NIST draft spells out privacy controls
The National Institute of Standards and Technology (NIST) has released a draft document to tackle the increasing challenge of maintaining confidentiality and the integrity of personally identifiable information by adding privacy controls to the catalog of security controls used to protect federal information and information systems.

The new document will become Appendix J of "Security Controls for Federal Information Systems and Organizations" (NIST Special Publication 800-53, Revision 4) when the document is updated in December, according to NIST. SP 800-53 is also one of the Joint Task Force Transformation Initiative documents that NIST produces with the Department of Defense and the intelligence community. “The material released is for public review and comment and will be modified accordingly prior to final publication,” NIST stated.

Incorporating privacy controls into SP 800-53 and taking advantage of established security controls to provide a solid foundation for information security will help to ensure that privacy requirements will be satisfied in a comprehensive, cost-effective and risk-based manner, according to the document.

The new privacy appendix seeks to:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards and guidance;
  • Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements, which may overlap in concept and in implementation within federal information systems and organizations;
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls deployed in federal information systems and organizations; and
  • Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards and guidance.

In addition to the basic privacy controls in Appendix J, NIST stated it plans to develop assessment procedures to allow organizations to evaluate the effectiveness of the controls on an ongoing basis. Standardized privacy controls and assessment procedures will provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance to those requirements, NIST stated.

The public comment period for this appendix runs through Sept. 2. The publication may be found here.