- SPONSOR(S): Paul Rivers
- DEPT OR DIVISION: ITS Security and Identity Management
- PROJECT MANAGER: Brenda Carpen
- CHANGE MANAGER: Jackie Treschl
- STATUS: Completed
- Project Theme: Serving Our Communities
What is it?
The National Institutes of Health (NIH) is improving data security and is requiring stronger proof that a person logging in to its systems is who they say they are. The NIH uses the criteria defined in the REFEDS Assurance Framework to define levels of assurance. REFEDS, which stands for “Research and Education FEDerations,” is an organization that represents the requirements of research and education related to access and identity management.
Why are we doing it?
UNC faculty researchers receive more than $522 million in NIH research funding annually. We need to comply with NIH requirements to allow researchers to continue to use their UNC credentials to access NIH applications.
How does this impact our UNC community?
Researchers, Grant Awardees and Principal investigators (PIs), Faculty
Researchers, grant awardees and principal investigators (PIs), and faculty will need to use multi-factor authentication when using their UNC Onyen and password to access the NIH websites.
To have the highest level of Identity Assurance, researchers, grant awardees and principal investigators (PIs), and faculty may need to present government-issued documentation in person. That process is under development.
When is this happening?
February 2023 – The UNC Project team decided to put the project on hold pending updated guidance from the NIH on the timeline and implementation of Identity Assurance. The last update from NIH on the requirements for identity assurance was in September 2021.
There are three phases to the NIH Requirements.
Phase 3 – Categorize identity assurance levels as low, medium, or high based on REFEDS definitions, which are related to NIST 800-63 guidelines. Providing assurance at these levels may require in-person verification of government documents and a written procedure. If we cannot achieve all three levels, we need a plan to reach them. Our goal is to default to low assurance for UNC users, identify those needing medium or high assurance, and develop a process for high-level identity assurance. Due December 31, 2022
Phase 2 – Asserted local enterprise equivalency. When a person logs in to an NIH website with their UNC Onyen and password, UNC asserts that because this person is trusted to access the University’s administrative systems, they can be trusted to access some external resources as well. Completed June 30, 2022
Phase 1 – Require Duo 2-Step verification for UNC faculty and staff who log in to NIH systems using their UNC Onyen and password. Completed September 2022
Where can I find more information?
- InCommon: Updates on NIH Identity Requirements and Plans
- Confluence: Get NIH Ready (video)
- NIH: Security Requirements FAQ
- NIH: Requirements for logins – September 2021