OIG - Office of Inspector General

09/29/2025 | Press release | Archived content

The National Institutes of Health Needs to Improve the Cybersecurity of the All of Us Research Program to Protect Participant Data

25-A-18-127.01 to NIH - Open Unimplemented

Update expected on 03/28/2026

We recommend that NIH require the DRC awardee to implement access controls to prevent DRC and DRC-RW information systems users from accessing the systems while abroad without verified approval.

25-A-18-127.02 to NIH - Open Unimplemented

Update expected on 03/28/2026

We recommend that NIH require the DRC awardee to identify and implement a control or compensating control to prevent the downloading of detailed participant data, as required by the All of Us Data Use Policies.

25-A-18-127.03 to NIH - Open Unimplemented

Update expected on 03/28/2026

We recommend that NIH formally communicate national security concerns related to maintaining genomic data to All of Us award recipients that use or maintain genomic data and require the implementation of the IT security and privacy controls to protect the storage, transmission, and processing of such data.

25-A-18-127.04 to NIH - Open Unimplemented

Update expected on 03/28/2026

We recommend that NIH require the DRC awardee to reevaluate the security categorization for the DRC and DRC-RW information systems considering the national security concerns of maintaining genomic data.

25-A-18-127.05 to NIH - Open Unimplemented

Update expected on 03/28/2026

We recommend that NIH require the DRC awardee to update the remediation timeframe in its system security plans to comply with the timeframes specified in its award agreement with NIH.


OIG - Office of Inspector General published this content on September 29, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on November 14, 2025 at 16:00 UTC.