Practicing good cyber-hygiene is essential to protecting our grants data and information in ever-evolving business and security landscapes. With Cybersecurity Awareness Month underway, we are reminding users about proper security practices for eRA, including avoiding sharing log-in credentials and when to appropriately delegate tasks.
eRA is our enterprise system used to manage NIH grant activities. To do this successfully, eRA is dedicated to a security-first focus as outlined in their current strategic plan. The system's general growth over time (see the table below) further underscores how important continued cyber diligence is for managing extramural biomedical research materials.
Table 1. Changes in eRA Systems Usage FY 2019 - 2023
We trust that the vast majority of users interacting with eRA are doing so appropriately and honestly. One key cybersecurity best practice to remember here is to not share one's eRA credentials and passwords with others. Your account and credentials are meant only for you, and nobody else. If they are shared, all actions taken will be attributed to you. And, if sensitive information is accessed, you will have inappropriately shared that information.
We are aware of instances where organizations have allowed their staff to inappropriately share eRA Commons passwords with one another. Because the person certifying statements may not be someone authorized to do so, we may not be able to confirm that the submitted materials are true, complete, and accurate. NIH may, in circumstances when concerns arise with the submitted information, need to remedy any non-compliance if an applicant or recipient does not disclose all pertinent information, makes false statements, inappropriately accesses confidential review material, or knowingly skirts eRA rules. Such remedies may include, but are not limited to, requiring return of awarded grant funds, imposing special award conditions, requiring training, monitoring institutional internal controls and policy changes, and other correction action plan requirements. The actions taken are based on the duration (or extent), pattern and severity of the non-compliance.
Some people may have legitimate reasons to need help completing certain required tasks through eRA Commons. We recognize this need, and have built capabilities that allow users to officially delegate certain tasks in eRA Commons to other authorized users. Someone can delegate tasks like:
It is critical that all users exercise what we call "cyber-honesty" when engaging with NIH grant systems and be fully transparent with the information provided. When applicants provide appropriate information and follow proper cybersecurity practices, NIH is better positioned to make informed and objective decisions on funding future research projects and keep sensitive biomedical research ideas protected.