Privacy appendix of draft NIST cybersecurity framework under fire


Some major Internet companies say the proposed privacy approach of the cybersecurity framework under development by the National Institute of Standards and Technology would be potentially burdensome, something that could discourage organizations from adopting it.

NIST is due to release a final draft of the framework in February, 12 months after President Obama called for its creation in executive order 13636.

Privacy indisputably is a requirement of the framework, but a group of companies and trade associations gathered in the Internet Commerce Coalition – its members include Amazon, AT&T, Google and TechAmerica – submitted a comment (.pdf) questioning the scope of NIST's proposed methodology.

Requiring protections for personally identifiable information in private sector cybersecurity programs under the NIST definition would be unworkable, says the coalition.

NIST, in the privacy appendix of its catalog of security controls, Special Publication 800-53, defines PII as information that can be used to distinguish or trace an individual's identity – or which isn't by itself indicative of that, but which can be combined with information linked to an individual's identity. (The original source of that language is actually a January 2007 memo (.pdf) from the Office of Management and Budget on federal identity credentials.)

The coalition says it favors an approach and methodology developed (.pdf) by Hogan Lovells partner Harriet Pearson. Under her approach, firms would be required to guard "protected information," defined as data subject to breach notification requirements, subject to lawful prohibition from disclosure, subject to a legal requirement of securing against unauthorized access, or anything else voluntarily so designated.

Pearson also says that a number of privacy concerns are addressed in the core of the framework, in informative controls about data security and other security categories.

Rather than set up a privacy appendix of the framework with informative controls matched to security functions and categories (as is proposed now), Pearson suggests a far more general scheme without informative controls. In place of detailed controls, Pearson would have companies make sure to do things such as "support compliance of cybersecurity activities with applicable privacy laws."

The Internet Commerce Coalition also objects to proposed NIST language that would require data minimization efforts, under which PII and communications content would be used and shared in cyber incidents to the degree necessary for detection, investigation, and response. Such language, the coalition says, "would require special privacy compliance measures that could impair security measures and increase the costs associated with adopting the framework."

For more:
- go to a NIST webpage with links to all submitted framework comments
- download the Internet Commerce Coalition comment (.pdf)
- download Harriet Pearson's comment (.pdf)
