IMS BioShare Offers Roadmap for New NIH Data Security Mandates

📊 Key Data
  • 100+ security controls required by NIST SP 800-171 for CADR compliance
  • February 25, 2026 deadline for NIH-designated CADRs to meet cybersecurity standards
  • IAL2 authentication now mandatory for identity verification
🎯 Expert Consensus

Experts agree that while NIH's strengthened data security mandates present significant technical and financial challenges, platforms like IMS BioShare offer viable solutions to streamline compliance and secure sensitive research data.


CALVERTON, MD – April 06, 2026 – As federal agencies tighten the security screws on sensitive health data, Information Management Services, Inc. (IMS) has released a white paper detailing how its BioShare platform can serve as a roadmap for research institutions navigating this complex new landscape. The paper outlines a case study in adapting to the National Institutes of Health's (NIH) strengthened requirements for Controlled-Access Data Repositories (CADRs), a move that is reshaping how scientific data is managed, shared, and secured across the country.

The publication, co-authored by Leslie Carroll and David Hacker, arrives as universities and research organizations are grappling with a series of stringent federal mandates aimed at protecting controlled data from ever-evolving cybersecurity threats. These new rules, while critical for safeguarding privacy and ensuring data integrity, present significant technical, financial, and administrative challenges.

A Higher Bar for Data Security

The regulatory pressure stems largely from the NIH's Data Management and Sharing (DMS) Policy, which took effect in January 2023. This policy mandates that all NIH-funded research generating scientific data must include a robust plan for managing and sharing that data. For institutions handling particularly sensitive information in CADRs, the requirements go much further, demanding a fundamental overhaul of security and governance practices.

A key deadline looms: by February 25, 2026, all NIH-designated CADRs must comply with the cybersecurity standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. This standard, designed to protect controlled unclassified information in nonfederal systems, includes a comprehensive framework of over 100 security controls. Institutions must be able to formally attest to their compliance, a process that requires deep technical expertise and significant investment.

The mandates also specify heightened identity verification standards. The requirement for Identity Assurance Level 2 (IAL2) authentication, for example, means institutions can no longer rely on simple username and password combinations. Instead, they must implement systems that can verify a researcher's real-world identity, either in person or through a rigorous remote proofing process.

A Case Study in Compliance

IMS's white paper positions its BioShare platform as a pre-configured solution to these mounting challenges. The company details a series of enhancements designed to align the web-based request tracking system with the new federal mandates. BioShare is already in use across multiple NIH programs to manage access to controlled datasets and biospecimens.

"Scientific progress depends on responsible data sharing, but that sharing must occur within a secure, well-governed environment," said Leslie Carroll, co-author of the paper. "This paper demonstrates how BioShare enables organizations to adopt NIH-aligned CADR security standards quickly and with minimal operational disruption."

Key upgrades highlighted in the case study directly address the NIH's new rules:

  • Identity Verification: The platform has integrated IAL2 authentication to meet the stringent identity-proofing requirements.
  • Governance Workflows: It features expanded workflows for Data Access Committees (DACs), the bodies responsible for approving research requests. These workflows include role-based permissions to ensure proper oversight and segregation of duties.
  • Automated Agreement Management: The system standardizes the management of Data Use Agreements (DUAs), the legal contracts governing data access. It includes features like optional electronic signatures and automated enforcement of the standard 12-month access expiration, reducing administrative burden and compliance risk.
  • Secure Data Delivery: Access to data is strengthened through project-specific permissions, controlled download windows, and detailed audit logs that track every action.

The company credits the platform's underlying design for its ability to adapt. "BioShare's configurable architecture allowed us to rapidly integrate new NIH requirements without redevelopment or major downtime," noted co-author David Hacker. "It demonstrates what a forward-compatible CADR platform can look like."

The Broader Impact on Scientific Research

While the new security mandates present formidable hurdles, they are also intended to foster a more trustworthy and productive research ecosystem. By standardizing security and governance, the NIH aims to build a foundation that can accelerate discovery while protecting patient privacy. Secure, well-managed data sharing allows researchers to validate findings, avoid duplicative efforts, and ask novel questions of large, combined datasets.

However, the transition is not without friction. The increased complexity and cost of compliance may disproportionately affect smaller institutions or individual labs that lack dedicated cybersecurity staff and large IT budgets. The NIH does allow for data management and sharing costs to be included in grant applications, but this requires institutions to accurately forecast these complex expenses far in advance.

The new era of controlled access is forcing a cultural shift, balancing the long-held scientific ideal of open collaboration with the modern reality of digital threats and privacy obligations. The goal is not to lock data away, but to create secure, audited gateways that allow approved researchers to access information in a controlled manner. Platforms like BioShare are emerging to serve as the gatekeepers and facilitators in this new model.

Navigating the Implementation Maze

For any institution, achieving CADR compliance is a significant undertaking. Even with a turn-key solution, implementation involves more than just installing software. It requires a holistic approach that encompasses technology, policy, and personnel.

Institutions must conduct thorough risk assessments, develop new policies and procedures, and train researchers and staff on security protocols. Integrating a new platform with existing legacy systems for identity management and data storage can present its own set of technical hurdles. The financial investment is substantial, covering not only software licensing but also potential infrastructure upgrades, cloud computing fees, and the cost of personnel with specialized expertise in federal compliance.

Ultimately, the path to compliance is an ongoing process, not a one-time fix. The landscape of cybersecurity threats and federal regulations is constantly evolving, requiring continuous monitoring, adaptation, and investment. By providing a detailed case study, IMS aims to show that while the path is complex, a strategic approach leveraging forward-compatible technology can make the journey manageable for organizations committed to advancing science securely.
