In the spring of 2025, Andrew Lynn, a developmental cognitive neuroscientist at the University of Louisville, began a project using data from the Adolescent Brain Cognitive Development (ABCD) Study, a major U.S. initiative examining factors that influence children’s brain development and health. When he attempted to download the dataset, he encountered an unfamiliar requirement referencing NIST SP 800-171.
He later learned that the standard is a National Institute of Standards and Technology protocol designed for securing highly sensitive information. It had been newly applied to genomic data within the ABCD Study. Although Lynn intended to use only non-genomic information such as MRI scans and behavioral questionnaires, the updated policy meant that access to any portion of the dataset would soon require compliant high-security computing systems—systems his university did not have.
Unable to meet the deadline, his lab lost access for two months before finding a temporary workaround. The disruption slowed his research at a critical stage in his tenure-track career.
“I take data security seriously,” Lynn says. “But the communication [about the new standard] and the abruptness of it has caused some consternation, to say the least.”
The National Institutes of Health (NIH) introduced stricter IT requirements in January 2025 for researchers working with large genomic datasets. The ABCD Study repository was among 39 affected data platforms.
In explanatory materials, NIH cited national security concerns, including risks of bioterrorism and cyberattacks targeting sensitive health and genetic information.
However, more than a year later, many researchers report ongoing difficulties adapting to the requirements. Institutions lacking advanced cybersecurity infrastructure are especially affected, and in some cases universities are shifting costs onto individual labs or investigators.
For scientists working in human genetics, the changes have created widespread disruption.
“For the whole community of people who research human genetics, this is a big deal,” says Paul Auer, a statistical geneticist at the Medical College of Wisconsin.
NIH’s stricter stance follows several high-profile incidents involving genomic data misuse. Investigations have revealed cases in which ABCD data were improperly shared and used to support racist and pseudoscientific claims about brain development.
Separately, in April, data from the UK Biobank, which contains genomic and medical information from over 500,000 participants, was reportedly listed for sale on an overseas platform.
While most datasets are de-identified and governed by strict access agreements, experts note that enforcement has historically relied heavily on institutional practices and researcher compliance.
Data security in U.S. biomedical research has been “very, very, very behind” other countries, according to Jess Morley of the Yale University Digital Ethics Center.
Although many scientists agree with the goal of stronger protection, they say the rollout of the NIST SP 800-171 requirements has been chaotic.
Carlos Cardenas-Iniguez, a neuroscientist at the University of Southern California and member of ABCD’s responsible data use working group, described the new expectations as unexpectedly stringent.
He referred to the requirements as “DOD level” security standards.
His lab was initially allowed to continue working under existing arrangements but later had to reapply for access. By that point, the university informed him that compliance would require specialized secure servers—costs that were not covered by institutional funding. After months of searching, his team eventually secured access to a compliant system already operating on campus.
Smaller institutions have faced even greater barriers, unable to build or purchase the required infrastructure.
Some researchers report losing access entirely to long-used datasets. In one case, a scientist who had worked for over a decade with the Trans-Omics for Precision Medicine (TOPMed) dataset—containing more than 180,000 genome sequences—was required to delete locally stored data and transition to a secure cloud system.
The transition has stalled research for over a year. Even with partial institutional support, estimated costs remain significant, with some cloud solutions priced between $8,000 and $10,000 per researcher.
Andrew Lynn reports similar financial strain. His institution has not covered the costs of compliant systems, leaving him to rely on startup funds.
He has already spent about $1,200 and estimates that a fully compliant setup could cost up to $10,000.
Some initiatives aim to reduce the burden on individual labs. Deanna Barch, an ABCD principal investigator at Washington University in St. Louis, has been working with colleagues to develop a centralized secure platform that would host datasets and provide analytical tools within a compliant environment.
She has also called for broader institutional and governmental support, including funding for infrastructure and training in secure cloud computing.
Barch suggests the NIH and research community need a “conversation” about shared responsibility for the costs of compliance.
NIST computer scientist Victoria Yan Pillitteri, a contributor to the updated guidelines, notes that the framework is intended to be flexible, while implementation details are left to agencies like NIH.
This division has contributed to uneven rollout across institutions.
Researchers emphasize that participants in biomedical studies expect strong privacy protections, but also want their data to contribute to scientific discovery.
“They also want their data to be used to answer important questions,” Barch says.
At the same time, many scientists argue that overly rigid implementation is slowing research progress and excluding institutions that lack resources.
The tension is increasingly visible at the individual level. Lynn continues working with a limited version of the ABCD dataset through a virtual environment while attempting to build a compliant infrastructure for his lab.
If those efforts fail, he may need to move entirely to cloud-based high-performance computing systems.
For now, he continues piecing together solutions as costs accumulate and timelines stretch.
“I’m still trying to chip away at access,” he says.
But with limited institutional support, the long-term sustainability of such work remains uncertain, as researchers across the field adapt—unevenly—to a new era of genomic data security.