Privacy controls to be included in NIST cybersecurity guidance


Privacy controls will become an explicit part of agency cybersecurity guidance issued by the National Institute of Standards and Technology with the addition later this year of a new appendix to NIST Special Publication 800-53.

The special publication includes a catalog of recommended security controls under the Federal Information Security Management Act; its fourth revision--to be released in December--will also include a catalog of recommended privacy controls.

NIST released July 19 a draft version of the new privacy catalog for public comment, saying that "due to the special nature of the material" it's being vetted separately from other changes to SP 800-53.

The federal government needs a privacy control catalog thanks in part to advances in cloud computing, the smart grid and mobile computing, NIST says in a press release.

The authority for the controls flow from the Privacy Act of 1974, the e-Government Act of 2002 and Office of Management and Budget memos, said Ron Ross, project leader of the NIST FISMA Implementation Project, in an interview.

"We're just providing a little more specificity, a little more certainty on the requirements," Ross said. "Instead of having every agency interpret the requirements, the [proposed] controls give a more specific declaration," Ross said, adding that adoption would also make agency comparison of privacy controls easier.

It's possible that agencies might argue that their existing privacy controls trump anything NIST puts out, but Ross said he's confident of governmentwide adoption. The controls were developed in cooperation with a privacy subcommittee of the CIO Council, he said.

Agency implementation of the privacy controls would be guided by a yet-undeveloped privacy risk framework, similar to the low-, medium-, high- risk framework agencies already utilize when selecting cybersecurity controls, Ross said.

Cybersecurity and privacy "have a lot in common," Ross said, adding that publication of privacy controls in SP 800-53 should result in cybersecurity and privacy offices working more closely together.

For more:
download the draft privacy control SP 800-53 appendix (.pdf)
read the NIST press release

Related Articles:
Focus turns to privacy in second NSTIC workshop 
Lewis: Privacy precepts need revising in light of new cybersecurity measures