Precision Medicine Initiative Data Security Framework Special Award Condition

All partners in the All of Us Research Program are required to adhere to the Precision Medicine Initiative (PMI) Data Security Policy Framework.

The National Institutes of Health (NIH) is an Operational Division (OpDiv) of the U.S. Department of Health and Human Services. Security controls are required by the Department to provide minimum levels of assurance for safeguarding OpDiv information. The NIH's All of Us Research Program (All of Us) is a special federally funded program that has selected National Institute of Standards and Technology (NIST) Special Publication 800-53 as its security controls framework.

Please note that NIST SP 800-53 is designed for safeguarding federal information and information systems; however, the controls outlined in the framework provide adequate security and can be applied to extramural research partners as a method of meeting the PMI Data Security Policy Framework.

For non-federal awards (otherwise not covered by the Federal Acquisition Regulation), All of Us shall provide a list of NIST SP 800-53 security controls from which the awardee is exempt. A separate, equivalent control mapping will be provided for lower-risk-profile systems that apply the NIST SP 800-171 controls framework for non-federal systems processing Controlled Unclassified Information (CUI).

Additional Conditions for Awardees with Significant Security Responsibilities

Compliance with All of Us Research Program Security Authorization Process

All of Us requires that the Award Partner comply with the All of Us Security Authorization Process for all All of Us systems under the direct management and operation of the Award Partner. All of Us requires the awardee to describe how it will design and implement the technical and policy safeguards necessary to ensure data security, in accordance with NIST Special Publication 800-53, meeting or exceeding the Federal Information Security Management Act (FISMA) minimum requirements for the risk profile established in the system's Security Categorization under FIPS 199.

All awardees will apply the NIH organizationally defined parameters outlined in the NIH IT Security Handbook unless provided a waiver by the All of Us Information Systems Security Office (ISSO). Additionally, the awardee shall abide by the terms outlined in the Authority to Operate (ATO) letter, which requires that the authorization remain in effect only as long as:

  • The required security status reports for the system are submitted to the All of Us ISSO per the defined submission schedule;
  • The vulnerabilities reported during the continuous monitoring process do not result in additional NIH-level risk that is deemed unacceptable; and
  • The system has not exceeded the maximum allowable time between security assessments (one-third of the security controls are reviewed annually within the three-year authorization period).

The All of Us ISSO will request an annual independent review of security controls, in addition to continual review and testing, to ensure overall effectiveness against evolving threats and consistent implementation as a requirement for renewal of the ATO. Security control assessments will use NIST SP 800-53A or NIST SP 800-171A, depending on the risk profile and data sensitivity risk impacts of the system.

All major changes to the system boundary will be evaluated using a Security Impact Analysis within the All of Us Security Authorization Process to determine if a new or additional ATO is required.

Risk Management

All of Us, through the program's ISSO in coordination with the Program Officer, may require additional security measures and defined parameters not included in NIST SP 800-53 to provide advanced cybersecurity measures following a risk-based approach. Any additional security measures and defined parameters will be communicated to the awardee at least 6 months prior to implementation. All of Us and the Partner shall establish data security implementation plans and timelines collaboratively. All of Us will regularly monitor compliance with ongoing and new security requirements as specified by All of Us.

The following terms apply:

  • Partners are required to implement and maintain compliance with applicable NIH Manual Chapter Policies, the NIH IT Security Handbook, NIH Data Sharing Policies, All of Us Policies, and All of Us Security Procedures and Memoranda;
  • Partners shall make available to All of Us accurate security documentation and architecture diagrams;
  • Partners shall maintain accurate security documentation and asset inventories;
  • Partners shall implement risk-reducing measures and other All of Us recommendations as requested;
  • Partners shall maintain a record of completed trainings and signed user access agreements (Rules of Behavior);
  • Partners shall coordinate and complete annual Incident Response and IT Contingency Plan tests using Run Book Scenarios designed in collaboration with All of Us;
  • Partners shall conduct penetration testing and report findings in accordance with the All of Us Penetration Testing Procedure;
  • Partners shall provide security-relevant information as requested by the All of Us ISSO;
  • Partners shall provide security information and event management (SIEM) data as part of the All of Us Continuous Diagnostics and Monitoring (CDM) Program;
  • Partners shall provide program- and system-level configuration management information, including identity and access management, logging and monitoring, networking, and data storage, as requested by the All of Us ISSO;
  • Partners shall identify and uniquely call out systems storing personally identifiable information within system security boundary diagrams, asset inventory tables, and ad hoc reports as requested by the All of Us ISSO; and
  • Partners shall encrypt all participant records that include personally identifiable information as defined by NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

Plans of Action & Milestones

A Plan of Action & Milestones (POA&M) register or tracking tool will be maintained by the awardee and reviewed at least monthly with the All of Us ISSO.

The following terms apply:

  • Partners shall follow the All of Us Plan of Action & Milestones Procedure for managing and maintaining accurate, reportable POA&Ms as a key component of Continuous Monitoring;
  • POA&Ms shall be documented at both the Program and System level;
  • POA&M corrective actions shall follow this standard:
    • Critical within 30 days;
    • High within 60 days;
    • Medium and Low within 1 year;
  • POA&Ms shall be created based on the following criteria:
    • Security findings discovered by vulnerability scans (v-scans) that cannot be resolved within 30 days of discovery due to a security, operational, or functional impact;
    • Security findings discovered from the results of periodic security controls testing;
    • Security findings discovered as a result of a security incident;
    • Security findings discovered during an independent audit;
    • Non-compliance with All of Us mandates;
  • All risk waivers shall be created from POA&Ms that cannot be completed due to a technology limitation, a functional impact to All of Us, or a conflict in policy between the Partner and the NIH;
  • All risk waivers shall be documented accurately and approved by the All of Us ISSO;
  • All risk waivers shall be maintained by the All of Us ISSO and reviewed within twelve months of approval;
  • Partners shall use an NIH-designated platform, site, or repository to share documents as directed by the All of Us ISSO;
  • The completion of POA&Ms shall be a collaborative effort requiring acknowledgement from the Partner ISSO, the System Owner, and the All of Us ISSO; and
  • The status of all milestones will be included in the quarterly report and thereby incorporated into the NIH award record.

Incident Response

All of Us requires all awardees to maintain an active and evolving security program with incident response capabilities that meet All of Us requirements. All awardees will use the HHS Policy and Plan for Responding to a Breach as a guide for implementing incident response capabilities. The following incident reporting requirements must be followed:

  • Partners shall designate a dedicated incident response point of contact;
  • Partners shall conduct incident response drills in accordance with the NIH IT Security Handbook;
  • All perceived and potential security and privacy incidents must be reported to the All of Us ISSO within 1 hour of discovery;
  • Partners notified or alerted by a third party of a potential incident shall notify All of Us within one hour of the alert and take the necessary actions to resolve the incident;
  • During high-impact incidents, or as needed, Partners shall provide necessary system-level access to third parties, including NIH employees, contractors, and other incident responders / platform technology experts identified by the All of Us ISSO;
  • During "major incidents" as defined by OMB M-22-05, All of Us reserves the right to retain third-party incident responders / platform technology experts identified by the All of Us ISSO;
  • All incidents will require a full transcript of the incident and timeline, a response action report, and a final report;
  • Notification of incidents will be submitted via ISAO-AllofUs-Security@mail.nih.gov and will contain only non-sensitive information; all follow-up communication and sharing of information that may contain sensitive information will use NIH Secure Email and File Transfer (SEFT) or a secure method of transfer approved by the All of Us ISSO.

Continuous Monitoring Reporting

All of Us requires all awardees to maintain a continuous monitoring program that follows NIH guidelines and aligns with NIST SP 800-137. The purpose of the continuous monitoring program is to provide visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls. The continuous monitoring program provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate. Continuous Monitoring Reporting frequency shall be based on the risk-impact level to All of Us. All reporting will be used to compile operational metrics.

The following Continuous Monitoring Reporting requirements must be followed:

  • Partners shall maintain, manage, and report accurate access control lists.
    1. At a minimum, all users will be grouped as general and privileged users as defined by NIST SP 800-53.
    2. Partners shall grant access to resources following the concept of Least Privilege.
    3. Privileged user access must follow the Least Privilege and Separation of Duties controls as defined by NIST SP 800-53. For example, although IAM roles and permission configurations vary between cloud service providers, Partners shall ensure that no IAM user holds both general-usage and administrative permissions, and that accounts that administer the environment do not also manage auditing within it.
    4. Partners shall submit quarterly administrative console output for Cloud and Infrastructure IAM rosters and other application administrative consoles, generated from LDAP, Directory Services, and/or Cloud IAM, for all users with direct access to any service within All of Us managed infrastructure.
    5. Partners shall submit annually a record of signed Rules of Behavior for the period October 1 through September 30, no later than August 31.
    6. Required Continuous Monitoring Reporting shall include:
      1. Total number of user accounts within the cloud administrative and application administrative consoles, with a breakdown that includes the following: username, user creation date and time, IAM role, services, permissions, etc.;
      2. Total number of privileged users;
      3. Total number of inactive accounts (i.e., user accounts that can provide access to systems, services, and applications but do not have a valid owner) unused for over 90 days, per Partner; and
      4. Total number of staff who have received phishing awareness training.
  • Partners shall follow the All of Us Vulnerability Scanning Procedure for frequency, scan type, target scope, acceptable reporting formats, remediation timelines, and reporting details:
    1. Vulnerability scans shall be conducted in two-week cycles (biweekly), with a target of completing two vulnerability scans within each monthly patch management cycle.
    2. Required Continuous Monitoring Reporting shall include:
      1. Total number of vulnerabilities resolved;
      2. Total number of vulnerabilities unresolved;
      3. Total number of vulnerabilities unresolved and overdue as defined by All of Us Policy;
      4. Total number of vulnerabilities grouped by severity based on CVSS 3.x (Critical, High, Moderate, and Low); and
      5. Scan start and finish times (including timestamps for discovery).
  • Partners shall report POA&Ms and risks to All of Us.
    1. Required Continuous Monitoring Reporting shall include:
      1. Total number of open POA&Ms;
      2. Total number of closed POA&Ms;
      3. Total number of POA&Ms overdue; and
      4. Total number of POA&Ms by severity (Critical, High, Moderate, and Low).
  • At the request of the All of Us ISSO, all Partners will be required to provide All of Us operational insight by means of access to cloud administrative consoles and security event logs.

NIH may take action, including reduction or reallocation of funds or termination of the award, for non-compliance with security requirements and milestones as agreed upon by both the NIH and the awardee.

Dispute resolution process: Any disagreements or disputes regarding data security requirements specified by All of Us will be elevated to the NIH ATO signatories, i.e., the NIH Office of the Chief Information Officer and the Director of the All of Us Research Program.