The clock is ticking. With the NIH's updated genomic data sharing policy taking effect on January 25th, our latest NET+ AWS Town Hall brought together a community of researchers and IT professionals seeking clarity on these critical requirements. The energy in the virtual room was palpable – institutions across the research community are navigating complex security measures while trying to ensure their vital genomic research won't face interruption.
The Compliance Gap Affecting Research Nationwide
"Are we ready?" That question hung over the session as polling revealed a stark reality – only 6% of participating institutions felt confident their research infrastructure meets the updated NIH requirements, while the majority weren't sure where they stood. You could almost feel the collective intake of breath as these numbers appeared. This shared uncertainty created an immediate sense of community – we're all tackling this challenge together.
What transformed this from just another technical walkthrough into something special was Nick Weber from NIH's STRIDES initiative joining the conversation. Nick didn't just deliver official guidance – he engaged directly with the community's concerns, creating a rare direct dialogue between NIH and the institutions racing to implement changes. When he offered dedicated consultation services through strides@nih.gov, you could sense the relief spreading through the virtual room – here was a genuine pathway to solutions.
Consequences of Non-Compliance: More Than Just Lost Data Access
The atmosphere shifted noticeably when Alexandria Burke, a CMMC Assessor and senior Security Assurance consultant, shared real-world cautionary tales. The room grew quiet as she revealed the Department of Justice is pursuing action against two universities for NIST 800-171 violations, with one facing a $2.5 million fine. Suddenly, this wasn't abstract policy – these were peer institutions facing serious consequences.
Alexandria's breakdown of the NIST 800-171 requirements sparked a collective "aha" moment across screens. While most institutions focus on technical controls, she revealed that 54% of compliance work involves documentation, administrative, and procedural controls – precisely the areas where many institutions feel least prepared. You could almost see lightbulbs turning on as participants realized why they've been struggling despite their technical sophistication.
The chat erupted during Q&A as participants discovered critical nuances that immediately changed their compliance approach:
- NIH will accept NIST 800-171 Revision 2 while institutions transition toward Revision 3
- Virtual Desktop Infrastructure (VDI) potentially simplifies compliance for end-user devices
- The rules apply specifically to 20 controlled-access data repositories identified by NIH
These weren't just dry facts but vital insights being shared among colleagues who understand each other's challenges.
AWS's Secure Research Environment: A Ready-Made Solution Path
You could feel the mood lift when Venkat Chandrababu took the floor to showcase AWS's Secure Research Environment. As he demonstrated how pre-configured security controls aligned with all 110 NIST 800-171 requirements, the chat lit up with questions and comments. It wasn't just about technical specifications – it was about seeing a viable path forward when many felt overwhelmed by compliance requirements.
"This could save us months of work," one participant commented as Venkat explained how AWS's approach leverages existing compliance frameworks to "raise the bar" on the shared responsibility model. The relief was tangible – here was a solution that didn't require building specialized compliance expertise across multiple domains.
A follow-up poll revealed something fascinating about our community – 45% already have secure research environments in the cloud, while 34% now recognize the urgent need to establish one. This sparked spontaneous networking in the chat, with experienced institutions offering to share insights with newcomers – exactly the kind of community-building that makes these sessions invaluable.
Implementation Options for Every Timeline and Resource Level
The tension in the virtual room was palpable when discussion turned to the rapidly approaching January 25th deadline. Karthik Narasimhan sensed this anxiety and pivoted to a practical approach that visibly calmed participants. Rather than one-size-fits-all guidance, he presented tailored implementation paths:
- In-house implementation with AWS guidance – bringing immediate relief to institutions with robust IT teams
- Partner-assisted deployment – offering hope to those with limited internal bandwidth
- Genomic ISP partners – providing a lifeline for institutions with just a few projects requiring compliance
The chat exploded with questions about real-world experiences, and Donny Wilson stepped in with exactly what everyone needed – a candid case study about a peer institution. As he described their journey from finding it "nearly impossible" to retrofit existing environments to dramatically reducing implementation time with cloud-based approaches, you could almost hear the collective sigh of relief. This wasn't theoretical – it was a roadmap from someone who'd navigated the same challenges.
Immediate Action Steps
As the session neared its end, the AWS team moved beyond presentations to tangible support. Rather than simply directing participants to documentation, they shared direct contact information for their security specialists and encouraged everyone to reach out for personalized guidance. "We're in this together," was the unspoken message, reinforced by offers of one-on-one consultations for institutions feeling the pressure of the approaching deadline.
The chat continued buzzing even after the formal Q&A concluded – a testament to the community connections being formed. When one attendee wryly commented, "Those who are already compliant were obviously over-engineering their existing solutions," it sparked a wave of solidarity reactions and follow-up discussions. This wasn't just information sharing – it was community building among professionals facing a common challenge.
For those who couldn't attend, here are the slides and recording for you to view on demand. Take a look at our calendar for upcoming events that you might be interested in.
Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.