Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

NIH Generally Implemented System Controls Over the Sequence Read Archive But Some Improvements Needed

Why OIG Did This Audit

The Department of Health and Human Services (HHS), Office of Inspector General (OIG) has identified securing HHS data and systems to positively impact the cybersecurity posture of HHS and the sectors HHS influences as a key component within HHS's top management challenges.

The National Institutes of Health (NIH) Sequence Read Archive (SRA), which is hosted by National Library of Medicine (NLM), is the largest publicly available repository of high throughput sequencing data used for genomic research. The SRA holds diverse genomic data, including early COVID-19 sequencing, and is part of the International Nucleotide Sequence Database Collaboration.

The objective was to determine whether NIH has adequate controls in place to ensure data integrity of the NCBI Sequence Read Archive. OIG engaged the independent certified public accounting firm Brown & Company CPAs and Management Consultants, PLLC (Brown & Company) to conduct this audit.

How OIG Did This Audit

To accomplish our objective, Brown & Company interviewed NIH officials, reviewed NIH's SRA information security policies and procedures, tested system controls; and examined 50 samples of the SRA data normalization and SRA Lite files to determine if the files were normalized as intended.

What OIG Found

Brown & Company found that NIH adequately implemented most of the system and information integrity controls that ensure the integrity of the SRA data. However, control weaknesses were identified that should be addressed to improve the security of the SRA and its data.

While NIH stated the overall security categorization for the SRA was low impact, NIH did not document the rationale for the security categorization as is required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 Volume 1, Revision 1.

NIH also did not conduct an SRA system-level risk assessment to identify threats and vulnerabilities as required by NIH's policy. However, NIH was required by NIST SP 800-53, Revision 4, to perform a system-level risk assessment for the SRA before it was authorized to operate and put into production.

In addition, the SRA data normalization policy lacked the assignment of roles and responsibilities to ensure the integrity of the SRA and its data.

What OIG Recommends

Brown & Company recommends that the NIH implement the recommendations below to improve controls over its SRA.

In written comments on our draft report, NIH concurred with all the recommendations and described actions it plans to take to implement the recommendations.

Filed under: National Institutes of Health