New NIH Genomic Data Security Rules Are Slowing Research, and Researchers Are Improvising Workarounds

In January 2025, the National Institutes of Health began enforcing a new data security policy that requires any institution accessing its 39 controlled-access genomic data repositories, including dbGaP, the ABCD Study, and the Trans-Omics for Precision Medicine program, to comply with NIST SP 800-171, a federal cybersecurity framework with roughly 110 security requirements across 14 control families. Seventeen months later, researchers across the United States report that the mandate has slowed or halted projects, forced them to delete data accumulated over a decade, and pushed them into expensive, improvised workarounds.

“It’s very hard for researchers to comply,” Andrew Lynn, a developmental cognitive neuroscientist at the University of Louisville, told Science. Lynn lost access to the ABCD Study data, which includes not just genomic data but also MRI scans and questionnaire responses, for two months. He paid approximately $1,200 from his startup funds for a temporary solution, and his cloud computing costs rose by $8,000 to $10,000.

The requirement, codified in NIH Notice NOT-OD-24-157 (published July 25, 2024), was part of a broader federal push to secure sensitive personal data, triggered by Executive Order 14117 signed in February 2024, which restricts the transfer of bulk sensitive data, including genomic information, to countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela).

The policy applies to any researcher whose institution signs a Data Use Certification Agreement for one of NIH’s controlled-access repositories. Those institutions must attest to NIST SP 800-171 compliance, and both the repositories and any third-party cloud service providers must meet NIST SP 800-53 security standards corresponding to the FedRAMP Moderate baseline. Non-U.S. users may use the equivalent ISO/IEC 27001/27002 framework.

The mandate applies not only to new grants but also to renewals and continuing awards, meaning researchers with active, multi-year projects suddenly found themselves locked out of data they had been analyzing for years.

The impact

The most dramatic case reported is Paul Auer, a human geneticist at the Medical College of Wisconsin, who had to delete twelve years of accumulated data from the Trans-Omics for Precision Medicine program, a dataset covering more than 180,000 whole genomes, because his institution could not find a NIST-compliant storage solution in time. His research was paused for a full year, and migrating to a secure cloud environment will cost more than $10,000.

Carlos Cardenas-Iniguez, a neuroscientist at the University of Southern California who studies the ABCD Study data, spent a year searching for a free NIST-compliant server on campus. USC would not fund it. He eventually found one, but it is not ideal for his analytical needs. “A lot of [the new rules] makes sense,” he said, but the NIST protocol’s 110-plus conditions seem “somewhat excessive for deidentified data.”

Deanna Barch, a principal investigator for the ABCD Study at Washington University in St. Louis, is helping build an alternative secure online platform with built-in analytical tools that would allow researchers to work inside a compliant environment without managing their own infrastructure. She also spearheaded a letter to NIH documenting the difficulties.

Security experts weigh in

The tension is between a genuine need for better data security and a compliance framework designed for federal IT systems, not academic research environments. Jess Morley, a data ethics researcher at the Yale Digital Ethics Center, noted that U.S. data security norms have been “very, very, very behind” other countries, suggesting increased oversight is warranted. A 2025 Government Accountability Office report (GAO-25-107377) found that NIH does not proactively audit data security compliance, relying instead on self-reports and whistleblowers, and identified multiple violations including breaches and unauthorized access between July 2018 and May 2024.

High-profile incidents have underscored the risks. A January 2026 New York Times investigation found that ABCD Study data had been accessed by individuals who used it to promote scientifically unfounded claims about race and brain development. In April 2026, UK Biobank data on 500,000 individuals was reportedly listed for sale on Alibaba.

What’s next

NIH told Science that it “takes its responsibility to safeguard sensitive research data seriously and regularly reviews and updates its policies.” But the policy has no grandfather clause: it applies upon renewal for existing Data Use Certifications, which may have been signed years before the mandate took effect. With no central fund to help institutions comply, the burden falls on individual researchers and their universities.

The Coalition for Academic Scientific Computation published guidance in July 2025 specifically addressing NIST SP 800-171 compliance challenges for high-performance computing and research environments. But for smaller institutions without dedicated cybersecurity teams, the path to compliance remains unclear.

Source: Science AAAS, “New NIH security rules for genomic data sets are slowing research, prompting workarounds” by Georgia Michelman (June 18, 2026). https://www.science.org/content/article/new-nih-security-rules-genomic-data-sets-are-slowing-research-prompting-workarounds
