NIST requirements for Sage

[ByroneCole-SageBionetworks]

• Tom: Byrone is putting together the meeting to loop in the Sage ISO (information security officer) along with key people in INCLUDE to get a better understanding of the security required on Synapse and sign off by CHOP and SBG for what we want to achieve.

• Jack: I would very strongly suggest starting a new Compliance agreement for Sage. We are in the final signatures of the CHOP/SBG/NHLBI agreement (2 of 3 parties have signed). That will cover the clearinghouse for SBG and NIST controls for CHOP.

• Allison: We should be clear about this - there is a three way agreement between SBG, CHOP and NHLBI as part of the ISA. This is because SBG and CHOP systems are directly transferring data with the NHLBI account. There is no expectation that Sage/Synapse will need to directly connect to the NHLBI account and no need for any further federal agreements. However, since CHOP is now required to do NIST 800-171, we may make requests to Sage/Synapse about compliance artifacts because we anticipate the platform to be able to index and utilize CHOP S3 resources for DMC purposes. It would be good to have a three-way discussion however, because I think we would like to use similar models that SBG does for their users / systems that do not have to interconnect with federal systems. I'll bring a diagram to the meeting and hopefully that'll help.