:44:26,632 --> 00:44:27,533 ENCRYPTION PROTOCOLS CAN FIND 1080 00:44:27,533 --> 00:44:29,568 OUT THEY ARE COMPLIANT. 1081 00:44:29,568 --> 00:44:31,136 GO TO CONTROLS IN 171 CONTROL 1082 00:44:31,136 --> 00:44:33,872 SERIES, GO TO THAT BOTTOM 1083 00:44:33,872 --> 00:44:35,274 SECTION UNDER REFERENCES, THEY 1084 00:44:35,274 --> 00:44:38,577 WILL SEE A LINK TO 140-3, CLICK 1085 00:44:38,577 --> 00:44:40,546 ON THAT, THEY CAN FIND A WEALTH 1086 00:44:40,546 --> 00:44:42,748 OF INFORMATION OF ALL THE 1087 00:44:42,748 --> 00:44:44,917 PROTOCOLS THAT COULD BE 1088 00:44:44,917 --> 00:44:50,289 COMPLIANT TO MEET STANDARDS OF 1089 00:44:50,289 --> 00:44:51,824 THE 171 CONTROL SERIES. 1090 00:44:51,824 --> 00:44:57,262 BUT IN SHORT, YES. 1091 00:44:57,262 --> 00:44:58,163 THANK YOU. 1092 00:44:58,163 --> 00:44:59,932 >> I HOPE THAT ADDRESSES YOUR 1093 00:44:59,932 --> 00:45:01,533 CONCERN. 1094 00:45:01,533 --> 00:45:05,404 THE ANSWER IS QUESTION. 1095 00:45:05,404 --> 00:45:06,605 DR. JACOBS, SELF-ATTESTATION 1096 00:45:06,605 --> 00:45:08,040 IMPLIES THAT THE P.I. OR 1097 00:45:08,040 --> 00:45:11,210 INSTITUTION IS FULLY ACCOUNTABLE 1098 00:45:11,210 --> 00:45:12,611 FOR COMPLYING WITH 800-171.
1099 00:45:12,611 --> 00:45:16,148 IN THE EVENT OF AN INCIDENT 1100 00:45:16,148 --> 00:45:17,683 WHERE THERE'S UNAPPROVED ACCESS 1101 00:45:17,683 --> 00:45:20,619 TO THE DATA, WHAT ACTIONS COULD 1102 00:45:20,619 --> 00:45:25,124 NIH TAKE AND IS THERE AN 1103 00:45:25,124 --> 00:45:26,425 ESCALATING SCALE OF 1104 00:45:26,425 --> 00:45:26,759 CONSEQUENCES? 1105 00:45:26,759 --> 00:45:31,663 >> YES, SO IN THAT INSTANCE, 1106 00:45:31,663 --> 00:45:34,066 THERE ARE TERMS ON HOW TO DEAL 1107 00:45:34,066 --> 00:45:37,936 WITH AN INCIDENT SUCH AS THAT, 1108 00:45:37,936 --> 00:45:39,471 EITHER A CYBERSECURITY INCIDENT 1109 00:45:39,471 --> 00:45:44,043 OR DATA MANAGEMENT INCIDENT. 1110 00:45:44,043 --> 00:45:46,512 AND THERE ARE DIRECTIONS IN THE 1111 00:45:46,512 --> 00:45:51,250 AGREEMENT HOW TO DEAL WITH SUCH 1112 00:45:51,250 --> 00:45:55,421 AN EVENT, CONTACTING NIH AND 1113 00:45:55,421 --> 00:45:59,291 THEN WORKING WITH NIH TO ADDRESS 1114 00:45:59,291 --> 00:45:59,858 THE INCIDENT. 1115 00:45:59,858 --> 00:46:02,795 AND SO THERE ARE MULTIPLE 1116 00:46:02,795 --> 00:46:05,531 DEPENDENCIES HERE, ON THE TYPE 1117 00:46:05,531 --> 00:46:07,733 OF COMPLIANCE ACTIONS THAT NIH 1118 00:46:07,733 --> 00:46:12,438 WOULD TAKE, BUT MOST IMPORTANT 1119 00:46:12,438 --> 00:46:15,774 IS THAT NIH -- THAT IF THE 1120 00:46:15,774 --> 00:46:19,044 APPROVED USER, THAT THE APPROVED 1121 00:46:19,044 --> 00:46:21,313 USER RESPONDS TO NIH IN A TIMELY 1122 00:46:21,313 --> 00:46:25,317 MANNER AND IS VERY COOPERATIVE 1123 00:46:25,317 --> 00:46:28,187 WANTING TO GET THE INCIDENT 1124 00:46:28,187 --> 00:46:31,690 REMEDIATED AND RESOLVED, AND 1125 00:46:31,690 --> 00:46:33,092 THEN ADDITIONAL ENHANCEMENTS PUT 1126 00:46:33,092 --> 00:46:35,060 IN PLACE. 1127 00:46:35,060 --> 00:46:37,796 AND OPERATIONS AND PROCESS SO IT 1128 00:46:37,796 --> 00:46:40,432 WOULDN'T HAPPEN AGAIN. 1129 00:46:40,432 --> 00:46:41,333 >> SOUNDS GOOD. 1130 00:46:41,333 --> 00:46:45,471 ALSO FOR YOU, DR. 
JACOBS, DOES 1131 00:46:45,471 --> 00:46:47,206 THE NIST 800-171 REQUIREMENT 1132 00:46:47,206 --> 00:46:48,740 APPLY TO DATA DOWNLOADED FROM A 1133 00:46:48,740 --> 00:46:50,843 CONTROLLED ACCESS REPOSITORY OR 1134 00:46:50,843 --> 00:46:54,880 ONLY TO GENOMIC DATA EXPORTED, 1135 00:46:54,880 --> 00:46:58,150 IF A RESEARCHER DOWNLOADED 1136 00:46:58,150 --> 00:46:59,051 DE-IDENTIFIED SURVEY RESPONSES 1137 00:46:59,051 --> 00:47:03,088 DOES THE REQUIREMENT APPLY THERE 1138 00:47:03,088 --> 00:47:03,622 AS WELL? 1139 00:47:03,622 --> 00:47:07,226 >> YEAH, SO FOR THE NIST 1140 00:47:07,226 --> 00:47:10,329 REQUIREMENT, IT APPLIES TO THE 1141 00:47:10,329 --> 00:47:14,032 ENTIRE REPOSITORY, SO IF ONE OF 1142 00:47:14,032 --> 00:47:15,467 THOSE REPOSITORIES HAS 1143 00:47:15,467 --> 00:47:17,202 CONTROLLED ACCESS DATA, ALTHOUGH 1144 00:47:17,202 --> 00:47:20,272 NOT GENOMIC AND YOU GET ACCESS 1145 00:47:20,272 --> 00:47:22,774 TO THAT DATA, YOU WOULD BE 1146 00:47:22,774 --> 00:47:27,479 EXPECTED TO SECURE THE DATA 1147 00:47:27,479 --> 00:47:30,149 ACCORDING TO NIST 800-171. 1148 00:47:30,149 --> 00:47:31,216 WHEN GENOMIC DATA IS GENERATED 1149 00:47:31,216 --> 00:47:36,155 IT'S NOT IN ISOLATION. 1150 00:47:36,155 --> 00:47:37,689 ASSOCIATED DATA IS ALSO 1151 00:47:37,689 --> 00:47:37,990 GENERATED. 1152 00:47:37,990 --> 00:47:41,260 DATA FROM ONE OF THOSE 20 1153 00:47:41,260 --> 00:47:44,897 REPOSITORIES WILL STILL BE 1154 00:47:44,897 --> 00:47:46,865 EXPECTED TO MEET THE NIST SECURITY 1155 00:47:46,865 --> 00:47:47,266 STANDARD. 1156 00:47:47,266 --> 00:47:49,401 >> ONE MORE BEFORE I TURN MY 1157 00:47:49,401 --> 00:47:53,205 ATTENTION TO DR. FALVELLA. 1158 00:47:53,205 --> 00:47:55,040 WILL THE SIGNING OFFICIAL 1159 00:47:55,040 --> 00:47:55,908 ATTESTATION ALWAYS BE REQUIRED 1160 00:47:55,908 --> 00:47:59,678 OR WILL ANY OF THE REPOSITORIES 1161 00:47:59,678 --> 00:48:02,080 RELY EXCLUSIVELY ON P.I. 1162 00:48:02,080 --> 00:48:02,381 ATTESTATION? 
1163 00:48:02,381 --> 00:48:03,415 >> YEAH, THIS IS GOOD. 1164 00:48:03,415 --> 00:48:07,386 THIS IS GOOD. 1165 00:48:07,386 --> 00:48:09,755 I WANT TO REEMPHASIZE THAT WHAT 1166 00:48:09,755 --> 00:48:12,824 WE HAVE RIGHT NOW, WHAT EXISTS 1167 00:48:12,824 --> 00:48:15,761 NOW IS THAT WE EXPECT THE P.I. 1168 00:48:15,761 --> 00:48:18,964 WHEN REQUESTING ACCESS FOR DATA, 1169 00:48:18,964 --> 00:48:25,537 THE P.I. TO APPROVE THAT THEY 1170 00:48:25,537 --> 00:48:27,706 WILL MEET TERMS OF ACCESS IN THE 1171 00:48:27,706 --> 00:48:29,374 DATA USE CERTIFICATION AGREEMENT 1172 00:48:29,374 --> 00:48:31,109 AND FOR THE INSTITUTION TO DO 1173 00:48:31,109 --> 00:48:33,745 THAT, THAT DO IT IN KIND. 1174 00:48:33,745 --> 00:48:36,782 AND HOW THE INSTITUTION ATTESTS 1175 00:48:36,782 --> 00:48:38,016 NOW IS USE OF INSTITUTIONAL 1176 00:48:38,016 --> 00:48:38,784 SIGNING OFFICIAL. 1177 00:48:38,784 --> 00:48:42,588 SO THE USE OF THOSE TWO BODIES, 1178 00:48:42,588 --> 00:48:45,457 THE P.I. AND THEN INSTITUTIONAL 1179 00:48:45,457 --> 00:48:48,293 SIGNING OFFICIAL, ON BEHALF OF 1180 00:48:48,293 --> 00:48:51,163 THE INSTITUTION, THAT WILL NOT 1181 00:48:51,163 --> 00:48:52,831 CHANGE. 1182 00:48:52,831 --> 00:48:55,434 AND SO WHAT WE ARE EXPECTING AS 1183 00:48:55,434 --> 00:48:57,703 AN ATTESTATION BUT THIS IS IN 1184 00:48:57,703 --> 00:48:59,805 LINE WITH THE DAR PROCESS, IN 1185 00:48:59,805 --> 00:49:02,774 LINE WITH THOSE INDIVIDUALS THAT 1186 00:49:02,774 --> 00:49:05,244 WE ALREADY EXPECT, TO SIGN OFF 1187 00:49:05,244 --> 00:49:06,945 ON AGREEING TO THE TERMS. 1188 00:49:06,945 --> 00:49:09,781 SO WHEN ACCESS IS APPROVED, 1189 00:49:09,781 --> 00:49:11,950 ACCESS IS APPROVED FOR THE P.I. 
1190 00:49:11,950 --> 00:49:14,152 AS WELL AS THE P.I.'S 1191 00:49:14,152 --> 00:49:16,922 INSTITUTION, SO WE'LL BE 1192 00:49:16,922 --> 00:49:18,557 EXPECTING INSTITUTIONAL SIGNING 1193 00:49:18,557 --> 00:49:20,092 OFFICIAL TO ATTEST, AND SO THEY 1194 00:49:20,092 --> 00:49:21,393 SHOULD HAVE KNOWLEDGE THAT WHAT 1195 00:49:21,393 --> 00:49:24,896 THEY ARE ATTESTING TO IS 1196 00:49:24,896 --> 00:49:28,934 ACCURATE, AS WELL AS THE 1197 00:49:28,934 --> 00:49:30,035 PRINCIPAL INVESTIGATOR AND 1198 00:49:30,035 --> 00:49:31,470 MS. FALVELLA, IF YOU WOULD LIKE 1199 00:49:31,470 --> 00:49:33,005 TO ADD ANYTHING, THERE'S STILL 1200 00:49:33,005 --> 00:49:35,407 QUESTIONS ABOUT THE AOR AND 1201 00:49:35,407 --> 00:49:37,909 THEIR ROLE, WE MIGHT WANT TO 1202 00:49:37,909 --> 00:49:40,979 JUST CLARIFY AGAIN WHAT WE'RE 1203 00:49:40,979 --> 00:49:42,748 ASKING FOR. 1204 00:49:42,748 --> 00:49:44,383 >> YEAH, SO WE'RE ASKING 1205 00:49:44,383 --> 00:49:45,517 INSTITUTIONS TO -- THIS IS 1206 00:49:45,517 --> 00:49:48,220 LARGELY, AGAIN, GOING TO BE DONE 1207 00:49:48,220 --> 00:49:51,723 BY THEIR I.T., YOUR I.T. SHOP, 1208 00:49:51,723 --> 00:49:54,893 TO ASSESS YOURSELF AGAINST THE 1209 00:49:54,893 --> 00:49:56,795 800-171 CONTROL SERIES, RIGHT? 1210 00:49:56,795 --> 00:50:00,532 THAT REQUIRES YOU TO REVIEW THE 1211 00:50:00,532 --> 00:50:02,167 DOCUMENTATION UNDER THE 800-171 1212 00:50:02,167 --> 00:50:05,103 AND THEN ASSESS YOURSELF AND 1213 00:50:05,103 --> 00:50:07,839 USING THE 800-171A AS YOUR 1214 00:50:07,839 --> 00:50:08,307 ASSESSMENT GUIDE. 1215 00:50:08,307 --> 00:50:10,475 AND SO THAT WILL BE DONE BY 1216 00:50:10,475 --> 00:50:12,878 LARGELY YOUR I.T. PROFESSIONALS. 
1217 00:50:12,878 --> 00:50:14,646 ONCE THAT IS DONE, YOU ARE GOING 1218 00:50:14,646 --> 00:50:16,081 TO IMPLEMENT CONTROLS TO THE 1219 00:50:16,081 --> 00:50:17,516 BEST OF YOUR ABILITY BUT 1220 00:50:17,516 --> 00:50:18,817 PROBABLY ARE GOING TO HAVE SOME 1221 00:50:18,817 --> 00:50:20,452 PLAN OF ACTION AND MILESTONES 1222 00:50:20,452 --> 00:50:21,753 FOR PARTIALLY OR FULLY 1223 00:50:21,753 --> 00:50:24,723 IMPLEMENTED CONTROLS. 1224 00:50:24,723 --> 00:50:26,258 THEN THE INSTITUTION CAN 1225 00:50:26,258 --> 00:50:27,225 COMMUNICATE OUT COMPLIANCE 1226 00:50:27,225 --> 00:50:29,328 STATUS TO STAFF AND RESEARCHERS, 1227 00:50:29,328 --> 00:50:32,297 THEN THE RESEARCHERS CAN ATTEST 1228 00:50:32,297 --> 00:50:33,398 WITH ASSURANCES THEIR SYSTEMS 1229 00:50:33,398 --> 00:50:37,035 ARE COMPLIANT WHEN THEY ARE 1230 00:50:37,035 --> 00:50:38,570 ACCESSING NIH CONTROLLED-ACCESS 1231 00:50:38,570 --> 00:50:38,770 DATA. 1232 00:50:38,770 --> 00:50:41,773 AND HOPEFULLY, CHERYL, I GOT TO 1233 00:50:41,773 --> 00:50:46,011 EVERYTHING TO CLARIFY THAT. 1234 00:50:46,011 --> 00:50:46,278 EXCELLENT. 1235 00:50:46,278 --> 00:50:46,578 THANK YOU. 1236 00:50:46,578 --> 00:50:48,880 >> I HAVE A QUESTION FOR 1237 00:50:48,880 --> 00:50:49,481 MS. FALVELLA. 1238 00:50:49,481 --> 00:50:51,083 ARE THERE FUTURE PLANS TO 1239 00:50:51,083 --> 00:50:54,886 REQUIRE THAT THE NIST 800-171 1240 00:50:54,886 --> 00:50:58,623 ENVIRONMENTS HOUSING CONTROLLED 1241 00:50:58,623 --> 00:51:00,726 ACCESS DATA BE CMMC LEVEL 2 1242 00:51:00,726 --> 00:51:00,992 CERTIFIED? 1243 00:51:00,992 --> 00:51:01,460 >> GREAT QUESTION. 1244 00:51:01,460 --> 00:51:03,362 THERE ARE NOT FUTURE PLANS TO 1245 00:51:03,362 --> 00:51:05,097 REQUIRE ANY OTHER STANDARDS 1246 00:51:05,097 --> 00:51:07,532 OTHER THAN 800-171. 
1247 00:51:07,532 --> 00:51:10,602 JUST TO PREFACE WHY THE 171 WAS 1248 00:51:10,602 --> 00:51:12,571 SELECTED, WHEN WE LOOKED ACROSS 1249 00:51:12,571 --> 00:51:13,972 NIH AND REMEMBER THE REFERENCE I 1250 00:51:13,972 --> 00:51:16,174 MADE ABOUT THE PATCHWORK OF 1251 00:51:16,174 --> 00:51:18,243 STANDARDS BEING USED ACROSS NIH, 1252 00:51:18,243 --> 00:51:22,180 WE FOUND THAT THERE WERE TWO 1253 00:51:22,180 --> 00:51:23,281 STANDARDS WIDELY USED, 800-53, 1254 00:51:23,281 --> 00:51:25,917 THE SAME USED FOR FEDERAL 1255 00:51:25,917 --> 00:51:28,453 SYSTEMS, AND SECOND MOST WIDELY 1256 00:51:28,453 --> 00:51:31,123 USED WAS 171, SO IF YOU WERE 1257 00:51:31,123 --> 00:51:33,091 SEEKING FUNDING FROM NIH, THOSE 1258 00:51:33,091 --> 00:51:35,060 TWO REQUIREMENTS WERE THE ONES 1259 00:51:35,060 --> 00:51:39,898 MOST PREDOMINANTLY USED AT NIH. 1260 00:51:39,898 --> 00:51:49,541 THE 800-53 WE DIDN'T FEEL WAS 1261 00:51:49,541 --> 00:51:53,912 APPROPRIATE WITH CONTROLS AROUND 1262 00:51:53,912 --> 00:51:54,246 AVAILABILITY. 1263 00:51:54,246 --> 00:51:56,648 ADDITIONALLY LOOKING ACROSS THE 1264 00:51:56,648 --> 00:51:58,517 GOVERNMENT SAW 800-171 LARGELY 1265 00:51:58,517 --> 00:51:59,718 USED FOR SIMILAR PURPOSES, AND 1266 00:51:59,718 --> 00:52:03,655 SO IF YOU'RE SEEKING FUNDING 1267 00:52:03,655 --> 00:52:05,757 OPPORTUNITIES FOR EXAMPLE 1268 00:52:05,757 --> 00:52:09,161 THROUGH A VETERAN, FOR THE V.A., 1269 00:52:09,161 --> 00:52:14,099 YOU WILL PROBABLY BE ASKED TO 1270 00:52:14,099 --> 00:52:17,602 FULFILL 800-171, THE DoD 1271 00:52:17,602 --> 00:52:19,771 WIDELY USES THAT, AND THEN MOST 1272 00:52:19,771 --> 00:52:23,542 OF THE OTHER R&D DEPARTMENTS ARE 1273 00:52:23,542 --> 00:52:24,309 USING 171. 1274 00:52:24,309 --> 00:52:25,844 SO IT WAS SELECTED BECAUSE IT'S 1275 00:52:25,844 --> 00:52:29,014 THE MOST WIDELY USED FOR THIS 1276 00:52:29,014 --> 00:52:35,987 USE CASE. 
1277 00:52:35,987 --> 00:52:38,290 ADDITIONALLY, WE SELECTED 1278 00:52:38,290 --> 00:52:39,090 800-171 LOOKING AT FUTURE 1279 00:52:39,090 --> 00:52:39,925 REQUIREMENTS THROUGH THE FEDERAL 1280 00:52:39,925 --> 00:52:42,127 GOVERNMENT, SO IT IS THE 1281 00:52:42,127 --> 00:52:44,329 STANDARD EXPECTED TO BE WIDELY 1282 00:52:44,329 --> 00:52:47,833 MANDATED FOR THE GOVERNMENT TO 1283 00:52:47,833 --> 00:52:48,366 FOLLOW. 1284 00:52:48,366 --> 00:52:51,970 AND THAT ALSO ALIGNS WITH HHS'S 1285 00:52:51,970 --> 00:52:54,706 DEPARTMENT POLICY. 1286 00:52:54,706 --> 00:53:00,946 SO NO FUTURE PLANS, TO SWITCH 1287 00:53:00,946 --> 00:53:01,847 OFF THE 800-171. 1288 00:53:01,847 --> 00:53:03,348 >> THANK YOU. 1289 00:53:03,348 --> 00:53:05,750 IN THE NEIGHBORHOOD OF 1290 00:53:05,750 --> 00:53:06,751 CERTIFICATIONS, I HAVE A 1291 00:53:06,751 --> 00:53:12,090 QUESTION FOR YOU AS WELL. 1292 00:53:12,090 --> 00:53:17,362 WOULD AN ISO 2022 CERTIFICATE BE 1293 00:53:17,362 --> 00:53:18,463 ACCEPTED AS ATTESTATION? 1294 00:53:18,463 --> 00:53:21,433 >> I BELIEVE SO, I BELIEVE 1295 00:53:21,433 --> 00:53:24,069 THAT'S AN EQUIVALENT STANDARD, 1296 00:53:24,069 --> 00:53:27,372 ACCEPT THE ATTESTATION FOR 1297 00:53:27,372 --> 00:53:28,773 INTERNATIONAL STANDARDS UNDER 1298 00:53:28,773 --> 00:53:31,776 ISO-R ARE THE EQUIVALENT SO THEY 1299 00:53:31,776 --> 00:53:33,945 ARE GENERALLY ACCEPTED. 1300 00:53:33,945 --> 00:53:35,814 ADDITIONALLY IF YOUR GOVERNMENT 1301 00:53:35,814 --> 00:53:40,185 HAS STANDARDS OR YOU FOLLOW YOUR 1302 00:53:40,185 --> 00:53:41,620 INTERNATIONAL PARTNER AND YOU 1303 00:53:41,620 --> 00:53:45,123 FOLLOW A STANDARD THAT DERIVES 1304 00:53:45,123 --> 00:53:46,558 FROM THE ISO STANDARD, IT'S 1305 00:53:46,558 --> 00:53:48,193 HIGHLY LIKELY YOU WILL ALSO BE 1306 00:53:48,193 --> 00:53:52,464 EQUIVALENT AND BE ABLE TO 1307 00:53:52,464 --> 00:53:52,697 ATTEST. 
1308 00:53:52,697 --> 00:53:54,666 WE UNDERSTAND A LOT OF 1309 00:53:54,666 --> 00:53:56,067 COMPLIANCE WILL DERIVE FROM THE 1310 00:53:56,067 --> 00:53:58,737 ISO STANDARD IF YOU'RE AN 1311 00:53:58,737 --> 00:54:00,705 INTERNATIONAL PARTNER SO IT'S 1312 00:54:00,705 --> 00:54:02,340 LIKELY IT IS EQUIVALENT BUT 1313 00:54:02,340 --> 00:54:04,843 WE'RE ALSO HAPPY TO REVIEW ANY 1314 00:54:04,843 --> 00:54:06,745 OF YOUR STANDARDS IF YOU JUST 1315 00:54:06,745 --> 00:54:13,552 DROP US A LINE ON THE GDS MAIL 1316 00:54:13,552 --> 00:54:14,619 MAILBOX. 1317 00:54:14,619 --> 00:54:18,790 WE'RE HAPPY TO REVIEW YOUR 1318 00:54:18,790 --> 00:54:19,324 PARTICULAR INTERNATIONAL 1319 00:54:19,324 --> 00:54:20,325 STANDARD. 1320 00:54:20,325 --> 00:54:23,595 >> THANK YOU SO MUCH. 1321 00:54:23,595 --> 00:54:24,829 NOW -- GO AHEAD. 1322 00:54:24,829 --> 00:54:27,098 >> BEFORE YOU MOVE ON I WOULD 1323 00:54:27,098 --> 00:54:30,502 LIKE TO ADD THAT WE DON'T EXPECT 1324 00:54:30,502 --> 00:54:35,740 A CERTIFICATE OR ANY SORT OF 1325 00:54:35,740 --> 00:54:40,679 DOCUMENT, AGAIN THIS IS BASED ON 1326 00:54:40,679 --> 00:54:41,112 SELF-ASSESSMENT. 1327 00:54:41,112 --> 00:54:42,814 SO NIH IS NOT EXPECTING TO 1328 00:54:42,814 --> 00:54:45,016 RECEIVE ANYTHING AS A PART OF 1329 00:54:45,016 --> 00:54:45,717 THE ATTESTATION. 1330 00:54:45,717 --> 00:54:48,887 THIS IS IN GOOD FAITH THAT YOU 1331 00:54:48,887 --> 00:54:50,221 ALL HAVE DONE SELF-ASSESSMENT 1332 00:54:50,221 --> 00:54:51,756 AND YOU ARE ATTESTING TO NIH 1333 00:54:51,756 --> 00:54:56,828 THAT IN GOOD FAITH YOU HAVE DONE 1334 00:54:56,828 --> 00:55:00,298 SO AND ADHERE TO THE NIST OR ISO 1335 00:55:00,298 --> 00:55:01,299 SECURITY STANDARDS. 1336 00:55:01,299 --> 00:55:01,700 >> GREAT POINT. 1337 00:55:01,700 --> 00:55:03,368 THANK YOU SO MUCH FOR 1338 00:55:03,368 --> 00:55:04,603 EMPHASIZING THAT, DR. JACOBS. 
1339 00:55:04,603 --> 00:55:07,172 THE ONE THING I WOULD ADD TO 1340 00:55:07,172 --> 00:55:09,708 THAT THOUGH IS IF THERE IS A 1341 00:55:09,708 --> 00:55:12,877 CYBERSECURITY BREACH, PRIVACY 1342 00:55:12,877 --> 00:55:14,212 BREACH FOR DATA MANAGEMENT 1343 00:55:14,212 --> 00:55:16,514 INCIDENT, THEN WE MAY ASK FOR 1344 00:55:16,514 --> 00:55:17,716 DOCUMENTATION TO VERIFY YOUR 1345 00:55:17,716 --> 00:55:20,018 COMPLIANCE AS PART OF OUR 1346 00:55:20,018 --> 00:55:21,653 INVESTIGATION OF THOSE 1347 00:55:21,653 --> 00:55:21,920 INCIDENTS. 1348 00:55:21,920 --> 00:55:24,289 AND SO THAT WOULD BE THE POINT 1349 00:55:24,289 --> 00:55:26,891 OF WHERE THE GOVERNMENT MAY 1350 00:55:26,891 --> 00:55:27,692 REQUEST ADDITIONAL DOCUMENTATION 1351 00:55:27,692 --> 00:55:30,095 FROM YOU TO MAKE SURE YOU'RE IN 1352 00:55:30,095 --> 00:55:30,862 COMPLIANCE WITH YOUR AGREEMENT, 1353 00:55:30,862 --> 00:55:33,565 BUT AGAIN TO DR. JACOBS' POINT 1354 00:55:33,565 --> 00:55:36,201 WE'LL NOT BE REQUESTING ANY 1355 00:55:36,201 --> 00:55:41,239 DOCUMENTATION IN ADDITION TO 1356 00:55:41,239 --> 00:55:43,541 RESEARCHERS' ATTESTATION. 1357 00:55:43,541 --> 00:55:44,342 >> SOUNDS GOOD. 1358 00:55:44,342 --> 00:55:47,178 DR. CHERYL, THERE'S A QUESTION 1359 00:55:47,178 --> 00:55:49,147 ABOUT CUIs. 1360 00:55:49,147 --> 00:55:55,820 WILL THERE BE FURTHER 1361 00:55:55,820 --> 00:55:57,722 CLARIFICATION, CONTROLLED ACCESS 1362 00:55:57,722 --> 00:56:02,694 DATA IS NOT CONSIDERED CUI? 1363 00:56:02,694 --> 00:56:04,596 >> THANK YOU. 1364 00:56:04,596 --> 00:56:07,699 WE'RE NOT CONSIDERING GENOMIC 1365 00:56:07,699 --> 00:56:09,200 DATA AS CUI. 1366 00:56:09,200 --> 00:56:11,503 AND WE WANT TO SEPARATE WHAT IS 1367 00:56:11,503 --> 00:56:15,774 CUI, WHAT IS NOT CUI. 
1368 00:56:15,774 --> 00:56:20,578 FOR JUST THE BASIC POINT THAT 1369 00:56:20,578 --> 00:56:23,081 THERE'S SECURITY CONTROLS 1370 00:56:23,081 --> 00:56:25,850 EXISTING NOW, IN THE GDS POLICY 1371 00:56:25,850 --> 00:56:27,485 THAT'S AN EXPECTATION TO PROTECT 1372 00:56:27,485 --> 00:56:29,688 DATA, SO WE'RE UPDATING THOSE 1373 00:56:29,688 --> 00:56:31,856 SECURITY CONTROLS USING A NIST 1374 00:56:31,856 --> 00:56:32,557 STANDARD. 1375 00:56:32,557 --> 00:56:37,595 AND WHETHER OR NOT CUI IS REALLY 1376 00:56:37,595 --> 00:56:40,098 NOT THE PURPOSE OF THE SECURITY 1377 00:56:40,098 --> 00:56:40,432 UPDATE. 1378 00:56:40,432 --> 00:56:44,803 THE SECURITY UPDATE IS THAT WE 1379 00:56:44,803 --> 00:56:47,305 ARE FOLLOWING NIST 800-171 AND 1380 00:56:47,305 --> 00:56:48,740 WE'RE LOOKING FOR INSTITUTION 1381 00:56:48,740 --> 00:56:52,010 THAT HOLDS THE DATA SO NOT -- 1382 00:56:52,010 --> 00:56:54,112 EXCUSE ME, ON THE LOCAL SYSTEMS, 1383 00:56:54,112 --> 00:56:55,747 NOT THE ENTIRE INSTITUTION OR 1384 00:56:55,747 --> 00:56:56,114 CAMPUS. 1385 00:56:56,114 --> 00:57:00,218 I DID SEE A QUESTION ABOUT THAT. 1386 00:57:00,218 --> 00:57:03,088 IT'S THE LOCAL SYSTEM THAT HOLDS 1387 00:57:03,088 --> 00:57:05,390 THE DATA, WE'RE LOOKING FOR 1388 00:57:05,390 --> 00:57:06,925 SELF-ASSESSMENT OF THAT SYSTEM 1389 00:57:06,925 --> 00:57:10,095 FOR THE USER TO ATTEST TO THE 1390 00:57:10,095 --> 00:57:12,163 SECURITY CONTROL SO REALLY FOCUS 1391 00:57:12,163 --> 00:57:14,699 ON THE SECURITY CONTROLS AND 1392 00:57:14,699 --> 00:57:16,668 WHETHER OR NOT CUI IS REALLY NOT 1393 00:57:16,668 --> 00:57:19,070 THE GOAL OF THE UPDATE, THE GOAL 1394 00:57:19,070 --> 00:57:22,941 OF THE UPDATE ARE THE SECURITY 1395 00:57:22,941 --> 00:57:24,909 CONTROLS, 800-171. 1396 00:57:24,909 --> 00:57:26,878 ON THE SYSTEM, THAT'S SECURING 1397 00:57:26,878 --> 00:57:31,282 THE DATA, NOT THE ENTIRE CAMPUS. 1398 00:57:31,282 --> 00:57:34,786 IT'S THE SYSTEM. 
1399 00:57:34,786 --> 00:57:35,653 >> SOUNDS GOOD. 1400 00:57:35,653 --> 00:57:38,923 NOW, WE ARE AT TIME NOW. 1401 00:57:38,923 --> 00:57:41,226 SO IF OUR PRESENTERS HAVE ONE 1402 00:57:41,226 --> 00:57:42,861 MORE QUESTION, THE TIME FOR ONE 1403 00:57:42,861 --> 00:57:45,063 MORE QUESTION, WE CAN DO THAT 1404 00:57:45,063 --> 00:57:49,434 AND WRAP UP. 1405 00:57:49,434 --> 00:57:51,302 I BELIEVE THIS RELATES TO THE 1406 00:57:51,302 --> 00:57:52,003 ATTESTATION FORM. 1407 00:57:52,003 --> 00:57:54,139 SO YOU'RE SAYING THERE'S A 1408 00:57:54,139 --> 00:57:55,273 COMMENT, YOU SAY ATTESTATION IS 1409 00:57:55,273 --> 00:57:57,442 NOT A FORM, WHERE SPECIFICALLY 1410 00:57:57,442 --> 00:58:03,882 WILL INVESTIGATORS SEE THIS 1411 00:58:03,882 --> 00:58:04,182 ATTESTATION? 1412 00:58:04,182 --> 00:58:05,750 >> YEAH, ATTESTATION WILL VARY 1413 00:58:05,750 --> 00:58:07,185 FOR dbGaP, YOU'LL SEE THIS 1414 00:58:07,185 --> 00:58:10,789 PART OF THE DAR PROCESS AS 1415 00:58:10,789 --> 00:58:13,324 YOU'RE GOING THROUGH AND SEEING 1416 00:58:13,324 --> 00:58:17,162 YOU'LL PROTECT DATA ACCORDING TO 1417 00:58:17,162 --> 00:58:18,563 DATA USE LIMITATIONS AND SUCH, 1418 00:58:18,563 --> 00:58:21,232 THERE WILL BE ANOTHER BOX YOU 1419 00:58:21,232 --> 00:58:28,673 WILL ATTEST TO, FOR dbGaP 1420 00:58:28,673 --> 00:58:30,308 THAT'S AN EXAMPLE THAT WILL BE 1421 00:58:30,308 --> 00:58:33,278 PART OF THE DAR PROCESS. 1422 00:58:33,278 --> 00:58:35,580 >> THANK YOU SO MUCH, DR. 1423 00:58:35,580 --> 00:58:35,814 JACOBS. 1424 00:58:35,814 --> 00:58:37,315 THIS CONCLUDES OUR Q&A SESSION. 1425 00:58:37,315 --> 00:58:40,385 I WILL NOW GIVE THE MIC TO DR. 1426 00:58:40,385 --> 00:58:40,718 CHEN. 1427 00:58:40,718 --> 00:58:43,254 PLEASE CLOSE US OUT. 1428 00:58:43,254 --> 00:58:49,594 THANK YOU SO MUCH. 1429 00:58:49,594 --> 00:58:51,596 >> THANK YOU, EVERYONE. 
1430 00:58:51,596 --> 00:58:53,531 SPECIAL THANKS TO CLOSED 1431 00:58:53,531 --> 00:58:55,633 CAPTIONERS AND ASL INTERPRETERS, 1432 00:58:55,633 --> 00:58:56,734 TO THOSE WHO TOOK THE TIME OUT 1433 00:58:56,734 --> 00:58:58,403 OF YOUR DAY TO JOIN US FOR 1434 00:58:58,403 --> 00:58:59,704 TODAY'S OVERVIEW OF THE NIH 1435 00:58:59,704 --> 00:59:01,039 SECURITY BEST PRACTICES FOR 1436 00:59:01,039 --> 00:59:02,473 USERS OF CONTROLLED ACCESS DATA. 1437 00:59:02,473 --> 00:59:05,076 FOR ALL THE TIME THAT YOU SPENT 1438 00:59:05,076 --> 00:59:06,277 WITH US TODAY. 1439 00:59:06,277 --> 00:59:08,379 IF THERE ARE ADDITIONAL 1440 00:59:08,379 --> 00:59:14,185 QUESTIONS SEND THEM TO 1441 00:59:14,185 --> 00:59:16,054 GDS@MAIL.NIH.GOV, THEY WILL BE 1442 00:59:16,054 --> 00:59:17,589 GROUPED AND POSTED AT A LATER 1443 00:59:17,589 --> 00:59:18,690 DATE, RECORDING WILL BE 1444 00:59:18,690 --> 00:59:20,558 AVAILABLE AT A LATER TIME. 1445 00:59:20,558 --> 00:59:27,765 SLIDES CAN BE FOUND AT THE 1446 00:59:27,765 --> 00:59:29,167 SHARING.NIH.GOV, ONCE YOU SEE 1447 00:59:29,167 --> 00:59:31,469 GENOMIC DATA SHARING POLICY. 1448 00:59:31,469 --> 00:59:34,539 AND ONCE IN THE GDS POLICY 1449 00:59:34,539 --> 00:59:36,507 SECTIONS RESOURCES PAGE CLICK ON 1450 00:59:36,507 --> 00:59:36,941 WEBINAR. 1451 00:59:36,941 --> 00:59:38,276 THANK YOU FOR JOINING US AGAIN, 1452 00:59:38,276 --> 00:59:40,011 AND HAVE A WONDERFUL REST OF 1453 00:59:40,011 --> 00:59:41,779 YOUR DAY. 1454 00:59:41,779 --> 00:59:42,680 THIS CONCLUDES TODAY'S WEBINAR. 1455 00:59:42,680 --> 00:59:45,483 [END OF PROGRAM] 1456 00:59:45,483 --> 00:59:55,526