AWS Public Sector Blog

Complying with updated NIH Genomic Data Sharing policies on AWS

Background

The rapid growth of genomic and biomedical research has led to an exponential increase in the amount of genomic data being generated. Given the sensitive nature of human genetic data and the need for increased collaboration, this data must be shared through controlled-access mechanisms that safeguard participant privacy and prevent unauthorized access or misuse.

To address these critical data security and privacy concerns, the National Institutes of Health (NIH) has long maintained guidelines governing the responsible management of controlled access human genomic and phenotypic data maintained in NIH-designated data repositories. Recently, the NIH updated these guidelines to align with the NIST SP 800-171 security standard, which defines a comprehensive framework for securing Controlled Unclassified Information (CUI).

Key points of the updated guidelines:

  • Outlines NIH’s expectations for managing and protecting controlled access data
  • Applies to data transferred to and maintained by organizations in their own IT environments or using public cloud service providers
  • Takes effect on January 25, 2025
  • Places additional responsibilities on researchers and institutions to implement robust security measures

Amazon Web Services (AWS) has a proven history of building and maintaining a culture of security, defined by AWS Compliance Programs. These programs provide robust controls to maintain the security and compliance of the AWS Cloud. For users of NIH controlled-access data, this should instill confidence that they can begin or continue their research on AWS while maintaining the confidentiality, integrity, and availability of data entrusted to them by the NIH.

In this blog post, we will explore the specifics of the updated NIH guidance and outline how AWS can help customers build a compliant environment to meet these requirements.

Summary of key requirements in the new NIH policy

The NIH Notice NOT-OD-24-157, issued by the Office of the Director, details updates to two practices under the NIH Genomic Data Sharing (GDS) Policy:

  1. Modernizing security standards provided in the “NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy”
  2. Establishing minimum expectations for access to controlled-access data by developers

The Scope and Applicability section of the NOT-OD-24-157 provides specific details for approved users of controlled-access human genomic data from NIH controlled-access data repositories. We will discuss how these users and their institutions can leverage AWS to address the requirements of NIST 800-171 “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.”

Note: Non-U.S. users of controlled-access data who are unable to align with NIST SP 800-171 are permitted to use ISO/IEC 27001/27002 instead.

NIST Special Publication 800-171 Revision 2 contains 110 security controls organized into 14 families or categories. These requirements provide a comprehensive approach to protecting CUI in nonfederal systems and organizations. Each high-level requirement is further broken down into more specific controls and practices detailed in the NIST SP 800-171 document.

Best practices for compliance on AWS

As we discuss leveraging AWS services and features to meet NIST 800-171 requirements, it is critical to understand the AWS Shared Responsibility Model. Under this model, AWS is responsible for “Security of the Cloud,” including hardware, software, networking, and physical facilities that run AWS Cloud services. Customers are responsible for “Security in the Cloud,” determined by the AWS Cloud services they select and how they configure them to meet their applicable requirements. This shared responsibility model extends to IT controls, which are categorized into three types:

  1. Inherited Controls: Fully inherited from AWS, including physical and environmental controls.
  2. Shared Controls: Apply to both the infrastructure and customer layers, but in separate contexts. AWS provides the infrastructure requirements, while customers implement the controls within their use of AWS services. Examples include patch management, configuration management, and awareness and training.
  3. Customer Specific: Solely the customer’s responsibility, based on the application deployed within AWS services. An example is system and communications protection.

To support compliance needs, AWS customers and partners can use the Landing Zone Accelerator (LZA) on AWS. The LZA solution deploys a cloud foundation architected to align with AWS best practices and multiple global compliance frameworks. This solution helps customers with highly-regulated workloads and complex compliance requirements better manage and govern their multi-account environment.

An example of a NIST SP 800-171 third-party audited deployment is described in this blog, and the whitepaper can be downloaded from AWS Artifact. While the verified architecture is on AWS GovCloud (US), the same controls can be implemented in other AWS Regions.

The AWS Secure Research Environment solution

To address the forthcoming NIH mandate, AWS is developing the Secure Research Environment (SRE), a comprehensive solution that leverages Landing Zone Accelerator on AWS and Organizational Units (OUs) to comply with NIST 800-171 controls.

Key features of the AWS SRE:

  • Designed to help research institutions meet new requirements efficiently and effectively
  • Built to address security controls outlined in NIST SP 800-171 Revision 2
  • Leverages the AWS Shared Responsibility Model
  • Uses customizable Organizational Units (OUs) to address various compliance requirements
  • Includes Landing Zone Accelerator on AWS for a secure, resilient, scalable, and fully automated cloud foundation
  • Implements robust security measures including encryption, access controls, continuous monitoring, and audit logging
  • Leverages a superset of AWS Config rules aligned with the recommendations in the NIST 800-171 conformance pack

Using AWS Audit Manager for evidence collection

AWS Audit Manager provides a prebuilt standard framework supporting “NIST 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” This framework includes:

  • A prebuilt collection of controls with descriptions and testing procedures
  • Controls grouped into sets according to NIST requirements
  • Customization options to support internal audits with specific requirements

Using the framework, you can create an Audit Manager assessment and start collecting relevant evidence for your audit.

Note: The controls in this AWS Audit Manager framework cannot guarantee passing a NIST audit. AWS Audit Manager doesn’t automatically check procedural controls that require manual evidence collection.
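The assessment step described above, as an added example that is not code from the blog post or from AWS: it looks up the prebuilt NIST 800-171 Revision 2 framework by name in the Standard framework library and starts an assessment scoped to one account, using the boto3 `auditmanager` calls `list_assessment_frameworks` and `create_assessment`. The client is passed in so the logic can be exercised offline against a stub; the bucket, account ID and role ARN are placeholders you must replace.

```python
"""Create an AWS Audit Manager assessment from the prebuilt NIST 800-171 Rev 2 framework.
Added example, not code from the blog post: uses the boto3 auditmanager calls
list_assessment_frameworks and create_assessment; the client is passed in so the
logic can be exercised offline against a stub. Bucket, account and role values
are placeholders (assumptions) to replace.
"""
from typing import Any, Dict, Optional

# Framework name as listed in the Audit Manager standard framework library.
NIST_800_171_R2_FRAMEWORK = ("NIST 800-171 Revision 2: Protecting Controlled Unclassified "
                             "Information in Nonfederal Systems and Organizations")


def find_standard_framework(client: Any, name: str) -> Optional[Dict[str, Any]]:
    """Page through the AWS-prebuilt ("Standard") frameworks and return the one named `name`."""
    kwargs: Dict[str, Any] = {"frameworkType": "Standard"}
    while True:
        page = client.list_assessment_frameworks(**kwargs)
        for fw in page.get("frameworkMetadataList", []):
            if fw.get("name") == name:
                return fw
        token = page.get("nextToken")
        if not token:
            return None
        kwargs["nextToken"] = token  # fetch the next page


def build_assessment_request(framework_id: str, name: str, report_bucket: str,
                             account_id: str, process_owner_role_arn: str) -> Dict[str, Any]:
    """create_assessment parameters: in-scope account, S3 report destination, process-owner role."""
    return {
        "name": name,
        "description": "Evidence collection for NIH controlled-access data (NIST SP 800-171 Rev 2)",
        "assessmentReportsDestination": {"destinationType": "S3",
                                         "destination": f"s3://{report_bucket}"},
        "scope": {"awsAccounts": [{"id": account_id}]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": process_owner_role_arn}],
        "frameworkId": framework_id,
    }


def create_nist_800_171_assessment(client: Any, name: str, report_bucket: str,
                                   account_id: str, process_owner_role_arn: str) -> Dict[str, Any]:
    """Locate the prebuilt framework and start the assessment; fail clearly if it is absent."""
    fw = find_standard_framework(client, NIST_800_171_R2_FRAMEWORK)
    if fw is None:  # e.g. Audit Manager not yet enabled in this account/Region
        raise LookupError("NIST 800-171 Rev 2 standard framework not found")
    request = build_assessment_request(fw["id"], name, report_bucket, account_id, process_owner_role_arn)
    return client.create_assessment(**request)
```

Audit Manager must already be enabled in the account and Region; pass `boto3.client("auditmanager")` as the client to run it for real.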

Call to action

If you work with NIH controlled-access data as a researcher or support researchers as an IT professional, now is the time to verify that your research environment satisfies the NIH Security Best Practices for Users of Controlled-Access Data.

Options for compliance:

  1. Implement the SRE solution or put the necessary controls in place using in-house resources in consultation with your AWS team.
  2. Work with the AWS Professional Services or an SI partner from the AWS Partner Network to implement the SRE solution.
  3. Utilize out-of-the-box solutions from AWS genomics ISVs such as DNAnexus and Velsera.

Contact your AWS representative today to schedule a consultation and begin your journey towards a fully compliant research environment.

Additional Resources

Sujaya Srinivasan

Sujaya is the global genomics technical lead for Amazon Web Services (AWS) Worldwide Public Sector. She has a strong background in both technology and bioinformatics, and has more than 15 years of experience in oncology, clinical genomics, and pharma. She is passionate about using technology to accelerate research and discovery in life sciences, genomics, and precision medicine.

Donny Wilson

Donny is the global security and compliance principal solutions architect for Worldwide Public Sector at Amazon Web Services (AWS). He leads the HCLS Security and Compliance Focus Area and advises healthcare customers on security, compliance, threat detection and response, and resilient architectures. Donny has 25-plus years of experience in healthcare and enterprise IT. His hobbies include creating community through grilling food and amateur car racing.

John Paul Laverde

John Paul (JP) is a member of Amazon Web Services' (AWS) Higher Education Global Research Group. He previously served as Director of Technology and Innovation at NSWC Dahlgren and is currently a Naval Officer in the U.S. Navy Reserves. JP combines academic expertise with practical experience to help universities harness AWS technologies for cutting-edge computational, data science, and artificial intelligence/machine learning (AI/ML) research.

Karthik Narasimhan

Karthik is the senior business development manager for genomics and life sciences research at Amazon Web Services (AWS). He focuses on helping researchers in US higher education institutions accelerate their research and push the boundaries of science and discovery by leveraging AWS cloud technology. Karthik has more than 12 years of experience in healthcare and life sciences and holds a PhD in biological sciences and an MBA.

Venkatesan Chandrababu

Venkat is a senior solutions architect for education at Amazon Web Services (AWS). He focuses on secure research and specializes in multi-account infrastructure, security, and networking. With 15-plus years of experience in IT architecture and security, Venkat is passionate about helping organizations build secure, scalable, and efficient cloud environments. Away from work, he enjoys photography, chasing perfect shots that capture majestic landscapes.