In response to Executive Order 14117: Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, NIH implemented new security requirements for its Controlled Access Data Repositories (CADR). These security measures have been integrated into BioShare to enable websites built on the BioShare platform to be compliant.
CADR Security Measures Implemented
Prohibited Users and Identity Proofing
- Supports Identity Proofing with IAL2 Enforcement
- Automatic rejection of users from Countries of Concern and those using email addresses unaffiliated with their institution or corporation
Support for Data Access Committee (DAC) reviews
- Review module where information about the request and users is available, online discussion can be posted during review, and votes are tracked
- Full contact information including institutional affiliation and country of residence for all collaborators and signing officials is captured on the Request Form
- Documentation of the institutional affiliation for all data users, signed by an institutional official, can be uploaded to the request form
- Linked requests for collaborators from separate institutions
Enforced Standard for Data Access
- Flexible Data Use Agreement (DUA) templates that can use the specific language required
- Automatic DUA generation and optional e-signatures via DocuSign
- Automatic notifications use institutional email addresses
- Automatic reminders of DUA expirations
- Progress Report module where requestors can provide updates on their research, including publications
- Publication Module that links to manuscripts and conference abstracts generated with the requested materials
- Data delivery is user-specific and time-limited
- Data destruction certification can be uploaded to the request for documentation
Threat Mitigation
- Hosting in a secure environment that meets OMB Circular A-130 and NIST guidelines at the “moderate” level
- Logs of activity and access
- Cyber incident investigation and reporting
