NIH Cybersecurity Oversight

Announced on  | Last Modified on  | Project Number: A-18-24-06111

OBJECTIVE

The National Institutes of Health (NIH) is the primary Federal agency for conducting and supporting biomedical research. The All of Us Research Program (AoURP) is a major component of the Precision Medicine Initiative overseen by the NIH. The AoURP is responsible for building a national research cohort of more than 1 million participants who provide their personal health information to NIH so that researchers, providers, and patients can work together to build a better future for health care. Without appropriate security and privacy controls to protect AoURP data, the AoURP and its award recipients cannot effectively minimize information security and cybersecurity risks to an acceptable level. The purpose of this audit is to determine whether the AoURP's award recipients: (1) limit program research data access, (2) implement information security and privacy controls, and (3) remediate information security and privacy weaknesses in accordance with Federal requirements.

TIMELINE

REPORT PUBLISHED

25-A-18-127.01 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to implement access controls to prevent DRC and DRC-RW information systems users from accessing the systems while abroad without verified approval.

25-A-18-127.02 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to identify and implement a control or compensating control to prevent the downloading of detailed participant data, as required by the All of Us Data Use Policies.

25-A-18-127.03 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH formally communicate national security concerns related to maintaining genomic data to All of Us award recipients that use or maintain genomic data and require the implementation of the IT security and privacy controls to protect the storage, transmission, and processing of such data.

25-A-18-127.04 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to reevaluate the security categorization for the DRC and DRC-RW information systems considering the national security concerns of maintaining genomic data.

25-A-18-127.05 to NIH - Open Unimplemented
Update expected on 03/28/2026
We recommend that NIH require the DRC awardee to update the remediation timeframe in its system security plans to comply with the timeframes specified in its award agreement with NIH.
