All partners in the All of Us Research Program are required to adhere to the Precision Medicine Initiative (PMI) Data Security Policy Framework.
The National Institutes of Health (NIH) is an Operational Division (OpDiv) of the U.S. Department of Health and Human Services. Security controls are required by the Department to provide minimum levels of assurance for safeguarding OpDiv information. The NIH's All of Us Research Program (All of Us) is a special federally funded program that has selected National Institute of Standards and Technology (NIST) Special Publication 800-53 as its security controls framework.
Please note that NIST SP 800-53 is designed for safeguarding federal information and information systems; however, the controls outlined in the framework provide adequate security and can be applied to extramural research partners as a method of meeting the PMI Data Security Policy Framework.
For non-federal awards (otherwise not covered by the Federal Acquisition Regulation), All of Us shall provide a list of NIST SP 800-53 exempt security controls. A separate control mapping will be provided as equivalent to lower-risk-profile systems that apply the NIST SP 800-171 controls framework for non-federal systems processing Controlled Unclassified Information.