AnVIL Demos: AnVIL meets the new security requirements under the Genomic Data Sharing Policy on November 19, 2025

Topic: AnVIL meets the new security requirements under the Genomic Data Sharing Policy

November 19, 2025 at 10:00 AM ET on Zoom

10:00 AM - 10:30 AM ET – Demo on AnVIL

On October 4, 2024, NIH updated its Genomic Data Sharing Policy, mandating that starting January 25, 2025, researchers must store and analyze NIH controlled‑access data on NIST SP 800‑171 (or equivalent) compliant systems. During this demo, the AnVIL security team will provide a brief overview of how AnVIL meets these requirements and answer questions from the community.

10:30 AM - 11:00 AM ET – Q&A

We’ll open up the floor to questions about the demo presented, and will have AnVIL and Terra support on call to answer any questions about AnVIL you might have!

Sign up: Register for AnVIL Demos

What are AnVIL Demos?

AnVIL Demos are a monthly, virtual meeting where we highlight what you can do on the NHGRI Analysis, Visualization, and Informatics Lab-space (AnVIL; https://anvilproject.org/), a cloud-based computing platform for genomic data science! AnVIL Demos will start out with a 30-minute demonstration on the platform followed by open time for Q&A and user support.

The demos will highlight a range of topics, from a capability of the platform to a scientific analysis powered by AnVIL. If you’re interested in showcasing how you use AnVIL at a future AnVIL Demos session, reach out to Natalie Kucher (nkucher3@jhu.edu). After the demo, we’ll open up the floor to answer questions about the demo and to answer any general questions you might have about AnVIL.

Watch past AnVIL Demos recordings from our YouTube playlist!


Upcoming Events

Sign up to hear about future AnVIL Demos and announcements at http://bit.ly/anvil-mailing-list and learn about upcoming events at https://anvilproject.org/events!

Q: AnVIL can provide an attestation on request. How many people have been requesting this?

A: AnVIL is built on Terra; Terra has FedRAMP, which meets the minimum requirements in the NIH genomic data sharing policy. AnVIL has developed a HECVAT that helps researchers and universities get the details that are needed to satisfy their requests that AnVIL is compliant.

There are researchers who are inquiring weekly about this.

Q: NHGRI has observed that a number of researchers have experienced project closeouts as a result of their institution not being able to meet the requirements of the NIH policy. AnVIL is a great way to bring the data in for analysis in a compliant platform.

Q: Could you please speak more to the new updates to compliance requirements, relative to say a year ago?

A: The new Controlled-Access Data Repository (CADR) requirements have added logging and monitoring, strict access controls, additional specific guidance on Data Access Committee (DAC) processes, and requirements to lock users from countries of concern. These users are identified based on their user email address for known domains, and additionally this is enforced by blocking users from free domains. The requirements have been met.

These requirements apply to all controlled access data repositories hosted by NIH and for data access committees.

Q: A frequent question from analysis groups and users is to understand the boundaries between AnVIL and Google Cloud?

A: Using AnVIL and Terra, if users copy data over to a personal project, then the data will leave the security boundary (and will require egress fees). If accessing via any other platform or copying to another platform, then the data are no longer in the required perimeter.

Q: If users have Google, use BigQuery, Batch, other services, does this fall in the security perimeter?

A: Google has organizations, and Terra is within the Broad organization in Google, so it meets the security environments. Some services are within the perimeter (e.g., Batch), and some services are not (e.g., BigQuery).

Q: You mentioned that Terra can extend the security blanket when new services are being integrated. How do services go through this process, such as seqr?

A: Seqr and Dockstore went under review and were approved by Terra that they met NIST-800-53. These services would be required to get their own attestation that would then be reviewed by the Terra Data Sciences Platform.

Q: Often we get questions about user responsibilities, users pick AnVIL and use AnVIL data. What is still on the user to make sure they are still appropriately following the terms of their Data Access Request (DAR) and security agreements?

A: This depends on how they’re looking at Information Security. For NIST-800-53, there is a publicly available customer responsibilities document. This includes bringing your own user account to register with Terra, and cannot enforce certain requirements like password strength & multi-factor authentication, and that connections are encrypted. Customer Security Responsibilities: Customer Security Requirements - Terra.

Q: Users frequently ask about cloud use statements and what should be put in them from a DAR perspective. Are there any recommendations from the DAC perspective on how to complete cloud use statements?

A: NIH determined that institutions need to attest that AnVIL is compliant; this should even be part of the dbGaP data access request process. The cloud use statement will be primarily reviewed if there is concern, for example if using a cloud platform that is not recognized by NIH as a designated cloud repository. However, when using an NIH-designated cloud repository, these can simply be listed as they are recognized by NIH DACs through existing compliance and approval.