National Institute of Science releases a guideline Cybersecurity and Privacy of Genomic Data
August 10, 2025 |
The National Institute of Science and Technology’s guidelines and other publications are used as best practice standards for industry. It’s publications and standards are referenced by privacy regulators. For good reason. It has just released the Cybersecurity and Privacy of Genomic Data.
The Project Overview provides:
Project Overview
Advancements in genomic sequencing technologies are accelerating the speed and volume of data collection, sequencing, and analysis. However, this progress also heightens cybersecurity and privacy risks. In response, NIST is engaging with genomic stakeholders across government, academia, and industry to develop voluntary, actionable guidelines to help organizations manage cybersecurity and privacy risks for systems that process genomic data.
Genomic Data Community Profile
The NCCoE published NIST Internal Report (IR) 8432, Cybersecurity of Genomic Data, summarizing the current practices, challenges, and solutions for protecting genomic data across its lifecycle. Building on additional insights from our ongoing collaborations with the genomics community, the NCCoE updated draft the NIST IR 8467, Genomic Data Cybersecurity and Privacy Frameworks Community Profile (Genomic Data Profile), a structured, risk-based approach for managing both cybersecurity and privacy risks in processing genomic data. The updated draft incorporates the NIST Cybersecurity Framework (CSF) version 2.0 and NIST Privacy Framework (PF) version 1.0 to help organizations prioritize and unify both cybersecurity and privacy capabilities. This Profile is the first joint CSF and PF Community Profile developed by NIST.
Cybersecurity and Privacy Threat Modeling
The NCCoE has also been developing cybersecurity and privacy threat modeling resources, which evaluate potential cybersecurity and privacy threats in genomic data processing. These resources provide an example use case and demonstrate an approach that organizations can adapt to identify cybersecurity threats and apply appropriate mitigations in their environments.
Privacy-Enhancing Technologies Testbed
Ongoing project work includes developing a Privacy Enhancing Technologies (PETs) Testbed for privacy-preserving federated learning (PPFL), and the PETs Testbed’s Genomics PPFL Platform 2025 Red-Teaming Event.
The Executive Summary provides:
Genomic data is a digital representation of the DNA in a biological DNA encodes hereditary information for cells to function, but this same information poses cybersecurity and privacy challenges as it can reveal potentially sensitive details about an individual’s kinship, traits, and health status. Genome sequencing refers to the laboratory process of converting a physical sample to digital format using purpose-built The data output for common sequencing experiments ranges from multiple gigabytes to terabytes, which is then analyzed for research or in clinical Genomic data processing systems can include proprietary sequencing equipment or utilization of genome sequencing service providers followed by genomic analysis computations occurring on premise or in a cloud Given the varied landscape of genome data processing systems, this Special Publication (SP) 1800-series from the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) describes a threat modeling exercise—methodical analysis of cybersecurity and privacy risks to system components and data transfers across a product or environment lifecycle—on an example genomic data workflow.
CHALLENGE
From a cybersecurity perspective, the size and compute requirements for genomic data analysis make it difficult to ensure the confidentially, integrity, and availability of computing environments. Regarding privacy engineering, since genomic data represents immutable personal information, designing and maintaining data processing systems with the objectives of predictability, manageability, and disassociability is complex. These challenges are compounded by the involvement of multiple stakeholders which can include researchers, healthcare providers, and third-party vendors.
SOLUTION
To gain insights into actual processes and system designs, the NCCoE collaborated with stakeholders to solution illustrate how to perform threat modeling in a real-world genomic data processing scenario. The project used a multi-step approach to analyze system components and dataflows for possible threats, then map threats to taxonomies of tactics, techniques, and Privacy threat modeling analyses utilized the NIST Privacy Risk Assessment Methodology (PRAM) as well as LINDUNN. For cybersecurity threat modeling, the STRIDE technique identified threats to components and These analysis findings were mapped to known taxonomies for cybersecurity and privacy resulting in a structured view of threats along with possible mitigations. The approaches used in the solution support security and privacy standards and guidelines such as the NIST PRAM, NIST Privacy Framework, and NIST SP 800-53r5. This SP 1800-series uses technology and security capabilities (shown below) from our project partners.