Accessing NIH Controlled-Access Datasets

The Privacy and Research Data Protection Program (PRDP) and Office of Sponsored Programs (OSP) support researchers in accessing National Institutes of Health (NIH)-controlled datasets (e.g. dbGaP, ABCD, and other NIH repositories). These datasets require a formal request through an NIH website and institutional approval process at Virginia Tech. This page walks you through what to expect when engaging in this process. A list of NIH data repositories and links for requesting datasets can be found here:  NIH Controlled-Access Data Repositories and Datasets

Before You Begin

NIH requires institutions to ensure that controlled-access data are handled securely. At Virginia Tech, this is supported through approved secure research environments designed to meet NIH data protection expectations (NIST 800-171).

To meet these requirements, NIH-controlled data must be accessed using:

• COMPASS (VT Office of Export and Secure Research Compliance [OESRC]) secure enclave
• ARC Biomedical Cluster (ARC BC) for computing needs

These environments are already configured to meet NIH expectations so using them will simplify your request and approval process. 

Access to these systems is only provided through Virginia Tech-managed (provisioned) devices, which are configured to meet required security standards. Personal laptops or unmanaged machines cannot be used to access COMPASS or ARC when working with these datasets.

Step 1: Submit Your NIH Data Request

1. Submit your request thorugh the NIH system (dbGaP, NIMH Data Archive, or other respository)
2. List Signing Official (SO): Linda Duffy (lindafd@vt.edu)
3. List IT Point of Contact (if repository requires): Dave Raymond (raymondd@vt.edu)
4. Most NIH repositories require that you describe how you will protect the data.  You can use the following language to describe the COMPASS and ARC BC secure environment:
   • Virginia Tech has developed handling and processing procedures for Controlled Unclassified information in full compliance with contractual requirements and federal regulations. The Office of Export and Secure Research Compliance manages a secure enclave, called COMPASS, that meets National Institute and Standards and Technology 800-171 security controls and associated management and documentation. Currently, COMPASS resources are self-assessed as Cybersecurity Maturity Model Certification (CMMC) Level 2 compliant with expectation of completing CMMC Third-Party Assessment Organization (C3PAO) certification in 2026 to meet Department of War contractual requirements for CMMC. For NIH NIST 800-171 compliance, users have the option to connect to Virginia Tech’s Division of Information Technology’s Advanced Research Computing High Performance Computing (HPC) clusters for greater processing power via COMPASS. This method ensures NIST 800-171 compliance from the moment a user logs in through COMPASS, submits jobs to a NIST 800-171 compliant HPC environment, receives the HPC outputs, and continues to work with the data from either within HPC directly or within COMPASS.

Step 2: Prepare Your Research Team

While your request is under review, you can prepare your team so access can be granted as quickly as possible once approved.

Each team member will need to:

• Complete the Virginia Tech Research Security Training
• Sign the User Agreement that details individual responsibilities for protecting the NIH data at VT: User Agreement for Accessing NIH Datasets
• FOR VT EMPLOYEES ONLY: Researchers who are VT employees also need to have completed the Virginia Tech IT Cybersecurity Awareness Training

Access to the COMPASS and ARC BC can be provisioned once these steps are complete.

Step 3: Institutional Review and Sign-Off

• Once NIH approves your request, they will route your Data Use Certification to Virginia Tech signatories (Linda Feuster Duffy, and in some cases, Dave Raymond)
• The VT Signatory(ies) will review and sign the Data Use Certification (DUC)
• You will be notified via the online NIH system once this step is complete and the DUC has been signed
• If you would like a status update on institutional sign-off you can contact ospcontracts@vt.edu. Please include PI Name, dataset, project name, and submission date.  

Step 4: Access Setup

Once NIH approval and institutional sign-off are complete:

• Virginia Tech teams will coordinate to set up your access to COMPASS and ARC
• You will receive instructions for securely downloading the NIH datasets
• Please wait to download any NIH data until you are set up in the secure environment

Step 5: Managing Your Research Team

If your research team changes during the project:

• Add or remove research team members through the NIH system
• Ensure access to data in COMPASS and ARC is removed when no longer needed

This helps keep your project aligned with NIH requirements.

Step 6: Annual Check-in

Each year, you will be asked to confirm that your project continues to comply with the Data Use Certification

• Watch for an email from SUMMIT and PRDP
• Submit renewal requests through the NIH system if you need continued access